From b1d4eb16e4bb3e06b78630b0a521bac7e9ca9720 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jan 2014 10:12:57 +0100 Subject: [PATCH 01/10] Basic parsing of certs signed with RSASSA-PSS --- include/polarssl/config.h | 16 ++++++++++++++++ include/polarssl/oid.h | 3 +++ include/polarssl/pk.h | 1 + include/polarssl/x509.h | 2 ++ include/polarssl/x509_crt.h | 3 +++ library/oid.c | 4 ++++ library/x509.c | 14 ++++++++++++++ library/x509_crt.c | 12 +++++++++--- tests/data_files/server9.crt | 19 +++++++++++++++++++ tests/data_files/server9.key | 15 +++++++++++++++ tests/suites/test_suite_x509parse.data | 4 ++++ 11 files changed, 90 insertions(+), 3 deletions(-) create mode 100644 tests/data_files/server9.crt create mode 100644 tests/data_files/server9.key diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 83f9dac58..29ba54f4e 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -153,6 +153,22 @@ //#define POLARSSL_SHA256_ALT //#define POLARSSL_SHA512_ALT +/** + * \def POLARSSL_RSASSA_PSS_CERTIFICATES + * + * Enable parsing and verification of X.509 certificates and CRLs signed with + * RSASSA-PSS. + * + * This is disabled by default since it breaks binary compatibility with the + * 1.3.x line. If you choose to enable it, you will need to rebuild your + * application against the new header files, relinking will not be enough. + * + * TODO: actually disable it when done working on this branch ,) + * + * Uncomment this macro to allow using RSASSA-PSS in certificates. + */ +#define POLARSSL_RSASSA_PSS_CERTIFICATES + /** * \def POLARSSL_AES_ROM_TABLES * diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h index f000b8e7e..669ad537f 100644 --- a/include/polarssl/oid.h +++ b/include/polarssl/oid.h 
@@ -193,6 +193,9 @@ #define OID_PKCS9_EMAIL OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */ +/* RFC 4055 */ +#define OID_RSASSA_PSS OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */ + /* * Digest algorithms */ diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h index 8b844714e..e4b56188e 100644 --- a/include/polarssl/pk.h +++ b/include/polarssl/pk.h @@ -94,6 +94,7 @@ typedef enum { POLARSSL_PK_ECKEY_DH, POLARSSL_PK_ECDSA, POLARSSL_PK_RSA_ALT, + POLARSSL_PK_RSASSA_PSS, } pk_type_t; /** diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index a45653770..c48e00af4 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -254,6 +254,8 @@ int x509_get_name( unsigned char **p, const unsigned char *end, x509_name *cur ); int x509_get_alg_null( unsigned char **p, const unsigned char *end, x509_buf *alg ); +int x509_get_alg( unsigned char **p, const unsigned char *end, + x509_buf *alg, x509_buf *params ); int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ); int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, pk_type_t *pk_alg ); diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h index ee8f9e6cd..916dc3b33 100644 --- a/include/polarssl/x509_crt.h +++ b/include/polarssl/x509_crt.h @@ -89,6 +89,9 @@ typedef struct _x509_crt x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */ pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + x509_buf sig_params; /**< Parameters for the signature algorithm */ +#endif struct _x509_crt *next; /**< Next certificate in the CA-chain. */ } diff --git a/library/oid.c b/library/oid.c index f943c6d34..107860836 100644 --- a/library/oid.c +++ b/library/oid.c 
@@ -327,6 +327,10 @@ static const oid_sig_alg_t oid_sig_alg[] = { ADD_LEN( OID_ECDSA_SHA512 ), "ecdsa-with-SHA512", "ECDSA with SHA512" }, POLARSSL_MD_SHA512, POLARSSL_PK_ECDSA, }, + { + { ADD_LEN( OID_RSASSA_PSS ), "RSASSA-PSS", "RSASSA-PSS" }, + POLARSSL_MD_NONE, POLARSSL_PK_RSASSA_PSS, + }, { { NULL, 0, NULL, NULL }, 0, 0, diff --git a/library/x509.c b/library/x509.c index 2ba1e8618..80390ae73 100644 --- a/library/x509.c +++ b/library/x509.c @@ -118,6 +118,20 @@ int x509_get_alg_null( unsigned char **p, const unsigned char *end, return( 0 ); } +/* + * Parse an algorithm identifier with (optional) paramaters + */ +int x509_get_alg( unsigned char **p, const unsigned char *end, + x509_buf *alg, x509_buf *params ) +{ + int ret; + + if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + return( 0 ); +} + /* * AttributeTypeAndValue ::= SEQUENCE { * type AttributeType, diff --git a/library/x509_crt.c b/library/x509_crt.c index 27d5ec034..70c24f3b4 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -529,6 +529,9 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, int ret; size_t len; unsigned char *p, *end, *crt_end; + x509_buf sig_params; + + memset( &sig_params, 0, sizeof( x509_buf ) ); /* * Check for valid input @@ -592,7 +595,8 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, */ if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 || - ( ret = x509_get_alg_null( &p, end, &crt->sig_oid1 ) ) != 0 ) + ( ret = x509_get_alg( &p, end, &crt->sig_oid1, + &crt->sig_params ) ) != 0 ) { x509_crt_free( crt ); return( ret ); 
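Review bot: `&crt->sig_params` in the `@@ -592,7 +595,8` hunk is used unconditionally, but x509_crt.h declares that field only inside `#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)`. x509_crt.c therefore stops compiling once the macro is commented out, which the config.h comment gives as the intended default. The `crt->sig_params.len` / `.p` comparison in the `@@ -733,14 +737,16` hunk has the same problem. Either wrap these uses in the same `#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)` with an `#else` that keeps `x509_get_alg_null( &p, end, &crt->sig_oid1 )`, or parse into a local `x509_buf` when the field is not compiled in. x509_crt_parse_der_core starts and ends outside these hunks.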
@@ -733,14 +737,16 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, * signatureAlgorithm AlgorithmIdentifier, * signatureValue BIT STRING */ - if( ( ret = x509_get_alg_null( &p, end, &crt->sig_oid2 ) ) != 0 ) + if( ( ret = x509_get_alg( &p, end, &crt->sig_oid2, &sig_params ) ) != 0 ) { x509_crt_free( crt ); return( ret ); } if( crt->sig_oid1.len != crt->sig_oid2.len || - memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 ) + memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 || + crt->sig_params.len != sig_params.len || + memcmp( crt->sig_params.p, sig_params.p, sig_params.len ) != 0 ) { x509_crt_free( crt ); return( POLARSSL_ERR_X509_SIG_MISMATCH ); diff --git a/tests/data_files/server9.crt b/tests/data_files/server9.crt new file mode 100644 index 000000000..a6f9fbc76 --- /dev/null +++ b/tests/data_files/server9.crt 
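Review bot: The inner/outer signatureAlgorithm check compares only the length and bytes of the parameters, never their tag, so two zero-length parameter fields with different tags (for instance NULL and an empty SEQUENCE) are treated as identical. When both lengths are 0, `memcmp` may also be handed a null `p`, if asn1_get_alg zeroes the buffer for absent parameters (not visible in this hunk). Suggest adding `crt->sig_params.tag != sig_params.tag ||` and guarding the byte compare as `( sig_params.len != 0 && memcmp( crt->sig_params.p, sig_params.p, sig_params.len ) != 0 )`. A mismatch between the signed and unsigned algorithm fields must be rejected completely, because the later signature verification relies on the parameters stored in `crt`.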
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
+EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
+Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO
+TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
+HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
+r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
+qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ
+wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w
+OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh
+clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR
+vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6
+te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW
+Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj
+88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw
+JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1
+o4Hl/lqjwCEG
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server9.key b/tests/data_files/server9.key
new file mode 100644
index 000000000..e005864f9
--- /dev/null
+++ b/tests/data_files/server9.key
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAequgOwrsTQNuK +Eo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv5zibCItjmToK +Je5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSpC9pAlQIDAQAB +AoGAHFCE2tBL0xB45Go/1e/Pi9//OVZAJ3Cw0mmEuqjVNB7I6zxhYhviWbgz92+V +g92KBlU9CIx0/ZhGMyHRNO0uYNEZUJyM8zItoo/nmU31+VaHOGgpei04HZrn1Nmw +QS01FVrn9wzKR/5qeEBmxE7rVMDQo8QLnllC3jXzIVUtX4ECQQD2g9dleWYbqIQe +Q9paXxzvODhCzNtQwD0PnOKc54Nu4zm3JI45REtunmG8et+Ncms9RycTjNlWPGJT +62jgaJexAkEA5ZMNv4u9NNRfZprmlNyvjSOf+w7fdKzhcnkHbGkfLnFdc7vq0XFC +nwORsdjpOvWQUwrV2Cw8Pl4rKa4B4iqUJQJBAMVti6maU3udN8qhXxP3js3LwctG +E/OVMpH5fMha5jl9w/B4V2tn1d3O/MmdwsKeu2JFRPd0W2+kRr+dDs6DFdECQQC1 +3g9QJRWY2n1RPXlZiJKSDxzXuOqQ9bwMAZE98vE+y5Qq8T2O+li6vAsZhysNCChz +gOvzuudmyRcMh8r6Lpz5AkAUKK3gYtJFiVH2arRig3JjZJqixgSTolMT1n+HG4uM +tnBqBiEBVwBxEqaohla/rHR5joZCdcDN8xq0yeTQyLH9 +-----END RSA PRIVATE KEY----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index f9a536681..0f8e29345 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -42,6 +42,10 @@ X509 Certificate information SHA512 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" +X509 Certificate information RSA-PSS, SHA1 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS\nRSA key size \: 1024 bits\n" + X509 Certificate information EC, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C x509_cert_info:"data_files/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n" From d9fd87be3368ad9a393e571cdee1c0b41b55736e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 23 Jan 2014 16:24:44 +0100 Subject: [PATCH 02/10] Start parsing RSASSA-PSS parameters --- include/polarssl/x509.h | 2 + library/x509.c | 86 ++++++++++++++++++++++++++ library/x509_crt.c | 31 ++++++++++ tests/suites/test_suite_x509parse.data | 2 +- 4 files changed, 120 insertions(+), 1 deletion(-) diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index c48e00af4..447025528 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h 
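Review bot: The new `x509_cert_info` case for `data_files/server9.crt` declares only `depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C`, although it can pass only when RSASSA-PSS certificate support is compiled in. With the macro commented out, which config.h documents as the intended default, the case would presumably fail instead of being skipped. Suggest `depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_RSASSA_PSS_CERTIFICATES`. The SHA224/SHA256/SHA384/SHA512 cases added to the same file in PATCH 03 have the same gap and probably also need the matching digest module macro (`POLARSSL_SHA256_C` or `POLARSSL_SHA512_C`), since their expected output depends on resolving those hash OIDs.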
@@ -256,6 +256,8 @@ int x509_get_alg_null( unsigned char **p, const unsigned char *end, x509_buf *alg ); int x509_get_alg( unsigned char **p, const unsigned char *end, x509_buf *alg, x509_buf *params ); +int x509_get_rsassa_pss_params( const x509_buf *params, md_type_t *md_alg, + int *salt_len, int *trailer_field ); int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ); int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, pk_type_t *pk_alg ); diff --git a/library/x509.c b/library/x509.c index 80390ae73..7928eea84 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -132,6 +132,92 @@ int x509_get_alg( unsigned char **p, const unsigned char *end, return( 0 ); } +/* + * RSASSA-PSS-params ::= SEQUENCE { + * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, + * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier, + * saltLength [2] INTEGER DEFAULT 20, + * trailerField [3] INTEGER DEFAULT 1 } + * -- Note that the tags in this Sequence are explicit. + */ +int x509_get_rsassa_pss_params( const x509_buf *params, + md_type_t *md_alg, + int *salt_len, + int *trailer_field ) +{ + int ret; + unsigned char *p; + const unsigned char *end; + size_t len; + x509_buf alg_id; + + /* First set everything to defaults */ + *md_alg = POLARSSL_MD_SHA1; + *salt_len = 20; + *trailer_field = 1; + + /* Make sure params is a SEQUENCE and setup bounds */ + if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); + + p = (unsigned char *) params->p; + end = p + params->len; + + if( p == end ) + return( 0 ); + + if( ( ret = asn1_get_tag( &p, end, &len, + ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 ) + { + /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */ + // TODO: WIP + } + else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( ( ret = asn1_get_tag( &p, end, &len, + ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 ) + { + /* MaskGenAlgorithm ::= AlgorithmIdentifier */ + // TODO: WIP + } + else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p == end ) + return( 0 ); + + if( ( ret = asn1_get_tag( &p, end, &len, + ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 ) + { + /* salt_len */ + if( ( ret = asn1_get_int( &p, p + len, salt_len ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + } + else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p == end ) + 
return( 0 ); + + if( ( ret = asn1_get_tag( &p, end, &len, + ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 ) + { + /* trailer_field */ + if( ( ret = asn1_get_int( &p, p + len, trailer_field ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + } + else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p != end ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); + + return( 0 ); +} + /* * AttributeTypeAndValue ::= SEQUENCE { * type AttributeType, diff --git a/library/x509_crt.c b/library/x509_crt.c index 70c24f3b4..9a37f1a37 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -617,6 +617,22 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, return( ret ); } + if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + int salt_len, trailer_field; + + if( ( ret = x509_get_rsassa_pss_params( &crt->sig_params, + &crt->sig_md, &salt_len, &trailer_field ) ) != 0 ) + return( ret ); + } + else + { + /* Make sure parameters were absent or NULL */ + if( ( crt->sig_params.tag != ASN1_NULL && crt->sig_params.tag != 0 ) || + crt->sig_params.len != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG ); + } + /* * issuer Name */ @@ -1166,6 +1182,21 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "%s", desc ); SAFE_SNPRINTF(); + if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + md_type_t md_alg; + int salt_len, trailer_field; + + if( ( ret = x509_get_rsassa_pss_params( &crt->sig_params, + &md_alg, &salt_len, &trailer_field ) ) != 0 ) + return( ret ); + + // TODO: SHA1 harcoded twice (WIP) + ret = snprintf( p, n, " (SHA1, MGF1-SHA1, %d, %d)", + salt_len, trailer_field ); + SAFE_SNPRINTF(); + } + if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &crt->pk ) ) ) != 0 ) { diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 0f8e29345..5f0a9d8c1 100644 
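Review bot: `salt_len` and `trailer_field` are handed back exactly as decoded in x509_get_rsassa_pss_params, with no validation of either value. RFC 4055 defines only trailerField 1, so any other value describes a signature encoding this code cannot verify and should be rejected at parse time rather than carried forward; suggest `if( *trailer_field != 1 ) return( POLARSSL_ERR_X509_INVALID_ALG );` after the `[3]` branch. A negative or implausibly large `salt_len` should likewise be refused before a verifier consumes it, unless asn1_get_int already guarantees a non-negative result (not visible in this hunk).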
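Review bot: Both new failure exits in the `@@ -617,6 +617,22` hunk of x509_crt_parse_der_core, `return( ret );` after x509_get_rsassa_pss_params and `return( POLARSSL_ERR_X509_INVALID_ALG );` in the else branch, leave without calling `x509_crt_free( crt )`. The other error paths of this function shown in PATCH 01 free the certificate before returning, so these two are inconsistent and, unless every caller frees on failure, leak whatever was allocated earlier in the parse and leave a half-initialised `crt` behind. Suggest `{ x509_crt_free( crt ); return( ret ); }` in the first and the equivalent in the second. The `return( ret );` kept by the `@@ -620,9 +620,12` hunk of PATCH 03 needs the same change; the function body starts and ends outside the hunk.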
--- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -44,7 +44,7 @@ x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \ X509 Certificate information RSA-PSS, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C -x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS\nRSA key size \: 1024 bits\n" +x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 234, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information EC, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C From 3c1e8b539c7740599bf821fe337d82766d4eb60f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 23 Jan 2014 19:15:29 +0100 Subject: [PATCH 03/10] Finish parsing RSASSA-PSS parameters --- include/polarssl/asn1.h | 10 ++- include/polarssl/oid.h | 1 + include/polarssl/x509.h | 3 +- library/x509.c | 86 +++++++++++++++++++++++--- library/x509_crt.c | 20 ++++-- tests/data_files/server9-sha224.crt | 20 ++++++ tests/data_files/server9-sha256.crt | 20 ++++++ tests/data_files/server9-sha384.crt | 20 ++++++ tests/data_files/server9-sha512.crt | 20 ++++++ tests/suites/test_suite_x509parse.data | 18 +++++- 10 files changed, 199 insertions(+), 19 deletions(-) create mode 100644 tests/data_files/server9-sha224.crt create mode 100644 tests/data_files/server9-sha256.crt create mode 100644 tests/data_files/server9-sha384.crt create mode 100644 tests/data_files/server9-sha512.crt 
diff --git a/include/polarssl/asn1.h b/include/polarssl/asn1.h index 45fd6cd87..7dc591e9c 100644 --- a/include/polarssl/asn1.h +++ b/include/polarssl/asn1.h @@ -93,9 +93,13 @@ /** Returns the size of the binary string, without the trailing \\0 */ #define OID_SIZE(x) (sizeof(x) - 1) -/** Compares two asn1_buf structures for the same OID. Only works for - * 'defined' oid_str values (OID_HMAC_SHA1), you cannot use a 'unsigned - * char *oid' here! +/** + * Compares an asn1_buf structure to a reference OID. + * + * Only works for 'defined' oid_str values (OID_HMAC_SHA1), you cannot use a + * 'unsigned char *oid' here! + * + * Warning: returns true when the OIDs are equal (unlike memcmp)! */ #define OID_CMP(oid_str, oid_buf) \ ( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \ diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h index 669ad537f..5f20b5604 100644 --- a/include/polarssl/oid.h +++ b/include/polarssl/oid.h @@ -195,6 +195,7 @@ /* RFC 4055 */ #define OID_RSASSA_PSS OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */ +#define OID_MGF1 OID_PKCS1 "\x08" /**< id-mgf1 ::= { pkcs-1 8 } */ /* * Digest algorithms diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 447025528..36f19b071 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -256,7 +256,8 @@ int x509_get_alg_null( unsigned char **p, const unsigned char *end, x509_buf *alg ); int x509_get_alg( unsigned char **p, const unsigned char *end, x509_buf *alg, x509_buf *params ); -int x509_get_rsassa_pss_params( const x509_buf *params, md_type_t *md_alg, +int x509_get_rsassa_pss_params( const x509_buf *params, + md_type_t *md_alg, md_type_t *mgf_md, int *salt_len, int *trailer_field ); int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ); int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, diff --git a/library/x509.c b/library/x509.c index 7928eea84..2f7d32c8e 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -132,6 +132,62 @@ int x509_get_alg( unsigned char **p, const unsigned char *end, return( 0 ); } +/* + * HashAlgorithm ::= AlgorithmIdentifier + * + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL } + * + * For HashAlgorithm, parameters MUST be NULL or absent. + */ +static int x509_get_hash_alg( const x509_buf *alg, md_type_t *md_alg ) +{ + int ret; + unsigned char *p; + const unsigned char *end; + x509_buf md_oid; + size_t len; + + /* Make sure we got a SEQUENCE and setup bounds */ + if( alg->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); + + p = (unsigned char *) alg->p; + end = p + alg->len; + + if( p >= end ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_OUT_OF_DATA ); + + /* Parse md_oid */ + md_oid.tag = *p; + + if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + md_oid.p = p; + p += md_oid.len; + + /* Get md_alg from md_oid */ + if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + /* Make sure params is absent of NULL */ + if( p == end ) + return( 0 ); + + if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p != end ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); + + return( 0 ); +} + /* * RSASSA-PSS-params ::= SEQUENCE { * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, 
@@ -141,18 +197,18 @@ int x509_get_alg( unsigned char **p, const unsigned char *end, * -- Note that the tags in this Sequence are explicit. */ int x509_get_rsassa_pss_params( const x509_buf *params, - md_type_t *md_alg, - int *salt_len, - int *trailer_field ) + md_type_t *md_alg, md_type_t *mgf_md, + int *salt_len, int *trailer_field ) { int ret; unsigned char *p; const unsigned char *end; size_t len; - x509_buf alg_id; + x509_buf alg_id, alg_params; /* First set everything to defaults */ *md_alg = POLARSSL_MD_SHA1; + *mgf_md = POLARSSL_MD_SHA1; *salt_len = 20; *trailer_field = 1; @@ -170,8 +226,12 @@ int x509_get_rsassa_pss_params( const x509_buf *params, if( ( ret = asn1_get_tag( &p, end, &len, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 ) { - /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */ - // TODO: WIP + /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */ + if( ( ret = x509_get_alg_null( &p, p + len, &alg_id ) ) != 0 ) + return( ret ); + + if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG + ret ); } else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); @@ -179,8 +239,18 @@ int x509_get_rsassa_pss_params( const x509_buf *params, if( ( ret = asn1_get_tag( &p, end, &len, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 ) { - /* MaskGenAlgorithm ::= AlgorithmIdentifier */ - // TODO: WIP + /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */ + if( ( ret = x509_get_alg( &p, p + len, &alg_id, &alg_params ) ) != 0 ) + return( ret ); + + /* Only MFG1 is recognised for now */ + if( ! OID_CMP( OID_MGF1, &alg_id ) ) + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE + + POLARSSL_ERR_OID_NOT_FOUND ); + + /* Parse HashAlgorithm */ + if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 ) + return( ret ); } else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); 
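Review bot: After the `[0]` hashAlgorithm branch in the `@@ -170,8 +226,12` hunk there is no `if( p == end ) return( 0 );` before the `[1]` maskGenAlgorithm lookup, although the function has that early return before `[0]`, `[2]` and `[3]`. Parameters that carry only hashAlgorithm and rely on the defaults for the rest therefore reach `asn1_get_tag` with an empty range. If that call reports an out-of-data error rather than `POLARSSL_ERR_ASN1_UNEXPECTED_TAG`, such valid parameters are rejected with `POLARSSL_ERR_X509_INVALID_ALG + ret`. Suggest adding `if( p == end ) return( 0 );` directly after the `[0]` branch's `else if`, and a test certificate that sets only hashAlgorithm. x509_get_rsassa_pss_params starts and ends outside the hunk.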
diff --git a/library/x509_crt.c b/library/x509_crt.c index 9a37f1a37..1447689c8 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -620,9 +620,12 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) { int salt_len, trailer_field; + md_type_t mgf_md; - if( ( ret = x509_get_rsassa_pss_params( &crt->sig_params, - &crt->sig_md, &salt_len, &trailer_field ) ) != 0 ) + /* Make sure params are valid */ + ret = x509_get_rsassa_pss_params( &crt->sig_params, + &crt->sig_md, &mgf_md, &salt_len, &trailer_field ); + if( ret != 0 ) return( ret ); } else @@ -1184,15 +1187,20 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) { - md_type_t md_alg; + md_type_t md_alg, mgf_md; + const md_info_t *md_info, *mgf_md_info; int salt_len, trailer_field; if( ( ret = x509_get_rsassa_pss_params( &crt->sig_params, - &md_alg, &salt_len, &trailer_field ) ) != 0 ) + &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) return( ret ); - // TODO: SHA1 harcoded twice (WIP) - ret = snprintf( p, n, " (SHA1, MGF1-SHA1, %d, %d)", + md_info = md_info_from_type( md_alg ); + mgf_md_info = md_info_from_type( mgf_md ); + + ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", + md_info ? md_info->name : "???", + mgf_md_info ? mgf_md_info->name : "???", salt_len, trailer_field ); SAFE_SNPRINTF(); } diff --git a/tests/data_files/server9-sha224.crt b/tests/data_files/server9-sha224.crt new file mode 100644 index 000000000..1b05f313a --- /dev/null +++ b/tests/data_files/server9-sha224.crt 
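Review bot: In the `@@ -1184,15 +1187,20` hunk the format `0x%02X` is fed `salt_len`, which is an `int`, while `%X` expects an `unsigned int`. The mismatch is harmless for the small positive values in the test data, but a negative value from malformed parameters would print as a large hex number. Suggest passing `(unsigned int) salt_len`, or keeping `%d` as in the previous revision, so the printed value matches what was parsed.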
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBFzA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIwOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTczNloXDTI0MDExODEzNTczNlowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBADJExjfWWvL28lgj+GGgviqo
+PHZLxI0pLQUnFJQ9Kpu6jxfICseBF00Z6BJE/RcYDpIie5GDt/8u/i6xB6Li29Pm
+g5nANgd/Y3fFnW7d0ydVjiSnetlPuf/jTlWQl6mQTH2xqYu8J8d3JRxQdRiDYbVm
+uywW2d6rksiqm6dPD5l4A5DcemcYo8f/1Ifj5WNDCV8/OHex+AnW2ccDvWAnVgSR
+B2VpOXJzVFuBsuf4tGVm/2TUMSB6NcvFc6TeJk1kzbZxii4QjKXtH1SfrVP59iEe
+l17NYAEWARjBpQWBiutRG+QM2et0sNiUBuWxTkvd0eSgencNysVAOsZqrqaX3CY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha256.crt b/tests/data_files/server9-sha256.crt
new file mode 100644
index 000000000..7d0aa3956
--- /dev/null
+++ b/tests/data_files/server9-sha256.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBGDA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTc0NVoXDTI0MDExODEzNTc0NVowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAH0+knqkcLaxeDkenBQgd4Qg
+3ZyAhtpiLU689mw+3cXB/uzFrCIxEL5aGh1eSj+DszB+FtsZ06ux7JVQqVOA2Wm9
+yLxC6wF8OOYj0nBa91BWLhRAHLhmIdWsVk7Hl9KojZd4TwV2N+ZEV/BLxyoRvK4H
+V4xCpzgDSiTPe8Etk4r+0akbr6bsOUBayPb7MGLHubZKq8NsFAmmynp+fPmHd3SE
+0ooJdiZ1MmKPKLE5Og/hXCI8qeiXQUR6oQ7b2XONsrI2HIj2SA9dA5qmHwE5PbMu
+zqxQ3R83boqLXbkFORn+UiYLmffqdoWuNy00BHMCrxRA9DUv+WyN4npLMF8rOJw=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha384.crt b/tests/data_files/server9-sha384.crt
new file mode 100644
index 000000000..aaa63e6ed
--- /dev/null
+++ b/tests/data_files/server9-sha384.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBGTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4wOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTc1OFoXDTI0MDExODEzNTc1OFowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBABf8Gyq2VYuN1EBW1nOapDQp
+B/KuafNW2GEJ7FmQKNyA7MIj1Yqo2MtJ6/OQojRQ3F5rnO4yjmvIPsXeQaMxJBiI
+aaoAlLpH++F+oXMq/0aS0WSZrSLrsh2Fpay9cBDGwek2rDOX9kM+ZcPzGitVwWKX
+TnOW22hpcl7u95CpZH+JZTcto5nL3tTyV9pIy+tSKQQfjPB+G0TAZCsOkbCGPLug
+qdjvqFQwOf15VxQMj7NRiXjlqJvsx+I7B2AIhrs4DzQMEyiWq9S/PzpQuFU5v/Kg
+s2iMLJ5ygv5aN3PYqGlE1ZmvgyRp5h/LaTGI2L6lzRTnecOhtPv30N2tyaDAEfo=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server9-sha512.crt b/tests/data_files/server9-sha512.crt
new file mode 100644
index 000000000..a211b921d
--- /dev/null
+++ b/tests/data_files/server9-sha512.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBGjA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6Ea
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4wOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTgxMloXDTI0MDExODEzNTgxMlowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6EaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBACdVozFq6rUiXo+ib5Y2oPsR
+6xxl4Ydn3LpUoYrPpTOrhcXJWW/tOLHGuCF/mSRfUzKaMIfL418cZHYnvumvuttu
+6z3tp5E1VsiZCU2MWJnzjKSxFBOss43AmpJHHoapGFZu2pxObBPqegAKHYkKWOLk
+tJDj47PurWgEek9j1nL7Pc1tVf59fm/ySp4fWkXLLvQiKid1516VioLyacUvK3zU
+6Egz8jMt7D5c9KpaExLRTANVsThqO5/dmR36bOwm3Hpbde7DNdgxru41tiLMqJs/
+5pX3ceaJ1XQ/l0idj5/9ipvqHHUguyk7H22HwQHQdSD9oIha8kEM3P6CjpfE7yY=
+-----END CERTIFICATE-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 5f0a9d8c1..a1c008e19 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -44,7 +44,23 @@ x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \ X509 Certificate information RSA-PSS, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C -x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 234, 1)\nRSA key size \: 1024 bits\n" +x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA, 1)\nRSA key size \: 1024 bits\n" + +X509 Certificate information RSA-PSS, SHA224 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +x509_cert_info:"data_files/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2, 1)\nRSA key size \: 1024 bits\n" + +X509 Certificate information RSA-PSS, SHA256 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +x509_cert_info:"data_files/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE, 1)\nRSA key size \: 1024 bits\n" + +X509 Certificate information RSA-PSS, SHA384 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +x509_cert_info:"data_files/server9-sha384.crt":"cert. 
version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE, 1)\nRSA key size \: 1024 bits\n" + +X509 Certificate information RSA-PSS, SHA512 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +x509_cert_info:"data_files/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information EC, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C From b7de86d834c8b3122a18e24627a9307f7a4c2972 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 14:15:20 +0100 Subject: [PATCH 04/10] More checks for length match in rsassa-pss params --- library/x509.c | 53 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 45 insertions(+), 8 deletions(-) diff --git a/library/x509.c b/library/x509.c index 2f7d32c8e..e9dc68084 100644 --- a/library/x509.c +++ b/library/x509.c @@ -178,7 +178,7 @@ static int x509_get_hash_alg( const x509_buf *alg, md_type_t *md_alg ) if( p == end ) return( 0 ); - if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 ) + if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 || len != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); if( p != end ) @@ -202,7 +202,7 @@ int x509_get_rsassa_pss_params( const x509_buf *params, { int ret; unsigned char *p; - const unsigned char *end; + const unsigned char *end, *end2; size_t len; x509_buf alg_id, alg_params; 
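Review bot: In the `@@ -178,7 +178,7 @@` hunk of x509_get_hash_alg, a NULL element with a non-zero length is now rejected, but `ret` is 0 on that path, so the caller gets a bare `POLARSSL_ERR_X509_INVALID_ALG` with no ASN.1 reason. The length checks added later in this patch do attach one, so for consistency I would keep the `asn1_get_tag` test as it was and follow it with `if( len != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_INVALID_LENGTH );`. The function starts and ends outside the hunk.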
@@ -223,24 +223,41 @@ int x509_get_rsassa_pss_params( const x509_buf *params, if( p == end ) return( 0 ); + /* + * HashAlgorithm + */ if( ( ret = asn1_get_tag( &p, end, &len, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 ) { + end2 = p + len; + /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */ - if( ( ret = x509_get_alg_null( &p, p + len, &alg_id ) ) != 0 ) + if( ( ret = x509_get_alg_null( &p, end2, &alg_id ) ) != 0 ) return( ret ); if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p != end2 ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); } else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + if( p == end ) + return( 0 ); + + /* + * MaskGenAlgorithm + */ if( ( ret = asn1_get_tag( &p, end, &len, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 ) { + end2 = p + len; + /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */ - if( ( ret = x509_get_alg( &p, p + len, &alg_id, &alg_params ) ) != 0 ) + if( ( ret = x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 ) return( ret ); /* Only MFG1 is recognised for now */ @@ -251,6 +268,10 @@ int x509_get_rsassa_pss_params( const x509_buf *params, /* Parse HashAlgorithm */ if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 ) return( ret ); + + if( p != end2 ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); } else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); 
@@ -258,12 +279,20 @@ int x509_get_rsassa_pss_params( const x509_buf *params, if( p == end ) return( 0 ); + /* + * salt_len + */ if( ( ret = asn1_get_tag( &p, end, &len, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 ) { - /* salt_len */ - if( ( ret = asn1_get_int( &p, p + len, salt_len ) ) != 0 ) + end2 = p + len; + + if( ( ret = asn1_get_int( &p, end2, salt_len ) ) != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p != end2 ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); } else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); @@ -271,12 +300,20 @@ int x509_get_rsassa_pss_params( const x509_buf *params, if( p == end ) return( 0 ); + /* + * trailer_field + */ if( ( ret = asn1_get_tag( &p, end, &len, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 ) { - /* trailer_field */ - if( ( ret = asn1_get_int( &p, p + len, trailer_field ) ) != 0 ) + end2 = p + len; + + if( ( ret = asn1_get_int( &p, end2, trailer_field ) ) != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); + + if( p != end2 ) + return( POLARSSL_ERR_X509_INVALID_ALG + + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); } else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_X509_INVALID_ALG + ret ); From ce7c6fd43318aecf5085a7a4c0b996029be0185f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 14:37:29 +0100 Subject: [PATCH 05/10] Fix dependencies --- include/polarssl/config.h | 5 +++++ include/polarssl/x509.h | 2 ++ library/x509.c | 2 ++ library/x509_crt.c | 24 +++++++++++++++++------- tests/suites/test_suite_x509parse.data | 10 +++++----- 5 files changed, 31 insertions(+), 12 deletions(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 29ba54f4e..f00a7fc52 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h 
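Review bot: `trailer_field` in the `@@ -271,12 +300,20 @@` hunk now has its length checked, but its value is still not validated. RFC 4055 defines only trailerFieldBC(1), so any other integer should make the parameters invalid rather than be handed back to the caller. After the new `p != end2` check I would add `if( *trailer_field != 1 ) return( POLARSSL_ERR_X509_INVALID_ALG );`. The rest of x509_get_rsassa_pss_params is outside the hunk, so confirm that no later code already rejects it.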
@@ -2102,6 +2102,11 @@ #error "POLARSSL_RSA_C defined, but not all prerequisites" #endif +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) && \ + ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_PKCS1_V21) ) +#error "POLARSSL_RSASSA_PSS_CERTIFICATES defined, but not all prerequisites" +#endif + #if defined(POLARSSL_SSL_PROTO_SSL3) && ( !defined(POLARSSL_MD5_C) || \ !defined(POLARSSL_SHA1_C) ) #error "POLARSSL_SSL_PROTO_SSL3 defined, but not all prerequisites" diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 36f19b071..0ffaca145 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -256,9 +256,11 @@ int x509_get_alg_null( unsigned char **p, const unsigned char *end, x509_buf *alg ); int x509_get_alg( unsigned char **p, const unsigned char *end, x509_buf *alg, x509_buf *params ); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) int x509_get_rsassa_pss_params( const x509_buf *params, md_type_t *md_alg, md_type_t *mgf_md, int *salt_len, int *trailer_field ); +#endif int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ); int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, pk_type_t *pk_alg ); diff --git a/library/x509.c b/library/x509.c index e9dc68084..1a5f98a1b 100644 --- a/library/x509.c +++ b/library/x509.c @@ -132,6 +132,7 @@ int x509_get_alg( unsigned char **p, const unsigned char *end, return( 0 ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) /* * HashAlgorithm ::= AlgorithmIdentifier * @@ -324,6 +325,7 @@ int x509_get_rsassa_pss_params( const x509_buf *params, return( 0 ); } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ /* * AttributeTypeAndValue ::= SEQUENCE { diff --git a/library/x509_crt.c b/library/x509_crt.c index 1447689c8..dc71c1405 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c 
@@ -596,7 +596,7 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 || ( ret = x509_get_alg( &p, end, &crt->sig_oid1, - &crt->sig_params ) ) != 0 ) + &sig_params ) ) != 0 ) { x509_crt_free( crt ); return( ret ); @@ -617,22 +617,26 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, return( ret ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) { int salt_len, trailer_field; md_type_t mgf_md; /* Make sure params are valid */ - ret = x509_get_rsassa_pss_params( &crt->sig_params, + ret = x509_get_rsassa_pss_params( &sig_params, &crt->sig_md, &mgf_md, &salt_len, &trailer_field ); if( ret != 0 ) return( ret ); + + memcpy( &crt->sig_params, &sig_params, sizeof( x509_buf ) ); } else +#endif { - /* Make sure parameters were absent or NULL */ - if( ( crt->sig_params.tag != ASN1_NULL && crt->sig_params.tag != 0 ) || - crt->sig_params.len != 0 ) + /* Make sure parameters are absent or NULL */ + if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || + sig_params.len != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG ); } @@ -763,9 +767,13 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, } if( crt->sig_oid1.len != crt->sig_oid2.len || - memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 || + memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + || crt->sig_params.len != sig_params.len || - memcmp( crt->sig_params.p, sig_params.p, sig_params.len ) != 0 ) + memcmp( crt->sig_params.p, sig_params.p, sig_params.len ) != 0 +#endif + ) { x509_crt_free( crt ); return( POLARSSL_ERR_X509_SIG_MISMATCH ); 
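Review bot: The two early returns in the `@@ -617,22 +617,26 @@` hunk leave without calling `x509_crt_free( crt )`: `if( ret != 0 ) return( ret );` after x509_get_rsassa_pss_params, and `return( POLARSSL_ERR_X509_INVALID_ALG );` in the else arm. The failure path in the `@@ -596,7 +596,7 @@` hunk just above does free first. A malformed signature algorithm in an untrusted certificate would exit with `crt` partly populated, which looks like a leak unless the caller cleans up (the caller is outside the hunk). I would write `if( ret != 0 ) { x509_crt_free( crt ); return( ret ); }` and do the same in the else arm. x509_crl.c `@@ -394,6 +398,29 @@` has the same two returns without `x509_crl_free( crl )`.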
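Review bot: The outer signatureAlgorithm parameters in the `@@ -763,9 +767,13 @@` hunk are compared only when POLARSSL_RSASSA_PSS_CERTIFICATES is defined, so a build without it accepts whatever parameters the second AlgorithmIdentifier carries. In x509_crl.c `@@ -478,14 +505,20 @@` this is a visible loosening, since the call changes from x509_get_alg_null to x509_get_alg. An `#else` arm such as `|| ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || sig_params.len != 0` would keep the absent-or-NULL rule for that build. With the option enabled, `crt->sig_params` is filled only in the RSASSA-PSS branch and the tag is never compared, so for other algorithms the check presumably relies on the struct having been zeroed and may hand `memcmp` a null pointer with length 0. Copying `sig_params` in both branches and comparing `.tag` as well would make the match explicit.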
@@ -1185,6 +1193,7 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "%s", desc ); SAFE_SNPRINTF(); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) { md_type_t md_alg, mgf_md; @@ -1204,6 +1213,7 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, salt_len, trailer_field ); SAFE_SNPRINTF(); } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &crt->pk ) ) ) != 0 ) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a1c008e19..5e6afcaa2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -43,23 +43,23 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" X509 Certificate information RSA-PSS, SHA1 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA224 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C x509_cert_info:"data_files/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA256 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C x509_cert_info:"data_files/server9-sha256.crt":"cert. 
version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA384 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C x509_cert_info:"data_files/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA512 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C x509_cert_info:"data_files/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information EC, SHA1 Digest From 5eeb32b55260b7dddb84957b4726205048a7e099 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 15:56:20 +0100 Subject: [PATCH 06/10] Parse CRLs signed with RSASSA-PSS --- include/polarssl/x509_crl.h | 3 ++ library/x509_crl.c | 61 +++++++++++++++++++++++-- tests/data_files/crl-rsa-pss-sha1.pem | 14 ++++++ tests/data_files/crl-rsa-pss-sha224.pem | 16 +++++++ tests/data_files/crl-rsa-pss-sha256.pem | 16 +++++++ tests/data_files/crl-rsa-pss-sha384.pem | 16 +++++++ tests/data_files/crl-rsa-pss-sha512.pem | 16 +++++++ tests/suites/test_suite_x509parse.data | 20 ++++++++ 8 files changed, 159 insertions(+), 3 deletions(-) create mode 100644 tests/data_files/crl-rsa-pss-sha1.pem create mode 100644 tests/data_files/crl-rsa-pss-sha224.pem create mode 100644 tests/data_files/crl-rsa-pss-sha256.pem create mode 100644 tests/data_files/crl-rsa-pss-sha384.pem create mode 100644 tests/data_files/crl-rsa-pss-sha512.pem diff --git a/include/polarssl/x509_crl.h b/include/polarssl/x509_crl.h index 0c79916af..14f648fd4 100644 --- a/include/polarssl/x509_crl.h +++ b/include/polarssl/x509_crl.h @@ -89,6 +89,9 @@ typedef struct _x509_crl x509_buf sig; md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */ pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + x509_buf sig_params; /**< Parameters for the signature algorithm */ +#endif struct _x509_crl *next; } diff --git a/library/x509_crl.c b/library/x509_crl.c index 60a54f2e7..c8c51fbcb 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -250,11 +250,15 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen ) size_t len; unsigned char *p, *end; x509_crl *crl; + x509_buf sig_params; + #if defined(POLARSSL_PEM_PARSE_C) size_t use_len; pem_context pem; #endif + memset( &sig_params, 0, sizeof( x509_buf ) ); + crl = chain; /* 
@@ -373,7 +377,7 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen ) * signature AlgorithmIdentifier */ if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 || - ( ret = x509_get_alg_null( &p, end, &crl->sig_oid1 ) ) != 0 ) + ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params ) ) != 0 ) { x509_crl_free( crl ); return( ret ); @@ -394,6 +398,29 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen ) return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( crl->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + int salt_len, trailer_field; + md_type_t mgf_md; + + /* Make sure params are valid */ + ret = x509_get_rsassa_pss_params( &sig_params, + &crl->sig_md, &mgf_md, &salt_len, &trailer_field ); + if( ret != 0 ) + return( ret ); + + memcpy( &crl->sig_params, &sig_params, sizeof( x509_buf ) ); + } + else +#endif + { + /* Make sure parameters are absent or NULL */ + if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || + sig_params.len != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG ); + } + /* * issuer Name */ @@ -478,14 +505,20 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen ) * signatureAlgorithm AlgorithmIdentifier, * signatureValue BIT STRING */ - if( ( ret = x509_get_alg_null( &p, end, &crl->sig_oid2 ) ) != 0 ) + if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params ) ) != 0 ) { x509_crl_free( crl ); return( ret ); } if( crl->sig_oid1.len != crl->sig_oid2.len || - memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ) + memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + || + crl->sig_params.len != sig_params.len || + memcmp( crl->sig_params.p, sig_params.p, sig_params.len ) != 0 +#endif + ) { x509_crl_free( crl ); return( POLARSSL_ERR_X509_SIG_MISMATCH ); 
@@ -675,6 +708,28 @@ int x509_crl_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "%s", desc ); SAFE_SNPRINTF(); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( crl->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + md_type_t md_alg, mgf_md; + const md_info_t *md_info, *mgf_md_info; + int salt_len, trailer_field; + + if( ( ret = x509_get_rsassa_pss_params( &crl->sig_params, + &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) + return( ret ); + + md_info = md_info_from_type( md_alg ); + mgf_md_info = md_info_from_type( mgf_md ); + + ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", + md_info ? md_info->name : "???", + mgf_md_info ? mgf_md_info->name : "???", + salt_len, trailer_field ); + SAFE_SNPRINTF(); + } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ + ret = snprintf( p, n, "\n" ); SAFE_SNPRINTF(); diff --git a/tests/data_files/crl-rsa-pss-sha1.pem b/tests/data_files/crl-rsa-pss-sha1.pem new file mode 100644 index 000000000..59ca4f703 --- /dev/null +++ b/tests/data_files/crl-rsa-pss-sha1.pem @@ -0,0 +1,14 @@ +-----BEGIN X509 CRL----- +MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx +ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBFw0x +NDAxMjAxMzQ2MzVaFw0yNDAxMTgxMzQ2MzVaMCgwEgIBChcNMTMwOTI0MTYyODM4 +WjASAgEWFw0xNDAxMjAxMzQzMDVaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5 +1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM +MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQC +AgDqA4IBAQB8ZBX0BEgRcx0lfk1ctELRu1AYoJ5BnsmQpq23Ca4YIP2yb2kTN1ZS +4fR4SgYcNctgo2JJiNiUkCu1ZnRUOJUy8UlEio0+aeumTNz6CbeJEDhr5NC3oiV0 +MzvLn9rJVLPetOT9UrvvIy8iz5Pn1d8mu5rkt9BKQRq9NQx8riKnSIoTc91NLCMo +mkCCB55DVbazODSWK19e6yQ0JS454RglOsqRtLJ/EDbi6lCsLXotFt3GEGMrob1O +7Qck1Z59boaHxGYFEVnx90+4M3/qikVtwZdcBjLEmfuwYvszFw8J2y6Xwmg/HtUa +y6li0JzWNHtkKUlCv2+SESZbD3NU8GQZ +-----END X509 CRL----- 
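Review bot: In the `@@ -675,6 +708,28 @@` hunk of x509_crl_info, `salt_len` is an `int` but is printed with `0x%02X`, which expects an `unsigned int`. I would pass `(unsigned int) salt_len` so the argument matches the conversion. x509_crt_info presumably formats the value the same way, but its format string is outside the hunks shown for x509_crt.c.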
diff --git a/tests/data_files/crl-rsa-pss-sha224.pem b/tests/data_files/crl-rsa-pss-sha224.pem new file mode 100644 index 000000000..a51d5d911 --- /dev/null +++ b/tests/data_files/crl-rsa-pss-sha224.pem @@ -0,0 +1,16 @@ +-----BEGIN X509 CRL----- +MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgShGjAYBgkq +hkiG9w0BAQgwCwYJYIZIAWUDBAIEogQCAgDiMDsxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw +MTM1NjA2WhcNMjQwMTE4MTM1NjA2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB +FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r +PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG +A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG +SAFlAwQCBKEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBAEJI +i9sQOzMvvOTksN48+X+kk/wkLMKRGI222lqU6y6tP1LX3OE/+KN8gPXR+lCC+e0v +TsRTJkpKEcmHZoP/8kOtZnLb9PdITKGMQnZ+dmn5MFEzZI/zyrYWuJTuK1Q83w0e +Mc88cAhu8i4PTk/WnsWDphK1Q2YRupmmwWSUpp1Z2rpR+YSCedC01TVrtSUJUBw9 +NSqKDhyWYJIbS6/bFaERswC8xlMRhyLHUvikjmAK36TbIdhTnEffHOPW75sEOEEB +f0A3VtlZ7y5yt2/a6vOauJCivxKt/PutdHfBqH43QQmoVLWC2FmT9ADTJwcsZB3D +a6JSqCIMRCQY2JOUn0A= +-----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha256.pem b/tests/data_files/crl-rsa-pss-sha256.pem new file mode 100644 index 000000000..f16a49118 --- /dev/null +++ b/tests/data_files/crl-rsa-pss-sha256.pem 
@@ -0,0 +1,16 @@ +-----BEGIN X509 CRL----- +MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgGhGjAYBgkq +hkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeMDsxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw +MTM1NjE2WhcNMjQwMTE4MTM1NjE2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB +FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r +PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG +A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG +SAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAEZ4 +oqp9i5eXrN6aCSTaU1j07MVTFW/U1jQAq6GseB6bEvoEXFMUHJsgAObqCK9flfEC +FEqXqWSo33hhPU7AKKttbDLjUYRNnQAPRUnRIl1/a1+UjqgKchWWD9ityeW8ICxo +IdATX9reYmPDLIMqTC7zuflYkvrvdEOuBORQP5mn4j8t84MSQF/p4qzaU0XxLo4X +ckzZCcHpa45AApCDjJMd9onhFVCYsykiYrF9NQFO8TI4lQ5jv79GoufEzvhY1SPB +r1xz4sMpfyaoPaa3SM2/nD65E5jzXell2u2VWNGKv4zAQP0E5yGel+1rklBltadb +XLdJyyak33CLBKu+nJc= +-----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha384.pem b/tests/data_files/crl-rsa-pss-sha384.pem new file mode 100644 index 000000000..50f7e4cd2 --- /dev/null +++ b/tests/data_files/crl-rsa-pss-sha384.pem 
@@ -0,0 +1,16 @@ +-----BEGIN X509 CRL----- +MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAYBgkq +hkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgDOMDsxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw +MTM1NjI4WhcNMjQwMTE4MTM1NjI4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB +FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r +PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG +A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG +SAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBAAco +SntUGDLBOAu0IIZaVea5Nt1NMsMcppC0hWPuH1LKAwyUODBqpT+0+AuALK0eIdYR +a7mAB+cv2fFwmwxnQWJ1Fvx4ft/N2AAfB83VRKpSo3xR8bxloHfTWKmyxJHmH9j1 +EYmLS86rj3Nhjf4m/YlQQ3Im5HwOgSgBOE8glq5D+0Wmsi9LsNEZXEzMw7TMUgbs +y9o/ghYF/shKU4mewK3DeM9gQiTcH5A4ISXR87hBQ08AKJRAG1CLvTyzqWiUUY+k +q8iZDYF17sHrPi2yn8q9c4zdxiaWDGDdL0Lh90wXGTAageoGEq25TMuL5FpX+u1u +KUH/xf1jEnNzbYNGiZw= +-----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha512.pem b/tests/data_files/crl-rsa-pss-sha512.pem new file mode 100644 index 000000000..0f1d6510b --- /dev/null +++ b/tests/data_files/crl-rsa-pss-sha512.pem 
@@ -0,0 +1,16 @@ +-----BEGIN X509 CRL----- +MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgOhGjAYBgkq +hkiG9w0BAQgwCwYJYIZIAWUDBAIDogQCAgC+MDsxCzAJBgNVBAYTAk5MMREwDwYD +VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw +MTM1NjM4WhcNMjQwMTE4MTM1NjM4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB +FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r +PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG +A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG +SAFlAwQCA6EaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBAB9F +ywBfxOjetxNbCFhOYoPY2jvFCFVdlowMGuxEhX/LktqiBXqRc2r5naQSzuHqO8Iq +1zACtiDLri0CvgSHlravBNeY4c2wj//ueFE89tY5pK9E6vZp7cV+RfMx2YfGPAA2 +t7tWZ2rJWzELg8cZ8hpjSwFH7JmgJzjE5gi2gADhBYO6Vv5S3SOgqNjiN1OM31AU +p6GHK5Y1jurF5Zwzs+w3wXoXgpOxxwEC4eiS86c9kNSudwTLvDTU0bYEQE1cF+K0 +sB8QWABFJfuO5kjD2w3rWgmAiOKsZoxd1xrda+WD3JhDXnoVq3oVBIVlWVz6YID8 +enMfMvwScA5AImzu9xA= +-----END X509 CRL----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 5e6afcaa2..e11c77daa 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -130,6 +130,26 @@ X509 CRL Information SHA512 Digest depends_on:POLARSSL_PEM_PARSE_C x509_crl_info:"data_files/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n" +X509 CRL information RSA-PSS, SHA1 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C +x509_crl_info:"data_files/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA, 1)\n" + +X509 CRL information RSA-PSS, SHA224 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C +x509_crl_info:"data_files/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2, 1)\n" + +X509 CRL information RSA-PSS, SHA256 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C +x509_crl_info:"data_files/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 
13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE, 1)\n" + +X509 CRL information RSA-PSS, SHA384 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C +x509_crl_info:"data_files/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE, 1)\n" + +X509 CRL information RSA-PSS, SHA512 Digest +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C +x509_crl_info:"data_files/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE, 1)\n" + X509 CRL Information EC, SHA1 Digest depends_on:POLARSSL_PEM_PARSE_C x509_crl_info:"data_files/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n" From d4fd57dda4573466a9e319e121000e62c739cda9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 17:34:26 +0100 Subject: [PATCH 07/10] Add tests for parsing CSRs --- tests/data_files/server5.req.sha1 | 8 ++++ tests/data_files/server5.req.sha224 | 8 ++++ tests/data_files/server5.req.sha256 | 8 ++++ tests/data_files/server5.req.sha384 | 8 ++++ tests/data_files/server5.req.sha512 | 8 ++++ tests/suites/test_suite_x509parse.data | 48 ++++++++++++++++++++++ tests/suites/test_suite_x509parse.function | 23 +++++++++++ 7 files changed, 111 insertions(+) create mode 100644 tests/data_files/server5.req.sha1 create mode 100644 tests/data_files/server5.req.sha224 create mode 100644 tests/data_files/server5.req.sha256 create mode 100644 tests/data_files/server5.req.sha384 create mode 100644 tests/data_files/server5.req.sha512 diff --git a/tests/data_files/server5.req.sha1 b/tests/data_files/server5.req.sha1 new file mode 100644 index 000000000..1a14a1501 --- /dev/null +++ b/tests/data_files/server5.req.sha1 @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBGDCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ +BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2 +CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN +Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgXgMAkGByqGSM49BAEDSQAwRgIhALSf2Mj3er+ocZCN++aEoIp5PQ9JCkPY +b88ghuTyS7DCAiEA+CnVzNN0I2kpnmKUOUcXxLcjoPaLROgxtubDvKv5ckM= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server5.req.sha224 b/tests/data_files/server5.req.sha224 new file mode 100644 index 000000000..276683410 --- /dev/null +++ b/tests/data_files/server5.req.sha224 
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGDCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
+BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
+CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
+Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
+BAQDAgXgMAoGCCqGSM49BAMBA0gAMEUCIDYaN1m9MRk5mhX1U8aZKd0alyGKWqcR
+oglF2MsIii/2AiEAjFHs8XQ0Q4yDF8oLztCxlq3nAvqmPdQz9T+TkEfh+PA=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server5.req.sha256 b/tests/data_files/server5.req.sha256
new file mode 100644
index 000000000..c59e15f99
--- /dev/null
+++ b/tests/data_files/server5.req.sha256
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBFzCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
+BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
+CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
+Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
+BAQDAgXgMAoGCCqGSM49BAMCA0cAMEQCIGmRFdjjd53oM2Zpt3E5vfqujnA+DHWk
+s9OudcSWBdjmAiA7BAYjGnXyL6ATPqM7qnLVGTf3JMT+1rXl7esBm/0APA==
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server5.req.sha384 b/tests/data_files/server5.req.sha384
new file mode 100644
index 000000000..87556c6c3
--- /dev/null
+++ b/tests/data_files/server5.req.sha384
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBFzCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
+BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
+CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
+Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
+BAQDAgXgMAoGCCqGSM49BAMDA0cAMEQCIDnO+PIPZJGqiky9unvq13uXxahw1bpk
+Zb5NRV0c06Q5AiAo5B49tp3kDN/n0BDNt1BBGLUfhcU+Qn2SQenCyfuGLg==
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server5.req.sha512 b/tests/data_files/server5.req.sha512
new file mode 100644
index 000000000..607741e3e
--- /dev/null
+++ b/tests/data_files/server5.req.sha512
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGDCBvwIBADA0MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxEjAQ
+BgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDfMVtl2
+CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRdXRa9iojCa3cN
+Vc2KKg76Aci07f+gKTAnBgkqhkiG9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0P
+BAQDAgXgMAoGCCqGSM49BAMEA0gAMEUCIQD8xdtluTiBJM50d/WvDeUvPbXOUMlL
+8xEJXU2WOK+RLAIgS8U6Z8tlJpXLEisz/j4gdABG3Y3h4PBJjlpszFisTNo=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index e11c77daa..7a0200335 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -170,6 +170,54 @@ X509 CRL Information EC, SHA512 Digest depends_on:POLARSSL_PEM_PARSE_C x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n" +X509 CSR Information RSA with MD4 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.md4":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD4\nRSA key size \: 2048 bits\n" + +X509 CSR Information RSA with MD5 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n" + +X509 CSR Information RSA with SHA1 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" + +X509 CSR Information RSA with SHA224 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n" + +X509 CSR Information RSA with SHA256 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" + +X509 CSR Information RSA with SHA384 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n" + +X509 CSR Information RSA with SHA512 
+depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" + +X509 CSR Information EC with SHA1 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n" + +X509 CSR Information EC with SHA224 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n" + +X509 CSR Information EC with SHA256 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n" + +X509 CSR Information EC with SHA384 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n" + +X509 CSR Information EC with SHA512 +depends_on:POLARSSL_PEM_PARSE_C +x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n" + X509 Get Distinguished Name #1 depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1" diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index d992c1d18..77e0336ae 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -1,6 +1,7 @@ /* BEGIN_HEADER */ #include #include +#include #include #include 
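Review bot: The new CSR entries in tests/suites/test_suite_x509parse.data list only `POLARSSL_PEM_PARSE_C` in `depends_on`, although each one parses a request whose key type and signature digest need further modules. The RSA cases would presumably need `POLARSSL_RSA_C` plus the matching digest (for example `depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_MD4_C` for the MD4 case), and the EC cases the ECDSA and curve options, so that reduced configurations skip them instead of failing. The neighbouring `X509 Get Distinguished Name #1` entry already names `POLARSSL_RSA_C` in this way.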
@@ -75,6 +76,28 @@ void x509_crl_info( char *crl_file, char *result_str ) } /* END_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CSR_PARSE_C */ +void x509_csr_info( char *csr_file, char *result_str ) +{ + x509_csr csr; + char buf[2000]; + int res; + + x509_csr_init( &csr ); + memset( buf, 0, 2000 ); + + TEST_ASSERT( x509_csr_parse_file( &csr, csr_file ) == 0 ); + res = x509_csr_info( buf, 2000, "", &csr ); + + x509_csr_free( &csr ); + + TEST_ASSERT( res != -1 ); + TEST_ASSERT( res != -2 ); + + TEST_ASSERT( strcmp( buf, result_str ) == 0 ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CRL_PARSE_C */ void x509_verify( char *crt_file, char *ca_file, char *crl_file, char *cn_name_str, int result, int flags_result, From 41cae8e1f937e27386b3033801b88888cfcd40ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 18:47:17 +0100 Subject: [PATCH 08/10] Parse CSRs signed with RSASSA-PSS --- include/polarssl/x509_csr.h | 3 ++ library/x509_csr.c | 48 +++++++++++++++++++++++++- tests/data_files/server9.req.sha1 | 11 ++++++ tests/data_files/server9.req.sha224 | 12 +++++++ tests/data_files/server9.req.sha256 | 12 +++++++ tests/data_files/server9.req.sha384 | 12 +++++++ tests/data_files/server9.req.sha512 | 12 +++++++ tests/suites/test_suite_x509parse.data | 20 +++++++++++ 8 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/server9.req.sha1 create mode 100644 tests/data_files/server9.req.sha224 create mode 100644 tests/data_files/server9.req.sha256 create mode 100644 tests/data_files/server9.req.sha384 create mode 100644 tests/data_files/server9.req.sha512 diff --git a/include/polarssl/x509_csr.h b/include/polarssl/x509_csr.h index 7e3830087..a5c109606 100644 --- a/include/polarssl/x509_csr.h +++ b/include/polarssl/x509_csr.h 
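Review bot: The buffer size in the new `x509_csr_info` test case is written as the literal 2000 in three places (the declaration, the `memset` and the `x509_csr_info()` call), so a later change to one of them can silently disagree with the others. Deriving the other two from the array keeps them tied together: `memset( buf, 0, sizeof( buf ) );` and `res = x509_csr_info( buf, sizeof( buf ), "", &csr );`. This is a style point only; the sizes agree as written.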
@@ -63,6 +63,9 @@ typedef struct _x509_csr x509_buf sig; md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */ pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + x509_buf sig_params; /**< Parameters for the signature algorithm */ +#endif } x509_csr; diff --git a/library/x509_csr.c b/library/x509_csr.c index e45935a53..bb0441d13 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -89,6 +89,7 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) int ret; size_t len; unsigned char *p, *end; + x509_buf sig_params; #if defined(POLARSSL_PEM_PARSE_C) size_t use_len; pem_context pem; @@ -243,7 +244,7 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) * signatureAlgorithm AlgorithmIdentifier, * signature BIT STRING */ - if( ( ret = x509_get_alg_null( &p, end, &csr->sig_oid ) ) != 0 ) + if( ( ret = x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 ) { x509_csr_free( csr ); return( ret ); @@ -256,6 +257,29 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + int salt_len, trailer_field; + md_type_t mgf_md; + + /* Make sure params are valid */ + ret = x509_get_rsassa_pss_params( &sig_params, + &csr->sig_md, &mgf_md, &salt_len, &trailer_field ); + if( ret != 0 ) + return( ret ); + + memcpy( &csr->sig_params, &sig_params, sizeof( x509_buf ) ); + } + else +#endif + { + /* Make sure parameters are absent or NULL */ + if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || + sig_params.len != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG ); + } + if( ( ret = x509_get_sig( &p, end, &csr->sig ) ) != 0 ) { x509_csr_free( csr ); 
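Review bot: In the `@@ -256,6 +257,29 @@` hunk of library/x509_csr.c, the two new early returns (`return( ret );` after `x509_get_rsassa_pss_params()` and `return( POLARSSL_ERR_X509_INVALID_ALG );`) leave `x509_csr_parse()` without calling `x509_csr_free( csr )`, while the other error paths visible around them free the structure first. Signature parameters come from the parsed request, so this path is reachable from untrusted input and should clean up the same way, e.g. `{ x509_csr_free( csr ); return( ret ); }`. The function body starts and ends outside the hunk, so whether callers are expected to free on error is not visible here. PATCH 09/10 later in the series moves this check into `x509_get_sig_alg()`, whose call site does free, but this commit on its own has the gap.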
@@ -382,6 +406,28 @@ int x509_csr_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "%s", desc ); SAFE_SNPRINTF(); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + md_type_t md_alg, mgf_md; + const md_info_t *md_info, *mgf_md_info; + int salt_len, trailer_field; + + if( ( ret = x509_get_rsassa_pss_params( &csr->sig_params, + &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) + return( ret ); + + md_info = md_info_from_type( md_alg ); + mgf_md_info = md_info_from_type( mgf_md ); + + ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", + md_info ? md_info->name : "???", + mgf_md_info ? mgf_md_info->name : "???", + salt_len, trailer_field ); + SAFE_SNPRINTF(); + } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ + if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &csr->pk ) ) ) != 0 ) { diff --git a/tests/data_files/server9.req.sha1 b/tests/data_files/server9.req.sha1 new file mode 100644 index 000000000..b9d005382 --- /dev/null +++ b/tests/data_files/server9.req.sha1 @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBojCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw +EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R +ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX +yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY +mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B +CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBIGCSqGSIb3DQEBCjAFogMC +AWoDgYEA2n8SOoiJCs+YyH2VXoUVxhutdXGP4+7cECakl2mmVEKhxXDMEG7hEFkB +mkk4b1kRNOQHKqUq3crfi0OkMcPGkPiLlYLKgT51CgsBhuJaMsdCYo/5POgTZD4u +FI5gfyO70Xpq9QmrWEqqTdalRG7+UmGa3VEUVyXTDnQZfU1N2QE= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server9.req.sha224 b/tests/data_files/server9.req.sha224 new file mode 100644 index 000000000..fe1c797ed --- /dev/null +++ b/tests/data_files/server9.req.sha224 
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAIEoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCBKIDAgFiA4GB
+AMlYYZKqpDqg5UZZq3NB3QUR9qftY/52/0gPfruw5s2gNtFmG1uyEBJX/oc7C/fU
+lxo74HDraWJyvP7c3MMhOuwr/RfPNQhA2Hgwz9RuJIBhQrJfiZuHsCfiKVofMuMf
+ar/4EKfyoELDdilhg6i+abahGOkqyXsjavFtyDSeCpXH
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha256 b/tests/data_files/server9.req.sha256
new file mode 100644
index 000000000..0ef9ef028
--- /dev/null
+++ b/tests/data_files/server9.req.sha256
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFeA4GB
+ACUaCTidvzWVJNKmRrriufThGUfw5Xgdsc3Ga8Cx+vRf+bPZmR3NVkc0Zq9uc0+8
+d1WXaLzbmge6IbcvTPWCLNDAWI9UzoQ6WS9myM3eDEGdruClYwb5BVLx3MvhvooK
+L/H6snE1dHNPXyCNVFTJIll3bRlVMRsfZpDhmz8/ImJ4
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha384 b/tests/data_files/server9.req.sha384
new file mode 100644
index 000000000..010345027
--- /dev/null
+++ b/tests/data_files/server9.req.sha384
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIDAgFOA4GB
+ANfZGK6nE/CP9PuALFzbA/mvOnYlI60pMowscRfCYpvR25iQJVhAJfYVXADRN3qd
+NAiFWNVcjFMIkRlq7qifBN97VHGeYoWIuw9gYEb3OqDGzOsYP0KIgMNt8/A4qCkj
+5MzolOYyT+N+QFGV0pdCNpX7QppfNdFyFAmWXa171RzG
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha512 b/tests/data_files/server9.req.sha512
new file mode 100644
index 000000000..676b5c996
--- /dev/null
+++ b/tests/data_files/server9.req.sha512
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAIDoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCA6IDAgE+A4GB
+ACxWBhPkhyVlBY/mwkrW7OjYsaN2/ZlFSv76w63b61BpigReJsggMut5EPOgfGYJ
+rzygKDlF/NtmMN22jWrFup9LsZJAX0gYbLmliiaG9Hch+i/8b42oaQTDWGFZ9LiY
+W7F7X0f9lpzNKOtQ8ix0s+nYS2ONyzfu55+Rlzf8/63M
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 7a0200335..58af01aa6 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -218,6 +218,26 @@ X509 CSR Information EC with SHA512 depends_on:POLARSSL_PEM_PARSE_C x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n" +X509 CSR Information RSA-PSS with SHA1 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C +x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA224 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C +x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA256 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C +x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA384 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C +x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA512 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C +x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E, 1)\nRSA key size \: 1024 bits\n" + X509 Get Distinguished Name #1 depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C 
x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1" From 5cac583482a966ed29b34928ddd831ca59a3ac78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 19:28:43 +0100 Subject: [PATCH 09/10] Factor out some common code --- ChangeLog | 3 +++ include/polarssl/x509.h | 4 ++-- library/x509.c | 33 +++++++++++++++++++++++++++++---- library/x509_crl.c | 25 +++---------------------- library/x509_crt.c | 25 +++---------------------- library/x509_csr.c | 25 +++---------------------- 6 files changed, 43 insertions(+), 72 deletions(-) diff --git a/ChangeLog b/ChangeLog index 96b93cc86..788eb1ddf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ PolarSSL ChangeLog (Sorted per branch, date) +TODO: bump SOVERSION +(internal-but-not-static function x509_get_sig_alg() changed prototype) + = PolarSSL 1.3 branch Features * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1 diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 0ffaca145..22ba1563e 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -262,8 +262,8 @@ int x509_get_rsassa_pss_params( const x509_buf *params, int *salt_len, int *trailer_field ); #endif int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ); -int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, - pk_type_t *pk_alg ); +int x509_get_sig_alg( const x509_buf *sig_oid, const x509_buf *sig_params, + md_type_t *md_alg, pk_type_t *pk_alg ); int x509_get_time( unsigned char **p, const unsigned char *end, x509_time *time ); int x509_get_serial( unsigned char **p, const unsigned char *end, diff --git a/library/x509.c b/library/x509.c index 1a5f98a1b..dbc2e0276 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -542,14 +542,39 @@ int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ) return( 0 ); } -int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, - pk_type_t *pk_alg ) +/* + * Get signature algorithm from alg OID and optional parameters + */ +int x509_get_sig_alg( const x509_buf *sig_oid, const x509_buf *sig_params, + md_type_t *md_alg, pk_type_t *pk_alg ) { - int ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ); + int ret; - if( ret != 0 ) + if( ( ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 ) return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret ); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( *pk_alg == POLARSSL_PK_RSASSA_PSS ) + { + int salt_len, trailer_field; + md_type_t mgf_md; + + /* Make sure params are valid */ + ret = x509_get_rsassa_pss_params( sig_params, + md_alg, &mgf_md, &salt_len, &trailer_field ); + if( ret != 0 ) + return( ret ); + + } + else +#endif + { + /* Make sure parameters are absent or NULL */ + if( ( sig_params->tag != ASN1_NULL && sig_params->tag != 0 ) || + sig_params->len != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG ); + } + return( 0 ); } diff --git a/library/x509_crl.c b/library/x509_crl.c index c8c51fbcb..6cb3f5f72 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c 
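Review bot: The comment added above `x509_get_sig_alg()` does not say that for RSASSA-PSS the digest derived from the OID is overwritten with the one read from the parameters, nor that the MGF digest, salt length and trailer field are parsed into locals and then dropped. I would extend it to something like `/* Get signature algorithm from alg OID and optional parameters; for RSASSA-PSS *md_alg is taken from the parameters and the other PSS fields are only parsed as a validity check */`. It is also worth stating that `sig_params` must not be NULL, since the non-PSS branch reads `sig_params->tag` and `sig_params->len` unconditionally. Whether `x509_get_rsassa_pss_params()` rejects unexpected values such as a trailer field other than 1 is not visible in this hunk; if it does not, this validation step is where that check belongs.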
@@ -391,35 +391,16 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen ) return( POLARSSL_ERR_X509_UNKNOWN_VERSION ); } - if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_md, - &crl->sig_pk ) ) != 0 ) + if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params, + &crl->sig_md, &crl->sig_pk ) ) != 0 ) { x509_crl_free( crl ); return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG ); } #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) - if( crl->sig_pk == POLARSSL_PK_RSASSA_PSS ) - { - int salt_len, trailer_field; - md_type_t mgf_md; - - /* Make sure params are valid */ - ret = x509_get_rsassa_pss_params( &sig_params, - &crl->sig_md, &mgf_md, &salt_len, &trailer_field ); - if( ret != 0 ) - return( ret ); - - memcpy( &crl->sig_params, &sig_params, sizeof( x509_buf ) ); - } - else + memcpy( &crl->sig_params, &sig_params, sizeof( x509_buf ) ); #endif - { - /* Make sure parameters are absent or NULL */ - if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || - sig_params.len != 0 ) - return( POLARSSL_ERR_X509_INVALID_ALG ); - } /* * issuer Name diff --git a/library/x509_crt.c b/library/x509_crt.c index dc71c1405..d222944bf 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c 
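Review bot: The error branch after the new `x509_get_sig_alg()` call in `x509_crl_parse()` still returns the fixed `POLARSSL_ERR_X509_UNKNOWN_SIG_ALG`, so the `POLARSSL_ERR_X509_INVALID_ALG` result that the removed block used to report for unexpected parameters, and any error from the PSS parameter parser, is now hidden from the caller. `x509_get_sig_alg()` already folds the unknown-OID case into its own return value, so the branch can simply be `return( ret );`, as the library/x509_crt.c hunk in this patch does. The `x509_csr_parse()` hunk in library/x509_csr.c keeps the same fixed return and needs the same change. Both functions continue outside their hunks.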
@@ -610,35 +610,16 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, return( POLARSSL_ERR_X509_UNKNOWN_VERSION ); } - if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_md, - &crt->sig_pk ) ) != 0 ) + if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &sig_params, + &crt->sig_md, &crt->sig_pk ) ) != 0 ) { x509_crt_free( crt ); return( ret ); } #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) - if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) - { - int salt_len, trailer_field; - md_type_t mgf_md; - - /* Make sure params are valid */ - ret = x509_get_rsassa_pss_params( &sig_params, - &crt->sig_md, &mgf_md, &salt_len, &trailer_field ); - if( ret != 0 ) - return( ret ); - - memcpy( &crt->sig_params, &sig_params, sizeof( x509_buf ) ); - } - else + memcpy( &crt->sig_params, &sig_params, sizeof( x509_buf ) ); #endif - { - /* Make sure parameters are absent or NULL */ - if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || - sig_params.len != 0 ) - return( POLARSSL_ERR_X509_INVALID_ALG ); - } /* * issuer Name diff --git a/library/x509_csr.c b/library/x509_csr.c index bb0441d13..acb16af76 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c 
@@ -250,35 +250,16 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) return( ret ); } - if( ( ret = x509_get_sig_alg( &csr->sig_oid, &csr->sig_md, - &csr->sig_pk ) ) != 0 ) + if( ( ret = x509_get_sig_alg( &csr->sig_oid, &sig_params, + &csr->sig_md, &csr->sig_pk ) ) != 0 ) { x509_csr_free( csr ); return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG ); } #if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) - if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS ) - { - int salt_len, trailer_field; - md_type_t mgf_md; - - /* Make sure params are valid */ - ret = x509_get_rsassa_pss_params( &sig_params, - &csr->sig_md, &mgf_md, &salt_len, &trailer_field ); - if( ret != 0 ) - return( ret ); - - memcpy( &csr->sig_params, &sig_params, sizeof( x509_buf ) ); - } - else + memcpy( &csr->sig_params, &sig_params, sizeof( x509_buf ) ); #endif - { - /* Make sure parameters are absent or NULL */ - if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || - sig_params.len != 0 ) - return( POLARSSL_ERR_X509_INVALID_ALG ); - } if( ( ret = x509_get_sig( &p, end, &csr->sig ) ) != 0 ) { From 27b93ade6e1d9daf14ec3dd7a56cd627e84994e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sat, 25 Jan 2014 11:50:59 +0100 Subject: [PATCH 10/10] Factor common code for printing sig_alg --- include/polarssl/x509.h | 2 ++ library/x509.c | 46 +++++++++++++++++++++++++++++++++++++++++ library/x509_crl.c | 34 ++++++------------------------ library/x509_crt.c | 34 ++++++------------------------ library/x509_csr.c | 34 ++++++------------------------ 5 files changed, 66 insertions(+), 84 deletions(-) diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 22ba1563e..6e8641fdb 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h 
@@ -271,6 +271,8 @@ int x509_get_serial( unsigned char **p, const unsigned char *end, int x509_get_ext( unsigned char **p, const unsigned char *end, x509_buf *ext, int tag ); int x509_load_file( const char *path, unsigned char **buf, size_t *n ); +int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid, + pk_type_t pk_alg, const x509_buf *sig_params ); int x509_key_size_helper( char *buf, size_t size, const char *name ); int x509_string_to_names( asn1_named_data **head, const char *name ); int x509_set_extension( asn1_named_data **head, const char *oid, size_t oid_len, int critical, const unsigned char *val, size_t val_len ); diff --git a/library/x509.c b/library/x509.c index dbc2e0276..74a8f8e0d 100644 --- a/library/x509.c +++ b/library/x509.c 
@@ -810,6 +810,52 @@ int x509_serial_gets( char *buf, size_t size, const x509_buf *serial ) return( (int) ( size - n ) ); } +/* + * Helper for writing signature alrogithms + */ +int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid, + pk_type_t pk_alg, const x509_buf *sig_params ) +{ + int ret; + char *p = buf; + size_t n = size; + const char *desc = NULL; + + ret = oid_get_sig_alg_desc( sig_oid, &desc ); + if( ret != 0 ) + ret = snprintf( p, n, "???" ); + else + ret = snprintf( p, n, "%s", desc ); + SAFE_SNPRINTF(); + +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( pk_alg == POLARSSL_PK_RSASSA_PSS ) + { + md_type_t md_alg, mgf_md; + const md_info_t *md_info, *mgf_md_info; + int salt_len, trailer_field; + + if( ( ret = x509_get_rsassa_pss_params( sig_params, + &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) + return( ret ); + + md_info = md_info_from_type( md_alg ); + mgf_md_info = md_info_from_type( mgf_md ); + + ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", + md_info ? md_info->name : "???", + mgf_md_info ? mgf_md_info->name : "???", + salt_len, trailer_field ); + SAFE_SNPRINTF(); + } +#else + ((void) pk_alg); + ((void) sig_params); +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ + + return( (int) size - n ); +} + /* * Helper for writing "RSA key size", "EC key size", etc */ diff --git a/library/x509_crl.c b/library/x509_crl.c index 6cb3f5f72..964aa7e83 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -625,8 +625,12 @@ int x509_crl_info( char *buf, size_t size, const char *prefix, int ret; size_t n; char *p; - const char *desc; const x509_crl_entry *entry; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + const x509_buf *sig_params = &crl->sig_params; +#else + const x509_buf *sig_params = NULL; +#endif p = buf; n = size; 
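Review bot: The final `return( (int) size - n );` in the new `x509_sig_alg_gets()` casts only `size`, so the subtraction is carried out in `size_t` and converted back implicitly, whereas `x509_serial_gets()` just above returns `(int) ( size - n )`; I would write `return( (int) ( size - n ) );` here as well. The header comment has a typo (`alrogithms`) and could state the return convention: presumably the number of characters written on success, or the error code from `x509_get_rsassa_pss_params()` when the stored parameters do not parse. That second case matters to the callers in x509_crl.c, x509_crt.c and x509_csr.c, which pass the result straight to `SAFE_SNPRINTF()`; the macro is not shown here, so it should be confirmed that a negative code is treated as an error rather than as a length.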
@@ -682,35 +686,9 @@ int x509_crl_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "\n%ssigned using : ", prefix ); SAFE_SNPRINTF(); - ret = oid_get_sig_alg_desc( &crl->sig_oid1, &desc ); - if( ret != 0 ) - ret = snprintf( p, n, "???" ); - else - ret = snprintf( p, n, "%s", desc ); + ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, sig_params ); SAFE_SNPRINTF(); -#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) - if( crl->sig_pk == POLARSSL_PK_RSASSA_PSS ) - { - md_type_t md_alg, mgf_md; - const md_info_t *md_info, *mgf_md_info; - int salt_len, trailer_field; - - if( ( ret = x509_get_rsassa_pss_params( &crl->sig_params, - &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) - return( ret ); - - md_info = md_info_from_type( md_alg ); - mgf_md_info = md_info_from_type( mgf_md ); - - ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", - md_info ? md_info->name : "???", - mgf_md_info ? mgf_md_info->name : "???", - salt_len, trailer_field ); - SAFE_SNPRINTF(); - } -#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ - ret = snprintf( p, n, "\n" ); SAFE_SNPRINTF(); diff --git a/library/x509_crt.c b/library/x509_crt.c index d222944bf..585972542 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1124,8 +1124,12 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, int ret; size_t n; char *p; - const char *desc = NULL; char key_size_str[BEFORE_COLON]; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + const x509_buf *sig_params = &crt->sig_params; +#else + const x509_buf *sig_params = NULL; +#endif p = buf; n = size; 
@@ -1167,35 +1171,9 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "\n%ssigned using : ", prefix ); SAFE_SNPRINTF(); - ret = oid_get_sig_alg_desc( &crt->sig_oid1, &desc ); - if( ret != 0 ) - ret = snprintf( p, n, "???" ); - else - ret = snprintf( p, n, "%s", desc ); + ret = x509_sig_alg_gets( p, n, &crt->sig_oid1, crt->sig_pk, sig_params ); SAFE_SNPRINTF(); -#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) - if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) - { - md_type_t md_alg, mgf_md; - const md_info_t *md_info, *mgf_md_info; - int salt_len, trailer_field; - - if( ( ret = x509_get_rsassa_pss_params( &crt->sig_params, - &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) - return( ret ); - - md_info = md_info_from_type( md_alg ); - mgf_md_info = md_info_from_type( mgf_md ); - - ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", - md_info ? md_info->name : "???", - mgf_md_info ? mgf_md_info->name : "???", - salt_len, trailer_field ); - SAFE_SNPRINTF(); - } -#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ - if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &crt->pk ) ) ) != 0 ) { diff --git a/library/x509_csr.c b/library/x509_csr.c index acb16af76..a5cef4c30 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -362,8 +362,12 @@ int x509_csr_info( char *buf, size_t size, const char *prefix, int ret; size_t n; char *p; - const char *desc; char key_size_str[BEFORE_COLON]; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + const x509_buf *sig_params = &csr->sig_params; +#else + const x509_buf *sig_params = NULL; +#endif p = buf; n = size; 
@@ -380,35 +384,9 @@ int x509_csr_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "\n%ssigned using : ", prefix ); SAFE_SNPRINTF(); - ret = oid_get_sig_alg_desc( &csr->sig_oid, &desc ); - if( ret != 0 ) - ret = snprintf( p, n, "???" ); - else - ret = snprintf( p, n, "%s", desc ); + ret = x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, sig_params ); SAFE_SNPRINTF(); -#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) - if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS ) - { - md_type_t md_alg, mgf_md; - const md_info_t *md_info, *mgf_md_info; - int salt_len, trailer_field; - - if( ( ret = x509_get_rsassa_pss_params( &csr->sig_params, - &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) - return( ret ); - - md_info = md_info_from_type( md_alg ); - mgf_md_info = md_info_from_type( mgf_md ); - - ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", - md_info ? md_info->name : "???", - mgf_md_info ? mgf_md_info->name : "???", - salt_len, trailer_field ); - SAFE_SNPRINTF(); - } -#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ - if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &csr->pk ) ) ) != 0 ) {