From ee73179b2f3bd61e1b8c18962badd9ad1e2d374e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 11 Sep 2013 22:48:40 +0200 Subject: [PATCH] Adapt x509write_csr prototypes for PK --- include/polarssl/x509write.h | 28 +++++++-- library/x509write.c | 25 ++++---- programs/pkey/ecdsa.c | 9 ++- programs/x509/cert_req.c | 72 +++++++++++++++------- tests/suites/test_suite_x509write.function | 19 +++--- 5 files changed, 98 insertions(+), 55 deletions(-) diff --git a/include/polarssl/x509write.h b/include/polarssl/x509write.h index 661acf6bf..5e0d82ad1 100644 --- a/include/polarssl/x509write.h +++ b/include/polarssl/x509write.h @@ -121,13 +121,13 @@ void x509write_csr_init( x509write_csr *ctx ); int x509write_csr_set_subject_name( x509write_csr *ctx, char *subject_name ); /** - * \brief Set the RSA key for a CSR (public key will be included, + * \brief Set the key for a CSR (public key will be included, * private key used to sign the CSR when writing it) * * \param ctx CSR context to use - * \param rsa RSA key to include + * \param key Asymetric key to include */ -void x509write_csr_set_rsa_key( x509write_csr *ctx, rsa_context *rsa ); +void x509write_csr_set_key( x509write_csr *ctx, pk_context *key ); /** * \brief Set the MD algorithm to use for the signature @@ -419,11 +419,20 @@ int x509write_key_der( rsa_context *rsa, unsigned char *buf, size_t size ); * \param rsa CSR to write away * \param buf buffer to write to * \param size size of the buffer + * \param f_rng RNG function (for signature, see note) + * \param p_rng RNG parameter * * \return length of data written if successful, or a specific * error code + * + * \note f_rng may be NULL if RSA is used for signature and the + * signature is made offline (otherwise f_rng is desirable + * for countermeasures against timing attacks). + * ECDSA signatures always require a non-NULL f_rng. */ -int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size ); +int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); #if defined(POLARSSL_BASE64_C) /** @@ -466,10 +475,19 @@ int x509write_key_pem( rsa_context *rsa, unsigned char *buf, size_t size ); * \param rsa CSR to write away * \param buf buffer to write to * \param size size of the buffer + * \param f_rng RNG function (for signature, see note) + * \param p_rng RNG parameter * * \return 0 successful, or a specific error code + * + * \note f_rng may be NULL if RSA is used for signature and the + * signature is made offline (otherwise f_rng is desirable + * for couermeasures against timing attacks). + * ECDSA signatures always require a non-NULL f_rng. */ -int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size ); +int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); #endif /* POLARSSL_BASE64_C */ #ifdef __cplusplus diff --git a/library/x509write.c b/library/x509write.c index 7c4ca33d5..e1f68dc6f 100644 --- a/library/x509write.c +++ b/library/x509write.c @@ -156,16 +156,9 @@ void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg ) ctx->md_alg = md_alg; } -// TODO: take a pk_context -// TODO: return int -void x509write_csr_set_rsa_key( x509write_csr *ctx, rsa_context *rsa ) +void x509write_csr_set_key( x509write_csr *ctx, pk_context *key ) { - // temporary - ctx->key = polarssl_malloc( sizeof( pk_context ) ); - - // TODO: check errors - pk_init_ctx( ctx->key, pk_info_from_type( POLARSSL_PK_RSA ) ); - rsa_copy( pk_rsa( *ctx->key ), rsa ); + ctx->key = key; } int x509write_csr_set_subject_name( x509write_csr *ctx, char *subject_name ) @@ -698,7 +691,9 @@ static int x509_write_extensions( unsigned char **p, unsigned char *start, return( len ); } -int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size ) +int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; const char *sig_oid; @@ -761,7 +756,7 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size ) md( md_info_from_type( ctx->md_alg ), c, len, hash ); if( ( ret = pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len, - NULL, NULL ) ) != 0 || + f_rng, p_rng ) ) != 0 || ( ret = oid_get_oid_by_sig_alg( pk_get_type( ctx->key ), ctx->md_alg, &sig_oid, &sig_oid_len ) ) != 0 ) { @@ -1006,13 +1001,15 @@ int x509write_key_pem( rsa_context *rsa, unsigned char *buf, size_t size ) return( 0 ); } -int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size ) +int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; unsigned char output_buf[4096]; - if( ( ret = x509write_csr_der( ctx, output_buf, - sizeof(output_buf) ) ) < 0 ) + if( ( ret = x509write_csr_der( ctx, output_buf, sizeof(output_buf), + f_rng, p_rng ) ) < 0 ) { return( ret ); } diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c index 8d52b6726..7e500bba1 100644 --- a/programs/pkey/ecdsa.c +++ b/programs/pkey/ecdsa.c @@ -51,7 +51,7 @@ #endif #endif /* !defined(ECPARAMS) */ -#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_ECDSA_C) || \ +#if !defined(POLARSSL_ECDSA_C) || \ !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \ !defined(ECPARAMS) int main( int argc, char *argv[] ) @@ -59,9 +59,9 @@ int main( int argc, char *argv[] ) ((void) argc); ((void) argv); - printf("POLARSSL_BIGNUM_C and/or POLARSSL_ECDSA_C and/or " + printf("POLARSSL_ECDSA_C and/or " "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C not defined," - "and/or not EC domain parameter available\n" ); + "and/or no EC domain parameter available\n" ); return( 0 ); } #else @@ -194,6 +194,5 @@ exit: return( ret ); } -#endif /* POLARSSL_BIGNUM_C && POLARSSL_ECDSA_C && - POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C && +#endif /* POLARSSL_ECDSA_C && POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C && ECPARAMS */ diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index 6cc05c825..b98f23368 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -33,24 +33,22 @@ #include "polarssl/config.h" -#include "polarssl/error.h" -#include "polarssl/rsa.h" -#include "polarssl/x509.h" -#include "polarssl/base64.h" #include "polarssl/x509write.h" -#include "polarssl/oid.h" +#include "polarssl/error.h" +#include "polarssl/entropy.h" +#include "polarssl/ctr_drbg.h" -#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \ - !defined(POLARSSL_X509_PARSE_C) || !defined(POLARSSL_FS_IO) || \ +#if !defined(POLARSSL_X509_PARSE_C) || !defined(POLARSSL_FS_IO) || \ + !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \ !defined(POLARSSL_ERROR_C) int main( int argc, char *argv[] ) { ((void) argc); ((void) argv); - printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or " - "POLARSSL_X509_PARSE_C and/or POLARSSL_FS_IO and/or " - "POLARSSL_ERROR_C not defined.\n"); + printf( "POLARSSL_X509_PARSE_C and/or POLARSSL_FS_IO and/or " + "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or " + "POLARSSL_ERROR_C not defined.\n"); return( 0 ); } #else @@ -75,7 +73,9 @@ struct options unsigned char ns_cert_type; /* NS cert type */ } opt; -int write_certificate_request( x509write_csr *req, char *output_file ) +int write_certificate_request( x509write_csr *req, char *output_file, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; FILE *f; @@ -83,7 +83,7 @@ int write_certificate_request( x509write_csr *req, char *output_file ) size_t len = 0; memset( output_buf, 0, 4096 ); - if( ( ret = x509write_csr_pem( req, output_buf, 4096 ) ) < 0 ) + if( ( ret = x509write_csr_pem( req, output_buf, 4096, f_rng, p_rng ) ) < 0 ) return( ret ); len = strlen( (char *) output_buf ); @@ -129,18 +129,21 @@ int write_certificate_request( x509write_csr *req, char *output_file ) int main( int argc, char *argv[] ) { int ret = 0; - rsa_context rsa; + pk_context key; char buf[1024]; int i, j, n; char *p, *q, *r; x509write_csr req; + entropy_context entropy; + ctr_drbg_context ctr_drbg; + const char *pers = "csr example app"; /* * Set to sane values */ x509write_csr_init( &req ); x509write_csr_set_md_alg( &req, POLARSSL_MD_SHA1 ); - memset( &rsa, 0, sizeof( rsa_context ) ); + pk_init( &key ); memset( buf, 0, 1024 ); if( argc == 0 ) @@ -251,9 +254,30 @@ int main( int argc, char *argv[] ) if( opt.ns_cert_type ) x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type ); + /* + * 0. Seed the PRNG + */ + printf( " . Seeding the random number generator..." ); + fflush( stdout ); + + entropy_init( &entropy ); + if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ) ) != 0 ) + { + error_strerror( ret, buf, 1024 ); + printf( " failed\n ! ctr_drbg_init returned %d - %s\n", ret, buf ); + goto exit; + } + + printf( " ok\n" ); + /* * 1.0. Check the subject name for validity */ + printf( " . Checking subjet name..." ); + fflush( stdout ); + if( ( ret = x509write_csr_set_subject_name( &req, opt.subject_name ) ) != 0 ) { error_strerror( ret, buf, 1024 ); @@ -261,22 +285,24 @@ int main( int argc, char *argv[] ) goto exit; } + printf( " ok\n" ); + /* * 1.1. Load the key */ - printf( "\n . Loading the private key ..." ); + printf( " . Loading the private key ..." ); fflush( stdout ); - ret = x509parse_keyfile_rsa( &rsa, opt.filename, NULL ); + ret = x509parse_keyfile( &key, opt.filename, NULL ); if( ret != 0 ) { error_strerror( ret, buf, 1024 ); - printf( " failed\n ! x509parse_key_rsa returned %d - %s\n\n", ret, buf ); + printf( " failed\n ! x509parse_keyfile returned %d - %s\n\n", ret, buf ); goto exit; } - x509write_csr_set_rsa_key( &req, &rsa ); + x509write_csr_set_key( &req, &key ); printf( " ok\n" ); @@ -286,7 +312,8 @@ int main( int argc, char *argv[] ) printf( " . Writing the certificate request ..." ); fflush( stdout ); - if( ( ret = write_certificate_request( &req, opt.output_file ) ) != 0 ) + if( ( ret = write_certificate_request( &req, opt.output_file, + ctr_drbg_random, &ctr_drbg ) ) != 0 ) { error_strerror( ret, buf, 1024 ); printf( " failed\n ! write_certifcate_request %d - %s\n\n", ret, buf ); @@ -297,7 +324,7 @@ int main( int argc, char *argv[] ) exit: x509write_csr_free( &req ); - rsa_free( &rsa ); + pk_free( &key ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); @@ -306,5 +333,6 @@ exit: return( ret ); } -#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && - POLARSSL_X509_PARSE_C && POLARSSL_FS_IO */ +#endif /* POLARSSL_X509_PARSE_C && POLARSSL_FS_IO && + POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C && + POLARSSL_ERROR_C */ diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index b45395fd1..bfe07c6a2 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -14,7 +14,7 @@ void x509_csr_check( char *key_file, int md_type, char *cert_req_check_file ) { - rsa_context rsa; + pk_context key; pem_context pem; x509write_csr req; unsigned char *c; @@ -24,19 +24,20 @@ void x509_csr_check( char *key_file, int md_type, size_t olen = sizeof( check_buf ); FILE *f; char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; + rnd_pseudo_info rnd_info; - memset( &rsa, 0, sizeof(rsa_context) ); - ret = x509parse_keyfile_rsa( &rsa, key_file, NULL ); - TEST_ASSERT( ret == 0 ); - if( ret != 0 ) - return; + memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); + + pk_init( &key ); + TEST_ASSERT( x509parse_keyfile( &key, key_file, NULL ) == 0 ); x509write_csr_init( &req ); x509write_csr_set_md_alg( &req, md_type ); - x509write_csr_set_rsa_key( &req, &rsa ); + x509write_csr_set_key( &req, &key ); TEST_ASSERT( x509write_csr_set_subject_name( &req, subject_name ) == 0 ); - ret = x509write_csr_der( &req, buf, sizeof( buf ) ); + ret = x509write_csr_der( &req, buf, sizeof( buf ), + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret >= 0 ); c = buf + sizeof( buf ) - ret; @@ -53,8 +54,8 @@ void x509_csr_check( char *key_file, int md_type, TEST_ASSERT( memcmp( c, pem.buf, pem.buflen ) == 0 ); x509write_csr_free( &req ); - rsa_free( &rsa ); pem_free( &pem ); + pk_free( &key ); } /* END_CASE */