From 39868ee3011bd60d7ecd2ee8f383b3b167680801 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 24 Jan 2014 18:47:17 +0100 Subject: [PATCH] Parse CSRs signed with RSASSA-PSS --- include/polarssl/x509_csr.h | 3 ++ library/x509_csr.c | 48 +++++++++++++++++++++++++- tests/data_files/server9.req.sha1 | 11 ++++++ tests/data_files/server9.req.sha224 | 12 +++++++ tests/data_files/server9.req.sha256 | 12 +++++++ tests/data_files/server9.req.sha384 | 12 +++++++ tests/data_files/server9.req.sha512 | 12 +++++++ tests/suites/test_suite_x509parse.data | 20 +++++++++++ 8 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/server9.req.sha1 create mode 100644 tests/data_files/server9.req.sha224 create mode 100644 tests/data_files/server9.req.sha256 create mode 100644 tests/data_files/server9.req.sha384 create mode 100644 tests/data_files/server9.req.sha512 diff --git a/include/polarssl/x509_csr.h b/include/polarssl/x509_csr.h index 8b4892aea..af3f226c8 100644 --- a/include/polarssl/x509_csr.h +++ b/include/polarssl/x509_csr.h @@ -67,6 +67,9 @@ typedef struct _x509_csr x509_buf sig; md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */ pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */; +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + x509_buf sig_params; /**< Parameters for the signature algorithm */ +#endif } x509_csr; diff --git a/library/x509_csr.c b/library/x509_csr.c index 16e212b31..3118c0a34 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -93,6 +93,7 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) int ret; size_t len; unsigned char *p, *end; + x509_buf sig_params; #if defined(POLARSSL_PEM_PARSE_C) size_t use_len; pem_context pem; @@ -247,7 +248,7 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) * signatureAlgorithm AlgorithmIdentifier, * signature BIT STRING */ - if( ( ret = x509_get_alg_null( &p, end, &csr->sig_oid ) ) != 0 ) + if( ( ret = x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 ) { x509_csr_free( csr ); return( ret ); @@ -260,6 +261,29 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + int salt_len, trailer_field; + md_type_t mgf_md; + + /* Make sure params are valid */ + ret = x509_get_rsassa_pss_params( &sig_params, + &csr->sig_md, &mgf_md, &salt_len, &trailer_field ); + if( ret != 0 ) + return( ret ); + + memcpy( &csr->sig_params, &sig_params, sizeof( x509_buf ) ); + } + else +#endif + { + /* Make sure parameters are absent or NULL */ + if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || + sig_params.len != 0 ) + return( POLARSSL_ERR_X509_INVALID_ALG ); + } + if( ( ret = x509_get_sig( &p, end, &csr->sig ) ) != 0 ) { x509_csr_free( csr ); @@ -386,6 +410,28 @@ int x509_csr_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "%s", desc ); SAFE_SNPRINTF(); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS ) + { + md_type_t md_alg, mgf_md; + const md_info_t *md_info, *mgf_md_info; + int salt_len, trailer_field; + + if( ( ret = x509_get_rsassa_pss_params( &csr->sig_params, + &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 ) + return( ret ); + + md_info = md_info_from_type( md_alg ); + mgf_md_info = md_info_from_type( mgf_md ); + + ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)", + md_info ? md_info->name : "???", + mgf_md_info ? mgf_md_info->name : "???", + salt_len, trailer_field ); + SAFE_SNPRINTF(); + } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ + if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &csr->pk ) ) ) != 0 ) { diff --git a/tests/data_files/server9.req.sha1 b/tests/data_files/server9.req.sha1 new file mode 100644 index 000000000..b9d005382 --- /dev/null +++ b/tests/data_files/server9.req.sha1 @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBojCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw +EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R +ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX +yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY +mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B +CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBIGCSqGSIb3DQEBCjAFogMC +AWoDgYEA2n8SOoiJCs+YyH2VXoUVxhutdXGP4+7cECakl2mmVEKhxXDMEG7hEFkB +mkk4b1kRNOQHKqUq3crfi0OkMcPGkPiLlYLKgT51CgsBhuJaMsdCYo/5POgTZD4u +FI5gfyO70Xpq9QmrWEqqTdalRG7+UmGa3VEUVyXTDnQZfU1N2QE= +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server9.req.sha224 b/tests/data_files/server9.req.sha224 new file mode 100644 index 000000000..fe1c797ed --- /dev/null +++ b/tests/data_files/server9.req.sha224 @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw +EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R +ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX +yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY +mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B +CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w +CwYJYIZIAWUDBAIEoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCBKIDAgFiA4GB +AMlYYZKqpDqg5UZZq3NB3QUR9qftY/52/0gPfruw5s2gNtFmG1uyEBJX/oc7C/fU +lxo74HDraWJyvP7c3MMhOuwr/RfPNQhA2Hgwz9RuJIBhQrJfiZuHsCfiKVofMuMf +ar/4EKfyoELDdilhg6i+abahGOkqyXsjavFtyDSeCpXH +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server9.req.sha256 b/tests/data_files/server9.req.sha256 new file mode 100644 index 000000000..0ef9ef028 --- /dev/null +++ b/tests/data_files/server9.req.sha256 @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw +EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R +ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX +yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY +mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B +CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w +CwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFeA4GB +ACUaCTidvzWVJNKmRrriufThGUfw5Xgdsc3Ga8Cx+vRf+bPZmR3NVkc0Zq9uc0+8 +d1WXaLzbmge6IbcvTPWCLNDAWI9UzoQ6WS9myM3eDEGdruClYwb5BVLx3MvhvooK +L/H6snE1dHNPXyCNVFTJIll3bRlVMRsfZpDhmz8/ImJ4 +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server9.req.sha384 b/tests/data_files/server9.req.sha384 new file mode 100644 index 000000000..010345027 --- /dev/null +++ b/tests/data_files/server9.req.sha384 @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw +EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R +ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX +yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY +mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B +CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w +CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIDAgFOA4GB +ANfZGK6nE/CP9PuALFzbA/mvOnYlI60pMowscRfCYpvR25iQJVhAJfYVXADRN3qd +NAiFWNVcjFMIkRlq7qifBN97VHGeYoWIuw9gYEb3OqDGzOsYP0KIgMNt8/A4qCkj +5MzolOYyT+N+QFGV0pdCNpX7QppfNdFyFAmWXa171RzG +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/server9.req.sha512 b/tests/data_files/server9.req.sha512 new file mode 100644 index 000000000..676b5c996 --- /dev/null +++ b/tests/data_files/server9.req.sha512 @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw +EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R +ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX +yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY +mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B +CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w +CwYJYIZIAWUDBAIDoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCA6IDAgE+A4GB +ACxWBhPkhyVlBY/mwkrW7OjYsaN2/ZlFSv76w63b61BpigReJsggMut5EPOgfGYJ +rzygKDlF/NtmMN22jWrFup9LsZJAX0gYbLmliiaG9Hch+i/8b42oaQTDWGFZ9LiY +W7F7X0f9lpzNKOtQ8ix0s+nYS2ONyzfu55+Rlzf8/63M +-----END CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 91089a4b0..956815749 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -238,6 +238,26 @@ X509 CSR Information EC with SHA512 depends_on:POLARSSL_PEM_PARSE_C x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n" +X509 CSR Information RSA-PSS with SHA1 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C +x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA224 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C +x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA256 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C +x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA384 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C +x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E, 1)\nRSA key size \: 1024 bits\n" + +X509 CSR Information RSA-PSS with SHA512 +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C +x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E, 1)\nRSA key size \: 1024 bits\n" + X509 Get Distinguished Name #1 depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"