diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 29ba54f4e..f00a7fc52 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -2102,6 +2102,11 @@ #error "POLARSSL_RSA_C defined, but not all prerequisites" #endif +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) && \ + ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_PKCS1_V21) ) +#error "POLARSSL_RSASSA_PSS_CERTIFICATES defined, but not all prerequisites" +#endif + #if defined(POLARSSL_SSL_PROTO_SSL3) && ( !defined(POLARSSL_MD5_C) || \ !defined(POLARSSL_SHA1_C) ) #error "POLARSSL_SSL_PROTO_SSL3 defined, but not all prerequisites" diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 36f19b071..0ffaca145 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -256,9 +256,11 @@ int x509_get_alg_null( unsigned char **p, const unsigned char *end, x509_buf *alg ); int x509_get_alg( unsigned char **p, const unsigned char *end, x509_buf *alg, x509_buf *params ); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) int x509_get_rsassa_pss_params( const x509_buf *params, md_type_t *md_alg, md_type_t *mgf_md, int *salt_len, int *trailer_field ); +#endif int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ); int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, pk_type_t *pk_alg ); diff --git a/library/x509.c b/library/x509.c index e9dc68084..1a5f98a1b 100644 --- a/library/x509.c +++ b/library/x509.c @@ -132,6 +132,7 @@ int x509_get_alg( unsigned char **p, const unsigned char *end, return( 0 ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) /* * HashAlgorithm ::= AlgorithmIdentifier * @@ -324,6 +325,7 @@ int x509_get_rsassa_pss_params( const x509_buf *params, return( 0 ); } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ /* * AttributeTypeAndValue ::= SEQUENCE { diff --git a/library/x509_crt.c b/library/x509_crt.c index 1447689c8..dc71c1405 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -596,7 +596,7 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 || ( ret = x509_get_alg( &p, end, &crt->sig_oid1, - &crt->sig_params ) ) != 0 ) + &sig_params ) ) != 0 ) { x509_crt_free( crt ); return( ret ); @@ -617,22 +617,26 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, return( ret ); } +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) { int salt_len, trailer_field; md_type_t mgf_md; /* Make sure params are valid */ - ret = x509_get_rsassa_pss_params( &crt->sig_params, + ret = x509_get_rsassa_pss_params( &sig_params, &crt->sig_md, &mgf_md, &salt_len, &trailer_field ); if( ret != 0 ) return( ret ); + + memcpy( &crt->sig_params, &sig_params, sizeof( x509_buf ) ); } else +#endif { - /* Make sure parameters were absent or NULL */ - if( ( crt->sig_params.tag != ASN1_NULL && crt->sig_params.tag != 0 ) || - crt->sig_params.len != 0 ) + /* Make sure parameters are absent or NULL */ + if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) || + sig_params.len != 0 ) return( POLARSSL_ERR_X509_INVALID_ALG ); } @@ -763,9 +767,13 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, } if( crt->sig_oid1.len != crt->sig_oid2.len || - memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 || + memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) + || crt->sig_params.len != sig_params.len || - memcmp( crt->sig_params.p, sig_params.p, sig_params.len ) != 0 ) + memcmp( crt->sig_params.p, sig_params.p, sig_params.len ) != 0 +#endif + ) { x509_crt_free( crt ); return( POLARSSL_ERR_X509_SIG_MISMATCH ); @@ -1185,6 +1193,7 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, ret = snprintf( p, n, "%s", desc ); SAFE_SNPRINTF(); +#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES) if( crt->sig_pk == POLARSSL_PK_RSASSA_PSS ) { md_type_t md_alg, mgf_md; @@ -1204,6 +1213,7 @@ int x509_crt_info( char *buf, size_t size, const char *prefix, salt_len, trailer_field ); SAFE_SNPRINTF(); } +#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */ if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON, pk_get_name( &crt->pk ) ) ) != 0 ) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a1c008e19..5e6afcaa2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -43,23 +43,23 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" X509 Certificate information RSA-PSS, SHA1 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA224 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C x509_cert_info:"data_files/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA256 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C x509_cert_info:"data_files/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA384 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C x509_cert_info:"data_files/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information RSA-PSS, SHA512 Digest -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C x509_cert_info:"data_files/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE, 1)\nRSA key size \: 1024 bits\n" X509 Certificate information EC, SHA1 Digest