Also verify CRLs signed with RSASSA-PSS
parent
46db4b070c
commit
53882023e7
3 changed files with 32 additions and 10 deletions
|
@ -1492,9 +1492,9 @@ static int x509_crt_verifycrl( x509_crt *crt, x509_crt *ca,
|
|||
|
||||
md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
|
||||
|
||||
if( pk_can_do( &ca->pk, crl_list->sig_pk ) == 0 ||
|
||||
pk_verify( &ca->pk, crl_list->sig_md, hash, md_info->size,
|
||||
crl_list->sig.p, crl_list->sig.len ) != 0 )
|
||||
if( pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
|
||||
crl_list->sig_md, hash, md_info->size,
|
||||
crl_list->sig.p, crl_list->sig.len ) != 0 )
|
||||
{
|
||||
flags |= BADCRL_NOT_TRUSTED;
|
||||
break;
|
||||
|
|
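Review bot: The explicit `pk_can_do( &ca->pk, crl_list->sig_pk )` guard is removed, so rejecting a CA key whose type does not match the CRL's signature algorithm now rests entirely on `pk_verify_ext()`. Its implementation is not visible in this hunk, so that is presumably where the type check lives and worth confirming. `crl_list->sig_opts` is also read from the CRL before its signature has been checked, so whatever PSS parameters it carries are untrusted input at this call. I would record both assumptions at the call site, e.g. `/* pk_verify_ext() must fail on key/sig_pk mismatch; sig_opts comes from the not-yet-verified CRL */`. The body of x509_crt_verifycrl starts and ends outside this hunk.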
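--- /dev/null
+++ b/tests/data_files/crl-rsa-pss-sha1-badsign.pem
@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBFw0x
+NDAxMjAxMzQ2MzVaFw0yNDAxMTgxMzQ2MzVaMCgwEgIBChcNMTMwOTI0MTYyODM4
+WjASAgEWFw0xNDAxMjAxMzQzMDVaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5
+1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM
+MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQC
+AgDqA4IBAQB8ZBX0BEgRcx0lfk1ctELRu1AYoJ5BnsmQpq23Ca4YIP2yb2kTN1ZS
+4fR4SgYcNctgo2JJiNiUkCu1ZnRUOJUy8UlEio0+aeumTNz6CbeJEDhr5NC3oiV0
+MzvLn9rJVLPetOT9UrvvIy8iz5Pn1d8mu5rkt9BKQRq9NQx8riKnSIoTc91NLCMo
+mkCCB55DVbazODSWK19e6yQ0JS454RglOsqRtLJ/EDbi6lCsLXotFt3GEGMrob1O
+7Qck1Z59boaHxGYFEVnx90+4M3/qikVtwZdcBjLEmfuwYvszFw8J2y6Xwmg/HtUa
+y6li0JzWNHtkKUlCv2+SESZbD3NU8GQY
+-----END X509 CRL-----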
@ -576,29 +576,37 @@ x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pe
|
|||
|
||||
X509 Certificate verification #58 (Valid, RSASSA-PSS, SHA-224)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #59 (Valid, RSASSA-PSS, SHA-256)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #60 (Valid, RSASSA-PSS, SHA-384)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C
|
||||
x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #61 (Valid, RSASSA-PSS, SHA-512)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C
|
||||
x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #57 (Valid, RSASSA-PSS, SHA-1, not top)
|
||||
X509 Certificate verification #62 (Revoked, RSASSA-PSS, SHA-1)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL"
|
||||
|
||||
X509 Certificate verification #63 (Revoked, RSASSA-PSS, SHA-1, CRL badsign)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Certificate verification #64 (Valid, RSASSA-PSS, SHA-1, not top)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #62 (RSASSA-PSS, SHA1, bad signature)
|
||||
X509 Certificate verification #65 (RSASSA-PSS, SHA1, bad cert signature)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Certificate verification #63 (RSASSA-PSS, SHA1, no RSA CA)
|
||||
X509 Certificate verification #66 (RSASSA-PSS, SHA1, no RSA CA)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
|
|
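Review bot: Case #63 is titled "Revoked, RSASSA-PSS, SHA-1, CRL badsign" but expects only `BADCRL_NOT_TRUSTED`, so the title suggests a revocation result that the test does not assert. A title such as `X509 Certificate verification #63 (RSASSA-PSS, SHA-1, CRL badsign)` would match the expectation. The tampered-signature CRL is covered for SHA-1 only, while #58 to #61 exercise just the valid path with the SHA-224 to SHA-512 PSS CRLs. No visible case pairs a PSS-signed CRL with a CA key of a different type, which is the path the removed `pk_can_do` check used to guard; a negative case there would pin the fail-closed behaviour.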