Merge pull request #7649 from yuhaoth/pr/add-command-for-server9-bad-saltlen
Add command for server9-bad-saltlen
This commit is contained in:
commit
885bcfc9d0
4 changed files with 113 additions and 14 deletions
|
@ -18,3 +18,7 @@ mypy >= 0.780
|
|||
# for mypy and pylint under Python 3.5, and we also get something good enough
|
||||
# to run audit-validity-dates.py on Python >=3.6.
|
||||
cryptography # >= 35.0.0
|
||||
|
||||
# For building `tests/data_files/server9-bad-saltlen.crt` and check python
|
||||
# files.
|
||||
asn1crypto
|
||||
|
|
|
@ -206,10 +206,8 @@ test-ca2.ku-%.crt: test-ca2.ku-%.crt.openssl.v3_ext $(test_ca_key_file_ec) test-
|
|||
$(OPENSSL) x509 -req -in test-ca2.req.sha256 -extfile $< \
|
||||
-signkey $(test_ca_key_file_ec) -days 3653 -out $@
|
||||
|
||||
all_final += test-ca2.ku-crl.crt \
|
||||
test-ca2.ku-crt.crt \
|
||||
test-ca2.ku-crt_crl.crt \
|
||||
test-ca2.ku-ds.crt
|
||||
all_final += test-ca2.ku-crl.crt test-ca2.ku-crt.crt test-ca2.ku-crt_crl.crt \
|
||||
test-ca2.ku-ds.crt
|
||||
|
||||
test-ca2-future.crt: $(test_ca_key_file_ec) test-ca2.req.sha256
|
||||
$(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 request_file=test-ca2.req.sha256 selfsign=1 \
|
||||
|
@ -580,10 +578,6 @@ server9-with-ca.crt: server9.crt $(test_ca_crt)
|
|||
cat $^ > $@
|
||||
all_final += server9-with-ca.crt
|
||||
|
||||
# FIXME: This file needs special sequence. It should be update manually
|
||||
server9-bad-saltlen.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
false
|
||||
|
||||
server9-bad-mgfhash.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
||||
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \
|
||||
-passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \
|
||||
|
@ -593,6 +587,16 @@ server9-bad-mgfhash.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|||
-in $< -out $@
|
||||
all_final += server9-bad-mgfhash.crt
|
||||
|
||||
server9-bad-saltlen.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) \
|
||||
opensslcnf/server9.crt.v3_ext \
|
||||
../scripts/generate_server9_bad_saltlen.py
|
||||
../scripts/generate_server9_bad_saltlen.py --ca-name test-ca \
|
||||
--ca-password $(test_ca_pwd_rsa) --csr server9.csr \
|
||||
--openssl-extfile opensslcnf/server9.crt.v3_ext \
|
||||
--anounce_saltlen 0xde --actual_saltlen 0x20 \
|
||||
--output $@
|
||||
all_final += server9-bad-saltlen.crt
|
||||
|
||||
# server10*
|
||||
|
||||
server10.crt: server10.key test-int-ca3.crt test-int-ca3.key
|
||||
|
@ -1545,9 +1549,9 @@ server6-ss-child.csr : server6.key
|
|||
all_intermediate += server6-ss-child.csr
|
||||
server6-ss-child.crt: server6-ss-child.csr server5-selfsigned.crt server5.key server6-ss-child.crt.openssl.v3_ext
|
||||
$(OPENSSL) x509 -req -CA server5-selfsigned.crt -CAkey server5.key \
|
||||
-extfile server6-ss-child.crt.openssl.v3_ext \
|
||||
-set_serial 0x53a2cb5822399474a7ec79ec \
|
||||
-days 3650 -sha256 -in $< -out $@
|
||||
-extfile server6-ss-child.crt.openssl.v3_ext \
|
||||
-set_serial 0x53a2cb5822399474a7ec79ec \
|
||||
-days 3650 -sha256 -in $< -out $@
|
||||
all_final += server6-ss-child.crt
|
||||
|
||||
|
||||
|
@ -1714,9 +1718,9 @@ crl.pem: $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_config_file)
|
|||
$(OPENSSL) ca -gencrl -batch -cert $(test_ca_crt) -keyfile $(test_ca_key_file_rsa) -key $(test_ca_pwd_rsa) -config $(test_ca_server1_config_file) -md sha1 -crldays 3653 -out $@
|
||||
|
||||
crl-futureRevocationDate.pem: $(test_ca_crt) $(test_ca_key_file_rsa) \
|
||||
$(test_ca_config_file) \
|
||||
test-ca.server1.future-crl.db \
|
||||
test-ca.server1.future-crl.opensslconf
|
||||
$(test_ca_config_file) \
|
||||
test-ca.server1.future-crl.db \
|
||||
test-ca.server1.future-crl.opensslconf
|
||||
$(FAKETIME) -f '+10y' $(OPENSSL) ca -gencrl \
|
||||
-config test-ca.server1.future-crl.opensslconf -crldays 365 \
|
||||
-passin "pass:$(test_ca_pwd_rsa)" -out $@
|
||||
|
|
4
tests/data_files/opensslcnf/server9.crt.v3_ext
Normal file
4
tests/data_files/opensslcnf/server9.crt.v3_ext
Normal file
|
@ -0,0 +1,4 @@
|
|||
basicConstraints = CA:false
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
87
tests/scripts/generate_server9_bad_saltlen.py
Executable file
87
tests/scripts/generate_server9_bad_saltlen.py
Executable file
|
@ -0,0 +1,87 @@
|
|||
#!/usr/bin/env python3
|
||||
"""Generate server9-bad-saltlen.crt
|
||||
|
||||
Generate a certificate signed with RSA-PSS, with an incorrect salt length.
|
||||
"""
|
||||
|
||||
# Copyright The Mbed TLS Contributors
|
||||
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||
|
||||
import subprocess
|
||||
import argparse
|
||||
from asn1crypto import pem, x509, core #type: ignore #pylint: disable=import-error
|
||||
|
||||
OPENSSL_RSA_PSS_CERT_COMMAND = r'''
|
||||
openssl x509 -req -CA {ca_name}.crt -CAkey {ca_name}.key -set_serial 24 {ca_password} \
|
||||
{openssl_extfile} -days 3650 -outform DER -in {csr} \
|
||||
-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{anounce_saltlen} \
|
||||
-sigopt rsa_mgf1_md:sha256
|
||||
'''
|
||||
SIG_OPT = \
|
||||
r'-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{saltlen} -sigopt rsa_mgf1_md:sha256'
|
||||
OPENSSL_RSA_PSS_DGST_COMMAND = r'''openssl dgst -sign {ca_name}.key {ca_password} \
|
||||
-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{actual_saltlen} \
|
||||
-sigopt rsa_mgf1_md:sha256'''
|
||||
|
||||
|
||||
def auto_int(x):
|
||||
return int(x, 0)
|
||||
|
||||
|
||||
def build_argparser(parser):
|
||||
"""Build argument parser"""
|
||||
parser.description = __doc__
|
||||
parser.add_argument('--ca-name', type=str, required=True,
|
||||
help='Basename of CA files')
|
||||
parser.add_argument('--ca-password', type=str,
|
||||
required=True, help='CA key file password')
|
||||
parser.add_argument('--csr', type=str, required=True,
|
||||
help='CSR file for generating certificate')
|
||||
parser.add_argument('--openssl-extfile', type=str,
|
||||
required=True, help='X905 v3 extension config file')
|
||||
parser.add_argument('--anounce_saltlen', type=auto_int,
|
||||
required=True, help='Announced salt length')
|
||||
parser.add_argument('--actual_saltlen', type=auto_int,
|
||||
required=True, help='Actual salt length')
|
||||
parser.add_argument('--output', type=str, required=True)
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser()
|
||||
build_argparser(parser)
|
||||
args = parser.parse_args()
|
||||
|
||||
return generate(**vars(args))
|
||||
|
||||
def generate(**kwargs):
|
||||
"""Generate different salt length certificate file."""
|
||||
ca_password = kwargs.get('ca_password', '')
|
||||
if ca_password:
|
||||
kwargs['ca_password'] = r'-passin "pass:{ca_password}"'.format(
|
||||
**kwargs)
|
||||
else:
|
||||
kwargs['ca_password'] = ''
|
||||
extfile = kwargs.get('openssl_extfile', '')
|
||||
if extfile:
|
||||
kwargs['openssl_extfile'] = '-extfile {openssl_extfile}'.format(
|
||||
**kwargs)
|
||||
else:
|
||||
kwargs['openssl_extfile'] = ''
|
||||
|
||||
cmd = OPENSSL_RSA_PSS_CERT_COMMAND.format(**kwargs)
|
||||
der_bytes = subprocess.check_output(cmd, shell=True)
|
||||
target_certificate = x509.Certificate.load(der_bytes)
|
||||
|
||||
cmd = OPENSSL_RSA_PSS_DGST_COMMAND.format(**kwargs)
|
||||
#pylint: disable=unexpected-keyword-arg
|
||||
der_bytes = subprocess.check_output(cmd,
|
||||
input=target_certificate['tbs_certificate'].dump(),
|
||||
shell=True)
|
||||
|
||||
with open(kwargs.get('output'), 'wb') as f:
|
||||
target_certificate['signature_value'] = core.OctetBitString(der_bytes)
|
||||
f.write(pem.armor('CERTIFICATE', target_certificate.dump()))
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
Loading…
Reference in a new issue