Add basic PSS cert verification
Still todo: - handle MGF-hash != sign-hash - check effective salt len == announced salt len - add support in the PK layer so that we don't have to bypass it here
This commit is contained in:
parent
e6d1d82b66
commit
920e1cd5e2
4 changed files with 180 additions and 0 deletions
|
@ -1669,6 +1669,21 @@ static int x509_crt_verify_top(
|
|||
continue;
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
|
||||
if( child->sig_pk == POLARSSL_PK_RSASSA_PSS )
|
||||
{
|
||||
if( pk_can_do( &trust_ca->pk, POLARSSL_PK_RSA ) == 0 ||
|
||||
rsa_rsassa_pss_verify( pk_rsa( trust_ca->pk ),
|
||||
NULL, NULL, RSA_PUBLIC,
|
||||
child->sig_md,
|
||||
md_info->size, hash,
|
||||
child->sig.p ) != 0 )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else
|
||||
#endif
|
||||
if( pk_can_do( &trust_ca->pk, child->sig_pk ) == 0 ||
|
||||
pk_verify( &trust_ca->pk, child->sig_md, hash, md_info->size,
|
||||
child->sig.p, child->sig.len ) != 0 )
|
||||
|
@ -1758,6 +1773,21 @@ static int x509_crt_verify_child(
|
|||
{
|
||||
md( md_info, child->tbs.p, child->tbs.len, hash );
|
||||
|
||||
#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
|
||||
if( child->sig_pk == POLARSSL_PK_RSASSA_PSS )
|
||||
{
|
||||
if( pk_can_do( &parent->pk, POLARSSL_PK_RSA ) == 0 ||
|
||||
rsa_rsassa_pss_verify( pk_rsa( parent->pk ),
|
||||
NULL, NULL, RSA_PUBLIC,
|
||||
child->sig_md,
|
||||
md_info->size, hash,
|
||||
child->sig.p ) != 0 )
|
||||
{
|
||||
*flags |= BADCERT_NOT_TRUSTED;
|
||||
}
|
||||
}
|
||||
else
|
||||
#endif
|
||||
if( pk_can_do( &parent->pk, child->sig_pk ) == 0 ||
|
||||
pk_verify( &parent->pk, child->sig_md, hash, md_info->size,
|
||||
child->sig.p, child->sig.len ) != 0 )
|
||||
|
|
19
tests/data_files/server9-badsign.crt
Normal file
19
tests/data_files/server9-badsign.crt
Normal file
|
@ -0,0 +1,19 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
|
||||
EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
|
||||
Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO
|
||||
TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq
|
||||
hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
|
||||
HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
|
||||
r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
|
||||
qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ
|
||||
wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w
|
||||
OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh
|
||||
clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR
|
||||
vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6
|
||||
te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW
|
||||
Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj
|
||||
88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw
|
||||
JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1
|
||||
o4Hl/lqjwCFG
|
||||
-----END CERTIFICATE-----
|
99
tests/data_files/server9-with-ca.crt
Normal file
99
tests/data_files/server9-with-ca.crt
Normal file
|
@ -0,0 +1,99 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
|
||||
EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
|
||||
Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO
|
||||
TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq
|
||||
hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
|
||||
HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
|
||||
r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
|
||||
qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ
|
||||
wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w
|
||||
OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh
|
||||
clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR
|
||||
vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6
|
||||
te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW
|
||||
Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj
|
||||
88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw
|
||||
JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1
|
||||
o4Hl/lqjwCEG
|
||||
-----END CERTIFICATE-----
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 0 (0x0)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
|
||||
Validity
|
||||
Not Before: Feb 12 14:44:00 2011 GMT
|
||||
Not After : Feb 12 14:44:00 2021 GMT
|
||||
Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (2048 bit)
|
||||
Modulus (2048 bit):
|
||||
00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
|
||||
7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
|
||||
58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
|
||||
1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
|
||||
e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
|
||||
cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
|
||||
ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
|
||||
71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
|
||||
c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
|
||||
58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
|
||||
e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
|
||||
69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
|
||||
79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
|
||||
58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
|
||||
e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
|
||||
65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
|
||||
ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
|
||||
a2:d5
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:TRUE
|
||||
X509v3 Subject Key Identifier:
|
||||
B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
|
||||
DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
|
||||
serial:00
|
||||
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
|
||||
1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
|
||||
32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
|
||||
37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
|
||||
09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
|
||||
8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
|
||||
2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
|
||||
e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
|
||||
e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
|
||||
66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
|
||||
35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
|
||||
09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
|
||||
08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
|
||||
e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
|
||||
f7:e0:e9:54
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
|
||||
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
|
||||
MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
|
||||
A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
|
||||
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
|
||||
mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
|
||||
50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
|
||||
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
|
||||
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
|
||||
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
|
||||
gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
|
||||
/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
|
||||
BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
|
||||
dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
|
||||
SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
|
||||
DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
|
||||
pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
|
||||
m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
|
||||
7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
|
||||
-----END CERTIFICATE-----
|
|
@ -570,6 +570,38 @@ X509 Certificate verification #56 (CA keyUsage plain wrong)
|
|||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Certificate verification #57 (Valid, RSASSA-PSS, SHA-1)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #58 (Valid, RSASSA-PSS, SHA-224)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #59 (Valid, RSASSA-PSS, SHA-256)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #60 (Valid, RSASSA-PSS, SHA-384)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C
|
||||
x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #61 (Valid, RSASSA-PSS, SHA-512)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C
|
||||
x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #57 (Valid, RSASSA-PSS, SHA-1, not top)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #62 (RSASSA-PSS, SHA1, bad signature)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Certificate verification #63 (RSASSA-PSS, SHA1, no RSA CA)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
|
||||
x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Parse Selftest
|
||||
depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_PARSE_C:POLARSSL_CERTS_C
|
||||
x509_selftest:
|
||||
|
|
Loading…
Reference in a new issue