This patch addresses:

https://fedorahosted.org/pki/ticket/1741 ECDSA Certificates Generated by Certificate System fail NIST validation test with parameter field.

Note: Since we do not support DSA, this patch does not attempt to address it. Also, although we do not claim to support SHA-224, for completeness the patch recognizes the ecdsa-with-SHA224 OID and omits the parameters field for it, but it does not offer SHA-224 among the hashing algorithms for signing, as that is not the purpose of this ticket and adding it would take more time.

thanks!

Christina

>From 5e914a3855d95a0bbca5fc565757fea5e40f16a1 Mon Sep 17 00:00:00 2001
From: Christina Fu <[email protected]>
Date: Fri, 20 Jan 2017 16:01:17 -0800
Subject: [PATCH] Ticket #1741 ECDSA certs Alg IDs contain parameter field Per
 rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
 ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an
 AlgorithmIdentifier, the encoding MUST omit the parameters field. Note: Since
 we do not support DSA, this patch does not attempt to address them. Also,
 while we do not claim to support sha224, the patch adds enough code to
 process the OID just for completeness.  However, it does not attempt to offer
 it as part of the signing algorithms.

---
 .../src/netscape/security/x509/AlgorithmId.java    | 41 +++++++++++++++++-----
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
index 08c9c4f46cfadd7e75a3e6c1f61b47b6d6687ec9..a89843e0a1fd5dcd4da299758e615a76625019b0 100644
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
@@ -230,10 +230,18 @@ public class AlgorithmId implements Serializable, DerEncoder {
         try (DerOutputStream tmp = new DerOutputStream()) {
             DerOutputStream bytes = new DerOutputStream();
             bytes.putOID(algid);
-            if (params == null)
-                bytes.putNull();
-            else
-                bytes.putDerValue(params);
+
+            // omit parameter field for ECDSA
+            if (!algid.equals(sha224WithEC_oid) &&
+                    !algid.equals(sha256WithEC_oid) &&
+                    !algid.equals(sha384WithEC_oid) &&
+                    !algid.equals(sha512WithEC_oid)) {
+                if (params == null) {
+                    bytes.putNull();
+                } else
+                    bytes.putDerValue(params);
+            }
+
             tmp.write(DerValue.tag_Sequence, bytes);
             out.write(tmp.toByteArray());
         }
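Review bot: The omit-parameters condition covers the four SHA-2 ECDSA OIDs but not `sha1WithEC_oid` (visible in the later hunks). RFC 3279 puts the same MUST-omit requirement on ecdsa-with-SHA1, so SHA1withEC identifiers will still be encoded with a NULL parameters field; if that is deliberate, the comment should say so. The identical four-way check is repeated in the `encode()` hunk below, and a single private predicate would keep the two encoders from drifting apart when another OID is added. The dangling `else` can be braced at the same time. The enclosing method starts outside this hunk.

```java
// omit parameter field for ECDSA signature OIDs (RFC 3279, RFC 5758)
if (!omitsParameters(algid)) {
    if (params == null) {
        bytes.putNull();
    } else {
        bytes.putDerValue(params);
    }
}
// … unchanged: wrap in SEQUENCE and write to out …

private static boolean omitsParameters(ObjectIdentifier oid) {
    // sha1WithEC_oid: same rule in RFC 3279; drop this line if SHA-1 is deliberately left as-is
    return oid.equals(sha1WithEC_oid)
            || oid.equals(sha224WithEC_oid)
            || oid.equals(sha256WithEC_oid)
            || oid.equals(sha384WithEC_oid)
            || oid.equals(sha512WithEC_oid);
}
```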
@@ -246,12 +254,19 @@ public class AlgorithmId implements Serializable, DerEncoder {
     public final byte[] encode() throws IOException {
         try (DerOutputStream out = new DerOutputStream()) {
             DerOutputStream bytes = new DerOutputStream();
-
             bytes.putOID(algid);
-            if (params == null)
-                bytes.putNull();
-            else
-                bytes.putDerValue(params);
+
+            // omit parameter field for ECDSA
+            if (!algid.equals(sha224WithEC_oid) &&
+                    !algid.equals(sha256WithEC_oid) &&
+                    !algid.equals(sha384WithEC_oid) &&
+                    !algid.equals(sha512WithEC_oid)) {
+                if (params == null) {
+                    bytes.putNull();
+                } else
+                    bytes.putDerValue(params);
+            }
+
             out.write(DerValue.tag_Sequence, bytes);
             return out.toByteArray();
         }
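Review bot: `encode()` now drops `params` for these OIDs regardless of how the AlgorithmId was obtained, so an identifier decoded from an older certificate that carried an explicit NULL will re-encode to different bytes. Whether any caller compares or re-serializes decoded identifiers (for example when checking that the outer signatureAlgorithm matches the one inside the signed body) is not visible in this patch. That is worth confirming, with a round-trip test covering both the NULL form and the absent form. A Javadoc line on `encode()` such as `ECDSA signature OIDs are always encoded without a parameters field, even if one was present when decoded.` would document the behaviour.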
@@ -314,6 +329,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
         if (name.equals("SHA1withEC") || name.equals("SHA1/EC")
                 || name.equals("1.2.840.10045.4.1"))
             return AlgorithmId.sha1WithEC_oid;
+        if (name.equals("SHA224withEC") || name.equals("SHA224/EC")
+                || name.equals("1.2.840.10045.4.3.1"))
+            return AlgorithmId.sha224WithEC_oid;
         if (name.equals("SHA256withEC") || name.equals("SHA256/EC")
                 || name.equals("1.2.840.10045.4.3.2"))
             return AlgorithmId.sha256WithEC_oid;
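Review bot: Only the name-to-OID direction is added for SHA-224 here, and none of the five hunks touches an OID-to-name lookup. If this class has one, `sha224WithEC_oid` will presumably fall back to a dotted-OID string when displayed or logged. Either add the matching branch there, or state the limited intent next to this branch, e.g. `// SHA224withEC: recognized so the parameters field is omitted; not offered for signing`. The enclosing method starts and ends outside this hunk.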
@@ -646,6 +664,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
      */
     private static final int sha1WithEC_data[] =
                                    { 1, 2, 840, 10045, 4, 1 };
+    private static final int sha224WithEC_data[] =
+                                   { 1, 2, 840, 10045, 4, 3, 1 };
     private static final int sha256WithEC_data[] =
                                    { 1, 2, 840, 10045, 4, 3, 2 };
     private static final int sha384WithEC_data[] =
@@ -676,6 +696,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
     public static final ObjectIdentifier sha1WithEC_oid = new
             ObjectIdentifier(sha1WithEC_data);
 
+    public static final ObjectIdentifier sha224WithEC_oid = new
+            ObjectIdentifier(sha224WithEC_data);
+
     public static final ObjectIdentifier sha256WithEC_oid = new
             ObjectIdentifier(sha256WithEC_data);
 
-- 
2.7.4
