[openssl.org #3368] (trivial patch): duplicate 0x0x in default RSASSA-PSS salt length

2014-05-29 Thread Martin Kaiser via RT
Dear all,

when you use e.g. the sample X.509 certs from my website

http://www.kaiser.cx/downloads/x509PssEmptyParams.zip

and run

openssl x509 -in pssRootCert.pem -noout -text

the salt len has a duplicate 0x.

Signature Algorithm: rsassaPss
 ...
 Salt Length: 0x0x14 (default)
 Trailer Field: 0xBC (default)


The attached trivial patch fixes this.

Best regards,
Martin

From e5dc15b9751bf561f6aebd371c31f6da3c345cda Mon Sep 17 00:00:00 2001
From: Martin Kaiser mar...@kaiser.cx
Date: Wed, 28 May 2014 11:16:06 +0200
Subject: [PATCH] remove duplicate 0x for default RSASSA-PSS salt len

---
 crypto/rsa/rsa_ameth.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 04d9f62..c6e083f 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -375,7 +375,7 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
 		if (i2a_ASN1_INTEGER(bp, pss-saltLength) = 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, 0x14 (default)) = 0)
+	else if (BIO_puts(bp, 14 (default)) = 0)
 		goto err;
 	BIO_puts(bp, \n);
 
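Review bot: the "0x" prefix that both branches rely on is printed above this hunk's first context line, so it is not visible here; the explicit branch goes through i2a_ASN1_INTEGER(), which emits hex digits with no prefix of its own, so dropping "0x" from the default literal makes the two branches consistent (hex 14 is the PKCS #1 default of 20 octets). Worth checking that the trailer field line below, which the report shows as "0xBC (default)", is built the same way so it does not pick up the same duplication.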
-- 
1.7.10.4



[openssl.org #3364] misleading description for -noout in the sess_id application

2014-05-23 Thread Martin Kaiser via RT
Hi,

please find attached a trivial patch to correct the description of
-noout in the sess_id application. At the moment it mentions a CRL, which
is probably a copy-and-paste mistake. I modified it to match the
manpage.

Best regards,

   Martin

From 8360cbb13ee0d52ec88e859678d8858e55332d58 Mon Sep 17 00:00:00 2001
From: Martin Kaiser mar...@kaiser.cx
Date: Wed, 21 May 2014 14:12:30 +0200
Subject: [PATCH 1/2] modify the description of -noout to match the manpage

---
 apps/sess_id.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/apps/sess_id.c b/apps/sess_id.c
index b16686c..c5823a5 100644
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -78,7 +78,7 @@ static const char *sess_id_usage[]={
  -out arg- output file - default stdout\n,
  -text   - print ssl session id details\n,
  -cert   - output certificate \n,
- -noout  - no CRL output\n,
+ -noout  - no output of encoded session info\n,
  -context arg- set the session ID context\n,
 NULL
 };
-- 
1.7.6.5



Re: [openssl.org #3352] export session id and master key in NSS keylog format

2014-05-22 Thread Martin Kaiser via RT
Hi Matt,

> With regards to the patch itself, it is the idiom of many of the OpenSSL
> command line apps to take a -outform argument. I think it would be more in
> keeping with the intention of that argument if the patch were modified to use
> -outform NSS instead of -keylog. Could you make the appropriate amendments
> and resubmit?

here's an updated version of the patch that uses -outform NSS.

Best regards,

   Martin

From 6abefeefd9ef3cc03d485614c975888e1bb93d38 Mon Sep 17 00:00:00 2001
From: Martin Kaiser mar...@kaiser.cx
Date: Tue, 11 Mar 2014 11:55:17 +0100
Subject: [PATCH 2/2] add an NSS output format to sess_id to export the
 session id and the master key in NSS keylog format

---
 CHANGES  |4 
 apps/apps.c  |2 ++
 apps/apps.h  |1 +
 apps/sess_id.c   |4 +++-
 doc/apps/sess_id.pod |9 +
 ssl/ssl.h|1 +
 ssl/ssl_txt.c|   30 ++
 7 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index d5142be..a55bdc9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.2 and 1.1.0  [xx XXX ]
 
+  *) New output format NSS in the sess_id command line tool. This allows
+ exporting the session id and the master key in NSS keylog format.
+ [Martin Kaiser mar...@kaiser.cx]
+
   *) Harmonize version and its documentation. -f flag is used to display
  compilation flags.
  [mancha manc...@zoho.com]
diff --git a/apps/apps.c b/apps/apps.c
index b82882a..9468848 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -263,6 +263,8 @@ int str2fmt(char *s)
 		return(FORMAT_ASN1);
 	else if ((*s == 'T') || (*s == 't'))
 		return(FORMAT_TEXT);
+	else if ((strcmp(s,NSS) == 0) || (strcmp(s,nss) == 0))
+		return(FORMAT_NSS);
   	else if ((*s == 'N') || (*s == 'n'))
   		return(FORMAT_NETSCAPE);
   	else if ((*s == 'S') || (*s == 's'))
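Review bot: the strcmp() branch has to stay ahead of the single-character 'N' test, as it does here, or "NSS" would fall through to FORMAT_NETSCAPE; but because only the exact spellings "NSS" and "nss" are matched, a mixed-case "Nss" still silently becomes FORMAT_NETSCAPE instead of an error. Consider a case-insensitive comparison so the new format is matched as leniently as the single-letter ones.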
diff --git a/apps/apps.h b/apps/apps.h
index 5f083d4..b4a9b49 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -363,6 +363,7 @@ void store_setup_crl_download(X509_STORE *st);
 #define FORMAT_MSBLOB	11	/* MS Key blob format */
 #define FORMAT_PVK	12	/* MS PVK file format */
 #define FORMAT_HTTP	13	/* Download using HTTP */
+#define FORMAT_NSS	14	/* NSS keylog format */
 
 #define EXT_COPY_NONE	0
 #define EXT_COPY_ADD	1
diff --git a/apps/sess_id.c b/apps/sess_id.c
index c5823a5..a31d227 100644
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -73,7 +73,7 @@ static const char *sess_id_usage[]={
 usage: sess_id args\n,
 \n,
  -inform arg - input format - default PEM (DER or PEM)\n,
- -outform arg- output format - default PEM\n,
+ -outform arg- output format - default PEM (PEM, DER or NSS)\n,
  -in arg - input file - default stdin\n,
  -out arg- output file - default stdout\n,
  -text   - print ssl session id details\n,
@@ -246,6 +246,8 @@ bad:
 			i=i2d_SSL_SESSION_bio(out,x);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_SSL_SESSION(out,x);
+		else if (outformat == FORMAT_NSS)
+			i=SSL_SESSION_print_keylog(out,x);
 		else	{
 			BIO_printf(bio_err,bad output format specified for outfile\n);
 			goto end;
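Review bot: the FORMAT_NSS branch writes the session's master key to `out`, which per the usage text in the previous hunk defaults to stdout, so it ends up in terminal scrollback or a shell pipeline unless redirected; the -outform usage string (and the CHANGES entry) should say that the NSS output is secret material. The i2d_/PEM_ writers this branch sits beside return 1 on success and 0 on failure, so SSL_SESSION_print_keylog() must use the same convention for `i`.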
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index 9988d2c..fb5ce12 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -9,7 +9,7 @@ sess_id - SSL/TLS session handling utility
 
 Bopenssl Bsess_id
 [B-inform PEM|DER]
-[B-outform PEM|DER]
+[B-outform PEM|DER|NSS]
 [B-in filename]
 [B-out filename]
 [B-text]
@@ -33,10 +33,11 @@ format containing session details. The precise format can vary from one version
 to the next.  The BPEM form is the default format: it consists of the BDER
 format base64 encoded with additional header and footer lines.
 
-=item B-outform DER|PEM
+=item B-outform DER|PEM|NSS
 
-This specifies the output format, the options have the same meaning as the 
-B-inform option.
+This specifies the output format. The BPEM and BDER options have the same meaning
+as the B-inform option. The BNSS option outputs the session id and the master key
+in NSS keylog format.
 
 =item B-in filename
 
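Review bot: the new sentence says what the NSS output contains but not that it is key material; a keylog line carries the master secret of the session, so the pod should tell readers to protect the output file like a private key rather than leaving it on stdout.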
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 92ffae9..7d0c7bb 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2235,6 +2235,7 @@ int	SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
 #endif
 #ifndef OPENSSL_NO_BIO
 int	SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
+int	SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
 #endif
 void	SSL_SESSION_free(SSL_SESSION *ses);
 int	i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 20b95a2..0ffdcb0 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -248,3 +248,33 @@ err:
 	return(0);
 	}
 
+/* print session id and master key in NSS keylog format
+   (RSA Session-ID:session id Master-Key:master key) */
+int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x)
+	{
+	unsigned int i;
+
+	if (x == NULL) goto err;
+	if (x-session_id_length==0 || x-master_key_length==0) 
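Review bot: the hunk is cut off in the archive right after the length check, so the `err:` label, the error path and the return value cannot be reviewed here; sess_id.c treats the result like i2d_SSL_SESSION_bio()/PEM_write_bio_SSL_SESSION() (1 on success, 0 on failure), so both the NULL and the zero-length case should return 0, and the hex-print loop that `unsigned int i` suggests should run over `session_id_length` and `master_key_length`, not the full array sizes.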

Re: [openssl.org #2315] PSS certificates with keysize n*8+1 don't validate

2010-08-09 Thread Martin Kaiser via RT
Hi Hanno, all,

Thus wrote Hanno Boeck via RT (r...@openssl.org):

> openssl genrsa 2001 > test.key
>
> openssl req -batch -new -x509 -sigopt rsa_padding_mode:pss -nodes -days 9 -key test.key > test.crt
>
> openssl verify -check_ss_sig -CAfile test.crt test.crt

I've had a quick look, the problem is that the saltlen encoded in the
certificate (==229) and the saltlen used for the calculations (==228)
are different. In RSA_padding_add_PKCS1_PSS_mgf1(), RSA_size(rsa) is
250. In rsa_item_sign(), EVP_PKEY_size(pk) is 251.

I can't take the ticket in the RT but I'm happy to progress this and
propose a patch.

Best regards,

   Martin
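
To make the mismatch concrete, here is an added example (Python written for this page, not code from the ticket or from OpenSSL) that computes the maximum PSS salt length both ways for the 2001-bit key above and, going beyond the single case, lists which modulus sizes are affected at all; hLen of 20 assumes the SHA-1 default.

```python
# Added example, not OpenSSL code. EMSA-PSS (PKCS #1 v2.1, section 9.1)
# encodes into emLen = ceil((modBits - 1) / 8) octets, while the whole-byte
# key size EVP_PKEY_size() reports is ceil(modBits / 8); the two differ
# exactly when modBits = n*8 + 1, and a signer that derives the "maximum"
# salt length from the whole-byte size picks one octet too many.

SHA1_LEN = 20   # hLen for the default PSS digest, SHA-1 (assumed here)


def em_len_spec(mod_bits):
    """emLen as PKCS #1 v2.1 defines it: ceil((modBits - 1) / 8)."""
    return (mod_bits - 1 + 7) // 8


def em_len_whole_bytes(mod_bits):
    """Whole-byte key size, ceil(modBits / 8): 251 for a 2001-bit key."""
    return (mod_bits + 7) // 8


def max_salt_len(em_len, h_len=SHA1_LEN):
    """Largest sLen allowed by the constraint emLen >= hLen + sLen + 2."""
    return em_len - h_len - 2


def max_salt_len_spec(mod_bits, h_len=SHA1_LEN):
    """Salt length the padding routine really has room for (228 for 2001 bits)."""
    return max_salt_len(em_len_spec(mod_bits), h_len)


def max_salt_len_whole_bytes(mod_bits, h_len=SHA1_LEN):
    """Salt length derived from the whole-byte size (229 for 2001 bits)."""
    return max_salt_len(em_len_whole_bytes(mod_bits), h_len)


def affected_key_sizes(lo_bits, hi_bits):
    """Modulus sizes in [lo_bits, hi_bits] for which the two computations
    disagree, i.e. the certificate would carry a saltLength the verifier
    cannot honour. Generalises the 2001-bit case: every size n*8 + 1."""
    return [b for b in range(lo_bits, hi_bits + 1)
            if max_salt_len_spec(b) != max_salt_len_whole_bytes(b)]


def encoded_salt_fits(mod_bits, encoded_salt_len, h_len=SHA1_LEN):
    """Verifier-side check: does the saltLength found in the certificate's
    PSS parameters fit the emLen the modulus actually provides?"""
    return 0 <= encoded_salt_len <= max_salt_len_spec(mod_bits, h_len)


if __name__ == "__main__":
    bits = 2001
    print("spec salt length for %d bits: %d" % (bits, max_salt_len_spec(bits)))
    print("whole-byte salt length: %d" % max_salt_len_whole_bytes(bits))
    print("affected sizes 2000..2020:", affected_key_sizes(2000, 2020))
    print("encoded 229 fits?", encoded_salt_fits(bits, 229))
```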


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2010-03-09 Thread Martin Kaiser via RT
Hello Steve,

Thus wrote Stephen Henson via RT (r...@openssl.org):

> I've now committed code to the development branch which includes PSS
> signature verification support.

thanks for committing this, it looks like a clean and generic approach. 

(of course, it's a pity that most of my code didn't make it into the
final version but that's life...)

> I'll look into PSS signing at some point too.

Any chance I can contribute to this, based on your approach for
verification?

A while ago, I extended my patch to support basic PSS signing. For this,
I added a -pss command line parameter to x509 which uses the default PSS
parameters and does not explicitly encode them. Instead, an empty
sequence is used to indicate default parameters.

> Let me know of any problems.

It runs ok against the sample certificates that I have here.

Do you think it makes sense to check the trailerField in
rsa_item_verify() to make sure that it is the default value?

Index: crypto/rsa/rsa_ameth.c
===
RCS file: /v/openssl/cvs/openssl/crypto/rsa/rsa_ameth.c,v
retrieving revision 1.24
diff -u -r1.24 rsa_ameth.c
--- crypto/rsa/rsa_ameth.c  8 Mar 2010 18:10:35 -   1.24
+++ crypto/rsa/rsa_ameth.c  9 Mar 2010 21:55:22 -
@@ -530,6 +530,13 @@
else
saltlen = 20;
 
+   /* low-level routines support only trailer field 0xbc (value 1) */
+   if (pss-trailerField  ASN1_INTEGER_get(pss-trailerField) != 1)
+   {
+   RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_INVALID_TRAILER);
+   goto err;
+   }
+
/* We have all parameters now set up context */
 
if (!EVP_DigestVerifyInit(ctx, pkctx, md, NULL, pkey))
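Review bot: RSA_R_INVALID_TRAILER is a new reason code and the patch touches only rsa_ameth.c, so it also needs a #define in rsa.h and a string entry in rsa_err.c (normally produced by `make errors` / util/mkerr.pl), otherwise this does not build. The check itself is sound: it only runs when trailerField is present, which is right because an absent field means the default of 1, and ASN1_INTEGER_get() returning -1 on overflow or negative values is caught by the `!= 1` test.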


BTW, ticket #2131 is now obsolete ;-)

Best regards,

   Martin




Re: [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2010-02-15 Thread Martin Kaiser via RT
Hello Steve,

thanks for your feedback.

Thus wrote Stephen Henson via RT (r...@openssl.org):

> As has been indicated the PSS ASN1 module is incorrect. Does that
> actually verify PSS signatures correctly with non-default algorithms?
> I'd expect ASN1 parsing errors.

I got Francesco's point and corrected this. The certificates I used for
testing either had the parameters omitted or were generated by myself
using the same wrong definition, that's why I didn't spot the problem.

I'll update the sample certificates on my website shortly
(http://www.kaiser.cx/x509Pss.html)

> A quick look through (I'm not short of things to do at the moment
> alas...) suggests ctrl return codes aren't checked properly in a number
> of places.

Are you referring to this?

   if (type == NULL)
      {
      if (EVP_PKEY_CTX_ctrl(ctx->pctx, -1, ctx->pctx->operation,
                            EVP_PKEY_CTRL_PARAM_SET_FROM_PKEY, 0, pkey))
         {
         EVP_PKEY_CTX_ctrl(ctx->pctx, -1, ctx->pctx->operation,
                           EVP_PKEY_CTRL_GET_DIGEST, 0, &type);
         }
      }

I'll add clean error checking.

> I also find the lack of any use of the PSS OID as rather strange. The
> specifications I've seen should require it is at least checked.

I've added a function
void EVP_MD_CTX_set_padmode_from_nid(EVP_MD_CTX *ctx, int nid)
that sets EVP_MD_CTX_FLAG_PAD_PSS when it sees the PSS nid. This ctx is
then passed into EVP_DigestVerifyInit.

pkey_rsa_verifyctx_init() converts the flag into RSA_PKEY_CTX' pad_mode
parameter. The pad_mode is checked when the ctrls set the pss
parameters.

Please see the attached patch (against 2010-02-07 snapshot) for a first
concept. Does this make sense to you or does it contradict your intended
use of the (yet unused) EVP_MD_CTX_FLAG_PAD_... flags?

Best regards,

   Martin

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index d9332ee..c5531de 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -134,14 +134,15 @@ err:
 int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	 void *asn, EVP_PKEY *pkey)
 	{
-	EVP_MD_CTX ctx;
-	const EVP_MD *type = NULL;
+	EVP_MD_CTX mctx;
+	const EVP_MD *md = NULL;
+
 	unsigned char *buf_in=NULL;
 	int ret= -1,inl;
 
 	int mdnid, pknid;
 
-	EVP_MD_CTX_init(ctx);
+	EVP_MD_CTX_init(mctx);
 
 	/* Convert signature OID into digest and public key OIDs */
 	if (!OBJ_find_sigid_algs(OBJ_obj2nid(a-algorithm), mdnid, pknid))
@@ -149,12 +150,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
 		goto err;
 		}
-	type=EVP_get_digestbynid(mdnid);
-	if (type == NULL)
-		{
-		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-		goto err;
-		}
+	md=EVP_get_digestbynid(mdnid); /* md == NULL is no longer an error */
 
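Review bot: with the error removed, a NULL md is no longer rejected for any signature algorithm, not only for PSS; as discussed earlier in this thread, EVP_DigestVerifyInit() substitutes the key's default digest when passed NULL, so a certificate whose signature OID maps to an unrecognised digest would now be verified with the default digest instead of failing with ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM. Suggest keeping the error unless the public key method (or the PSS NID) explicitly says it will work the digest out itself.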
 	/* Check public key OID matches public key type */
 	if (EVP_PKEY_type(pknid) != pkey-ameth-pkey_id)
@@ -162,8 +158,41 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
 		goto err;
 		}
-
-	if (!EVP_VerifyInit_ex(ctx,type, NULL))
+   if (pkey-ameth-param_decode  a)
+  {
+  int plen;
+
+  /* this is ok for a-parameter==NULL, result is plen=0 */
+  plen = i2d_ASN1_TYPE(a-parameter, NULL);
+  if (plen  0)
+ {
+ const unsigned char *cp;
+ unsigned char *p;
+ unsigned char *pder=NULL;
+ int ok;
+
+ pder = (unsigned char *)OPENSSL_malloc(plen);
+ if (pder == NULL)
+{
+		  ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_MALLOC_FAILURE);
+		  goto err;
+}
+
+ /* call i2d_...() routines like in pem_pkey.c */
+ p = pder; 
+ plen = i2d_ASN1_TYPE(a-parameter, p);
+ cp = pder;
+
+ ok = pkey-ameth-param_decode(pkey, cp, plen);
+ OPENSSL_free(pder);
+ if (!ok)
+goto err;
+ }
+  }
+
+   EVP_MD_CTX_set_padmode_from_nid(mctx, OBJ_obj2nid(a-algorithm));
+
+	if (!EVP_DigestVerifyInit(mctx, NULL,md, NULL, pkey))
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
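Review bot: the `&& a` guard on the param_decode block is inconsistent with the rest of the function, which dereferences a->algorithm unconditionally both in the earlier OBJ_find_sigid_algs() call and in the new EVP_MD_CTX_set_padmode_from_nid(mctx, OBJ_obj2nid(a->algorithm)) line below it, so either drop the guard or make the later call conditional too. The new block is also indented with spaces while the surrounding context uses tabs, and EVP_MD_CTX_set_padmode_from_nid() is void, which leaves no way to report an unexpected nid.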
@@ -178,7 +207,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		goto err;
 		}
 
-	if (!EVP_VerifyUpdate(ctx,(unsigned char *)buf_in,inl))
+	if (!EVP_DigestVerifyUpdate(mctx,(unsigned char *)buf_in,inl))
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
@@ -188,19 +217,19 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 
-	if (EVP_VerifyFinal(ctx,(unsigned char *)signature-data,
-			(unsigned int)signature-length,pkey) = 0)
+	if (EVP_DigestVerifyFinal(mctx,(unsigned char *)signature-data,
+			(unsigned int)signature-length) = 0)
 		{
 		

Re: [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2010-02-07 Thread Martin Kaiser via RT

Dear OpenSSL team and all,

finally, here's my patch (against today's 1.1 snapshot) for verification
of X.509 certificates using an RSASSA-PSS signature. I believe it is
fairly complete in terms of checking parameters.

The patch follows the idea that I outlined in previous posts

- two new ASN.1 objects for pss, mgf1
- in obj_xref.txt, pss uses digest undef
- verify routine has to determine the digest by itself
- ASN1_item_verify() uses EVP_DigestVerify... API
- rsa_st gets two new elements
- param_decode method for rsa parses rsa key's parameters in the
  certificate
- at verification time, pss parameters are copied into EVP_PKEY_CTX

This time, I really do hope to get some feedback. Reviewing this won't
be wasted time, I'm happy to improve the code until it is ready for
merging.

As such pss certificates are now being deployed by the millions for
digital pay-tv in Europe (www.ci-plus.com), I feel that OpenSSL should
support them.

Best regards,

   Martin

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index d9332ee..aed0fdb 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -134,14 +134,15 @@ err:
 int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	 void *asn, EVP_PKEY *pkey)
 	{
-	EVP_MD_CTX ctx;
-	const EVP_MD *type = NULL;
+	EVP_MD_CTX mctx;
+	const EVP_MD *md = NULL;
+
 	unsigned char *buf_in=NULL;
 	int ret= -1,inl;
 
 	int mdnid, pknid;
 
-	EVP_MD_CTX_init(ctx);
+	EVP_MD_CTX_init(mctx);
 
 	/* Convert signature OID into digest and public key OIDs */
 	if (!OBJ_find_sigid_algs(OBJ_obj2nid(a-algorithm), mdnid, pknid))
@@ -149,12 +150,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
 		goto err;
 		}
-	type=EVP_get_digestbynid(mdnid);
-	if (type == NULL)
-		{
-		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-		goto err;
-		}
+	md=EVP_get_digestbynid(mdnid); /* md == NULL is no longer an error */
 
 	/* Check public key OID matches public key type */
 	if (EVP_PKEY_type(pknid) != pkey-ameth-pkey_id)
@@ -162,8 +158,39 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
 		goto err;
 		}
-
-	if (!EVP_VerifyInit_ex(ctx,type, NULL))
+   if (pkey-ameth-param_decode  a)
+  {
+  int plen;
+
+  /* this is ok for a-parameter==NULL, result is plen=0 */
+  plen = i2d_ASN1_TYPE(a-parameter, NULL);
+  if (plen  0)
+ {
+ const unsigned char *cp;
+ unsigned char *p;
+ unsigned char *pder=NULL;
+ int ok;
+
+ pder = (unsigned char *)OPENSSL_malloc(plen);
+ if (pder == NULL)
+{
+		  ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_MALLOC_FAILURE);
+		  goto err;
+}
+
+ /* call i2d_...() routines like in pem_pkey.c */
+ p = pder; 
+ plen = i2d_ASN1_TYPE(a-parameter, p);
+ cp = pder;
+
+ ok = pkey-ameth-param_decode(pkey, cp, plen);
+ OPENSSL_free(pder);
+ if (!ok)
+goto err;
+ }
+  }
+
+	if (!EVP_DigestVerifyInit(mctx, NULL,md, NULL, pkey))
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
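Review bot: when param_decode() fails, the code jumps to err without pushing an error, so `ret` stays at -1 and the caller cannot tell a rejected PSS parameter set from a malformed structure; add an ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ...) with a dedicated reason and set ret=0 as the other failure paths in this function do. The length returned by the second i2d_ASN1_TYPE() call is assigned to plen but never compared with the first; a mismatch would indicate a bug and is cheap to check.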
@@ -178,7 +205,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		goto err;
 		}
 
-	if (!EVP_VerifyUpdate(ctx,(unsigned char *)buf_in,inl))
+	if (!EVP_DigestVerifyUpdate(mctx,(unsigned char *)buf_in,inl))
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
@@ -188,19 +215,19 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 
-	if (EVP_VerifyFinal(ctx,(unsigned char *)signature-data,
-			(unsigned int)signature-length,pkey) = 0)
+	if (EVP_DigestVerifyFinal(mctx,(unsigned char *)signature-data,
+			(unsigned int)signature-length) = 0)
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
 		goto err;
 		}
-	/* we don't need to zero the 'ctx' because we just checked
+	/* we don't need to zero the 'mctx' because we just checked
 	 * public information */
-	/* memset(ctx,0,sizeof(ctx)); */
+	/* memset(mctx,0,sizeof(ctx)); */
 	ret=1;
 err:
-	EVP_MD_CTX_cleanup(ctx);
+	EVP_MD_CTX_cleanup(mctx);
 	return(ret);
 	}
 
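Review bot: the ctx to mctx rename is incomplete in the commented-out line: `/* memset(mctx,0,sizeof(ctx)); */` still says sizeof(ctx), so it would not compile if ever reactivated. Either change it to sizeof(mctx) or drop the dead comment, since the sentence above it already explains why no zeroing is needed.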
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 9064164..344cc03 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -1038,6 +1038,9 @@ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
 #define EVP_PKEY_CTRL_CMS_DECRYPT	10
 #define EVP_PKEY_CTRL_CMS_SIGN		11
 
+#define EVP_PKEY_CTRL_PARAM_SET_FROM_PKEY   20
+#define EVP_PKEY_CTRL_GET_DIGEST21
+
 #define EVP_PKEY_ALG_CTRL		0x1000
 
 
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index f0b7f95..170f6a9 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -72,19 

[openssl.org #2131] [patch] add two objects related to pss

2009-12-29 Thread Martin Kaiser via RT
Dear all,

I'm still looking into pss support for X.509 certificates. So far, I
haven't received any feedback to my proposals in #1951, I assume you're
all busy lately. Anyway, I'm trying to progress things along the lines
of what I've proposed and hope for some feedback when I post the code.

Could we kick this whole pss thing off with something non-contentious? I
would like to ask you to add the two ASN.1 objects for pss and mgf1.
Since I'm regularly merging your daily snapshots into my tree, having
those objects in place would make my life much easier.

The attached patch is against the 1.1.0 snapshot of 28th December.

Thanks in advance,

   Martin

diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 80f4d71..acb3001 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 894
-#define NUM_SN 887
-#define NUM_LN 887
-#define NUM_OBJ 841
+#define NUM_NID 896
+#define NUM_SN 889
+#define NUM_LN 889
+#define NUM_OBJ 843
 
-static const unsigned char lvalues[5835]={
+static const unsigned char lvalues[5853]={
 0x00,/* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,   /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,  /* [  7] OBJ_pkcs */
@@ -909,6 +909,8 @@ static const unsigned char lvalues[5835]={
 0x55,0x04,0x35,  /* [5817] OBJ_deltaRevocationList */
 0x55,0x04,0x36,  /* [5820] OBJ_dmdName */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x09,/* [5823] OBJ_id_alg_PWRI_KEK */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08,/* [5834] OBJ_mgf1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A,/* [5843] OBJ_rsassaPss */
 };
 
 static const ASN1_OBJECT nid_objs[NUM_NID]={
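Review bot: obj_dat.h is generated from objects.txt by crypto/objects/obj_dat.pl (and obj_mac.h/obj_mac.num by objects.pl), so this hand edit will be overwritten by the next `make update`; only the objects.txt hunk at the end of the patch needs review. The numbers are consistent, though: lvalues grows by 18 = 2 x 9 octets for the two pkcs-1 OIDs, and NUM_NID/NUM_SN/NUM_LN/NUM_OBJ each grow by 2.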
@@ -2354,6 +2356,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 {dmdName,dmdName,NID_dmdName,3,(lvalues[5820]),0},
 {id-alg-PWRI-KEK,id-alg-PWRI-KEK,NID_id_alg_PWRI_KEK,11,
 	(lvalues[5823]),0},
+{MGF1,mgf1,NID_mgf1,9,(lvalues[5834]),0},
+{RSASSA-PSS,rsassaPss,NID_rsassaPss,9,(lvalues[5843]),0},
 };
 
 static const unsigned int sn_objs[NUM_SN]={
@@ -2454,6 +2458,7 @@ static const unsigned int sn_objs[NUM_SN]={
  4,	/* MD5 */
 114,	/* MD5-SHA1 */
 95,	/* MDC2 */
+894,	/* MGF1 */
 388,	/* Mail */
 393,	/* NULL */
 404,	/* NULL */
@@ -2510,6 +2515,7 @@ static const unsigned int sn_objs[NUM_SN]={
 668,	/* RSA-SHA256 */
 669,	/* RSA-SHA384 */
 670,	/* RSA-SHA512 */
+895,	/* RSASSA-PSS */
 777,	/* SEED-CBC */
 779,	/* SEED-CFB */
 776,	/* SEED-ECB */
@@ -3811,6 +3817,7 @@ static const unsigned int ln_objs[NUM_LN]={
 602,	/* merchant initiated auth */
 514,	/* message extensions */
 51,	/* messageDigest */
+894,	/* mgf1 */
 506,	/* mime-mhs-bodies */
 505,	/* mime-mhs-headings */
 488,	/* mobileTelephoneNumber */
@@ -3910,6 +3917,7 @@ static const unsigned int ln_objs[NUM_LN]={
  6,	/* rsaEncryption */
 644,	/* rsaOAEPEncryptionSET */
 377,	/* rsaSignature */
+895,	/* rsassaPss */
 124,	/* run length compression */
 482,	/* sOARecord */
 155,	/* safeContentsBag */
@@ -4725,6 +4733,8 @@ static const unsigned int obj_objs[NUM_OBJ]={
  8,	/* OBJ_md5WithRSAEncryption 1 2 840 113549 1 1 4 */
 65,	/* OBJ_sha1WithRSAEncryption1 2 840 113549 1 1 5 */
 644,	/* OBJ_rsaOAEPEncryptionSET 1 2 840 113549 1 1 6 */
+894,	/* OBJ_mgf1 1 2 840 113549 1 1 8 */
+895,	/* OBJ_rsassaPss1 2 840 113549 1 1 10 */
 668,	/* OBJ_sha256WithRSAEncryption  1 2 840 113549 1 1 11 */
 669,	/* OBJ_sha384WithRSAEncryption  1 2 840 113549 1 1 12 */
 670,	/* OBJ_sha512WithRSAEncryption  1 2 840 113549 1 1 13 */
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
index ae79e63..53222c9 100644
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -580,6 +580,16 @@
 #define NID_sha1WithRSAEncryption		65
 #define OBJ_sha1WithRSAEncryption		OBJ_pkcs1,5L
 
+#define SN_mgf1		MGF1
+#define LN_mgf1		mgf1
+#define NID_mgf1		894
+#define OBJ_mgf1		OBJ_pkcs1,8L
+
+#define SN_rsassaPss		RSASSA-PSS
+#define LN_rsassaPss		rsassaPss
+#define NID_rsassaPss		895
+#define OBJ_rsassaPss		OBJ_pkcs1,10L
+
 #define SN_sha256WithRSAEncryption		RSA-SHA256
 #define LN_sha256WithRSAEncryption		sha256WithRSAEncryption
 #define NID_sha256WithRSAEncryption		668
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 65ca66f..108fd4f 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -891,3 +891,5 @@ supportedAlgorithms		890
 deltaRevocationList		891
 dmdName		892
 id_alg_PWRI_KEK		893
+mgf1		894
+rsassaPss		895
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 4d92355..263a91a 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -166,6 +166,8 @@ pkcs1 3			: RSA-MD4		: md4WithRSAEncryption
 pkcs1 4			: RSA-MD5		: md5WithRSAEncryption
 pkcs1 5			: RSA-SHA1		: sha1WithRSAEncryption
 # 

Re: [openssl.org #2091] [patch] NULL-pointer check in OBJ_obj2txt()

2009-11-03 Thread Martin Kaiser via RT
On Tue, Nov 03, 2009 at 10:09:04AM +0100, Martin Kaiser via RT wrote:

> If the parameter has neither ln nor sn, I suggest that -1 is returned.
>
> The attached short patch against today's snapshot fixes this problem
>

Thinking about this again, would it make sense to add an error to the
queue like the patch below?

Best regards,

   Martin

diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index e999ef7..fd98769 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -466,7 +466,7 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
 int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 {
int i,n=0,len,nid, first, use_bn;
-   BIGNUM *bl;
+   BIGNUM *bl=NULL;
unsigned long l;
const unsigned char *p;
char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
@@ -483,6 +483,11 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *
s=OBJ_nid2ln(nid);
if (s == NULL)
s=OBJ_nid2sn(nid);
+   if (s == NULL)
+   {
+   OBJerr(OBJ_F_OBJ_OBJ2TXT,OBJ_R_UNKNOWN_NID_NAME);
+   goto err;
+   }
if (buf)
BUF_strlcpy(buf,s,buf_len);
n=strlen(s);
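Review bot: the new early `goto err` runs before the old `bl = NULL;` assignment further down the function, so moving the initialiser up to the declaration in the previous hunk is required, not cosmetic: the two hunks must land together or the err path frees an uninitialised BIGNUM pointer, which is worth stating in the commit message. Also consider whether OBJ_R_UNKNOWN_NID_NAME is really a different condition from the existing OBJ_R_UNKNOWN_NID before adding a second reason code.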
@@ -494,7 +499,6 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a
p=a-data;
 
first = 1;
-   bl = NULL;
 
while (len  0)
{
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index bd0ee52..ab43d9d 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -1127,10 +1127,12 @@ void ERR_load_OBJ_strings(void);
 #define OBJ_F_OBJ_NID2LN102
 #define OBJ_F_OBJ_NID2OBJ   103
 #define OBJ_F_OBJ_NID2SN104
+#define OBJ_F_OBJ_OBJ2TXT   105
 
 /* Reason codes. */
 #define OBJ_R_MALLOC_FAILURE100
 #define OBJ_R_UNKNOWN_NID   101
+#define OBJ_R_UNKNOWN_NID_NAME  102
 
 #ifdef  __cplusplus
 }
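Review bot: the error section of objects.h is generated by util/mkerr.pl, and the new function and reason codes also need matching string entries in crypto/objects/obj_err.c, otherwise ERR_error_string() cannot name them; run `make errors` rather than editing the header by hand.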




Re: [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2009-09-21 Thread Martin Kaiser via RT
Steve, all,

here's another idea in draft stage. Please give me feedback before I
start working out the details.


In obj_xref.txt, we define

rsassaPss   undef rsaEncryption

We add two components for pss to rsa_st

struct rsa_st
   {
   [...]
   const EVP_MD *pssDigest;  /* pointer ok or should we store the NID? */
   int pssSaltlen;
   };

and define a function to decode the parameters of the algorithm used in
the X.509 certificate

static int rsa_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
   {
   /* TODO: parse and check parameters */
   if (pkey && pkey->type == EVP_PKEY_RSA)
      {
      pkey->pkey.rsa->pssDigest = EVP_sha1();
      pkey->pkey.rsa->pssSaltlen = 20;
      }
   return 1;
   }



In ASN1_item_verify(), we use the EVP_DigestVerify...() API and call
the pkey's param_decode() method


   ...
   if (pkey->ameth->param_decode)
      {
      /* TODO: pass real algorithm parameters */
      pkey->ameth->param_decode(pkey, NULL, 0);
      }
   else printf("no param_decode method defined\n");

   if (!EVP_DigestVerifyInit(&mctx, &pctx, md, NULL, pkey))
   ...


md may be NULL if the message digest is undef in obj_xref.txt
(some low-level routines must be changed to get this result)

In do_sigver_init(), we check for type==NULL and set the pss parameters
in this case

...
      }
   else if (EVP_PKEY_sign_init(ctx->pctx) <= 0)
      return 0;
   }

   if (type == NULL)
      {
      if (pkey && pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa->pssDigest)
         {
         type = pkey->pkey.rsa->pssDigest;
         EVP_PKEY_CTX_set_rsa_padding(ctx->pctx, RSA_PKCS1_PSS_PADDING);
         EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx->pctx, pkey->pkey.rsa->pssSaltlen);
         }
      else
         {
         int def_nid;
         if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
            type = EVP_get_digestbynid(def_nid);
         }
      }
   if (type == NULL)
      {
      EVPerr(EVP_F_DO_SIGVER_INIT, EVP_R_NO_DEFAULT_DIGEST);
...


Does this approach look ok?

Best regards,

   Martin




Re: [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2009-08-25 Thread Martin Kaiser via RT
Steve, all,

I recently found some more time to look into this. In order to make sure
that the next attempt is in line with the rest of the code, I need some
more discussion.

> > The decision table in obj_xref.txt seems to be the problem. This
> > doesn't work for PSS, you can't determine the digest without parsing
> > the PSS parameters.

> Yes, probably will need a special value for the digest type NID_undef
> for example which means the public key algorithm method will work out
> the digest type.

> > We'll need a way to set these parameters in the EVP_PKEY_CTX or
> > RSA_PKEY_CTX respectively. I've (ab)used the md_ctrl function for this.
> > Could we just add a similar function pointer directly to the
> > EVP_PKEY_CTX structure?


> That's what I'm considering. We pass (say) a NULL for the digest type in
> EVP_DigestVerifyInit() and call a ctrl in the associated public key
> method to let it decide which digest and parameters to use. The
> functionality isn't in EVP_DigestVerifyInit() yet it just uses a
> default digest if NULL is passed in.

The ctrl would require an X509_ALGOR * as input so that all PSS
parameters can be determined. This struct is available only in
ASN1_item_verify(). The ctrl however could be part of EVP_PKEY_METHOD
and will be called from EVP_DigestVerifyInit(). Any idea how to pass on
the struct?

Alternatively, I thought of adding the "work out the parameters" function
to EVP_PKEY_ASN1_METHOD's ctrl. It fits there as it involves some ASN1
parsing. But the resulting PSS parameters have to be stored in
RSA_PKEY_CTX. According to your last mails, this is the best place to
put the params. But it's not accessible from EVP_PKEY_ASN1_METHOD.

A third approach would be to run EVP_DigestVerifyInit() with a NULL
EVP_MD parameter (just modify it to not use a default md). When the
function returns, we use the resulting EVP_PKEY_CTX in ASN1_item_verify
and call its pctx->pmeth->ctrl directly from ASN1_item_verify(),
supplying the X509_ALGOR * parameter.

Any thoughts on what would be the best approach?

Best regards,

   Martin




Re: [openssl.org #1951] AutoReply: [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2009-06-22 Thread Martin Kaiser via RT
Steve, all,

> The new pkey API was designed to avoid tieing digests to signature
> algorithms (e.g. sha1 can now be used to handle RSA and DSA signatures).

i.e. you're going to remove the pkey_type field in the EVP_MD structure?

> Having looked through the API and standards it seems this can't be
> avoided without some extensions to the EVP_PKEY API.

Some unsorted thoughts:

RSA_PKEY_CTX already contains the required fields to store some of the PSS
parameters. The mask generation function and its parameters are missing.
The low-level routines have MGF1 hard-coded, the digest for MGF1 must be
the same as for the entire PSS. This is not a big limitation.

An RSA key in an X.509 certificate looks exactly the same, no matter if
the signature is PKCSv1.5 or PSS.

The decision table in obj_xref.txt seems to be the problem. This doesn't
work for PSS, you can't determine the digest without parsing the PSS
parameters.

We'll need a way to set these parameters in the EVP_PKEY_CTX or
RSA_PKEY_CTX respectively. I've (ab)used the md_ctrl function for this.
Could we just add a similar function pointer directly to the
EVP_PKEY_CTX structure?

> Do you have some examples of certificates signed with PSS? They would be
> useful for testing purposes.

I've uploaded sample certificates to

http://www.kaiser.cx/x509Pss.html

Best regards,

   Martin
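To make the point of the message above concrete (the digest of a PSS signature is only known once the RSASSA-PSS parameters in the certificate's AlgorithmIdentifier have been parsed, and the default salt length is 20), here is an added example that is not part of the thread and not OpenSSL code: a small standard-library Python decoder for RSASSA-PSS-params as defined in RFC 4055, applying the RFC defaults and reporting which fields were explicit. It is more general than the SHA-1 case discussed on the list. The OID table, the function names and the sample DER encodings are constructed for this example.

```python
# Added example, not OpenSSL code: decode RSASSA-PSS-params (RFC 4055) from DER,
# apply the RFC defaults, and check the restriction mentioned in the thread
# (MGF1 only, MGF digest equal to the PSS digest).  Standard library only.

# OID table; the mapping and the sample DER below are constructed for this example.
OIDS = {
    "1.2.840.113549.1.1.8": "mgf1",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}

# Constructed sample: SHA-256, MGF1 with SHA-256, saltLength 32, trailerField absent.
SHA256_PSS_PARAMS = bytes.fromhex(
    "30 34"
    "  a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00"
    "  a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08"
    "           30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00"
    "  a2 03 02 01 20"
)
# Constructed sample: empty SEQUENCE, every field takes its default.
EMPTY_PSS_PARAMS = bytes.fromhex("30 00")


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(content):
    """Decode OID content octets into dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _algorithm_identifier(seq_body):
    """AlgorithmIdentifier body: OID followed by optional raw parameters."""
    tag, oid_content, pos = _tlv(seq_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    params = seq_body[pos:] if pos < len(seq_body) else None
    return _oid(oid_content), params


def _inner_algorithm(tagged_value):
    """Unwrap the AlgorithmIdentifier SEQUENCE inside an explicit [n] tag."""
    tag, body, _ = _tlv(tagged_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE inside explicit tag")
    return _algorithm_identifier(body)


def _integer(tagged_value):
    """Unwrap the INTEGER inside an explicit [n] tag."""
    tag, content, _ = _tlv(tagged_value, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER inside explicit tag")
    return int.from_bytes(content, "big", signed=True)


def parse_pss_params(der):
    """Return the effective PSS parameters; 'explicit' lists fields present in DER."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    p = {"hash": "sha1", "mgf": "mgf1", "mgf_hash": "sha1",
         "salt_length": 20, "trailer_field": 1, "explicit": set()}
    pos = 0
    while pos < len(body):
        ctag, cval, pos = _tlv(body, pos)
        if ctag == 0xA0:                               # [0] hashAlgorithm
            oid, _ = _inner_algorithm(cval)
            p["hash"] = OIDS.get(oid, oid)
            p["explicit"].add("hash")
        elif ctag == 0xA1:                             # [1] maskGenAlgorithm
            oid, params = _inner_algorithm(cval)
            p["mgf"] = OIDS.get(oid, oid)
            p["explicit"].add("mgf")
            if params:                                 # MGF1 parameters name its digest
                hoid, _ = _inner_algorithm(params)
                p["mgf_hash"] = OIDS.get(hoid, hoid)
        elif ctag == 0xA2:                             # [2] saltLength
            p["salt_length"] = _integer(cval)
            p["explicit"].add("salt_length")
        elif ctag == 0xA3:                             # [3] trailerField
            p["trailer_field"] = _integer(cval)
            p["explicit"].add("trailer_field")
        else:
            raise ValueError("unexpected tag 0x%02x in RSASSA-PSS-params" % ctag)
    return p


def pss_is_supported(p):
    """The restriction from the thread: MGF1 only, MGF digest == PSS digest."""
    return p["mgf"] == "mgf1" and p["mgf_hash"] == p["hash"] and p["trailer_field"] == 1


def describe(p):
    """Lines in the style of 'openssl x509 -text', marking defaulted fields."""
    mark = lambda f: "" if f in p["explicit"] else " (default)"
    return ["Hash Algorithm: %s%s" % (p["hash"], mark("hash")),
            "Mask Algorithm: %s with %s%s" % (p["mgf"], p["mgf_hash"], mark("mgf")),
            "Salt Length: 0x%02X%s" % (p["salt_length"], mark("salt_length"))]


if __name__ == "__main__":
    for der in (SHA256_PSS_PARAMS, EMPTY_PSS_PARAMS):
        print("\n".join(describe(parse_pss_params(der))), "\n")
```

The `explicit` set is what lets a printer distinguish "0x14 (default)" from a salt length that was actually encoded, which is exactly the distinction the `x509 -text` output in this thread makes.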




[openssl.org #1862] x509 manpage, -hash parameter

2009-03-11 Thread Martin Kaiser via RT
Dear all,

in the x509 manpage, the description of the -hash parameter is misleading
;-)

Patch is against 0.9.8-stable of March 10th.

Best regards,

   Martin


--- x509.pod.orig   2009-03-10 22:42:58.0 +0100
+++ x509.pod2009-03-10 22:43:15.0 +0100
@@ -155,7 +155,7 @@
 
 =item B-hash
 
-synonym for -hash for backward compatibility reasons.
+synonym for -subject_hash for backward compatibility reasons.
 
 =item B-subject
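Review bot: the corrected wording is right (-hash is the old name for -subject_hash), but a one-word stub that only says "synonym" still leaves the reader hunting; consider adding a reference to the -subject_hash entry in the same =item so the alias and the option it stands for are linked on the page.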



[openssl.org #1840] [PATCH] two small issues in RSA_X931_derive_ex()

2009-02-10 Thread Martin Kaiser via RT
Dear all,

there are two small issues in RSA_X931_derive_ex(), both fips and non-fips
version.

  ctx = BN_CTX_new();
  BN_CTX_start(ctx);

The result of BN_CTX_new() is passed on to BN_CTX_start(), which
dereferences it without any further checks. This fails for ctx == NULL.

So does the following code for rsa == NULL.

  if (!rsa) 
goto err;
  ...
err:
  ...
  if (rsa->iqmp != NULL) 
...


The attached patch against today's snapshot fixes this.

Best regards,

   Martin


diff -ru openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/rsa/rsa_x931g.c
openssl-0.9.8-stable-SNAP-20090209/crypto/rsa/rsa_x931g.c
--- openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/rsa/rsa_x931g.c
2009-02-09 22:17:21.0 +0100
+++ openssl-0.9.8-stable-SNAP-20090209/crypto/rsa/rsa_x931g.c
2009-02-09 22:20:46.0 +0100
@@ -79,6 +79,8 @@
goto err;
 
ctx = BN_CTX_new();
+   if (!ctx) 
+   goto err;
BN_CTX_start(ctx);
if (!ctx) 
goto err;
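Review bot: with the new `if (!ctx) goto err;` placed before BN_CTX_start(ctx), the identical `if (!ctx) goto err;` that still follows BN_CTX_start(ctx) can no longer do anything useful and should be removed in the same patch rather than left as dead code. The added lines also carry trailing whitespace after `if (!ctx)`, which OpenSSL's tree otherwise avoids.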
@@ -190,7 +192,7 @@
if (ctx2)
BN_CTX_free(ctx2);
/* If this is set all calls successful */
-   if (rsa-iqmp != NULL)
+   if ((rsa)  (rsa-iqmp != NULL))
return 1;
 
return 0;
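Review bot: guarding on rsa here is the right fix, since the early `if (!rsa) goto err;` reaches this label with rsa unset; the extra parentheses around `rsa` are unnecessary, though, and `if (rsa && rsa->iqmp != NULL)` would match the surrounding style (the `&&` and `->` operators are missing from this archived copy of the hunk, so the patch should be checked against the original mail before applying).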
diff -ru
openssl-0.9.8-stable-SNAP-20090209.ORIG/fips/rsa/fips_rsa_x931g.c
openssl-0.9.8-stable-SNAP-20090209/fips/rsa/fips_rsa_x931g.c
--- openssl-0.9.8-stable-SNAP-20090209.ORIG/fips/rsa/fips_rsa_x931g.c
2009-02-09 22:17:21.0 +0100
+++ openssl-0.9.8-stable-SNAP-20090209/fips/rsa/fips_rsa_x931g.c
2009-02-09 22:23:05.0 +0100
@@ -83,6 +83,8 @@
goto err;
 
ctx = BN_CTX_new();
+   if (!ctx) 
+   goto err;
BN_CTX_start(ctx);
if (!ctx) 
goto err;
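Review bot: same issue as in the non-fips copy: once `if (!ctx) goto err;` precedes BN_CTX_start(ctx), the second `if (!ctx) goto err;` after it is unreachable in any useful sense and should be dropped, and the added lines have trailing whitespace. Since fips/rsa/fips_rsa_x931g.c duplicates crypto/rsa/rsa_x931g.c line for line, both copies need to be kept in step.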
@@ -194,7 +196,7 @@
if (ctx2)
BN_CTX_free(ctx2);
/* If this is set all calls successful */
-   if (rsa-iqmp != NULL)
+   if ((rsa)  (rsa-iqmp != NULL))
return 1;
 
return 0;
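Review bot: the rsa guard is correct for the fips copy as well; prefer `if (rsa && rsa->iqmp != NULL)` over the parenthesised `(rsa)` form, and note that the logical and and arrow operators have been stripped from the archived hunk, so the patch as shown here would not compile until they are restored.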



[openssl.org #1841] [PATCH] unused code in asn1_write_micalg()

2009-02-10 Thread Martin Kaiser via RT
Dear all,

the following patch against today's stable snapshot removes unused code
in asn1_write_micalg(). The calculated EVP_MD is never used.

Best regards,

   Martin

diff -ru openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/asn1/asn_mime.c
openssl-0.9.8-stable-SNAP-20090209/crypto/asn1/asn_mime.c
--- openssl-0.9.8-stable-SNAP-20090209.ORIG/crypto/asn1/asn_mime.c 2009-02-09 
22:17:21.0 +0100
+++ openssl-0.9.8-stable-SNAP-20090209/crypto/asn1/asn_mime.c 2009-02-09 
22:53:02.0 +0100
@@ -152,7 +152,6 @@

 static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs)
{
-   const EVP_MD *md;
int i, have_unknown = 0, write_comma, md_nid;
have_unknown = 0;
write_comma = 0;
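Review bot: while removing the unused `md`, the `have_unknown = 0;` statement directly after a declaration that already initialises `have_unknown` to 0 is the same kind of dead code and could be dropped in the same patch.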
@@ -162,7 +161,6 @@
BIO_write(out, ,, 1);
write_comma = 1;
md_nid = OBJ_obj2nid(sk_X509_ALGOR_value(mdalgs, i)-algorithm);
-   md = EVP_get_digestbynid(md_nid);
switch(md_nid)
{
case NID_sha1:
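Review bot: removing the assignment is safe, since EVP_get_digestbynid() is a pure table lookup with no side effects and `md` was never read; the switch on md_nid remains the only place that maps an algorithm to a micalg name, so an unknown NID now depends solely on the switch's fallback to set have_unknown, which is worth confirming when applying this.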
