Author: philip Date: Fri Feb 2 18:27:44 2018 New Revision: 1822996 URL: http://svn.apache.org/viewvc?rev=1822996&view=rev Log: Fix x509 parser to accept RSASSA-PSS certs by no longer assuming that algorithm parameters are NULL for all algorithms. This change doesn't affect whether clients can verify RSASSA-PSS certs; that decision is delegated to OpenSSL. It does, however, allow JavaHL clients to accept a failure to verify such certs.
* subversion/libsvn_subr/x509parse.c (x509_get_alg): Skip over RSASSA-PSS parameters. * subversion/tests/libsvn_subr/x509-test.c (cert_tests): Add an RSASSA-PSS cert. Modified: subversion/trunk/subversion/libsvn_subr/x509parse.c subversion/trunk/subversion/tests/libsvn_subr/x509-test.c Modified: subversion/trunk/subversion/libsvn_subr/x509parse.c URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/x509parse.c?rev=1822996&r1=1822995&r2=1822996&view=diff ==============================================================================
--- subversion/trunk/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/trunk/subversion/libsvn_subr/x509parse.c Fri Feb 2 18:27:44 2018
@@ -262,13 +262,34 @@ x509_get_alg(const unsigned char **p, co
 if (*p == end)
 return SVN_NO_ERROR;
+
+ /* The OID encoding of 1.2.840.113549.1.1.10 (id-RSASSA-PSS) */
+#define OID_RSASSA_PSS "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a"
- /*
- * assume the algorithm parameters must be NULL
- */
- err = asn1_get_tag(p, end, &len, ASN1_NULL);
- if (err)
- return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+ if (equal(alg->p, alg->len, OID_RSASSA_PSS, sizeof(OID_RSASSA_PSS) - 1))
+ {
+ /* Skip over algorithm parameters for id-RSASSA-PSS (RFC 8017)
+ *
+ * RSASSA-PSS-params ::= SEQUENCE {
+ * hashAlgorithm [0] HashAlgorithm DEFAULT sha1,
+ * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
+ * saltLength [2] INTEGER DEFAULT 20,
+ * trailerField [3] TrailerField DEFAULT trailerFieldBC
+ * }
+ */
+ err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+
+ *p += len;
+ }
+ else
+ {
+ /* Algorithm parameters must be NULL for other algorithms */
+ err = asn1_get_tag(p, end, &len, ASN1_NULL);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+ }
 if (*p != end)
 {
Modified: subversion/trunk/subversion/tests/libsvn_subr/x509-test.c URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/libsvn_subr/x509-test.c?rev=1822996&r1=1822995&r2=1822996&view=diff ==============================================================================
--- subversion/trunk/subversion/tests/libsvn_subr/x509-test.c (original)
+++ subversion/trunk/subversion/tests/libsvn_subr/x509-test.c Fri Feb 2 18:27:44 2018
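Review bot: `*p += len;` in the id-RSASSA-PSS branch trusts `len` to lie within `end`; if asn1_get_tag (defined outside this hunk) does not already reject a length larger than `end - *p`, a malformed certificate would advance the cursor past the buffer before the `if (*p != end)` check runs, so an explicit local guard `if (len > end - *p) return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, NULL, NULL);` ahead of the advance makes the bound visible at the point of use either way. The parameter contents are skipped rather than decoded, which matches the log's statement that verification is delegated to OpenSSL, but a one-line comment at the `*p += len;` site saying `/* Contents are not validated here; signature verification is left to the TLS library */` would stop the next reader from searching for validation that does not exist. `#define OID_RSASSA_PSS` is introduced in the middle of the function body with no matching `#undef`, so the macro stays visible for the rest of the translation unit; placing it alongside the file's other OID constants, or adding `#undef OID_RSASSA_PSS` after the else block, keeps its scope clear. x509_get_alg begins and ends outside the hunk.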
@@ -592,6 +592,32 @@ static struct x509_test cert_tests[] = {
 "good.example.com",
 "9693f17e59205f41ca2e14450d151b945651b2d7"
 },
+ /* Signed using RSASSA-PSS algorithm with algorithm parameters */
+ {
+ "MIICsjCCAWkCCQDHslXYA8hCxTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQC"
+ "AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wKjEUMBIGA1UECgwL"
+ "TXkgTG9jYWwgQ0ExEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xODAyMDIxNjQ4MzVa"
+ "Fw0xODAyMDMxNjQ4MzVaMC4xGDAWBgNVBAoMD015IExvY2FsIFNlcnZlcjESMBAG"
+ "A1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCues61"
+ "JXXpLQI5yeg4aCLWRfvnJY7wnuU6FSA++3wwCJREx1/7ebnP9RRRqqKM+ZeeFMC+"
+ "UlJE3ft2tJTDOVk9j6qjvKrJUKM1YkIe0lARxs4RtZKDGfOdBhw/+iD+6fZzhL0n"
+ "+w+dIJGzl6ADWsE/x9yjDTkdgbtxHrx/76K0KQIDAQABMD4GCSqGSIb3DQEBCjAx"
+ "oA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA"
+ "3gOCAQEABYRAijCSGyFdSuUYALUnNzPylqYXlW+dMKPywlUrFEhKnvS+FD9twerI"
+ "8kT4MDW6XvhScmL1MCDPNAkFY92UqaUrgT80oyrbpuakVrxFSS1i28xy8+kXAWYq"
+ "RNQVaME1NqnATYF0ZMD5xQK4rpa76gvWj3K8Lt++9EjjbkNiirIIMQEOxh1lwnDQ"
+ "81q1Rk6iujlnVDGHDQ+w8reE6fKfSWfv1EaQRcjNKCuzrW8WNN387G2byvwaaKeL"
+ "M7lV7wiV6PwrTNTZzVG3cWKDOEP1mGE7gyMu66siLECo8U95+ahK7O6vfeT3m3gv"
+ "7kzWNYozAQtBSC7b0WqWbVrzWI4HSg==",
+ "O=My Local Server, CN=localhost",
+ "2.5.4.10 2.5.4.3",
+ "O=My Local CA, CN=localhost",
+ "2.5.4.10 2.5.4.3",
+ "2018-02-02T16:48:35.000000Z ",
+ "2018-02-03T16:48:35.000000Z ",
+ "localhost",
+ "25ab5a059acfc793fc0d3734d426794a4ca7b631"
+ },
 { NULL }
 };
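Review bot: The new cert_tests entry exercises only the accepting path of the parser change; nothing in this hunk pins that a certificate whose signature algorithm is not id-RSASSA-PSS but carries non-NULL parameters is still rejected with SVN_ERR_X509_CERT_INVALID_ALG, which is the behaviour the else branch in x509parse.c is meant to preserve, so a companion negative case (wherever this file keeps its expected-failure certs) would guard that branch against regression. The leading comment could also name the hash, MGF and salt length encoded in the parameters so a reader can tell what the blob exercises without decoding it, e.g. `/* Signed using RSASSA-PSS with explicit hashAlgorithm, maskGenAlgorithm and saltLength parameters (not the DEFAULT values) */` if that matches the encoding. cert_tests begins outside the hunk.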