Author: philip
Date: Fri Feb  2 18:27:44 2018
New Revision: 1822996

URL: http://svn.apache.org/viewvc?rev=1822996&view=rev
Log:
Fix x509 parser to accept RSASSA-PSS certs by no longer assuming that
algorithm parameters are NULL for all algorithms.  This change doesn't
affect whether clients can verify RSASSA-PSS certs, that decision is
delegated to OpenSSL, but it does allow JavaHL clients to accept a
failure to verify such certs.

* subversion/libsvn_subr/x509parse.c
  (x509_get_alg): Skip over RSASSA-PSS parameters.

* subversion/tests/libsvn_subr/x509-test.c
  (cert_tests): Add an RSASSA-PSS cert.

Modified:
    subversion/trunk/subversion/libsvn_subr/x509parse.c
    subversion/trunk/subversion/tests/libsvn_subr/x509-test.c

Modified: subversion/trunk/subversion/libsvn_subr/x509parse.c
URL: 
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/x509parse.c?rev=1822996&r1=1822995&r2=1822996&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/trunk/subversion/libsvn_subr/x509parse.c Fri Feb  2 18:27:44 2018
@@ -262,13 +262,34 @@ x509_get_alg(const unsigned char **p, co
 
   if (*p == end)
     return SVN_NO_ERROR;
+  
+  /* The OID encoding of 1.2.840.113549.1.1.10 (id-RSASSA-PSS) */
+#define OID_RSASSA_PSS "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a"
 
-  /*
-   * assume the algorithm parameters must be NULL
-   */
-  err = asn1_get_tag(p, end, &len, ASN1_NULL);
-  if (err)
-    return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+  if (equal(alg->p, alg->len, OID_RSASSA_PSS, sizeof(OID_RSASSA_PSS) - 1))
+    {
+      /* Skip over algorithm parameters for id-RSASSA-PSS (RFC 8017)
+       *
+       * RSASSA-PSS-params ::= SEQUENCE {
+       *  hashAlgorithm      [0] HashAlgorithm    DEFAULT sha1,
+       *  maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
+       *  saltLength         [2] INTEGER          DEFAULT 20,
+       *  trailerField       [3] TrailerField     DEFAULT trailerFieldBC
+       * }
+       */
+      err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+      if (err)
+        return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+
+      *p += len;
+    }
+  else
+    {
+      /* Algorithm parameters must be NULL for other algorithms */
+      err = asn1_get_tag(p, end, &len, ASN1_NULL);
+      if (err)
+        return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+    }
 
   if (*p != end)
     {
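Review bot: `*p += len;` after the new SEQUENCE tag read advances the cursor by a length taken from the certificate without a visible check that `len` fits in `end - *p`; if asn1_get_tag does not already reject lengths that overrun `end` (its body is not in this hunk), a malformed certificate moves `*p` past the buffer, which is undefined pointer arithmetic even though the later `*p != end` comparison would then report an error. A one-line guard keeps the branch safe regardless of what the helper guarantees: `if (len > (size_t)(end - *p)) return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, NULL, NULL);` placed immediately before `*p += len;`. As a point of style, `#define OID_RSASSA_PSS` inside the function body reads oddly among statements and the added blank line before it carries trailing whitespace; the constant would sit better at file scope next to any other OID encodings the file defines. x509_get_alg begins and ends outside this hunk.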

Modified: subversion/trunk/subversion/tests/libsvn_subr/x509-test.c
URL: 
http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/libsvn_subr/x509-test.c?rev=1822996&r1=1822995&r2=1822996&view=diff
==============================================================================
--- subversion/trunk/subversion/tests/libsvn_subr/x509-test.c (original)
+++ subversion/trunk/subversion/tests/libsvn_subr/x509-test.c Fri Feb  2 
18:27:44 2018
@@ -592,6 +592,32 @@ static struct x509_test cert_tests[] = {
     "good.example.com",
     "9693f17e59205f41ca2e14450d151b945651b2d7"
   },
+  /* Signed using RSASSA-PSS algorithm with algorithm parameters */
+  {
+    "MIICsjCCAWkCCQDHslXYA8hCxTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQC"
+    "AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wKjEUMBIGA1UECgwL"
+    "TXkgTG9jYWwgQ0ExEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xODAyMDIxNjQ4MzVa"
+    "Fw0xODAyMDMxNjQ4MzVaMC4xGDAWBgNVBAoMD015IExvY2FsIFNlcnZlcjESMBAG"
+    "A1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCues61"
+    "JXXpLQI5yeg4aCLWRfvnJY7wnuU6FSA++3wwCJREx1/7ebnP9RRRqqKM+ZeeFMC+"
+    "UlJE3ft2tJTDOVk9j6qjvKrJUKM1YkIe0lARxs4RtZKDGfOdBhw/+iD+6fZzhL0n"
+    "+w+dIJGzl6ADWsE/x9yjDTkdgbtxHrx/76K0KQIDAQABMD4GCSqGSIb3DQEBCjAx"
+    "oA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA"
+    "3gOCAQEABYRAijCSGyFdSuUYALUnNzPylqYXlW+dMKPywlUrFEhKnvS+FD9twerI"
+    "8kT4MDW6XvhScmL1MCDPNAkFY92UqaUrgT80oyrbpuakVrxFSS1i28xy8+kXAWYq"
+    "RNQVaME1NqnATYF0ZMD5xQK4rpa76gvWj3K8Lt++9EjjbkNiirIIMQEOxh1lwnDQ"
+    "81q1Rk6iujlnVDGHDQ+w8reE6fKfSWfv1EaQRcjNKCuzrW8WNN387G2byvwaaKeL"
+    "M7lV7wiV6PwrTNTZzVG3cWKDOEP1mGE7gyMu66siLECo8U95+ahK7O6vfeT3m3gv"
+    "7kzWNYozAQtBSC7b0WqWbVrzWI4HSg==",
+    "O=My Local Server, CN=localhost",
+    "2.5.4.10 2.5.4.3",
+    "O=My Local CA, CN=localhost",
+    "2.5.4.10 2.5.4.3",
+    "2018-02-02T16:48:35.000000Z ",
+    "2018-02-03T16:48:35.000000Z ",
+    "localhost",
+    "25ab5a059acfc793fc0d3734d426794a4ca7b631"
+  },
   { NULL }
 };
 
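Review bot: The new fixture exercises only the success path of the RSASSA-PSS branch in x509_get_alg, a well-formed parameters SEQUENCE that is skipped whole; nothing pins the error path where the SEQUENCE declares more bytes than remain in the AlgorithmIdentifier, which is the case a parser of untrusted certificates most needs under test. A truncated copy of this certificate, expected to fail with SVN_ERR_X509_CERT_INVALID_ALG, would cover it; if the x509_test table cannot express an expected error, a separate negative test function is the alternative. The cert_tests array opens before this hunk.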

