On Mon, Mar 06, 2023 at 12:27:36PM +0100, Theo Buehler wrote:
> On Mon, Mar 06, 2023 at 10:52:31AM +0000, Job Snijders wrote:
> > RFC 7935 states in section 3: "The RSA key pairs used to compute the
> > signatures MUST have a 2048-bit modulus and a public exponent (e) of
> > 65,537."
> >
> > The below adds a check for that.
>
> That's a good first step. See comments below.
Compliance checks that follow from reading RFC 7935 section 3 can be
applied in at least three places:
1) The SPKI inside a CA's .cer TBS must be RSA, with mod 2048 & (e) 0x10001
2) Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
3) Signatures (outside the TBS) in a .cer must be RSA (TODO: also check mod +
(e))
While (1) and (2) can conveniently share some code by passing the
to-be-checked information as EVP_PKEY to valid_ca_pkey(); to fully check
(3) we'd need to transform 'psig' (an ASN1_BIT_STRING) from
X509_get0_signature() into an EVP_PKEY. I didn't see a super easy way to
do that in libcrypto. Leaving it for now.
Kind regards,
Job
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.102
diff -u -p -r1.102 cert.c
--- cert.c 21 Feb 2023 10:18:47 -0000 1.102
+++ cert.c 6 Mar 2023 14:28:20 -0000
@@ -647,8 +647,12 @@ cert_parse_pre(const char *fn, const uns
size_t i;
X509 *x = NULL;
X509_EXTENSION *ext = NULL;
+ const X509_ALGOR *palg;
+ const ASN1_OBJECT *cobj;
ASN1_OBJECT *obj;
+ EVP_PKEY *pkey;
struct parse p;
+ int nid;
/* just fail for empty buffers, the warning was printed elsewhere */
if (der == NULL)
@@ -675,6 +679,22 @@ cert_parse_pre(const char *fn, const uns
goto out;
}
+ /* RFC 7935 section 2 */
+ X509_get0_signature(NULL, &palg, x);
+ if (palg == NULL) {
+ cryptowarnx("%s: X509_get0_signature", p.fn);
+ goto out;
+ }
+ X509_ALGOR_get0(&cobj, NULL, NULL, palg);
+ if ((nid = OBJ_obj2nid(cobj)) != NID_sha256WithRSAEncryption) {
+ warnx("%s: RFC 6488: wrong signature algorithm %s, want %s",
+ fn, OBJ_nid2ln(nid),
+ OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ goto out;
+ }
+
+ /* XXX: also check if the above RSA signature is mod 2048 (e) 0x10001 */
+
/* Look for X509v3 extensions. */
if ((extsz = X509_get_ext_count(x)) < 0)
@@ -747,6 +767,13 @@ cert_parse_pre(const char *fn, const uns
switch (p.res->purpose) {
case CERT_PURPOSE_CA:
+ if ((pkey = X509_get0_pubkey(x)) == NULL) {
+ warnx("%s: X509_get0_pubkey failed", p.fn);
+ goto out;
+ }
+ if (!valid_ca_pkey(p.fn, pkey))
+ goto out;
+
if (X509_get_key_usage(x) != (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) {
warnx("%s: RFC 6487 section 4.8.4: key usage violation",
p.fn);
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
retrieving revision 1.28
diff -u -p -r1.28 cms.c
--- cms.c 6 Mar 2023 09:14:29 -0000 1.28
+++ cms.c 6 Mar 2023 14:28:20 -0000
@@ -76,6 +76,7 @@ cms_parse_validate_internal(X509 **xp, c
STACK_OF(X509_CRL) *crls;
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *si;
+ EVP_PKEY *pkey;
X509_ALGOR *pdig, *psig;
int i, nattrs, nid;
int has_ct = 0, has_md = 0, has_st = 0,
@@ -184,7 +185,10 @@ cms_parse_validate_internal(X509 **xp, c
}
/* Check digest and signature algorithms */
- CMS_SignerInfo_get0_algs(si, NULL, NULL, &pdig, &psig);
+ CMS_SignerInfo_get0_algs(si, &pkey, NULL, &pdig, &psig);
+ if (!valid_ca_pkey(fn, pkey))
+ goto out;
+
X509_ALGOR_get0(&obj, NULL, NULL, pdig);
nid = OBJ_obj2nid(obj);
if (nid != NID_sha256) {
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.167
diff -u -p -r1.167 extern.h
--- extern.h 13 Jan 2023 08:58:36 -0000 1.167
+++ extern.h 6 Mar 2023 14:28:20 -0000
@@ -660,6 +660,7 @@ int valid_econtent_version(const char
int valid_aspa(const char *, struct cert *, struct aspa *);
int valid_geofeed(const char *, struct cert *, struct geofeed *);
int valid_uuid(const char *);
+int valid_ca_pkey(const char *, EVP_PKEY *);
/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
retrieving revision 1.54
diff -u -p -r1.54 validate.c
--- validate.c 18 Jan 2023 18:12:20 -0000 1.54
+++ validate.c 6 Mar 2023 14:28:20 -0000
@@ -588,3 +588,43 @@ valid_uuid(const char *s)
}
}
+/*
+ * Validate whether the CA's public key (SPKI) conforms to RFC 7935.
+ * Returns 1 if valid, 0 otherwise.
+ */
+int
+valid_ca_pkey(const char *fn, EVP_PKEY *pkey)
+{
+ RSA *rsa;
+ const BIGNUM *rsa_e;
+ int key_bits;
+
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
+ warnx("%s: Expected EVP_PKEY_RSA, got %d", fn,
+ EVP_PKEY_base_id(pkey));
+ return 0;
+ }
+
+ if ((key_bits = EVP_PKEY_bits(pkey)) != 2048) {
+ warnx("%s: RFC 7935: expected 2048-bit modulus, got %d bits",
+ fn, key_bits);
+ return 0;
+ }
+
+ if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
+ warnx("%s: failed to extract RSA public key", fn);
+ return 0;
+ }
+
+ if ((rsa_e = RSA_get0_e(rsa)) == NULL) {
+ warnx("%s: failed to get RSA exponent", fn);
+ return 0;
+ }
+
+ if (!BN_is_word(rsa_e, 65537)) {
+ warnx("%s: incorrect exponent (e) in RSA public key", fn);
+ return 0;
+ }
+
+ return 1;
+}
