diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-01-26 11:53:15 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-01-28 19:27:42 +0100 |
commit | c2fc1115eac53d2043e09bfa43ac5407f87fe417 (patch) | |
tree | 6745e75c02a5c38854166a838c8666f14fb27804 | |
parent | a7222fc14d5977210d2b4673a68039824a039dc2 (diff) | |
download | openssl-c2fc1115eac53d2043e09bfa43ac5407f87fe417.tar.gz |
check_sig_alg_match(): weaken sig nid comparison to base alg
This (re-)allows RSA-PSS signers
Fixes #13931
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13982)
-rw-r--r-- | crypto/x509v3/v3_purp.c | 9 | ||||
-rw-r--r-- | test/certs/ca-pss-cert.pem | 21 | ||||
-rw-r--r-- | test/certs/ca-pss-key.pem | 28 | ||||
-rw-r--r-- | test/certs/ee-pss-cert.pem | 21 | ||||
-rwxr-xr-x | test/certs/mkcert.sh | 22 | ||||
-rwxr-xr-x | test/certs/setup.sh | 13 | ||||
-rw-r--r-- | test/recipes/25-test_verify.t | 5 |
7 files changed, 106 insertions, 13 deletions
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 93b5ca4d42..3f5ce5c91c 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -348,14 +348,17 @@ static int setup_crldp(X509 *x) /* Check that issuer public key algorithm matches subject signature algorithm */ static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject) { - int pkey_nid; + int pkey_sig_nid, subj_sig_nid; if (pkey == NULL) return X509_V_ERR_NO_ISSUER_PUBLIC_KEY; + if (OBJ_find_sigid_algs(EVP_PKEY_base_id(pkey), + NULL, &pkey_sig_nid) == 0) + pkey_sig_nid = EVP_PKEY_base_id(pkey); if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm), - NULL, &pkey_nid) == 0) + NULL, &subj_sig_nid) == 0) return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM; - if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey)) + if (pkey_sig_nid != EVP_PKEY_type(subj_sig_nid)) return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH; return X509_V_OK; } diff --git a/test/certs/ca-pss-cert.pem b/test/certs/ca-pss-cert.pem new file mode 100644 index 0000000000..566b63a800 --- /dev/null +++ b/test/certs/ca-pss-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXjCCAhagAwIBAgIBAjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIxMDEyNjEwMDUwOFoYDzIxMjEwMTI3MTAwNTA4WjARMQ8wDQYDVQQD +DAZDQS1QU1MwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAtclsFtJOQgAC +ZxTPn2T2ksmibRNVAnEfVCgfJxsPN3aEERgqqhWbC4LmGHRIIjQ9DpobarydJivw +epDaiu11rgwXgenIobIVvVr2+L3ngalYdkwmmPVImNN8Ef575ybE/kVgTu9X37DJ +t+8psfVGeFg4RKykOi7SfPCSKHKSeZUXPj9AYwZDw4HX2rhstRopXAmUzz2/uAaR +fmU7tYOG5qhfMUpP+Ce0ZBlLE9JjasY+d20/mDFuvFEc5qjfzNqv/7okyBjaWB4h +gwnjXASrqKlqHKVU1UyrJc76yAniimy+IoXKAELetIJGSN15GYaWJcAIs0Eybjyk +gyAu7Zlf/wIDAQABo2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAd +BgNVHQ4EFgQUGfmhA/VcxWkh7VUBHxUdHHQLgrAwHwYDVR0jBBgwFoAUjvUlrx6b +a4Q9fICayVOcTXL3o1IwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAY +BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAF6rSSBj+dkv0UGuE1El +lB9zVpqVlV72RY8gAkmSJmbzblHEO/PYV/UnNJ2C2IXEhAQaE0xKCg+WC2RO56oc +qZc6UXBCN8G9rJKVxgXVbciP4pQYN6POpmhJfQqzNPwzTADt3HY6X9gQtyG0fuQF +OPDc+mXjRvBrcYMkAgYiKe+oA45WDWYpIvipWVQ3xP/BSGJqrdKx5SOrJA72+BLM +bPbD3tBC2SVirDjv0N926Wcb/JQFkM+5YY2/yKNybstngr4Pb1T/tESsIZvGG2Tk +3IhBl1dJtC9gpGTRa8NzQvcmPK9VUjWtv5YNA+FxD9FTxGibh7Aw1fbFCV91Qjc3 +JQQ= +-----END CERTIFICATE----- diff --git a/test/certs/ca-pss-key.pem b/test/certs/ca-pss-key.pem new file mode 100644 index 0000000000..9270c36484 --- /dev/null +++ b/test/certs/ca-pss-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADALBgkqhkiG9w0BAQoEggSpMIIEpQIBAAKCAQEAtclsFtJOQgACZxTP +n2T2ksmibRNVAnEfVCgfJxsPN3aEERgqqhWbC4LmGHRIIjQ9DpobarydJivwepDa +iu11rgwXgenIobIVvVr2+L3ngalYdkwmmPVImNN8Ef575ybE/kVgTu9X37DJt+8p +sfVGeFg4RKykOi7SfPCSKHKSeZUXPj9AYwZDw4HX2rhstRopXAmUzz2/uAaRfmU7 +tYOG5qhfMUpP+Ce0ZBlLE9JjasY+d20/mDFuvFEc5qjfzNqv/7okyBjaWB4hgwnj +XASrqKlqHKVU1UyrJc76yAniimy+IoXKAELetIJGSN15GYaWJcAIs0EybjykgyAu +7Zlf/wIDAQABAoIBAErkiNt+GS+nwVWmhUMt3UfsOjal2EgBQt7xCKSbyVEYSqCg +TDN2Y0IC07kPbwhobR8u7kyzGCs5vwE/3EmQOwNRh/3FyxqSu9IfP9CKrG4GzqMu +DFjH9PjBaEQhi/pXRqFbA6qBgLpvoytcJNlkK3w5HDVuytoNoDpJAm4XhbEAwVG2 +u3De40lPKXBFaGjSrUQETnrm0Fhj+J7+VMheQZVjEHwMIOmbIDcckV0OSIWn00XG +/Md0y0i/U8S0TkP9sVC+cKkKMCNL+BJYf5YucUIna/9PgBD36RRRq2D0e8/iP8m+ +ftnmW7fxlL2neTZ2sAS+4sm7sOoudaeAta+JoEECgYEA5ZjbBJf+FhyFOBFRoYow +OHP+JfU7rdi8n5GpNswVmtNx3FK+eoUz+PlXTluUydS3L40ba7/mzYFzAZETF6YO +Z8STkmvLxRTDzvZoE0SCJQAcG9I1oVWMufDVnHvljflH+IBjvMQM527dfFgaebvD +TkRvnCup2oV3uT430++15K0CgYEAyrESfgP5f9+zZqz30N+QTWHZCzCUqSDcGhke +Irvjs5tSrCQibbSGkGNHZ/V019K8rKJQlvNbEEzlRRcohuqIuUPgPmXBbbruqCBP +a1+DD/HRg6BrTsNo67SbUJ6EsV5D80Ie76Yzye3By7E71xvFzFxbMwcwPFHBDViR +m4oRwNsCgYEAtdb/N78tVNPXytUkot0wXbW4RtXYI1Lx6StTKnwubEYk+otqIt1W +kUzhkcTEralUQEvwuMDvCjoJHOeKiINTC2pMOn43j+pnPoY3XXM35BgXKw2svg9k +emu8ssgJwgz5rF37ICjh03Yh4vZgWaOVBmr7PmPyjYiBjuwxCSDkHa0CgYEAkqwP +9aBqq131NBd2PG+KvHRR2wcMjFZ672e9puTPoOiEqox7XWeE+Hbe9RtpscONRF8w +cgsnmmQKhDR93yNYTLgRTRXVItJiYMcAsXIsJR2XvugWvqgpBGds/Km426CbCyyN +tl1OnJCv6/YUl1RBjeBHHmXVQdDnIgE1XJhMwIECgYEAt4zgPqswoicfDBqakP6X +ZND0s7fiki2YBmXyASIoUACnpJEWsOOEJrAcW7xtgXgjNxKdk1JqYV3ggU8wgCvv +9Ugsx0FiuPmIBhYNZMWIItNmpYqPm8KbEwIPqChs9OA+5FREFwFjJgGK2ublfmVj +dN2I3LilMIXTE4/MQ8Lhcjc= +-----END PRIVATE KEY----- diff --git a/test/certs/ee-pss-cert.pem b/test/certs/ee-pss-cert.pem new file mode 100644 index 0000000000..e908783b55 --- /dev/null +++ b/test/certs/ee-pss-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdDCCAiygAwIBAgIBAjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDARMQ8wDQYDVQQDDAZDQS1Q +U1MwIBcNMjEwMTI2MTAwNjMzWhgPMjEyMTAxMjcxMDA2MzNaMBExDzANBgNVBAMM +BkVFLVBTUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e +2ywP1XP74reoG3p1YCvUfTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx// +DcZD/jE0+CjYdemju4iC76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aO +wjagEf/AWTX9SRzdHEIzBniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5Zq +ghsVi9GZq+Seb5Sq0pblV/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktH +aKcpxz9K4iIntO+QY9fv0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h +/nk0H0qJH7cCAwEAAaN1MHMwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOi +MB8GA1UdIwQYMBaAFBn5oQP1XMVpIe1VAR8VHRx0C4KwMAkGA1UdEwQCMAAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwEQYDVR0RBAowCIIGRUUtUFNTMD0GCSqGSIb3DQEB +CjAwoA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaID +AgEgA4IBAQCzCXb5XpMvhuwWso9wj4B8AJjCugMlGdrLXIj3ueqyS1qSEcFp1meO +9jMDCjAkitTdZjf3gqEghC/joUd+XAw3JfOPOl36WlNrm9bwZTnfnCYFRrdprfMo +Q1Kqy9SNvDeHZZVcGeU3PZSt+EabmR9mQODg/qfpa9/3WktzFbvxlPOS7Tb0n2tn +vQnTmyrmGN2/o8X1qGQgETw5bH3csKgsPh668zN/gv3DxNN0EVACLaOSahNsNQa7 +KCcl1ez5KcFc0QIlQajhorTYOIeTb8UmR4wdy5C4Nd9P5OKv1sQvVO9PtswAv/s7 +Vs48cDO1+ASn0KjN41hXN5+fOIlNqOeU +-----END CERTIFICATE----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index ebb71c1778..2126c4fcfe 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -114,6 +114,19 @@ genroot() { } genca() { + local OPTIND=1 + local purpose= + + while getopts p: o + do + case $o in + p) purpose="$OPTARG";; + *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 + return 1;; + esac + done + + shift $((OPTIND - 1)) local cn=$1; shift local key=$1; shift local cert=$1; shift @@ -123,17 +136,16 @@ genca() { local akid="authorityKeyIdentifier = keyid" exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") - for eku in "$@" - do - exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") - done + if [ -n "$purpose" ]; then + exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$purpose") + fi if [ -n "$NC" ]; then exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") fi csr=$(req "$key" "CN = $cn") || return 1 echo "$csr" | cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ - -set_serial 2 -days "${DAYS}" + -set_serial 2 -days "${DAYS}" "$@" } gen_nonbc_ca() { diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 04591bcc05..49aab7118f 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -125,7 +125,7 @@ OPENSSL_KEYBITS=768 \ # client intermediate ca: cca-cert # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth # -./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth +./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert # openssl x509 -in cca-cert.pem -trustout \ -addtrust serverAuth -out cca+serverAuth.pem @@ -143,7 +143,7 @@ openssl x509 -in cca-cert.pem -trustout \ # server intermediate ca: sca-cert # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU # -./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth +./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert # openssl x509 -in sca-cert.pem -trustout \ -addtrust serverAuth -out sca+serverAuth.pem @@ -380,9 +380,14 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ # SHA1 ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \ -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest -# SHA256 +# EE SHA256 ./mkcert.sh genee PSS-SHA256 ee-key ee-pss-sha256-cert ca-key ca-cert \ - -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest + -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest +# CA-PSS +./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \ + -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 +./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \ + -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \ "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \ diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 1336b8a726..070c8e2245 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -27,7 +27,7 @@ sub verify { run(app([@args])); } -plan tests => 145; +plan tests => 146; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -377,6 +377,9 @@ ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_l ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), "PSS signature using SHA256 and auth level 2"); +ok(verify("ee-pss-cert", "sslserver", ["root-cert"], ["ca-pss-cert"], ), + "CA PSS signature"); + ok(!verify("many-names1", "sslserver", ["many-constraints"], ["many-constraints"], ), "Too many names and constraints to check (1)"); ok(!verify("many-names2", "sslserver", ["many-constraints"], ["many-constraints"], ), |