|
|
535d01 |
diff -up openssl-1.1.1g/crypto/ec/ec_asn1.c.explicit-params openssl-1.1.1g/crypto/ec/ec_asn1.c
|
|
|
535d01 |
--- openssl-1.1.1g/crypto/ec/ec_asn1.c.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/crypto/ec/ec_asn1.c 2020-10-23 15:27:31.304312344 +0200
|
|
|
535d01 |
@@ -137,6 +137,12 @@ struct ec_parameters_st {
|
|
|
535d01 |
ASN1_INTEGER *cofactor;
|
|
|
535d01 |
} /* ECPARAMETERS */ ;
|
|
|
535d01 |
|
|
|
535d01 |
+typedef enum {
|
|
|
535d01 |
+ ECPKPARAMETERS_TYPE_NAMED = 0,
|
|
|
535d01 |
+ ECPKPARAMETERS_TYPE_EXPLICIT,
|
|
|
535d01 |
+ ECPKPARAMETERS_TYPE_IMPLICIT
|
|
|
535d01 |
+} ecpk_parameters_type_t;
|
|
|
535d01 |
+
|
|
|
535d01 |
struct ecpk_parameters_st {
|
|
|
535d01 |
int type;
|
|
|
535d01 |
union {
|
|
|
535d01 |
@@ -535,9 +541,10 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparamet
|
|
|
535d01 |
return NULL;
|
|
|
535d01 |
}
|
|
|
535d01 |
} else {
|
|
|
535d01 |
- if (ret->type == 0)
|
|
|
535d01 |
+ if (ret->type == ECPKPARAMETERS_TYPE_NAMED)
|
|
|
535d01 |
ASN1_OBJECT_free(ret->value.named_curve);
|
|
|
535d01 |
- else if (ret->type == 1 && ret->value.parameters)
|
|
|
535d01 |
+ else if (ret->type == ECPKPARAMETERS_TYPE_EXPLICIT
|
|
|
535d01 |
+ && ret->value.parameters != NULL)
|
|
|
535d01 |
ECPARAMETERS_free(ret->value.parameters);
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
@@ -547,7 +554,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparamet
|
|
|
535d01 |
*/
|
|
|
535d01 |
tmp = EC_GROUP_get_curve_name(group);
|
|
|
535d01 |
if (tmp) {
|
|
|
535d01 |
- ret->type = 0;
|
|
|
535d01 |
+ ret->type = ECPKPARAMETERS_TYPE_NAMED;
|
|
|
535d01 |
if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
|
|
|
535d01 |
ok = 0;
|
|
|
535d01 |
} else
|
|
|
535d01 |
@@ -555,7 +562,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparamet
|
|
|
535d01 |
ok = 0;
|
|
|
535d01 |
} else {
|
|
|
535d01 |
/* use the ECPARAMETERS structure */
|
|
|
535d01 |
- ret->type = 1;
|
|
|
535d01 |
+ ret->type = ECPKPARAMETERS_TYPE_EXPLICIT;
|
|
|
535d01 |
if ((ret->value.parameters =
|
|
|
535d01 |
EC_GROUP_get_ecparameters(group, NULL)) == NULL)
|
|
|
535d01 |
ok = 0;
|
|
|
535d01 |
@@ -894,7 +901,8 @@ EC_GROUP *EC_GROUP_new_from_ecpkparamete
|
|
|
535d01 |
return NULL;
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
- if (params->type == 0) { /* the curve is given by an OID */
|
|
|
535d01 |
+ if (params->type == ECPKPARAMETERS_TYPE_NAMED) {
|
|
|
535d01 |
+ /* the curve is given by an OID */
|
|
|
535d01 |
tmp = OBJ_obj2nid(params->value.named_curve);
|
|
|
535d01 |
if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL) {
|
|
|
535d01 |
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS,
|
|
|
535d01 |
@@ -902,15 +910,16 @@ EC_GROUP *EC_GROUP_new_from_ecpkparamete
|
|
|
535d01 |
return NULL;
|
|
|
535d01 |
}
|
|
|
535d01 |
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
|
|
|
535d01 |
- } else if (params->type == 1) { /* the parameters are given by a
|
|
|
535d01 |
- * ECPARAMETERS structure */
|
|
|
535d01 |
+ } else if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) {
|
|
|
535d01 |
+ /* the parameters are given by an ECPARAMETERS structure */
|
|
|
535d01 |
ret = EC_GROUP_new_from_ecparameters(params->value.parameters);
|
|
|
535d01 |
if (!ret) {
|
|
|
535d01 |
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, ERR_R_EC_LIB);
|
|
|
535d01 |
return NULL;
|
|
|
535d01 |
}
|
|
|
535d01 |
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
|
|
|
535d01 |
- } else if (params->type == 2) { /* implicitlyCA */
|
|
|
535d01 |
+ } else if (params->type == ECPKPARAMETERS_TYPE_IMPLICIT) {
|
|
|
535d01 |
+ /* implicit parameters inherited from CA - unsupported */
|
|
|
535d01 |
return NULL;
|
|
|
535d01 |
} else {
|
|
|
535d01 |
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, EC_R_ASN1_ERROR);
|
|
|
535d01 |
@@ -940,6 +949,9 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
|
|
|
535d01 |
return NULL;
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
+ if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
|
|
|
535d01 |
+ group->decoded_from_explicit_params = 1;
|
|
|
535d01 |
+
|
|
|
535d01 |
if (a) {
|
|
|
535d01 |
EC_GROUP_free(*a);
|
|
|
535d01 |
*a = group;
|
|
|
535d01 |
@@ -991,6 +1003,9 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
|
|
535d01 |
if (priv_key->parameters) {
|
|
|
535d01 |
EC_GROUP_free(ret->group);
|
|
|
535d01 |
ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
|
|
|
535d01 |
+ if (ret->group != NULL
|
|
|
535d01 |
+ && priv_key->parameters->type == ECPKPARAMETERS_TYPE_EXPLICIT)
|
|
|
535d01 |
+ ret->group->decoded_from_explicit_params = 1;
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
if (ret->group == NULL) {
|
|
|
535d01 |
diff -up openssl-1.1.1g/crypto/ec/ec_key.c.explicit-params openssl-1.1.1g/crypto/ec/ec_key.c
|
|
|
535d01 |
--- openssl-1.1.1g/crypto/ec/ec_key.c.explicit-params 2020-10-23 15:27:31.296312275 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-10-23 15:27:31.304312344 +0200
|
|
|
535d01 |
@@ -566,6 +566,13 @@ void EC_KEY_clear_flags(EC_KEY *key, int
|
|
|
535d01 |
key->flags &= ~flags;
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
+int EC_KEY_decoded_from_explicit_params(const EC_KEY *key)
|
|
|
535d01 |
+{
|
|
|
535d01 |
+ if (key == NULL || key->group == NULL)
|
|
|
535d01 |
+ return -1;
|
|
|
535d01 |
+ return key->group->decoded_from_explicit_params;
|
|
|
535d01 |
+}
|
|
|
535d01 |
+
|
|
|
535d01 |
size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
|
|
|
535d01 |
unsigned char **pbuf, BN_CTX *ctx)
|
|
|
535d01 |
{
|
|
|
535d01 |
diff -up openssl-1.1.1g/crypto/ec/ec_lib.c.explicit-params openssl-1.1.1g/crypto/ec/ec_lib.c
|
|
|
535d01 |
--- openssl-1.1.1g/crypto/ec/ec_lib.c.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/crypto/ec/ec_lib.c 2020-10-23 15:27:31.304312344 +0200
|
|
|
535d01 |
@@ -211,6 +211,7 @@ int EC_GROUP_copy(EC_GROUP *dest, const
|
|
|
535d01 |
|
|
|
535d01 |
dest->asn1_flag = src->asn1_flag;
|
|
|
535d01 |
dest->asn1_form = src->asn1_form;
|
|
|
535d01 |
+ dest->decoded_from_explicit_params = src->decoded_from_explicit_params;
|
|
|
535d01 |
|
|
|
535d01 |
if (src->seed) {
|
|
|
535d01 |
OPENSSL_free(dest->seed);
|
|
|
535d01 |
diff -up openssl-1.1.1g/crypto/ec/ec_local.h.explicit-params openssl-1.1.1g/crypto/ec/ec_local.h
|
|
|
535d01 |
--- openssl-1.1.1g/crypto/ec/ec_local.h.explicit-params 2020-10-23 15:27:31.281312147 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/crypto/ec/ec_local.h 2020-10-23 15:27:31.304312344 +0200
|
|
|
535d01 |
@@ -217,6 +217,8 @@ struct ec_group_st {
|
|
|
535d01 |
BIGNUM *order, *cofactor;
|
|
|
535d01 |
int curve_name; /* optional NID for named curve */
|
|
|
535d01 |
int asn1_flag; /* flag to control the asn1 encoding */
|
|
|
535d01 |
+ int decoded_from_explicit_params; /* set if decoded from explicit
|
|
|
535d01 |
+ * curve parameters encoding */
|
|
|
535d01 |
point_conversion_form_t asn1_form;
|
|
|
535d01 |
unsigned char *seed; /* optional seed for parameters (appears in
|
|
|
535d01 |
* ASN1) */
|
|
|
535d01 |
diff -up openssl-1.1.1g/crypto/x509/x509_txt.c.explicit-params openssl-1.1.1g/crypto/x509/x509_txt.c
|
|
|
535d01 |
--- openssl-1.1.1g/crypto/x509/x509_txt.c.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/crypto/x509/x509_txt.c 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -174,6 +174,8 @@ const char *X509_verify_cert_error_strin
|
|
|
535d01 |
return "OCSP verification failed";
|
|
|
535d01 |
case X509_V_ERR_OCSP_CERT_UNKNOWN:
|
|
|
535d01 |
return "OCSP unknown cert";
|
|
|
535d01 |
+ case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
|
|
|
535d01 |
+ return "Certificate public key has explicit ECC parameters";
|
|
|
535d01 |
|
|
|
535d01 |
default:
|
|
|
535d01 |
/* Printing an error number into a static buffer is not thread-safe */
|
|
|
535d01 |
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.explicit-params openssl-1.1.1g/crypto/x509/x509_vfy.c
|
|
|
535d01 |
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.explicit-params 2020-10-23 15:27:31.252311900 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -80,6 +80,7 @@ static int get_issuer_sk(X509 **issuer,
|
|
|
535d01 |
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
|
|
|
535d01 |
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
|
|
|
535d01 |
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
|
|
|
535d01 |
+static int check_curve(X509 *cert);
|
|
|
535d01 |
|
|
|
535d01 |
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
|
|
535d01 |
unsigned int *preasons, X509_CRL *crl, X509 *x);
|
|
|
535d01 |
@@ -508,6 +509,14 @@ static int check_chain_extensions(X509_S
|
|
|
535d01 |
ret = 1;
|
|
|
535d01 |
break;
|
|
|
535d01 |
}
|
|
|
535d01 |
+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
|
|
|
535d01 |
+ /* Check for presence of explicit elliptic curve parameters */
|
|
|
535d01 |
+ ret = check_curve(x);
|
|
|
535d01 |
+ if (ret < 0)
|
|
|
535d01 |
+ ctx->error = X509_V_ERR_UNSPECIFIED;
|
|
|
535d01 |
+ else if (ret == 0)
|
|
|
535d01 |
+ ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
|
|
|
535d01 |
+ }
|
|
|
535d01 |
if ((x->ex_flags & EXFLAG_CA) == 0
|
|
|
535d01 |
&& x->ex_pathlen != -1
|
|
|
535d01 |
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
|
|
|
535d01 |
@@ -3259,6 +3268,32 @@ static int check_key_level(X509_STORE_CT
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
/*
|
|
|
535d01 |
+ * Check whether the public key of ``cert`` does not use explicit params
|
|
|
535d01 |
+ * for an elliptic curve.
|
|
|
535d01 |
+ *
|
|
|
535d01 |
+ * Returns 1 on success, 0 if check fails, -1 for other errors.
|
|
|
535d01 |
+ */
|
|
|
535d01 |
+static int check_curve(X509 *cert)
|
|
|
535d01 |
+{
|
|
|
535d01 |
+#ifndef OPENSSL_NO_EC
|
|
|
535d01 |
+ EVP_PKEY *pkey = X509_get0_pubkey(cert);
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Unsupported or malformed key */
|
|
|
535d01 |
+ if (pkey == NULL)
|
|
|
535d01 |
+ return -1;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
|
|
|
535d01 |
+ int ret;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
|
|
|
535d01 |
+ return ret < 0 ? ret : !ret;
|
|
|
535d01 |
+ }
|
|
|
535d01 |
+#endif
|
|
|
535d01 |
+
|
|
|
535d01 |
+ return 1;
|
|
|
535d01 |
+}
|
|
|
535d01 |
+
|
|
|
535d01 |
+/*
|
|
|
535d01 |
* Check whether the signature digest algorithm of ``cert`` meets the security
|
|
|
535d01 |
* level of ``ctx``. Should not be checked for trust anchors (whether
|
|
|
535d01 |
* self-signed or otherwise).
|
|
|
535d01 |
diff -up openssl-1.1.1g/doc/man3/EC_KEY_new.pod.explicit-params openssl-1.1.1g/doc/man3/EC_KEY_new.pod
|
|
|
535d01 |
--- openssl-1.1.1g/doc/man3/EC_KEY_new.pod.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/doc/man3/EC_KEY_new.pod 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -9,7 +9,8 @@ EC_KEY_get0_engine,
|
|
|
535d01 |
EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key,
|
|
|
535d01 |
EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key,
|
|
|
535d01 |
EC_KEY_get_conv_form,
|
|
|
535d01 |
-EC_KEY_set_conv_form, EC_KEY_set_asn1_flag, EC_KEY_precompute_mult,
|
|
|
535d01 |
+EC_KEY_set_conv_form, EC_KEY_set_asn1_flag,
|
|
|
535d01 |
+EC_KEY_decoded_from_explicit_params, EC_KEY_precompute_mult,
|
|
|
535d01 |
EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates,
|
|
|
535d01 |
EC_KEY_oct2key, EC_KEY_key2buf, EC_KEY_oct2priv, EC_KEY_priv2oct,
|
|
|
535d01 |
EC_KEY_priv2buf - Functions for creating, destroying and manipulating
|
|
|
535d01 |
@@ -38,6 +39,7 @@ EC_KEY objects
|
|
|
535d01 |
point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
|
|
|
535d01 |
void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
|
|
|
535d01 |
void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
|
|
|
535d01 |
+ int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
|
|
|
535d01 |
int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
|
|
|
535d01 |
int EC_KEY_generate_key(EC_KEY *key);
|
|
|
535d01 |
int EC_KEY_check_key(const EC_KEY *key);
|
|
|
535d01 |
@@ -118,6 +120,10 @@ EC_KEY_set_asn1_flag() sets the asn1_fla
|
|
|
535d01 |
(if set). Refer to L<EC_GROUP_copy(3)> for further information on the
|
|
|
535d01 |
asn1_flag.
|
|
|
535d01 |
|
|
|
535d01 |
+EC_KEY_decoded_from_explicit_params() returns 1 if the group of the I<key> was
|
|
|
535d01 |
+decoded from data with explicitly encoded group parameters, -1 if the I<key>
|
|
|
535d01 |
+is NULL or the group parameters are missing, and 0 otherwise.
|
|
|
535d01 |
+
|
|
|
535d01 |
EC_KEY_precompute_mult() stores multiples of the underlying EC_GROUP generator
|
|
|
535d01 |
for faster point multiplication. See also L<EC_POINT_add(3)>.
|
|
|
535d01 |
|
|
|
535d01 |
diff -up openssl-1.1.1g/include/openssl/ec.h.explicit-params openssl-1.1.1g/include/openssl/ec.h
|
|
|
535d01 |
--- openssl-1.1.1g/include/openssl/ec.h.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/include/openssl/ec.h 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -829,6 +829,8 @@ void EC_KEY_set_flags(EC_KEY *key, int f
|
|
|
535d01 |
|
|
|
535d01 |
void EC_KEY_clear_flags(EC_KEY *key, int flags);
|
|
|
535d01 |
|
|
|
535d01 |
+int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
|
|
|
535d01 |
+
|
|
|
535d01 |
/** Creates a new EC_KEY object using a named curve as underlying
|
|
|
535d01 |
* EC_GROUP object.
|
|
|
535d01 |
* \param nid NID of the named curve.
|
|
|
535d01 |
diff -up openssl-1.1.1g/include/openssl/x509_vfy.h.explicit-params openssl-1.1.1g/include/openssl/x509_vfy.h
|
|
|
535d01 |
--- openssl-1.1.1g/include/openssl/x509_vfy.h.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/include/openssl/x509_vfy.h 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -184,6 +184,7 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
|
|
535d01 |
# define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */
|
|
|
535d01 |
# define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */
|
|
|
535d01 |
# define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */
|
|
|
535d01 |
+# define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 79
|
|
|
535d01 |
|
|
|
535d01 |
/* Certificate verify flags */
|
|
|
535d01 |
|
|
|
535d01 |
diff -up openssl-1.1.1g/ssl/statem/statem_lib.c.explicit-params openssl-1.1.1g/ssl/statem/statem_lib.c
|
|
|
535d01 |
--- openssl-1.1.1g/ssl/statem/statem_lib.c.explicit-params 2020-10-23 15:27:31.249311874 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/ssl/statem/statem_lib.c 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -1341,6 +1341,7 @@ int tls_get_message_body(SSL *s, size_t
|
|
|
535d01 |
static const X509ERR2ALERT x509table[] = {
|
|
|
535d01 |
{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
|
|
|
535d01 |
{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
|
|
|
535d01 |
+ {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
|
|
|
535d01 |
{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
|
|
|
535d01 |
{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
|
|
|
535d01 |
{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ca-cert-ec-explicit.pem.explicit-params openssl-1.1.1g/test/certs/ca-cert-ec-explicit.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ca-cert-ec-explicit.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ca-cert-ec-explicit.pem 2020-10-23 15:27:31.305312352 +0200
|
|
|
535d01 |
@@ -0,0 +1,19 @@
|
|
|
535d01 |
+-----BEGIN CERTIFICATE-----
|
|
|
535d01 |
+MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
|
|
535d01 |
+IENBMCAXDTIwMDkxNTEzMDY0MVoYDzIxMjAwOTE2MTMwNjQxWjANMQswCQYDVQQD
|
|
|
535d01 |
+DAJDQTCCAUswggEDBgcqhkjOPQIBMIH3AgEBMCwGByqGSM49AQECIQD/////AAAA
|
|
|
535d01 |
+AQAAAAAAAAAAAAAAAP///////////////zBbBCD/////AAAAAQAAAAAAAAAAAAAA
|
|
|
535d01 |
+AP///////////////AQgWsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEsD
|
|
|
535d01 |
+FQDEnTYIhucEk2pmeOETnSa3gZ9+kARBBGsX0fLhLEJH+Lzm5WOkQPJ3A32BLesz
|
|
|
535d01 |
+oPShOUXYmMKWT+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfUCIQD/////
|
|
|
535d01 |
+AAAAAP//////////vOb6racXnoTzucrC/GMlUQIBAQNCAASlXna3kSD/Yol3RA5I
|
|
|
535d01 |
+icjIxYb9UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM
|
|
|
535d01 |
+5NDco1MwUTAdBgNVHQ4EFgQUFk6ucH6gMXeadmuV7a1iWEnU/CIwHwYDVR0jBBgw
|
|
|
535d01 |
+FoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
|
|
|
535d01 |
+9w0BAQsFAAOCAQEAdyUgfT0eAsZzoHFXoWN5uqi0MHuhLI37TEzkH5h7iTpDQJTQ
|
|
|
535d01 |
+F0SjbawfM/nxxUekRW3mjFu3lft+VA7yC0OTNBLffan/vTh+HGOvvYZSMJYgKrMG
|
|
|
535d01 |
+PRWgDId+n9RTcQCf+91cISvOazHixRiJG7JfRLdNZsAE+miw4HgPLFboTwpxtTDJ
|
|
|
535d01 |
+zJ4ssBC6P+5IHwBCtNMiilJMMMzuSaZa5iSo6M9AdXWfcQN3uhW1lgQOLOlKLcbo
|
|
|
535d01 |
+3UhW1GMMhTTeytM5aylbKhRsnL7ozmS44zsKZ25YaQxgjdKitFjVN6j7eyQ7C9J2
|
|
|
535d01 |
+bLXgl3APweLQbGGs0zv08Ad0SCCKYLHK6mMJqg==
|
|
|
535d01 |
+-----END CERTIFICATE-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ca-cert-ec-named.pem.explicit-params openssl-1.1.1g/test/certs/ca-cert-ec-named.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ca-cert-ec-named.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ca-cert-ec-named.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,14 @@
|
|
|
535d01 |
+-----BEGIN CERTIFICATE-----
|
|
|
535d01 |
+MIICJDCCAQygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
|
|
535d01 |
+IENBMCAXDTIwMDkxNTEzMDY1MFoYDzIxMjAwOTE2MTMwNjUwWjANMQswCQYDVQQD
|
|
|
535d01 |
+DAJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPt+MXCi9+wztEvmdG2EVSk7
|
|
|
535d01 |
+bAiJMXJXW/u0NbcGCrrbhO1NJSHHV3Lks888sqeSPh/bif/ASJ0HX+VarMUoFIKj
|
|
|
535d01 |
+UzBRMB0GA1UdDgQWBBRjigU5REz8Lwf1iD6mALVhsHIanjAfBgNVHSMEGDAWgBSO
|
|
|
535d01 |
+9SWvHptrhD18gJrJU5xNcvejUjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
|
|
|
535d01 |
+CwUAA4IBAQCQs9wpblefb2C9a7usGL1DJjWJQIFHtUf+6p/KPgEV7LF138ECjL5s
|
|
|
535d01 |
+0AWRd8Q8SbsBH49j2r3LLLMkvFglyRaN+FF+TCC/UQtclTb4+HgLsUT2xSU8U2cY
|
|
|
535d01 |
+SOnzNB5AX/qAAsdOGqOjivPtGXcXFexDKPsw3n+3rJgymBP6hbLagb47IabNhot5
|
|
|
535d01 |
+bMM6S+bmfpMwfsm885zr5vG2Gg9FjjH94Vx4I7eRLkjCS88gkIR1J35ecHFteOdo
|
|
|
535d01 |
+idOaCHQddYiKukBzgdjtTxSDXKffkaybylrwOZ8VBlQd3zC7s02d+riHCnroLnnE
|
|
|
535d01 |
+cwYLlJ5z6jN7zoPZ55yX/EmA0RVny2le
|
|
|
535d01 |
+-----END CERTIFICATE-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ca-key-ec-explicit.pem.explicit-params openssl-1.1.1g/test/certs/ca-key-ec-explicit.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ca-key-ec-explicit.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ca-key-ec-explicit.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,10 @@
|
|
|
535d01 |
+-----BEGIN PRIVATE KEY-----
|
|
|
535d01 |
+MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
|
|
|
535d01 |
+AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
|
|
|
535d01 |
+///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
|
|
|
535d01 |
+AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg
|
|
|
535d01 |
+9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A
|
|
|
535d01 |
+AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgdEf20fpuqEZU
|
|
|
535d01 |
+tZ4ORoq4vb5ETV4a6QOl/iGnDQt++/ihRANCAASlXna3kSD/Yol3RA5IicjIxYb9
|
|
|
535d01 |
+UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM5NDc
|
|
|
535d01 |
+-----END PRIVATE KEY-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ca-key-ec-named.pem.explicit-params openssl-1.1.1g/test/certs/ca-key-ec-named.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ca-key-ec-named.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ca-key-ec-named.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,5 @@
|
|
|
535d01 |
+-----BEGIN PRIVATE KEY-----
|
|
|
535d01 |
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCTrYrMKcyV49+w4B
|
|
|
535d01 |
+TWr2WTZsMM4aFpaYulKAuhiuQ7mhRANCAAT7fjFwovfsM7RL5nRthFUpO2wIiTFy
|
|
|
535d01 |
+V1v7tDW3Bgq624TtTSUhx1dy5LPPPLKnkj4f24n/wEidB1/lWqzFKBSC
|
|
|
535d01 |
+-----END PRIVATE KEY-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ee-cert-ec-explicit.pem.explicit-params openssl-1.1.1g/test/certs/ee-cert-ec-explicit.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ee-cert-ec-explicit.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ee-cert-ec-explicit.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,16 @@
|
|
|
535d01 |
+-----BEGIN CERTIFICATE-----
|
|
|
535d01 |
+MIIChzCCAi6gAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y
|
|
|
535d01 |
+MDA5MTUxMzE0MzlaGA8yMTIwMDkxNjEzMTQzOVowGTEXMBUGA1UEAwwOc2VydmVy
|
|
|
535d01 |
+LmV4YW1wbGUwggFLMIIBAwYHKoZIzj0CATCB9wIBATAsBgcqhkjOPQEBAiEA////
|
|
|
535d01 |
+/wAAAAEAAAAAAAAAAAAAAAD///////////////8wWwQg/////wAAAAEAAAAAAAAA
|
|
|
535d01 |
+AAAAAAD///////////////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n
|
|
|
535d01 |
+0mBLAxUAxJ02CIbnBJNqZnjhE50mt4GffpAEQQRrF9Hy4SxCR/i85uVjpEDydwN9
|
|
|
535d01 |
+gS3rM6D0oTlF2JjClk/jQuL+Gn+bjufrSnwPnhYrzjNXazFezsu2QGg3v1H1AiEA
|
|
|
535d01 |
+/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVECAQEDQgAE+7TDP7C9VqQP
|
|
|
535d01 |
+TnqoJc/Fvf/N45BX+lBfmfiGBeRKtSsvrERUlymzQ4/nxVtymozAgFxQ0my998HH
|
|
|
535d01 |
+TSVCj7Sq56N9MHswHQYDVR0OBBYEFKKwEfKYhNv6fbQf0Xd0te7J3GZdMB8GA1Ud
|
|
|
535d01 |
+IwQYMBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAww
|
|
|
535d01 |
+CgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwCgYIKoZIzj0E
|
|
|
535d01 |
+AwIDRwAwRAIgb4UITAOFlATeaayWQX9r5gf61qcnzT7TjXCekf7ww9oCIBDltg/u
|
|
|
535d01 |
+ZvS9gqviMFuPjTuk/FhsCTAUzTT7WmgcWeH7
|
|
|
535d01 |
+-----END CERTIFICATE-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ee-cert-ec-named-explicit.pem.explicit-params openssl-1.1.1g/test/certs/ee-cert-ec-named-explicit.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ee-cert-ec-named-explicit.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ee-cert-ec-named-explicit.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,11 @@
|
|
|
535d01 |
+-----BEGIN CERTIFICATE-----
|
|
|
535d01 |
+MIIBlDCCATqgAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y
|
|
|
535d01 |
+MDA5MTUxMzE0NDVaGA8yMTIwMDkxNjEzMTQ0NVowGTEXMBUGA1UEAwwOc2VydmVy
|
|
|
535d01 |
+LmV4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQv5PnMStW/Wx9lpvjl
|
|
|
535d01 |
+JTsFIjc2wBv14sNuMh1hfNX8ZJcoCfAAKYu6ujxXt328GWBMaubRbBjOd/eqpEst
|
|
|
535d01 |
+tYKzo30wezAdBgNVHQ4EFgQUmb/qcE413hkpmtjEMyRZZFcN1TYwHwYDVR0jBBgw
|
|
|
535d01 |
+FoAUFk6ucH6gMXeadmuV7a1iWEnU/CIwCQYDVR0TBAIwADATBgNVHSUEDDAKBggr
|
|
|
535d01 |
+BgEFBQcDATAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNI
|
|
|
535d01 |
+ADBFAiEA9y6J8rdAbO0mDZscIb8rIn6HgxBW4WAqTlFeZeHjjOYCIAmt2ldyObOL
|
|
|
535d01 |
+tXaiaxYX3WAOR1vmfzsdrkCAOCfAkpbo
|
|
|
535d01 |
+-----END CERTIFICATE-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ee-cert-ec-named-named.pem.explicit-params openssl-1.1.1g/test/certs/ee-cert-ec-named-named.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ee-cert-ec-named-named.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ee-cert-ec-named-named.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,11 @@
|
|
|
535d01 |
+-----BEGIN CERTIFICATE-----
|
|
|
535d01 |
+MIIBkzCCATqgAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y
|
|
|
535d01 |
+MDA5MTUxNDEwNDhaGA8yMTIwMDkxNjE0MTA0OFowGTEXMBUGA1UEAwwOc2VydmVy
|
|
|
535d01 |
+LmV4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS0YU57+RFRWxr/frnL
|
|
|
535d01 |
++vOYkY3h9roKnvxCG07wK5tevEYtSdKz0KsHvDBDatw1r3JNv+m2p54/3AqFPAZ3
|
|
|
535d01 |
+5b0Po30wezAdBgNVHQ4EFgQUypypuZrUl0BEmbuhfJpo3QFNIvUwHwYDVR0jBBgw
|
|
|
535d01 |
+FoAUY4oFOURM/C8H9Yg+pgC1YbByGp4wCQYDVR0TBAIwADATBgNVHSUEDDAKBggr
|
|
|
535d01 |
+BgEFBQcDATAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNH
|
|
|
535d01 |
+ADBEAiAEkKD7H5uxQ4YbQOiN4evbu5RCV5W7TVE80iBfcY5u4wIgGcwr++lVNX0Q
|
|
|
535d01 |
+CTT+M3ukDjOA8OEvKUz1TiDuRAQ29qU=
|
|
|
535d01 |
+-----END CERTIFICATE-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ee-key-ec-explicit.pem.explicit-params openssl-1.1.1g/test/certs/ee-key-ec-explicit.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ee-key-ec-explicit.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ee-key-ec-explicit.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,10 @@
|
|
|
535d01 |
+-----BEGIN PRIVATE KEY-----
|
|
|
535d01 |
+MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
|
|
|
535d01 |
+AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
|
|
|
535d01 |
+///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
|
|
|
535d01 |
+AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg
|
|
|
535d01 |
+9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A
|
|
|
535d01 |
+AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQg0cmpcTcEYG5G
|
|
|
535d01 |
+ZaVkGjtsBc3sLZn1EuV9qNK2qx6iNzmhRANCAAT7tMM/sL1WpA9Oeqglz8W9/83j
|
|
|
535d01 |
+kFf6UF+Z+IYF5Eq1Ky+sRFSXKbNDj+fFW3KajMCAXFDSbL33wcdNJUKPtKrn
|
|
|
535d01 |
+-----END PRIVATE KEY-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ee-key-ec-named-explicit.pem.explicit-params openssl-1.1.1g/test/certs/ee-key-ec-named-explicit.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ee-key-ec-named-explicit.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ee-key-ec-named-explicit.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,5 @@
|
|
|
535d01 |
+-----BEGIN PRIVATE KEY-----
|
|
|
535d01 |
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2ue+X5ZFJPJPQG2E
|
|
|
535d01 |
+WQY4ALv2PkPp2Gy6KrMiokgmjkehRANCAAQv5PnMStW/Wx9lpvjlJTsFIjc2wBv1
|
|
|
535d01 |
+4sNuMh1hfNX8ZJcoCfAAKYu6ujxXt328GWBMaubRbBjOd/eqpEsttYKz
|
|
|
535d01 |
+-----END PRIVATE KEY-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/ee-key-ec-named-named.pem.explicit-params openssl-1.1.1g/test/certs/ee-key-ec-named-named.pem
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/ee-key-ec-named-named.pem.explicit-params 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/ee-key-ec-named-named.pem 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -0,0 +1,5 @@
|
|
|
535d01 |
+-----BEGIN PRIVATE KEY-----
|
|
|
535d01 |
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGSoneIKG3//ujXGu
|
|
|
535d01 |
+/EoJdNhpKZj026EF/YQ5FblUBWahRANCAAS0YU57+RFRWxr/frnL+vOYkY3h9roK
|
|
|
535d01 |
+nvxCG07wK5tevEYtSdKz0KsHvDBDatw1r3JNv+m2p54/3AqFPAZ35b0P
|
|
|
535d01 |
+-----END PRIVATE KEY-----
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/certs/setup.sh.explicit-params openssl-1.1.1g/test/certs/setup.sh
|
|
|
535d01 |
--- openssl-1.1.1g/test/certs/setup.sh.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/certs/setup.sh 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -116,6 +116,10 @@ openssl x509 -in ca-cert-md5.pem -trusto
|
|
|
535d01 |
# CA has 768-bit key
|
|
|
535d01 |
OPENSSL_KEYBITS=768 \
|
|
|
535d01 |
./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert
|
|
|
535d01 |
+# EC cert with explicit curve
|
|
|
535d01 |
+./mkcert.sh genca "CA" ca-key-ec-explicit ca-cert-ec-explicit root-key root-cert
|
|
|
535d01 |
+# EC cert with named curve
|
|
|
535d01 |
+./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert
|
|
|
535d01 |
|
|
|
535d01 |
# client intermediate ca: cca-cert
|
|
|
535d01 |
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
|
|
535d01 |
@@ -184,6 +188,14 @@ OPENSSL_SIGALG=md5 \
|
|
|
535d01 |
# 768-bit leaf key
|
|
|
535d01 |
OPENSSL_KEYBITS=768 \
|
|
|
535d01 |
./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
|
|
|
535d01 |
+# EC cert with explicit curve signed by named curve ca
|
|
|
535d01 |
+./mkcert.sh genee server.example ee-key-ec-explicit ee-cert-ec-explicit ca-key-ec-named ca-cert-ec-named
|
|
|
535d01 |
+# EC cert with named curve signed by explicit curve ca
|
|
|
535d01 |
+./mkcert.sh genee server.example ee-key-ec-named-explicit \
|
|
|
535d01 |
+ ee-cert-ec-named-explicit ca-key-ec-explicit ca-cert-ec-explicit
|
|
|
535d01 |
+# EC cert with named curve signed by named curve ca
|
|
|
535d01 |
+./mkcert.sh genee server.example ee-key-ec-named-named \
|
|
|
535d01 |
+ ee-cert-ec-named-named ca-key-ec-named ca-cert-ec-named
|
|
|
535d01 |
|
|
|
535d01 |
# Proxy certificates, off of ee-client
|
|
|
535d01 |
# Start with some good ones
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/ec_internal_test.c.explicit-params openssl-1.1.1g/test/ec_internal_test.c
|
|
|
535d01 |
--- openssl-1.1.1g/test/ec_internal_test.c.explicit-params 2020-04-21 14:22:39.000000000 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/ec_internal_test.c 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -183,6 +183,106 @@ static int field_tests_default(int n)
|
|
|
535d01 |
return ret;
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
+/*
|
|
|
535d01 |
+ * Tests behavior of the decoded_from_explicit_params flag and API
|
|
|
535d01 |
+ */
|
|
|
535d01 |
+static int decoded_flag_test(void)
|
|
|
535d01 |
+{
|
|
|
535d01 |
+ EC_GROUP *grp;
|
|
|
535d01 |
+ EC_GROUP *grp_copy = NULL;
|
|
|
535d01 |
+ ECPARAMETERS *ecparams = NULL;
|
|
|
535d01 |
+ ECPKPARAMETERS *ecpkparams = NULL;
|
|
|
535d01 |
+ EC_KEY *key = NULL;
|
|
|
535d01 |
+ unsigned char *encodedparams = NULL;
|
|
|
535d01 |
+ const unsigned char *encp;
|
|
|
535d01 |
+ int encodedlen;
|
|
|
535d01 |
+ int testresult = 0;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Test EC_GROUP_new not setting the flag */
|
|
|
535d01 |
+ grp = EC_GROUP_new(EC_GFp_simple_method());
|
|
|
535d01 |
+ if (!TEST_ptr(grp)
|
|
|
535d01 |
+ || !TEST_int_eq(grp->decoded_from_explicit_params, 0))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+ EC_GROUP_free(grp);
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Test EC_GROUP_new_by_curve_name not setting the flag */
|
|
|
535d01 |
+ grp = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
|
|
|
535d01 |
+ if (!TEST_ptr(grp)
|
|
|
535d01 |
+ || !TEST_int_eq(grp->decoded_from_explicit_params, 0))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Test EC_GROUP_new_from_ecparameters not setting the flag */
|
|
|
535d01 |
+ if (!TEST_ptr(ecparams = EC_GROUP_get_ecparameters(grp, NULL))
|
|
|
535d01 |
+ || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecparameters(ecparams))
|
|
|
535d01 |
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+ EC_GROUP_free(grp_copy);
|
|
|
535d01 |
+ grp_copy = NULL;
|
|
|
535d01 |
+ ECPARAMETERS_free(ecparams);
|
|
|
535d01 |
+ ecparams = NULL;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Test EC_GROUP_new_from_ecpkparameters not setting the flag */
|
|
|
535d01 |
+ if (!TEST_int_eq(EC_GROUP_get_asn1_flag(grp), OPENSSL_EC_NAMED_CURVE)
|
|
|
535d01 |
+ || !TEST_ptr(ecpkparams = EC_GROUP_get_ecpkparameters(grp, NULL))
|
|
|
535d01 |
+ || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecpkparameters(ecpkparams))
|
|
|
535d01 |
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0)
|
|
|
535d01 |
+ || !TEST_ptr(key = EC_KEY_new())
|
|
|
535d01 |
+ /* Test EC_KEY_decoded_from_explicit_params on key without a group */
|
|
|
535d01 |
+ || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), -1)
|
|
|
535d01 |
+ || !TEST_int_eq(EC_KEY_set_group(key, grp_copy), 1)
|
|
|
535d01 |
+ /* Test EC_KEY_decoded_from_explicit_params negative case */
|
|
|
535d01 |
+ || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), 0))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+ EC_GROUP_free(grp_copy);
|
|
|
535d01 |
+ grp_copy = NULL;
|
|
|
535d01 |
+ ECPKPARAMETERS_free(ecpkparams);
|
|
|
535d01 |
+ ecpkparams = NULL;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Test d2i_ECPKParameters with named params not setting the flag */
|
|
|
535d01 |
+ if (!TEST_int_gt(encodedlen = i2d_ECPKParameters(grp, &encodedparams), 0)
|
|
|
535d01 |
+ || !TEST_ptr(encp = encodedparams)
|
|
|
535d01 |
+ || !TEST_ptr(grp_copy = d2i_ECPKParameters(NULL, &encp, encodedlen))
|
|
|
535d01 |
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+ EC_GROUP_free(grp_copy);
|
|
|
535d01 |
+ grp_copy = NULL;
|
|
|
535d01 |
+ OPENSSL_free(encodedparams);
|
|
|
535d01 |
+ encodedparams = NULL;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Asn1 flag stays set to explicit with EC_GROUP_new_from_ecpkparameters */
|
|
|
535d01 |
+ EC_GROUP_set_asn1_flag(grp, OPENSSL_EC_EXPLICIT_CURVE);
|
|
|
535d01 |
+ if (!TEST_ptr(ecpkparams = EC_GROUP_get_ecpkparameters(grp, NULL))
|
|
|
535d01 |
+ || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecpkparameters(ecpkparams))
|
|
|
535d01 |
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(grp_copy), OPENSSL_EC_EXPLICIT_CURVE)
|
|
|
535d01 |
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+ EC_GROUP_free(grp_copy);
|
|
|
535d01 |
+ grp_copy = NULL;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ /* Test d2i_ECPKParameters with explicit params setting the flag */
|
|
|
535d01 |
+ if (!TEST_int_gt(encodedlen = i2d_ECPKParameters(grp, &encodedparams), 0)
|
|
|
535d01 |
+ || !TEST_ptr(encp = encodedparams)
|
|
|
535d01 |
+ || !TEST_ptr(grp_copy = d2i_ECPKParameters(NULL, &encp, encodedlen))
|
|
|
535d01 |
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(grp_copy), OPENSSL_EC_EXPLICIT_CURVE)
|
|
|
535d01 |
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 1)
|
|
|
535d01 |
+ || !TEST_int_eq(EC_KEY_set_group(key, grp_copy), 1)
|
|
|
535d01 |
+ /* Test EC_KEY_decoded_from_explicit_params positive case */
|
|
|
535d01 |
+ || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), 1))
|
|
|
535d01 |
+ goto err;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ testresult = 1;
|
|
|
535d01 |
+
|
|
|
535d01 |
+ err:
|
|
|
535d01 |
+ EC_KEY_free(key);
|
|
|
535d01 |
+ EC_GROUP_free(grp);
|
|
|
535d01 |
+ EC_GROUP_free(grp_copy);
|
|
|
535d01 |
+ ECPARAMETERS_free(ecparams);
|
|
|
535d01 |
+ ECPKPARAMETERS_free(ecpkparams);
|
|
|
535d01 |
+ OPENSSL_free(encodedparams);
|
|
|
535d01 |
+
|
|
|
535d01 |
+ return testresult;
|
|
|
535d01 |
+}
|
|
|
535d01 |
+
|
|
|
535d01 |
int setup_tests(void)
|
|
|
535d01 |
{
|
|
|
535d01 |
crv_len = EC_get_builtin_curves(NULL, 0);
|
|
|
535d01 |
@@ -196,6 +296,7 @@ int setup_tests(void)
|
|
|
535d01 |
ADD_TEST(field_tests_ec2_simple);
|
|
|
535d01 |
#endif
|
|
|
535d01 |
ADD_ALL_TESTS(field_tests_default, crv_len);
|
|
|
535d01 |
+ ADD_TEST(decoded_flag_test);
|
|
|
535d01 |
return 1;
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.explicit-params openssl-1.1.1g/test/recipes/25-test_verify.t
|
|
|
535d01 |
--- openssl-1.1.1g/test/recipes/25-test_verify.t.explicit-params 2020-10-23 15:27:31.253311908 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-10-23 15:27:31.306312361 +0200
|
|
|
535d01 |
@@ -27,7 +27,7 @@ sub verify {
|
|
|
535d01 |
run(app([@args]));
|
|
|
535d01 |
}
|
|
|
535d01 |
|
|
|
535d01 |
-plan tests => 137;
|
|
|
535d01 |
+plan tests => 142;
|
|
|
535d01 |
|
|
|
535d01 |
# Canonical success
|
|
|
535d01 |
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
|
|
535d01 |
@@ -280,6 +280,27 @@ ok(verify("ee-cert-md5", "sslserver", ["
|
|
|
535d01 |
ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]),
|
|
|
535d01 |
"reject md5 leaf at auth level 1");
|
|
|
535d01 |
|
|
|
535d01 |
+# Explicit vs named curve tests
|
|
|
535d01 |
+SKIP: {
|
|
|
535d01 |
+ skip "EC is not supported by this OpenSSL build", 5
|
|
|
535d01 |
+ if disabled("ec");
|
|
|
535d01 |
+ ok(verify("ee-cert-ec-explicit", "sslserver", ["root-cert"],
|
|
|
535d01 |
+ ["ca-cert-ec-named"]),
|
|
|
535d01 |
+ "accept explicit curve leaf with named curve intermediate without strict");
|
|
|
535d01 |
+ ok(verify("ee-cert-ec-named-explicit", "sslserver", ["root-cert"],
|
|
|
535d01 |
+ ["ca-cert-ec-explicit"]),
|
|
|
535d01 |
+ "accept named curve leaf with explicit curve intermediate without strict");
|
|
|
535d01 |
+ ok(!verify("ee-cert-ec-explicit", "sslserver", ["root-cert"],
|
|
|
535d01 |
+ ["ca-cert-ec-named"], "-x509_strict"),
|
|
|
535d01 |
+ "reject explicit curve leaf with named curve intermediate with strict");
|
|
|
535d01 |
+ ok(!verify("ee-cert-ec-named-explicit", "sslserver", ["root-cert"],
|
|
|
535d01 |
+ ["ca-cert-ec-explicit"], "-x509_strict"),
|
|
|
535d01 |
+ "reject named curve leaf with explicit curve intermediate with strict");
|
|
|
535d01 |
+ ok(verify("ee-cert-ec-named-named", "sslserver", ["root-cert"],
|
|
|
535d01 |
+ ["ca-cert-ec-named"], "-x509_strict"),
|
|
|
535d01 |
+ "accept named curve leaf with named curve intermediate with strict");
|
|
|
535d01 |
+}
|
|
|
535d01 |
+
|
|
|
535d01 |
# Depth tests, note the depth limit bounds the number of CA certificates
|
|
|
535d01 |
# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
|
|
|
535d01 |
# chain, depth = 1 is sufficient, but depth == 0 is not.
|
|
|
535d01 |
diff -up openssl-1.1.1g/util/libcrypto.num.explicit-params openssl-1.1.1g/util/libcrypto.num
|
|
|
535d01 |
--- openssl-1.1.1g/util/libcrypto.num.explicit-params 2020-10-23 15:27:31.265312011 +0200
|
|
|
535d01 |
+++ openssl-1.1.1g/util/libcrypto.num 2020-10-23 15:31:37.424413877 +0200
|
|
|
535d01 |
@@ -4587,6 +4587,7 @@ EVP_PKEY_meth_set_digestverify
|
|
|
535d01 |
EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
|
|
|
535d01 |
EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
|
|
|
535d01 |
RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
|
|
|
535d01 |
+EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
|
|
|
535d01 |
FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
|
|
|
535d01 |
FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
|
|
|
535d01 |
FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
|