# HG changeset patch # User Daiki Ueno # Date 1510136005 -3600 # Wed Nov 08 11:13:25 2017 +0100 # Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62 # Parent d515199921dd703087f7e0e03eb71058a015934d Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt Reviewers: mt, rrelyea Reviewed By: mt Bug #: 1415171 Differential Revision: https://phabricator.services.mozilla.com/D202 diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c --- a/cmd/lib/secutil.c +++ b/cmd/lib/secutil.c @@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte SECU_Indent(out, level + 1); fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); } else { - SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1); + SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1); } } else { SECU_Indent(out, level + 1); diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c --- a/lib/cryptohi/seckey.c +++ b/lib/cryptohi/seckey.c @@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ } - rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); - if (rv != SECSuccess) { - return rv; + if (params->saltLength.data) { + rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); + if (rv != SECSuccess) { + return rv; + } + } else { + saltLength = 20; /* default, 20 */ } mech->sLen = saltLength; diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c @@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * SECKEYRSAPSSParams pssParams; int modBytes, hashLength; unsigned long saltLength; + PRBool defaultSHA1 = PR_FALSE; SECStatus rv; if (key->keyType != rsaKey && key->keyType != rsaPssKey) { @@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * if (rv != SECSuccess) { return NULL; } + defaultSHA1 = PR_TRUE; } if (pssParams.trailerField.data) { @@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool * /* Determine the hash algorithm to use, based on hashAlgTag and * pssParams.hashAlg; there are four cases */ if (hashAlgTag != SEC_OID_UNKNOWN) { + SECOidTag tag = SEC_OID_UNKNOWN; + if (pssParams.hashAlg) { - if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } + tag = SECOID_GetAlgorithmTag(pssParams.hashAlg); + } else if (defaultSHA1) { + tag = SEC_OID_SHA1; + } + + if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } } else if (hashAlgTag == SEC_OID_UNKNOWN) { if (pssParams.hashAlg) { hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg); + } else if (defaultSHA1) { + hashAlgTag = SEC_OID_SHA1; } else { /* Find a suitable hash algorithm based on the NIST recommendation */ if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */ @@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool * PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } + } else if (defaultSHA1) { + if (hashAlgTag != SEC_OID_SHA1) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } } hashLength = HASH_ResultLenByOidTag(hashAlgTag); @@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool * PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } + } else if (defaultSHA1) { + saltLength = 20; } /* Fill in the parameters */ diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh --- a/tests/cert/cert.sh +++ b/tests/cert/cert.sh @@ -516,6 +516,9 @@ cert_all_CA() cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert + ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 + rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert # # Create EC version of TestCA @@ -2054,7 +2057,7 @@ check_sign_algo() { certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ sed -n '/^ *Data:/,/^$/{ -/^ Signature Algorithm/,/^ *Salt Length/s/^ //p +/^ Signature Algorithm/,/^ *Salt length/s/^ //p }' > ${TMP}/signalgo.txt diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt @@ -2088,6 +2091,12 @@ cert_test_rsapss() CU_ACTION="Verify RSA-PSS CA Cert" certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" + CU_ACTION="Import RSA-PSS CA Cert (SHA1)" + certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 + + CERTSERIAL=200 + # Subject certificate: RSA # Issuer certificate: RSA # Signature: RSA-PSS (explicit, with --pss-sign) @@ -2098,7 +2107,7 @@ cert_test_rsapss() certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \ + certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig Hash algorithm: SHA-256 Mask algorithm: PKCS #1 MGF1 Mask Generation Function Mask hash algorithm: SHA-256 - Salt Length: 32 (0x20) + Salt length: 32 (0x20) EOF check_sign_algo + CERTSERIAL=`expr $CERTSERIAL + 1` + # Subject certificate: RSA # Issuer certificate: RSA # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) @@ -2127,7 +2138,7 @@ EOF certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \ + certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig Hash algorithm: SHA-512 Mask algorithm: PKCS #1 MGF1 Mask Generation Function Mask hash algorithm: SHA-512 - Salt Length: 64 (0x40) + Salt length: 64 (0x40) EOF check_sign_algo + CERTSERIAL=`expr $CERTSERIAL + 1` + # Subject certificate: RSA # Issuer certificate: RSA-PSS # Signature: RSA-PSS @@ -2156,7 +2169,69 @@ EOF certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \ + certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig Hash algorithm: SHA-256 Mask algorithm: PKCS #1 MGF1 Mask Generation Function Mask hash algorithm: SHA-256 - Salt Length: 32 (0x20) + Salt length: 32 (0x20) EOF check_sign_algo + CERTSERIAL=`expr $CERTSERIAL + 1` + # Subject certificate: RSA-PSS - # Issuer certificate: RSA - # Signature: RSA-PSS (explicit, with --pss-sign) - CERTNAME="TestUser-rsa-pss4" + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (implicit, without --pss-sign) + CERTNAME="TestUser-rsa-pss6" CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \ + # Sign without --pss-sign nor -Z option + certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig Hash algorithm: SHA-256 Mask algorithm: PKCS #1 MGF1 Mask Generation Function Mask hash algorithm: SHA-256 - Salt Length: 32 (0x20) + Salt length: 32 (0x20) EOF check_sign_algo + CERTSERIAL=`expr $CERTSERIAL + 1` + # Subject certificate: RSA-PSS # Issuer certificate: RSA-PSS - # Signature: RSA-PSS (explicit, with --pss-sign) - CERTNAME="TestUser-rsa-pss5" + # Signature: RSA-PSS (with conflicting hash algorithm) + CERTNAME="TestUser-rsa-pss7" CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \ + RETEXPECTED=255 + certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + RETEXPECTED=0 + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (with compatible hash algorithm) + CERTNAME="TestUser-rsa-pss8" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig Hash algorithm: SHA-256 Mask algorithm: PKCS #1 MGF1 Mask Generation Function Mask hash algorithm: SHA-256 - Salt Length: 32 (0x20) + Salt length: 32 (0x20) EOF check_sign_algo - # Subject certificate: RSA-PSS - # Issuer certificate: RSA-PSS - # Signature: RSA-PSS (implicit, without --pss-sign) - CERTNAME="TestUser-rsa-pss6" + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) + CERTNAME="TestUser-rsa-pss9" CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \ + certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2255,39 +2354,27 @@ EOF cat > ${TMP}/signalgo.exp <&1 + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" - RETEXPECTED=255 - certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - RETEXPECTED=0 - - # Subject certificate: RSA-PSS - # Issuer certificate: RSA-PSS - # Signature: RSA-PSS (with compatible hash algorithm) - CERTNAME="TestUser-rsa-pss8" - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \ + # Sign without --pss-sign nor -Z option + certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" @@ -2299,12 +2386,29 @@ EOF cat > ${TMP}/signalgo.exp <&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + RETEXPECTED=255 + certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + RETEXPECTED=0 } ############################## cert_cleanup ############################ # HG changeset patch # User Daiki Ueno # Date 1514884761 -3600 # Tue Jan 02 10:19:21 2018 +0100 # Node ID 5a14f42384eb22b67e0465949c03555eff41e4af # Parent e577b1df8dabb31466cebad07fdbe0883290bede Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification. It also add missing support for SHA224 as underlying hash algorithm. Reviewers: mt Reviewed By: mt Bug #: 1423557 Differential Revision: https://phabricator.services.mozilla.com/D322 diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c --- a/lib/cryptohi/seckey.c +++ b/lib/cryptohi/seckey.c @@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t return CKM_SHA384; case SEC_OID_SHA256: return CKM_SHA256; + case SEC_OID_SHA224: + return CKM_SHA224; + case SEC_OID_SHA1: + return CKM_SHA_1; default: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - /* fallthrough */ - case SEC_OID_SHA1: - break; + return CKM_INVALID_MECHANISM; } - return CKM_SHA_1; } static CK_RSA_PKCS_MGF_TYPE @@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag) return CKG_MGF1_SHA384; case SEC_OID_SHA256: return CKG_MGF1_SHA256; + case SEC_OID_SHA224: + return CKG_MGF1_SHA224; + case SEC_OID_SHA1: + return CKG_MGF1_SHA1; default: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - /* fallthrough */ - case SEC_OID_SHA1: - break; + return 0; } - return CKG_MGF1_SHA1; } SECStatus @@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ SECStatus rv = SECSuccess; SECOidTag hashAlgTag; unsigned long saltLength; + unsigned long trailerField; PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS)); @@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */ } mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag); + if (mech->hashAlg == CKM_INVALID_MECHANISM) { + return SECFailure; + } if (params->maskAlg) { SECAlgorithmID maskHashAlg; @@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ } maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg); mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag); + if (mech->mgf == 0) { + return SECFailure; + } } else { mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ } @@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ } mech->sLen = saltLength; + if (params->trailerField.data) { + rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField); + if (rv != SECSuccess) { + return rv; + } + if (trailerField != 1) { + /* the value must be 1, which represents the trailer field + * with hexadecimal value 0xBC */ + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + } + return rv; } diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt new file mode 100644 --- /dev/null +++ b/tests/cert/TestCA-bogus-rsa-pss1.crt @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp +biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB +IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa +GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp +Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO +U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl +ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG +CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB +AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX +yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo +SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK +xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07 +/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK +Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC +BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow +OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA +ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8 +HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba +nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh +pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA +hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh +uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA= +-----END CERTIFICATE----- diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt new file mode 100644 --- /dev/null +++ b/tests/cert/TestCA-bogus-rsa-pss2.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh +GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT +MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw +EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT +IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2 +NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T +UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3 +DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6 +7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x +Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj +sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa +eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu +aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg +hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E +BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN +AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY +fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D +difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+ +4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2 +g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT +0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ== +-----END CERTIFICATE----- diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh --- a/tests/cert/cert.sh +++ b/tests/cert/cert.sh @@ -2095,6 +2095,20 @@ cert_test_rsapss() certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 + CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" + certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 + RETEXPECTED=255 + certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 + + CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" + certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 + RETEXPECTED=255 + certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 + CERTSERIAL=200 # Subject certificate: RSA