mirror of
https://github.com/golang/go
synced 2024-09-30 04:14:29 -06:00
crypto/x509: support the PSS certificates that OpenSSL 1.1.0 generates.
It serialises optional parameters as empty rather than NULL. It's probably technically correct, although ASN.1 has a long history of doing this different ways. But OpenSSL is likely common enough that we want to support this encoding. Fixes #23847 Change-Id: I81c60f0996edfecf59467dfdf75b0cf8ba7b1efb Reviewed-on: https://go-review.googlesource.com/96417 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
This commit is contained in:
parent
983dcf70ba
commit
8a1519249f
@ -420,10 +420,10 @@ func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm
|
||||
// https://tools.ietf.org/html/rfc3447#section-8.1), that the
|
||||
// salt length matches the hash length, and that the trailer
|
||||
// field has the default value.
|
||||
if !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes) ||
|
||||
if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
|
||||
!params.MGF.Algorithm.Equal(oidMGF1) ||
|
||||
!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
|
||||
!bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes) ||
|
||||
(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
|
||||
params.TrailerField != 1 {
|
||||
return UnknownSignatureAlgorithm
|
||||
}
|
||||
|
@ -946,19 +946,52 @@ qsGZWxzFvvkXUkQSl0dQQ5jO/FtUJcAVXVVp20LxPemfatAHpW31WdJYeWSQWky2
|
||||
+f9b5TXKXVyjlUL7uHxowWrT2AtTchDH22wTEtqLEF9Z3Q==
|
||||
-----END CERTIFICATE-----`
|
||||
|
||||
// openssl req -newkey rsa:2048 -keyout test.key -sha256 -sigopt \
|
||||
// rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -sigopt rsa_mgf1_md:sha256 \
|
||||
// -x509 -days 3650 -nodes -subj '/C=US/ST=CA/L=SF/O=Test/CN=Test' -out \
|
||||
// test.pem
|
||||
var rsaPSSSelfSignedOpenSSL110PEM = `-----BEGIN CERTIFICATE-----
|
||||
MIIDwDCCAnigAwIBAgIJAM9LAMHTE5xpMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI
|
||||
AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgMEUxCzAJBgNV
|
||||
BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDTALBgNVBAoMBFRlc3Qx
|
||||
DTALBgNVBAMMBFRlc3QwHhcNMTgwMjIyMjIxMzE4WhcNMjgwMjIwMjIxMzE4WjBF
|
||||
MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMQ0wCwYDVQQK
|
||||
DARUZXN0MQ0wCwYDVQQDDARUZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
|
||||
CgKCAQEA4Zrsydod+GoTAJLLutWNF87qhhVPBsK1zB1Gj+NAAe4+VbrZ1E41H1wp
|
||||
qITx7DA8DRtJEf+NqrTAnAdZWBG/tAOA5LfXVax0ZSQtLnYLSeylLoMtDyY3eFAj
|
||||
TmuTOoyVy6raktowCnHCh01NsstqqTfrx6SbmzOmDmKTkq/I+7K0MCVsn41xRDVM
|
||||
+ShD0WGFGioEGoiWnFSWupxJDA3Q6jIDEygVwNKHwnhv/2NgG2kqZzrZSQA67en0
|
||||
iKAXtoDNPpmyD5oS9YbEJ+2Nbm7oLeON30i6kZvXKIzJXx+UWViazHZqnsi5rQ8G
|
||||
RHF+iVFXsqd0MzDKmkKOT5FDhrsbKQIDAQABo1MwUTAdBgNVHQ4EFgQU9uFY/nlg
|
||||
gLH00NBnr/o7QvpN9ugwHwYDVR0jBBgwFoAU9uFY/nlggLH00NBnr/o7QvpN9ugw
|
||||
DwYDVR0TAQH/BAUwAwEB/zA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa
|
||||
MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEAhJzpwxBNGKvzKWDe
|
||||
WLqv6RMrl/q4GcH3b7M9wjxe0yOm4F+Tb2zJ7re4h+D39YkJf8cX1NV9UQVu6z4s
|
||||
Fvo2kmlR0qZOXAg5augmCQ1xS0WHFoF6B52anNzHkZQbAIYJ3kGoFsUHzs7Sz7F/
|
||||
656FsRpHA9UzJQ3avPPMrA4Y4aoJ7ANJ6XIwTrdWrhULOVuvYRLCl4CdTVztVFX6
|
||||
wxX8nS1ISYd8jXPUMgsBKVbWufvLoIymMJW8CZbpprVZel5zFn0bmPrON8IHS30w
|
||||
Gs+ITJjKEnZgXmAQ25SLKVzkZkBcGANs2GsdHNJ370Puisy0FIPD2NXR5uASAf7J
|
||||
+w9fjQ==
|
||||
-----END CERTIFICATE-----`
|
||||
|
||||
func TestRSAPSSSelfSigned(t *testing.T) {
|
||||
der, _ := pem.Decode([]byte(rsaPSSSelfSignedPEM))
|
||||
if der == nil {
|
||||
t.Fatal("Failed to find PEM block")
|
||||
}
|
||||
for i, pemBlock := range []string{rsaPSSSelfSignedPEM, rsaPSSSelfSignedOpenSSL110PEM} {
|
||||
der, _ := pem.Decode([]byte(pemBlock))
|
||||
if der == nil {
|
||||
t.Errorf("#%d: failed to find PEM block", i)
|
||||
continue
|
||||
}
|
||||
|
||||
cert, err := ParseCertificate(der.Bytes)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
cert, err := ParseCertificate(der.Bytes)
|
||||
if err != nil {
|
||||
t.Errorf("#%d: failed to parse: %s", i, err)
|
||||
continue
|
||||
}
|
||||
|
||||
if err = cert.CheckSignatureFrom(cert); err != nil {
|
||||
t.Fatal(err)
|
||||
if err = cert.CheckSignatureFrom(cert); err != nil {
|
||||
t.Errorf("#%d: signature check failed: %s", i, err)
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user