Parse CSRs signed with RSASSA-PSS
diff --git a/include/polarssl/x509_csr.h b/include/polarssl/x509_csr.h
index 8b4892a..af3f226 100644
--- a/include/polarssl/x509_csr.h
+++ b/include/polarssl/x509_csr.h
@@ -67,6 +67,9 @@
x509_buf sig;
md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+ x509_buf sig_params; /**< Parameters for the signature algorithm */
+#endif
}
x509_csr;
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 16e212b..3118c0a 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -93,6 +93,7 @@
int ret;
size_t len;
unsigned char *p, *end;
+ x509_buf sig_params;
#if defined(POLARSSL_PEM_PARSE_C)
size_t use_len;
pem_context pem;
@@ -247,7 +248,7 @@
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING
*/
- if( ( ret = x509_get_alg_null( &p, end, &csr->sig_oid ) ) != 0 )
+ if( ( ret = x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
{
x509_csr_free( csr );
return( ret );
@@ -260,6 +261,29 @@
return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
}
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+ if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS )
+ {
+ int salt_len, trailer_field;
+ md_type_t mgf_md;
+
+ /* Make sure params are valid */
+ ret = x509_get_rsassa_pss_params( &sig_params,
+ &csr->sig_md, &mgf_md, &salt_len, &trailer_field );
+ if( ret != 0 )
+ return( ret );
+
+ memcpy( &csr->sig_params, &sig_params, sizeof( x509_buf ) );
+ }
+ else
+#endif
+ {
+ /* Make sure parameters are absent or NULL */
+ if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) ||
+ sig_params.len != 0 )
+ return( POLARSSL_ERR_X509_INVALID_ALG );
+ }
+
if( ( ret = x509_get_sig( &p, end, &csr->sig ) ) != 0 )
{
x509_csr_free( csr );
@@ -386,6 +410,28 @@
ret = snprintf( p, n, "%s", desc );
SAFE_SNPRINTF();
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+ if( csr->sig_pk == POLARSSL_PK_RSASSA_PSS )
+ {
+ md_type_t md_alg, mgf_md;
+ const md_info_t *md_info, *mgf_md_info;
+ int salt_len, trailer_field;
+
+ if( ( ret = x509_get_rsassa_pss_params( &csr->sig_params,
+ &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 )
+ return( ret );
+
+ md_info = md_info_from_type( md_alg );
+ mgf_md_info = md_info_from_type( mgf_md );
+
+ ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)",
+ md_info ? md_info->name : "???",
+ mgf_md_info ? mgf_md_info->name : "???",
+ salt_len, trailer_field );
+ SAFE_SNPRINTF();
+ }
+#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */
+
if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON,
pk_get_name( &csr->pk ) ) ) != 0 )
{
diff --git a/tests/data_files/server9.req.sha1 b/tests/data_files/server9.req.sha1
new file mode 100644
index 0000000..b9d0053
--- /dev/null
+++ b/tests/data_files/server9.req.sha1
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBojCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBIGCSqGSIb3DQEBCjAFogMC
+AWoDgYEA2n8SOoiJCs+YyH2VXoUVxhutdXGP4+7cECakl2mmVEKhxXDMEG7hEFkB
+mkk4b1kRNOQHKqUq3crfi0OkMcPGkPiLlYLKgT51CgsBhuJaMsdCYo/5POgTZD4u
+FI5gfyO70Xpq9QmrWEqqTdalRG7+UmGa3VEUVyXTDnQZfU1N2QE=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha224 b/tests/data_files/server9.req.sha224
new file mode 100644
index 0000000..fe1c797
--- /dev/null
+++ b/tests/data_files/server9.req.sha224
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAIEoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCBKIDAgFiA4GB
+AMlYYZKqpDqg5UZZq3NB3QUR9qftY/52/0gPfruw5s2gNtFmG1uyEBJX/oc7C/fU
+lxo74HDraWJyvP7c3MMhOuwr/RfPNQhA2Hgwz9RuJIBhQrJfiZuHsCfiKVofMuMf
+ar/4EKfyoELDdilhg6i+abahGOkqyXsjavFtyDSeCpXH
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha256 b/tests/data_files/server9.req.sha256
new file mode 100644
index 0000000..0ef9ef0
--- /dev/null
+++ b/tests/data_files/server9.req.sha256
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFeA4GB
+ACUaCTidvzWVJNKmRrriufThGUfw5Xgdsc3Ga8Cx+vRf+bPZmR3NVkc0Zq9uc0+8
+d1WXaLzbmge6IbcvTPWCLNDAWI9UzoQ6WS9myM3eDEGdruClYwb5BVLx3MvhvooK
+L/H6snE1dHNPXyCNVFTJIll3bRlVMRsfZpDhmz8/ImJ4
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha384 b/tests/data_files/server9.req.sha384
new file mode 100644
index 0000000..0103450
--- /dev/null
+++ b/tests/data_files/server9.req.sha384
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIDAgFOA4GB
+ANfZGK6nE/CP9PuALFzbA/mvOnYlI60pMowscRfCYpvR25iQJVhAJfYVXADRN3qd
+NAiFWNVcjFMIkRlq7qifBN97VHGeYoWIuw9gYEb3OqDGzOsYP0KIgMNt8/A4qCkj
+5MzolOYyT+N+QFGV0pdCNpX7QppfNdFyFAmWXa171RzG
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server9.req.sha512 b/tests/data_files/server9.req.sha512
new file mode 100644
index 0000000..676b5c9
--- /dev/null
+++ b/tests/data_files/server9.req.sha512
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAQYCAQAwNDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIw
+EAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0R
+ip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDX
+yMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRY
+mmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCVAgMBAAGgKTAnBgkqhkiG9w0B
+CQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMD0GCSqGSIb3DQEBCjAwoA0w
+CwYJYIZIAWUDBAIDoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCA6IDAgE+A4GB
+ACxWBhPkhyVlBY/mwkrW7OjYsaN2/ZlFSv76w63b61BpigReJsggMut5EPOgfGYJ
+rzygKDlF/NtmMN22jWrFup9LsZJAX0gYbLmliiaG9Hch+i/8b42oaQTDWGFZ9LiY
+W7F7X0f9lpzNKOtQ8ix0s+nYS2ONyzfu55+Rlzf8/63M
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 91089a4..9568157 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -238,6 +238,26 @@
depends_on:POLARSSL_PEM_PARSE_C
x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n"
+X509 CSR Information RSA-PSS with SHA1
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA1_C
+x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A, 1)\nRSA key size \: 1024 bits\n"
+
+X509 CSR Information RSA-PSS with SHA224
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C
+x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62, 1)\nRSA key size \: 1024 bits\n"
+
+X509 CSR Information RSA-PSS with SHA256
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA256_C
+x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E, 1)\nRSA key size \: 1024 bits\n"
+
+X509 CSR Information RSA-PSS with SHA384
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C
+x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E, 1)\nRSA key size \: 1024 bits\n"
+
+X509 CSR Information RSA-PSS with SHA512
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSASSA_PSS_CERTIFICATES:POLARSSL_SHA512_C
+x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E, 1)\nRSA key size \: 1024 bits\n"
+
X509 Get Distinguished Name #1
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C
x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
