diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-04-20 18:46:23 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-04-21 08:57:57 +0200 |
| commit | d767ca979f343483f3ea58e49f3a4e9c391d0795 (patch) | |
| tree | 0599db3fd2004e4e6daff0f71a16e66cbbebc98d | |
| parent | d3ee878e02d9804787179993de513d27b3e53f80 (diff) | |
| download | gnutls-tmp-rsa-pss-cert-fix.tar.gz | |
certtool: refuse to accept an incompatible key typetmp-rsa-pss-cert-fix
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| -rw-r--r-- | src/certtool.c | 15 | ||||
| -rwxr-xr-x | tests/cert-tests/certtool-rsa-pss | 36 |
2 files changed, 43 insertions, 8 deletions
diff --git a/src/certtool.c b/src/certtool.c index 4d2b7c6a98..7cf447c2cb 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -92,9 +92,11 @@ static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st * FILE *outfile; static const char *outfile_name = NULL; /* to delete on exit */ +#define REQ_KEY_TYPE_DEFAULT GNUTLS_PK_RSA + FILE *infile; static unsigned int incert_format, outcert_format; -static unsigned int req_key_type = GNUTLS_PK_RSA; +static unsigned int req_key_type = REQ_KEY_TYPE_DEFAULT; gnutls_certificate_print_formats_t full_format = GNUTLS_CRT_PRINT_FULL; /* non interactive operation if set @@ -719,6 +721,13 @@ generate_certificate(gnutls_privkey_t * ret_key, app_exit(1); } + if (req_key_type != REQ_KEY_TYPE_DEFAULT && req_key_type != pk) { + if (pk != GNUTLS_PK_RSA || req_key_type != GNUTLS_PK_RSA_PSS) { + fprintf(stderr, "cannot set certificate type (%s) incompatible with the key (%s)\n", + gnutls_pk_get_name(req_key_type), gnutls_pk_get_name(pk)); + app_exit(1); + } + } /* Set algorithm parameter restriction in CAs. */ @@ -1257,7 +1266,9 @@ static void cmd_parser(int argc, char **argv) outcert_format = GNUTLS_X509_FMT_PEM; /* legacy options */ - if (HAVE_OPT(DSA)) { + if (HAVE_OPT(RSA)) { + req_key_type = GNUTLS_PK_RSA; + } else if (HAVE_OPT(DSA)) { req_key_type = GNUTLS_PK_DSA; } else if (HAVE_OPT(ECC)) { req_key_type = GNUTLS_PK_ECDSA; diff --git a/tests/cert-tests/certtool-rsa-pss b/tests/cert-tests/certtool-rsa-pss index baa819c6ac..617591377d 100755 --- a/tests/cert-tests/certtool-rsa-pss +++ b/tests/cert-tests/certtool-rsa-pss @@ -25,6 +25,7 @@ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff -b -B}" OUTFILE=cert-pss-privkey.$$.tmp TMPFILE=cert-pss.$$.tmp +TMPFILE2=cert2-pss.$$.tmp if ! test -x "${CERTTOOL}"; then exit 77 @@ -60,7 +61,7 @@ fi ${VALGRIND} "${CERTTOOL}" --generate-self-signed \ --pkcs8 --load-privkey "$OUTFILE" --password '' \ --template "${srcdir}/templates/template-test.tmpl" \ - --outfile "${TMPFILE}" --hash $i 2>/dev/null + --outfile "${TMPFILE}" --hash $i rc=$? if test "${rc}" != "0"; then @@ -76,7 +77,7 @@ for j in sha256 sha384 sha512;do ${VALGRIND} "${CERTTOOL}" --generate-self-signed \ --pkcs8 --load-privkey "$OUTFILE" --password '' \ --template "${srcdir}/templates/template-test.tmpl" \ - --outfile "${TMPFILE}" --hash $j 2>/dev/null + --outfile "${TMPFILE}" --hash $j rc=$? if test "$j" != "$j" && "${rc}" = "0"; then @@ -92,7 +93,7 @@ ${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type rsa-pss \ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ --template "${srcdir}/templates/template-test.tmpl" \ - --outfile "${TMPFILE}" --hash $i 2>/dev/null + --outfile "${TMPFILE}" --hash $i rc=$? if test "${rc}" != "0"; then @@ -109,13 +110,27 @@ fi rm -f "${TMPFILE}" +# Create an RSA certificate from an RSA key, with wrong key-type, should fail +${VALGRIND} "${CERTTOOL}" --generate-certificate --key-type ecdsa \ + --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ + --template "${srcdir}/templates/template-test.tmpl" \ + --outfile "${TMPFILE}" +rc=$? + +if test "${rc}" = "0"; then + echo "Succeeded with wrong key type" + exit 1 +fi + # Create an RSA certificate from an RSA key, and sign it with RSA-PSS ${VALGRIND} "${CERTTOOL}" --generate-certificate --rsa --sign-params rsa-pss \ --load-privkey "${srcdir}/../../doc/credentials/x509/key-rsa.pem" \ --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ --template "${srcdir}/templates/template-test.tmpl" \ - --outfile "${TMPFILE}" --hash $i 2>/dev/null + --outfile "${TMPFILE}" --hash $i rc=$? if test "${rc}" != "0"; then @@ -123,21 +138,30 @@ if test "${rc}" != "0"; then exit 1 fi -${CERTTOOL} -i --infile ${TMPFILE}|tr -d '\r'|grep -i 'Subject Public Key Algorithm: RSA$' >/dev/null +${CERTTOOL} -i --infile ${TMPFILE}|tr -d '\r' > ${TMPFILE2} +grep -i 'Subject Public Key Algorithm: RSA$' ${TMPFILE2} >/dev/null if test $? != 0;then echo "Generated certificate is not RSA" cat ${TMPFILE} exit 1 fi -${CERTTOOL} -i --infile ${TMPFILE}|grep -i "Signature Algorithm: RSA-PSS" +grep -i "Signature Algorithm: RSA-PSS" ${TMPFILE2} if test $? != 0;then echo "Generated certificate is not signed with RSA-PSS" cat ${TMPFILE} exit 1 fi +grep -i "Signature Algorithm: RSA-PSS-${i}" ${TMPFILE2} +if test $? != 0;then + echo "Generated certificate is not signed with RSA-PSS-${i}" + cat ${TMPFILE} + exit 1 +fi + rm -f "${TMPFILE}" +rm -f "${TMPFILE2}" done |