From ddee19e63c71a75cd999479923ff6b0f05770bb0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 7 Aug 2017 19:22:30 +0200 Subject: x509: never output our custom FIPS186-4 format Signed-off-by: Nikos Mavrogiannopoulos --- lib/x509/key_encode.c | 61 +++++++++--------------------------------------- lib/x509/privkey.c | 36 +++++++++++----------------- lib/x509/privkey_pkcs8.c | 4 +--- lib/x509/x509_int.h | 2 +- 4 files changed, 26 insertions(+), 77 deletions(-) diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c index 3277ca2476..b1e22f58d9 100644 --- a/lib/x509/key_encode.c +++ b/lib/x509/key_encode.c @@ -336,7 +336,7 @@ _gnutls_x509_write_dsa_pubkey(gnutls_pk_params_st * params, /* Encodes the RSA parameters into an ASN.1 RSA private key structure. */ static int -_gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned compat) +_gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) { int result, ret; uint8_t null = '\0'; @@ -442,34 +442,11 @@ _gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned c goto cleanup; } - if (compat == 0 && (params->flags & GNUTLS_PK_FLAG_PROVABLE) && params->seed_size > 0) { - if ((result = asn1_write_value(*c2, "otherInfo", - "seed", 1)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "otherInfo.seed.seed", - params->seed, params->seed_size)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "otherInfo.seed.algorithm", - gnutls_digest_get_oid(params->palgo), 1)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(result); - goto cleanup; - } - } else { - if ((result = asn1_write_value(*c2, "otherInfo", - NULL, 0)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(result); - goto cleanup; - } + if ((result = asn1_write_value(*c2, "otherInfo", + NULL, 0)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; } if ((result = @@ -583,7 +560,7 @@ cleanup: /* Encodes the DSA parameters into an ASN.1 DSAPrivateKey structure. */ static int -_gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned compat) +_gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) { int result, ret; const uint8_t null = '\0'; @@ -643,23 +620,7 @@ _gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned c goto cleanup; } - if (params->seed_size > 0 && compat == 0) { - if ((result = asn1_write_value(*c2, "seed.seed", - params->seed, params->seed_size)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(result); - goto cleanup; - } - - if ((result = asn1_write_value(*c2, "seed.algorithm", - gnutls_digest_get_oid(params->palgo), 1)) != ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(result); - goto cleanup; - } - } else { - (void)asn1_write_value(*c2, "seed", NULL, 0); - } + (void)asn1_write_value(*c2, "seed", NULL, 0); if ((result = asn1_write_value(*c2, "version", &null, 1)) != ASN1_SUCCESS) { @@ -677,13 +638,13 @@ cleanup: } int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, - gnutls_pk_params_st * params, unsigned compat) + gnutls_pk_params_st * params) { switch (pk) { case GNUTLS_PK_RSA: - return _gnutls_asn1_encode_rsa(c2, params, compat); + return _gnutls_asn1_encode_rsa(c2, params); case GNUTLS_PK_DSA: - return _gnutls_asn1_encode_dsa(c2, params, compat); + return _gnutls_asn1_encode_dsa(c2, params); case GNUTLS_PK_EC: return _gnutls_asn1_encode_ecc(c2, params); default: diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 72e4a109d7..8625ded182 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -112,7 +112,7 @@ gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst, ret = _gnutls_asn1_encode_privkey(dst->pk_algorithm, &dst->key, - &dst->params, src->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); + &dst->params); if (ret < 0) { gnutls_assert(); gnutls_pk_params_release(&dst->params); @@ -975,7 +975,7 @@ gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key, ret = _gnutls_asn1_encode_privkey(GNUTLS_PK_RSA, &key->key, - &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); + &key->params); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -1070,7 +1070,7 @@ gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key, ret = _gnutls_asn1_encode_privkey(GNUTLS_PK_DSA, &key->key, - &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); + &key->params); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -1221,15 +1221,9 @@ gnutls_x509_privkey_get_pk_algorithm2(gnutls_x509_privkey_t key, static const char *set_msg(gnutls_x509_privkey_t key) { if (key->pk_algorithm == GNUTLS_PK_RSA) { - if (key->params.seed_size > 0 && !(key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT)) - return PEM_KEY_RSA_PROVABLE; - else - return PEM_KEY_RSA; + return PEM_KEY_RSA; } else if (key->pk_algorithm == GNUTLS_PK_DSA) { - if (key->params.seed_size > 0 && !(key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT)) - return PEM_KEY_DSA_PROVABLE; - else - return PEM_KEY_DSA; + return PEM_KEY_DSA; } else if (key->pk_algorithm == GNUTLS_PK_EC) return PEM_KEY_ECC; else @@ -1273,11 +1267,9 @@ gnutls_x509_privkey_export(gnutls_x509_privkey_t key, msg = set_msg(key); - if (key->flags & GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT) { - ret = gnutls_x509_privkey_fix(key); - if (ret < 0) - return gnutls_assert_val(ret); - } + ret = gnutls_x509_privkey_fix(key); + if (ret < 0) + return gnutls_assert_val(ret); return _gnutls_x509_export_int(key->key, format, msg, output_data, output_data_size); @@ -1318,11 +1310,9 @@ gnutls_x509_privkey_export2(gnutls_x509_privkey_t key, msg = set_msg(key); - if (key->flags & GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT) { - ret = gnutls_x509_privkey_fix(key); - if (ret < 0) - return gnutls_assert_val(ret); - } + ret = gnutls_x509_privkey_fix(key); + if (ret < 0) + return gnutls_assert_val(ret); return _gnutls_x509_export_int2(key->key, format, msg, out); } @@ -1576,7 +1566,7 @@ gnutls_x509_privkey_generate2(gnutls_x509_privkey_t key, goto cleanup; } - ret = _gnutls_asn1_encode_privkey(algo, &key->key, &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); + ret = _gnutls_asn1_encode_privkey(algo, &key->key, &key->params); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -2080,7 +2070,7 @@ int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key) ret = _gnutls_asn1_encode_privkey(key->pk_algorithm, &key->key, - &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); + &key->params); if (ret < 0) { gnutls_assert(); return ret; diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 2872e54268..fcaf493b54 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -189,7 +189,6 @@ encode_to_private_key_info(gnutls_x509_privkey_t pkey, goto error; } - /* Write the raw private key */ result = _encode_privkey(pkey, &algo_privkey); @@ -211,7 +210,6 @@ encode_to_private_key_info(gnutls_x509_privkey_t pkey, if ((pkey->params.flags & GNUTLS_PK_FLAG_PROVABLE) && pkey->params.seed_size > 0) { gnutls_datum_t seed_info; - result = _x509_encode_provable_seed(pkey, &seed_info); if (result < 0) { gnutls_assert(); @@ -1050,7 +1048,7 @@ _decode_pkcs8_dsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) ret = _gnutls_asn1_encode_privkey(GNUTLS_PK_DSA, &pkey->key, - &pkey->params, pkey->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT); + &pkey->params); if (ret < 0) { gnutls_assert(); goto error; diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 043c722bd9..f1e938bae7 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -250,7 +250,7 @@ _gnutls_x509_read_ecc_params(uint8_t * der, int dersize, unsigned int *curve); int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, - gnutls_pk_params_st * params, unsigned compat); + gnutls_pk_params_st * params); /* extensions.c */ int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, -- cgit v1.2.1