[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Fri Jan 29 09:47:17 UTC 2021


The branch master has been updated
       via  a2a5506b9329b978a2a5b11a518b9789446ad310 (commit)
      from  e947a0642db111bb34547b5f7d48e13163492ca5 (commit)


- Log -----------------------------------------------------------------
commit a2a5506b9329b978a2a5b11a518b9789446ad310
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue Jan 26 11:39:27 2021 +0100

    rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys
    
    Add a testcase to the test_req covering the issue.
    
    Fixes #13957
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13967)

-----------------------------------------------------------------------

Summary of changes:
 providers/implementations/keymgmt/rsa_kmgmt.c | 11 +++++----
 test/recipes/25-test_req.t                    | 35 ++++++++++++++++++++++++++-
 test/testrsapss.pem                           | 28 +++++++++++++++++++++
 3 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 test/testrsapss.pem

diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 9648c5f65d..9f783c56d8 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -312,18 +312,19 @@ static int rsa_get_params(void *key, OSSL_PARAM params[])
         return 0;
 
     /*
-     * For RSA-PSS keys, we ignore the default digest request
-     * TODO(3.0) with RSA-OAEP keys, this may need to be amended
+     * For restricted RSA-PSS keys, we ignore the default digest request.
+     * With RSA-OAEP keys, this may need to be amended.
      */
     if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL
-        && rsa_type != RSA_FLAG_TYPE_RSASSAPSS) {
+        && (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
+            || ossl_rsa_pss_params_30_is_unrestricted(pss_params))) {
         if (!OSSL_PARAM_set_utf8_string(p, RSA_DEFAULT_MD))
             return 0;
     }
 
     /*
-     * For non-RSA-PSS keys, we ignore the mandatory digest request
-     * TODO(3.0) with RSA-OAEP keys, this may need to be amended
+     * For non-RSA-PSS keys, we ignore the mandatory digest request.
+     * With RSA-OAEP keys, this may need to be amended.
      */
     if ((p = OSSL_PARAM_locate(params,
                                OSSL_PKEY_PARAM_MANDATORY_DIGEST)) != NULL
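Review bot: The second comment still reads "For non-RSA-PSS keys, we ignore the mandatory digest request", while the first comment was narrowed to restricted RSA-PSS keys, so the two no longer describe the key types in the same terms. The mandatory-digest condition continues past the end of this hunk, so it is not visible whether it also skips unrestricted RSA-PSS keys. If it does, the comment should say so, e.g. `For non-RSA-PSS keys and unrestricted RSA-PSS keys, we ignore the mandatory digest request.` The first comment could also state that for a restricted key the parameter is left unset without failing at this point, because callers that pick a signature digest from this value depend on telling "unset" from "set to RSA_DEFAULT_MD".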
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 2bf51a2089..3f0d9f59e7 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_req");
 
-plan tests => 42;
+plan tests => 43;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
 
@@ -92,6 +92,39 @@ subtest "generating certificate requests with RSA" => sub {
     }
 };
 
+subtest "generating certificate requests with RSA-PSS" => sub {
+    plan tests => 4;
+
+    SKIP: {
+        skip "RSA is not supported by this OpenSSL build", 2
+            if disabled("rsa");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-new", "-out", "testreq-rsapss.pem", "-utf8",
+                    "-key", srctop_file("test", "testrsapss.pem")])),
+           "Generating request");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-verify", "-in", "testreq-rsapss.pem", "-noout"])),
+           "Verifying signature on request");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-new", "-out", "testreq-rsapss2.pem", "-utf8",
+                    "-sigopt", "rsa_padding_mode:pss",
+                    "-sigopt", "rsa_pss_saltlen:-1",
+                    "-key", srctop_file("test", "testrsapss.pem")])),
+           "Generating request");
+
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
+           "Verifying signature on request");
+    }
+};
+
 subtest "generating certificate requests with DSA" => sub {
     plan tests => 2;
 
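Review bot: The skip count in the new RSA-PSS subtest does not match its plan. It declares `plan tests => 4` but the guard is `skip "RSA is not supported by this OpenSSL build", 2`, so a build with RSA disabled would report two skipped tests against a plan of four and the subtest would fail. The guard should read `skip "RSA is not supported by this OpenSSL build", 4`. The two request/verify pairs also reuse the descriptions "Generating request" and "Verifying signature on request"; giving the `-sigopt` pair distinct names would make a failure easier to attribute.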
diff --git a/test/testrsapss.pem b/test/testrsapss.pem
new file mode 100644
index 0000000000..4b29ca334f
--- /dev/null
+++ b/test/testrsapss.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

