Basic parsing of certs signed with RSASSA-PSS

2025-07-30 22:43:08 +03:00 · 2014-01-22 10:12:57 +01:00
parent 1ebc0c592c
commit 59a75d5b9d
11 changed files with 90 additions and 3 deletions
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -220,6 +220,22 @@
 //#define POLARSSL_SHA256_ALT
 //#define POLARSSL_SHA512_ALT

+/**
+ * \def POLARSSL_RSASSA_PSS_CERTIFICATES
+ *
+ * Enable parsing and verification of X.509 certificates and CRLs signed with
+ * RSASSA-PSS.
+ *
+ * This is disabled by default since it breaks binary compatibility with the
+ * 1.3.x line. If you choose to enable it, you will need to rebuild your
+ * application against the new header files, relinking will not be enough.
+ *
+ * TODO: actually disable it when done working on this branch ,)
+ *
+ * Uncomment this macro to allow using RSASSA-PSS in certificates.
+ */
+#define POLARSSL_RSASSA_PSS_CERTIFICATES
+
 /**
 * \def POLARSSL_AES_ROM_TABLES
 *
--- a/include/polarssl/oid.h
+++ b/include/polarssl/oid.h
@ -207,6 +207,9 @@

 #define OID_PKCS9_EMAIL         OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */

+/* RFC 4055 */
+#define OID_RSASSA_PSS          OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
+
 /*
 * Digest algorithms
 */
--- a/include/polarssl/pk.h
+++ b/include/polarssl/pk.h
@ -99,6 +99,7 @@ typedef enum {
    POLARSSL_PK_ECKEY_DH,
    POLARSSL_PK_ECDSA,
    POLARSSL_PK_RSA_ALT,
+    POLARSSL_PK_RSASSA_PSS,
 } pk_type_t;

 /**
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@ -276,6 +276,8 @@ int x509_get_name( unsigned char **p, const unsigned char *end,
                   x509_name *cur );
 int x509_get_alg_null( unsigned char **p, const unsigned char *end,
                       x509_buf *alg );
+int x509_get_alg( unsigned char **p, const unsigned char *end,
+                  x509_buf *alg, x509_buf *params );
 int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig );
 int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg,
                      pk_type_t *pk_alg );
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@ -93,6 +93,9 @@ typedef struct _x509_crt
    x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
    md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
    pk_type_t sig_pk            /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
+#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
+    x509_buf sig_params;        /**< Parameters for the signature algorithm */
+#endif

    struct _x509_crt *next;     /**< Next certificate in the CA-chain. */
 }