diff options
| author | tb <> | 2024-08-28 07:15:04 +0000 |
|---|---|---|
| committer | tb <> | 2024-08-28 07:15:04 +0000 |
| commit | 075c048b99cefdce1245c13c4aa449b28ce8366c (patch) | |
| tree | bb2a05a5261bd27ee87b1f4c8d85ebba6042d17d /src/lib/libcrypto/ec/ecx_methods.c | |
| parent | a03c40153c8f8e484e8b98ea5a52b87116f9bf5a (diff) | |
| download | openbsd-075c048b99cefdce1245c13c4aa449b28ce8366c.tar.gz openbsd-075c048b99cefdce1245c13c4aa449b28ce8366c.tar.bz2 openbsd-075c048b99cefdce1245c13c4aa449b28ce8366c.zip | |
Implement X509_get_signature_info()
This is a slightly strange combination of OBJ_find_sigid_algs() and the
security level API necessary because OBJ_find_sigid_algs() on its own
isn't smart enough for the special needs of RSA-PSS and EdDSA.
The API extracts the hash's NID and the pubkey's NID from the certificate's
signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA
for retrieving the corresponding information. This isn't entirely free
for RSA-PSS, but for now we don't cache this information.
The security bits calculation is a bit hand-wavy, but that's something
that comes along with this sort of numerology.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/ec/ecx_methods.c')
| -rw-r--r-- | src/lib/libcrypto/ec/ecx_methods.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ec/ecx_methods.c b/src/lib/libcrypto/ec/ecx_methods.c index 70475e8dc1..6b5759d4fa 100644 --- a/src/lib/libcrypto/ec/ecx_methods.c +++ b/src/lib/libcrypto/ec/ecx_methods.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecx_methods.c,v 1.13 2024/04/02 04:04:07 tb Exp $ */ | 1 | /* $OpenBSD: ecx_methods.c,v 1.14 2024/08/28 07:15:04 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2022 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2022 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -510,6 +510,24 @@ ecx_security_bits(const EVP_PKEY *pkey) | |||
| 510 | } | 510 | } |
| 511 | 511 | ||
| 512 | static int | 512 | static int |
| 513 | ecx_signature_info(const X509_ALGOR *algor, int *md_nid, int *pkey_nid, | ||
| 514 | int *security_bits, uint32_t *flags) | ||
| 515 | { | ||
| 516 | const ASN1_OBJECT *aobj; | ||
| 517 | |||
| 518 | X509_ALGOR_get0(&aobj, NULL, NULL, algor); | ||
| 519 | if (OBJ_obj2nid(aobj) != EVP_PKEY_ED25519) | ||
| 520 | return 0; | ||
| 521 | |||
| 522 | *md_nid = NID_undef; | ||
| 523 | *pkey_nid = NID_ED25519; | ||
| 524 | *security_bits = ED25519_SECURITY_BITS; | ||
| 525 | *flags = X509_SIG_INFO_TLS | X509_SIG_INFO_VALID; | ||
| 526 | |||
| 527 | return 1; | ||
| 528 | } | ||
| 529 | |||
| 530 | static int | ||
| 513 | ecx_param_cmp(const EVP_PKEY *pkey1, const EVP_PKEY *pkey2) | 531 | ecx_param_cmp(const EVP_PKEY *pkey1, const EVP_PKEY *pkey2) |
| 514 | { | 532 | { |
| 515 | /* No parameters, so always equivalent. */ | 533 | /* No parameters, so always equivalent. */ |
| @@ -929,6 +947,8 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { | |||
| 929 | .pkey_bits = ecx_bits, | 947 | .pkey_bits = ecx_bits, |
| 930 | .pkey_security_bits = ecx_security_bits, | 948 | .pkey_security_bits = ecx_security_bits, |
| 931 | 949 | ||
| 950 | .signature_info = ecx_signature_info, | ||
| 951 | |||
| 932 | .param_cmp = ecx_param_cmp, | 952 | .param_cmp = ecx_param_cmp, |
| 933 | 953 | ||
| 934 | .pkey_free = ecx_free, | 954 | .pkey_free = ecx_free, |