From 075c048b99cefdce1245c13c4aa449b28ce8366c Mon Sep 17 00:00:00 2001 From: tb <> Date: Wed, 28 Aug 2024 07:15:04 +0000 Subject: Implement X509_get_signature_info() This is a slightly strange combination of OBJ_find_sigid_algs() and the security level API necessary because OBJ_find_sigid_algs() on its own isn't smart enough for the special needs of RSA-PSS and EdDSA. The API extracts the hash's NID and the pubkey's NID from the certificate's signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA for retrieving the corresponding information. This isn't entirely free for RSA-PSS, but for now we don't cache this information. The security bits calculation is a bit hand-wavy, but that's something that comes along with this sort of numerology. ok jsing --- src/lib/libcrypto/ec/ecx_methods.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'src/lib/libcrypto/ec/ecx_methods.c') diff --git a/src/lib/libcrypto/ec/ecx_methods.c b/src/lib/libcrypto/ec/ecx_methods.c index 70475e8dc1..6b5759d4fa 100644 --- a/src/lib/libcrypto/ec/ecx_methods.c +++ b/src/lib/libcrypto/ec/ecx_methods.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecx_methods.c,v 1.13 2024/04/02 04:04:07 tb Exp $ */ +/* $OpenBSD: ecx_methods.c,v 1.14 2024/08/28 07:15:04 tb Exp $ */ /* * Copyright (c) 2022 Joel Sing * @@ -509,6 +509,24 @@ ecx_security_bits(const EVP_PKEY *pkey) return 0; } +static int +ecx_signature_info(const X509_ALGOR *algor, int *md_nid, int *pkey_nid, + int *security_bits, uint32_t *flags) +{ + const ASN1_OBJECT *aobj; + + X509_ALGOR_get0(&aobj, NULL, NULL, algor); + if (OBJ_obj2nid(aobj) != EVP_PKEY_ED25519) + return 0; + + *md_nid = NID_undef; + *pkey_nid = NID_ED25519; + *security_bits = ED25519_SECURITY_BITS; + *flags = X509_SIG_INFO_TLS | X509_SIG_INFO_VALID; + + return 1; +} + static int ecx_param_cmp(const EVP_PKEY *pkey1, const EVP_PKEY *pkey2) { @@ -929,6 +947,8 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { .pkey_bits = ecx_bits, .pkey_security_bits = ecx_security_bits, + .signature_info = ecx_signature_info, + .param_cmp = ecx_param_cmp, .pkey_free = ecx_free, -- cgit v1.2.3-55-g6feb