
Commit 6f8b5bc

authored
Merge pull request #108 from ColtonWilley/wp_rsa_pss_decode_fix
Fix RSA PSS decoding to properly reject non-pkcs8 keys
2 parents be19a6b + ea4a1a3 commit 6f8b5bc


1 file changed

+38
-31
lines changed

1 file changed

+38
-31
lines changed

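--- a/src/wp_rsa_kmgmt.c
+++ b/src/wp_rsa_kmgmt.c
@@ -1949,37 +1949,6 @@ static int wp_rsa_determine_type(wp_Rsa* rsa, unsigned char* data, word32 len)
 return ok;
 }
 
-/**
-* Decode the SubjectPublicInfo DER encoded RSA key into the RSA key object.
-*
-* @param [in, out] rsa RSA key object.
-* @param [in] data DER encoding.
-* @param [in] len Length, in bytes, of DER encoding.
-* @return 1 on success.
-* @return 0 on failure.
-*/
-static int wp_rsa_decode_spki(wp_Rsa* rsa, unsigned char* data, word32 len)
-{
-int ok = 1;
-int rc;
-word32 idx = 0;
-
-rc = wc_RsaPublicKeyDecode(data, &idx, &rsa->key, len);
-if (rc != 0) {
-ok = 0;
-}
-if (ok && !wp_rsa_determine_type(rsa, data, len)) {
-ok = 0;
-}
-if (ok) {
-rsa->bits = wc_RsaEncryptSize(&rsa->key) * 8;
-rsa->hasPub = 1;
-}
-
-WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
-return ok;
-}
-
 /**
 * Get the PSS parameters from the DER encoded RSA-PSS parameters.
 *
@@ -2117,6 +2086,44 @@ static int wp_rsa_pss_get_params(wp_Rsa* rsa, unsigned char* data, word32 len)
 return ok;
 }
 
+/**
+* Decode the SubjectPublicInfo DER encoded RSA key into the RSA key object.
+*
+* @param [in, out] rsa RSA key object.
+* @param [in] data DER encoding.
+* @param [in] len Length, in bytes, of DER encoding.
+* @return 1 on success.
+* @return 0 on failure.
+*/
+static int wp_rsa_decode_spki(wp_Rsa* rsa, unsigned char* data, word32 len)
+{
+int ok = 1;
+int rc;
+word32 idx = 0;
+
+rc = wc_RsaPublicKeyDecode(data, &idx, &rsa->key, len);
+if (rc != 0) {
+ok = 0;
+}
+if (ok && !wp_rsa_determine_type(rsa, data, len)) {
+ok = 0;
+}
+if (ok && (rsa->type == RSA_FLAG_TYPE_RSASSAPSS)) {
+/* We need to check for pss params to allow a rejection for non-pkcs8
+* keys. If we dont reject then the keytype gets set to RSA-PSS
+* which is wrong. For non-pkcs8 fail here for PSS decoder
+* and let the base RSA pick it up instead */
+ok = wp_rsa_pss_get_params(rsa, data, len);
+}
+if (ok) {
+rsa->bits = wc_RsaEncryptSize(&rsa->key) * 8;
+rsa->hasPub = 1;
+}
+
+WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+return ok;
+}
+
 /**
 * Decode the PrivateKeyInfo DER encoded RSA key into the RSA key object.
 *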
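Review bot: In the second hunk, the new `if (ok && (rsa->type == RSA_FLAG_TYPE_RSASSAPSS))` branch in wp_rsa_decode_spki can return 0 after wc_RsaPublicKeyDecode has already filled `rsa->key`, and nothing visible in the function resets `rsa->type`. The rejection is therefore only clean if the caller discards or re-initialises the wp_Rsa object on failure; that caller is outside this diff and is worth confirming. The branch also treats every failure of wp_rsa_pss_get_params the same way (its body is outside the hunk), so malformed parameters and absent parameters would both fall through to the base RSA decoder. If absent parameters do make it fail, note that RFC 4055 permits an id-RSASSA-PSS SubjectPublicKeyInfo with no parameters, and such keys would no longer load as RSA-PSS. The comment's "non-pkcs8" wording is confusing inside an SPKI decoder; `/* Accept the key as RSA-PSS only if its RSASSA-PSS parameters parse; otherwise fail so the plain RSA decoder can claim it. */` would state the rule the code enforces.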
