Push an error on sigalg mismatch in X509_verify.
It was failing but not pushing an error. See https://github.com/google/conscrypt/pull/537 Change-Id: Iafba1a5c0c7ef8e0535b335aa93df6f520c3803e Reviewed-on: https://boringssl-review.googlesource.com/32044 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
ca4971cbae
commit
371305f58a
@ -28,6 +28,7 @@ X509,124,NO_CRL_NUMBER
|
|||||||
X509,125,PUBLIC_KEY_DECODE_ERROR
|
X509,125,PUBLIC_KEY_DECODE_ERROR
|
||||||
X509,126,PUBLIC_KEY_ENCODE_ERROR
|
X509,126,PUBLIC_KEY_ENCODE_ERROR
|
||||||
X509,127,SHOULD_RETRY
|
X509,127,SHOULD_RETRY
|
||||||
|
X509,137,SIGNATURE_ALGORITHM_MISMATCH
|
||||||
X509,128,UNKNOWN_KEY_TYPE
|
X509,128,UNKNOWN_KEY_TYPE
|
||||||
X509,129,UNKNOWN_NID
|
X509,129,UNKNOWN_NID
|
||||||
X509,130,UNKNOWN_PURPOSE_ID
|
X509,130,UNKNOWN_PURPOSE_ID
|
||||||
|
@ -627,6 +627,38 @@ static const char kNoBasicConstraintsNetscapeCALeaf[] =
|
|||||||
"XyPwWPbymSTpzKhB4xB7qQ==\n"
|
"XyPwWPbymSTpzKhB4xB7qQ==\n"
|
||||||
"-----END CERTIFICATE-----\n";
|
"-----END CERTIFICATE-----\n";
|
||||||
|
|
||||||
|
static const char kSelfSignedMismatchAlgorithms[] =
|
||||||
|
"-----BEGIN CERTIFICATE-----\n"
|
||||||
|
"MIIFMjCCAxqgAwIBAgIJAL0mG5fOeJ7xMA0GCSqGSIb3DQEBDQUAMC0xCzAJBgNV\n"
|
||||||
|
"BAYTAkdCMQ8wDQYDVQQHDAZMb25kb24xDTALBgNVBAoMBFRlc3QwIBcNMTgwOTE3\n"
|
||||||
|
"MTIxNzU3WhgPMjExODA4MjQxMjE3NTdaMC0xCzAJBgNVBAYTAkdCMQ8wDQYDVQQH\n"
|
||||||
|
"DAZMb25kb24xDTALBgNVBAoMBFRlc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
|
||||||
|
"ggIKAoICAQDCMhBrRAGGw+n2GdctBr/cEK4FZA6ajiHjihgpCHoSBdyL4R2jGKLS\n"
|
||||||
|
"g0WgaMXa1HpkKN7LcIySosEBPlmcRkr1RqbEvQStOSvoFCXYvtx3alM6HTbXMcDR\n"
|
||||||
|
"mqoKoABP6LXsPSoMWIgqMtP2X9EOppzHVIK1yFYFfbIlvYUV2Ka+MuMe0Vh5wvD1\n"
|
||||||
|
"4GanPb+cWSKgdRSVQovCCMY3yWtZKVEaxRpCsk/mYYIFWz0tcgMjIKwDx1XXgiAV\n"
|
||||||
|
"nU6NK43xbaw3XhtnaD/pv9lhTTbNrlcln9LjTD097BaK4R+1AEPHnpfxA9Ui3upn\n"
|
||||||
|
"kbsNUdGdOB0ksZi/vd7lh833YgquQUIAhYrbfvq/HFCpVV1gljzlS3sqULYpLE//\n"
|
||||||
|
"i3OsuL2mE+CYIJGpIi2GeJJWXciNMTJDOqTn+fRDtVb4RPp4Y70DJirp7XzaBi3q\n"
|
||||||
|
"H0edANCzPSRCDbZsOhzIXhXshldiXVRX666DDlbMQgLTEnNKrkwv6DmU8o15XQsb\n"
|
||||||
|
"8k1Os2YwXmkEOxUQ7AJZXVTZSf6UK9Znmdq1ZrHjybMfRUkHVxJcnKvrxfryralv\n"
|
||||||
|
"gzfvu+D6HuxrCo3Ojqa+nDgIbxKEBtdrcsMhq1jWPFhjwo1fSadAkKOfdCAuXJRD\n"
|
||||||
|
"THg3b4Sf+W7Cpc570YHrIpBf7WFl2XsPcEM0mJZ5+yATASCubNozQwIDAQABo1Mw\n"
|
||||||
|
"UTAdBgNVHQ4EFgQUES0hupZSqY21JOba10QyZuxm91EwHwYDVR0jBBgwFoAUES0h\n"
|
||||||
|
"upZSqY21JOba10QyZuxm91EwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF\n"
|
||||||
|
"AAOCAgEABTN5S30ng/RMpBweDm2N561PdpaCdiRXtAFCRVWR2mkDYC/Xj9Vqe6be\n"
|
||||||
|
"PyM7L/5OKYVjzF1yJu67z/dx+ja5o+41g17jdqla7hyPx+9B4uRyDh+1KJTa+duj\n"
|
||||||
|
"mw/aA1LCr6O6W4WizDOsChJ6FaB2Y1+GlFnKWb5nUdhVJqXQE1WOX9dZnw8Y4Npd\n"
|
||||||
|
"VmAsjWot0BZorJrt3fwfcv3QfA896twkbo7Llv/8qzg4sXZXZ4ZtgAOqnPngiSn+\n"
|
||||||
|
"JT/vYCXZ406VvAFpFqMcVz2dO/VGuL8lGIMHRKNyafrsV81EzH1W/XmRWOgvgj6r\n"
|
||||||
|
"yQI63ln/AMY72HQ97xLkE1xKunGz6bK5Ug5+O43Uftc4Mb6MUgzo+ZqEQ3Ob+cAV\n"
|
||||||
|
"cvjmtwDaPO/O39O5Xq0tLTlkn2/cKf4OQ6S++GDxzyRVHh5JXgP4j9+jfZY57Woy\n"
|
||||||
|
"R1bE7N50JjY4cDermBJKdlBIjL7UPhqmLyaG7V0hBitFlgGBUCcJtJOV0xYd5aF3\n"
|
||||||
|
"pxNkvMXhBmh95fjxJ0cJjpO7tN1RAwtMMNgsl7OUbuVRQCHOPW5DgP5qY21jDeRn\n"
|
||||||
|
"BY82382l+9QzykmJLI5MZnmj4BA9uIDCwMtoTTvP++SsvhUAbuvh7MOOUQL0EY4m\n"
|
||||||
|
"KStYq7X9PKseN+PvmfeoffIKc5R/Ha39oi7cGMVHCr8aiEhsf94=\n"
|
||||||
|
"-----END CERTIFICATE-----\n";
|
||||||
|
|
||||||
// CertFromPEM parses the given, NUL-terminated pem block and returns an
|
// CertFromPEM parses the given, NUL-terminated pem block and returns an
|
||||||
// |X509*|.
|
// |X509*|.
|
||||||
static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
|
static bssl::UniquePtr<X509> CertFromPEM(const char *pem) {
|
||||||
@ -1504,3 +1536,16 @@ TEST(X509Test, NoBasicConstraintsNetscapeCA) {
|
|||||||
EXPECT_EQ(X509_V_ERR_INVALID_CA,
|
EXPECT_EQ(X509_V_ERR_INVALID_CA,
|
||||||
Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, 0));
|
Verify(leaf.get(), {root.get()}, {intermediate.get()}, {}, 0));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TEST(X509Test, MismatchAlgorithms) {
|
||||||
|
bssl::UniquePtr<X509> cert(CertFromPEM(kSelfSignedMismatchAlgorithms));
|
||||||
|
ASSERT_TRUE(cert);
|
||||||
|
|
||||||
|
bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert.get()));
|
||||||
|
ASSERT_TRUE(pkey);
|
||||||
|
|
||||||
|
EXPECT_FALSE(X509_verify(cert.get(), pkey.get()));
|
||||||
|
uint32_t err = ERR_get_error();
|
||||||
|
EXPECT_EQ(ERR_LIB_X509, ERR_GET_LIB(err));
|
||||||
|
EXPECT_EQ(X509_R_SIGNATURE_ALGORITHM_MISMATCH, ERR_GET_REASON(err));
|
||||||
|
}
|
||||||
|
@ -65,8 +65,10 @@
|
|||||||
|
|
||||||
int X509_verify(X509 *a, EVP_PKEY *r)
|
int X509_verify(X509 *a, EVP_PKEY *r)
|
||||||
{
|
{
|
||||||
if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
|
if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) {
|
||||||
|
OPENSSL_PUT_ERROR(X509, X509_R_SIGNATURE_ALGORITHM_MISMATCH);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), a->sig_alg,
|
return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), a->sig_alg,
|
||||||
a->signature, a->cert_info, r));
|
a->signature, a->cert_info, r));
|
||||||
}
|
}
|
||||||
|
@ -1200,5 +1200,6 @@ BSSL_NAMESPACE_END
|
|||||||
#define X509_R_WRONG_TYPE 134
|
#define X509_R_WRONG_TYPE 134
|
||||||
#define X509_R_NAME_TOO_LONG 135
|
#define X509_R_NAME_TOO_LONG 135
|
||||||
#define X509_R_INVALID_PARAMETER 136
|
#define X509_R_INVALID_PARAMETER 136
|
||||||
|
#define X509_R_SIGNATURE_ALGORITHM_MISMATCH 137
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
Loading…
Reference in New Issue
Block a user