Permalink
Browse files

Merge branch 'ia/public_key/ISO-oids/OTP-10873' into maint

* ia/public_key/ISO-oids/OTP-10873:
  public_key & ssl: Add support for ISO oids  1.3.14.3.2.29 and 1.3.14.3.2.27
  • Loading branch information...
2 parents 9285e0f + 006f45a commit 56207dab54862aee071db6f911ad3a447f1cab8f @IngelaAndin IngelaAndin committed Mar 13, 2013
@@ -97,9 +97,9 @@ IMPORTS
id-pkix1-implicit(19) }
--Keys and Signatures
- id-dsa, Dss-Parms, DSAPublicKey,
- id-dsa-with-sha1,
- md2WithRSAEncryption,
+ id-dsa, Dss-Parms, DSAPublicKey,
+ id-dsa-with-sha1, id-dsaWithSHA1,
+ md2WithRSAEncryption,
md5WithRSAEncryption,
sha1WithRSAEncryption,
rsaEncryption, RSAPublicKey,
@@ -115,7 +115,6 @@ IMPORTS
FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms(17) }
-
md2WithRSAEncryption,
md5WithRSAEncryption,
sha1WithRSAEncryption,
@@ -316,16 +315,16 @@ PublicKeyAlgorithm ::= SEQUENCE {
OPTIONAL }
SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= {
- dsa-with-sha1 | md2-with-rsa-encryption |
- md5-with-rsa-encryption | sha1-with-rsa-encryption |
+ dsa-with-sha1 | dsaWithSHA1 | md2-with-rsa-encryption |
+ md5-with-rsa-encryption | sha1-with-rsa-encryption | sha-1with-rsa-encryption |
sha224-with-rsa-encryption |
sha256-with-rsa-encryption |
sha384-with-rsa-encryption |
sha512-with-rsa-encryption |
ecdsa-with-sha1 }
SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
- dsa | rsa-encryption | dh | kea | ec-public-key }
+ dsa | rsa-encryption | dh | kea | ec-public-key }
-- DSA Keys and Signatures
@@ -349,6 +348,11 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
ID id-dsa-with-sha1
TYPE DSAParams }
+
+ dsaWithSHA1 SIGNATURE-ALGORITHM-CLASS ::= {
+ ID id-dsaWithSHA1
+ TYPE DSAParams }
+
--
-- RSA Keys and Signatures
--
@@ -367,6 +371,10 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
ID sha1WithRSAEncryption
TYPE NULL }
+ sha-1with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
+ ID sha-1WithRSAEncryption
+ TYPE NULL }
+
sha224-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
ID sha224WithRSAEncryption
TYPE NULL }
@@ -35,7 +35,9 @@ sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }
-
+-- ISO oid - equvivalent to sha1WithRSAEncryption
+sha-1WithRSAEncryption OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) sha-1WithRSAEncryption(29)}
id-sha1 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) oiw(14) secsig(3)
@@ -35,6 +35,9 @@
id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+ id-dsaWithSHA1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) dsaWithSHA1(27)
+ }
-- encoding for DSA signature generated with SHA-1 hash
Dss-Sig-Value ::= SEQUENCE {
@@ -60,9 +60,6 @@
marker="public_key">public key reference manual </seealso> or
follows here.</p>
- <p><c>oid() - a tuple of integers
- as generated by the ASN1 compiler.</c></p>
-
<p><c>time() = uct_time() | general_time()</c></p>
<p><c>uct_time() = {utcTime, "YYMMDDHHMMSSZ"} </c></p>
@@ -158,6 +155,9 @@ oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
<cell align="left" valign="middle">id-dsa-with-sha1</cell>
</row>
<row>
+ <cell align="left" valign="middle">id-dsaWithSHA1 (ISO alt oid to above)</cell>
+ </row>
+ <row>
<cell align="left" valign="middle">md2WithRSAEncryption</cell>
</row>
<row>
@@ -166,9 +166,21 @@ oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
<row>
<cell align="left" valign="middle">sha1WithRSAEncryption</cell>
</row>
+ <row>
+ <cell align="left" valign="middle">sha-1WithRSAEncryption (ISO alt oid to above)</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">sha224WithRSAEncryption</cell>
+ </row>
<row>
- <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
+ <cell align="left" valign="middle">sha256WithRSAEncryption</cell>
</row>
+ <row>
+ <cell align="left" valign="middle">sha512WithRSAEncryption</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
+ </row>
<tcaption>Signature algorithm oids </tcaption>
</table>
@@ -276,15 +288,14 @@ oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
<cell align="left" valign="middle">dhpublicnumber</cell>
</row>
<row>
- <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
- </row>
- <row>
<cell align="left" valign="middle">id-keyExchangeAlgorithm</cell>
</row>
+ <row>
+ <cell align="left" valign="middle">id-ecPublicKey</cell>
+ </row>
<tcaption>Public key algorithm oids </tcaption>
</table>
-
<code>
#'Extension'{
extnID, % id_extensions() | oid()
@@ -48,7 +48,7 @@
<item>Supports <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url> -
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile </item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2125"> PKCS-1 </url> - RSA Cryptography Standard </item>
- <item>Supports <url href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf"> DSA</url>- Digital Signature Algorithm</item>
+ <item>Supports <url href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf"> DSS</url>- Digital Signature Standard (DSA - Digital Signature Algorithm)</item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2126"> PKCS-3 </url> - Diffie-Hellman Key Agreement Standard </item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2127"> PKCS-5</url> - Password-Based Cryptography Standard </item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2130"> PKCS-8</url> - Private-Key Information Syntax Standard</item>
@@ -72,8 +72,10 @@
<code> -include_lib("public_key/include/public_key.hrl"). </code>
- <p><em>Data Types </em></p>
+ <p><em>Data Types </em></p>
+ <p><code>oid() - a tuple of integers as generated by the ASN1 compiler.</code></p>
+
<p><code>boolean() = true | false</code></p>
<p><code>string() = [bytes()]</code></p>
@@ -491,6 +493,21 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
</desc>
</func>
+ <func>
+ <name>pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType}</name>
+ <fsummary>Translates signature algorithm oid to erlang digest and signature algorithm types.</fsummary>
+ <type>
+ <v>AlgorithmId = oid()</v>
+ <d>Signature oid from a certificate or a certificate revocation list</d>
+ <v>DigestType = rsa_digest_type() | dss_digest_type() </v>
+ <v>SignatureType = rsa | dsa</v>
+ </type>
+ <desc>
+ <p>Translates signature algorithm oid to erlang digest and signature types.
+ </p>
+ </desc>
+ </func>
+
<func>
<name>pkix_verify(Cert, Key) -> boolean()</name>
<fsummary> Verify pkix x.509 certificate signature.</fsummary>
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2008-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -27,7 +27,7 @@
validate_time/3, validate_signature/6,
validate_issuer/4, validate_names/6,
validate_extensions/4,
- normalize_general_name/1, digest_type/1, is_self_signed/1,
+ normalize_general_name/1, is_self_signed/1,
is_issuer/2, issuer_id/2, is_fixed_dh_cert/1,
verify_data/1, verify_fun/4, select_extension/2, match_name/3,
extensions_list/1, cert_auth_key_id/1, time_str_2_gregorian_sec/1]).
@@ -426,13 +426,12 @@ extensions_list(asn1_NOVALUE) ->
extensions_list(Extensions) ->
Extensions.
-
extract_verify_data(OtpCert, DerCert) ->
{_, Signature} = OtpCert#'OTPCertificate'.signature,
SigAlgRec = OtpCert#'OTPCertificate'.signatureAlgorithm,
SigAlg = SigAlgRec#'SignatureAlgorithm'.algorithm,
PlainText = encoded_tbs_cert(DerCert),
- DigestType = digest_type(SigAlg),
+ {DigestType,_} = public_key:pkix_sign_types(SigAlg),
{DigestType, PlainText, Signature}.
verify_signature(OtpCert, DerCert, Key, KeyParams) ->
@@ -451,21 +450,6 @@ encoded_tbs_cert(Cert) ->
{'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
EncodedTBSCert.
-digest_type(?sha1WithRSAEncryption) ->
- sha;
-digest_type(?sha224WithRSAEncryption) ->
- sha224;
-digest_type(?sha256WithRSAEncryption) ->
- sha256;
-digest_type(?sha384WithRSAEncryption) ->
- sha384;
-digest_type(?sha512WithRSAEncryption) ->
- sha512;
-digest_type(?md5WithRSAEncryption) ->
- md5;
-digest_type(?'id-dsa-with-sha1') ->
- sha.
-
public_key_info(PublicKeyInfo,
#path_validation_state{working_public_key_algorithm =
WorkingAlgorithm,
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2010-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2010-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -561,7 +561,7 @@ extract_crl_verify_data(CRL, DerCRL) ->
#'AlgorithmIdentifier'{algorithm = SigAlg} =
CRL#'CertificateList'.signatureAlgorithm,
PlainText = encoded_tbs_crl(DerCRL),
- DigestType = pubkey_cert:digest_type(SigAlg),
+ {DigestType, _} = public_key:pkix_sign_types(SigAlg),
{DigestType, PlainText, Signature}.
encoded_tbs_crl(CRL) ->
@@ -36,6 +36,7 @@
decrypt_public/2, decrypt_public/3,
sign/3, verify/4,
pkix_sign/2, pkix_verify/2,
+ pkix_sign_types/1,
pkix_is_self_signed/1,
pkix_is_fixed_dh_cert/1,
pkix_is_issuer/2,
@@ -53,6 +54,7 @@
-type dss_digest_type() :: 'none' | 'sha'. %% None is for backwards compatibility
-type crl_reason() :: unspecified | keyCompromise | cACompromise | affiliationChanged | superseded
| cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise.
+-type oid() :: tuple().
-define(UINT32(X), X:32/unsigned-big-integer).
-define(DER_NULL, <<5, 0>>).
@@ -335,6 +337,34 @@ format_rsa_private_key(#'RSAPrivateKey'{modulus = N, publicExponent = E,
[crypto:mpint(K) || K <- [E, N, D]].
%%--------------------------------------------------------------------
+
+-spec pkix_sign_types(SignatureAlg::oid()) ->
+ %% Relevant dsa digest type is subpart of rsa digest type
+ { DigestType :: rsa_digest_type(),
+ SignatureType :: rsa | dsa
+ }.
+%% Description:
+%%--------------------------------------------------------------------
+pkix_sign_types(?sha1WithRSAEncryption) ->
+ {sha, rsa};
+pkix_sign_types(?'sha-1WithRSAEncryption') ->
+ {sha, rsa};
+pkix_sign_types(?sha224WithRSAEncryption) ->
+ {sha224, rsa};
+pkix_sign_types(?sha256WithRSAEncryption) ->
+ {sha256, rsa};
+pkix_sign_types(?sha384WithRSAEncryption) ->
+ {sha384, rsa};
+pkix_sign_types(?sha512WithRSAEncryption) ->
+ {sha512, rsa};
+pkix_sign_types(?md5WithRSAEncryption) ->
+ {md5, rsa};
+pkix_sign_types(?'id-dsa-with-sha1') ->
+ {sha, dsa};
+pkix_sign_types(?'id-dsaWithSHA1') ->
+ {sha, dsa}.
+
+%%--------------------------------------------------------------------
-spec sign(binary() | {digest, binary()}, rsa_digest_type() | dss_digest_type(),
rsa_private_key() |
dsa_private_key()) -> Signature :: binary().
@@ -406,7 +436,7 @@ pkix_sign(#'OTPTBSCertificate'{signature =
= SigAlg} = TBSCert, Key) ->
Msg = pkix_encode('OTPTBSCertificate', TBSCert, otp),
- DigestType = pubkey_cert:digest_type(Alg),
+ {DigestType, _} = pkix_sign_types(Alg),
Signature = sign(Msg, DigestType, Key),
Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
signatureAlgorithm = SigAlg,
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2008-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -41,7 +41,8 @@ all() ->
{group, ssh_public_key_decode_encode},
encrypt_decrypt,
{group, sign_verify},
- pkix, pkix_countryname, pkix_path_validation].
+ pkix, pkix_countryname, pkix_path_validation,
+ pkix_iso_rsa_oid, pkix_iso_dsa_oid].
groups() ->
[{pem_decode_encode, [], [dsa_pem, rsa_pem, encrypted_pem,
@@ -688,6 +689,31 @@ pkix_path_validation(Config) when is_list(Config) ->
public_key:pkix_path_validation(unknown_ca, [Cert1], [{verify_fun,
VerifyFunAndState1}]),
ok.
+
+%%--------------------------------------------------------------------
+pkix_iso_rsa_oid() ->
+ [{doc, "Test workaround for supporting certs that use ISO oids"
+ " 1.3.14.3.2.29 instead of PKIX/PKCS oid"}].
+pkix_iso_rsa_oid(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok, PemCert} = file:read_file(filename:join(Datadir, "rsa_ISO.pem")),
+ [{_, Cert, _}] = public_key:pem_decode(PemCert),
+ OTPCert = public_key:pkix_decode_cert(Cert, otp),
+ SigAlg = OTPCert#'OTPCertificate'.signatureAlgorithm,
+ {_, rsa} = public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm).
+
+%%--------------------------------------------------------------------
+pkix_iso_dsa_oid() ->
+ [{doc, "Test workaround for supporting certs that use ISO oids"
+ "1.3.14.3.2.27 instead of PKIX/PKCS oid"}].
+pkix_iso_dsa_oid(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok, PemCert} = file:read_file(filename:join(Datadir, "dsa_ISO.pem")),
+ [{_, Cert, _}] = public_key:pem_decode(PemCert),
+ OTPCert = public_key:pkix_decode_cert(Cert, otp),
+ SigAlg = OTPCert#'OTPCertificate'.signatureAlgorithm,
+ {_, dsa} = public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm).
+
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
%%--------------------------------------------------------------------
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEEjCCAqygAwIBAgIQZIIqq4RXfpBKJXV69Jc4BjCCASwGByqGSM44BAMwggEf
+AoGBALez5tklY5CdFeTMos899pA6i4u4uCtszgBzrdBk6cl5FVqzdzWMGTQiynnT
+pGsrOESinzP06Ip+pG15We2OORwgvCxD/W95aCiN0/+MdiXqlsmboBARMzsa+SmB
+ENN3gF/+tuuEAFzOXU1q2cmEywRLyfbM2KIBVE/TChWYw2eRAhUA1R64VvcQ90XA
+8SOKVDmMA0dBzukCgYEAlLMYP0pbgBlgHQVO3/avAHlWNrIq52Lxk7SdPJWgMvPj
+TK9Z6sv88kxsCcydtjvO439j1yqcwk50GQc+86ktBWWz93/HkIdnFyqafef4mmWv
+m2Uq6ClQKS+A0Asfaj8Mys+HUMiI+qsfdjRbyIpwb7MX1nsVdsKzALnZNMW27A0w
+HTEbMBkGA1UEAxMSSVNBIFRlc3QgQXV0aG9yaXR5MB4XDTEyMDMyMDE3MTMyMVoX
+DTM5MTIzMTIzNTk1OVowHTEbMBkGA1UEAxMSSVNBIFRlc3QgQXV0aG9yaXR5MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqe3oVLIVBVIPI/uZjrciELODKxPEE
+SDWoNvycEeP1ERF5kDlRDmLIQ51Nt0vI5pKTasnIDbB1ONiQ2cvMrj2dkWWl/z2v
+f9tqQAzBm/r1LcUmL1bbP2bgk+//n5AJicU1FKecfDeZo0SXChDKSfH3ojdbsS5U
+68q0qGHgNoPRawIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/ME4GA1UdAQRHMEWA
+EEIfCfbwCZs35y8mXWInVuyhHzAdMRswGQYDVQQDExJJU0EgVGVzdCBBdXRob3Jp
+dHmCEGSCKquEV36QSiV1evSXOAYwggEsBgcqhkjOOAQDMIIBHwKBgQC3s+bZJWOQ
+nRXkzKLPPfaQOouLuLgrbM4Ac63QZOnJeRVas3c1jBk0Isp506RrKzhEop8z9OiK
+fqRteVntjjkcILwsQ/1veWgojdP/jHYl6pbJm6AQETM7GvkpgRDTd4Bf/rbrhABc
+zl1NatnJhMsES8n2zNiiAVRP0woVmMNnkQIVANUeuFb3EPdFwPEjilQ5jANHQc7p
+AoGBAJSzGD9KW4AZYB0FTt/2rwB5VjayKudi8ZO0nTyVoDLz40yvWerL/PJMbAnM
+nbY7zuN/Y9cqnMJOdBkHPvOpLQVls/d/x5CHZxcqmn3n+Jplr5tlKugpUCkvgNAL
+H2o/DMrPh1DIiPqrH3Y0W8iKcG+zF9Z7FXbCswC52TTFtuwNAzAAMC0CFH/KmkwI
+wnL9ecefLjQZ9Au52Kt5AhUAqJ5UEy2hIjCkdBoyuwOVPp5qnUw=
+-----END CERTIFICATE-----
Oops, something went wrong.

0 comments on commit 56207da

Please sign in to comment.