don't sign x509 certs

firedancer-io · Nov 22, 2023 · 851e73f · 851e73f
1 parent dd32f7a
commit 851e73f
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 50 deletions.
diff --git a/src/ballet/x509/fd_x509_mock.c b/src/ballet/x509/fd_x509_mock.c
@@ -98,7 +98,6 @@ fd_x509_mock_tpl[ FD_X509_MOCK_CERT_SZ ] = {
       0x06, 0x03, 0x2b, 0x65, 0x70,
       /* signature BIT STRING (512 bit) */
       0x03, 0x41, 0x00,
-      #define FD_X509_MOCK_SIG_OFF (0xb4)
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
@@ -117,23 +116,12 @@ fd_x509_mock_tpl[ FD_X509_MOCK_CERT_SZ ] = {
 
 void
 fd_x509_mock_cert( uchar         buf[ static FD_X509_MOCK_CERT_SZ ],
-                   uchar         private_key[ static 32 ],
-                   ulong         serial,
-                   fd_sha512_t * sha ) {
+                   uchar         public_key[ static 32 ],
+                   ulong         serial ) {
   serial &= 0xffffffffffffff7fUL;  /* webpki expects a positive integer */
 
   fd_memcpy( buf, fd_x509_mock_tpl, FD_X509_MOCK_CERT_SZ );
-  fd_memcpy( buf+FD_X509_MOCK_SERIAL_OFF, &serial, 8UL );
-
-  /* Derive public key */
-  uchar public_key[ 32 ];
-  fd_ed25519_public_from_private( public_key, private_key, sha );
+  fd_memcpy( buf+FD_X509_MOCK_SERIAL_OFF, &serial,    8UL  );
   fd_memcpy( buf+FD_X509_MOCK_PUBKEY_OFF, public_key, 32UL );
-
-  /* Sign cert */
-  fd_ed25519_sign( buf+FD_X509_MOCK_SIG_OFF,
-                   buf+FD_X509_MOCK_TBS_OFF,
-                       FD_X509_MOCK_TBS_SZ,
-                   public_key, private_key, sha );
 }
 
diff --git a/src/ballet/x509/fd_x509_mock.h b/src/ballet/x509/fd_x509_mock.h
@@ -17,19 +17,14 @@
 
 #define FD_X509_MOCK_CERT_SZ (0xf4)
 
-/* fd_x509_mock_cert generates a self-signed X.509 certificate given
-   an Ed25519 key.  Resulting cert will contain the given public key
-   and an Ed25519 signature made with said key.  Certificate bytes
-   (of size FD_X509_MOCK_CERT_SZ) are copied out to buf.  private_key
-   is an arbitrary 32 byte vector used as an Ed25519 scalar/private key.
-   serial is a random 64-bit integer.  Derives the corresponding Ed25519
-   public key and performs a signature operation.  The caller should
-   cache the resulting buffer as this is a slow operation. */
+/* fd_x509_mock_cert generates a dummy X.509 certificate given an
+   Ed25519 public key.  Resulting cert will contain an invalid
+   signature.  Certificate bytes (of size FD_X509_MOCK_CERT_SZ) are
+   copied out to buf. */
 
 void
 fd_x509_mock_cert( uchar         buf[ static FD_X509_MOCK_CERT_SZ ],
-                   uchar         private_key[ static 32 ],
-                   ulong         serial,
-                   fd_sha512_t * sha );
+                   uchar         public_key[ static 32 ],
+                   ulong         serial );
 
 #endif /* HEADER_fd_src_ballet_x509_fd_x509_gen_h */
diff --git a/src/ballet/x509/test_x509_mock.c b/src/ballet/x509/test_x509_mock.c
@@ -36,14 +36,14 @@ main( int     argc,
 
   /* Params */
 
-  uchar private_key[ 32 ];
-  for( ulong j=0UL; j<32UL; j++ ) private_key[ j ] = fd_rng_uchar( rng );
+  uchar public_key[ 32 ];
+  for( ulong j=0UL; j<32UL; j++ ) public_key[ j ] = fd_rng_uchar( rng );
   ulong serial = fd_rng_ulong( rng );
 
   /* Generate certificate */
 
   uchar cert[ FD_X509_MOCK_CERT_SZ ];
-  fd_x509_mock_cert( cert, private_key, serial, sha );
+  fd_x509_mock_cert( cert, public_key, serial );
 
   FD_LOG_HEXDUMP_DEBUG(( "cert", cert, FD_X509_MOCK_CERT_SZ ));
 
@@ -80,19 +80,6 @@ main( int     argc,
   FD_TEST( parsed->sig_alg  ==SIG_ALG_ED25519  );
   FD_TEST( parsed->hash_alg ==HASH_ALG_SHA512  );
 
-  /* Verify signature */
-
-  uchar const *  pubkey = cert + parsed->spki_alg_params.ed25519.ed25519_raw_pub_off;
-  uchar expected_pubkey[ 32 ];
-  fd_ed25519_public_from_private( expected_pubkey, private_key, sha );
-  FD_TEST( 0==memcmp( pubkey, expected_pubkey, 32UL ) );
-
-  uchar const * sig = cert + parsed->sig_alg_params.ed25519.r_raw_off;
-  int vfy_ok = fd_ed25519_verify( cert + parsed->tbs_start,
-                                  parsed->tbs_len,
-                                  sig, pubkey, sha );
-  FD_TEST( vfy_ok==FD_ED25519_SUCCESS );
-
   /* Parse certificate captured from Solana Labs client */
 
   fd_memset( parsed, 0, sizeof(cert_parsing_ctx) );

diff --git a/src/tango/quic/tls/fd_quic_tls.c b/src/tango/quic/tls/fd_quic_tls.c
@@ -189,7 +189,7 @@ fd_quic_tls_init( fd_tls_t * tls ) {
     FD_LOG_ERR(( "getrandom failed: %s", fd_io_strerror( errno ) ));
 
   uchar cert[ FD_X509_MOCK_CERT_SZ ];
-  fd_x509_mock_cert( cert, tls->cert_private_key, cert_serial, sha );
+  fd_x509_mock_cert( cert, tls->cert_public_key, cert_serial );
   fd_tls_set_x509(tls, cert, FD_X509_MOCK_CERT_SZ );
 
   /* Set ALPN protocol ID

diff --git a/src/tango/tls/test_tls_openssl.c b/src/tango/tls/test_tls_openssl.c
@@ -275,7 +275,7 @@ test_server( SSL_CTX * ctx ) {
   /* Set up server cert */
 
   uchar cert[ FD_X509_MOCK_CERT_SZ ];
-  fd_x509_mock_cert( cert, server->cert_private_key, fd_rng_ulong( rng ), sha );
+  fd_x509_mock_cert( cert, server->cert_public_key, fd_rng_ulong( rng ) );
   fd_tls_set_x509( server, cert, FD_X509_MOCK_CERT_SZ );
 
   /* Initialize OpenSSL */
@@ -287,12 +287,14 @@ test_server( SSL_CTX * ctx ) {
 
   uchar client_private_key[ 32 ];
   for( ulong b=0; b<32UL; b++ ) client_private_key[b] = fd_rng_uchar( rng );
+  uchar client_public_key[ 32 ];
+  fd_ed25519_public_from_private( client_public_key, client_private_key, sha );
   EVP_PKEY * client_pkey = EVP_PKEY_new_raw_private_key( EVP_PKEY_ED25519, NULL, client_private_key, 32UL );
   FD_TEST( client_pkey );
   SSL_use_PrivateKey( ssl, client_pkey );
   EVP_PKEY_free( client_pkey );
 
-  fd_x509_mock_cert( cert, client_private_key, fd_rng_ulong( rng ), sha );
+  fd_x509_mock_cert( cert, client_public_key, fd_rng_ulong( rng ) );
   SSL_use_certificate_ASN1( ssl, cert, FD_X509_MOCK_CERT_SZ );
 
   SSL_set_connect_state( ssl );
@@ -357,14 +359,16 @@ test_client( SSL_CTX * ctx ) {
 
   uchar server_private_key[ 32 ];
   for( ulong b=0; b<32UL; b++ ) server_private_key[b] = fd_rng_uchar( rng );
+  uchar server_public_key[ 32 ];
+  fd_ed25519_public_from_private( server_public_key, server_private_key, sha );
 
   EVP_PKEY * server_pkey = EVP_PKEY_new_raw_private_key( EVP_PKEY_ED25519, NULL, server_private_key, 32UL );
   FD_TEST( server_pkey );
   SSL_use_PrivateKey( ssl, server_pkey );
   EVP_PKEY_free( server_pkey );
 
   uchar cert[ FD_X509_MOCK_CERT_SZ ];
-  fd_x509_mock_cert( cert, server_private_key, fd_rng_ulong( rng ), sha );
+  fd_x509_mock_cert( cert, server_public_key, fd_rng_ulong( rng ) );
   SSL_use_certificate_ASN1( ssl, cert, FD_X509_MOCK_CERT_SZ );
 
   /* Set server QUIC transport params */
@@ -390,9 +394,6 @@ test_client( SSL_CTX * ctx ) {
     .alpn_sz = 11UL,
   };
 
-  uchar server_public_key[ 32 ];
-  FD_TEST( fd_ed25519_public_from_private( server_public_key, server_private_key, sha ) );
-
   fd_tls_estate_cli_t hs[1];
   FD_TEST( fd_tls_estate_cli_new( hs ) );
   memcpy( hs->server_pubkey, server_public_key, 32UL );
@@ -409,7 +410,7 @@ test_client( SSL_CTX * ctx ) {
 
   /* Set up client cert */
 
-  fd_x509_mock_cert( cert, client->cert_private_key, fd_rng_ulong( rng ), sha );
+  fd_x509_mock_cert( cert, client->cert_public_key, fd_rng_ulong( rng ) );
   fd_tls_set_x509( client, cert, FD_X509_MOCK_CERT_SZ );
 
   /* Do handshake */