Skip to content

Commit

Permalink
fix(x509): use correct spki algorithm and parameters
Browse files Browse the repository at this point in the history 
Signed-off-by: Berend Sliedrecht <sliedrecht@berend.io>
  • Loading branch information
@berendsliedrecht
berendsliedrecht committed Jul 3, 2024
1 parent 352383f commit c232f12
Show file tree
Hide file tree
Showing 5 changed files with 41 additions and 43 deletions.
2 changes: 2 additions & 0 deletions packages/core/package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
"@stablelib/ed25519": "^1.0.2",
"@types/ws": "^8.5.4",
"abort-controller": "^3.0.0",
"asn1js": "^3.0.5",
"big-integer": "^1.6.51",
"borc": "^3.0.0",
"buffer": "^6.0.3",
Expand All @@ -57,6 +58,7 @@
"luxon": "^3.3.0",
"make-error": "^1.3.6",
"object-inspect": "^1.10.3",
"pvtsutils": "^1.3.5",
"query-string": "^7.0.1",
"reflect-metadata": "^0.1.13",
"rxjs": "^7.8.0",
Expand Down
42 changes: 11 additions & 31 deletions packages/core/src/crypto/webcrypto/algorithmIdentifiers.ts
View file
Original file line number Diff line number Diff line change
@@ -1,51 +1,31 @@
import { ecdsaWithSHA256 } from '@peculiar/asn1-ecc'
import { AsnProp, AsnPropTypes, AsnSerializer } from '@peculiar/asn1-schema'
import { id_ecPublicKey, id_secp256r1, id_secp384r1 } from '@peculiar/asn1-ecc'
import { AsnObjectIdentifierConverter } from '@peculiar/asn1-schema'
import { AlgorithmIdentifier } from '@peculiar/asn1-x509'

const ecPublicKeyAlgorithmIdentifier = (objectId: string) =>
new AlgorithmIdentifier({
algorithm: id_ecPublicKey,
parameters: AsnObjectIdentifierConverter.toASN(objectId).toBER(),
})

/**
*
* https://oid-rep.orange-labs.fr/get/1.2.840.10045.3.1.7
*
*/
class P256AlgorithmIdentifierParameters {
@AsnProp({ type: AsnPropTypes.ObjectIdentifier })
public parameters: string = '1.2.840.10045.3.1.7'
}

export const ecPublicKeyWithP256AlgorithmIdentifier = ecPublicKeyAlgorithmIdentifier(id_secp256r1)
/**
*
* https://oid-rep.orange-labs.fr/get/1.3.132.0.34
*
*/
class P384AlgorithmIdentifierParameters {
@AsnProp({ type: AsnPropTypes.ObjectIdentifier })
public parameters: string = '1.3.132.0.34'
}

export const ecPublicKeyWithP384AlgorithmIdentifier = ecPublicKeyAlgorithmIdentifier(id_secp384r1)
/**
*
* https://oid-rep.orange-labs.fr/get/1.3.132.0.10
*
*/
class K256AlgorithmIdentifierParameters {
@AsnProp({ type: AsnPropTypes.ObjectIdentifier })
public parameters: string = '1.3.132.0.10'
}

export const ecdsaWithSha256AndP256AlgorithmIdentifier = new AlgorithmIdentifier({
algorithm: ecdsaWithSHA256.algorithm,
parameters: AsnSerializer.serialize(new P256AlgorithmIdentifierParameters()),
})

export const ecdsaWithSha256AndK256AlgorithmIdentifier = new AlgorithmIdentifier({
algorithm: ecdsaWithSHA256.algorithm,
parameters: AsnSerializer.serialize(new K256AlgorithmIdentifierParameters()),
})

export const ecdsaWithSha256AndP384AlgorithmIdentifier = new AlgorithmIdentifier({
algorithm: ecdsaWithSHA256.algorithm,
parameters: AsnSerializer.serialize(new P384AlgorithmIdentifierParameters()),
})
export const ecPublicKeyWithK256AlgorithmIdentifier = ecPublicKeyAlgorithmIdentifier('1.3.132.0.10')

/**
*
Expand Down
22 changes: 10 additions & 12 deletions packages/core/src/crypto/webcrypto/utils/keyAlgorithmConversion.ts
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,12 @@
import type { EcKeyGenParams, KeyGenAlgorithm } from '../types'
import type { AlgorithmIdentifier } from '@peculiar/asn1-x509'

import { ecdsaWithSHA256 } from '@peculiar/asn1-ecc'

import { KeyType } from '../../KeyType'
import { CredoWebCryptoError } from '../CredoWebCryptoError'
import {
ecdsaWithSha256AndK256AlgorithmIdentifier,
ecdsaWithSha256AndP256AlgorithmIdentifier,
ecdsaWithSha256AndP384AlgorithmIdentifier,
ecPublicKeyWithK256AlgorithmIdentifier,
ecPublicKeyWithP256AlgorithmIdentifier,
ecPublicKeyWithP384AlgorithmIdentifier,
ed25519AlgorithmIdentifier,
x25519AlgorithmIdentifier,
} from '../algorithmIdentifiers'
Expand Down Expand Up @@ -37,16 +35,16 @@ export const cryptoKeyAlgorithmToCredoKeyType = (algorithm: KeyGenAlgorithm): Ke
}

export const spkiAlgorithmIntoCredoKeyType = (algorithm: AlgorithmIdentifier): KeyType => {
if (algorithm.isEqual(ecdsaWithSha256AndP256AlgorithmIdentifier)) {
if (algorithm.isEqual(ecPublicKeyWithP256AlgorithmIdentifier)) {
return KeyType.P256
} else if (algorithm.isEqual(ecdsaWithSha256AndK256AlgorithmIdentifier)) {
} else if (algorithm.isEqual(ecPublicKeyWithP384AlgorithmIdentifier)) {
return KeyType.P384
} else if (algorithm.isEqual(ecPublicKeyWithK256AlgorithmIdentifier)) {
return KeyType.K256
} else if (algorithm.isEqual(ed25519AlgorithmIdentifier)) {
return KeyType.Ed25519
} else if (algorithm.isEqual(x25519AlgorithmIdentifier)) {
return KeyType.X25519
} else if (algorithm.isEqual(ecdsaWithSHA256)) {
throw new CredoWebCryptoError(`ecdsa with SHA256 was used. Please specify a curve in algorithm parameters`)
}

throw new CredoWebCryptoError(
Expand All @@ -61,11 +59,11 @@ export const credoKeyTypeIntoSpkiAlgorithm = (keyType: KeyType): AlgorithmIdenti
case KeyType.X25519:
return x25519AlgorithmIdentifier
case KeyType.P256:
return ecdsaWithSha256AndP256AlgorithmIdentifier
return ecPublicKeyWithP256AlgorithmIdentifier
case KeyType.P384:
return ecdsaWithSha256AndP384AlgorithmIdentifier
return ecPublicKeyWithP384AlgorithmIdentifier
case KeyType.K256:
return ecdsaWithSha256AndK256AlgorithmIdentifier
return ecPublicKeyWithK256AlgorithmIdentifier
default:
throw new CredoWebCryptoError(`Unsupported key type: ${keyType}`)
}
Expand Down
12 changes: 12 additions & 0 deletions packages/core/src/crypto/x509/__tests__/x509Service.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,18 @@ describe('X509Service', () => {
await wallet.close()
})

it('should correctly parse x5c chain provided as a test-vector', async () => {
const x5c = [
'MIICaTCCAg+gAwIBAgIUShyxcIZGiPV3wBRp4YOlNp1I13YwCgYIKoZIzj0EAwIwgYkxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZiZHIuZGUxDzANBgNVBAcMBkJlcmxpbjEMMAoGA1UECgwDQkRSMQ8wDQYDVQQLDAZNYXVyZXIxHTAbBgNVBAMMFGlzc3VhbmNlLXRlc3QuYmRyLmRlMRowGAYJKoZIhvcNAQkBFgt0ZXN0QGJkci5kZTAeFw0yNDA1MjgwODIyMjdaFw0zNDA0MDYwODIyMjdaMIGJMQswCQYDVQQGEwJERTEPMA0GA1UECAwGYmRyLmRlMQ8wDQYDVQQHDAZCZXJsaW4xDDAKBgNVBAoMA0JEUjEPMA0GA1UECwwGTWF1cmVyMR0wGwYDVQQDDBRpc3N1YW5jZS10ZXN0LmJkci5kZTEaMBgGCSqGSIb3DQEJARYLdGVzdEBiZHIuZGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASygZ1Ma0m9uif4n8g3CiCP+E1r2KWFxVmS6LRWqUBMgn5fODKIBftdzVSbv/38gujy5qxh/q5bLcT+yLilazCao1MwUTAdBgNVHQ4EFgQUMGdPNMIdo3iHfqt2jlTnBNCfRNAwHwYDVR0jBBgwFoAUMGdPNMIdo3iHfqt2jlTnBNCfRNAwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiAu2h5xulXReb5IhgpkYiYR1BONTtsjT7nfzQAhL4ISOQIhAK6jKwwf6fTTSZwvJUOAu7dz1Dy/DmH19Lef0zqaNNht',
]

const chain = await X509Service.validateCertificateChain(agentContext, { certificateChain: x5c })

expect(chain.length).toStrictEqual(1)
expect(chain[0].sanDnsNames).toStrictEqual([])
expect(chain[0].sanUriNames).toStrictEqual([])
})

it('should parse a valid X.509 certificate', async () => {
const key = await agentContext.wallet.createKey({ keyType: KeyType.P256 })
const certificate = await X509Service.createSelfSignedCertificate(agentContext, {
Expand Down
6 changes: 6 additions & 0 deletions pnpm-lock.yaml
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit c232f12

Please sign in to comment.