Add RSA-PSS key certificate type.

Recognise RSA-PSS certificate algorithm and add a new certificate
type.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
This commit is contained in:
Dr. Stephen Henson 2017-09-13 13:53:03 +01:00
parent 6b1c8204b3
commit 045d078aef
3 changed files with 11 additions and 13 deletions

View File

@ -12,6 +12,7 @@
*/
static const SSL_CERT_LOOKUP ssl_cert_info [] = {
{EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */
{EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */
{EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */
{EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */
{NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */

View File

@ -363,25 +363,20 @@
/* Mostly for SSLv3 */
# define SSL_PKEY_RSA 0
# define SSL_PKEY_DSA_SIGN 1
# define SSL_PKEY_ECC 2
# define SSL_PKEY_GOST01 3
# define SSL_PKEY_GOST12_256 4
# define SSL_PKEY_GOST12_512 5
# define SSL_PKEY_ED25519 6
# define SSL_PKEY_NUM 7
# define SSL_PKEY_RSA_PSS_SIGN 1
# define SSL_PKEY_DSA_SIGN 2
# define SSL_PKEY_ECC 3
# define SSL_PKEY_GOST01 4
# define SSL_PKEY_GOST12_256 5
# define SSL_PKEY_GOST12_512 6
# define SSL_PKEY_ED25519 7
# define SSL_PKEY_NUM 8
/*
* Pseudo-constant. GOST cipher suites can use different certs for 1
* SSL_CIPHER. So let's see which one we have in fact.
*/
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
/*
* TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS
*/
#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA
/*-
* SSL_kRSA <- RSA_ENC
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)

View File

@ -799,6 +799,7 @@ static const SIGALG_LOOKUP legacy_rsa_sigalg = {
*/
static const uint16_t tls_default_sigalg[] = {
TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
0, /* SSL_PKEY_RSA_PSS_SIGN */
TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
@ -2126,6 +2127,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
void tls1_set_cert_validity(SSL *s)
{
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);