Don't support parameterless DSA keys in SPKIs

RFC 3279 allows DSA parameters to be omitted, in which case they are
picked up from the issuer in an X.509 chain (which we do not support),
or implicitly from some unspecified out-of-band source.

Update-Note: Parameterless DSA keys (a legacy algorithm) in
SubjectPublicKeyInfo will no longer parse. This does not impact TLS,
where we have never supported DSA.

Bug: 438886851
Change-Id: Ib2e7e70b4eb388af4b4299afbc4b36b9c0505d65
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/81367
Reviewed-by: Lily Chen <chlily@google.com>
Commit-Queue: Lily Chen <chlily@google.com>
Auto-Submit: David Benjamin <davidben@google.com>

diff --git a/crypto/evp/evp_tests.txt b/crypto/evp/evp_tests.txt
index a7f7385..749e641 100644
--- a/crypto/evp/evp_tests.txt
+++ b/crypto/evp/evp_tests.txt
@@ -165,12 +165,11 @@
ExpectNoRawPrivate
ExpectNoRawPublic
-# The same key as above, but without the parameters.
+# The same key as above, but without the parameters. Although allowed by
+# RFC 3279, we do not support this.
PublicKey = DSA-1024-SPKI-No-Params
-Type = DSA
Input = 308192300906072a8648ce38040103818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a
-ExpectNoRawPrivate
-ExpectNoRawPublic
+Error = DECODE_ERROR
# Private keys from RFC 8032.
PrivateKey = Ed25519
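Review bot: The DSA-1024-SPKI-No-Params vector only pins the case where the AlgorithmIdentifier carries no parameters field at all (the Input's algorithm SEQUENCE holds just the OID). Since the comment now documents this as a deliberate rejection, consider adding a sibling vector in which the parameters field is present but is not a parameter set, for example an ASN.1 NULL, also with `Error = DECODE_ERROR`, so both ways of supplying a DSA key without usable parameters are covered. The comment could also name the reason given in the commit message (issuer inheritance is not supported) so the expectation is not mistaken for a parser bug later.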
diff --git a/crypto/evp/p_dsa_asn1.cc b/crypto/evp/p_dsa_asn1.cc
index 8503d4d..6c829c0 100644
--- a/crypto/evp/p_dsa_asn1.cc
+++ b/crypto/evp/p_dsa_asn1.cc
@@ -27,19 +27,13 @@
static int dsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
// See RFC 3279, section 2.3.2.
- // Parameters may or may not be present.
- bssl::UniquePtr<DSA> dsa;
- if (CBS_len(params) == 0) {
- dsa.reset(DSA_new());
- if (dsa == nullptr) {
- return 0;
- }
- } else {
- dsa.reset(DSA_parse_parameters(params));
- if (dsa == nullptr || CBS_len(params) != 0) {
- OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
- return 0;
- }
+ // Decode parameters. RFC 3279 permits DSA parameters to be omitted, in which
+ // case they are implicitly determined from the issuing certificate, or
+ // somewhere unspecified and out-of-band. We do not support this mode.
+ bssl::UniquePtr<DSA> dsa(DSA_parse_parameters(params));
+ if (dsa == nullptr || CBS_len(params) != 0) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+ return 0;
}
dsa->pub_key = BN_new();
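Review bot: In dsa_pub_decode the rejection of omitted parameters is now implicit: it relies on DSA_parse_parameters returning nullptr when `params` is empty, and nothing in the visible code checks `CBS_len(params) == 0` any more. The new comment states the mode is unsupported but not where it is refused. Consider either an explicit empty-params check that returns 0 with EVP_R_DECODE_ERROR before parsing, or a sentence in the comment saying that empty input fails in DSA_parse_parameters, so a later change to the parameter parser cannot quietly bring back keys that have no domain parameters.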