Google Git
Sign in
boringssl/boringssl/c9a9d8d5a90b55bea3ce019465821478e7036077^!/.
commit
c9a9d8d5a90b55bea3ce019465821478e7036077
[log]
author
David Benjamin <davidben@google.com>
Fri Feb 23 17:56:50 2024 -0500
committer
Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Tue Mar 05 18:41:24 2024 +0000
tree
6c419c256dd887d33e9e92a385e084326f632ccd
parent
efad2bfc83544bb926921de61baf6f962e685671 [diff]
Forbid RSA delegated credentials

RFC 9345 has this bizarre special case forbiding the rsaEncryption OID
for delegated credentials. This doesn't make much sense as DCs already
constrain to a single signature algorithm. In fact, they didn't need to
use SPKIs at all and could have just encoded the type-specific values.

Nonetheless, this is where the spec went up. We have long rejected the
RSASSA-PSS OID as being unusably complex, so this effectively means we
will never permit RSA delegated credentials.

This was another oversight in
https://boringssl-review.googlesource.com/c/34884. Fix it separately
before everything is reworked to SSL_CREDENTIAL.

Bug: 249
Change-Id: I7eae1e8da9da8052b8d985e78388ef8f2b235942
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66567
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 71baeb7..3cc9bae 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc

@@ -726,6 +726,16 @@
     return nullptr;
   }
 
+  // RFC 9345 forbids algorithms that use the rsaEncryption OID. As the
+  // RSASSA-PSS OID is unusably complicated, this effectively means we will not
+  // support RSA delegated credentials.
+  if (SSL_get_signature_algorithm_key_type(dc->dc_cert_verify_algorithm) ==
+      EVP_PKEY_RSA) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
+    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+    return nullptr;
+  }
+
   return dc;
 }
 

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 4b704db..0aa0d21 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -328,7 +328,7 @@
 	switch dcAlgo {
 	case signatureRSAPKCS1WithMD5, signatureRSAPKCS1WithSHA1, signatureRSAPKCS1WithSHA256, signatureRSAPKCS1WithSHA384, signatureRSAPKCS1WithSHA512, signatureRSAPSSWithSHA256, signatureRSAPSSWithSHA384, signatureRSAPSSWithSHA512:
 		pub = &rsa2048Key.PublicKey
-		privPKCS8, err = x509.MarshalPKCS8PrivateKey(rsa2048Key)
+		privPKCS8, err = x509.MarshalPKCS8PrivateKey(&rsa2048Key)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -16561,6 +16561,25 @@
 		shouldFail:    true,
 		expectedError: ":KEY_VALUES_MISMATCH:",
 	})
+
+	// RSA delegated credentials should be rejected at configuration time.
+	rsaDC, rsaPKCS8, err := createDelegatedCredential(delegatedCredentialConfig{
+		algo:   signatureRSAPSSWithSHA256,
+		dcAlgo: signatureRSAPSSWithSHA256,
+	}, rsaCertificate.Leaf.Raw, rsaCertificate.PrivateKey)
+	if err != nil {
+		panic(err)
+	}
+	rsaFlagValue := fmt.Sprintf("%x,%x", rsaDC, rsaPKCS8)
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "DelegatedCredentials-NoRSA",
+		flags: []string{
+			"-delegated-credential", rsaFlagValue,
+		},
+		shouldFail:    true,
+		expectedError: ":INVALID_SIGNATURE_ALGORITHM:",
+	})
 }
 
 type echCipher struct {