Add RSA-PSS key certificate type.
Recognise RSA-PSS certificate algorithm and add a new certificate type. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4368)
This commit is contained in:
parent
6b1c8204b3
commit
045d078aef
3 changed files with 11 additions and 13 deletions
|
@ -12,6 +12,7 @@
|
|||
*/
|
||||
static const SSL_CERT_LOOKUP ssl_cert_info [] = {
|
||||
{EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */
|
||||
{EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */
|
||||
{EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */
|
||||
{EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */
|
||||
{NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */
|
||||
|
|
|
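Review bot: The new `{EVP_PKEY_RSA_PSS, SSL_aRSA}` row only works because ssl_cert_info[] is indexed positionally by the SSL_PKEY_* values, and nothing at the table states that contract; a header comment such as `/* Indexed by SSL_PKEY_*; order must match the defines in ssl_locl.h and tls_default_sigalg[] */` would make future insertions safer than the per-row trailing comments alone. Giving RSA-PSS keys the SSL_aRSA authentication mask means they satisfy every cipher suite that requires RSA authentication, including TLS 1.2 suites whose signature scheme is negotiated separately; whether a PSS-only key is then rejected when no rsa_pss sigalg is usable is decided elsewhere and deserves a test. The enclosing array continues past the hunk.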
@ -363,25 +363,20 @@
|
|||
|
||||
/* Mostly for SSLv3 */
|
||||
# define SSL_PKEY_RSA 0
|
||||
# define SSL_PKEY_DSA_SIGN 1
|
||||
# define SSL_PKEY_ECC 2
|
||||
# define SSL_PKEY_GOST01 3
|
||||
# define SSL_PKEY_GOST12_256 4
|
||||
# define SSL_PKEY_GOST12_512 5
|
||||
# define SSL_PKEY_ED25519 6
|
||||
# define SSL_PKEY_NUM 7
|
||||
# define SSL_PKEY_RSA_PSS_SIGN 1
|
||||
# define SSL_PKEY_DSA_SIGN 2
|
||||
# define SSL_PKEY_ECC 3
|
||||
# define SSL_PKEY_GOST01 4
|
||||
# define SSL_PKEY_GOST12_256 5
|
||||
# define SSL_PKEY_GOST12_512 6
|
||||
# define SSL_PKEY_ED25519 7
|
||||
# define SSL_PKEY_NUM 8
|
||||
/*
|
||||
* Pseudo-constant. GOST cipher suites can use different certs for 1
|
||||
* SSL_CIPHER. So let's see which one we have in fact.
|
||||
*/
|
||||
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
|
||||
|
||||
/*
|
||||
* TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS
|
||||
*/
|
||||
|
||||
#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA
|
||||
|
||||
/*-
|
||||
* SSL_kRSA <- RSA_ENC
|
||||
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
|
||||
|
|
|
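Review bot: The renumbering of SSL_PKEY_DSA_SIGN through SSL_PKEY_NUM shifts every index after 0 by one, so any table or array sized or indexed by these constants other than the two updated in this commit (ssl_cert_info[] and tls_default_sigalg[]) would silently read the wrong slot if it is not updated as well; a search for SSL_PKEY_NUM and for positional tables annotated with `/* SSL_PKEY_... */` is in order before merging. The comment `/* Mostly for SSLv3 */` above the list no longer describes its role; replacing it with `/* Certificate slot indices; ssl_cert_info[] and tls_default_sigalg[] are indexed by these and must stay in the same order */` records the coupling the change depends on. Dropping `#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA` also changes behaviour for code that previously found an RSA-PSS key in the RSA slot, so callers that map an EVP_PKEY type to a slot need checking, although they are outside this hunk. Unrelated but adjacent: `SSL_PKEY_GOST_EC SSL_PKEY_NUM+1` is unparenthesised; `(SSL_PKEY_NUM + 1)` avoids surprises when the macro is used inside an expression.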
@ -799,6 +799,7 @@ static const SIGALG_LOOKUP legacy_rsa_sigalg = {
|
|||
*/
|
||||
static const uint16_t tls_default_sigalg[] = {
|
||||
TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */
|
||||
0, /* SSL_PKEY_RSA_PSS_SIGN */
|
||||
TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */
|
||||
TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */
|
||||
TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */
|
||||
|
@ -2126,6 +2127,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
|
|||
void tls1_set_cert_validity(SSL *s)
|
||||
{
|
||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA);
|
||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN);
|
||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
|
||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
|
||||
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
|
||||
|
|
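Review bot: The `0` inserted for SSL_PKEY_RSA_PSS_SIGN in tls_default_sigalg[] (first hunk) is a sentinel whose meaning is not stated; if the consumer treats 0 as "no legacy default", a PSS-only certificate cannot be selected by a TLS 1.2 peer that omits signature_algorithms, which is the right outcome but should be documented, e.g. `0, /* SSL_PKEY_RSA_PSS_SIGN: no pre-sigalgs default, PSS needs an explicit rsa_pss sigalg */`. If instead the value is passed on unchecked, 0 would be looked up as a sigalg code, so confirm how tls_default_sigalg[] is read before relying on it. The added tls1_check_chain() call in the second hunk is consistent with the other slots and needs no change.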