From 1db52f0c0448d1d7afeb564d49ad6eb4d9320aae Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Tue, 6 Jun 2017 10:52:48 +1000 Subject: [PATCH] Fix to use different PEM header for EDDSA keys Include new cert and key files in distribution Fix compile issue when only doing TLS13. --- certs/ed25519/ca-ed25519-key.pem | 4 +-- certs/ed25519/client-ed25519-key.pem | 4 +-- certs/ed25519/root-ed25519-key.pem | 4 +-- certs/ed25519/server-ed25519-key.pem | 4 +-- certs/include.am | 17 +++++++++++ src/ssl.c | 44 +++++++++++++++++----------- src/tls13.c | 2 ++ wolfcrypt/src/asn.c | 20 +++++++------ wolfssl/wolfcrypt/asn.h | 2 ++ wolfssl/wolfcrypt/asn_public.h | 1 + 10 files changed, 68 insertions(+), 34 deletions(-) diff --git a/certs/ed25519/ca-ed25519-key.pem b/certs/ed25519/ca-ed25519-key.pem index a78c396f7..e21c1100c 100644 --- a/certs/ed25519/ca-ed25519-key.pem +++ b/certs/ed25519/ca-ed25519-key.pem @@ -1,4 +1,4 @@ ------BEGIN RSA PRIVATE KEY----- +-----BEGIN EDDSA PRIVATE KEY----- MFICAQAwBQYDK2VwBCIEIE3EyZVR/gbofvUgIsCeuA3yZ9E7DbTQxW7HMDYQhbxl oSIEIEEH7HUMaHISPASCB24Wb0BBbaSPCPLinadDwiQomH6s ------END RSA PRIVATE KEY----- +-----END EDDSA PRIVATE KEY----- diff --git a/certs/ed25519/client-ed25519-key.pem b/certs/ed25519/client-ed25519-key.pem index b35d30898..fc4eef62f 100644 --- a/certs/ed25519/client-ed25519-key.pem +++ b/certs/ed25519/client-ed25519-key.pem @@ -1,4 +1,4 @@ ------BEGIN RSA PRIVATE KEY----- +-----BEGIN EDDSA PRIVATE KEY----- MFICAQAwBQYDK2VwBCIEIBGdNYxa3ommO8aYO1oGaGSRQBqDYB0sKOdR3bqejqIQ oSIEIDY9UZ60w5FgsDoJuIdapQUPW1PlZBc+cLkNZhKk5fFR ------END RSA PRIVATE KEY----- +-----END EDDSA PRIVATE KEY----- diff --git a/certs/ed25519/root-ed25519-key.pem b/certs/ed25519/root-ed25519-key.pem index be922d961..2db2a669e 100644 --- a/certs/ed25519/root-ed25519-key.pem +++ b/certs/ed25519/root-ed25519-key.pem @@ -1,4 +1,4 @@ ------BEGIN RSA PRIVATE KEY----- +-----BEGIN EDDSA PRIVATE KEY----- MFICAQAwBQYDK2VwBCIEIFwOftlJ9QL4yEBIBh9UmTRwCu+A6puPK9OFmVk0A19P oSIEIKZgKbt92EfL1B7QbQ9XANgqH1BqQrxd5bgZZbLfJK9Q ------END RSA PRIVATE KEY----- +-----END EDDSA PRIVATE KEY----- diff --git a/certs/ed25519/server-ed25519-key.pem b/certs/ed25519/server-ed25519-key.pem index 5699e0a7c..1f1e769ce 100644 --- a/certs/ed25519/server-ed25519-key.pem +++ b/certs/ed25519/server-ed25519-key.pem @@ -1,4 +1,4 @@ ------BEGIN RSA PRIVATE KEY----- +-----BEGIN EDDSA PRIVATE KEY----- MFICAQAwBQYDK2VwBCIEINjpdrI/H/eIdfXd+HrGSTBu6Z/LnR4rwBjvu3WJ5ndn oSIEIBowiBhHL5faBPSk471sDBa5SMHRQteOkoSgdCpDng4p ------END RSA PRIVATE KEY----- +-----END EDDSA PRIVATE KEY----- diff --git a/certs/include.am b/certs/include.am index e9b8e5c5d..72ef15232 100644 --- a/certs/include.am +++ b/certs/include.am @@ -55,6 +55,23 @@ EXTRA_DIST += \ certs/server-ecc.der \ certs/server-ecc-rsa.der \ certs/server-cert-chain.der +EXTRA_DIST += \ + certs/ed25519/ca-ed25519.der \ + certs/ed25519/ca-ed25519-key.der \ + certs/ed25519/ca-ed25519-key.pem \ + certs/ed25519/ca-ed25519.pem \ + certs/ed25519/client-ed25519.der \ + certs/ed25519/client-ed25519-key.der \ + certs/ed25519/client-ed25519-key.pem \ + certs/ed25519/client-ed25519.pem \ + certs/ed25519/root-ed25519.der \ + certs/ed25519/root-ed25519-key.der \ + certs/ed25519/root-ed25519-key.pem \ + certs/ed25519/root-ed25519.pem \ + certs/ed25519/server-ed25519.der \ + certs/ed25519/server-ed25519-key.der \ + certs/ed25519/server-ed25519-key.pem \ + certs/ed25519/server-ed25519.pem dist_doc_DATA+= certs/taoCert.txt diff --git a/src/ssl.c b/src/ssl.c index 59a18ec42..23d7bce00 100755 --- a/src/ssl.c +++ b/src/ssl.c @@ -4035,16 +4035,28 @@ int PemToDer(const unsigned char* buff, long longSz, int type, switch (type) { case CA_TYPE: /* same as below */ case TRUSTED_PEER_TYPE: - case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; break; - case CRL_TYPE: header=BEGIN_X509_CRL; footer=END_X509_CRL; break; - case DH_PARAM_TYPE: header=BEGIN_DH_PARAM; footer=END_DH_PARAM; break; - case DSA_PARAM_TYPE: header=BEGIN_DSA_PARAM; footer=END_DSA_PARAM; break; - case CERTREQ_TYPE: header=BEGIN_CERT_REQ; footer=END_CERT_REQ; break; - case DSA_TYPE: header=BEGIN_DSA_PRIV; footer=END_DSA_PRIV; break; - case ECC_TYPE: header=BEGIN_EC_PRIV; footer=END_EC_PRIV; break; - case RSA_TYPE: header=BEGIN_RSA_PRIV; footer=END_RSA_PRIV; break; - case PUBLICKEY_TYPE: header=BEGIN_PUB_KEY; footer=END_PUB_KEY; break; - default: header=BEGIN_RSA_PRIV; footer=END_RSA_PRIV; break; + case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; + break; + case CRL_TYPE: header=BEGIN_X509_CRL; footer=END_X509_CRL; + break; + case DH_PARAM_TYPE: header=BEGIN_DH_PARAM; footer=END_DH_PARAM; + break; + case DSA_PARAM_TYPE: header=BEGIN_DSA_PARAM; footer=END_DSA_PARAM; + break; + case CERTREQ_TYPE: header=BEGIN_CERT_REQ; footer=END_CERT_REQ; + break; + case DSA_TYPE: header=BEGIN_DSA_PRIV; footer=END_DSA_PRIV; + break; + case ECC_TYPE: header=BEGIN_EC_PRIV; footer=END_EC_PRIV; + break; + case RSA_TYPE: header=BEGIN_RSA_PRIV; footer=END_RSA_PRIV; + break; + case ED25519_TYPE: header=BEGIN_EDDSA_PRIV; footer=END_EDDSA_PRIV; + break; + case PUBLICKEY_TYPE: header=BEGIN_PUB_KEY; footer=END_PUB_KEY; + break; + default: header=BEGIN_RSA_PRIV; footer=END_RSA_PRIV; + break; } /* find header */ @@ -4061,6 +4073,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, header = BEGIN_EC_PRIV; footer = END_EC_PRIV; } else if (header == BEGIN_EC_PRIV) { header = BEGIN_DSA_PRIV; footer = END_DSA_PRIV; + } else if (header == BEGIN_DSA_PRIV) { + header = BEGIN_EDDSA_PRIV; footer = END_EDDSA_PRIV; } else break; } @@ -4685,6 +4699,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, resetSuites = 1; } } + else + eccKey = 0; wc_ecc_free(&key); } @@ -4707,7 +4723,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, return SSL_BAD_FILE; } - /* check for minimum ECC key size and then free */ + /* check for minimum key size and then free */ if (ssl) { if (ED25519_KEY_SIZE < ssl->options.minEccKeySz) { wc_ed25519_free(&key); @@ -4725,12 +4741,6 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, wc_ed25519_free(&key); ed25519Key = 1; - if (ssl) { - ssl->options.haveStaticECC = 1; - } - else if (ctx) { - ctx->haveStaticECC = 1; - } if (ssl && ssl->options.side == WOLFSSL_SERVER_END) { resetSuites = 1; diff --git a/src/tls13.c b/src/tls13.c index 3679c06d0..e649bc467 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -4190,10 +4190,12 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, } /* Check for public key of required type. */ + #ifdef HAVE_ED25519 if (args->sigAlgo == ed25519_sa_algo && !ssl->peerEd25519KeyPresent) { WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); } + #endif if (args->sigAlgo == ecc_dsa_sa_algo && !ssl->peerEccDsaKeyPresent) { WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 51df86d6b..180179eff 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6550,6 +6550,8 @@ const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; const char* END_PUB_KEY = "-----END PUBLIC KEY-----"; +const char* BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----"; +const char* END_EDDSA_PRIV = "-----END EDDSA PRIVATE KEY-----"; #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) @@ -6625,6 +6627,15 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, XSTRNCAT(footer, "\n", 1); } #endif +#ifdef HAVE_ED25519 + else if (type == EDDSA_PRIVATEKEY_TYPE) { + XSTRNCPY(header, BEGIN_EDDSA_PRIV, headerLen); + XSTRNCAT(header, "\n", 1); + + XSTRNCPY(footer, END_EDDSA_PRIV, footerLen); + XSTRNCAT(footer, "\n", 1); + } +#endif #ifdef WOLFSSL_CERT_REQ else if (type == CERTREQ_TYPE) { @@ -10230,15 +10241,6 @@ int wc_Ed25519PrivateKeyDecode(const byte* input, word32* inOutIdx, if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) return BAD_FUNC_ARG; - if (GetOctetString(input, inOutIdx, &privSz, inSz) >= 0) { - priv = input + *inOutIdx; - *inOutIdx += privSz; - - if (*inOutIdx != inSz) - return ASN_PARSE_E; - return wc_ed25519_import_private_only(priv, privSz, key); - } - if (GetSequence(input, inOutIdx, &length, inSz) < 0) return ASN_PARSE_E; endKeyIdx = *inOutIdx + length; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index f2c5c9aa5..1b732fa55 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -660,6 +660,8 @@ extern const char* BEGIN_DSA_PRIV; extern const char* END_DSA_PRIV; extern const char* BEGIN_PUB_KEY; extern const char* END_PUB_KEY; +extern const char* BEGIN_EDDSA_PRIV; +extern const char* END_EDDSA_PRIV; #ifdef NO_SHA #define SIGNER_DIGEST_SIZE SHA256_DIGEST_SIZE diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 9adf13cf5..0b4a8653b 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -66,6 +66,7 @@ enum CertType { RSA_PUBLICKEY_TYPE, ECC_PUBLICKEY_TYPE, TRUSTED_PEER_TYPE, + EDDSA_PRIVATEKEY_TYPE, ED25519_TYPE };