diff --git a/certs/include.am b/certs/include.am index 3ab8337a5..700927500 100644 --- a/certs/include.am +++ b/certs/include.am @@ -128,4 +128,5 @@ include certs/test/include.am include certs/test-pathlen/include.am include certs/intermediate/include.am include certs/falcon/include.am +include certs/rsapss/include.am diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 208fc1a58..d2cca7f9a 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -619,10 +619,20 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" + ############################################################ + ########## generate RSA-PSS certificates ################### + ############################################################ + echo "Renewing RSA-PSS certificates" + cd rsapss + ./renew-rsapss-certs.sh + cd .. + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ########## generate Ed25519 certificates ################### ############################################################ - echo "Renewing Ed448 certificates" + echo "Renewing Ed25519 certificates" cd ed25519 ./gen-ed25519-certs.sh cd .. diff --git a/certs/rsapss/ca-3072-rsapss-key.der b/certs/rsapss/ca-3072-rsapss-key.der new file mode 100644 index 000000000..d36bc7113 Binary files /dev/null and b/certs/rsapss/ca-3072-rsapss-key.der differ diff --git a/certs/rsapss/ca-3072-rsapss-key.pem b/certs/rsapss/ca-3072-rsapss-key.pem new file mode 100644 index 000000000..d199fe978 --- /dev/null +++ b/certs/rsapss/ca-3072-rsapss-key.pem @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoCggGBAMgqQMjrrnwYM8s4Uea3exFP +zeo1h2TZssrPSyHEhirHo28VPh7EmwOBSzpdU2IR4gjfl003PXhiUEAxKnBEGm1p +Sfx3uPJCCYaaXTnNhHsyijuwT7891AV+wKoopc6xKDpZ2RkQOtQfkQcHc1CkK9gY +HyL49GQ/E6DYYH5TTDuXcLw25b4xl0VV7aJbh7UbjmU9txUI0RIaquxOVjVwpz5Q +Zfc+MJwy27Ike4cCKScSNa2OwwIiE8JuU0XwFiGB5dW1kWCL11y7wnAG9lBBRTZ/ +QUSJtpcjvnbXfHJ/6vQZEBfD34/NlyAEyx0DawmP13uEfSLF4hDLzBGqofVmhQ41 +WozDiWEp0FxTLwlLkX7O4BLTzuvJUDw28Ka0+7XC3mGgrG+8fu9TCJ+xGK1b4wEj +3hGlH33VtvRyHVN1ZozbYR7p6zzzSWmCtiBrKQOhvlXkTPglp6ij4z8yH66nKptr +Vt3JWrEaAaAT0o6aLNt+/VsOLu+Sac7y3u/QLwkOZwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/ca-3072-rsapss-priv.der b/certs/rsapss/ca-3072-rsapss-priv.der new file mode 100644 index 000000000..6891400d3 Binary files /dev/null and b/certs/rsapss/ca-3072-rsapss-priv.der differ diff --git a/certs/rsapss/ca-3072-rsapss-priv.pem b/certs/rsapss/ca-3072-rsapss-priv.pem new file mode 100644 index 000000000..96ce0abb8 --- /dev/null +++ b/certs/rsapss/ca-3072-rsapss-priv.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADALBgkqhkiG9w0BAQoEggboMIIG5AIBAAKCAYEAyCpAyOuufBgzyzhR +5rd7EU/N6jWHZNmyys9LIcSGKsejbxU+HsSbA4FLOl1TYhHiCN+XTTc9eGJQQDEq +cEQabWlJ/He48kIJhppdOc2EezKKO7BPvz3UBX7AqiilzrEoOlnZGRA61B+RBwdz +UKQr2BgfIvj0ZD8ToNhgflNMO5dwvDblvjGXRVXtoluHtRuOZT23FQjREhqq7E5W +NXCnPlBl9z4wnDLbsiR7hwIpJxI1rY7DAiITwm5TRfAWIYHl1bWRYIvXXLvCcAb2 +UEFFNn9BRIm2lyO+dtd8cn/q9BkQF8Pfj82XIATLHQNrCY/Xe4R9IsXiEMvMEaqh +9WaFDjVajMOJYSnQXFMvCUuRfs7gEtPO68lQPDbwprT7tcLeYaCsb7x+71MIn7EY +rVvjASPeEaUffdW29HIdU3VmjNthHunrPPNJaYK2IGspA6G+VeRM+CWnqKPjPzIf +rqcqm2tW3clasRoBoBPSjpos2379Ww4u75JpzvLe79AvCQ5nAgMBAAECggGAEW40 +hAqaAC5vXDQEVc4GhoRnjwyoRKz8d9LDXSZq9JC797Fm3nEKeqyoq2VzHGgoQdOO +rmewD6qoCF7/rhUQJBT2H2khjt8XS0Rn99+guMW26em5mBK/Qtc92dN+VNhyg1pN +oHQcW1qAW5dXgF87fi7jjz0UsyIXCHuvM3D3g3z1kT5KlVxmKuCHuAq2b5v9s21D +Yy6IXkY6Oie8NB0iQzfnGTeuLfvzy7iHlUMn6EIasIltC+OByv2mfMGie7p+7IWq +bzRf3cBTiR6ozEIfDobVT+RQbc3Zj6nLI63Lt1ANGLL3j4bcCTKmteNwaCYiDVBU +9cYhuoSUcnegZHkhnFjnY+PoqE8TIWp+nAY97Ptz8s8aMXP6vZ6j2KV8HJgqj18w +05x6cyvCPMXOh2ZJvn7daDRFL+o5Fj+rWch202gsTxqbPzqtph8OxMMyCZMbXHrw +GkDNhRlg22MjfLpiKYZKfPC6dX8GVywuc8O7qwBUBB4QH+w8myitVCj7h2QRAoHB +AP28yltlAlpIPovARsscof3ntn4koamcdLjtFxVeLRz/4DsBLH2Oa0vOu67Y/dH9 +FunmPO6B7TqnE41pf1qBNhmWDwIb/eRD9bLQStW9Vd6jg42Z76+LVgjjAk1bXoUz +nNvNQhzfW9H6NgsqJhH+b07YhyI9qJCIWwGRcl9+C4XZXTxSY1qDDIL4KzsyK2SW +LsOcSK67VJisUsiVeq05yjTSzy6upjXgYVAoMqGRlKxw1RH/o2F5ovvkBYB90sws +DwKBwQDJ8ywW1YC3nuyRgX9B5+MGFnNIOnP5lSHuNf06o7hRY7ikpC9ZMSaIgZqZ +Fly6ZcBeja+rZuwmYQ4lmjpUfcY1mORsljSW+M8cobUIf9YDmc2MfZs0961sR4eR +fxSkDez819jn0iT4MiMqKzOBiRdvVw07UScpneC0coQ4j6nNaUoHg1/KIRIGrA5K +SZjK6LWsdulGMJp6u1K0ms+gOj6Jp2CO4xvpdl7EWKT/SDo4S8pVnQAvNSXE9cwT +IFBKACkCgcAkyeCVC7ohmOPoo0IgZNBf3d6pv2npC5Qo08dLA9KKp9a891iaA7Iu +1ZSEr1VtwsI1u3oOIqxgmqTNFgSu/Jj5cLZQWfqfw/K1sFmJT+BJXW/Pcgg8bXlV +5IQK7zpvGaKeg84YHZJUiXCYgc3vQfKlfeNp5YKxIfP/8DSi/8Vv7KoF+vQIxYNk +4dJyzL1Z4iR5nAk1vFdxo1qFVpbo0r4slnwPiqbynMu/MXTV1CO4NMvPxj7L/TTS +TKc3kAamL6UCgcEAi2Y1ytU5coZbGd1fsGiWhv88OGFQ6LkOoNXXpICanGPPcqZ6 +oICS7qs3wfBztZ7C+QGofxIedCeOkloxZV0kUp7lHidYydWZcVQWGHXVjsq93fpe +BmPo69M8OyyTXOLX8Xg1G2AtcL17FIKZnRK6gHqAga907v8xup1Js5lHRqklFqaS +mn3VaZGek5zVwUp9DT1PrMmj+JAReOVb6GgL/wzwU/FktPSmWbYuvqBmv7FhS1OC +axOurJRWd+VYRpxxAoHBAOWBLmlWOGpOfr1r35I3+qrAQRtApEXplHCnCNc1ngIJ +bquSIAfEQCVlJBkE2OPxApqQ6WmU60TbOnuLzBZWh391wiFMEt3j1z9/ExUJjEhq +ub0VwhSI+Zm8wI3nIKf55JbO/H4diO2boOFs6hGFf7AM6yzmH3Pw3l9y+nXga+rp +aT/gIcqdz2mVpm3DiI4tNaSljyhvtJXrv7KDK6G0IPz5489619agwzU3sTLATeSD +M18AEXr2oS6sXtflRhcdDw== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/ca-3072-rsapss.der b/certs/rsapss/ca-3072-rsapss.der new file mode 100644 index 000000000..7e1f99272 Binary files /dev/null and b/certs/rsapss/ca-3072-rsapss.der differ diff --git a/certs/rsapss/ca-3072-rsapss.pem b/certs/rsapss/ca-3072-rsapss.pem new file mode 100644 index 000000000..a89c4ae4e --- /dev/null +++ b/certs/rsapss/ca-3072-rsapss.pem @@ -0,0 +1,116 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:c8:2a:40:c8:eb:ae:7c:18:33:cb:38:51:e6:b7: + 7b:11:4f:cd:ea:35:87:64:d9:b2:ca:cf:4b:21:c4: + 86:2a:c7:a3:6f:15:3e:1e:c4:9b:03:81:4b:3a:5d: + 53:62:11:e2:08:df:97:4d:37:3d:78:62:50:40:31: + 2a:70:44:1a:6d:69:49:fc:77:b8:f2:42:09:86:9a: + 5d:39:cd:84:7b:32:8a:3b:b0:4f:bf:3d:d4:05:7e: + c0:aa:28:a5:ce:b1:28:3a:59:d9:19:10:3a:d4:1f: + 91:07:07:73:50:a4:2b:d8:18:1f:22:f8:f4:64:3f: + 13:a0:d8:60:7e:53:4c:3b:97:70:bc:36:e5:be:31: + 97:45:55:ed:a2:5b:87:b5:1b:8e:65:3d:b7:15:08: + d1:12:1a:aa:ec:4e:56:35:70:a7:3e:50:65:f7:3e: + 30:9c:32:db:b2:24:7b:87:02:29:27:12:35:ad:8e: + c3:02:22:13:c2:6e:53:45:f0:16:21:81:e5:d5:b5: + 91:60:8b:d7:5c:bb:c2:70:06:f6:50:41:45:36:7f: + 41:44:89:b6:97:23:be:76:d7:7c:72:7f:ea:f4:19: + 10:17:c3:df:8f:cd:97:20:04:cb:1d:03:6b:09:8f: + d7:7b:84:7d:22:c5:e2:10:cb:cc:11:aa:a1:f5:66: + 85:0e:35:5a:8c:c3:89:61:29:d0:5c:53:2f:09:4b: + 91:7e:ce:e0:12:d3:ce:eb:c9:50:3c:36:f0:a6:b4: + fb:b5:c2:de:61:a0:ac:6f:bc:7e:ef:53:08:9f:b1: + 18:ad:5b:e3:01:23:de:11:a5:1f:7d:d5:b6:f4:72: + 1d:53:75:66:8c:db:61:1e:e9:eb:3c:f3:49:69:82: + b6:20:6b:29:03:a1:be:55:e4:4c:f8:25:a7:a8:a3: + e3:3f:32:1f:ae:a7:2a:9b:6b:56:dd:c9:5a:b1:1a: + 01:a0:13:d2:8e:9a:2c:db:7e:fd:5b:0e:2e:ef:92: + 69:ce:f2:de:ef:d0:2f:09:0e:67 + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + X509v3 Authority Key Identifier: + keyid:AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 39:a8:ef:b1:66:08:50:0b:5e:cb:b2:29:8c:9b:b1:be:21:44: + d6:d8:97:1d:45:dc:52:70:f1:de:ac:74:65:03:6b:af:a0:f0: + 21:61:ce:23:39:33:c8:cb:1e:8f:77:12:1e:5b:99:0c:e1:1b: + 75:cf:1d:d7:12:86:cc:fc:86:90:0f:45:ea:8b:08:47:08:ac: + 56:44:31:f2:c9:23:6b:d5:30:ca:5f:49:b0:4b:8b:36:bd:5c: + 92:fa:86:34:57:80:30:93:29:59:19:a4:dd:f9:91:26:8a:49: + b4:ee:93:aa:e1:b2:06:f6:2f:2a:d9:5b:6d:f9:7c:04:4f:1c: + 7a:cc:8e:39:c2:98:3a:bd:b9:a2:24:82:8f:e4:d8:80:47:73: + 84:6e:bc:20:5c:ac:79:72:a7:6f:e3:c8:3a:9c:cc:83:b1:1f: + e2:65:3b:a1:f5:86:1a:33:53:bc:05:ba:6a:b1:bc:a7:b4:c1: + 44:8c:0a:cc:c2:15:da:c1:dd:dc:31:91:46:5b:48:d8:ea:03: + 78:e1:1f:ce:79:19:c8:6e:d6:3f:4c:f5:3b:b3:e7:2e:b7:46: + 0c:58:cd:ca:56:a6:88:fb:fd:12:d1:27:80:5a:a2:51:96:f8: + 4c:65:8d:71:0b:84:ca:94:f9:9f:c9:38:62:a3:64:cd:91:44: + 50:ed:bb:c0:1d:9b:b8:a4:57:b1:7a:2e:44:57:a5:15:ba:cc: + b3:62:f5:46:aa:cd:fb:53:d3:ed:ef:e3:f4:b2:9b:3f:29:d0: + 00:8c:19:61:48:b6:da:74:27:05:69:7b:df:04:0e:e2:f1:0f: + 1a:fa:92:70:79:78:86:52:60:e1:4d:4e:66:14:ba:86:e2:4e: + dd:e0:d0:f3:c0:2d:6d:3a:16:00:1d:c6:9c:27:6f:a6:5f:21: + 4c:e4:82:14:95:d1:a7:4a:15:13:ba:d8:65:ad:34:a2:93:3a: + d1:49:12:4d:f2:97:f3:e2:8a:83:d2:bf:84:84:c6:87:70:c9: + 38:e0:5f:fe:7f:38 +-----BEGIN CERTIFICATE----- +MIIFjzCCA8agAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgZ0xCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93 +b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t +MB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAyMjc1NVowgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoC +ggGBAMgqQMjrrnwYM8s4Uea3exFPzeo1h2TZssrPSyHEhirHo28VPh7EmwOBSzpd +U2IR4gjfl003PXhiUEAxKnBEGm1pSfx3uPJCCYaaXTnNhHsyijuwT7891AV+wKoo +pc6xKDpZ2RkQOtQfkQcHc1CkK9gYHyL49GQ/E6DYYH5TTDuXcLw25b4xl0VV7aJb +h7UbjmU9txUI0RIaquxOVjVwpz5QZfc+MJwy27Ike4cCKScSNa2OwwIiE8JuU0Xw +FiGB5dW1kWCL11y7wnAG9lBBRTZ/QUSJtpcjvnbXfHJ/6vQZEBfD34/NlyAEyx0D +awmP13uEfSLF4hDLzBGqofVmhQ41WozDiWEp0FxTLwlLkX7O4BLTzuvJUDw28Ka0 ++7XC3mGgrG+8fu9TCJ+xGK1b4wEj3hGlH33VtvRyHVN1ZozbYR7p6zzzSWmCtiBr +KQOhvlXkTPglp6ij4z8yH66nKptrVt3JWrEaAaAT0o6aLNt+/VsOLu+Sac7y3u/Q +LwkOZwIDAQABo2MwYTAdBgNVHQ4EFgQU+ELMiMnIGPnTsCRlBkz/Vau/Dn8wHwYD +VR0jBBgwFoAUqnHTsYpLu0cVR1+b0Ctp0W+FXvYwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAY +BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgFOA4IBgQA5qO+xZghQC17LsimM +m7G+IUTW2JcdRdxScPHerHRlA2uvoPAhYc4jOTPIyx6PdxIeW5kM4Rt1zx3XEobM +/IaQD0XqiwhHCKxWRDHyySNr1TDKX0mwS4s2vVyS+oY0V4AwkylZGaTd+ZEmikm0 +7pOq4bIG9i8q2Vtt+XwETxx6zI45wpg6vbmiJIKP5NiAR3OEbrwgXKx5cqdv48g6 +nMyDsR/iZTuh9YYaM1O8BbpqsbyntMFEjArMwhXawd3cMZFGW0jY6gN44R/OeRnI +btY/TPU7s+cut0YMWM3KVqaI+/0S0SeAWqJRlvhMZY1xC4TKlPmfyThio2TNkURQ +7bvAHZu4pFexei5EV6UVusyzYvVGqs37U9Pt7+P0sps/KdAAjBlhSLbadCcFaXvf +BA7i8Q8a+pJweXiGUmDhTU5mFLqG4k7d4NDzwC1tOhYAHcacJ2+mXyFM5IIUldGn +ShUTuthlrTSikzrRSRJN8pfz4oqD0r+EhMaHcMk44F/+fzg= +-----END CERTIFICATE----- diff --git a/certs/rsapss/ca-rsapss-key.der b/certs/rsapss/ca-rsapss-key.der new file mode 100644 index 000000000..0a13499db Binary files /dev/null and b/certs/rsapss/ca-rsapss-key.der differ diff --git a/certs/rsapss/ca-rsapss-key.pem b/certs/rsapss/ca-rsapss-key.pem new file mode 100644 index 000000000..a9724c461 --- /dev/null +++ b/certs/rsapss/ca-rsapss-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PUBLIC KEY----- +MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEB +CDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1g7HUE0p9aii1ClbWPK8 +LSfeiEkahBkrhI2U0XgS1nsU2NKCJJWr/k9V++BV/Dk3e0GAtJhvf8W3Pjf4Xx0v +EjGI+Ys7AIXmNqUXP5qkvkj/ejYiLCPUn1tS0RfRwfJpGdgyxfd57IMZh+MToENe +sekD7bQIzXsUaA8lT5DwBKe7CIkI3HZOcEkEQU2/t393eWrvaEtil44zkTIq42MV +R/ZhpCbbAgS2V8Cn8KrsIHKRwzKrmH+Exuhf1uAa0iSxx1C7c4feKsPixGAyuORa +W7XkKYyLKGu7Gtw8/rnvnokoYLqkQGbVu+Bif6cr4Q845jPqshAOFMg/h5//iyjM +HQIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/ca-rsapss-priv.der b/certs/rsapss/ca-rsapss-priv.der new file mode 100644 index 000000000..5108996f1 Binary files /dev/null and b/certs/rsapss/ca-rsapss-priv.der differ diff --git a/certs/rsapss/ca-rsapss-priv.pem b/certs/rsapss/ca-rsapss-priv.pem new file mode 100644 index 000000000..a47cb4faa --- /dev/null +++ b/certs/rsapss/ca-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7AIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKYwggSiAgEAAoIBAQDWDsdQTSn1qKLU +KVtY8rwtJ96ISRqEGSuEjZTReBLWexTY0oIklav+T1X74FX8OTd7QYC0mG9/xbc+ +N/hfHS8SMYj5izsAheY2pRc/mqS+SP96NiIsI9SfW1LRF9HB8mkZ2DLF93nsgxmH +4xOgQ16x6QPttAjNexRoDyVPkPAEp7sIiQjcdk5wSQRBTb+3f3d5au9oS2KXjjOR +MirjYxVH9mGkJtsCBLZXwKfwquwgcpHDMquYf4TG6F/W4BrSJLHHULtzh94qw+LE +YDK45FpbteQpjIsoa7sa3Dz+ue+eiShguqRAZtW74GJ/pyvhDzjmM+qyEA4UyD+H +n/+LKMwdAgMBAAECggEAQG0QRjYDVAHeiDauXLYqNvkR/DjsdyfQNkQar3URTmab +Hqs1Kme17YPZYEbj+lcKQNm1MCXVIULT5TEZWx9AhJxOGrVyG7UxVe8YcTdNMExu +QE08ucZK/2+QHIirxFD+mx28ImNa2fmXXJPW21yLisaUPR37rETIHo24cBsycmOw +dO25ggGtIX2M5nI75P9p7+jG7vnfDKkn7ER5exGVrF1dED14wra0PUI9yBkjX0Pu +j053crZUcpZMivERWzoGmRA4/leLcTBM/6k7JNoSP+NPIvOm0tDtdDCwos6/wqMw +UlBWBHXWKYlnpYByLGWs+NTZuI/3AAq4Tz3eNX7egQKBgQDta9NSRgEvyXgry9Xv +PV77LBCXyha4FbCS+J3B8sXaGTLZ66zZia2abSRh6/f4HJ9T975tmsKycvcgbdMx +znO4VX+hrOzPYLEug0K3j6SWd8ogvUYfcHe3jqlEac8djfq9lL0/+b2oJGDkUKnM +mOz6WKmfJTora22P8zJ8dgt/vQKBgQDmzuvNQGhwINFBewVkUxjAUWs6sTVucva7 +qd/19OwUIZPDjnIGI9GMY2G21ez8mfgM8NToqyHyl+nwa5y7yy2b18PPXO2agYA6 +E2BIoor8q+y14g6rEsRDOzzWP0sdAp49CpA5wuEouFN+Wn4IJX8JFosHGK6yNn+h +hk4PNMST4QKBgExBGnFNTKpFghRG9qJNSslPQNEPtjZPuROrSDf3unYvK7b0S+Le +pmR383yD5nPI9Z9pbb8UOr5H0HmY7IENtvsYctLBkJmWi7HNtMryFsHBHalgQTpt +y/Wnm1P+y+fJJyRmtlXq53AupvQNuEufPlW1zlzv/vvdGCZozOlOnKjdAoGACjox +CK9J8W4C17vzyTZFaoAxGDCyBWris/4bBnML4vh567hsJQmBR48/zTI9hhPsgeZK +COVMY8uHejfKgifGpZkx/AZKIQaMAAbLxWwubHPR0V1q+Pmj6La/Q18anPZ4vIuz +SFvyTjOcv4STARloP6bYEkBtvUfc7/NbkiDsdQECgYB5e44XdK+5zu+dOUEoN2IR +Jn3YKDJD11Mu7iokFIAnaFC+JUWGUvCPxH8x/UIZ0dFGaak1cbRlfn+xN5SsVxj6 +TZRDmarSQMe7awXUyNw8VHXfHgDFwLMJYC/farwtqH/C0b3DQb8Qq+qlqbj7tzRT +nHPf/IrgYLxWJSKZ/3nvvQ== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/ca-rsapss.der b/certs/rsapss/ca-rsapss.der new file mode 100644 index 000000000..32551ab5c Binary files /dev/null and b/certs/rsapss/ca-rsapss.der differ diff --git a/certs/rsapss/ca-rsapss.pem b/certs/rsapss/ca-rsapss.pem new file mode 100644 index 000000000..14811aa88 --- /dev/null +++ b/certs/rsapss/ca-rsapss.pem @@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:d6:0e:c7:50:4d:29:f5:a8:a2:d4:29:5b:58:f2: + bc:2d:27:de:88:49:1a:84:19:2b:84:8d:94:d1:78: + 12:d6:7b:14:d8:d2:82:24:95:ab:fe:4f:55:fb:e0: + 55:fc:39:37:7b:41:80:b4:98:6f:7f:c5:b7:3e:37: + f8:5f:1d:2f:12:31:88:f9:8b:3b:00:85:e6:36:a5: + 17:3f:9a:a4:be:48:ff:7a:36:22:2c:23:d4:9f:5b: + 52:d1:17:d1:c1:f2:69:19:d8:32:c5:f7:79:ec:83: + 19:87:e3:13:a0:43:5e:b1:e9:03:ed:b4:08:cd:7b: + 14:68:0f:25:4f:90:f0:04:a7:bb:08:89:08:dc:76: + 4e:70:49:04:41:4d:bf:b7:7f:77:79:6a:ef:68:4b: + 62:97:8e:33:91:32:2a:e3:63:15:47:f6:61:a4:26: + db:02:04:b6:57:c0:a7:f0:aa:ec:20:72:91:c3:32: + ab:98:7f:84:c6:e8:5f:d6:e0:1a:d2:24:b1:c7:50: + bb:73:87:de:2a:c3:e2:c4:60:32:b8:e4:5a:5b:b5: + e4:29:8c:8b:28:6b:bb:1a:dc:3c:fe:b9:ef:9e:89: + 28:60:ba:a4:40:66:d5:bb:e0:62:7f:a7:2b:e1:0f: + 38:e6:33:ea:b2:10:0e:14:c8:3f:87:9f:ff:8b:28: + cc:1d + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 9E:0C:E0:D3:DF:B6:4B:F3:19:63:5C:CA:6C:93:86:A2:14:53:91:31 + X509v3 Authority Key Identifier: + keyid:64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + 32:66:7b:22:4b:80:fc:7a:81:5a:11:1d:1b:d8:a6:26:a9:38: + 6f:f8:c5:cb:80:47:0c:08:cc:12:a4:7a:17:8e:d6:a5:a8:cb: + df:ea:b7:77:b4:df:e5:92:ba:7f:9b:a2:71:0d:7d:7a:36:29: + bd:03:7b:52:65:0d:79:ae:c3:ac:e8:a4:75:c6:28:c0:05:33: + 51:f4:85:37:0e:9c:03:dc:51:3d:5d:55:88:17:da:b5:c5:b1: + 91:a5:a9:40:91:07:a3:0c:17:75:f9:fa:52:43:94:21:40:24: + 8c:31:f3:4a:5e:96:86:20:9b:37:87:a4:56:ac:4f:ac:e6:a6: + 0c:05:cc:62:b2:0a:62:63:04:5f:dc:52:46:db:12:5e:16:2b: + 62:00:fa:30:5f:04:33:28:0c:a6:6c:49:cb:35:ad:f4:d5:57: + cb:16:7c:f4:8c:99:22:e4:e1:f4:97:e4:df:b2:1f:62:8f:50: + 2e:43:aa:cf:c7:86:ae:da:7f:b7:eb:16:cb:28:c2:bc:80:7b: + f2:7f:16:60:88:0e:49:aa:d3:2a:92:54:38:a4:09:be:79:e1: + 1d:6f:b1:95:0c:02:f9:e7:f4:4b:b8:44:4a:e2:db:02:08:b3: + e6:79:d5:d0:bd:34:8f:cc:8e:19:28:48:07:7b:d0:b2:31:ba: + db:e2:e0:3f +-----BEGIN CERTIFICATE----- +MIIEvzCCA3egAwIBAgIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDCBnTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xGDAWBgNVBAoMD3dv +bGZTU0xfUlNBLVBTUzEVMBMGA1UECwwMUm9vdC1SU0EtUFNTMRgwFgYDVQQDDA93 +d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w +HhcNMjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIyNzU1WjCBsjELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndv +bGZTU0xfUlNBUFNTMRIwEAYDVQQLDAlDQS1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEK +AoIBAQDWDsdQTSn1qKLUKVtY8rwtJ96ISRqEGSuEjZTReBLWexTY0oIklav+T1X7 +4FX8OTd7QYC0mG9/xbc+N/hfHS8SMYj5izsAheY2pRc/mqS+SP96NiIsI9SfW1LR +F9HB8mkZ2DLF93nsgxmH4xOgQ16x6QPttAjNexRoDyVPkPAEp7sIiQjcdk5wSQRB +Tb+3f3d5au9oS2KXjjORMirjYxVH9mGkJtsCBLZXwKfwquwgcpHDMquYf4TG6F/W +4BrSJLHHULtzh94qw+LEYDK45FpbteQpjIsoa7sa3Dz+ue+eiShguqRAZtW74GJ/ +pyvhDzjmM+qyEA4UyD+Hn/+LKMwdAgMBAAGjYzBhMB0GA1UdDgQWBBSeDODT37ZL +8xljXMpsk4aiFFORMTAfBgNVHSMEGDAWgBRk1eyCh4DeWu1JmNgMVH1GnqU81jAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjA9BgkqhkiG9w0BAQowMKAN +MAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOC +AQEAMmZ7IkuA/HqBWhEdG9imJqk4b/jFy4BHDAjMEqR6F47WpajL3+q3d7Tf5ZK6 +f5uicQ19ejYpvQN7UmUNea7DrOikdcYowAUzUfSFNw6cA9xRPV1ViBfatcWxkaWp +QJEHowwXdfn6UkOUIUAkjDHzSl6WhiCbN4ekVqxPrOamDAXMYrIKYmMEX9xSRtsS +XhYrYgD6MF8EMygMpmxJyzWt9NVXyxZ89IyZIuTh9Jfk37IfYo9QLkOqz8eGrtp/ +t+sWyyjCvIB78n8WYIgOSarTKpJUOKQJvnnhHW+xlQwC+ef0S7hESuLbAgiz5nnV +0L00j8yOGShIB3vQsjG62+LgPw== +-----END CERTIFICATE----- diff --git a/certs/rsapss/client-3072-rsapss-key.der b/certs/rsapss/client-3072-rsapss-key.der new file mode 100644 index 000000000..944ac7253 Binary files /dev/null and b/certs/rsapss/client-3072-rsapss-key.der differ diff --git a/certs/rsapss/client-3072-rsapss-key.pem b/certs/rsapss/client-3072-rsapss-key.pem new file mode 100644 index 000000000..f83e92f04 --- /dev/null +++ b/certs/rsapss/client-3072-rsapss-key.pem @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoCggGBALsGKOR/yUF2vibGqboI5jWc +M6A8W6uVI9drYdMui43tHNlXrhpp4s5liC5lD8vxecssRpY+P1tZ5be1sTx8JuRW +IVFdBHnZf1xxVOkemcH3vmwPe+9GjUAOo2vOmJtsDW3TJJ2e6GglnEZgkjdicyF3 +Gr1c8BFt7rlvso42VD7hcms2yYhIhhhs+Nex4OTXDCoVzJIzhL1xGgdwqgMk4c7C +KLjjg/+6GVC3riL9++twcLAtF6A+qoVQQ2IkXQBRuBH62MYGQAe9SrBCcFLPF5Wx +U/xojRO+oA7ES8sXcs3NCy7/ZkJQzHZ9cE59Yxbl2uH7mWwdBmyr7tM2Tsc0X/fQ +HlD9/kE5KVzhx7/EUDZ1ijZNCWrKKswatw2LFm1IBzlh9cgHWpy/0qXxOTt+v2Ix +k7opWskJ1wAwPtgYjJ6nKHVJqok03loUKV38RwWraoQPVyxkqzuYs9ZIutvxA9Ag +95/vfVJQKONI7Sk+/v+Go2Q9fymio5NS5WrDqRNEzwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/client-3072-rsapss-priv.der b/certs/rsapss/client-3072-rsapss-priv.der new file mode 100644 index 000000000..b11fa543c Binary files /dev/null and b/certs/rsapss/client-3072-rsapss-priv.der differ diff --git a/certs/rsapss/client-3072-rsapss-priv.pem b/certs/rsapss/client-3072-rsapss-priv.pem new file mode 100644 index 000000000..646f43ac2 --- /dev/null +++ b/certs/rsapss/client-3072-rsapss-priv.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG+wIBADALBgkqhkiG9w0BAQoEggbnMIIG4wIBAAKCAYEAuwYo5H/JQXa+Jsap +ugjmNZwzoDxbq5Uj12th0y6Lje0c2VeuGmnizmWILmUPy/F5yyxGlj4/W1nlt7Wx +PHwm5FYhUV0Eedl/XHFU6R6Zwfe+bA9770aNQA6ja86Ym2wNbdMknZ7oaCWcRmCS +N2JzIXcavVzwEW3uuW+yjjZUPuFyazbJiEiGGGz417Hg5NcMKhXMkjOEvXEaB3Cq +AyThzsIouOOD/7oZULeuIv3763BwsC0XoD6qhVBDYiRdAFG4EfrYxgZAB71KsEJw +Us8XlbFT/GiNE76gDsRLyxdyzc0LLv9mQlDMdn1wTn1jFuXa4fuZbB0GbKvu0zZO +xzRf99AeUP3+QTkpXOHHv8RQNnWKNk0JasoqzBq3DYsWbUgHOWH1yAdanL/SpfE5 +O36/YjGTuilayQnXADA+2BiMnqcodUmqiTTeWhQpXfxHBatqhA9XLGSrO5iz1ki6 +2/ED0CD3n+99UlAo40jtKT7+/4ajZD1/KaKjk1LlasOpE0TPAgMBAAECggGAdKPV +0xRjRyGwW+ygo/ay5JKDnBaosW01Sj+dZiDsRlqwGFjXq3+IRWMLOKws2uvCItV9 +PGycBPQfEaEOZYOkmdmhs+XISdo81UGVTEKacF97cleB2uvsYhv/DdhuUthj06/Q +cUFO/s0eFsJZzpLm7OMkWR9iVexy61HfUVRO3FysiHNF42ofv5IO7C7y7KW133Vy +/WeGDMRCEIvSbF2POuzaitzSUSYWbcHwp8AxYlfg3+9vgbAzlytEqyu0mONdUJFm +2Byjv141pDDtrEdTJPg1TYfaRkxVEtBJB6tFfwJm+Pcn2Y9vDW2/AdWXouhgV3tz +EGEN8U9LGQQ7AsSw6xYcJiH0fBXS0nq1DYNClSDp7dtvQGklp50tKuixLv55ahRL +J7Hcvt7yCMGbU5IGg1fu6wtuLEuvKKHg0maYQK0YDn7DXQkeTgVoK85vdxNJrZOD +vDKX6dT/1q6XkJnhUp74qVqL84MxAFjejK1Q+3JtWFfFjDR1/XDQ0AFbBjFBAoHB +AOxpeAZg5EA4KcSG6BIL5XxQ3g44Egsg6PPpNCuJZJEhU0kHZyD/VtTYRfw0awRI +IsZWo0lPRvzyzP/95IPP3YVHn7qgBu7wfR7sdH7nBXyXgu8Wkp62UfS1u6+3loFj +B9tUdbMjMUv+Em0Ns9tzWLFc/ILNniWmgz1VnweoE9EThYT1QWXuXhW7t3YFMbt3 +vWZSA3Ev8cs+Kj7cUF7RPBBVVAtTjkvo40P0htTAk50+k41VXiftvT1ASBuQy41p +YQKBwQDKhR/ThcrXGN4J7KMr3jztMXi+iYVcY+V4ok9l9KdcSEUNVTIaSfvJNjOw +DJgXOc4uRdMhpO2Gmf6kZNP4Em5Ri0++G2iK+89lY4S4Na9wAd95790It2GokjEZ +TndvyHWYp26baHooV3gu/rc63p/PTHGRUn9EDh5NR28Neph2W6ggm8AntosLlT3b +UnAhLcPli0M14hq8lB/U04PA8/M9Cnh+QqX8/rpavbYooGGYibV3vDFKmVI6fyGC +kbqobC8CgcEAtmSAh1tFfg5WmxsB/LpU6N5zE0FLGm7fix7Gczhi8F1nphYiCKE2 +2qupAvVmAz2sJp09CRgyyoCAjJfTL6a1X1hs8Uz5TGsZ/TusfSO7Ze52xAMER5Ke +FFAJZ34ajeRbcWnuDLEAHYL9sEk8E/kf2mbFIh2E/8NByZY/RWb1Mv7+qh+VvxBy +Yg4bcuB7CAlPhJuNsEuvHoDtkuXi0+RVlLxgRQTH6eTZQdpsE8Qnns9ig03zgJa4 +w4LOnwXNJWLBAoHAasr+eG1CBGFBnRwjA1wC5tVCpb8hCxJGjHGSyuHTay9U8m3t +qL1Av98MLJbHkN/ToMUDS+eLtYH5LLlaqaMWd3uuBkKvwzJ8MCvlbboplDf4n3Vk +KleBcQH+UCj3hIPBt0j7Y4oZeLJ/VtDM0Ida4FagQJCvObT0N64mmoX+ZdN5ehCH +qKly8x2067WyGVznw2DHhV+A19aIXpNXE+XQa2zdEz+UBjBRFs6ZgxznuidMASLF +H2BwYxZtFkxAkNXTAoHAVTyVGyoWbFc3SGfmvTqXCo3MNRTPJHWuxVQz2/SLKVbb +ZltLjMnslRssPA/BMumWdYa6oc8TB0+vNLdOgJA5xn5Cqj2U60GdvNwp++dXXflF +vI8Cy/vNKT1PoMb3KWCUHCrYkHPLypSrZ0rVztNxKCjUYQ+u/BtNo2Sc8/HhB3tk +CybdGAZLD6LYhYfTcyTL1XwyXhFDcVwfu3HKtt0oNLLBB/+K1yTkOvEKx43tz2WT +QRuebAulzRxxwUIyE598 +-----END PRIVATE KEY----- diff --git a/certs/rsapss/client-3072-rsapss.der b/certs/rsapss/client-3072-rsapss.der new file mode 100644 index 000000000..82762ff13 Binary files /dev/null and b/certs/rsapss/client-3072-rsapss.der differ diff --git a/certs/rsapss/client-3072-rsapss.pem b/certs/rsapss/client-3072-rsapss.pem new file mode 100644 index 000000000..c2bc6114c --- /dev/null +++ b/certs/rsapss/client-3072-rsapss.pem @@ -0,0 +1,128 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:fb:25:ba:76:1a:4b:f9:38:2a:2b:4d:50:17:1e:7b:32:31:e3:30 + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:bb:06:28:e4:7f:c9:41:76:be:26:c6:a9:ba:08: + e6:35:9c:33:a0:3c:5b:ab:95:23:d7:6b:61:d3:2e: + 8b:8d:ed:1c:d9:57:ae:1a:69:e2:ce:65:88:2e:65: + 0f:cb:f1:79:cb:2c:46:96:3e:3f:5b:59:e5:b7:b5: + b1:3c:7c:26:e4:56:21:51:5d:04:79:d9:7f:5c:71: + 54:e9:1e:99:c1:f7:be:6c:0f:7b:ef:46:8d:40:0e: + a3:6b:ce:98:9b:6c:0d:6d:d3:24:9d:9e:e8:68:25: + 9c:46:60:92:37:62:73:21:77:1a:bd:5c:f0:11:6d: + ee:b9:6f:b2:8e:36:54:3e:e1:72:6b:36:c9:88:48: + 86:18:6c:f8:d7:b1:e0:e4:d7:0c:2a:15:cc:92:33: + 84:bd:71:1a:07:70:aa:03:24:e1:ce:c2:28:b8:e3: + 83:ff:ba:19:50:b7:ae:22:fd:fb:eb:70:70:b0:2d: + 17:a0:3e:aa:85:50:43:62:24:5d:00:51:b8:11:fa: + d8:c6:06:40:07:bd:4a:b0:42:70:52:cf:17:95:b1: + 53:fc:68:8d:13:be:a0:0e:c4:4b:cb:17:72:cd:cd: + 0b:2e:ff:66:42:50:cc:76:7d:70:4e:7d:63:16:e5: + da:e1:fb:99:6c:1d:06:6c:ab:ee:d3:36:4e:c7:34: + 5f:f7:d0:1e:50:fd:fe:41:39:29:5c:e1:c7:bf:c4: + 50:36:75:8a:36:4d:09:6a:ca:2a:cc:1a:b7:0d:8b: + 16:6d:48:07:39:61:f5:c8:07:5a:9c:bf:d2:a5:f1: + 39:3b:7e:bf:62:31:93:ba:29:5a:c9:09:d7:00:30: + 3e:d8:18:8c:9e:a7:28:75:49:aa:89:34:de:5a:14: + 29:5d:fc:47:05:ab:6a:84:0f:57:2c:64:ab:3b:98: + b3:d6:48:ba:db:f1:03:d0:20:f7:9f:ef:7d:52:50: + 28:e3:48:ed:29:3e:fe:ff:86:a3:64:3d:7f:29:a2: + a3:93:52:e5:6a:c3:a9:13:44:cf + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + 8C:01:9F:4E:11:24:28:BF:3E:EA:82:EA:54:2A:C9:0F:F5:E4:C5:47 + X509v3 Authority Key Identifier: + keyid:8C:01:9F:4E:11:24:28:BF:3E:EA:82:EA:54:2A:C9:0F:F5:E4:C5:47 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_RSAPSS/OU=Client-RSAPSS/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL + serial:34:FB:25:BA:76:1A:4B:F9:38:2A:2B:4D:50:17:1E:7B:32:31:E3:30 + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:example.com, IP Address:127.0.0.1 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 6a:0b:ea:2c:f1:b8:04:d9:8f:a4:a4:be:11:1b:40:2f:dd:bc: + be:47:bb:1e:3d:ef:05:4f:a2:c4:78:59:79:ca:86:d9:d3:cf: + f6:61:9d:a7:5c:22:48:de:e0:53:27:8a:59:e2:d7:8d:03:e2: + 0a:64:55:22:81:e9:69:b4:c4:d1:58:84:a7:85:0d:16:d2:c0: + ee:d7:10:72:46:73:ea:98:61:85:77:a8:b6:40:d4:49:36:a1: + e0:6f:c8:6c:ec:13:6e:e5:4b:d8:d4:e7:be:03:56:03:d4:6c: + 67:9d:30:c4:c5:78:68:cc:60:e9:88:f7:5a:6f:31:ff:26:63: + a5:8d:d2:30:cf:a1:bc:fb:3f:d0:2f:a3:ba:d9:03:ec:fb:b8: + b7:02:46:98:cd:77:40:ba:67:46:55:e9:e3:16:bf:a9:7a:2d: + 49:ee:19:c6:32:c4:04:b1:03:7a:7e:c5:bd:f8:b6:ac:7f:cf: + 4a:ce:af:44:ae:14:cb:c7:69:fe:7c:a3:e7:63:49:b4:3c:e6: + 8b:33:60:92:f7:cf:be:c8:94:c7:f2:3b:d2:03:6b:71:2b:d3: + f6:e0:e9:b2:ba:e2:2b:56:5e:5b:b1:d7:23:92:53:d4:90:e9: + 64:9e:87:d6:e7:4a:74:7b:a8:78:46:1c:24:19:5b:e0:32:21: + 92:cf:69:b4:c2:4d:62:2f:b5:b9:e5:0c:d6:cc:87:45:a2:4c: + 29:a0:6d:50:60:4e:7b:c8:21:37:a0:12:1b:13:10:6e:ac:5c: + cc:07:21:ed:0b:e2:81:eb:7c:c8:e0:dc:cb:1f:8c:7e:38:6f: + 1e:1c:ab:91:93:d0:ec:b4:ce:5e:7e:eb:7f:cf:e0:6c:f9:80: + 29:04:4c:e4:e5:ab:69:ff:b3:18:ba:54:09:cd:ef:bd:6f:b7: + 64:1f:33:ef:08:84:93:3a:2b:81:ab:60:98:9c:08:ac:5c:55: + 06:44:bb:e5:4c:92:cb:a6:2f:8f:40:92:2d:80:43:a4:97:28: + 18:17:0e:8e:54:94 +-----BEGIN CERTIFICATE----- +MIIGxTCCBPygAwIBAgIUNPslunYaS/k4KitNUBceezIx4zAwPgYJKoZIhvcNAQEK +MDGgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQC +AgFOMIG2MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH +Qm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxFjAUBgNVBAsMDUNsaWVu +dC1SU0FQU1MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dvbGZTU0wwHhcN +MjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIyNzU1WjCBtjELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndvbGZT +U0xfUlNBUFNTMRYwFAYDVQQLDA1DbGllbnQtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoC +ggGBALsGKOR/yUF2vibGqboI5jWcM6A8W6uVI9drYdMui43tHNlXrhpp4s5liC5l +D8vxecssRpY+P1tZ5be1sTx8JuRWIVFdBHnZf1xxVOkemcH3vmwPe+9GjUAOo2vO +mJtsDW3TJJ2e6GglnEZgkjdicyF3Gr1c8BFt7rlvso42VD7hcms2yYhIhhhs+Nex +4OTXDCoVzJIzhL1xGgdwqgMk4c7CKLjjg/+6GVC3riL9++twcLAtF6A+qoVQQ2Ik +XQBRuBH62MYGQAe9SrBCcFLPF5WxU/xojRO+oA7ES8sXcs3NCy7/ZkJQzHZ9cE59 +Yxbl2uH7mWwdBmyr7tM2Tsc0X/fQHlD9/kE5KVzhx7/EUDZ1ijZNCWrKKswatw2L +Fm1IBzlh9cgHWpy/0qXxOTt+v2Ixk7opWskJ1wAwPtgYjJ6nKHVJqok03loUKV38 +RwWraoQPVyxkqzuYs9ZIutvxA9Ag95/vfVJQKONI7Sk+/v+Go2Q9fymio5NS5WrD +qRNEzwIDAQABo4IBZzCCAWMwHQYDVR0OBBYEFIwBn04RJCi/PuqC6lQqyQ/15MVH +MIH2BgNVHSMEge4wgeuAFIwBn04RJCi/PuqC6lQqyQ/15MVHoYG8pIG5MIG2MQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEX +MBUGA1UECgwOd29sZlNTTF9SU0FQU1MxFjAUBgNVBAsMDUNsaWVudC1SU0FQU1Mx +GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dvbGZTU0yCFDT7Jbp2Gkv5OCor +TVAXHnsyMeMwMAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22H +BH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD4GCSqGSIb3DQEB +CjAxoA0wCwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIE +AgIBTgOCAYEAagvqLPG4BNmPpKS+ERtAL928vke7Hj3vBU+ixHhZecqG2dPP9mGd +p1wiSN7gUyeKWeLXjQPiCmRVIoHpabTE0ViEp4UNFtLA7tcQckZz6phhhXeotkDU +STah4G/IbOwTbuVL2NTnvgNWA9RsZ50wxMV4aMxg6Yj3Wm8x/yZjpY3SMM+hvPs/ +0C+jutkD7Pu4twJGmM13QLpnRlXp4xa/qXotSe4ZxjLEBLEDen7Fvfi2rH/PSs6v +RK4Uy8dp/nyj52NJtDzmizNgkvfPvsiUx/I70gNrcSvT9uDpsrriK1ZeW7HXI5JT +1JDpZJ6H1udKdHuoeEYcJBlb4DIhks9ptMJNYi+1ueUM1syHRaJMKaBtUGBOe8gh +N6ASGxMQbqxczAch7Qviget8yODcyx+MfjhvHhyrkZPQ7LTOXn7rf8/gbPmAKQRM +5OWraf+zGLpUCc3vvW+3ZB8z7wiEkzorgatgmJwIrFxVBkS75UySy6Yvj0CSLYBD +pJcoGBcOjlSU +-----END CERTIFICATE----- diff --git a/certs/rsapss/client-rsapss-key.der b/certs/rsapss/client-rsapss-key.der new file mode 100644 index 000000000..e6c2a33e3 Binary files /dev/null and b/certs/rsapss/client-rsapss-key.der differ diff --git a/certs/rsapss/client-rsapss-key.pem b/certs/rsapss/client-rsapss-key.pem new file mode 100644 index 000000000..b10320a61 --- /dev/null +++ b/certs/rsapss/client-rsapss-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PUBLIC KEY----- +MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEB +CDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEAxoe+YIdDfcSs5Po8Eh3H +z+pcxJNy4g03RzM94KXsVxa9gCpa+aG37m1GfDpOJOMXYlo4lwsDE6V6XhGhUPsb +bRYTVrt3CnuYzIUR0pMx7XQBOD03ATbWUsAn+1P7rv1WvAKAkYHM7VFGFnsdjvMG +SIMoEUu4p3voko6T9I0d+sx8KFE9IZiQP4Aqudwih/CNuae7zKTdJa1liCjxHE/c +BPJaD1K2NYRSGNe/3uPc9vA8ydvNsUgRS658HlmstYzuLoMP9Sk0OXTLmvqm02PV +aXrc8g1DRgMQp7CczRWzNl5DXgVMA2KZKdBXBedU37DlcTk38RNmcBLzh5gJjx/h +5wIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/client-rsapss-priv.der b/certs/rsapss/client-rsapss-priv.der new file mode 100644 index 000000000..c922c0689 Binary files /dev/null and b/certs/rsapss/client-rsapss-priv.der differ diff --git a/certs/rsapss/client-rsapss-priv.pem b/certs/rsapss/client-rsapss-priv.pem new file mode 100644 index 000000000..a256a3360 --- /dev/null +++ b/certs/rsapss/client-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7AIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKYwggSiAgEAAoIBAQDGh75gh0N9xKzk ++jwSHcfP6lzEk3LiDTdHMz3gpexXFr2AKlr5obfubUZ8Ok4k4xdiWjiXCwMTpXpe +EaFQ+xttFhNWu3cKe5jMhRHSkzHtdAE4PTcBNtZSwCf7U/uu/Va8AoCRgcztUUYW +ex2O8wZIgygRS7ine+iSjpP0jR36zHwoUT0hmJA/gCq53CKH8I25p7vMpN0lrWWI +KPEcT9wE8loPUrY1hFIY17/e49z28DzJ282xSBFLrnweWay1jO4ugw/1KTQ5dMua ++qbTY9VpetzyDUNGAxCnsJzNFbM2XkNeBUwDYpkp0FcF51TfsOVxOTfxE2ZwEvOH +mAmPH+HnAgMBAAECggEAdyBq5wcjQ2tph3hz5TcDd8ocYkRL0kK14b5oqc1GNLfL +fAVuU45rjOD7Q33E+DNgC78xZ8jOztIjzCBuGOakfV+auReCBcNGW6qZmC6E7gQG +21U4FT1ve3YcR54MTuNrUSN7PFSTv+9dzA2SHf3LzmUM/Nvf8HfUhWSSeVLYI23T +mwhU6VdQCRTk1zFuRNFI1ouekPZ2pLql3a/fWe4v4sxq7yWimUsw6DT5676Dy35g +gzgoXA25POglVNPeN79eHhJW0VlEcsRVwp6nBiPftXDWSZ9FEyu4WySB9hHKeWUR +A0WR05K4txv8VqtDjsUUd+9tSjaFQYdk7Z6v96e1+QKBgQDkY+Q2izXhbS844rny +cQVBBafr7ZuM1NGpZQDYpjgMQAfGiINfe/ecEFpd/fDmyo2lOdvZvOGaqul7Y+YN +Iu2YBREh+MRV2b0V285WV5B75LrjiVBAYmwUXvP/QAzO8r0cVpxxdJXroIDAxM90 +WKixwflIZD65Trf082yUiX6EIwKBgQDeh8LOctcYnfvjL6Vxag80JijbHCaT/bTB +rM8msxs6/+ZuZbDKKHJF8062XYt6O3Kjh72vdOXQUrvB3o3TQB6FPQERqx/b6Axi +/mnktuPhEjmZgMM3lwWwSfsl/mLLs4fGPqepAP3nTKXC7wNbRUJDAI1Pdk7S+m9w +XUtQATZVbQKBgBRIOrANVM+cHqFyoQjCuLC5i9wL0dCD5cqhSZ3zxO5xkT80SFZm +b+rQGPZX4tjcDBAsPzXq7C4MF4f5qyhnfaoOaSMXMHhfScdzKbPJOu+FtIMYYqQV +GXwFoq18RqbqL5kgp+v7aoTuUADOeY3fgbunejfPjzJtpzB9nZrjSvT5AoGASZSO +X4EtimBCt547kELHgDDV9Y1bXDfZmuivHla+vEV9Riety0qQbnzDHB3WTrZ1c4kg +uXFnw/h3SOVz89QRw3Cmd9cjk60o21rQXOX0d6l1DkK7ShhPszjjKG7y7/QPAwgY +nBNN4TtA3DH35CgEfu8hypKOAcj5LChNDMk51AkCgYB1A9rfqXpqlFlwKxpD9kFr +Ym+UoSypwHrGR6MUjO5L6uvOkeBlVbUNMvDgenaPE0h+CFGi+7xqzUvLRZZ3aHVz +5CVbWm4VeCRHxK557adbT8lGiCzvC1PZYAANcmWLvRl53wKpUcYMpiIb3vCMjOCe +n/r41ciXkbYBfmdP7xNOeg== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/client-rsapss.der b/certs/rsapss/client-rsapss.der new file mode 100644 index 000000000..596f9bb4e Binary files /dev/null and b/certs/rsapss/client-rsapss.der differ diff --git a/certs/rsapss/client-rsapss.pem b/certs/rsapss/client-rsapss.pem new file mode 100644 index 000000000..fb8c8203b --- /dev/null +++ b/certs/rsapss/client-rsapss.pem @@ -0,0 +1,112 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 37:58:ff:58:a9:ca:95:0e:04:64:0e:37:3b:f7:89:09:51:31:03:ac + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:c6:87:be:60:87:43:7d:c4:ac:e4:fa:3c:12:1d: + c7:cf:ea:5c:c4:93:72:e2:0d:37:47:33:3d:e0:a5: + ec:57:16:bd:80:2a:5a:f9:a1:b7:ee:6d:46:7c:3a: + 4e:24:e3:17:62:5a:38:97:0b:03:13:a5:7a:5e:11: + a1:50:fb:1b:6d:16:13:56:bb:77:0a:7b:98:cc:85: + 11:d2:93:31:ed:74:01:38:3d:37:01:36:d6:52:c0: + 27:fb:53:fb:ae:fd:56:bc:02:80:91:81:cc:ed:51: + 46:16:7b:1d:8e:f3:06:48:83:28:11:4b:b8:a7:7b: + e8:92:8e:93:f4:8d:1d:fa:cc:7c:28:51:3d:21:98: + 90:3f:80:2a:b9:dc:22:87:f0:8d:b9:a7:bb:cc:a4: + dd:25:ad:65:88:28:f1:1c:4f:dc:04:f2:5a:0f:52: + b6:35:84:52:18:d7:bf:de:e3:dc:f6:f0:3c:c9:db: + cd:b1:48:11:4b:ae:7c:1e:59:ac:b5:8c:ee:2e:83: + 0f:f5:29:34:39:74:cb:9a:fa:a6:d3:63:d5:69:7a: + dc:f2:0d:43:46:03:10:a7:b0:9c:cd:15:b3:36:5e: + 43:5e:05:4c:03:62:99:29:d0:57:05:e7:54:df:b0: + e5:71:39:37:f1:13:66:70:12:f3:87:98:09:8f:1f: + e1:e7 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 59:71:87:88:D0:3E:C7:EE:08:4D:80:F2:C9:FC:CF:3D:76:E6:A5:62 + X509v3 Authority Key Identifier: + keyid:59:71:87:88:D0:3E:C7:EE:08:4D:80:F2:C9:FC:CF:3D:76:E6:A5:62 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_RSAPSS/OU=Client-RSAPSS/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL + serial:37:58:FF:58:A9:CA:95:0E:04:64:0E:37:3B:F7:89:09:51:31:03:AC + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:example.com, IP Address:127.0.0.1 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + ae:d5:d0:0a:ba:a4:12:f1:95:99:15:c5:c6:a4:51:46:64:cb: + ed:15:94:0a:89:5e:d0:7f:e2:cb:64:a6:d2:48:e4:52:b2:5a: + c4:ab:d8:e5:2b:e3:72:f5:1d:de:f9:28:a6:e7:7c:29:0b:e3: + e6:0f:f8:2a:d2:e0:25:c6:c7:54:cb:a5:26:2d:20:c4:01:e5: + fe:9d:c6:4e:f8:ba:7a:84:e3:7c:b3:38:b0:d4:2e:47:57:a4: + 2b:5e:29:a9:73:11:93:46:2a:bf:24:11:2f:6d:ff:06:28:1f: + 05:c0:f2:4a:f0:81:29:22:d4:a4:0c:30:b4:cb:f6:51:72:76: + 4a:cf:67:b0:fb:91:1b:d1:92:fc:ad:2e:6f:f0:49:21:31:05: + 2d:ad:30:ba:fd:0b:6e:05:42:b9:a2:b8:34:3e:de:a7:a9:14: + f3:78:14:69:c6:67:ae:4d:b9:6e:72:4c:2e:95:19:03:22:8e: + 14:bc:51:2a:18:ed:cf:f6:0b:50:25:a5:e2:e0:2e:a6:93:76: + 68:8c:9e:1a:ee:bb:24:0a:93:4f:bf:73:2d:48:e8:43:bd:08: + a1:e2:6d:1d:00:a6:b1:78:43:36:57:8b:28:11:37:71:bb:a3: + f7:a6:93:29:85:28:93:ef:d8:a0:4f:2a:b7:15:09:a4:21:49: + b6:b8:c9:a0 +-----BEGIN CERTIFICATE----- +MIIF9TCCBK2gAwIBAgIUN1j/WKnKlQ4EZA43O/eJCVExA6wwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +ASAwgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UECwwNQ2xpZW50 +LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y +MjA3MjUwMjI3NTVaFw0yNTA0MjAwMjI3NTVaMIG2MQswCQYDVQQGEwJVUzEQMA4G +A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNT +TF9SU0FQU1MxFjAUBgNVBAsMDUNsaWVudC1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEK +AoIBAQDGh75gh0N9xKzk+jwSHcfP6lzEk3LiDTdHMz3gpexXFr2AKlr5obfubUZ8 +Ok4k4xdiWjiXCwMTpXpeEaFQ+xttFhNWu3cKe5jMhRHSkzHtdAE4PTcBNtZSwCf7 +U/uu/Va8AoCRgcztUUYWex2O8wZIgygRS7ine+iSjpP0jR36zHwoUT0hmJA/gCq5 +3CKH8I25p7vMpN0lrWWIKPEcT9wE8loPUrY1hFIY17/e49z28DzJ282xSBFLrnwe +Way1jO4ugw/1KTQ5dMua+qbTY9VpetzyDUNGAxCnsJzNFbM2XkNeBUwDYpkp0FcF +51TfsOVxOTfxE2ZwEvOHmAmPH+HnAgMBAAGjggFnMIIBYzAdBgNVHQ4EFgQUWXGH +iNA+x+4ITYDyyfzPPXbmpWIwgfYGA1UdIwSB7jCB64AUWXGHiNA+x+4ITYDyyfzP +PXbmpWKhgbykgbkwgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAw +DgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UE +CwwNQ2xpZW50LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJ +KoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29s +ZlNTTIIUN1j/WKnKlQ4EZA43O/eJCVExA6wwDAYDVR0TBAUwAwEB/zAcBgNVHREE +FTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB +BQUHAwIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B +AQgwCwYJYIZIAWUDBAIBogMCASADggEBAK7V0Aq6pBLxlZkVxcakUUZky+0VlAqJ +XtB/4stkptJI5FKyWsSr2OUr43L1Hd75KKbnfCkL4+YP+CrS4CXGx1TLpSYtIMQB +5f6dxk74unqE43yzOLDULkdXpCteKalzEZNGKr8kES9t/wYoHwXA8krwgSki1KQM +MLTL9lFydkrPZ7D7kRvRkvytLm/wSSExBS2tMLr9C24FQrmiuDQ+3qepFPN4FGnG +Z65NuW5yTC6VGQMijhS8USoY7c/2C1AlpeLgLqaTdmiMnhruuyQKk0+/cy1I6EO9 +CKHibR0AprF4QzZXiygRN3G7o/emkymFKJPv2KBPKrcVCaQhSba4yaA= +-----END CERTIFICATE----- diff --git a/certs/rsapss/gen-rsapss-keys.sh b/certs/rsapss/gen-rsapss-keys.sh new file mode 100755 index 000000000..b8a3b6790 --- /dev/null +++ b/certs/rsapss/gen-rsapss-keys.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +for key in root ca server client +do + + openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 > ${key}-rsapss-priv.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -out ${key}-rsapss-priv.der + + openssl pkey -in ${key}-rsapss-priv.pem -outform PEM -pubout -out ${key}-rsapss-key.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -pubout -out ${key}-rsapss-key.der + +done + +for key in root-3072 ca-3072 server-3072 client-3072 +do + + openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:3072 > ${key}-rsapss-priv.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -out ${key}-rsapss-priv.der + + openssl pkey -in ${key}-rsapss-priv.pem -outform PEM -pubout -out ${key}-rsapss-key.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -pubout -out ${key}-rsapss-key.der + +done + + diff --git a/certs/rsapss/include.am b/certs/rsapss/include.am new file mode 100644 index 000000000..fe931d8b5 --- /dev/null +++ b/certs/rsapss/include.am @@ -0,0 +1,59 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/rsapss/ca-rsapss.der \ + certs/rsapss/ca-rsapss.pem \ + certs/rsapss/ca-rsapss-key.der \ + certs/rsapss/ca-rsapss-key.pem \ + certs/rsapss/ca-rsapss-priv.der \ + certs/rsapss/ca-rsapss-priv.pem \ + certs/rsapss/client-rsapss.der \ + certs/rsapss/client-rsapss.pem \ + certs/rsapss/client-rsapss-key.der \ + certs/rsapss/client-rsapss-key.pem \ + certs/rsapss/client-rsapss-priv.der \ + certs/rsapss/client-rsapss-priv.pem \ + certs/rsapss/root-rsapss.der \ + certs/rsapss/root-rsapss.pem \ + certs/rsapss/root-rsapss-key.der \ + certs/rsapss/root-rsapss-key.pem \ + certs/rsapss/root-rsapss-priv.der \ + certs/rsapss/root-rsapss-priv.pem \ + certs/rsapss/server-rsapss.der \ + certs/rsapss/server-rsapss.pem \ + certs/rsapss/server-rsapss-cert.pem \ + certs/rsapss/server-rsapss-key.der \ + certs/rsapss/server-rsapss-key.pem \ + certs/rsapss/server-rsapss-priv.der \ + certs/rsapss/server-rsapss-priv.pem \ + certs/rsapss/ca-3072-rsapss.der \ + certs/rsapss/ca-3072-rsapss.pem \ + certs/rsapss/ca-3072-rsapss-key.der \ + certs/rsapss/ca-3072-rsapss-key.pem \ + certs/rsapss/ca-3072-rsapss-priv.der \ + certs/rsapss/ca-3072-rsapss-priv.pem \ + certs/rsapss/client-3072-rsapss.der \ + certs/rsapss/client-3072-rsapss.pem \ + certs/rsapss/client-3072-rsapss-key.der \ + certs/rsapss/client-3072-rsapss-key.pem \ + certs/rsapss/client-3072-rsapss-priv.der \ + certs/rsapss/client-3072-rsapss-priv.pem \ + certs/rsapss/root-3072-rsapss.der \ + certs/rsapss/root-3072-rsapss.pem \ + certs/rsapss/root-3072-rsapss-key.der \ + certs/rsapss/root-3072-rsapss-key.pem \ + certs/rsapss/root-3072-rsapss-priv.der \ + certs/rsapss/root-3072-rsapss-priv.pem \ + certs/rsapss/server-3072-rsapss.der \ + certs/rsapss/server-3072-rsapss.pem \ + certs/rsapss/server-3072-rsapss-cert.pem \ + certs/rsapss/server-3072-rsapss-key.der \ + certs/rsapss/server-3072-rsapss-key.pem \ + certs/rsapss/server-3072-rsapss-priv.der \ + certs/rsapss/server-3072-rsapss-priv.pem + +EXTRA_DIST += \ + certs/rsapss/renew-rsapss-certs.sh \ + certs/rsapss/gen-rsapss-keys.sh diff --git a/certs/rsapss/renew-rsapss-certs.sh b/certs/rsapss/renew-rsapss-certs.sh new file mode 100755 index 000000000..9d36de587 --- /dev/null +++ b/certs/rsapss/renew-rsapss-certs.sh @@ -0,0 +1,191 @@ +#!/bin/bash + +check_result(){ + if [ $1 -ne 0 ]; then + echo "Failed at \"$2\", Abort" + exit 1 + else + echo "Step Succeeded!" + fi +} + +############################################################ +####### update the self-signed root-rsapss.pem ############# +############################################################ +echo "Updating root-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSA-PSS\\nRoot-RSA-PSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \ +openssl req -new -key root-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in root-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-rsapss-priv.pem -out root-rsapss.pem +check_result $? "Generate certificate" +rm root-rsapss.csr + +openssl x509 -in root-rsapss.pem -outform DER > root-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in root-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem root-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +####### update ca-rsapss.pem signed by root ################ +############################################################ +echo "Updating ca-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nCA-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in ca-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-rsapss.pem -CAkey root-rsapss-priv.pem -set_serial 01 -out ca-rsapss.pem +check_result $? "Generate certificate" +rm ca-rsapss.csr + +openssl x509 -in ca-rsapss.pem -outform DER > ca-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in ca-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem ca-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +####### update server-rsapss.pem signed by ca ############## +############################################################ +echo "Updating server-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in server-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-rsapss.pem -CAkey ca-rsapss-priv.pem -set_serial 01 -out server-rsapss-cert.pem +check_result $? "Generate certificate" +rm server-rsapss.csr + +openssl x509 -in server-rsapss-cert.pem -outform DER > server-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in server-rsapss-cert.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem server-rsapss-cert.pem +cat server-rsapss-cert.pem ca-rsapss.pem > server-rsapss.pem +check_result $? "Add CA into server cert" +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +####### update the self-signed client-rsapss.pem ########### +############################################################ +echo "Updating client-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nClient-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in client-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-rsapss-priv.pem -out client-rsapss.pem +check_result $? "Generate certificate" +rm client-rsapss.csr + +openssl x509 -in client-rsapss.pem -outform DER > client-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in client-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem client-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + + +################################################################################ +# 3072-bit keys. RSA-PSS with SHA-384 +################################################################################ + +############################################################ +###### update the self-signed root-3072-rsapss.pem ######### +############################################################ +echo "Updating root-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSA-PSS\\nRoot-RSA-PSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \ +openssl req -new -key root-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in root-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-3072-rsapss-priv.pem -sha384 -out root-3072-rsapss.pem +check_result $? "Generate certificate" +rm root-3072-rsapss.csr + +openssl x509 -in root-3072-rsapss.pem -outform DER > root-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in root-3072-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem root-3072-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update ca-3072-rsapss.pem signed by root ############ +############################################################ +echo "Updating ca-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nCA-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in ca-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-3072-rsapss.pem -CAkey root-3072-rsapss-priv.pem -sha384 -set_serial 01 -out ca-3072-rsapss.pem +check_result $? "Generate certificate" +rm ca-3072-rsapss.csr + +openssl x509 -in ca-3072-rsapss.pem -outform DER > ca-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in ca-3072-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem ca-3072-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update server-3072-rsapss.pem signed by ca ########## +############################################################ +echo "Updating server-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in server-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-3072-rsapss.pem -CAkey ca-3072-rsapss-priv.pem -sha384 -set_serial 01 -out server-3072-rsapss-cert.pem +check_result $? "Generate certificate" +rm server-3072-rsapss.csr + +openssl x509 -in server-3072-rsapss-cert.pem -outform DER > server-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in server-3072-rsapss-cert.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem server-3072-rsapss-cert.pem +cat server-3072-rsapss-cert.pem ca-3072-rsapss.pem > server-3072-rsapss.pem +check_result $? "Add CA into server cert" +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update the self-signed client-3072-rsapss.pem ####### +############################################################ +echo "Updating client-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nClient-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in client-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-3072-rsapss-priv.pem -sha384 -out client-3072-rsapss.pem +check_result $? "Generate certificate" +rm client-3072-rsapss.csr + +openssl x509 -in client-3072-rsapss.pem -outform DER > client-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in client-3072-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem client-3072-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + + diff --git a/certs/rsapss/root-3072-rsapss-key.der b/certs/rsapss/root-3072-rsapss-key.der new file mode 100644 index 000000000..fffbf8e52 Binary files /dev/null and b/certs/rsapss/root-3072-rsapss-key.der differ diff --git a/certs/rsapss/root-3072-rsapss-key.pem b/certs/rsapss/root-3072-rsapss-key.pem new file mode 100644 index 000000000..04e12e56b --- /dev/null +++ b/certs/rsapss/root-3072-rsapss-key.pem @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoCggGBAK3N7U+UJ/pXKJC85TW2ljYY +JUXh3qqHmIhhK5cq5E72BjYcOLVdrplZmXABEvkCSXuuwap4QSab9jEJrwpr6/KM +OS/5/uA4pi8A7kBulIy+P8E+azqukebWbDQaVIi2OLj4yVi0jpkMqzduoVAl8eTi +dniclRJ+NX90ZR15t4FEeKNT8/QcF4AVt8H3obMLaVrnEmtJHwqEiHAZcxa+HM20 +4Oe/BGG62kTrUkF6RriOAoPBdQVg0GwOdX1Snvk4F96ozFzd5gKL9TBDHFqYj8PB +2V/mb27xdNbei1+LzjWK9FiKDmval82KarF/g058rrZ4jlHoSTTRaOPQv1uzF1rg +15QgEiZ7nRn6HhZlZeFUu/lPnmPa3BDcsJsJJNULl4PrLLMeFVA4kwZajBESYyEx +kcN8v1TtLC+892OkODZc87txPQ0V9lq8TO54UDFhQL9FKNK1L8EIr77WAwDPGWnj +oLCS7CZCXgKl0S3PuGPfzrMibBrTXYkVmsR3mM2VfwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/root-3072-rsapss-priv.der b/certs/rsapss/root-3072-rsapss-priv.der new file mode 100644 index 000000000..08b2be5d1 Binary files /dev/null and b/certs/rsapss/root-3072-rsapss-priv.der differ diff --git a/certs/rsapss/root-3072-rsapss-priv.pem b/certs/rsapss/root-3072-rsapss-priv.pem new file mode 100644 index 000000000..c2a27db9f --- /dev/null +++ b/certs/rsapss/root-3072-rsapss-priv.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADALBgkqhkiG9w0BAQoEggboMIIG5AIBAAKCAYEArc3tT5Qn+lcokLzl +NbaWNhglReHeqoeYiGErlyrkTvYGNhw4tV2umVmZcAES+QJJe67BqnhBJpv2MQmv +Cmvr8ow5L/n+4DimLwDuQG6UjL4/wT5rOq6R5tZsNBpUiLY4uPjJWLSOmQyrN26h +UCXx5OJ2eJyVEn41f3RlHXm3gUR4o1Pz9BwXgBW3wfehswtpWucSa0kfCoSIcBlz +Fr4czbTg578EYbraROtSQXpGuI4Cg8F1BWDQbA51fVKe+TgX3qjMXN3mAov1MEMc +WpiPw8HZX+ZvbvF01t6LX4vONYr0WIoOa9qXzYpqsX+DTnyutniOUehJNNFo49C/ +W7MXWuDXlCASJnudGfoeFmVl4VS7+U+eY9rcENywmwkk1QuXg+sssx4VUDiTBlqM +ERJjITGRw3y/VO0sL7z3Y6Q4Nlzzu3E9DRX2WrxM7nhQMWFAv0Uo0rUvwQivvtYD +AM8ZaeOgsJLsJkJeAqXRLc+4Y9/OsyJsGtNdiRWaxHeYzZV/AgMBAAECggGAKjTm +2ztkVfPSgwuMMfYMFkjYzFakhw70qLHILyaYWOB/86X403pTiyPqEfwAyn2WsLVo +jGg1khWvvIrYehRpMPaCcLcqAPNgz+tO8FCqPF97BgeNbKu1/LO3hROb0bNGpQyt +gKAgPOSJs6VnARql2mpwUKvdu6bwgOoYIAdN29Nv5GHfzTkBL/aWMEFdgChWRl/0 +5h7Ure4vX+GeRDiYsA+ryjtl6gHBPZlT2VjDUdASpkJVk5/GHWeJeoyU1HqdUty2 +V4vekiql4+XzasHQkISkn4RkaD0mzK1KXng3cbwolQfT6C2batYIMTpGjsHNmGgG +NgNEGiHy0ZbgoQ3Ao4LpJ4G8fFK9n9dfQ9itroBRAgJeLIrQGcXEcBriM8jPU8HZ +jFqU9XTvoeefllj1cvXtoDL9CWmSyuuAexKZa55ip+cFfY4B5ZBdtjFdafSdn4UK +FYQr+E7SJ5HjsWTrQPTxBUQF15M0IOt3a0w1ULD44UC5hRqnuc3a17DrVeUhAoHB +ANXFtXSBdv4Qiow8o/HY4H6hP7sGj82HzyEKM7ZmbMagnX5QCYy+uwr5BVfQ1XHx +aznUo5/xsv5H0uYmXqnXVh2Xk4dvQAKzJYrMVXLbRgGCC7IijI2ufi1fITf4b1NJ +NKgyPdzQDogIAWQalwvIl9ZC0NcY+VhQ3geG6sQnYs5137jBepqYxw1gvW63716h +SrC2EjZMsBWoF++g5wJ26OLTFrXITvLdALEjF4/N7eYhs3siYSfddHM8nIhuqvxN +TwKBwQDQIxL6iMNmtmKKe+/2AetcJG0d7vJkYB/E+wLYkpYMsBrVptqt5SmHXcLZ +099GhnbooMlI+1y/15Gnve8h74t+YAxWxBdi/snX1j63+A9iQo4CwjHplrKFWCyT +ejFGEOXAqe+38w7njtxBu6V2ZHNzitZhHKwAlwamOEdbmxD7nlXX+AJUUh3jdn/O +hU17vj8t3d17ip/M6znhUagkO2LcaS+wTIz1/z4kju2wix5k/6EYKEaxdTKKTAaf +UXEYCNECgcEAh9wONYwuRsvWccf8XbD7BB+Q9Fj4PaRpZFMqiGrSCO59CZDucM+q +6g9XcPcdIDxRbECS+QzQOEEHbRPHp+NeLJJvxWxT3yNh4bN5PvTSqhSvQDgq4cSb +FlTWNM8kWWc2GwtLO7HS+ms0Dx3DD08eCKMQPRP3LETAx0HcpGtvpU1OsQnt1KDy +KLNp0Rr++0JAyMv+CRp18l2RUM8O4gcWfUmwrjkuy7TfQrTNvawf3NlgSwqPepmI +78/+n8rNymmLAoHAa8heAaNlHQGB0hkQUKL50MOERiYBG/2zNfyOorx2O6fOnalE +QR0U/maNiuPvEcR8O0dYNRUGGMp3QRhYh4hXAmCWwy/UtI0g1Ua7P+WTgdzZUZBi +7IX/eJIKs2xpq9EASV83JlkV9M/EO74Cl2a5arIRBkUkxUFwTg+C1Gtexg5egfKK +skO7+pjY4oehcl04tnXYRiupSSLe3FG+8tRWA7Hs4i0iKhm9go0JhYzldoPyVmI1 +CZyZSYjJPSOdn0ahAoHBAKbA137srUs34GZvoLkLHsUAEsi9CICVcp5q3MQHvbDH +UfuKAnnpUk1Ly2PAM+zfYfMrC21AMpE2esg6VsqTuhFS/Y8cDYPic4WqtjCtszBn +yiGEFddY3j6dNAEM8Mm6WxsoY2PI6aAAbn8sVyFom4+cbpPeTifw5bFBtyeLsTlz +M5QFpZUvnbW9i8Pif7gea/nF/J/z3iX8XUskZwXpDsucktpGG2bchKN7XKHx1YzH +J4ULnO3PUfR4GVbrSVWl4g== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/root-3072-rsapss.der b/certs/rsapss/root-3072-rsapss.der new file mode 100644 index 000000000..45a16ee1f Binary files /dev/null and b/certs/rsapss/root-3072-rsapss.der differ diff --git a/certs/rsapss/root-3072-rsapss.pem b/certs/rsapss/root-3072-rsapss.pem new file mode 100644 index 000000000..062c84beb --- /dev/null +++ b/certs/rsapss/root-3072-rsapss.pem @@ -0,0 +1,117 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:c6:f6:76:c9:a4:72:95:4c:7e:9a:0c:80:5c:6d:8f:64:f2:19:a5 + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:ad:cd:ed:4f:94:27:fa:57:28:90:bc:e5:35:b6: + 96:36:18:25:45:e1:de:aa:87:98:88:61:2b:97:2a: + e4:4e:f6:06:36:1c:38:b5:5d:ae:99:59:99:70:01: + 12:f9:02:49:7b:ae:c1:aa:78:41:26:9b:f6:31:09: + af:0a:6b:eb:f2:8c:39:2f:f9:fe:e0:38:a6:2f:00: + ee:40:6e:94:8c:be:3f:c1:3e:6b:3a:ae:91:e6:d6: + 6c:34:1a:54:88:b6:38:b8:f8:c9:58:b4:8e:99:0c: + ab:37:6e:a1:50:25:f1:e4:e2:76:78:9c:95:12:7e: + 35:7f:74:65:1d:79:b7:81:44:78:a3:53:f3:f4:1c: + 17:80:15:b7:c1:f7:a1:b3:0b:69:5a:e7:12:6b:49: + 1f:0a:84:88:70:19:73:16:be:1c:cd:b4:e0:e7:bf: + 04:61:ba:da:44:eb:52:41:7a:46:b8:8e:02:83:c1: + 75:05:60:d0:6c:0e:75:7d:52:9e:f9:38:17:de:a8: + cc:5c:dd:e6:02:8b:f5:30:43:1c:5a:98:8f:c3:c1: + d9:5f:e6:6f:6e:f1:74:d6:de:8b:5f:8b:ce:35:8a: + f4:58:8a:0e:6b:da:97:cd:8a:6a:b1:7f:83:4e:7c: + ae:b6:78:8e:51:e8:49:34:d1:68:e3:d0:bf:5b:b3: + 17:5a:e0:d7:94:20:12:26:7b:9d:19:fa:1e:16:65: + 65:e1:54:bb:f9:4f:9e:63:da:dc:10:dc:b0:9b:09: + 24:d5:0b:97:83:eb:2c:b3:1e:15:50:38:93:06:5a: + 8c:11:12:63:21:31:91:c3:7c:bf:54:ed:2c:2f:bc: + f7:63:a4:38:36:5c:f3:bb:71:3d:0d:15:f6:5a:bc: + 4c:ee:78:50:31:61:40:bf:45:28:d2:b5:2f:c1:08: + af:be:d6:03:00:cf:19:69:e3:a0:b0:92:ec:26:42: + 5e:02:a5:d1:2d:cf:b8:63:df:ce:b3:22:6c:1a:d3: + 5d:89:15:9a:c4:77:98:cd:95:7f + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + X509v3 Authority Key Identifier: + keyid:AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 66:1c:f4:d8:ae:83:99:36:d5:9b:57:84:24:3f:ff:bc:de:1a: + 4c:ba:f2:8b:51:45:37:6f:42:81:18:1c:da:4c:c1:7f:a5:6c: + 6e:45:02:2a:2e:e0:39:5b:47:9b:d9:e8:75:32:44:02:4b:ac: + 65:74:25:e8:b5:9c:f2:33:90:73:e9:59:4f:20:82:dd:20:1e: + 0f:30:bb:77:b2:4c:c1:67:d1:2d:3e:4f:96:e9:31:3d:f3:0c: + 3a:9b:ee:b1:40:34:e3:a1:af:01:ea:91:d8:ba:58:71:32:23: + 6f:a4:38:6a:f9:00:9a:a9:5a:06:b4:f8:6e:25:55:9d:e2:c0: + 54:e8:88:32:68:1b:64:f6:d1:23:f1:46:01:2d:5e:68:bc:5f: + 86:fb:84:d5:35:67:0a:65:4e:4f:e5:fb:d3:1b:ad:46:6a:6a: + 43:d2:e8:3d:13:74:64:f7:54:37:41:14:2d:a3:f0:c6:57:ac: + 25:f4:cd:00:ee:54:77:13:ce:59:13:55:1e:82:f2:68:ac:b7: + c4:90:ab:82:85:86:32:0c:03:9c:ed:ab:cd:81:ae:3e:d2:f9: + 6c:41:cd:03:56:68:bd:48:e2:d0:c8:8b:b3:e5:f0:aa:28:f8: + 36:2e:14:fb:5e:57:6a:26:60:a8:20:ca:f4:05:8e:41:cf:92: + 43:5f:57:2f:c8:ea:de:cb:b0:00:dc:41:53:e1:10:27:b2:7f: + f8:f4:a5:7b:3f:df:f4:cf:53:e6:11:b4:ea:36:53:68:b6:0b: + 96:5c:7d:d0:a1:77:1c:99:fa:68:c2:19:aa:89:40:cc:42:24: + 33:e3:02:28:d0:04:b9:2f:6f:01:6b:55:95:6d:eb:93:3a:e4: + ed:e5:c8:36:68:df:61:07:d0:0d:77:19:8e:3d:9c:5f:6e:8a: + 05:64:2e:27:78:7a:12:30:14:29:17:96:ae:6d:53:8c:98:35: + e9:a1:06:b5:e0:c8:2e:89:6e:7c:bf:b5:c8:3a:8f:07:d1:7e: + 58:b8:c8:23:db:71 +-----BEGIN CERTIFICATE----- +MIIFjTCCA8SgAwIBAgIUNMb2dsmkcpVMfpoMgFxtj2TyGaUwPgYJKoZIhvcNAQEK +MDGgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQC +AgFOMIGdMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH +Qm96ZW1hbjEYMBYGA1UECgwPd29sZlNTTF9SU0EtUFNTMRUwEwYDVQQLDAxSb290 +LVJTQS1QU1MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMjA3MjUwMjI3NTVaFw0yNTA0MjAwMjI3 +NTVaMIGdMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH +Qm96ZW1hbjEYMBYGA1UECgwPd29sZlNTTF9SU0EtUFNTMRUwEwYDVQQLDAxSb290 +LVJTQS1QU1MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTCCAaAwCwYJKoZIhvcNAQEKA4IBjwAwggGKAoIB +gQCtze1PlCf6VyiQvOU1tpY2GCVF4d6qh5iIYSuXKuRO9gY2HDi1Xa6ZWZlwARL5 +Akl7rsGqeEEmm/YxCa8Ka+vyjDkv+f7gOKYvAO5AbpSMvj/BPms6rpHm1mw0GlSI +tji4+MlYtI6ZDKs3bqFQJfHk4nZ4nJUSfjV/dGUdebeBRHijU/P0HBeAFbfB96Gz +C2la5xJrSR8KhIhwGXMWvhzNtODnvwRhutpE61JBeka4jgKDwXUFYNBsDnV9Up75 +OBfeqMxc3eYCi/UwQxxamI/Dwdlf5m9u8XTW3otfi841ivRYig5r2pfNimqxf4NO +fK62eI5R6Ek00Wjj0L9bsxda4NeUIBIme50Z+h4WZWXhVLv5T55j2twQ3LCbCSTV +C5eD6yyzHhVQOJMGWowREmMhMZHDfL9U7SwvvPdjpDg2XPO7cT0NFfZavEzueFAx +YUC/RSjStS/BCK++1gMAzxlp46CwkuwmQl4CpdEtz7hj386zImwa012JFZrEd5jN +lX8CAwEAAaNjMGEwHQYDVR0OBBYEFKpx07GKS7tHFUdfm9AradFvhV72MB8GA1Ud +IwQYMBaAFKpx07GKS7tHFUdfm9AradFvhV72MA8GA1UdEwEB/wQFMAMBAf8wDgYD +VR0PAQH/BAQDAgGGMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZIAWUDBAICoRowGAYJ +KoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIEAgIBTgOCAYEAZhz02K6DmTbVm1eEJD// +vN4aTLryi1FFN29CgRgc2kzBf6VsbkUCKi7gOVtHm9nodTJEAkusZXQl6LWc8jOQ +c+lZTyCC3SAeDzC7d7JMwWfRLT5PlukxPfMMOpvusUA046GvAeqR2LpYcTIjb6Q4 +avkAmqlaBrT4biVVneLAVOiIMmgbZPbRI/FGAS1eaLxfhvuE1TVnCmVOT+X70xut +RmpqQ9LoPRN0ZPdUN0EULaPwxlesJfTNAO5UdxPOWRNVHoLyaKy3xJCrgoWGMgwD +nO2rzYGuPtL5bEHNA1ZovUji0MiLs+Xwqij4Ni4U+15XaiZgqCDK9AWOQc+SQ19X +L8jq3suwANxBU+EQJ7J/+PSlez/f9M9T5hG06jZTaLYLllx90KF3HJn6aMIZqolA +zEIkM+MCKNAEuS9vAWtVlW3rkzrk7eXINmjfYQfQDXcZjj2cX26KBWQuJ3h6EjAU +KReWrm1TjJg16aEGteDILolufL+1yDqPB9F+WLjII9tx +-----END CERTIFICATE----- diff --git a/certs/rsapss/root-rsapss-key.der b/certs/rsapss/root-rsapss-key.der new file mode 100644 index 000000000..d43f95aa2 Binary files /dev/null and b/certs/rsapss/root-rsapss-key.der differ diff --git a/certs/rsapss/root-rsapss-key.pem b/certs/rsapss/root-rsapss-key.pem new file mode 100644 index 000000000..07c1e6c0a --- /dev/null +++ b/certs/rsapss/root-rsapss-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PUBLIC KEY----- +MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEB +CDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEAmQoBttFAewyuF37hXI37 +a8yPBlF15vCXzi92+jG973myLuS1ER/LKa0X7jIpBJqaFUNM52e4DnjP6944a0I5 +ZZAZ4FuUjujiGEvF0m7WePCJw9mw3BZ+aHK1ChvOsiSMoMf8xthyrLd4wwV613iq +fKusjK8K1+tLtSxA3b5aSk1tkwJp4gjll6lAbhg4be+OJ+NY+/Ob8Rn5kJpGjieW +aP92wzbjc+LrzQCXNelkzTsN4/IC+4Cq3VXhLRA/CGK+q9xIDIW1XvsSyZ7Au/EK +GGwV+edEShUJc0nYDJb33NACYsqRgfSyPLolqZiE0HUqsX+PnfjKluCClOOKs/bv +9QIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/root-rsapss-priv.der b/certs/rsapss/root-rsapss-priv.der new file mode 100644 index 000000000..be9a3902d Binary files /dev/null and b/certs/rsapss/root-rsapss-priv.der differ diff --git a/certs/rsapss/root-rsapss-priv.pem b/certs/rsapss/root-rsapss-priv.pem new file mode 100644 index 000000000..2d9037738 --- /dev/null +++ b/certs/rsapss/root-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7gIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKgwggSkAgEAAoIBAQCZCgG20UB7DK4X +fuFcjftrzI8GUXXm8JfOL3b6Mb3vebIu5LURH8sprRfuMikEmpoVQ0znZ7gOeM/r +3jhrQjllkBngW5SO6OIYS8XSbtZ48InD2bDcFn5ocrUKG86yJIygx/zG2HKst3jD +BXrXeKp8q6yMrwrX60u1LEDdvlpKTW2TAmniCOWXqUBuGDht744n41j785vxGfmQ +mkaOJ5Zo/3bDNuNz4uvNAJc16WTNOw3j8gL7gKrdVeEtED8IYr6r3EgMhbVe+xLJ +nsC78QoYbBX550RKFQlzSdgMlvfc0AJiypGB9LI8uiWpmITQdSqxf4+d+MqW4IKU +44qz9u/1AgMBAAECggEAXtcKtOb8lMUI5lqlApyioO2F/R5ieJnFGevkSaylzlCW +keT+KPyRBOTWHbFMJiRBNMgeUpG+SImqILv4LtA9jak9wAJBEEdWRkQ+9efmVdCL +L6oqplnyQHxFoVwWPePUmpcVGY1tk4en+QPeWsXWsagaKJ0ZlTGmG0KveDvM7JoV +57qoqXw85VCA9yw4+1hyCoMFPZmWoqpU8MtAH65fzuBH/M0dAjzDwJRRsk+mpOxE +/XtKpFsHRXDlXf274U7ktAfHMxS6KthyuP2KJAvycs6BvvKyXW898X1K5ehChjmQ +gGGhm5mmeucdR7oMbw1snnrxZ9Vf+njBMCMQksJVSQKBgQDGFtOYGhHh+eSuUrdY +qlrXF2gxKD9uIwPMBt5uo4FcIVgVtqTE3nyISAkfVw7HbXLDYnICckkxqwZL2U1C +OQ9Syf4ZNNakZ/dwhTtmOQ1zcaEzt3higcBMxxXFeVPl7opxcA/d7N8r6+gPtpOx +bTQH6sN3GLB6v0qgjK4Y3UX1wwKBgQDFx5djSMjylnW6XIvmKH/eKebURGnJWtty +XMPkp+hNLodNgJGakpCe3L7GbiF+uWIxDg+De1oEfssb9Xu/wz507Y0T4mmVgyGn +EuF5cAd2o48p1Hn+G8adh6/ty2dsqBdCC2MCxMD/ZcZy5ELJHnynNUVuffQDcqDK +KZBe7hVP5wKBgQCch28ekwMsiTYeVjiRdNQhgVqQ9Zfh5QNcFtVvof5XmfWr+s6K +zrCjVCD5RebkyeTU5hbnPf3+pIFuMEFvof0s03bZ3jn6YjlSDcXZSh4J6nGSl1km +phcZ1HustuoIGI4Hg6DWIhZb86dFu2VL39oso2Nf2f+ij0ReR6xO85MT1wKBgQCQ ++HoJNoLE/nCRB+Er9ae0ivY9xV/dThHoxAJ7CnCGkoJu1rzjlmcXaysTfAplPzGw +T2QjtjkHboEmn0v0BgMz5iQw3RcTlqkGNBq9ztZJqh34RVyeXHG7aogUP7IxvQw/ +RuVuVBY7nrhV4ubpUMWCMtQP55cDJ/Sf+tNuIgnRJQKBgBfKPaKXffSp+VAezB09 +xPyhpg5mDZqnQCbN7UJTBDAzXLs7NkSRpAb7NT7iTrFq/uFY2QUdgfqIgmGdNmbq +xF/UtQBQBr+y5gu3EjU6p464rM+ui3xU5FlZ60bsDIfP/p2leiJYuGG2ds56CBV/ +bD8DmfVsG0X3d4C/XMtveEgq +-----END PRIVATE KEY----- diff --git a/certs/rsapss/root-rsapss.der b/certs/rsapss/root-rsapss.der new file mode 100644 index 000000000..33a11b7a2 Binary files /dev/null and b/certs/rsapss/root-rsapss.der differ diff --git a/certs/rsapss/root-rsapss.pem b/certs/rsapss/root-rsapss.pem new file mode 100644 index 000000000..6abe00bae --- /dev/null +++ b/certs/rsapss/root-rsapss.pem @@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:43:a2:a0:b6:01:0c:e3:6d:0d:e8:2d:8c:75:f8:1c:71:74:0d:72 + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:99:0a:01:b6:d1:40:7b:0c:ae:17:7e:e1:5c:8d: + fb:6b:cc:8f:06:51:75:e6:f0:97:ce:2f:76:fa:31: + bd:ef:79:b2:2e:e4:b5:11:1f:cb:29:ad:17:ee:32: + 29:04:9a:9a:15:43:4c:e7:67:b8:0e:78:cf:eb:de: + 38:6b:42:39:65:90:19:e0:5b:94:8e:e8:e2:18:4b: + c5:d2:6e:d6:78:f0:89:c3:d9:b0:dc:16:7e:68:72: + b5:0a:1b:ce:b2:24:8c:a0:c7:fc:c6:d8:72:ac:b7: + 78:c3:05:7a:d7:78:aa:7c:ab:ac:8c:af:0a:d7:eb: + 4b:b5:2c:40:dd:be:5a:4a:4d:6d:93:02:69:e2:08: + e5:97:a9:40:6e:18:38:6d:ef:8e:27:e3:58:fb:f3: + 9b:f1:19:f9:90:9a:46:8e:27:96:68:ff:76:c3:36: + e3:73:e2:eb:cd:00:97:35:e9:64:cd:3b:0d:e3:f2: + 02:fb:80:aa:dd:55:e1:2d:10:3f:08:62:be:ab:dc: + 48:0c:85:b5:5e:fb:12:c9:9e:c0:bb:f1:0a:18:6c: + 15:f9:e7:44:4a:15:09:73:49:d8:0c:96:f7:dc:d0: + 02:62:ca:91:81:f4:b2:3c:ba:25:a9:98:84:d0:75: + 2a:b1:7f:8f:9d:f8:ca:96:e0:82:94:e3:8a:b3:f6: + ef:f5 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + X509v3 Authority Key Identifier: + keyid:64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + 8c:4f:b2:a8:12:6c:80:56:78:44:ac:27:38:26:96:a3:e0:58: + 34:81:48:5f:cd:34:28:bd:b7:f6:6e:95:b4:8d:9a:5a:5a:9e: + a5:40:e4:67:b8:53:db:00:ab:81:db:c8:de:77:0e:1b:a7:30: + 74:b8:8f:4b:05:5d:12:5c:f5:7a:40:ed:ba:3a:58:05:99:7b: + 72:a7:f1:c4:0a:4a:c4:fa:44:ef:5b:7e:8f:70:95:bc:3e:bb: + ab:e5:4a:db:7a:d0:a9:82:2d:0c:c8:a0:64:0a:9a:d9:8c:23: + d9:a5:3a:ea:80:ae:47:c0:31:7a:21:3c:4b:5d:9e:22:e1:34: + c8:bb:0c:d5:77:65:6b:c0:76:77:67:41:56:23:33:e2:a6:e9: + 5f:8d:9d:af:73:92:e0:4e:2d:3f:c6:3a:ab:99:67:c5:5a:3e: + a2:50:bb:ca:26:5f:6d:be:f9:71:1f:63:6e:d8:41:ca:96:bc: + 3d:1c:67:00:a1:78:d4:fe:a6:43:64:cf:20:ca:7b:ee:fa:65: + 72:39:ff:9a:8b:99:9c:9c:2d:4e:1d:b0:dc:07:8a:f2:12:81: + 78:d9:d4:55:aa:c5:d1:fb:73:36:71:01:4e:d6:e9:ea:e0:01: + 5c:95:ee:aa:16:cd:1a:d3:00:31:6f:48:7d:b7:52:7c:53:40: + fd:c5:58:a1 +-----BEGIN CERTIFICATE----- +MIIEvTCCA3WgAwIBAgIUNEOioLYBDONtDegtjHX4HHF0DXIwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +ASAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3Qt +UlNBLVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tMB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAyMjc1 +NVowgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3Qt +UlNBLVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tMIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFl +AwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKC +AQEAmQoBttFAewyuF37hXI37a8yPBlF15vCXzi92+jG973myLuS1ER/LKa0X7jIp +BJqaFUNM52e4DnjP6944a0I5ZZAZ4FuUjujiGEvF0m7WePCJw9mw3BZ+aHK1ChvO +siSMoMf8xthyrLd4wwV613iqfKusjK8K1+tLtSxA3b5aSk1tkwJp4gjll6lAbhg4 +be+OJ+NY+/Ob8Rn5kJpGjieWaP92wzbjc+LrzQCXNelkzTsN4/IC+4Cq3VXhLRA/ +CGK+q9xIDIW1XvsSyZ7Au/EKGGwV+edEShUJc0nYDJb33NACYsqRgfSyPLolqZiE +0HUqsX+PnfjKluCClOOKs/bv9QIDAQABo2MwYTAdBgNVHQ4EFgQUZNXsgoeA3lrt +SZjYDFR9Rp6lPNYwHwYDVR0jBBgwFoAUZNXsgoeA3lrtSZjYDFR9Rp6lPNYwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwPQYJKoZIhvcNAQEKMDCgDTAL +BglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEB +AIxPsqgSbIBWeESsJzgmlqPgWDSBSF/NNCi9t/ZulbSNmlpanqVA5Ge4U9sAq4Hb +yN53DhunMHS4j0sFXRJc9XpA7bo6WAWZe3Kn8cQKSsT6RO9bfo9wlbw+u6vlStt6 +0KmCLQzIoGQKmtmMI9mlOuqArkfAMXohPEtdniLhNMi7DNV3ZWvAdndnQVYjM+Km +6V+Nna9zkuBOLT/GOquZZ8VaPqJQu8omX22++XEfY27YQcqWvD0cZwCheNT+pkNk +zyDKe+76ZXI5/5qLmZycLU4dsNwHivISgXjZ1FWqxdH7czZxAU7W6ergAVyV7qoW +zRrTADFvSH23UnxTQP3FWKE= +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-3072-rsapss-cert.pem b/certs/rsapss/server-3072-rsapss-cert.pem new file mode 100644 index 000000000..ff9871fcd --- /dev/null +++ b/certs/rsapss/server-3072-rsapss-cert.pem @@ -0,0 +1,122 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:be:84:78:d3:6b:7d:b2:ae:51:88:68:6a:33:f1: + f9:c5:1a:6f:97:71:94:22:f4:c2:f0:49:88:2b:a4: + 4d:15:6f:db:cc:d4:c6:6f:75:a6:e2:22:06:af:91: + 26:4e:a0:2d:97:17:95:0b:40:1a:75:23:9b:b1:e0: + d7:5d:cc:0d:5f:09:9e:c9:b7:3d:f8:e5:62:bb:34: + 75:99:0c:e6:da:7d:95:40:ee:5f:27:76:f9:ca:d6: + 0d:1e:a7:06:9f:c5:75:57:96:44:b9:73:f4:de:aa: + a9:af:be:4b:98:f3:6c:c8:da:d9:a2:26:35:21:40: + e7:67:4b:e2:d9:c4:4f:b8:96:54:17:59:d8:ca:af: + b1:56:47:be:15:5b:05:d3:29:cc:ec:2b:99:fa:13: + 1a:2a:d0:61:d1:41:c2:27:5d:d9:a7:f2:29:28:eb: + fb:e5:89:c5:01:83:88:1d:dc:70:1a:8f:2f:3b:e5: + 34:e8:5b:ef:ed:76:5f:8a:51:ea:2d:92:c2:e6:86: + 6d:6a:92:93:c3:6d:04:c5:95:68:07:fe:9a:32:d9: + 38:c8:06:eb:33:92:b9:0b:ce:2e:c3:6b:6a:a2:41: + 6a:ce:09:e7:4a:90:a8:2f:59:0e:76:dc:4f:b8:86: + d0:4b:95:e6:1b:e4:c6:59:26:ef:1c:00:4e:ce:fb: + cf:63:05:7e:a6:d4:09:39:fe:d3:79:49:f2:6a:6a: + 1a:17:cb:13:a5:3d:d9:fa:b0:a4:5f:18:e8:e5:5c: + 4b:38:d5:d8:b8:76:35:a0:0b:e1:98:b9:58:c3:88: + e5:f8:4a:e6:d0:84:a3:5e:4d:85:c9:d6:7f:9d:9f: + 35:28:66:56:04:25:cc:1b:4c:f7:e3:cb:39:be:e0: + 5f:a8:93:bd:a1:0b:cd:63:e0:16:07:af:40:0b:cb: + 6e:3f:81:0c:cd:80:bf:13:f1:92:57:a1:48:17:d2: + 29:b0:5a:a2:d5:42:84:c8:6c:09:31:c6:05:92:dd: + a3:f7:56:ed:e7:5f:29:88:eb:4b + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + C8:F1:E9:1E:60:01:C8:23:CC:D7:98:B3:BB:65:7A:32:C4:4B:93:39 + X509v3 Authority Key Identifier: + keyid:F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 68:61:62:4c:67:79:5d:4d:fd:95:14:51:37:f0:d5:d5:b6:f0: + c6:48:cb:23:3c:4c:b6:38:00:63:4d:0e:6a:f6:d0:ba:54:3d: + 40:a4:aa:5b:01:f6:57:c1:13:12:e1:5b:4e:59:21:f7:09:90: + 93:36:ab:44:54:59:f5:f0:da:3a:aa:41:f2:00:a4:fa:3d:8d: + 92:bf:74:84:a2:93:c8:70:d9:5a:2a:ab:47:a9:18:fb:f9:51: + 35:96:89:23:18:7b:a6:ae:1c:88:df:cd:68:ca:3c:8b:03:b2: + b0:c6:6f:9e:1f:fd:00:98:24:72:3b:6a:67:62:ef:28:4a:71: + 6e:b2:53:1c:0b:7c:48:ef:78:6c:73:5d:03:71:44:ac:5c:5e: + a2:75:fd:0b:e4:cc:8c:af:1e:42:9c:b7:d4:02:f4:8e:ad:56: + 77:fe:d0:1b:92:4d:35:ce:3e:bb:e0:43:98:e8:dc:71:e9:fb: + e1:26:17:5c:e1:f2:57:74:45:21:90:42:c1:b0:38:59:7f:0c: + 6a:6e:94:7b:30:a1:fd:10:e0:9b:53:0f:05:19:2d:f6:9a:a3: + 95:f4:52:54:c9:e2:fc:99:0e:64:56:29:31:d2:35:dd:01:b0: + 34:c8:d6:16:40:1a:58:58:62:c1:e4:d8:ee:8e:1d:b2:b7:c9: + 68:07:a5:91:a0:a8:18:c7:5f:80:c6:81:fb:7a:10:17:a8:a5: + 9e:67:d2:ac:31:69:94:ab:36:6f:f6:35:05:c3:80:f3:3e:5f: + 5c:29:d1:13:43:88:1e:79:ac:3d:d3:e0:3d:44:c4:da:c7:1e: + ab:f1:86:07:98:cf:b8:99:5d:6b:7c:3f:c2:c1:ff:1c:b1:8d: + 90:02:45:62:c4:7c:ca:6a:fb:4c:48:bc:73:ad:04:ad:62:87: + 1e:b3:c4:76:a6:a1:27:3d:f5:2a:ca:8e:c0:73:96:08:3c:db: + f7:36:a6:57:a4:98:47:58:cd:56:0e:cd:fc:63:84:b9:df:2f: + 47:bb:8b:0d:7c:54 +-----BEGIN CERTIFICATE----- +MIIFzzCCBAagAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAy +Mjc1NVowgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQH +DAdCb3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UECwwNU2Vy +dmVyLVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN +AQkBFhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDCC +AaAwCwYJKoZIhvcNAQEKA4IBjwAwggGKAoIBgQC+hHjTa32yrlGIaGoz8fnFGm+X +cZQi9MLwSYgrpE0Vb9vM1MZvdabiIgavkSZOoC2XF5ULQBp1I5ux4NddzA1fCZ7J +tz345WK7NHWZDObafZVA7l8ndvnK1g0epwafxXVXlkS5c/TeqqmvvkuY82zI2tmi +JjUhQOdnS+LZxE+4llQXWdjKr7FWR74VWwXTKczsK5n6Exoq0GHRQcInXdmn8iko +6/vlicUBg4gd3HAajy875TToW+/tdl+KUeotksLmhm1qkpPDbQTFlWgH/poy2TjI +BuszkrkLzi7Da2qiQWrOCedKkKgvWQ523E+4htBLleYb5MZZJu8cAE7O+89jBX6m +1Ak5/tN5SfJqahoXyxOlPdn6sKRfGOjlXEs41di4djWgC+GYuVjDiOX4SubQhKNe +TYXJ1n+dnzUoZlYEJcwbTPfjyzm+4F+ok72hC81j4BYHr0ALy24/gQzNgL8T8ZJX +oUgX0imwWqLVQoTIbAkxxgWS3aP3Vu3nXymI60sCAwEAAaOBiTCBhjAdBgNVHQ4E +FgQUyPHpHmAByCPM15izu2V6MsRLkzkwHwYDVR0jBBgwFoAU+ELMiMnIGPnTsCRl +Bkz/Vau/Dn8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAww +CgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMD4GCSqGSIb3DQEBCjAxoA0w +CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIEAgIBTgOC +AYEAaGFiTGd5XU39lRRRN/DV1bbwxkjLIzxMtjgAY00OavbQulQ9QKSqWwH2V8ET +EuFbTlkh9wmQkzarRFRZ9fDaOqpB8gCk+j2Nkr90hKKTyHDZWiqrR6kY+/lRNZaJ +Ixh7pq4ciN/NaMo8iwOysMZvnh/9AJgkcjtqZ2LvKEpxbrJTHAt8SO94bHNdA3FE +rFxeonX9C+TMjK8eQpy31AL0jq1Wd/7QG5JNNc4+u+BDmOjccen74SYXXOHyV3RF +IZBCwbA4WX8Mam6UezCh/RDgm1MPBRkt9pqjlfRSVMni/JkOZFYpMdI13QGwNMjW +FkAaWFhiweTY7o4dsrfJaAelkaCoGMdfgMaB+3oQF6ilnmfSrDFplKs2b/Y1BcOA +8z5fXCnRE0OIHnmsPdPgPUTE2sceq/GGB5jPuJlda3w/wsH/HLGNkAJFYsR8ymr7 +TEi8c60ErWKHHrPEdqahJz31KsqOwHOWCDzb9zamV6SYR1jNVg7N/GOEud8vR7uL +DXxU +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-3072-rsapss-key.der b/certs/rsapss/server-3072-rsapss-key.der new file mode 100644 index 000000000..81e64e6bc Binary files /dev/null and b/certs/rsapss/server-3072-rsapss-key.der differ diff --git a/certs/rsapss/server-3072-rsapss-key.pem b/certs/rsapss/server-3072-rsapss-key.pem new file mode 100644 index 000000000..9669bea1d --- /dev/null +++ b/certs/rsapss/server-3072-rsapss-key.pem @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoCggGBAL6EeNNrfbKuUYhoajPx+cUa +b5dxlCL0wvBJiCukTRVv28zUxm91puIiBq+RJk6gLZcXlQtAGnUjm7Hg113MDV8J +nsm3PfjlYrs0dZkM5tp9lUDuXyd2+crWDR6nBp/FdVeWRLlz9N6qqa++S5jzbMja +2aImNSFA52dL4tnET7iWVBdZ2MqvsVZHvhVbBdMpzOwrmfoTGirQYdFBwidd2afy +KSjr++WJxQGDiB3ccBqPLzvlNOhb7+12X4pR6i2SwuaGbWqSk8NtBMWVaAf+mjLZ +OMgG6zOSuQvOLsNraqJBas4J50qQqC9ZDnbcT7iG0EuV5hvkxlkm7xwATs77z2MF +fqbUCTn+03lJ8mpqGhfLE6U92fqwpF8Y6OVcSzjV2Lh2NaAL4Zi5WMOI5fhK5tCE +o15NhcnWf52fNShmVgQlzBtM9+PLOb7gX6iTvaELzWPgFgevQAvLbj+BDM2AvxPx +klehSBfSKbBaotVChMhsCTHGBZLdo/dW7edfKYjrSwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/server-3072-rsapss-priv.der b/certs/rsapss/server-3072-rsapss-priv.der new file mode 100644 index 000000000..959d00f14 Binary files /dev/null and b/certs/rsapss/server-3072-rsapss-priv.der differ diff --git a/certs/rsapss/server-3072-rsapss-priv.pem b/certs/rsapss/server-3072-rsapss-priv.pem new file mode 100644 index 000000000..4fec8b37c --- /dev/null +++ b/certs/rsapss/server-3072-rsapss-priv.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADALBgkqhkiG9w0BAQoEggboMIIG5AIBAAKCAYEAvoR402t9sq5RiGhq +M/H5xRpvl3GUIvTC8EmIK6RNFW/bzNTGb3Wm4iIGr5EmTqAtlxeVC0AadSObseDX +XcwNXwmeybc9+OViuzR1mQzm2n2VQO5fJ3b5ytYNHqcGn8V1V5ZEuXP03qqpr75L +mPNsyNrZoiY1IUDnZ0vi2cRPuJZUF1nYyq+xVke+FVsF0ynM7CuZ+hMaKtBh0UHC +J13Zp/IpKOv75YnFAYOIHdxwGo8vO+U06Fvv7XZfilHqLZLC5oZtapKTw20ExZVo +B/6aMtk4yAbrM5K5C84uw2tqokFqzgnnSpCoL1kOdtxPuIbQS5XmG+TGWSbvHABO +zvvPYwV+ptQJOf7TeUnyamoaF8sTpT3Z+rCkXxjo5VxLONXYuHY1oAvhmLlYw4jl ++Erm0ISjXk2FydZ/nZ81KGZWBCXMG0z348s5vuBfqJO9oQvNY+AWB69AC8tuP4EM +zYC/E/GSV6FIF9IpsFqi1UKEyGwJMcYFkt2j91bt518piOtLAgMBAAECggGBALdl +MCZc0Ahj84p68NkGMuiA9TD0naQ0tz61mgZgx+892XlIzahXugjutj7lW9nOKXTL +t6a304A1gdfuV4MsPSbiTN9irJ5eufb5ncZx+/wRbc6uaBzGU9jkyoZaRG8ilj11 +IrzfGbYK1QOfDIi0s2B6A4wqeXSEVP1DuKDmb9OBqns7+wvJqs0ijKFkGKxYDbK+ +mh93qfXS2IamZW6d0jrwSpzg5X/laiZ15l7QZ325nb9rec2/SqvtCjVNez7ZiWeM +HQv6I8s8eBVDtSxzxytHHu90SRqC1fQEKnzKMEYAaT/i2sqqorBSIDVuwl6mnl0X +v22YKoBkaeqyanFY4bjgVkFtVyqxaPxNGW+AosD9usszSP7fHVDsxH+U3VauPDu3 +E/rYkL4ftpetAk1jk7L/LipJkzdPOzcvuC/ZEXdxRkKIrM5Yb4usD+6zPLmm1yuY +HhdGZZuzcv+Uk7vmKZAv0p+IYpP7foCJlX9CsPPwCimWg581q8QTZl7/AQ7qOQKB +wQDx3siwpPspeznnxv0qxcQNK6GuADTSPxRc62ST5IHEXm+bEZJ5mmIOl5BVRn9N +RNQJSSYOHPnmyr0XTGnJ887Wpt6LutPc570pOFF8dBgLziCkHmQaDcKbVDkrNZrA +UKAP3ZppH59slXawVSlbrl3fMd6SEprxmVCuxBu7VJeee5puy4jc7Svl3aXaXOok +kmbxKUtDT456ZUxwqsXjeJbGQQgztGSB6aM/L3Jb9Z5e36o3UON9cfuvet+yCfmP +iW0CgcEAyaWyg74L9BK8taRmeQ2hMQbd8i1GvYnWrEGC0uUTpOxcsEwpFRBWGI47 +Nt9+d9+v4fDULO4ysfOfUjoxpEP6OiPtcjPi+/uKGgqy5kRVEp7qqmv2iUgaJAug +95oxgmlEUjbvJfFFiq7c5UOtHfxM/TWYjoj6FzQUUM4wjcAhVaEMe+zBXpHOi1Db +pS0RuPZ+UaMTeH5NgQyrRNBQj9mK55mFHX9j97HrlbWrMGZQUQryxKWvVwLUe/uE +v/PoTMyXAoHAb8jINiO51N0X0RA9l5QZXQDqU3HS98yhi6RbMqLseqYurJt9d+gr +I5VW5qKTWVHTMYt2JBWuRcUziV4OkoC0+q3asvegzTrpSPC3cG5zYplcqp1FJGlx +pLpTRa4bnIBmyY5gu+8ajmOxnCNv3uiCiBITTK1+oOR7zpniOz0Iaf20TTqSQZD3 +teAvs/E3YbmsDA9KsoxFTDofDv9OQChOfsg1kzfvL7+cbCpwjyHAlRaII9KloSeZ +6+s9EZrclUMtAoHADWADPj/N1Suk/rtf3Kmtxm25LQYZyhqpdZWG0uxE6EyRPVRf +6TjDLS/J97LNVbAtn2P0/uHx1OHe8HpRrp6fq1mUt11/sc0WdPG+ug1QQ0LtN86f +dK2mpjtrOuEsZYUL9hQUusSNI0zD9CUQB4wjoyv56YJmbEGVE2MJz20uCNr80/95 +OAed1pnPZ95cbZNT/6A8e2KNS4EGnzLeFRyN3RzOuo0nmVdg0/ZP2479xtJeFfMT +dUcHxw2A2aaZAvcTAoHBAMsrLMCgT0skDJ/5/ar3f44Pkciibn455qzQ+Gx4vG9x +yCxpv70x4QT6NJz6Aht8JZWl81YlUY21S2JEiAPV3YIfTSrMKLlpvr7fCXz/ghje +4O2Cv3zGHQN6GUidXVR4cjJgx4cjcTcLaRk+e2N+0exAkV4UsDRS8OqBDZTqDwBQ +ntOJIUjNyx1Vqe1o/nxsN21EDF5Ya6K/tgEJsObEWfAStlJxm+ELaqk+29PPsmRD +O2FW8SWubrzhQCndGMYUig== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/server-3072-rsapss.der b/certs/rsapss/server-3072-rsapss.der new file mode 100644 index 000000000..d1ee7b42f Binary files /dev/null and b/certs/rsapss/server-3072-rsapss.der differ diff --git a/certs/rsapss/server-3072-rsapss.pem b/certs/rsapss/server-3072-rsapss.pem new file mode 100644 index 000000000..845b6f315 --- /dev/null +++ b/certs/rsapss/server-3072-rsapss.pem @@ -0,0 +1,238 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:be:84:78:d3:6b:7d:b2:ae:51:88:68:6a:33:f1: + f9:c5:1a:6f:97:71:94:22:f4:c2:f0:49:88:2b:a4: + 4d:15:6f:db:cc:d4:c6:6f:75:a6:e2:22:06:af:91: + 26:4e:a0:2d:97:17:95:0b:40:1a:75:23:9b:b1:e0: + d7:5d:cc:0d:5f:09:9e:c9:b7:3d:f8:e5:62:bb:34: + 75:99:0c:e6:da:7d:95:40:ee:5f:27:76:f9:ca:d6: + 0d:1e:a7:06:9f:c5:75:57:96:44:b9:73:f4:de:aa: + a9:af:be:4b:98:f3:6c:c8:da:d9:a2:26:35:21:40: + e7:67:4b:e2:d9:c4:4f:b8:96:54:17:59:d8:ca:af: + b1:56:47:be:15:5b:05:d3:29:cc:ec:2b:99:fa:13: + 1a:2a:d0:61:d1:41:c2:27:5d:d9:a7:f2:29:28:eb: + fb:e5:89:c5:01:83:88:1d:dc:70:1a:8f:2f:3b:e5: + 34:e8:5b:ef:ed:76:5f:8a:51:ea:2d:92:c2:e6:86: + 6d:6a:92:93:c3:6d:04:c5:95:68:07:fe:9a:32:d9: + 38:c8:06:eb:33:92:b9:0b:ce:2e:c3:6b:6a:a2:41: + 6a:ce:09:e7:4a:90:a8:2f:59:0e:76:dc:4f:b8:86: + d0:4b:95:e6:1b:e4:c6:59:26:ef:1c:00:4e:ce:fb: + cf:63:05:7e:a6:d4:09:39:fe:d3:79:49:f2:6a:6a: + 1a:17:cb:13:a5:3d:d9:fa:b0:a4:5f:18:e8:e5:5c: + 4b:38:d5:d8:b8:76:35:a0:0b:e1:98:b9:58:c3:88: + e5:f8:4a:e6:d0:84:a3:5e:4d:85:c9:d6:7f:9d:9f: + 35:28:66:56:04:25:cc:1b:4c:f7:e3:cb:39:be:e0: + 5f:a8:93:bd:a1:0b:cd:63:e0:16:07:af:40:0b:cb: + 6e:3f:81:0c:cd:80:bf:13:f1:92:57:a1:48:17:d2: + 29:b0:5a:a2:d5:42:84:c8:6c:09:31:c6:05:92:dd: + a3:f7:56:ed:e7:5f:29:88:eb:4b + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + C8:F1:E9:1E:60:01:C8:23:CC:D7:98:B3:BB:65:7A:32:C4:4B:93:39 + X509v3 Authority Key Identifier: + keyid:F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 68:61:62:4c:67:79:5d:4d:fd:95:14:51:37:f0:d5:d5:b6:f0: + c6:48:cb:23:3c:4c:b6:38:00:63:4d:0e:6a:f6:d0:ba:54:3d: + 40:a4:aa:5b:01:f6:57:c1:13:12:e1:5b:4e:59:21:f7:09:90: + 93:36:ab:44:54:59:f5:f0:da:3a:aa:41:f2:00:a4:fa:3d:8d: + 92:bf:74:84:a2:93:c8:70:d9:5a:2a:ab:47:a9:18:fb:f9:51: + 35:96:89:23:18:7b:a6:ae:1c:88:df:cd:68:ca:3c:8b:03:b2: + b0:c6:6f:9e:1f:fd:00:98:24:72:3b:6a:67:62:ef:28:4a:71: + 6e:b2:53:1c:0b:7c:48:ef:78:6c:73:5d:03:71:44:ac:5c:5e: + a2:75:fd:0b:e4:cc:8c:af:1e:42:9c:b7:d4:02:f4:8e:ad:56: + 77:fe:d0:1b:92:4d:35:ce:3e:bb:e0:43:98:e8:dc:71:e9:fb: + e1:26:17:5c:e1:f2:57:74:45:21:90:42:c1:b0:38:59:7f:0c: + 6a:6e:94:7b:30:a1:fd:10:e0:9b:53:0f:05:19:2d:f6:9a:a3: + 95:f4:52:54:c9:e2:fc:99:0e:64:56:29:31:d2:35:dd:01:b0: + 34:c8:d6:16:40:1a:58:58:62:c1:e4:d8:ee:8e:1d:b2:b7:c9: + 68:07:a5:91:a0:a8:18:c7:5f:80:c6:81:fb:7a:10:17:a8:a5: + 9e:67:d2:ac:31:69:94:ab:36:6f:f6:35:05:c3:80:f3:3e:5f: + 5c:29:d1:13:43:88:1e:79:ac:3d:d3:e0:3d:44:c4:da:c7:1e: + ab:f1:86:07:98:cf:b8:99:5d:6b:7c:3f:c2:c1:ff:1c:b1:8d: + 90:02:45:62:c4:7c:ca:6a:fb:4c:48:bc:73:ad:04:ad:62:87: + 1e:b3:c4:76:a6:a1:27:3d:f5:2a:ca:8e:c0:73:96:08:3c:db: + f7:36:a6:57:a4:98:47:58:cd:56:0e:cd:fc:63:84:b9:df:2f: + 47:bb:8b:0d:7c:54 +-----BEGIN CERTIFICATE----- +MIIFzzCCBAagAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAy +Mjc1NVowgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQH +DAdCb3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UECwwNU2Vy +dmVyLVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN +AQkBFhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDCC +AaAwCwYJKoZIhvcNAQEKA4IBjwAwggGKAoIBgQC+hHjTa32yrlGIaGoz8fnFGm+X +cZQi9MLwSYgrpE0Vb9vM1MZvdabiIgavkSZOoC2XF5ULQBp1I5ux4NddzA1fCZ7J +tz345WK7NHWZDObafZVA7l8ndvnK1g0epwafxXVXlkS5c/TeqqmvvkuY82zI2tmi +JjUhQOdnS+LZxE+4llQXWdjKr7FWR74VWwXTKczsK5n6Exoq0GHRQcInXdmn8iko +6/vlicUBg4gd3HAajy875TToW+/tdl+KUeotksLmhm1qkpPDbQTFlWgH/poy2TjI +BuszkrkLzi7Da2qiQWrOCedKkKgvWQ523E+4htBLleYb5MZZJu8cAE7O+89jBX6m +1Ak5/tN5SfJqahoXyxOlPdn6sKRfGOjlXEs41di4djWgC+GYuVjDiOX4SubQhKNe +TYXJ1n+dnzUoZlYEJcwbTPfjyzm+4F+ok72hC81j4BYHr0ALy24/gQzNgL8T8ZJX +oUgX0imwWqLVQoTIbAkxxgWS3aP3Vu3nXymI60sCAwEAAaOBiTCBhjAdBgNVHQ4E +FgQUyPHpHmAByCPM15izu2V6MsRLkzkwHwYDVR0jBBgwFoAU+ELMiMnIGPnTsCRl +Bkz/Vau/Dn8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAww +CgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMD4GCSqGSIb3DQEBCjAxoA0w +CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIEAgIBTgOC +AYEAaGFiTGd5XU39lRRRN/DV1bbwxkjLIzxMtjgAY00OavbQulQ9QKSqWwH2V8ET +EuFbTlkh9wmQkzarRFRZ9fDaOqpB8gCk+j2Nkr90hKKTyHDZWiqrR6kY+/lRNZaJ +Ixh7pq4ciN/NaMo8iwOysMZvnh/9AJgkcjtqZ2LvKEpxbrJTHAt8SO94bHNdA3FE +rFxeonX9C+TMjK8eQpy31AL0jq1Wd/7QG5JNNc4+u+BDmOjccen74SYXXOHyV3RF +IZBCwbA4WX8Mam6UezCh/RDgm1MPBRkt9pqjlfRSVMni/JkOZFYpMdI13QGwNMjW +FkAaWFhiweTY7o4dsrfJaAelkaCoGMdfgMaB+3oQF6ilnmfSrDFplKs2b/Y1BcOA +8z5fXCnRE0OIHnmsPdPgPUTE2sceq/GGB5jPuJlda3w/wsH/HLGNkAJFYsR8ymr7 +TEi8c60ErWKHHrPEdqahJz31KsqOwHOWCDzb9zamV6SYR1jNVg7N/GOEud8vR7uL +DXxU +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:c8:2a:40:c8:eb:ae:7c:18:33:cb:38:51:e6:b7: + 7b:11:4f:cd:ea:35:87:64:d9:b2:ca:cf:4b:21:c4: + 86:2a:c7:a3:6f:15:3e:1e:c4:9b:03:81:4b:3a:5d: + 53:62:11:e2:08:df:97:4d:37:3d:78:62:50:40:31: + 2a:70:44:1a:6d:69:49:fc:77:b8:f2:42:09:86:9a: + 5d:39:cd:84:7b:32:8a:3b:b0:4f:bf:3d:d4:05:7e: + c0:aa:28:a5:ce:b1:28:3a:59:d9:19:10:3a:d4:1f: + 91:07:07:73:50:a4:2b:d8:18:1f:22:f8:f4:64:3f: + 13:a0:d8:60:7e:53:4c:3b:97:70:bc:36:e5:be:31: + 97:45:55:ed:a2:5b:87:b5:1b:8e:65:3d:b7:15:08: + d1:12:1a:aa:ec:4e:56:35:70:a7:3e:50:65:f7:3e: + 30:9c:32:db:b2:24:7b:87:02:29:27:12:35:ad:8e: + c3:02:22:13:c2:6e:53:45:f0:16:21:81:e5:d5:b5: + 91:60:8b:d7:5c:bb:c2:70:06:f6:50:41:45:36:7f: + 41:44:89:b6:97:23:be:76:d7:7c:72:7f:ea:f4:19: + 10:17:c3:df:8f:cd:97:20:04:cb:1d:03:6b:09:8f: + d7:7b:84:7d:22:c5:e2:10:cb:cc:11:aa:a1:f5:66: + 85:0e:35:5a:8c:c3:89:61:29:d0:5c:53:2f:09:4b: + 91:7e:ce:e0:12:d3:ce:eb:c9:50:3c:36:f0:a6:b4: + fb:b5:c2:de:61:a0:ac:6f:bc:7e:ef:53:08:9f:b1: + 18:ad:5b:e3:01:23:de:11:a5:1f:7d:d5:b6:f4:72: + 1d:53:75:66:8c:db:61:1e:e9:eb:3c:f3:49:69:82: + b6:20:6b:29:03:a1:be:55:e4:4c:f8:25:a7:a8:a3: + e3:3f:32:1f:ae:a7:2a:9b:6b:56:dd:c9:5a:b1:1a: + 01:a0:13:d2:8e:9a:2c:db:7e:fd:5b:0e:2e:ef:92: + 69:ce:f2:de:ef:d0:2f:09:0e:67 + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + X509v3 Authority Key Identifier: + keyid:AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 39:a8:ef:b1:66:08:50:0b:5e:cb:b2:29:8c:9b:b1:be:21:44: + d6:d8:97:1d:45:dc:52:70:f1:de:ac:74:65:03:6b:af:a0:f0: + 21:61:ce:23:39:33:c8:cb:1e:8f:77:12:1e:5b:99:0c:e1:1b: + 75:cf:1d:d7:12:86:cc:fc:86:90:0f:45:ea:8b:08:47:08:ac: + 56:44:31:f2:c9:23:6b:d5:30:ca:5f:49:b0:4b:8b:36:bd:5c: + 92:fa:86:34:57:80:30:93:29:59:19:a4:dd:f9:91:26:8a:49: + b4:ee:93:aa:e1:b2:06:f6:2f:2a:d9:5b:6d:f9:7c:04:4f:1c: + 7a:cc:8e:39:c2:98:3a:bd:b9:a2:24:82:8f:e4:d8:80:47:73: + 84:6e:bc:20:5c:ac:79:72:a7:6f:e3:c8:3a:9c:cc:83:b1:1f: + e2:65:3b:a1:f5:86:1a:33:53:bc:05:ba:6a:b1:bc:a7:b4:c1: + 44:8c:0a:cc:c2:15:da:c1:dd:dc:31:91:46:5b:48:d8:ea:03: + 78:e1:1f:ce:79:19:c8:6e:d6:3f:4c:f5:3b:b3:e7:2e:b7:46: + 0c:58:cd:ca:56:a6:88:fb:fd:12:d1:27:80:5a:a2:51:96:f8: + 4c:65:8d:71:0b:84:ca:94:f9:9f:c9:38:62:a3:64:cd:91:44: + 50:ed:bb:c0:1d:9b:b8:a4:57:b1:7a:2e:44:57:a5:15:ba:cc: + b3:62:f5:46:aa:cd:fb:53:d3:ed:ef:e3:f4:b2:9b:3f:29:d0: + 00:8c:19:61:48:b6:da:74:27:05:69:7b:df:04:0e:e2:f1:0f: + 1a:fa:92:70:79:78:86:52:60:e1:4d:4e:66:14:ba:86:e2:4e: + dd:e0:d0:f3:c0:2d:6d:3a:16:00:1d:c6:9c:27:6f:a6:5f:21: + 4c:e4:82:14:95:d1:a7:4a:15:13:ba:d8:65:ad:34:a2:93:3a: + d1:49:12:4d:f2:97:f3:e2:8a:83:d2:bf:84:84:c6:87:70:c9: + 38:e0:5f:fe:7f:38 +-----BEGIN CERTIFICATE----- +MIIFjzCCA8agAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgZ0xCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93 +b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t +MB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAyMjc1NVowgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoC +ggGBAMgqQMjrrnwYM8s4Uea3exFPzeo1h2TZssrPSyHEhirHo28VPh7EmwOBSzpd +U2IR4gjfl003PXhiUEAxKnBEGm1pSfx3uPJCCYaaXTnNhHsyijuwT7891AV+wKoo +pc6xKDpZ2RkQOtQfkQcHc1CkK9gYHyL49GQ/E6DYYH5TTDuXcLw25b4xl0VV7aJb +h7UbjmU9txUI0RIaquxOVjVwpz5QZfc+MJwy27Ike4cCKScSNa2OwwIiE8JuU0Xw +FiGB5dW1kWCL11y7wnAG9lBBRTZ/QUSJtpcjvnbXfHJ/6vQZEBfD34/NlyAEyx0D +awmP13uEfSLF4hDLzBGqofVmhQ41WozDiWEp0FxTLwlLkX7O4BLTzuvJUDw28Ka0 ++7XC3mGgrG+8fu9TCJ+xGK1b4wEj3hGlH33VtvRyHVN1ZozbYR7p6zzzSWmCtiBr +KQOhvlXkTPglp6ij4z8yH66nKptrVt3JWrEaAaAT0o6aLNt+/VsOLu+Sac7y3u/Q +LwkOZwIDAQABo2MwYTAdBgNVHQ4EFgQU+ELMiMnIGPnTsCRlBkz/Vau/Dn8wHwYD +VR0jBBgwFoAUqnHTsYpLu0cVR1+b0Ctp0W+FXvYwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAY +BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgFOA4IBgQA5qO+xZghQC17LsimM +m7G+IUTW2JcdRdxScPHerHRlA2uvoPAhYc4jOTPIyx6PdxIeW5kM4Rt1zx3XEobM +/IaQD0XqiwhHCKxWRDHyySNr1TDKX0mwS4s2vVyS+oY0V4AwkylZGaTd+ZEmikm0 +7pOq4bIG9i8q2Vtt+XwETxx6zI45wpg6vbmiJIKP5NiAR3OEbrwgXKx5cqdv48g6 +nMyDsR/iZTuh9YYaM1O8BbpqsbyntMFEjArMwhXawd3cMZFGW0jY6gN44R/OeRnI +btY/TPU7s+cut0YMWM3KVqaI+/0S0SeAWqJRlvhMZY1xC4TKlPmfyThio2TNkURQ +7bvAHZu4pFexei5EV6UVusyzYvVGqs37U9Pt7+P0sps/KdAAjBlhSLbadCcFaXvf +BA7i8Q8a+pJweXiGUmDhTU5mFLqG4k7d4NDzwC1tOhYAHcacJ2+mXyFM5IIUldGn +ShUTuthlrTSikzrRSRJN8pfz4oqD0r+EhMaHcMk44F/+fzg= +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-rsapss-cert.pem b/certs/rsapss/server-rsapss-cert.pem new file mode 100644 index 000000000..881f611aa --- /dev/null +++ b/certs/rsapss/server-rsapss-cert.pem @@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:d7:f7:6c:e1:02:89:cc:9b:74:10:f3:ec:01:cb: + 89:ce:ef:f6:29:62:fc:75:3f:6a:99:ba:d6:88:ec: + ae:b3:20:33:44:d2:06:d7:99:21:bb:f3:40:ce:30: + b0:e1:90:4c:5b:58:75:54:1d:a2:dd:bc:63:01:48: + 43:3b:22:7a:78:2a:65:5b:d8:11:5f:9b:7b:db:21: + 1c:bc:f4:a5:ad:3e:d6:07:41:da:04:1f:ea:78:ec: + 57:f3:53:fd:49:2b:5e:0e:34:02:3b:5e:3e:5f:dc: + 63:da:d4:68:26:1a:61:c9:25:d7:53:16:e7:fb:c0: + a5:2d:59:36:7b:e9:c7:42:cb:9b:15:81:fd:d4:0f: + c5:b7:c6:49:c0:45:77:ea:5b:ac:ca:1e:a5:9c:c1: + 86:1b:f2:9e:ed:66:a0:d1:3b:b6:6f:02:54:69:30: + 0d:ba:55:01:18:c0:5f:7d:b2:ee:a6:bd:89:84:fc: + e8:36:e4:bb:d3:b4:9e:dd:b3:a6:80:32:12:37:30: + 8e:0a:89:54:c5:eb:4b:1c:85:02:2b:f8:26:63:c4: + 23:f8:59:35:18:0e:28:cf:5d:07:49:d8:cc:60:4d: + 3b:fb:27:24:f0:d6:46:0f:c5:5b:16:a5:94:8a:69: + 1a:34:62:cd:e0:32:32:55:b9:16:65:50:11:8b:5e: + 36:83 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 2D:07:69:B0:A1:6F:9F:0C:FA:25:05:B2:CA:97:08:44:DF:0E:97:A8 + X509v3 Authority Key Identifier: + keyid:9E:0C:E0:D3:DF:B6:4B:F3:19:63:5C:CA:6C:93:86:A2:14:53:91:31 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + be:97:50:2b:be:31:97:8f:92:ed:52:c6:86:b7:12:3c:08:c2: + 97:40:2d:58:51:1d:4b:c4:66:1f:9b:ca:06:66:14:7d:ba:c6: + 16:7d:18:fb:28:3c:5a:b0:b1:e7:dd:6e:6f:1e:18:74:8c:9b: + 71:b3:4a:94:26:bf:14:00:ab:1c:0b:a0:ae:91:7c:71:9c:25: + c5:9a:2d:8a:a3:39:2a:3c:fa:e5:66:ea:9a:16:85:4c:5e:f4: + 03:0b:59:1d:13:08:76:22:f0:de:8c:1c:d4:67:01:fc:a4:cd: + 12:1a:73:1d:67:b0:df:7a:53:68:80:04:a9:37:aa:3f:30:ac: + ee:58:c9:d9:ba:78:00:ff:72:0f:d9:98:62:8e:e6:16:37:fb: + 86:35:b6:20:9e:30:72:39:a6:c8:68:07:83:1c:ad:86:fb:1a: + 67:39:18:2a:99:1f:1f:36:94:72:a2:af:a5:fc:ca:1d:16:cf: + 55:b5:86:30:dc:fd:8b:d1:db:38:28:20:fc:64:4b:71:d4:91: + 0a:dc:b9:00:f7:9c:af:99:e4:b6:2b:b7:f3:76:81:92:8b:0f: + f7:4a:7a:15:2f:48:5c:a4:59:57:55:ab:9e:9e:fc:81:b4:64: + 4b:8e:37:b7:00:c9:54:a5:ea:f6:b9:9c:2b:60:12:7d:f5:29: + 41:07:5a:a3 +-----BEGIN CERTIFICATE----- +MIIE/zCCA7egAwIBAgIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDCBsjELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndv +bGZTU0xfUlNBUFNTMRIwEAYDVQQLDAlDQS1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwHhcNMjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIy +NzU1WjCBtjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM +B0JvemVtYW4xFzAVBgNVBAoMDndvbGZTU0xfUlNBUFNTMRYwFAYDVQQLDA1TZXJ2 +ZXItUlNBUFNTMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B +CQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIB +UjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1/ds4QKJzJt0EPPsAcuJzu/2 +KWL8dT9qmbrWiOyusyAzRNIG15khu/NAzjCw4ZBMW1h1VB2i3bxjAUhDOyJ6eCpl +W9gRX5t72yEcvPSlrT7WB0HaBB/qeOxX81P9SSteDjQCO14+X9xj2tRoJhphySXX +Uxbn+8ClLVk2e+nHQsubFYH91A/Ft8ZJwEV36lusyh6lnMGGG/Ke7Wag0Tu2bwJU +aTANulUBGMBffbLupr2JhPzoNuS707Se3bOmgDISNzCOColUxetLHIUCK/gmY8Qj ++Fk1GA4oz10HSdjMYE07+yck8NZGD8VbFqWUimkaNGLN4DIyVbkWZVARi142gwID +AQABo4GJMIGGMB0GA1UdDgQWBBQtB2mwoW+fDPolBbLKlwhE3w6XqDAfBgNVHSME +GDAWgBSeDODT37ZL8xljXMpsk4aiFFORMTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB +/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMCBkAw +PQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJ +YIZIAWUDBAIBogMCASADggEBAL6XUCu+MZePku1Sxoa3EjwIwpdALVhRHUvEZh+b +ygZmFH26xhZ9GPsoPFqwsefdbm8eGHSMm3GzSpQmvxQAqxwLoK6RfHGcJcWaLYqj +OSo8+uVm6poWhUxe9AMLWR0TCHYi8N6MHNRnAfykzRIacx1nsN96U2iABKk3qj8w +rO5Yydm6eAD/cg/ZmGKO5hY3+4Y1tiCeMHI5pshoB4McrYb7Gmc5GCqZHx82lHKi +r6X8yh0Wz1W1hjDc/YvR2zgoIPxkS3HUkQrcuQD3nK+Z5LYrt/N2gZKLD/dKehUv +SFykWVdVq56e/IG0ZEuON7cAyVSl6va5nCtgEn31KUEHWqM= +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-rsapss-key.der b/certs/rsapss/server-rsapss-key.der new file mode 100644 index 000000000..392cb4ff9 Binary files /dev/null and b/certs/rsapss/server-rsapss-key.der differ diff --git a/certs/rsapss/server-rsapss-key.pem b/certs/rsapss/server-rsapss-key.pem new file mode 100644 index 000000000..77c877a08 --- /dev/null +++ b/certs/rsapss/server-rsapss-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PUBLIC KEY----- +MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEB +CDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1/ds4QKJzJt0EPPsAcuJ +zu/2KWL8dT9qmbrWiOyusyAzRNIG15khu/NAzjCw4ZBMW1h1VB2i3bxjAUhDOyJ6 +eCplW9gRX5t72yEcvPSlrT7WB0HaBB/qeOxX81P9SSteDjQCO14+X9xj2tRoJhph +ySXXUxbn+8ClLVk2e+nHQsubFYH91A/Ft8ZJwEV36lusyh6lnMGGG/Ke7Wag0Tu2 +bwJUaTANulUBGMBffbLupr2JhPzoNuS707Se3bOmgDISNzCOColUxetLHIUCK/gm +Y8Qj+Fk1GA4oz10HSdjMYE07+yck8NZGD8VbFqWUimkaNGLN4DIyVbkWZVARi142 +gwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/server-rsapss-priv.der b/certs/rsapss/server-rsapss-priv.der new file mode 100644 index 000000000..4c3ea7590 Binary files /dev/null and b/certs/rsapss/server-rsapss-priv.der differ diff --git a/certs/rsapss/server-rsapss-priv.pem b/certs/rsapss/server-rsapss-priv.pem new file mode 100644 index 000000000..4ee84357a --- /dev/null +++ b/certs/rsapss/server-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7gIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKgwggSkAgEAAoIBAQDX92zhAonMm3QQ +8+wBy4nO7/YpYvx1P2qZutaI7K6zIDNE0gbXmSG780DOMLDhkExbWHVUHaLdvGMB +SEM7Inp4KmVb2BFfm3vbIRy89KWtPtYHQdoEH+p47FfzU/1JK14ONAI7Xj5f3GPa +1GgmGmHJJddTFuf7wKUtWTZ76cdCy5sVgf3UD8W3xknARXfqW6zKHqWcwYYb8p7t +ZqDRO7ZvAlRpMA26VQEYwF99su6mvYmE/Og25LvTtJ7ds6aAMhI3MI4KiVTF60sc +hQIr+CZjxCP4WTUYDijPXQdJ2MxgTTv7JyTw1kYPxVsWpZSKaRo0Ys3gMjJVuRZl +UBGLXjaDAgMBAAECggEARZ4GxQnSbdh2s7hNjc6U39ZOnczA4PLOZDvsSDsznZ51 +qGujtQAx9apWa6Eag7vGQXPkbncXNy8xIwquUXOt0uqnvdGK2C0A4gRshSS/+3bT ++4boxoebR9u4BkI+1cVbDm0JgyXAKZqbvcDWyeGbQAIoxSoPIgJZvKKTg6I6j3cH +KyVYARmQTWbfVcupY/BlFIw3kSpLU3EYPNjF4hBDiEMsp6CpgipIipY6W2HjWHp1 +YS55S6meflkGnikjzXMcptQkaKA3uJmHgNviwZb1z8si5gvUsAA1TbnekVzSCt95 +8aRGZfHFi39CAJ+SZPL+hOHLR1QnDvqFMm/UxKlMMQKBgQDvSlU0j9rt/xZXWF0F +ZfVzRrU6fCDhHhIUu7ujcIvsIl/rAdnDTHZN12vUPI08VtPI5oxNDly95q683rNm +d17YicbKQFRdxRjdG9RCM0JzIbBUzLlbprCEDixi8enyIGkjjxVwA8oEhquAo+if +GUimrwc+/BhAC8JnHvF2nCC+/QKBgQDnDCTrgYDaQSS0bXIjqNontoh2eifAbfYd +A3yqszsseJ0FNEf0KjTyKP0Kz5OYi5uLyi/RlvYj+d+m0qDupPauQEVZGIEb1NG/ +9mwFxrcc9uMiyv0M5Zzh7QrIUX5oJwHGJzad8rFUl/KZCbTaDKdUFsRf+005Yd1t +2f//0jSDfwKBgQCq1HNd0fFnBTwq4S+Pggmn4WvSM/m5HSGlYZ0Egn2x95xohuqy +zWyMB+W4H/5ofEg33bd972nwPLa0qXyEA2ZXyox7qU9Rnjsw5wQyuquOzBc5guo1 +bxwHOqMfhDsTG2ZT93tDe8EGWCop7VpN8tv1+3B927VoS7zep62UksOh9QKBgHPc +QydV6aeIwz83IuV+5ubDQesnloeInMIv3XQ8LJBAa30QmoR2JdbJdxrUvM7iMz4G +RbR0XznrM5wUQ19omcsHr77d6uBp+ESq7cB3xZtgssXfxMWS3vjsRVvugdT4uosD +XwAVk5c4Gw9jLq2par9gK1l2S2NbEA7mItnGL09BAoGBANvLVWSr7kXEsyH23OX1 +XWbbpBK+OW1zzXsfglkpNkqaxI7OtOghhBOeQC4q/8xOInjNjp7fYpkquEawMobo +cyijj+IotP9pak1vk6tf31UkFtNyCJIM8UwUV/oiFTHFW2h6QOrSLgKnPbetWZH4 +7UAAE0VzM7MI7XIdSObbjpr4 +-----END PRIVATE KEY----- diff --git a/certs/rsapss/server-rsapss.der b/certs/rsapss/server-rsapss.der new file mode 100644 index 000000000..9ce45f787 Binary files /dev/null and b/certs/rsapss/server-rsapss.der differ diff --git a/certs/rsapss/server-rsapss.pem b/certs/rsapss/server-rsapss.pem new file mode 100644 index 000000000..479bdbca4 --- /dev/null +++ b/certs/rsapss/server-rsapss.pem @@ -0,0 +1,207 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:d7:f7:6c:e1:02:89:cc:9b:74:10:f3:ec:01:cb: + 89:ce:ef:f6:29:62:fc:75:3f:6a:99:ba:d6:88:ec: + ae:b3:20:33:44:d2:06:d7:99:21:bb:f3:40:ce:30: + b0:e1:90:4c:5b:58:75:54:1d:a2:dd:bc:63:01:48: + 43:3b:22:7a:78:2a:65:5b:d8:11:5f:9b:7b:db:21: + 1c:bc:f4:a5:ad:3e:d6:07:41:da:04:1f:ea:78:ec: + 57:f3:53:fd:49:2b:5e:0e:34:02:3b:5e:3e:5f:dc: + 63:da:d4:68:26:1a:61:c9:25:d7:53:16:e7:fb:c0: + a5:2d:59:36:7b:e9:c7:42:cb:9b:15:81:fd:d4:0f: + c5:b7:c6:49:c0:45:77:ea:5b:ac:ca:1e:a5:9c:c1: + 86:1b:f2:9e:ed:66:a0:d1:3b:b6:6f:02:54:69:30: + 0d:ba:55:01:18:c0:5f:7d:b2:ee:a6:bd:89:84:fc: + e8:36:e4:bb:d3:b4:9e:dd:b3:a6:80:32:12:37:30: + 8e:0a:89:54:c5:eb:4b:1c:85:02:2b:f8:26:63:c4: + 23:f8:59:35:18:0e:28:cf:5d:07:49:d8:cc:60:4d: + 3b:fb:27:24:f0:d6:46:0f:c5:5b:16:a5:94:8a:69: + 1a:34:62:cd:e0:32:32:55:b9:16:65:50:11:8b:5e: + 36:83 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 2D:07:69:B0:A1:6F:9F:0C:FA:25:05:B2:CA:97:08:44:DF:0E:97:A8 + X509v3 Authority Key Identifier: + keyid:9E:0C:E0:D3:DF:B6:4B:F3:19:63:5C:CA:6C:93:86:A2:14:53:91:31 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + be:97:50:2b:be:31:97:8f:92:ed:52:c6:86:b7:12:3c:08:c2: + 97:40:2d:58:51:1d:4b:c4:66:1f:9b:ca:06:66:14:7d:ba:c6: + 16:7d:18:fb:28:3c:5a:b0:b1:e7:dd:6e:6f:1e:18:74:8c:9b: + 71:b3:4a:94:26:bf:14:00:ab:1c:0b:a0:ae:91:7c:71:9c:25: + c5:9a:2d:8a:a3:39:2a:3c:fa:e5:66:ea:9a:16:85:4c:5e:f4: + 03:0b:59:1d:13:08:76:22:f0:de:8c:1c:d4:67:01:fc:a4:cd: + 12:1a:73:1d:67:b0:df:7a:53:68:80:04:a9:37:aa:3f:30:ac: + ee:58:c9:d9:ba:78:00:ff:72:0f:d9:98:62:8e:e6:16:37:fb: + 86:35:b6:20:9e:30:72:39:a6:c8:68:07:83:1c:ad:86:fb:1a: + 67:39:18:2a:99:1f:1f:36:94:72:a2:af:a5:fc:ca:1d:16:cf: + 55:b5:86:30:dc:fd:8b:d1:db:38:28:20:fc:64:4b:71:d4:91: + 0a:dc:b9:00:f7:9c:af:99:e4:b6:2b:b7:f3:76:81:92:8b:0f: + f7:4a:7a:15:2f:48:5c:a4:59:57:55:ab:9e:9e:fc:81:b4:64: + 4b:8e:37:b7:00:c9:54:a5:ea:f6:b9:9c:2b:60:12:7d:f5:29: + 41:07:5a:a3 +-----BEGIN CERTIFICATE----- +MIIE/zCCA7egAwIBAgIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDCBsjELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndv +bGZTU0xfUlNBUFNTMRIwEAYDVQQLDAlDQS1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwHhcNMjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIy +NzU1WjCBtjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM +B0JvemVtYW4xFzAVBgNVBAoMDndvbGZTU0xfUlNBUFNTMRYwFAYDVQQLDA1TZXJ2 +ZXItUlNBUFNTMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B +CQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIB +UjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1/ds4QKJzJt0EPPsAcuJzu/2 +KWL8dT9qmbrWiOyusyAzRNIG15khu/NAzjCw4ZBMW1h1VB2i3bxjAUhDOyJ6eCpl +W9gRX5t72yEcvPSlrT7WB0HaBB/qeOxX81P9SSteDjQCO14+X9xj2tRoJhphySXX +Uxbn+8ClLVk2e+nHQsubFYH91A/Ft8ZJwEV36lusyh6lnMGGG/Ke7Wag0Tu2bwJU +aTANulUBGMBffbLupr2JhPzoNuS707Se3bOmgDISNzCOColUxetLHIUCK/gmY8Qj ++Fk1GA4oz10HSdjMYE07+yck8NZGD8VbFqWUimkaNGLN4DIyVbkWZVARi142gwID +AQABo4GJMIGGMB0GA1UdDgQWBBQtB2mwoW+fDPolBbLKlwhE3w6XqDAfBgNVHSME +GDAWgBSeDODT37ZL8xljXMpsk4aiFFORMTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB +/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMCBkAw +PQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJ +YIZIAWUDBAIBogMCASADggEBAL6XUCu+MZePku1Sxoa3EjwIwpdALVhRHUvEZh+b +ygZmFH26xhZ9GPsoPFqwsefdbm8eGHSMm3GzSpQmvxQAqxwLoK6RfHGcJcWaLYqj +OSo8+uVm6poWhUxe9AMLWR0TCHYi8N6MHNRnAfykzRIacx1nsN96U2iABKk3qj8w +rO5Yydm6eAD/cg/ZmGKO5hY3+4Y1tiCeMHI5pshoB4McrYb7Gmc5GCqZHx82lHKi +r6X8yh0Wz1W1hjDc/YvR2zgoIPxkS3HUkQrcuQD3nK+Z5LYrt/N2gZKLD/dKehUv +SFykWVdVq56e/IG0ZEuON7cAyVSl6va5nCtgEn31KUEHWqM= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:d6:0e:c7:50:4d:29:f5:a8:a2:d4:29:5b:58:f2: + bc:2d:27:de:88:49:1a:84:19:2b:84:8d:94:d1:78: + 12:d6:7b:14:d8:d2:82:24:95:ab:fe:4f:55:fb:e0: + 55:fc:39:37:7b:41:80:b4:98:6f:7f:c5:b7:3e:37: + f8:5f:1d:2f:12:31:88:f9:8b:3b:00:85:e6:36:a5: + 17:3f:9a:a4:be:48:ff:7a:36:22:2c:23:d4:9f:5b: + 52:d1:17:d1:c1:f2:69:19:d8:32:c5:f7:79:ec:83: + 19:87:e3:13:a0:43:5e:b1:e9:03:ed:b4:08:cd:7b: + 14:68:0f:25:4f:90:f0:04:a7:bb:08:89:08:dc:76: + 4e:70:49:04:41:4d:bf:b7:7f:77:79:6a:ef:68:4b: + 62:97:8e:33:91:32:2a:e3:63:15:47:f6:61:a4:26: + db:02:04:b6:57:c0:a7:f0:aa:ec:20:72:91:c3:32: + ab:98:7f:84:c6:e8:5f:d6:e0:1a:d2:24:b1:c7:50: + bb:73:87:de:2a:c3:e2:c4:60:32:b8:e4:5a:5b:b5: + e4:29:8c:8b:28:6b:bb:1a:dc:3c:fe:b9:ef:9e:89: + 28:60:ba:a4:40:66:d5:bb:e0:62:7f:a7:2b:e1:0f: + 38:e6:33:ea:b2:10:0e:14:c8:3f:87:9f:ff:8b:28: + cc:1d + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 9E:0C:E0:D3:DF:B6:4B:F3:19:63:5C:CA:6C:93:86:A2:14:53:91:31 + X509v3 Authority Key Identifier: + keyid:64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + 32:66:7b:22:4b:80:fc:7a:81:5a:11:1d:1b:d8:a6:26:a9:38: + 6f:f8:c5:cb:80:47:0c:08:cc:12:a4:7a:17:8e:d6:a5:a8:cb: + df:ea:b7:77:b4:df:e5:92:ba:7f:9b:a2:71:0d:7d:7a:36:29: + bd:03:7b:52:65:0d:79:ae:c3:ac:e8:a4:75:c6:28:c0:05:33: + 51:f4:85:37:0e:9c:03:dc:51:3d:5d:55:88:17:da:b5:c5:b1: + 91:a5:a9:40:91:07:a3:0c:17:75:f9:fa:52:43:94:21:40:24: + 8c:31:f3:4a:5e:96:86:20:9b:37:87:a4:56:ac:4f:ac:e6:a6: + 0c:05:cc:62:b2:0a:62:63:04:5f:dc:52:46:db:12:5e:16:2b: + 62:00:fa:30:5f:04:33:28:0c:a6:6c:49:cb:35:ad:f4:d5:57: + cb:16:7c:f4:8c:99:22:e4:e1:f4:97:e4:df:b2:1f:62:8f:50: + 2e:43:aa:cf:c7:86:ae:da:7f:b7:eb:16:cb:28:c2:bc:80:7b: + f2:7f:16:60:88:0e:49:aa:d3:2a:92:54:38:a4:09:be:79:e1: + 1d:6f:b1:95:0c:02:f9:e7:f4:4b:b8:44:4a:e2:db:02:08:b3: + e6:79:d5:d0:bd:34:8f:cc:8e:19:28:48:07:7b:d0:b2:31:ba: + db:e2:e0:3f +-----BEGIN CERTIFICATE----- +MIIEvzCCA3egAwIBAgIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDCBnTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xGDAWBgNVBAoMD3dv +bGZTU0xfUlNBLVBTUzEVMBMGA1UECwwMUm9vdC1SU0EtUFNTMRgwFgYDVQQDDA93 +d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w +HhcNMjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIyNzU1WjCBsjELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndv +bGZTU0xfUlNBUFNTMRIwEAYDVQQLDAlDQS1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEK +AoIBAQDWDsdQTSn1qKLUKVtY8rwtJ96ISRqEGSuEjZTReBLWexTY0oIklav+T1X7 +4FX8OTd7QYC0mG9/xbc+N/hfHS8SMYj5izsAheY2pRc/mqS+SP96NiIsI9SfW1LR +F9HB8mkZ2DLF93nsgxmH4xOgQ16x6QPttAjNexRoDyVPkPAEp7sIiQjcdk5wSQRB +Tb+3f3d5au9oS2KXjjORMirjYxVH9mGkJtsCBLZXwKfwquwgcpHDMquYf4TG6F/W +4BrSJLHHULtzh94qw+LEYDK45FpbteQpjIsoa7sa3Dz+ue+eiShguqRAZtW74GJ/ +pyvhDzjmM+qyEA4UyD+Hn/+LKMwdAgMBAAGjYzBhMB0GA1UdDgQWBBSeDODT37ZL +8xljXMpsk4aiFFORMTAfBgNVHSMEGDAWgBRk1eyCh4DeWu1JmNgMVH1GnqU81jAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjA9BgkqhkiG9w0BAQowMKAN +MAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOC +AQEAMmZ7IkuA/HqBWhEdG9imJqk4b/jFy4BHDAjMEqR6F47WpajL3+q3d7Tf5ZK6 +f5uicQ19ejYpvQN7UmUNea7DrOikdcYowAUzUfSFNw6cA9xRPV1ViBfatcWxkaWp +QJEHowwXdfn6UkOUIUAkjDHzSl6WhiCbN4ekVqxPrOamDAXMYrIKYmMEX9xSRtsS +XhYrYgD6MF8EMygMpmxJyzWt9NVXyxZ89IyZIuTh9Jfk37IfYo9QLkOqz8eGrtp/ +t+sWyyjCvIB78n8WYIgOSarTKpJUOKQJvnnhHW+xlQwC+ef0S7hESuLbAgiz5nnV +0L00j8yOGShIB3vQsjG62+LgPw== +-----END CERTIFICATE----- diff --git a/configure.ac b/configure.ac index cb928462c..e4d19a54e 100644 --- a/configure.ac +++ b/configure.ac @@ -3574,7 +3574,7 @@ else fi if test "$ENABLED_RSAPSS" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS" + AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT" fi diff --git a/src/internal.c b/src/internal.c index 9ba84e1e8..04aa8220b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12537,6 +12537,9 @@ static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args) switch (args->dCert->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: if (ssl->options.minRsaKeySz < 0 || args->dCert->pubKeySize < @@ -13612,6 +13615,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* decode peer key */ switch (args->dCert->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: { word32 keyIdx = 0; diff --git a/src/ssl.c b/src/ssl.c index d70ad7124..e9a2ed7ce 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5113,7 +5113,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) /* check CA key size */ if (verify) { switch (cert->keyOID) { - #ifndef NO_RSA + #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: if (cm->minRsaKeySz < 0 || cert->pubKeySize < (word16)cm->minRsaKeySz) { @@ -5121,7 +5124,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) WOLFSSL_MSG("\tCA RSA key size error"); } break; - #endif /* !NO_RSA */ + #endif /* !NO_RSA */ #ifdef HAVE_ECC case ECDSAk: if (cm->minEccKeySz < 0 || @@ -6519,6 +6522,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, else if (cert->keyOID == RSAk) { ssl->options.haveRSA = 1; } + #ifdef WC_RSA_PSS + else if (cert->keyOID == RSAPSSk) { + ssl->options.haveRSA = 1; + } + #endif #endif #ifdef HAVE_ED25519 else if (cert->keyOID == ED25519k) { @@ -6552,6 +6560,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, else if (cert->keyOID == RSAk) { ctx->haveRSA = 1; } + #ifdef WC_RSA_PSS + else if (cert->keyOID == RSAPSSk) { + ctx->haveRSA = 1; + } + #endif #endif #ifdef HAVE_ED25519 else if (cert->keyOID == ED25519k) { @@ -6578,6 +6591,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, /* check key size of cert unless specified not to */ switch (cert->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: #ifdef WOLF_PRIVATE_KEY_ID keyType = rsa_sa_algo; @@ -8405,6 +8421,11 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, if (der->keyOID == RSAk) { type = DYNAMIC_TYPE_RSA; } + #ifdef WC_RSA_PSS + if (der->keyOID == RSAPSSk) { + type = DYNAMIC_TYPE_RSA; + } + #endif #endif #ifdef HAVE_ECC if (der->keyOID == ECDSAk) { @@ -8417,7 +8438,11 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, #ifdef WOLF_CRYPTO_CB if (ret == 0) { #ifndef NO_RSA - if (der->keyOID == RSAk) { + if (der->keyOID == RSAk + #ifdef WC_RSA_PSS + || der->keyOID == RSAPSSk + #endif + ) { ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der->publicKey, der->pubKeySize); } @@ -8435,7 +8460,11 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, #endif if (pkey != NULL) { #ifndef NO_RSA - if (der->keyOID == RSAk) { + if (der->keyOID == RSAk + #ifdef WC_RSA_PSS + || der->keyOID == RSAPSSk + #endif + ) { wc_FreeRsaKey((RsaKey*)pkey); } #endif @@ -9195,7 +9224,11 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, WOLFSSL_MSG("Found PKCS8 header"); pkcs8HeaderSz = (word16)idx; - if ((type == EVP_PKEY_RSA && algId != RSAk) || + if ((type == EVP_PKEY_RSA && algId != RSAk + #ifdef WC_RSA_PSS + && algId != RSAPSSk + #endif + ) || (type == EVP_PKEY_EC && algId != ECDSAk) || (type == EVP_PKEY_DSA && algId != DSAk) || (type == EVP_PKEY_DH && algId != DHk)) { @@ -29465,9 +29498,14 @@ int wolfSSL_ASN1_STRING_canon(WOLFSSL_ASN1_STRING* asn_out, /* Update the available options with public keys. */ switch (x->pubKeyOID) { + #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: ctx->haveRSA = 1; break; + #endif #ifdef HAVE_ED25519 case ED25519k: #endif diff --git a/tests/api.c b/tests/api.c index 6b4cad62e..5756d82a9 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2378,6 +2378,62 @@ static int test_wolfSSL_FPKI(void) return 0; } +static int test_wolfSSL_CertRsaPss(void) +{ +/* FIPS v2 and below don't support long salts. */ +#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ + (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) + XFILE f; + const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; + const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; +#ifdef WOLFSSL_SHA384 + const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; + const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; +#endif + DecodedCert cert; + byte buf[4096]; + int bytes; + WOLFSSL_CERT_MANAGER* cm; + + printf(testingFmt, "test_CertRsaPss"); + + cm = wolfSSL_CertManagerNew(); + AssertNotNull(cm); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL)); +#ifdef WOLFSSL_SHA384 + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL)); +#endif + + f = XFOPEN(rsaPssSha256Cert, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + wc_InitDecodedCert(&cert, buf, bytes, NULL); + AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); + wc_FreeDecodedCert(&cert); + +#ifdef WOLFSSL_SHA384 + f = XFOPEN(rsaPssSha384Cert, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + wc_InitDecodedCert(&cert, buf, bytes, NULL); + AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); + wc_FreeDecodedCert(&cert); +#endif + + wolfSSL_CertManagerFree(cm); + + printf(resultFmt, passed); +#endif + + return 0; +} + static int test_wolfSSL_CertManagerCRL(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ @@ -18523,6 +18579,12 @@ static int test_wc_RsaPublicKeyDecode(void) int bytes = 0; word32 keySz = 0; word32 tstKeySz = 0; +#if defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) + XFILE f; + const char* rsaPssPubKey = "./certs/rsapss/ca-rsapss-key.der"; + const char* rsaPssPubKeyNoParams = "./certs/rsapss/ca-3072-rsapss-key.der"; + byte buf[4096]; +#endif tmp = (byte*)XMALLOC(GEN_BUF, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { @@ -18592,6 +18654,23 @@ static int test_wc_RsaPublicKeyDecode(void) ret = (ret == 0 && tstKeySz == keySz/8) ? 0 : WOLFSSL_FATAL_ERROR; } +#if defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) + f = XFOPEN(rsaPssPubKey, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + idx = 0; + AssertIntEQ(wc_RsaPublicKeyDecode_ex(buf, &idx, bytes, NULL, NULL, NULL, + NULL), 0); + f = XFOPEN(rsaPssPubKeyNoParams, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + idx = 0; + AssertIntEQ(wc_RsaPublicKeyDecode_ex(buf, &idx, bytes, NULL, NULL, NULL, + NULL), 0); +#endif + if (tmp != NULL) { XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); } @@ -57044,6 +57123,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_CertManagerNameConstraint4), TEST_DECL(test_wolfSSL_CertManagerNameConstraint5), TEST_DECL(test_wolfSSL_FPKI), + TEST_DECL(test_wolfSSL_CertRsaPss), TEST_DECL(test_wolfSSL_CertManagerCRL), TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex), TEST_DECL(test_wolfSSL_CTX_load_verify_buffer_ex), diff --git a/tests/include.am b/tests/include.am index 8fd30f617..77a4a1ca9 100644 --- a/tests/include.am +++ b/tests/include.am @@ -48,6 +48,7 @@ EXTRA_DIST += tests/unit.h \ tests/test-sctp.conf \ tests/test-sctp-sha2.conf \ tests/test-sig.conf \ + tests/test-rsapss.conf \ tests/test-ed25519.conf \ tests/test-ed448.conf \ tests/test-enckeys.conf \ diff --git a/tests/suites.c b/tests/suites.c index fa31b98b7..5add18ab0 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -916,6 +916,20 @@ int SuiteTest(int argc, char** argv) } #endif #endif +#if defined(WC_RSA_PSS) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) && \ + (!defined(HAVE_SELFTEST) || (defined(HAVE_SELFTEST_VERSION) && \ + (HAVE_SELFTEST_VERSION > 2))) + /* add RSA-PSS certificate cipher suite tests */ + XSTRLCPY(argv0[1], "tests/test-rsapss.conf", sizeof(argv0[1])); + printf("starting RSA-PSS extra cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } +#endif #if defined(HAVE_CURVE25519) && defined(HAVE_ED25519) && \ defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_VERIFY) && \ defined(HAVE_ED25519_KEY_IMPORT) && defined(HAVE_ED25519_KEY_EXPORT) diff --git a/tests/test-rsapss.conf b/tests/test-rsapss.conf new file mode 100644 index 000000000..642feaae2 --- /dev/null +++ b/tests/test-rsapss.conf @@ -0,0 +1,74 @@ +# server TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-d + +# client TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-A ./certs/rsapss/root-rsapss.pem +-C + +# server TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-A ./certs/rsapss/client-rsapss.pem +-V + +# client TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-c ./certs/rsapss/client-rsapss.pem +-k ./certs/rsapss/client-rsapss-priv.pem +-A ./certs/rsapss/root-rsapss.pem +-C + +# server TLSv1.2 - RSA PSS SHA384 MGF1 SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-c ./certs/rsapss/server-3072-rsapss.pem +-k ./certs/rsapss/server-3072-rsapss-priv.pem +-A ./certs/rsapss/client-3072-rsapss.pem +-V + +# client TLSv1.2 - RSA PSS SHA384 MGF1 SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-c ./certs/rsapss/client-3072-rsapss.pem +-k ./certs/rsapss/client-3072-rsapss-priv.pem +-A ./certs/rsapss/root-3072-rsapss.pem +-C + +# server TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-d + +# client TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-A ./certs/rsapss/root-rsapss.pem +-C + +# server TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-A ./certs/rsapss/client-rsapss.pem +-V + +# client TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-c ./certs/rsapss/client-rsapss.pem +-k ./certs/rsapss/client-rsapss-priv.pem +-A ./certs/rsapss/root-rsapss.pem +-C + diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2c35cca5d..4d352b71c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2564,6 +2564,53 @@ static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx) *inOutIdx = idx; return b; } + +#ifdef WC_RSA_PSS +/* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than + * 16 bits. + * + * input Buffer holding DER/BER encoded data. + * inOutIdx Current index into buffer to parse. + * maxIdx Length of data in buffer. + * returns BUFFER_E when there is not enough data to parse. + * ASN_PARSE_E when the INTEGER tag is not found or length is invalid. + * Otherwise, the 16-bit value. + */ +static int GetInteger16Bit(const byte* input, word32* inOutIdx, word32 maxIdx) +{ + word32 idx = *inOutIdx; + byte tag; + word16 n; + + if ((idx + 2) > maxIdx) + return BUFFER_E; + + if (GetASNTag(input, &idx, &tag, maxIdx) != 0) + return ASN_PARSE_E; + if (tag != ASN_INTEGER) + return ASN_PARSE_E; + if (input[idx] == 1) { + idx++; + if ((idx + 1) > maxIdx) { + return ASN_PARSE_E; + } + n = input[idx++]; + } + else if (input[idx] == 2) { + idx++; + if ((idx + 2) > maxIdx) { + return ASN_PARSE_E; + } + n = input[idx++]; + n = (n << 8) | input[idx++]; + } + else + return ASN_PARSE_E; + + *inOutIdx = idx; + return n; +} +#endif #endif /* !NO_CERTS */ #endif /* !WOLFSSL_ASN_TEMPLATE */ @@ -2607,6 +2654,9 @@ static const char sigSha256wDsaName[] = "SHA256wDSA"; static const char sigSha3_512wRsaName[] = "sha3_512WithRSAEncryption"; #endif #endif +#ifdef WC_RSA_PSS + static const char sigRsaSsaPssName[] = "rsassaPss"; +#endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -2701,6 +2751,10 @@ const char* GetSigName(int oid) { return sigSha3_512wRsaName; #endif #endif + #ifdef WC_RSA_PSS + case CTC_RSASSAPSS: + return sigRsaSsaPssName; + #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -3885,6 +3939,9 @@ static word32 SetBitString16Bit(word16 val, byte* output) static const byte sigSha3_512wRsaOid[] = {96, 134, 72, 1, 101, 3, 4, 3, 16}; #endif #endif + #ifdef WC_RSA_PSS + static const byte sigRsaSsaPssOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 10}; + #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -3937,6 +3994,9 @@ static word32 SetBitString16Bit(word16 val, byte* output) #endif /* NO_DSA */ #ifndef NO_RSA static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; +#ifdef WC_RSA_PSS + static const byte keyRsaPssOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 10}; +#endif #endif /* NO_RSA */ #ifdef HAVE_ECC static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; @@ -4131,7 +4191,8 @@ static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; /* csrAttrType */ #define CSR_ATTR_TYPE_OID_BASE(num) {42, 134, 72, 134, 247, 13, 1, 9, num} #if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \ - defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_ASN_TEMPLATE) static const byte attrEmailOid[] = CSR_ATTR_TYPE_OID_BASE(1); #endif #ifdef WOLFSSL_CERT_REQ @@ -4183,7 +4244,11 @@ static const byte dnsSRVOid[] = {43, 6, 1, 5, 5, 7, 8, 7}; defined(WOLFSSL_ASN_TEMPLATE) /* Pilot attribute types (0.9.2342.19200300.100.1.*) */ static const byte uidOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 1}; /* user id */ +#endif +#if defined(WOLFSSL_CERT_GEN) || \ + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_ASN_TEMPLATE) static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* domain component */ #endif @@ -4377,6 +4442,12 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) break; #endif #endif + #ifdef WC_RSA_PSS + case CTC_RSASSAPSS: + oid = sigRsaSsaPssOid; + *oidSz = sizeof(sigRsaSsaPssOid); + break; + #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -4471,12 +4542,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) *oidSz = sizeof(keyDsaOid); break; #endif /* NO_DSA */ - #ifndef NO_RSA + #ifndef NO_RSA case RSAk: oid = keyRsaOid; *oidSz = sizeof(keyRsaOid); break; - #endif /* NO_RSA */ + #ifdef WC_RSA_PSS + case RSAPSSk: + oid = keyRsaPssOid; + *oidSz = sizeof(keyRsaPssOid); + break; + #endif + #endif /* NO_RSA */ #ifdef HAVE_ECC case ECDSAk: oid = keyEcdsaOid; @@ -5606,8 +5683,8 @@ int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, /* Set OID type expected. */ GetASN_OID(&dataASN[ALGOIDASN_IDX_OID], oidType); /* Decode the algorithm identifier. */ - ret = GetASN_Items(algoIdASN, dataASN, algoIdASN_Length, 0, input, inOutIdx, - maxIdx); + ret = GetASN_Items(algoIdASN, dataASN, algoIdASN_Length, 0, input, + inOutIdx, maxIdx); } if (ret == 0) { /* Return the OID id/sum. */ @@ -5621,6 +5698,349 @@ int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, #ifndef NO_RSA +#ifdef WC_RSA_PSS +/* RFC 8017 - PKCS #1 has RSA PSS parameter ASN definition. */ + +/* Convert a hash OID to a hash type. + * + * @param [in] oid Hash OID. + * @param [out] type Hash type. + * @return 0 on success. + * @return ASN_PARSE_E when hash OID not supported for RSA PSS. + */ +static int RsaPssHashOidToType(word32 oid, enum wc_HashType* type) +{ + int ret = 0; + + switch (oid) { + /* SHA-1 is missing as it is the default is not allowed to appear. */ +#ifdef WOLFSSL_SHA224 + case SHA224h: + *type = WC_HASH_TYPE_SHA224; + break; +#endif +#ifndef NO_SHA256 + case SHA256h: + *type = WC_HASH_TYPE_SHA256; + break; +#endif +#ifdef WOLFSSL_SHA384 + case SHA384h: + *type = WC_HASH_TYPE_SHA384; + break; +#endif +#ifdef WOLFSSL_SHA512 + case SHA512h: + *type = WC_HASH_TYPE_SHA512; + break; + /* TODO: SHA512_224h */ + /* TODO: SHA512_256h */ +#endif + default: + ret = ASN_PARSE_E; + break; + } + + return ret; +} + +/* Convert a hash OID to a MGF1 type. + * + * @param [in] oid Hash OID. + * @param [out] mgf MGF type. + * @return 0 on success. + * @return ASN_PARSE_E when hash OID not supported for RSA PSS. + */ +static int RsaPssHashOidToMgf1(word32 oid, int* mgf) +{ + int ret = 0; + + switch (oid) { + /* SHA-1 is missing as it is the default is not allowed to appear. */ +#ifdef WOLFSSL_SHA224 + case SHA224h: + *mgf = WC_MGF1SHA224; + break; +#endif +#ifndef NO_SHA256 + case SHA256h: + *mgf = WC_MGF1SHA256; + break; +#endif +#ifdef WOLFSSL_SHA384 + case SHA384h: + *mgf = WC_MGF1SHA384; + break; +#endif +#ifdef WOLFSSL_SHA512 + case SHA512h: + *mgf = WC_MGF1SHA512; + break; + /* TODO: SHA512_224h */ + /* TODO: SHA512_256h */ +#endif + default: + ret = ASN_PARSE_E; + break; + } + + return ret; +} + +/* Convert a hash OID to a fake signature OID. + * + * @param [in] oid Hash OID. + * @param [out] sigOid Signature OID to pass wto HashForSignature(). + * @return 0 on success. + * @return ASN_PARSE_E when hash OID not supported for RSA PSS. + */ +static int RsaPssHashOidToSigOid(word32 oid, word32* sigOid) +{ + int ret = 0; + + switch (oid) { +#ifndef NO_SHA + case WC_HASH_TYPE_SHA: + *sigOid = CTC_SHAwRSA; + break; +#endif +#ifdef WOLFSSL_SHA224 + case WC_HASH_TYPE_SHA224: + *sigOid = CTC_SHA224wRSA; + break; +#endif +#ifndef NO_SHA256 + case WC_HASH_TYPE_SHA256: + *sigOid = CTC_SHA256wRSA; + break; +#endif +#ifdef WOLFSSL_SHA384 + case WC_HASH_TYPE_SHA384: + *sigOid = CTC_SHA384wRSA; + break; +#endif +#ifdef WOLFSSL_SHA512 + case WC_HASH_TYPE_SHA512: + *sigOid = CTC_SHA512wRSA; + break; +#endif + /* TODO: SHA512_224h */ + /* TODO: SHA512_256h */ + /* Not supported by HashForSignature() */ + default: + ret = ASN_PARSE_E; + break; + } + + return ret; +} + +#ifdef WOLFSSL_ASN_TEMPLATE +/* ASN tag for hashAlgorigthm. */ +#define ASN_TAG_RSA_PSS_HASH (ASN_CONTEXT_SPECIFIC | 0) +/* ASN tag for maskGenAlgorithm. */ +#define ASN_TAG_RSA_PSS_MGF (ASN_CONTEXT_SPECIFIC | 1) +/* ASN tag for saltLength. */ +#define ASN_TAG_RSA_PSS_SALTLEN (ASN_CONTEXT_SPECIFIC | 2) +/* ASN tag for trailerField. */ +#define ASN_TAG_RSA_PSS_TRAILER (ASN_CONTEXT_SPECIFIC | 3) + +/* ASN.1 template for RSA PSS parameters. */ +static const ASNItem rsaPssParamsASN[] = { +/* SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, +/* HASH */ { 1, ASN_TAG_RSA_PSS_HASH, 1, 1, 1 }, +/* HASHSEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, +/* HASHOID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, +/* HASHNULL */ { 3, ASN_TAG_NULL, 0, 0, 1 }, +/* MGF */ { 1, ASN_TAG_RSA_PSS_MGF, 1, 1, 1 }, +/* MGFSEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, +/* MGFOID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, +/* MGFPARAM */ { 3, ASN_SEQUENCE, 1, 1, 0 }, +/* MGFHOID */ { 4, ASN_OBJECT_ID, 0, 0, 0 }, +/* MGFHNULL */ { 4, ASN_TAG_NULL, 0, 0, 1 }, +/* SALTLEN */ { 1, ASN_TAG_RSA_PSS_SALTLEN, 1, 1, 1 }, +/* SALTLENINT */ { 2, ASN_INTEGER, 0, 0, 0 }, +/* TRAILER */ { 1, ASN_TAG_RSA_PSS_TRAILER, 1, 1, 1 }, +/* TRAILERINT */ { 2, ASN_INTEGER, 0, 0, 0 }, +}; +enum { + RSAPSSPARAMSASN_IDX_SEQ = 0, + RSAPSSPARAMSASN_IDX_HASH, + RSAPSSPARAMSASN_IDX_HASHSEQ, + RSAPSSPARAMSASN_IDX_HASHOID, + RSAPSSPARAMSASN_IDX_HASHNULL, + RSAPSSPARAMSASN_IDX_MGF, + RSAPSSPARAMSASN_IDX_MGFSEQ, + RSAPSSPARAMSASN_IDX_MGFOID, + RSAPSSPARAMSASN_IDX_MGFPARAM, + RSAPSSPARAMSASN_IDX_MGFHOID, + RSAPSSPARAMSASN_IDX_MGFHNULL, + RSAPSSPARAMSASN_IDX_SALTLEN, + RSAPSSPARAMSASN_IDX_SALTLENINT, + RSAPSSPARAMSASN_IDX_TRAILER, + RSAPSSPARAMSASN_IDX_TRAILERINT, +}; + +/* Number of items in ASN.1 template for an algorithm identifier. */ +#define rsaPssParamsASN_Length (sizeof(rsaPssParamsASN) / sizeof(ASNItem)) +#else +/* ASN tag for hashAlgorigthm. */ +#define ASN_TAG_RSA_PSS_HASH (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0) +/* ASN tag for maskGenAlgorithm. */ +#define ASN_TAG_RSA_PSS_MGF (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1) +/* ASN tag for saltLength. */ +#define ASN_TAG_RSA_PSS_SALTLEN (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2) +/* ASN tag for trailerField. */ +#define ASN_TAG_RSA_PSS_TRAILER (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 3) +#endif + +/* Decode the RSA PSS parameters. + * + * @param [in] params Buffer holding BER encoded RSA PSS parameters. + * @param [in] sz Size of data in buffer in bytes. + * @param [out] hash Hash algorithm to use on message. + * @param [out] mgf MGF algorithm to use with PSS padding. + * @param [out] saltLen Length of salt in PSS padding. + * @return ASN_PARSE_E when the decoding fails. + * @return 0 on success. + */ +static int DecodeRsaPssParams(const byte* params, word32 sz, + enum wc_HashType* hash, int* mgf, int* saltLen) +{ +#ifndef WOLFSSL_ASN_TEMPLATE + int ret = 0; + word32 idx = 0; + int len = 0; + word32 oid; + byte tag; + int length; + + if (GetSequence_ex(params, &idx, &len, sz, 1) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_HASH)) { + /* Hash algorithm to use on message. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + if (GetAlgoId(params, &idx, &oid, oidHashType, sz) < 0) { + ret = ASN_PARSE_E; + } + } + if (ret == 0) { + ret = RsaPssHashOidToType(oid, hash); + } + } + else { + /* Default hash algorithm. */ + *hash = WC_HASH_TYPE_SHA; + } + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_MGF)) { + /* MGF and hash algorithm to use with padding. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + if (GetAlgoId(params, &idx, &oid, oidIgnoreType, sz) < 0) { + ret = ASN_PARSE_E; + } + } + if ((ret == 0) && (oid != MGF1_OID)) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + ret = GetAlgoId(params, &idx, &oid, oidHashType, sz); + if (ret == 0) { + ret = RsaPssHashOidToMgf1(oid, mgf); + } + } + } + else { + /* Default MGF/Hash algorithm. */ + *mgf = WC_MGF1SHA1; + } + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_SALTLEN)) { + /* Salt length to use with padding. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + ret = GetInteger16Bit(params, &idx, sz); + if (ret >= 0) { + *saltLen = ret; + ret = 0; + } + } + } + else { + /* Default salt length. */ + *saltLen = 20; + } + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_TRAILER)) { + /* Unused - trialerField. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + ret = GetInteger16Bit(params, &idx, sz); + if (ret > 0) { + ret = 0; + } + } + } + } + if ((ret == 0) && (idx != sz)) { + ret = ASN_PARSE_E; + } + + return ret; +#else + DECL_ASNGETDATA(dataASN, rsaPssParamsASN_Length); + int ret = 0; + word16 sLen = 20; + + CALLOC_ASNGETDATA(dataASN, rsaPssParamsASN_Length, ret, NULL); + if (ret == 0) { + word32 inOutIdx = 0; + /* Default values. */ + *hash = WC_HASH_TYPE_SHA; + *mgf = WC_MGF1SHA1; + + /* Set OID type expected. */ + GetASN_OID(&dataASN[RSAPSSPARAMSASN_IDX_HASHOID], oidHashType); + GetASN_OID(&dataASN[RSAPSSPARAMSASN_IDX_MGFHOID], oidHashType); + /* Place the salt length into 16-bit var sLen. */ + GetASN_Int16Bit(&dataASN[RSAPSSPARAMSASN_IDX_SALTLENINT], &sLen); + /* Decode the algorithm identifier. */ + ret = GetASN_Items(rsaPssParamsASN, dataASN, rsaPssParamsASN_Length, 1, + params, &inOutIdx, sz); + } + if ((ret == 0) && (dataASN[RSAPSSPARAMSASN_IDX_HASHOID].tag != 0)) { + word32 oid = dataASN[RSAPSSPARAMSASN_IDX_HASHOID].data.oid.sum; + ret = RsaPssHashOidToType(oid, hash); + } + if ((ret == 0) && (dataASN[RSAPSSPARAMSASN_IDX_MGFHOID].tag != 0)) { + word32 oid = dataASN[RSAPSSPARAMSASN_IDX_MGFHOID].data.oid.sum; + ret = RsaPssHashOidToMgf1(oid, mgf); + } + if (ret == 0) { + *saltLen = sLen; + } + + FREE_ASNGETDATA(dataASN, NULL); + return ret; +#endif /* WOLFSSL_ASN_TEMPLATE */ +} +#endif /* WC_RSA_PSS */ + #ifndef HAVE_USER_RSA #if defined(WOLFSSL_ASN_TEMPLATE) || (!defined(NO_CERTS) && \ (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \ @@ -5878,6 +6298,9 @@ static const ASNItem pkcs8KeyASN[] = { /* PKEY_ALGO_OID_KEY */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* PKEY_ALGO_OID_CURVE */ { 2, ASN_OBJECT_ID, 0, 0, 1 }, /* PKEY_ALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +#ifdef WC_RSA_PSS +/* PKEY_ALGO_PARAM_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* PKEY_DATA */ { 1, ASN_OCTET_STRING, 0, 0, 0 }, /* attributes [0] Attributes OPTIONAL */ /* [[2: publicKey [1] PublicKey OPTIONAL ]] */ @@ -5889,6 +6312,9 @@ enum { PKCS8KEYASN_IDX_PKEY_ALGO_OID_KEY, PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE, PKCS8KEYASN_IDX_PKEY_ALGO_NULL, +#ifdef WC_RSA_PSS + PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ, +#endif PKCS8KEYASN_IDX_PKEY_DATA, }; @@ -5939,6 +6365,29 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, return ASN_PARSE_E; idx = idx - 1; /* reset idx after finding tag */ +#ifdef WC_RSA_PSS + if (*algId == RSAPSSk && tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { + word32 seqIdx = idx; + int seqLen; + /* Not set when -1. */ + enum wc_HashType hash = WC_HASH_TYPE_NONE; + int mgf = -1; + int saltLen = 0; + + if (GetSequence(input, &idx, &seqLen, sz) < 0) { + return ASN_PARSE_E; + } + /* Get the private key parameters. */ + ret = DecodeRsaPssParams(input + seqIdx, + seqLen + idx - seqIdx, &hash, &mgf, &saltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* TODO: store parameters so that usage can be checked. */ + idx += seqLen; + } +#endif + if (tag == ASN_OBJECT_ID) { if (SkipObjectId(input, &idx, sz) < 0) return ASN_PARSE_E; @@ -5995,7 +6444,7 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, } if (ret == 0) { switch (oid) { - #ifndef NO_RSA + #ifndef NO_RSA case RSAk: /* Must have NULL item but not OBJECT_ID item. */ if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag == 0) || @@ -6003,7 +6452,32 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, ret = ASN_PARSE_E; } break; + #ifdef WC_RSA_PSS + case RSAPSSk: + /* Must not have NULL item. */ + if (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) { + ret = ASN_PARSE_E; + } + if (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ].tag != 0) { + enum wc_HashType hash; + int mgf; + int saltLen; + const byte* params = GetASNItem_Addr( + dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ], input); + word32 paramsSz = GetASNItem_Length( + dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ], input); + + /* Validate the private key parameters. */ + ret = DecodeRsaPssParams(params, paramsSz, &hash, &mgf, + &saltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* TODO: store parameters so that usage can be checked. */ + } + break; #endif + #endif #ifdef HAVE_ECC case ECDSAk: /* Must not have NULL item. */ @@ -6251,6 +6725,9 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, } /* Only RSA keys have NULL tagged item after OID. */ dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].noOut = (algoID != RSAk); + #ifdef WC_RSA_PSS + dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ].noOut = 1; + #endif /* Set key data to encode. */ SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_DATA], key, keySz); @@ -6303,7 +6780,11 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT) /* test if RSA key */ - if (ks == RSAk) { + if (ks == RSAk + #ifdef WC_RSA_PSS + || ks == RSAPSSk + #endif + ) { #ifdef WOLFSSL_SMALL_STACK RsaKey* a; RsaKey* b = NULL; @@ -8127,6 +8608,7 @@ static int RsaPublicKeyDecodeRawIndex(const byte* input, word32* inOutIdx, if (ret != 0) return ret; } + /* TODO: support RSA PSS */ /* should have bit tag length and seq next */ ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); @@ -8171,6 +8653,9 @@ static const ASNItem rsaPublicKeyASN[] = { /* ALGOID_SEQ */ { 1, ASN_SEQUENCE, 1, 1, 0 }, /* ALGOID_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* ALGOID_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +#ifdef WC_RSA_PSS +/* ALGOID_P_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* PUBKEY */ { 1, ASN_BIT_STRING, 0, 1, 0 }, /* RSAPublicKey */ /* PUBKEY_RSA_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, @@ -8182,6 +8667,9 @@ enum { RSAPUBLICKEYASN_IDX_ALGOID_SEQ, RSAPUBLICKEYASN_IDX_ALGOID_OID, RSAPUBLICKEYASN_IDX_ALGOID_NULL, +#ifdef WC_RSA_PSS + RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ, +#endif RSAPUBLICKEYASN_IDX_PUBKEY, RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ, RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N, @@ -8259,6 +8747,14 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, if (ret != 0) return ret; } + #ifdef WC_RSA_PSS + /* Skip RSA PSS parameters. */ + else if (tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return ASN_PARSE_E; + *inOutIdx += length; + } + #endif /* should have bit tag length and seq next */ ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); @@ -8296,6 +8792,9 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, #else DECL_ASNGETDATA(dataASN, rsaPublicKeyASN_Length); int ret = 0; +#ifdef WC_RSA_PSS + word32 oid = RSAk; +#endif /* Check validity of parameters. */ if (input == NULL || inOutIdx == NULL) { @@ -8312,15 +8811,52 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, 0, input, inOutIdx, inSz); if (ret != 0) { /* Didn't work - try whole SubjectKeyInfo instead. */ + #ifdef WC_RSA_PSS + /* Could be RSA or RSA PSS key. */ + GetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], oidKeyType); + #else /* Set the OID to expect. */ GetASN_ExpBuffer(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], keyRsaOid, sizeof(keyRsaOid)); + #endif /* Decode SubjectKeyInfo. */ ret = GetASN_Items(rsaPublicKeyASN, dataASN, rsaPublicKeyASN_Length, 1, input, inOutIdx, inSz); } } +#ifdef WC_RSA_PSS + if ((ret == 0) && (dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID].tag != 0)) { + /* Two possible OIDs supported - RSA and RSA PSS. */ + oid = dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID].data.oid.sum; + if ((oid != RSAk) && (oid != RSAPSSk)) { + ret = ASN_PARSE_E; + } + } + if ((ret == 0) && (dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ].tag != 0)) { + /* Can't have NULL and SEQ. */ + if (dataASN[RSAPUBLICKEYASN_IDX_ALGOID_NULL].tag != 0) { + ret = ASN_PARSE_E; + } + /* SEQ present only with RSA PSS. */ + if ((ret == 0) && (oid != RSAPSSk)) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + enum wc_HashType hash; + int mgf; + int saltLen; + const byte* params = GetASNItem_Addr( + dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ], input); + word32 paramsSz = GetASNItem_Length( + dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ], input); + + /* Validate the private key parameters. */ + ret = DecodeRsaPssParams(params, paramsSz, &hash, &mgf, &saltLen); + /* TODO: store parameters so that usage can be checked. */ + } + } +#endif if (ret == 0) { /* Return the buffers and lengths asked for. */ if (n != NULL) { @@ -10592,12 +11128,58 @@ static int GetCertKey(DecodedCert* cert, const byte* source, word32* inOutIdx, /* Parse each type of public key. */ switch (cert->keyOID) { - #ifndef NO_RSA +#ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + if (srcIdx != maxIdx && + source[srcIdx] == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { + word32 seqIdx = srcIdx; + int seqLen; + /* Not set when -1. */ + enum wc_HashType hash = WC_HASH_TYPE_NONE; + int mgf = -1; + int saltLen = 0; + /* Defaults for sig algorithm parameters. */ + enum wc_HashType sigHash = WC_HASH_TYPE_SHA; + int sigMgf = WC_MGF1SHA1; + int sigSaltLen = 20; + + if (GetSequence(source, &srcIdx, &seqLen, maxIdx) < 0) { + return ASN_PARSE_E; + } + /* Get the pubic key parameters. */ + ret = DecodeRsaPssParams(source + seqIdx, + seqLen + srcIdx - seqIdx, &hash, &mgf, &saltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* Get the signature parameters. */ + ret = DecodeRsaPssParams(source + cert->sigParamsIndex, + cert->sigParamsLength, &sigHash, &sigMgf, &sigSaltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* Validated signature params match public key params. */ + if (hash != WC_HASH_TYPE_NONE && hash != sigHash) { + WOLFSSL_MSG("RSA PSS: hash not matching signature hash"); + return ASN_PARSE_E; + } + if (mgf != -1 && mgf != sigMgf) { + WOLFSSL_MSG("RSA PSS: MGF not matching signature MGF"); + return ASN_PARSE_E; + } + if (saltLen > sigSaltLen) { + WOLFSSL_MSG("RSA PSS: sig salt length too small"); + return ASN_PARSE_E; + } + srcIdx += seqLen; + } + FALL_THROUGH; + #endif /* WC_RSA_PSS */ case RSAk: ret = StoreRsaKey(cert, source, &srcIdx, maxIdx); break; - - #endif /* NO_RSA */ +#endif /* NO_RSA */ #ifdef HAVE_ECC case ECDSAk: ret = StoreEccKey(cert, source, &srcIdx, maxIdx, source + pubIdx, @@ -13142,6 +13724,47 @@ int wc_GetCertDates(Cert* cert, struct tm* before, struct tm* after) #endif /* WOLFSSL_CERT_GEN && WOLFSSL_ALT_NAMES */ #endif /* !NO_ASN_TIME */ +#ifndef WOLFSSL_ASN_TEMPLATE +static int GetSigAlg(DecodedCert* cert, word32* sigOid, word32 maxIdx) +{ + int length; + word32 endSeqIdx; + + if (GetSequence(cert->source, &cert->srcIdx, &length, maxIdx) < 0) + return ASN_PARSE_E; + endSeqIdx = cert->srcIdx + length; + + if (GetObjectId(cert->source, &cert->srcIdx, sigOid, oidSigType, + maxIdx) < 0) { + return ASN_OBJECT_ID_E; + } + + if (cert->srcIdx != endSeqIdx) { +#ifdef WC_RSA_PSS + if (*sigOid == CTC_RSASSAPSS) { + cert->sigParamsIndex = cert->srcIdx; + cert->sigParamsLength = endSeqIdx - cert->srcIdx; + } + else +#endif + /* Only allowed a ASN NULL header with zero length. */ + if (endSeqIdx - cert->srcIdx != 2) + return ASN_PARSE_E; + else { + byte tag; + if (GetASNTag(cert->source, &cert->srcIdx, &tag, endSeqIdx) != 0) + return ASN_PARSE_E; + if (tag != ASN_TAG_NULL) + return ASN_PARSE_E; + } + } + + cert->srcIdx = endSeqIdx; + + return 0; +} +#endif + #ifdef WOLFSSL_ASN_TEMPLATE /* TODO: move code around to not require this. */ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, @@ -13185,8 +13808,7 @@ int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate) #endif /* Using the sigIndex as the upper bound because that's where the * actual certificate data ends. */ - if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, - oidSigType, cert->sigIndex)) < 0) + if ((ret = GetSigAlg(cert, &cert->signatureOID, cert->sigIndex)) < 0) return ret; WOLFSSL_MSG("Got Algo ID"); @@ -13800,6 +14422,9 @@ void FreeSignatureCtx(SignatureCtx* sigCtx) if (sigCtx->key.ptr) { switch (sigCtx->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: wc_FreeRsaKey(sigCtx->key.rsa); XFREE(sigCtx->key.rsa, sigCtx->heap, DYNAMIC_TYPE_RSA); @@ -14008,9 +14633,17 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, static int ConfirmSignature(SignatureCtx* sigCtx, const byte* buf, word32 bufSz, const byte* key, word32 keySz, word32 keyOID, - const byte* sig, word32 sigSz, word32 sigOID, byte* rsaKeyIdx) + const byte* sig, word32 sigSz, word32 sigOID, + const byte* sigParams, word32 sigParamsSz, + byte* rsaKeyIdx) { int ret = 0; +#ifdef WC_RSA_PSS + /* Defaults */ + enum wc_HashType hash = WC_HASH_TYPE_SHA; + int mgf = WC_MGF1SHA1; + int saltLen = 20; +#endif if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL || keySz == 0 || sig == NULL || sigSz == 0) { @@ -14021,6 +14654,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx, (void)keySz; (void)sig; (void)sigSz; + (void)sigParams; + (void)sigParamsSz; WOLFSSL_ENTER("ConfirmSignature"); @@ -14057,10 +14692,33 @@ static int ConfirmSignature(SignatureCtx* sigCtx, case SIG_STATE_HASH: { - ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest, - &sigCtx->typeH, &sigCtx->digestSz, 1); - if (ret != 0) { - goto exit_cs; + #ifdef WC_RSA_PSS + if (keyOID == RSAPSSk) { + word32 fakeSigOID = 0; + ret = DecodeRsaPssParams(sigParams, sigParamsSz, &hash, &mgf, + &saltLen); + if (ret != 0) { + goto exit_cs; + } + ret = RsaPssHashOidToSigOid(hash, &fakeSigOID); + if (ret != 0) { + goto exit_cs; + } + /* Decode parameters. */ + ret = HashForSignature(buf, bufSz, fakeSigOID, sigCtx->digest, + &sigCtx->typeH, &sigCtx->digestSz, 1); + if (ret != 0) { + goto exit_cs; + } + } + else + #endif + { + ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest, + &sigCtx->typeH, &sigCtx->digestSz, 1); + if (ret != 0) { + goto exit_cs; + } } sigCtx->state = SIG_STATE_KEY; @@ -14071,6 +14729,9 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { switch (keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: { word32 idx = 0; @@ -14371,6 +15032,13 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { switch (keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + /* TODO: pkCbRsaPss - RSA PSS callback. */ + ret = wc_RsaPSS_VerifyInline_ex(sigCtx->sigCpy, sigSz, + &sigCtx->out, hash, mgf, saltLen, sigCtx->key.rsa); + break; + #endif case RSAk: { #if defined(HAVE_PK_CALLBACKS) @@ -14480,6 +15148,29 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { switch (keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #if (defined(HAVE_SELFTEST) && \ + (!defined(HAVE_SELFTEST_VERSION) || \ + (HAVE_SELFTEST_VERSION < 2))) || \ + (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION < 2)) + ret = wc_RsaPSS_CheckPadding_ex(sigCtx->digest, + sigCtx->digestSz, sigCtx->out, ret, hash, saltLen); + #elif (defined(HAVE_SELFTEST) && \ + (HAVE_SELFTEST_VERSION == 2)) || \ + (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION == 2)) + ret = wc_RsaPSS_CheckPadding_ex(sigCtx->digest, + sigCtx->digestSz, sigCtx->out, ret, hash, saltLen, + 0); + #else + ret = wc_RsaPSS_CheckPadding_ex2(sigCtx->digest, + sigCtx->digestSz, sigCtx->out, ret, hash, saltLen, + wc_RsaEncryptSize(sigCtx->key.rsa)*8, sigCtx->heap); + #endif + break; + #endif case RSAk: { int encodedSigSz, verifySz; @@ -18125,7 +18816,10 @@ static const ASNItem x509CertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* TBS_ALGOID_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* TBS_ALGOID_PARAMS */ { 3, ASN_TAG_NULL, 0, 0, 1 }, +/* TBS_ALGOID_PARAMS_NULL */ { 3, ASN_TAG_NULL, 0, 0, 2 }, +#ifdef WC_RSA_PSS +/* TBS_ALGOID_PARAMS */ { 3, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* issuer Name */ /* TBS_ISSUER_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 0 }, /* validity Validity */ @@ -18149,8 +18843,11 @@ static const ASNItem x509CertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* TBS_SPUBKEYINFO_ALGO_OID */ { 4, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* TBS_SPUBKEYINFO_ALGO_NOPARAMS */ { 4, ASN_TAG_NULL, 0, 0, 1 }, -/* TBS_SPUBKEYINFO_ALGO_CURVEID */ { 4, ASN_OBJECT_ID, 0, 0, 1 }, +/* TBS_SPUBKEYINFO_ALGO_NULL */ { 4, ASN_TAG_NULL, 0, 0, 2 }, +/* TBS_SPUBKEYINFO_ALGO_CURVEID */ { 4, ASN_OBJECT_ID, 0, 0, 2 }, +#ifdef WC_RSA_PSS +/* TBS_SPUBKEYINFO_ALGO_P_SEQ */ { 4, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* subjectPublicKey BIT STRING */ /* TBS_SPUBKEYINFO_PUBKEY */ { 3, ASN_BIT_STRING, 0, 0, 0 }, /* issuerUniqueID UniqueIdentfier OPTIONAL */ @@ -18166,7 +18863,10 @@ static const ASNItem x509CertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* SIGALGO_PARAMS */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +/* SIGALGO_PARAMS_NULL */ { 2, ASN_TAG_NULL, 0, 0, 2 }, +#ifdef WC_RSA_PSS +/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* signature BIT STRING */ /* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, }; @@ -18178,7 +18878,10 @@ enum { X509CERTASN_IDX_TBS_SERIAL, X509CERTASN_IDX_TBS_ALGOID_SEQ, X509CERTASN_IDX_TBS_ALGOID_OID, + X509CERTASN_IDX_TBS_ALGOID_PARAMS_NULL, +#ifdef WC_RSA_PSS X509CERTASN_IDX_TBS_ALGOID_PARAMS, +#endif X509CERTASN_IDX_TBS_ISSUER_SEQ, X509CERTASN_IDX_TBS_VALIDITY_SEQ, X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC, @@ -18189,8 +18892,11 @@ enum { X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ, X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_SEQ, X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID, - X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_NOPARAMS, + X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_NULL, X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_CURVEID, +#ifdef WC_RSA_PSS + X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_P_SEQ, +#endif X509CERTASN_IDX_TBS_SPUBKEYINFO_PUBKEY, X509CERTASN_IDX_TBS_ISSUERUID, X509CERTASN_IDX_TBS_SUBJECTUID, @@ -18198,7 +18904,10 @@ enum { X509CERTASN_IDX_TBS_EXT_SEQ, X509CERTASN_IDX_SIGALGO_SEQ, X509CERTASN_IDX_SIGALGO_OID, + X509CERTASN_IDX_SIGALGO_PARAMS_NULL, +#ifdef WC_RSA_PSS X509CERTASN_IDX_SIGALGO_PARAMS, +#endif X509CERTASN_IDX_SIGNATURE, }; @@ -18379,6 +19088,72 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, } } + if ((ret == 0) && (!done)) { + /* Store the signature information. */ + cert->sigIndex = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset; + GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], + &cert->signature, &cert->sigLength); + /* Make sure 'signature' and 'signatureAlgorithm' are the same. */ + if (dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum + != cert->signatureOID) { + WOLFSSL_ERROR_VERBOSE(ASN_SIG_OID_E); + ret = ASN_SIG_OID_E; + } + /* Parameters not allowed after ECDSA or EdDSA algorithm OID. */ + else if (IsSigAlgoECC(cert->signatureOID)) { + if ((dataASN[X509CERTASN_IDX_SIGALGO_PARAMS_NULL].tag != 0) + #ifdef WC_RSA_PSS + || (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) + #endif + ) { + WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); + ret = ASN_PARSE_E; + } + } + #ifdef WC_RSA_PSS + /* Check parameters starting with a SEQUENCE. */ + else if (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) { + word32 oid = dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum; + word32 sigAlgParamsSz; + + /* Parameters only with RSA PSS. */ + if (oid != CTC_RSASSAPSS) { + WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); + ret = ASN_PARSE_E; + } + if (ret == 0) { + const byte* tbsParams; + word32 tbsParamsSz; + const byte* sigAlgParams; + + /* Check RSA PSS parameters are the same. */ + tbsParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert->source); + tbsParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert->source); + sigAlgParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert->source); + sigAlgParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert->source); + if ((tbsParamsSz != sigAlgParamsSz) || + (XMEMCMP(tbsParams, sigAlgParams, tbsParamsSz) != 0)) { + WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); + ret = ASN_PARSE_E; + } + } + if (ret == 0) { + /* Store parameters for use in signature verification. */ + cert->sigParamsIndex = + dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].offset; + cert->sigParamsLength = sigAlgParamsSz; + } + } + #endif + } if ((ret == 0) && (!done)) { /* Parse the public key. */ idx = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ].offset; @@ -18432,24 +19207,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, } } - if ((ret == 0) && (!done)) { - /* Store the signature information. */ - cert->sigIndex = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset; - GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], - &cert->signature, &cert->sigLength); - /* Make sure 'signature' and 'signatureAlgorithm' are the same. */ - if (dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum - != cert->signatureOID) { - WOLFSSL_ERROR_VERBOSE(ASN_SIG_OID_E); - ret = ASN_SIG_OID_E; - } - /* NULL tagged item not allowed after ECDSA or EdDSA algorithm OID. */ - if (IsSigAlgoECC(cert->signatureOID) && - (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { - WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); - ret = ASN_PARSE_E; - } - } if ((ret == 0) && (!done) && (badDate != 0)) { /* Parsed whole certificate fine but return any date errors. */ ret = badDate; @@ -18704,7 +19461,7 @@ static const ASNItem certReqASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* INFO_SPUBKEYINFO_ALGOID_OID */ { 4, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* INFO_SPUBKEYINFO_ALGOID_NOPARAMS */ { 4, ASN_TAG_NULL, 0, 0, 1 }, +/* INFO_SPUBKEYINFO_ALGOID_NULL */ { 4, ASN_TAG_NULL, 0, 0, 1 }, /* INFO_SPUBKEYINFO_ALGOID_CURVEID */ { 4, ASN_OBJECT_ID, 0, 0, 1 }, /* INFO_SPUBKEYINFO_ALGOID_PARAMS */ { 4, ASN_SEQUENCE, 1, 0, 1 }, /* subjectPublicKey BIT STRING */ @@ -18716,7 +19473,7 @@ static const ASNItem certReqASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* INFO_SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* INFO_SIGALGO_NOPARAMS */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +/* INFO_SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, /* signature BIT STRING */ /* INFO_SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, }; @@ -18728,14 +19485,14 @@ enum { CERTREQASN_IDX_INFO_SPUBKEYINFO_SEQ, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_SEQ, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID, - CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_NOPARAMS, + CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_NULL, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_CURVEID, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_PARAMS, CERTREQASN_IDX_INFO_SPUBKEYINFO_PUBKEY, CERTREQASN_IDX_INFO_ATTRS, CERTREQASN_IDX_INFO_SIGALGO_SEQ, CERTREQASN_IDX_INFO_SIGALGO_OID, - CERTREQASN_IDX_INFO_SIGALGO_NOPARAMS, + CERTREQASN_IDX_INFO_SIGALGO_NULL, CERTREQASN_IDX_INFO_SIGNATURE, }; @@ -18858,8 +19615,11 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm) #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_DYN_CERT) /* cert->publicKey not stored as copy if WOLFSSL_NO_MALLOC defined */ - if (cert->keyOID == RSAk && - cert->publicKey != NULL && cert->pubKeySize > 0) { + if ((cert->keyOID == RSAk + #ifdef WC_RSA_PSS + || cert->keyOID == RSAPSSk + #endif + ) && cert->publicKey != NULL && cert->pubKeySize > 0) { ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); if (ptr == NULL) @@ -19052,6 +19812,8 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, int ret = 0; word32 localIdx; byte tag; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; if (cert == NULL) { @@ -19103,9 +19865,22 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, idx += len; /* signature */ - if (!req && - GetAlgoId(cert, &idx, &signatureOID, oidSigType, certSz) < 0) - ret = ASN_PARSE_E; + if (!req) { + if (GetAlgoId(cert, &idx, &signatureOID, oidSigType, certSz) < 0) + ret = ASN_PARSE_E; + #ifdef WC_RSA_PSS + else if (signatureOID == CTC_RSASSAPSS) { + int start = idx; + sigParams = cert + idx; + if (GetSequence(cert, &idx, &len, certSz) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sigParamsSz = idx - start; + } + } + #endif + } } if (ret == 0) { @@ -19293,6 +20068,29 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, /* signatureAlgorithm */ if (GetAlgoId(cert, &idx, &oid, oidSigType, certSz) < 0) ret = ASN_PARSE_E; + #ifdef WC_RSA_PSS + else if (signatureOID == CTC_RSASSAPSS) { + word32 sz = idx; + const byte* params = cert + idx; + if (GetSequence(cert, &idx, &len, certSz) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sz = idx - sz; + + if (req) { + if ((sz != sigParamsSz) || + (XMEMCMP(sigParams, params, sz) != 0)) { + ret = ASN_PARSE_E; + } + } + else { + sigParams = params; + sigParamsSz = sz; + } + } + } + #endif /* In CSR signature data is not present in body */ if (req) signatureOID = oid; @@ -19310,15 +20108,14 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, if (ret == 0) { if (pubKey != NULL) { ret = ConfirmSignature(sigCtx, cert + tbsCertIdx, - sigIndex - tbsCertIdx, - pubKey, pubKeySz, pubKeyOID, - cert + idx, len, signatureOID, NULL); + sigIndex - tbsCertIdx, pubKey, pubKeySz, pubKeyOID, + cert + idx, len, signatureOID, sigParams, sigParamsSz, NULL); } else { ret = ConfirmSignature(sigCtx, cert + tbsCertIdx, - sigIndex - tbsCertIdx, - ca->publicKey, ca->pubKeySize, ca->keyOID, - cert + idx, len, signatureOID, NULL); + sigIndex - tbsCertIdx, ca->publicKey, ca->pubKeySize, + ca->keyOID, cert + idx, len, signatureOID, sigParams, + sigParamsSz, NULL); } if (ret != 0) { WOLFSSL_ERROR_VERBOSE(ret); @@ -19349,9 +20146,15 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, #endif const byte* tbs = NULL; word32 tbsSz = 0; +#ifdef WC_RSA_PSS + const byte* tbsParams = NULL; + word32 tbsParamsSz = 0; +#endif const byte* sig = NULL; word32 sigSz = 0; word32 sigOID = 0; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; const byte* caName = NULL; word32 caNameLen = 0; @@ -19403,7 +20206,37 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, caNameLen = GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ], cert); sigOID = dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum; + #ifdef WC_RSA_PSS + if (dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].tag != 0) { + tbsParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert); + tbsParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert); + } + if (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) { + sigParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + sigParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + } + #endif GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], &sig, &sigSz); + #ifdef WC_RSA_PSS + if (tbsParamsSz != sigParamsSz) { + ret = ASN_PARSE_E; + } + else if ((tbsParamsSz > 0) && (sigOID != CTC_RSASSAPSS)) { + ret = ASN_PARSE_E; + } + else if ((tbsParamsSz > 0) && + (XMEMCMP(tbsParams, sigParams, tbsParamsSz) != 0)) { + ret = ASN_PARSE_E; + } + #endif } } else if (ret == 0) { @@ -19430,6 +20263,13 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, caNameLen = GetASNItem_Length( dataASN[CERTREQASN_IDX_INFO_SUBJ_SEQ], cert); sigOID = dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID].data.oid.sum; + #ifdef WC_RSA_PSS + sigParams = GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + sigParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + #endif GetASN_GetConstRef(&dataASN[CERTREQASN_IDX_INFO_SIGNATURE], &sig, &sigSz); } @@ -19477,7 +20317,7 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, if (ret == 0) { /* Check signature. */ ret = ConfirmSignature(sigCtx, tbs, tbsSz, pubKey, pubKeySz, pubKeyOID, - sig, sigSz, sigOID, NULL); + sig, sigSz, sigOID, sigParams, sigParamsSz, NULL); if (ret != 0) { WOLFSSL_MSG("Confirm signature failed"); } @@ -19767,13 +20607,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->srcIdx = cert->sigIndex; } - if ((ret = GetAlgoId(cert->source, &cert->srcIdx, + if ((ret = GetSigAlg(cert, #ifdef WOLFSSL_CERT_REQ !cert->isCSR ? &confirmOID : &cert->signatureOID, #else &confirmOID, #endif - oidSigType, cert->maxIdx)) < 0) { + cert->maxIdx)) < 0) { return ret; } @@ -20031,6 +20871,12 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->ca->publicKey, cert->ca->pubKeySize, cert->ca->keyOID, cert->signature, cert->sigLength, cert->signatureOID, + #ifdef WC_RSA_PSS + cert->source + cert->sigParamsIndex, + cert->sigParamsLength, + #else + NULL, 0, + #endif sce_tsip_encRsaKeyIdx)) != 0) { if (ret != WC_PENDING_E) { WOLFSSL_MSG("Confirm signature failed"); @@ -20060,6 +20906,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->publicKey, cert->pubKeySize, cert->keyOID, cert->signature, cert->sigLength, cert->signatureOID, + #ifdef WC_RSA_PSS + cert->source + cert->sigParamsIndex, cert->sigParamsLength, + #else + NULL, 0, + #endif sce_tsip_encRsaKeyIdx)) != 0) { if (ret != WC_PENDING_E) { WOLFSSL_MSG("Confirm signature failed"); @@ -21942,6 +22793,9 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, int outLen, } /* Set OID for RSA key. */ SetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], RSAk, oidKeyType); + #ifdef WC_RSA_PSS + dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ].noOut = 1; + #endif /* Set public key mp_ints. */ #ifdef HAVE_USER_RSA SetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N], key->n); @@ -26098,8 +26952,12 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, oidSigType); if (IsSigAlgoECC(cert->sigType)) { /* No NULL tagged item with ECDSA and EdDSA signature OIDs. */ - dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].noOut = 1; + dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS_NULL].noOut = 1; } + #ifdef WC_RSA_PSS + /* TODO: Encode RSA PSS parameters. */ + dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].noOut = 1; + #endif if (issRawLen > 0) { #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ defined(WOLFSSL_CERT_REQ) @@ -26114,7 +26972,6 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, NULL, issuerSz); } -#ifdef WOLFSSL_ALT_NAMES if (cert->beforeDateSz && cert->afterDateSz) { if (cert->beforeDate[0] == ASN_UTC_TIME) { /* Make space for before date data. */ @@ -26146,7 +27003,6 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, } } else -#endif { /* Don't put out UTC before data. */ dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC].noOut = 1; @@ -26223,9 +27079,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, &cert->subject, cert->heap); } if (ret >= 0) { -#ifdef WOLFSSL_ALT_NAMES if (cert->beforeDateSz == 0 || cert->afterDateSz == 0) -#endif { /* Encode validity into buffer. */ ret = SetValidity( @@ -31847,7 +32701,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, &cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); + resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -31884,7 +32738,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* ConfirmSignature is blocking here */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); + resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); } if (ca == NULL || sigValid != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -31974,7 +32828,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response. */ ret = ConfirmSignature(&cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, resp->sig, - resp->sigSz, resp->sigOID, NULL); + resp->sigSz, resp->sigOID, NULL, 0, NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); ret = ASN_OCSP_CONFIRM_E; @@ -32004,7 +32858,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response CA public key. */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); + resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); } if ((ca == NULL) || (sigValid != 0)) { /* Didn't find certificate or signature verificate failed. */ @@ -32981,7 +33835,7 @@ int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, InitSignatureCtx(sigCtx, heap, INVALID_DEVID); if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey, ca->pubKeySize, ca->keyOID, signature, sigSz, - signatureOID, NULL) != 0) { + signatureOID, NULL, 0, NULL) != 0) { WOLFSSL_MSG("CRL Confirm signature failed"); WOLFSSL_ERROR_VERBOSE(ASN_CRL_CONFIRM_E); return ASN_CRL_CONFIRM_E; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 95e6229c8..f7d71451d 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1052,7 +1052,6 @@ enum Hash_Sum { SHAKE256h = 425 }; - #if !defined(NO_DES3) || !defined(NO_AES) enum Block_Sum { #ifdef WOLFSSL_AES_128 @@ -1081,6 +1080,7 @@ enum Block_Sum { enum Key_Sum { DSAk = 515, RSAk = 645, + RSAPSSk = 654, ECDSAk = 518, ED25519k = 256, /* 1.3.101.112 */ X25519k = 254, /* 1.3.101.110 */ @@ -1119,7 +1119,8 @@ enum Key_Agree { enum KDF_Sum { - PBKDF2_OID = 660 + PBKDF2_OID = 660, + MGF1_OID = 652, }; @@ -1549,6 +1550,10 @@ struct DecodedCert { word32 sigLength; /* length of signature */ word32 signatureOID; /* sum of algorithm object id */ word32 keyOID; /* sum of key algo object id */ +#ifdef WC_RSA_PSS + word32 sigParamsIndex; /* start of signature parameters */ + word32 sigParamsLength; /* length of signature parameters */ +#endif int version; /* cert version, 1 or 3 */ DNS_entry* altNames; /* alt names list of dns entries */ #ifndef IGNORE_NAME_CONSTRAINTS diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index f17eb7394..f33b3ef93 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -167,6 +167,8 @@ enum Ctc_SigType { CTC_SHA3_384wRSA = 429, CTC_SHA3_512wRSA = 430, + CTC_RSASSAPSS = 654, + CTC_ED25519 = 256, CTC_ED448 = 257,