From 2df674bd59a37cea0f1ad5b9bc5e70388108cc98 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 22 May 2025 12:06:38 -0700 Subject: [PATCH 1/3] Correct RPK parsing. As per RFC7250 section 3, the algorithm parameters are optional. --- wolfcrypt/src/asn.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index faf50eed9..6c97695b6 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -23128,10 +23128,10 @@ static const ASNItem RPKCertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* TBS_SPUBKEYINFO_ALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ - /* TBS_SPUBKEYINFO_ALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 2 }, - /* TBS_SPUBKEYINFO_ALGO_CURVEID */ { 2, ASN_OBJECT_ID, 0, 0, 2 }, + /* TBS_SPUBKEYINFO_ALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, + /* TBS_SPUBKEYINFO_ALGO_CURVEID */ { 2, ASN_OBJECT_ID, 0, 0, 1 }, #ifdef WC_RSA_PSS - /* TBS_SPUBKEYINFO_ALGO_P_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 2 }, + /* TBS_SPUBKEYINFO_ALGO_P_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 1 }, #endif /* subjectPublicKey BIT STRING */ /* TBS_SPUBKEYINFO_PUBKEY */ { 1, ASN_BIT_STRING, 0, 0, 0 }, From f942990113a0d9320b6fd2d17cb19aae04394742 Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 30 May 2025 11:39:04 -0700 Subject: [PATCH 2/3] Fix building unit tests with --enable-rpk --disable-rsa. Exact configure line used: ./configure --enable-kyber --enable-mlkem --enable-dilithium --enable-dtls --enable-dtls13 --enable-dtls-frag-ch --enable-debug --enable-debug-trace-errcodes \ CFLAGS="-DHAVE_RPK -DWOLFSSL_DER_LOAD -DWOLFSSL_LOGGINGENABLED_DEFAULT=1" --disable-rsa --- tests/api.c | 2 +- tests/utils.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/api.c b/tests/api.c index b2afcd803..844e1033f 100644 --- a/tests/api.c +++ b/tests/api.c 
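Review bot: In the `RPKCertASN` table (wolfcrypt/src/asn.c, patch 1/3), setting the last field of the NULL, CURVEID and P_SEQ entries to `1` lets the template accept a SubjectPublicKeyInfo with no parameters at all, whatever the algorithm OID is. Nothing in this hunk ties that to the key type, and for an EC key the curve is normally carried in the parameters OID, so the decoder that consumes this table needs to reject a missing curve for EC key OIDs; whether it does is outside the hunk. I would document the column beside the entries, for example `/* 1 = optional: any of the three forms may be absent; the decoder must check what the key OID requires */`. A negative test that feeds an EC raw public key without parameters would pin the behaviour.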
@@ -61443,7 +61443,7 @@ static int test_wolfSSL_DTLS_fragment_buckets(void) #if !defined(NO_FILESYSTEM) && \ defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \ - defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) + defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && !defined(NO_RSA) static int test_wolfSSL_dtls_stateless2(void) { diff --git a/tests/utils.h b/tests/utils.h index ce410f86f..1bf7ac73e 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -27,7 +27,8 @@ #ifndef TESTS_UTILS_H #define TESTS_UTILS_H -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \ +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \ + (!defined(NO_RSA) || defined(HAVE_RPK)) && \ !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ (!defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)) #define HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES From 362f0a2cfdfeaea3e9a816ca90c19b4893ea2bbb Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 10 Jul 2025 12:43:14 -0700 Subject: [PATCH 3/3] Ensure only one of the RPK algorithm parameters are set. --- wolfcrypt/src/asn.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6c97695b6..6dba89f9a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
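Review bot: In tests/utils.h, `HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES` is now defined in `NO_RSA` builds whenever `HAVE_RPK` is set, so every test gated only on that macro starts compiling without RSA. This patch adds `!defined(NO_RSA)` to `test_wolfSSL_dtls_stateless2` in tests/api.c only. Other users of the macro are not visible here and may load RSA certificates, so they should be checked. A comment above the `#if` would make the new contract explicit, for example `/* RPK memio tests do not need RSA certificates; tests that do must also check !defined(NO_RSA). */`.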
@@ -23372,6 +23372,20 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, oidCurveType); ret = GetASN_Items(RPKCertASN, RPKdataASN, RPKCertASN_Length, 1, cert->source, &cert->srcIdx, cert->maxIdx); + + if (ret == 0) { + if (( RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_NULL].length && + RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_CURVEID].length) +#ifdef WC_RSA_PSS + || ( RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_P_SEQ].length && + ( RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_NULL].length || + RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_CURVEID].length)) +#endif + ) { + WOLFSSL_MSG("Multiple RPK algorithm parameters set."); + ret = ASN_PARSE_E; + } + } if (ret == 0) { cert->keyOID = RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_OID].data.oid.sum;
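Review bot: The new exclusivity check in `DecodeCertInternal` tests presence with `.length`, but a DER NULL is encoded as `05 00` with an empty body, so if `length` holds the content length then `RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_NULL].length` is 0 even when the NULL was parsed. In that case the `NULL && CURVEID` and `P_SEQ && NULL` combinations are never detected, and a raw public key received from a peer that carries NULL plus a second parameter form still passes. Presence should be read from a field that is set whenever the item matched, e.g. `RPKdataASN[RPKCERTASN_IDX_SPUBKEYINFO_ALGO_NULL].tag != 0` if ASNGetData records the matched tag that way (to confirm), and a negative test with both NULL and a curve OID would pin it. The function starts and ends outside the hunk.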