From 7d74caac6d35c10b20e65a3d46ae89f31dfd77ab Mon Sep 17 00:00:00 2001
From: Hideki Miyazaki
Date: Wed, 10 Jun 2026 07:02:46 +0900
Subject: [PATCH] Addressed review comments

---
 ChangeLog.md | 11 +++++++++++
 tests/api/test_asn.c | 14 ++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/ChangeLog.md b/ChangeLog.md
index ef01745e95..d1ea4c31ff 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -2,6 +2,17 @@
 
 ## Enhancements
 
+* **Behavioral change (RSA-PSS trailerField enforcement)**: `DecodeRsaPssParams`
+  (and its public wrapper `wc_DecodeRsaPssParams`) now enforces RFC 8017 A.2.3,
+  which mandates `trailerField == trailerFieldBC(1)`. In the default build
+  (i.e., without `WOLFSSL_NO_ASN_STRICT`), any certificate or CMS/PKCS#7
+  structure whose RSA-PSS parameters contain a `trailerField` value other than 1
+  is now rejected with `ASN_PARSE_E`. Previously, any positive integer value was
+  silently accepted. This affects all call paths that decode RSA-PSS algorithm
+  parameters, including X.509 certificate parsing and PKCS#7 signature
+  verification. Users who need to interoperate with non-conformant peers can
+  define `WOLFSSL_NO_ASN_STRICT` to restore the previous permissive behavior.
+
 * **BREAKING (FIPS 205 SLH-DSA)**: `wc_SlhDsaKey_SignHash`,
   `wc_SlhDsaKey_SignHashDeterministic`, `wc_SlhDsaKey_SignHashWithRandom`, and
   `wc_SlhDsaKey_VerifyHash` now take the **caller-pre-hashed message digest**
diff --git a/tests/api/test_asn.c b/tests/api/test_asn.c
index e40ff8cf4a..d6e5ce522b 100644
--- a/tests/api/test_asn.c
+++ b/tests/api/test_asn.c
@@ -1136,6 +1136,20 @@ int test_wc_DecodeRsaPssParams(void)
             (word32)sizeof(trailerZero), &hash, &mgf, &saltLen),
             WC_NO_ERR_TRACE(ASN_PARSE_E));
     }
+
+    /* --- Test 12: trailerField = 256 (multi-byte INTEGER) => ASN_PARSE_E ---
+     * Exercises the 2-byte integer branch in GetInteger16Bit (non-template)
+     * and the len==2 case of ASN_DATA_TYPE_WORD16 (template path).
+     * SEQUENCE { [3] CONSTRUCTED { INTEGER 256 } } = 30 06 a3 04 02 02 01 00
+     */
+    {
+        static const byte trailerMultiByte[] = {
+            0x30, 0x06, 0xa3, 0x04, 0x02, 0x02, 0x01, 0x00
+        };
+        ExpectIntEQ(wc_DecodeRsaPssParams(trailerMultiByte,
+            (word32)sizeof(trailerMultiByte), &hash, &mgf, &saltLen),
+            WC_NO_ERR_TRACE(ASN_PARSE_E));
+    }
 #endif /* !WOLFSSL_NO_ASN_STRICT */
 #endif /* WC_RSA_PSS && !NO_RSA && !NO_ASN */
 
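Review bot: Test 12 pins only the 2-byte branch of the trailerField INTEGER reader; an encoding that does not fit the 16-bit reader (a 3-byte INTEGER such as 65536) and a non-minimal 2-byte encoding of the conformant value 1 (`02 02 00 01`) go through neighbouring branches of GetInteger16Bit / ASN_DATA_TYPE_WORD16 that the hunk's own comment singles out, and neither is covered. Whether the oversize form reports ASN_PARSE_E or a different code, and whether the non-minimal form is rejected as bad DER or accepted as trailerField == 1, are both worth asserting explicitly so a later relaxation of the integer reader cannot silently weaken the trailerField check this change introduces. A case for the oversize form is sketched below (bytes constructed for this note; the expected code should be confirmed against what the 3-byte path actually returns before the test is adopted). test_wc_DecodeRsaPssParams begins before this hunk, and `hash`, `mgf` and `saltLen` are declared outside it.
```c
    /* … unchanged: Test 12 (trailerField = 256) … */

    /* --- Test 13: trailerField = 65536 (3-byte INTEGER, exceeds 16 bits) ---
     * SEQUENCE { [3] CONSTRUCTED { INTEGER 65536 } } = 30 07 a3 05 02 03 01 00 00
     * (bytes constructed for this review note)
     */
    {
        static const byte trailerOversize[] = {
            0x30, 0x07, 0xa3, 0x05, 0x02, 0x03, 0x01, 0x00, 0x00
        };
        ExpectIntEQ(wc_DecodeRsaPssParams(trailerOversize,
            (word32)sizeof(trailerOversize), &hash, &mgf, &saltLen),
            WC_NO_ERR_TRACE(ASN_PARSE_E)); /* confirm against the 3-byte path's return code */
    }
```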