From fb531dacc26f09f57d161e9bd66f3652d592604b Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Mon, 25 Jul 2022 17:36:17 +1000 Subject: [PATCH] Certs with RSA-PSS sig Add support for parsing and verifying certificates with RSA-PSS signatures. Including check PSS parameters in key with those in signature algorithm. Add support for parsing private RSA PSS key. Add support for parsing public RSA PSS key. --- certs/include.am | 1 + certs/renewcerts.sh | 12 +- certs/rsapss/ca-3072-rsapss-key.der | Bin 0 -> 420 bytes certs/rsapss/ca-3072-rsapss-key.pem | 11 + certs/rsapss/ca-3072-rsapss-priv.der | Bin 0 -> 1792 bytes certs/rsapss/ca-3072-rsapss-priv.pem | 40 + certs/rsapss/ca-3072-rsapss.der | Bin 0 -> 1427 bytes certs/rsapss/ca-3072-rsapss.pem | 116 +++ certs/rsapss/ca-rsapss-key.der | Bin 0 -> 342 bytes certs/rsapss/ca-rsapss-key.pem | 10 + certs/rsapss/ca-rsapss-priv.der | Bin 0 -> 1264 bytes certs/rsapss/ca-rsapss-priv.pem | 29 + certs/rsapss/ca-rsapss.der | Bin 0 -> 1219 bytes certs/rsapss/ca-rsapss.pem | 101 +++ certs/rsapss/client-3072-rsapss-key.der | Bin 0 -> 420 bytes certs/rsapss/client-3072-rsapss-key.pem | 11 + certs/rsapss/client-3072-rsapss-priv.der | Bin 0 -> 1791 bytes certs/rsapss/client-3072-rsapss-priv.pem | 40 + certs/rsapss/client-3072-rsapss.der | Bin 0 -> 1737 bytes certs/rsapss/client-3072-rsapss.pem | 128 +++ certs/rsapss/client-rsapss-key.der | Bin 0 -> 342 bytes certs/rsapss/client-rsapss-key.pem | 10 + certs/rsapss/client-rsapss-priv.der | Bin 0 -> 1264 bytes certs/rsapss/client-rsapss-priv.pem | 29 + certs/rsapss/client-rsapss.der | Bin 0 -> 1529 bytes certs/rsapss/client-rsapss.pem | 112 +++ certs/rsapss/gen-rsapss-keys.sh | 29 + certs/rsapss/include.am | 59 ++ certs/rsapss/renew-rsapss-certs.sh | 191 +++++ certs/rsapss/root-3072-rsapss-key.der | Bin 0 -> 420 bytes certs/rsapss/root-3072-rsapss-key.pem | 11 + certs/rsapss/root-3072-rsapss-priv.der | Bin 0 -> 1792 bytes certs/rsapss/root-3072-rsapss-priv.pem | 40 + certs/rsapss/root-3072-rsapss.der | Bin 0 -> 1425 bytes certs/rsapss/root-3072-rsapss.pem | 117 +++ certs/rsapss/root-rsapss-key.der | Bin 0 -> 342 bytes certs/rsapss/root-rsapss-key.pem | 10 + certs/rsapss/root-rsapss-priv.der | Bin 0 -> 1266 bytes certs/rsapss/root-rsapss-priv.pem | 29 + certs/rsapss/root-rsapss.der | Bin 0 -> 1217 bytes certs/rsapss/root-rsapss.pem | 102 +++ certs/rsapss/server-3072-rsapss-cert.pem | 122 +++ certs/rsapss/server-3072-rsapss-key.der | Bin 0 -> 420 bytes certs/rsapss/server-3072-rsapss-key.pem | 11 + certs/rsapss/server-3072-rsapss-priv.der | Bin 0 -> 1792 bytes certs/rsapss/server-3072-rsapss-priv.pem | 40 + certs/rsapss/server-3072-rsapss.der | Bin 0 -> 1491 bytes certs/rsapss/server-3072-rsapss.pem | 238 ++++++ certs/rsapss/server-rsapss-cert.pem | 106 +++ certs/rsapss/server-rsapss-key.der | Bin 0 -> 342 bytes certs/rsapss/server-rsapss-key.pem | 10 + certs/rsapss/server-rsapss-priv.der | Bin 0 -> 1266 bytes certs/rsapss/server-rsapss-priv.pem | 29 + certs/rsapss/server-rsapss.der | Bin 0 -> 1283 bytes certs/rsapss/server-rsapss.pem | 207 +++++ configure.ac | 2 +- src/internal.c | 6 + src/ssl.c | 48 +- tests/api.c | 80 ++ tests/include.am | 1 + tests/suites.c | 14 + tests/test-rsapss.conf | 74 ++ wolfcrypt/src/asn.c | 990 +++++++++++++++++++++-- wolfssl/wolfcrypt/asn.h | 9 +- wolfssl/wolfcrypt/asn_public.h | 2 + 65 files changed, 3150 insertions(+), 77 deletions(-) create mode 100644 certs/rsapss/ca-3072-rsapss-key.der create mode 100644 certs/rsapss/ca-3072-rsapss-key.pem create mode 100644 certs/rsapss/ca-3072-rsapss-priv.der create mode 100644 certs/rsapss/ca-3072-rsapss-priv.pem create mode 100644 certs/rsapss/ca-3072-rsapss.der create mode 100644 certs/rsapss/ca-3072-rsapss.pem create mode 100644 certs/rsapss/ca-rsapss-key.der create mode 100644 certs/rsapss/ca-rsapss-key.pem create mode 100644 certs/rsapss/ca-rsapss-priv.der create mode 100644 certs/rsapss/ca-rsapss-priv.pem create mode 100644 certs/rsapss/ca-rsapss.der create mode 100644 certs/rsapss/ca-rsapss.pem create mode 100644 certs/rsapss/client-3072-rsapss-key.der create mode 100644 certs/rsapss/client-3072-rsapss-key.pem create mode 100644 certs/rsapss/client-3072-rsapss-priv.der create mode 100644 certs/rsapss/client-3072-rsapss-priv.pem create mode 100644 certs/rsapss/client-3072-rsapss.der create mode 100644 certs/rsapss/client-3072-rsapss.pem create mode 100644 certs/rsapss/client-rsapss-key.der create mode 100644 certs/rsapss/client-rsapss-key.pem create mode 100644 certs/rsapss/client-rsapss-priv.der create mode 100644 certs/rsapss/client-rsapss-priv.pem create mode 100644 certs/rsapss/client-rsapss.der create mode 100644 certs/rsapss/client-rsapss.pem create mode 100755 certs/rsapss/gen-rsapss-keys.sh create mode 100644 certs/rsapss/include.am create mode 100755 certs/rsapss/renew-rsapss-certs.sh create mode 100644 certs/rsapss/root-3072-rsapss-key.der create mode 100644 certs/rsapss/root-3072-rsapss-key.pem create mode 100644 certs/rsapss/root-3072-rsapss-priv.der create mode 100644 certs/rsapss/root-3072-rsapss-priv.pem create mode 100644 certs/rsapss/root-3072-rsapss.der create mode 100644 certs/rsapss/root-3072-rsapss.pem create mode 100644 certs/rsapss/root-rsapss-key.der create mode 100644 certs/rsapss/root-rsapss-key.pem create mode 100644 certs/rsapss/root-rsapss-priv.der create mode 100644 certs/rsapss/root-rsapss-priv.pem create mode 100644 certs/rsapss/root-rsapss.der create mode 100644 certs/rsapss/root-rsapss.pem create mode 100644 certs/rsapss/server-3072-rsapss-cert.pem create mode 100644 certs/rsapss/server-3072-rsapss-key.der create mode 100644 certs/rsapss/server-3072-rsapss-key.pem create mode 100644 certs/rsapss/server-3072-rsapss-priv.der create mode 100644 certs/rsapss/server-3072-rsapss-priv.pem create mode 100644 certs/rsapss/server-3072-rsapss.der create mode 100644 certs/rsapss/server-3072-rsapss.pem create mode 100644 certs/rsapss/server-rsapss-cert.pem create mode 100644 certs/rsapss/server-rsapss-key.der create mode 100644 certs/rsapss/server-rsapss-key.pem create mode 100644 certs/rsapss/server-rsapss-priv.der create mode 100644 certs/rsapss/server-rsapss-priv.pem create mode 100644 certs/rsapss/server-rsapss.der create mode 100644 certs/rsapss/server-rsapss.pem create mode 100644 tests/test-rsapss.conf diff --git a/certs/include.am b/certs/include.am index 3ab8337a5..700927500 100644 --- a/certs/include.am +++ b/certs/include.am @@ -128,4 +128,5 @@ include certs/test/include.am include certs/test-pathlen/include.am include certs/intermediate/include.am include certs/falcon/include.am +include certs/rsapss/include.am diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 208fc1a58..d2cca7f9a 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -619,10 +619,20 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" + ############################################################ + ########## generate RSA-PSS certificates ################### + ############################################################ + echo "Renewing RSA-PSS certificates" + cd rsapss + ./renew-rsapss-certs.sh + cd .. + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ########## generate Ed25519 certificates ################### ############################################################ - echo "Renewing Ed448 certificates" + echo "Renewing Ed25519 certificates" cd ed25519 ./gen-ed25519-certs.sh cd .. diff --git a/certs/rsapss/ca-3072-rsapss-key.der b/certs/rsapss/ca-3072-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..d36bc7113edba902df14c5cc00150445e942dcee GIT binary patch literal 420 zcmXqLVq9Rr&Bm$K=F#?@mywZ+xrwo#!Jvt;i>ZmRk>P}v!-?1HY9x$LTLeDaUM=W< z_LXUS%FRuu&U-5!Y12BsIA7FG?#OKBMsKUw;3UCE9QUXDn%h<+1vnUL6}U*{W_tc9 z-|@+bvu#$a<=K{Mqb}9cEGzK9m>i`aw*w@#)pA6BD|x$Lu~-!1gV`(bcTp(WP_Sbme_z z*K3OEUwx4j5I=ms|Lk-HmeaD#*_{2?t6OT7jy@7NeMWHA!mnwqe5O%7hdUEBFT@1v zb9zs#JNH27^10V118mGbEZg#X>!Evz3)bZCse2#HF@K}P+UUoO%J&49%GX}q_N7QR zxHPTjcB0(N*EXL$Gn=+4WNR`n+!y-9=ZEU@6^kF+8_BO*t~EP5?C!~^jZ%yYgfI2Y e(z#vtH=0lH{iMuupYFZCpwG#d&cw{fzz6`kQM^|UzlmZa=U=k z?{)@rjBamIscvV|R2MQ`+jp2rN%&A+u<@w@2!XKB`#Q#zo+hfFvt9j5^JL$Gb-N`Tq<9C zb=#LB+2GQ&p4*9XFJIey_RMVBrjV`4yl`LW6Q3Wd%U3LZY;PpLZn@U%?6A8hqc%!0 zE)c%dH%sSs-QQ?Fz4wzc&waZ0{(?RyUpf;rBLgE-6Jvv5o=FSWEC#*&7!#Jzb8Kxb z>HRz_T-N+4zjQcOE$hpK-QPE+-7Dm(TC-wxYOzd)hU4YFb?F=USFPZP`@c?9Kt<%6 ze5PXGeQ|G>^zZi<>^QpZ<;$Hjg!VgKx4n6}F62g0bCmCb5}D|zhUn?x4e{1>dXM{U zMK&vmb5yT4F8JPD^L3(~*VLFatq1KpxVGib{<}HXIa#kG&dth7eUFK(lC$}9N%M8O zzdxVe(LU8#{e_d%hR$5>$Bn1{E~`1XsCrl3o7PqNCh>O<1b51E(UaaYTfqVfePm5OsBo+m$kvBFF3+hd);?r&^jv$I=f1kT878j!uPnvv zS4W;GyPTopFE!iVYV9(4z9WZ?I44WTRDF=DCn^(<;U8VJG;W~Q7 zhj*`L2w{;Ekbh${TVrjA#_#qNL8iuo41f2WicV#U^04bZ;C5PO;os-m>Qol4oKv#n zt+;5MuFU@j){Hu}ec9gUcCWkf_u^l%m(Oh8HNLf4F5H`0AJu3kIgOu5`tK9xubVD- zUELdcZ*g<)%=hcN!#Ex@`9{aJ8qc|X)=B1m^u=Fh+*)da|MLBAv@6-Jn9vc;II$?c zj=S|{tW8jIR5MT04{d8B?UZSHhv#^#+Z{4vP0)#{RckFznOr)rw{Dr~gTw$0qlFWv ztSPuE_Uh*BZh0e@an^Z4IB7=ZsS?wyr6A>1HsiYIo3x^Y=zA>vvMlaM#FGCWRu7hXsquiy$p=%pcPY+z{9>__Ldu2syZ2V^&wR-}MdR{uZ{|x~ z%dhSE9x;n~lit-SE$c&b4;?byUB#!gCSlf+vtlgk{>=DUuq`0+*Zjkuwr+^*^nc(P zn}5ED!zQ;f^hpcXd#ilOMe~}^NyttL=`5Jhc=o;Hr=_)zGoLnXRQ&w^gUO=*NAusT zV*T}n<7jir!%IbH_C`KZshq=Ux+lDFaa3#Av=^85=}fEP?^^b0&guPzC0DN~?=U%i z{+QkAzb2P_mYYvtTc*Dh6b;>Jrl+o27PUo7-i_aoF|F;tjYVR>i=BK6u3lf#Fl$co z`J!c23mPW9TWx;uL-E#mhki1ys27qeQSX}+WtbYP5;X6roO;B`t1}Bj#3V|u_MO^$ z_g5TS@{8A(ZLD=B$2_|JvBFe3LAPLUwMf&!$OVIP+Fd zQeZ#gpqi>8$#UcIN2Xa5US>{t?Q+|yy8Db+SbKfxAw?gdyN|Ei*9(hs_IPCN+$(xW zq~qtzJqLQ9D=h!{WZJnub+R3AXD@h|^GdL_egn^IooDjJAMV8${VIKs{pw|={R72Q zbI)f^U6y;eqfgg#$N@dpP!GDFu)xgZdUtV6W z2hvnroTHbVpKB;@APaXOC!?4^W?ovp1Cjy*IdNViBLj0IQv)L-b5qkOab6=+0}~?y zDA%BI6Y1_3HxLE6l8c8AWE0f=AmHBk?(dxkUdV(e!yXkzSQYGQ0;IHBcm;`O>33FFfifzP&A3;LgZW!j!{ zbJMBw-ik-sw2m*%7qyc+GMl;4+bT9VN$?TJ{pr5uwiQVM4u)CgLfo`1@Bd~)J! zn-yz$wx!yr%X)+Ve%mXobq7{yEIqeT!z%Koq=3~G`HAf8#Q{sSZ%D{1{rHk%FTCJJ zLS3+r_4I;0W>5DSPInD`yC}MSt8`zg?RHU)i$YSX-uQ)?7A&_5Nd0bSFvsZjCY9=T zCQWrA)3tqvnUsVNgzoDxyAKtxeG71OHLG`Y>D)G5d0*M}nxgtw zUnB*@58v-UJ6(b0v@CNrXaDu;mRhBwj|5Ji5nQ$KYg#LxX;jbQ&P2@%F~Rzr-V^K2 zJrKHl?)Aw48?z6~w*20D=w9N2HTiq$-UoBc-zc#*`Z1&OJ;9~&wO6-&DUuB?P3yUx zDEIQU&1cWdrfmw@n#>FLg+B55p}Ks<;>Y$z^6Qps&CU+HdopUH6ypNnOMSC+ZrA;d z=F@vWDf8T?d+#skbMmD#F*7nSE>1Q`G>~Ou4wdC&5n~bg;dG|s>L-asBCt;`}}Al4wVs_^p0F7Ms$qVDmtFKB08%x{hRX21_pAk4`4pM}+cnUV27 zIB&`Fg9KQZnHbwB&ArT^2f7Z``Noa_z=+S=T#31t0INDM@9{ zUccajV&XYvOXCx#<@(Eod!Mh?o1g1#cjJjTdn#;M$M3&F7u6f0 z76nfG;gi~1$lY>k%Fp>HEs_?eoSon;EMC#)Nt4Lbi_5)4g?HUZU2C#vveiXTA>U8aKR@bfzO=ukc LNs9;Z|LQFOuXhu# literal 0 HcmV?d00001 diff --git a/certs/rsapss/ca-3072-rsapss.pem b/certs/rsapss/ca-3072-rsapss.pem new file mode 100644 index 000000000..a89c4ae4e --- /dev/null +++ b/certs/rsapss/ca-3072-rsapss.pem @@ -0,0 +1,116 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:c8:2a:40:c8:eb:ae:7c:18:33:cb:38:51:e6:b7: + 7b:11:4f:cd:ea:35:87:64:d9:b2:ca:cf:4b:21:c4: + 86:2a:c7:a3:6f:15:3e:1e:c4:9b:03:81:4b:3a:5d: + 53:62:11:e2:08:df:97:4d:37:3d:78:62:50:40:31: + 2a:70:44:1a:6d:69:49:fc:77:b8:f2:42:09:86:9a: + 5d:39:cd:84:7b:32:8a:3b:b0:4f:bf:3d:d4:05:7e: + c0:aa:28:a5:ce:b1:28:3a:59:d9:19:10:3a:d4:1f: + 91:07:07:73:50:a4:2b:d8:18:1f:22:f8:f4:64:3f: + 13:a0:d8:60:7e:53:4c:3b:97:70:bc:36:e5:be:31: + 97:45:55:ed:a2:5b:87:b5:1b:8e:65:3d:b7:15:08: + d1:12:1a:aa:ec:4e:56:35:70:a7:3e:50:65:f7:3e: + 30:9c:32:db:b2:24:7b:87:02:29:27:12:35:ad:8e: + c3:02:22:13:c2:6e:53:45:f0:16:21:81:e5:d5:b5: + 91:60:8b:d7:5c:bb:c2:70:06:f6:50:41:45:36:7f: + 41:44:89:b6:97:23:be:76:d7:7c:72:7f:ea:f4:19: + 10:17:c3:df:8f:cd:97:20:04:cb:1d:03:6b:09:8f: + d7:7b:84:7d:22:c5:e2:10:cb:cc:11:aa:a1:f5:66: + 85:0e:35:5a:8c:c3:89:61:29:d0:5c:53:2f:09:4b: + 91:7e:ce:e0:12:d3:ce:eb:c9:50:3c:36:f0:a6:b4: + fb:b5:c2:de:61:a0:ac:6f:bc:7e:ef:53:08:9f:b1: + 18:ad:5b:e3:01:23:de:11:a5:1f:7d:d5:b6:f4:72: + 1d:53:75:66:8c:db:61:1e:e9:eb:3c:f3:49:69:82: + b6:20:6b:29:03:a1:be:55:e4:4c:f8:25:a7:a8:a3: + e3:3f:32:1f:ae:a7:2a:9b:6b:56:dd:c9:5a:b1:1a: + 01:a0:13:d2:8e:9a:2c:db:7e:fd:5b:0e:2e:ef:92: + 69:ce:f2:de:ef:d0:2f:09:0e:67 + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + X509v3 Authority Key Identifier: + keyid:AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 39:a8:ef:b1:66:08:50:0b:5e:cb:b2:29:8c:9b:b1:be:21:44: + d6:d8:97:1d:45:dc:52:70:f1:de:ac:74:65:03:6b:af:a0:f0: + 21:61:ce:23:39:33:c8:cb:1e:8f:77:12:1e:5b:99:0c:e1:1b: + 75:cf:1d:d7:12:86:cc:fc:86:90:0f:45:ea:8b:08:47:08:ac: + 56:44:31:f2:c9:23:6b:d5:30:ca:5f:49:b0:4b:8b:36:bd:5c: + 92:fa:86:34:57:80:30:93:29:59:19:a4:dd:f9:91:26:8a:49: + b4:ee:93:aa:e1:b2:06:f6:2f:2a:d9:5b:6d:f9:7c:04:4f:1c: + 7a:cc:8e:39:c2:98:3a:bd:b9:a2:24:82:8f:e4:d8:80:47:73: + 84:6e:bc:20:5c:ac:79:72:a7:6f:e3:c8:3a:9c:cc:83:b1:1f: + e2:65:3b:a1:f5:86:1a:33:53:bc:05:ba:6a:b1:bc:a7:b4:c1: + 44:8c:0a:cc:c2:15:da:c1:dd:dc:31:91:46:5b:48:d8:ea:03: + 78:e1:1f:ce:79:19:c8:6e:d6:3f:4c:f5:3b:b3:e7:2e:b7:46: + 0c:58:cd:ca:56:a6:88:fb:fd:12:d1:27:80:5a:a2:51:96:f8: + 4c:65:8d:71:0b:84:ca:94:f9:9f:c9:38:62:a3:64:cd:91:44: + 50:ed:bb:c0:1d:9b:b8:a4:57:b1:7a:2e:44:57:a5:15:ba:cc: + b3:62:f5:46:aa:cd:fb:53:d3:ed:ef:e3:f4:b2:9b:3f:29:d0: + 00:8c:19:61:48:b6:da:74:27:05:69:7b:df:04:0e:e2:f1:0f: + 1a:fa:92:70:79:78:86:52:60:e1:4d:4e:66:14:ba:86:e2:4e: + dd:e0:d0:f3:c0:2d:6d:3a:16:00:1d:c6:9c:27:6f:a6:5f:21: + 4c:e4:82:14:95:d1:a7:4a:15:13:ba:d8:65:ad:34:a2:93:3a: + d1:49:12:4d:f2:97:f3:e2:8a:83:d2:bf:84:84:c6:87:70:c9: + 38:e0:5f:fe:7f:38 +-----BEGIN CERTIFICATE----- +MIIFjzCCA8agAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgZ0xCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93 +b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t +MB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAyMjc1NVowgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoC +ggGBAMgqQMjrrnwYM8s4Uea3exFPzeo1h2TZssrPSyHEhirHo28VPh7EmwOBSzpd +U2IR4gjfl003PXhiUEAxKnBEGm1pSfx3uPJCCYaaXTnNhHsyijuwT7891AV+wKoo +pc6xKDpZ2RkQOtQfkQcHc1CkK9gYHyL49GQ/E6DYYH5TTDuXcLw25b4xl0VV7aJb +h7UbjmU9txUI0RIaquxOVjVwpz5QZfc+MJwy27Ike4cCKScSNa2OwwIiE8JuU0Xw +FiGB5dW1kWCL11y7wnAG9lBBRTZ/QUSJtpcjvnbXfHJ/6vQZEBfD34/NlyAEyx0D +awmP13uEfSLF4hDLzBGqofVmhQ41WozDiWEp0FxTLwlLkX7O4BLTzuvJUDw28Ka0 ++7XC3mGgrG+8fu9TCJ+xGK1b4wEj3hGlH33VtvRyHVN1ZozbYR7p6zzzSWmCtiBr +KQOhvlXkTPglp6ij4z8yH66nKptrVt3JWrEaAaAT0o6aLNt+/VsOLu+Sac7y3u/Q +LwkOZwIDAQABo2MwYTAdBgNVHQ4EFgQU+ELMiMnIGPnTsCRlBkz/Vau/Dn8wHwYD +VR0jBBgwFoAUqnHTsYpLu0cVR1+b0Ctp0W+FXvYwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAY +BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgFOA4IBgQA5qO+xZghQC17LsimM +m7G+IUTW2JcdRdxScPHerHRlA2uvoPAhYc4jOTPIyx6PdxIeW5kM4Rt1zx3XEobM +/IaQD0XqiwhHCKxWRDHyySNr1TDKX0mwS4s2vVyS+oY0V4AwkylZGaTd+ZEmikm0 +7pOq4bIG9i8q2Vtt+XwETxx6zI45wpg6vbmiJIKP5NiAR3OEbrwgXKx5cqdv48g6 +nMyDsR/iZTuh9YYaM1O8BbpqsbyntMFEjArMwhXawd3cMZFGW0jY6gN44R/OeRnI +btY/TPU7s+cut0YMWM3KVqaI+/0S0SeAWqJRlvhMZY1xC4TKlPmfyThio2TNkURQ +7bvAHZu4pFexei5EV6UVusyzYvVGqs37U9Pt7+P0sps/KdAAjBlhSLbadCcFaXvf +BA7i8Q8a+pJweXiGUmDhTU5mFLqG4k7d4NDzwC1tOhYAHcacJ2+mXyFM5IIUldGn +ShUTuthlrTSikzrRSRJN8pfz4oqD0r+EhMaHcMk44F/+fzg= +-----END CERTIFICATE----- diff --git a/certs/rsapss/ca-rsapss-key.der b/certs/rsapss/ca-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..0a13499db1ab8a6bae7f5bc5f3a90edc4565e8a9 GIT binary patch literal 342 zcmXqLVhl2{W#iOp^Jx3d%gD%OV6cGKfSZjoq0NIam6?T!aiNrf1VWwzMQ#x@6Qcri z6C*!^K@%evQxhX2!!^F+0lu1FS1h`s86ELykFNT?4o|5TN$r;2DHkh*u2qZNxYVRF zb@f00(BBV2|5%z=J2q^YkzapwyPf%ucv*cR!;YWb)(oxB%$ADV&swt2Qj{e|vp-W!C!)@1*H{#uJUS9w&>se@k4VcAJT1Tlj(HA6C6lD4KZKX!VTxmSZpC zuRV~uq_XjN!0zJqds>Gd9Z4|S@gypG>l4kMZjJ2SQg>|r?R-D4QzK#55{I;_yB{Rg gFV}v^Z}H6d)g}QxkrVdq^Z$2ioRMW>W@KOl0Cek)S^xk5 literal 0 HcmV?d00001 diff --git a/certs/rsapss/ca-rsapss-key.pem b/certs/rsapss/ca-rsapss-key.pem new file mode 100644 index 000000000..a9724c461 --- /dev/null +++ b/certs/rsapss/ca-rsapss-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PUBLIC KEY----- +MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEB +CDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1g7HUE0p9aii1ClbWPK8 +LSfeiEkahBkrhI2U0XgS1nsU2NKCJJWr/k9V++BV/Dk3e0GAtJhvf8W3Pjf4Xx0v +EjGI+Ys7AIXmNqUXP5qkvkj/ejYiLCPUn1tS0RfRwfJpGdgyxfd57IMZh+MToENe +sekD7bQIzXsUaA8lT5DwBKe7CIkI3HZOcEkEQU2/t393eWrvaEtil44zkTIq42MV +R/ZhpCbbAgS2V8Cn8KrsIHKRwzKrmH+Exuhf1uAa0iSxx1C7c4feKsPixGAyuORa +W7XkKYyLKGu7Gtw8/rnvnokoYLqkQGbVu+Bif6cr4Q845jPqshAOFMg/h5//iyjM +HQIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/ca-rsapss-priv.der b/certs/rsapss/ca-rsapss-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..5108996f166d4cb7f6c74b35e2d384cd864b51b6 GIT binary patch literal 1264 zcmXqLVtK>F$Y5a0#;Mij(e|B}k&(;5U;(cIHydX{n+IbmGYb>rLMa0Ygggg|+#+Ts zMg^88mSqM_EQ^>J8JLn;CNmORtrvD6B{dF zTXAUH7F#FV6OzjD&hPsD%8Ryz6ixH#`Y0G}#WqvG;$L`op@Gl;mDVb^gzO*tD}7#e z>B8F*gAI$$?LV~GASfV=rSzI+XZq5HBAwJVKd#)|(f^%+Ylpw>J=3~-jZBS=3~#e9 z2e~oopRCY6ef7O<+;1I$>8HeYh;EqlWA4FEM{h|Q-F&^~X6M>jxhjdTzyFY#AN+k^ z?yN(bioPr4UN$^eyd$)J;hHz+6E^BKJ8kb@GOhfS!d^G|g7WQsD_t_r%l7`-J7ur^ z&%G;D5}pLCJTv3XuZWfNRjstMbNfFV)s%79?*+Nx*}2ze9Wn|OE;?4TrUXkI2+X$H zXqs2_ZTHIiU%$K&QJj3ZuZT_gVo!47wySUc%>2Rg;mV8Eil3&x{E$6o_i5eP*AJhM zc{{7I!Ady6V^Pw;#)0r#M#>Bn!UFy(>zl*Lt>+Z$W|vsE z$*g{1n;*Z)k;xC48XJ5Zr3!t0R=GBbxP4pX>vhuK;UfPwGyk2!t3AxW?<&*R-uA`& z(Y<9U<)3SspB10@IzKaazlha7_Y0LX-Zb)V`z=v)>EMK!)4DgF-E!)a*ujIcD-#^8 za!-FE|caRnoSFzItAux9kh=4)6JPpcPnxZm`_Yfe*E@1lIUC*k?avz7wh6y!eCEaR z)F=6LdzJaACiP=WXBz%t^HOB%VPHFbG)FI|_~OObtRFuYzu30lIbLecw~9U8n?0gG z`5DjI-!hp|GQ)n^4Izizz3zA3e~zA{@TQcJsj;E5x=*}h{mygm=UO^ym?sIU)!xuB za=sp{_fAViq(MC+V4tdMThNF8BlU)Vog^<_bjw_6TDT>(u70EWlr`ZJzkH`S&s=rM z;rQ-s)+;CO*o2hcmt#13U^8ce{{5^yx-04rUEF)valgRoS4&s!_`TgEcuw*CKV1(J O_JpY_&HP{aelGyt<6DdX literal 0 HcmV?d00001 diff --git a/certs/rsapss/ca-rsapss-priv.pem b/certs/rsapss/ca-rsapss-priv.pem new file mode 100644 index 000000000..a47cb4faa --- /dev/null +++ b/certs/rsapss/ca-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7AIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKYwggSiAgEAAoIBAQDWDsdQTSn1qKLU +KVtY8rwtJ96ISRqEGSuEjZTReBLWexTY0oIklav+T1X74FX8OTd7QYC0mG9/xbc+ +N/hfHS8SMYj5izsAheY2pRc/mqS+SP96NiIsI9SfW1LRF9HB8mkZ2DLF93nsgxmH +4xOgQ16x6QPttAjNexRoDyVPkPAEp7sIiQjcdk5wSQRBTb+3f3d5au9oS2KXjjOR +MirjYxVH9mGkJtsCBLZXwKfwquwgcpHDMquYf4TG6F/W4BrSJLHHULtzh94qw+LE +YDK45FpbteQpjIsoa7sa3Dz+ue+eiShguqRAZtW74GJ/pyvhDzjmM+qyEA4UyD+H +n/+LKMwdAgMBAAECggEAQG0QRjYDVAHeiDauXLYqNvkR/DjsdyfQNkQar3URTmab +Hqs1Kme17YPZYEbj+lcKQNm1MCXVIULT5TEZWx9AhJxOGrVyG7UxVe8YcTdNMExu +QE08ucZK/2+QHIirxFD+mx28ImNa2fmXXJPW21yLisaUPR37rETIHo24cBsycmOw +dO25ggGtIX2M5nI75P9p7+jG7vnfDKkn7ER5exGVrF1dED14wra0PUI9yBkjX0Pu +j053crZUcpZMivERWzoGmRA4/leLcTBM/6k7JNoSP+NPIvOm0tDtdDCwos6/wqMw +UlBWBHXWKYlnpYByLGWs+NTZuI/3AAq4Tz3eNX7egQKBgQDta9NSRgEvyXgry9Xv +PV77LBCXyha4FbCS+J3B8sXaGTLZ66zZia2abSRh6/f4HJ9T975tmsKycvcgbdMx +znO4VX+hrOzPYLEug0K3j6SWd8ogvUYfcHe3jqlEac8djfq9lL0/+b2oJGDkUKnM +mOz6WKmfJTora22P8zJ8dgt/vQKBgQDmzuvNQGhwINFBewVkUxjAUWs6sTVucva7 +qd/19OwUIZPDjnIGI9GMY2G21ez8mfgM8NToqyHyl+nwa5y7yy2b18PPXO2agYA6 +E2BIoor8q+y14g6rEsRDOzzWP0sdAp49CpA5wuEouFN+Wn4IJX8JFosHGK6yNn+h +hk4PNMST4QKBgExBGnFNTKpFghRG9qJNSslPQNEPtjZPuROrSDf3unYvK7b0S+Le +pmR383yD5nPI9Z9pbb8UOr5H0HmY7IENtvsYctLBkJmWi7HNtMryFsHBHalgQTpt +y/Wnm1P+y+fJJyRmtlXq53AupvQNuEufPlW1zlzv/vvdGCZozOlOnKjdAoGACjox +CK9J8W4C17vzyTZFaoAxGDCyBWris/4bBnML4vh567hsJQmBR48/zTI9hhPsgeZK +COVMY8uHejfKgifGpZkx/AZKIQaMAAbLxWwubHPR0V1q+Pmj6La/Q18anPZ4vIuz +SFvyTjOcv4STARloP6bYEkBtvUfc7/NbkiDsdQECgYB5e44XdK+5zu+dOUEoN2IR +Jn3YKDJD11Mu7iokFIAnaFC+JUWGUvCPxH8x/UIZ0dFGaak1cbRlfn+xN5SsVxj6 +TZRDmarSQMe7awXUyNw8VHXfHgDFwLMJYC/farwtqH/C0b3DQb8Qq+qlqbj7tzRT +nHPf/IrgYLxWJSKZ/3nvvQ== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/ca-rsapss.der b/certs/rsapss/ca-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..32551ab5cec9a6bd6201920ecbcd95bfc4c1a0c4 GIT binary patch literal 1219 zcmXqLV%cxd#9Y3BnTe5!iILI3mW@-Z&7jN1q}E=91b3K-~7Ci#Joh92s;nEQ+`!y zZepIHgn<}H4Hpl8d45h>aIjB&P_UzJKya|3sDUs@hMR{cC_leM7bXnVz|6y6US6&T z(o|fWqnDhYYbb9Z3wIwUqnJQuURu5bk^%!cab6=M19Kx&10y4IQ`0DMUL#Wj6C(pC z*Pw9|>FyUd5CyrCi-!+n6V&}6=L;DKfF!tiIGr6qjt7a6?{-6wJzSiV)H)}B(n(=t z+qCnk<@PK zopP~4=vuYNjY~}`Q&<1<5B>ch^pB-^wPVAU8Ts``x7(Tjh?mtDGVJ)-ZOzd7%xtN+ z{j4SXJpNaiDd{L*nI9c=QT*b;PnnW8jE;V@J^cEXFSnJ>v6KE`?tg;YPXqKwuK*9{$bS{ zg`$avjaJX7Z#niN{@MenODY?W2kb6xzo&Kh(UAnB9Z#a7w?5JA>DI{JEp^A{-_G~* zIyDk@EpbS@y8A&={c`Px{1(rQUu_cL6FFhuKL3BW#u-^AW=00a#mNSV2C{6-p|X4| zVk{!_cphB7zs>uzWOB@@oXKsAM1m(88pwmBm02VV#2Q3WuD)q%Z@3rr)^o-Uo{(C% zc}s1s8SsM?2s1MNXJIv9W@P*i&JD8sAORL;CdM|(qm7ZlD6Lw_yWvk&W0at*^o?a| zD=qSW96jCO&cks=Xi1fL-?gPHPTzmEy?o34r;~Qo&t6o>TU%wOxtF;*D3!Nz-QhJa zmXsdTIKXNg_@&jHZw~XFK-<{R4)I%Ck8Yf}bfv>Y_QgEnr9XcKIZsh^Q0X!J>=iey zO<}fq`;xFV{%f8s<6%9Mw23PznI-;CklSscI5F)chF=EpEXEo<%W^zVo38zGHT<+# z&6l2;N>3hsnf~PdCi$fP06phb=a09oyH&sawb*HmLwg#kKh=vRbntnux~w%R#9|5O yzRHKP`5UM5F#UY~#e0W~*Q47^9Gjn2UcIo_r2kBxq=pB3^@UA_yKX;vU=ILJa-MGh literal 0 HcmV?d00001 diff --git a/certs/rsapss/ca-rsapss.pem b/certs/rsapss/ca-rsapss.pem new file mode 100644 index 000000000..14811aa88 --- /dev/null +++ b/certs/rsapss/ca-rsapss.pem @@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:d6:0e:c7:50:4d:29:f5:a8:a2:d4:29:5b:58:f2: + bc:2d:27:de:88:49:1a:84:19:2b:84:8d:94:d1:78: + 12:d6:7b:14:d8:d2:82:24:95:ab:fe:4f:55:fb:e0: + 55:fc:39:37:7b:41:80:b4:98:6f:7f:c5:b7:3e:37: + f8:5f:1d:2f:12:31:88:f9:8b:3b:00:85:e6:36:a5: + 17:3f:9a:a4:be:48:ff:7a:36:22:2c:23:d4:9f:5b: + 52:d1:17:d1:c1:f2:69:19:d8:32:c5:f7:79:ec:83: + 19:87:e3:13:a0:43:5e:b1:e9:03:ed:b4:08:cd:7b: + 14:68:0f:25:4f:90:f0:04:a7:bb:08:89:08:dc:76: + 4e:70:49:04:41:4d:bf:b7:7f:77:79:6a:ef:68:4b: + 62:97:8e:33:91:32:2a:e3:63:15:47:f6:61:a4:26: + db:02:04:b6:57:c0:a7:f0:aa:ec:20:72:91:c3:32: + ab:98:7f:84:c6:e8:5f:d6:e0:1a:d2:24:b1:c7:50: + bb:73:87:de:2a:c3:e2:c4:60:32:b8:e4:5a:5b:b5: + e4:29:8c:8b:28:6b:bb:1a:dc:3c:fe:b9:ef:9e:89: + 28:60:ba:a4:40:66:d5:bb:e0:62:7f:a7:2b:e1:0f: + 38:e6:33:ea:b2:10:0e:14:c8:3f:87:9f:ff:8b:28: + cc:1d + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 9E:0C:E0:D3:DF:B6:4B:F3:19:63:5C:CA:6C:93:86:A2:14:53:91:31 + X509v3 Authority Key Identifier: + keyid:64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + 32:66:7b:22:4b:80:fc:7a:81:5a:11:1d:1b:d8:a6:26:a9:38: + 6f:f8:c5:cb:80:47:0c:08:cc:12:a4:7a:17:8e:d6:a5:a8:cb: + df:ea:b7:77:b4:df:e5:92:ba:7f:9b:a2:71:0d:7d:7a:36:29: + bd:03:7b:52:65:0d:79:ae:c3:ac:e8:a4:75:c6:28:c0:05:33: + 51:f4:85:37:0e:9c:03:dc:51:3d:5d:55:88:17:da:b5:c5:b1: + 91:a5:a9:40:91:07:a3:0c:17:75:f9:fa:52:43:94:21:40:24: + 8c:31:f3:4a:5e:96:86:20:9b:37:87:a4:56:ac:4f:ac:e6:a6: + 0c:05:cc:62:b2:0a:62:63:04:5f:dc:52:46:db:12:5e:16:2b: + 62:00:fa:30:5f:04:33:28:0c:a6:6c:49:cb:35:ad:f4:d5:57: + cb:16:7c:f4:8c:99:22:e4:e1:f4:97:e4:df:b2:1f:62:8f:50: + 2e:43:aa:cf:c7:86:ae:da:7f:b7:eb:16:cb:28:c2:bc:80:7b: + f2:7f:16:60:88:0e:49:aa:d3:2a:92:54:38:a4:09:be:79:e1: + 1d:6f:b1:95:0c:02:f9:e7:f4:4b:b8:44:4a:e2:db:02:08:b3: + e6:79:d5:d0:bd:34:8f:cc:8e:19:28:48:07:7b:d0:b2:31:ba: + db:e2:e0:3f +-----BEGIN CERTIFICATE----- +MIIEvzCCA3egAwIBAgIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDCBnTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xGDAWBgNVBAoMD3dv +bGZTU0xfUlNBLVBTUzEVMBMGA1UECwwMUm9vdC1SU0EtUFNTMRgwFgYDVQQDDA93 +d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w +HhcNMjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIyNzU1WjCBsjELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndv +bGZTU0xfUlNBUFNTMRIwEAYDVQQLDAlDQS1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEK +AoIBAQDWDsdQTSn1qKLUKVtY8rwtJ96ISRqEGSuEjZTReBLWexTY0oIklav+T1X7 +4FX8OTd7QYC0mG9/xbc+N/hfHS8SMYj5izsAheY2pRc/mqS+SP96NiIsI9SfW1LR +F9HB8mkZ2DLF93nsgxmH4xOgQ16x6QPttAjNexRoDyVPkPAEp7sIiQjcdk5wSQRB +Tb+3f3d5au9oS2KXjjORMirjYxVH9mGkJtsCBLZXwKfwquwgcpHDMquYf4TG6F/W +4BrSJLHHULtzh94qw+LEYDK45FpbteQpjIsoa7sa3Dz+ue+eiShguqRAZtW74GJ/ +pyvhDzjmM+qyEA4UyD+Hn/+LKMwdAgMBAAGjYzBhMB0GA1UdDgQWBBSeDODT37ZL +8xljXMpsk4aiFFORMTAfBgNVHSMEGDAWgBRk1eyCh4DeWu1JmNgMVH1GnqU81jAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjA9BgkqhkiG9w0BAQowMKAN +MAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOC +AQEAMmZ7IkuA/HqBWhEdG9imJqk4b/jFy4BHDAjMEqR6F47WpajL3+q3d7Tf5ZK6 +f5uicQ19ejYpvQN7UmUNea7DrOikdcYowAUzUfSFNw6cA9xRPV1ViBfatcWxkaWp +QJEHowwXdfn6UkOUIUAkjDHzSl6WhiCbN4ekVqxPrOamDAXMYrIKYmMEX9xSRtsS +XhYrYgD6MF8EMygMpmxJyzWt9NVXyxZ89IyZIuTh9Jfk37IfYo9QLkOqz8eGrtp/ +t+sWyyjCvIB78n8WYIgOSarTKpJUOKQJvnnhHW+xlQwC+ef0S7hESuLbAgiz5nnV +0L00j8yOGShIB3vQsjG62+LgPw== +-----END CERTIFICATE----- diff --git a/certs/rsapss/client-3072-rsapss-key.der b/certs/rsapss/client-3072-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..944ac7253b1d6a1acf69dda5a70330d5c77e1dd8 GIT binary patch literal 420 zcmXqLVq9Rr&Bm$K=F#?@mywZ+xrwo#!Jvt;i>ZmRkzqHR#*_M!j%EAQj;-9q@yv9N z@dBIZ)l-$PXD43P>+XFkb2EIMROX{|sU3Q${HH%wp4M@jW@jHA`E>i%jW#uEPr?)f zV_7P1*2ffvyp)@H@cX_T{_6K`y$*bfv(L?#ox_`ZS!M3L7a6K^+!7|4ClxD}OYM#M zAej4ZXa1%>vk<$7McHO2J3QJXa(-Oj_~6NP9xc%`lZ;#T7D}-ftYTJqcpaa zcS#0pU#Il<_v?a!4Z7kB>{hh~I47yZG6e1r{B`3Pn*;k^uMJKGLFdJ%ZVdjD(JQ=f z0pAht)8a*E&vNViPjd=5Q&wBxSDP&M^wz`QGjn9wa#p{)Z02{|B>wvaxq!d_94$3t z9vy*|RsqMVoV!0mdmWf|aut&|=e`)DQOY6G*NrsbmX-1voyv|@? zcSE9Q-g1pn&sCi!_o75JWB<6buFh)V57$XqZ9QZ2HIH4lKQdoX_&)!AZBT&5V~@9* fcK`mjEl#nm*IcxCa?sPP!z+bd&NDGHGB5%FF#5q1 literal 0 HcmV?d00001 diff --git a/certs/rsapss/client-3072-rsapss-key.pem b/certs/rsapss/client-3072-rsapss-key.pem new file mode 100644 index 000000000..f83e92f04 --- /dev/null +++ b/certs/rsapss/client-3072-rsapss-key.pem @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoCggGBALsGKOR/yUF2vibGqboI5jWc +M6A8W6uVI9drYdMui43tHNlXrhpp4s5liC5lD8vxecssRpY+P1tZ5be1sTx8JuRW +IVFdBHnZf1xxVOkemcH3vmwPe+9GjUAOo2vOmJtsDW3TJJ2e6GglnEZgkjdicyF3 +Gr1c8BFt7rlvso42VD7hcms2yYhIhhhs+Nex4OTXDCoVzJIzhL1xGgdwqgMk4c7C +KLjjg/+6GVC3riL9++twcLAtF6A+qoVQQ2IkXQBRuBH62MYGQAe9SrBCcFLPF5Wx +U/xojRO+oA7ES8sXcs3NCy7/ZkJQzHZ9cE59Yxbl2uH7mWwdBmyr7tM2Tsc0X/fQ +HlD9/kE5KVzhx7/EUDZ1ijZNCWrKKswatw2LFm1IBzlh9cgHWpy/0qXxOTt+v2Ix +k7opWskJ1wAwPtgYjJ6nKHVJqok03loUKV38RwWraoQPVyxkqzuYs9ZIutvxA9Ag +95/vfVJQKONI7Sk+/v+Go2Q9fymio5NS5WrDqRNEzwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/client-3072-rsapss-priv.der b/certs/rsapss/client-3072-rsapss-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..b11fa543c2c8ed83a85b732d880e3463b628a499 GIT binary patch literal 1791 zcmXqLV*Aa+$Y8+D#;Mij(e|B}k&%m~iS4;T6We1ZMh2!P#zuzSY#LAMPdb+EQ#-bD z7soTxImQcYqE}By?yY)KoEzUkSV|EU2?q!v^^Il}A&T&haWS&&4 zST40U=7V7FyPf%)`piP?9u{Sro$T;vlgRmTedB{C*Lk!=&rC9I*;^>ZUa*Q;<>9$Q z8ap00|KBAUuzj7<-`}qb3O4A9FR)wH8sMCy63Y;{L-5y)V{8uWd%ZR|6$G6ZpSm&l zPe!lsz6E?oyibc4ojuE~_dm@k;7nOo_WhPNkfzvktEmb~(?)%*epV)Wq0OviRy{kz{wp4bg8FEdI9X z$)x5vVk9mTGXv*hCMuu_e+cZrnm7NaT4ghloQ);_2yRB zolAjgVz~!DEI(kF6#n4;`~1cY#?!T3R%>sW@i;bMV%iOv#rxw-ml(WV;~uQ?!_>F^ zmYYwg&;?KS)vonSX+OTJ-|Wxl&E3y7_FOx;d5_WbmskE@TQ_~e%!fhqeyoh@{@iTH z5OJ?(ZNTrM+=%d_Jtn1p3ocw>jAk=*WNJLf@Fuf@E#ZlSh31jA7ed@mYXa`^SqO0} zy!iamM7uL(qGGTod%D8^uq!uQ|CnU6cqknUTkPrY_UF@?|9_t}pTFDcK7ZE&ws#+D z<=&LkJ!h?%-t=B<(!6bfU$*XEzkOO`GW+e2(#^_--v5Mhc{krKj@TIUr|IlG)n(1L zq4U{S2wxO#ZTae$`Yuj%_x3VY!`i=AT)$KxX=5=W9Khz zR}M^`Yd5(!G*12PURwtb=?SNMGZR66IMphDx%Jd_iF=%H7Hi+Ld23j)ud_8K`Dw)> z|I{zbV?11WLye?7f1fln-oP_M-13~B>t)3yZ`)@6Tat45hfrQ%xBourjIQ73QBwq2t(*OpVl=u|^P&-Bas%eKZx60z_*LqE@^6u1k zWk;A<+$YTw3E)hxlj?mEU6}cfXCs4b)87rAHo`yUZ>1eol5P2a*zx2vd)KtDM*se; zlApR?peTt?y68bQ2d96_?A{ID>*X5WPI~(2@{`ahdlFn(j=y|z)A3f0@DcTS=aZU! zKQ~OBMwvN=>Dg7MrTZ1Rh1_}yC!KnDIa@#E zQ|{XpdmZ-Q=h2yVe8T<93yv~-Kkwe!_)}+R)XK$T<<;xhoYo&Usxi=hn!8JLiusTE zr72qBjfIT=0yMt2G#}jV@jJOovSL$x*o89}+M^zXEpV8y-g3(q^L1*oTK}b9uB;Mh zU$L_2v+S1FTQ^C@JU^Upyfwbz`n8U@$>G9JFJ$N36}F$kW)LWLZf3L0^Ihsbj7mr4 z6AF^Wa>aZcCS1MD)OaA&W~#K7SWdXPNBXn9R@1q9&zOpwS1Db0G{pG!mu}6l+iB6> zJtyBxmDaK0KWOxFT4~#^h3AFY{nwjp_iLD7d92Q9mF<+*j&t|i(fs{9JocySo_?m& zzt3vg`Y$;4T{B^djMj|_#ivhAS)J~6_1xt`4UH>_{OkTm`z}tI^ZDaL_UaUFwYw5* z-u#Phw6HK_PIi=@m&3jE NtW4oSCnMqcH2|lQUFiS- literal 0 HcmV?d00001 diff --git a/certs/rsapss/client-3072-rsapss-priv.pem b/certs/rsapss/client-3072-rsapss-priv.pem new file mode 100644 index 000000000..646f43ac2 --- /dev/null +++ b/certs/rsapss/client-3072-rsapss-priv.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG+wIBADALBgkqhkiG9w0BAQoEggbnMIIG4wIBAAKCAYEAuwYo5H/JQXa+Jsap +ugjmNZwzoDxbq5Uj12th0y6Lje0c2VeuGmnizmWILmUPy/F5yyxGlj4/W1nlt7Wx +PHwm5FYhUV0Eedl/XHFU6R6Zwfe+bA9770aNQA6ja86Ym2wNbdMknZ7oaCWcRmCS +N2JzIXcavVzwEW3uuW+yjjZUPuFyazbJiEiGGGz417Hg5NcMKhXMkjOEvXEaB3Cq +AyThzsIouOOD/7oZULeuIv3763BwsC0XoD6qhVBDYiRdAFG4EfrYxgZAB71KsEJw +Us8XlbFT/GiNE76gDsRLyxdyzc0LLv9mQlDMdn1wTn1jFuXa4fuZbB0GbKvu0zZO +xzRf99AeUP3+QTkpXOHHv8RQNnWKNk0JasoqzBq3DYsWbUgHOWH1yAdanL/SpfE5 +O36/YjGTuilayQnXADA+2BiMnqcodUmqiTTeWhQpXfxHBatqhA9XLGSrO5iz1ki6 +2/ED0CD3n+99UlAo40jtKT7+/4ajZD1/KaKjk1LlasOpE0TPAgMBAAECggGAdKPV +0xRjRyGwW+ygo/ay5JKDnBaosW01Sj+dZiDsRlqwGFjXq3+IRWMLOKws2uvCItV9 +PGycBPQfEaEOZYOkmdmhs+XISdo81UGVTEKacF97cleB2uvsYhv/DdhuUthj06/Q +cUFO/s0eFsJZzpLm7OMkWR9iVexy61HfUVRO3FysiHNF42ofv5IO7C7y7KW133Vy +/WeGDMRCEIvSbF2POuzaitzSUSYWbcHwp8AxYlfg3+9vgbAzlytEqyu0mONdUJFm +2Byjv141pDDtrEdTJPg1TYfaRkxVEtBJB6tFfwJm+Pcn2Y9vDW2/AdWXouhgV3tz +EGEN8U9LGQQ7AsSw6xYcJiH0fBXS0nq1DYNClSDp7dtvQGklp50tKuixLv55ahRL +J7Hcvt7yCMGbU5IGg1fu6wtuLEuvKKHg0maYQK0YDn7DXQkeTgVoK85vdxNJrZOD +vDKX6dT/1q6XkJnhUp74qVqL84MxAFjejK1Q+3JtWFfFjDR1/XDQ0AFbBjFBAoHB +AOxpeAZg5EA4KcSG6BIL5XxQ3g44Egsg6PPpNCuJZJEhU0kHZyD/VtTYRfw0awRI +IsZWo0lPRvzyzP/95IPP3YVHn7qgBu7wfR7sdH7nBXyXgu8Wkp62UfS1u6+3loFj +B9tUdbMjMUv+Em0Ns9tzWLFc/ILNniWmgz1VnweoE9EThYT1QWXuXhW7t3YFMbt3 +vWZSA3Ev8cs+Kj7cUF7RPBBVVAtTjkvo40P0htTAk50+k41VXiftvT1ASBuQy41p +YQKBwQDKhR/ThcrXGN4J7KMr3jztMXi+iYVcY+V4ok9l9KdcSEUNVTIaSfvJNjOw +DJgXOc4uRdMhpO2Gmf6kZNP4Em5Ri0++G2iK+89lY4S4Na9wAd95790It2GokjEZ +TndvyHWYp26baHooV3gu/rc63p/PTHGRUn9EDh5NR28Neph2W6ggm8AntosLlT3b +UnAhLcPli0M14hq8lB/U04PA8/M9Cnh+QqX8/rpavbYooGGYibV3vDFKmVI6fyGC +kbqobC8CgcEAtmSAh1tFfg5WmxsB/LpU6N5zE0FLGm7fix7Gczhi8F1nphYiCKE2 +2qupAvVmAz2sJp09CRgyyoCAjJfTL6a1X1hs8Uz5TGsZ/TusfSO7Ze52xAMER5Ke +FFAJZ34ajeRbcWnuDLEAHYL9sEk8E/kf2mbFIh2E/8NByZY/RWb1Mv7+qh+VvxBy +Yg4bcuB7CAlPhJuNsEuvHoDtkuXi0+RVlLxgRQTH6eTZQdpsE8Qnns9ig03zgJa4 +w4LOnwXNJWLBAoHAasr+eG1CBGFBnRwjA1wC5tVCpb8hCxJGjHGSyuHTay9U8m3t +qL1Av98MLJbHkN/ToMUDS+eLtYH5LLlaqaMWd3uuBkKvwzJ8MCvlbboplDf4n3Vk +KleBcQH+UCj3hIPBt0j7Y4oZeLJ/VtDM0Ida4FagQJCvObT0N64mmoX+ZdN5ehCH +qKly8x2067WyGVznw2DHhV+A19aIXpNXE+XQa2zdEz+UBjBRFs6ZgxznuidMASLF +H2BwYxZtFkxAkNXTAoHAVTyVGyoWbFc3SGfmvTqXCo3MNRTPJHWuxVQz2/SLKVbb +ZltLjMnslRssPA/BMumWdYa6oc8TB0+vNLdOgJA5xn5Cqj2U60GdvNwp++dXXflF +vI8Cy/vNKT1PoMb3KWCUHCrYkHPLypSrZ0rVztNxKCjUYQ+u/BtNo2Sc8/HhB3tk +CybdGAZLD6LYhYfTcyTL1XwyXhFDcVwfu3HKtt0oNLLBB/+K1yTkOvEKx43tz2WT +QRuebAulzRxxwUIyE598 +-----END PRIVATE KEY----- diff --git a/certs/rsapss/client-3072-rsapss.der b/certs/rsapss/client-3072-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..82762ff139302564d6d99b6036216d904ab053d6 GIT binary patch literal 1737 zcmXqLVmoTk#PVkWGZP~dlZeT0)m>#$-ajq0w0#4_<*JPg9~&6hv2kj(d9;1!Wn|)(B{FI%FM#Vv{1@G0wK?VBDaWziHXtApmCcaw*e;`b0`a&FjHu-p@0D& zh{M6d?wg-il9-nW6Jh6Jcgn9y%}vZR6gLnBso~<`E6>kK3l8>)4+?e+2o5$BGY|nu zaP#mw=VYelmFPmnB@Dzs;>lpiAWg-^IeN+YxrXuvvTz4-GKvXg=B4F3AS(db z#l<;Et#k4xofJk!9(IsqaIlYooH(zMk%769sezG^xv6QCIIoeZfr*g;lsj}i*2K5~ z6jAV4Wo}~ZXE11D>|$zSY-HHYrtzfyq+{7WwPP!HaXd4fW4yp7di7N0>)DBy^}2iC z%G?ZJCzbi=Txy42D*x$^m8W&wrrFs?M?T%Yb)!v<+LJKFz*v^boAoh;Aur`-9{j#9 zhrjy0TdxD(;_P!XX6NwcURIeq??r~{9Jho?=1IkhopfGo*eWv z>+nipm-9@_j0}v6n;6p#ni!J}WZ9TQW%*ddSVVdl=lcn&XzaIp)$}Sv>m>izCr8~4 z8oz<$m023!88p6bz^Z0ps`giy2bKfmz`<~T*(UFSC%2RDOFQ5OGICpuBlE=LV!RlR+kFNJJKjKOWRcd^h zx#h^kh?eE8ykeIQyt^(?`HeFefd~y z|H>*|&v%l?jE=BuWUi_^y7$MnHTCDc&aHP@Cvy6D=D(W7&yzj3*gWetPMGxl{Js-Y zj(@Vg#GGBIefisimz#Dy(hiG@-gsSkQt*`tFH`2VUwiIVQoW+WO-4mB`hk(+r1P0u z4*4eOZ{7Kn=h~Te*F`>>3vvSz{HjkVnlBKN78b}`6LW@L@h$hG#@96`9^5%C-&1Fi zFDJ8l;^Yf&ww#NrdtHD2LC((xO%|UgPgiID-z>2!g!AnCz4_Zye literal 0 HcmV?d00001 diff --git a/certs/rsapss/client-3072-rsapss.pem b/certs/rsapss/client-3072-rsapss.pem new file mode 100644 index 000000000..c2bc6114c --- /dev/null +++ b/certs/rsapss/client-3072-rsapss.pem @@ -0,0 +1,128 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:fb:25:ba:76:1a:4b:f9:38:2a:2b:4d:50:17:1e:7b:32:31:e3:30 + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:bb:06:28:e4:7f:c9:41:76:be:26:c6:a9:ba:08: + e6:35:9c:33:a0:3c:5b:ab:95:23:d7:6b:61:d3:2e: + 8b:8d:ed:1c:d9:57:ae:1a:69:e2:ce:65:88:2e:65: + 0f:cb:f1:79:cb:2c:46:96:3e:3f:5b:59:e5:b7:b5: + b1:3c:7c:26:e4:56:21:51:5d:04:79:d9:7f:5c:71: + 54:e9:1e:99:c1:f7:be:6c:0f:7b:ef:46:8d:40:0e: + a3:6b:ce:98:9b:6c:0d:6d:d3:24:9d:9e:e8:68:25: + 9c:46:60:92:37:62:73:21:77:1a:bd:5c:f0:11:6d: + ee:b9:6f:b2:8e:36:54:3e:e1:72:6b:36:c9:88:48: + 86:18:6c:f8:d7:b1:e0:e4:d7:0c:2a:15:cc:92:33: + 84:bd:71:1a:07:70:aa:03:24:e1:ce:c2:28:b8:e3: + 83:ff:ba:19:50:b7:ae:22:fd:fb:eb:70:70:b0:2d: + 17:a0:3e:aa:85:50:43:62:24:5d:00:51:b8:11:fa: + d8:c6:06:40:07:bd:4a:b0:42:70:52:cf:17:95:b1: + 53:fc:68:8d:13:be:a0:0e:c4:4b:cb:17:72:cd:cd: + 0b:2e:ff:66:42:50:cc:76:7d:70:4e:7d:63:16:e5: + da:e1:fb:99:6c:1d:06:6c:ab:ee:d3:36:4e:c7:34: + 5f:f7:d0:1e:50:fd:fe:41:39:29:5c:e1:c7:bf:c4: + 50:36:75:8a:36:4d:09:6a:ca:2a:cc:1a:b7:0d:8b: + 16:6d:48:07:39:61:f5:c8:07:5a:9c:bf:d2:a5:f1: + 39:3b:7e:bf:62:31:93:ba:29:5a:c9:09:d7:00:30: + 3e:d8:18:8c:9e:a7:28:75:49:aa:89:34:de:5a:14: + 29:5d:fc:47:05:ab:6a:84:0f:57:2c:64:ab:3b:98: + b3:d6:48:ba:db:f1:03:d0:20:f7:9f:ef:7d:52:50: + 28:e3:48:ed:29:3e:fe:ff:86:a3:64:3d:7f:29:a2: + a3:93:52:e5:6a:c3:a9:13:44:cf + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + 8C:01:9F:4E:11:24:28:BF:3E:EA:82:EA:54:2A:C9:0F:F5:E4:C5:47 + X509v3 Authority Key Identifier: + keyid:8C:01:9F:4E:11:24:28:BF:3E:EA:82:EA:54:2A:C9:0F:F5:E4:C5:47 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_RSAPSS/OU=Client-RSAPSS/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL + serial:34:FB:25:BA:76:1A:4B:F9:38:2A:2B:4D:50:17:1E:7B:32:31:E3:30 + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:example.com, IP Address:127.0.0.1 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 6a:0b:ea:2c:f1:b8:04:d9:8f:a4:a4:be:11:1b:40:2f:dd:bc: + be:47:bb:1e:3d:ef:05:4f:a2:c4:78:59:79:ca:86:d9:d3:cf: + f6:61:9d:a7:5c:22:48:de:e0:53:27:8a:59:e2:d7:8d:03:e2: + 0a:64:55:22:81:e9:69:b4:c4:d1:58:84:a7:85:0d:16:d2:c0: + ee:d7:10:72:46:73:ea:98:61:85:77:a8:b6:40:d4:49:36:a1: + e0:6f:c8:6c:ec:13:6e:e5:4b:d8:d4:e7:be:03:56:03:d4:6c: + 67:9d:30:c4:c5:78:68:cc:60:e9:88:f7:5a:6f:31:ff:26:63: + a5:8d:d2:30:cf:a1:bc:fb:3f:d0:2f:a3:ba:d9:03:ec:fb:b8: + b7:02:46:98:cd:77:40:ba:67:46:55:e9:e3:16:bf:a9:7a:2d: + 49:ee:19:c6:32:c4:04:b1:03:7a:7e:c5:bd:f8:b6:ac:7f:cf: + 4a:ce:af:44:ae:14:cb:c7:69:fe:7c:a3:e7:63:49:b4:3c:e6: + 8b:33:60:92:f7:cf:be:c8:94:c7:f2:3b:d2:03:6b:71:2b:d3: + f6:e0:e9:b2:ba:e2:2b:56:5e:5b:b1:d7:23:92:53:d4:90:e9: + 64:9e:87:d6:e7:4a:74:7b:a8:78:46:1c:24:19:5b:e0:32:21: + 92:cf:69:b4:c2:4d:62:2f:b5:b9:e5:0c:d6:cc:87:45:a2:4c: + 29:a0:6d:50:60:4e:7b:c8:21:37:a0:12:1b:13:10:6e:ac:5c: + cc:07:21:ed:0b:e2:81:eb:7c:c8:e0:dc:cb:1f:8c:7e:38:6f: + 1e:1c:ab:91:93:d0:ec:b4:ce:5e:7e:eb:7f:cf:e0:6c:f9:80: + 29:04:4c:e4:e5:ab:69:ff:b3:18:ba:54:09:cd:ef:bd:6f:b7: + 64:1f:33:ef:08:84:93:3a:2b:81:ab:60:98:9c:08:ac:5c:55: + 06:44:bb:e5:4c:92:cb:a6:2f:8f:40:92:2d:80:43:a4:97:28: + 18:17:0e:8e:54:94 +-----BEGIN CERTIFICATE----- +MIIGxTCCBPygAwIBAgIUNPslunYaS/k4KitNUBceezIx4zAwPgYJKoZIhvcNAQEK +MDGgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQC +AgFOMIG2MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH +Qm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxFjAUBgNVBAsMDUNsaWVu +dC1SU0FQU1MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dvbGZTU0wwHhcN +MjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIyNzU1WjCBtjELMAkGA1UEBhMCVVMxEDAO +BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndvbGZT +U0xfUlNBUFNTMRYwFAYDVQQLDA1DbGllbnQtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoC +ggGBALsGKOR/yUF2vibGqboI5jWcM6A8W6uVI9drYdMui43tHNlXrhpp4s5liC5l +D8vxecssRpY+P1tZ5be1sTx8JuRWIVFdBHnZf1xxVOkemcH3vmwPe+9GjUAOo2vO +mJtsDW3TJJ2e6GglnEZgkjdicyF3Gr1c8BFt7rlvso42VD7hcms2yYhIhhhs+Nex +4OTXDCoVzJIzhL1xGgdwqgMk4c7CKLjjg/+6GVC3riL9++twcLAtF6A+qoVQQ2Ik +XQBRuBH62MYGQAe9SrBCcFLPF5WxU/xojRO+oA7ES8sXcs3NCy7/ZkJQzHZ9cE59 +Yxbl2uH7mWwdBmyr7tM2Tsc0X/fQHlD9/kE5KVzhx7/EUDZ1ijZNCWrKKswatw2L +Fm1IBzlh9cgHWpy/0qXxOTt+v2Ixk7opWskJ1wAwPtgYjJ6nKHVJqok03loUKV38 +RwWraoQPVyxkqzuYs9ZIutvxA9Ag95/vfVJQKONI7Sk+/v+Go2Q9fymio5NS5WrD +qRNEzwIDAQABo4IBZzCCAWMwHQYDVR0OBBYEFIwBn04RJCi/PuqC6lQqyQ/15MVH +MIH2BgNVHSMEge4wgeuAFIwBn04RJCi/PuqC6lQqyQ/15MVHoYG8pIG5MIG2MQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEX +MBUGA1UECgwOd29sZlNTTF9SU0FQU1MxFjAUBgNVBAsMDUNsaWVudC1SU0FQU1Mx +GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dvbGZTU0yCFDT7Jbp2Gkv5OCor +TVAXHnsyMeMwMAwGA1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22H +BH8AAAEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD4GCSqGSIb3DQEB +CjAxoA0wCwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIE +AgIBTgOCAYEAagvqLPG4BNmPpKS+ERtAL928vke7Hj3vBU+ixHhZecqG2dPP9mGd +p1wiSN7gUyeKWeLXjQPiCmRVIoHpabTE0ViEp4UNFtLA7tcQckZz6phhhXeotkDU +STah4G/IbOwTbuVL2NTnvgNWA9RsZ50wxMV4aMxg6Yj3Wm8x/yZjpY3SMM+hvPs/ +0C+jutkD7Pu4twJGmM13QLpnRlXp4xa/qXotSe4ZxjLEBLEDen7Fvfi2rH/PSs6v +RK4Uy8dp/nyj52NJtDzmizNgkvfPvsiUx/I70gNrcSvT9uDpsrriK1ZeW7HXI5JT +1JDpZJ6H1udKdHuoeEYcJBlb4DIhks9ptMJNYi+1ueUM1syHRaJMKaBtUGBOe8gh +N6ASGxMQbqxczAch7Qviget8yODcyx+MfjhvHhyrkZPQ7LTOXn7rf8/gbPmAKQRM +5OWraf+zGLpUCc3vvW+3ZB8z7wiEkzorgatgmJwIrFxVBkS75UySy6Yvj0CSLYBD +pJcoGBcOjlSU +-----END CERTIFICATE----- diff --git a/certs/rsapss/client-rsapss-key.der b/certs/rsapss/client-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..e6c2a33e311e8eba0acaf45bcd0325c797217139 GIT binary patch literal 342 zcmXqLVhl2{W#iOp^Jx3d%gD%OV6cGKfSZjoq0NIam6?T!aiNrf1VWwzMQ#x@6Qcri z6C*!^K@%evQxhX2!?E^#3GL3cN7g*~Wg{ee{QRq!Ba@3B@tV6E+df$OCR}W9gI3hf zh1=idy46_usXP`>in5r_%`CjMDo$`=z;EeXG2yV?&a?_%nr!&Cgwev*oYCxB z&;j+|!N1r24co)iFtPE>+dwz5YT3TeY#z-Tg5EopSHGClH~CAi?5{I58iBToGbY$K zXzjeC)c&D&=kncWmfTfco7$oAQO5rc%cm&*plzltK@!*Z-+O%L+XtJIx6f|$5cFPG zBNw@5YtK8qX8y05CYB|qXZ>1sIr(a4)tyhg&Th;C%Qwt9E4tY%&N+_NhdF7c=7n(9 f=OOnuJT0^||0tYRAoRI?24}zg!{F$Y5a0#;Mij(e|B}k&(;5U;(cIHydX{n+IbmGYb>rLMa0Ygggg|+#+Ts zMg^88mSqM_EQ^>J8JLe|!}jgK<^cUV3}@ds@)Z3&XNzW?6iJKsLooV9=uFmo z)kQPC4PKc1e7&#vbX`KTg+>hTPMa61A(!u&?~juc3cDETQgkHr(7fer%J;VxT=Sgo zDy+RDTBY%u;Hk<~L1x#9mnZGmF8wELwR7K5k@EMsUS_S1?I~~Pt^dA!>rbY}MusQJ zPt3YaALi;?JlgrGkkyfO`Rli{d#+qunaXfunFWsn`>~GZ`0DR-1fpX9et34Ocd6y= zn|mJ4TJ^Fz`5CX$+Zn8aia(Bo-rOsC`&?M~gz6`|9(M*fB;|<2eg5yjbMDh#nXoy9 zB~xE7XgF}>d`ZNLjR${vq}c8B+y3Qq&Xmr&7G;nd?zJB}S9D!s?(fI?OAE93P1H1Q z%cxEMyXD}T^J<%=t^PmDOWklvqsaBM-?rH9D(j-f?R(dkJiQRK`{2Fa%MNm_wv2+S zN&1)hWZUD1LY6Zd4x3MB-Qf9K^ zmwx3J#CiuXnuX>vH8zNNSZ&}9IX_2kVbMa4LpwI??7qW&@j~;{Qwu%kem?T9aH745 zM_5|^s|ym}!XMqZ!y}+$Z~E$u9*=nY&(#{~wX66tmBkGz;ysTSYi>Si^}cmWvqaJo zQOO$CMQdx^mc7!Ssj&R@@2r-00SxCVd+#^yUS4H>zTYT!xk2sRS&zNG{A6lu@SM^Y z->BP_;Iw_7^#rHm4F*@g_D08;-<T6GXO~|V`EF*i(Z(C_`r^3#{ z^us^OJ)RbSz9M+IU|IQf<;iO`Zbw~+dHSV%WhtN2ZZ8S{%@&U}@;<%)!q3bhF-O?< zp|!&u!|zWtSnA#@o|@Fhc;csyhA+=a%PX8rjSZ#Dx9+d3%9;{cpe^P6%`rPEf679g zl?SShxi1#!dFTD=^|^@;QbV`$8hv;3Q zP;o!9uJY~jX#bOL9Xjv1gKs7<@D`3bh~dLGQ1|Le!q6VoSd NW2{T}e=qD;1px9+SiArL literal 0 HcmV?d00001 diff --git a/certs/rsapss/client-rsapss-priv.pem b/certs/rsapss/client-rsapss-priv.pem new file mode 100644 index 000000000..a256a3360 --- /dev/null +++ b/certs/rsapss/client-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7AIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKYwggSiAgEAAoIBAQDGh75gh0N9xKzk ++jwSHcfP6lzEk3LiDTdHMz3gpexXFr2AKlr5obfubUZ8Ok4k4xdiWjiXCwMTpXpe +EaFQ+xttFhNWu3cKe5jMhRHSkzHtdAE4PTcBNtZSwCf7U/uu/Va8AoCRgcztUUYW +ex2O8wZIgygRS7ine+iSjpP0jR36zHwoUT0hmJA/gCq53CKH8I25p7vMpN0lrWWI +KPEcT9wE8loPUrY1hFIY17/e49z28DzJ282xSBFLrnweWay1jO4ugw/1KTQ5dMua ++qbTY9VpetzyDUNGAxCnsJzNFbM2XkNeBUwDYpkp0FcF51TfsOVxOTfxE2ZwEvOH +mAmPH+HnAgMBAAECggEAdyBq5wcjQ2tph3hz5TcDd8ocYkRL0kK14b5oqc1GNLfL +fAVuU45rjOD7Q33E+DNgC78xZ8jOztIjzCBuGOakfV+auReCBcNGW6qZmC6E7gQG +21U4FT1ve3YcR54MTuNrUSN7PFSTv+9dzA2SHf3LzmUM/Nvf8HfUhWSSeVLYI23T +mwhU6VdQCRTk1zFuRNFI1ouekPZ2pLql3a/fWe4v4sxq7yWimUsw6DT5676Dy35g +gzgoXA25POglVNPeN79eHhJW0VlEcsRVwp6nBiPftXDWSZ9FEyu4WySB9hHKeWUR +A0WR05K4txv8VqtDjsUUd+9tSjaFQYdk7Z6v96e1+QKBgQDkY+Q2izXhbS844rny +cQVBBafr7ZuM1NGpZQDYpjgMQAfGiINfe/ecEFpd/fDmyo2lOdvZvOGaqul7Y+YN +Iu2YBREh+MRV2b0V285WV5B75LrjiVBAYmwUXvP/QAzO8r0cVpxxdJXroIDAxM90 +WKixwflIZD65Trf082yUiX6EIwKBgQDeh8LOctcYnfvjL6Vxag80JijbHCaT/bTB +rM8msxs6/+ZuZbDKKHJF8062XYt6O3Kjh72vdOXQUrvB3o3TQB6FPQERqx/b6Axi +/mnktuPhEjmZgMM3lwWwSfsl/mLLs4fGPqepAP3nTKXC7wNbRUJDAI1Pdk7S+m9w +XUtQATZVbQKBgBRIOrANVM+cHqFyoQjCuLC5i9wL0dCD5cqhSZ3zxO5xkT80SFZm +b+rQGPZX4tjcDBAsPzXq7C4MF4f5qyhnfaoOaSMXMHhfScdzKbPJOu+FtIMYYqQV +GXwFoq18RqbqL5kgp+v7aoTuUADOeY3fgbunejfPjzJtpzB9nZrjSvT5AoGASZSO +X4EtimBCt547kELHgDDV9Y1bXDfZmuivHla+vEV9Riety0qQbnzDHB3WTrZ1c4kg +uXFnw/h3SOVz89QRw3Cmd9cjk60o21rQXOX0d6l1DkK7ShhPszjjKG7y7/QPAwgY +nBNN4TtA3DH35CgEfu8hypKOAcj5LChNDMk51AkCgYB1A9rfqXpqlFlwKxpD9kFr +Ym+UoSypwHrGR6MUjO5L6uvOkeBlVbUNMvDgenaPE0h+CFGi+7xqzUvLRZZ3aHVz +5CVbWm4VeCRHxK557adbT8lGiCzvC1PZYAANcmWLvRl53wKpUcYMpiIb3vCMjOCe +n/r41ciXkbYBfmdP7xNOeg== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/client-rsapss.der b/certs/rsapss/client-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..596f9bb4e6302fc85c22e06a5bbaaa7aeb14d0d5 GIT binary patch literal 1529 zcmXqLV*P5+#Ikk)GZP~dlZbi5|A>{Rrt-0*@R?hG@8k?LWL{%n%f_kI=F#?@mywan zz+eHd0XG|GLYoI;Dl-cc<3cF|34}ZcirgY*CPoE=#%+e&2Apinp)72|OrgPs0tS2_ z4hIjrZ+>1$VqPLlgq?@oDZeT;H!;sp+&~nhhKq-&e z7w06k&dHy2QWzO|*g=xP!9E6Z;=D#i2IfYl21Z8arlwKiyhf%5CPoHO?$GsE6JrpC zk;>e}$j@NV#K^_e#K_2StbJcXyL0W4HBWxo2+1Bl|0?FluB_IJ5%HCBEqkHwRsET(fa3oosT6I>YZTRK-vIBa)0SM`iDt%8>(8@?@Jw6Ha2 zG`kjbK>c^{?{$B}_AoU}Y&`Qe&`qpbw(m2WN3({Y_m1V&FDCU({?aS^>r9PCpsnJJ z3HA+IJMSp9f9T!0eD|3pcU9M>c4&N*@xR0JDT+U6n`ujs#P$969^d))!RF-cvl~4G zz1P*qMXuS}^G>gs|Es2nWy$GTzm{E2zM5He=M%598?(Uj4Rg+lZZ?Z^j$`#j-$3%pERF9B8ecbHRkN^h&yvQSLpFUiVJ}8_K>ikH zVKrc8Wc+U+1L6s?h#Cktai>-!<`(3ng0gEnOFaVvBP0w}SwOj+Lz|6}m6e^DkqyRT zqCD|3GOW9LfosT%BK~m>S$4_eNzkUKBdc#b)qY&` zRrcObjb+bkG`Sx?4EC8;~}S)s_7~mVSM^;?lHd~yQ*3q*KD@fa7E8Oe2I3P z=E`Eh$!=QvRRr~O|FdbxvmW^5^`TKy>B7xgF%O;m)^vsibw_Am4vj6^KU5^*edpQ<9%9UkUwz0z5EWBGo(7bT>;_u5QYqn}k Vet%008e-^mhON literal 0 HcmV?d00001 diff --git a/certs/rsapss/client-rsapss.pem b/certs/rsapss/client-rsapss.pem new file mode 100644 index 000000000..fb8c8203b --- /dev/null +++ b/certs/rsapss/client-rsapss.pem @@ -0,0 +1,112 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 37:58:ff:58:a9:ca:95:0e:04:64:0e:37:3b:f7:89:09:51:31:03:ac + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Client-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:c6:87:be:60:87:43:7d:c4:ac:e4:fa:3c:12:1d: + c7:cf:ea:5c:c4:93:72:e2:0d:37:47:33:3d:e0:a5: + ec:57:16:bd:80:2a:5a:f9:a1:b7:ee:6d:46:7c:3a: + 4e:24:e3:17:62:5a:38:97:0b:03:13:a5:7a:5e:11: + a1:50:fb:1b:6d:16:13:56:bb:77:0a:7b:98:cc:85: + 11:d2:93:31:ed:74:01:38:3d:37:01:36:d6:52:c0: + 27:fb:53:fb:ae:fd:56:bc:02:80:91:81:cc:ed:51: + 46:16:7b:1d:8e:f3:06:48:83:28:11:4b:b8:a7:7b: + e8:92:8e:93:f4:8d:1d:fa:cc:7c:28:51:3d:21:98: + 90:3f:80:2a:b9:dc:22:87:f0:8d:b9:a7:bb:cc:a4: + dd:25:ad:65:88:28:f1:1c:4f:dc:04:f2:5a:0f:52: + b6:35:84:52:18:d7:bf:de:e3:dc:f6:f0:3c:c9:db: + cd:b1:48:11:4b:ae:7c:1e:59:ac:b5:8c:ee:2e:83: + 0f:f5:29:34:39:74:cb:9a:fa:a6:d3:63:d5:69:7a: + dc:f2:0d:43:46:03:10:a7:b0:9c:cd:15:b3:36:5e: + 43:5e:05:4c:03:62:99:29:d0:57:05:e7:54:df:b0: + e5:71:39:37:f1:13:66:70:12:f3:87:98:09:8f:1f: + e1:e7 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 59:71:87:88:D0:3E:C7:EE:08:4D:80:F2:C9:FC:CF:3D:76:E6:A5:62 + X509v3 Authority Key Identifier: + keyid:59:71:87:88:D0:3E:C7:EE:08:4D:80:F2:C9:FC:CF:3D:76:E6:A5:62 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_RSAPSS/OU=Client-RSAPSS/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL + serial:37:58:FF:58:A9:CA:95:0E:04:64:0E:37:3B:F7:89:09:51:31:03:AC + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Alternative Name: + DNS:example.com, IP Address:127.0.0.1 + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + ae:d5:d0:0a:ba:a4:12:f1:95:99:15:c5:c6:a4:51:46:64:cb: + ed:15:94:0a:89:5e:d0:7f:e2:cb:64:a6:d2:48:e4:52:b2:5a: + c4:ab:d8:e5:2b:e3:72:f5:1d:de:f9:28:a6:e7:7c:29:0b:e3: + e6:0f:f8:2a:d2:e0:25:c6:c7:54:cb:a5:26:2d:20:c4:01:e5: + fe:9d:c6:4e:f8:ba:7a:84:e3:7c:b3:38:b0:d4:2e:47:57:a4: + 2b:5e:29:a9:73:11:93:46:2a:bf:24:11:2f:6d:ff:06:28:1f: + 05:c0:f2:4a:f0:81:29:22:d4:a4:0c:30:b4:cb:f6:51:72:76: + 4a:cf:67:b0:fb:91:1b:d1:92:fc:ad:2e:6f:f0:49:21:31:05: + 2d:ad:30:ba:fd:0b:6e:05:42:b9:a2:b8:34:3e:de:a7:a9:14: + f3:78:14:69:c6:67:ae:4d:b9:6e:72:4c:2e:95:19:03:22:8e: + 14:bc:51:2a:18:ed:cf:f6:0b:50:25:a5:e2:e0:2e:a6:93:76: + 68:8c:9e:1a:ee:bb:24:0a:93:4f:bf:73:2d:48:e8:43:bd:08: + a1:e2:6d:1d:00:a6:b1:78:43:36:57:8b:28:11:37:71:bb:a3: + f7:a6:93:29:85:28:93:ef:d8:a0:4f:2a:b7:15:09:a4:21:49: + b6:b8:c9:a0 +-----BEGIN CERTIFICATE----- +MIIF9TCCBK2gAwIBAgIUN1j/WKnKlQ4EZA43O/eJCVExA6wwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +ASAwgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UECwwNQ2xpZW50 +LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y +MjA3MjUwMjI3NTVaFw0yNTA0MjAwMjI3NTVaMIG2MQswCQYDVQQGEwJVUzEQMA4G +A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNT +TF9SU0FQU1MxFjAUBgNVBAsMDUNsaWVudC1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZI +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEK +AoIBAQDGh75gh0N9xKzk+jwSHcfP6lzEk3LiDTdHMz3gpexXFr2AKlr5obfubUZ8 +Ok4k4xdiWjiXCwMTpXpeEaFQ+xttFhNWu3cKe5jMhRHSkzHtdAE4PTcBNtZSwCf7 +U/uu/Va8AoCRgcztUUYWex2O8wZIgygRS7ine+iSjpP0jR36zHwoUT0hmJA/gCq5 +3CKH8I25p7vMpN0lrWWIKPEcT9wE8loPUrY1hFIY17/e49z28DzJ282xSBFLrnwe +Way1jO4ugw/1KTQ5dMua+qbTY9VpetzyDUNGAxCnsJzNFbM2XkNeBUwDYpkp0FcF +51TfsOVxOTfxE2ZwEvOHmAmPH+HnAgMBAAGjggFnMIIBYzAdBgNVHQ4EFgQUWXGH +iNA+x+4ITYDyyfzPPXbmpWIwgfYGA1UdIwSB7jCB64AUWXGHiNA+x+4ITYDyyfzP +PXbmpWKhgbykgbkwgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAw +DgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UE +CwwNQ2xpZW50LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJ +KoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29s +ZlNTTIIUN1j/WKnKlQ4EZA43O/eJCVExA6wwDAYDVR0TBAUwAwEB/zAcBgNVHREE +FTATggtleGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB +BQUHAwIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B +AQgwCwYJYIZIAWUDBAIBogMCASADggEBAK7V0Aq6pBLxlZkVxcakUUZky+0VlAqJ +XtB/4stkptJI5FKyWsSr2OUr43L1Hd75KKbnfCkL4+YP+CrS4CXGx1TLpSYtIMQB +5f6dxk74unqE43yzOLDULkdXpCteKalzEZNGKr8kES9t/wYoHwXA8krwgSki1KQM +MLTL9lFydkrPZ7D7kRvRkvytLm/wSSExBS2tMLr9C24FQrmiuDQ+3qepFPN4FGnG +Z65NuW5yTC6VGQMijhS8USoY7c/2C1AlpeLgLqaTdmiMnhruuyQKk0+/cy1I6EO9 +CKHibR0AprF4QzZXiygRN3G7o/emkymFKJPv2KBPKrcVCaQhSba4yaA= +-----END CERTIFICATE----- diff --git a/certs/rsapss/gen-rsapss-keys.sh b/certs/rsapss/gen-rsapss-keys.sh new file mode 100755 index 000000000..b8a3b6790 --- /dev/null +++ b/certs/rsapss/gen-rsapss-keys.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +for key in root ca server client +do + + openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 > ${key}-rsapss-priv.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -out ${key}-rsapss-priv.der + + openssl pkey -in ${key}-rsapss-priv.pem -outform PEM -pubout -out ${key}-rsapss-key.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -pubout -out ${key}-rsapss-key.der + +done + +for key in root-3072 ca-3072 server-3072 client-3072 +do + + openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:3072 > ${key}-rsapss-priv.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -out ${key}-rsapss-priv.der + + openssl pkey -in ${key}-rsapss-priv.pem -outform PEM -pubout -out ${key}-rsapss-key.pem + + openssl pkey -in ${key}-rsapss-priv.pem -outform DER -pubout -out ${key}-rsapss-key.der + +done + + diff --git a/certs/rsapss/include.am b/certs/rsapss/include.am new file mode 100644 index 000000000..fe931d8b5 --- /dev/null +++ b/certs/rsapss/include.am @@ -0,0 +1,59 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/rsapss/ca-rsapss.der \ + certs/rsapss/ca-rsapss.pem \ + certs/rsapss/ca-rsapss-key.der \ + certs/rsapss/ca-rsapss-key.pem \ + certs/rsapss/ca-rsapss-priv.der \ + certs/rsapss/ca-rsapss-priv.pem \ + certs/rsapss/client-rsapss.der \ + certs/rsapss/client-rsapss.pem \ + certs/rsapss/client-rsapss-key.der \ + certs/rsapss/client-rsapss-key.pem \ + certs/rsapss/client-rsapss-priv.der \ + certs/rsapss/client-rsapss-priv.pem \ + certs/rsapss/root-rsapss.der \ + certs/rsapss/root-rsapss.pem \ + certs/rsapss/root-rsapss-key.der \ + certs/rsapss/root-rsapss-key.pem \ + certs/rsapss/root-rsapss-priv.der \ + certs/rsapss/root-rsapss-priv.pem \ + certs/rsapss/server-rsapss.der \ + certs/rsapss/server-rsapss.pem \ + certs/rsapss/server-rsapss-cert.pem \ + certs/rsapss/server-rsapss-key.der \ + certs/rsapss/server-rsapss-key.pem \ + certs/rsapss/server-rsapss-priv.der \ + certs/rsapss/server-rsapss-priv.pem \ + certs/rsapss/ca-3072-rsapss.der \ + certs/rsapss/ca-3072-rsapss.pem \ + certs/rsapss/ca-3072-rsapss-key.der \ + certs/rsapss/ca-3072-rsapss-key.pem \ + certs/rsapss/ca-3072-rsapss-priv.der \ + certs/rsapss/ca-3072-rsapss-priv.pem \ + certs/rsapss/client-3072-rsapss.der \ + certs/rsapss/client-3072-rsapss.pem \ + certs/rsapss/client-3072-rsapss-key.der \ + certs/rsapss/client-3072-rsapss-key.pem \ + certs/rsapss/client-3072-rsapss-priv.der \ + certs/rsapss/client-3072-rsapss-priv.pem \ + certs/rsapss/root-3072-rsapss.der \ + certs/rsapss/root-3072-rsapss.pem \ + certs/rsapss/root-3072-rsapss-key.der \ + certs/rsapss/root-3072-rsapss-key.pem \ + certs/rsapss/root-3072-rsapss-priv.der \ + certs/rsapss/root-3072-rsapss-priv.pem \ + certs/rsapss/server-3072-rsapss.der \ + certs/rsapss/server-3072-rsapss.pem \ + certs/rsapss/server-3072-rsapss-cert.pem \ + certs/rsapss/server-3072-rsapss-key.der \ + certs/rsapss/server-3072-rsapss-key.pem \ + certs/rsapss/server-3072-rsapss-priv.der \ + certs/rsapss/server-3072-rsapss-priv.pem + +EXTRA_DIST += \ + certs/rsapss/renew-rsapss-certs.sh \ + certs/rsapss/gen-rsapss-keys.sh diff --git a/certs/rsapss/renew-rsapss-certs.sh b/certs/rsapss/renew-rsapss-certs.sh new file mode 100755 index 000000000..9d36de587 --- /dev/null +++ b/certs/rsapss/renew-rsapss-certs.sh @@ -0,0 +1,191 @@ +#!/bin/bash + +check_result(){ + if [ $1 -ne 0 ]; then + echo "Failed at \"$2\", Abort" + exit 1 + else + echo "Step Succeeded!" + fi +} + +############################################################ +####### update the self-signed root-rsapss.pem ############# +############################################################ +echo "Updating root-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSA-PSS\\nRoot-RSA-PSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \ +openssl req -new -key root-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in root-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-rsapss-priv.pem -out root-rsapss.pem +check_result $? "Generate certificate" +rm root-rsapss.csr + +openssl x509 -in root-rsapss.pem -outform DER > root-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in root-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem root-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +####### update ca-rsapss.pem signed by root ################ +############################################################ +echo "Updating ca-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nCA-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in ca-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-rsapss.pem -CAkey root-rsapss-priv.pem -set_serial 01 -out ca-rsapss.pem +check_result $? "Generate certificate" +rm ca-rsapss.csr + +openssl x509 -in ca-rsapss.pem -outform DER > ca-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in ca-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem ca-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +####### update server-rsapss.pem signed by ca ############## +############################################################ +echo "Updating server-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in server-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-rsapss.pem -CAkey ca-rsapss-priv.pem -set_serial 01 -out server-rsapss-cert.pem +check_result $? "Generate certificate" +rm server-rsapss.csr + +openssl x509 -in server-rsapss-cert.pem -outform DER > server-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in server-rsapss-cert.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem server-rsapss-cert.pem +cat server-rsapss-cert.pem ca-rsapss.pem > server-rsapss.pem +check_result $? "Add CA into server cert" +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +####### update the self-signed client-rsapss.pem ########### +############################################################ +echo "Updating client-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nClient-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in client-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-rsapss-priv.pem -out client-rsapss.pem +check_result $? "Generate certificate" +rm client-rsapss.csr + +openssl x509 -in client-rsapss.pem -outform DER > client-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in client-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem client-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + + +################################################################################ +# 3072-bit keys. RSA-PSS with SHA-384 +################################################################################ + +############################################################ +###### update the self-signed root-3072-rsapss.pem ######### +############################################################ +echo "Updating root-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSA-PSS\\nRoot-RSA-PSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \ +openssl req -new -key root-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in root-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-3072-rsapss-priv.pem -sha384 -out root-3072-rsapss.pem +check_result $? "Generate certificate" +rm root-3072-rsapss.csr + +openssl x509 -in root-3072-rsapss.pem -outform DER > root-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in root-3072-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem root-3072-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update ca-3072-rsapss.pem signed by root ############ +############################################################ +echo "Updating ca-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nCA-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in ca-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-3072-rsapss.pem -CAkey root-3072-rsapss-priv.pem -sha384 -set_serial 01 -out ca-3072-rsapss.pem +check_result $? "Generate certificate" +rm ca-3072-rsapss.csr + +openssl x509 -in ca-3072-rsapss.pem -outform DER > ca-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in ca-3072-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem ca-3072-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update server-3072-rsapss.pem signed by ca ########## +############################################################ +echo "Updating server-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in server-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-3072-rsapss.pem -CAkey ca-3072-rsapss-priv.pem -sha384 -set_serial 01 -out server-3072-rsapss-cert.pem +check_result $? "Generate certificate" +rm server-3072-rsapss.csr + +openssl x509 -in server-3072-rsapss-cert.pem -outform DER > server-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in server-3072-rsapss-cert.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem server-3072-rsapss-cert.pem +cat server-3072-rsapss-cert.pem ca-3072-rsapss.pem > server-3072-rsapss.pem +check_result $? "Add CA into server cert" +echo "End of section" +echo "---------------------------------------------------------------------" + +############################################################ +###### update the self-signed client-3072-rsapss.pem ####### +############################################################ +echo "Updating client-3072-rsapss.pem" +echo "" +#pipe the following arguments to openssl req... +echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nClient-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-3072-rsapss.csr +check_result $? "Generate request" + +openssl x509 -req -in client-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-3072-rsapss-priv.pem -sha384 -out client-3072-rsapss.pem +check_result $? "Generate certificate" +rm client-3072-rsapss.csr + +openssl x509 -in client-3072-rsapss.pem -outform DER > client-3072-rsapss.der +check_result $? "Convert to DER" +openssl x509 -in client-3072-rsapss.pem -text > tmp.pem +check_result $? "Add text" +mv tmp.pem client-3072-rsapss.pem +echo "End of section" +echo "---------------------------------------------------------------------" + + diff --git a/certs/rsapss/root-3072-rsapss-key.der b/certs/rsapss/root-3072-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..fffbf8e52855413da0f5d6616a8a8d36f471c498 GIT binary patch literal 420 zcmXqLVq9Rr&Bm$K=F#?@mywZ+xrwo#!Jvt;i>ZmRkzwuGxBgSqe}!vI*z?qM+cYx? zRo932R<+OQNYtLL^~CQRo0*Ko*4TA3BWD&c3jJjAtX_9;RfVJ4>~Dsg>$$RDf9kQ+ z|M~BM#WH<{cMf?|diL2Lw9B?yH}ToE922RKj%^k@ew>Wh(l?W5wRzsc0M(CA9+g$h znJQFgT3?bXTe-c_rDAdL=Pxqi4Wio*eqXqmJ2UFJP`0N$S4&5MWU<&jnX_9SJm1ff zxa*e7>mbJ}w;g><%?C?a6E5WNmDUE$`)MJ5Z^fCIyU&=qzZy8pM9t_weDG%cv;4e| zCD-nC$9JDI?fMeY#g~0+`q{3mjrGlbHS4xj^aZ}~G`X1Z_`?3^&EioHu1`@AQmdXT z`AbeLHT7Z0?w|hil5gD+xU*q4r^;3C>CLZoHp__ySWIS%>Jb!5Ry3S=xMqLITOIv9 z-;L27-zwa6|!+FWf#|t)0dZXqP$F%gK f?)e?b_s?xs%8|Mp+bKHhNcoJjQ|pyTims literal 0 HcmV?d00001 diff --git a/certs/rsapss/root-3072-rsapss-key.pem b/certs/rsapss/root-3072-rsapss-key.pem new file mode 100644 index 000000000..04e12e56b --- /dev/null +++ b/certs/rsapss/root-3072-rsapss-key.pem @@ -0,0 +1,11 @@ +-----BEGIN PUBLIC KEY----- +MIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoCggGBAK3N7U+UJ/pXKJC85TW2ljYY +JUXh3qqHmIhhK5cq5E72BjYcOLVdrplZmXABEvkCSXuuwap4QSab9jEJrwpr6/KM +OS/5/uA4pi8A7kBulIy+P8E+azqukebWbDQaVIi2OLj4yVi0jpkMqzduoVAl8eTi +dniclRJ+NX90ZR15t4FEeKNT8/QcF4AVt8H3obMLaVrnEmtJHwqEiHAZcxa+HM20 +4Oe/BGG62kTrUkF6RriOAoPBdQVg0GwOdX1Snvk4F96ozFzd5gKL9TBDHFqYj8PB +2V/mb27xdNbei1+LzjWK9FiKDmval82KarF/g058rrZ4jlHoSTTRaOPQv1uzF1rg +15QgEiZ7nRn6HhZlZeFUu/lPnmPa3BDcsJsJJNULl4PrLLMeFVA4kwZajBESYyEx +kcN8v1TtLC+892OkODZc87txPQ0V9lq8TO54UDFhQL9FKNK1L8EIr77WAwDPGWnj +oLCS7CZCXgKl0S3PuGPfzrMibBrTXYkVmsR3mM2VfwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/root-3072-rsapss-priv.der b/certs/rsapss/root-3072-rsapss-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..08b2be5d130a9d11505c16ea5a03329b112d93d0 GIT binary patch literal 1792 zcmXqLV*A6y$Y8+D#;Mij(e|B}k&%m~iS30!6WbFeMh2!P#zuyi%lrEE6@O|M0<^ z@z3(}K9*d&*B#$|&a~@GL>FK7t?6gGvNqN?`_-)5R?!#u!qenp#^Ve7qc@93J-9wa zK}fB7uH-K{vDDOuA-jM2&r7~_N8rwe*_Aa%`vQtRv+!&Q7goVrFDuWNKn;&@y>;+d3um^QC6)9>Z@u zVjefnge__3`?6x=34OI05fAD=Fa2@3D!5zumEa$SQ?=7JY|ZG&Fr6g2eoxnpDv?Zs zZ%qZ;wHQ7poPX{2Az+nFd^H<;Z_etie>QJ#6`p-@v)fXhwG9gtY@T#(UYgD*we(h2 zLBQ&}yO(`vcqO60?tA-k{*%P}XDu1^zfCi6jBU^ebBq7-Ozz6sclz-U=ebzS*ucN~ zly&MW#)GyqgKtJ04!j_=%qev8{A04|omD+ku2jtpy0b03``#q2rH`L}&N_HuLd%l* zEh!ncYG>AZ#Z{OW?$Maae))y&?5t}XhE{HU2hYyPU^8QOky8A0aoU50yayIHy;N`9 zQxmjz{`Gk08*A4!1Trzj>2zI?JbI)+>XGq@^T7vi_C!tjTJnD3^ZC;vz7~CbyTIr# zXXd0+uN$g`W@gVzTK=51wvX}YgxGC{v6)}y&Tr)sZPEVWcS(KX+;OyDAo9icQ_=T&5AG0m5ES~>y(?9o1&(z{pUJsLsq4B8iwg? z%PicZXAAtE7kd2%Q%I2P~-(nt?rtC=C$R+z!fUiNp~{!H~92?{coqz z_jW_KT+0825*ltBOO3jG*yaZoN^o2R`Jw#|pJ|Vt+v#hC$N$7`_{}0e;Y-91+a;MP z!CDtmB@Mr3$2GoW{ZVfGdZsknQkV{?QOmB(ywe2e%ZtP{&F0P1#E@C>$n^^?s#WO zcK%Xdzm1%4uPpeau{rai)W6?O4ku3k6gx5CJl`XBv0Bd!>n!z7Z@KTZ%(Eba9jw`Ipw)_4vKuks53F2vbouiBsi{5)thk;Y^NzwJa@j^LQpg;J8-@3&025s2Wj~Wc5=%dWe_^Cm!n~7(Y&lXN7(mn zI3D=Bi>dNukgxaYcC$hH zDa97i>k;?t=9)0_d^ou)T3RDH`NYcw40-iB;ffiv`{(3MzUQa@;ps-l?dshdEsKq( zur8gdKX>ci?!%AjcgSV`Jo;z;=XDFu)xgZdUtV6W2hvnroTHbVpKB;@APaXOC!?4^W?ovp1Cjy*IdNVi zBLj0IQv)L-b5qkOab6=+0}~?yD0k4izlm`HDA?g~#N5Q#&tTBR*u~Vu*vPQ<>|6gS z>c7G@ChU1?x^0@7gsSVqd#l=KbR=p|*Lvdjjm=EPVr%TWnUOOK7=?Z^c~-AGxT?ZY zZT2@q&h=c`uRrxz>i_)rz+#y`!#jt(DLwn_587p0t(*AlT8@cSNXIsd9Y0P+Z0VcH zv)VjwVSwt#Cy&Z1=1di;Gp#R4m95;~=u)vb`12PT@dnZD2fr`e%$*taTqxU9o~xy! zK(bhDpUl}U51#L5N!)eI<#mu_mD`R!rsjjCtO*x#_)2So=KZt~zqjH{%-v^9-Cqry zWuj*EA3k_9{#kzB$C7LJy5qagnRb1N=;F)1HT`T?*2el~znXR1D*6Inc$!?yczj`h z^k(s>2iK=42&q-imHZ_qmYVu7WcN@1dC9l#2;A8)n^WZ~_w?r1I-BK011u)9MfC^@ zB`X?EJY2Is`K@u^4CF!5$}AEFVhz|8@PiZxGcx{XVKrc8Wc&}# zMzZ`M0TyN^#x_bbDl;g#q{)1_v95Wh+11(MEh_f^_uP~6+4ZSA(A7NOsZm1ame0ZZ zr8#-7Oj>#mETi3L-+WPOW9V8DCAju`8m`NI8FrMb=M-Su3O1w*1Ib4W0YwK*);@qYUYk zZx@w6x-sg;W$cM>``vQYG@UEe&;RM~%hGGzva*~ny|5K7N%p1gf}!Yt!{ zBKrm2a>+j1Iq`X2tSNfx6;(n8BAVjU*5wBG%rJeqkZtRO6MCI_HT$=ouOSQoM5 Ig!1h|0ImoZ;Q#;t literal 0 HcmV?d00001 diff --git a/certs/rsapss/root-3072-rsapss.pem b/certs/rsapss/root-3072-rsapss.pem new file mode 100644 index 000000000..062c84beb --- /dev/null +++ b/certs/rsapss/root-3072-rsapss.pem @@ -0,0 +1,117 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:c6:f6:76:c9:a4:72:95:4c:7e:9a:0c:80:5c:6d:8f:64:f2:19:a5 + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:ad:cd:ed:4f:94:27:fa:57:28:90:bc:e5:35:b6: + 96:36:18:25:45:e1:de:aa:87:98:88:61:2b:97:2a: + e4:4e:f6:06:36:1c:38:b5:5d:ae:99:59:99:70:01: + 12:f9:02:49:7b:ae:c1:aa:78:41:26:9b:f6:31:09: + af:0a:6b:eb:f2:8c:39:2f:f9:fe:e0:38:a6:2f:00: + ee:40:6e:94:8c:be:3f:c1:3e:6b:3a:ae:91:e6:d6: + 6c:34:1a:54:88:b6:38:b8:f8:c9:58:b4:8e:99:0c: + ab:37:6e:a1:50:25:f1:e4:e2:76:78:9c:95:12:7e: + 35:7f:74:65:1d:79:b7:81:44:78:a3:53:f3:f4:1c: + 17:80:15:b7:c1:f7:a1:b3:0b:69:5a:e7:12:6b:49: + 1f:0a:84:88:70:19:73:16:be:1c:cd:b4:e0:e7:bf: + 04:61:ba:da:44:eb:52:41:7a:46:b8:8e:02:83:c1: + 75:05:60:d0:6c:0e:75:7d:52:9e:f9:38:17:de:a8: + cc:5c:dd:e6:02:8b:f5:30:43:1c:5a:98:8f:c3:c1: + d9:5f:e6:6f:6e:f1:74:d6:de:8b:5f:8b:ce:35:8a: + f4:58:8a:0e:6b:da:97:cd:8a:6a:b1:7f:83:4e:7c: + ae:b6:78:8e:51:e8:49:34:d1:68:e3:d0:bf:5b:b3: + 17:5a:e0:d7:94:20:12:26:7b:9d:19:fa:1e:16:65: + 65:e1:54:bb:f9:4f:9e:63:da:dc:10:dc:b0:9b:09: + 24:d5:0b:97:83:eb:2c:b3:1e:15:50:38:93:06:5a: + 8c:11:12:63:21:31:91:c3:7c:bf:54:ed:2c:2f:bc: + f7:63:a4:38:36:5c:f3:bb:71:3d:0d:15:f6:5a:bc: + 4c:ee:78:50:31:61:40:bf:45:28:d2:b5:2f:c1:08: + af:be:d6:03:00:cf:19:69:e3:a0:b0:92:ec:26:42: + 5e:02:a5:d1:2d:cf:b8:63:df:ce:b3:22:6c:1a:d3: + 5d:89:15:9a:c4:77:98:cd:95:7f + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + X509v3 Authority Key Identifier: + keyid:AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 66:1c:f4:d8:ae:83:99:36:d5:9b:57:84:24:3f:ff:bc:de:1a: + 4c:ba:f2:8b:51:45:37:6f:42:81:18:1c:da:4c:c1:7f:a5:6c: + 6e:45:02:2a:2e:e0:39:5b:47:9b:d9:e8:75:32:44:02:4b:ac: + 65:74:25:e8:b5:9c:f2:33:90:73:e9:59:4f:20:82:dd:20:1e: + 0f:30:bb:77:b2:4c:c1:67:d1:2d:3e:4f:96:e9:31:3d:f3:0c: + 3a:9b:ee:b1:40:34:e3:a1:af:01:ea:91:d8:ba:58:71:32:23: + 6f:a4:38:6a:f9:00:9a:a9:5a:06:b4:f8:6e:25:55:9d:e2:c0: + 54:e8:88:32:68:1b:64:f6:d1:23:f1:46:01:2d:5e:68:bc:5f: + 86:fb:84:d5:35:67:0a:65:4e:4f:e5:fb:d3:1b:ad:46:6a:6a: + 43:d2:e8:3d:13:74:64:f7:54:37:41:14:2d:a3:f0:c6:57:ac: + 25:f4:cd:00:ee:54:77:13:ce:59:13:55:1e:82:f2:68:ac:b7: + c4:90:ab:82:85:86:32:0c:03:9c:ed:ab:cd:81:ae:3e:d2:f9: + 6c:41:cd:03:56:68:bd:48:e2:d0:c8:8b:b3:e5:f0:aa:28:f8: + 36:2e:14:fb:5e:57:6a:26:60:a8:20:ca:f4:05:8e:41:cf:92: + 43:5f:57:2f:c8:ea:de:cb:b0:00:dc:41:53:e1:10:27:b2:7f: + f8:f4:a5:7b:3f:df:f4:cf:53:e6:11:b4:ea:36:53:68:b6:0b: + 96:5c:7d:d0:a1:77:1c:99:fa:68:c2:19:aa:89:40:cc:42:24: + 33:e3:02:28:d0:04:b9:2f:6f:01:6b:55:95:6d:eb:93:3a:e4: + ed:e5:c8:36:68:df:61:07:d0:0d:77:19:8e:3d:9c:5f:6e:8a: + 05:64:2e:27:78:7a:12:30:14:29:17:96:ae:6d:53:8c:98:35: + e9:a1:06:b5:e0:c8:2e:89:6e:7c:bf:b5:c8:3a:8f:07:d1:7e: + 58:b8:c8:23:db:71 +-----BEGIN CERTIFICATE----- +MIIFjTCCA8SgAwIBAgIUNMb2dsmkcpVMfpoMgFxtj2TyGaUwPgYJKoZIhvcNAQEK +MDGgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQC +AgFOMIGdMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH +Qm96ZW1hbjEYMBYGA1UECgwPd29sZlNTTF9SU0EtUFNTMRUwEwYDVQQLDAxSb290 +LVJTQS1QU1MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0yMjA3MjUwMjI3NTVaFw0yNTA0MjAwMjI3 +NTVaMIGdMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwH +Qm96ZW1hbjEYMBYGA1UECgwPd29sZlNTTF9SU0EtUFNTMRUwEwYDVQQLDAxSb290 +LVJTQS1QU1MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJ +ARYQaW5mb0B3b2xmc3NsLmNvbTCCAaAwCwYJKoZIhvcNAQEKA4IBjwAwggGKAoIB +gQCtze1PlCf6VyiQvOU1tpY2GCVF4d6qh5iIYSuXKuRO9gY2HDi1Xa6ZWZlwARL5 +Akl7rsGqeEEmm/YxCa8Ka+vyjDkv+f7gOKYvAO5AbpSMvj/BPms6rpHm1mw0GlSI +tji4+MlYtI6ZDKs3bqFQJfHk4nZ4nJUSfjV/dGUdebeBRHijU/P0HBeAFbfB96Gz +C2la5xJrSR8KhIhwGXMWvhzNtODnvwRhutpE61JBeka4jgKDwXUFYNBsDnV9Up75 +OBfeqMxc3eYCi/UwQxxamI/Dwdlf5m9u8XTW3otfi841ivRYig5r2pfNimqxf4NO +fK62eI5R6Ek00Wjj0L9bsxda4NeUIBIme50Z+h4WZWXhVLv5T55j2twQ3LCbCSTV +C5eD6yyzHhVQOJMGWowREmMhMZHDfL9U7SwvvPdjpDg2XPO7cT0NFfZavEzueFAx +YUC/RSjStS/BCK++1gMAzxlp46CwkuwmQl4CpdEtz7hj386zImwa012JFZrEd5jN +lX8CAwEAAaNjMGEwHQYDVR0OBBYEFKpx07GKS7tHFUdfm9AradFvhV72MB8GA1Ud +IwQYMBaAFKpx07GKS7tHFUdfm9AradFvhV72MA8GA1UdEwEB/wQFMAMBAf8wDgYD +VR0PAQH/BAQDAgGGMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZIAWUDBAICoRowGAYJ +KoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIEAgIBTgOCAYEAZhz02K6DmTbVm1eEJD// +vN4aTLryi1FFN29CgRgc2kzBf6VsbkUCKi7gOVtHm9nodTJEAkusZXQl6LWc8jOQ +c+lZTyCC3SAeDzC7d7JMwWfRLT5PlukxPfMMOpvusUA046GvAeqR2LpYcTIjb6Q4 +avkAmqlaBrT4biVVneLAVOiIMmgbZPbRI/FGAS1eaLxfhvuE1TVnCmVOT+X70xut +RmpqQ9LoPRN0ZPdUN0EULaPwxlesJfTNAO5UdxPOWRNVHoLyaKy3xJCrgoWGMgwD +nO2rzYGuPtL5bEHNA1ZovUji0MiLs+Xwqij4Ni4U+15XaiZgqCDK9AWOQc+SQ19X +L8jq3suwANxBU+EQJ7J/+PSlez/f9M9T5hG06jZTaLYLllx90KF3HJn6aMIZqolA +zEIkM+MCKNAEuS9vAWtVlW3rkzrk7eXINmjfYQfQDXcZjj2cX26KBWQuJ3h6EjAU +KReWrm1TjJg16aEGteDILolufL+1yDqPB9F+WLjII9tx +-----END CERTIFICATE----- diff --git a/certs/rsapss/root-rsapss-key.der b/certs/rsapss/root-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..d43f95aa22ca087f642825c75e852c40e88d267f GIT binary patch literal 342 zcmXqLVhl2{W#iOp^Jx3d%gD%OV6cGKfSZjoq0NIam6?T!aiNrf1VWwzMQ#x@6Qcri z6C*!^K@%evQxhX2!%Qy5Z5JJ?dDe;7J&fu7oqeXCEwJ?2hw10^%YGT|eP6jr@5xp{ z`O}(f#orlevdo$#>g@A8eFtB~`PcU>vYjkbCrCbsp3?W?k%afrOL^BSK6D^YM5t-j;I)4Db8x6sLX2X=qtlE@ML`P{`zl(X3L2G6wbcP=m`otoJAWs}V= i)s-_^E|h9*tnZ)urLMa0Ygggg|+#+Ts zMg^88mK6p~EK8Ue8JLbr)P|dSWyzXI4@9*q0{cM4y&pu2)r(gEVaPRxd zO?pqZ3d*0>Tr2+0NRwsOEKz5l=jl86D$c*YXOZn>nL0u8LG+Zq7mp;ok6y~VR`H?p z@XZZ(#OgANwsJ|I+oaO7;P{_oH;UG5uQ<$Fb-iL$&FVEh>$$GK_TH-FaCcvnmv8Q5 zrp!kiPp7YR$djy?f7xNP$Hk9cpJkYC`ZDFLHSgn3 zOurje-3@)HD`3x&v~Tqt51!VoaleI5&O5OCBbP*u=+EaaUZR}Eo;P@=eZO;oDe2V2 z#xI*}cB!tM(Q=_wYh!)?+#jc=J!qQpxNGyb_g|Tq85tOvniv`4u5)d9_Gijbj%QIz zndU57@V51@TvEl%qmr+mc&=G`E@0ZkC;v45Ok{a-O?IP?nu?>z3Avz&`#d^VDeV5C zcfq!IrR@PGM*;URHy69F&!2@}=+zKHs%sWsS|#fQIin7QZ8kxSCmQXHHwRD&)gy2l;jJ z=N`EKIV;O#bNIlNz)k+kmb`KKTkW+Zn%%YFY3$$K5B;8OVLxsxvPpe!)yP^c$U zVcvCA{01RwrASAN z0{**i?rXn(!M|tJw83z9`acJ`VNQF#++=2*PBXbMi-{#y6dR)^e4YOADRYe2)%=D3!e@S6 z{p(!Uxebd$6n?rsdvfy0m1knlZU6pT(wJx9n7{C^&gHV3_bh)USqAYQz3C;#`KoZz z^hmX3;*wXY*KB*mA<@U)yx^LWSoG)RuDesc@88l{oE(4i|Dt}EIQKPvpC=1n2f1Ow zk19^HrX&9fCbB=&{4JOyTaV4iWoJhI@JJ-Ja%! zh*{6u5&G!a%YdUzMpyWsPiI#DGXK}*JSEPHs!WXy;-_pEO|Sj3@@IhD8ClySe-z%W&`e%1wGtwhGFh)?6$8&PbDG)+|wHpXcd2_$to7 zzGso`WSKfa@gP{Y_B-X zT6Mi*Rn6)(J?puyzxLj$<8XIhl$USrWTwnV98agObjXvi$bH|Z{y5_I=h+`6e@>X? z)~7x#|J)y^rafqy^0;gB zxA$L}m>C%u7bhDe8pyIShsyG?h_Q&ITz%8j-f%DKt>=szJR!Ai^Oo9NGmr;KE3-%# zh&5nWzzhtR^c}&s8CEymK5?&{PkOmQ$&P++)>xsKuT>6j zcUeWS&a5t4{_zNx*O6Z?@1yJb3#RU|+r9d!*X^ncE1PtAPAo{_nsu{B`Q}oqR}Jgj z4;WS{+IYv#Q+jA}VmHs#^3?1DW##FPVampjmc5Mcox8qx(gQzT`(swCXQm&GvRf3e z`;=OI?!KRe^2vEO98XQ#V=I%+u(0CFzh%xT=M_#>zx$P1Wchzq_sltSbp2#E++pwf xB-B`O^GfKdqZfY{n-wzpU3>ZJ0b|V6cdNwCN?m3!%=f6>9#j+T@b_rMLI6Biu=@Z2 literal 0 HcmV?d00001 diff --git a/certs/rsapss/root-rsapss.pem b/certs/rsapss/root-rsapss.pem new file mode 100644 index 000000000..6abe00bae --- /dev/null +++ b/certs/rsapss/root-rsapss.pem @@ -0,0 +1,102 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 34:43:a2:a0:b6:01:0c:e3:6d:0d:e8:2d:8c:75:f8:1c:71:74:0d:72 + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:99:0a:01:b6:d1:40:7b:0c:ae:17:7e:e1:5c:8d: + fb:6b:cc:8f:06:51:75:e6:f0:97:ce:2f:76:fa:31: + bd:ef:79:b2:2e:e4:b5:11:1f:cb:29:ad:17:ee:32: + 29:04:9a:9a:15:43:4c:e7:67:b8:0e:78:cf:eb:de: + 38:6b:42:39:65:90:19:e0:5b:94:8e:e8:e2:18:4b: + c5:d2:6e:d6:78:f0:89:c3:d9:b0:dc:16:7e:68:72: + b5:0a:1b:ce:b2:24:8c:a0:c7:fc:c6:d8:72:ac:b7: + 78:c3:05:7a:d7:78:aa:7c:ab:ac:8c:af:0a:d7:eb: + 4b:b5:2c:40:dd:be:5a:4a:4d:6d:93:02:69:e2:08: + e5:97:a9:40:6e:18:38:6d:ef:8e:27:e3:58:fb:f3: + 9b:f1:19:f9:90:9a:46:8e:27:96:68:ff:76:c3:36: + e3:73:e2:eb:cd:00:97:35:e9:64:cd:3b:0d:e3:f2: + 02:fb:80:aa:dd:55:e1:2d:10:3f:08:62:be:ab:dc: + 48:0c:85:b5:5e:fb:12:c9:9e:c0:bb:f1:0a:18:6c: + 15:f9:e7:44:4a:15:09:73:49:d8:0c:96:f7:dc:d0: + 02:62:ca:91:81:f4:b2:3c:ba:25:a9:98:84:d0:75: + 2a:b1:7f:8f:9d:f8:ca:96:e0:82:94:e3:8a:b3:f6: + ef:f5 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + X509v3 Authority Key Identifier: + keyid:64:D5:EC:82:87:80:DE:5A:ED:49:98:D8:0C:54:7D:46:9E:A5:3C:D6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + 8c:4f:b2:a8:12:6c:80:56:78:44:ac:27:38:26:96:a3:e0:58: + 34:81:48:5f:cd:34:28:bd:b7:f6:6e:95:b4:8d:9a:5a:5a:9e: + a5:40:e4:67:b8:53:db:00:ab:81:db:c8:de:77:0e:1b:a7:30: + 74:b8:8f:4b:05:5d:12:5c:f5:7a:40:ed:ba:3a:58:05:99:7b: + 72:a7:f1:c4:0a:4a:c4:fa:44:ef:5b:7e:8f:70:95:bc:3e:bb: + ab:e5:4a:db:7a:d0:a9:82:2d:0c:c8:a0:64:0a:9a:d9:8c:23: + d9:a5:3a:ea:80:ae:47:c0:31:7a:21:3c:4b:5d:9e:22:e1:34: + c8:bb:0c:d5:77:65:6b:c0:76:77:67:41:56:23:33:e2:a6:e9: + 5f:8d:9d:af:73:92:e0:4e:2d:3f:c6:3a:ab:99:67:c5:5a:3e: + a2:50:bb:ca:26:5f:6d:be:f9:71:1f:63:6e:d8:41:ca:96:bc: + 3d:1c:67:00:a1:78:d4:fe:a6:43:64:cf:20:ca:7b:ee:fa:65: + 72:39:ff:9a:8b:99:9c:9c:2d:4e:1d:b0:dc:07:8a:f2:12:81: + 78:d9:d4:55:aa:c5:d1:fb:73:36:71:01:4e:d6:e9:ea:e0:01: + 5c:95:ee:aa:16:cd:1a:d3:00:31:6f:48:7d:b7:52:7c:53:40: + fd:c5:58:a1 +-----BEGIN CERTIFICATE----- +MIIEvTCCA3WgAwIBAgIUNEOioLYBDONtDegtjHX4HHF0DXIwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +ASAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3Qt +UlNBLVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tMB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAyMjc1 +NVowgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMRgwFgYDVQQKDA93b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3Qt +UlNBLVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tMIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFl +AwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKC +AQEAmQoBttFAewyuF37hXI37a8yPBlF15vCXzi92+jG973myLuS1ER/LKa0X7jIp +BJqaFUNM52e4DnjP6944a0I5ZZAZ4FuUjujiGEvF0m7WePCJw9mw3BZ+aHK1ChvO +siSMoMf8xthyrLd4wwV613iqfKusjK8K1+tLtSxA3b5aSk1tkwJp4gjll6lAbhg4 +be+OJ+NY+/Ob8Rn5kJpGjieWaP92wzbjc+LrzQCXNelkzTsN4/IC+4Cq3VXhLRA/ +CGK+q9xIDIW1XvsSyZ7Au/EKGGwV+edEShUJc0nYDJb33NACYsqRgfSyPLolqZiE +0HUqsX+PnfjKluCClOOKs/bv9QIDAQABo2MwYTAdBgNVHQ4EFgQUZNXsgoeA3lrt +SZjYDFR9Rp6lPNYwHwYDVR0jBBgwFoAUZNXsgoeA3lrtSZjYDFR9Rp6lPNYwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwPQYJKoZIhvcNAQEKMDCgDTAL +BglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEB +AIxPsqgSbIBWeESsJzgmlqPgWDSBSF/NNCi9t/ZulbSNmlpanqVA5Ge4U9sAq4Hb +yN53DhunMHS4j0sFXRJc9XpA7bo6WAWZe3Kn8cQKSsT6RO9bfo9wlbw+u6vlStt6 +0KmCLQzIoGQKmtmMI9mlOuqArkfAMXohPEtdniLhNMi7DNV3ZWvAdndnQVYjM+Km +6V+Nna9zkuBOLT/GOquZZ8VaPqJQu8omX22++XEfY27YQcqWvD0cZwCheNT+pkNk +zyDKe+76ZXI5/5qLmZycLU4dsNwHivISgXjZ1FWqxdH7czZxAU7W6ergAVyV7qoW +zRrTADFvSH23UnxTQP3FWKE= +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-3072-rsapss-cert.pem b/certs/rsapss/server-3072-rsapss-cert.pem new file mode 100644 index 000000000..ff9871fcd --- /dev/null +++ b/certs/rsapss/server-3072-rsapss-cert.pem @@ -0,0 +1,122 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:be:84:78:d3:6b:7d:b2:ae:51:88:68:6a:33:f1: + f9:c5:1a:6f:97:71:94:22:f4:c2:f0:49:88:2b:a4: + 4d:15:6f:db:cc:d4:c6:6f:75:a6:e2:22:06:af:91: + 26:4e:a0:2d:97:17:95:0b:40:1a:75:23:9b:b1:e0: + d7:5d:cc:0d:5f:09:9e:c9:b7:3d:f8:e5:62:bb:34: + 75:99:0c:e6:da:7d:95:40:ee:5f:27:76:f9:ca:d6: + 0d:1e:a7:06:9f:c5:75:57:96:44:b9:73:f4:de:aa: + a9:af:be:4b:98:f3:6c:c8:da:d9:a2:26:35:21:40: + e7:67:4b:e2:d9:c4:4f:b8:96:54:17:59:d8:ca:af: + b1:56:47:be:15:5b:05:d3:29:cc:ec:2b:99:fa:13: + 1a:2a:d0:61:d1:41:c2:27:5d:d9:a7:f2:29:28:eb: + fb:e5:89:c5:01:83:88:1d:dc:70:1a:8f:2f:3b:e5: + 34:e8:5b:ef:ed:76:5f:8a:51:ea:2d:92:c2:e6:86: + 6d:6a:92:93:c3:6d:04:c5:95:68:07:fe:9a:32:d9: + 38:c8:06:eb:33:92:b9:0b:ce:2e:c3:6b:6a:a2:41: + 6a:ce:09:e7:4a:90:a8:2f:59:0e:76:dc:4f:b8:86: + d0:4b:95:e6:1b:e4:c6:59:26:ef:1c:00:4e:ce:fb: + cf:63:05:7e:a6:d4:09:39:fe:d3:79:49:f2:6a:6a: + 1a:17:cb:13:a5:3d:d9:fa:b0:a4:5f:18:e8:e5:5c: + 4b:38:d5:d8:b8:76:35:a0:0b:e1:98:b9:58:c3:88: + e5:f8:4a:e6:d0:84:a3:5e:4d:85:c9:d6:7f:9d:9f: + 35:28:66:56:04:25:cc:1b:4c:f7:e3:cb:39:be:e0: + 5f:a8:93:bd:a1:0b:cd:63:e0:16:07:af:40:0b:cb: + 6e:3f:81:0c:cd:80:bf:13:f1:92:57:a1:48:17:d2: + 29:b0:5a:a2:d5:42:84:c8:6c:09:31:c6:05:92:dd: + a3:f7:56:ed:e7:5f:29:88:eb:4b + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + C8:F1:E9:1E:60:01:C8:23:CC:D7:98:B3:BB:65:7A:32:C4:4B:93:39 + X509v3 Authority Key Identifier: + keyid:F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 68:61:62:4c:67:79:5d:4d:fd:95:14:51:37:f0:d5:d5:b6:f0: + c6:48:cb:23:3c:4c:b6:38:00:63:4d:0e:6a:f6:d0:ba:54:3d: + 40:a4:aa:5b:01:f6:57:c1:13:12:e1:5b:4e:59:21:f7:09:90: + 93:36:ab:44:54:59:f5:f0:da:3a:aa:41:f2:00:a4:fa:3d:8d: + 92:bf:74:84:a2:93:c8:70:d9:5a:2a:ab:47:a9:18:fb:f9:51: + 35:96:89:23:18:7b:a6:ae:1c:88:df:cd:68:ca:3c:8b:03:b2: + b0:c6:6f:9e:1f:fd:00:98:24:72:3b:6a:67:62:ef:28:4a:71: + 6e:b2:53:1c:0b:7c:48:ef:78:6c:73:5d:03:71:44:ac:5c:5e: + a2:75:fd:0b:e4:cc:8c:af:1e:42:9c:b7:d4:02:f4:8e:ad:56: + 77:fe:d0:1b:92:4d:35:ce:3e:bb:e0:43:98:e8:dc:71:e9:fb: + e1:26:17:5c:e1:f2:57:74:45:21:90:42:c1:b0:38:59:7f:0c: + 6a:6e:94:7b:30:a1:fd:10:e0:9b:53:0f:05:19:2d:f6:9a:a3: + 95:f4:52:54:c9:e2:fc:99:0e:64:56:29:31:d2:35:dd:01:b0: + 34:c8:d6:16:40:1a:58:58:62:c1:e4:d8:ee:8e:1d:b2:b7:c9: + 68:07:a5:91:a0:a8:18:c7:5f:80:c6:81:fb:7a:10:17:a8:a5: + 9e:67:d2:ac:31:69:94:ab:36:6f:f6:35:05:c3:80:f3:3e:5f: + 5c:29:d1:13:43:88:1e:79:ac:3d:d3:e0:3d:44:c4:da:c7:1e: + ab:f1:86:07:98:cf:b8:99:5d:6b:7c:3f:c2:c1:ff:1c:b1:8d: + 90:02:45:62:c4:7c:ca:6a:fb:4c:48:bc:73:ad:04:ad:62:87: + 1e:b3:c4:76:a6:a1:27:3d:f5:2a:ca:8e:c0:73:96:08:3c:db: + f7:36:a6:57:a4:98:47:58:cd:56:0e:cd:fc:63:84:b9:df:2f: + 47:bb:8b:0d:7c:54 +-----BEGIN CERTIFICATE----- +MIIFzzCCBAagAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAy +Mjc1NVowgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQH +DAdCb3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UECwwNU2Vy +dmVyLVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN +AQkBFhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDCC +AaAwCwYJKoZIhvcNAQEKA4IBjwAwggGKAoIBgQC+hHjTa32yrlGIaGoz8fnFGm+X +cZQi9MLwSYgrpE0Vb9vM1MZvdabiIgavkSZOoC2XF5ULQBp1I5ux4NddzA1fCZ7J +tz345WK7NHWZDObafZVA7l8ndvnK1g0epwafxXVXlkS5c/TeqqmvvkuY82zI2tmi +JjUhQOdnS+LZxE+4llQXWdjKr7FWR74VWwXTKczsK5n6Exoq0GHRQcInXdmn8iko +6/vlicUBg4gd3HAajy875TToW+/tdl+KUeotksLmhm1qkpPDbQTFlWgH/poy2TjI +BuszkrkLzi7Da2qiQWrOCedKkKgvWQ523E+4htBLleYb5MZZJu8cAE7O+89jBX6m +1Ak5/tN5SfJqahoXyxOlPdn6sKRfGOjlXEs41di4djWgC+GYuVjDiOX4SubQhKNe +TYXJ1n+dnzUoZlYEJcwbTPfjyzm+4F+ok72hC81j4BYHr0ALy24/gQzNgL8T8ZJX +oUgX0imwWqLVQoTIbAkxxgWS3aP3Vu3nXymI60sCAwEAAaOBiTCBhjAdBgNVHQ4E +FgQUyPHpHmAByCPM15izu2V6MsRLkzkwHwYDVR0jBBgwFoAU+ELMiMnIGPnTsCRl +Bkz/Vau/Dn8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAww +CgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMD4GCSqGSIb3DQEBCjAxoA0w +CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIEAgIBTgOC +AYEAaGFiTGd5XU39lRRRN/DV1bbwxkjLIzxMtjgAY00OavbQulQ9QKSqWwH2V8ET +EuFbTlkh9wmQkzarRFRZ9fDaOqpB8gCk+j2Nkr90hKKTyHDZWiqrR6kY+/lRNZaJ +Ixh7pq4ciN/NaMo8iwOysMZvnh/9AJgkcjtqZ2LvKEpxbrJTHAt8SO94bHNdA3FE +rFxeonX9C+TMjK8eQpy31AL0jq1Wd/7QG5JNNc4+u+BDmOjccen74SYXXOHyV3RF +IZBCwbA4WX8Mam6UezCh/RDgm1MPBRkt9pqjlfRSVMni/JkOZFYpMdI13QGwNMjW +FkAaWFhiweTY7o4dsrfJaAelkaCoGMdfgMaB+3oQF6ilnmfSrDFplKs2b/Y1BcOA +8z5fXCnRE0OIHnmsPdPgPUTE2sceq/GGB5jPuJlda3w/wsH/HLGNkAJFYsR8ymr7 +TEi8c60ErWKHHrPEdqahJz31KsqOwHOWCDzb9zamV6SYR1jNVg7N/GOEud8vR7uL +DXxU +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-3072-rsapss-key.der b/certs/rsapss/server-3072-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..81e64e6bcc200959b2f3a94d6d0077495074cc72 GIT binary patch literal 420 zcmXqLVq9Rr&Bm$K=F#?@mywZ+xrwo#!Jvt;i>ZmRkzrp;#pUeUP3rA_j;arxZQ#08A%`&=aaf0o& z@uZ#H=kyL|XDxEfI>-6kYr+csNWQW={yW+(cu##M{p47r+ItxWzjMFOC$rWqyTWPt z?{cN*r>ra~@zcUfZEybCuq0mM#nTvXi>o(wl$kEzemG-i#Nm#oKfIn@XjvTR+j{a^ z{oMJc8fjrHs%NBqzCS)~x$i;ziphHya-U6pAjZDlf%|lxeIw7=hW)}HCxtKc5Wl3k iA!^Z8r8c@^|GI*uJOt(XPbYtG<=%N&f+ikR;^sW&wIw_ zoD;WhE>bg9bat)R|Z?tFr5|+}ska*GYkb3OR z<)1V)UjKgDd6coaL-tOARKLFUQxmk!tT{82rxtKA+55 zx9ke1<-g07o}aR^q{L4PFSWh-Yr~Rwi5E{}ye+QY*imM>fcxQ$oe_sSp8oK9cA;f) zoNw#NYxQ&In`)$mv8bMr_WAz!wB^1B@hc|pUC4bl`GFYwdI#>)dG?JwXB+klf1DJ) z&_n!^=7y+6SDji;aUVAe!GcquOV`6)%fm+N3j^xi>RUdA$ z8NF!uYVc+55|izATW7H)9Di?nv(n@2itt?=@3z@JjlOwKv*h&lW!o<|m^NO27v8L6 ztMjs@R%a;h!LC0}WpZK=|p`;yzZt}@T(>DaP4 zp^CXjtFoje^=I)mf#Ug((tiB6v6LneXH$mcBc2pa{p33ZBrrYyj7?8xVF38 z`w~y7rmJ6Av}#TnxG`kfKe}~l)uIhS3Z{97;+D;e72lsbL#rVr^VO!T!ia}E9)vmO zhHGui_~R>?->~Sw-(9DTJ^tO74R~{;e#+gjbvD-9g@4_cuup#5^tDXB$&)wz*VFQx zZ0>JuuD?V7reJxYn^VV{a}oL7Yxv)7w%NJty7mk?aktdjn~VNWnY{a%<^=sq^E;9z z|E_E3oLcX+;qwPB&1uc^O;;ZgPK*1`$oI;UsqrAg$9pF>EcvZjZTbAzU#+7@c(oU< zV=%d7FB0=QW%858BXRk&1t(R`O5&S7A=Itj*X0VQry8Hk&u6Fhiu+`q{Cw`(vU}aT zF5h{+SJNV}rbL4KoWc^h6e-?AvqLPkO=lelSipaGR;K*?oT+6SLN%k;#ojl(H%VyL z$C&}^j!5qgnLe+2R^I83J8!k0-d%bt=9S8%w2zwJ&i;K>sXhg(jy|rKcFd8(cuPv- z%fvB?k8Qh zy`9(AI5u5+D!k-P%myD#QGqatK5Mi4b>;WhKm2e-=bh2U&+~(<43{|nvQmCqWc=v& z?=C5>P0w6Hh336lmHn;LLrR5v!S`8)O_?r1X75!$x^}I*^VE5*>>r=MrZf6Feu
  • d^7@TB_O z%tzL?9GQQ&_*zYJobY|?1O3e(%@cR7;oC0{~mt4^6=h=s=#&g=C6*NvOTtb<5{ti zkNbA<1~@ytH9t4MWbLwL*4b7Mby8cozln(KI?}7`bNGv@0DF(}V(p(Vo6>R|rwS)? zp3l|exb^4q|4Iw?xz}c%PrnzFJ309O0-NfjUhhV>`9}9dWqR+*oZHo_J~KSw@;Cq6 zeSeQ#iWB`TTV{ zkyEiJzwm@k=Kj5g4_SVh%=yJ6U86d6>E|%jz}~IiNiH4CSMN5-`)Zxh*qOO+-+j)S z|4kD29=vVZUvo^Bxk}PwZfrg2kMZyYAZiEJ?1$W0EA4JyKEEl& W**Y=oqw2c6Jr5l;?@AmK=>h;4+k$QY literal 0 HcmV?d00001 diff --git a/certs/rsapss/server-3072-rsapss-priv.pem b/certs/rsapss/server-3072-rsapss-priv.pem new file mode 100644 index 000000000..4fec8b37c --- /dev/null +++ b/certs/rsapss/server-3072-rsapss-priv.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADALBgkqhkiG9w0BAQoEggboMIIG5AIBAAKCAYEAvoR402t9sq5RiGhq +M/H5xRpvl3GUIvTC8EmIK6RNFW/bzNTGb3Wm4iIGr5EmTqAtlxeVC0AadSObseDX +XcwNXwmeybc9+OViuzR1mQzm2n2VQO5fJ3b5ytYNHqcGn8V1V5ZEuXP03qqpr75L +mPNsyNrZoiY1IUDnZ0vi2cRPuJZUF1nYyq+xVke+FVsF0ynM7CuZ+hMaKtBh0UHC +J13Zp/IpKOv75YnFAYOIHdxwGo8vO+U06Fvv7XZfilHqLZLC5oZtapKTw20ExZVo +B/6aMtk4yAbrM5K5C84uw2tqokFqzgnnSpCoL1kOdtxPuIbQS5XmG+TGWSbvHABO +zvvPYwV+ptQJOf7TeUnyamoaF8sTpT3Z+rCkXxjo5VxLONXYuHY1oAvhmLlYw4jl ++Erm0ISjXk2FydZ/nZ81KGZWBCXMG0z348s5vuBfqJO9oQvNY+AWB69AC8tuP4EM +zYC/E/GSV6FIF9IpsFqi1UKEyGwJMcYFkt2j91bt518piOtLAgMBAAECggGBALdl +MCZc0Ahj84p68NkGMuiA9TD0naQ0tz61mgZgx+892XlIzahXugjutj7lW9nOKXTL +t6a304A1gdfuV4MsPSbiTN9irJ5eufb5ncZx+/wRbc6uaBzGU9jkyoZaRG8ilj11 +IrzfGbYK1QOfDIi0s2B6A4wqeXSEVP1DuKDmb9OBqns7+wvJqs0ijKFkGKxYDbK+ +mh93qfXS2IamZW6d0jrwSpzg5X/laiZ15l7QZ325nb9rec2/SqvtCjVNez7ZiWeM +HQv6I8s8eBVDtSxzxytHHu90SRqC1fQEKnzKMEYAaT/i2sqqorBSIDVuwl6mnl0X +v22YKoBkaeqyanFY4bjgVkFtVyqxaPxNGW+AosD9usszSP7fHVDsxH+U3VauPDu3 +E/rYkL4ftpetAk1jk7L/LipJkzdPOzcvuC/ZEXdxRkKIrM5Yb4usD+6zPLmm1yuY +HhdGZZuzcv+Uk7vmKZAv0p+IYpP7foCJlX9CsPPwCimWg581q8QTZl7/AQ7qOQKB +wQDx3siwpPspeznnxv0qxcQNK6GuADTSPxRc62ST5IHEXm+bEZJ5mmIOl5BVRn9N +RNQJSSYOHPnmyr0XTGnJ887Wpt6LutPc570pOFF8dBgLziCkHmQaDcKbVDkrNZrA +UKAP3ZppH59slXawVSlbrl3fMd6SEprxmVCuxBu7VJeee5puy4jc7Svl3aXaXOok +kmbxKUtDT456ZUxwqsXjeJbGQQgztGSB6aM/L3Jb9Z5e36o3UON9cfuvet+yCfmP +iW0CgcEAyaWyg74L9BK8taRmeQ2hMQbd8i1GvYnWrEGC0uUTpOxcsEwpFRBWGI47 +Nt9+d9+v4fDULO4ysfOfUjoxpEP6OiPtcjPi+/uKGgqy5kRVEp7qqmv2iUgaJAug +95oxgmlEUjbvJfFFiq7c5UOtHfxM/TWYjoj6FzQUUM4wjcAhVaEMe+zBXpHOi1Db +pS0RuPZ+UaMTeH5NgQyrRNBQj9mK55mFHX9j97HrlbWrMGZQUQryxKWvVwLUe/uE +v/PoTMyXAoHAb8jINiO51N0X0RA9l5QZXQDqU3HS98yhi6RbMqLseqYurJt9d+gr +I5VW5qKTWVHTMYt2JBWuRcUziV4OkoC0+q3asvegzTrpSPC3cG5zYplcqp1FJGlx +pLpTRa4bnIBmyY5gu+8ajmOxnCNv3uiCiBITTK1+oOR7zpniOz0Iaf20TTqSQZD3 +teAvs/E3YbmsDA9KsoxFTDofDv9OQChOfsg1kzfvL7+cbCpwjyHAlRaII9KloSeZ +6+s9EZrclUMtAoHADWADPj/N1Suk/rtf3Kmtxm25LQYZyhqpdZWG0uxE6EyRPVRf +6TjDLS/J97LNVbAtn2P0/uHx1OHe8HpRrp6fq1mUt11/sc0WdPG+ug1QQ0LtN86f +dK2mpjtrOuEsZYUL9hQUusSNI0zD9CUQB4wjoyv56YJmbEGVE2MJz20uCNr80/95 +OAed1pnPZ95cbZNT/6A8e2KNS4EGnzLeFRyN3RzOuo0nmVdg0/ZP2479xtJeFfMT +dUcHxw2A2aaZAvcTAoHBAMsrLMCgT0skDJ/5/ar3f44Pkciibn455qzQ+Gx4vG9x +yCxpv70x4QT6NJz6Aht8JZWl81YlUY21S2JEiAPV3YIfTSrMKLlpvr7fCXz/ghje +4O2Cv3zGHQN6GUidXVR4cjJgx4cjcTcLaRk+e2N+0exAkV4UsDRS8OqBDZTqDwBQ +ntOJIUjNyx1Vqe1o/nxsN21EDF5Ya6K/tgEJsObEWfAStlJxm+ELaqk+29PPsmRD +O2FW8SWubrzhQCndGMYUig== +-----END PRIVATE KEY----- diff --git a/certs/rsapss/server-3072-rsapss.der b/certs/rsapss/server-3072-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..d1ee7b42fa624b961f7afd3e883e8a1888f0c079 GIT binary patch literal 1491 zcmXqLVm)ur#KN|KnTe5!iILI3j*U~R&77+0+^00#>gM)nxn1Kk$1Kd2k!Kp=MsYSH(SQFy{P$a=) zl(~tqpTVGsv5TpRv5{e4OU32v+D+>MJ2JA2KmI%_l|Q|3iqe-uA3Qs>m-ve2-#&BY zSbpiUM@nq#C#v}^(48(mmD@q8RC)Hs2iIfI@Wyk_JGtHV$J3hLaJ zz3k_yYrJyH+2$WD4WH(+v-r!sRV&x;^PcfJ=ftg>i_}aN9iFFqKe~Cuf5)^C@yHve z)^7}R-zOT)dRg<#8||6Dgr&4DBwlnpq#k>7`6o?{*T0{39%XFqkiAnN)vs^;)Z|6< z`?qEBU4gH3Cmnj$mYX$c^5I;Tqf;~3|IISGX>o$>weh5#+~@QTXJ;*P%sR*U+-t%L z{YbvDJN`S`E_hFUCjI1Cq}qEK2ETK^&nL6iExW>L`R{V2=clYJDe=?7OKord+OQ;E z;>FV#Z;Pupc9fYe;C?t`XT;%-r$4-&U1(Vx=i7SnTK(MlrW$EsEUIUueZD_FZMpA3 z{EEqY7jmCXejvua-humco_!Vuik(Mq(GRF@jnZb0RuSC$?}7EEX+*I zD-47|vZ^dR23%|$+H8!htnAE;27-{B-S)$Yk&%UknTgGT(%jDsN>v$&Nj~Y7vA%z& ziUgW}xO#QlhhrY6m2G^sSuiB~@@0Lyuq(vYVacj!#&6*Vg@qnQ`$Z~#=bSLvY_&^B z6&P;Z>NoDOiTP#^ZfOPH`-Aq05?>xJ9LZxu2ZrSuf`_XZsbV zFMVsn%Ku%Ep5$wK&TjVu=NT{V6u$iZP)$7M;ivEtSH%fV2RB$m*7IcLO{q3m_*dY; z>|lOYN!@R=7Ek>W6ms&>pP76qVVZ`QOz$#oFgbBe%t0z5BI)3h8}IsLH*G(e!M=3j zf)x_S;~S1O{;m=bU$Jyv`lU67nNwDq<$p6}J>2lwEY8e*1XrDPGI6HmO~1^O3S;3)OAEYMtsk jP&|#p=Jt29W#LO^xJR4~<2(B&xn<{lefQnnyfq;Jp2980 literal 0 HcmV?d00001 diff --git a/certs/rsapss/server-3072-rsapss.pem b/certs/rsapss/server-3072-rsapss.pem new file mode 100644 index 000000000..845b6f315 --- /dev/null +++ b/certs/rsapss/server-3072-rsapss.pem @@ -0,0 +1,238 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:be:84:78:d3:6b:7d:b2:ae:51:88:68:6a:33:f1: + f9:c5:1a:6f:97:71:94:22:f4:c2:f0:49:88:2b:a4: + 4d:15:6f:db:cc:d4:c6:6f:75:a6:e2:22:06:af:91: + 26:4e:a0:2d:97:17:95:0b:40:1a:75:23:9b:b1:e0: + d7:5d:cc:0d:5f:09:9e:c9:b7:3d:f8:e5:62:bb:34: + 75:99:0c:e6:da:7d:95:40:ee:5f:27:76:f9:ca:d6: + 0d:1e:a7:06:9f:c5:75:57:96:44:b9:73:f4:de:aa: + a9:af:be:4b:98:f3:6c:c8:da:d9:a2:26:35:21:40: + e7:67:4b:e2:d9:c4:4f:b8:96:54:17:59:d8:ca:af: + b1:56:47:be:15:5b:05:d3:29:cc:ec:2b:99:fa:13: + 1a:2a:d0:61:d1:41:c2:27:5d:d9:a7:f2:29:28:eb: + fb:e5:89:c5:01:83:88:1d:dc:70:1a:8f:2f:3b:e5: + 34:e8:5b:ef:ed:76:5f:8a:51:ea:2d:92:c2:e6:86: + 6d:6a:92:93:c3:6d:04:c5:95:68:07:fe:9a:32:d9: + 38:c8:06:eb:33:92:b9:0b:ce:2e:c3:6b:6a:a2:41: + 6a:ce:09:e7:4a:90:a8:2f:59:0e:76:dc:4f:b8:86: + d0:4b:95:e6:1b:e4:c6:59:26:ef:1c:00:4e:ce:fb: + cf:63:05:7e:a6:d4:09:39:fe:d3:79:49:f2:6a:6a: + 1a:17:cb:13:a5:3d:d9:fa:b0:a4:5f:18:e8:e5:5c: + 4b:38:d5:d8:b8:76:35:a0:0b:e1:98:b9:58:c3:88: + e5:f8:4a:e6:d0:84:a3:5e:4d:85:c9:d6:7f:9d:9f: + 35:28:66:56:04:25:cc:1b:4c:f7:e3:cb:39:be:e0: + 5f:a8:93:bd:a1:0b:cd:63:e0:16:07:af:40:0b:cb: + 6e:3f:81:0c:cd:80:bf:13:f1:92:57:a1:48:17:d2: + 29:b0:5a:a2:d5:42:84:c8:6c:09:31:c6:05:92:dd: + a3:f7:56:ed:e7:5f:29:88:eb:4b + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + C8:F1:E9:1E:60:01:C8:23:CC:D7:98:B3:BB:65:7A:32:C4:4B:93:39 + X509v3 Authority Key Identifier: + keyid:F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 68:61:62:4c:67:79:5d:4d:fd:95:14:51:37:f0:d5:d5:b6:f0: + c6:48:cb:23:3c:4c:b6:38:00:63:4d:0e:6a:f6:d0:ba:54:3d: + 40:a4:aa:5b:01:f6:57:c1:13:12:e1:5b:4e:59:21:f7:09:90: + 93:36:ab:44:54:59:f5:f0:da:3a:aa:41:f2:00:a4:fa:3d:8d: + 92:bf:74:84:a2:93:c8:70:d9:5a:2a:ab:47:a9:18:fb:f9:51: + 35:96:89:23:18:7b:a6:ae:1c:88:df:cd:68:ca:3c:8b:03:b2: + b0:c6:6f:9e:1f:fd:00:98:24:72:3b:6a:67:62:ef:28:4a:71: + 6e:b2:53:1c:0b:7c:48:ef:78:6c:73:5d:03:71:44:ac:5c:5e: + a2:75:fd:0b:e4:cc:8c:af:1e:42:9c:b7:d4:02:f4:8e:ad:56: + 77:fe:d0:1b:92:4d:35:ce:3e:bb:e0:43:98:e8:dc:71:e9:fb: + e1:26:17:5c:e1:f2:57:74:45:21:90:42:c1:b0:38:59:7f:0c: + 6a:6e:94:7b:30:a1:fd:10:e0:9b:53:0f:05:19:2d:f6:9a:a3: + 95:f4:52:54:c9:e2:fc:99:0e:64:56:29:31:d2:35:dd:01:b0: + 34:c8:d6:16:40:1a:58:58:62:c1:e4:d8:ee:8e:1d:b2:b7:c9: + 68:07:a5:91:a0:a8:18:c7:5f:80:c6:81:fb:7a:10:17:a8:a5: + 9e:67:d2:ac:31:69:94:ab:36:6f:f6:35:05:c3:80:f3:3e:5f: + 5c:29:d1:13:43:88:1e:79:ac:3d:d3:e0:3d:44:c4:da:c7:1e: + ab:f1:86:07:98:cf:b8:99:5d:6b:7c:3f:c2:c1:ff:1c:b1:8d: + 90:02:45:62:c4:7c:ca:6a:fb:4c:48:bc:73:ad:04:ad:62:87: + 1e:b3:c4:76:a6:a1:27:3d:f5:2a:ca:8e:c0:73:96:08:3c:db: + f7:36:a6:57:a4:98:47:58:cd:56:0e:cd:fc:63:84:b9:df:2f: + 47:bb:8b:0d:7c:54 +-----BEGIN CERTIFICATE----- +MIIFzzCCBAagAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAy +Mjc1NVowgbYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQH +DAdCb3plbWFuMRcwFQYDVQQKDA53b2xmU1NMX1JTQVBTUzEWMBQGA1UECwwNU2Vy +dmVyLVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN +AQkBFhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDCC +AaAwCwYJKoZIhvcNAQEKA4IBjwAwggGKAoIBgQC+hHjTa32yrlGIaGoz8fnFGm+X +cZQi9MLwSYgrpE0Vb9vM1MZvdabiIgavkSZOoC2XF5ULQBp1I5ux4NddzA1fCZ7J +tz345WK7NHWZDObafZVA7l8ndvnK1g0epwafxXVXlkS5c/TeqqmvvkuY82zI2tmi +JjUhQOdnS+LZxE+4llQXWdjKr7FWR74VWwXTKczsK5n6Exoq0GHRQcInXdmn8iko +6/vlicUBg4gd3HAajy875TToW+/tdl+KUeotksLmhm1qkpPDbQTFlWgH/poy2TjI +BuszkrkLzi7Da2qiQWrOCedKkKgvWQ523E+4htBLleYb5MZZJu8cAE7O+89jBX6m +1Ak5/tN5SfJqahoXyxOlPdn6sKRfGOjlXEs41di4djWgC+GYuVjDiOX4SubQhKNe +TYXJ1n+dnzUoZlYEJcwbTPfjyzm+4F+ok72hC81j4BYHr0ALy24/gQzNgL8T8ZJX +oUgX0imwWqLVQoTIbAkxxgWS3aP3Vu3nXymI60sCAwEAAaOBiTCBhjAdBgNVHQ4E +FgQUyPHpHmAByCPM15izu2V6MsRLkzkwHwYDVR0jBBgwFoAU+ELMiMnIGPnTsCRl +Bkz/Vau/Dn8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAww +CgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMD4GCSqGSIb3DQEBCjAxoA0w +CwYJYIZIAWUDBAICoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAqIEAgIBTgOC +AYEAaGFiTGd5XU39lRRRN/DV1bbwxkjLIzxMtjgAY00OavbQulQ9QKSqWwH2V8ET +EuFbTlkh9wmQkzarRFRZ9fDaOqpB8gCk+j2Nkr90hKKTyHDZWiqrR6kY+/lRNZaJ +Ixh7pq4ciN/NaMo8iwOysMZvnh/9AJgkcjtqZ2LvKEpxbrJTHAt8SO94bHNdA3FE +rFxeonX9C+TMjK8eQpy31AL0jq1Wd/7QG5JNNc4+u+BDmOjccen74SYXXOHyV3RF +IZBCwbA4WX8Mam6UezCh/RDgm1MPBRkt9pqjlfRSVMni/JkOZFYpMdI13QGwNMjW +FkAaWFhiweTY7o4dsrfJaAelkaCoGMdfgMaB+3oQF6ilnmfSrDFplKs2b/Y1BcOA +8z5fXCnRE0OIHnmsPdPgPUTE2sceq/GGB5jPuJlda3w/wsH/HLGNkAJFYsR8ymr7 +TEi8c60ErWKHHrPEdqahJz31KsqOwHOWCDzb9zamV6SYR1jNVg7N/GOEud8vR7uL +DXxU +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSA-PSS, OU = Root-RSA-PSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (3072 bit) + Modulus: + 00:c8:2a:40:c8:eb:ae:7c:18:33:cb:38:51:e6:b7: + 7b:11:4f:cd:ea:35:87:64:d9:b2:ca:cf:4b:21:c4: + 86:2a:c7:a3:6f:15:3e:1e:c4:9b:03:81:4b:3a:5d: + 53:62:11:e2:08:df:97:4d:37:3d:78:62:50:40:31: + 2a:70:44:1a:6d:69:49:fc:77:b8:f2:42:09:86:9a: + 5d:39:cd:84:7b:32:8a:3b:b0:4f:bf:3d:d4:05:7e: + c0:aa:28:a5:ce:b1:28:3a:59:d9:19:10:3a:d4:1f: + 91:07:07:73:50:a4:2b:d8:18:1f:22:f8:f4:64:3f: + 13:a0:d8:60:7e:53:4c:3b:97:70:bc:36:e5:be:31: + 97:45:55:ed:a2:5b:87:b5:1b:8e:65:3d:b7:15:08: + d1:12:1a:aa:ec:4e:56:35:70:a7:3e:50:65:f7:3e: + 30:9c:32:db:b2:24:7b:87:02:29:27:12:35:ad:8e: + c3:02:22:13:c2:6e:53:45:f0:16:21:81:e5:d5:b5: + 91:60:8b:d7:5c:bb:c2:70:06:f6:50:41:45:36:7f: + 41:44:89:b6:97:23:be:76:d7:7c:72:7f:ea:f4:19: + 10:17:c3:df:8f:cd:97:20:04:cb:1d:03:6b:09:8f: + d7:7b:84:7d:22:c5:e2:10:cb:cc:11:aa:a1:f5:66: + 85:0e:35:5a:8c:c3:89:61:29:d0:5c:53:2f:09:4b: + 91:7e:ce:e0:12:d3:ce:eb:c9:50:3c:36:f0:a6:b4: + fb:b5:c2:de:61:a0:ac:6f:bc:7e:ef:53:08:9f:b1: + 18:ad:5b:e3:01:23:de:11:a5:1f:7d:d5:b6:f4:72: + 1d:53:75:66:8c:db:61:1e:e9:eb:3c:f3:49:69:82: + b6:20:6b:29:03:a1:be:55:e4:4c:f8:25:a7:a8:a3: + e3:3f:32:1f:ae:a7:2a:9b:6b:56:dd:c9:5a:b1:1a: + 01:a0:13:d2:8e:9a:2c:db:7e:fd:5b:0e:2e:ef:92: + 69:ce:f2:de:ef:d0:2f:09:0e:67 + Exponent: 65537 (0x10001) + No PSS parameter restrictions + X509v3 extensions: + X509v3 Subject Key Identifier: + F8:42:CC:88:C9:C8:18:F9:D3:B0:24:65:06:4C:FF:55:AB:BF:0E:7F + X509v3 Authority Key Identifier: + keyid:AA:71:D3:B1:8A:4B:BB:47:15:47:5F:9B:D0:2B:69:D1:6F:85:5E:F6 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: rsassaPss + Hash Algorithm: sha384 + Mask Algorithm: mgf1 with sha384 + Salt Length: 0x014E + Trailer Field: 0xBC (default) + + 39:a8:ef:b1:66:08:50:0b:5e:cb:b2:29:8c:9b:b1:be:21:44: + d6:d8:97:1d:45:dc:52:70:f1:de:ac:74:65:03:6b:af:a0:f0: + 21:61:ce:23:39:33:c8:cb:1e:8f:77:12:1e:5b:99:0c:e1:1b: + 75:cf:1d:d7:12:86:cc:fc:86:90:0f:45:ea:8b:08:47:08:ac: + 56:44:31:f2:c9:23:6b:d5:30:ca:5f:49:b0:4b:8b:36:bd:5c: + 92:fa:86:34:57:80:30:93:29:59:19:a4:dd:f9:91:26:8a:49: + b4:ee:93:aa:e1:b2:06:f6:2f:2a:d9:5b:6d:f9:7c:04:4f:1c: + 7a:cc:8e:39:c2:98:3a:bd:b9:a2:24:82:8f:e4:d8:80:47:73: + 84:6e:bc:20:5c:ac:79:72:a7:6f:e3:c8:3a:9c:cc:83:b1:1f: + e2:65:3b:a1:f5:86:1a:33:53:bc:05:ba:6a:b1:bc:a7:b4:c1: + 44:8c:0a:cc:c2:15:da:c1:dd:dc:31:91:46:5b:48:d8:ea:03: + 78:e1:1f:ce:79:19:c8:6e:d6:3f:4c:f5:3b:b3:e7:2e:b7:46: + 0c:58:cd:ca:56:a6:88:fb:fd:12:d1:27:80:5a:a2:51:96:f8: + 4c:65:8d:71:0b:84:ca:94:f9:9f:c9:38:62:a3:64:cd:91:44: + 50:ed:bb:c0:1d:9b:b8:a4:57:b1:7a:2e:44:57:a5:15:ba:cc: + b3:62:f5:46:aa:cd:fb:53:d3:ed:ef:e3:f4:b2:9b:3f:29:d0: + 00:8c:19:61:48:b6:da:74:27:05:69:7b:df:04:0e:e2:f1:0f: + 1a:fa:92:70:79:78:86:52:60:e1:4d:4e:66:14:ba:86:e2:4e: + dd:e0:d0:f3:c0:2d:6d:3a:16:00:1d:c6:9c:27:6f:a6:5f:21: + 4c:e4:82:14:95:d1:a7:4a:15:13:ba:d8:65:ad:34:a2:93:3a: + d1:49:12:4d:f2:97:f3:e2:8a:83:d2:bf:84:84:c6:87:70:c9: + 38:e0:5f:fe:7f:38 +-----BEGIN CERTIFICATE----- +MIIFjzCCA8agAwIBAgIBATA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAU4wgZ0xCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93 +b2xmU1NMX1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwP +d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t +MB4XDTIyMDcyNTAyMjc1NVoXDTI1MDQyMDAyMjc1NVowgbIxCzAJBgNVBAYTAlVT +MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRcwFQYDVQQKDA53 +b2xmU1NMX1JTQVBTUzESMBAGA1UECwwJQ0EtUlNBUFNTMRgwFgYDVQQDDA93d3cu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIBoDALBgkqhkiG9w0BAQoDggGPADCCAYoC +ggGBAMgqQMjrrnwYM8s4Uea3exFPzeo1h2TZssrPSyHEhirHo28VPh7EmwOBSzpd +U2IR4gjfl003PXhiUEAxKnBEGm1pSfx3uPJCCYaaXTnNhHsyijuwT7891AV+wKoo +pc6xKDpZ2RkQOtQfkQcHc1CkK9gYHyL49GQ/E6DYYH5TTDuXcLw25b4xl0VV7aJb +h7UbjmU9txUI0RIaquxOVjVwpz5QZfc+MJwy27Ike4cCKScSNa2OwwIiE8JuU0Xw +FiGB5dW1kWCL11y7wnAG9lBBRTZ/QUSJtpcjvnbXfHJ/6vQZEBfD34/NlyAEyx0D +awmP13uEfSLF4hDLzBGqofVmhQ41WozDiWEp0FxTLwlLkX7O4BLTzuvJUDw28Ka0 ++7XC3mGgrG+8fu9TCJ+xGK1b4wEj3hGlH33VtvRyHVN1ZozbYR7p6zzzSWmCtiBr +KQOhvlXkTPglp6ij4z8yH66nKptrVt3JWrEaAaAT0o6aLNt+/VsOLu+Sac7y3u/Q +LwkOZwIDAQABo2MwYTAdBgNVHQ4EFgQU+ELMiMnIGPnTsCRlBkz/Vau/Dn8wHwYD +VR0jBBgwFoAUqnHTsYpLu0cVR1+b0Ctp0W+FXvYwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAY +BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgFOA4IBgQA5qO+xZghQC17LsimM +m7G+IUTW2JcdRdxScPHerHRlA2uvoPAhYc4jOTPIyx6PdxIeW5kM4Rt1zx3XEobM +/IaQD0XqiwhHCKxWRDHyySNr1TDKX0mwS4s2vVyS+oY0V4AwkylZGaTd+ZEmikm0 +7pOq4bIG9i8q2Vtt+XwETxx6zI45wpg6vbmiJIKP5NiAR3OEbrwgXKx5cqdv48g6 +nMyDsR/iZTuh9YYaM1O8BbpqsbyntMFEjArMwhXawd3cMZFGW0jY6gN44R/OeRnI +btY/TPU7s+cut0YMWM3KVqaI+/0S0SeAWqJRlvhMZY1xC4TKlPmfyThio2TNkURQ +7bvAHZu4pFexei5EV6UVusyzYvVGqs37U9Pt7+P0sps/KdAAjBlhSLbadCcFaXvf +BA7i8Q8a+pJweXiGUmDhTU5mFLqG4k7d4NDzwC1tOhYAHcacJ2+mXyFM5IIUldGn +ShUTuthlrTSikzrRSRJN8pfz4oqD0r+EhMaHcMk44F/+fzg= +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-rsapss-cert.pem b/certs/rsapss/server-rsapss-cert.pem new file mode 100644 index 000000000..881f611aa --- /dev/null +++ b/certs/rsapss/server-rsapss-cert.pem @@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = CA-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Validity + Not Before: Jul 25 02:27:55 2022 GMT + Not After : Apr 20 02:27:55 2025 GMT + Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_RSAPSS, OU = Server-RSAPSS, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Subject Public Key Info: + Public Key Algorithm: rsassaPss + RSA-PSS Public-Key: (2048 bit) + Modulus: + 00:d7:f7:6c:e1:02:89:cc:9b:74:10:f3:ec:01:cb: + 89:ce:ef:f6:29:62:fc:75:3f:6a:99:ba:d6:88:ec: + ae:b3:20:33:44:d2:06:d7:99:21:bb:f3:40:ce:30: + b0:e1:90:4c:5b:58:75:54:1d:a2:dd:bc:63:01:48: + 43:3b:22:7a:78:2a:65:5b:d8:11:5f:9b:7b:db:21: + 1c:bc:f4:a5:ad:3e:d6:07:41:da:04:1f:ea:78:ec: + 57:f3:53:fd:49:2b:5e:0e:34:02:3b:5e:3e:5f:dc: + 63:da:d4:68:26:1a:61:c9:25:d7:53:16:e7:fb:c0: + a5:2d:59:36:7b:e9:c7:42:cb:9b:15:81:fd:d4:0f: + c5:b7:c6:49:c0:45:77:ea:5b:ac:ca:1e:a5:9c:c1: + 86:1b:f2:9e:ed:66:a0:d1:3b:b6:6f:02:54:69:30: + 0d:ba:55:01:18:c0:5f:7d:b2:ee:a6:bd:89:84:fc: + e8:36:e4:bb:d3:b4:9e:dd:b3:a6:80:32:12:37:30: + 8e:0a:89:54:c5:eb:4b:1c:85:02:2b:f8:26:63:c4: + 23:f8:59:35:18:0e:28:cf:5d:07:49:d8:cc:60:4d: + 3b:fb:27:24:f0:d6:46:0f:c5:5b:16:a5:94:8a:69: + 1a:34:62:cd:e0:32:32:55:b9:16:65:50:11:8b:5e: + 36:83 + Exponent: 65537 (0x10001) + PSS parameter restrictions: + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Minimum Salt Length: 0x20 + Trailer Field: 0xBC (default) + X509v3 extensions: + X509v3 Subject Key Identifier: + 2D:07:69:B0:A1:6F:9F:0C:FA:25:05:B2:CA:97:08:44:DF:0E:97:A8 + X509v3 Authority Key Identifier: + keyid:9E:0C:E0:D3:DF:B6:4B:F3:19:63:5C:CA:6C:93:86:A2:14:53:91:31 + + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature, Key Encipherment, Key Agreement + X509v3 Extended Key Usage: + TLS Web Server Authentication + Netscape Cert Type: + SSL Server + Signature Algorithm: rsassaPss + Hash Algorithm: sha256 + Mask Algorithm: mgf1 with sha256 + Salt Length: 0x20 + Trailer Field: 0xBC (default) + + be:97:50:2b:be:31:97:8f:92:ed:52:c6:86:b7:12:3c:08:c2: + 97:40:2d:58:51:1d:4b:c4:66:1f:9b:ca:06:66:14:7d:ba:c6: + 16:7d:18:fb:28:3c:5a:b0:b1:e7:dd:6e:6f:1e:18:74:8c:9b: + 71:b3:4a:94:26:bf:14:00:ab:1c:0b:a0:ae:91:7c:71:9c:25: + c5:9a:2d:8a:a3:39:2a:3c:fa:e5:66:ea:9a:16:85:4c:5e:f4: + 03:0b:59:1d:13:08:76:22:f0:de:8c:1c:d4:67:01:fc:a4:cd: + 12:1a:73:1d:67:b0:df:7a:53:68:80:04:a9:37:aa:3f:30:ac: + ee:58:c9:d9:ba:78:00:ff:72:0f:d9:98:62:8e:e6:16:37:fb: + 86:35:b6:20:9e:30:72:39:a6:c8:68:07:83:1c:ad:86:fb:1a: + 67:39:18:2a:99:1f:1f:36:94:72:a2:af:a5:fc:ca:1d:16:cf: + 55:b5:86:30:dc:fd:8b:d1:db:38:28:20:fc:64:4b:71:d4:91: + 0a:dc:b9:00:f7:9c:af:99:e4:b6:2b:b7:f3:76:81:92:8b:0f: + f7:4a:7a:15:2f:48:5c:a4:59:57:55:ab:9e:9e:fc:81:b4:64: + 4b:8e:37:b7:00:c9:54:a5:ea:f6:b9:9c:2b:60:12:7d:f5:29: + 41:07:5a:a3 +-----BEGIN CERTIFICATE----- +MIIE/zCCA7egAwIBAgIBATA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa +MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDCBsjELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFzAVBgNVBAoMDndv +bGZTU0xfUlNBUFNTMRIwEAYDVQQLDAlDQS1SU0FQU1MxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0wwHhcNMjIwNzI1MDIyNzU1WhcNMjUwNDIwMDIy +NzU1WjCBtjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM +B0JvemVtYW4xFzAVBgNVBAoMDndvbGZTU0xfUlNBUFNTMRYwFAYDVQQLDA1TZXJ2 +ZXItUlNBUFNTMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0B +CQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMIIB +UjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL +BglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1/ds4QKJzJt0EPPsAcuJzu/2 +KWL8dT9qmbrWiOyusyAzRNIG15khu/NAzjCw4ZBMW1h1VB2i3bxjAUhDOyJ6eCpl +W9gRX5t72yEcvPSlrT7WB0HaBB/qeOxX81P9SSteDjQCO14+X9xj2tRoJhphySXX +Uxbn+8ClLVk2e+nHQsubFYH91A/Ft8ZJwEV36lusyh6lnMGGG/Ke7Wag0Tu2bwJU +aTANulUBGMBffbLupr2JhPzoNuS707Se3bOmgDISNzCOColUxetLHIUCK/gmY8Qj ++Fk1GA4oz10HSdjMYE07+yck8NZGD8VbFqWUimkaNGLN4DIyVbkWZVARi142gwID +AQABo4GJMIGGMB0GA1UdDgQWBBQtB2mwoW+fDPolBbLKlwhE3w6XqDAfBgNVHSME +GDAWgBSeDODT37ZL8xljXMpsk4aiFFORMTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB +/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMCBkAw +PQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJ +YIZIAWUDBAIBogMCASADggEBAL6XUCu+MZePku1Sxoa3EjwIwpdALVhRHUvEZh+b +ygZmFH26xhZ9GPsoPFqwsefdbm8eGHSMm3GzSpQmvxQAqxwLoK6RfHGcJcWaLYqj +OSo8+uVm6poWhUxe9AMLWR0TCHYi8N6MHNRnAfykzRIacx1nsN96U2iABKk3qj8w +rO5Yydm6eAD/cg/ZmGKO5hY3+4Y1tiCeMHI5pshoB4McrYb7Gmc5GCqZHx82lHKi +r6X8yh0Wz1W1hjDc/YvR2zgoIPxkS3HUkQrcuQD3nK+Z5LYrt/N2gZKLD/dKehUv +SFykWVdVq56e/IG0ZEuON7cAyVSl6va5nCtgEn31KUEHWqM= +-----END CERTIFICATE----- diff --git a/certs/rsapss/server-rsapss-key.der b/certs/rsapss/server-rsapss-key.der new file mode 100644 index 0000000000000000000000000000000000000000..392cb4ff9f39a1950ff5e14fafd2fb682963c189 GIT binary patch literal 342 zcmXqLVhl2{W#iOp^Jx3d%gD%OV6cGKfSZjoq0NIam6?T!aiNrf1VWwzMQ#x@6Qcri z6C*!^K@%evQxhX2!}aeu51Bg8%q|i5{D$##=ehUaG?V_6+Gow&b*JnnRQwrJzuEBr^d zAM-rmTK+0}%_+I1a}Ksif139;ZNWwBZTUycLV@ literal 0 HcmV?d00001 diff --git a/certs/rsapss/server-rsapss-key.pem b/certs/rsapss/server-rsapss-key.pem new file mode 100644 index 000000000..77c877a08 --- /dev/null +++ b/certs/rsapss/server-rsapss-key.pem @@ -0,0 +1,10 @@ +-----BEGIN PUBLIC KEY----- +MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEB +CDALBglghkgBZQMEAgGiAwIBIAOCAQ8AMIIBCgKCAQEA1/ds4QKJzJt0EPPsAcuJ +zu/2KWL8dT9qmbrWiOyusyAzRNIG15khu/NAzjCw4ZBMW1h1VB2i3bxjAUhDOyJ6 +eCplW9gRX5t72yEcvPSlrT7WB0HaBB/qeOxX81P9SSteDjQCO14+X9xj2tRoJhph +ySXXUxbn+8ClLVk2e+nHQsubFYH91A/Ft8ZJwEV36lusyh6lnMGGG/Ke7Wag0Tu2 +bwJUaTANulUBGMBffbLupr2JhPzoNuS707Se3bOmgDISNzCOColUxetLHIUCK/gm +Y8Qj+Fk1GA4oz10HSdjMYE07+yck8NZGD8VbFqWUimkaNGLN4DIyVbkWZVARi142 +gwIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/rsapss/server-rsapss-priv.der b/certs/rsapss/server-rsapss-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..4c3ea7590c7e07e6718142ba95961dc570c4e090 GIT binary patch literal 1266 zcmXqLVtL2J$Y5a0#;Mij(e|B}k&(;5U;(cIHydX{n+IbmGYb>rLMa0Ygggg|+#+Ts zMg^88mK6p~EK8Ue8JLt=o^CZv#W0_%Ix{FbgkVr zcE?*R@~!}^bXToG1XBU4b`PP*THL1jts@H?Xp8r0uR5#MB`sHz_)3Zez z|6bugy8W2v0oU?Z(Q8i0EuC|)P5RTkw`mJ5T5ro|3duC!-4)6xaUi~S)4OGRJ6ry| zFnhB5@|JmbH!o{25;8aFZFt**$NZN$|D)t*-Ln znj8PoXtAYJx-z9qlFmLbG78-(mKq?~9cR|e#LURR$kfEh;5v`(DCecz8)ch!`1YQg za{rp&+%pFrd^(q6{l>%Ec<#K?71@ioG8lec6_&kFs(JS@$Koe><>Kc0hRR&)0*lvP zdbND-#jYE=43AiHT2=P{F1!4@?ZvV7+3vS@usPXXJsQoI%h{}YKy%jYy$7zHd^p>I zN#m#%zY3IPL5C(@M{{ zuWVp2_1$@IV$3D3`;{M;xTStP+FkF&Fn?0Yr++OEPrHYx^ZjZy%D-}CrH>&~VJ9y;$Jh~JnU2Edp-M#O|MPZW0NH=1Y1kThDIyN5X;oP`cd5vN;O-{({`_oJZw#W5X>+l`XkN$}4WEZ|f+l zQa_OUO_sT4)n;p*in**N?q9S_K56{rIzM?v_w4Rd`WL5tQ~r5>*`)>VmV8_1;2J5> zD1GJP{%<*~$F|FSd#rToFVE9C58rZ~2&~IcXFR5EHuuxUkm;Xha&EcBvphuXNc?YK z%f!36H~;^?WYSy@a>J@C#jzJZrnA~;J=E`S;#~eP`;zg`owABc6X&ut)o%PgC!_7v zrn5Oc>`!;d|I4WHFu%LK_I>6Dn{8WG*0eCEg`euFUg;k=&)VQQi_xyteP_fin_ijb z%dlH5mT$2ZmQD-)UhQ0ckS#(>^KF#xr`unD7u4R~n&G|Y-tx6mCLLb*m8r3z_>QxB z=*#6DhwaUkp4L5kcG&T?`n2|rIfwM`me}Y_aLBF|nAK9IdhKMn)RjHw9vR!Qxo#ygch-|js98k=@|iO@dF z+~Tv<@=cMNW?r+7^qt%CLa{}7o`as&|1*9{6=(bA-A|gSwZmE>_O+1{f4p^I5Oys#-pui~ MNY>-o?Y>z*0QIO>2LJ#7 literal 0 HcmV?d00001 diff --git a/certs/rsapss/server-rsapss-priv.pem b/certs/rsapss/server-rsapss-priv.pem new file mode 100644 index 000000000..4ee84357a --- /dev/null +++ b/certs/rsapss/server-rsapss-priv.pem @@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIE7gIBADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3 +DQEBCDALBglghkgBZQMEAgGiAwIBIASCBKgwggSkAgEAAoIBAQDX92zhAonMm3QQ +8+wBy4nO7/YpYvx1P2qZutaI7K6zIDNE0gbXmSG780DOMLDhkExbWHVUHaLdvGMB +SEM7Inp4KmVb2BFfm3vbIRy89KWtPtYHQdoEH+p47FfzU/1JK14ONAI7Xj5f3GPa +1GgmGmHJJddTFuf7wKUtWTZ76cdCy5sVgf3UD8W3xknARXfqW6zKHqWcwYYb8p7t +ZqDRO7ZvAlRpMA26VQEYwF99su6mvYmE/Og25LvTtJ7ds6aAMhI3MI4KiVTF60sc +hQIr+CZjxCP4WTUYDijPXQdJ2MxgTTv7JyTw1kYPxVsWpZSKaRo0Ys3gMjJVuRZl +UBGLXjaDAgMBAAECggEARZ4GxQnSbdh2s7hNjc6U39ZOnczA4PLOZDvsSDsznZ51 +qGujtQAx9apWa6Eag7vGQXPkbncXNy8xIwquUXOt0uqnvdGK2C0A4gRshSS/+3bT ++4boxoebR9u4BkI+1cVbDm0JgyXAKZqbvcDWyeGbQAIoxSoPIgJZvKKTg6I6j3cH +KyVYARmQTWbfVcupY/BlFIw3kSpLU3EYPNjF4hBDiEMsp6CpgipIipY6W2HjWHp1 +YS55S6meflkGnikjzXMcptQkaKA3uJmHgNviwZb1z8si5gvUsAA1TbnekVzSCt95 +8aRGZfHFi39CAJ+SZPL+hOHLR1QnDvqFMm/UxKlMMQKBgQDvSlU0j9rt/xZXWF0F +ZfVzRrU6fCDhHhIUu7ujcIvsIl/rAdnDTHZN12vUPI08VtPI5oxNDly95q683rNm +d17YicbKQFRdxRjdG9RCM0JzIbBUzLlbprCEDixi8enyIGkjjxVwA8oEhquAo+if +GUimrwc+/BhAC8JnHvF2nCC+/QKBgQDnDCTrgYDaQSS0bXIjqNontoh2eifAbfYd +A3yqszsseJ0FNEf0KjTyKP0Kz5OYi5uLyi/RlvYj+d+m0qDupPauQEVZGIEb1NG/ +9mwFxrcc9uMiyv0M5Zzh7QrIUX5oJwHGJzad8rFUl/KZCbTaDKdUFsRf+005Yd1t +2f//0jSDfwKBgQCq1HNd0fFnBTwq4S+Pggmn4WvSM/m5HSGlYZ0Egn2x95xohuqy +zWyMB+W4H/5ofEg33bd972nwPLa0qXyEA2ZXyox7qU9Rnjsw5wQyuquOzBc5guo1 +bxwHOqMfhDsTG2ZT93tDe8EGWCop7VpN8tv1+3B927VoS7zep62UksOh9QKBgHPc +QydV6aeIwz83IuV+5ubDQesnloeInMIv3XQ8LJBAa30QmoR2JdbJdxrUvM7iMz4G +RbR0XznrM5wUQ19omcsHr77d6uBp+ESq7cB3xZtgssXfxMWS3vjsRVvugdT4uosD +XwAVk5c4Gw9jLq2par9gK1l2S2NbEA7mItnGL09BAoGBANvLVWSr7kXEsyH23OX1 +XWbbpBK+OW1zzXsfglkpNkqaxI7OtOghhBOeQC4q/8xOInjNjp7fYpkquEawMobo +cyijj+IotP9pak1vk6tf31UkFtNyCJIM8UwUV/oiFTHFW2h6QOrSLgKnPbetWZH4 +7UAAE0VzM7MI7XIdSObbjpr4 +-----END PRIVATE KEY----- diff --git a/certs/rsapss/server-rsapss.der b/certs/rsapss/server-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..9ce45f78741f2ff703a572ab3a8eb509940c85ad GIT binary patch literal 1283 zcmXqLV)<{-#Jqh0GZP~d6Cd< zBoOi(C~}LKnHUue8aEko8*s8QhqAB~TCUS6&T z(okHSqnDhYYbb9Z3wIkQqnJQuURu5bvI3AjT%42CIwyb9NnvE+6^BS2Nm>3yAxdx5fsOTv%0}+r1xOsSkQ;W({i)iVwCdMENBb2#` zk)Oe!iIIz`iII`v`uCiNOr2+Dmk4}*!+5&$-1~2uNqQaeO9B)^T?6cam>i$xxF@JgIs;SnT=l150%y&8lA>cRD>=wDIp1{-fKE zc^+^re-*vvl-$xe2iv4S&3l`+;G*@me5R001KwSsj1mXpYd5`Hwzsq8&kM6ByDx8< zcX#u$1|uPJgFdd#kfX1?Wm=iEf2buNQT`EWD#535K9=3{#+d|P>)+}sAFjFaAB`4U zI;AU9$|ULR10$o*onom0g57au%}mUU42+8#I}IA!3}o4uLuL6`#8^ah*)umR%%9Km zOO@qU!n;xLO&v1JGq_;uG+O`YXa2%TMpc@e=>wP3me)cK0G?Cg}$HZzSerwo7ZP@ty zZeG5eL`l!=!p&Y&)b@)otd`+kux?^a;T+YYvvj)_TWZ<-dYblXmRPG#+!to`L$|gW-1*ym@wSDA!k-lH z!YdQG?(AgvK4<;RC)>2Qe=cjB)Xo3ht4dVgBW6itcdCert->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: if (ssl->options.minRsaKeySz < 0 || args->dCert->pubKeySize < @@ -13612,6 +13615,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* decode peer key */ switch (args->dCert->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: { word32 keyIdx = 0; diff --git a/src/ssl.c b/src/ssl.c index d70ad7124..e9a2ed7ce 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5113,7 +5113,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) /* check CA key size */ if (verify) { switch (cert->keyOID) { - #ifndef NO_RSA + #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: if (cm->minRsaKeySz < 0 || cert->pubKeySize < (word16)cm->minRsaKeySz) { @@ -5121,7 +5124,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) WOLFSSL_MSG("\tCA RSA key size error"); } break; - #endif /* !NO_RSA */ + #endif /* !NO_RSA */ #ifdef HAVE_ECC case ECDSAk: if (cm->minEccKeySz < 0 || @@ -6519,6 +6522,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, else if (cert->keyOID == RSAk) { ssl->options.haveRSA = 1; } + #ifdef WC_RSA_PSS + else if (cert->keyOID == RSAPSSk) { + ssl->options.haveRSA = 1; + } + #endif #endif #ifdef HAVE_ED25519 else if (cert->keyOID == ED25519k) { @@ -6552,6 +6560,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, else if (cert->keyOID == RSAk) { ctx->haveRSA = 1; } + #ifdef WC_RSA_PSS + else if (cert->keyOID == RSAPSSk) { + ctx->haveRSA = 1; + } + #endif #endif #ifdef HAVE_ED25519 else if (cert->keyOID == ED25519k) { @@ -6578,6 +6591,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, /* check key size of cert unless specified not to */ switch (cert->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: #ifdef WOLF_PRIVATE_KEY_ID keyType = rsa_sa_algo; @@ -8405,6 +8421,11 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, if (der->keyOID == RSAk) { type = DYNAMIC_TYPE_RSA; } + #ifdef WC_RSA_PSS + if (der->keyOID == RSAPSSk) { + type = DYNAMIC_TYPE_RSA; + } + #endif #endif #ifdef HAVE_ECC if (der->keyOID == ECDSAk) { @@ -8417,7 +8438,11 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, #ifdef WOLF_CRYPTO_CB if (ret == 0) { #ifndef NO_RSA - if (der->keyOID == RSAk) { + if (der->keyOID == RSAk + #ifdef WC_RSA_PSS + || der->keyOID == RSAPSSk + #endif + ) { ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der->publicKey, der->pubKeySize); } @@ -8435,7 +8460,11 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, void* heap, #endif if (pkey != NULL) { #ifndef NO_RSA - if (der->keyOID == RSAk) { + if (der->keyOID == RSAk + #ifdef WC_RSA_PSS + || der->keyOID == RSAPSSk + #endif + ) { wc_FreeRsaKey((RsaKey*)pkey); } #endif @@ -9195,7 +9224,11 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, WOLFSSL_MSG("Found PKCS8 header"); pkcs8HeaderSz = (word16)idx; - if ((type == EVP_PKEY_RSA && algId != RSAk) || + if ((type == EVP_PKEY_RSA && algId != RSAk + #ifdef WC_RSA_PSS + && algId != RSAPSSk + #endif + ) || (type == EVP_PKEY_EC && algId != ECDSAk) || (type == EVP_PKEY_DSA && algId != DSAk) || (type == EVP_PKEY_DH && algId != DHk)) { @@ -29465,9 +29498,14 @@ int wolfSSL_ASN1_STRING_canon(WOLFSSL_ASN1_STRING* asn_out, /* Update the available options with public keys. */ switch (x->pubKeyOID) { + #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: ctx->haveRSA = 1; break; + #endif #ifdef HAVE_ED25519 case ED25519k: #endif diff --git a/tests/api.c b/tests/api.c index 6b4cad62e..5756d82a9 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2378,6 +2378,62 @@ static int test_wolfSSL_FPKI(void) return 0; } +static int test_wolfSSL_CertRsaPss(void) +{ +/* FIPS v2 and below don't support long salts. */ +#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ + (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) + XFILE f; + const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der"; + const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem"; +#ifdef WOLFSSL_SHA384 + const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der"; + const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem"; +#endif + DecodedCert cert; + byte buf[4096]; + int bytes; + WOLFSSL_CERT_MANAGER* cm; + + printf(testingFmt, "test_CertRsaPss"); + + cm = wolfSSL_CertManagerNew(); + AssertNotNull(cm); + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha256Cert, NULL)); +#ifdef WOLFSSL_SHA384 + AssertIntEQ(WOLFSSL_SUCCESS, + wolfSSL_CertManagerLoadCA(cm, rsaPssRootSha384Cert, NULL)); +#endif + + f = XFOPEN(rsaPssSha256Cert, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + wc_InitDecodedCert(&cert, buf, bytes, NULL); + AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); + wc_FreeDecodedCert(&cert); + +#ifdef WOLFSSL_SHA384 + f = XFOPEN(rsaPssSha384Cert, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + wc_InitDecodedCert(&cert, buf, bytes, NULL); + AssertIntEQ(wc_ParseCert(&cert, CERT_TYPE, VERIFY, cm), 0); + wc_FreeDecodedCert(&cert); +#endif + + wolfSSL_CertManagerFree(cm); + + printf(resultFmt, passed); +#endif + + return 0; +} + static int test_wolfSSL_CertManagerCRL(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ @@ -18523,6 +18579,12 @@ static int test_wc_RsaPublicKeyDecode(void) int bytes = 0; word32 keySz = 0; word32 tstKeySz = 0; +#if defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) + XFILE f; + const char* rsaPssPubKey = "./certs/rsapss/ca-rsapss-key.der"; + const char* rsaPssPubKeyNoParams = "./certs/rsapss/ca-3072-rsapss-key.der"; + byte buf[4096]; +#endif tmp = (byte*)XMALLOC(GEN_BUF, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { @@ -18592,6 +18654,23 @@ static int test_wc_RsaPublicKeyDecode(void) ret = (ret == 0 && tstKeySz == keySz/8) ? 0 : WOLFSSL_FATAL_ERROR; } +#if defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) + f = XFOPEN(rsaPssPubKey, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + idx = 0; + AssertIntEQ(wc_RsaPublicKeyDecode_ex(buf, &idx, bytes, NULL, NULL, NULL, + NULL), 0); + f = XFOPEN(rsaPssPubKeyNoParams, "rb"); + AssertTrue((f != XBADFILE)); + bytes = (int)XFREAD(buf, 1, sizeof(buf), f); + XFCLOSE(f); + idx = 0; + AssertIntEQ(wc_RsaPublicKeyDecode_ex(buf, &idx, bytes, NULL, NULL, NULL, + NULL), 0); +#endif + if (tmp != NULL) { XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); } @@ -57044,6 +57123,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_CertManagerNameConstraint4), TEST_DECL(test_wolfSSL_CertManagerNameConstraint5), TEST_DECL(test_wolfSSL_FPKI), + TEST_DECL(test_wolfSSL_CertRsaPss), TEST_DECL(test_wolfSSL_CertManagerCRL), TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex), TEST_DECL(test_wolfSSL_CTX_load_verify_buffer_ex), diff --git a/tests/include.am b/tests/include.am index 8fd30f617..77a4a1ca9 100644 --- a/tests/include.am +++ b/tests/include.am @@ -48,6 +48,7 @@ EXTRA_DIST += tests/unit.h \ tests/test-sctp.conf \ tests/test-sctp-sha2.conf \ tests/test-sig.conf \ + tests/test-rsapss.conf \ tests/test-ed25519.conf \ tests/test-ed448.conf \ tests/test-enckeys.conf \ diff --git a/tests/suites.c b/tests/suites.c index fa31b98b7..5add18ab0 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -916,6 +916,20 @@ int SuiteTest(int argc, char** argv) } #endif #endif +#if defined(WC_RSA_PSS) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) && \ + (!defined(HAVE_SELFTEST) || (defined(HAVE_SELFTEST_VERSION) && \ + (HAVE_SELFTEST_VERSION > 2))) + /* add RSA-PSS certificate cipher suite tests */ + XSTRLCPY(argv0[1], "tests/test-rsapss.conf", sizeof(argv0[1])); + printf("starting RSA-PSS extra cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + args.return_code = EXIT_FAILURE; + goto exit; + } +#endif #if defined(HAVE_CURVE25519) && defined(HAVE_ED25519) && \ defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_VERIFY) && \ defined(HAVE_ED25519_KEY_IMPORT) && defined(HAVE_ED25519_KEY_EXPORT) diff --git a/tests/test-rsapss.conf b/tests/test-rsapss.conf new file mode 100644 index 000000000..642feaae2 --- /dev/null +++ b/tests/test-rsapss.conf @@ -0,0 +1,74 @@ +# server TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-d + +# client TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-A ./certs/rsapss/root-rsapss.pem +-C + +# server TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-A ./certs/rsapss/client-rsapss.pem +-V + +# client TLSv1.2 - RSA PSS SHA256 MGF1 SHA256 +-v 3 +-l DHE-RSA-AES128-GCM-SHA256 +-c ./certs/rsapss/client-rsapss.pem +-k ./certs/rsapss/client-rsapss-priv.pem +-A ./certs/rsapss/root-rsapss.pem +-C + +# server TLSv1.2 - RSA PSS SHA384 MGF1 SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-c ./certs/rsapss/server-3072-rsapss.pem +-k ./certs/rsapss/server-3072-rsapss-priv.pem +-A ./certs/rsapss/client-3072-rsapss.pem +-V + +# client TLSv1.2 - RSA PSS SHA384 MGF1 SHA384 +-v 3 +-l DHE-RSA-AES256-GCM-SHA384 +-c ./certs/rsapss/client-3072-rsapss.pem +-k ./certs/rsapss/client-3072-rsapss-priv.pem +-A ./certs/rsapss/root-3072-rsapss.pem +-C + +# server TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-d + +# client TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-A ./certs/rsapss/root-rsapss.pem +-C + +# server TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-c ./certs/rsapss/server-rsapss.pem +-k ./certs/rsapss/server-rsapss-priv.pem +-A ./certs/rsapss/client-rsapss.pem +-V + +# client TLSv1.3 - RSA PSS SHA384 MGF1 SHA384 +-v 4 +-l TLS13-AES256-GCM-SHA384 +-c ./certs/rsapss/client-rsapss.pem +-k ./certs/rsapss/client-rsapss-priv.pem +-A ./certs/rsapss/root-rsapss.pem +-C + diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2c35cca5d..4d352b71c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2564,6 +2564,53 @@ static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx) *inOutIdx = idx; return b; } + +#ifdef WC_RSA_PSS +/* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than + * 16 bits. + * + * input Buffer holding DER/BER encoded data. + * inOutIdx Current index into buffer to parse. + * maxIdx Length of data in buffer. + * returns BUFFER_E when there is not enough data to parse. + * ASN_PARSE_E when the INTEGER tag is not found or length is invalid. + * Otherwise, the 16-bit value. + */ +static int GetInteger16Bit(const byte* input, word32* inOutIdx, word32 maxIdx) +{ + word32 idx = *inOutIdx; + byte tag; + word16 n; + + if ((idx + 2) > maxIdx) + return BUFFER_E; + + if (GetASNTag(input, &idx, &tag, maxIdx) != 0) + return ASN_PARSE_E; + if (tag != ASN_INTEGER) + return ASN_PARSE_E; + if (input[idx] == 1) { + idx++; + if ((idx + 1) > maxIdx) { + return ASN_PARSE_E; + } + n = input[idx++]; + } + else if (input[idx] == 2) { + idx++; + if ((idx + 2) > maxIdx) { + return ASN_PARSE_E; + } + n = input[idx++]; + n = (n << 8) | input[idx++]; + } + else + return ASN_PARSE_E; + + *inOutIdx = idx; + return n; +} +#endif #endif /* !NO_CERTS */ #endif /* !WOLFSSL_ASN_TEMPLATE */ @@ -2607,6 +2654,9 @@ static const char sigSha256wDsaName[] = "SHA256wDSA"; static const char sigSha3_512wRsaName[] = "sha3_512WithRSAEncryption"; #endif #endif +#ifdef WC_RSA_PSS + static const char sigRsaSsaPssName[] = "rsassaPss"; +#endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -2701,6 +2751,10 @@ const char* GetSigName(int oid) { return sigSha3_512wRsaName; #endif #endif + #ifdef WC_RSA_PSS + case CTC_RSASSAPSS: + return sigRsaSsaPssName; + #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -3885,6 +3939,9 @@ static word32 SetBitString16Bit(word16 val, byte* output) static const byte sigSha3_512wRsaOid[] = {96, 134, 72, 1, 101, 3, 4, 3, 16}; #endif #endif + #ifdef WC_RSA_PSS + static const byte sigRsaSsaPssOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 10}; + #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -3937,6 +3994,9 @@ static word32 SetBitString16Bit(word16 val, byte* output) #endif /* NO_DSA */ #ifndef NO_RSA static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; +#ifdef WC_RSA_PSS + static const byte keyRsaPssOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 10}; +#endif #endif /* NO_RSA */ #ifdef HAVE_ECC static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; @@ -4131,7 +4191,8 @@ static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; /* csrAttrType */ #define CSR_ATTR_TYPE_OID_BASE(num) {42, 134, 72, 134, 247, 13, 1, 9, num} #if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \ - defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_ASN_TEMPLATE) static const byte attrEmailOid[] = CSR_ATTR_TYPE_OID_BASE(1); #endif #ifdef WOLFSSL_CERT_REQ @@ -4183,7 +4244,11 @@ static const byte dnsSRVOid[] = {43, 6, 1, 5, 5, 7, 8, 7}; defined(WOLFSSL_ASN_TEMPLATE) /* Pilot attribute types (0.9.2342.19200300.100.1.*) */ static const byte uidOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 1}; /* user id */ +#endif +#if defined(WOLFSSL_CERT_GEN) || \ + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_ASN_TEMPLATE) static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* domain component */ #endif @@ -4377,6 +4442,12 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) break; #endif #endif + #ifdef WC_RSA_PSS + case CTC_RSASSAPSS: + oid = sigRsaSsaPssOid; + *oidSz = sizeof(sigRsaSsaPssOid); + break; + #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA @@ -4471,12 +4542,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) *oidSz = sizeof(keyDsaOid); break; #endif /* NO_DSA */ - #ifndef NO_RSA + #ifndef NO_RSA case RSAk: oid = keyRsaOid; *oidSz = sizeof(keyRsaOid); break; - #endif /* NO_RSA */ + #ifdef WC_RSA_PSS + case RSAPSSk: + oid = keyRsaPssOid; + *oidSz = sizeof(keyRsaPssOid); + break; + #endif + #endif /* NO_RSA */ #ifdef HAVE_ECC case ECDSAk: oid = keyEcdsaOid; @@ -5606,8 +5683,8 @@ int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, /* Set OID type expected. */ GetASN_OID(&dataASN[ALGOIDASN_IDX_OID], oidType); /* Decode the algorithm identifier. */ - ret = GetASN_Items(algoIdASN, dataASN, algoIdASN_Length, 0, input, inOutIdx, - maxIdx); + ret = GetASN_Items(algoIdASN, dataASN, algoIdASN_Length, 0, input, + inOutIdx, maxIdx); } if (ret == 0) { /* Return the OID id/sum. */ @@ -5621,6 +5698,349 @@ int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, #ifndef NO_RSA +#ifdef WC_RSA_PSS +/* RFC 8017 - PKCS #1 has RSA PSS parameter ASN definition. */ + +/* Convert a hash OID to a hash type. + * + * @param [in] oid Hash OID. + * @param [out] type Hash type. + * @return 0 on success. + * @return ASN_PARSE_E when hash OID not supported for RSA PSS. + */ +static int RsaPssHashOidToType(word32 oid, enum wc_HashType* type) +{ + int ret = 0; + + switch (oid) { + /* SHA-1 is missing as it is the default is not allowed to appear. */ +#ifdef WOLFSSL_SHA224 + case SHA224h: + *type = WC_HASH_TYPE_SHA224; + break; +#endif +#ifndef NO_SHA256 + case SHA256h: + *type = WC_HASH_TYPE_SHA256; + break; +#endif +#ifdef WOLFSSL_SHA384 + case SHA384h: + *type = WC_HASH_TYPE_SHA384; + break; +#endif +#ifdef WOLFSSL_SHA512 + case SHA512h: + *type = WC_HASH_TYPE_SHA512; + break; + /* TODO: SHA512_224h */ + /* TODO: SHA512_256h */ +#endif + default: + ret = ASN_PARSE_E; + break; + } + + return ret; +} + +/* Convert a hash OID to a MGF1 type. + * + * @param [in] oid Hash OID. + * @param [out] mgf MGF type. + * @return 0 on success. + * @return ASN_PARSE_E when hash OID not supported for RSA PSS. + */ +static int RsaPssHashOidToMgf1(word32 oid, int* mgf) +{ + int ret = 0; + + switch (oid) { + /* SHA-1 is missing as it is the default is not allowed to appear. */ +#ifdef WOLFSSL_SHA224 + case SHA224h: + *mgf = WC_MGF1SHA224; + break; +#endif +#ifndef NO_SHA256 + case SHA256h: + *mgf = WC_MGF1SHA256; + break; +#endif +#ifdef WOLFSSL_SHA384 + case SHA384h: + *mgf = WC_MGF1SHA384; + break; +#endif +#ifdef WOLFSSL_SHA512 + case SHA512h: + *mgf = WC_MGF1SHA512; + break; + /* TODO: SHA512_224h */ + /* TODO: SHA512_256h */ +#endif + default: + ret = ASN_PARSE_E; + break; + } + + return ret; +} + +/* Convert a hash OID to a fake signature OID. + * + * @param [in] oid Hash OID. + * @param [out] sigOid Signature OID to pass wto HashForSignature(). + * @return 0 on success. + * @return ASN_PARSE_E when hash OID not supported for RSA PSS. + */ +static int RsaPssHashOidToSigOid(word32 oid, word32* sigOid) +{ + int ret = 0; + + switch (oid) { +#ifndef NO_SHA + case WC_HASH_TYPE_SHA: + *sigOid = CTC_SHAwRSA; + break; +#endif +#ifdef WOLFSSL_SHA224 + case WC_HASH_TYPE_SHA224: + *sigOid = CTC_SHA224wRSA; + break; +#endif +#ifndef NO_SHA256 + case WC_HASH_TYPE_SHA256: + *sigOid = CTC_SHA256wRSA; + break; +#endif +#ifdef WOLFSSL_SHA384 + case WC_HASH_TYPE_SHA384: + *sigOid = CTC_SHA384wRSA; + break; +#endif +#ifdef WOLFSSL_SHA512 + case WC_HASH_TYPE_SHA512: + *sigOid = CTC_SHA512wRSA; + break; +#endif + /* TODO: SHA512_224h */ + /* TODO: SHA512_256h */ + /* Not supported by HashForSignature() */ + default: + ret = ASN_PARSE_E; + break; + } + + return ret; +} + +#ifdef WOLFSSL_ASN_TEMPLATE +/* ASN tag for hashAlgorigthm. */ +#define ASN_TAG_RSA_PSS_HASH (ASN_CONTEXT_SPECIFIC | 0) +/* ASN tag for maskGenAlgorithm. */ +#define ASN_TAG_RSA_PSS_MGF (ASN_CONTEXT_SPECIFIC | 1) +/* ASN tag for saltLength. */ +#define ASN_TAG_RSA_PSS_SALTLEN (ASN_CONTEXT_SPECIFIC | 2) +/* ASN tag for trailerField. */ +#define ASN_TAG_RSA_PSS_TRAILER (ASN_CONTEXT_SPECIFIC | 3) + +/* ASN.1 template for RSA PSS parameters. */ +static const ASNItem rsaPssParamsASN[] = { +/* SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, +/* HASH */ { 1, ASN_TAG_RSA_PSS_HASH, 1, 1, 1 }, +/* HASHSEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, +/* HASHOID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, +/* HASHNULL */ { 3, ASN_TAG_NULL, 0, 0, 1 }, +/* MGF */ { 1, ASN_TAG_RSA_PSS_MGF, 1, 1, 1 }, +/* MGFSEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, +/* MGFOID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, +/* MGFPARAM */ { 3, ASN_SEQUENCE, 1, 1, 0 }, +/* MGFHOID */ { 4, ASN_OBJECT_ID, 0, 0, 0 }, +/* MGFHNULL */ { 4, ASN_TAG_NULL, 0, 0, 1 }, +/* SALTLEN */ { 1, ASN_TAG_RSA_PSS_SALTLEN, 1, 1, 1 }, +/* SALTLENINT */ { 2, ASN_INTEGER, 0, 0, 0 }, +/* TRAILER */ { 1, ASN_TAG_RSA_PSS_TRAILER, 1, 1, 1 }, +/* TRAILERINT */ { 2, ASN_INTEGER, 0, 0, 0 }, +}; +enum { + RSAPSSPARAMSASN_IDX_SEQ = 0, + RSAPSSPARAMSASN_IDX_HASH, + RSAPSSPARAMSASN_IDX_HASHSEQ, + RSAPSSPARAMSASN_IDX_HASHOID, + RSAPSSPARAMSASN_IDX_HASHNULL, + RSAPSSPARAMSASN_IDX_MGF, + RSAPSSPARAMSASN_IDX_MGFSEQ, + RSAPSSPARAMSASN_IDX_MGFOID, + RSAPSSPARAMSASN_IDX_MGFPARAM, + RSAPSSPARAMSASN_IDX_MGFHOID, + RSAPSSPARAMSASN_IDX_MGFHNULL, + RSAPSSPARAMSASN_IDX_SALTLEN, + RSAPSSPARAMSASN_IDX_SALTLENINT, + RSAPSSPARAMSASN_IDX_TRAILER, + RSAPSSPARAMSASN_IDX_TRAILERINT, +}; + +/* Number of items in ASN.1 template for an algorithm identifier. */ +#define rsaPssParamsASN_Length (sizeof(rsaPssParamsASN) / sizeof(ASNItem)) +#else +/* ASN tag for hashAlgorigthm. */ +#define ASN_TAG_RSA_PSS_HASH (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0) +/* ASN tag for maskGenAlgorithm. */ +#define ASN_TAG_RSA_PSS_MGF (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1) +/* ASN tag for saltLength. */ +#define ASN_TAG_RSA_PSS_SALTLEN (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2) +/* ASN tag for trailerField. */ +#define ASN_TAG_RSA_PSS_TRAILER (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 3) +#endif + +/* Decode the RSA PSS parameters. + * + * @param [in] params Buffer holding BER encoded RSA PSS parameters. + * @param [in] sz Size of data in buffer in bytes. + * @param [out] hash Hash algorithm to use on message. + * @param [out] mgf MGF algorithm to use with PSS padding. + * @param [out] saltLen Length of salt in PSS padding. + * @return ASN_PARSE_E when the decoding fails. + * @return 0 on success. + */ +static int DecodeRsaPssParams(const byte* params, word32 sz, + enum wc_HashType* hash, int* mgf, int* saltLen) +{ +#ifndef WOLFSSL_ASN_TEMPLATE + int ret = 0; + word32 idx = 0; + int len = 0; + word32 oid; + byte tag; + int length; + + if (GetSequence_ex(params, &idx, &len, sz, 1) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_HASH)) { + /* Hash algorithm to use on message. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + if (GetAlgoId(params, &idx, &oid, oidHashType, sz) < 0) { + ret = ASN_PARSE_E; + } + } + if (ret == 0) { + ret = RsaPssHashOidToType(oid, hash); + } + } + else { + /* Default hash algorithm. */ + *hash = WC_HASH_TYPE_SHA; + } + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_MGF)) { + /* MGF and hash algorithm to use with padding. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + if (GetAlgoId(params, &idx, &oid, oidIgnoreType, sz) < 0) { + ret = ASN_PARSE_E; + } + } + if ((ret == 0) && (oid != MGF1_OID)) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + ret = GetAlgoId(params, &idx, &oid, oidHashType, sz); + if (ret == 0) { + ret = RsaPssHashOidToMgf1(oid, mgf); + } + } + } + else { + /* Default MGF/Hash algorithm. */ + *mgf = WC_MGF1SHA1; + } + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_SALTLEN)) { + /* Salt length to use with padding. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + ret = GetInteger16Bit(params, &idx, sz); + if (ret >= 0) { + *saltLen = ret; + ret = 0; + } + } + } + else { + /* Default salt length. */ + *saltLen = 20; + } + } + if (ret == 0) { + if ((idx < sz) && (params[idx] == ASN_TAG_RSA_PSS_TRAILER)) { + /* Unused - trialerField. */ + if (GetHeader(params, &tag, &idx, &length, sz, 0) < 0) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + ret = GetInteger16Bit(params, &idx, sz); + if (ret > 0) { + ret = 0; + } + } + } + } + if ((ret == 0) && (idx != sz)) { + ret = ASN_PARSE_E; + } + + return ret; +#else + DECL_ASNGETDATA(dataASN, rsaPssParamsASN_Length); + int ret = 0; + word16 sLen = 20; + + CALLOC_ASNGETDATA(dataASN, rsaPssParamsASN_Length, ret, NULL); + if (ret == 0) { + word32 inOutIdx = 0; + /* Default values. */ + *hash = WC_HASH_TYPE_SHA; + *mgf = WC_MGF1SHA1; + + /* Set OID type expected. */ + GetASN_OID(&dataASN[RSAPSSPARAMSASN_IDX_HASHOID], oidHashType); + GetASN_OID(&dataASN[RSAPSSPARAMSASN_IDX_MGFHOID], oidHashType); + /* Place the salt length into 16-bit var sLen. */ + GetASN_Int16Bit(&dataASN[RSAPSSPARAMSASN_IDX_SALTLENINT], &sLen); + /* Decode the algorithm identifier. */ + ret = GetASN_Items(rsaPssParamsASN, dataASN, rsaPssParamsASN_Length, 1, + params, &inOutIdx, sz); + } + if ((ret == 0) && (dataASN[RSAPSSPARAMSASN_IDX_HASHOID].tag != 0)) { + word32 oid = dataASN[RSAPSSPARAMSASN_IDX_HASHOID].data.oid.sum; + ret = RsaPssHashOidToType(oid, hash); + } + if ((ret == 0) && (dataASN[RSAPSSPARAMSASN_IDX_MGFHOID].tag != 0)) { + word32 oid = dataASN[RSAPSSPARAMSASN_IDX_MGFHOID].data.oid.sum; + ret = RsaPssHashOidToMgf1(oid, mgf); + } + if (ret == 0) { + *saltLen = sLen; + } + + FREE_ASNGETDATA(dataASN, NULL); + return ret; +#endif /* WOLFSSL_ASN_TEMPLATE */ +} +#endif /* WC_RSA_PSS */ + #ifndef HAVE_USER_RSA #if defined(WOLFSSL_ASN_TEMPLATE) || (!defined(NO_CERTS) && \ (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \ @@ -5878,6 +6298,9 @@ static const ASNItem pkcs8KeyASN[] = { /* PKEY_ALGO_OID_KEY */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* PKEY_ALGO_OID_CURVE */ { 2, ASN_OBJECT_ID, 0, 0, 1 }, /* PKEY_ALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +#ifdef WC_RSA_PSS +/* PKEY_ALGO_PARAM_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* PKEY_DATA */ { 1, ASN_OCTET_STRING, 0, 0, 0 }, /* attributes [0] Attributes OPTIONAL */ /* [[2: publicKey [1] PublicKey OPTIONAL ]] */ @@ -5889,6 +6312,9 @@ enum { PKCS8KEYASN_IDX_PKEY_ALGO_OID_KEY, PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE, PKCS8KEYASN_IDX_PKEY_ALGO_NULL, +#ifdef WC_RSA_PSS + PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ, +#endif PKCS8KEYASN_IDX_PKEY_DATA, }; @@ -5939,6 +6365,29 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, return ASN_PARSE_E; idx = idx - 1; /* reset idx after finding tag */ +#ifdef WC_RSA_PSS + if (*algId == RSAPSSk && tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { + word32 seqIdx = idx; + int seqLen; + /* Not set when -1. */ + enum wc_HashType hash = WC_HASH_TYPE_NONE; + int mgf = -1; + int saltLen = 0; + + if (GetSequence(input, &idx, &seqLen, sz) < 0) { + return ASN_PARSE_E; + } + /* Get the private key parameters. */ + ret = DecodeRsaPssParams(input + seqIdx, + seqLen + idx - seqIdx, &hash, &mgf, &saltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* TODO: store parameters so that usage can be checked. */ + idx += seqLen; + } +#endif + if (tag == ASN_OBJECT_ID) { if (SkipObjectId(input, &idx, sz) < 0) return ASN_PARSE_E; @@ -5995,7 +6444,7 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, } if (ret == 0) { switch (oid) { - #ifndef NO_RSA + #ifndef NO_RSA case RSAk: /* Must have NULL item but not OBJECT_ID item. */ if ((dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag == 0) || @@ -6003,7 +6452,32 @@ int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz, ret = ASN_PARSE_E; } break; + #ifdef WC_RSA_PSS + case RSAPSSk: + /* Must not have NULL item. */ + if (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].tag != 0) { + ret = ASN_PARSE_E; + } + if (dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ].tag != 0) { + enum wc_HashType hash; + int mgf; + int saltLen; + const byte* params = GetASNItem_Addr( + dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ], input); + word32 paramsSz = GetASNItem_Length( + dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ], input); + + /* Validate the private key parameters. */ + ret = DecodeRsaPssParams(params, paramsSz, &hash, &mgf, + &saltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* TODO: store parameters so that usage can be checked. */ + } + break; #endif + #endif #ifdef HAVE_ECC case ECDSAk: /* Must not have NULL item. */ @@ -6251,6 +6725,9 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, } /* Only RSA keys have NULL tagged item after OID. */ dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_NULL].noOut = (algoID != RSAk); + #ifdef WC_RSA_PSS + dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ].noOut = 1; + #endif /* Set key data to encode. */ SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_DATA], key, keySz); @@ -6303,7 +6780,11 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT) /* test if RSA key */ - if (ks == RSAk) { + if (ks == RSAk + #ifdef WC_RSA_PSS + || ks == RSAPSSk + #endif + ) { #ifdef WOLFSSL_SMALL_STACK RsaKey* a; RsaKey* b = NULL; @@ -8127,6 +8608,7 @@ static int RsaPublicKeyDecodeRawIndex(const byte* input, word32* inOutIdx, if (ret != 0) return ret; } + /* TODO: support RSA PSS */ /* should have bit tag length and seq next */ ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); @@ -8171,6 +8653,9 @@ static const ASNItem rsaPublicKeyASN[] = { /* ALGOID_SEQ */ { 1, ASN_SEQUENCE, 1, 1, 0 }, /* ALGOID_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* ALGOID_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +#ifdef WC_RSA_PSS +/* ALGOID_P_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* PUBKEY */ { 1, ASN_BIT_STRING, 0, 1, 0 }, /* RSAPublicKey */ /* PUBKEY_RSA_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 0 }, @@ -8182,6 +8667,9 @@ enum { RSAPUBLICKEYASN_IDX_ALGOID_SEQ, RSAPUBLICKEYASN_IDX_ALGOID_OID, RSAPUBLICKEYASN_IDX_ALGOID_NULL, +#ifdef WC_RSA_PSS + RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ, +#endif RSAPUBLICKEYASN_IDX_PUBKEY, RSAPUBLICKEYASN_IDX_PUBKEY_RSA_SEQ, RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N, @@ -8259,6 +8747,14 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, if (ret != 0) return ret; } + #ifdef WC_RSA_PSS + /* Skip RSA PSS parameters. */ + else if (tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return ASN_PARSE_E; + *inOutIdx += length; + } + #endif /* should have bit tag length and seq next */ ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL); @@ -8296,6 +8792,9 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, #else DECL_ASNGETDATA(dataASN, rsaPublicKeyASN_Length); int ret = 0; +#ifdef WC_RSA_PSS + word32 oid = RSAk; +#endif /* Check validity of parameters. */ if (input == NULL || inOutIdx == NULL) { @@ -8312,15 +8811,52 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, 0, input, inOutIdx, inSz); if (ret != 0) { /* Didn't work - try whole SubjectKeyInfo instead. */ + #ifdef WC_RSA_PSS + /* Could be RSA or RSA PSS key. */ + GetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], oidKeyType); + #else /* Set the OID to expect. */ GetASN_ExpBuffer(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], keyRsaOid, sizeof(keyRsaOid)); + #endif /* Decode SubjectKeyInfo. */ ret = GetASN_Items(rsaPublicKeyASN, dataASN, rsaPublicKeyASN_Length, 1, input, inOutIdx, inSz); } } +#ifdef WC_RSA_PSS + if ((ret == 0) && (dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID].tag != 0)) { + /* Two possible OIDs supported - RSA and RSA PSS. */ + oid = dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID].data.oid.sum; + if ((oid != RSAk) && (oid != RSAPSSk)) { + ret = ASN_PARSE_E; + } + } + if ((ret == 0) && (dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ].tag != 0)) { + /* Can't have NULL and SEQ. */ + if (dataASN[RSAPUBLICKEYASN_IDX_ALGOID_NULL].tag != 0) { + ret = ASN_PARSE_E; + } + /* SEQ present only with RSA PSS. */ + if ((ret == 0) && (oid != RSAPSSk)) { + ret = ASN_PARSE_E; + } + if (ret == 0) { + enum wc_HashType hash; + int mgf; + int saltLen; + const byte* params = GetASNItem_Addr( + dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ], input); + word32 paramsSz = GetASNItem_Length( + dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ], input); + + /* Validate the private key parameters. */ + ret = DecodeRsaPssParams(params, paramsSz, &hash, &mgf, &saltLen); + /* TODO: store parameters so that usage can be checked. */ + } + } +#endif if (ret == 0) { /* Return the buffers and lengths asked for. */ if (n != NULL) { @@ -10592,12 +11128,58 @@ static int GetCertKey(DecodedCert* cert, const byte* source, word32* inOutIdx, /* Parse each type of public key. */ switch (cert->keyOID) { - #ifndef NO_RSA +#ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + if (srcIdx != maxIdx && + source[srcIdx] == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { + word32 seqIdx = srcIdx; + int seqLen; + /* Not set when -1. */ + enum wc_HashType hash = WC_HASH_TYPE_NONE; + int mgf = -1; + int saltLen = 0; + /* Defaults for sig algorithm parameters. */ + enum wc_HashType sigHash = WC_HASH_TYPE_SHA; + int sigMgf = WC_MGF1SHA1; + int sigSaltLen = 20; + + if (GetSequence(source, &srcIdx, &seqLen, maxIdx) < 0) { + return ASN_PARSE_E; + } + /* Get the pubic key parameters. */ + ret = DecodeRsaPssParams(source + seqIdx, + seqLen + srcIdx - seqIdx, &hash, &mgf, &saltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* Get the signature parameters. */ + ret = DecodeRsaPssParams(source + cert->sigParamsIndex, + cert->sigParamsLength, &sigHash, &sigMgf, &sigSaltLen); + if (ret != 0) { + return ASN_PARSE_E; + } + /* Validated signature params match public key params. */ + if (hash != WC_HASH_TYPE_NONE && hash != sigHash) { + WOLFSSL_MSG("RSA PSS: hash not matching signature hash"); + return ASN_PARSE_E; + } + if (mgf != -1 && mgf != sigMgf) { + WOLFSSL_MSG("RSA PSS: MGF not matching signature MGF"); + return ASN_PARSE_E; + } + if (saltLen > sigSaltLen) { + WOLFSSL_MSG("RSA PSS: sig salt length too small"); + return ASN_PARSE_E; + } + srcIdx += seqLen; + } + FALL_THROUGH; + #endif /* WC_RSA_PSS */ case RSAk: ret = StoreRsaKey(cert, source, &srcIdx, maxIdx); break; - - #endif /* NO_RSA */ +#endif /* NO_RSA */ #ifdef HAVE_ECC case ECDSAk: ret = StoreEccKey(cert, source, &srcIdx, maxIdx, source + pubIdx, @@ -13142,6 +13724,47 @@ int wc_GetCertDates(Cert* cert, struct tm* before, struct tm* after) #endif /* WOLFSSL_CERT_GEN && WOLFSSL_ALT_NAMES */ #endif /* !NO_ASN_TIME */ +#ifndef WOLFSSL_ASN_TEMPLATE +static int GetSigAlg(DecodedCert* cert, word32* sigOid, word32 maxIdx) +{ + int length; + word32 endSeqIdx; + + if (GetSequence(cert->source, &cert->srcIdx, &length, maxIdx) < 0) + return ASN_PARSE_E; + endSeqIdx = cert->srcIdx + length; + + if (GetObjectId(cert->source, &cert->srcIdx, sigOid, oidSigType, + maxIdx) < 0) { + return ASN_OBJECT_ID_E; + } + + if (cert->srcIdx != endSeqIdx) { +#ifdef WC_RSA_PSS + if (*sigOid == CTC_RSASSAPSS) { + cert->sigParamsIndex = cert->srcIdx; + cert->sigParamsLength = endSeqIdx - cert->srcIdx; + } + else +#endif + /* Only allowed a ASN NULL header with zero length. */ + if (endSeqIdx - cert->srcIdx != 2) + return ASN_PARSE_E; + else { + byte tag; + if (GetASNTag(cert->source, &cert->srcIdx, &tag, endSeqIdx) != 0) + return ASN_PARSE_E; + if (tag != ASN_TAG_NULL) + return ASN_PARSE_E; + } + } + + cert->srcIdx = endSeqIdx; + + return 0; +} +#endif + #ifdef WOLFSSL_ASN_TEMPLATE /* TODO: move code around to not require this. */ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, @@ -13185,8 +13808,7 @@ int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate) #endif /* Using the sigIndex as the upper bound because that's where the * actual certificate data ends. */ - if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, - oidSigType, cert->sigIndex)) < 0) + if ((ret = GetSigAlg(cert, &cert->signatureOID, cert->sigIndex)) < 0) return ret; WOLFSSL_MSG("Got Algo ID"); @@ -13800,6 +14422,9 @@ void FreeSignatureCtx(SignatureCtx* sigCtx) if (sigCtx->key.ptr) { switch (sigCtx->keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: wc_FreeRsaKey(sigCtx->key.rsa); XFREE(sigCtx->key.rsa, sigCtx->heap, DYNAMIC_TYPE_RSA); @@ -14008,9 +14633,17 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, static int ConfirmSignature(SignatureCtx* sigCtx, const byte* buf, word32 bufSz, const byte* key, word32 keySz, word32 keyOID, - const byte* sig, word32 sigSz, word32 sigOID, byte* rsaKeyIdx) + const byte* sig, word32 sigSz, word32 sigOID, + const byte* sigParams, word32 sigParamsSz, + byte* rsaKeyIdx) { int ret = 0; +#ifdef WC_RSA_PSS + /* Defaults */ + enum wc_HashType hash = WC_HASH_TYPE_SHA; + int mgf = WC_MGF1SHA1; + int saltLen = 20; +#endif if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL || keySz == 0 || sig == NULL || sigSz == 0) { @@ -14021,6 +14654,8 @@ static int ConfirmSignature(SignatureCtx* sigCtx, (void)keySz; (void)sig; (void)sigSz; + (void)sigParams; + (void)sigParamsSz; WOLFSSL_ENTER("ConfirmSignature"); @@ -14057,10 +14692,33 @@ static int ConfirmSignature(SignatureCtx* sigCtx, case SIG_STATE_HASH: { - ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest, - &sigCtx->typeH, &sigCtx->digestSz, 1); - if (ret != 0) { - goto exit_cs; + #ifdef WC_RSA_PSS + if (keyOID == RSAPSSk) { + word32 fakeSigOID = 0; + ret = DecodeRsaPssParams(sigParams, sigParamsSz, &hash, &mgf, + &saltLen); + if (ret != 0) { + goto exit_cs; + } + ret = RsaPssHashOidToSigOid(hash, &fakeSigOID); + if (ret != 0) { + goto exit_cs; + } + /* Decode parameters. */ + ret = HashForSignature(buf, bufSz, fakeSigOID, sigCtx->digest, + &sigCtx->typeH, &sigCtx->digestSz, 1); + if (ret != 0) { + goto exit_cs; + } + } + else + #endif + { + ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest, + &sigCtx->typeH, &sigCtx->digestSz, 1); + if (ret != 0) { + goto exit_cs; + } } sigCtx->state = SIG_STATE_KEY; @@ -14071,6 +14729,9 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { switch (keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #endif case RSAk: { word32 idx = 0; @@ -14371,6 +15032,13 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { switch (keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + /* TODO: pkCbRsaPss - RSA PSS callback. */ + ret = wc_RsaPSS_VerifyInline_ex(sigCtx->sigCpy, sigSz, + &sigCtx->out, hash, mgf, saltLen, sigCtx->key.rsa); + break; + #endif case RSAk: { #if defined(HAVE_PK_CALLBACKS) @@ -14480,6 +15148,29 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { switch (keyOID) { #ifndef NO_RSA + #ifdef WC_RSA_PSS + case RSAPSSk: + #if (defined(HAVE_SELFTEST) && \ + (!defined(HAVE_SELFTEST_VERSION) || \ + (HAVE_SELFTEST_VERSION < 2))) || \ + (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION < 2)) + ret = wc_RsaPSS_CheckPadding_ex(sigCtx->digest, + sigCtx->digestSz, sigCtx->out, ret, hash, saltLen); + #elif (defined(HAVE_SELFTEST) && \ + (HAVE_SELFTEST_VERSION == 2)) || \ + (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION == 2)) + ret = wc_RsaPSS_CheckPadding_ex(sigCtx->digest, + sigCtx->digestSz, sigCtx->out, ret, hash, saltLen, + 0); + #else + ret = wc_RsaPSS_CheckPadding_ex2(sigCtx->digest, + sigCtx->digestSz, sigCtx->out, ret, hash, saltLen, + wc_RsaEncryptSize(sigCtx->key.rsa)*8, sigCtx->heap); + #endif + break; + #endif case RSAk: { int encodedSigSz, verifySz; @@ -18125,7 +18816,10 @@ static const ASNItem x509CertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* TBS_ALGOID_OID */ { 3, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* TBS_ALGOID_PARAMS */ { 3, ASN_TAG_NULL, 0, 0, 1 }, +/* TBS_ALGOID_PARAMS_NULL */ { 3, ASN_TAG_NULL, 0, 0, 2 }, +#ifdef WC_RSA_PSS +/* TBS_ALGOID_PARAMS */ { 3, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* issuer Name */ /* TBS_ISSUER_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 0 }, /* validity Validity */ @@ -18149,8 +18843,11 @@ static const ASNItem x509CertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* TBS_SPUBKEYINFO_ALGO_OID */ { 4, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* TBS_SPUBKEYINFO_ALGO_NOPARAMS */ { 4, ASN_TAG_NULL, 0, 0, 1 }, -/* TBS_SPUBKEYINFO_ALGO_CURVEID */ { 4, ASN_OBJECT_ID, 0, 0, 1 }, +/* TBS_SPUBKEYINFO_ALGO_NULL */ { 4, ASN_TAG_NULL, 0, 0, 2 }, +/* TBS_SPUBKEYINFO_ALGO_CURVEID */ { 4, ASN_OBJECT_ID, 0, 0, 2 }, +#ifdef WC_RSA_PSS +/* TBS_SPUBKEYINFO_ALGO_P_SEQ */ { 4, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* subjectPublicKey BIT STRING */ /* TBS_SPUBKEYINFO_PUBKEY */ { 3, ASN_BIT_STRING, 0, 0, 0 }, /* issuerUniqueID UniqueIdentfier OPTIONAL */ @@ -18166,7 +18863,10 @@ static const ASNItem x509CertASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* SIGALGO_PARAMS */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +/* SIGALGO_PARAMS_NULL */ { 2, ASN_TAG_NULL, 0, 0, 2 }, +#ifdef WC_RSA_PSS +/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 2 }, +#endif /* signature BIT STRING */ /* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, }; @@ -18178,7 +18878,10 @@ enum { X509CERTASN_IDX_TBS_SERIAL, X509CERTASN_IDX_TBS_ALGOID_SEQ, X509CERTASN_IDX_TBS_ALGOID_OID, + X509CERTASN_IDX_TBS_ALGOID_PARAMS_NULL, +#ifdef WC_RSA_PSS X509CERTASN_IDX_TBS_ALGOID_PARAMS, +#endif X509CERTASN_IDX_TBS_ISSUER_SEQ, X509CERTASN_IDX_TBS_VALIDITY_SEQ, X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC, @@ -18189,8 +18892,11 @@ enum { X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ, X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_SEQ, X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID, - X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_NOPARAMS, + X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_NULL, X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_CURVEID, +#ifdef WC_RSA_PSS + X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_P_SEQ, +#endif X509CERTASN_IDX_TBS_SPUBKEYINFO_PUBKEY, X509CERTASN_IDX_TBS_ISSUERUID, X509CERTASN_IDX_TBS_SUBJECTUID, @@ -18198,7 +18904,10 @@ enum { X509CERTASN_IDX_TBS_EXT_SEQ, X509CERTASN_IDX_SIGALGO_SEQ, X509CERTASN_IDX_SIGALGO_OID, + X509CERTASN_IDX_SIGALGO_PARAMS_NULL, +#ifdef WC_RSA_PSS X509CERTASN_IDX_SIGALGO_PARAMS, +#endif X509CERTASN_IDX_SIGNATURE, }; @@ -18379,6 +19088,72 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, } } + if ((ret == 0) && (!done)) { + /* Store the signature information. */ + cert->sigIndex = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset; + GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], + &cert->signature, &cert->sigLength); + /* Make sure 'signature' and 'signatureAlgorithm' are the same. */ + if (dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum + != cert->signatureOID) { + WOLFSSL_ERROR_VERBOSE(ASN_SIG_OID_E); + ret = ASN_SIG_OID_E; + } + /* Parameters not allowed after ECDSA or EdDSA algorithm OID. */ + else if (IsSigAlgoECC(cert->signatureOID)) { + if ((dataASN[X509CERTASN_IDX_SIGALGO_PARAMS_NULL].tag != 0) + #ifdef WC_RSA_PSS + || (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) + #endif + ) { + WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); + ret = ASN_PARSE_E; + } + } + #ifdef WC_RSA_PSS + /* Check parameters starting with a SEQUENCE. */ + else if (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) { + word32 oid = dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum; + word32 sigAlgParamsSz; + + /* Parameters only with RSA PSS. */ + if (oid != CTC_RSASSAPSS) { + WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); + ret = ASN_PARSE_E; + } + if (ret == 0) { + const byte* tbsParams; + word32 tbsParamsSz; + const byte* sigAlgParams; + + /* Check RSA PSS parameters are the same. */ + tbsParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert->source); + tbsParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert->source); + sigAlgParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert->source); + sigAlgParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert->source); + if ((tbsParamsSz != sigAlgParamsSz) || + (XMEMCMP(tbsParams, sigAlgParams, tbsParamsSz) != 0)) { + WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); + ret = ASN_PARSE_E; + } + } + if (ret == 0) { + /* Store parameters for use in signature verification. */ + cert->sigParamsIndex = + dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].offset; + cert->sigParamsLength = sigAlgParamsSz; + } + } + #endif + } if ((ret == 0) && (!done)) { /* Parse the public key. */ idx = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ].offset; @@ -18432,24 +19207,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, } } - if ((ret == 0) && (!done)) { - /* Store the signature information. */ - cert->sigIndex = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset; - GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], - &cert->signature, &cert->sigLength); - /* Make sure 'signature' and 'signatureAlgorithm' are the same. */ - if (dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum - != cert->signatureOID) { - WOLFSSL_ERROR_VERBOSE(ASN_SIG_OID_E); - ret = ASN_SIG_OID_E; - } - /* NULL tagged item not allowed after ECDSA or EdDSA algorithm OID. */ - if (IsSigAlgoECC(cert->signatureOID) && - (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { - WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); - ret = ASN_PARSE_E; - } - } if ((ret == 0) && (!done) && (badDate != 0)) { /* Parsed whole certificate fine but return any date errors. */ ret = badDate; @@ -18704,7 +19461,7 @@ static const ASNItem certReqASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* INFO_SPUBKEYINFO_ALGOID_OID */ { 4, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* INFO_SPUBKEYINFO_ALGOID_NOPARAMS */ { 4, ASN_TAG_NULL, 0, 0, 1 }, +/* INFO_SPUBKEYINFO_ALGOID_NULL */ { 4, ASN_TAG_NULL, 0, 0, 1 }, /* INFO_SPUBKEYINFO_ALGOID_CURVEID */ { 4, ASN_OBJECT_ID, 0, 0, 1 }, /* INFO_SPUBKEYINFO_ALGOID_PARAMS */ { 4, ASN_SEQUENCE, 1, 0, 1 }, /* subjectPublicKey BIT STRING */ @@ -18716,7 +19473,7 @@ static const ASNItem certReqASN[] = { /* Algorithm OBJECT IDENTIFIER */ /* INFO_SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* parameters ANY defined by algorithm OPTIONAL */ -/* INFO_SIGALGO_NOPARAMS */ { 2, ASN_TAG_NULL, 0, 0, 1 }, +/* INFO_SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, /* signature BIT STRING */ /* INFO_SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, }; @@ -18728,14 +19485,14 @@ enum { CERTREQASN_IDX_INFO_SPUBKEYINFO_SEQ, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_SEQ, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID, - CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_NOPARAMS, + CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_NULL, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_CURVEID, CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_PARAMS, CERTREQASN_IDX_INFO_SPUBKEYINFO_PUBKEY, CERTREQASN_IDX_INFO_ATTRS, CERTREQASN_IDX_INFO_SIGALGO_SEQ, CERTREQASN_IDX_INFO_SIGALGO_OID, - CERTREQASN_IDX_INFO_SIGALGO_NOPARAMS, + CERTREQASN_IDX_INFO_SIGALGO_NULL, CERTREQASN_IDX_INFO_SIGNATURE, }; @@ -18858,8 +19615,11 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm) #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_DYN_CERT) /* cert->publicKey not stored as copy if WOLFSSL_NO_MALLOC defined */ - if (cert->keyOID == RSAk && - cert->publicKey != NULL && cert->pubKeySize > 0) { + if ((cert->keyOID == RSAk + #ifdef WC_RSA_PSS + || cert->keyOID == RSAPSSk + #endif + ) && cert->publicKey != NULL && cert->pubKeySize > 0) { ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); if (ptr == NULL) @@ -19052,6 +19812,8 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, int ret = 0; word32 localIdx; byte tag; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; if (cert == NULL) { @@ -19103,9 +19865,22 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, idx += len; /* signature */ - if (!req && - GetAlgoId(cert, &idx, &signatureOID, oidSigType, certSz) < 0) - ret = ASN_PARSE_E; + if (!req) { + if (GetAlgoId(cert, &idx, &signatureOID, oidSigType, certSz) < 0) + ret = ASN_PARSE_E; + #ifdef WC_RSA_PSS + else if (signatureOID == CTC_RSASSAPSS) { + int start = idx; + sigParams = cert + idx; + if (GetSequence(cert, &idx, &len, certSz) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sigParamsSz = idx - start; + } + } + #endif + } } if (ret == 0) { @@ -19293,6 +20068,29 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, /* signatureAlgorithm */ if (GetAlgoId(cert, &idx, &oid, oidSigType, certSz) < 0) ret = ASN_PARSE_E; + #ifdef WC_RSA_PSS + else if (signatureOID == CTC_RSASSAPSS) { + word32 sz = idx; + const byte* params = cert + idx; + if (GetSequence(cert, &idx, &len, certSz) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sz = idx - sz; + + if (req) { + if ((sz != sigParamsSz) || + (XMEMCMP(sigParams, params, sz) != 0)) { + ret = ASN_PARSE_E; + } + } + else { + sigParams = params; + sigParamsSz = sz; + } + } + } + #endif /* In CSR signature data is not present in body */ if (req) signatureOID = oid; @@ -19310,15 +20108,14 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, if (ret == 0) { if (pubKey != NULL) { ret = ConfirmSignature(sigCtx, cert + tbsCertIdx, - sigIndex - tbsCertIdx, - pubKey, pubKeySz, pubKeyOID, - cert + idx, len, signatureOID, NULL); + sigIndex - tbsCertIdx, pubKey, pubKeySz, pubKeyOID, + cert + idx, len, signatureOID, sigParams, sigParamsSz, NULL); } else { ret = ConfirmSignature(sigCtx, cert + tbsCertIdx, - sigIndex - tbsCertIdx, - ca->publicKey, ca->pubKeySize, ca->keyOID, - cert + idx, len, signatureOID, NULL); + sigIndex - tbsCertIdx, ca->publicKey, ca->pubKeySize, + ca->keyOID, cert + idx, len, signatureOID, sigParams, + sigParamsSz, NULL); } if (ret != 0) { WOLFSSL_ERROR_VERBOSE(ret); @@ -19349,9 +20146,15 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, #endif const byte* tbs = NULL; word32 tbsSz = 0; +#ifdef WC_RSA_PSS + const byte* tbsParams = NULL; + word32 tbsParamsSz = 0; +#endif const byte* sig = NULL; word32 sigSz = 0; word32 sigOID = 0; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; const byte* caName = NULL; word32 caNameLen = 0; @@ -19403,7 +20206,37 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, caNameLen = GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ], cert); sigOID = dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum; + #ifdef WC_RSA_PSS + if (dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].tag != 0) { + tbsParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert); + tbsParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS], + cert); + } + if (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) { + sigParams = + GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + sigParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + } + #endif GetASN_GetConstRef(&dataASN[X509CERTASN_IDX_SIGNATURE], &sig, &sigSz); + #ifdef WC_RSA_PSS + if (tbsParamsSz != sigParamsSz) { + ret = ASN_PARSE_E; + } + else if ((tbsParamsSz > 0) && (sigOID != CTC_RSASSAPSS)) { + ret = ASN_PARSE_E; + } + else if ((tbsParamsSz > 0) && + (XMEMCMP(tbsParams, sigParams, tbsParamsSz) != 0)) { + ret = ASN_PARSE_E; + } + #endif } } else if (ret == 0) { @@ -19430,6 +20263,13 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, caNameLen = GetASNItem_Length( dataASN[CERTREQASN_IDX_INFO_SUBJ_SEQ], cert); sigOID = dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID].data.oid.sum; + #ifdef WC_RSA_PSS + sigParams = GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + sigParamsSz = + GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS], + cert); + #endif GetASN_GetConstRef(&dataASN[CERTREQASN_IDX_INFO_SIGNATURE], &sig, &sigSz); } @@ -19477,7 +20317,7 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap, if (ret == 0) { /* Check signature. */ ret = ConfirmSignature(sigCtx, tbs, tbsSz, pubKey, pubKeySz, pubKeyOID, - sig, sigSz, sigOID, NULL); + sig, sigSz, sigOID, sigParams, sigParamsSz, NULL); if (ret != 0) { WOLFSSL_MSG("Confirm signature failed"); } @@ -19767,13 +20607,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->srcIdx = cert->sigIndex; } - if ((ret = GetAlgoId(cert->source, &cert->srcIdx, + if ((ret = GetSigAlg(cert, #ifdef WOLFSSL_CERT_REQ !cert->isCSR ? &confirmOID : &cert->signatureOID, #else &confirmOID, #endif - oidSigType, cert->maxIdx)) < 0) { + cert->maxIdx)) < 0) { return ret; } @@ -20031,6 +20871,12 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->ca->publicKey, cert->ca->pubKeySize, cert->ca->keyOID, cert->signature, cert->sigLength, cert->signatureOID, + #ifdef WC_RSA_PSS + cert->source + cert->sigParamsIndex, + cert->sigParamsLength, + #else + NULL, 0, + #endif sce_tsip_encRsaKeyIdx)) != 0) { if (ret != WC_PENDING_E) { WOLFSSL_MSG("Confirm signature failed"); @@ -20060,6 +20906,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->publicKey, cert->pubKeySize, cert->keyOID, cert->signature, cert->sigLength, cert->signatureOID, + #ifdef WC_RSA_PSS + cert->source + cert->sigParamsIndex, cert->sigParamsLength, + #else + NULL, 0, + #endif sce_tsip_encRsaKeyIdx)) != 0) { if (ret != WC_PENDING_E) { WOLFSSL_MSG("Confirm signature failed"); @@ -21942,6 +22793,9 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, int outLen, } /* Set OID for RSA key. */ SetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], RSAk, oidKeyType); + #ifdef WC_RSA_PSS + dataASN[RSAPUBLICKEYASN_IDX_ALGOID_P_SEQ].noOut = 1; + #endif /* Set public key mp_ints. */ #ifdef HAVE_USER_RSA SetASN_MP(&dataASN[RSAPUBLICKEYASN_IDX_PUBKEY_RSA_N], key->n); @@ -26098,8 +26952,12 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, oidSigType); if (IsSigAlgoECC(cert->sigType)) { /* No NULL tagged item with ECDSA and EdDSA signature OIDs. */ - dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].noOut = 1; + dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS_NULL].noOut = 1; } + #ifdef WC_RSA_PSS + /* TODO: Encode RSA PSS parameters. */ + dataASN[X509CERTASN_IDX_TBS_ALGOID_PARAMS].noOut = 1; + #endif if (issRawLen > 0) { #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ defined(WOLFSSL_CERT_REQ) @@ -26114,7 +26972,6 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, NULL, issuerSz); } -#ifdef WOLFSSL_ALT_NAMES if (cert->beforeDateSz && cert->afterDateSz) { if (cert->beforeDate[0] == ASN_UTC_TIME) { /* Make space for before date data. */ @@ -26146,7 +27003,6 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, } } else -#endif { /* Don't put out UTC before data. */ dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_UTC].noOut = 1; @@ -26223,9 +27079,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, &cert->subject, cert->heap); } if (ret >= 0) { -#ifdef WOLFSSL_ALT_NAMES if (cert->beforeDateSz == 0 || cert->afterDateSz == 0) -#endif { /* Encode validity into buffer. */ ret = SetValidity( @@ -31847,7 +32701,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, &cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); + resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -31884,7 +32738,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* ConfirmSignature is blocking here */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); + resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); } if (ca == NULL || sigValid != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -31974,7 +32828,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response. */ ret = ConfirmSignature(&cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, resp->sig, - resp->sigSz, resp->sigOID, NULL); + resp->sigSz, resp->sigOID, NULL, 0, NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); ret = ASN_OCSP_CONFIRM_E; @@ -32004,7 +32858,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response CA public key. */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); + resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); } if ((ca == NULL) || (sigValid != 0)) { /* Didn't find certificate or signature verificate failed. */ @@ -32981,7 +33835,7 @@ int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, InitSignatureCtx(sigCtx, heap, INVALID_DEVID); if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey, ca->pubKeySize, ca->keyOID, signature, sigSz, - signatureOID, NULL) != 0) { + signatureOID, NULL, 0, NULL) != 0) { WOLFSSL_MSG("CRL Confirm signature failed"); WOLFSSL_ERROR_VERBOSE(ASN_CRL_CONFIRM_E); return ASN_CRL_CONFIRM_E; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 95e6229c8..f7d71451d 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1052,7 +1052,6 @@ enum Hash_Sum { SHAKE256h = 425 }; - #if !defined(NO_DES3) || !defined(NO_AES) enum Block_Sum { #ifdef WOLFSSL_AES_128 @@ -1081,6 +1080,7 @@ enum Block_Sum { enum Key_Sum { DSAk = 515, RSAk = 645, + RSAPSSk = 654, ECDSAk = 518, ED25519k = 256, /* 1.3.101.112 */ X25519k = 254, /* 1.3.101.110 */ @@ -1119,7 +1119,8 @@ enum Key_Agree { enum KDF_Sum { - PBKDF2_OID = 660 + PBKDF2_OID = 660, + MGF1_OID = 652, }; @@ -1549,6 +1550,10 @@ struct DecodedCert { word32 sigLength; /* length of signature */ word32 signatureOID; /* sum of algorithm object id */ word32 keyOID; /* sum of key algo object id */ +#ifdef WC_RSA_PSS + word32 sigParamsIndex; /* start of signature parameters */ + word32 sigParamsLength; /* length of signature parameters */ +#endif int version; /* cert version, 1 or 3 */ DNS_entry* altNames; /* alt names list of dns entries */ #ifndef IGNORE_NAME_CONSTRAINTS diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index f17eb7394..f33b3ef93 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -167,6 +167,8 @@ enum Ctc_SigType { CTC_SHA3_384wRSA = 429, CTC_SHA3_512wRSA = 430, + CTC_RSASSAPSS = 654, + CTC_ED25519 = 256, CTC_ED448 = 257,