Author: svn-role Date: Sun Feb 11 04:00:08 2018 New Revision: 1823806 URL: http://svn.apache.org/viewvc?rev=1823806&view=rev Log: Merge r1822996 from trunk:
* r1822996 Fix x509 parser to handle RSASSA-PSS certificates. Justification: JavaHL needs this to handle failure to verify such certs. 'svn auth' also affected. Votes: +1: philip, rhuijben, stsp, brane Modified: subversion/branches/1.10.x/ (props changed) subversion/branches/1.10.x/STATUS subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c
Propchange: subversion/branches/1.10.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Feb 11 04:00:08 2018
@@ -100,4 +100,4 @@
 /subversion/branches/verify-at-commit:1462039-1462408
 /subversion/branches/verify-keep-going:1439280-1546110
 /subversion/branches/wc-collate-path:1402685-1480384
-/subversion/trunk:1817837,1817856,1818577-1818578,1818584,1818651,1818662,1818727,1818801,1818803,1818807,1818868,1818871,1819036-1819037,1819043,1819049,1819052,1819093,1819146,1819162,1819444,1819556-1819557,1819603,1819804,1819911,1820046-1820047,1820518,1820718,1821183,1821224,1821621,1821678,1822401,1823202-1823203
+/subversion/trunk:1817837,1817856,1818577-1818578,1818584,1818651,1818662,1818727,1818801,1818803,1818807,1818868,1818871,1819036-1819037,1819043,1819049,1819052,1819093,1819146,1819162,1819444,1819556-1819557,1819603,1819804,1819911,1820046-1820047,1820518,1820718,1821183,1821224,1821621,1821678,1822401,1822996,1823202-1823203
Modified: subversion/branches/1.10.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/STATUS?rev=1823806&r1=1823805&r2=1823806&view=diff
==============================================================================
--- subversion/branches/1.10.x/STATUS (original)
+++ subversion/branches/1.10.x/STATUS Sun Feb 11 04:00:08 2018
@@ -21,14 +21,6 @@ Veto-blocked changes:
 Approved changes:
 =================
- * r1822996
- Fix x509 parser to handle RSASSA-PSS certificates.
- Justification:
- JavaHL needs this to handle failure to verify such certs.
- 'svn auth' also affected.
- Votes:
- +1: philip, rhuijben, stsp, brane
-
 * r1820778
 Make mod_dav_svn report commit capabilities based on SVNMasterVersion.
 Justification:
Modified: subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c?rev=1823806&r1=1823805&r2=1823806&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c Sun Feb 11 04:00:08 2018
@@ -262,13 +262,34 @@ x509_get_alg(const unsigned char **p, co
 if (*p == end)
 return SVN_NO_ERROR;
+
+ /* The OID encoding of 1.2.840.113549.1.1.10 (id-RSASSA-PSS) */
+#define OID_RSASSA_PSS "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a"
- /*
- * assume the algorithm parameters must be NULL
- */
- err = asn1_get_tag(p, end, &len, ASN1_NULL);
- if (err)
- return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+ if (equal(alg->p, alg->len, OID_RSASSA_PSS, sizeof(OID_RSASSA_PSS) - 1))
+ {
+ /* Skip over algorithm parameters for id-RSASSA-PSS (RFC 8017)
+ *
+ * RSASSA-PSS-params ::= SEQUENCE {
+ * hashAlgorithm [0] HashAlgorithm DEFAULT sha1,
+ * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
+ * saltLength [2] INTEGER DEFAULT 20,
+ * trailerField [3] TrailerField DEFAULT trailerFieldBC
+ * }
+ */
+ err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+
+ *p += len;
+ }
+ else
+ {
+ /* Algorithm parameters must be NULL for other algorithms */
+ err = asn1_get_tag(p, end, &len, ASN1_NULL);
+ if (err)
+ return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+ }
 if (*p != end)
 {
Modified: subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c?rev=1823806&r1=1823805&r2=1823806&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c (original)
+++ subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c Sun Feb 11 04:00:08 2018
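Review bot: In x509_get_alg, the RSASSA-PSS branch advances with `*p += len` and discards the parameters unexamined, so the hash, mask-generation and salt-length fields are accepted whatever they contain and can never be compared between the two AlgorithmIdentifier copies in a certificate. If a later signature-algorithm consistency check exists (outside this hunk, and presumably OID-only), it will not notice a PSS parameter mismatch; a comment such as `/* Parameters are skipped, not validated or compared; do not base trust decisions on this parser. */` above the skip would make that limit explicit. The skip also relies on asn1_get_tag() having rejected a `len` that runs past `end`, which is not visible here and is worth stating next to `*p += len;`. The `#define OID_RSASSA_PSS` sits in the middle of the function body and is never `#undef`ed, so it would read better at file scope; the body of x509_get_alg starts and ends outside the hunk.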
@@ -592,6 +592,32 @@ static struct x509_test cert_tests[] = {
 "good.example.com",
 "9693f17e59205f41ca2e14450d151b945651b2d7"
 },
+ /* Signed using RSASSA-PSS algorithm with algorithm parameters */
+ {
+ "MIICsjCCAWkCCQDHslXYA8hCxTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQC"
+ "AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wKjEUMBIGA1UECgwL"
+ "TXkgTG9jYWwgQ0ExEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xODAyMDIxNjQ4MzVa"
+ "Fw0xODAyMDMxNjQ4MzVaMC4xGDAWBgNVBAoMD015IExvY2FsIFNlcnZlcjESMBAG"
+ "A1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCues61"
+ "JXXpLQI5yeg4aCLWRfvnJY7wnuU6FSA++3wwCJREx1/7ebnP9RRRqqKM+ZeeFMC+"
+ "UlJE3ft2tJTDOVk9j6qjvKrJUKM1YkIe0lARxs4RtZKDGfOdBhw/+iD+6fZzhL0n"
+ "+w+dIJGzl6ADWsE/x9yjDTkdgbtxHrx/76K0KQIDAQABMD4GCSqGSIb3DQEBCjAx"
+ "oA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA"
+ "3gOCAQEABYRAijCSGyFdSuUYALUnNzPylqYXlW+dMKPywlUrFEhKnvS+FD9twerI"
+ "8kT4MDW6XvhScmL1MCDPNAkFY92UqaUrgT80oyrbpuakVrxFSS1i28xy8+kXAWYq"
+ "RNQVaME1NqnATYF0ZMD5xQK4rpa76gvWj3K8Lt++9EjjbkNiirIIMQEOxh1lwnDQ"
+ "81q1Rk6iujlnVDGHDQ+w8reE6fKfSWfv1EaQRcjNKCuzrW8WNN387G2byvwaaKeL"
+ "M7lV7wiV6PwrTNTZzVG3cWKDOEP1mGE7gyMu66siLECo8U95+ahK7O6vfeT3m3gv"
+ "7kzWNYozAQtBSC7b0WqWbVrzWI4HSg==",
+ "O=My Local Server, CN=localhost",
+ "2.5.4.10 2.5.4.3",
+ "O=My Local CA, CN=localhost",
+ "2.5.4.10 2.5.4.3",
+ "2018-02-02T16:48:35.000000Z ",
+ "2018-02-03T16:48:35.000000Z ",
+ "localhost",
+ "25ab5a059acfc793fc0d3734d426794a4ca7b631"
+ },
 { NULL }
 };
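Review bot: The new cert_tests entry covers only a well-formed RSASSA-PSS certificate, so the error return of the parameter skip added to x509_get_alg stays untested. A companion certificate whose RSASSA-PSS-params SEQUENCE is malformed would pin the expected SVN_ERR_X509_CERT_INVALID_ALG result, assuming this file has a place for certificates that must fail to parse (none is visible in this hunk). The entry would also be easier to regenerate and audit with a comment recording how it was produced, for example `/* Generated with: <command placeholder>; PSS parameters: <hash/MGF/salt placeholder> */`. The cert_tests array starts outside the hunk.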