Author: svn-role
Date: Sun Feb 11 04:00:08 2018
New Revision: 1823806

URL: http://svn.apache.org/viewvc?rev=1823806&view=rev
Log:
Merge r1822996 from trunk:

 * r1822996
   Fix x509 parser to handle RSASSA-PSS certificates.
   Justification:
     JavaHL needs this to handle failure to verify such certs.
     'svn auth' also affected.
   Votes:
     +1: philip, rhuijben, stsp, brane

Modified:
    subversion/branches/1.10.x/   (props changed)
    subversion/branches/1.10.x/STATUS
    subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c
    subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c

Propchange: subversion/branches/1.10.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Feb 11 04:00:08 2018
@@ -100,4 +100,4 @@
 /subversion/branches/verify-at-commit:1462039-1462408
 /subversion/branches/verify-keep-going:1439280-1546110
 /subversion/branches/wc-collate-path:1402685-1480384
-/subversion/trunk:1817837,1817856,1818577-1818578,1818584,1818651,1818662,1818727,1818801,1818803,1818807,1818868,1818871,1819036-1819037,1819043,1819049,1819052,1819093,1819146,1819162,1819444,1819556-1819557,1819603,1819804,1819911,1820046-1820047,1820518,1820718,1821183,1821224,1821621,1821678,1822401,1823202-1823203
+/subversion/trunk:1817837,1817856,1818577-1818578,1818584,1818651,1818662,1818727,1818801,1818803,1818807,1818868,1818871,1819036-1819037,1819043,1819049,1819052,1819093,1819146,1819162,1819444,1819556-1819557,1819603,1819804,1819911,1820046-1820047,1820518,1820718,1821183,1821224,1821621,1821678,1822401,1822996,1823202-1823203

Modified: subversion/branches/1.10.x/STATUS
URL: 
http://svn.apache.org/viewvc/subversion/branches/1.10.x/STATUS?rev=1823806&r1=1823805&r2=1823806&view=diff
==============================================================================
--- subversion/branches/1.10.x/STATUS (original)
+++ subversion/branches/1.10.x/STATUS Sun Feb 11 04:00:08 2018
@@ -21,14 +21,6 @@ Veto-blocked changes:
 Approved changes:
 =================
 
- * r1822996
-   Fix x509 parser to handle RSASSA-PSS certificates.
-   Justification:
-     JavaHL needs this to handle failure to verify such certs.
-     'svn auth' also affected.
-   Votes:
-     +1: philip, rhuijben, stsp, brane
-
  * r1820778
    Make mod_dav_svn report commit capabilities based on SVNMasterVersion.
    Justification:

Modified: subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c
URL: 
http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c?rev=1823806&r1=1823805&r2=1823806&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c (original)
+++ subversion/branches/1.10.x/subversion/libsvn_subr/x509parse.c Sun Feb 11 
04:00:08 2018
@@ -262,13 +262,34 @@ x509_get_alg(const unsigned char **p, co
 
   if (*p == end)
     return SVN_NO_ERROR;
+  
+  /* The OID encoding of 1.2.840.113549.1.1.10 (id-RSASSA-PSS) */
+#define OID_RSASSA_PSS "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a"
 
-  /*
-   * assume the algorithm parameters must be NULL
-   */
-  err = asn1_get_tag(p, end, &len, ASN1_NULL);
-  if (err)
-    return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+  if (equal(alg->p, alg->len, OID_RSASSA_PSS, sizeof(OID_RSASSA_PSS) - 1))
+    {
+      /* Skip over algorithm parameters for id-RSASSA-PSS (RFC 8017)
+       *
+       * RSASSA-PSS-params ::= SEQUENCE {
+       *  hashAlgorithm      [0] HashAlgorithm    DEFAULT sha1,
+       *  maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
+       *  saltLength         [2] INTEGER          DEFAULT 20,
+       *  trailerField       [3] TrailerField     DEFAULT trailerFieldBC
+       * }
+       */
+      err = asn1_get_tag(p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+      if (err)
+        return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+
+      *p += len;
+    }
+  else
+    {
+      /* Algorithm parameters must be NULL for other algorithms */
+      err = asn1_get_tag(p, end, &len, ASN1_NULL);
+      if (err)
+        return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, err, NULL);
+    }
 
   if (*p != end)
     {
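Review bot: The `*p += len;` that skips the RSASSA-PSS parameter block (after the ASN1_CONSTRUCTED | ASN1_SEQUENCE tag) relies entirely on asn1_get_tag having already bounded `len` by `end`; that helper is outside the hunk, and if it does not enforce this, a malformed parameter length would advance `*p` beyond `end` before the `*p != end` check below, which is pointer arithmetic outside the buffer. Either make the assumption local with `if (len > end - *p) return svn_error_create(SVN_ERR_X509_CERT_INVALID_ALG, NULL, NULL);` before the skip, or record it next to the skip with a comment such as `/* asn1_get_tag guarantees len <= end - *p */`. Separately, `#define OID_RSASSA_PSS` is introduced mid-function and never `#undef`'d, and the added line directly above it contains only trailing whitespace; a file-scope `static const unsigned char` array, or a definition placed with the file's other OID constants, would be the conventional form. x509_get_alg begins and ends outside this hunk.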

Modified: subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c
URL: 
http://svn.apache.org/viewvc/subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c?rev=1823806&r1=1823805&r2=1823806&view=diff
==============================================================================
--- subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c 
(original)
+++ subversion/branches/1.10.x/subversion/tests/libsvn_subr/x509-test.c Sun Feb 
11 04:00:08 2018
@@ -592,6 +592,32 @@ static struct x509_test cert_tests[] = {
     "good.example.com",
     "9693f17e59205f41ca2e14450d151b945651b2d7"
   },
+  /* Signed using RSASSA-PSS algorithm with algorithm parameters */
+  {
+    "MIICsjCCAWkCCQDHslXYA8hCxTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQC"
+    "AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wKjEUMBIGA1UECgwL"
+    "TXkgTG9jYWwgQ0ExEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xODAyMDIxNjQ4MzVa"
+    "Fw0xODAyMDMxNjQ4MzVaMC4xGDAWBgNVBAoMD015IExvY2FsIFNlcnZlcjESMBAG"
+    "A1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCues61"
+    "JXXpLQI5yeg4aCLWRfvnJY7wnuU6FSA++3wwCJREx1/7ebnP9RRRqqKM+ZeeFMC+"
+    "UlJE3ft2tJTDOVk9j6qjvKrJUKM1YkIe0lARxs4RtZKDGfOdBhw/+iD+6fZzhL0n"
+    "+w+dIJGzl6ADWsE/x9yjDTkdgbtxHrx/76K0KQIDAQABMD4GCSqGSIb3DQEBCjAx"
+    "oA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA"
+    "3gOCAQEABYRAijCSGyFdSuUYALUnNzPylqYXlW+dMKPywlUrFEhKnvS+FD9twerI"
+    "8kT4MDW6XvhScmL1MCDPNAkFY92UqaUrgT80oyrbpuakVrxFSS1i28xy8+kXAWYq"
+    "RNQVaME1NqnATYF0ZMD5xQK4rpa76gvWj3K8Lt++9EjjbkNiirIIMQEOxh1lwnDQ"
+    "81q1Rk6iujlnVDGHDQ+w8reE6fKfSWfv1EaQRcjNKCuzrW8WNN387G2byvwaaKeL"
+    "M7lV7wiV6PwrTNTZzVG3cWKDOEP1mGE7gyMu66siLECo8U95+ahK7O6vfeT3m3gv"
+    "7kzWNYozAQtBSC7b0WqWbVrzWI4HSg==",
+    "O=My Local Server, CN=localhost",
+    "2.5.4.10 2.5.4.3",
+    "O=My Local CA, CN=localhost",
+    "2.5.4.10 2.5.4.3",
+    "2018-02-02T16:48:35.000000Z ",
+    "2018-02-03T16:48:35.000000Z ",
+    "localhost",
+    "25ab5a059acfc793fc0d3734d426794a4ca7b631"
+  },
   { NULL }
 };
 
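Review bot: The new cert_tests entry covers only a well-formed RSASSA-PSS parameter SEQUENCE, so the parameter-skipping path added to x509_get_alg is exercised on its success path alone; nothing pins what the parser does when the parameter length runs past the end of the AlgorithmIdentifier. If the test harness has a way to express an expected parse failure, a companion entry with a truncated parameter block would cover the bounds handling as well; if it does not, a short comment on this entry saying that malformed parameters are not covered here would make the gap visible. The comment on the entry could also name the hash and MGF parameters the encoded cert carries, since that is what distinguishes it from the existing entries. The cert_tests array begins before the hunk.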

