authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-01 14:43:04 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-07 14:51:19 +0200
commit3b876ea64d9f390f749bb0ee9a6b779daace69f9 (patch)
treeb5ad1698b803c5a3605939e3cdf3ef606280ee1f
parentf6cd10ad3c6d1e781832fc6c7a33f2413e3128bf (diff)
downloadgnutls-3b876ea64d9f390f749bb0ee9a6b779daace69f9.tar.gz
x509: no longer emit the previous custom format for provable parameters
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/gnutls.asn11
-rw-r--r--lib/gnutls_asn1_tab.c10
-rw-r--r--lib/x509/key_encode.c61
-rw-r--r--lib/x509/privkey.c50
-rw-r--r--lib/x509/privkey_pkcs8.c2
-rw-r--r--lib/x509/x509_int.h2
6 files changed, 24 insertions, 112 deletions
diff --git a/lib/gnutls.asn b/lib/gnutls.asn
index e006b6d5b7..570d8263fd 100644
--- a/lib/gnutls.asn
+++ b/lib/gnutls.asn
@@ -26,18 +26,14 @@ RSAPrivateKey ::= SEQUENCE {
exponent1 INTEGER, -- (Usually large) d mod (p-1)
exponent2 INTEGER, -- (Usually large) d mod (q-1)
coefficient INTEGER, -- (Usually large) (inverse of q) mod p
- otherInfo RSAOtherInfo OPTIONAL
+ otherPrimeInfos OtherPrimeInfos OPTIONAL
}
ProvableSeed ::= SEQUENCE {
- algorithm OBJECT IDENTIFIER,
+ algorithm OBJECT IDENTIFIER, -- the hash algorithm OID used for FIPS186-4 generation
seed OCTET STRING
}
-RSAOtherInfo ::= CHOICE {
- otherPrimeInfos OtherPrimeInfos, -- the hash algorithm OID used for FIPS186-4 generation
- seed [1] ProvableSeed
-}
OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo
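Review bot: Replacing the `otherInfo RSAOtherInfo` CHOICE with a plain `otherPrimeInfos OtherPrimeInfos OPTIONAL` changes what the decoder accepts as well as what is emitted, so a key written earlier with the `seed [1] ProvableSeed` alternative will presumably no longer parse against this definition. The same holds for the removal of `seed [1] ProvableSeed OPTIONAL` from `DSAPrivateKey` in the next hunk, and for the dropped `PEM_KEY_RSA_PROVABLE` / `PEM_KEY_DSA_PROVABLE` checks in `gnutls_x509_privkey_import` in lib/x509/privkey.c, while the commit title only mentions emitting. If dropping import support is intended, it should be stated in the commit message, and a regression test that feeds an old-format key to the importer would confirm it is rejected with a clean error rather than partially decoded. `ProvableSeed` is no longer referenced by either private-key structure in the visible hunks, so a comment above it such as `-- not part of RSAPrivateKey/DSAPrivateKey; used by <remaining user>` would explain why it stays.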
@@ -84,8 +80,7 @@ DSAPrivateKey ::= SEQUENCE {
q INTEGER,
g INTEGER,
Y INTEGER, -- public
- priv INTEGER,
- seed [1] ProvableSeed OPTIONAL
+ priv INTEGER
}
-- from PKCS#3
diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c
index 587e54ed36..d58f864c0b 100644
--- a/lib/gnutls_asn1_tab.c
+++ b/lib/gnutls_asn1_tab.c
@@ -20,14 +20,10 @@ const asn1_static_node gnutls_asn1_tab[] = {
{ "exponent1", 1073741827, NULL },
{ "exponent2", 1073741827, NULL },
{ "coefficient", 1073741827, NULL },
- { "otherInfo", 16386, "RSAOtherInfo"},
+ { "otherPrimeInfos", 16386, "OtherPrimeInfos"},
{ "ProvableSeed", 1610612741, NULL },
{ "algorithm", 1073741836, NULL },
{ "seed", 7, NULL },
- { "RSAOtherInfo", 1610612754, NULL },
- { "otherPrimeInfos", 1073741826, "OtherPrimeInfos"},
- { "seed", 536879106, "ProvableSeed"},
- { NULL, 2056, "1"},
{ "OtherPrimeInfos", 1612709899, NULL },
{ "MAX", 1074266122, "1"},
{ NULL, 2, "OtherPrimeInfo"},
@@ -57,9 +53,7 @@ const asn1_static_node gnutls_asn1_tab[] = {
{ "q", 1073741827, NULL },
{ "g", 1073741827, NULL },
{ "Y", 1073741827, NULL },
- { "priv", 1073741827, NULL },
- { "seed", 536895490, "ProvableSeed"},
- { NULL, 2056, "1"},
+ { "priv", 3, NULL },
{ "DHParameter", 1610612741, NULL },
{ "prime", 1073741827, NULL },
{ "base", 1073741827, NULL },
diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c
index 98b9769b59..d9d2cc8984 100644
--- a/lib/x509/key_encode.c
+++ b/lib/x509/key_encode.c
@@ -490,7 +490,7 @@ _gnutls_x509_write_dsa_pubkey(gnutls_pk_params_st * params,
/* Encodes the RSA parameters into an ASN.1 RSA private key structure.
*/
static int
-_gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned compat)
+_gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params)
{
int result, ret;
uint8_t null = '\0';
@@ -596,34 +596,11 @@ _gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned c
goto cleanup;
}
- if (compat == 0 && (params->flags & GNUTLS_PK_FLAG_PROVABLE) && params->seed_size > 0) {
- if ((result = asn1_write_value(*c2, "otherInfo",
- "seed", 1)) != ASN1_SUCCESS) {
- gnutls_assert();
- ret = _gnutls_asn2err(result);
- goto cleanup;
- }
-
- if ((result = asn1_write_value(*c2, "otherInfo.seed.seed",
- params->seed, params->seed_size)) != ASN1_SUCCESS) {
- gnutls_assert();
- ret = _gnutls_asn2err(result);
- goto cleanup;
- }
-
- if ((result = asn1_write_value(*c2, "otherInfo.seed.algorithm",
- gnutls_digest_get_oid(params->palgo), 1)) != ASN1_SUCCESS) {
- gnutls_assert();
- ret = _gnutls_asn2err(result);
- goto cleanup;
- }
- } else {
- if ((result = asn1_write_value(*c2, "otherInfo",
- NULL, 0)) != ASN1_SUCCESS) {
- gnutls_assert();
- ret = _gnutls_asn2err(result);
- goto cleanup;
- }
+ if ((result = asn1_write_value(*c2, "otherPrimeInfos",
+ NULL, 0)) != ASN1_SUCCESS) {
+ gnutls_assert();
+ ret = _gnutls_asn2err(result);
+ goto cleanup;
}
if ((result =
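Review bot: The now unconditional `asn1_write_value(*c2, "otherPrimeInfos", NULL, 0)` has no comment saying why the element is always removed, and a reader can no longer infer it from the old provable/compat branch. I would add something like `/* multi-prime RSA is not encoded here; drop the OPTIONAL otherPrimeInfos */` above the call, assuming that is the intent. It would also help to extend the function's header comment to say that `params->seed` and `params->palgo` are deliberately not serialized by this encoder. The body of `_gnutls_asn1_encode_rsa` starts and ends outside this hunk.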
@@ -756,7 +733,7 @@ cleanup:
/* Encodes the DSA parameters into an ASN.1 DSAPrivateKey structure.
*/
static int
-_gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned compat)
+_gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params)
{
int result, ret;
const uint8_t null = '\0';
@@ -816,24 +793,6 @@ _gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params, unsigned c
goto cleanup;
}
- if (params->seed_size > 0 && compat == 0) {
- if ((result = asn1_write_value(*c2, "seed.seed",
- params->seed, params->seed_size)) != ASN1_SUCCESS) {
- gnutls_assert();
- ret = _gnutls_asn2err(result);
- goto cleanup;
- }
-
- if ((result = asn1_write_value(*c2, "seed.algorithm",
- gnutls_digest_get_oid(params->palgo), 1)) != ASN1_SUCCESS) {
- gnutls_assert();
- ret = _gnutls_asn2err(result);
- goto cleanup;
- }
- } else {
- (void)asn1_write_value(*c2, "seed", NULL, 0);
- }
-
if ((result =
asn1_write_value(*c2, "version", &null, 1)) != ASN1_SUCCESS) {
gnutls_assert();
@@ -850,14 +809,14 @@ cleanup:
}
int _gnutls_asn1_encode_privkey(ASN1_TYPE * c2,
- gnutls_pk_params_st * params, unsigned compat)
+ gnutls_pk_params_st * params)
{
switch (params->algo) {
case GNUTLS_PK_RSA:
case GNUTLS_PK_RSA_PSS:
- return _gnutls_asn1_encode_rsa(c2, params, compat);
+ return _gnutls_asn1_encode_rsa(c2, params);
case GNUTLS_PK_DSA:
- return _gnutls_asn1_encode_dsa(c2, params, compat);
+ return _gnutls_asn1_encode_dsa(c2, params);
case GNUTLS_PK_ECDSA:
case GNUTLS_PK_EDDSA_ED25519:
return _gnutls_asn1_encode_ecc(c2, params);
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 81ff5c6db3..09a9bf03d3 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -113,7 +113,7 @@ gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst,
ret =
_gnutls_asn1_encode_privkey(&dst->key,
- &dst->params, src->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
+ &dst->params);
if (ret < 0) {
gnutls_assert();
gnutls_pk_params_release(&dst->params);
@@ -132,8 +132,6 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key,
{
int result;
ASN1_TYPE pkey_asn;
- char tmp[64];
- int tmp_size;
gnutls_pk_params_init(&pkey->params);
@@ -220,29 +218,6 @@ _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key,
pkey->params.params_nr = RSA_PRIVATE_PARAMS;
pkey->params.algo = GNUTLS_PK_RSA;
- tmp_size = sizeof(tmp);
- result = asn1_read_value(pkey_asn, "otherInfo", tmp, &tmp_size);
- if (result == ASN1_SUCCESS && strcmp(tmp, "seed") == 0) {
- gnutls_datum_t v;
- char oid[MAX_OID_SIZE];
- int oid_size;
-
- oid_size = sizeof(oid);
- result = asn1_read_value(pkey_asn, "otherInfo.seed.algorithm", oid, &oid_size);
- if (result == ASN1_SUCCESS) {
- pkey->params.palgo = gnutls_oid_to_digest(oid);
- }
-
- result = _gnutls_x509_read_value(pkey_asn, "otherInfo.seed.seed", &v);
- if (result >= 0) {
- if (v.size <= sizeof(pkey->params.seed)) {
- memcpy(pkey->params.seed, v.data, v.size);
- pkey->params.seed_size = v.size;
- }
- gnutls_free(v.data);
- }
- }
-
return pkey_asn;
error:
@@ -466,8 +441,6 @@ decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey)
#define PEM_KEY_DSA "DSA PRIVATE KEY"
#define PEM_KEY_RSA "RSA PRIVATE KEY"
-#define PEM_KEY_DSA_PROVABLE "FIPS186-4 DSA PRIVATE KEY"
-#define PEM_KEY_RSA_PROVABLE "FIPS186-4 RSA PRIVATE KEY"
#define PEM_KEY_ECC "EC PRIVATE KEY"
#define PEM_KEY_PKCS8 "PRIVATE KEY"
@@ -547,8 +520,6 @@ gnutls_x509_privkey_import(gnutls_x509_privkey_t key,
IF_CHECK_FOR(PEM_KEY_RSA, GNUTLS_PK_RSA, ptr, begin_ptr, left, key)
else IF_CHECK_FOR(PEM_KEY_ECC, GNUTLS_PK_EC, ptr, begin_ptr, left, key)
else IF_CHECK_FOR(PEM_KEY_DSA, GNUTLS_PK_DSA, ptr, begin_ptr, left, key)
- else IF_CHECK_FOR(PEM_KEY_RSA_PROVABLE, GNUTLS_PK_RSA, ptr, begin_ptr, left, key)
- else IF_CHECK_FOR(PEM_KEY_DSA_PROVABLE, GNUTLS_PK_DSA, ptr, begin_ptr, left, key)
if (key->params.algo == GNUTLS_PK_UNKNOWN && left >= sizeof(PEM_KEY_PKCS8)) {
if (memcmp(ptr, PEM_KEY_PKCS8, sizeof(PEM_KEY_PKCS8)-1) == 0) {
@@ -996,7 +967,7 @@ gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key,
ret =
_gnutls_asn1_encode_privkey(&key->key,
- &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
+ &key->params);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -1092,7 +1063,7 @@ gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key,
ret =
_gnutls_asn1_encode_privkey(&key->key,
- &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
+ &key->params);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -1330,15 +1301,9 @@ gnutls_x509_privkey_set_spki(gnutls_x509_privkey_t key, const gnutls_x509_spki_t
static const char *set_msg(gnutls_x509_privkey_t key)
{
if (GNUTLS_PK_IS_RSA(key->params.algo)) {
- if (key->params.seed_size > 0 && !(key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT))
- return PEM_KEY_RSA_PROVABLE;
- else
- return PEM_KEY_RSA;
+ return PEM_KEY_RSA;
} else if (key->params.algo == GNUTLS_PK_DSA) {
- if (key->params.seed_size > 0 && !(key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT))
- return PEM_KEY_DSA_PROVABLE;
- else
- return PEM_KEY_DSA;
+ return PEM_KEY_DSA;
} else if (key->params.algo == GNUTLS_PK_EC)
return PEM_KEY_ECC;
else
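Review bot: `set_msg` now returns `PEM_KEY_RSA` / `PEM_KEY_DSA` even when `key->params.seed_size > 0`, so a key generated with a FIPS186-4 seed is exported in the legacy format without the seed and without any signal to the caller. If the seed is meant to travel only in another container (not visible in this diff), a comment here such as `/* the provable seed is never written in the legacy PKCS#1/DSA PEM format */` would make that explicit. None of the visible call sites read `GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT` any more, so its public documentation should be checked against what the flag still does. The tail of `set_msg` lies outside the hunk.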
@@ -1733,7 +1698,7 @@ gnutls_x509_privkey_generate2(gnutls_x509_privkey_t key,
}
}
- ret = _gnutls_asn1_encode_privkey(&key->key, &key->params, key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
+ ret = _gnutls_asn1_encode_privkey(&key->key, &key->params);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -2179,8 +2144,7 @@ int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key)
ret =
_gnutls_asn1_encode_privkey(&key->key,
- &key->params,
- key->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
+ &key->params);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index 46351dca25..4cad7bfcdc 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -1170,7 +1170,7 @@ _decode_pkcs8_dsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey)
ret =
_gnutls_asn1_encode_privkey(&pkey->key,
- &pkey->params, pkey->flags&GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
+ &pkey->params);
if (ret < 0) {
gnutls_assert();
goto error;
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index e325c06bf2..3dd3985cf3 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -258,7 +258,7 @@ _gnutls_x509_read_ecc_params(uint8_t * der, int dersize,
unsigned int *curve);
int _gnutls_asn1_encode_privkey(ASN1_TYPE * c2,
- gnutls_pk_params_st * params, unsigned compat);
+ gnutls_pk_params_st * params);
void _gnutls_x509_privkey_get_spki_params(gnutls_x509_privkey_t key,
gnutls_x509_spki_st * params);