mbedtls: Use ASN1Writer instead of hacking it up
parent
316de9c97a
commit
034d169cf5
2 changed files with 18 additions and 47 deletions
|
@ -26,7 +26,8 @@ use crate::{
|
||||||
use log::error;
|
use log::error;
|
||||||
use num_derive::FromPrimitive;
|
use num_derive::FromPrimitive;
|
||||||
|
|
||||||
use self::{asn1_writer::ASN1Writer, printer::CertPrinter};
|
pub use self::asn1_writer::ASN1Writer;
|
||||||
|
use self::printer::CertPrinter;
|
||||||
|
|
||||||
// As per https://datatracker.ietf.org/doc/html/rfc5280
|
// As per https://datatracker.ietf.org/doc/html/rfc5280
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,12 @@ use mbedtls::{
|
||||||
};
|
};
|
||||||
|
|
||||||
use super::CryptoKeyPair;
|
use super::CryptoKeyPair;
|
||||||
use crate::error::Error;
|
use crate::{
|
||||||
|
// TODO: We should move ASN1Writer out of Cert,
|
||||||
|
// so Crypto doesn't have to depend on Cert
|
||||||
|
cert::{ASN1Writer, CertConsumer},
|
||||||
|
error::Error,
|
||||||
|
};
|
||||||
|
|
||||||
pub struct HmacSha256 {
|
pub struct HmacSha256 {
|
||||||
inner: Hmac,
|
inner: Hmac,
|
||||||
|
@ -183,7 +188,7 @@ impl CryptoKeyPair for KeyPair {
|
||||||
|
|
||||||
// current rust-mbedTLS APIs the signature to be in DER format
|
// current rust-mbedTLS APIs the signature to be in DER format
|
||||||
let mut mbedtls_sign = [0u8; super::EC_SIGNATURE_LEN_BYTES * 3];
|
let mut mbedtls_sign = [0u8; super::EC_SIGNATURE_LEN_BYTES * 3];
|
||||||
let len = convert_r_s_to_asn1_sign(signature, &mut mbedtls_sign);
|
let len = convert_r_s_to_asn1_sign(signature, &mut mbedtls_sign)?;
|
||||||
let mbedtls_sign = &mbedtls_sign[..len];
|
let mbedtls_sign = &mbedtls_sign[..len];
|
||||||
|
|
||||||
if let Err(e) = tmp_key.verify(hash::Type::Sha256, &msg_hash, mbedtls_sign) {
|
if let Err(e) = tmp_key.verify(hash::Type::Sha256, &msg_hash, mbedtls_sign) {
|
||||||
|
@ -195,51 +200,16 @@ impl CryptoKeyPair for KeyPair {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn convert_r_s_to_asn1_sign(signature: &[u8], mbedtls_sign: &mut [u8]) -> usize {
|
fn convert_r_s_to_asn1_sign(signature: &[u8], mbedtls_sign: &mut [u8]) -> Result<usize, Error> {
|
||||||
let mut offset = 0;
|
let r = &signature[0..32];
|
||||||
mbedtls_sign[offset] = 0x30;
|
let s = &signature[32..64];
|
||||||
offset += 1;
|
|
||||||
let mut len = 68;
|
|
||||||
if (signature[0] & 0x80) == 0x80 {
|
|
||||||
len += 1;
|
|
||||||
}
|
|
||||||
if (signature[32] & 0x80) == 0x80 {
|
|
||||||
len += 1;
|
|
||||||
}
|
|
||||||
mbedtls_sign[offset] = len;
|
|
||||||
offset += 1;
|
|
||||||
mbedtls_sign[offset] = 0x02;
|
|
||||||
offset += 1;
|
|
||||||
if (signature[0] & 0x80) == 0x80 {
|
|
||||||
// It seems if topmost bit is 1, there is an extra 0
|
|
||||||
mbedtls_sign[offset] = 33;
|
|
||||||
offset += 1;
|
|
||||||
mbedtls_sign[offset] = 0;
|
|
||||||
offset += 1;
|
|
||||||
} else {
|
|
||||||
mbedtls_sign[offset] = 32;
|
|
||||||
offset += 1;
|
|
||||||
}
|
|
||||||
mbedtls_sign[offset..(offset + 32)].copy_from_slice(&signature[..32]);
|
|
||||||
offset += 32;
|
|
||||||
|
|
||||||
mbedtls_sign[offset] = 0x02;
|
let mut wr = ASN1Writer::new(mbedtls_sign);
|
||||||
offset += 1;
|
wr.start_seq("")?;
|
||||||
if (signature[32] & 0x80) == 0x80 {
|
wr.integer("r", r)?;
|
||||||
// It seems if topmost bit is 1, there is an extra 0
|
wr.integer("s", s)?;
|
||||||
mbedtls_sign[offset] = 33;
|
wr.end_seq()?;
|
||||||
offset += 1;
|
Ok(wr.as_slice().len())
|
||||||
mbedtls_sign[offset] = 0;
|
|
||||||
offset += 1;
|
|
||||||
} else {
|
|
||||||
mbedtls_sign[offset] = 32;
|
|
||||||
offset += 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
mbedtls_sign[offset..(offset + 32)].copy_from_slice(&signature[32..64]);
|
|
||||||
offset += 32;
|
|
||||||
|
|
||||||
offset
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// mbedTLS sign() function directly encodes the signature in ASN1. The lower level function
|
// mbedTLS sign() function directly encodes the signature in ASN1. The lower level function
|
||||||
|
|
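Review bot: The rewritten `convert_r_s_to_asn1_sign` slices `signature[0..32]` and `signature[32..64]` without checking the input length, so a signature shorter than 64 bytes panics instead of failing verification. The function now returns `Result<usize, Error>`, so it can reject such input up front with a guard like `if signature.len() < 64 { return Err(/* the crate's invalid-signature Error variant */); }` before the two slices. The enclosing verify method starts outside the visible hunks, so an earlier length check there cannot be ruled out; if there is none and the signature bytes arrive from a peer, the panic is reachable from untrusted input. It would also help to derive the 32/64 offsets from `super::EC_SIGNATURE_LEN_BYTES` (presumably the raw r||s length) rather than literals, and to confirm that `ASN1Writer::integer` adds the leading zero byte the old code inserted when the top bit of r or s is set.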