Changeset 100442 in vbox for trunk/include

Timestamp:

Jul 8, 2023 11:10:51 AM (18 months ago)

Author:

vboxsync

Message:

IPRT,OpenSSL: Support ECDSA for verficiation purposes when IPRT links with OpenSSL. This required quite a bit of cleanups, so not entirely no-risk. bugref:10479 ticketref:21621

Location:

trunk/include/iprt

Files:

• crypto/key.h (modified) (3 diffs)
• crypto/pkix.h (modified) (5 diffs)
• crypto/x509.h (modified) (4 diffs)
• err.h (modified) (2 diffs)
• mangling.h (modified) (3 diffs)

trunk/include/iprt/crypto/key.h

@@ -66 +66 @@
     /** RSA public key. */
     RTCRKEYTYPE_RSA_PUBLIC,
+    /** ECDSA private key. */
+    RTCRKEYTYPE_ECDSA_PRIVATE,
+    /** ECDSA public key. */
+    RTCRKEYTYPE_ECDSA_PUBLIC,
     /** End of key types. */
     RTCRKEYTYPE_END,
@@ -75 +79 @@
 RTDECL(int)             RTCrKeyCreateFromSubjectPublicKeyInfo(PRTCRKEY phKey, struct RTCRX509SUBJECTPUBLICKEYINFO const *pSrc,
                                                               PRTERRINFO pErrInfo, const char *pszErrorTag);
-RTDECL(int)             RTCrKeyCreateFromPublicAlgorithmAndBits(PRTCRKEY phKey,  PCRTASN1OBJID pAlgorithm,
-                                                                PCRTASN1BITSTRING pPublicKey,
+RTDECL(int)             RTCrKeyCreateFromPublicAlgorithmAndBits(PRTCRKEY phKey, PCRTASN1OBJID pAlgorithm,
+                                                                PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
                                                                 PRTERRINFO pErrInfo, const char *pszErrorTag);
 RTDECL(int)             RTCrKeyCreateFromPemSection(PRTCRKEY phKey, uint32_t fFlags, struct RTCRPEMSECTION const *pSection,
@@ -105 +109 @@
 RTDECL(int)             RTCrKeyQueryRsaModulus(RTCRKEY hKey, PRTBIGNUM pModulus);
 RTDECL(int)             RTCrKeyQueryRsaPrivateExponent(RTCRKEY hKey, PRTBIGNUM pPrivateExponent);
+RTDECL(int)             RTCrKeyVerifyParameterCompatibility(RTCRKEY hKey, PCRTASN1DYNTYPE pParameters, bool fForSignature,
+                                                            PCRTASN1OBJID pAlgorithm, PRTERRINFO pErrInfo);
+
 
 /** Public key markers. */

trunk/include/iprt/crypto/pkix.h

@@ -60 +60 @@
  * @param   pAlgorithm      The signature algorithm (digest w/ cipher).
  * @param   hPublicKey      The public key.
- * @param   pParameters     Parameter to the public key algorithm. Optional.
+ * @param   pParameters     The signature parameters (not key, those are already
+ *                          kept by hPublicKey).
  * @param   pSignatureValue The signature value.
  * @param   pvData          The signed data.
@@ -81 +82 @@
  * @param   pAlgorithm      The signature algorithm (digest w/ cipher).
  * @param   hPublicKey      The public key.
- * @param   pParameters     Parameter to the public key algorithm. Optional.
+ * @param   pParameters     The signature parameters (not key, those are already
+ *                          kept by hPublicKey).
  * @param   pvSignedDigest  The signed digest.
  * @param   cbSignedDigest  The signed digest size.
@@ -146 +148 @@
  *
  * @returns Cipher OID string on success, NULL on failure.
- * @param   pAlgorithm      The signature algorithm (digest w/ cipher).
+ * @param   pAlgorithm          The signature algorithm (hash function w/ cipher).
+ * @sa      RTCrX509AlgorithmIdentifier_GetEncryptionOid,
+ *          RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid
  */
 RTDECL(const char *) RTCrPkixGetCiperOidFromSignatureAlgorithm(PCRTASN1OBJID pAlgorithm);
+
+/**
+ * Gets the cipher OID matching the given signature algorithm OID.
+ *
+ * @returns Cipher OID string on success, NULL on failure.
+ * @param   pszSignatureOid     The signature algorithm ID (hash function w/ cipher).
+ * @sa      RTCrX509AlgorithmIdentifier_GetEncryptionOid,
+ *          RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid
+ */
+RTDECL(const char *) RTCrPkixGetCiperOidFromSignatureAlgorithmOid(const char *pszSignatureOid);
 
 
@@ -170 +184 @@
 #define RTCR_PKCS1_SHA512T224_WITH_RSA_OID          "1.2.840.113549.1.1.15"
 #define RTCR_PKCS1_SHA512T256_WITH_RSA_OID          "1.2.840.113549.1.1.16"
+/** @} */
+
+/** @name ANSI X9.62 Object Identifiers (OIDs)
+ * @{ */
+#define RTCR_X962_ECDSA_OID                         "1.2.840.10045.2.1"
+#define RTCR_X962_ECDSA_WITH_SHA1_OID               "1.2.840.10045.4.1"
+#define RTCR_X962_ECDSA_WITH_SHA2_OID               "1.2.840.10045.4.3"
+#define RTCR_X962_ECDSA_WITH_SHA224_OID             "1.2.840.10045.4.3.1"
+#define RTCR_X962_ECDSA_WITH_SHA256_OID             "1.2.840.10045.4.3.2"
+#define RTCR_X962_ECDSA_WITH_SHA384_OID             "1.2.840.10045.4.3.3"
+#define RTCR_X962_ECDSA_WITH_SHA512_OID             "1.2.840.10045.4.3.4"
+/** @}  */
+
+/** @name NIST Object Identifiers (OIDs)
+ * @{ */
+#define RTCR_NIST_ALGORITHM_OID                     "2.16.840.1.101.3.4"
+#define RTCR_NIST_HASH_ALGS_OID                     "2.16.840.1.101.3.4.2"
+#define RTCR_NIST_SIG_ALGS_OID                      "2.16.840.1.101.3.4.3"
+#define RTCR_NIST_SHA3_224_WITH_ECDSA_OID           "2.16.840.1.101.3.4.3.9"
+#define RTCR_NIST_SHA3_256_WITH_ECDSA_OID           "2.16.840.1.101.3.4.3.10"
+#define RTCR_NIST_SHA3_384_WITH_ECDSA_OID           "2.16.840.1.101.3.4.3.11"
+#define RTCR_NIST_SHA3_512_WITH_ECDSA_OID           "2.16.840.1.101.3.4.3.12"
+#define RTCR_NIST_SHA3_224_WITH_RSA_OID             "2.16.840.1.101.3.4.3.13"
+#define RTCR_NIST_SHA3_256_WITH_RSA_OID             "2.16.840.1.101.3.4.3.14"
+#define RTCR_NIST_SHA3_384_WITH_RSA_OID             "2.16.840.1.101.3.4.3.15"
+#define RTCR_NIST_SHA3_512_WITH_RSA_OID             "2.16.840.1.101.3.4.3.16"
 /** @}  */
 
@@ -300 +340 @@
  * @param   ppvOpaque   Where to store an opaque schema parameter. Optional.
  */
-PCRTCRPKIXSIGNATUREDESC RTCrPkixSignatureFindByObjIdString(const char *pszObjId, void *ppvOpaque);
+PCRTCRPKIXSIGNATUREDESC RTCrPkixSignatureFindByObjIdString(const char *pszObjId, void **ppvOpaque);
 
 /**

trunk/include/iprt/crypto/x509.h

@@ -81 +81 @@
  *
  * @returns Valid RTDIGESTTYPE on success, RTDIGESTTYPE_INVALID on failure.
- * @param   pThis           The IPRT representation of a X.509 algorithm
- *                          identifier object.
- */
-RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis);
+ * @param   pThis               The IPRT representation of a X.509 algorithm
+ *                              identifier object.
+ * @param   fPureDigestsOnly    Whether to only match IDs that only identify
+ *                              digest algorithms, or whether to also include
+ *                              IDs that mixes hash and encryption/whatever.
+ */
+RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_GetDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fPureDigestsOnly);
 
 /**
@@ -90 +93 @@
  *
  * @returns The digest size in bytes, UINT32_MAX if unknown digest.
- * @param   pThis           The IPRT representation of a X.509 algorithm
- *                          identifier object.
- */
-RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis);
+ * @param   pThis               The IPRT representation of a X.509 algorithm
+ *                              identifier object.
+ * @param   fPureDigestsOnly    Whether to only match IDs that only identify
+ *                              digest algorithms, or whether to also include
+ *                              IDs that mixes hash and encryption/whatever.
+ */
+RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_GetDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fPureDigestsOnly);
+
+/**
+ * Tries to get the encryption OID from the algorithm.
+ *
+ * @returns The encryption (cipher) OID  on success, NULL on failure.
+ * @param   pThis               The IPRT representation of a X.509 algorithm
+ *                              identifier object.
+ * @param   fMustIncludeHash    Whether the algorithm ID represented by @a pThis
+ *                              must include a hash (true) or whether it is
+ *                              okay to accept pure encryption IDs as well
+ *                              (false).
+ */
+RTDECL(const char *) RTCrX509AlgorithmIdentifier_GetEncryptionOid(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fMustIncludeHash);
+
+/**
+ * Tries to get the encryption OID from the given algorithm OID string.
+ *
+ * @returns The encryption (cipher) OID  on success, NULL on failure.
+ * @param   pszAlgorithmOid     The IPRT representation of a X.509 algorithm
+ *                              identifier object.
+ * @param   fMustIncludeHash    Whether @a pszAlgorithmOid must include a hash
+ *                              (true) or whether it is okay to accept pure
+ *                              encryption IDs as well (false).
+ */
+RTDECL(const char *) RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid(const char *pszAlgorithmOid, bool fMustIncludeHash);
 
 RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId);
@@ -155 +186 @@
 #define RTCRX509ALGORITHMIDENTIFIERID_MD4               "1.2.840.113549.2.4"
 #define RTCRX509ALGORITHMIDENTIFIERID_MD5               "1.2.840.113549.2.5"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA0              "1.3.14.3.2.18"
 #define RTCRX509ALGORITHMIDENTIFIERID_SHA1              "1.3.14.3.2.26"
 #define RTCRX509ALGORITHMIDENTIFIERID_SHA256            "2.16.840.1.101.3.4.2.1"
@@ -188 +220 @@
 #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA     "2.16.840.1.101.3.4.3.15"
 #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA     "2.16.840.1.101.3.4.3.16"
+#define RTCRX509ALGORITHMIDENTIFIERID_ECDSA                 "1.2.840.10045.2.1"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_ECDSA       "1.2.840.10045.4.1"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_ECDSA     "1.2.840.10045.4.3.1"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_ECDSA     "1.2.840.10045.4.3.2"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_ECDSA     "1.2.840.10045.4.3.3"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_ECDSA     "1.2.840.10045.4.3.4"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_ECDSA   "2.16.840.1.101.3.4.3.9"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_ECDSA   "2.16.840.1.101.3.4.3.10"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_ECDSA   "2.16.840.1.101.3.4.3.11"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_ECDSA   "2.16.840.1.101.3.4.3.12"
 /** @} */
 

trunk/include/iprt/err.h

@@ -2170 +2170 @@
 /** Expected RSA public key. */
 #define VERR_CR_PKIX_NOT_RSA_PUBLIC_KEY             (-23524)
+/** Expected ECDSA private key. */
+#define VERR_CR_PKIX_NOT_ECDSA_PRIVATE_KEY          (-23525)
+/** Expected ECDSA public key. */
+#define VERR_CR_PKIX_NOT_ECDSA_PUBLIC_KEY           (-23526)
+/** OpenSSL failed to decode the key parameters. */
+#define VERR_CR_PKIX_OSSL_D2I_KEY_PARAMS_FAILED     (-23527)
 /** @} */
 
@@ -2213 +2219 @@
 /** Failed to generate RSA key. */
 #define VERR_CR_KEY_GEN_FAILED_RSA                  (-23815)
+/** Key algorithm parameters not expected. */
+#define VERR_CR_KEY_ALGO_PARAMS_UNEXPECTED          (-23816)
+/** Key algorithm parameters are required but missing. */
+#define VERR_CR_KEY_ALGO_PARAMS_MISSING             (-23817)
+/** Key algorithm parameters are not known/supported. */
+#define VERR_CR_KEY_ALGO_PARAMS_UNKNOWN             (-23818)
+/** Algorithm parameters does not match the key. */
+#define VERR_CR_KEY_ALGO_PARAMS_MISMATCH            (-23819)
+
 /** @} */
 

trunk/include/iprt/mangling.h

@@ -3528 +3528 @@
 # define RTCrKeyQueryRsaModulus                         RT_MANGLER(RTCrKeyQueryRsaModulus)
 # define RTCrKeyQueryRsaPrivateExponent                 RT_MANGLER(RTCrKeyQueryRsaPrivateExponent)
+# define RTCrKeyVerifyParameterCompatibility            RT_MANGLER(RTCrKeyVerifyParameterCompatibility)
 # define RTCrRc4                                        RT_MANGLER(RTCrRc4)
 # define RTCrRc4SetKey                                  RT_MANGLER(RTCrRc4SetKey)
@@ -3709 +3710 @@
 # define RTCrPkixSignatureVerifyOctetString             RT_MANGLER(RTCrPkixSignatureVerifyOctetString)
 # define RTCrPkixGetCiperOidFromSignatureAlgorithm      RT_MANGLER(RTCrPkixGetCiperOidFromSignatureAlgorithm)
+# define RTCrPkixGetCiperOidFromSignatureAlgorithmOid   RT_MANGLER(RTCrPkixGetCiperOidFromSignatureAlgorithmOid)
 # define RTCrPkixPubKeySignDigest                       RT_MANGLER(RTCrPkixPubKeySignDigest)
 # define RTCrPkixPubKeyVerifySignature                  RT_MANGLER(RTCrPkixPubKeyVerifySignature)
@@ -3867 +3869 @@
 # define RTCrX509AlgorithmIdentifier_Delete             RT_MANGLER(RTCrX509AlgorithmIdentifier_Delete)
 # define RTCrX509AlgorithmIdentifier_Enum               RT_MANGLER(RTCrX509AlgorithmIdentifier_Enum)
-# define RTCrX509AlgorithmIdentifier_QueryDigestSize    RT_MANGLER(RTCrX509AlgorithmIdentifier_QueryDigestSize)
-# define RTCrX509AlgorithmIdentifier_QueryDigestType    RT_MANGLER(RTCrX509AlgorithmIdentifier_QueryDigestType)
+# define RTCrX509AlgorithmIdentifier_GetDigestSize      RT_MANGLER(RTCrX509AlgorithmIdentifier_GetDigestSize)
+# define RTCrX509AlgorithmIdentifier_GetDigestType      RT_MANGLER(RTCrX509AlgorithmIdentifier_GetDigestType)
+# define RTCrX509AlgorithmIdentifier_GetEncryptionOid   RT_MANGLER(RTCrX509AlgorithmIdentifier_GetEncryptionOid)
+# define RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid RT_MANGLER(RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid)
 # define RTCrX509AlgorithmIdentifiers_Compare           RT_MANGLER(RTCrX509AlgorithmIdentifiers_Compare)
 # define RTCrX509AlgorithmIdentifiers_Delete            RT_MANGLER(RTCrX509AlgorithmIdentifiers_Delete)