CMP: generalize ossl_cmp_calc_protection() to handle Edwards curves c…

…orrectly

Fixes openssl#21564

Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#21884)

crypto/cmp/cmp_protect.c

@@ -22,9 +22,11 @@
 /*
  * This function is also used by the internal verify_PBMAC() in cmp_vfy.c.
  *
- * Calculate protection for given PKImessage according to
- * the algorithm and parameters in the message header's protectionAlg
+ * Calculate protection for |msg| according to |msg->header->protectionAlg|
  * using the credentials, library context, and property criteria in the ctx.
+ * Unless |msg->header->protectionAlg| is PasswordBasedMAC,
+ * its value is completed according to |ctx->pkey| and |ctx->digest|,
+ * where the latter irrelevant in the case of Edwards curves.
  *
  * returns ASN1_BIT_STRING representing the protection on success, else NULL
  */
@@ -104,23 +106,22 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
         OPENSSL_free(prot_part_der);
         return prot;
     } else {
-        int md_nid;
-        const EVP_MD *md = NULL;
+        const EVP_MD *md = ctx->digest;
+        char name[80] = "";
 
         if (ctx->pkey == NULL) {
             ERR_raise(ERR_LIB_CMP,
                       CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
             return NULL;
         }
-        if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_nid, NULL)
-                || (md = EVP_get_digestbynid(md_nid)) == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_ALGORITHM_ID);
-            return NULL;
-        }
+        if (EVP_PKEY_get_default_digest_name(ctx->pkey, name, sizeof(name)) > 0
+            && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */
+            md = NULL;
 
         if ((prot = ASN1_BIT_STRING_new()) == NULL)
             return NULL;
-        if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART), NULL,
+        if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART),
+                              msg->header->protectionAlg, /* sets X509_ALGOR */
                               NULL, prot, &prot_part, NULL, ctx->pkey, md,
                               ctx->libctx, ctx->propq))
             return prot;
@@ -216,18 +217,6 @@ static X509_ALGOR *pbmac_algor(const OSSL_CMP_CTX *ctx)
     return alg;
 }
 
-static X509_ALGOR *sig_algor(const OSSL_CMP_CTX *ctx)
-{
-    int nid = 0;
-
-    if (!OBJ_find_sigid_by_algs(&nid, EVP_MD_get_type(ctx->digest),
-                                EVP_PKEY_get_id(ctx->pkey))) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_KEY_TYPE);
-        return 0;
-    }
-    return ossl_X509_ALGOR_from_nid(nid, V_ASN1_UNDEF, NULL);
-}
-
 static int set_senderKID(const OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg,
                          const ASN1_OCTET_STRING *id)
 {
@@ -275,7 +264,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
             goto err;
         }
 
-        if ((msg->header->protectionAlg = sig_algor(ctx)) == NULL)
+        if ((msg->header->protectionAlg = X509_ALGOR_new()) == NULL)
             goto err;
         /* set senderKID to keyIdentifier of the cert according to 5.1.1 */
         if (!set_senderKID(ctx, msg, X509_get0_subject_key_id(ctx->cert)))
@@ -291,6 +280,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
         goto err;
     }
     if (!ctx->unprotectedSend
+        /* protect according to msg->header->protectionAlg partly set above */
             && ((msg->protection = ossl_cmp_calc_protection(ctx, msg)) == NULL))
         goto err;
 

crypto/crmf/crmf_lib.c

@@ -386,8 +386,9 @@ static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
         digest = NULL;
 
     return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
-                             ps->algorithmIdentifier, NULL, ps->signature, cr,
-                             NULL, pkey, digest, libctx, propq);
+                             ps->algorithmIdentifier, /* sets this X509_ALGOR */
+                             NULL, ps->signature, /* sets the ASN1_BIT_STRING */
+                             cr, NULL, pkey, digest, libctx, propq);
 }
 
 int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,

doc/internal/man3/ossl_cmp_msg_protect.pod

@@ -21,6 +21,9 @@ ossl_cmp_msg_add_extraCerts
 ossl_cmp_calc_protection() calculates the protection for the given I<msg>
 according to the algorithm and parameters in the message header's protectionAlg
 using the credentials, library context, and property criteria in the I<ctx>.
+Unless I<msg->header->protectionAlg> is B<PasswordBasedMAC>,
+its value is completed according to I<ctx->pkey> and I<ctx->digest>,
+where the latter irrelevant in the case of Edwards curves.
 
 ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm
 depending on the available context information given in the I<ctx>.

test/cmp_protect_test.c

@@ -12,6 +12,7 @@
 #include "helpers/cmp_testlib.h"
 
 static const char *ir_protected_f;
+static const char *genm_prot_Ed_f;
 static const char *ir_unprotected_f;
 static const char *ip_PBM_f;
 
@@ -62,10 +63,13 @@ static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name)
     return fixture;
 }
 
-static EVP_PKEY *loadedprivkey = NULL;
-static EVP_PKEY *loadedpubkey = NULL;
-static EVP_PKEY *loadedkey = NULL;
-static X509 *cert = NULL;
+static EVP_PKEY *prot_RSA_key = NULL;
+#ifndef OPENSSL_NO_ECX
+static EVP_PKEY *prot_Ed_key = NULL;
+static OSSL_CMP_MSG *genm_protected_Ed;
+#endif
+static EVP_PKEY *server_key = NULL;
+static X509 *server_cert = NULL;
 static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH];
 static OSSL_CMP_MSG *ir_unprotected, *ir_protected;
 static X509 *endentity1 = NULL, *endentity2 = NULL,
@@ -94,33 +98,20 @@ static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture)
 }
 
 /*
- * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c,
- * but without the need for an OSSL_CMP_CTX or a X509 certificate
+ * This function works similarly to parts of verify_signature in cmp_vfy.c,
+ * but without the need for an OSSL_CMP_CTX or an X509 certificate.
  */
 static int verify_signature(OSSL_CMP_MSG *msg,
                             ASN1_BIT_STRING *protection,
                             EVP_PKEY *pkey, EVP_MD *digest)
 {
     OSSL_CMP_PROTECTEDPART prot_part;
-    unsigned char *prot_part_der = NULL;
-    int len;
-    EVP_MD_CTX *ctx = NULL;
-    int res;
 
     prot_part.header = OSSL_CMP_MSG_get0_header(msg);
     prot_part.body = msg->body;
-    len = i2d_OSSL_CMP_PROTECTEDPART(&prot_part, &prot_part_der);
-    res =
-        TEST_int_ge(len, 0)
-        && TEST_ptr(ctx = EVP_MD_CTX_new())
-        && TEST_true(EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey))
-        && TEST_int_eq(EVP_DigestVerify(ctx, protection->data,
-                                        protection->length,
-                                        prot_part_der, len), 1);
-    /* cleanup */
-    EVP_MD_CTX_free(ctx);
-    OPENSSL_free(prot_part_der);
-    return res;
+    return ASN1_item_verify_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART),
+                               msg->header->protectionAlg, protection,
+                               &prot_part, NULL, pkey, libctx, NULL) > 0;
 }
 
 /* Calls OSSL_CMP_calc_protection and compares and verifies signature */
@@ -130,11 +121,9 @@ static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE *
     ASN1_BIT_STRING *protection =
         ossl_cmp_calc_protection(fixture->cmp_ctx, fixture->msg);
     int ret = (TEST_ptr(protection)
-                   && TEST_true(ASN1_STRING_cmp(protection,
-                                                fixture->msg->protection) == 0)
-                   && TEST_true(verify_signature(fixture->msg, protection,
-                                                 fixture->pubkey,
-                                                 fixture->cmp_ctx->digest)));
+               && TEST_true(verify_signature(fixture->msg, protection,
+                                             fixture->pubkey,
+                                             fixture->cmp_ctx->digest)));
 
     ASN1_BIT_STRING_free(protection);
     return ret;
@@ -157,16 +146,31 @@ static int test_cmp_calc_protection_no_key_no_secret(void)
 static int test_cmp_calc_protection_pkey(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
-    fixture->pubkey = loadedpubkey;
-    if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedprivkey))
-            || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))) {
+    fixture->pubkey = prot_RSA_key;
+    if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, prot_RSA_key))
+        || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))) {
         tear_down(fixture);
         fixture = NULL;
     }
     EXECUTE_TEST(execute_calc_protection_signature_test, tear_down);
     return result;
 }
 
+#ifndef OPENSSL_NO_ECX
+static int test_cmp_calc_protection_pkey_Ed(void)
+{
+    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->pubkey = prot_Ed_key;
+    if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, prot_Ed_key))
+        || !TEST_ptr(fixture->msg = load_pkimsg(genm_prot_Ed_f, libctx))) {
+        tear_down(fixture);
+        fixture = NULL;
+    }
+    EXECUTE_TEST(execute_calc_protection_signature_test, tear_down);
+    return result;
+}
+#endif
+
 static int test_cmp_calc_protection_pbmac(void)
 {
     unsigned char sec_insta[] = { 'i', 'n', 's', 't', 'a' };
@@ -236,8 +240,9 @@ static int test_MSG_protect_with_certificate_and_key(void)
     if (!TEST_ptr(fixture->msg =
                   OSSL_CMP_MSG_dup(ir_unprotected))
             || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0))
-            || !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedkey))
-            || !TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx, cert))) {
+            || !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, server_key))
+            || !TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx,
+                                                 server_cert))) {
         tear_down(fixture);
         fixture = NULL;
     }
@@ -255,11 +260,11 @@ static int test_MSG_protect_certificate_based_without_cert(void)
     if (!TEST_ptr(fixture->msg =
                   OSSL_CMP_MSG_dup(ir_unprotected))
             || !TEST_true(SET_OPT_UNPROTECTED_SEND(ctx, 0))
-            || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, loadedkey))) {
+            || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, server_key))) {
         tear_down(fixture);
         fixture = NULL;
     }
-    EVP_PKEY_up_ref(loadedkey);
+    EVP_PKEY_up_ref(server_key);
     EXECUTE_TEST(execute_MSG_protect_test, tear_down);
     return result;
 }
@@ -517,10 +522,13 @@ static int test_X509_STORE_only_self_issued(void)
 
 void cleanup_tests(void)
 {
-    EVP_PKEY_free(loadedprivkey);
-    EVP_PKEY_free(loadedpubkey);
-    EVP_PKEY_free(loadedkey);
-    X509_free(cert);
+    EVP_PKEY_free(prot_RSA_key);
+#ifndef OPENSSL_NO_ECX
+    EVP_PKEY_free(prot_Ed_key);
+    OSSL_CMP_MSG_free(genm_protected_Ed);
+#endif
+    EVP_PKEY_free(server_key);
+    X509_free(server_cert);
     X509_free(endentity1);
     X509_free(endentity2);
     X509_free(root);
@@ -532,14 +540,16 @@ void cleanup_tests(void)
     OSSL_LIB_CTX_free(libctx);
 }
 
-#define USAGE "server.pem IR_protected.der IR_unprotected.der IP_PBM.der " \
+#define USAGE "prot_RSA.pem IR_protected.der prot_Ed.pem " \
+    "GENM_protected_Ed.der IR_unprotected.der IP_PBM.der " \
     "server.crt server.pem EndEntity1.crt EndEntity2.crt Root_CA.crt " \
     "Intermediate_CA.crt module_name [module_conf_file]\n"
 OPT_TEST_DECLARE_USAGE(USAGE)
 
 int setup_tests(void)
 {
-    char *server_f;
+    char *prot_RSA_f;
+    char *prot_Ed_f;
     char *server_key_f;
     char *server_cert_f;
     char *endentity1_f;
@@ -553,32 +563,39 @@ int setup_tests(void)
     }
 
     RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH);
-    if (!TEST_ptr(server_f = test_get_argument(0))
+    if (!TEST_ptr(prot_RSA_f = test_get_argument(0))
             || !TEST_ptr(ir_protected_f = test_get_argument(1))
-            || !TEST_ptr(ir_unprotected_f = test_get_argument(2))
-            || !TEST_ptr(ip_PBM_f = test_get_argument(3))
-            || !TEST_ptr(server_cert_f = test_get_argument(4))
-            || !TEST_ptr(server_key_f = test_get_argument(5))
-            || !TEST_ptr(endentity1_f = test_get_argument(6))
-            || !TEST_ptr(endentity2_f = test_get_argument(7))
-            || !TEST_ptr(root_f = test_get_argument(8))
-            || !TEST_ptr(intermediate_f = test_get_argument(9))) {
+            || !TEST_ptr(prot_Ed_f = test_get_argument(2))
+            || !TEST_ptr(genm_prot_Ed_f = test_get_argument(3))
+            || !TEST_ptr(ir_unprotected_f = test_get_argument(4))
+            || !TEST_ptr(ip_PBM_f = test_get_argument(5))
+            || !TEST_ptr(server_cert_f = test_get_argument(6))
+            || !TEST_ptr(server_key_f = test_get_argument(7))
+            || !TEST_ptr(endentity1_f = test_get_argument(8))
+            || !TEST_ptr(endentity2_f = test_get_argument(9))
+            || !TEST_ptr(root_f = test_get_argument(10))
+            || !TEST_ptr(intermediate_f = test_get_argument(11))) {
         TEST_error("usage: cmp_protect_test %s", USAGE);
         return 0;
     }
 
-    if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE))
+    if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 12, USAGE))
         return 0;
 
-    if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx))
-            || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx)))
+    if (!TEST_ptr(server_key = load_pkey_pem(server_key_f, libctx))
+            || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx)))
         return 0;
 
-    if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx)))
+    if (!TEST_ptr(prot_RSA_key = load_pkey_pem(prot_RSA_f, libctx)))
         return 0;
-    if (TEST_true(EVP_PKEY_up_ref(loadedprivkey)))
-        loadedpubkey = loadedprivkey;
+#ifndef OPENSSL_NO_ECX
+    if (!TEST_ptr(prot_Ed_key = load_pkey_pem(prot_Ed_f, libctx)))
+        return 0;
+#endif
     if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f, libctx))
+#ifndef OPENSSL_NO_ECX
+        || !TEST_ptr(genm_protected_Ed = load_pkimsg(genm_prot_Ed_f, libctx))
+#endif
         || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx)))
         return 0;
     if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx))
@@ -592,6 +609,9 @@ int setup_tests(void)
     /* Message protection tests */
     ADD_TEST(test_cmp_calc_protection_no_key_no_secret);
     ADD_TEST(test_cmp_calc_protection_pkey);
+#ifndef OPENSSL_NO_ECX
+    ADD_TEST(test_cmp_calc_protection_pkey_Ed);
+#endif
     ADD_TEST(test_cmp_calc_protection_pbmac);
 
     ADD_TEST(test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key);

test/recipes/65-test_cmp_protect.t

@@ -30,8 +30,10 @@ plan skip_all => "This test is not supported in a shared library build on Window
 plan tests => 2 + ($no_fips ? 0 : 1); #fips test
 
 my @basic_cmd = ("cmp_protect_test",
-                 data_file("server.pem"),
-                 data_file("IR_protected.der"),
+                 data_file("prot_RSA.pem"),
+                 data_file("IR_protected.der"), # signed using prot_RSA.pem
+                 data_file("prot_Ed.pem"), # test/certs/root-ed25519.privkey.pem
+                 data_file("GENM_protected_Ed.der"), # signed using prot_Ed.pem
                  data_file("IR_unprotected.der"),
                  data_file("IP_PBM.der"),
                  data_file("server.crt"),

test/recipes/65-test_cmp_protect_data/prot_Ed.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
+-----END PRIVATE KEY-----

test/recipes/65-test_cmp_protect_data/prot_RSA.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA4ckRrH0UWmIJFj99kBqvCipGjJRAaPkdvWjdDQLglTpI3eZA
+JHnq0ypW/PZccrWjo7mxuvAStEYWF+5Jx6ZFmAsC1K0NNebSAZQoLWYZqiOzkfVV
+pLicMnItNFElfCohBzPCYmF5UlC5yp9PSUEfNwPJqDIRMtw+IlVUV3AJw9TJ3uuW
+q/vWW9r96/gBKKddmj/q2gGT8RC6LxEaolTbhfPbHaA1DFpv1WQFb3oAV3Wq14SO
+Zf9bH1olBVsmBMsUshFEw5MXVrNCv2moM4HtITMyjvZe7eIwHzSzf6dvQjERG6Gv
+Z/i5KOhaqgJCnRKdHHzijz9cLec5p9NSOuC1OwIDAQABAoIBAGiYVO+rIfqc38jG
+sMxJED2NSBFnvE7k2LoeEgktBA0daxQgziYXtIkOXC3jkwAw1RXLuGH5RTDuJt3/
+LX6nsCW3NCCB6lTGERNaJyKg4dLHpzA+juY3/2P/MKHD1bGncpV7jNk2fpV7gBY1
+pu0wld1Oi+S3DPCaxs3w6Zl39Y4Z7oSNf6DRO5lGN3Asc8TSVjIOWpAl8LIg+P2B
+ZvFeHRANVXaV9YmF2uEi7iMgH4vGrK2svsmM9VThVO4ArGcTRTvGYn7aw3/H4Pt+
+lYuhERdpkKBT0tCgIpO5IJXMl4/5RSDTtcBwiJcReN5IHUAItBIPSHcMflNSKG/I
+aQf4u0ECgYEA8+PAyzn096Y2UrKzE75yuadCveLjsUWx2NN5ZMohQru99F4k7Pab
+/Te4qOe5zlxHAPK3LRwvbwUWo5mLfs45wFrSgZoRlYcCuL+JaX0y2oXMMF9E+UkY
+tljMt/HpLo1SfSjN2Sae4LVhC7rWJ43LtyRepptzBPGqd26eLPGAMr8CgYEA7P8u
+RGkMOrMzEKAb0A9smrzq2xW88T1VejqEt6R8mUcNt8PFHMgjuzVU4zDysrlb7G/0
+VSkQWnJxBh1yNGc1Av7YgwicIgApr4ty0hZhLcnKX2VrNw+L/sSe/cnwVAc6RtPK
+RR6xQubuLlrCGcbYXmyn5Jv+nlY0S3uCyDFHqIUCgYAwtpLxhJf7RwWeqva9wNJl
+ZpUcHE9iPwtwxXx/tyfBjoI4Zv11HyS1BQYrJm2kXCYKeHBB4FlREXEeKDMGluZO
+F1XocP+GIDtY71jg6xLXNtY76yt5pzH6ae4p53WtyKhrO1UyRFaDh3bkwuK3b8j6
+wZbuLCpjGGn2BPAvBeWXPQKBgEewKN6op/pZmmi9Bay5/bAQ1TnQKYcPdnuyl9K0
+/ruespeTsFw0bhqC11qhw8gsKZIri0z3TusNEwM2hQU08uQlEnkQcaoXQoTHOcQy
+4NJo575Tf0r4ePBnqXA7VWcViJtEFTszPYtvLzz2VyBU9b4aP+73AN4EVW0/vx+v
+SG3BAoGBAMzESFA2TXwUFmozK5zowIszc995Xqpi7mXKk77WESOpoS1dQ1wF1dSg
+XOwxzFoYovLxcc1K9lqOrod8BV+qGuEfc/PIJ2aiXjvEDeZYX2eWaANNmj4OSLoJ
+MNYj9tZxbq56slD7snf7AgUBnwKz0Pj6H6UsbE3gdJqZWCDyw/bB
+-----END RSA PRIVATE KEY-----