Bug 1088140 - support RSA-PSS signatures on certificates in the certi…

…ficate verifier r=jschanck Differential Revision: https://phabricator.services.mozilla.com/D141780
dothq · Mar 24, 2022 · 7cd2342 · 7cd2342
1 parent caf282f
commit 7cd2342
Show file tree

Hide file tree

Showing 11 changed files with 65 additions and 0 deletions.
diff --git a/security/apps/AppTrustDomain.cpp b/security/apps/AppTrustDomain.cpp
@@ -237,6 +237,14 @@ Result AppTrustDomain::VerifyRSAPKCS1SignedData(Input data,
                                      subjectPublicKeyInfo, nullptr);
 }
 
+Result AppTrustDomain::VerifyRSAPSSSignedData(Input data,
+                                              DigestAlgorithm digestAlgorithm,
+                                              Input signature,
+                                              Input subjectPublicKeyInfo) {
+  return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
+                                   subjectPublicKeyInfo, nullptr);
+}
+
 Result AppTrustDomain::CheckECDSACurveIsAcceptable(
     EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
   switch (curve) {

diff --git a/security/apps/AppTrustDomain.h b/security/apps/AppTrustDomain.h
@@ -55,6 +55,10 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
+  virtual Result VerifyRSAPSSSignedData(
+      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input subjectPublicKeyInfo) override;
   virtual Result CheckECDSACurveIsAcceptable(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       mozilla::pkix::NamedCurve curve) override;

diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -1479,6 +1479,13 @@ Result NSSCertDBTrustDomain::VerifyRSAPKCS1SignedData(
                                      subjectPublicKeyInfo, mPinArg);
 }
 
+Result NSSCertDBTrustDomain::VerifyRSAPSSSignedData(
+    Input data, DigestAlgorithm digestAlgorithm, Input signature,
+    Input subjectPublicKeyInfo) {
+  return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
+                                   subjectPublicKeyInfo, mPinArg);
+}
+
 Result NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable(
     EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
   switch (curve) {

diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
@@ -176,6 +176,11 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
 
+  virtual Result VerifyRSAPSSSignedData(
+      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input subjectPublicKeyInfo) override;
+
   virtual Result CheckECDSACurveIsAcceptable(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       mozilla::pkix::NamedCurve curve) override;

diff --git a/security/certverifier/OCSPVerificationTrustDomain.cpp b/security/certverifier/OCSPVerificationTrustDomain.cpp
@@ -66,6 +66,13 @@ Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedData(
       data, digestAlgorithm, signature, subjectPublicKeyInfo);
 }
 
+Result OCSPVerificationTrustDomain::VerifyRSAPSSSignedData(
+    Input data, DigestAlgorithm digestAlgorithm, Input signature,
+    Input subjectPublicKeyInfo) {
+  return mCertDBTrustDomain.VerifyRSAPSSSignedData(
+      data, digestAlgorithm, signature, subjectPublicKeyInfo);
+}
+
 Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable(
     EndEntityOrCA aEEOrCA, NamedCurve aCurve) {
   return mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve);

diff --git a/security/certverifier/OCSPVerificationTrustDomain.h b/security/certverifier/OCSPVerificationTrustDomain.h
@@ -43,6 +43,11 @@ class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
 
+  virtual Result VerifyRSAPSSSignedData(
+      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input subjectPublicKeyInfo) override;
+
   virtual Result CheckECDSACurveIsAcceptable(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       mozilla::pkix::NamedCurve curve) override;

diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
@@ -87,6 +87,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
+  Result VerifyRSAPSSSignedData(Input, DigestAlgorithm, Input, Input) override {
+    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+  }
+
   Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
                                    KeyPurposeId) override {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;

diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
@@ -727,6 +727,14 @@ class OCSPExtensionTrustDomain : public TrustDomain {
                                        subjectPublicKeyInfo, nullptr);
   }
 
+  pkix::Result VerifyRSAPSSSignedData(Input data,
+                                      DigestAlgorithm digestAlgorithm,
+                                      Input signature,
+                                      Input subjectPublicKeyInfo) override {
+    return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
+                                     subjectPublicKeyInfo, nullptr);
+  }
+
   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
                                          KeyPurposeId) override {
     ADD_FAILURE();

diff --git a/security/manager/ssl/CSTrustDomain.cpp b/security/manager/ssl/CSTrustDomain.cpp
@@ -153,6 +153,14 @@ Result CSTrustDomain::VerifyRSAPKCS1SignedData(Input data,
                                      subjectPublicKeyInfo, nullptr);
 }
 
+Result CSTrustDomain::VerifyRSAPSSSignedData(Input data,
+                                             DigestAlgorithm digestAlgorithm,
+                                             Input signature,
+                                             Input subjectPublicKeyInfo) {
+  return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
+                                   subjectPublicKeyInfo, nullptr);
+}
+
 Result CSTrustDomain::CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA,
                                                   NamedCurve curve) {
   switch (curve) {

diff --git a/security/manager/ssl/CSTrustDomain.h b/security/manager/ssl/CSTrustDomain.h
@@ -50,6 +50,10 @@ class CSTrustDomain final : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
+  virtual Result VerifyRSAPSSSignedData(
+      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input subjectPublicKeyInfo) override;
   virtual Result CheckECDSACurveIsAcceptable(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       mozilla::pkix::NamedCurve curve) override;

diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -2066,6 +2066,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
       Input subjectPublicKeyInfo) override {
     return Success;
   }
+  virtual mozilla::pkix::Result VerifyRSAPSSSignedData(
+      Input data, DigestAlgorithm, Input signature,
+      Input subjectPublicKeyInfo) override {
+    return Success;
+  }
   virtual mozilla::pkix::Result CheckECDSACurveIsAcceptable(
       EndEntityOrCA endEntityOrCA, NamedCurve curve) override {
     return Success;