Skip to content

x509-cert: builder: support RandomizedSigner too.#1007

Merged
tarcieri merged 6 commits intoRustCrypto:masterfrom
lumag:builder-upd-2
Apr 19, 2023
Merged

x509-cert: builder: support RandomizedSigner too.#1007
tarcieri merged 6 commits intoRustCrypto:masterfrom
lumag:builder-upd-2

Conversation

@lumag
Copy link
Contributor

@lumag lumag commented Apr 18, 2023

No description provided.

@lumag lumag mentioned this pull request Apr 18, 2023
Merged
lumag added 4 commits April 18, 2023 18:52
@lumag
x509-cert: builder: correct Error type in the comment
986c825 
Correct the comment for builder::Error::Signature: it should mention
signature::Error instead of siganture::Signer.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
@lumag
x509-cert: builder: remove unused ::new<Signature> generic parameter
ec33c77 
The Signatue parameter of CertificateBuilder::new() is unused. Let's
drop it. We still bind the signature type at the time of
CertificateBuilder::build() call.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
@lumag
x509-cert: builder: support signing with RandomizedSigner
2bff011 
Add support for using RandomizedSigner for signing certificates in
addition to just Signer keys.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
@lumag
x509-cert: tests/builder: don't use deprecated rsa API
9460f8e 
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
@lumag
Copy link
Contributor Author

lumag commented Apr 18, 2023

cc @baloo

@lumag
Copy link
Contributor Author

lumag commented Apr 18, 2023

depends on RustCrypto/RSA#299

baloo
baloo reviewed Apr 18, 2023
View reviewed changes
@lumag @baloo
Update x509-cert/src/builder.rs
baeabba 
Co-authored-by: Arthur Gautier <superbaloo+registrations.github@superbaloo.net>
@baloo
Copy link
Member

baloo commented Apr 18, 2023

zlint complains about:

failed lints: {"e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct": LintStatus { status: Error, details: Some("RSASSA-PSS parameters are not properly encoded. 3 presentations are allowed but got the unsupported 303806092a864886f70d01010a302ba00d300b0609608648016503040201a11a301806092a864886f70d010108300b0609608648016503040201") }}

This is in relation to https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#511-rsa

RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes.

The encoded AlgorithmIdentifier MUST match the following hex-encoded bytes:

304106092a864886f70d01010a3034a00f300d0609608648016503040201
0500a11c301a06092a864886f70d010108300d0609608648016503040201
0500a203020120

RSASSA-PSS with SHA-384, MGF-1 with SHA-384, and a salt length of 48 bytes.

The encoded AlgorithmIdentifier MUST match the following hex-encoded bytes:

304106092a864886f70d01010a3034a00f300d0609608648016503040202
0500a11c301a06092a864886f70d010108300d0609608648016503040202
0500a203020130

RSASSA-PSS with SHA-512, MGF-1 with SHA-512, and a salt length of 64 bytes.

The encoded AlgorithmIdentifier MUST match the following hex-encoded bytes:

304106092a864886f70d01010a3034a00f300d0609608648016503040203
0500a11c301a06092a864886f70d010108300d0609608648016503040203
0500a203020140

@lumag
Copy link
Contributor Author

lumag commented Apr 18, 2023

@baloo yes, this will be fixed once the rsa crate is updated. See the changes at RustCrypto/RSA#299 and #1010

@baloo
Copy link
Member

baloo commented Apr 18, 2023

ha, oh. got it.

@lumag
Cargo.toml: bump up rsa version to pick up RsaPssParams fixes
390cea1 
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
@lumag
Copy link
Contributor Author

lumag commented Apr 19, 2023

@tarcieri @baloo should be fixed now

@tarcieri tarcieri merged commit 81429f3 into RustCrypto:master Apr 19, 2023
baloo added a commit to baloo/formats that referenced this pull request May 3, 2023
@baloo
x509-cert: v0.2.2
fcb4ea3 
Added
- Certificate builder ([RustCrypto#764])
- Support for `RandomizedSigner` in builder ([RustCrypto#1007])
- Provide parsing profiles ([RustCrypto#987])
- Support for `Time::INFINITY` ([RustCrypto#1024])
- Conversion from `std::net::IpAddr` ([RustCrypto#1035])
- `CertReq` builder ([RustCrypto#1034])

Changed
- use `ErrorKind::Value` for overlength serial ([RustCrypto#988])
- Bump `hex-literal` to v0.4.1 ([RustCrypto#999])
- Builder updates ([RustCrypto#1001])
- better debug info when `zlint` isn't installed ([RustCrypto#1018])
- make SKI optional in leaf certificate ([RustCrypto#1028])
- bump rsa from 0.9.0-pre.2 to 0.9.0 ([RustCrypto#1033])

Fixed
- fix `KeyUsage` bit tests ([RustCrypto#993])
- extraneous PhantomData in `TbsCertificate` ([RustCrypto#1019])
@baloo baloo mentioned this pull request May 3, 2023
Merged
baloo added a commit to baloo/formats that referenced this pull request May 3, 2023
@baloo
x509-cert: v0.2.2
6e29d0b 
Added
- Certificate builder ([RustCrypto#764])
- Support for `RandomizedSigner` in builder ([RustCrypto#1007])
- Provide parsing profiles ([RustCrypto#987])
- Support for `Time::INFINITY` ([RustCrypto#1024])
- Conversion from `std::net::IpAddr` ([RustCrypto#1035])
- `CertReq` builder ([RustCrypto#1034])

Changed
- use `ErrorKind::Value` for overlength serial ([RustCrypto#988])
- Bump `hex-literal` to v0.4.1 ([RustCrypto#999])
- Builder updates ([RustCrypto#1001])
- better debug info when `zlint` isn't installed ([RustCrypto#1018])
- make SKI optional in leaf certificate ([RustCrypto#1028])
- bump rsa from 0.9.0-pre.2 to 0.9.0 ([RustCrypto#1033])

Fixed
- fix `KeyUsage` bit tests ([RustCrypto#993])
- extraneous PhantomData in `TbsCertificate` ([RustCrypto#1017])
baloo added a commit to baloo/formats that referenced this pull request May 10, 2023
@baloo
x509-cert: v0.2.2
c9617ab 
Added
- Certificate builder (RustCrypto#764)
- Support for `RandomizedSigner` in builder (RustCrypto#1007)
- Provide parsing profiles (RustCrypto#987)
- Support for `Time::INFINITY` (RustCrypto#1024)
- Conversion from `std::net::IpAddr` (RustCrypto#1035)
- `CertReq` builder (RustCrypto#1034)
- missing extension implementations (RustCrypto#1050)
- notes about `UTCTime` range being 1970-2049 (RustCrypto#1052)

Changed
- use `ErrorKind::Value` for overlength serial (RustCrypto#988)
- Bump `hex-literal` to v0.4.1 (RustCrypto#999)
- Builder updates (RustCrypto#1001)
- better debug info when `zlint` isn't installed (RustCrypto#1018)
- make SKI optional in leaf certificate (RustCrypto#1028)
- bump rsa from 0.9.0-pre.2 to 0.9.0 (RustCrypto#1033)
- bump rsa from 0.9.1 to 0.9.2 (RustCrypto#1056)

Fixed
- fix `KeyUsage` bit tests (RustCrypto#993)
- extraneous PhantomData in `TbsCertificate` (RustCrypto#1017)
- CI flakiness (RustCrypto#1042)
- usage of ecdsa signer (RustCrypto#1043)
baloo added a commit to baloo/formats that referenced this pull request May 11, 2023
@baloo
x509-cert: v0.2.2
dbeced4 
Added
- Certificate builder (RustCrypto#764)
- Support for `RandomizedSigner` in builder (RustCrypto#1007)
- Provide parsing profiles (RustCrypto#987)
- Support for `Time::INFINITY` (RustCrypto#1024)
- Conversion from `std::net::IpAddr` (RustCrypto#1035)
- `CertReq` builder (RustCrypto#1034)
- missing extension implementations (RustCrypto#1050)
- notes about `UTCTime` range being 1970-2049 (RustCrypto#1052)
- consume the `SignatureBitStringEncoding` trait (RustCrypto#1048)

Changed
- use `ErrorKind::Value` for overlength serial (RustCrypto#988)
- Bump `hex-literal` to v0.4.1 (RustCrypto#999)
- Builder updates (RustCrypto#1001)
- better debug info when `zlint` isn't installed (RustCrypto#1018)
- make SKI optional in leaf certificate (RustCrypto#1028)
- bump rsa from 0.9.0-pre.2 to 0.9.0 (RustCrypto#1033)
- bump rsa from 0.9.1 to 0.9.2 (RustCrypto#1056)

Fixed
- fix `KeyUsage` bit tests (RustCrypto#993)
- extraneous PhantomData in `TbsCertificate` (RustCrypto#1017)
- CI flakiness (RustCrypto#1042)
- usage of ecdsa signer (RustCrypto#1043)
baloo added a commit that referenced this pull request May 19, 2023
@baloo
x509-cert: v0.2.2 (#1040)
bbbc73d 
Added
- Certificate builder (#764)
- Support for `RandomizedSigner` in builder (#1007)
- Provide parsing profiles (#987)
- Support for `Time::INFINITY` (#1024)
- Conversion from `std::net::IpAddr` (#1035)
- `CertReq` builder (#1034)
- missing extension implementations (#1050)
- notes about `UTCTime` range being 1970-2049 (#1052)
- consume the `SignatureBitStringEncoding` trait (#1048)

Changed
- use `ErrorKind::Value` for overlength serial (#988)
- Bump `hex-literal` to v0.4.1 (#999)
- Builder updates (#1001)
- better debug info when `zlint` isn't installed (#1018)
- make SKI optional in leaf certificate (#1028)
- bump rsa from 0.9.0-pre.2 to 0.9.0 (#1033)
- bump rsa from 0.9.1 to 0.9.2 (#1056)

Fixed
- fix `KeyUsage` bit tests (#993)
- extraneous PhantomData in `TbsCertificate` (#1017)
- CI flakiness (#1042)
- usage of ecdsa signer (#1043)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@baloo baloo baloo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lumag @baloo @tarcieri