From c4143f7dbb77d1ccf37047f1b4b44a33c2f24f93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Tue, 7 May 2024 12:24:38 +0100 Subject: [PATCH] Cargo.toml: Temporary patch rcgen crate for RSA-PSS CSR support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RSA-PSS CSR creation functionality has been recently added. For creating the CSRs, we are currently using rcgen. For RSA-PSS, rcgen defined the PKCS_RSA_PSS_SHA256 type, which should be used instead of the currently used one (PKCS_RSA_SHA256). Unfortunately, rcgen does not expose this type as there have been some issues validating the CSR creation of this type. This has been tested using real RSA PSS keys and the functionality works as expected. * Patch rcgen to expose the PKCS_RSA_PSS_SHA256 type. The patch applies until these changes get fixed/merged upstream in rcgen. * Use this type in parsec-tool CSR creation for RSA-PSS. Signed-off-by: Tomás González --- .gitignore | 1 - Cargo.lock | 2 -- Cargo.toml | 6 ++++ patches/rcgen+0.9.3.patch | 58 +++++++++++++++++++++++++++++++++++ src/subcommands/create_csr.rs | 11 +++---- tests/ci.sh | 8 +++++ 6 files changed, 77 insertions(+), 9 deletions(-) create mode 100644 patches/rcgen+0.9.3.patch diff --git a/.gitignore b/.gitignore index 5330c45..d77fd80 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ /target -*patch .devcontainer diff --git a/Cargo.lock b/Cargo.lock index a7e48a8..1e3a7d3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1076,8 +1076,6 @@ dependencies = [ [[package]] name = "rcgen" version = "0.9.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6413f3de1edee53342e6138e75b56d32e7bc6e332b3bd62d497b1929d4cfbcdd" dependencies = [ "pem", "ring", diff --git a/Cargo.toml b/Cargo.toml index a7816c7..94c94a4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,6 +29,12 @@ sha2 = "0.9.9" log = "0.4.14" rcgen = { version = "0.9.2", features = ["pem"] } +[package.metadata.patch] +crates=["rcgen"] + +[patch.crates-io] +rcgen = { path = './target/patch/rcgen-0.9.3' } + [lib] name = "parsec_tool" path = "src/lib.rs" diff --git a/patches/rcgen+0.9.3.patch b/patches/rcgen+0.9.3.patch new file mode 100644 index 0000000..f42eebb --- /dev/null +++ b/patches/rcgen+0.9.3.patch @@ -0,0 +1,58 @@ +diff --git a/src/lib.rs b/src/lib.rs +index 565b3d6..23998c3 100644 +--- a/src/lib.rs ++++ b/src/lib.rs +@@ -1500,6 +1500,9 @@ impl KeyPair { + } else if alg == &PKCS_RSA_PSS_SHA256 { + let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; + KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256) ++ } else if alg == &PKCS_RSA_PSS_SHA384 { ++ let rsakp = RsaKeyPair::from_pkcs8(pkcs8)?; ++ KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA384) + } else { + panic!("Unknown SignatureAlgorithm specified!"); + }; +@@ -1886,6 +1889,7 @@ impl SignatureAlgorithm { + &PKCS_RSA_SHA384, + &PKCS_RSA_SHA512, + //&PKCS_RSA_PSS_SHA256, ++ //&PKCS_RSA_PSS_SHA384, + &PKCS_ECDSA_P256_SHA256, + &PKCS_ECDSA_P384_SHA384, + &PKCS_ED25519 +@@ -1938,17 +1942,32 @@ pub static PKCS_RSA_SHA512 :SignatureAlgorithm = SignatureAlgorithm { + // support those: https://github.com/briansmith/ring/issues/1353 + // + /// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-256 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) +-static PKCS_RSA_PSS_SHA256 :SignatureAlgorithm = SignatureAlgorithm { ++pub static PKCS_RSA_PSS_SHA256 :SignatureAlgorithm = SignatureAlgorithm { + // We could also use OID_RSA_ENCRYPTION here, but it's recommended + // to use ID-RSASSA-PSS if possible. + oids_sign_alg :&[&OID_RSASSA_PSS], + sign_alg :SignAlgo::Rsa(), +- oid_components : &OID_RSASSA_PSS,//&[1, 2, 840, 113549, 1, 1, 13], ++ oid_components : &OID_RSASSA_PSS,//&[1, 2, 840, 113549, 1, 1, 11], + // rSASSA-PSS-SHA256-Params in RFC 4055 + params : SignatureAlgorithmParams::RsaPss { + // id-sha256 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1 + hash_algorithm : &[2, 16, 840, 1, 101, 3, 4, 2, 1], +- salt_length : 20, ++ salt_length : 32, ++ }, ++}; ++ ++/// RSA signing with PKCS#1 2.1 RSASSA-PSS padding and SHA-384 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) ++pub static PKCS_RSA_PSS_SHA384 :SignatureAlgorithm = SignatureAlgorithm { ++ // We could also use OID_RSA_ENCRYPTION here, but it's recommended ++ // to use ID-RSASSA-PSS if possible. ++ oids_sign_alg :&[&OID_RSASSA_PSS], ++ sign_alg :SignAlgo::Rsa(), ++ oid_components : &OID_RSASSA_PSS,//&[1, 2, 840, 113549, 1, 1, 12], ++ // rSASSA-PSS-SHA384-Params in RFC 4055 ++ params : SignatureAlgorithmParams::RsaPss { ++ // id-sha384 in https://datatracker.ietf.org/doc/html/rfc4055#section-2.1 ++ hash_algorithm : &[2, 16, 840, 1, 101, 3, 4, 2, 2], ++ salt_length : 32, + }, + }; + diff --git a/src/subcommands/create_csr.rs b/src/subcommands/create_csr.rs index 6af10a2..a25cac6 100644 --- a/src/subcommands/create_csr.rs +++ b/src/subcommands/create_csr.rs @@ -14,8 +14,8 @@ use parsec_client::core::interface::operations::psa_key_attributes::{EccFamily, use parsec_client::BasicClient; use rcgen::{ Certificate, CertificateParams, DistinguishedName, DnType, KeyPair, RcgenError, RemoteKeyPair, - SignatureAlgorithm, PKCS_ECDSA_P256_SHA256, PKCS_ECDSA_P384_SHA384, PKCS_RSA_SHA256, - PKCS_RSA_SHA384, PKCS_RSA_SHA512, + SignatureAlgorithm, PKCS_ECDSA_P256_SHA256, PKCS_ECDSA_P384_SHA384, PKCS_RSA_PSS_SHA256, + PKCS_RSA_PSS_SHA384, PKCS_RSA_SHA256, PKCS_RSA_SHA384, PKCS_RSA_SHA512, }; /// Creates an X509 Certificate Signing Request (CSR) from a keypair, using the signing algorithm @@ -183,10 +183,9 @@ impl CreateCsr { Err(ToolErrorKind::NotSupported.into()) } AsymmetricSignature::RsaPss { hash_alg } => match hash_alg { - SignHash::Specific(Hash::Sha256) => Ok(&PKCS_RSA_SHA256), - SignHash::Specific(Hash::Sha384) => Ok(&PKCS_RSA_SHA384), - SignHash::Specific(Hash::Sha512) => Ok(&PKCS_RSA_SHA512), - SignHash::Any => Ok(&PKCS_RSA_SHA256), // Default hash algorithm for the tool. + SignHash::Specific(Hash::Sha256) => Ok(&PKCS_RSA_PSS_SHA256), + SignHash::Specific(Hash::Sha384) => Ok(&PKCS_RSA_PSS_SHA384), + SignHash::Any => Ok(&PKCS_RSA_PSS_SHA256), // Default hash algorithm for the tool. _ => { // The algorithm is specific, but not one that RCGEN can use, so fail the operation. error!("Signing key requires use of hashing algorithm ({:?}), which is not supported for certificate requests.", alg); diff --git a/tests/ci.sh b/tests/ci.sh index e4ed22a..56cfab3 100755 --- a/tests/ci.sh +++ b/tests/ci.sh @@ -56,6 +56,14 @@ fi ######### # Build # ######### + +#TODO: This applies the rcgen patch that exposes the PKCS_RSA_PSS_SHA256 and PKCS_RSA_PSS_SHA384 types. Remove this +# when the corresponding patch gets merged. Also remove rcgen+0.9.3.patch. +rustup install 1.77.1 # We know that this version works for patch-crate +cargo install +1.77.1 patch-crate --version 0.1.9 +cargo patch-crate + +rustup version RUST_BACKTRACE=1 cargo build RUST_BACKTRACE=1 cargo build --features spiffe-auth