diff options
| author | Job Snijders <job@cvs.openbsd.org> | 2023-10-19 17:05:56 +0000 |
|---|---|---|
| committer | Job Snijders <job@cvs.openbsd.org> | 2023-10-19 17:05:56 +0000 |
| commit | 43395569ed4589d62eb0c7a1486ffcad6f49b5e8 (patch) | |
| tree | 8985d6ec9539e4380ab9a1815953407121eb3f96 /usr.sbin/rpki-client/validate.c | |
| parent | 7d51bc525b50035c8fbcc035f01d366214d95cdc (diff) | |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paving the way for signers in the
production environment in the future to take advantage of ECDSA.
OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/validate.c')
| -rw-r--r-- | usr.sbin/rpki-client/validate.c | 69 |
1 files changed, 55 insertions, 14 deletions
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c index 1638c2846fe..8e3a08793a0 100644 --- a/usr.sbin/rpki-client/validate.c +++ b/usr.sbin/rpki-client/validate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: validate.c,v 1.67 2023/09/25 08:48:14 job Exp $ */ +/* $OpenBSD: validate.c,v 1.68 2023/10/19 17:05:55 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -643,24 +643,13 @@ valid_uuid(const char *s) } } -int -valid_ca_pkey(const char *fn, EVP_PKEY *pkey) +static int +valid_ca_pkey_rsa(const char *fn, EVP_PKEY *pkey) { RSA *rsa; const BIGNUM *rsa_e; int key_bits; - if (pkey == NULL) { - warnx("%s: failure, pkey is NULL", fn); - return 0; - } - - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) { - warnx("%s: Expected EVP_PKEY_RSA, got %d", fn, - EVP_PKEY_base_id(pkey)); - return 0; - } - if ((key_bits = EVP_PKEY_bits(pkey)) != 2048) { warnx("%s: RFC 7935: expected 2048-bit modulus, got %d bits", fn, key_bits); @@ -684,3 +673,55 @@ valid_ca_pkey(const char *fn, EVP_PKEY *pkey) return 1; } + +static int +valid_ca_pkey_ec(const char *fn, EVP_PKEY *pkey) +{ + EC_KEY *ec; + const EC_GROUP *group; + int nid; + const char *cname; + + if ((ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) { + warnx("%s: failed to extract ECDSA public key", fn); + return 0; + } + + if ((group = EC_KEY_get0_group(ec)) == NULL) { + warnx("%s: EC_KEY_get0_group failed", fn); + return 0; + } + + nid = EC_GROUP_get_curve_name(group); + if (nid != NID_X9_62_prime256v1) { + if ((cname = EC_curve_nid2nist(nid)) == NULL) + cname = OBJ_nid2sn(nid); + warnx("%s: Expected P-256, got %s", fn, cname); + return 0; + } + + if (!EC_KEY_check_key(ec)) { + warnx("%s: EC_KEY_check_key failed", fn); + return 0; + } + + return 1; +} + +int +valid_ca_pkey(const char *fn, EVP_PKEY *pkey) +{ + if (pkey == NULL) { + warnx("%s: failure, pkey is NULL", fn); + return 0; + } + + if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) + return valid_ca_pkey_rsa(fn, pkey); + + if (EVP_PKEY_base_id(pkey) == EVP_PKEY_EC) + return valid_ca_pkey_ec(fn, pkey); + + warnx("%s: unsupported public key algorithm", fn); + return 0; +} |