foster/deno
0
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2025-03-03 09:31:22 -05:00
Code Issues Packages 1 Wiki Activity

fix(ext/crypto): validate maskGenAlgorithm asn1 in importKey (#13421)

Browse source
This commit is contained in:
Divy Srivastava 2022-01-19 20:12:43 +05:30 committed by GitHub
parent 2ab21dafa7
commit 4da41ca8fd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
ext/crypto/import_key.rs
View file

@ -5,6 +5,7 @@ use elliptic_curve::pkcs8::der::Decodable as Pkcs8Decodable;
use elliptic_curve::pkcs8::PrivateKeyInfo;
use ring::signature::EcdsaKeyPair;
use rsa::pkcs1::UIntBytes;
use rsa::pkcs8::AlgorithmIdentifier;
use serde::Deserialize;
use serde::Serialize;
use spki::der::Encodable;
@ -191,6 +192,28 @@ fn import_key_rsa_jwk(
}
}
fn validate_mask_gen(
mask_gen_algorithm: &AlgorithmIdentifier,
hash_algorithm: &AlgorithmIdentifier,
) -> Result<(), deno_core::anyhow::Error> {
if mask_gen_algorithm.oid != ID_MFG1 {
return Err(not_supported_error("unsupported mask gen algorithm"));
}
let parameters = mask_gen_algorithm
.parameters_any()
.map_err(|_| not_supported_error("unsupported parameters"))?;
let mgf1_hash_identifier = AlgorithmIdentifier::try_from(parameters)
.map_err(|_| not_supported_error("unsupported parameters"))?;
// The hash function on which MGF1 is based.
mgf1_hash_identifier
.assert_algorithm_oid(hash_algorithm.oid)
.map_err(|_| not_supported_error("unsupported parameters"))?;
Ok(())
}
fn import_key_rsassa(
key_data: KeyData,
hash: ShaHash,
@ -359,12 +382,7 @@ fn import_key_rsapss(
return Err(not_supported_error("unsupported hash algorithm"));
}
// TODO(lucacasonato):
// If the parameters field of the maskGenAlgorithm field of params
// is not an instance of the HashAlgorithm ASN.1 type that is
// identical in content to the hashAlgorithm field of params,
// throw a NotSupportedError.
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
_ => return Err(data_error("unsupported algorithm")),
@ -439,16 +457,7 @@ fn import_key_rsapss(
_ => return Err(data_error("unsupported hash algorithm")),
};
if params.mask_gen_algorithm.oid != ID_MFG1 {
return Err(not_supported_error("unsupported mask gen algorithm"));
}
// TODO(lucacasonato):
// If the parameters field of the maskGenAlgorithm field of params
// is not an instance of the HashAlgorithm ASN.1 type that is
// identical in content to the hashAlgorithm field of params,
// throw a NotSupportedError.
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
_ => return Err(data_error("unsupported algorithm")),
@ -534,16 +543,7 @@ fn import_key_rsaoaep(
_ => return Err(data_error("unsupported hash algorithm")),
};
if params.mask_gen_algorithm.oid != ID_MFG1 {
return Err(not_supported_error("unsupported hash algorithm"));
}
// TODO(lucacasonato):
// If the parameters field of the maskGenAlgorithm field of params
// is not an instance of the HashAlgorithm ASN.1 type that is
// identical in content to the hashAlgorithm field of params,
// throw a NotSupportedError.
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
_ => return Err(data_error("unsupported algorithm")),
@ -617,17 +617,7 @@ fn import_key_rsaoaep(
ID_SHA512_OID => Some(ShaHash::Sha512),
_ => return Err(data_error("unsupported hash algorithm")),
};
if params.mask_gen_algorithm.oid != ID_MFG1 {
return Err(not_supported_error("unsupported mask gen algorithm"));
}
// TODO(lucacasonato):
// If the parameters field of the maskGenAlgorithm field of params
// is not an instance of the HashAlgorithm ASN.1 type that is
// identical in content to the hashAlgorithm field of params,
// throw a NotSupportedError.
validate_mask_gen(&params.mask_gen_algorithm, &hash_alg)?;
hash
}
_ => return Err(data_error("unsupported algorithm")),