diff options
| author | Divy Srivastava <dj.srivastava23@gmail.com> | 2022-01-19 20:12:43 +0530 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-19 20:12:43 +0530 |
| commit | 4da41ca8fdc503d9ed050dca1b956345ef152185 (patch) | |
| tree | 8a9da4c8f6d6553ed904d52af1ba72efaadb228f | |
| parent | 2ab21dafa768b3bb89f9a7f6550648263bc065d1 (diff) | |
fix(ext/crypto): validate maskGenAlgorithm asn1 in importKey (#13421)
| -rw-r--r-- | ext/crypto/import_key.rs | 64 |
1 files changed, 27 insertions, 37 deletions
diff --git a/ext/crypto/import_key.rs b/ext/crypto/import_key.rs index 6d6b11c52..b929f38bb 100644 --- a/ext/crypto/import_key.rs +++ b/ext/crypto/import_key.rs @@ -5,6 +5,7 @@ use elliptic_curve::pkcs8::der::Decodable as Pkcs8Decodable; use elliptic_curve::pkcs8::PrivateKeyInfo; use ring::signature::EcdsaKeyPair; use rsa::pkcs1::UIntBytes; +use rsa::pkcs8::AlgorithmIdentifier; use serde::Deserialize; use serde::Serialize; use spki::der::Encodable; @@ -191,6 +192,28 @@ fn import_key_rsa_jwk( } } +fn validate_mask_gen( + mask_gen_algorithm: &AlgorithmIdentifier, + hash_algorithm: &AlgorithmIdentifier, +) -> Result<(), deno_core::anyhow::Error> { + if mask_gen_algorithm.oid != ID_MFG1 { + return Err(not_supported_error("unsupported mask gen algorithm")); + } + + let parameters = mask_gen_algorithm + .parameters_any() + .map_err(|_| not_supported_error("unsupported parameters"))?; + let mgf1_hash_identifier = AlgorithmIdentifier::try_from(parameters) + .map_err(|_| not_supported_error("unsupported parameters"))?; + + // The hash function on which MGF1 is based. + mgf1_hash_identifier + .assert_algorithm_oid(hash_algorithm.oid) + .map_err(|_| not_supported_error("unsupported parameters"))?; + + Ok(()) +} + fn import_key_rsassa( key_data: KeyData, hash: ShaHash, @@ -359,12 +382,7 @@ fn import_key_rsapss( return Err(not_supported_error("unsupported hash algorithm")); } - // TODO(lucacasonato): - // If the parameters field of the maskGenAlgorithm field of params - // is not an instance of the HashAlgorithm ASN.1 type that is - // identical in content to the hashAlgorithm field of params, - // throw a NotSupportedError. - + validate_mask_gen(¶ms.mask_gen_algorithm, &hash_alg)?; hash } _ => return Err(data_error("unsupported algorithm")), @@ -439,16 +457,7 @@ fn import_key_rsapss( _ => return Err(data_error("unsupported hash algorithm")), }; - if params.mask_gen_algorithm.oid != ID_MFG1 { - return Err(not_supported_error("unsupported mask gen algorithm")); - } - - // TODO(lucacasonato): - // If the parameters field of the maskGenAlgorithm field of params - // is not an instance of the HashAlgorithm ASN.1 type that is - // identical in content to the hashAlgorithm field of params, - // throw a NotSupportedError. - + validate_mask_gen(¶ms.mask_gen_algorithm, &hash_alg)?; hash } _ => return Err(data_error("unsupported algorithm")), @@ -534,16 +543,7 @@ fn import_key_rsaoaep( _ => return Err(data_error("unsupported hash algorithm")), }; - if params.mask_gen_algorithm.oid != ID_MFG1 { - return Err(not_supported_error("unsupported hash algorithm")); - } - - // TODO(lucacasonato): - // If the parameters field of the maskGenAlgorithm field of params - // is not an instance of the HashAlgorithm ASN.1 type that is - // identical in content to the hashAlgorithm field of params, - // throw a NotSupportedError. - + validate_mask_gen(¶ms.mask_gen_algorithm, &hash_alg)?; hash } _ => return Err(data_error("unsupported algorithm")), @@ -617,17 +617,7 @@ fn import_key_rsaoaep( ID_SHA512_OID => Some(ShaHash::Sha512), _ => return Err(data_error("unsupported hash algorithm")), }; - - if params.mask_gen_algorithm.oid != ID_MFG1 { - return Err(not_supported_error("unsupported mask gen algorithm")); - } - - // TODO(lucacasonato): - // If the parameters field of the maskGenAlgorithm field of params - // is not an instance of the HashAlgorithm ASN.1 type that is - // identical in content to the hashAlgorithm field of params, - // throw a NotSupportedError. - + validate_mask_gen(¶ms.mask_gen_algorithm, &hash_alg)?; hash } _ => return Err(data_error("unsupported algorithm")), |