Add missing f_rng/p_rng arguments to x509write_crt
diff --git a/include/polarssl/x509write.h b/include/polarssl/x509write.h
index 3aa76c6..715a646 100644
--- a/include/polarssl/x509write.h
+++ b/include/polarssl/x509write.h
@@ -373,11 +373,20 @@
* \param crt certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
+ * \param f_rng RNG function (for signature, see note)
+ * \param p_rng RNG parameter
*
* \return length of data written if successful, or a specific
* error code
+ *
+ * \note f_rng may be NULL if RSA is used for signature and the
+ * signature is made offline (otherwise f_rng is desirable
+ * for countermeasures against timing attacks).
+ * ECDSA signatures always require a non-NULL f_rng.
*/
-int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size );
+int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief Write a public key to a DER structure
@@ -441,10 +450,19 @@
* \param crt certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
+ * \param f_rng RNG function (for signature, see note)
+ * \param p_rng RNG parameter
*
* \return 0 successful, or a specific error code
+ *
+ * \note f_rng may be NULL if RSA is used for signature and the
+ * signature is made offline (otherwise f_rng is desirable
+ * for countermeasures against timing attacks).
+ * ECDSA signatures always require a non-NULL f_rng.
*/
-int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size );
+int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief Write a public key to a PEM string
diff --git a/library/x509write.c b/library/x509write.c
index 2b1688b..dffdf74 100644
--- a/library/x509write.c
+++ b/library/x509write.c
@@ -905,7 +905,9 @@
return( len );
}
-int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size )
+int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
const char *sig_oid;
@@ -1007,7 +1009,7 @@
md( md_info_from_type( ctx->md_alg ), c, len, hash );
if( ( ret = pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
- NULL, NULL ) ) != 0 )
+ f_rng, p_rng ) ) != 0 )
{
return( ret );
}
@@ -1083,13 +1085,15 @@
return( 0 );
}
-int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size )
+int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
unsigned char output_buf[4096];
- if( ( ret = x509write_crt_der( crt, output_buf,
- sizeof(output_buf) ) ) < 0 )
+ if( ( ret = x509write_crt_der( crt, output_buf, sizeof(output_buf),
+ f_rng, p_rng ) ) < 0 )
{
return( ret );
}
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index b98f233..e65fb97 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -34,19 +34,21 @@
#include "polarssl/config.h"
#include "polarssl/x509write.h"
-#include "polarssl/error.h"
#include "polarssl/entropy.h"
#include "polarssl/ctr_drbg.h"
+#include "polarssl/error.h"
-#if !defined(POLARSSL_X509_PARSE_C) || !defined(POLARSSL_FS_IO) || \
- !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \
+#if !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_X509_PARSE_C) || \
+ !defined(POLARSSL_FS_IO) || \
+ !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \
!defined(POLARSSL_ERROR_C)
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
- printf( "POLARSSL_X509_PARSE_C and/or POLARSSL_FS_IO and/or "
+ printf( "POLARSSL_X509_WRITE_C and/or POLARSSL_X509_PARSE_C and/or "
+ "POLARSSL_FS_IO and/or "
"POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or "
"POLARSSL_ERROR_C not defined.\n");
return( 0 );
@@ -333,6 +335,6 @@
return( ret );
}
-#endif /* POLARSSL_X509_PARSE_C && POLARSSL_FS_IO &&
+#endif /* POLARSSL_X509_WRITE_C && POLARSSL_X509_PARSE_C && POLARSSL_FS_IO &&
POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C &&
POLARSSL_ERROR_C */
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 8943493..37cea58 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -33,24 +33,24 @@
#include "polarssl/config.h"
-#include "polarssl/error.h"
-#include "polarssl/rsa.h"
-#include "polarssl/x509.h"
-#include "polarssl/base64.h"
#include "polarssl/x509write.h"
-#include "polarssl/oid.h"
+#include "polarssl/entropy.h"
+#include "polarssl/ctr_drbg.h"
+#include "polarssl/error.h"
-#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \
- !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_FS_IO) || \
+#if !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_X509_PARSE_C) || \
+ !defined(POLARSSL_FS_IO) || \
+ !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \
!defined(POLARSSL_ERROR_C)
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
- printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
- "POLARSSL_X509_WRITE_C and/or POLARSSL_FS_IO and/or "
- "POLARSSL_ERROR_C not defined.\n");
+ printf( "POLARSSL_X509_WRITE_C and/or POLARSSL_X509_PARSE_C and/or "
+ "POLARSSL_FS_IO and/or "
+ "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or "
+ "POLARSSL_ERROR_C not defined.\n");
return( 0 );
}
#else
@@ -97,7 +97,9 @@
unsigned char ns_cert_type; /* NS cert type */
} opt;
-int write_certificate( x509write_cert *crt, char *output_file )
+int write_certificate( x509write_cert *crt, char *output_file,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret;
FILE *f;
@@ -105,7 +107,7 @@
size_t len = 0;
memset( output_buf, 0, 4096 );
- if( ( ret = x509write_crt_pem( crt, output_buf, 4096 ) ) < 0 )
+ if( ( ret = x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 )
return( ret );
len = strlen( (char *) output_buf );
@@ -183,6 +185,9 @@
x509_csr csr;
x509write_cert crt;
mpi serial;
+ entropy_context entropy;
+ ctr_drbg_context ctr_drbg;
+ const char *pers = "crt example app";
/*
* Set to sane values
@@ -350,8 +355,29 @@
printf("\n");
+ /*
+ * 0. Seed the PRNG
+ */
+ printf( " . Seeding the random number generator..." );
+ fflush( stdout );
+
+ entropy_init( &entropy );
+ if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
+ (const unsigned char *) pers,
+ strlen( pers ) ) ) != 0 )
+ {
+ error_strerror( ret, buf, 1024 );
+ printf( " failed\n ! ctr_drbg_init returned %d - %s\n", ret, buf );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
// Parse serial to MPI
//
+ printf( " . Reading serial number..." );
+ fflush( stdout );
+
if( ( ret = mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
{
error_strerror( ret, buf, 1024 );
@@ -359,6 +385,8 @@
goto exit;
}
+ printf( " ok\n" );
+
// Parse issuer certificate if present
//
if( !opt.selfsign && strlen( opt.issuer_crt ) )
@@ -597,7 +625,8 @@
printf( " . Writing the certificate..." );
fflush( stdout );
- if( ( ret = write_certificate( &crt, opt.output_file ) ) != 0 )
+ if( ( ret = write_certificate( &crt, opt.output_file,
+ ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
error_strerror( ret, buf, 1024 );
printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf );
@@ -619,5 +648,6 @@
return( ret );
}
-#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C &&
- POLARSSet_serial_X509_WRITE_C && POLARSSL_FS_IO */
+#endif /* POLARSSL_X509_WRITE_C && POLARSSL_X509_PARSE_C && POLARSSL_FS_IO &&
+ POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C &&
+ POLARSSL_ERROR_C */
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index f916b1c..9352c9e 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -76,7 +76,9 @@
int ret;
size_t olen = sizeof( check_buf );
FILE *f;
+ rnd_pseudo_info rnd_info;
+ memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
mpi_init( &serial );
pk_init( &subject_key );
pk_init( &issuer_key );
@@ -101,7 +103,8 @@
TEST_ASSERT( x509write_crt_set_subject_key_identifier( &crt ) == 0 );
TEST_ASSERT( x509write_crt_set_authority_key_identifier( &crt ) == 0 );
- ret = x509write_crt_der( &crt, buf, sizeof(buf) );
+ ret = x509write_crt_der( &crt, buf, sizeof(buf),
+ rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( ret >= 0 );
c = buf + sizeof( buf ) - ret;