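--- a/pkcs5/src/pbes2/kdf.rs
+++ b/pkcs5/src/pbes2/kdf.rs
@@ -336,9 +336,6 @@ impl TryFrom<AlgorithmIdentifierRef<'_>> for Pbkdf2Prf {
 if !params.is_null() {
 return Err(params.tag().value_error());
 }
-} else {
-// TODO(tarcieri): support OPTIONAL parameters?
-return Err(Tag::Null.value_error());
 }
 
 match alg.oid {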
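Review bot: With the `else` branch gone, the check that now ends at the bare `}` accepts a PRF `AlgorithmIdentifier` whose parameters are absent as well as one carrying NULL, and nothing in the code records that this leniency is deliberate. A short comment above the remaining check would do it, for example `// Parameters may be absent or NULL (some encoders omit the NULL); any other value is rejected.` If the encoder for `Pbkdf2Prf` always writes NULL (not visible here), decoding and re-encoding no longer reproduces the input bytes, which matters to any caller that hashes or compares the encoded form, so the type's documentation should say so. The enclosing conditional and the `try_from` body start outside this hunk.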
Binary file not shown.
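--- a/pkcs5/tests/pbes2.rs
+++ b/pkcs5/tests/pbes2.rs
@@ -24,6 +24,16 @@ const PBES2_PBKDF2_SHA256_AES256CBC_ALG_ID: &[u8] = &hex!(
 4801650304012a0410b2d02d78b2efd9dff694cf8e0af40925"
 );
 
+/// PBES2 + PBKDF2-SHA256 + AES-256-CBC `AlgorithmIdentifier` example without PRF NULL parameter.
+///
+/// Generated by Smallstep CLI: `step certificate p12 out.p12 in.crt in.key`, extracted from PKCS#12.
+/// `tests/examples/pbes2_aes-256-cbc_hmacWithSHA256_algid-no-param.der` test vector.
+const PBES2_PBKDF2_SHA256_AES256CBC_ALG_ID_NO_NULL_PARAM: &[u8] = &hex!(
+"305d06092a864886f70d01050d3050302f06092a864886f70d01050c30220410
+0c12aa39d743d1633ddbb615a5ec1b6a02020800300a06082a864886f70d0209
+301d060960864801650304012a0410baba52272b5a30263d62f81ae27ad768"
+);
+
 /// PBES2 + scrypt + AES-256-CBC `AlgorithmIdentifier` example.
 ///
 /// Generated by OpenSSL and extracted from the `pkcs8` crate's
@@ -96,6 +106,31 @@ fn decode_pbes2_pbkdf2_sha256_aes256cbc() {
 }
 }
 
+/// Decoding test for PBES2 + PBKDF2-SHA256 + AES-256-CBC `AlgorithmIdentifier` without NULL prf parameter
+#[test]
+fn decode_pbes2_pbkdf2_sha256_aes256cbc_without_null_parameter() {
+let scheme =
+pkcs5::EncryptionScheme::try_from(PBES2_PBKDF2_SHA256_AES256CBC_ALG_ID_NO_NULL_PARAM)
+.unwrap();
+let params = scheme.pbes2().unwrap();
+
+let pbkdf2_params = params.kdf.pbkdf2().unwrap();
+assert_eq!(
+pbkdf2_params.salt.as_bytes(),
+&hex!("0C12AA39D743D1633DDBB615A5EC1B6A")
+);
+assert_eq!(pbkdf2_params.iteration_count, 2048);
+assert_eq!(pbkdf2_params.key_length, None);
+assert_eq!(pbkdf2_params.prf, pbes2::Pbkdf2Prf::HmacWithSha256);
+
+match params.encryption {
+pbes2::EncryptionScheme::Aes256Cbc { iv } => {
+assert_eq!(iv, hex!("BABA52272B5A30263D62F81AE27AD768"));
+}
+other => panic!("unexpected encryption scheme: {:?}", other),
+}
+}
+
 /// Decoding test for PBES2 + scrypt + AES-256-CBC `AlgorithmIdentifier`
 #[test]
 fn decode_pbes2_scrypt_aes256cbc() {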
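Review bot: The new test `decode_pbes2_pbkdf2_sha256_aes256cbc_without_null_parameter` covers only the newly accepted input, so nothing pins what the relaxed PRF parser must still refuse. A companion test that decodes an otherwise identical vector whose PRF parameters are present but not NULL, and asserts that `pkcs5::EncryptionScheme::try_from(...)` returns an error, would keep a later change from widening the check further. The doc comment on `PBES2_PBKDF2_SHA256_AES256CBC_ALG_ID_NO_NULL_PARAM` also names a `.der` file while the constant carries its own hex copy; a line saying which of the two the test reads would help whoever updates the vector.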