public_key: Handle key params only present in SignatureAlgorithm of a cert #10023
Conversation
CT Test Results 2 files 17 suites 4m 38s ⏱️ Results for commit 3c1957e. ♻️ This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally. Artifacts// Erlang/OTP Github Action Bot |
IngelaAndin
force-pushed
the
ingela/public_key/pss-params-sig-alg/OTP-19699
branch
2 times, most recently
from
4534fd1 to
23493b2
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
IngelaAndin
force-pushed
the
ingela/public_key/pss-params-sig-alg/OTP-19699
branch
from
23493b2 to
3cea4cd
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds handling for RSA-PSS key parameters when they are only present in the certificate’s signature algorithm (not in the SubjectPublicKeyInfo), and adds corresponding tests.
- Introduces a new
key_params/2helper to extract PSS parameters from the signature algorithm if missing from the key info. - Updates
validate_signature/6to usekey_params/2before verifying. - Adds
pkix_pss_params_in_signalgtests inpublic_key_SUITE.erland cleans up an EDDSA test case.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/public_key/src/pubkey_cert.erl | Added key_params/2, updated validate_signature/6 callsite. |
| lib/public_key/test/public_key_SUITE.erl | Added PSS‐params tests and minor EDDSA test cleanup. |
Comments suppressed due to low confidence (3)
lib/public_key/src/pubkey_cert.erl:2200
- [nitpick] Consider adding a docstring above
key_params/2to explain when and why it extracts parameters from the certificate's signature algorithm, improving maintainability and clarity.
key_params(#'OTPCertificate'{tbsCertificate = TBSCert}, Params) when Params == asn1_NOVALUE;
lib/public_key/test/public_key_SUITE.erl:1466
- Add a test case covering the scenario where key parameters are explicitly
'NULL'in theSubjectPublicKeyInfoto ensurekey_params/2correctly handles bothasn1_NOVALUEand'NULL'inputs.
pkix_pss_params_in_signalg() ->
lib/public_key/src/pubkey_cert.erl:261
- [nitpick] The parameter name
KeyParams0is not descriptive; consider renaming it to something likeRawKeyParamsorInitialParamsto clarify its purpose before transformation.
validate_signature(Cert, DerCert, Key, KeyParams0,
3cea4cd to
3071429
Compare
IngelaAndin
force-pushed
the
ingela/public_key/pss-params-sig-alg/OTP-19699
branch
from
3ff492d to
c894e8e
Compare
IngelaAndin
added
the
testing
lib/public_key/src/pubkey_cert.erl
Outdated
| } = TBSCert, | ||
| %% Sometimes parameters may be missing in issuer's "SubjectPublicKeyInfo" but included in | ||
| %% the certs "SignatureAlgorithm" for RSA PSS signatures. | ||
| case Algo of |
There was a problem hiding this comment.
maybe this case is not needed?
- if you match on
?'id-RSASSA-PSS'in function head - 2nd case clause would be handled by existing 2nd function clause
There was a problem hiding this comment.
I did not due avoiding long lines, but I split it differently so as to be able to match in function head which I normally prefer.
IngelaAndin
force-pushed
the
ingela/public_key/pss-params-sig-alg/OTP-19699
branch
from
c894e8e to
986d49e
Compare
Not explicitly. I think the ASN.1 specs makes it quite possible and it makes sense for RSA keys as you can then upgrade an existing intermediat RSA cert to an RSA-PSS-PSS cert without changing the intermediate cert. And OpenSSL will verify this chain. |
IngelaAndin
added
full-build-and-check
IngelaAndin
force-pushed
the
ingela/public_key/pss-params-sig-alg/OTP-19699
branch
from
986d49e to
972991c
Compare
… certificate closes erlang#9632
IngelaAndin
force-pushed
the
ingela/public_key/pss-params-sig-alg/OTP-19699
branch
from
972991c to
3c1957e
Compare
closes #9632