From dbf18b8a7713d76c0be307af40e97cd7c564aa53 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Thu, 15 Nov 2012 10:38:05 +0100 Subject: public_key: Simplified PKCS-7 and PKCS-10 specs. Used defenitions from PKIX1Explicit88 to avoid most of the overcomplicated InformationalFrameWork (and friends) ASN-1 specs. We want to keep the public_key API as small and simple as possible. --- lib/public_key/asn1/Makefile | 11 +++------ lib/public_key/asn1/OTP-PUB-KEY.set.asn | 2 ++ lib/public_key/asn1/PKCS-10.asn1 | 33 +++++++++++++------------ lib/public_key/asn1/PKCS-7.asn1 | 42 ++++++++++++++++++++------------ lib/public_key/asn1/PKCS-FRAME.set.asn | 2 -- lib/public_key/asn1/PKIX1Explicit88.asn1 | 5 ++-- lib/public_key/src/pubkey_pem.erl | 4 ++- lib/public_key/src/public_key.erl | 4 +-- lib/public_key/test/public_key_SUITE.erl | 8 ++++-- 9 files changed, 63 insertions(+), 48 deletions(-) diff --git a/lib/public_key/asn1/Makefile b/lib/public_key/asn1/Makefile index c8426411d3..957c332cad 100644 --- a/lib/public_key/asn1/Makefile +++ b/lib/public_key/asn1/Makefile @@ -41,7 +41,7 @@ RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN) ASN_TOP = OTP-PUB-KEY PKCS-FRAME ASN_MODULES = PKIX1Explicit88 PKIX1Implicit88 PKIX1Algorithms88 \ PKIXAttributeCertificate PKCS-1 PKCS-3 PKCS-7 PKCS-8 PKCS-10 PKCS5v2-0 OTP-PKIX \ - AuthenticationFramework InformationFramework UsefulDefinitions SelectedAttributeTypes + InformationFramework ASN_ASNS = $(ASN_MODULES:%=%.asn1) ASN_ERLS = $(ASN_TOP:%=%.erl) ASN_HRLS = $(ASN_TOP:%=%.hrl) @@ -113,15 +113,12 @@ OTP-PUB-KEY.asn1db: PKIX1Algorithms88.asn1 \ PKIXAttributeCertificate.asn1 \ PKCS-1.asn1\ PKCS-3.asn1\ + PKCS-7.asn1\ + PKCS-10.asn1\ + InformationFramework.asn1\ OTP-PKIX.asn1 $(EBIN)/PKCS-FRAME.beam: PKCS-FRAME.erl PKCS-FRAME.hrl PKCS-FRAME.erl PKCS-FRAME.hrl: PKCS-FRAME.asn1db PKCS-FRAME.asn1db: PKCS5v2-0.asn1\ PKCS-8.asn1\ - PKCS-7.asn1\ - PKCS-10.asn1\ - AuthenticationFramework.asn1\ - InformationFramework.asn1\ - UsefulDefinitions.asn1\ - SelectedAttributeTypes.asn1 diff --git a/lib/public_key/asn1/OTP-PUB-KEY.set.asn b/lib/public_key/asn1/OTP-PUB-KEY.set.asn index 5c76d13115..f8fb318c93 100644 --- a/lib/public_key/asn1/OTP-PUB-KEY.set.asn +++ b/lib/public_key/asn1/OTP-PUB-KEY.set.asn @@ -6,3 +6,5 @@ PKIX1Algorithms88.asn1 PKCS-1.asn1 PKCS-3.asn1 DSS.asn1 +PKCS-7.asn1 +PKCS-10.asn1 diff --git a/lib/public_key/asn1/PKCS-10.asn1 b/lib/public_key/asn1/PKCS-10.asn1 index 09db4f9460..333104d230 100644 --- a/lib/public_key/asn1/PKCS-10.asn1 +++ b/lib/public_key/asn1/PKCS-10.asn1 @@ -13,50 +13,53 @@ BEGIN IMPORTS -informationFramework, authenticationFramework - FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1) - usefulDefinitions(0) 3} +--informationFramework, authenticationFramework +-- FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1) +-- usefulDefinitions(0) 3} -ATTRIBUTE, Name + ATTRIBUTE FROM InformationFramework informationFramework -ALGORITHM - FROM AuthenticationFramework authenticationFramework; + Name + FROM PKIX1Explicit88 --InformationFramework informationFramework + + ALGORITHM + FROM PKCS-7; --AuthenticationFramework authenticationFramework; -- Certificate requests CertificationRequestInfo ::= SEQUENCE { version INTEGER { v1(0) } (v1,...), subject Name, - subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, + subjectPKInfo SubjectPublicKeyInfo-PKCS-10{{ PKInfoAlgorithms }}, attributes [0] Attributes{{ CRIAttributes }} } -SubjectPublicKeyInfo {ALGORITHM: IOSet} ::= SEQUENCE { - algorithm AlgorithmIdentifier {{IOSet}}, +SubjectPublicKeyInfo-PKCS-10 {ALGORITHM: IOSet} ::= SEQUENCE { + algorithm AlgorithmIdentifierPKCS-10{{IOSet}}, subjectPublicKey BIT STRING } PKInfoAlgorithms ALGORITHM ::= { ... -- add any locally defined algorithms here -- } -Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} +Attributes { ATTRIBUTE:IOSet } ::= SET OF AttributePKCS-10{{ IOSet }} CRIAttributes ATTRIBUTE ::= { - ... -- add any locally defined attributes here -- } +... -- add any locally defined attributes here -- } -Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { +AttributePKCS-10 { ATTRIBUTE:IOSet } ::= SEQUENCE { type ATTRIBUTE.&id({IOSet}), values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } CertificationRequest ::= SEQUENCE { certificationRequestInfo CertificationRequestInfo, - signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }}, + signatureAlgorithm AlgorithmIdentifierPKCS-10{{ SignatureAlgorithms }}, signature BIT STRING } -AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE { +AlgorithmIdentifierPKCS-10 {ALGORITHM:IOSet } ::= SEQUENCE { algorithm ALGORITHM.&id({IOSet}), parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL } @@ -64,4 +67,4 @@ AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE { SignatureAlgorithms ALGORITHM ::= { ... -- add any locally defined algorithms here -- } -END \ No newline at end of file +END diff --git a/lib/public_key/asn1/PKCS-7.asn1 b/lib/public_key/asn1/PKCS-7.asn1 index f80954398e..a6dfd57d80 100644 --- a/lib/public_key/asn1/PKCS-7.asn1 +++ b/lib/public_key/asn1/PKCS-7.asn1 @@ -16,12 +16,12 @@ informationFramework, authenticationFramework FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 3} - Name, ATTRIBUTE + ATTRIBUTE FROM InformationFramework informationFramework - ALGORITHM, Certificate, CertificateSerialNumber, + Name, Certificate, CertificateSerialNumber, CertificateList, Time - FROM AuthenticationFramework authenticationFramework; + FROM PKIX1Explicit88; -- AuthenticationFramework authenticationFramework; -- contentType, messageDigest, signingTime -- , counterSignature @@ -30,8 +30,20 @@ informationFramework, authenticationFramework -- -- 6. Useful types -- + +-- inlined from AuthenticationFramework + +ALGORITHM ::= CLASS {&Type OPTIONAL, + &id OBJECT IDENTIFIER UNIQUE +}WITH SYNTAX {[&Type] + IDENTIFIED BY &id +} + +-- inlined from PKCS-9 + pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9} + contentType ATTRIBUTE ::= { WITH SYNTAX ContentType -- EQUALITY MATCHING RULE objectIdentifierMatch @@ -69,16 +81,16 @@ SigningTime ::= Time -- imported from ISO/IEC 9594-8 -- Also defined in X.509 -- Redeclared here as a parameterized type -AlgorithmIdentifier {ALGORITHM:IOSet} ::= SEQUENCE { +AlgorithmIdentifierPKSC-7 {ALGORITHM:IOSet} ::= SEQUENCE { algorithm ALGORITHM.&id({IOSet}), parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL } -- Also defined in X.501 -- Redeclared here as a parameterized type -Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { - type ATTRIBUTE.&id({IOSet}), - values SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) +AttributePKCS-7 { ATTRIBUTE:IOSet } ::= SEQUENCE { + type ATTRIBUTE.&id({IOSet}), + values SET SIZE (1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } CertificateRevocationLists ::= @@ -91,21 +103,21 @@ CRLSequence ::= SEQUENCE OF CertificateList ContentEncryptionAlgorithmIdentifier ::= - AlgorithmIdentifier {{ContentEncryptionAlgorithms}} + AlgorithmIdentifierPKSC-7 {{ContentEncryptionAlgorithms}} ContentEncryptionAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here } DigestAlgorithmIdentifier ::= - AlgorithmIdentifier {{DigestAlgorithms}} + AlgorithmIdentifierPKSC-7 {{DigestAlgorithms}} DigestAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here } DigestEncryptionAlgorithmIdentifier ::= - AlgorithmIdentifier {{DigestEncryptionAlgorithms}} + AlgorithmIdentifierPKSC-7 {{DigestEncryptionAlgorithms}} DigestEncryptionAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here @@ -127,7 +139,7 @@ IssuerAndSerialNumber ::= SEQUENCE { } KeyEncryptionAlgorithmIdentifier ::= - AlgorithmIdentifier {{KeyEncryptionAlgorithms}} + AlgorithmIdentifierPKSC-7 {{KeyEncryptionAlgorithms}} KeyEncryptionAlgorithms ALGORITHM ::= { ... -- add any application-specific algorithms here @@ -213,8 +225,8 @@ SignerInfo ::= SEQUENCE { IssuerAndSerialNumber, digestAlgorithm DigestAlgorithmIdentifier, authenticatedAttributes CHOICE { - aaSet [0] IMPLICIT SET OF Attribute {{Authenticated}}, - aaSequence [2] EXPLICIT SEQUENCE OF Attribute {{Authenticated}} + aaSet [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}}, + aaSequence [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}} -- Explicit because easier to compute digest on sequence of attributes and then reuse -- encoded sequence in aaSequence. } OPTIONAL, @@ -222,8 +234,8 @@ SignerInfo ::= SEQUENCE { DigestEncryptionAlgorithmIdentifier, encryptedDigest EncryptedDigest, unauthenticatedAttributes CHOICE { - uaSet [1] IMPLICIT SET OF Attribute {{Unauthenticated}}, - uaSequence [3] IMPLICIT SEQUENCE OF Attribute {{Unauthenticated}} + uaSet [1] IMPLICIT SET OF AttributePKCS-7 {{Unauthenticated}}, + uaSequence [3] IMPLICIT SEQUENCE OF AttributePKCS-7 {{Unauthenticated}} } OPTIONAL } (WITH COMPONENTS { ..., version (siVer1), authenticatedAttributes (WITH COMPONENTS { ..., aaSequence ABSENT }), diff --git a/lib/public_key/asn1/PKCS-FRAME.set.asn b/lib/public_key/asn1/PKCS-FRAME.set.asn index 64da71509d..69b6727bef 100644 --- a/lib/public_key/asn1/PKCS-FRAME.set.asn +++ b/lib/public_key/asn1/PKCS-FRAME.set.asn @@ -1,4 +1,2 @@ PKCS-8.asn1 -PKCS-7.asn1 PKCS5v2-0.asn1 -PKCS-10.asn1 diff --git a/lib/public_key/asn1/PKIX1Explicit88.asn1 b/lib/public_key/asn1/PKIX1Explicit88.asn1 index 03e9da3e05..91758d7269 100644 --- a/lib/public_key/asn1/PKIX1Explicit88.asn1 +++ b/lib/public_key/asn1/PKIX1Explicit88.asn1 @@ -206,13 +206,12 @@ DomainComponent ::= IA5String -- Legacy attributes -pkcs-9 OBJECT IDENTIFIER ::= - { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } - id-emailAddress AttributeType ::= { pkcs-9 1 } EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length)) +-- Legacy attributes + -- naming data types -- Name ::= CHOICE { -- only one possibility for now -- diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl index 15290387ff..4012825f20 100644 --- a/lib/public_key/src/pubkey_pem.erl +++ b/lib/public_key/src/pubkey_pem.erl @@ -219,7 +219,9 @@ pem_end(<<"-----BEGIN ENCRYPTED PRIVATE KEY-----">>) -> pem_end(<<"-----BEGIN CERTIFICATE REQUEST-----">>) -> <<"-----END CERTIFICATE REQUEST-----">>; pem_end(<<"-----BEGIN PKCS7-----">>) -> - <<"-----END PKCS7-----">>. + <<"-----END PKCS7-----">>; +pem_end(_) -> + undefined. asn1_type(<<"-----BEGIN CERTIFICATE-----">>) -> 'Certificate'; diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index f7252d18a6..d5df53e848 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -176,9 +176,7 @@ der_decode(Asn1Type, Der) when is_atom(Asn1Type), is_binary(Der) -> %% Description: Encodes a public key entity with asn1 DER encoding. %%-------------------------------------------------------------------- der_encode(Asn1Type, Entity) when (Asn1Type == 'PrivateKeyInfo') or - (Asn1Type == 'EncryptedPrivateKeyInfo') or - (Asn1Type == 'CertificationRequest') - -> + (Asn1Type == 'EncryptedPrivateKeyInfo') -> try {ok, Encoded} = 'PKCS-FRAME':encode(Asn1Type, Entity), iolist_to_binary(Encoded) diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index eeecdb7d8f..8dfd068d91 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -111,7 +111,7 @@ all() -> groups() -> [{pem_decode_encode, [], [dsa_pem, rsa_pem, encrypted_pem, - dh_pem, cert_pem]}, + dh_pem, cert_pem, pkcs10_pem]}, {ssh_public_key_decode_encode, [], [ssh_rsa_public_key, ssh_dsa_public_key, ssh_rfc4716_rsa_comment, ssh_rfc4716_dsa_comment, ssh_rfc4716_rsa_subject, ssh_known_hosts, @@ -263,7 +263,11 @@ pkcs10_pem(Config) when is_list(Config) -> erl_make_certs:der_to_pem(filename:join(Datadir, "new_req.pem"), [Entry]), - public_key:der_decode('CertificationRequest', DerPKCS10). + PKCS10 = public_key:der_decode('CertificationRequest', DerPKCS10), + PKCS10 = public_key:pem_entry_decode(Entry), + + Entry = public_key:pem_entry_encode('CertificationRequest', PKCS10). + %%-------------------------------------------------------------------- cert_pem(doc) -> -- cgit v1.2.3