rustls · ctz · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,7 +21,7 @@ license = "ISC"
 name = "rustls-webpki"
 readme = "README.md"
 repository = "https://github.com/rustls/webpki"
-version = "0.102.7"
+version = "0.102.8"
 
 include = [
     "Cargo.toml",
@@ -80,7 +80,7 @@ ring = ["dep:ring"]
 std = ["alloc", "pki-types/std"]
 
 [dependencies]
-aws-lc-rs = { version = "1.8.1", optional = true, default-features = false, features = ["aws-lc-sys"] }
+aws-lc-rs = { version = "1.9", optional = true, default-features = false, features = ["aws-lc-sys"] }
 pki-types = { package = "rustls-pki-types", version = "1.7", default-features = false }
 ring = { version = "0.17", default-features = false, optional = true }
 untrusted = "0.9"

diff --git a/src/alg_tests.rs b/src/alg_tests.rs
@@ -23,8 +23,9 @@ use crate::verify_cert::Budget;
 use crate::{der, signed_data};
 
 use super::{
-    INVALID_SIGNATURE_FOR_RSA_KEY, OK_IF_RSA_AVAILABLE, SUPPORTED_ALGORITHMS_IN_TESTS,
-    UNSUPPORTED_ECDSA_SHA512_SIGNATURE, UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY,
+    INVALID_SIGNATURE_FOR_RSA_KEY, OK_IF_POINT_COMPRESSION_SUPPORTED, OK_IF_RSA_AVAILABLE,
+    SUPPORTED_ALGORITHMS_IN_TESTS, UNSUPPORTED_ECDSA_SHA512_SIGNATURE,
+    UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY,
 };
 
 macro_rules! test_file_bytes {
@@ -346,6 +347,22 @@ test_verify_signed_data!(
     OK_IF_RSA_AVAILABLE
 );
 
+test_verify_signed_data!(
+    test_ecdsa_prime256v1_sha256,
+    "ours/ecdsa-prime256v1-sha256.pem",
+    Ok(())
+);
+test_verify_signed_data!(
+    test_ecdsa_prime256v1_sha256_compressed,
+    "ours/ecdsa-prime256v1-sha256-compressed.pem",
+    OK_IF_POINT_COMPRESSION_SUPPORTED
+);
+test_verify_signed_data!(
+    test_ecdsa_prime256v1_sha256_spki_inside_spki,
+    "ours/ecdsa-prime256v1-sha256-spki-inside-spki.pem",
+    Err(Error::InvalidSignatureForPublicKey)
+);
+
 struct TestSignedData {
     spki: Vec<u8>,
     data: Vec<u8>,

diff --git a/src/aws_lc_rs_algs.rs b/src/aws_lc_rs_algs.rs
@@ -29,6 +29,23 @@ impl SignatureVerificationAlgorithm for AwsLcRsAlgorithm {
         message: &[u8],
         signature: &[u8],
     ) -> Result<(), InvalidSignature> {
+        if matches!(
+            self.public_key_alg_id,
+            alg_id::ECDSA_P256 | alg_id::ECDSA_P384 | alg_id::ECDSA_P521
+        ) {
+            // Restrict the allowed encodings of EC public keys.
+            //
+            // "The first octet of the OCTET STRING indicates whether the key is
+            //  compressed or uncompressed.  The uncompressed form is indicated
+            //  by 0x04 and the compressed form is indicated by either 0x02 or
+            //  0x03 (see 2.3.3 in [SEC1]).  The public key MUST be rejected if
+            //  any other value is included in the first octet."
+            // -- <https://datatracker.ietf.org/doc/html/rfc5480#section-2.2>
+            match public_key.first() {
+                Some(0x04) | Some(0x02) | Some(0x03) => {}
+                _ => return Err(InvalidSignature),
+            };
+        }
         signature::UnparsedPublicKey::new(self.verification_alg, public_key)
             .verify(message, signature)
             .map_err(|_| InvalidSignature)
@@ -190,6 +207,7 @@ mod tests {
     const INVALID_SIGNATURE_FOR_RSA_KEY: Error = Error::InvalidSignatureForPublicKey;
 
     const OK_IF_RSA_AVAILABLE: Result<(), Error> = Ok(());
+    const OK_IF_POINT_COMPRESSION_SUPPORTED: Result<(), Error> = Ok(());
 
     #[path = "alg_tests.rs"]
     mod alg_tests;

diff --git a/src/ring_algs.rs b/src/ring_algs.rs
@@ -198,6 +198,9 @@ mod tests {
         Err(Error::UnsupportedSignatureAlgorithm)
     };
 
+    const OK_IF_POINT_COMPRESSION_SUPPORTED: Result<(), Error> =
+        Err(Error::InvalidSignatureForPublicKey);
+
     #[path = "alg_tests.rs"]
     mod alg_tests;
 }
diff --git a/third-party/chromium/data/verify_signed_data/ours/ecdsa-prime256v1-sha256-compressed.pem b/third-party/chromium/data/verify_signed_data/ours/ecdsa-prime256v1-sha256-compressed.pem
@@ -0,0 +1,37 @@
+Copy of the uncompressed version, but with the public key compressed manually
+using `openssl ec`.
+
+
+$ openssl asn1parse -i < [PUBLIC KEY]
+    0:d=0  hl=2 l=  57 cons: SEQUENCE          
+    2:d=1  hl=2 l=  19 cons:  SEQUENCE          
+    4:d=2  hl=2 l=   7 prim:   OBJECT            :id-ecPublicKey
+   13:d=2  hl=2 l=   8 prim:   OBJECT            :prime256v1
+   23:d=1  hl=2 l=  34 prim:  BIT STRING        
+
+-----BEGIN PUBLIC KEY-----
+MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADBKrsc2NXJvIT+4qeZNo7hjLkFJWpRNAEW1IuunJ
+A+tU=
+-----END PUBLIC KEY-----
+
+
+$ openssl asn1parse -i < [ALGORITHM]
+    0:d=0  hl=2 l=  10 cons: SEQUENCE          
+    2:d=1  hl=2 l=   8 prim:  OBJECT            :ecdsa-with-SHA256
+
+-----BEGIN ALGORITHM-----
+MAoGCCqGSM49BAMC
+-----END ALGORITHM-----
+
+-----BEGIN DATA-----
+MTIzNDAw
+-----END DATA-----
+
+
+$ openssl asn1parse -i < [SIGNATURE]
+    0:d=0  hl=2 l=  73 prim: BIT STRING        
+
+-----BEGIN SIGNATURE-----
+A0kAMEYCIQCo6hUMuAEl1zgcTB8dqOneJxH5kXBgQGpz15BFGeUTiAIhAPOrn6aL1HlzpzstQEg
+MK6UMIsnXbsIXJXKIKTKFRJuG
+-----END SIGNATURE-----
diff --git a/...-party/chromium/data/verify_signed_data/ours/ecdsa-prime256v1-sha256-spki-inside-spki.pem b/...-party/chromium/data/verify_signed_data/ours/ecdsa-prime256v1-sha256-spki-inside-spki.pem
@@ -0,0 +1,36 @@
+This is a copy of ecdsa-prime256v1-sha256.pem, but
+with the SPKI BIT STRING being the SPKI again.
+
+
+$ openssl asn1parse -i < [PUBLIC KEY]
+    0:d=0  hl=2 l= 115 cons: SEQUENCE          
+    2:d=1  hl=2 l=  19 cons:  SEQUENCE          
+    4:d=2  hl=2 l=   7 prim:   OBJECT            :id-ecPublicKey
+   13:d=2  hl=2 l=   8 prim:   OBJECT            :prime256v1
+   23:d=1  hl=2 l=  92 prim:  BIT STRING        
+
+-----BEGIN PUBLIC KEY-----
+MHMwEwYHKoZIzj0CAQYIKoZIzj0DAQcDXAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEqux
+zY1cm8hP7ip5k2juGMuQUlalE0ARbUi66ckD61YfZMVeYqqOlugF3V4fO0F6q97Tgn8gdbRqlRu
+g2XVJd
+-----END PUBLIC KEY-----
+
+$ openssl asn1parse -i < [ALGORITHM]
+    0:d=0  hl=2 l=  10 cons: SEQUENCE          
+    2:d=1  hl=2 l=   8 prim:  OBJECT            :ecdsa-with-SHA256
+
+-----BEGIN ALGORITHM-----
+MAoGCCqGSM49BAMC
+-----END ALGORITHM-----
+
+-----BEGIN DATA-----
+MTIzNDAw
+-----END DATA-----
+
+$ openssl asn1parse -i < [SIGNATURE]
+    0:d=0  hl=2 l=  73 prim: BIT STRING        
+
+-----BEGIN SIGNATURE-----
+A0kAMEYCIQCo6hUMuAEl1zgcTB8dqOneJxH5kXBgQGpz15BFGeUTiAIhAPOrn6aL1HlzpzstQEg
+MK6UMIsnXbsIXJXKIKTKFRJuG
+-----END SIGNATURE-----
diff --git a/third-party/chromium/data/verify_signed_data/ours/ecdsa-prime256v1-sha256.pem b/third-party/chromium/data/verify_signed_data/ours/ecdsa-prime256v1-sha256.pem
@@ -0,0 +1,38 @@
+The key, message, and signature come from wycheproof ecdsa_secp256r1_sha256_test.json
+
+The signature was wrapped in an additional BITSTRING.
+
+
+$ openssl asn1parse -i < [PUBLIC KEY]
+    0:d=0  hl=2 l=  89 cons: SEQUENCE          
+    2:d=1  hl=2 l=  19 cons:  SEQUENCE          
+    4:d=2  hl=2 l=   7 prim:   OBJECT            :id-ecPublicKey
+   13:d=2  hl=2 l=   8 prim:   OBJECT            :prime256v1
+   23:d=1  hl=2 l=  66 prim:  BIT STRING        
+
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBKrsc2NXJvIT+4qeZNo7hjLkFJWpRNAEW1IuunJ
+A+tWH2TFXmKqjpboBd1eHztBeqve04J/IHW0apUboNl1SXQ==
+-----END PUBLIC KEY-----
+
+
+$ openssl asn1parse -i < [ALGORITHM]
+    0:d=0  hl=2 l=  10 cons: SEQUENCE          
+    2:d=1  hl=2 l=   8 prim:  OBJECT            :ecdsa-with-SHA256
+
+-----BEGIN ALGORITHM-----
+MAoGCCqGSM49BAMC
+-----END ALGORITHM-----
+
+-----BEGIN DATA-----
+MTIzNDAw
+-----END DATA-----
+
+
+$ openssl asn1parse -i < [SIGNATURE]
+    0:d=0  hl=2 l=  73 prim: BIT STRING        
+
+-----BEGIN SIGNATURE-----
+A0kAMEYCIQCo6hUMuAEl1zgcTB8dqOneJxH5kXBgQGpz15BFGeUTiAIhAPOrn6aL1HlzpzstQEg
+MK6UMIsnXbsIXJXKIKTKFRJuG
+-----END SIGNATURE-----