
std.crypto: enhance Certificate security #19759


Closed
4 changes: 4 additions & 0 deletions lib/std/crypto.zig
@@ -195,6 +195,8 @@ pub const errors = @import("crypto/errors.zig");
pub const tls = @import("crypto/tls.zig");
pub const Certificate = @import("crypto/Certificate.zig");

pub const rsa = @import("crypto/rsa.zig");

/// Side-channels mitigations.
pub const SideChannelsMitigations = enum {
/// No additional side-channel mitigations are applied.
@@ -307,6 +309,8 @@ test {
_ = errors;
_ = tls;
_ = Certificate;
_ = rsa;
_ = @import("crypto/oid.zig");
}

test "CSPRNG" {
21 changes: 21 additions & 0 deletions lib/std/crypto/25519/ed25519.zig
@@ -1,4 +1,5 @@
const std = @import("std");
const der = @import("../der.zig");
const crypto = std.crypto;
const debug = std.debug;
const fmt = std.fmt;
@@ -213,6 +214,26 @@ pub const Ed25519 = struct {
};
}

pub fn fromDer(bytes: []const u8) !Signature {
var parser = der.Parser{ .bytes = bytes };
const seq = try parser.expectSequence();
defer parser.seek(seq.slice.end);

const r = try parser.expectPrimitive(.integer);
if (r.slice.len() > Curve.encoded_length) return error.InvalidScalar;
const s = try parser.expectPrimitive(.integer);
if (s.slice.len() > @sizeOf(CompressedScalar)) return error.InvalidScalar;

if (parser.index != seq.slice.end) return error.InvalidSequence;
if (parser.index != parser.bytes.len) return error.InvalidSequence;

var res = std.mem.zeroInit(Signature, .{});
@memcpy(res.r[res.r.len - parser.view(r).len ..], parser.view(r));
@memcpy(res.s[res.r.len - parser.view(s).len ..], parser.view(s));

return res;
}

/// Create a Verifier for incremental verification of a signature.
pub fn verifier(self: Signature, public_key: PublicKey) (NonCanonicalError || EncodingError || IdentityElementError)!Verifier {
return Verifier.init(self, public_key);
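Review bot: In `fromDer`, the copy into `res.s` takes its offset from `res.r.len` rather than `res.s.len`, so it is only correct while the two fields happen to be the same size; it should read `@memcpy(res.s[res.s.len - parser.view(s).len ..], parser.view(s));`. More fundamentally, left-padding two DER INTEGERs treats `r` and `s` as big-endian numbers, whereas an Ed25519 signature is a fixed 64-byte little-endian encoding (RFC 8032) that X.509 carries as raw octets (RFC 8410), not as a SEQUENCE of INTEGERs. The function therefore looks modelled on ECDSA and may accept input that is not a valid Ed25519 signature encoding and reinterpret it as one. The `defer parser.seek(seq.slice.end)` acts on a local parser that is discarded on return, so it appears to have no effect and could be dropped. The function is public but has no `///` comment and an inferred error set; a doc line naming the accepted encoding and an explicit error set would let callers handle failures exhaustively.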
12 changes: 8 additions & 4 deletions lib/std/crypto/25519/x25519.zig
@@ -19,15 +19,19 @@ pub const X25519 = struct {
pub const public_length = 32;
/// Length (in bytes) of the output of the DH function.
pub const shared_length = 32;
/// Seed (for key pair creation) length in bytes.
pub const seed_length = 32;

pub const PublicKey = [public_length]u8;
pub const SecretKey = [secret_length]u8;

/// An X25519 key pair.
pub const KeyPair = struct {
/// Public part.
public_key: [public_length]u8,
public_key: PublicKey,
/// Secret part.
secret_key: [secret_length]u8,
secret_key: SecretKey,

/// Seed (for key pair creation) length in bytes.
pub const seed_length = 32;

/// Create a new key pair using an optional seed.
pub fn create(seed: ?[seed_length]u8) IdentityElementError!KeyPair {
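Review bot: The `seed_length` constant is shown both directly under `X25519` and inside `KeyPair`, and the 8-addition/4-deletion count suggests it is being relocated rather than duplicated, which removes whichever public path callers could use before. That would be an API break unrelated to the certificate work, and the new `PublicKey`/`SecretKey` aliases do not need the constant to move, so it is better left where it was. The rendered page does not show which copy is on the removed side, so this should be confirmed against the raw diff. The new aliases also have no doc comments, unlike the neighbouring length constants; something like `/// An X25519 public key, as raw bytes.` would match the file's style. Both struct bodies continue outside the hunk.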