Skip to content

[WIP/RFC] X509 import #697

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 10 commits into
base: new-rsa-api
Choose a base branch
from
Draft

[WIP/RFC] X509 import #697

wants to merge 10 commits into from

Conversation

@sjaeckel
Copy link
Member

@sjaeckel sjaeckel commented Sep 8, 2025

Start implemeting X.509 APIs.

In #693 this was requested and I was already at it and now we have the first part: Parsing of an X.509 certificate and the cryptographic validation of such a certificate.

NB: This does not yet contain the logic that is required to determine whether a CA is eligible to sign a certificate etc.

Checklist

  • documentation is added or updated
  • tests are added or updated

@sjaeckel sjaeckel requested review from karel-m and levitte September 8, 2025 12:20
@sjaeckel sjaeckel marked this pull request as draft September 8, 2025 12:21
@sjaeckel sjaeckel force-pushed the x509_import branch 8 times, most recently from a342826 to d9b0684 Compare September 11, 2025 12:50
@sjaeckel sjaeckel force-pushed the some-improvements branch 2 times, most recently from 028775e to 6fe53a5 Compare September 12, 2025 16:50
Base automatically changed from some-improvements to develop September 15, 2025 13:35
@sjaeckel sjaeckel mentioned this pull request Oct 3, 2025
Merged
@sjaeckel
Add support for separate MGF1 hashes
d894a31 
Update PKCS#1-PSS and RSA APIs that allow passing a separate hash index for
the MGF1 hash.

Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Add support for RSA-PSS keys
1620330 
Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Refactor SubjectPublicKeyInfo import
15815a8 
Slightly minimize both space and time when importing a
SubjectPublicKeyInfo. Time for ECC keys stays the same.

Those tests were done with X.509 support already available, but later these
commits were split up to be independent of the X.509 feature.

Running the entire set of pem files through `x509_verify` via [0]
resp. the timing app via [1] resulted in the following data:

Before this patch:

[0]
```
==1031519== HEAP SUMMARY:
==1031519==     in use at exit: 0 bytes in 0 blocks
==1031519==   total heap usage: 424,057 allocs, 424,057 frees, 73,527,730 bytes allocated
```

[1]
```
x509 cert-rsa-pss.pem    :     50021 cycles
x509 LTC_CA.pem          :     10335 cycles
x509 LTC_S0.pem          :     47284 cycles
x509 LTC_SS0.pem         :     36687 cycles
x509 secp384r1.pem       :   1985416 cycles
x509 secp521r1.pem       :   3287773 cycles
x509 LTC_SSS0.pem        :     25086 cycles
x509 secp224r1.pem       :    775807 cycles
```

After this patch:

[0]
```
==1043548== HEAP SUMMARY:
==1043548==     in use at exit: 0 bytes in 0 blocks
==1043548==   total heap usage: 337,244 allocs, 337,244 frees, 65,047,463 bytes allocated
```

[1]
```
x509 cert-rsa-pss.pem    :     32568 cycles
x509 LTC_CA.pem          :      5478 cycles
x509 LTC_S0.pem          :     36093 cycles
x509 LTC_SS0.pem         :     23351 cycles
x509 secp384r1.pem       :   1984030 cycles
x509 secp521r1.pem       :   3303396 cycles
x509 LTC_SSS0.pem        :     13220 cycles
x509 secp224r1.pem       :    781534 cycles
```

[0] find tests/x509 -name '*.pem' -exec valgrind --leak-check=full --show-leak-kinds=all './x509_verify' {} \+
[1] ./timing x509

Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Introduce new RSA API.
71d72b2 
This also:
a) deprecates the old RSA and PKCS#1 API.
b) reverts the changes done to them in order to make the now deprecated API
   compatible again with the last release.

The fixes commit mentioned below is the testcase for the Bleichenbacher
attack, which works now again as expected.

Fixes: 9d03c38 ("add flags to `der_decode_sequence()`")
Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel sjaeckel changed the base branch from develop to new-rsa-api November 19, 2025 14:44
@sjaeckel
Add X.509 APIs
57effe5 
Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Add demos/x509_verify.c
d35840f 
Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Add x509_test()
0354a95 
This includes the certificates included in the test suites of OpenSSL
and GnuTLS.

Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Add x509_import_spki() to timing.c
a1afebf 
Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Extend coverage
7b6662f 
Run x509_verify for all certs.

Signed-off-by: Steffen Jaeckel <[email protected]>
@sjaeckel
Update makefiles
60ddcf5
@sjaeckel sjaeckel added this to the next-next milestone Nov 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@levitte levitte Awaiting requested review from levitte

@karel-m karel-m Awaiting requested review from karel-m

Assignees

No one assigned

Labels

enhancement feature

Projects

None yet

Milestone

next-next

Development

Successfully merging this pull request may close these issues.

2 participants

@sjaeckel