From aee1096c660daaad24bea1716558bd348391cfbf Mon Sep 17 00:00:00 2001 From: Sergio Arroutbi Date: Thu, 11 Jan 2024 17:25:46 +0100 Subject: [PATCH 1/6] Fix test compilation warnings (#127) Resolves: #116 Signed-off-by: Sergio Arroutbi --- tests/alg_encr.c | 9 ++++++--- tests/api_b64.c | 3 +++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/tests/alg_encr.c b/tests/alg_encr.c index 5adf1891..ab7dfb61 100644 --- a/tests/alg_encr.c +++ b/tests/alg_encr.c @@ -64,9 +64,12 @@ test(const jose_hook_alg_t *a, const char *pt, json_t *cek, bool iter) assert(d); if (iter) { - uint8_t *xxx = ebuf; - for (size_t i = 0; i < elen; i++) - assert(d->feed(d, &xxx[i], 1)); + if (elen) { + uint8_t *xxx = ebuf; + for (size_t i = 0; i < elen; i++) { + assert(d->feed(d, &xxx[i], 1)); + } + } } else { assert(d->feed(d, ebuf, elen)); } diff --git a/tests/api_b64.c b/tests/api_b64.c index 027e7bfe..2e447398 100644 --- a/tests/api_b64.c +++ b/tests/api_b64.c @@ -62,6 +62,7 @@ main(int argc, char *argv[]) for (uint16_t i = 0; i <= UINT8_MAX; i++) { union encoding enc = { i }; uint8_t dec[3] = {}; + assert(dec != NULL); assert(jose_b64_dec_buf(enc.enc, 1, dec, sizeof(dec)) == SIZE_MAX); } @@ -74,6 +75,7 @@ main(int argc, char *argv[]) for (uint16_t i = 0; i <= UINT8_MAX; i++) { uint8_t dec[3] = { i }; union encoding enc = {}; + assert(dec != NULL); assert(jose_b64_enc_buf(dec, 1, enc.enc, sizeof(enc.enc)) == 2); set(val, enc.idx); } @@ -106,6 +108,7 @@ main(int argc, char *argv[]) for (uint16_t j = 0; j <= UINT8_MAX; j++) { uint8_t dec[3] = { i, j }; union encoding enc = {}; + assert(dec != NULL); assert(jose_b64_enc_buf(dec, 2, enc.enc, sizeof(enc.enc)) == 3); set(val, enc.idx); } From 45367ddb4545fcfaa26001824b875555edafafac Mon Sep 17 00:00:00 2001 From: Sergio Arroutbi Date: Thu, 11 Jan 2024 17:32:02 +0100 Subject: [PATCH 2/6] Increase test program/scripts timeout values (#131) Resolves: #110 Signed-off-by: Sergio Arroutbi --- tests/meson.build | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/meson.build b/tests/meson.build index 59f071d8..37b910a8 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -37,14 +37,14 @@ foreach p: progs if p == 'api_b64' to = 1800 else - to = 30 + to = 180 endif test(p, exe, timeout: to) endforeach foreach s: scripts exe = find_program('./' + s) - test(s, exe, env: e, timeout: 60) + test(s, exe, env: e, timeout: 900) endforeach subdir('issue-75') From 58112dff656dcb6644e912bdee4c64a5ed3f63ee Mon Sep 17 00:00:00 2001 From: Sunil Dhayal <53350866+sunil-dhayal@users.noreply.github.com> Date: Fri, 15 Dec 2023 17:05:31 +0530 Subject: [PATCH 3/6] =?UTF-8?q?lib/openssl/rsaes.c:=20Fix=20issue=20where?= =?UTF-8?q?=20`jose=5Fhook=5Falg=5Ffind`=20failed=20to=20find=20the=20?= =?UTF-8?q?=E2=80=A6=20=E2=80=A6existance=20of=20RSA=5FOAEP=20algorithm?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After upgrading to openssl 3.x, decryption of cipher started failing with error `decryption algorithm not found, could not decode key`. After investigation it was found that before openssl 3.x, EVP_PKEY_CTX_set_rsa_oaep_md used to be a MACRO but with openssl 3.x, it became a function. To fix this, modify the check for MACRO to make it work with openssl version 3.x or higher. ''' Without this patch, algorithms listed by `jose_hook_alg_find` function: PS512, PS384, PS256, RS512, RS384, RS256, HS512, HS384, HS256, S1, S224, S256, S384, S512, ES512, ES384, ES256, ECMR, ECDH, A256GCM, A192GCM, A128GCM, A256CBC-HS512, A192CBC-HS384, A128CBC-HS256, DEF After appling this patch algorithms listed by `jose_hook_alg_find` function: PS512, PS384, PS256, RS512, RS384, RS256, PS512, PS384, PS256, RS512, RS384, RS256, RSA-OAEP-512, RSA-OAEP-384, RSA-OAEP-256, RSA-OAEP-224, RSA-OAEP, RSA1_5, PBES2-HS512+A256KW, PBES2-HS384+A192KW, PBES2-HS256+A128KW, HS512, HS384, HS256, S1, S224, S256, S384, S512, ES512, ES384, ES256, ECMR, ECDH-ES+A256KW, ECDH-ES+A192KW, ECDH-ES+A128KW, ECDH-ES, ECDH, dir, A256KW, A192KW, A128KW, A256GCMKW, A192GCMKW, A128GCMKW ''' Signed-off-by: sunil-dhayal --- lib/openssl/rsaes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/openssl/rsaes.c b/lib/openssl/rsaes.c index f2bc4141..932538b5 100644 --- a/lib/openssl/rsaes.c +++ b/lib/openssl/rsaes.c @@ -25,7 +25,7 @@ #include -#ifdef EVP_PKEY_CTX_set_rsa_oaep_md +#if defined (EVP_PKEY_CTX_set_rsa_oaep_md) || (OPENSSL_VERSION_NUMBER >= 0x30000000L) #define NAMES "RSA1_5", "RSA-OAEP", "RSA-OAEP-224", "RSA-OAEP-256", "RSA-OAEP-384", "RSA-OAEP-512" #define HAVE_OAEP #else From 253549a1ca56caf2401d5a8e61fb75a5f93c4e1d Mon Sep 17 00:00:00 2001 From: Howard Holm Date: Wed, 17 Jan 2024 06:32:33 -0500 Subject: [PATCH 4/6] Update CI (#8) (#129) * Clean up this messed up pull. CentOS Stream 9 seems to work with clang and since changes would be needed to deal with clang in SCL for CentOS 7 it's pretty clear that never worked although the gcc build seems fine. * Add optional dependencies to ensure everything possible builds. And add "setup" to avoid meson warning. --- .github/workflows/build.yml | 11 ++++++++--- .github/workflows/install-dependencies | 20 ++++++++++++++------ README.md | 6 +++--- 3 files changed, 25 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0d7dcda5..4c043382 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,11 +14,13 @@ jobs: - clang os: - fedora:latest - - quay.io/centos/centos:stream8 - quay.io/centos/centos:stream9 + - quay.io/centos/centos:stream8 - debian:testing - debian:latest - ubuntu:rolling + - ubuntu:jammy + - ubuntu:focal stable:: [true] include: - compiler: gcc @@ -33,6 +35,9 @@ jobs: - compiler: clang os: ubuntu:devel stable: false + - compiler: gcc + os: centos:7 + stable: true steps: - uses: actions/checkout@v3 @@ -48,7 +53,7 @@ jobs: mkdir -p build && cd build export ninja=$(command -v ninja) [ -z "${ninja}" ] && export ninja=$(command -v ninja-build) - meson .. || cat meson-logs/meson-log.txt >&2 + meson setup .. || cat meson-logs/meson-log.txt >&2 ${ninja} - name: Run tests @@ -95,7 +100,7 @@ jobs: mkdir -p build && cd build export ninja=$(command -v ninja) [ -z "${ninja}" ] && export ninja=$(command -v ninja-build) - CFLAGS=-I$(brew --prefix openssl)/include LDFLAGS=-L$(brew --prefix openssl)/lib PKG_CONFIG_PATH=$(brew --prefix openssl)/lib/pkgconfig meson .. || cat meson-logs/meson-log.txt >&2 + CFLAGS=-I$(brew --prefix openssl)/include LDFLAGS=-L$(brew --prefix openssl)/lib PKG_CONFIG_PATH=$(brew --prefix openssl)/lib/pkgconfig meson setup .. || cat meson-logs/meson-log.txt >&2 ${ninja} - name: Run tests diff --git a/.github/workflows/install-dependencies b/.github/workflows/install-dependencies index 26b5b955..836ea7ca 100755 --- a/.github/workflows/install-dependencies +++ b/.github/workflows/install-dependencies @@ -1,6 +1,6 @@ #!/bin/sh -ex -COMMON="meson curl git file bzip2 ${CC}" +COMMON="meson curl git file bzip2 asciidoc jq ${CC}" case "${DISTRO}" in osx:*) @@ -30,14 +30,22 @@ debian:*|ubuntu:*) dnf -y install ${COMMON} pkgconfig openssl-devel zlib-devel jansson-devel ;; -*centos:*) +centos:7) yum -y clean all yum -y --setopt=deltarpm=0 update - yum install -y yum-utils epel-release - yum config-manager -y --set-enabled crb \ - || yum config-manager -y --set-enabled powertools || : - yum -y --allowerasing install ${COMMON} + yum install -y yum-utils epel-release centos-release-scl llvm-toolset-7 + yum -y install ${COMMON} yum-builddep -y jose ;; + +*centos:stream*) + dnf -y clean all + dnf -y --allowerasing --setopt=deltarpm=0 update + dnf install -y yum-utils epel-release + dnf config-manager -y --set-enabled crb \ + || dnf config-manager -y --set-enabled powertools || : + dnf -y --allowerasing install ${COMMON} + dnf builddep -y jose + ;; esac # vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: diff --git a/README.md b/README.md index 57f99fe2..a3805585 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ Decryption failed! Building Jose is fairly straightforward: $ mkdir build && cd build - $ meson .. --prefix=/usr + $ meson setup .. --prefix=/usr $ ninja $ sudo ninja install @@ -123,9 +123,9 @@ You can even run the tests if you'd like: To build a FreeBSD, HardenedBSD or OPNsense package use: - (as root) # pkg install meson pkgconf jansson openssl + (as root) # pkg install meson pkgconf jansson openssl jq $ mkdir build && cd build - $ meson .. --prefix=/usr/local + $ meson setup .. --prefix=/usr/local $ ninja $ meson test (as root) # ninja install From c1569b7a1999f0b56ddcead605e6253881db0e71 Mon Sep 17 00:00:00 2001 From: Howard Holm Date: Thu, 1 Feb 2024 08:55:00 -0500 Subject: [PATCH 5/6] Meson changes (#135) * Use the object vs string for jansson in meson.build * Avoid meson warnings --- meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build index 96a25699..76f110d0 100644 --- a/meson.build +++ b/meson.build @@ -62,7 +62,7 @@ pkg.generate( requires_private: [ 'zlib', 'libcrypto' ], libraries: libjose_lib, - requires: 'jansson', + requires: jansson, ) if a2x.found() From e6a7ae7612b1d8f6b46bc70a21493265dbfcc20b Mon Sep 17 00:00:00 2001 From: Ilia Mirkin Date: Thu, 1 Feb 2024 10:20:27 -0500 Subject: [PATCH 6/6] Add ES256K support (#90) --- README.md | 1 + lib/openssl/ec.c | 3 ++- lib/openssl/ecdsa.c | 29 +++++++++++++++++++++++++---- lib/openssl/jwk.c | 4 +++- tests/jose-jwk-gen | 1 + 5 files changed, 32 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a3805585..b8f45c92 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ José is extensively tested against the RFC test vectors. | ES256 | YES | Signature | EC | | ES384 | YES | Signature | EC | | ES512 | YES | Signature | EC | +| ES256K | YES | Signature | EC | | PS256 | YES | Signature | RSA | | PS384 | YES | Signature | RSA | | PS512 | YES | Signature | RSA | diff --git a/lib/openssl/ec.c b/lib/openssl/ec.c index 46433a30..0301f063 100644 --- a/lib/openssl/ec.c +++ b/lib/openssl/ec.c @@ -48,10 +48,11 @@ jwk_make_execute(jose_cfg_t *cfg, json_t *jwk) if (json_unpack(jwk, "{s?s}", "crv", &crv) < 0) return false; - switch (str2enum(crv, "P-256", "P-384", "P-521", NULL)) { + switch (str2enum(crv, "P-256", "P-384", "P-521", "secp256k1", NULL)) { case 0: nid = NID_X9_62_prime256v1; break; case 1: nid = NID_secp384r1; break; case 2: nid = NID_secp521r1; break; + case 3: nid = NID_secp256k1; break; default: return false; } diff --git a/lib/openssl/ecdsa.c b/lib/openssl/ecdsa.c index 263e931f..df887d6b 100644 --- a/lib/openssl/ecdsa.c +++ b/lib/openssl/ecdsa.c @@ -22,7 +22,7 @@ #include -#define NAMES "ES256", "ES384", "ES512" +#define NAMES "ES256", "ES384", "ES512", "ES256K" typedef struct { jose_io_t io; @@ -137,6 +137,19 @@ alg2crv(const char *alg) case 0: return "P-256"; case 1: return "P-384"; case 2: return "P-521"; + case 3: return "secp256k1"; + default: return NULL; + } +} + +static const char * +alg2hash(const char *alg) +{ + switch (str2enum(alg, NAMES, NULL)) { + case 0: return "S256"; + case 1: return "S384"; + case 2: return "S512"; + case 3: return "S256"; default: return NULL; } } @@ -200,10 +213,11 @@ alg_sign_sug(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwk) if (!type || strcmp(type, "EC") != 0) return NULL; - switch (str2enum(curv, "P-256", "P-384", "P-521", NULL)) { + switch (str2enum(curv, "P-256", "P-384", "P-521", "secp256k1", NULL)) { case 0: return "ES256"; case 1: return "ES384"; case 2: return "ES512"; + case 3: return "ES256K"; default: return NULL; } } @@ -216,7 +230,7 @@ alg_sign_sig(const jose_hook_alg_t *alg, jose_cfg_t *cfg, json_t *jws, jose_io_auto_t *io = NULL; io_t *i = NULL; - halg = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_HASH, &alg->name[1]); + halg = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_HASH, alg2hash(alg->name)); if (!halg) return NULL; @@ -248,7 +262,7 @@ alg_sign_ver(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jws, jose_io_auto_t *io = NULL; io_t *i = NULL; - halg = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_HASH, &alg->name[1]); + halg = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_HASH, alg2hash(alg->name)); if (!halg) return NULL; @@ -302,6 +316,13 @@ constructor(void) .sign.sug = alg_sign_sug, .sign.sig = alg_sign_sig, .sign.ver = alg_sign_ver }, + { .kind = JOSE_HOOK_ALG_KIND_SIGN, + .name = "ES256K", + .sign.sprm = "sign", + .sign.vprm = "verify", + .sign.sug = alg_sign_sug, + .sign.sig = alg_sign_sig, + .sign.ver = alg_sign_ver }, {} }; diff --git a/lib/openssl/jwk.c b/lib/openssl/jwk.c index 8fc1dd73..1e8f3118 100644 --- a/lib/openssl/jwk.c +++ b/lib/openssl/jwk.c @@ -169,6 +169,7 @@ jose_openssl_jwk_from_EC_POINT(jose_cfg_t *cfg, const EC_GROUP *grp, case NID_X9_62_prime256v1: crv = "P-256"; break; case NID_secp384r1: crv = "P-384"; break; case NID_secp521r1: crv = "P-521"; break; + case NID_secp256k1: crv = "secp256k1"; break; default: return NULL; } @@ -366,10 +367,11 @@ jose_openssl_jwk_to_EC_KEY(jose_cfg_t *cfg, const json_t *jwk) if (strcmp(kty, "EC") != 0) return NULL; - switch (str2enum(crv, "P-256", "P-384", "P-521", NULL)) { + switch (str2enum(crv, "P-256", "P-384", "P-521", "secp256k1", NULL)) { case 0: nid = NID_X9_62_prime256v1; break; case 1: nid = NID_secp384r1; break; case 2: nid = NID_secp521r1; break; + case 3: nid = NID_secp256k1; break; default: return NULL; } diff --git a/tests/jose-jwk-gen b/tests/jose-jwk-gen index 364ba22c..063fd4e1 100755 --- a/tests/jose-jwk-gen +++ b/tests/jose-jwk-gen @@ -17,6 +17,7 @@ done jose jwk gen -i '{ "kty": "EC", "crv": "P-256" }' jose jwk gen -i '{ "kty": "EC", "crv": "P-384" }' jose jwk gen -i '{ "kty": "EC", "crv": "P-521" }' +jose jwk gen -i '{ "kty": "EC", "crv": "secp256k1" }' jose jwk gen -i '{ "kty": "RSA", "bits": 3072 }' ! jose jwk gen -i '{ "kty": "RSA", "bits": 3072, "e": 257 }'