diff --git a/Userland/Libraries/LibTLS/Certificate.cpp b/Userland/Libraries/LibTLS/Certificate.cpp
index 5d9cdd4161a..aea4f4db94d 100644
--- a/Userland/Libraries/LibTLS/Certificate.cpp
+++ b/Userland/Libraries/LibTLS/Certificate.cpp
@@ -202,15 +202,23 @@ static ErrorOr parse_algorithm_identifier(Crypto::ASN1::Dec
 return AlgorithmIdentifier(algorithm);
 }
+ // https://www.ietf.org/rfc/rfc5758.txt
 // When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
 // ecdsa-with-SHA512 algorithm identifier appears in the algorithm field
 // as an AlgorithmIdentifier, the encoding MUST omit the parameters
 // field.
+
+ // https://datatracker.ietf.org/doc/html/rfc8410#section-9
+ // For all of the OIDs, the parameters MUST be absent.
 Array, 8> no_parameter_algorithms = {
 ecdsa_with_sha224_encryption_oid,
 ecdsa_with_sha256_encryption_oid,
 ecdsa_with_sha384_encryption_oid,
 ecdsa_with_sha512_encryption_oid,
+ x25519_oid,
+ x448_oid,
+ ed25519_oid,
+ ed448_oid
 };
 bool is_no_parameter_algorithm = false;
@@ -379,10 +387,22 @@ ErrorOr parse_subject_public_key_info(Crypto::ASN1::Decoder& d
 return public_key;
 }
- if (public_key.algorithm.identifier.span() == ec_public_key_encryption_oid.span()) {
- // Note: Raw key is already stored, so we can just exit out at this point.
- EXIT_SCOPE();
- return public_key;
+ // https://datatracker.ietf.org/doc/html/rfc8410#section-9
+ // For all of the OIDs, the parameters MUST be absent.
+ Array, 5> no_parameter_algorithms = {
+ ec_public_key_encryption_oid,
+ x25519_oid,
+ x448_oid,
+ ed25519_oid,
+ ed448_oid
+ };
+
+ for (auto const& inner : no_parameter_algorithms) {
+ if (public_key.algorithm.identifier.span() == inner.span()) {
+ // Note: Raw key is already stored, so we can just exit out at this point.
+ EXIT_SCOPE();
+ return public_key;
+ }
 }
 String algo_oid = TRY(String::join("."sv, public_key.algorithm.identifier));
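Review bot: The RFC 8410 comment above `no_parameter_algorithms` in parse_subject_public_key_info does not describe what the list is used for: its first entry, `ec_public_key_encryption_oid`, is not an RFC 8410 OID, and the loop never checks that parameters are absent, it only selects algorithms whose raw key bytes are returned without further parsing. A comment such as `// Algorithms whose subjectPublicKey is kept as raw bytes; no further key parsing is done here.` and a name like `raw_key_algorithms` would match the behaviour. The identical list and loop are added to parse_private_key_info in the next hunk, so one shared constant would keep the two from drifting apart. No length check for the fixed-size RFC 8410 keys is visible before the early return; the function body starts and ends outside the hunk, so that may be handled elsewhere.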
@@ -426,10 +446,22 @@ ErrorOr parse_private_key_info(Crypto::ASN1::Decoder& decoder, Vecto
 return private_key;
 }
- if (private_key.algorithm.identifier.span() == ec_public_key_encryption_oid.span()) {
- // Note: Raw key is already stored, so we can just exit out at this point.
- EXIT_SCOPE();
- return private_key;
+ // https://datatracker.ietf.org/doc/html/rfc8410#section-9
+ // For all of the OIDs, the parameters MUST be absent.
+ Array, 5> no_parameter_algorithms = {
+ ec_public_key_encryption_oid,
+ x25519_oid,
+ x448_oid,
+ ed25519_oid,
+ ed448_oid
+ };
+
+ for (auto const& inner : no_parameter_algorithms) {
+ if (private_key.algorithm.identifier.span() == inner.span()) {
+ // Note: Raw key is already stored, so we can just exit out at this point.
+ EXIT_SCOPE();
+ return private_key;
+ }
 }
 String algo_oid = TRY(String::join("."sv, private_key.algorithm.identifier));
diff --git a/Userland/Libraries/LibTLS/Certificate.h b/Userland/Libraries/LibTLS/Certificate.h
index 69559b4482f..2aa26ff5db3 100644
--- a/Userland/Libraries/LibTLS/Certificate.h
+++ b/Userland/Libraries/LibTLS/Certificate.h
@@ -31,9 +31,13 @@ constexpr static Array
 ecdsa_with_sha256_encryption_oid { 1, 2, 840, 10045, 4, 3, 2 },
 ecdsa_with_sha384_encryption_oid { 1, 2, 840, 10045, 4, 3, 3 },
 ecdsa_with_sha512_encryption_oid { 1, 2, 840, 10045, 4, 3, 4 },
- ec_public_key_encryption_oid { 1, 2, 840, 10045, 2, 1 };
+ ec_public_key_encryption_oid { 1, 2, 840, 10045, 2, 1 },
+ x25519_oid { 1, 3, 101, 110 },
+ x448_oid { 1, 3, 101, 111 },
+ ed25519_oid { 1, 3, 101, 112 },
+ ed448_oid { 1, 3, 101, 113 };
-constexpr static Array, 9> known_algorithm_identifiers {
+constexpr static Array, 10> known_algorithm_identifiers {
 rsa_encryption_oid,
 rsa_md5_encryption_oid,
 rsa_sha1_encryption_oid,
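Review bot: The early return for the RFC 8410 OIDs in parse_private_key_info treats the already stored raw key as final, but RFC 8410 section 7 wraps the private key in a CurvePrivateKey OCTET STRING inside the privateKey OCTET STRING. If the bytes stored before this point are the contents of the outer OCTET STRING (the storing code is outside this hunk), an X25519, X448, Ed25519 or Ed448 key would still carry the inner tag and length and would need one more unwrap, plus a length check, before use. At minimum the note on the return could say so, e.g. `// NOTE: for RFC 8410 keys the stored bytes are a DER CurvePrivateKey, not the bare key.`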
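Review bot: The four RFC 8410 OIDs have four arcs but are added to the same declarator list as the seven-arc ECDSA OIDs, so they take that declaration's element count. The template arguments are not visible on this page, but the new loops in Certificate.cpp compare with `inner.span()`, which suggests fixed-size inner arrays; in that case the shorter OIDs are zero-filled to the common length and a length-sensitive span comparison against a decoded four-arc identifier would not match. Declaring them separately, e.g. `constexpr static Array<int, 4> x25519_oid { 1, 3, 101, 110 }, x448_oid { 1, 3, 101, 111 };`, and holding the lookup tables as spans would avoid that. The existing six-arc `ec_public_key_encryption_oid` has the same property.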
@@ -42,7 +46,8 @@ constexpr static Array, 9> known_algorithm_identifiers {
 rsa_sha512_encryption_oid,
 ecdsa_with_sha256_encryption_oid,
 ecdsa_with_sha384_encryption_oid,
- ec_public_key_encryption_oid
+ ec_public_key_encryption_oid,
+ x25519_oid
 };
 constexpr static Array
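Review bot: Only `x25519_oid` is added to `known_algorithm_identifiers`, while `x448_oid`, `ed25519_oid` and `ed448_oid` are also added to the no-parameter lists in Certificate.cpp. If parse_algorithm_identifier rejects identifiers that are not in this table (that check is outside the visible hunks), those three entries can never be reached and certificates using them are still refused. Either add them here and raise the element count to match, or state the intent with a comment such as `// Only X25519 is accepted for now; the other RFC 8410 OIDs are not yet supported.`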