@sjaeckel commented Sep 8, 2025

Start implementing X.509 APIs.

In #693 this was requested and I was already at it and now we have the first part: Parsing of an X.509 certificate and the cryptographic validation of such a certificate.

NB: This does not yet contain the logic that is required to determine whether a CA is eligible to sign a certificate etc.

Checklist

  • documentation is added or updated
  • tests are added or updated

@sjaeckel requested review from levitte and karel-m September 8, 2025 12:20
@sjaeckel marked this pull request as draft September 8, 2025 12:21
@sjaeckel force-pushed the x509_import branch 8 times, most recently from a342826 to d9b0684 September 11, 2025 12:50
@sjaeckel force-pushed the some-improvements branch 2 times, most recently from 028775e to 6fe53a5 September 12, 2025 16:50
Signed-off-by: Steffen Jaeckel <[email protected]>
To be able to do a bit more, add an optional handler callback function.
In addition to that, also make it possible to mark elements as optional.

Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
Update PKCS#1-PSS and RSA APIs that allow passing a separate hash index for
the MGF1 hash.

Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
This includes the certificates included in the test suites of OpenSSL
and GnuTLS.

Signed-off-by: Steffen Jaeckel <[email protected]>
(and you should do that too)

Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>
Slightly minimize both space and time when importing a
SubjectPublicKeyInfo. Time for ECC keys stays the same.

Running the entire set of pem files through `x509_verify` via [0]
resp. the timing app via [1] resulted in the following data:

Before this patch:

[0]
```
==1031519== HEAP SUMMARY:
==1031519==     in use at exit: 0 bytes in 0 blocks
==1031519==   total heap usage: 424,057 allocs, 424,057 frees, 73,527,730 bytes allocated
```

[1]
```
x509 cert-rsa-pss.pem    :     50021 cycles
x509 LTC_CA.pem          :     10335 cycles
x509 LTC_S0.pem          :     47284 cycles
x509 LTC_SS0.pem         :     36687 cycles
x509 secp384r1.pem       :   1985416 cycles
x509 secp521r1.pem       :   3287773 cycles
x509 LTC_SSS0.pem        :     25086 cycles
x509 secp224r1.pem       :    775807 cycles
```

After this patch:

[0]
```
==1043548== HEAP SUMMARY:
==1043548==     in use at exit: 0 bytes in 0 blocks
==1043548==   total heap usage: 337,244 allocs, 337,244 frees, 65,047,463 bytes allocated
```

[1]
```
x509 cert-rsa-pss.pem    :     32568 cycles
x509 LTC_CA.pem          :      5478 cycles
x509 LTC_S0.pem          :     36093 cycles
x509 LTC_SS0.pem         :     23351 cycles
x509 secp384r1.pem       :   1984030 cycles
x509 secp521r1.pem       :   3303396 cycles
x509 LTC_SSS0.pem        :     13220 cycles
x509 secp224r1.pem       :    781534 cycles
```

[0] find tests/x509 -name '*.pem' -exec valgrind --leak-check=full --show-leak-kinds=all './x509_verify' {} \+
[1] ./timing x509

Signed-off-by: Steffen Jaeckel <[email protected]>
Run x509_verify for all certs.

Signed-off-by: Steffen Jaeckel <[email protected]>
Signed-off-by: Steffen Jaeckel <[email protected]>