author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/asn1/pkcs1 | |
parent | Initial commit. (diff) | |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/asn1/pkcs1')
-rw-r--r-- | epan/dissectors/asn1/pkcs1/CMakeLists.txt | 39 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkcs1/PKIXAlgs-2009.asn | 649 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkcs1/packet-pkcs1-template.c | 174 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkcs1/packet-pkcs1-template.h | 18 | ||||
-rw-r--r-- | epan/dissectors/asn1/pkcs1/pkcs1.cnf | 45 |
5 files changed, 925 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/pkcs1/CMakeLists.txt b/epan/dissectors/asn1/pkcs1/CMakeLists.txt
new file mode 100644
index 00000000..31df28c8
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs1/CMakeLists.txt
@@ -0,0 +1,39 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME pkcs1 )
+
+set( PROTO_OPT )
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+ PKIXAlgs-2009.asn
+)
+
+set( EXTRA_DIST
+ ${ASN_FILE_LIST}
+ packet-${PROTOCOL_NAME}-template.c
+ packet-${PROTOCOL_NAME}-template.h
+ ${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+ ${EXTRA_DIST}
+ ${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+set( EXTRA_CNF
+ "${CMAKE_CURRENT_BINARY_DIR}/../x509af/x509af-exp.cnf"
+)
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/pkcs1/PKIXAlgs-2009.asn b/epan/dissectors/asn1/pkcs1/PKIXAlgs-2009.asn
new file mode 100644
index 00000000..b19dcfbf
--- /dev/null
+++ b/epan/dissectors/asn1/pkcs1/PKIXAlgs-2009.asn
@@ -0,0 +1,649 @@ +-- +-- Transcribed from RFC 5912 +-- + +PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms2008-02(56) } + + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + IMPORTS + + PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS + FROM AlgorithmInformation-2009 + {iso(1) identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58)} + + mda-sha224, mda-sha256, mda-sha384, mda-sha512 + FROM PKIX1-PSS-OAEP-Algorithms-2009 + {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-rsa-pkalgs-02(54)} + +-- Additional IMPORT for Wireshark + AlgorithmIdentifier + FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1) + authenticationFramework(7) 4}; + + + -- + -- Public Key (pk-) Algorithms + -- + + PublicKeys PUBLIC-KEY ::= { + pk-rsa | + pk-dsa | + pk-dh | + pk-kea | + pk-rsaSSA-PSS, + ..., + pk-ec | + pk-ecDH | + pk-ecMQV + } + + -- + -- Signature Algorithms (sa-) + -- + + SignatureAlgs SIGNATURE-ALGORITHM ::= { + sa-rsaWithMD2 | + sa-rsaWithMD5 | + sa-rsaWithSHA1 | + sa-dsaWithSHA1 | + sa-ecdsaWithSHA1, + ..., -- Extensible + sa-dsaWithSHA224 | + sa-dsaWithSHA256 | + sa-ecdsaWithSHA224 | + sa-ecdsaWithSHA256 | + sa-ecdsaWithSHA384 | + sa-ecdsaWithSHA512, + ..., + sa-rsaSSA-PSS + } + + -- + -- S/MIME CAPS for algorithms in this document + -- + -- For all of the algorithms laid out in this document, the + -- parameters field for the S/MIME capabilities is defined as + -- ABSENT as there are no specific values that need to be known + -- by the receiver for negotiation. 
+ + -- + + SMimeCaps SMIME-CAPS ::= { + sa-rsaWithMD2.&smimeCaps | + sa-rsaWithMD5.&smimeCaps | + sa-rsaWithSHA1.&smimeCaps | + sa-dsaWithSHA1.&smimeCaps | + sa-dsaWithSHA224.&smimeCaps | + sa-dsaWithSHA256.&smimeCaps | + sa-ecdsaWithSHA1.&smimeCaps | + sa-ecdsaWithSHA224.&smimeCaps | + sa-ecdsaWithSHA256.&smimeCaps | + sa-ecdsaWithSHA384.&smimeCaps | + sa-ecdsaWithSHA512.&smimeCaps, + ... } + + -- RSA PK Algorithm, Parameters, and Keys + +-- pk-rsa PUBLIC-KEY ::= { +-- IDENTIFIER rsaEncryption +-- KEY RSAPublicKey +-- PARAMS TYPE NULL ARE absent + -- Private key format not in this module -- +-- CERT-KEY-USAGE {digitalSignature, nonRepudiation, +-- keyEncipherment, dataEncipherment, keyCertSign, cRLSign} +-- } + + rsaEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 1 } + + RSAPublicKey ::= SEQUENCE { + modulus INTEGER, -- n + publicExponent INTEGER -- e + } + +-- Wireshark additions to ensure compatibility with the original PKCS1.asn + +DigestInfo ::= SEQUENCE { + digestAlgorithm DigestAlgorithmIdentifier, + digest Digest +} + +DigestAlgorithmIdentifier ::= AlgorithmIdentifier + +Digest ::= OCTET STRING + +-- End of Wireshark additions + + -- DSA PK Algorithm, Parameters, and Keys + +-- pk-dsa PUBLIC-KEY ::= { +-- IDENTIFIER id-dsa +-- KEY DSAPublicKey +-- PARAMS TYPE DSA-Params ARE inheritable + -- Private key format not in this module -- +-- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, +-- cRLSign } +-- } + + id-dsa OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } + + DSA-Params ::= SEQUENCE { + p INTEGER, + q INTEGER, + g INTEGER + } + + DSAPublicKey ::= INTEGER -- public key, y + + -- Diffie-Hellman PK Algorithm, Parameters, and Keys + +-- pk-dh PUBLIC-KEY ::= { +-- IDENTIFIER dhpublicnumber +-- KEY DHPublicKey +-- PARAMS TYPE DomainParameters ARE inheritable + -- Private key format not in this module -- +-- CERT-KEY-USAGE {keyAgreement, encipherOnly, 
decipherOnly } +-- } + + dhpublicnumber OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-x942(10046) + number-type(2) 1 } + + DomainParameters ::= SEQUENCE { + p INTEGER, -- odd prime, p=jq +1 + g INTEGER, -- generator, g + q INTEGER, -- factor of p-1 + j INTEGER OPTIONAL, -- subgroup factor, j>= 2 + validationParams ValidationParams OPTIONAL + } + + ValidationParams ::= SEQUENCE { + seed BIT STRING, + pgenCounter INTEGER + } + + DHPublicKey ::= INTEGER -- public key, y = g^x mod p + + -- KEA PK Algorithm and Parameters + +-- pk-kea PUBLIC-KEY ::= { +-- IDENTIFIER id-keyExchangeAlgorithm + -- key is not encoded -- +-- PARAMS TYPE KEA-Params-Id ARE required + -- Private key format not in this module -- +-- CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } +-- } + + id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) country(16) us(840) organization(1) + gov(101) dod(2) infosec(1) algorithms(1) 22 } + + KEA-Params-Id ::= OCTET STRING + + -- RSASSA-PSS (RFC 4055) + +-- pk-rsaSSA-PSS PUBLIC-KEY ::= { +-- IDENTIFIER id-RSASSA-PSS +-- KEY RSAPublicKey +-- PARAMS TYPE RSASSA-PSS-params ARE optional +-- CERT-KEY-USAGE { nonRepudiation, digitalSignature, keyCertSign, cRLSign } +-- } + + id-mgf1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 8 } + + id-RSASSA-PSS OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 10 } + + HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, + {HashAlgorithms}} + + HashAlgorithms DIGEST-ALGORITHM ::= { + { IDENTIFIER id-sha1 PARAMS TYPE NULL ARE preferredPresent }, + ... 
+ } + + -- sha1Identifier AlgorithmIdentifier ::= { + -- algorithmId id-sha1, + -- parameters NULL + -- } + + MaskGenAlgorithm ::= AlgorithmIdentifier{ALGORITHM, + {PKCS1MGFAlgorithms}} + + -- mgf1SHA1 MaskGenAlgorithm ::= { + -- algorithmId id-mgf1, + -- parameters HashAlgorithm : sha1Identifier + -- } + + PKCS1MGFAlgorithms ALGORITHM ::= { + { IDENTIFIER id-mgf1 PARAMS TYPE HashAlgorithm ARE required }, + ... + } + + -- AlgorithmIdentifier parameters for id-RSASSA-PSS. + -- Note that the tags in this Sequence are explicit. + -- Note: The hash algorithm in hashAlgorithm and in + -- maskGenAlgorithm should be the same. + + RSASSA-PSS-params ::= SEQUENCE { + hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, + maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1, + saltLength [2] INTEGER DEFAULT 20, + trailerField [3] INTEGER DEFAULT 1 + } + + + -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms + -- (Section 2.1.1 of RFC 5480) + -- + -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA + +-- pk-ec PUBLIC-KEY ::= { +-- IDENTIFIER id-ecPublicKey +-- KEY ECPoint +-- PARAMS TYPE ECParameters ARE required + -- Private key format not in this module -- +-- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement, +-- keyCertSign, cRLSign } +-- } + + ECPoint ::= OCTET STRING -- see RFC 5480 for syntax and restrictions + + id-ecPublicKey OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } + + -- Elliptic Curve (EC) Signatures: Restricted Algorithms + -- (Section 2.1.2 of RFC 5480) + -- + -- EC Diffie-Hellman Algorithm ID + +-- pk-ecDH PUBLIC-KEY ::= { +-- IDENTIFIER id-ecDH +-- KEY ECPoint +-- PARAMS TYPE ECParameters ARE required + -- Private key format not in this module -- +-- CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } +-- } + + id-ecDH OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) schemes(1) + ecdh(12) } + + -- EC Menezes-Qu-Vanstone Algorithm ID + +-- 
pk-ecMQV PUBLIC-KEY ::= { +-- IDENTIFIER id-ecMQV +-- KEY ECPoint +-- PARAMS TYPE ECParameters ARE required + -- Private key format not in this module -- +-- CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } +-- } + + id-ecMQV OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) schemes(1) + ecmqv(13) } + + -- Parameters and Keys for both Restricted and Unrestricted EC + + ECParameters ::= CHOICE { + specifiedCurve SpecifiedECDomain, -- From RFC 3279 / SEC 1 + namedCurve OBJECT IDENTIFIER + -- implicitlyCA NULL + + -- Wireshark note: the PKIXAlgs-2009 module from RFC 5912 only allows + -- namedCurve to be used. This ECParameters type is however a subset of + -- the type defined in X9.62 and RFC 3279 which additionally defines + -- 'specified' and 'implicitlyCA'. Since the explicitly specified curve + -- parameters were spotted in the wild as part of exploiting CVE-2020-0601, + -- we will include it here anyway. We do not include implicitlyCA, it does + -- not appear to be supported by OpenSSL, unlike the other two fields. + } + (WITH COMPONENTS {namedCurve PRESENT}) + + -- ECParameters from RFC 3279, but renamed to SpecifiedECDomain (RFC 5480). 
+ -- Adapted from https://tools.ietf.org/html/rfc3279#page-14 + + SpecifiedECDomain ::= SEQUENCE { + version ECPVer, -- version is always 1 + fieldID FieldID, -- identifies the finite field over + -- which the curve is defined + curve Curve, -- coefficients a and b of the + -- elliptic curve + base ECPoint, -- specifies the base point P + -- on the elliptic curve + order INTEGER, -- the order n of the base point + cofactor INTEGER OPTIONAL -- The integer h = #E(Fq)/n + } + + ECPVer ::= INTEGER {ecpVer1(1)} + + FieldID ::= SEQUENCE { + fieldType OBJECT IDENTIFIER, + parameters ANY DEFINED BY fieldType } + + Curve ::= SEQUENCE { + a FieldElement, + b FieldElement, + seed BIT STRING OPTIONAL } + + FieldElement ::= OCTET STRING + + -- FieldID.parameters definitions, OIDs are listed in pkcs1.cnf + -- https://tools.ietf.org/html/rfc3279#page-21 + + Prime-p ::= INTEGER -- Finite field F(p), where p is an odd prime + + -- Sec 2.1.1.1 Named Curve + + CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE } + WITH SYNTAX { ID &id } + + NamedCurve CURVE ::= { + { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } | + { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } | + { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } | + { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } | + { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 }, + ... -- Extensible + } + + -- Note in [X9.62] the curves are referred to as 'ansiX9' as + -- opposed to 'sec'. For example, secp192r1 is the same curve as + -- ansix9p192r1. + + -- Note that in [PKI-ALG] the secp192r1 curve was referred to as + -- prime192v1 and the secp256r1 curve was referred to as + -- prime256v1. + + -- Note that [FIPS186-3] refers to secp192r1 as P-192, + -- secp224r1 as P-224, secp256r1 as P-256, secp384r1 as P-384, + -- and secp521r1 as P-521. 
+ + secp192r1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) + prime(1) 1 } + + sect163k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 1 } + + sect163r2 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 15 } + + secp224r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 33 } + + sect233k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 26 } + + sect233r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 27 } + + secp256r1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) + prime(1) 7 } + + sect283k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 16 } + + sect283r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 17 } + + secp384r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 34 } + + sect409k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 36 } + + sect409r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 37 } + + secp521r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 35 } + + sect571k1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 38 } + + sect571r1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) certicom(132) curve(0) 39 } + + -- RSA with MD-2 + +-- sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER md2WithRSAEncryption +-- PARAMS TYPE NULL ARE required +-- HASHES { mda-md2 } +-- PUBLIC-KEYS { pk-rsa } +-- SMIME-CAPS { IDENTIFIED BY md2WithRSAEncryption } +-- } + + md2WithRSAEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 2 } + + -- RSA with MD-5 + +-- sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER 
md5WithRSAEncryption +-- PARAMS TYPE NULL ARE required +-- HASHES { mda-md5 } +-- PUBLIC-KEYS { pk-rsa } +-- SMIME-CAPS { IDENTIFIED BY md5WithRSAEncryption } +-- } + + md5WithRSAEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 4 } + + -- RSA with SHA-1 + +-- sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER sha1WithRSAEncryption +-- PARAMS TYPE NULL ARE required +-- HASHES { mda-sha1 } +-- PUBLIC-KEYS { pk-rsa } +-- SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption } +-- } + + sha1WithRSAEncryption OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-1(1) 5 } + + -- DSA with SHA-1 + +-- sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER dsa-with-sha1 +-- VALUE DSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha1 } +-- PUBLIC-KEYS { pk-dsa } +-- SMIME-CAPS { IDENTIFIED BY dsa-with-sha1 } +-- } + + dsa-with-sha1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 } + + -- DSA with SHA-224 + +-- sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER dsa-with-sha224 +-- VALUE DSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha224 } +-- PUBLIC-KEYS { pk-dsa } +-- SMIME-CAPS { IDENTIFIED BY dsa-with-sha224 } +-- } + + dsa-with-sha224 OBJECT IDENTIFIER ::= { + joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) + csor(3) algorithms(4) id-dsa-with-sha2(3) 1 } + + -- DSA with SHA-256 + +-- sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER dsa-with-sha256 +-- VALUE DSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha256 } +-- PUBLIC-KEYS { pk-dsa } +-- SMIME-CAPS { IDENTIFIED BY dsa-with-sha256 } +-- } + + dsa-with-sha256 OBJECT IDENTIFIER ::= { + joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) + csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } + + -- ECDSA with SHA-1 + +-- sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER ecdsa-with-SHA1 +-- VALUE 
ECDSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha1 } +-- PUBLIC-KEYS { pk-ec } +-- SMIME-CAPS {IDENTIFIED BY ecdsa-with-SHA1 } +-- } + + ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) + signatures(4) 1 } + + -- ECDSA with SHA-224 + +-- sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER ecdsa-with-SHA224 +-- VALUE ECDSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha224 } +-- PUBLIC-KEYS { pk-ec } +-- SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA224 } +-- } + + ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 1 } + + -- ECDSA with SHA-256 + +-- sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER ecdsa-with-SHA256 +-- VALUE ECDSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha256 } +-- PUBLIC-KEYS { pk-ec } +-- SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA256 } +-- } + + ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 2 } + + -- ECDSA with SHA-384 + +-- sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER ecdsa-with-SHA384 +-- VALUE ECDSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha384 } +-- PUBLIC-KEYS { pk-ec } +-- SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA384 } +-- } + + ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 3 } + + -- ECDSA with SHA-512 + +-- sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= { +-- IDENTIFIER ecdsa-with-SHA512 +-- VALUE ECDSA-Sig-Value +-- PARAMS TYPE NULL ARE absent +-- HASHES { mda-sha512 } +-- PUBLIC-KEYS { pk-ec } +-- SMIME-CAPS { IDENTIFIED BY ecdsa-with-SHA512 } +-- } + + ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) + ecdsa-with-SHA2(3) 4 } + + -- + -- Signature Values + -- + + -- DSA + + DSA-Sig-Value ::= SEQUENCE { + r 
INTEGER, + s INTEGER + } + + -- ECDSA + + ECDSA-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER + } + + -- + -- Message Digest Algorithms (mda-) + -- + + HashAlgs DIGEST-ALGORITHM ::= { + mda-md2 | + mda-md5 | + mda-sha1, + ... -- Extensible + } + -- MD-2 + +-- mda-md2 DIGEST-ALGORITHM ::= { +-- IDENTIFIER id-md2 +-- PARAMS TYPE NULL ARE preferredAbsent +-- } + + id-md2 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) + digestAlgorithm(2) 2 } + + -- MD-5 + +-- mda-md5 DIGEST-ALGORITHM ::= { +-- IDENTIFIER id-md5 +-- PARAMS TYPE NULL ARE preferredAbsent +-- } + + id-md5 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) + digestAlgorithm(2) 5 } + + -- SHA-1 + +-- mda-sha1 DIGEST-ALGORITHM ::= { +-- IDENTIFIER id-sha1 +-- PARAMS TYPE NULL ARE preferredAbsent +-- } + + id-sha1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) oiw(14) secsig(3) + algorithm(2) 26 } + + -- SHA-2 family (from RFC 3447) + + id-sha256 OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) country(16) us(840) organization(1) + gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } + + END diff --git a/epan/dissectors/asn1/pkcs1/packet-pkcs1-template.c b/epan/dissectors/asn1/pkcs1/packet-pkcs1-template.c new file mode 100644 index 00000000..4254adb2 --- /dev/null +++ b/epan/dissectors/asn1/pkcs1/packet-pkcs1-template.c 
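Review bot: In `ECParameters`, the subtype constraint `(WITH COMPONENTS {namedCurve PRESENT})` is kept from RFC 5912 while the CHOICE now also carries `specifiedCurve`, which the Wireshark note says was added on purpose so that explicitly specified curve parameters (as seen with CVE-2020-0601) still decode. The two statements contradict each other on paper, and whether the generator honours the constraint is not visible in this hunk; if it ever did, the explicit-parameter case would stop being dissected. I would state the intent next to the constraint, e.g. `-- constraint retained from RFC 5912 for reference only; specifiedCurve must remain decodable`, or drop the constraint line. The same hunk has a similar gap in `RSASSA-PSS-params`, whose `DEFAULT sha1Identifier` and `DEFAULT mgf1SHA1` refer to value definitions that are commented out above it.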
@@ -0,0 +1,174 @@ +/* packet-pkcs1.c + * Routines for PKCS#1/RFC2313 packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/oids.h> +#include <epan/asn1.h> + +#include "packet-ber.h" +#include "packet-pkcs1.h" +#include "packet-x509af.h" + +#define PNAME "PKCS#1" +#define PSNAME "PKCS-1" +#define PFNAME "pkcs-1" + +void proto_register_pkcs1(void); +void proto_reg_handoff_pkcs1(void); + +/* Initialize the protocol and registered fields */ +static int proto_pkcs1 = -1; +#include "packet-pkcs1-hf.c" + +/* Initialize the subtree pointers */ +#include "packet-pkcs1-ett.c" + +#include "packet-pkcs1-fn.c" + +/*--- proto_register_pkcs1 ----------------------------------------------*/ +void proto_register_pkcs1(void) { + + /* List of fields */ + static hf_register_info hf[] = { +#include "packet-pkcs1-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { +#include "packet-pkcs1-ettarr.c" + }; + + /* Register protocol */ + proto_pkcs1 = proto_register_protocol(PNAME, PSNAME, PFNAME); + + /* Register fields and subtrees */ + proto_register_field_array(proto_pkcs1, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + +} + + +/*--- proto_reg_handoff_pkcs1 -------------------------------------------*/ +void proto_reg_handoff_pkcs1(void) { +#include "packet-pkcs1-dis-tab.c" + + register_ber_oid_dissector("1.2.840.113549.2.2", dissect_ber_oid_NULL_callback, proto_pkcs1, "md2"); + register_ber_oid_dissector("1.2.840.113549.2.4", dissect_ber_oid_NULL_callback, proto_pkcs1, "md4"); + register_ber_oid_dissector("1.2.840.113549.2.5", dissect_ber_oid_NULL_callback, proto_pkcs1, "md5"); + + register_ber_oid_dissector("1.2.840.113549.1.1.1", dissect_ber_oid_NULL_callback, proto_pkcs1, "rsaEncryption"); + 
register_ber_oid_dissector("1.2.840.113549.1.1.2", dissect_ber_oid_NULL_callback, proto_pkcs1, "md2WithRSAEncryption"); + register_ber_oid_dissector("1.2.840.113549.1.1.3", dissect_ber_oid_NULL_callback, proto_pkcs1, "md4WithRSAEncryption"); + register_ber_oid_dissector("1.2.840.113549.1.1.4", dissect_ber_oid_NULL_callback, proto_pkcs1, "md5WithRSAEncryption"); + + + /* these two are not from RFC2313 but pulled in from + http://www.alvestrand.no/objectid/1.2.840.113549.1.1.html + */ + register_ber_oid_dissector("1.2.840.113549.1.1.5", dissect_ber_oid_NULL_callback, proto_pkcs1, "sha1WithRSAEncryption"); + register_ber_oid_dissector("1.2.840.113549.1.1.6", dissect_ber_oid_NULL_callback, proto_pkcs1, "rsaOAEPEncryptionSET"); + + /* these sha2 algorithms are from RFC3447 */ + register_ber_oid_dissector("1.2.840.113549.1.1.11", dissect_ber_oid_NULL_callback, proto_pkcs1, "sha256WithRSAEncryption"); + register_ber_oid_dissector("1.2.840.113549.1.1.12", dissect_ber_oid_NULL_callback, proto_pkcs1, "sha384WithRSAEncryption"); + register_ber_oid_dissector("1.2.840.113549.1.1.13", dissect_ber_oid_NULL_callback, proto_pkcs1, "sha512WithRSAEncryption"); + register_ber_oid_dissector("1.2.840.113549.1.1.14", dissect_ber_oid_NULL_callback, proto_pkcs1, "sha224WithRSAEncryption"); + + /* ECDSA SHA-1 algorithm from RFC 3279 */ + register_ber_oid_dissector("1.2.840.10045.4.1", dissect_ber_oid_NULL_callback, proto_pkcs1, "ecdsa-with-SHA1"); + + /* SM2-with-SM3 from GM/T 0006 Cryptographic application identifier criterion specification */ + register_ber_oid_dissector("1.2.156.10197.1.501", dissect_ber_oid_NULL_callback, proto_pkcs1, "SM2-with-SM3"); + + /* ECDSA SHA2 algorithms from X9.62, RFC5480, RFC 5758, RFC 5912 */ + register_ber_oid_dissector("1.2.840.10045.4.3.1", dissect_ber_oid_NULL_callback, proto_pkcs1, "ecdsa-with-SHA224"); + register_ber_oid_dissector("1.2.840.10045.4.3.2", dissect_ber_oid_NULL_callback, proto_pkcs1, "ecdsa-with-SHA256"); + 
register_ber_oid_dissector("1.2.840.10045.4.3.3", dissect_ber_oid_NULL_callback, proto_pkcs1, "ecdsa-with-SHA384"); + register_ber_oid_dissector("1.2.840.10045.4.3.4", dissect_ber_oid_NULL_callback, proto_pkcs1, "ecdsa-with-SHA512"); + + /* DSA SHA2 algorithms from FIPS186-3, RFC5480, RFC 5758, RFC 5912 */ + register_ber_oid_dissector("2.16.840.1.101.3.4.3.1", dissect_ber_oid_NULL_callback, proto_pkcs1, "id-dsa-with-sha224"); + register_ber_oid_dissector("2.16.840.1.101.3.4.3.2", dissect_ber_oid_NULL_callback, proto_pkcs1, "id-dsa-with-sha256"); + + oid_add_from_string("secp192r1","1.2.840.10045.3.1.1"); + oid_add_from_string("sect163k1","1.3.132.0.1"); + oid_add_from_string("sect163r2","1.3.132.0.15"); + oid_add_from_string("secp224r1","1.3.132.0.33"); + oid_add_from_string("sect233k1","1.3.132.0.26"); + oid_add_from_string("sect233r1","1.3.132.0.27"); + oid_add_from_string("secp256r1","1.2.840.10045.3.1.7"); + oid_add_from_string("sect283k1","1.3.132.0.16"); + oid_add_from_string("sect283r1","1.3.132.0.17"); + oid_add_from_string("secp384r1","1.3.132.0.34"); + oid_add_from_string("sect409k1","1.3.132.0.36"); + oid_add_from_string("sect409r1","1.3.132.0.37"); + oid_add_from_string("secp521r1","1.3.132.0.35"); + oid_add_from_string("sect571k1","1.3.132.0.38"); + oid_add_from_string("sect571r1","1.3.132.0.39"); + + /* SM2 from GM/T 0006 Cryptographic application identifier criterion specification */ + oid_add_from_string("sm2","1.2.156.10197.1.301"); + + /* sha2 family, see RFC3447 and http://www.oid-info.com/get/2.16.840.1.101.3.4.2 */ + oid_add_from_string("sha256", "2.16.840.1.101.3.4.2.1"); + oid_add_from_string("sha384", "2.16.840.1.101.3.4.2.2"); + oid_add_from_string("sha512", "2.16.840.1.101.3.4.2.3"); + oid_add_from_string("sha224", "2.16.840.1.101.3.4.2.4"); + + /* SM3 from GM/T 0006 Cryptographic application identifier criterion specification */ + oid_add_from_string("sm3","1.2.156.10197.1.401"); + + /* PQC digital signature algorithms from OQS-OpenSSL, + 
see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */ + oid_add_from_string("dilithium2", "1.3.6.1.4.1.2.267.7.4.4"); + oid_add_from_string("p256_dilithium2", "1.3.9999.2.7.1"); + oid_add_from_string("rsa3072_dilithium2", "1.3.9999.2.7.2"); + oid_add_from_string("dilithium3", "1.3.6.1.4.1.2.267.7.6.5"); + oid_add_from_string("p384_dilithium3", "1.3.9999.2.7.3"); + oid_add_from_string("dilithium5", "1.3.6.1.4.1.2.267.7.8.7"); + oid_add_from_string("p521_dilithium5", "1.3.9999.2.7.4"); + oid_add_from_string("dilithium2_aes", "1.3.6.1.4.1.2.267.11.4.4"); + oid_add_from_string("p256_dilithium2_aes", "1.3.9999.2.11.1"); + oid_add_from_string("rsa3072_dilithium2_aes", "1.3.9999.2.11.2"); + oid_add_from_string("dilithium3_aes", "1.3.6.1.4.1.2.267.11.6.5"); + oid_add_from_string("p384_dilithium3_aes", "1.3.9999.2.11.3"); + oid_add_from_string("dilithium5_aes", "1.3.6.1.4.1.2.267.11.8.7"); + oid_add_from_string("p521_dilithium5_aes", "1.3.9999.2.11.4"); + oid_add_from_string("falcon512", "1.3.9999.3.1"); + oid_add_from_string("p256_falcon512", "1.3.9999.3.2"); + oid_add_from_string("rsa3072_falcon512", "1.3.9999.3.3"); + oid_add_from_string("falcon1024", "1.3.9999.3.4"); + oid_add_from_string("p521_falcon1024", "1.3.9999.3.5"); + oid_add_from_string("picnicl1full", "1.3.6.1.4.1.311.89.2.1.7"); + oid_add_from_string("p256_picnicl1full", "1.3.6.1.4.1.311.89.2.1.8"); + oid_add_from_string("rsa3072_picnicl1full", "1.3.6.1.4.1.311.89.2.1.9"); + oid_add_from_string("picnic3l1", "1.3.6.1.4.1.311.89.2.1.21"); + oid_add_from_string("p256_picnic3l1", "1.3.6.1.4.1.311.89.2.1.22"); + oid_add_from_string("rsa3072_picnic3l1", "1.3.6.1.4.1.311.89.2.1.23"); + oid_add_from_string("rainbowIclassic", "1.3.9999.5.1.1.1"); + oid_add_from_string("p256_rainbowIclassic", "1.3.9999.5.1.2.1"); + oid_add_from_string("rsa3072_rainbowIclassic", "1.3.9999.5.1.3.1"); + oid_add_from_string("rainbowVclassic", "1.3.9999.5.3.1.1"); + 
oid_add_from_string("p521_rainbowVclassic", "1.3.9999.5.3.2.1"); + oid_add_from_string("sphincsharaka128frobust", "1.3.9999.6.1.1"); + oid_add_from_string("p256_sphincsharaka128frobust", "1.3.9999.6.1.2"); + oid_add_from_string("rsa3072_sphincsharaka128frobust", "1.3.9999.6.1.3"); + oid_add_from_string("sphincssha256128frobust", "1.3.9999.6.4.1"); + oid_add_from_string("p256_sphincssha256128frobust", "1.3.9999.6.4.2"); + oid_add_from_string("rsa3072_sphincssha256128frobust", "1.3.9999.6.4.3"); + oid_add_from_string("sphincsshake256128frobust", "1.3.9999.6.7.1"); + oid_add_from_string("p256_sphincsshake256128frobust", "1.3.9999.6.7.2"); + oid_add_from_string("rsa3072_sphincsshake256128frobust", "1.3.9999.6.7.3"); + +} + diff --git a/epan/dissectors/asn1/pkcs1/packet-pkcs1-template.h b/epan/dissectors/asn1/pkcs1/packet-pkcs1-template.h new file mode 100644 index 00000000..c93ccfe1 --- /dev/null +++ b/epan/dissectors/asn1/pkcs1/packet-pkcs1-template.h @@ -0,0 +1,18 @@ +/* packet-pkcs1.h + * Routines for PKCS#1/RFC2313 packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_PKCS1_H +#define PACKET_PKCS1_H + +#include "packet-pkcs1-exp.h" + +#endif /* PACKET_PKCS1_H */ + diff --git a/epan/dissectors/asn1/pkcs1/pkcs1.cnf b/epan/dissectors/asn1/pkcs1/pkcs1.cnf new file mode 100644 index 00000000..55622890 --- /dev/null +++ b/epan/dissectors/asn1/pkcs1/pkcs1.cnf 
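Review bot: The post-quantum block at the end of `proto_reg_handoff_pkcs1` hard-codes names for OIDs copied from a branch URL (`OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md`), and most of them sit under the `1.3.9999` arc, which appears to be a project-chosen placeholder rather than a registry assignment. Someone triaging certificate signature algorithms in a capture will read these labels as authoritative, so a stale or reassigned identifier would be mislabelled silently. The comment above the block should say that the table is a snapshot, for example `/* Provisional OQS OIDs, snapshot of oqs-sig-info.md at <COMMIT-OR-DATE>; assignments may change between OQS releases */`. This is a documentation suggestion only; the registrations themselves are not changed.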
@@ -0,0 +1,45 @@
+# pkcs1.cnf
+# PKCS#1 conformation file
+
+#.IMPORT ../x509af/x509af-exp.cnf
+
+#.EXPORTS
+
+RSAPublicKey
+DigestInfo
+
+#.NO_EMIT
+
+#.TYPE_RENAME
+
+#.FIELD_RENAME
+
+#.FN_PARS FieldID/fieldType
+ FN_VARIANT = _str VAL_PTR = &actx->external.direct_reference
+
+#.FN_BODY FieldID/parameters
+ offset = call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+
+#.REGISTER
+DSA-Params B "1.2.840.10040.4.1" "id-dsa"
+DomainParameters B "1.2.840.10046.2.1" "dhpublicnumber"
+KEA-Params-Id B "2.16.840.1.101.2.1.1.22" "id-keyExchangeAlgorithm"
+ECParameters B "1.2.840.10045.2.1" "id-ecPublicKey"
+ECParameters B "1.3.132.1.12" "id-ecDH"
+ECParameters B "1.2.840.10045.2.13" "id-ecMQV"
+RSASSA-PSS-params B "1.2.840.113549.1.1.10" "id-RSASSA-PSS"
+HashAlgorithm B "1.2.840.113549.1.1.8" "id-mgf1"
+Prime-p B "1.2.840.10045.1.1" "prime-field"
+
+#.NO_EMIT
+DSAPublicKey
+DHPublicKey
+DSA-Sig-Value
+ECDSA-Sig-Value
+
+#.TYPE_ATTR
+RSAPublicKey/modulus TYPE = FT_BYTES DISPLAY = BASE_NONE
+
+#.END
+
+
|
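Review bot: The `#.REGISTER` entry for id-ecMQV uses OID `1.2.840.10045.2.13`, but PKIXAlgs-2009.asn in this same commit defines id-ecMQV as `{ iso(1) identified-organization(3) certicom(132) schemes(1) ecmqv(13) }`, which is 1.3.132.1.13; the neighbouring id-ecDH entry follows the module and uses 1.3.132.1.12. As registered, the parameters of a key carrying the module's id-ecMQV identifier would presumably not reach the ECParameters dissector, while an unrelated OID is shown with the id-ecMQV name. The line should read `ECParameters B "1.3.132.1.13" "id-ecMQV"`. The other `#.REGISTER` OIDs in this hunk agree with the values in the ASN.1 module.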