Bug 1402410, Make nss-softokn verify that RSA exponent is not smaller…

… than 0x10001, when NSS is built with full FIPS support; r=fkiefer, r=kaie
sailfishos-mirror · Oct 12, 2017 · c78f97a · c78f97a
1 parent 4de427d
commit c78f97a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
@@ -318,6 +318,13 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
     key->version.data[0] = 0;
     /* 3.  Set the public exponent */
     SECITEM_TO_MPINT(*publicExponent, &e);
+#ifndef NSS_FIPS_DISABLED
+    /* check the exponent size  we  */
+    if (mp_cmp_d(&e, 0x10001) < 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto cleanup;
+    }
+#endif
     kiter = 0;
     max_attempts = 5 * (keySizeInBits / 2); /* FIPS 186-4 B.3.3 steps 4.7 and 5.8 */
     do {

diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
@@ -1260,6 +1260,10 @@ MODSCRIPT
   CU_ACTION="Setting invalid database password in FIPS mode"
   RETEXPECTED=255
   certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
+  CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
+  certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
+  CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
+  certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
   RETEXPECTED=0
 
   CU_ACTION="Generate Certificate for ${CERTNAME}"
@@ -1268,6 +1272,20 @@ MODSCRIPT
   if [ "$RET" -eq 0 ]; then
     cert_log "SUCCESS: FIPS passed"
   fi
+
+}
+
+########################## cert_rsa_exponent #################################
+# local shell function to verify small rsa exponent can be used (only
+# run if FIPS has not been turned on in the build).
+##############################################################################
+cert_rsa_exponent()
+{
+  echo "$SCRIPTNAME: Verify that small RSA exponents still work  =============="
+  CU_ACTION="Attempt to generate a key with exponent of 3"
+  certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
+  CU_ACTION="Attempt to generate a key with exponent of 17"
+  certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
 }
 
 ############################## cert_eccurves ###########################
@@ -1977,6 +1995,8 @@ cert_ssl
 cert_smime_client
 if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then
     cert_fips
+else
+    cert_rsa_exponent
 fi
 cert_eccurves
 cert_extensions