From b26b472e0b90e83d565c9c8d64d6fc2591c286c5 Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Thu, 9 May 2019 10:49:38 -0400
Subject: Fix decoding of RSA-OAEP certs GH #1943
---
 src/lib/x509/x509cert.cpp | 6 +-----
 src/tests/data/x509/misc/rsa_oaep.pem | 29 +++++++++++++++++++++++++++++
 src/tests/unit_x509.cpp | 18 ++++++++++++++++++
 3 files changed, 48 insertions(+), 5 deletions(-)
 create mode 100644 src/tests/data/x509/misc/rsa_oaep.pem
(limited to 'src')
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index de4b0ed7a..0212267ec 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -176,17 +176,13 @@ std::unique_ptr parse_x509_cert_body(const X509_Object& o
 throw Decoding_Error("Algorithm identifier mismatch");
 }
 }
- if(public_key_info[1] == "OAEP")
- {
- throw Decoding_Error("Decoding subject public keys of type RSAES-OAEP is currently not supported");
- }
 }
 else
 {
 // oid = rsaEncryption -> parameters field MUST contain NULL
 if(public_key_alg_id != AlgorithmIdentifier(public_key_alg_id.get_oid(), AlgorithmIdentifier::USE_NULL_PARAM))
 {
- throw Decoding_Error("Parameters field MUST contain NULL");
+ throw Decoding_Error("RSA algorithm parameters field MUST contain NULL");
 }
 }
 }
diff --git a/src/tests/data/x509/misc/rsa_oaep.pem b/src/tests/data/x509/misc/rsa_oaep.pem
new file mode 100644
index 000000000..d41247b44
--- /dev/null
+++ b/src/tests/data/x509/misc/rsa_oaep.pem
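Review bot: With the `public_key_info[1] == "OAEP"` rejection removed, nothing visible in this hunk inspects the RSAES-OAEP parameters carried in the subject public key AlgorithmIdentifier, so a certificate whose key is restricted to OAEP is now accepted at parse time and, as far as these lines show, may be handed back as an ordinary RSA key. If that is intended, record it where the throw used to be, for example `// RSAES-OAEP keys are accepted; their OAEP parameters are not validated here, callers that care must check subject_public_key_algo()`. The enclosing branch and parse_x509_cert_body itself start and end outside the hunk, so a check elsewhere may already cover this; the comment should then point to it.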
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5zCCA8+gAwIBAgIED7qWsDANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJE
+RTEPMA0GA1UECBMGU2F4b255MSEwHwYDVQQKExhJbmZpbmVvbiBUZWNobm9sb2dp
+ZXMgQUcxDDAKBgNVBAsTA0FJTTEmMCQGA1UEAxMdSUZYIFRQTSBFSyBJbnRlcm1l
+ZGlhdGUgQ0EgNTMwHhcNMTcxMjAxMTMzMDE2WhcNMjcxMjAxMTMzMDE2WjAAMIIB
+NzAiBgkqhkiG9w0BAQcwFaITMBEGCSqGSIb3DQEBCQQEVENQQQOCAQ8AMIIBCgKC
+AQEAvOAaP0aHfViksZjaNBKAj5hgahNl5di3uWyVo3NPeJmsFHalWWsSf/+VX5Hs
+HScUD5Ow2zFL0G54VfJ0dw/RfJ/XZOWmcO7C3Bp+Qpph6N4Fgfw6FxKAIAe9ZUIi
+borYEOVGLwXd0IQf4MRznOKQE0niAKWFQ9QYi5M4qPdT6BOUM6cWPK/nautnh9l6
+uFrpxJs4E+309G2MZaM1nApYLe5ZdzrViz2X7sTTlFrULT7EFf3ow9QQVpn4nEZn
+O+uNDQQzOhqIFf2iniGLf8Q+dhtq6ll1aEbeCtqgFiMPPyPXhk/fE9dCMTa7UxIF
+GOmDyW+1hEws9k0qVK35q0vl3QIDAQABo4IB2zCCAdcwUQYDVR0RAQH/BEcwRaRD
+MEExFjAUBgVngQUCAQwLaWQ6NDk0NjU4MDAxEzARBgVngQUCAgwIU0xCIDk2NjAx
+EjAQBgVngQUCAwwHaWQ6MDQyQjAMBgNVHRMBAf8EAjAAMIG8BgNVHSABAf8EgbEw
+ga4wgasGC2CGSAGG+EUBBy8BMIGbMDkGCCsGAQUFBwIBFi1odHRwOi8vd3d3LnZl
+cmlzaWduLmNvbS9yZXBvc2l0b3J5L2luZGV4Lmh0bWwwXgYIKwYBBQUHAgIwUh5Q
+AFQAQwBQAEEAIABUAHIAdQBzAHQAZQBkACAAUABsAGEAdABmAG8AcgBtACAATQBv
+AGQAdQBsAGUAIABFAG4AZABvAHIAcwBlAG0AZQBuAHQwHwYDVR0jBBgwFoAUKneg
+40LLxscu4/r8Owp7zqfJzk4wgZMGA1UdCQSBizCBiDA6BgNVBDQxMzALMAkGBSsO
+AwIaBQAwJDAiBgkqhkiG9w0BAQcwFaITMBEGCSqGSIb3DQEBCQQEVENQQTAWBgVn
+gQUCEDENMAsMAzEuMgIBAgIBAzAyBgVngQUCEjEpMCcBAf+gAwoBAaEDCgEAogMK
+AQCjEDAOFgMzLjEKAQQKAQIBAf8BAf8wDQYJKoZIhvcNAQEFBQADggEBAFs7LBVG
+F5GTjNTlug4aXwFfddchI75jPt9oHNfYyxo2CnPUBWeF2XauJtmNp8uMl5vxPMqf
+Wbon4cTIajWR370U89N3cxSKMqNPsI8Kc9nY8uLw4VxMntArCzCg6P0dtE7qlzy9
+MV+2eo8cLlhRUVic6xCrbfqq/+8Yq/q8uVK8yaf+v04fZ7btKKn5C45tjHV7DNI6
+anBnclfL5tV02uit7XMKGEmfnMLkx+vZHJRoVu9f9/R2XWNWyZPGY3noICmMCqh/
+mVxVsiqEi6SrGphSUd/TaQDlfHXu0UOaKTH0xZti50dOqW0mBk0Jfqio7fRYFOlk
+dFIrr2o7AWuAYg4=
+-----END CERTIFICATE-----
diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp
index 63310b7a7..29739eb85 100644
--- a/src/tests/unit_x509.cpp
+++ b/src/tests/unit_x509.cpp
@@ -418,6 +418,23 @@ Test::Result test_crl_dn_name()
 return result;
 }
+Test::Result test_rsa_oaep()
+ {
+ Test::Result result("RSA OAEP decoding");
+
+#if defined(BOTAN_HAS_RSA)
+ Botan::X509_Certificate cert(Test::data_file("x509/misc/rsa_oaep.pem"));
+
+ auto public_key = cert.load_subject_public_key();
+ result.test_not_null("Decoding RSA-OAEP worked", public_key.get());
+ auto pk_info = cert.subject_public_key_algo();
+
+ result.test_eq("RSA-OAEP OID", pk_info.get_oid().to_string(), Botan::OIDS::lookup("RSA/OAEP").to_string());
+#endif
+
+ return result;
+ }
+
 Test::Result test_x509_decode_list()
 {
 Test::Result result("X509_Certificate list decode");
@@ -1598,6 +1615,7 @@ class X509_Cert_Unit_Tests final : public Test
 results.push_back(test_x509_bmpstring());
 results.push_back(test_crl_dn_name());
 results.push_back(test_x509_decode_list());
+ results.push_back(test_rsa_oaep());
 results.push_back(test_x509_authority_info_access_extension());
 #endif
-- cgit v1.2.3
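Review bot: test_rsa_oaep pins only the accept path: it checks that `load_subject_public_key()` returns non-null and that the OID matches `RSA/OAEP`, but not what kind of key object came back. Adding `result.test_eq("Key algorithm", public_key->algo_name(), "RSA");` after the null check would record how an OAEP-restricted key is surfaced to callers. The commit also rewords the "RSA algorithm parameters field MUST contain NULL" rejection without a visible test for it; a negative fixture (an rsaEncryption key with non-NULL parameters) that expects a Decoding_Error would keep the relaxed parser from silently accepting more than intended.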