authorPeter Wu <peter@lekensteyn.nl>2015-07-03 19:47:00 +0200
committerPeter Wu <peter@lekensteyn.nl>2015-07-03 20:01:08 +0200
commita17875824df9b1cf76826cc5be300d9d6d3a61a3 (patch)
tree7c1a824c5ade66ad267356f76668ca29031c5eca
parentbd6065f13f41a53ea4b3290500e6ce3462524eac (diff)
[WIP] x509af: dissect subjectPublicKeyx509-subjectpublickey
The subjectPublicKey field of a Certificate (TBSCertificate) is defined as type BIT STRING. The actual contents depend on the Algorithm Identifier that precedes the subjectPublicKey field. This patch (aims to) add(s) support for dissection of the public key. Notes: Currently only RSA is "half-working" and dissected as: subjectPublicKeyInfo algorithm (rsaEncryption) Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption) subjectPublicKey: 3082010a0282010100b7c769e2d0eacaeb929fc08238a9ff... modulus : 0x00b7c769e2d0eacaeb929fc08238a9ffc59cab39c28a2e26... publicExponent: 65537 It should probably become: subjectPublicKeyInfo algorithm (rsaEncryption) Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption) subjectPublicKey RSAPublicKey modulus : ... publicExponent: 65537 Right now DSA and DH keys are displayed instead of subjectPublicKey due to the hf_id reuse. These should get a new hf ID instead. TODO: - Add public key dissections below the BIT STRING subtree. This might require API changes to dissect_ber_bitstring. - Import PKIX1Algorithms2008 module from RFC 5480 (Elliptic Curve Cryptography Subject Public Key Information), which is based on the PKIX1Algorithms88 module from RFC 3279. Then import DSA, DH and others from it. This is more correct than exporting it from the PKCS#1 module. - Check field names; right now these are displayed as a rather useless/generic BER integer field (for the DH and DSA params). Change-Id: Ib92645433b0a0078a947ff0ac26c5e6a64877b93
-rw-r--r--asn1/pkcs1/pkcs1.cnf6
-rw-r--r--asn1/x509af/packet-x509af-template.c1
-rw-r--r--asn1/x509af/x509af.cnf29
-rw-r--r--epan/dissectors/packet-pkcs1.c18
-rw-r--r--epan/dissectors/packet-pkcs1.h2
-rw-r--r--epan/dissectors/packet-x509af.c71
6 files changed, 109 insertions, 18 deletions
diff --git a/asn1/pkcs1/pkcs1.cnf b/asn1/pkcs1/pkcs1.cnf
index 1a66217dec..187b10580e 100644
--- a/asn1/pkcs1/pkcs1.cnf
+++ b/asn1/pkcs1/pkcs1.cnf
@@ -8,6 +8,10 @@
RSAPrivateKey
RSAPublicKey
DigestInfo
+# Note: Only RSA is part of PKCS#1, DSA and DH are not. These are exported
+# anyway such that the X.509 Authentication Framework module can make use of it.
+DSAPublicKey
+DHPublicKey
#.NO_EMIT
@@ -26,8 +30,6 @@ RSASSA-PSS-params B "1.2.840.113549.1.1.10" "id-RSASSA-PSS"
HashAlgorithm B "1.2.840.113549.1.1.8" "id-mgf1"
#.NO_EMIT
-DSAPublicKey
-DHPublicKey
ECPoint
DSA-Sig-Value
ECDSA-Sig-Value
diff --git a/asn1/x509af/packet-x509af-template.c b/asn1/x509af/packet-x509af-template.c
index 21211401ff..20484b7e08 100644
--- a/asn1/x509af/packet-x509af-template.c
+++ b/asn1/x509af/packet-x509af-template.c
@@ -33,6 +33,7 @@
#include "packet-x509if.h"
#include "packet-x509sat.h"
#include "packet-ldap.h"
+#include "packet-pkcs1.h"
#define PNAME "X.509 Authentication Framework"
#define PSNAME "X509AF"
diff --git a/asn1/x509af/x509af.cnf b/asn1/x509af/x509af.cnf
index e0e6a82166..1b173f0513 100644
--- a/asn1/x509af/x509af.cnf
+++ b/asn1/x509af/x509af.cnf
@@ -81,6 +81,35 @@ CertificateList/signedCertificateList/revokedCertificates/_item/userCertificate
#.FN_BODY AlgorithmIdentifier/parameters
offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
+#.FN_BODY SubjectPublicKeyInfo/subjectPublicKey
+ tvbuff_t *bs_tvb;
+
+ /* subjectPublicKey is a BIT STRING with an explicit tag. It is DER-encoded,
+ * meaning that the length field consists of hex 8n followed by n octets. */
+ /* TODO: drop dissect_ber_bitstring and use above assumptions? */
+ /* -1 for hf_index and NULL for tree as this only attempts to parse the
+ * bitstring without creating a tree, */
+ dissect_ber_bitstring(FALSE, actx, NULL, tvb, offset,
+ NULL, -1, -1, &bs_tvb);
+
+ /* See RFC 3279 for possible subjectPublicKey values given an Algorithm ID.
+ * The contents of subjectPublicKey are always explicitly tagged. */
+
+ if (!strcmp(algorithm_id, "1.2.840.113549.1.1.1")) { /* id-rsa */
+ offset += dissect_pkcs1_RSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+ } else if (!strcmp(algorithm_id, "1.2.840.10040.4.1")) { /* id-dsa */
+ offset += dissect_pkcs1_DSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+ } else if (!strcmp(algorithm_id, "1.2.840.10046.2.1")) { /* dhpublicnumber */
+ offset += dissect_pkcs1_DHPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+ } else {
+ /* unknown key type, display raw contents. */
+ offset = dissect_ber_bitstring(FALSE, actx, tree, tvb, offset,
+ NULL, hf_index, -1, NULL);
+ }
+
#.FN_PARS Extension/extnId
FN_VARIANT = _str HF_INDEX = hf_x509af_extension_id VAL_PTR = &actx->external.direct_reference
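Review bot: In the new `SubjectPublicKeyInfo/subjectPublicKey` body, `bs_tvb` has no initializer and `algorithm_id` goes straight into `strcmp`, so a certificate that yields no payload tvb (empty or malformed BIT STRING) or no recorded algorithm OID can send an indeterminate pointer into the PKCS#1 dissectors or a NULL into `strcmp`. Whether `dissect_ber_bitstring` always writes its out-parameter is not visible in this diff, so initialise `bs_tvb` to NULL, test it before use, and compare with `g_strcmp0`. The known-key branches also do `offset += dissect_pkcs1_*(..., bs_tvb, 0, ...)`, which adds an offset relative to the inner tvb and appears to leave out the BIT STRING tag, length and unused-bits octet; the return value of the first `dissect_ber_bitstring` call, currently discarded, is the end of the element. The same body is emitted into `dissect_x509af_T_subjectPublicKey` in the generated `epan/dissectors/packet-x509af.c`, so fixing the .cnf covers both.

```c
  tvbuff_t *bs_tvb = NULL;
  int end_offset;

  /* Parse the BIT STRING once without a tree: keeps the payload in bs_tvb and
   * the offset just past the whole element in end_offset. */
  end_offset = dissect_ber_bitstring(FALSE, actx, NULL, tvb, offset,
                                     NULL, -1, -1, &bs_tvb);

  /* bs_tvb is still NULL if the helper produced no payload tvb, and
   * algorithm_id may be NULL; g_strcmp0 accepts NULL, strcmp does not. */
  if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.113549.1.1.1")) { /* id-rsa */
    dissect_pkcs1_RSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
    offset = end_offset;

  } else if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.10040.4.1")) { /* id-dsa */
    dissect_pkcs1_DSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
    offset = end_offset;

  } else if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.10046.2.1")) { /* dhpublicnumber */
    dissect_pkcs1_DHPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
    offset = end_offset;

  } else {
    /* … unchanged: raw BIT STRING display for unknown key types … */
  }
```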
diff --git a/epan/dissectors/packet-pkcs1.c b/epan/dissectors/packet-pkcs1.c
index 8563604551..354a07464f 100644
--- a/epan/dissectors/packet-pkcs1.c
+++ b/epan/dissectors/packet-pkcs1.c
@@ -216,6 +216,15 @@ dissect_pkcs1_DSA_Params(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
+int
+dissect_pkcs1_DSAPublicKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+ offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+ NULL);
+
+ return offset;
+}
+
+
static int
dissect_pkcs1_BIT_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
@@ -261,6 +270,15 @@ dissect_pkcs1_DomainParameters(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
+int
+dissect_pkcs1_DHPublicKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+ offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+ NULL);
+
+ return offset;
+}
+
+
static int
dissect_pkcs1_KEA_Params_Id(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
diff --git a/epan/dissectors/packet-pkcs1.h b/epan/dissectors/packet-pkcs1.h
index b056fee21a..d7542ff22a 100644
--- a/epan/dissectors/packet-pkcs1.h
+++ b/epan/dissectors/packet-pkcs1.h
@@ -38,6 +38,8 @@
int dissect_pkcs1_RSAPublicKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
int dissect_pkcs1_RSAPrivateKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
int dissect_pkcs1_DigestInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+int dissect_pkcs1_DSAPublicKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+int dissect_pkcs1_DHPublicKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
/*--- End of included file: packet-pkcs1-exp.h ---*/
#line 28 "../../asn1/pkcs1/packet-pkcs1-template.h"
diff --git a/epan/dissectors/packet-x509af.c b/epan/dissectors/packet-x509af.c
index e3cabe6295..ba0a6e6cf9 100644
--- a/epan/dissectors/packet-x509af.c
+++ b/epan/dissectors/packet-x509af.c
@@ -41,6 +41,7 @@
#include "packet-x509if.h"
#include "packet-x509sat.h"
#include "packet-ldap.h"
+#include "packet-pkcs1.h"
#define PNAME "X.509 Authentication Framework"
#define PSNAME "X509AF"
@@ -80,7 +81,7 @@ static int hf_x509af_parameters = -1; /* T_parameters */
static int hf_x509af_notBefore = -1; /* Time */
static int hf_x509af_notAfter = -1; /* Time */
static int hf_x509af_algorithm = -1; /* AlgorithmIdentifier */
-static int hf_x509af_subjectPublicKey = -1; /* BIT_STRING */
+static int hf_x509af_subjectPublicKey = -1; /* T_subjectPublicKey */
static int hf_x509af_utcTime = -1; /* UTCTime */
static int hf_x509af_generalizedTime = -1; /* GeneralizedTime */
static int hf_x509af_Extensions_item = -1; /* Extension */
@@ -132,7 +133,7 @@ static int hf_x509af_q = -1; /* INTEGER */
static int hf_x509af_g = -1; /* INTEGER */
/*--- End of included file: packet-x509af-hf.c ---*/
-#line 49 "../../asn1/x509af/packet-x509af-template.c"
+#line 50 "../../asn1/x509af/packet-x509af-template.c"
/* Initialize the subtree pointers */
static gint ett_pkix_crl = -1;
@@ -173,7 +174,7 @@ static gint ett_x509af_SET_OF_AttributeType = -1;
static gint ett_x509af_DSS_Params = -1;
/*--- End of included file: packet-x509af-ett.c ---*/
-#line 53 "../../asn1/x509af/packet-x509af-template.c"
+#line 54 "../../asn1/x509af/packet-x509af-template.c"
static const char *algorithm_id;
/*--- Included file: packet-x509af-fn.c ---*/
@@ -323,7 +324,7 @@ static const ber_choice_t SubjectName_choice[] = {
static int
dissect_x509af_SubjectName(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 109 "../../asn1/x509af/x509af.cnf"
+#line 138 "../../asn1/x509af/x509af.cnf"
const char* str;
offset = dissect_ber_choice(actx, tree, tvb, offset,
@@ -342,10 +343,37 @@ dissect_x509af_SubjectName(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
static int
-dissect_x509af_BIT_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
- offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
- NULL, hf_index, -1,
- NULL);
+dissect_x509af_T_subjectPublicKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 85 "../../asn1/x509af/x509af.cnf"
+ tvbuff_t *bs_tvb;
+
+ /* subjectPublicKey is a BIT STRING with an explicit tag. It is DER-encoded,
+ * meaning that the length field consists of hex 8n followed by n octets. */
+ /* TODO: drop dissect_ber_bitstring and use above assumptions? */
+ /* -1 for hf_index and NULL for tree as this only attempts to parse the
+ * bitstring without creating a tree, */
+ dissect_ber_bitstring(FALSE, actx, NULL, tvb, offset,
+ NULL, -1, -1, &bs_tvb);
+
+ /* See RFC 3279 for possible subjectPublicKey values given an Algorithm ID.
+ * The contents of subjectPublicKey are always explicitly tagged. */
+
+ if (!strcmp(algorithm_id, "1.2.840.113549.1.1.1")) { /* id-rsa */
+ offset += dissect_pkcs1_RSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+ } else if (!strcmp(algorithm_id, "1.2.840.10040.4.1")) { /* id-dsa */
+ offset += dissect_pkcs1_DSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+ } else if (!strcmp(algorithm_id, "1.2.840.10046.2.1")) { /* dhpublicnumber */
+ offset += dissect_pkcs1_DHPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index);
+
+ } else {
+ /* unknown key type, display raw contents. */
+ offset = dissect_ber_bitstring(FALSE, actx, tree, tvb, offset,
+ NULL, hf_index, -1, NULL);
+ }
+
+
return offset;
}
@@ -353,7 +381,7 @@ dissect_x509af_BIT_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs
static const ber_sequence_t SubjectPublicKeyInfo_sequence[] = {
{ &hf_x509af_algorithm , BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_x509af_AlgorithmIdentifier },
- { &hf_x509af_subjectPublicKey, BER_CLASS_UNI, BER_UNI_TAG_BITSTRING, BER_FLAGS_NOOWNTAG, dissect_x509af_BIT_STRING },
+ { &hf_x509af_subjectPublicKey, BER_CLASS_UNI, BER_UNI_TAG_BITSTRING, BER_FLAGS_NOOWNTAG, dissect_x509af_T_subjectPublicKey },
{ NULL, 0, 0, 0, NULL }
};
@@ -369,7 +397,7 @@ dissect_x509af_SubjectPublicKeyInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
static int
dissect_x509af_T_extnId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 88 "../../asn1/x509af/x509af.cnf"
+#line 117 "../../asn1/x509af/x509af.cnf"
const char *name;
offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_x509af_extension_id, &actx->external.direct_reference);
@@ -399,7 +427,7 @@ dissect_x509af_BOOLEAN(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_x509af_T_extnValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 99 "../../asn1/x509af/x509af.cnf"
+#line 128 "../../asn1/x509af/x509af.cnf"
gint8 ber_class;
gboolean pc, ind;
gint32 tag;
@@ -467,6 +495,17 @@ dissect_x509af_T_signedCertificate(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
}
+
+static int
+dissect_x509af_BIT_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+ offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
+ NULL, hf_index, -1,
+ NULL);
+
+ return offset;
+}
+
+
static const ber_sequence_t Certificate_sequence[] = {
{ &hf_x509af_signedCertificate, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_x509af_T_signedCertificate },
{ &hf_x509af_algorithmIdentifier, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_x509af_AlgorithmIdentifier },
@@ -896,7 +935,7 @@ static int dissect_DSS_Params_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, pro
/*--- End of included file: packet-x509af-fn.c ---*/
-#line 55 "../../asn1/x509af/packet-x509af-template.c"
+#line 56 "../../asn1/x509af/packet-x509af-template.c"
const char *x509af_get_last_algorithm_id(void) {
return algorithm_id;
@@ -1035,7 +1074,7 @@ void proto_register_x509af(void) {
{ &hf_x509af_subjectPublicKey,
{ "subjectPublicKey", "x509af.subjectPublicKey",
FT_BYTES, BASE_NONE, NULL, 0,
- "BIT_STRING", HFILL }},
+ NULL, HFILL }},
{ &hf_x509af_utcTime,
{ "utcTime", "x509af.utcTime",
FT_STRING, BASE_NONE, NULL, 0,
@@ -1234,7 +1273,7 @@ void proto_register_x509af(void) {
"INTEGER", HFILL }},
/*--- End of included file: packet-x509af-hfarr.c ---*/
-#line 92 "../../asn1/x509af/packet-x509af-template.c"
+#line 93 "../../asn1/x509af/packet-x509af-template.c"
};
/* List of subtrees */
@@ -1277,7 +1316,7 @@ void proto_register_x509af(void) {
&ett_x509af_DSS_Params,
/*--- End of included file: packet-x509af-ettarr.c ---*/
-#line 98 "../../asn1/x509af/packet-x509af-template.c"
+#line 99 "../../asn1/x509af/packet-x509af-template.c"
};
/* Register protocol */
@@ -1320,7 +1359,7 @@ void proto_reg_handoff_x509af(void) {
/*--- End of included file: packet-x509af-dis-tab.c ---*/
-#line 126 "../../asn1/x509af/packet-x509af-template.c"
+#line 127 "../../asn1/x509af/packet-x509af-template.c"
/*XXX these should really go to a better place but since
I have not that ITU standard, I'll put it here for the time