Improving EC account key parsing (see #37275). (#37276)

(cherry picked from commit ec977988b35caacd0f13470ef62d55ec91d16de1)
Felix Fontein 7 years ago committed by René Moser
parent ca3457458f
commit 3ac91f7e28

@ -598,40 +598,44 @@ class ACMEAccount(object):
} }
elif account_key_type == 'ec': elif account_key_type == 'ec':
pub_data = re.search( pub_data = re.search(
r"pub:\s*\n\s+04:([a-f0-9\:\s]+?)\nASN1 OID: (\S+)\nNIST CURVE: (\S+)", r"pub:\s*\n\s+04:([a-f0-9\:\s]+?)\nASN1 OID: (\S+)(?:\nNIST CURVE: (\S+))?",
to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL) to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL)
if pub_data is None: if pub_data is None:
return 'cannot parse elliptic curve key', {} return 'cannot parse elliptic curve key', {}
pub_hex = binascii.unhexlify(re.sub(r"(\s|:)", "", pub_data.group(1)).encode("utf-8")) pub_hex = binascii.unhexlify(re.sub(r"(\s|:)", "", pub_data.group(1)).encode("utf-8"))
curve = pub_data.group(3).lower() asn1_oid_curve = pub_data.group(2).lower()
if curve == 'p-256': nist_curve = pub_data.group(3).lower() if pub_data.group(3) else None
if asn1_oid_curve == 'prime256v1' or nist_curve == 'p-256':
bits = 256 bits = 256
alg = 'ES256' alg = 'ES256'
hash = 'sha256' hash = 'sha256'
point_size = 32 point_size = 32
elif curve == 'p-384': curve = 'P-256'
elif asn1_oid_curve == 'secp384r1' or nist_curve == 'p-384':
bits = 384 bits = 384
alg = 'ES384' alg = 'ES384'
hash = 'sha384' hash = 'sha384'
point_size = 48 point_size = 48
elif curve == 'p-521': curve = 'P-384'
elif asn1_oid_curve == 'secp521r1' or nist_curve == 'p-521':
# Not yet supported on Let's Encrypt side, see # Not yet supported on Let's Encrypt side, see
# https://github.com/letsencrypt/boulder/issues/2217 # https://github.com/letsencrypt/boulder/issues/2217
bits = 521 bits = 521
alg = 'ES512' alg = 'ES512'
hash = 'sha512' hash = 'sha512'
point_size = 66 point_size = 66
curve = 'P-521'
else: else:
return 'unknown elliptic curve: %s' % curve, {} return 'unknown elliptic curve: %s / %s' % (asn1_oid_curve, nist_curve), {}
bytes = (bits + 7) // 8 bytes = (bits + 7) // 8
if len(pub_hex) != 2 * bytes: if len(pub_hex) != 2 * bytes:
return 'bad elliptic curve point (%s)' % curve, {} return 'bad elliptic curve point (%s / %s)' % (asn1_oid_curve, nist_curve), {}
return None, { return None, {
'type': 'ec', 'type': 'ec',
'alg': alg, 'alg': alg,
'jwk': { 'jwk': {
"kty": "EC", "kty": "EC",
"crv": curve.upper(), "crv": curve,
"x": nopad_b64(pub_hex[:bytes]), "x": nopad_b64(pub_hex[:bytes]),
"y": nopad_b64(pub_hex[bytes:]), "y": nopad_b64(pub_hex[bytes:]),
}, },
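Review bot: The branch chain starting at `if asn1_oid_curve == 'prime256v1' or nist_curve == 'p-256':` and the two `elif`s below it accept either name, so a key dump whose `ASN1 OID:` and `NIST CURVE:` lines name different curves is classified by whichever clause matches first rather than rejected; a small dict keyed on both names that falls through to the existing `'unknown elliptic curve: %s / %s'` error on disagreement would make the check explicit, and the `len(pub_hex) != 2 * bytes` guard would then be the only remaining sanity check. The reason for matching the OID name at all is not stated in the code — presumably some OpenSSL versions omit the `NIST CURVE:` line (cf. #37275 in the title); a comment above the `re.search` such as `# The "NIST CURVE:" line is optional in OpenSSL output, so the curve is also identified by its ASN1 OID name (see #37275)` would record that for the next reader. The enclosing method of ACMEAccount both starts and ends outside the hunk.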
