| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Apr 2021 16:14:58 +0200
From: Varad Gautam <varad.gautam@...e.com>
To: linux-crypto@...r.kernel.org
CC: varad.gautam@...e.com, dhowells@...hat.com,
herbert@...dor.apana.org.au, davem@...emloft.net, vt@...linux.org,
tianjia.zhang@...ux.alibaba.com, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, jarkko@...nel.org
Subject: [PATCH v2 00/18] Implement RSASSA-PSS signature verification
Linux currently supports RSA PKCSv1.5 encoding scheme for
signing / verification. This adds support for RSASSA PSS signature
verification as described in RFC8017 [1].
Patch 1 extends the x509 certificate parser to unpack PSS signature
parameters.
Patches 2-8 pull out the common functions / struct definitions from
rsa-pkcs1pad.c into rsa-common.c, to be shared across RSA encoding
scheme implementations.
Patches 9, 10 provide some more plumbing to export the data needed to
perform PSS operations (salt length, RSA modulus).
Patches 11-16 set up PSS scaffolding and provide the verification
operation per RFC8017.
Patches 17, 18 turn the final knobs on to allow lowering PSS signatures
for verification via keyctl.
The patchset is available as a git tree at [2].
Testing:
The implementation was tested by adding reference public keys to the
kernel's keyring via `keyctl padd` and then verifying a known
message digest / signature against this public key via `keyctl pkey_verify`.
The reference vectors were taken from:
- the Wycheproof testsuite [3]
- FIPS 186-2 and 186-4 test vectors [4]
The test harness is available at [5].
Example keyctl usage for PSS verification:
rsa_bits=4096 # 2048/3072/4096
hash_algo=sha256 # sha1/sha224/sha256/sha384/sha512
saltlen=32
# Generate keys, certificate:
openssl req -x509 -newkey rsa:$rsa_bits -nodes -keyout private.pem -out cert.der \
-days 100 -outform der -$hash_algo -sigopt rsa_padding_mode:pss \
-sigopt rsa_pss_saltlen:$saltlen -sigopt rsa_mgf1_md:$hash_algo
# Sign data.txt:
openssl dgst -${hash_algo} -sign private.pem -sigopt rsa_padding_mode:pss \
-sigopt rsa_pss_saltlen:${saltlen} -out sig.bin data.txt
# Digest data.txt:
openssl dgst -${hash_algo} -binary -out data.${hash_algo}.raw data.txt
# Load pubkey into the kernel's keyring:
kv=$(keyctl padd asymmetric "test-key" @u < cert.der)
# Verify with `enc=pss`:
keyctl pkey_verify $kv "0" data.${hash_algo}.raw \
sig.bin "enc=pss hash=${hash_algo} slen=${saltlen} mgfhash=${hash_algo}"
v2:
- Allow certificates where mgf hash algorithm is different from the digest hash
algorithm.
- Fix sparse warnings on "X.509: Parse RSASSA-PSS style certificates".
v1 is available at [6][7].
[1] https://tools.ietf.org/html/rfc8017#section-8.1
[2] https://github.com/varadgautam/kernel/tree/rsassa-psspad-v2
[3] https://github.com/google/wycheproof/blob/master/testvectors/
[4] https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures#rsavs
[5] https://github.com/varadgautam/keyctl-rsa-tests
[6] https://lore.kernel.org/lkml/20210330202829.4825-1-varad.gautam@suse.com/
[7] https://github.com/varadgautam/kernel/tree/rsassa-psspad
Varad Gautam (18):
X.509: Parse RSASSA-PSS style certificates
crypto: rsa-pkcs1pad: Rename pkcs1pad-specific functions to rsapad
crypto: rsa-pkcs1pad: Extract pkcs1pad_create into a generic helper
crypto: rsa-pkcs1pad: Pull out child req processing code into helpers
crypto: rsa-pkcs1pad: Rename pkcs1pad_* structs to rsapad_*
crypto: rsa: Start moving RSA common code to rsa-common
crypto: rsa: Move more common code to rsa-common
crypto: rsa: Move rsapad_akcipher_setup_child and callback to
rsa-common
crypto: Extend akcipher API to pass signature parameters
crypto: rsa: Move struct rsa_mpi_key definition to rsa.h
crypto: Scaffolding for RSA-PSS signature style
crypto: rsa-psspad: Introduce shash alloc/dealloc helpers
crypto: rsa-psspad: Get signature parameters from a given signature
crypto: Implement MGF1 Mask Generation Function for RSASSA-PSS
crypto: rsa-psspad: Provide PSS signature verify operation
crypto: rsa-psspad: Implement signature verify callback
crypto: Accept pss as valid encoding during signature verification
keyctl_pkey: Add pkey parameters slen and mgfhash for PSS
crypto/Kconfig | 6 +
crypto/Makefile | 2 +
crypto/asymmetric_keys/Makefile | 5 +-
crypto/asymmetric_keys/asymmetric_type.c | 2 +
crypto/asymmetric_keys/public_key.c | 18 +-
crypto/asymmetric_keys/x509_cert_parser.c | 148 ++++++++
crypto/asymmetric_keys/x509_rsassa.asn1 | 17 +
crypto/rsa-common.c | 291 ++++++++++++++++
crypto/rsa-pkcs1pad.c | 400 +++-------------------
crypto/rsa-psspad.c | 291 ++++++++++++++++
crypto/rsa.c | 26 +-
include/crypto/akcipher.h | 26 ++
include/crypto/internal/rsa-common.h | 61 ++++
include/crypto/internal/rsa.h | 10 +
include/crypto/public_key.h | 4 +
include/linux/keyctl.h | 2 +
include/linux/oid_registry.h | 3 +
security/keys/keyctl_pkey.c | 13 +
18 files changed, 961 insertions(+), 364 deletions(-)
create mode 100644 crypto/asymmetric_keys/x509_rsassa.asn1
create mode 100644 crypto/rsa-common.c
create mode 100644 crypto/rsa-psspad.c
create mode 100644 include/crypto/internal/rsa-common.h
--
2.30.2
Powered by blists - more mailing lists