| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 May 2024 16:18:15 +0300 From: "Jarkko Sakkinen" <jarkko@...nel.org> To: "Stefan Berger" <stefanb@...ux.ibm.com>, "Herbert Xu" <herbert@...dor.apana.org.au> Cc: <linux-crypto@...r.kernel.org>, "David S. Miller" <davem@...emloft.net>, <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] crypto: ecdsa: Fix the public key format description On Tue May 28, 2024 at 3:37 PM EEST, Stefan Berger wrote: > > > On 5/27/24 18:59, Jarkko Sakkinen wrote: > > On Tue May 28, 2024 at 1:49 AM EEST, Jarkko Sakkinen wrote: > >> On Tue May 28, 2024 at 1:31 AM EEST, Jarkko Sakkinen wrote: > >>>> ret = crypto_akcipher_set_pub_key(tfm, data, 3 * x_size + 1); > >> > >> Noticed this mistake i.e. fixed it with "2 * x_size + 1" > >> > >> This is results earlier failure: > >> > >> ecdsa: (tpm2_key_ecdsa_query+0x10d/0x170 <- ecdsa_set_pub_key) arg1=0xffffffea > >> > >> Totally lost with the expected input format after trying out various > >> options. > > > > OK got it working with: > > > > ptr = &data[0]; > > *ptr++ = 0x04; /* uncompressed */ > > memcpy(&ptr[0], &x[2], x_size); > > memcpy(&ptr[x_size], &x[2 + x_size + 2], x_size); > > ret = crypto_akcipher_set_pub_key(tfm, data, 2 * x_size + 1); > > crypto_free_akcipher(tfm); > > > > Had still a few "off-bys". > > > > Makes me wonder why this is not in ASN.1. > > E.g. TPM2 stuff and for instance RSA code takes ASN.1. > > > > This all and the required prefix byte really should be explained in > > the documentation of this function. I.e. follows the RFC in the sense > > that number is big-endian and has the prefix byte, but it does not > > follow it in the sense that x and y are not in input octect strings. > > > > Why is that? Does not feel right intuitively. > > You found the appropriate documentation -- thanks. > The old function documentation stated that it takes 'raw uncompressed > key data from an x509 certificate'. So, one should take the data from > the x509 certificate starting with 0x04 as shown here. > > Subject Public Key Info: > Public Key Algorithm: id-ecPublicKey > Public-Key: (256 bit) > pub: > 04:c0:55:b4:68:7a:80:bc:0e:ba:b3:66:40:5f:07: > aa:27:d4:da:b4:79:2e:4d:a4:f4:f4:33:b1:22:6a: > 6c:e9:8c:30:8d:6c:df:ac:65:f0:93:d9:7a:70:7a: > 05:dc:7a:7d:b3:91:18:22:9a:5c:86:9a:87:72:3b: > 32:1a:92:81:1d > ASN1 OID: prime256v1 > NIST CURVE: P-256 > > > These are two concatenated x & y coordinates with a leading 0x4. The > numbers are not ints in ASN.1 format but 'plain' integers. > > A *signature*, however, is in ASN.1: > > Signature Value: > 30:45:02:21:00:d9:d7:64:ba:5d:03:07:ee:20:a0:12:16:46: > 31:e6:8e:66:0c:17:0d:74:07:87:58:5a:13:fc:14:62:98:9a: > 99:02:20:59:ff:29:9c:52:b9:0a:35:3c:4b:03:bb:47:0e:c8: > 3e:2d:cb:3e:1c:d3:51:88:91:b1:40:e3:03:86:1b:2a:e8 > > 30:45 => sequence containing 69 bytes > 02:21: => first coordinate with 0x21 bytes > 00:d9 => 0x21 bytes of ASN.1 integer with leading 0 to make the > following 0x20-byte integer a positive number (its most significant bit > is set). > 02:20: => int with 0x20 bytes > ... Ah, thanks for this insight! I found this out by trial and error but good to see that it matches with the "theory". Thank you. BR, Jarkko
Powered by blists - more mailing lists