-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable RSA-PSS signatures in pkcs11-tool #1146
Conversation
Cool. That addresses one of the problems. (I have only looked at you description and have no way to test it.) The other part of @mouse07410's problem is using OpenSSL utilities with libp11/engine for devices that do not support CKM_X_509. Unlike other padding methods where the padding can be striped off and the data sent to the card via CKM_RSA_PKCS1, OpenSSL PSS padding can not be stripped as there is not enough information passed to determine the PSS parameters. Libp11 would need to call PKCS#11. |
Some tokens (I have first-hand experience with YubiHSM2 device in beta-testing) can do Also, |
src/tools/pkcs11-tool.c
Outdated
@@ -227,6 +233,9 @@ static const char *option_help[] = { | |||
"Derive a secret key using another key and some data", | |||
"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations", | |||
"Specify mechanism (use -M for a list of supported mechanisms)", | |||
"Specify hash algorithm used with generic RSA-PSS signature", | |||
"Specify MGF (Message Generation Function) used for RSA-PSS signatures (possible values are MGF1-SHA1 to MGF1-SHA512)", | |||
"Specify how many bytes should be used for salt in RSA-PSS signatures (default 0)", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think default here should be the same as OpenSSL. And OpenSSL uses salt length equal to the digest size (rsa_pss_saltlen:-1
) as its RSA-PSS default.
In the meanwhile, I've extended your PR with saltlen default to digest size (see https://github.com/mouse07410/OpenSC.git branch 1146), and confirm that your PR works OK:
Are you considering making a similar PR for RSA-OAEP encryption? Update
|
In the above example it has: Since this is listing the PSS parameters, I would assume the "hashAlg: hash algorithm used in the PSS encoding; if the signature
|
@dengert thank you - you're right. Fixed:
@Jakuje please take a look at my branch. I think addresses the issues I brought up, and fixes the problem @dengert pointed out. |
I'd like to see that. Such a code would issue calls to What's currently missing is:
|
I would also like to see the terms "sLen length, in bytes, of the salt value used in the PSS encoding; typical The convention used by OpenSL of -1 to use the length of the message hash could be the default. So if user does not specify anything, slen = hlen. would be used. User can provide 0 or any other length if they want to specify a specific length or no salt at all. RFC 8017 Section 9.1 Note 4 says: |
Thank you for ideas and comments. I will try to address them during the next week. I am traveling at this moment. |
Thank you for the comments and especially the fixes and changes made by @mouse07410 in the meantime. I cherry-picked them into this branch, but I cleaned up the spaces into tabs to be consistent with the rest of the code. I didn't squash the changes yet to be clear what was fixed where.
I don't think so. Using PSS in drivers (or rather libopensc directly, for cards with
That should not be so hard once we have PSS around, at least for |
src/tools/pkcs11-tool.c
Outdated
break; | ||
default: | ||
sLen = 0; | ||
break; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if we should silently fall back to 0
length salt in case we got something unknown. It can bite us later (SHA224
, SHA3
?). We should probably exit here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see your point. But I'm not sure how we'd do a clean exit here without overly complicating things on the caller side.
As for SHA-3 and SHA224 - why don't we add them right now and be done with it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All the way around pkcs11-tool
, the we call util_fatal()
, which calls exit. It is not nice, but it does its job for these unexpected situations. I
We can add CKM_SHA224
straight away, but there is no CKM_
for SHA3 yet in latest PKCS#11 standard. And when it will be there, we will forget about this switch.
I will add a commits addressing this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, thanks. Makes sense to me. For an executable like pkcs11-tool
using util_fatal()
should be OK.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Darn... We must be using different PKCS#11 include files?!
. . . . .
CC cardos-tool.o
pkcs11-tool.c:1637:8: error: use of undeclared identifier 'CKM_SHA224'
case CKM_SHA224:
^
1 error generated.
make[3]: *** [pkcs11-tool.o] Error 1
. . . . .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope. I just did not check it compiles. I checked only the PKCS#11 specification, which defines them:
I added them in b051d3b from the above source so it should build fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, thanks. Now everything compiles OK. ;-)
Thank you! And I appreciate you taking care of spaces-vs-tabs, as I'm not keen on setting Emacs configuration for the appropriate indentation styles that different project have :-(.
I'm not sure what you're disagreeing with here. As far as I can see, there are two classes of devices: As long as we're limiting our discussion to the Once the YubiHSM2 driver gets involved - it wouldn't be feasible (IMHO) to call
That was my thinking too.
AFAIK, it does.
:-) Come on, doesn't the eager community count? :-) |
@frankmorgner could I ask to merge this PR rather sooner than later please? Thanks! |
@Jakuje, please have a look at the VS build error https://ci.appveyor.com/project/LudovicRousseau/opensc/build/0.17.0.1411/job/wuut4wowdja1lilj#L927 |
…and "-2") are processed correctly, and compatible with OpenSSL
…ables inside the code)
b051d3b
to
375e1c2
Compare
Sorry, I always have a hard time to find the errors in the VS builds. That was obviously related to the |
…avoid compilers complaining
OK, I put that back because the gcc complains about non-returning functions after the |
Looks like an engine problem. |
@Jakuje I'm having a strange problem. The fault is probably with the
So it looks like the "generic" mechanism |
I believe the "generic" mechanism RSA-PKCS-PSS is expecting a hash of the message that matches the size of the hashAlg=SHA256 A SPY trace would show what is getting passed. PKCS|#11 v2.40 says: RSA-PKCS-PSS does not include message hashing. What is the size of The |
The @mouse07410 for the OEAP please, open a separate pull request. It is getting confusing here. Anyway, about the
|
Spot on! Thank you! Correcting this,
I am editing the man page to reflect this. |
@Jakuje You are right on the -2. His earlier examples used -1 and had saltlLen = 48. I mixed them up. His latest does not say what key size. But with: saltlen = modlen - hashlen -2 I see @mouse07410 has it working now. The RSA-PKCS-PSS is not really "generic". It is used to pass in the hash of the message which must match in size of a hash from the PKCS#11 hashAlg parameter. |
Yes, sorry. That was my initial confusion, that it should be something like generic algoritm. Also for example RFC 4055 talks about default hash and mgf functions (SHA-1 based) so I took the opportunity to add also this while improving the documentation and removing the bogus "generic". I also used See latest commit. |
src/pkcs11/pkcs11-spy.c
Outdated
@@ -969,6 +969,15 @@ C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HA | |||
enter("C_SignInit"); | |||
spy_dump_ulong_in("hSession", hSession); | |||
fprintf(spy_output, "pMechanism->type=%s\n", lookup_enum(MEC_T, pMechanism->mechanism)); | |||
if (pMechanism->pParameter != NULL) { /* XXX assuming PSS parameter */ | |||
CK_RSA_PKCS_PSS_PARAMS *param = | |||
(CK_RSA_PKCS_PSS_PARAMS *) pMechanism->pParameter; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we test for the actual parameter type? casting here and dereferencing later may lead to unexpected behavior...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we should. But since this was the first mechanism using parameter, I wanted to avoid listing all the PSS mechanisms. But as we will have OEAP too, we should certainly do that. I will submit an update tomorrow. It is quite late here in Europe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What other parameter types are possible in C_SignInit
? Certainly not OAEP (which belongs to C_DecryptInit
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh ... my bad. It was very late yesterday. But reading through the PKCS#11 mechanisms specification, we can see that for example 2.8.9 General-length AES-MAC is a mechanism that has parameters and is using/can use the C_Sign
interface.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, thanks. Understood. Made the same change for OAEP in ...spy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI done. All checks passed.
thanks |
@mouse07410 do you have any progress with the OAEP? I saw no changes in your branch for some time nor I see the PR here. I would be happy to review and test it as it will be done. |
Of course ;-) Everything's finished and working in my fork of OpenSC. The relevant commits went in before the merge with yours showed up, as I wanted to keep my master in sync with the upstream, but not at the cost of holding down the necessary features or fixes.
@Jakuje please try it, and report if you can. Also, feel free to make a PR to the master. ;) |
* Add missing SHA224 RSA algorithms * Fix wrong replacement in pkcs11-tool manual page * Add MGF and PSS_PARAMS definitions in PKCS#11 header file * Inspect PSS signature parameters in pkcs11-spy * Enable RSA-PSS signatures in pkcs11-tool * Added short names to RSA-PSS methods * Reintroduce portable NORETURN indication for functions and use it to avoid compilers complaining
The PSS signatures in PKCS#11 require parameters to mechanism info passed to
SignInit()
. They need to be adjustable for different hash algorithms (in generic RSA-PSS) and different MGFs. The definitions inpkcs11.h
header file come from current PKCS#11 specification. The change also affectspkcs11-spy
module, which now lists these parameters, if they are present.Comments and naming improvements welcomed. This adds support for RSA-PSS into pkcs11-tool to use with other PKCS#11 modules. It does not add a support in the drivers in OpenSC, but it is also something I would like to investigate too.
There are also few more unrelated commits including typos (manual page), adding a few more mechanisms from PKCS#11 specification (
SHA224
).Checklist