-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAEP (RFC8017) padding check/removal #2475
Conversation
Than you! Could you make this OpenSSL 3.0.0 compatible as well? |
... see #2438 for examples for the new APIs |
2cff23b
to
b5fa710
Compare
Customization to API 3.0: |
Pardon my ignorance - do we want to move to OpenSSL-3.0 (aka,?break compatibility with 1.1.1), or add 3.0 (keeping support for both APIs)? |
Code in this PR is correct for both versions. When compiling with both versions of openssl, I did not find any "deprecated" functions. |
please discuss this in #2438 |
I checked the changes, and the code above should not cause problems with OpenSSL 3.0 (no deprecated functions and it keeps compatibility with both OpenSSL 1.1.1 and 3.0). |
Thanks! |
Can you update the |
If the card does not support OAEP, but RSA RAW operation is available, OAEP padding check/removal is now supported by the software.
modified: src/tests/p11test/virt_cacard_ref.json
thank you |
Here's what I get with the current master:
It says |
OAEP padding uses optional "label", here part from https://www.rfc-editor.org/rfc/rfc8017.html :
PKCS#11 allow us to specify this label as parameter:
There is no support for this optional I planned to write it, but I need to test it - ideally using openssl - but I didn't find support for specifying "label" for openssl decrypt operations (rsautl, pkeyutl). When I find a reasonable way to do this in OpenSC (a problem similar to PSS salt-length how to pass pkcs#11 parameter to libopensc), including an independent test via openssl (or another cryptographic library .. soft-hsm, etc.), I will write the code for entering the |
@popovec are you saying that the "source_len = 0" refers to the label? And that's why it's OK, at least for now? |
From pkcs#11 view - this is OAEP parameter. Messages from pkcs11-tool are only informative. I understand that this information may be confusing, but in fact it is not a error. There is no |
Who is that message for? If it's for the user - then let's make it less confusing for the user. If for developer - let's avoid printing it out unless developer explicitly asks for it. Anyway, in my fork I changed the text from PKCS#11-pure but confusing, to "impure" but clear. |
PKCS#11 .. how to perform a OAEP decrypt operation: Initialize the decrypt operation ..
For OAEP, we have these parameters .. this is how PKCS#11 defines them, and whether they are confusing or not, we won't do anything about it.
Would be better to change After the decrypt operation is initialized, the real decrypt follows (and here are the real data for decrypt
|
RFC 8017 says: Appendix A.2.1 then says currently there is only one type : and says "The default label is an empty string (so that lHash will contain the hash of the empty string):' So I assume this "Label" is the "source data"? PKCS11 curr-v3.0 "Table 6, PKCS #1 RSA OAEP: Encoding parameter sources" So it looks like CKZ_DATA_SPECIFIED is just a fancy way to say if there is any data i.e. Label present or not. But it also allows for future types of sources.
I read both PKCS11 and RFC8017 to say if source is 0, then the pointer and the length must also be zero, which says to hash the NULL string. But we should also allow for future types of sources. But for now source is 0 or 1. and ASN.1 as defined in Appendix A.2.1. |
https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061136 Setting the "CK_RSA_PKCS_OAEP_SOURCE_TYPE" to "CKZ_DATA_SPECIFIED = 0x00000001UL" allow us to provide "CK_VOID_PTR pSourceData;" and "CK_ULONG ulSourceDataLen;". I already found how to pass "label" into openssl oaep encrypt operation (-pkeyopt rsa_oaep_label:314F - the "label" is set to string "\x31\x4f"). This switch is working for me (openssl 1.1.1k-1+deb11u1). The man page for pkeyutl have no mention of this switch. I will prepare a PR (for pkcs#11 module and for pkcs11-tool) that will allow to perform decryption using OAEP inclusive the "label" - of course also with a test, openssl encrypt then opensc pkcs#11 decrypt. |
So I assume: |
Technically this is same as openssl function If we are to be very benevolent, all the above cases will generate the same result and we will not report an error. |
Yes it is - and for the benefit of users I think it should be named "label", as opposed to the obscure PKCS11-internal confusing term currently used in the code.
Yes, I think we do want to be benevolent here. |
Continuation of OAEP patch (pkcs#11 code and test code in pkcs11-tool) is available under #2484. Thanks for any comments and testing. |
If the card does not support OAEP, but RSA RAW operation is available,
OAEP padding check/removal is now supported by the software.
OAEP decrypt is tested by github actions (OsEID simulation).