Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pk: Enable RSASSA-PSS key parsing #154

Open
wants to merge 1 commit into
base: development
Choose a base branch
from
Open

pk: Enable RSASSA-PSS key parsing #154

wants to merge 1 commit into from
+8 −2

Conversation

benmcollins
Copy link

Description

mbedtls_pk_parse_key() and mbedtls_pk_parse_public_key() would not load RSASSA-PSS keys generated by OpenSSL (PEM or DER).

This patch adds the OID needed for asn1 matching and a few other tweaks to let the key get loaded.

I've confirmed that this produces correct signature in LibJWT by doing:

  • Generate RSASSA-PSS sig in OpenSSL

    • Verify in MbedTLS

  • Generate RSASSA-PSS sig in GnuTLS

    • Verify in MbedTLS

  • Generate RSASSA-PSS sig in MbedTLS

    • Verify in OpenSSL
    • Verify in GnuTLS

Note, you obviously have to use:

mbedtls_rsa_set_padding()
mbedtls_rsa_rsassa_pss_sign()
mbedtls_rsa_rsassa_pss_verify()

To get the correct RSASSA-PSS signatures and verification done.

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

@benmcollins
pk: Enable RSASSA-PSS key parsing
321cd17 
mbedtls_pk_parse_key() and mbedtls_pk_parse_public_key() would not load
RSASSA-PSS keys generated by OpenSSL (PEM or DER).

This patch adds the OID needed for asn1 matching and a few other tweaks
to let the key get loaded.

I've confirmed that this produces correct signature in LibJWT by doing:

- Generate RSASSA-PSS sig in OpenSSL
  * Verify in MbedTLS

- Generate RSASSA-PSS sig in GnuTLS
  * Verify in MbedTLS

- Generate RSASSA-PSS sig in MbedTLS
  * Verify in OpenSSL
  * Verify in GnuTLS

Note, you obviously have to use:

    mbedtls_rsa_set_padding()
    mbedtls_rsa_rsassa_pss_sign()
    mbedtls_rsa_rsassa_pss_verify()

To get the correct signatures and verification done.

Signed-off-by: Ben Collins <[email protected]>
@benmcollins benmcollins mentioned this pull request Jan 13, 2025
Open
1 task
benmcollins added a commit to benmcollins/libjwt that referenced this pull request Jan 13, 2025
@benmcollins
Add correct RSASSA-PSS support in mbedTLS.
bdceed6 
Tested with patched MbedTLS

Mbed-TLS/TF-PSA-Crypto#154

Signed-off-by: Ben Collins <[email protected]>
@Harry-Ramsey Harry-Ramsey added enhancement New feature or request needs-review Every commit must be reviewed by at least two team members needs-reviewer This PR needs someone to pick it up for review size-xs Estimated task size: extra small (a few hours at most) labels Jan 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request needs-review Every commit must be reviewed by at least two team members needs-reviewer This PR needs someone to pick it up for review size-xs Estimated task size: extra small (a few hours at most)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@benmcollins @Harry-Ramsey