Provider currency updates #125

Open
wants to merge 14 commits into
base: master

ifranzki
Contributor

@ifranzki ifranzki commented Mar 6, 2025

  • Support deterministic EC signatures (nonzero OSSL_SIGNATURE_PARAM_NONCE_TYPE) via fallback provider.
  • Support EC DHKEM (OSSL_PKEY_PARAM_DHKEM_IKM) via fallback provider.
  • Support SignMessage and VerifyMessage API (since OpenSSL 3.4) for ECDSA and RSA for composite hash-then-sign algorithms.
  • Support importing RSA keys from just P and Q (OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ, since OpenSSL 3.3).
  • Misc updates and fixes

Closes: #119
Closes: #114

Refactor the code to make it easier to enhance and to read.

Signed-off-by: Ingo Franzki <[email protected]>
Tolerate the use of deterministic signatures (OSSL_SIGNATURE_PARAM_NONCE_TYPE
set to a non-zero value), but use the fallback provider for calculating
a deterministic signature.

Signed-off-by: Ingo Franzki <[email protected]>
Perform a deterministic signature with IBMCA and the default provider
using the same key, and compare the resulting signatures.

Signed-off-by: Ingo Franzki <[email protected]>
…provider

Tolerate the use of DHKEM-IKM EC key generation (OSSL_PKEY_PARAM_DHKEM_IKM
set to a non-empty buffer), but use the fallback provider for generating
the EC key.

Signed-off-by: Ingo Franzki <[email protected]>
Use the DHKEM-IKM option with EC keygen with the IBMCA provider and the
default provider and compare the generated keys; they must be equal.
This only works for P-256, P-384, and P-521 curves.

Signed-off-by: Ingo Franzki <[email protected]>
@ifranzki ifranzki requested a review from jschmidb March 6, 2025 07:30
ifranzki added 7 commits March 6, 2025 11:16
Add support for the new EVP_PKEY_sign_message_xxx() and
EVP_PKEY_verify_message_xxx() API with combined digest and sign
algorithms such as 'ECDSA-SHAxxx'.

This new API was added with OpenSSL 3.4.0 and requires changes in the
providers to support it.

Signed-off-by: Ingo Franzki <[email protected]>
Add support for the new EVP_PKEY_sign_message_xxx() and
EVP_PKEY_verify_message_xxx() API with combined digest and sign
algorithms such as 'RSA-SHAxxx'.

Note that RSA-PSS is not supported by this API.

This new API was added with OpenSSL 3.4.0 and requires changes in the
providers to support it.

Signed-off-by: Ingo Franzki <[email protected]>
Add tests to perform the new EVP_PKEY_sign_message_xxx() and
EVP_PKEY_verify_message_xxx() API with combined digest and sign
algorithms such as 'ECDSA-SHAxxx' or 'RSA-SHAxxx'.

Signed-off-by: Ingo Franzki <[email protected]>
Check if the selected digest is an XOF digest and fail if so.

Signed-off-by: Ingo Franzki <[email protected]>
... for easy enabling of the sanitizer for a build.

Signed-off-by: Ingo Franzki <[email protected]>
p_ibmca.c:882:9: warning: '__builtin_strncpy' specified bound 4096 equals
                 destination size [-Wstringop-truncation]
  882 |         strncpy(prov_name, provctx->name, sizeof(prov_name));
      |         ^

Signed-off-by: Ingo Franzki <[email protected]>
ifranzki added 2 commits March 6, 2025 12:17
When importing a private RSA key from params, allow that only private CRT
key components OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2, as well as
the public key components OSSL_PARAM_RSA_N and OSSL_PKEY_PARAM_RSA_E are
available in the params, when also OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ
with a nonzero value is contained. In this case the other CRT components
are calculated to form a complete CRT key.

OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ is available since OpenSSL 3.3.

Signed-off-by: Ingo Franzki <[email protected]>
…OM_PQ

Add tests to perform an export of an RSA key to params, and then import the
params but only with OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2,
OSSL_PARAM_RSA_N and OSSL_PKEY_PARAM_RSA_E, and with param
OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ set to 1. The resulting key is expected
to be equal to the original key.

Signed-off-by: Ingo Franzki <[email protected]>
@ifranzki ifranzki force-pushed the provider-currency-updates branch from 48f1340 to 6b4af03 Compare March 6, 2025 11:23
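
The derivation that the DERIVE_FROM_PQ import commit above describes (completing a CRT key from N, E, P and Q), as an added example that is not code from this PR or from IBMCA. The function names are hypothetical, the private exponent is assumed to be computed modulo lcm(p-1, q-1), and the key is a constructed toy value far too small for real use.

```python
from math import gcd

def derive_crt_from_pq(n, e, p, q):
    """Return (d, dp, dq, qinv) for an RSA key given only n, e, p and q."""
    # Reject inconsistent input before deriving anything from it.
    if p == q or p * q != n:
        raise ValueError("n is not the product of two distinct factors p and q")
    if e < 3 or e % 2 == 0:
        raise ValueError("public exponent must be odd and >= 3")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1), an assumption
    if gcd(e, lam) != 1:
        raise ValueError("e is not invertible modulo lcm(p-1, q-1)")
    d = pow(e, -1, lam)      # private exponent
    dp = d % (p - 1)         # CRT exponent for p
    dq = d % (q - 1)         # CRT exponent for q
    qinv = pow(q, -1, p)     # CRT coefficient q^-1 mod p
    return d, dp, dq, qinv

def crt_private_op(c, p, q, dp, dq, qinv):
    """RSA private-key operation using only the CRT components."""
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p   # Garner recombination
    return m2 + h * q

# Constructed sample key: two small Mersenne primes, for illustration only.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537

def roundtrip(msg):
    """Apply the CRT private operation, then the public operation."""
    d, dp, dq, qinv = derive_crt_from_pq(N, E, P, Q)
    sig = crt_private_op(msg, P, Q, dp, dq, qinv)
    # The CRT result must match the plain private-exponent operation.
    if sig != pow(msg, d, N):
        raise AssertionError("CRT and non-CRT results differ")
    return pow(sig, E, N)
```

The CRT exponents dp and dq come out the same whether d is reduced modulo lcm(p-1, q-1) or (p-1)(q-1), while d itself can differ between the two conventions.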