All of lore.kernel.org
 help / color / mirror / Atom feed
From: Varad Gautam <varad.gautam@suse.com>
To: linux-crypto@vger.kernel.org
Cc: varad.gautam@suse.com, dhowells@redhat.com,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	vt@altlinux.org, tianjia.zhang@linux.alibaba.com,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	jarkko@kernel.org
Subject: [PATCH v3 00/18] Implement RSASSA-PSS signature verification
Date: Tue, 20 Apr 2021 13:41:05 +0200	[thread overview]
Message-ID: <20210420114124.9684-1-varad.gautam@suse.com> (raw)

Linux currently supports RSA PKCSv1.5 encoding scheme for
signing / verification. This adds support for RSASSA PSS signature
verification as described in RFC8017 [1].

Patch 1 extends the x509 certificate parser to unpack PSS signature
  parameters.
Patches 2-8 pull out the common functions / struct definitions from
  rsa-pkcs1pad.c into rsa-common.c, to be shared across RSA encoding
  scheme implementations.
Patches 9, 10 provide some more plumbing to export the data needed to
  perform PSS operations (salt length, RSA modulus).
Patches 11-16 set up PSS scaffolding and provide the verification
  operation per RFC8017.
Patches 17, 18 turn the final knobs on to allow lowering PSS signatures
  for verification via keyctl.

The patchset is available as a git tree at [2].

Testing:
The implementation was tested by adding reference public keys to the
kernel's keyring via `keyctl padd` and then verifying a known
message digest / signature against this public key via `keyctl pkey_verify`.
The reference vectors were taken from:
- the Wycheproof testsuite [3]
- FIPS 186-2 and 186-4 test vectors [4]

The test harness is available at [5].

Example keyctl usage for PSS verification:
rsa_bits=4096 # 2048/3072/4096
hash_algo=sha256 # sha1/sha224/sha256/sha384/sha512
saltlen=32
# Generate keys, certificate:
openssl req -x509 -newkey rsa:$rsa_bits -nodes -keyout private.pem -out cert.der \
  -days 100 -outform der -$hash_algo -sigopt rsa_padding_mode:pss \
  -sigopt rsa_pss_saltlen:$saltlen -sigopt rsa_mgf1_md:$hash_algo

# Sign data.txt:
openssl dgst -${hash_algo} -sign private.pem -sigopt rsa_padding_mode:pss \
  -sigopt rsa_pss_saltlen:${saltlen} -out sig.bin data.txt

# Digest data.txt:
openssl dgst -${hash_algo} -binary -out data.${hash_algo}.raw data.txt

# Load pubkey into the kernel's keyring:
kv=$(keyctl padd asymmetric "test-key" @u < cert.der)

# Verify with `enc=pss`:
keyctl pkey_verify $kv "0" data.${hash_algo}.raw \
    sig.bin "enc=pss hash=${hash_algo} saltlen=${saltlen} mgfhash=${hash_algo}"

v3:
- Rename pkey_verify parameter for salt length to "saltlen".
- Update Documentation/security/keys/core.rst.
- Add validation for the hash algorithm passed to psspad_setup_shash.

v2:
- Allow certificates where mgf hash algorithm is different from the digest hash
  algorithm.
- Fix sparse warnings on "X.509: Parse RSASSA-PSS style certificates".

https://lore.kernel.org/lkml/20210408141516.11369-1-varad.gautam@suse.com/
https://github.com/varadgautam/kernel/tree/rsassa-psspad-v2

v1 is available at:
https://lore.kernel.org/lkml/20210330202829.4825-1-varad.gautam@suse.com/
https://github.com/varadgautam/kernel/tree/rsassa-psspad

[1] https://tools.ietf.org/html/rfc8017#section-8.1
[2] https://github.com/varadgautam/kernel/tree/rsassa-psspad-v3
[3] https://github.com/google/wycheproof/blob/master/testvectors/
[4] https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures#rsavs
[5] https://github.com/varadgautam/keyctl-rsa-tests


Varad Gautam (18):
  X.509: Parse RSASSA-PSS style certificates
  crypto: rsa-pkcs1pad: Rename pkcs1pad-specific functions to rsapad
  crypto: rsa-pkcs1pad: Extract pkcs1pad_create into a generic helper
  crypto: rsa-pkcs1pad: Pull out child req processing code into helpers
  crypto: rsa-pkcs1pad: Rename pkcs1pad_* structs to rsapad_*
  crypto: rsa: Start moving RSA common code to rsa-common
  crypto: rsa: Move more common code to rsa-common
  crypto: rsa: Move rsapad_akcipher_setup_child and callback to
    rsa-common
  crypto: Extend akcipher API to pass signature parameters
  crypto: rsa: Move struct rsa_mpi_key definition to rsa.h
  crypto: Scaffolding for RSA-PSS signature style
  crypto: rsa-psspad: Introduce shash alloc/dealloc helpers
  crypto: rsa-psspad: Get signature parameters from a given signature
  crypto: Implement MGF1 Mask Generation Function for RSASSA-PSS
  crypto: rsa-psspad: Provide PSS signature verify operation
  crypto: rsa-psspad: Implement signature verify callback
  crypto: Accept pss as valid encoding during signature verification
  keyctl_pkey: Add pkey parameters slen and mgfhash for PSS

 Documentation/security/keys/core.rst      |  14 +-
 crypto/Kconfig                            |   6 +
 crypto/Makefile                           |   2 +
 crypto/asymmetric_keys/Makefile           |   5 +-
 crypto/asymmetric_keys/asymmetric_type.c  |   2 +
 crypto/asymmetric_keys/public_key.c       |  18 +-
 crypto/asymmetric_keys/x509_cert_parser.c | 148 ++++++++
 crypto/asymmetric_keys/x509_rsassa.asn1   |  17 +
 crypto/rsa-common.c                       | 291 ++++++++++++++++
 crypto/rsa-pkcs1pad.c                     | 400 +++-------------------
 crypto/rsa-psspad.c                       | 310 +++++++++++++++++
 crypto/rsa.c                              |  26 +-
 include/crypto/akcipher.h                 |  26 ++
 include/crypto/internal/rsa-common.h      |  61 ++++
 include/crypto/internal/rsa.h             |  10 +
 include/crypto/public_key.h               |   4 +
 include/linux/keyctl.h                    |   2 +
 include/linux/oid_registry.h              |   3 +
 security/keys/keyctl_pkey.c               |  13 +
 19 files changed, 993 insertions(+), 365 deletions(-)
 create mode 100644 crypto/asymmetric_keys/x509_rsassa.asn1
 create mode 100644 crypto/rsa-common.c
 create mode 100644 crypto/rsa-psspad.c
 create mode 100644 include/crypto/internal/rsa-common.h

-- 
2.30.2


             reply	other threads:[~2021-04-20 11:46 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-20 11:41 Varad Gautam [this message]
2021-04-20 11:41 ` [PATCH v3 01/18] X.509: Parse RSASSA-PSS style certificates Varad Gautam
2021-04-20 11:41 ` [PATCH v3 02/18] crypto: rsa-pkcs1pad: Rename pkcs1pad-specific functions to rsapad Varad Gautam
2021-04-20 11:41 ` [PATCH v3 03/18] crypto: rsa-pkcs1pad: Extract pkcs1pad_create into a generic helper Varad Gautam
2021-04-20 11:41 ` [PATCH v3 04/18] crypto: rsa-pkcs1pad: Pull out child req processing code into helpers Varad Gautam
2021-04-20 11:41 ` [PATCH v3 05/18] crypto: rsa-pkcs1pad: Rename pkcs1pad_* structs to rsapad_* Varad Gautam
2021-04-20 11:41 ` [PATCH v3 06/18] crypto: rsa: Start moving RSA common code to rsa-common Varad Gautam
2021-04-20 11:41 ` [PATCH v3 07/18] crypto: rsa: Move more " Varad Gautam
2021-04-20 11:41 ` [PATCH v3 08/18] crypto: rsa: Move rsapad_akcipher_setup_child and callback " Varad Gautam
2021-04-20 11:41 ` [PATCH v3 09/18] crypto: Extend akcipher API to pass signature parameters Varad Gautam
2021-04-20 11:41 ` [PATCH v3 10/18] crypto: rsa: Move struct rsa_mpi_key definition to rsa.h Varad Gautam
2021-04-20 11:41 ` [PATCH v3 11/18] crypto: Scaffolding for RSA-PSS signature style Varad Gautam
2021-04-20 11:41 ` [PATCH v3 12/18] crypto: rsa-psspad: Introduce shash alloc/dealloc helpers Varad Gautam
2021-04-20 11:41 ` [PATCH v3 13/18] crypto: rsa-psspad: Get signature parameters from a given signature Varad Gautam
2021-05-14 10:45   ` Herbert Xu
2021-07-05  9:39     ` Varad Gautam
2023-09-20 17:12     ` Dimitri John Ledkov
2021-04-20 11:41 ` [PATCH v3 14/18] crypto: Implement MGF1 Mask Generation Function for RSASSA-PSS Varad Gautam
2021-04-20 11:41 ` [PATCH v3 15/18] crypto: rsa-psspad: Provide PSS signature verify operation Varad Gautam
2021-04-20 11:41 ` [PATCH v3 16/18] crypto: rsa-psspad: Implement signature verify callback Varad Gautam
2021-04-20 11:41 ` [PATCH v3 17/18] crypto: Accept pss as valid encoding during signature verification Varad Gautam
2021-04-20 11:41 ` [PATCH v3 18/18] keyctl_pkey: Add pkey parameters saltlen and mgfhash for PSS Varad Gautam
2021-04-20 13:27   ` Ben Boeckel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210420114124.9684-1-varad.gautam@suse.com \
    --to=varad.gautam@suse.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=tianjia.zhang@linux.alibaba.com \
    --cc=vt@altlinux.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.