Add TEE_ALG_RSASSA_PKCS1_V1_5 #2524
Conversation
EDVTAZ
force-pushed
the
RSA_extension
branch
from
74d71e6
to
1bd6b44
Compare
|
This PR consists of two parts, one update of LTC and one update of OP-TEE. |
|
Ok, I will split it into two commits. |
|
OK, good. :-) |
|
Yes good indeed, it means we should take as a separate (and prerequisite) task to update LTC to the latest version... |
EDVTAZ
force-pushed
the
RSA_extension
branch
2 times, most recently
from
ab2c007
to
e9cbd3c
Compare
|
Yes, it would be nice to update LTC altogether (judging by the timestamps in some of the files it's as old as 2007, and there have been releases since then in LTC), but as far as I can tell, that would be a very lengthy process, given how many modifications were made to it over the time in this repository compared to the original one. |
There was a problem hiding this comment.
rephrase the commit. something like :
libtomcrypt: port LTC_PKCS_1_V1_5_NA1 from ltc v1.18.2
This change ports LTC_PKCS_1_V1_5_NA1 from libtomcrypt v1.18.2. This scheme is used for...
Chnage in ltc_provider could go in the 2nd commit.
Remove core/lib/libtomcrypt/src/pk/rsa/rsa_sign_hash.c.bak from the change.
| @@ -13,6 +13,9 @@ | |||
| #include <string_ext.h> | |||
| #include <string.h> | |||
| #include <tee_api_types.h> | |||
| #if defined(CFG_SECURE_KEY_SERVICES) | |||
There was a problem hiding this comment.
can remove the condition
| @@ -270,6 +273,9 @@ static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) | |||
| case TEE_ALG_HMAC_SHA512: | |||
| *ltc_hashindex = find_hash("sha512"); | |||
| break; | |||
| #endif | |||
| #if defined(CFG_SECURE_KEY_SERVICES) | |||
There was a problem hiding this comment.
can remove the condition, here and below.
core/tee/tee_svc_cryp.c
Outdated
| @@ -19,7 +19,7 @@ | |||
| #include <utee_defines.h> | |||
| #include <util.h> | |||
| #if defined(CFG_CRYPTO_HKDF) || defined(CFG_CRYPTO_CONCAT_KDF) || \ | |||
| defined(CFG_CRYPTO_PBKDF2) | |||
| defined(CFG_CRYPTO_PBKDF2) || defined(CFG_SECURE_KEY_STORAGE) | |||
There was a problem hiding this comment.
I would prefer another CFG_. Maybe introduce CFG_CRYPTO_RSASSA to default enable in the related make script.
I even wonder if we could not simply drop the condition and always include tee_api_defines_extensions.h.
core/tee/tee_svc_cryp.c
Outdated
| @@ -3277,6 +3277,9 @@ TEE_Result syscall_asymm_operate(unsigned long state, | |||
| } | |||
| break; | |||
|
|
|||
| #if defined(CFG_SECURE_KEY_SERVICES) | |||
There was a problem hiding this comment.
I would prefer another CFG_. Maybe introduce CFG_CRYPTO_RSASSA to default enable in the related make script.
| @@ -0,0 +1,162 @@ | |||
| // SPDX-License-Identifier: BSD-2-Clause | |||
There was a problem hiding this comment.
Please remove this file
|
Hi @EDVTAZ and thank for this PR. I think it is clean. Please try to format the commit comments as those already merged in the optee_os git tree. It helps maintenance. @jforissier I have had a quick look a ltc update. Most changes are ok but few descriptors which requires updates in the tee_ltc_provider.c. Maybe there are other things to take care of.. |
No, the last global sync was against a50cb361 2 years ago, and we have picked a few upstream commits since then. |
|
The first commit should be split further. It should contain only the LTC changes (no change to any OP-TEE files). From what I can tell, it is exactly a cherry-pick of upstream commit aa4bae5ae9a2 ("add option to do PKCS#1 v1.5 EMSA without ASN.1 around hash"), correct? If so, please mention this commit in the commit comment. The IBART error (4003.18) has to be investigated, too. |
|
@etienne-lms yes, we can merge this feature without a full LTC sync. |
|
...and then we also want:
|
EDVTAZ
force-pushed
the
RSA_extension
branch
from
e9cbd3c
to
e3e7e10
Compare
|
I removed the accidentally committed backup file, and some of the Tomorrow I will investigate the IBART error and start working on an xtest test case and some documentation. |
EDVTAZ
force-pushed
the
RSA_extension
branch
from
e3e7e10
to
6ecc5d0
Compare
|
IBART error was present, because I was working with an older version of OPTEE, that didn't have this commit: e770203 . I rebased my branch, so the tests should be good now. |
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
EDVTAZ
force-pushed
the
RSA_extension
branch
from
6ecc5d0
to
ab54dfc
Compare
|
I created the xtest test case, see: OP-TEE/optee_test#309 I also found some some errors in my code while testing, which I corrected in 06f2d21 |
EDVTAZ
force-pushed
the
RSA_extension
branch
from
ab54dfc
to
d63afdc
Compare
|
I have created the documentation for the extension, please let me know if it's all right. |
EDVTAZ
force-pushed
the
RSA_extension
branch
from
d63afdc
to
66ea0db
Compare
| * PKCS#1 v1.5 RSASSA pre-hashed sign/verify | ||
| */ | ||
|
|
||
| #define TEE_ALG_RSASSA_PKCS1_V1_5 0x70007830 |
There was a problem hiding this comment.
This defines a value in a range that as far as I can tell is reserved for future specifications.
There was a problem hiding this comment.
@jenswi-linaro indeed this is a problem. The future Internal Core API specification v1.2 (currently numbered v1.1.2.51) gets rid of the structure of algorithm identifiers (table 6-12) and defines a whole range for implementation-defined identifiers (0xF0000000-0xF0FFFFFF). A value in that range would be an option I guess, but that certainly means more invasive changes to the OP-TEE code which currently assumes the structure defined in the current spec.
There was a problem hiding this comment.
@jenswi-linaro @jforissier then would 0xF0000830 be all right for this define?
There was a problem hiding this comment.
@EDVTAZ I think it should be OK.
There was a problem hiding this comment.
@EDVTAZ ...but 0xF0000001 would be even better.
There was a problem hiding this comment.
I've tried to make this work, but a lot of macros that are used all over the place rely on the identifier's value having the above mentioned structure. Most of the time the macros are called in switch statements, so I can't insert cases for an identifier that doesn't follow the structure. I've inserted if-else statements before switch statements to get around this, but it seems I'm missing something somewhere, because it fails to work. The resulting code is also ugly and hard to read.
Could we maybe find a value that works with the current macros, or just keep the current value until the changes @jforissier mentioned get implemented?
There was a problem hiding this comment.
@jforissier @EDVTAZ , just a gentle reminder about this, since it seems like the discussion suddenly stopped (a since I also think it is a useful addition).
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
|
Sorry this took so long, I've had a lot to do in the past month. The above two commits change the |
| return CRYPT_PK_INVALID_PADDING; | ||
| } | ||
|
|
||
| if (padding == LTC_PKCS_1_PSS) { | ||
| if (padding != LTC_PKCS_1_V1_5_NA1) { |
There was a problem hiding this comment.
So now we're testing the hash for LTC_PKCS_1_V1_5 too. A bugfix?
There was a problem hiding this comment.
These changes were taken from the libtomcrypt repo: libtom/libtomcrypt@aa4bae5#diff-f8abc0f8fcc24d9959cf4792e56ccce5L58 I think it is intentional, although it is not mentioned in the commit message.
| /* test OID */ | ||
| if ((reallen == outlen) && | ||
| (digestinfo[0].size == hash_descriptor[hash_idx]->OIDlen) && | ||
| (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx]->OID, sizeof(unsigned long) * hash_descriptor[hash_idx]->OIDlen) == 0) && |
There was a problem hiding this comment.
Why change from XMEM_NEQ() to XMEMCMP() (same for the other lines below)?
There was a problem hiding this comment.
This change was introduced here: libtom/libtomcrypt@e9c90e7#diff-f8abc0f8fcc24d9959cf4792e56ccce5
core/tee/tee_svc_cryp.c
Outdated
| @@ -2062,6 +2069,9 @@ TEE_Result syscall_cryp_state_alloc(unsigned long algo, unsigned long mode, | |||
| break; | |||
| case TEE_OPERATION_ASYMMETRIC_CIPHER: | |||
| case TEE_OPERATION_ASYMMETRIC_SIGNATURE: | |||
| #ifdef CFG_CRYPTO_RSASSA_NA1 | |||
| RSASSA_NA1: | |||
There was a problem hiding this comment.
Labels should use lower case letters.
I think it's possible to the the __maybe_unused attribute on labels too, if that works please remove the ifdef here.
core/tee/tee_svc_cryp.c
Outdated
| if (data_len != hash_size) { | ||
| res = TEE_ERROR_BAD_PARAMETERS; | ||
| break; | ||
| #ifdef CFG_CRYPTO_RSASSA_NA1 |
There was a problem hiding this comment.
This ifdef and the one below clutters the code. It seems it would be harmless to remove them. If you agree please remove them, else we'll need to find some other way to avoid having them here.
There was a problem hiding this comment.
If I'm not mistaken, TEE_ALG_RSASSA_PKCS1_V1_5 is included here in this file, so to remove the ifdef in question, we would need to remove all the ifdefs that guard the include that I linked.
There was a problem hiding this comment.
This ifdeffing isn't OK so it will need to be fixed. I'm OK with unconditionally including tee_api_defines_extensions.h, another option is to put in a helper function cs->algo != TEE_ALG_RSASSA_PKCS1_V1_5 that would return true if CFG_CRYPTO_RSASSA_NA1 isn't defined. However, I'd prefer the less complicated solution.
There was a problem hiding this comment.
hello @EDVTAZ,
Could you rebase your commits on latest HEAD of the master branch?
Also, since your current patch serie is a collection of changes and late fixup, could you squash the fixup commits into their related change commit? to make a well formed patch serie.
EDVTAZ
force-pushed
the
RSA_extension
branch
from
b77e96b
to
52f6493
Compare
|
I've rebased and squashed the commits that belong together, I hope it's all right like this. |
|
@EDVTAZ , Travis failed because it hit the time limit. I don't think we have to bother about that. IBART passes which indicates that things are fine. |
|
For "libtomcrypt: port LTC_PKCS_1_V1_5_NA1 from ltc v1.18.2" please apply: |
This change ports LTC_PKCS_1_V1_5_NA1 from libtomcrypt v1.18.2. This scheme allows to do PKCS#1 v1.5 EMSA without ASN.1 around the hash. It is used for implementing the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS. This commit is a cherry pick of aa4bae5ae9a2 from the libtomcrypt repository. Link: <libtom/libtomcrypt@aa4bae5ae9a2> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
This change integrates the LTC_PKCS_1_V1_5_NA1 into OPTEE as an extension as TEE_ALG_RSASSA_PKCS1_V1_5. This scheme allows to do PKCS#1 v1.5 EMSA without ASN.1 around the hash. It is used for implementing the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Add TEE Core Internal API extension TEE_ALG_RSASSA_PKCS1_V1_5 to sign/verify pre-hashed PKCS#1 v1.5 EMSA without ASN.1 around the hash. This relies on libtomcrypt LTC_PKCS_1_V1_5_NA1. The extension can be turned on with CFG_CRYPTO_RSASSA_NA1. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Add documentation for the the TEE_ALG_RSASSA_V1_5 extension. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
EDVTAZ
force-pushed
the
RSA_extension
branch
from
52f6493
to
82711c5
Compare
|
Look ok to me, just a late comment: |
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
EDVTAZ
force-pushed
the
RSA_extension
branch
from
3f41ee4
to
c72d18a
Compare
|
I have added |
|
For "mk/config.mk: default enable CFG_CRYPTO_RSASSA_NA1": |
Enable the TEE_ALG_RSASSA_PKCS1_V1_5 extension by default. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
EDVTAZ
force-pushed
the
RSA_extension
branch
from
c72d18a
to
7b4c58b
Compare
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
I've been working with @etienne-lms, to add asymmetrical algorithms to the
SKS proposal. While testing with OpenSSH, I came across the usage of the
CKM_RSA_PKCS mechanism with the C_Sign function, which I couldn't implement
with the current cryptographic TEE API.
This extension allows signing and verifying raw/pre-hashed data,
without specifying a hash function. It is needed for implementing
the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS.
This patch adds the extension to the API and updates parts of
libtomcrypt to a newer version, to support this algorithm.
Signed-off-by: Gabor Szekely szvgabor@gmail.com