New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TEE_ALG_RSASSA_PKCS1_V1_5 #2524
Conversation
74d71e6
to
1bd6b44
Compare
This PR consists of two parts, one update of LTC and one update of OP-TEE. |
Ok, I will split it into two commits. |
OK, good. :-) |
Yes good indeed, it means we should take as a separate (and prerequisite) task to update LTC to the latest version... |
ab2c007
to
e9cbd3c
Compare
Yes, it would be nice to update LTC altogether (judging by the timestamps in some of the files it's as old as 2007, and there have been releases since then in LTC), but as far as I can tell, that would be a very lengthy process, given how many modifications were made to it over the time in this repository compared to the original one. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rephrase the commit. something like :
libtomcrypt: port LTC_PKCS_1_V1_5_NA1 from ltc v1.18.2
This change ports LTC_PKCS_1_V1_5_NA1 from libtomcrypt v1.18.2. This scheme is used for...
Chnage in ltc_provider could go in the 2nd commit.
Remove core/lib/libtomcrypt/src/pk/rsa/rsa_sign_hash.c.bak from the change.
@@ -13,6 +13,9 @@ | |||
#include <string_ext.h> | |||
#include <string.h> | |||
#include <tee_api_types.h> | |||
#if defined(CFG_SECURE_KEY_SERVICES) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can remove the condition
@@ -270,6 +273,9 @@ static TEE_Result tee_algo_to_ltc_hashindex(uint32_t algo, int *ltc_hashindex) | |||
case TEE_ALG_HMAC_SHA512: | |||
*ltc_hashindex = find_hash("sha512"); | |||
break; | |||
#endif | |||
#if defined(CFG_SECURE_KEY_SERVICES) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can remove the condition, here and below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rephrase the commit comment. Something like:
utee: support prehash RSA sign and verify
Add TEE Core Internal API extension TEE_ALG_RSASSA_PKCS1_V1_5 to sing/verify pre-hashed ... This rely on libtomcryp LTC_PKCS_1_V1_5_NA1 ...
core/tee/tee_svc_cryp.c
Outdated
@@ -19,7 +19,7 @@ | |||
#include <utee_defines.h> | |||
#include <util.h> | |||
#if defined(CFG_CRYPTO_HKDF) || defined(CFG_CRYPTO_CONCAT_KDF) || \ | |||
defined(CFG_CRYPTO_PBKDF2) | |||
defined(CFG_CRYPTO_PBKDF2) || defined(CFG_SECURE_KEY_STORAGE) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer another CFG_
. Maybe introduce CFG_CRYPTO_RSASSA
to default enable in the related make script.
I even wonder if we could not simply drop the condition and always include tee_api_defines_extensions.h.
core/tee/tee_svc_cryp.c
Outdated
@@ -3277,6 +3277,9 @@ TEE_Result syscall_asymm_operate(unsigned long state, | |||
} | |||
break; | |||
|
|||
#if defined(CFG_SECURE_KEY_SERVICES) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer another CFG_
. Maybe introduce CFG_CRYPTO_RSASSA
to default enable in the related make script.
@@ -0,0 +1,162 @@ | |||
// SPDX-License-Identifier: BSD-2-Clause |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove this file
Hi @EDVTAZ and thank for this PR. I think it is clean. Please try to format the commit comments as those already merged in the optee_os git tree. It helps maintenance. @jforissier I have had a quick look a ltc update. Most changes are ok but few descriptors which requires updates in the tee_ltc_provider.c. Maybe there are other things to take care of.. |
No, the last global sync was against a50cb361 2 years ago, and we have picked a few upstream commits since then. |
The first commit should be split further. It should contain only the LTC changes (no change to any OP-TEE files). From what I can tell, it is exactly a cherry-pick of upstream commit aa4bae5ae9a2 ("add option to do PKCS#1 v1.5 EMSA without ASN.1 around hash"), correct? If so, please mention this commit in the commit comment. The IBART error (4003.18) has to be investigated, too. |
@etienne-lms yes, we can merge this feature without a full LTC sync. |
...and then we also want:
|
e9cbd3c
to
e3e7e10
Compare
I removed the accidentally committed backup file, and some of the Tomorrow I will investigate the IBART error and start working on an xtest test case and some documentation. |
e3e7e10
to
6ecc5d0
Compare
IBART error was present, because I was working with an older version of OPTEE, that didn't have this commit: e770203 . I rebased my branch, so the tests should be good now. |
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
6ecc5d0
to
ab54dfc
Compare
I created the xtest test case, see: OP-TEE/optee_test#309 I also found some some errors in my code while testing, which I corrected in 06f2d21 |
ab54dfc
to
d63afdc
Compare
I have created the documentation for the extension, please let me know if it's all right. |
d63afdc
to
66ea0db
Compare
* PKCS#1 v1.5 RSASSA pre-hashed sign/verify | ||
*/ | ||
|
||
#define TEE_ALG_RSASSA_PKCS1_V1_5 0x70007830 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This defines a value in a range that as far as I can tell is reserved for future specifications.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jenswi-linaro indeed this is a problem. The future Internal Core API specification v1.2 (currently numbered v1.1.2.51) gets rid of the structure of algorithm identifiers (table 6-12) and defines a whole range for implementation-defined identifiers (0xF0000000-0xF0FFFFFF). A value in that range would be an option I guess, but that certainly means more invasive changes to the OP-TEE code which currently assumes the structure defined in the current spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jenswi-linaro @jforissier then would 0xF0000830
be all right for this define?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@EDVTAZ I think it should be OK.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@EDVTAZ ...but 0xF0000001
would be even better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've tried to make this work, but a lot of macros that are used all over the place rely on the identifier's value having the above mentioned structure. Most of the time the macros are called in switch statements, so I can't insert cases for an identifier that doesn't follow the structure. I've inserted if-else statements before switch statements to get around this, but it seems I'm missing something somewhere, because it fails to work. The resulting code is also ugly and hard to read.
Could we maybe find a value that works with the current macros, or just keep the current value until the changes @jforissier mentioned get implemented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jforissier @EDVTAZ , just a gentle reminder about this, since it seems like the discussion suddenly stopped (a since I also think it is a useful addition).
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Sorry this took so long, I've had a lot to do in the past month. The above two commits change the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems a good way to approach the algorithm class problem.
return CRYPT_PK_INVALID_PADDING; | ||
} | ||
|
||
if (padding == LTC_PKCS_1_PSS) { | ||
if (padding != LTC_PKCS_1_V1_5_NA1) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So now we're testing the hash for LTC_PKCS_1_V1_5
too. A bugfix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These changes were taken from the libtomcrypt repo: libtom/libtomcrypt@aa4bae5#diff-f8abc0f8fcc24d9959cf4792e56ccce5L58 I think it is intentional, although it is not mentioned in the commit message.
/* test OID */ | ||
if ((reallen == outlen) && | ||
(digestinfo[0].size == hash_descriptor[hash_idx]->OIDlen) && | ||
(XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx]->OID, sizeof(unsigned long) * hash_descriptor[hash_idx]->OIDlen) == 0) && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why change from XMEM_NEQ()
to XMEMCMP()
(same for the other lines below)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change was introduced here: libtom/libtomcrypt@e9c90e7#diff-f8abc0f8fcc24d9959cf4792e56ccce5
core/tee/tee_svc_cryp.c
Outdated
@@ -2062,6 +2069,9 @@ TEE_Result syscall_cryp_state_alloc(unsigned long algo, unsigned long mode, | |||
break; | |||
case TEE_OPERATION_ASYMMETRIC_CIPHER: | |||
case TEE_OPERATION_ASYMMETRIC_SIGNATURE: | |||
#ifdef CFG_CRYPTO_RSASSA_NA1 | |||
RSASSA_NA1: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Labels should use lower case letters.
I think it's possible to the the __maybe_unused
attribute on labels too, if that works please remove the ifdef here.
core/tee/tee_svc_cryp.c
Outdated
if (data_len != hash_size) { | ||
res = TEE_ERROR_BAD_PARAMETERS; | ||
break; | ||
#ifdef CFG_CRYPTO_RSASSA_NA1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ifdef and the one below clutters the code. It seems it would be harmless to remove them. If you agree please remove them, else we'll need to find some other way to avoid having them here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I'm not mistaken, TEE_ALG_RSASSA_PKCS1_V1_5
is included here in this file, so to remove the ifdef in question, we would need to remove all the ifdefs that guard the include that I linked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ifdeffing isn't OK so it will need to be fixed. I'm OK with unconditionally including tee_api_defines_extensions.h
, another option is to put in a helper function cs->algo != TEE_ALG_RSASSA_PKCS1_V1_5
that would return true if CFG_CRYPTO_RSASSA_NA1
isn't defined. However, I'd prefer the less complicated solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed the guards
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hello @EDVTAZ,
Could you rebase your commits on latest HEAD of the master branch?
Also, since your current patch serie is a collection of changes and late fixup, could you squash the fixup commits into their related change commit? to make a well formed patch serie.
b77e96b
to
52f6493
Compare
I've rebased and squashed the commits that belong together, I hope it's all right like this. |
@EDVTAZ , Travis failed because it hit the time limit. I don't think we have to bother about that. IBART passes which indicates that things are fine. |
For "libtomcrypt: port LTC_PKCS_1_V1_5_NA1 from ltc v1.18.2" please apply: |
This change ports LTC_PKCS_1_V1_5_NA1 from libtomcrypt v1.18.2. This scheme allows to do PKCS#1 v1.5 EMSA without ASN.1 around the hash. It is used for implementing the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS. This commit is a cherry pick of aa4bae5ae9a2 from the libtomcrypt repository. Link: <libtom/libtomcrypt@aa4bae5ae9a2> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
This change integrates the LTC_PKCS_1_V1_5_NA1 into OPTEE as an extension as TEE_ALG_RSASSA_PKCS1_V1_5. This scheme allows to do PKCS#1 v1.5 EMSA without ASN.1 around the hash. It is used for implementing the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Add TEE Core Internal API extension TEE_ALG_RSASSA_PKCS1_V1_5 to sign/verify pre-hashed PKCS#1 v1.5 EMSA without ASN.1 around the hash. This relies on libtomcrypt LTC_PKCS_1_V1_5_NA1. The extension can be turned on with CFG_CRYPTO_RSASSA_NA1. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Add documentation for the the TEE_ALG_RSASSA_V1_5 extension. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
52f6493
to
82711c5
Compare
Look ok to me, just a late comment: |
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
3f41ee4
to
c72d18a
Compare
I have added |
For "mk/config.mk: default enable CFG_CRYPTO_RSASSA_NA1": |
Enable the TEE_ALG_RSASSA_PKCS1_V1_5 extension by default. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
c72d18a
to
7b4c58b
Compare
This test checks the TEE_ALG_RSASSA_PKCS1_V1_5 extension, that allows to sign data without including the hash OID in the signature. The test vector data is copied from one of the already present vectors, with the hash OID manually removed in the signature. Link: <OP-TEE/optee_os#2524> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
I've been working with @etienne-lms, to add asymmetrical algorithms to the
SKS proposal. While testing with OpenSSH, I came across the usage of the
CKM_RSA_PKCS mechanism with the C_Sign function, which I couldn't implement
with the current cryptographic TEE API.
This extension allows signing and verifying raw/pre-hashed data,
without specifying a hash function. It is needed for implementing
the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS.
This patch adds the extension to the API and updates parts of
libtomcrypt to a newer version, to support this algorithm.
Signed-off-by: Gabor Szekely szvgabor@gmail.com