-
Notifications
You must be signed in to change notification settings - Fork 729
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ECDSA flags #2190
ECDSA flags #2190
Conversation
CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way. We need to use sc_pkcs11_register_sign_and_hash_mechanism () for CKM_ECDSA_SHA1. This fix also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512) CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
This PR is based on discussion with @popovec in OpenSC#2181 and OpenSC#2187 which was cherry-picked as 5e53008 This has been tested with PIV, MyEID and Smartcard-HSM. with ECDSA keys. The main fixes include : - Setting "flags" in card drivers - added code to sc_pkcs15-compute-signature for handle ECDSA with hashes - code in framework-pkcs15.c Signatures made by pkcs11-tool -sigm verify with openssl but pkcs11-tool --verify does not work with ECDSA but does with RSA I suspect it has to do with: and some then creating the wrong PKCS11 mechanisms It should work with the epass2003 which does hashes in the driver.
Thanks, I looked at patch - looks good. There is also SC_ALGORITHM_ECDSA_HASH_SHA1 in Just one comment to ECDSA verify .. ECDSA verify operation is completely different from RSA. RSA is running in symmetric way i.e. what is encrypted by public key this is decrypted by private key .. and in reverse.. if I do encrypt with private key = signature , then decrypt with public key return back the signature = verify. ECDSA has no such symmetry, even private key is only one number, public key two numbers. Repeated signing of the same data will return different numbers (r, s) in each signature. This is because a different temporal key is used. From a mathematical point of view, ECDSA verification is a different operation than an ECDSA signature. Maybe some of (OpenSC) supported cards offer It is likely that ECDSA verification support must be completely rewritten and left to openssl. |
The --signature-format openssl in pkcs11-tool does the correct operation to convert the OpenSSL formated signature to rs for PKCS11 This commit modifies pkcs11/openssl.c to convert back to sequence for EVP_VerifyFinal Without this mod the signature file was passed unmodified to PKCS11, then to EVP_VerifyFinal but this violates PKCS11 standard. On branch ECDSA-flags Changes to be committed: modified: openssl.c
This last commit fixes the problem with opensc-pkcs11.so verify of ECDSA-SHA* signatures. The pkcs11-tool verify --signature-format openssl now works as expected when reading a ECDSA signature file in the openssl sequence format, it is converted to the PKCS11 format of r,s. the pkcs11/openssl.c will now that the r,s and convert to openssl sequence for EVP_VerifyFinal. |
I tested this patch with MyEID and OsEID card, all ECDSA-SHAxxx mechanism seems running ok (with all supported EC keys). Verification works as expected, except verify of RAW ECDSA...
I added some code into openssl.c (patch below) .. now ECDSA verify is working. It would be good to integrate this code into your patch.
|
Yesterday opendnssec/SoftHSMv2#590 fixed a bug for EVP_md_null() OpenSC has not used this in the past, but I would bet we could use it for ECDSA and even RSA.
Are you willing to look at this? If not, your mod should work. |
Thanks for the information. I'll look into it. Openssl offers more options for signature verification. |
I tested the solution using
for The function For completeness, if anyone would like to test this (of course, this is just a part of the code that should be used with the above patch):
|
Sounds like your mod is better then trying to use EVP_md_null. |
Details from openssl: The Here relevant part (openssl from debian sources 1.1.1i):
It seems to me, that it is not possible to use |
Does it make sense from security point of view to allow raw ECDSA? |
PKCS#11 defines the CKM_ECDSA so OpenSC supports it.
But that does not answer your question. The answer may be ECDSA is not
used for encryption.
For signature verification the verifier knows the data to be signed and
thus the hash. Or knows or brut force tries to guess the short data. But if
found they have not learned anything. The r,s is used to prove the signer
knows the private key not the hash.
…On Tue, Dec 29, 2020, 2:33 PM Mouse ***@***.***> wrote:
Does it make sense from security point of view to allow raw ECDSA?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2190 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGTIMPTN4NZ2F3MCJCBQGDSXI4JDANCNFSM4VESSDVA>
.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if (EVP_PKEY_get0_EC_KEY(pkey))
- if here NULL is returned, key is inconsistent witch the ECDSA operation. I suggest to return CKR_KEY_TYPE_INCONSISTENT in this case, and not to call EVP_VerifyFinal()
Are you referring to line 493? |
This test is fine, if the key is not an EC key, we cannot proceed .. line 507: I think it would be better to change line 507: |
There is no real difference between the security of raw ECDSA (ie CKM_ECDSA) and those using "strong" hashing" such as CKM_ECDSA_SHA256. In recent years the weakness in ECDSA implementations has been because of the poor selection of the random number (i.e. playstation 3 attack) or side channel attacks due to attacks on scalar arithmetic (see Minerva attack). I think there are use cases for raw ECDSA where small amounts of data are exchanged for signing/verification. To minimize attacks on the random number aspects "deterministic" ECDSA can be used (see RFC 6979)- where a random number number is not used. Although I'm not sure a PKCS#11 mechanism has been defined for this - even in 3.0 |
Look at original code: if (md_ctx) { This works for RSA. The mod inserted an EC only version: |
Oh yes, you're right. Currently, only the public RSA or public EC key can be found here. If it's not an EC key, we can really complete the operation with the RSA key. |
On branch ECDSA-flags Changes to be committed: modified: framework-pkcs15.c
ECDSA Signatures with hashes
Fixes:#2181 (Partially)
Checklist