-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
request to support RSA OAEP padding #70
Comments
Once 0e84a1e gets merged into https://github.com/OpenSC/libp11, this issue can be closed, IMHO. (In fact, it does even more than I originally asked, by adding PSS signatures.) |
This is great news. I wrote some initial code, but I haven't tested it at all. Could you share the results of your tests? Specifically, whether the data encrypted with a private key on the device can be successfully decrypted with the corresponding public key, and whether the data encrypted with a public key can be successfully decrypted on the device with the corresponding private key. |
Thank you!
I will post them here. My only concern at this point is - I don't fully understand how, e.g., RSA-PSS is done when the token itself only does "plain" raw RSA. But I'll run some more tests and will post the results here. So far they look encouraging, to say the least. |
I don't have the signature testing code yet, will do later. Here's the encryption/decryption code excerpt (in both cases the asymmetric key is on the token :), with most of the checks culled out to save space. Please let me know if this is what you expect, and/or if you'd like something else.
Here's the public key used:
Here's the output:
More output (another invocation):
More:
|
Great. Thank you very much for testing it. I guess it is okay to have public keys "on the token", because libp11 just feeds them into OpenSSL anyway, instead of executing public key operations via PKCS#11.
Each PKCS#11 module is not really just an interface to hardware, but rather a self-contained cryptographic library. Only some sensitive primitives (PRNG or private key computation) have to be performed on the actual hardware. For RSA-PSS signatures this boils down to the RSASP1 primitive, which is also used in the basic PKCS#1 v1.5 signature. The remaining data conversion primitives can technically be implemented in the PKCS#11 (software) module rather than on the (hardware) device. Correct me if I'm wrong, but the OpenSC PKCS#11 module does not seem to implement RSA-OAEP nor RSA-PSS:
What is your output of |
My pleasure - thank you for adding this capability (and so quickly too).
It's more than "okay" - it's a necessity for cases like "encrypted filesystem". Work-arounds could be possible, but way too cumbersome. So thank God that public keys "on the token" work fine.
I just wasn't sure that was the case, not knowing myself where exactly in the code that implementation lives.
Correct, as far as I know:
|
I dug deeper into the guts of OpenSSL, and it doesn't really use OAEP provided by the engine. Instead, it applies its own OAEP padding, and only uses the engine for raw RSA. My commit has also enabled raw RSA support in the From crypto/rsa/rsa_pmeth.c: static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen)
{
int ret;
RSA_PKEY_CTX *rctx = ctx->data;
if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
int i;
if (!setup_tbuf(rctx, ctx))
return -1;
ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
ctx->pkey->pkey.rsa, RSA_NO_PADDING);
if (ret <= 0)
return ret;
for (i = 0; i < ret; i++) {
if (rctx->tbuf[i])
break;
}
ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i,
ret - i, ret,
rctx->oaep_label,
rctx->oaep_labellen,
rctx->md, rctx->mgf1md);
} else
ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
rctx->pad_mode);
if (ret < 0)
return ret;
*outlen = ret;
return 1;
}
|
Perfect. That's what I expected, more or less. I'll make more extensive cross-library tests (creating something in BouncyCastle or such, and decrypting using my OpenSSL stint, and/or vs versa). But I think what has been already demonstrated is sufficient. Thank you again! |
Since this issue was addressed with simple enabling raw RSA support in the pkcs11_private_decrypt() method, the tests you already performed are more than enough. Thank you again. |
The title says it all: it would be great if
libp11
(p11_rsa.c
andp11_ops.c
in particular) could supportRSA_PKCS1_OAEP_PADDING
in addition toRSA_PKCS1_PADDING
.The text was updated successfully, but these errors were encountered: