-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[design] Functions for explicitly fetched signature algorithms #22672
base: master
Are you sure you want to change the base?
[design] Functions for explicitly fetched signature algorithms #22672
Conversation
317c78b
to
07c769d
Compare
This design is still missing some provider interfaces to be added. I'm currently looking more closely at that. But don't let that stop you from commenting or discussing further in #22671, input is welcome! |
07c769d
to
b986ca5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good so far, although I need to think through how applications should change to be able to use these new functions but still work with old providers and legacy.
doc/designs/functions-for-explicitly-fetched-signature-algorithms.md
Outdated
Show resolved
Hide resolved
doc/designs/functions-for-explicitly-fetched-signature-algorithms.md
Outdated
Show resolved
Hide resolved
This new functionality won't support legacy. This is about explicitly fetched algorithms, there's nothing legacy about that. The streaming functions (update, final) will also not be possible to use with old providers. The one-shot functions should continue to work transparently, however. |
doc/designs/functions-for-explicitly-fetched-signature-algorithms.md
Outdated
Show resolved
Hide resolved
doc/designs/functions-for-explicitly-fetched-signature-algorithms.md
Outdated
Show resolved
Hide resolved
doc/designs/functions-for-explicitly-fetched-signature-algorithms.md
Outdated
Show resolved
Hide resolved
This PR is waiting for the creator to make requested changes but it has not been updated for 30 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
This PR is waiting for the creator to make requested changes but it has not been updated for 61 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
a4be04b
to
1dd902c
Compare
Rebased... Also, I had forgotten that this was still draft, it should have been made ready for review a while ago. |
This PR is waiting for the creator to make requested changes but it has not been updated for 30 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
This PR is waiting for the creator to make requested changes but it has not been updated for 61 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
This PR has been closed. It was waiting for the creator to make requested changes but it has not been updated for 90 days. |
@levitte please drop the unrelated fuzz-corpora submodule change. |
1dd902c
to
e50903a
Compare
I squashed and rebased too, while I was at it |
@vdukhovni this is a relevant discussion #23240 (comment) |
There was a discussion on how ED25519 would fit in this API proposal, considering its double-pass nature (which I had frankly forgotten). To me, that would make it perfectly suitable for oneshot functionality (which is essentially what int EVP_PKEY_sign_init_ex2(EVP_PKEY_CTX *pctx,
EVP_SIGNATURE *algo, const OSSL_PARAM params[]); ... and then call In provider terms, I would have an ED25519 implementation implement All that said, what you could call such a signature implementation? |
That's why you need all these APIs:
Let's look at which algos would implement what:
Let me explain the Ed25519ph - the primitive operation signs a hash value created with SHA-512, the oneshot data uses SHA-512 to hash arbitrary message (in one shot) and then signs the hash value with the Ed25519ph primitive and similarly for the streaming data signature. As you can see for some algorithms all the three operations make sense and are doing something different. |
To me, the "primitive operation" sounds exactly like feeding a SHA-512 hash result to ED25519. This is, incidently, exactly what RFC8032 says:
So in a way, one could say that it makes ED25519 the "primitive" for ED25519ph. UPDATE: The "primitive" ED25519ph, as you express it, makes it exactly the same as ED25519, the only difference being that tbs (in I think we, again, need to actually define, at least for ourselves, what we want "primitive" to mean, on a conceptual level... at least if we want to continue with that distinction. |
In a chat, @t8m and I came to the following definition of "primitive":
I'll try to work that into the design text |
There's been an exchange in #23240 that lead me to think that "primitive" isn't the best name for what's been discussed. How about "digest" or "prehash": int EVP_PKEY_sign_init_for_digest(EVP_PKEY_CTX *pctx,
EVP_SIGNATURE *algo, const OSSL_PARAM params[]); I think that gives a better idea what this is supposed to do. While I'm at it, "message" might also be a better name than "data"... (I imagine that |
Heh, and that's why I hate the I have strong opinion the existing EVP_PKEY_sign_init() must be internally just an alias (apart from the EVP_SIGNATURE argument) for the primitive sign init (or whatever you call it). Otherwise this will be unimplementable properly on the provider side. Or, in other words, on the provider side you have to reflect the difference between the primitive and data inits otherwise the same confusion that is on the EVP API side will happen on the provider side. |
In light of PKCS#1, where the cryptographic primitives are RSAEP, RSADP, RSASP1 and RSAVP1, using "primitive" for something that's a bit higher level can be quite confusing. Meanwhile, the intent with this form is explicitly to take a pre-hash as input, right? I find it more clear if the function name reflects that intention.
Agreed, and if you look at the updated design, that's what I did. |
It's a source of confusion. For example, if you come from reading PKCS#1, the primitives are cryptographic primitives are RSAEP, RSADP, RSASP1 and RSAVP1. They take raw data (represented as numbers) with no further assumptions made on them. That's a fairly intuitive use of the word "primitive", actually meaning primitive. Of course, |
The problem is that this function has to be able to do both - the sign primitive and the sign digest operations. But yeah, I am not going to insist on the |
I was hoping you'd see it that way. That is, instead of thinking in terms of how things are implemented, we should focus on the semantic properties of the APIs. And as @davidben pointed out, these are:
We're presently missing a IUF APIs for Ed25519ph and Ed448ph, which would be nice to also expose via David |
What we don't have is a IUF API that uses a full, explicitly fetched EVP_SIGNATURE. That would be useful for, like you said, ED25519ph, but also sha256WithRSAEncryption. That's what this design is for. |
Yes. Does the prior discussion then suggest a better name than "primitive"? Given IUF, we want some sort of context, that may as well capture at least the full signature algorithm (RSAwithXXX or Ed25519ph, ...), and perhaps also the key (unless that's part of "init", with "create" or "new" allocating the context). Do you have a fully fleshed out IUF API (modulo its name)? |
This design is all about extending the This actually summarizes what's written in the design file. I encourage you to have a closer look. |
Of course one option would be to call the new function for the sign primitive or sign digest operation just EVP_PKEY_sign_init_ex(). Whether that makes it good enough name to not be confused with the EVP_PKEY_sign_message_init() I do not know. |
That was my original design (it would have to be |
Yeah, unfortunately, given there is no better name that would encompass both primitive (i.e. no padding in case of RSA) and less-primitive operations (i.e. PKCS1 1.5 or PSS padding). |
#### Signing a stream | ||
|
||
``` C | ||
int EVP_PKEY_sign_init_for_message(EVP_PKEY_CTX *pctx, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would call it EVP_PKEY_sign_message_init().
const unsigned char *in, size_t inlen); | ||
int EVP_PKEY_sign_final(EVP_PKEY_CTX *ctx, | ||
unsigned char *sig, size_t *siglen); | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We will also need a oneshot. I.e., EVP_PKEY_sign_message(). And I would change those two above to EVP_PKEY_sign_message_update() and EVP_PKEY_sign_message_final().
doc/designs/functions-for-explicitly-fetched-signature-algorithms.md
Outdated
Show resolved
Hide resolved
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago |
@vdukhovni, you've asked me to provide some demo code for you to look at. I'm currently working on the implementation in #23416, which includes enhanced documentation of both EVP_PKEY_sign.pod and EVP_PKEY_verify.pod, with a number of examples in each. Is that good enough to at least eyeball? (all examples refer to "RSA-SHA256", which I haven't finished implementing next, but am currently working on, with the hope to be done today or tomorrow) |
This design goes into more details what was outlined in the design for [fetching composite (PKEY) algorithms and using them]. It also changes what functionality will be used for this. The design for signature was originally to add modified initializers for DigestSign and DigestVerify, but recent OTC discussions redirected us to have a closer look at EVP_PKEY_sign() and EVP_PKEY_verify(). [fetching composite (PKEY) algorithms and using them]: ./fetching-composite-algorithms.md
This modifies the design - yet again - as discussions have revealed aspects that weren't immediately apparent.
This mostly expands the explanatory text, but also makes a statement on how the new functionality is designed.
720e57e
to
b48d288
Compare
This design goes into more details what was outlined in the design for
fetching composite (PKEY) algorithms and using them.
It also changes what functionality will be used for this. The design for
signature was originally to add modified initializers for DigestSign and
DigestVerify, but recent OTC discussions redirected us to have a closer look
at
EVP_PKEY_sign()
andEVP_PKEY_verify()
.Finally, it also takes into account the need to specify the signature
to be verified against with
EVP_PKEY_verify()
streaming functions,which has been discussed in #22357.
Related to #22357 (in progress), #22129 (merged), and openssl/project#231