Implement PCT for EDDSA #23408
Implement PCT for EDDSA #23408
Conversation
openssl-machine
added
the
hold: cla required
|
There is a PR #22112 that implements the POST for EdDSA. Also we would need a signed CLA to be able to accept this contribution. |
t8m
added
branch: master
|
Yes, I notice there is a PR for EDDSA self-test. Therefore, I just implement PCT here. I will send a signed CLA as soon as possible. |
|
A signed ICAL have been sent to legal@opensslfoundation.org with title By the way, I also notice there is a PR to add EDDSA support to EVP_PKEY_sign/verify. |
| OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, | ||
| OSSL_SELF_TEST_DESC_PCT_EDDSA); | ||
|
|
||
| alg = EVP_SIGNATURE_fetch(ecx->libctx, instance, NULL); |
There was a problem hiding this comment.
If you look at other places that do this, they all avoid the overhead of doing the fetch by calling directly into low level API's. Its bad enough that we need to do this in the first place :). So crypto/ecx.h would be better to use for this.
Could you also add a comment block to the top of the function that references the relevant section in the FIPS 140-3 IG that forces us to do this..
There was a problem hiding this comment.
Does it need to do sign + verify or is just doing a KAT sufficient for this purpose?
There was a problem hiding this comment.
If you look at other places that do this, they all avoid the overhead of doing the fetch by calling directly into low level API's. Its bad enough that we need to do this in the first place :). So crypto/ecx.h would be better to use for this.
Yes, I noticed that RSA and ECDSA use low-level API like ECDSA_do_sign to do this, but didn't aware there are ossl_ed25519_sign and other APIs for EDDSA.
I will try to change the implementation using them. Thank you.
Could you also add a comment block to the top of the function that references the relevant section in the FIPS 140-3 IG that forces us to do this..
Of course, I will add it in next commit.
Does it need to do sign + verify or is just doing a KAT sufficient for this purpose?
The addition comment in IG says
Though not a CAST, a pairwise consistency test (PCT) shall be conducted for every generated
public and private key pair for the applicable approved algorithm ... shall be performed.
If at the time a PCT on a key pair is performed it is known whether the keys will be used in a key
agreement scheme, digital signature algorithm or to perform a key transport, then the PCT shall be
performed consistent with the intended use of the keys ..., even if the underlying standard does not
require a PCT.
... The PCT shall be performed either when keys are generated/imported, prior to the first
exportation, or prior to the first operational use (if not exported before the first use).
In my opinion, I think it is needed to do sign + verify for every generated key, just like DSA, ECDSA and RSA.
If there is a worry about it, I may ask our lab to confirm it.
There was a problem hiding this comment.
As we cant use X25519/X448 in FIPS 140-3 currently, then we know that the keygen result can only be used for signature purposes.. Until that changes we can only do the sign test here :)
There was a problem hiding this comment.
The question is whether this has to be part of the key generation algorithm or if it would be sufficient to make mandatory that an application uses EVP_PKEY_pairwise_check() before the first use of the keypair. However please note that EVP_PKEY_pairwise_check() does not do a PCT for EdDSA keys - it just regenerates the public key from the private key and compares the result with the original public key. So we would have to change the pairwise check anyway.
There was a problem hiding this comment.
The question is whether this has to be part of the key generation algorithm or if it would be sufficient to make mandatory that an application uses EVP_PKEY_pairwise_check() before the first use of the keypair.
After confirming with our lab, the lab states that PCT should be performed automatically as soon as the key is generated. Therefore, it should be a part of the key generation.
So we would have to change the pairwise check anyway.
Please let me confirm it again, so I should replace callings of ossl_ed*_public_from_private with ecd_keygen_pairwise_test (maybe rename to a more common name) in ecx_key_pairwise_check for types ECX_KEY_TYPE_ED25519 and ECX_KEY_TYPE_ED448. Is it right?
There was a problem hiding this comment.
Please let me confirm it again, so I should replace callings of
ossl_ed*_public_from_privatewithecd_keygen_pairwise_test(maybe rename to a more common name) inecx_key_pairwise_checkfor typesECX_KEY_TYPE_ED25519andECX_KEY_TYPE_ED448. Is it right?
I would do that at least within the FIPS_MODULE ifdefs. @slontis What is your opinion? IMO the current pairwise check for EdDSA keys is not FIPS compliant.
There was a problem hiding this comment.
The commit pushed.
I make it run sign + verify operations in FIPS provider and original operation in default provider.
t8m
added
approval: review pending
|
CI is relevant |
github-actions
bot
added
the
severity: fips change
| @@ -756,6 +867,23 @@ static int ecx_key_pairwise_check(const ECX_KEY *ecx, int type) | |||
| case ECX_KEY_TYPE_X448: | |||
| ossl_x448_public_from_private(pub, ecx->privkey); | |||
| break; | |||
| default: | |||
There was a problem hiding this comment.
Is the validate required to use the same test? (Not sure they need to be the same,
especially since at some point the X25519/X448 might be allowed, so the PCT in the keygen could be either in that case sign or encrypt.) @t8m do you have any opinion on this?
There was a problem hiding this comment.
Since X25519/X448 currently is not approved but allowed algorithm, I think it may be not required to use the same test.
There was a problem hiding this comment.
IMO the validate() call should do the same as required for FIPS at least in the FIPS_MODULE case. So it covers the - PCT validation of the keypair on import case. I do not see any problem with doing the existing thing for the X* keys and doing this PCT for ED* keys in validate().
t8m
added
the
approval: otc review pending
0140454
force-pushed
the
feat-eddsa-pct
branch
from
89c12de
to
6f2ffd9
Compare
|
openssl-machine
removed
the
hold: cla required
0140454
force-pushed
the
feat-eddsa-pct
branch
from
2d3f42d
to
27d3632
Compare
t8m
removed
the
approval: otc review pending
|
Hi @t8m , The
Is it possible to get more information about failure? |
|
The CI failure is unrelated |
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys. This commit implements PCT for EDDSA via performing sign and verify operations after key generated.
0140454
force-pushed
the
feat-eddsa-pct
branch
from
27d3632
to
10b5238
Compare
|
Rebased dev branch onto current master branch. |
paulidale
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Squashed and merged to the master branch. Thank you for your contribution. |
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys. This commit implements PCT for EDDSA via performing sign and verify operations after key generated. Also use the same pairwise test logic in EVP_PKEY_keygen and EVP_PKEY_pairwise_check for EDDSA in FIPS_MODULE. Add OSSL_SELF_TEST_DESC_PCT_EDDSA to OSSL_PROVIDER-FIPS page. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23408)
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys.
This commit implements PCT for EDDSA via performing sign and verify operations after key generated.
Checklist