New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement PCT for EDDSA #23408
Implement PCT for EDDSA #23408
Conversation
There is a PR #22112 that implements the POST for EdDSA. Also we would need a signed CLA to be able to accept this contribution. |
Yes, I notice there is a PR for EDDSA self-test. Therefore, I just implement PCT here. I will send a signed CLA as soon as possible. |
A signed ICAL have been sent to legal@opensslfoundation.org with title By the way, I also notice there is a PR to add EDDSA support to EVP_PKEY_sign/verify. |
OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, | ||
OSSL_SELF_TEST_DESC_PCT_EDDSA); | ||
|
||
alg = EVP_SIGNATURE_fetch(ecx->libctx, instance, NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you look at other places that do this, they all avoid the overhead of doing the fetch by calling directly into low level API's. Its bad enough that we need to do this in the first place :). So crypto/ecx.h would be better to use for this.
Could you also add a comment block to the top of the function that references the relevant section in the FIPS 140-3 IG that forces us to do this..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it need to do sign + verify or is just doing a KAT sufficient for this purpose?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you look at other places that do this, they all avoid the overhead of doing the fetch by calling directly into low level API's. Its bad enough that we need to do this in the first place :). So crypto/ecx.h would be better to use for this.
Yes, I noticed that RSA and ECDSA use low-level API like ECDSA_do_sign
to do this, but didn't aware there are ossl_ed25519_sign
and other APIs for EDDSA.
I will try to change the implementation using them. Thank you.
Could you also add a comment block to the top of the function that references the relevant section in the FIPS 140-3 IG that forces us to do this..
Of course, I will add it in next commit.
Does it need to do sign + verify or is just doing a KAT sufficient for this purpose?
The addition comment in IG says
Though not a CAST, a pairwise consistency test (PCT) shall be conducted for every generated
public and private key pair for the applicable approved algorithm ... shall be performed.
If at the time a PCT on a key pair is performed it is known whether the keys will be used in a key
agreement scheme, digital signature algorithm or to perform a key transport, then the PCT shall be
performed consistent with the intended use of the keys ..., even if the underlying standard does not
require a PCT.
... The PCT shall be performed either when keys are generated/imported, prior to the first
exportation, or prior to the first operational use (if not exported before the first use).
In my opinion, I think it is needed to do sign + verify for every generated key, just like DSA, ECDSA and RSA.
If there is a worry about it, I may ask our lab to confirm it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we cant use X25519/X448 in FIPS 140-3 currently, then we know that the keygen result can only be used for signature purposes.. Until that changes we can only do the sign test here :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The question is whether this has to be part of the key generation algorithm or if it would be sufficient to make mandatory that an application uses EVP_PKEY_pairwise_check() before the first use of the keypair. However please note that EVP_PKEY_pairwise_check() does not do a PCT for EdDSA keys - it just regenerates the public key from the private key and compares the result with the original public key. So we would have to change the pairwise check anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The question is whether this has to be part of the key generation algorithm or if it would be sufficient to make mandatory that an application uses EVP_PKEY_pairwise_check() before the first use of the keypair.
After confirming with our lab, the lab states that PCT should be performed automatically as soon as the key is generated. Therefore, it should be a part of the key generation.
So we would have to change the pairwise check anyway.
Please let me confirm it again, so I should replace callings of ossl_ed*_public_from_private
with ecd_keygen_pairwise_test
(maybe rename to a more common name) in ecx_key_pairwise_check
for types ECX_KEY_TYPE_ED25519
and ECX_KEY_TYPE_ED448
. Is it right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please let me confirm it again, so I should replace callings of
ossl_ed*_public_from_private
withecd_keygen_pairwise_test
(maybe rename to a more common name) inecx_key_pairwise_check
for typesECX_KEY_TYPE_ED25519
andECX_KEY_TYPE_ED448
. Is it right?
I would do that at least within the FIPS_MODULE ifdefs. @slontis What is your opinion? IMO the current pairwise check for EdDSA keys is not FIPS compliant.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit pushed.
I make it run sign + verify operations in FIPS provider and original operation in default provider.
CI is relevant |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add to doc/man7/OSSL_PROVIDER-FIPS.pod also
@@ -756,6 +867,23 @@ static int ecx_key_pairwise_check(const ECX_KEY *ecx, int type) | |||
case ECX_KEY_TYPE_X448: | |||
ossl_x448_public_from_private(pub, ecx->privkey); | |||
break; | |||
default: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the validate required to use the same test? (Not sure they need to be the same,
especially since at some point the X25519/X448 might be allowed, so the PCT in the keygen could be either in that case sign or encrypt.) @t8m do you have any opinion on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since X25519/X448 currently is not approved but allowed algorithm, I think it may be not required to use the same test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO the validate() call should do the same as required for FIPS at least in the FIPS_MODULE case. So it covers the - PCT validation of the keypair on import case. I do not see any problem with doing the existing thing for the X* keys and doing this PCT for ED* keys in validate().
89c12de
to
6f2ffd9
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one minor nit
2d3f42d
to
27d3632
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK if CI passes
Hi @t8m , The
Is it possible to get more information about failure? |
The CI failure is unrelated |
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys. This commit implements PCT for EDDSA via performing sign and verify operations after key generated.
27d3632
to
10b5238
Compare
Rebased dev branch onto current master branch. |
This pull request is ready to merge |
Squashed and merged to the master branch. Thank you for your contribution. |
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys. This commit implements PCT for EDDSA via performing sign and verify operations after key generated. Also use the same pairwise test logic in EVP_PKEY_keygen and EVP_PKEY_pairwise_check for EDDSA in FIPS_MODULE. Add OSSL_SELF_TEST_DESC_PCT_EDDSA to OSSL_PROVIDER-FIPS page. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23408)
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be performed consistent with the intended use of the keys.
This commit implements PCT for EDDSA via performing sign and verify operations after key generated.
Checklist