Hi Hongbo, On 4/7/21 10:27 AM, hongbo li wrote: > Hello Varad, > > I also made an implementation of rsa pss: "[PATCH v3 0/4] crypto: add > rsa pss support for x509". > I notice your patches and did some review, find the following > differences between our patches: > 1. You rework the rsa pad framework. This is reasonable. > 2. You did some changes on the keyctl and asymmetric struct. I don't > see the reason. > Because for x509 layer, it only need to know the hash param, and > could ignore other params(salt len, mgfhash). > Let rsa-pss itself parse the pss related params. So it seems we > don't need to change asymmetric's > common struct.
A signature might be generated with a different set of params than those used for signing the x509 certificate that wraps the corresponding pubkey. In this case, using the params that came in when the pubkey was loaded, instead of params for the actual signature would be incorrect. I see struct public_key_signature as the right place to store such state, regardless of where the signature came from (detached or selfsigned). For the same reason, I also prefer the parsing machinery for signature params be kept in x509_cert_parser instead of unpacking a buffer in the PSS akcipher's set_pub_key implementation [1]. Going that way, we also end up parsing these params twice, since x509 needs to unpack the hash algorithm in a pss-specific way anyway. For the IMA usecase, since x509_key_preparse() would have already filled in the params in public_key_signature, asymmetric_verify should be able to find and set these from key->payload before calling verify_signature(). > 3. Why reject the cert whose MGF is different from the hash function > used for signature generation? > My implementation could support different hashes, so don't get your point. The verify operation (psspad_verify_complete [3]) in theory supports it, which I've tested against such certificates crafted via openssl. I chose to reject such certificates early on during x509 parsing since, - these are not a common occurence in practice, and - testing (besides via openssl) without a set of reference vectors to harden the verification against seemed insufficient. I've had some more test runs complete in the meantime, and I'll drop that check in the next round. > 4. I add a test vector and a patch to support using rsa-pss for iam. > 5. Other implementation difference, i.e. the mgf and verify functions. > > Maybe we could merge our patches, what's your opinion? > Sounds good. I'll send out a v2 soon, and if you agree, the test vector [4] and IMA [5] can go on top of it? [1] https://patchwork.kernel.org/project/linux-crypto/patch/1617802906-30513-3-git-send-email-herbert.tenc...@gmail.com/ [2] https://patchwork.kernel.org/project/linux-crypto/patch/1617802906-30513-5-git-send-email-herbert.tenc...@gmail.com/ [3] https://patchwork.kernel.org/project/linux-crypto/patch/20210330202829.4825-2-varad.gau...@suse.com/ [4] https://patchwork.kernel.org/project/linux-crypto/patch/1617802906-30513-4-git-send-email-herbert.tenc...@gmail.com/ Regards, Varad > Best regards > > Hongbo > > Varad Gautam <varad.gau...@suse.com> 于2021年3月31日周三 上午4:31写道: >> >> An X.509 wrapper for a RSASSA-PSS signature contains additional >> signature parameters over the PKCSv.15 encoding scheme. Extend the >> x509 parser to allow parsing RSASSA-PSS encoded certificates, with >> the defaults taken from RFC8017. >> >> A certificate is rejected if the hash function used for the MGF is >> different from the hash function used for signature generation, >> although this is allowed in RFC8017. >> >> References: https://tools.ietf.org/html/rfc8017#appendix-C >> Signed-off-by: Varad Gautam <varad.gau...@suse.com> >> --- >> crypto/asymmetric_keys/Makefile | 5 +- >> crypto/asymmetric_keys/x509_cert_parser.c | 152 ++++++++++++++++++++++ >> crypto/asymmetric_keys/x509_rsassa.asn1 | 17 +++ >> include/crypto/public_key.h | 4 + >> include/linux/oid_registry.h | 3 + >> 5 files changed, 180 insertions(+), 1 deletion(-) >> create mode 100644 crypto/asymmetric_keys/x509_rsassa.asn1 >> > -- SUSE Software Solutions Germany GmbH Maxfeldstr. 5 90409 Nürnberg Germany HRB 36809, AG Nürnberg Geschäftsführer: Felix Imendörffer
