Hi Lukas, Ignat,
[Note this is based on Eric Bigger's libcrypto-next branch].
These patches add ML-DSA module signing and RSASSA-PSS module signing. The
first half of the set adds ML-DSA signing:
(1) Add a crypto_sig interface for ML-DSA, verification only.
(2) Modify PKCS#7 support to allow kernel module signatures to carry
authenticatedAttributes as OpenSSL refuses to let them be opted out of
for ML-DSA (CMS_NOATTR). This adds an extra digest calculation to the
process.
Modify PKCS#7 to pass the authenticatedAttributes directly to the
ML-DSA algorithm rather than passing over a digest as is done with RSA
as ML-DSA wants to do its own hashing and will add other stuff into
the hash. We could use hashML-DSA or an external mu instead, but they
aren't standardised for CMS yet.
(3) Add support to the PKCS#7 and X.509 parsers for ML-DSA.
(4) Modify sign-file to handle OpenSSL not permitting CMS_NOATTR with
ML-DSA and add ML-DSA to the choice of algorithm with which to sign
modules. Note that this might need some more 'select' lines in the
Kconfig to select the lib stuff as well.
This is based on Eric's libcrypto-next branch which has the core
implementation of ML-DSA.
The second half of the set adds RSASSA-PSS signing:
(5) Add an info string parameter to the internal signature verification
routines where that does not already exist. This is necessary to pass
extra parameters and is already supported in the KEYCTL_PKEY_VERIFY
keyctl.
Both X.509 and PKCS#7 provide for these parameters to be supplied, but
it is tricky to pass the parameters in a blob with the signature or
key data as there are checks on these sizes that are then violated;
further, the way the parameters are laid out in the ASN.1 doesn't lend
itself easily to simply extracting out a larger blob.
(6) Add RSASSA-PSS support to the RSA driver in crypto/. This parses the
info string to get the verification parameters.
(7) Add support to the PKCS#7 and X.509 parsers for RSASSA-PSS.
(8) Modify sign-file to pass the extra parameters necessary to be able
generate RSASSA-PSS. For the moment, only select MGF1 with the same
hash algorithm as for the data for the mask function. Add RSASSA-PSS
to the choice of algorithm with which to sign modules.
Note that I do still need to add some FIPS tests for both ML-DSA and
RSASSA-PSS in the form of X.509 certs, data and detached PKCS#7 signatures.
I'm not sure if I can use FIPS-standard tests for that.
The patches can also be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-pqc
David
Changes
=======
ver #11)
- Rebased on Eric's libcrypto-next branch.
- Added RSASSA-PSS support patches.
ver #10)
- Replaced the Leancrypto ML-DSA implementation with Eric's.
- Fixed Eric's implementation to have MODULE_* info.
- Added a patch to drive Eric's ML-DSA implementation from crypto_sig.
- Removed SHAKE256 from the list of available module hash algorithms.
- Changed a some more ML_DSA to MLDSA in config symbols.
ver #9)
- ML-DSA changes:
- Separate output into four modules (1 common, 3 strength-specific).
- Solves Kconfig issue with needing to select at least one strength.
- Separate the strength-specific crypto-lib APIs.
- This is now generated by preprocessor-templating.
- Remove the multiplexor code.
- Multiplex the crypto-lib APIs by C type.
- Fix the PKCS#7/X.509 code to have the correct algo names.
ver #8)
- Moved the ML-DSA code to lib/crypto/mldsa/.
- Renamed some bits from ml-dsa to mldsa.
- Created a simplified API and placed that in include/crypto/mldsa.h.
- Made the testing code use the simplified API.
- Fixed a warning about implicitly casting between uint16_t and __le16.
ver #7)
- Rebased on Eric's tree as that now contains all the necessary SHA-3
infrastructure and drop the SHA-3 patches from here.
- Added a minimal patch to provide shake256 support for crypto_sig.
- Got rid of the memory allocation wrappers.
- Removed the ML-DSA keypair generation code and the signing code, leaving
only the signature verification code.
- Removed the secret key handling code.
- Removed the secret keys from the kunit tests and the signing testing.
- Removed some unused bits from the ML-DSA code.
- Downgraded the kdoc comments to ordinary comments, but keep the markup
for easier comparison to Leancrypto.
ver #6)
- Added a patch to make the jitterentropy RNG use lib/sha3.
- Added back the crypto/sha3_generic changes.
- Added ML-DSA implementation (still needs more cleanup).
- Added kunit test for ML-DSA.
- Modified PKCS#7 to accommodate ML-DSA.
- Modified PKCS#7 and X.509 to allow ML-DSA to be specified and used.
- Modified sign-file to not use CMS_NOATTR with ML-DSA.
- Allowed SHA3 and SHAKE* algorithms for module signing default.
- Allowed ML-DSA-{44,65,87} to be selected as the module signing default.
ver #5)
- Fix gen-hash-testvecs.py to correctly handle algo names that contain a
dash.
- Fix gen-hash-testvecs.py to not generate HMAC for SHA3-* or SHAKE* as
these don't currently have HMAC variants implemented.
- Fix algo names to be correct.
- Fix kunit module description as it now tests all SHA3 variants.
ver #4)
- Fix a couple of arm64 build problems.
- Doc fixes:
- Fix the description of the algorithm to be closer to the NIST spec's
terminology.
- Don't talk of finialising the context for XOFs.
- Don't say "Return: None".
- Declare the "Context" to be "Any context" and make no mention of the
fact that it might use the FPU.
- Change "initialise" to "initialize".
- Don't warn that the context is relatively large for stack use.
- Use size_t for size parameters/variables.
- Make the module_exit unconditional.
- Dropped the crypto/ dir-affecting patches for the moment.
ver #3)
- Renamed conflicting arm64 functions.
- Made a separate wrapper API for each algorithm in the family.
- Removed sha3_init(), sha3_reinit() and sha3_final().
- Removed sha3_ctx::digest_size.
- Renamed sha3_ctx::partial to sha3_ctx::absorb_offset.
- Refer to the output of SHAKE* as "output" not "digest".
- Moved the Iota transform into the one-round function.
- Made sha3_update() warn if called after sha3_squeeze().
- Simplified the module-load test to not do update after squeeze.
- Added Return: and Context: kdoc statements and expanded the kdoc
headers.
- Added an API description document.
- Overhauled the kunit tests.
- Only have one kunit test.
- Only call the general hash tester on one algo.
- Add separate simple cursory checks for the other algos.
- Add resqueezing tests.
- Add some NIST example tests.
- Changed crypto/sha3_generic to use this
- Added SHAKE128/256 to crypto/sha3_generic and crypto/testmgr
- Folded struct sha3_state into struct sha3_ctx.
ver #2)
- Simplify the endianness handling.
- Rename sha3_final() to sha3_squeeze() and don't clear the context at the
end as it's permitted to continue calling sha3_final() to extract
continuations of the digest (needed by ML-DSA).
- Don't reapply the end marker to the hash state in continuation
sha3_squeeze() unless sha3_update() gets called again (needed by
ML-DSA).
- Give sha3_squeeze() the amount of digest to produce as a parameter
rather than using ctx->digest_size and don't return the amount digested.
- Reimplement sha3_final() as a wrapper around sha3_squeeze() that
extracts ctx->digest_size amount of digest and then zeroes out the
context. The latter is necessary to avoid upsetting
hash-test-template.h.
- Provide a sha3_reinit() function to clear the state, but to leave the
parameters that indicate the hash properties unaffected, allowing for
reuse.
- Provide a sha3_set_digestsize() function to change the size of the
digest to be extracted by sha3_final(). sha3_squeeze() takes a
parameter for this instead.
- Don't pass the digest size as a parameter to shake128/256_init() but
rather default to 128/256 bits as per the function name.
- Provide a sha3_clear() function to zero out the context.
David Howells (8):
crypto: Add ML-DSA crypto_sig support
pkcs7: Allow the signing algo to calculate the digest itself
pkcs7, x509: Add ML-DSA support
modsign: Enable ML-DSA module signing
crypto: Add supplementary info param to asymmetric key signature
verification
crypto: Add RSASSA-PSS support
pkcs7, x509: Add RSASSA-PSS support
modsign: Enable RSASSA-PSS module signing
Documentation/admin-guide/module-signing.rst | 15 +-
certs/Kconfig | 27 ++
certs/Makefile | 4 +
crypto/Kconfig | 10 +
crypto/Makefile | 3 +
crypto/asymmetric_keys/Makefile | 12 +-
crypto/asymmetric_keys/asymmetric_type.c | 1 +
crypto/asymmetric_keys/mgf1_params.asn1 | 12 +
crypto/asymmetric_keys/pkcs7.asn1 | 2 +-
crypto/asymmetric_keys/pkcs7_parser.c | 114 +++---
crypto/asymmetric_keys/pkcs7_verify.c | 52 ++-
crypto/asymmetric_keys/public_key.c | 19 +-
crypto/asymmetric_keys/rsassa_params.asn1 | 25 ++
crypto/asymmetric_keys/rsassa_parser.c | 233 +++++++++++
crypto/asymmetric_keys/rsassa_parser.h | 25 ++
crypto/asymmetric_keys/signature.c | 1 +
crypto/asymmetric_keys/x509.asn1 | 2 +-
crypto/asymmetric_keys/x509_cert_parser.c | 120 ++++--
crypto/asymmetric_keys/x509_parser.h | 33 +-
crypto/asymmetric_keys/x509_public_key.c | 28 +-
crypto/ecdsa-p1363.c | 5 +-
crypto/ecdsa-x962.c | 5 +-
crypto/ecdsa.c | 3 +-
crypto/ecrdsa.c | 3 +-
crypto/mldsa.c | 202 ++++++++++
crypto/rsa.c | 8 +
crypto/rsassa-pkcs1.c | 3 +-
crypto/rsassa-pss.c | 397 +++++++++++++++++++
crypto/sig.c | 3 +-
include/crypto/internal/rsa.h | 2 +
include/crypto/public_key.h | 2 +
include/crypto/sig.h | 9 +-
include/linux/oid_registry.h | 7 +
scripts/sign-file.c | 63 ++-
34 files changed, 1307 insertions(+), 143 deletions(-)
create mode 100644 crypto/asymmetric_keys/mgf1_params.asn1
create mode 100644 crypto/asymmetric_keys/rsassa_params.asn1
create mode 100644 crypto/asymmetric_keys/rsassa_parser.c
create mode 100644 crypto/asymmetric_keys/rsassa_parser.h
create mode 100644 crypto/mldsa.c
create mode 100644 crypto/rsassa-pss.c
