pkcs7: add RSA-PSS support for SignedData#9742
pkcs7: add RSA-PSS support for SignedData#9742sameehj wants to merge 1 commit intowolfSSL:masterfrom
Conversation
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
6 times, most recently
from
c4749c5 to
38bcb07
Compare
|
retest this please |
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
16 times, most recently
from
a4ff167 to
2f8e307
Compare
|
retest this please |
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
from
2f8e307 to
1185846
Compare
|
retest this please |
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
2 times, most recently
from
cb9f6e4 to
d4d412b
Compare
dgarske
left a comment
dgarske
left a comment
There was a problem hiding this comment.
Also needs conflict resolved with rebase. Thanks
wolfcrypt/src/asn.c
Outdated
| word32 rsapssOidSz = sizeof(sigRsaSsaPssOid); | ||
| /* MGF1 OID 1.2.840.113549.1.1.8 */ | ||
| static const byte mgf1Oid[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x08 }; | ||
| byte tmpBuf[128]; |
There was a problem hiding this comment.
Can you use a macro or enum that already exists for the 128? Also if its really that big you should have a WOLFSSL_SMALL_STACK option. We do have some helper macros for that... see WC_ALLOC_VAR_EX
There was a problem hiding this comment.
Defined RSA_PSS_ALGOID_TMPBUF_SZ macro for the 128-byte buffer size. Added WOLFSSL_SMALL_STACK support using XMALLOC/XFREE for heap allocation of the temp buffer.
wolfcrypt/src/pkcs7.c
Outdated
| XMEMSET(pkcs7, 0, sizeof(wc_PKCS7)); | ||
| pkcs7->isDynamic = (isDynamic != 0); | ||
| #if defined(WC_RSA_PSS) && !defined(NO_RSA) | ||
| pkcs7->pssSaltLen = -1; |
There was a problem hiding this comment.
Why -1 for the defaults on these?
wolfcrypt/src/pkcs7.c
Outdated
| * Use MAX_ENCRYPTED_KEY_SZ (512) to cover RSA keys up to 4096-bit. */ | ||
| byte digest[MAX_ENCRYPTED_KEY_SZ]; | ||
| RsaKey key[1]; | ||
| DecodedCert stack_dCert; |
There was a problem hiding this comment.
Can't you just use DecodedCert dCert[1];?
wolfcrypt/src/asn.c
Outdated
| /* ASN tag for trailerField. */ | ||
| #define ASN_TAG_RSA_PSS_TRAILER (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 3) | ||
| #endif | ||
| /* RSASSA-PSS-params EXPLICIT context tags (constructed, per X.680/X.690). |
There was a problem hiding this comment.
@SparkiDev please review these changes specifically. Thanks
tests/api/test_pkcs7.c
Outdated
|
|
||
| ExpectIntEQ(wc_InitRng(&rng), 0); | ||
| ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); | ||
| ExpectIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0); |
There was a problem hiding this comment.
wc_PKCS7_New already calls wc_PKCS7_Init internally, so this zeroes the struct again, discarding testDevId and replacing it with INVALID_DEVID.
There was a problem hiding this comment.
Fixed. Removed the redundant wc_PKCS7_Init after wc_PKCS7_New; testDevId is now preserved.
| * Uses info->pk.rsa (in/inLen = digest, out/outLen = signature, | ||
| * key, rng). With WOLF_CRYPTO_CB_RSA_PAD, info->pk.rsa.padding | ||
| * supplies hash and salt length. */ | ||
| ret = wc_RsaFunction(info->pk.rsa.in, info->pk.rsa.inLen, |
There was a problem hiding this comment.
wc_RsaFunction is the raw RSA private key operation (no PSS padding applied). A developer reading this as example code for WC_PK_TYPE_RSA_PSS would implement a callback that performs a raw unpadded RSA operation, producing a cryptographically invalid signature. The example should use wc_RsaPSS_Sign_ex (or at minimum include a prominent comment that PSS padding must be applied before/after the raw operation).
There was a problem hiding this comment.
Fixed. Example now uses wc_RsaPSS_Sign_ex (with PSS padding) instead of raw wc_RsaFunction.
wolfcrypt/src/asn.c
Outdated
| * @return 0 on success. | ||
| * Uses manual (non-template) ASN.1 parsing for both WOLFSSL_ASN_TEMPLATE and | ||
| * non-template builds. The ASN template approach (rsaPssParamsASN / | ||
| * GetASN_Items) was removed because the EXPLICIT constructed context tags |
There was a problem hiding this comment.
Make it work then.
The code was there and it needs to be made to work.
There was a problem hiding this comment.
It didn't at some point, now it works
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
2 times, most recently
from
db85770 to
1289ea8
Compare
wolfcrypt/src/aes.c
Outdated
|
|
||
| #include <wolfssl/wolfcrypt/aes.h> | ||
|
|
||
| #if defined(__clang__) |
There was a problem hiding this comment.
@douzzer thoughts on this? I am not sure I like adding a pragma here. Since you are working in aes.c right now curious your thoughts.
There was a problem hiding this comment.
I tried to drop, this is usually triggered with -pedantic, let's see if the CI complains.
wolfcrypt/src/asn.c
Outdated
| #define ASN_TAG_RSA_PSS_SALTLEN (ASN_CONTEXT_SPECIFIC | 2) | ||
| /* ASN tag for trailerField. */ | ||
| #define ASN_TAG_RSA_PSS_TRAILER (ASN_CONTEXT_SPECIFIC | 3) | ||
| #define ASN_TAG_RSA_PSS_HASH (ASN_CONTEXT_SPECIFIC | 0) |
There was a problem hiding this comment.
Do we need to loose the original comments and formatting?
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
4 times, most recently
from
dd416f8 to
2379563
Compare
|
Jenkins retest this please. FIPS v3 test failed history lost. |
| } | ||
|
|
||
| saltLen = pkcs7->pssParamsPresent | ||
| ? pkcs7->pssSaltLen : RSA_PSS_SALT_LEN_DEFAULT; |
There was a problem hiding this comment.
make[2]: warning: -j9 forced in submake: resetting jobserver mode.
wolfcrypt/src/pkcs7.c: In function ‘wc_PKCS7_RsaPssVerify’:
wolfcrypt/src/pkcs7.c:4471:45: error: ‘RSA_PSS_SALT_LEN_DEFAULT’ undeclared (first use in this function)
4471 | ? pkcs7->pssSaltLen : RSA_PSS_SALT_LEN_DEFAULT;
| ^~~~~~~~~~~~~~~~~~~~~~~~
wolfcrypt/src/pkcs7.c:4471:45: note: each undeclared identifier is reported only once for each function it appears in
https://cloud.wolfssl-test.com/jenkins/job/wolfSSL/job/PRB-fips-repo-and-harness-test-v3-part1/7210/
|
retest this please |
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
2 times, most recently
from
4304044 to
5db768e
Compare
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData encoding and verification. This change enables SignerInfo.signatureAlgorithm to use id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1, salt length), as required by RFC 4055 and CMS profiles. Key changes: - Add RSA-PSS encode and verify paths for PKCS7 SignedData - Encode full RSASSA-PSS AlgorithmIdentifier parameters - Decode RSA-PSS parameters from SignerInfo for verification - Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo) - Fix certificate signatureAlgorithm parameter length handling - Add API test coverage for RSA-PSS SignedData This resolves failures when using RSA-PSS signer certificates (e.g. -173 invalid signature algorithm) and maintains backward compatibility with RSA PKCS#1 v1.5 and ECDSA. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
sameehj
force-pushed
the
pkcs7-rsa-pss
branch
from
5db768e to
c254c5d
Compare
|
retest this please |
5 participants
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData encoding and verification.
This change enables
SignerInfo.signatureAlgorithmto use id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1, salt length), as required by RFC 4055 and CMS profiles.Key changes:
This resolves failures when using RSA-PSS signer certificates (e.g. -173 invalid signature algorithm) and maintains backward compatibility with RSA PKCS#1 v1.5 and ECDSA.
Testing
test_wc_PKCS7_EncodeSignedData_RSA_PSS(guarded byHAVE_PKCS7,WC_RSA_PSS, RSA, filesystem, SHA-256). Usescerts/rsapss/client-rsapss.derandclient-rsapss-priv.der; encodes SignedData and optionally round-trip verifies.os-check.ymlupdated with build--enable-pkcs7 CPPFLAGS=-DWC_RSA_PSS.Checklist