Some fixes for EdDSA signatures + test coverage #497
Conversation
|
|
||
| /* PKCS #11 parameters are mandatory for Ed448 key type anyway */ | ||
| if (size == ED448_BIT_SIZE) { | ||
| sigctx->use_eddsa_params = CK_TRUE; |
There was a problem hiding this comment.
I do not think this is correct, rather we should select an instance, presumably based on the default and bit lengths and then call through the same code at lines 2322 onward.
What are you doing here is effectively setting
sigctx->use_eddsa_params = CK_TRUE;
sigctx->eddsa_params.phFlag = CK_FALSE;
by omitting to set the phFlag.
I think the correct fix here involves spinning off the instance selection to a helper function, and if no params are set, calling it with "Ed25519" is size == ED25519_BIT_SIZE and with "Ed448" if ED448_BIT_SIZE
An option is to also pre-set instance constants, then if there are params they will overwrite the instance variable with whatever came from the OSSL_SIGNATURE_PARAM_INSTANCE
Once all params are handled, unconditionally call the cose that sets the various flags based on instance name.
There was a problem hiding this comment.
Please, check the table in the pkcs#11 specs:
https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
What are you doing here is effectively setting
this is intentional. The phFlag is false in this default default. I can set it explicitly if it will make it more clear
Missing instance name on the openssl level results in Ed448/Ed25519. I find it overcomplicated going through the openssl instance if we do not have any from the caller. The code from lines 2322 just really sets use_eddsa_params and phFlag. Moreover we return on the line 2311 when there are no parameters provided.
There was a problem hiding this comment.
It is a side effect, I anted it explicit, and that can be done easily, I can do it as a followup PR if you like
The EdDSA supports only one-shot signatures so we need to get rid of the Update + Final semantics in favor of the one-shot operation. Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
tests/setup.sh
Outdated
| # echo "${EDPUBURI}" | ||
| # echo "${EDPRIURI}" | ||
| # echo "${EDCRTURI}" | ||
| # this requires OpenSC 0.26.0, which is not available in Ubuntu yet |
There was a problem hiding this comment.
at this point we have many checks scattered through setup.sh that test for this or that OS and it makes it difficult to find and change them.
What about having an initial section in setup.sh that sets some generic variables like:
ED448SUPPORT=1
ED25519SUPPORT=1
ECASPARAMETERS=1
and then we have a set of checks that will turn these variables off if the specific system/library we are testing on does not support the primitive.
The actual setup code then just tests for the ED448SUPPORT (or other) variable to decide whether to run the specific setup part.
There was a problem hiding this comment.
Its not that many. Just for Ed25519, Ed448 and the explicit curves (which are now moved to the meson). The Ed448 depends on the Ed25519 and the Ed448 needs specific OpenSC version (where I just figured out there is no easy way to find opensc version from any cli). Given that the mapping is sometimes based on the software token, sometimes on opensc version, I am not sure if moving the checks to some other place would make it more readable.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
When we import the EdDSA key from file, we always use the printable string choice in the EC_PARAMS. But the key on token can use OID in which case, we will not be able to match these two keys. Previously, the fallback involved getting the EC_GROUP from the EC_PARAMS, but this really works only with the ECDSA keys. On EdDSA keys, we always fail as the EdDSA keys do not have any EC_GROUP defined in OpenSSL and there is no conversion from the EC_PARAMS that contain printable string so the matching needs to be done differently than with the ECDSA keys. Previously, this worked because the Ed25519 keys we used had always representation with printable string so we were able to match the EC_PARAM strings byte-by-byte. Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Description
There was a logic error in creating the eddsa signature params for pkcs11, that when
OSSL_SIGNATURE_PARAM_INSTANCEOSSL_PARAM was not provided, the pkcs11 parameters were not created and Ed448 operations were failing.For some reason, the pkcs11 parameters are required for the Ed448 even if no prehashing nor context is used.
Additionally, if only the context is provided by OpenSSL/caller, we also need to provide the correct parameters, which was not handled before.
Unfortunately, this is not the issue I was after during last days.
Checklist
Reviewer's checklist: