Some fixes for EdDSA signatures + test coverage #497
Conversation
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
| ret = EVP_DigestSignFinal(sign_md[c], sig, &size); | ||
| if (mdname == NULL) { | ||
| ret = | ||
| EVP_DigestSign(sign_md[c], sig, &size, data, sizeof(data)); |
There was a problem hiding this comment.
Given we do not really need multiple calls, would it mak sense to always just use the one shot call for all cases?
There was a problem hiding this comment.
Right, this would simplify things. I can change it as I hope no algorithm depends on having update.
|
|
||
| /* PKCS #11 parameters are mandatory for Ed448 key type anyway */ | ||
| if (size == ED448_BIT_SIZE) { | ||
| sigctx->use_eddsa_params = CK_TRUE; |
There was a problem hiding this comment.
I do not think this is correct, rather we should select an instance, presumably based on the default and bit lengths and then call through the same code at lines 2322 onward.
What are you doing here is effectively setting
sigctx->use_eddsa_params = CK_TRUE;
sigctx->eddsa_params.phFlag = CK_FALSE;
by omitting to set the phFlag.
I think the correct fix here involves spinning off the instance selection to a helper function, and if no params are set, calling it with "Ed25519" is size == ED25519_BIT_SIZE and with "Ed448" if ED448_BIT_SIZE
An option is to also pre-set instance constants, then if there are params they will overwrite the instance variable with whatever came from the OSSL_SIGNATURE_PARAM_INSTANCE
Once all params are handled, unconditionally call the cose that sets the various flags based on instance name.
There was a problem hiding this comment.
Please, check the table in the pkcs#11 specs:
https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
What are you doing here is effectively setting
this is intentional. The phFlag is false in this default default. I can set it explicitly if it will make it more clear
Missing instance name on the openssl level results in Ed448/Ed25519. I find it overcomplicated going through the openssl instance if we do not have any from the caller. The code from lines 2322 just really sets use_eddsa_params and phFlag. Moreover we return on the line 2311 when there are no parameters provided.
Description
There was a logic error in creating the eddsa signature params for pkcs11, that when
OSSL_SIGNATURE_PARAM_INSTANCEOSSL_PARAM was not provided, the pkcs11 parameters were not created and Ed448 operations were failing.For some reason, the pkcs11 parameters are required for the Ed448 even if no prehashing nor context is used.
Additionally, if only the context is provided by OpenSSL/caller, we also need to provide the correct parameters, which was not handled before.
Unfortunately, this is not the issue I was after during last days.
Checklist
Reviewer's checklist: