2017-03-02 20:15:22 +08:00
|
|
|
#! /usr/bin/env perl
|
2023-09-07 16:59:15 +08:00
|
|
|
# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
|
2017-03-02 20:15:22 +08:00
|
|
|
#
|
2018-12-06 20:05:25 +08:00
|
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
2017-03-02 20:15:22 +08:00
|
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
|
|
# in the file LICENSE in the source distribution or at
|
|
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
use File::Spec;
|
2022-06-20 05:40:46 +08:00
|
|
|
use OpenSSL::Test qw/:DEFAULT with srctop_file data_file/;
|
2017-03-02 20:15:22 +08:00
|
|
|
use OpenSSL::Test::Utils;
|
|
|
|
|
|
|
|
setup("test_rsapss");
|
|
|
|
|
2023-09-08 01:22:25 +08:00
|
|
|
plan tests => 18;
|
2017-03-02 20:15:22 +08:00
|
|
|
|
|
|
|
#using test/testrsa.pem which happens to be a 512 bit RSA
|
|
|
|
ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
|
2020-05-12 00:27:04 +08:00
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:max',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha512',
|
|
|
|
'-out', 'testrsapss-restricted.sig',
|
2017-03-15 00:01:19 +08:00
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
2020-05-12 00:27:04 +08:00
|
|
|
"openssl dgst -sign [plain RSA key, PSS padding mode, PSS restrictions]");
|
|
|
|
|
|
|
|
ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-out', 'testrsapss-unrestricted.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign [plain RSA key, PSS padding mode, no PSS restrictions]");
|
2017-03-02 20:15:22 +08:00
|
|
|
|
2021-06-10 15:58:43 +08:00
|
|
|
ok(!run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha512',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:max',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha512', srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign, expect to fail gracefully");
|
|
|
|
|
|
|
|
ok(!run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha512',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:2147483647',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha1', srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign, expect to fail gracefully");
|
|
|
|
|
|
|
|
ok(!run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha512',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:max',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha512', '-signature', 'testrsapss.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -prverify, expect to fail gracefully");
|
2017-03-02 20:15:22 +08:00
|
|
|
|
2020-05-12 00:27:04 +08:00
|
|
|
ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'),
|
|
|
|
'-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:max',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha512',
|
|
|
|
'-signature', 'testrsapss-restricted.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -prverify [plain RSA key, PSS padding mode, PSS restrictions]");
|
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'),
|
|
|
|
'-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:42',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha512',
|
|
|
|
'-signature', 'testrsapss-restricted.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign rsa512bit.pem -sha1 -sigopt rsa_pss_saltlen:max produces 42 bits of PSS salt");
|
|
|
|
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'),
|
|
|
|
'-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:auto-digestmax',
|
|
|
|
'-sigopt', 'rsa_mgf1_md:sha512',
|
|
|
|
'-signature', 'testrsapss-restricted.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -prverify rsa512bit.pem -sha1 -sigopt rsa_pss_saltlen:auto-digestmax verifies signatures with saltlen > digestlen");
|
|
|
|
|
2020-05-12 00:27:04 +08:00
|
|
|
ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'),
|
|
|
|
'-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-signature', 'testrsapss-unrestricted.sig',
|
2017-03-02 20:15:22 +08:00
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
2020-05-12 00:27:04 +08:00
|
|
|
"openssl dgst -prverify [plain RSA key, PSS padding mode, no PSS restrictions]");
|
2022-03-17 03:30:38 +08:00
|
|
|
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:auto-digestmax',
|
|
|
|
'-out', 'testrsapss-sha1-autodigestmax.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign -sha1 -rsa_pss_saltlen:auto-digestmax");
|
|
|
|
ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha1',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:20',
|
|
|
|
'-signature', 'testrsapss-sha1-autodigestmax.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign -sha1 -rsa_padding_mode:auto-digestmax produces 20 (i.e., digestlen) bits of PSS salt");
|
|
|
|
|
|
|
|
ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha256',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:auto-digestmax',
|
|
|
|
'-out', 'testrsapss-sha256-autodigestmax.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign -sha256 -rsa_pss_saltlen:auto-digestmax");
|
|
|
|
ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha256',
|
|
|
|
'-sigopt', 'rsa_padding_mode:pss',
|
|
|
|
'-sigopt', 'rsa_pss_saltlen:30',
|
|
|
|
'-signature', 'testrsapss-sha256-autodigestmax.sig',
|
|
|
|
srctop_file('test', 'testrsa.pem')])),
|
|
|
|
"openssl dgst -sign rsa512bit.pem -sha256 -rsa_padding_mode:auto-digestmax produces 30 bits of PSS salt (due to 512bit key)");
|
|
|
|
|
2022-03-17 03:30:38 +08:00
|
|
|
# Test that RSA-PSS keys are supported by genpkey and rsa commands.
|
|
|
|
{
|
|
|
|
my $rsapss = "rsapss.key";
|
|
|
|
ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS',
|
|
|
|
'-pkeyopt', 'rsa_keygen_bits:1024',
|
2023-08-23 15:20:52 +08:00
|
|
|
'-pkeyopt', 'rsa_keygen_pubexp:65537',
|
|
|
|
'-pkeyopt', 'rsa_keygen_primes:2',
|
2022-03-17 03:30:38 +08:00
|
|
|
'--out', $rsapss])));
|
|
|
|
ok(run(app(['openssl', 'rsa', '-check',
|
|
|
|
'-in', $rsapss])));
|
|
|
|
}
|
2022-06-20 05:40:46 +08:00
|
|
|
|
|
|
|
ok(!run(app([ 'openssl', 'rsa',
|
|
|
|
'-in' => data_file('negativesaltlen.pem')],
|
|
|
|
'-out' => 'badout')));
|
2023-09-08 01:22:25 +08:00
|
|
|
|
|
|
|
ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024',
|
|
|
|
'-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10',
|
|
|
|
'-out', 'testrsapss.pem'])),
|
|
|
|
"openssl genpkey RSA-PSS with pss parameters");
|
|
|
|
ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])),
|
|
|
|
"openssl pkey, execute rsa_pub_encode with pss parameters");
|
|
|
|
unlink 'testrsapss.pem';
|