rsa-pss: add tests checking for SHAKE usage in RSA-PSS

FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that Shake shall be used directly as MGF (not as a hash in MGF1). Add tests that try to specify shake hash as MGF1 to ensure that fails. Separately the above standards specify how to use SHAKE as a message digest with either fixed or minimum output lengths. However, currently shake is not part of allowed hashes. Note that rsa_setup_md()/rsa_setup_mgf1_md() call ossl_digest_rsa_sign_get_md_nid() -> ossl_digest_get_approved_nid_with_sha1() -> ossl_digest_get_approved_nid() which only contain sha1/sha2/sha3 digests without XOF. The digest test case will need to be replace if/when shake with minimum output lengths is added to ossl_digest_get_approved_nid(). Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24387)
2024-11-27 05:21:51 +08:00 · 2024-05-11 01:26:55 +01:00 · 2024-05-11 01:26:55 +01:00 · 973ddaa03f
commit 973ddaa03f
parent 7884bedc04
2 changed files with 38 additions and 0 deletions
--- a/providers/common/digest_to_nid.c
+++ b/providers/common/digest_to_nid.c
@ -39,6 +39,7 @@ int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
 */
 int ossl_digest_get_approved_nid(const EVP_MD *md)
 {
+    /* TODO: FIPS 180-5 RFC 8692 RFC 8702 allow SHAKE */
    static const OSSL_ITEM name_to_nid[] = {
        { NID_sha1,      OSSL_DIGEST_NAME_SHA1      },
        { NID_sha224,    OSSL_DIGEST_NAME_SHA2_224  },
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@ -989,6 +989,43 @@ Verify = RSA-PSS-BAD2
 Result = KEYOP_INIT_ERROR
 Reason = invalid salt length

+# Test sign with MGF1 using shake fails
+Sign = RSA-PSS
+Ctrl = digest:sha256
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_mgf1_md:shake256
+Input = ""
+Output = ""
+Result = PKEY_CTRL_ERROR
+
+# Test verify with MGF1 using shake fails
+Verify = RSA-PSS
+Ctrl = digest:sha256
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_mgf1_md:shake256
+Input = ""
+Output = ""
+Result = PKEY_CTRL_ERROR
+
+# Test sign with digest using shake fails. Remove once FIPS 186-5 /
+# RFC-8702 / RFC-8692 SHAKE digest implemented
+Sign = RSA-PSS
+Ctrl = digest:shake256
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_mgf1_md:sha256
+Input = ""
+Output = ""
+Result = PKEY_CTRL_ERROR
+
+# Test sign with digest using shake fails. Remove once FIPS 186-5 /
+# RFC-8702 / RFC-8692 SHAKE digest implemented
+Verify = RSA-PSS
+Ctrl = digest:shake256
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_mgf1_md:sha256
+Input = ""
+Output = ""
+Result = PKEY_CTRL_ERROR

 # Additional RSA-PSS and RSA-OAEP tests converted from
 # ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip