On Fri, May 22, 2009, Martin Kaiser wrote:

> Dear all,
> 
> I'm working on support for X.509 certificates with RSASSA-PSS signatures
> according to PKCS1 #2.1 and RFC 4055.  As I would like to come up with
> something that can be included in the main tree, I'm sending this
> mail to ask for your advice and to make sure I'm heading in the right
> direction.
> 
> My first step is to support verification of X.509 certificates with a
> PSS signature that uses the default PSS parameters.
> 
> Low-level routines for PSS signatures have been present for a long time.
> The signature type (PKCS1.5 or PSS) can be set for an EVP_PKEY_CTX
> object.
> 
> X.509 signature verification is based on EVP_MD_CTX.
> EVP_VerifyInit_ex(), EVP_VerifyUpdate() and EVP_VerifyFinal() are called
> on the EVP_MD_CTX.
> 
> EVP_VerifyFinal() uses a local EVP_PKEY_CTX object that is configured
> according to the EVP_MD_CTX' flags.
> 
> I thought of different approaches
> 
> - add a new flag similar to EVP_MD_FLAG_PKEY_METHOD_SIGNATURE
>   This would require a new sha1_md which in turn would require a new
>   NID_sha1Pss (or so) to have a unique match in obj_xref.txt
>   -> looks like this will end up in a mess
> 
> - base the signature verification on EVP_PKEY_CTX rather than EVP_MD_CTX
>   -> I understand that EVP_VerifyInit/Update/Final() is the most
>   abstract API for this and should be used for X.509 signature
>   verification
> 
> - therefore, my proposal is to use the pctx field of EVP_MD_CTX to set
>   up the PSS-related parameters in ASN1_item_verify(). EVP_VerifyFinal()
>   is changed to set up the local EVP_PKEY_CTX only if the EVP_MD_CTX' pctx
>   field is unset.
> 
> I attach a simple patch against 1.0.0-beta2 that outlines the basic
> idea. It is far from ready (e.g. PSS parameters are not checked) but it
> should be sufficient for discussing the approach.
> 
> I would very much appreciate your comments.
> 

Sorry for not replying to your private mail. I'd been considering how to do
this and several other things got in the way.

I don't think hard coding NIDs into the verify routines is the way to go. The
new EVP_PKEY API in 1.0.0 is intended to remove as much of that stuff as
possible.

The best approach IMHO is to have a new "pss" public key algorithm to handle
the case of PSS only keys and pass the ASN1 structures down to the specific
method API via the ctrl mechanism.

The existing RSA methods could also then switch to pss if the appropriate
structures are present.

I realise that's a bit vague at present, I'll have a think about it a bit
more.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
