tpm2: add support for padding-only RSASSA
Perform PKCS1-padding-only signing for RSASSA if hashing algorithm is
TPM_ALG_NULL in TPM2_Sign parameters and in the key public area.
This feature is guarded by SUPPORT_PADDING_ONLY_RSASSA macro.
BUG=chrome-os-partner:60967
BRANCH=none
TEST=On a unowned machine with TPM2: corp enroll, login, install
a network certificate (gECC or GMC), then:
a) retrieve the public key from the installed certificate
LIBCHAPS=`ls /usr/lib**/libchaps.so`
CERTID=`pkcs11-tool --module=$LIBCHAPS --slot=1 --type=cert \
-O | grep "ID:" | awk '{print $2}'`
pkcs11-tool --module=$LIBCHAPS --slot=1 --id=$CERTID \
--type=cert -r > /tmp/cert
openssl x509 -inform der -pubkey -noout -in /tmp/cert > /tmp/pub.key
b) sign a sample text using the private key for the certificate and
MD5-RSA-PKCS mechanism, not supported by TPM2_Sign command:
echo "ABCDEF" > /tmp/1.txt
pkcs11-tool --module=$LIBCHAPS --slot=1 --id=$CERTID --sign \
-i /tmp/1.txt -o /tmp/1.sig -m MD5-RSA-PKCS
c) verify signature:
openssl dgst -md5 -verify /tmp/pub.key -signature /tmp/1.sig /tmp/1.txt
Step (b) should succeed and step (c) should return "Verified OK".
Change-Id: Iefc85d163089d6f7e09b3e7a41e1df33ba88fa3b
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/420811
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
diff --git a/CpriRSA.c b/CpriRSA.c
index a436716..c3f5d62 100644
--- a/CpriRSA.c
+++ b/CpriRSA.c
@@ -805,11 +805,19 @@
INT32 fillSize;
pAssert(eOut != NULL && hIn != NULL);
// Can't use this scheme if the algorithm doesn't have a DER string defined.
- if(derSize == 0 )
+ if(
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ hashAlg != TPM_ALG_NULL &&
+#endif
+ derSize == 0)
return CRYPT_SCHEME;
// If the digest size of 'hashAl' doesn't match the input digest size, then
// the DER will misidentify the digest so return an error
- if((unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
+ if(
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ hashAlg != TPM_ALG_NULL &&
+#endif
+ (unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
return CRYPT_PARAMETER;
fillSize = eOutSize - derSize - hInSize - 3;
// Make sure that this combination will fit in the provided space
diff --git a/Implementation.h b/Implementation.h
index f67d513..a503d2a 100644
--- a/Implementation.h
+++ b/Implementation.h
@@ -357,6 +357,7 @@
#define ALG_SM4_VALUE 0x0013
#if defined ALG_RSASSA && ALG_RSASSA == YES
#define TPM_ALG_RSASSA (TPM_ALG_ID)(0x0014)
+#define SUPPORT_PADDING_ONLY_RSASSA YES
#endif
#define ALG_RSASSA_VALUE 0x0014
#if defined ALG_RSAES && ALG_RSAES == YES
diff --git a/Sign.c b/Sign.c
index f0e29f9..10b673b 100644
--- a/Sign.c
+++ b/Sign.c
@@ -63,7 +63,11 @@
// NOTE: this does not guarantee that the 'digest' is actually produced using
// the indicated hash algorithm, but at least it might be.
{
- if( in->digest.t.size
+ if(
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ in->inScheme.details.any.hashAlg != TPM_ALG_NULL &&
+#endif
+ in->digest.t.size
!= CryptGetHashDigestSize(in->inScheme.details.any.hashAlg))
return TPM_RC_SIZE + RC_Sign_digest;
}
diff --git a/tpm_generated.c b/tpm_generated.c
index b471be1..e3c72ab 100644
--- a/tpm_generated.c
+++ b/tpm_generated.c
@@ -2349,7 +2349,11 @@
TPM_RC TPMS_SIG_SCHEME_RSASSA_Unmarshal(TPMS_SIG_SCHEME_RSASSA* target,
BYTE** buffer,
INT32* size) {
+#if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
+ return TPMI_ALG_HASH_Unmarshal(&target->hashAlg, buffer, size, TRUE);
+#else
return TPMS_SCHEME_HASH_Unmarshal(target, buffer, size);
+#endif
}
UINT16 TPMS_ENC_SCHEME_OAEP_Marshal(TPMS_ENC_SCHEME_OAEP* source,