author | Robert Relyea <rrelyea@redhat.com> | 2021-04-01 15:13:20 -0700 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2021-04-01 15:13:20 -0700 |
commit | 674e421abbb469ac3a78156f1a720c3353733895 (patch) | |
tree | 767cb5e85d741e253234a4f8b3baeae328ea181f /lib/nss | |
parent | 6880a00af4c3509963f54d76e403da9acf6d58d6 (diff) | |
download | nss-hg-674e421abbb469ac3a78156f1a720c3353733895.tar.gz |
Bug 1702663 Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
FIPS requires that we supply a hash and sign interface for our supported
signing algorithms to be validated. We already have those interfaces in
softoken for RSA PKCS1, DSA, and ECDSA. However, we don't test those
interfaces, nor do we supply a way for an application to access those
interfaces (usually applications use the VFY_ and SGN_ interfaces which
handle the hashing and verify/sign operations).
We also have a generic pk11_signature_tests class in pk11_gtest, but only ecdsa
and some rsa pss tests use it.
This patch rectifies all of these deficiencies:
lib/softokn
1) Hash and sign/verify mechanisms have been added to softoken to support PSS
hash and sign.
2) The rsa, dsa, and ecdsa hash and sign algorithms were also cleaned up by
creating a fake CKM_SHA1 which matches CKM_SHA_1 so that we can fully use the
same macros for all the hash types.
1&2 was sufficient to provide the goals of this task, however we wanted to be
able to add tests for this functionality.
lib/pk11wrap
3) Two new functions were added: PK11_CreateContextByPubKey and
PK11_CreateContextByPrivKey. These allow you to create multipart contexts with
Public and Private keys. This is a requirement to support hash and sign, as
they are multi-part operations (rather than just signing a hash, which is a
single part operation). With these functions, you can now use the PK11_DigestOp
and PK11_DigestFinal to complete a signature or verify operation.
gtests/pk11_gtest
4) Add hash and sign/hash and verify support to the generic
pk11_signature_tests.h.
5) pk11_dsa_unittest.cc, pk11_rsa_unittest.cc, and the remainder of
pk11_rsapss_unittest.cc (Wycheproof tests) were moved to use the
pk11_signature_tests common implementation rather than their own.
6) pk11_ecdsa_unittest.cc was updated to support the hash&sign/verify combo
mechanism.
7) With multiple functions using pk11_signature_tests.h, the large functions
are moved to pk11_signature_tests.cpp.
8) The test vectors themselves were not changed, now just test against the
traditional hash first then verify interfaces and the hash and verify
interfaces.
Differential Revision: https://phabricator.services.mozilla.com/D110641
Diffstat (limited to 'lib/nss')
-rw-r--r-- | lib/nss/nss.def | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/nss/nss.def b/lib/nss/nss.def index db912e1ec..91486ceff 100644 --- a/lib/nss/nss.def +++ b/lib/nss/nss.def @@ -1219,4 +1219,11 @@ PK11_HPKE_ExportContext; PK11_HPKE_ImportContext; ;+ local: ;+ *; -;+};
\ No newline at end of file +;+}; +;+NSS_3.64 { # NSS 3.64 release +;+ global: +PK11_CreateContextByPubKey; +PK11_CreateContextByPrivKey; +;+ local: +;+ *; +;+}; |
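Review bot: The new NSS_3.64 block makes PK11_CreateContextByPubKey and PK11_CreateContextByPrivKey part of the exported ABI, but this view is limited to lib/nss and shows no declaration or documentation for either symbol. Before this lands, check that the public pk11wrap header declares both, with a comment stating which operation each accepts (verify for the public-key variant, sign for the private-key variant) and that the context does not take ownership of the caller's key. Also confirm that 3.64 is the release this actually ships in, because an exported symbol should not move to a different version node after release. Replacing the final `;+};` line also removes the old "No newline at end of file" condition, which is fine to keep in this change.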