Add RSA-PSS signature verification support (TLS 1.3 with RSA cert) #377
EdouardMALOT wants to merge 2 commits into eclipse-threadx:dev from
@eclipseefa recheck
Thank you for this contribution, @EdouardMALOT. We will review and provide feedback.
Overall, a strong and useful contribution. Thanks.
The PR only implements verification. While this allows a NetX Duo client to verify a server's RSA certificate in TLS 1.3, NetX Duo still cannot act as a server with an RSA certificate (or a client with client-cert) in TLS 1.3 because it lacks RSA-PSS signing logic. It could be worthwhile to add _nx_crypto_rsa_pss_sign to complete the RSA-PSS support for both directions.
That said, this is not mandatory and should probably be done in a different PR.
The transcript hash used as input for the CertificateVerify signature is hardcoded to 32 bytes:
```c
NX_SECURE_MEMCPY(&handshake_hash[64 + 34], transcript_hash, 32);
handshake_hash_length = 130;
```
This is correct for SHA-256 but broken for SHA-384 and SHA-512. Since the PR adds support for rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512, these algorithms will fail verification because the transcript hash will be truncated to 32 bytes.
The handshake_hash buffer is defined as static UCHAR handshake_hash[64 + 34 + 32]; (130 bytes). For SHA-512, the required size to hold the padded context (64 + 34 bytes) plus the transcript hash (64 bytes) is 162 bytes. The current buffer size will cause an overflow or truncation if SHA-512 is used.
This should also be fixed in nx_secure_tls_send_certificate_verify.c, I think.
In _nx_crypto_rsa_pss_mgf1, hash_buf[64] is used. This is safe for SHA-512 but lacks a check to ensure the hash output of the selected hash_method does not exceed the buffer size.
Address review feedback on RSA-PSS PR:
- Resize handshake_hash buffer from 130 to 162 bytes (64+34+64) in both nx_secure_tls_process_certificate_verify.c and nx_secure_tls_send_certificate_verify.c to fit SHA-512 transcript.
- Replace hardcoded 32-byte transcript hash copy with dynamic length derived from hash_method->nx_crypto_ICV_size_in_bits.
- Add bounds check in _nx_crypto_rsa_pss_mgf1 to reject hash_method whose output exceeds the local hash_buf size.
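The sizing problem raised in the review comments above, as an added example (not code from this PR or from NetX Duo): the CertificateVerify signed content is built with a length derived from the hash size and checked against the destination buffer before any copy. The function name `cv_build_content`, the `CV_*` macros and the `hash_bits` parameter are assumptions made for illustration; the layout follows RFC 8446 §4.4.3.

```c
#include <stddef.h>
#include <string.h>

/* Signed content layout (RFC 8446 section 4.4.3):
   64 bytes of 0x20 | 33-byte context string | one 0x00 byte | transcript hash */
#define CV_PAD_LEN      64u
#define CV_CONTEXT_LEN  34u   /* 33 characters plus the 0x00 separator */
#define CV_MAX_HASH_LEN 64u   /* SHA-512 is the largest digest handled here */
#define CV_MAX_LEN      (CV_PAD_LEN + CV_CONTEXT_LEN + CV_MAX_HASH_LEN) /* 162 */

static const char cv_server_ctx[] = "TLS 1.3, server CertificateVerify";
static const char cv_client_ctx[] = "TLS 1.3, client CertificateVerify";

/* The string's terminating NUL doubles as the separator byte, so each array
   must be exactly CV_CONTEXT_LEN bytes long. */
_Static_assert(sizeof(cv_server_ctx) == CV_CONTEXT_LEN, "server context length");
_Static_assert(sizeof(cv_client_ctx) == CV_CONTEXT_LEN, "client context length");

/* Hypothetical helper, not a NetX Duo function. Writes the signed content to
   out[] and returns its length, or 0 when the digest size is unsupported or
   the destination cannot hold the result. hash_bits stands in for a
   size-in-bits field like the one named in the commit message. */
size_t cv_build_content(unsigned char *out, size_t out_size, int is_server,
                        const unsigned char *transcript_hash, unsigned hash_bits)
{
    size_t hash_len = hash_bits >> 3;
    size_t total;

    /* Accept only whole-byte digests of 32, 48 or 64 bytes. */
    if ((hash_bits & 7u) != 0u ||
        (hash_len != 32u && hash_len != 48u && hash_len != 64u))
        return 0;

    /* Size check happens before the first write, so a 130-byte buffer is
       rejected for SHA-384/SHA-512 instead of being overrun or truncated. */
    total = CV_PAD_LEN + CV_CONTEXT_LEN + hash_len;
    if (out == NULL || transcript_hash == NULL || out_size < total)
        return 0;

    memset(out, 0x20, CV_PAD_LEN);
    memcpy(out + CV_PAD_LEN, is_server ? cv_server_ctx : cv_client_ctx,
           CV_CONTEXT_LEN);
    memcpy(out + CV_PAD_LEN + CV_CONTEXT_LEN, transcript_hash, hash_len);
    return total;
}
```

A caller that sizes its buffer with `CV_MAX_LEN` can pass any of the three digest sizes; a buffer sized for SHA-256 only gets a 0 return for the larger digests.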
Thanks @fdesbiens for the review! All three blocking points are addressed in commit
About |
Summary
This PR adds RSA-PSS (Probabilistic Signature Scheme) signature verification support to NetX Duo, as defined in RFC 8017 §8.1.
RSA-PSS is required for TLS 1.3 compliance: RFC 8446 §4.2.3 mandates the use of RSA-PSS for all RSA-based signatures in TLS 1.3 handshakes.
Changes
- crypto_libraries/inc/nx_crypto_const.h — add NX_CRYPTO_DIGITAL_SIGNATURE_RSAPSS constant (0x00050004)
- crypto_libraries/inc/nx_crypto_rsa.h — declare _nx_crypto_rsa_pss_verify()
- crypto_libraries/src/nx_crypto_rsa.c — implement:
  - _nx_crypto_rsa_pss_mgf1() — Mask Generation Function 1 (RFC 8017 §B.2.1)
  - _nx_crypto_rsa_pss_verify() — PSS encoding verification (salt length == hash length, as required by RFC 8446 §4.2.3)
- nx_secure/src/nx_secure_tls_process_certificate_verify.c — handle NX_CRYPTO_DIGITAL_SIGNATURE_RSAPSS in CertificateVerify processing
- nx_secure/src/nx_secure_tls_send_clienthello_extensions.c — advertise RSA-PSS signature algorithms in ClientHello extensions
Test plan
rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, and rsa_pss_rsae_sha512 is correctly verified
NX_CRYPTO_NOT_SUCCESSFUL