Skip to content

Stop using RSA_* functions for signatures #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 25, 2023
Merged

Conversation

ueno
Copy link
Collaborator

@ueno ueno commented Mar 31, 2023

For creating and verifying PKCS#1 v1.5 signatures in a pre-hashed manner, we used the legacy RSA_sign and RSA_verify functions, which bypass the system-wide disablement of SHA-1 and shorter RSA key length usage inconsistently with the OpenSSL 3.0 default on RHEL.

This switches to using our _goboringcrypto_EVP_{sign,verify}_raw, which internally use EVP_PKEY_ functions.

@ueno ueno marked this pull request as ready for review April 4, 2023 13:08
@ueno ueno requested review from derekparker and simo5 April 4, 2023 13:09
@ueno ueno changed the title Stop using RSA_* functions Stop using RSA_* functions for signatures Apr 6, 2023
@ueno ueno force-pushed the wip/rsa-evp branch 2 times, most recently from 40bcb96 to 8d955ba Compare April 7, 2023 08:37
Copy link
Collaborator

@simo5 simo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general but I wonder why the change in behavior for msgIsHashed cases, I think we wanted to enforce hashing in the FIPS boundary in the past?

@ueno
Copy link
Collaborator Author

ueno commented Apr 7, 2023

Afaik we later had to revert that enforcement as the crypto/rsa.SignPKCS1v15 takes hashed bytes and there are still some use of PKCS#1 v1.5 signatures in applications.

For creating and verifying PKCS#1 v1.5 signatures in a pre-hashed
manner, we used the legacy RSA_sign and RSA_verify functions, which
bypass the system-wide disablement of SHA-1 and shorter RSA key length
usage inconsistently with the OpenSSL 3.0 default on RHEL.

This switches to using our _goboringcrypto_EVP_{sign,verify}_raw,
which internally use EVP_PKEY_ functions.

Signed-off-by: Daiki Ueno <[email protected]>
This switches _goboringcrypto_RSA_generate_key_fips to using
EVP_PKEY_keygen function instead of RSA_generate_key_ex.

The accessors functions around the RSA * type, such as
RSA_get0_crt_params, are still used, though they are not a
cryptographic operation so this patch leaves it as they are for now.

Signed-off-by: Daiki Ueno <[email protected]>
@ueno ueno requested a review from dbenoit17 April 12, 2023 07:38
Copy link
Contributor

@derekparker derekparker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ueno ueno merged commit ac2a11f into golang-fips:master Apr 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants