psa_rsa_verify always fails with some compliant alternative implementations #3990
Comments
Could you give a concrete example of a correct signature that our implementation of Note that the definition of |
Exactly. But strict implementations would reject any signature when called with different hash parameters. So if we set the padding to |
PSA Crypto always passed MBEDTLS_MD_NONE to Mbed TLS, which worked well as Mbed TLS does not use this parameter for anything beyond determining the input lengths. Some alternative implementations however check the consistency of the algorithm used for pre-hash and for other uses in verification (verify operation and mask generation) and fail if they don't match. This makes all such verifications fail. Furthermore, the PSA Crypto API mandates that the pre-hash and internal uses are aligned as well. Fixes Mbed-TLS#3990. Signed-off-by: Janos Follath <janos.follath@arm.com>
Description
psa_rsa_verify always passes MBEDTLS_MD_NONE to mbedtls_rsa_rsassa_pss_verify():
https://github.com/ARMmbed/mbedtls/blob/2b759626a90da9eaa821a6294a12e9a655ca46cf/library/psa_crypto.c#L3760
This works well with the Mbed TLS implementation, but causes all verifications to fail in some alternative implementations. (The standard allows for some flexibility and this can happen with perfectly compliant implementations.)
In particular the Mbed TLS implementation only uses this parameter for determining the input length, but some implementations might enforce that the hash functions match.
Bug
Expected behavior
psa_rsa_verify works with compliant alternative implementations.
Actual behavior
psa_rsa_verify always fails with a compliant alternative implementation.
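To make the failure mode concrete, here is a small RSA-PSS signer/verifier added alongside this issue (it is not Mbed TLS or PSA Crypto code). The verifier takes the caller's declared hash the way mbedtls_rsa_rsassa_pss_verify() takes md_alg; passing None plays the role of MBEDTLS_MD_NONE. In lenient mode it infers the hash from the digest length, as Mbed TLS does; in strict mode it insists that the declared hash, which is also used for H and MGF1, matches the pre-hash and refuses to guess. The key, salt, message and all function names are constructed for the example.

```python
"""Toy RSA-PSS (RFC 8017 EMSA-PSS) signer and verifier.

Added example, not Mbed TLS or PSA code. A lenient verifier infers the hash
from the digest length when none is declared (Mbed TLS with MBEDTLS_MD_NONE);
a strict verifier requires the declared hash, used for H and MGF1, to match
the pre-hash. Key, salt and message are constructed; names are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy key from two Mersenne primes: trivially factorable, for
# demonstration only. n is 648 bits, so emLen is 81 bytes.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes
EM_BITS = N.bit_length() - 1         # modBits - 1 (RFC 8017 section 9.1)
EM_LEN = (EM_BITS + 7) // 8
LEAD_BITS = 8 * EM_LEN - EM_BITS     # top bits of EM that must be zero

# Digest length -> hash: the guess a lenient verifier makes for MD_NONE.
HASH_BY_LEN = {20: "sha1", 32: "sha256", 48: "sha384", 64: "sha512"}


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 appendix B.2.1)."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def pss_encode(m_hash: bytes, hash_name: str, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE for an already-hashed message (RFC 8017 section 9.1.1)."""
    h_len, s_len = len(m_hash), len(salt)
    if EM_LEN < h_len + s_len + 2:
        raise ValueError("encoding error")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (EM_LEN - s_len - h_len - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db), hash_name)))
    masked_db[0] &= 0xFF >> LEAD_BITS
    return bytes(masked_db) + h + b"\xbc"


def pss_sign(message: bytes, hash_name: str, salt: Optional[bytes] = None) -> bytes:
    """Pre-hash with hash_name, PSS-encode with the same hash, apply the private key."""
    m_hash = hashlib.new(hash_name, message).digest()
    if salt is None:
        salt = os.urandom(len(m_hash))
    em = pss_encode(m_hash, hash_name, salt)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def pss_verify(m_hash: bytes, sig: bytes, declared_hash: Optional[str],
               strict: bool) -> bool:
    """EMSA-PSS-VERIFY on a pre-hashed message (RFC 8017 section 9.1.2).

    declared_hash is the caller's md_alg (None models MBEDTLS_MD_NONE); it is
    used for H and MGF1. Lenient mode infers it from len(m_hash); strict mode
    rejects None and any digest length that disagrees with the declared hash.
    """
    if declared_hash is None:
        if strict:
            return False                      # the failure described in the issue
        declared_hash = HASH_BY_LEN.get(len(m_hash))
        if declared_hash is None:
            return False
    h_len = hashlib.new(declared_hash).digest_size
    if h_len != len(m_hash) or len(sig) != K:
        return False
    m = pow(int.from_bytes(sig, "big"), E, N)
    if m.bit_length() > EM_BITS:              # leading LEAD_BITS of EM must be zero
        return False
    em = m.to_bytes(EM_LEN, "big")
    if em[-1] != 0xBC:
        return False
    masked_db, h = em[:EM_LEN - h_len - 1], em[EM_LEN - h_len - 1:-1]
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db), declared_hash)))
    db[0] &= 0xFF >> LEAD_BITS
    sep = db.find(b"\x01")                    # DB = PS || 0x01 || salt, PS all zero
    if sep < 0 or any(db[:sep]):
        return False
    expected = hashlib.new(declared_hash, b"\x00" * 8 + m_hash + bytes(db[sep + 1:])).digest()
    return hmac.compare_digest(expected, h)


def run_cases() -> dict:
    """Sign once with SHA-256, then verify under both verifier policies."""
    message = b"constructed sample message"
    m_hash = hashlib.sha256(message).digest()
    sig = pss_sign(message, "sha256", salt=bytes(range(32)))   # fixed salt: repeatable
    return {
        "lenient, MD_NONE": pss_verify(m_hash, sig, None, strict=False),     # True
        "strict, MD_NONE": pss_verify(m_hash, sig, None, strict=True),       # False: the bug
        "lenient, sha256": pss_verify(m_hash, sig, "sha256", strict=False),  # True
        "strict, sha256": pss_verify(m_hash, sig, "sha256", strict=True),    # True: the fix
        "strict, sha384": pss_verify(m_hash, sig, "sha384", strict=True),    # False: mismatch
    }


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:18} -> {'accepted' if ok else 'rejected'}")
```

The "strict, MD_NONE" row is the behaviour reported above: the signature is perfectly valid, but a verifier that will not infer the MGF hash from the digest length rejects it. Passing the hash that was actually used for the pre-hash (the "strict, sha256" row) satisfies both policies, which is what the linked fix does on the PSA side.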