Closed simonjbeaumont closed 1 week ago
@Lukasa this is ready for another pass when you have time.
@Lukasa OK, thanks for the latest round of feedback. I've addressed all that now, so it's ready for another pass.
@Lukasa as we discussed, now that we have `ArbitraryPrecisionInteger` and `FiniteFieldArithmeticContext` moved to `CryptoBoringWrapper`, I've replaced the use of manually managed `BIGNUM` in the implementation with the memory managed types. Hopefully this makes it much easier to be confident in the correctness.
@swift-server-bot test this please
Motivation
RFC 9474 defines the RSA Blind Signatures protocol, which is a useful building block of privacy-preserving schemes.
Modifications
This PR adds the following public API surface to implement the RSA Blind Signatures protocol:
It also adds tests using the test vectors from the RFC, where possible. That is, for each of the operations except for `blind`, for which we don't have the BoringSSL APIs that would allow us to inject the fixed salt value from the test vectors.

While it's possible to implement the server-side operations using Security framework, it does not expose the APIs we would need to implement the client-side operations. So, because the goal is to also provide the client-side operations in a subsequent PR, the implementation uses BoringSSL on all platforms.
In order to construct the RSA keys from the test vector parameters, some BoringSSL helpers were added.
Result
New API in the `_CryptoExtras` module for the RSA Blind Signatures protocol as defined in RFC 9474, with support for all named variants: `RSABSSA_SHA384_PSS_Randomized`, `RSABSSA_SHA384_PSS_Deterministic`, `RSABSSA_SHA384_PSSZERO_Randomized`, and `RSABSSA_SHA384_PSSZERO_Deterministic`.
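The protocol flow this PR wraps (prepare, blind, blind_sign, finalize, verify), as an added Python example that is not swift-crypto's code and does not use the `_CryptoExtras` API. It follows RFC 9474 for the SHA384-PSSZERO-Deterministic variant: with a zero-length salt the EMSA-PSS encoding is deterministic, so the verifier can re-encode the message and compare instead of running the full RSASSA-PSS-VERIFY, and no salt has to be injected anywhere. Everything here is constructed for the example: the function names, the Miller-Rabin demo key generation with short moduli, and the message. It is not hardened against side channels and is not a substitute for the BoringSSL-backed implementation.

```python
# RSA Blind Signatures (RSABSSA) round trip modelled on RFC 9474, SHA-384 PSSZERO deterministic variant.
# Constructed demo: toy key generation and short moduli; not side-channel hardened.
import hashlib
import math
import secrets

HASH, H_LEN = hashlib.sha384, 48  # hash function and its output length in bytes

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; good enough to make a demo key."""
    if n < 4:
        return n in (2, 3)
    if any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Returns ((n, e), (n, d)). Demo only: real keys come from a crypto library and are >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _mgf1(seed, length):
    blocks = [HASH(seed + c.to_bytes(4, "big")).digest() for c in range((length + H_LEN - 1) // H_LEN)]
    return b"".join(blocks)[:length]

def emsa_pss_encode_zero_salt(msg, mod_bits):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) with sLen = 0: no salt, so the output is deterministic."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + 2:
        raise ValueError("modulus too short for SHA-384 PSS")
    h = HASH(b"\x00" * 8 + HASH(msg).digest()).digest()  # H = Hash(padding1 || mHash || salt), salt empty
    db = b"\x00" * (em_len - H_LEN - 2) + b"\x01"        # DB = PS || 0x01 || salt, salt empty
    masked = bytes(a ^ b for a, b in zip(db, _mgf1(h, em_len - H_LEN - 1)))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]  # clear leftmost bits
    return masked + h + b"\xbc"

def prepare(msg, randomized=False):
    """RFC 9474 Prepare: randomized variants prefix 32 random bytes, deterministic ones pass msg through."""
    return (secrets.token_bytes(32) + msg) if randomized else msg

def blind(pub, prepared_msg):
    """Client. Returns (blinded_msg, inv) with inv = r^-1 mod n; the server never sees prepared_msg."""
    n, e = pub
    m = int.from_bytes(emsa_pss_encode_zero_salt(prepared_msg, n.bit_length()), "big")
    if math.gcd(m, n) != 1:
        raise ValueError("invalid input")  # RFC 9474 'is_blindable' check
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return ((m * pow(r, e, n)) % n).to_bytes((n.bit_length() + 7) // 8, "big"), pow(r, -1, n)

def blind_sign(priv, blinded_msg):
    """Server: plain RSA private operation on the blinded representative."""
    n, d = priv
    z = int.from_bytes(blinded_msg, "big")
    if z >= n:
        raise ValueError("message representative out of range")
    return pow(z, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def finalize(pub, prepared_msg, blind_sig, inv):
    """Client: unblind, then verify before handing the signature out, as the RFC requires."""
    n, _ = pub
    sig = ((int.from_bytes(blind_sig, "big") * inv) % n).to_bytes((n.bit_length() + 7) // 8, "big")
    if not verify(pub, prepared_msg, sig):
        raise ValueError("invalid signature")
    return sig

def verify(pub, prepared_msg, sig):
    """Verifier. With sLen = 0, re-encoding and comparing is equivalent to RSASSA-PSS-VERIFY."""
    n, e = pub
    s = int.from_bytes(sig, "big")
    if len(sig) != (n.bit_length() + 7) // 8 or s >= n:
        return False
    return pow(s, e, n) == int.from_bytes(emsa_pss_encode_zero_salt(prepared_msg, n.bit_length()), "big")

if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = prepare(b"constructed test message")
    blinded, inv = blind(pub, msg)
    sig = finalize(pub, msg, blind_sign(priv, blinded), inv)
    print("verifies:", verify(pub, msg, sig), "tampered:", verify(pub, msg + b"!", sig))
```

Two properties worth observing when running it: the server's `blind_sign` only ever sees `r^e * m mod n`, and because the salt is empty, two independent blindings of the same message unblind to the same signature, which is what "deterministic" means for this variant. The randomized variants differ only in `prepare`; the non-zero-salt PSS variants additionally need a random salt in the encoder and the full EMSA-PSS verify on the checking side, which is the fixed-salt injection the PR cannot reproduce for `blind` with BoringSSL.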