search

notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0
3.23k stars 511 forks source link

Move hardware crypto service to RSA PSS #91

Closed diogomonica closed 8 years ago

diogomonica commented 9 years ago

Currently rsa_hardware_crypto_service.go is using a PKCS1v15 for the verifier. We need to change this to PSS.

aaronlehmann commented 9 years ago

PKCS11 provides CKM_SHA256_RSA_PKCS_PSS: http://www.cryptsoft.com/pkcs11doc/v230/group__SEC__11__1__17__PKCS____1__RSA__PSS__SIGNATURE__WITH__SHA__1____SHA__256____SHA__384__OR__SHA__512.html#CKM_SHA256_RSA_PKCS_PSS

It should be a very simple change to use this instead of PKCS1v15.

Should we fall back to PKCS1v15 if PSS doesn't work for some reason (maybe not all HSMs support it?)

diogomonica commented 9 years ago

I'm still an apologist of removing PKCS1v15 :/