KAS ECC KDF expects .maclen as range

QuentinGouchet commented 4 years ago

The KAS ECC KDF with no KC expects the .maclen to be a range but the specs say it is an integer. We currently specific the .maclen as: .maclen = 256, but the server returns

ACVPProxy (10:35:37) () Verbose: Process following server response:

[
  {
    "acvVersion": "1.0"
  },
  {
    "error": "Validation error(s) on JSON payload.",
    "context": [
      "KAS-ECC-1.0: MacLength Range;At least one kasModeKdfOption is
required.",
      "KAS-ECC-1.0: MacLength Range;At least one kasModeKdfOption is
required.",
      "KAS-ECC-1.0: MacLength Range;At least one kasModeKdfOption is
required.",
      "KAS-ECC-1.0: MacLength Range;At least one kasModeKdfOption is
required."
    ]
  }
]

here is the cipher registration:

{
        "algorithm":"ECDSA",
        "mode":"sigGen",
        "revision":"1.0",
        "componentTest":false,
        "capabilities":[
          {
            "curve":[
              "P-224",
              "P-256",
              "P-384",
              "P-521"
            ],
            "hashAlg":[
              "SHA2-224",
              "SHA2-256",
              "SHA2-384",
              "SHA2-512",
              "SHA2-512/224",
              "SHA2-512/256"
            ]
          }
        ],
        "prereqVals":[
          {
            "algorithm":"SHA",
            "valValue":"same"
          },
          {
            "algorithm":"DRBG",
            "valValue":"same"
          }
        ]
      },

...

 {
        "revision":"1.0",
        "algorithm":"KAS-ECC",
        "prereqVals":[
          {
            "algorithm":"SHA",
            "valValue":"same"
          },
          {
            "algorithm":"DRBG",
            "valValue":"same"
          },
          {
            "algorithm":"ECDSA",
            "valValue":"same"
          }
        ],
        "function":[
          "keyPairGen",
          "fullVal"
        ],
        "scheme":{
          "ephemeralUnified":{
            "kasRole":[
              "initiator",
              "responder"
            ],
            "kdfNoKc":{
              "kdfOption":{
                "concatenation":"",
                "ASN1":""
              },
              "parameterSet":{
                "eb":{
                  "curve":"P-224",
                  "hashAlg":[
                    "SHA2-256"
                  ],
                  "macOption":{
                    "HMAC-SHA2-256":{
                      "keyLen":[
                        256
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      },

Kritner commented 4 years ago

No OI Pattern has been specified for your KDF option: https://usnistgov.github.io/ACVP/artifacts/acvp_sub_kas_ecc.html#rfc.section.3.10
macLen has not been specified under your "macOption" object, it is expected to be an integer supporting the largest macLen possible for the IUT

QuentinGouchet commented 4 years ago

Thanks Russ! I removed ASN1 as a KDF option, and replaced .oipattern with: .oipattern = "literal[123456789CAFECAFE434156536964a1b2c3d4e5b16c5f78ef56e8c14a561]"

Did not realize we needed literal[].

Closing issue.

usnistgov / ACVP

KAS ECC KDF expects .maclen as range #940