wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0

[Bug]: Missing Code for Supported Algorithms in Signature.h/Signature.c #8178

Closed opencrypto closed 1 week ago

opencrypto commented 1 week ago

Contact Details

massimiliano.pala@wellsfargo.com

Version

Master Branch

Description

The signature.c/signature.h files seem to only be able to handle RSA or ECC keys, but no support for RSAPSS, ML-DSA, or other signatures is present. Are these functions supposed to be generic? If they are, we need to add support for all the supported signing algorithms or, if they are not meant to be generic, add a qualifier (e.g., "traditional_only"?).

Reproduction steps

./autogen.sh && \
./configure --prefix=/opt/wolfssl --enable-opensslall \
    --enable-dilithium --enable-kyber --enable-falcon \
    --enable-ocsp --enable-ocspstapling \
    --enable-experimental --enable-rsapss --enable-ed25519 --enable-curve25519 \
    --enable-ed448 --enable-curve448 --enable-psk \
    --enable-brainpool --enable-ecccustcurves \
    --enable-keygen --enable-certgen --enable-certreq \
    --enable-certext --enable-pkcs8 --enable-asyncthreads \
    --enable-dual-alg-certs --enable-examples --enable-debug && \
make

Relevant log output

Signature.h:38

enum wc_SignatureType {
    WC_SIGNATURE_TYPE_NONE = 0,
    WC_SIGNATURE_TYPE_ECC = 1,
    WC_SIGNATURE_TYPE_RSA = 2,
    WC_SIGNATURE_TYPE_RSA_W_ENC = 3 /* Adds DER header via wc_EncodeSignature */
};

anhu commented 1 week ago

Hi @opencrypto,

Thanks for pointing this out!! These functions did not need to be aware of those algorithms for TLS 1.3 to support those algorithms, so it was not done. Is there any particular reason you would like these functions to support RSAPSS and/or ML-DSA?

Warm regards, Anthony

opencrypto commented 1 week ago

Hi Anthony!

I am just adding the mldsa composite and I noticed that in some examples those functions are used and extending the examples to use the new algorithm would fail.

One of the things I am failing to find is how to load or save a private key without having to use long switch statements (e.g. a generic function to load a key). Is there such a thing, or is there a suggested/example pattern for private key load/save?

anhu commented 1 week ago

Hello!

I would simply follow the patterns that are already present for Kyber and Dilithium. Yes, that means adding to the switch statements.

Warm regards, Anthony

opencrypto commented 1 week ago

Thank you, Anthony! So, I guess we can close this ticket as not being relevant.

I will work on a couple of functions to help loading keys in different formats.

I was planning to (a) load the p8 file, (b) check the OID of the key, and (c) use the appropriate function to load the key.

What function shall I use to process the P8 file? ToTraditionalInline_ex2()?

anhu commented 1 week ago

I like to start from the API level and go down from there. Look at wolfSSL_CTX_use_PrivateKey_file() and you can trace down to lower level functions.

As you suggested, I will now mark this ticket as closed. Thanks!! Warm regards, Anthony
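
The plan from the thread (read the P8 data, check the key's OID, then dispatch to the matching loader), as an added example that is not part of the original discussion and is not wolfSSL code. It assumes an unencrypted PKCS#8 PrivateKeyInfo in DER; `key_kind`, `der_hdr`, `p8_key_kind` and the sample arrays are hypothetical names for this sketch, and every length is bounds-checked before use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key-type tags for this example (not wolfSSL's enum). */
enum key_kind { KEY_UNKNOWN, KEY_RSA, KEY_RSA_PSS, KEY_ECC, KEY_ED25519, KEY_MLDSA };
static const struct { enum key_kind kind; uint8_t len; uint8_t oid[9]; } oid_map[] = {
    { KEY_RSA,     9, {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01} }, /* rsaEncryption */
    { KEY_RSA_PSS, 9, {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a} }, /* id-RSASSA-PSS */
    { KEY_ECC,     7, {0x2a,0x86,0x48,0xce,0x3d,0x02,0x01} },           /* id-ecPublicKey */
    { KEY_ED25519, 3, {0x2b,0x65,0x70} },                               /* id-Ed25519 */
    { KEY_MLDSA,   9, {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x12} }, /* id-ml-dsa-65 */
};

/* Read a DER header with the expected tag at buf[*pos]; on success *pos is the
 * start of the value and *len its length. Out-of-bounds lengths are rejected. */
static int der_hdr(const uint8_t *buf, size_t sz, size_t *pos, uint8_t tag, size_t *len)
{
    size_t p = *pos, n, l;
    if (p > sz || sz - p < 2 || buf[p] != tag) return -1;
    l = buf[p + 1]; p += 2;
    if (l & 0x80) {                 /* long form: low 7 bits count the length bytes */
        n = l & 0x7f; l = 0;
        if (n == 0 || n > 2 || sz - p < n) return -1;
        while (n--) l = (l << 8) | buf[p++];
    }
    if (l > sz - p) return -1;
    *pos = p; *len = l;
    return 0;
}

/* Step (b): return the key type named by the PrivateKeyInfo algorithm OID. */
enum key_kind p8_key_kind(const uint8_t *der, size_t sz)
{
    size_t pos = 0, len, end, i;
    if (der_hdr(der, sz, &pos, 0x30, &len) || pos + len != sz) return KEY_UNKNOWN;
    if (der_hdr(der, sz, &pos, 0x02, &len)) return KEY_UNKNOWN;   /* version */
    pos += len;
    if (der_hdr(der, sz, &pos, 0x30, &len)) return KEY_UNKNOWN;   /* AlgorithmIdentifier */
    end = pos + len;                /* the OID must sit inside the AlgorithmIdentifier */
    if (der_hdr(der, end, &pos, 0x06, &len)) return KEY_UNKNOWN;  /* algorithm OID */
    for (i = 0; i < sizeof oid_map / sizeof oid_map[0]; i++)
        if (len == oid_map[i].len && memcmp(der + pos, oid_map[i].oid, len) == 0)
            return oid_map[i].kind;
    return KEY_UNKNOWN;
}

/* Constructed samples: Ed25519 layout with an all-zero seed; ML-DSA-65 OID with an empty key field. */
const uint8_t sample_ed25519[48] = {0x30,0x2e,0x02,0x01,0x00,0x30,0x05,0x06,0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20};
const uint8_t sample_mldsa[20] = {0x30,0x12,0x02,0x01,0x00,0x30,0x0b,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x12,0x04,0x00};
int main(void) { printf("kind=%d\n", p8_key_kind(sample_ed25519, sizeof sample_ed25519)); return 0; }
```

Step (c) is then a single switch on the returned tag that calls the algorithm-specific decoder; a new algorithm needs one table row and one case.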