Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: sailfishos-mirror/nss
base: 7496e5f6b88b12600716ff79d55c6d4787b44278
Choose a base ref
...
head repository: sailfishos-mirror/nss
compare: f945d56b45e026bcf0a307419758e68c85ad3b47
Choose a head ref
  • 3 commits
  • 15 files changed
  • 1 contributor

Commits on Apr 1, 2021

  1. Bug 1702663 Need to support RSA PSS with Hashing PKCS #11 Mechanisms. 

    FIPS requires that we supply a hash and sign interface for our supported
signing algorithms to be validated. We already have those interfaces in
softoken for RSA PKCS1, DSA, and ECDSA. However, we don't test those
interfaces, now do we supply a way for an application to access those
interfaces (usually applications use the VFY_ and SGN_ interfaces which
handles the hashing an verify/sign operations).

We also have a generic pk11_signature_tests class in pk11_gtest, but only ecdsa
and some rsa pss tests uses it.

This patch rectifies all of these deficiencies:

lib/softokn
1) Hash and sign/verify mechanisms have been added to softoken to support PSS
hash and sign.
2) The rsa, dsa, and ecdsa hash and sign algorithms were also cleaned up by
creating a fake CKM_SHA1 which matches CKM_SHA_1 so that we can fully use the
same macros for all the hash types.

1&2 was sufficient to provide the goals of this task, however we wanted to be
able to add tests for this functionality..

lib/pk11wrap
3) Two new functions were added: PK11_CreateContextByPubKey and
PK11_CreateContextByPrivKey. These allow you to create multipart contexts with
Public and Private keys. This is a requirement to support hash and sign, as
they are multi-part operations (rather then just signing a hash, which is a
single part operation). With these functions, you can now use the PK11_DigestOp
and PK11_DigestFinal to complete a signature or verify optiation.

gtests/pk11_gtest
4) Add hash and sign/hash and verify support to the generic
pk11_signature_tests.h.
5) pk11_dsa_unittest.cc, pk11_rsa_unittest.cc, and the remainder of
pk11_rsapss_unittest.cc (Wycheproof tests) were moved to use the
pk11_signature_tests common implementation rather then their own.
6) pk11_ecdsa_unittest.cc was updated to support the hash&sign/verify combo
mechanism.
7) With multiple functions using pk11_signature_tests.h, The large functions
are moved to pk11_signature_tests.cpp.
8) The test vectors themselves were not changes, now just test against the
traditional hash first then verify interfaces and the hash and verify
interfaces.

Differential Revision: https://phabricator.services.mozilla.com/D110641

--HG--
extra : rebase_source : d2ec6b9589562cedd4aca45b79a649162eadc5ec
    @rjrelyea
    rjrelyea committed Apr 1, 2021
    Copy the full SHA
    5023aee View commit details
    Browse the repository at this point in the history

Commits on Apr 29, 2021

  1. Fix bad merge of PSS patch

    @rjrelyea
    rjrelyea committed Apr 29, 2021
    Copy the full SHA
    71573d7 View commit details
    Browse the repository at this point in the history

  2. (sigh) abi check file has a file location change after the merge

    @rjrelyea
    rjrelyea committed Apr 29, 2021
    Copy the full SHA
    f945d56 View commit details
    Browse the repository at this point in the history