-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TPM2 ignores EVP_PKEY_CTX_set_rsa_pss_saltlen and always uses max salt #115
Comments
Hmm. I would love to fix this, but the TPM2.0 specification doesn't seem to allow salt values shorter than the maximum. The TPM seems to have no salt len parameter. |
@gotthardp I'm a bit confused now. Latest TPM 2.0 spec part 1 B.7 says this:
FIPS 186-5, section 5.4.g claims this:
I understand "largest size allowed by the key size and message digest size" as largest meeting "0 <= sLen <= hLen" criteria which ends up being just sLen == hLen. see also @vcsjones response here: |
The TPM2.0 specification has changed in this respect, see Change History, Revision 163. The TPM has no way of setting it, but uses either the max length or the hash-size length (up to the vendor). By now, I would assume that implementations have switched to the hash-size based salt length following FIPS 186-4, but the only way to know is to check databooks or test. Hence, the The latest standard is 01.83, but I would expect that many TPM2 chips on the market will conform to some older specification. For example, the most recent ST STSAFE-TPM as well as Infineon OPTIGA TPM follow TPM2.0 revision 1.59 and FIPS 140-3, i.e. the one prior the specification change. |
Would it at least be possible to show some error code when that API is called? Currently it silently ignores and reports back what was set (don't know the implementation details if that is handled on OpenSsl or tpm2 side) - you can only figure out what happens when you put restrictions on the verification side |
I've noticed that when I use TPM2 provider the implementation will ignore EVP_PKEY_CTX_set_rsa_pss_saltlen setting and will always use max salt length instead.
Some implementations don't allow changing or detecting salt length and will always use hLen=sLen as recommended by spec (i.e. .NET) and make the signature not possible to validate there.
Note that this is true regardless if I use placeholder value RSA_PSS_SALTLEN_DIGEST or 32 explicitly (=hLen because I'm using SHA256).
If you validate that with OpenSSL it will accept the signature though because by default it will detect salt length. If you manually change it to RSA_PSS_SALTLEN_DIGEST then it won't verify it.
I believe this might be related to following issues:
also related issue on .NET:
The text was updated successfully, but these errors were encountered: