Adapt ASN1_item_sign_ctx() for use with provided keypairs by levitte · Pull Request #10920 · openssl/openssl

levitte · 2020-01-21T20:12:12Z

The mechanism to do this is to ask the signature operation for the DER
encoded AlgorithmIdentifier that corresponds to the combination of
signature algorithm and digest algorithm.

The provided DSA implementation is adapted to suit.

levitte · 2020-01-21T20:12:53Z

The EXPERIMENTAL (#10797) test failure that triggered this is test_req

providers/implementations/signature/dsa.c

crypto/dsa/dsa_aid.c

mattcaswell · 2020-01-22T11:40:05Z

Travis failure appears relevant.

levitte · 2020-01-22T12:07:42Z

There will be corresponding work for ASN1_item_verify_ctx. That's a bit more involved because of horrid SM2 hackery in x_all.c. I'm pondering if I should make that a separate PR or include that in this PR. Thoughts?

levitte · 2020-01-22T20:03:11Z

Travis failure appears relevant.

It should be fine now

slontis · 2020-01-23T10:09:28Z

It should be fine now

Rebuilt the failing travis tests (now that the error in master is fixed).
This should now only show real errors

slontis · 2020-01-23T23:58:29Z

There is a memory leak..

include/openssl/core_names.h

providers/implementations/signature/dsa.c

paulidale · 2020-01-24T07:25:24Z

Is Travis relevant here? (fuzz test failure).

slontis · 2020-01-24T08:16:43Z

Is Travis relevant here? (fuzz test failure).

Its a memory leak picked up by asan

levitte · 2020-01-24T18:42:38Z

Time for a re-review

providers/implementations/signature/dsa.c

crypto/dsa/dsa_aid.c

The mechanism to do this is to ask the signature operation for the DER encoded AlgorithmIdentifier that corresponds to the combination of signature algorithm and digest algorithm.

…tifiers

…thmidentifiers

crypto/asn1/a_sign.c

The mechanism to do this is to ask the signature operation for the DER encoded AlgorithmIdentifier that corresponds to the combination of signature algorithm and digest algorithm. Reviewed-by: Shane Lontis <[email protected]> (Merged from #10920)

…tifiers Reviewed-by: Shane Lontis <[email protected]> (Merged from #10920)

Reviewed-by: Shane Lontis <[email protected]> (Merged from #10920)

levitte · 2020-01-28T07:12:03Z

Merged

d5aef59 Adapt ASN1_item_sign_ctx() for use with provided keypairs
505b41f PROV: Adapt the DSA signature implementation to provide Algorithmidentifiers
0cb3f4f test_evp_extra_test.c: don't rely on exact parameter position

paulidale · 2020-01-30T05:13:47Z

crypto/dsa/dsa_aid.c

+ENCODE_ALGORITHMIDENTIFIER_SHAx(sha3_224, 5);
+ENCODE_ALGORITHMIDENTIFIER_SHAx(sha3_256, 6);
+ENCODE_ALGORITHMIDENTIFIER_SHAx(sha3_384, 7);
+ENCODE_ALGORITHMIDENTIFIER_SHAx(sha3_512, 8);


This is perfect for FIPS. It isn't so good if dsa-with-XXX exists for other digests. Probably more of an issue for ECDSA than here.

levitte added branch: master Applies to master branch approval: review pending This pull request needs review by a committer labels Jan 21, 2020

slontis reviewed Jan 22, 2020

View reviewed changes

providers/implementations/signature/dsa.c Outdated Show resolved Hide resolved

slontis reviewed Jan 22, 2020

View reviewed changes

crypto/dsa/dsa_aid.c Outdated Show resolved Hide resolved

levitte force-pushed the prov-algorithmidentifier branch from 6e0f879 to 4b10f1d Compare January 23, 2020 17:36