path: root/doc/man7
author: slontis <shane.lontis@oracle.com> 2022-07-15 13:22:01 +0200
committer: Hugo Landau <hlandau@openssl.org> 2022-11-30 08:31:53 +0100
commit: f3090fc710e30a749acaf9e5dfbe20dd163cf15d (patch)
tree: 720d4b3cada6e81a69a2b2b68f6e8cf592c3e003 /doc/man7
parent: evp_test: fix rebase mistake with no_gost (diff)
Implement deterministic ECDSA sign (RFC6979)
This PR is based off the contributions in PR #9223 by Jemmy1228.
It has been modified and reworked to:
(1) Work with providers
(2) Support ECDSA and DSA
(3) Add a KDF HMAC_DRBG implementation that shares code with the RAND HMAC_DRBG.

A nonce_type is passed around inside the Signing APIs, in order to support any future deterministic algorithms.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18809)
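The RFC 6979 procedure this commit implements, written out as an added, stand-alone Python reference (this is not OpenSSL's code and not taken from the patch): the HMAC_DRBG-based derivation of k from RFC 6979 Section 3.2, followed by a minimal P-256 ECDSA sign and verify so the derived k, r and s can be checked against the published vector in RFC 6979 Appendix A.2.5 (SHA-256, message "sample"). The curve constants are the public NIST P-256 parameters and the private key is the RFC's test key, both embedded inline. RFC 6979 itself describes the derivation as HMAC_DRBG instantiated with entropy_input = int2octets(x) and nonce = bits2octets(H(m)); that these are the bytes OpenSSL's signature code feeds to the new KDF's "entropy" and "nonce" parameters is an assumption, since this documentation-only diff does not show the signing code.

```python
import hashlib
import hmac

# Added reference code, not OpenSSL's implementation.  NIST P-256 domain
# parameters (public constants); N is the group order q of RFC 6979.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
QLEN = N.bit_length()          # 256 bits
RLEN = (QLEN + 7) // 8 * 8     # qlen rounded up to a whole number of octets
# Private key from RFC 6979 Appendix A.2.5 (published test vector, not a secret).
RFC_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: big-endian integer from the leftmost qlen bits of b."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v


def int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: x as an rlen-bit big-endian octet string."""
    return x.to_bytes(RLEN // 8, "big")


def bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: int2octets(bits2int(b) mod q)."""
    return int2octets(bits2int(b) % N)


def rfc6979_k(x: int, h1: bytes, hashfunc=hashlib.sha256) -> int:
    """RFC 6979 3.2 steps b-h.  In HMAC_DRBG terms (the RFC's own description)
    the instantiation uses entropy_input = int2octets(x) and nonce = bits2octets(h1);
    the loop is HMAC_DRBG generate with a retry when the candidate is outside [1, q-1]."""
    hlen = hashfunc().digest_size
    V = b"\x01" * hlen                                        # step b
    K = b"\x00" * hlen                                        # step c
    seed = int2octets(x) + bits2octets(h1)                    # entropy || nonce
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()    # step d
    V = hmac.new(K, V, hashfunc).digest()                     # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()    # step f
    V = hmac.new(K, V, hashfunc).digest()                     # step g
    while True:                                               # step h
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()       # h.3: retry
        V = hmac.new(K, V, hashfunc).digest()


def deterministic_k(x: int, msg: bytes, hashfunc=hashlib.sha256) -> int:
    """Convenience wrapper: hash the message, then derive k from (x, H(m))."""
    return rfc6979_k(x, hashfunc(msg).digest(), hashfunc)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # addition
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time; reference only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign_deterministic(x: int, msg: bytes, hashfunc=hashlib.sha256):
    """ECDSA sign with k from RFC 6979 instead of an RNG: same (x, msg) -> same (r, s)."""
    h1 = hashfunc(msg).digest()
    k = rfc6979_k(x, h1, hashfunc)
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (bits2int(h1) % N + x * r) % N
    return r, s


def ecdsa_verify(pub, msg: bytes, sig, hashfunc=hashlib.sha256) -> bool:
    """Standard ECDSA verification; a deterministic k changes nothing on this side."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    h = bits2int(hashfunc(msg).digest()) % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


if __name__ == "__main__":
    sig = ecdsa_sign_deterministic(RFC_X, b"sample")
    print("k =", hex(deterministic_k(RFC_X, b"sample")), "r,s =", [hex(v) for v in sig],
          "verifies:", ecdsa_verify(ec_mul(RFC_X, G), b"sample", sig))
```

Signing the same message twice yields byte-identical signatures, which is the property the "nonce-type" parameter in this patch turns on; the verify side is unchanged, so a verifier cannot tell a deterministic signature from a randomized one.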
Diffstat (limited to 'doc/man7')
-rw-r--r--  doc/man7/EVP_KDF-HMAC-DRBG.pod     | 71
-rw-r--r--  doc/man7/EVP_RAND-HMAC-DRBG.pod    |  2
-rw-r--r--  doc/man7/EVP_SIGNATURE-DSA.pod     |  2
-rw-r--r--  doc/man7/EVP_SIGNATURE-ECDSA.pod   |  2
-rw-r--r--  doc/man7/OSSL_PROVIDER-default.pod |  1
-rw-r--r--  doc/man7/provider-signature.pod    |  9
6 files changed, 86 insertions, 1 deletions
diff --git a/doc/man7/EVP_KDF-HMAC-DRBG.pod b/doc/man7/EVP_KDF-HMAC-DRBG.pod
new file mode 100644
index 0000000000..eb240da333
--- /dev/null
+++ b/doc/man7/EVP_KDF-HMAC-DRBG.pod
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+EVP_KDF-HMAC-DRBG
+- The HMAC DRBG DETERMINISTIC EVP_KDF implementation
+
+=head1 DESCRIPTION
+
+Support for a deterministic HMAC DRBG using the B<EVP_KDF> API. This is similiar
+to L<EVP_RAND-HMAC-DRBG(7)>, but uses fixed values for its entropy and nonce
+values. This is used to generate deterministic nonce value required by ECDSA
+and DSA (as defined in RFC 6979).
+
+=head2 Identity
+
+"HMAC-DRBG-KDF" is the name for this implementation; it can be used
+with the EVP_KDF_fetch() function.
+
+=head2 Supported parameters
+
+The supported parameters are:
+
+=over 4
+
+=item "digest" (B<OSSL_DRBG_PARAM_DIGEST>) <UTF8 string>
+
+=item "properties" (B<OSSL_DRBG_PARAM_PROPERTIES>) <UTF8 string>
+
+These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
+
+=item "entropy" (B<OSSL_KDF_PARAM_HMACDRBG_ENTROPY>) <octet string>
+
+Sets the entropy bytes supplied to the HMAC-DRBG.
+
+=item "nonce" (B<OSSL_KDF_PARAM_HMACDRBG_NONCE>) <octet string>
+
+Sets the nonce bytes supplied to the HMAC-DRBG.
+
+=back
+
+=head1 NOTES
+
+A context for KDF HMAC DRBG can be obtained by calling:
+
+ EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HMAC-DRBG-KDF", NULL);
+ EVP_KDF_CTX *kdf_ctx = EVP_KDF_CTX_new(kdf, NULL);
+
+=head1 CONFORMING TO
+
+RFC 6979
+
+=head1 SEE ALSO
+
+L<EVP_KDF(3)>,
+L<EVP_KDF(3)/PARAMETERS>
+
+=head1 HISTORY
+
+The EVP_KDF-HMAC-DRBG functionality was added in OpenSSL 3.2.
+
+=head1 COPYRIGHT
+
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
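Review bot: the DESCRIPTION of this new page has "similiar" for "similar" and "deterministic nonce value required by ECDSA and DSA" should read "deterministic nonce values required by ECDSA and DSA". In the parameter list, "digest" and "properties" are labelled with the RAND macros B<OSSL_DRBG_PARAM_DIGEST> / B<OSSL_DRBG_PARAM_PROPERTIES> while the sentence under them sends the reader to L<EVP_KDF(3)/PARAMETERS>, which documents them as B<OSSL_KDF_PARAM_DIGEST> / B<OSSL_KDF_PARAM_PROPERTIES>; use the KDF macros so they match the "entropy" and "nonce" items, which already carry the B<OSSL_KDF_PARAM_*> prefix. The "entropy" and "nonce" items say only that they set the bytes supplied to the HMAC-DRBG; one sentence stating what a caller must pass for the RFC 6979 use case (the RFC's Section 3.2 feeds int2octets(x) as the entropy input and bits2octets(H(m)) as the nonce) would make the page usable without reading the signature provider source. Lastly, the identity here is "HMAC-DRBG-KDF" while the OSSL_PROVIDER-default.pod hunk in this same commit lists the KDF as "HMAC-DRBG"; agree on one name so EVP_KDF_fetch() callers are not pointed at the RAND algorithm that is already called "HMAC-DRBG".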
diff --git a/doc/man7/EVP_RAND-HMAC-DRBG.pod b/doc/man7/EVP_RAND-HMAC-DRBG.pod
index 54ae61478d..ae3a51dbd7 100644
--- a/doc/man7/EVP_RAND-HMAC-DRBG.pod
+++ b/doc/man7/EVP_RAND-HMAC-DRBG.pod
@@ -59,7 +59,7 @@ These parameters work as described in L<EVP_RAND(3)/PARAMETERS>.
A context for HMAC DRBG can be obtained by calling:
EVP_RAND *rand = EVP_RAND_fetch(NULL, "HMAC-DRBG", NULL);
- EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand);
+ EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
=head1 EXAMPLES
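Review bot: this one-line fix to the EVP_RAND_CTX_new() example is unrelated to the deterministic-signing feature and would bisect more cleanly as its own commit; if it stays here, the commit message should at least mention it. The correction itself is right: EVP_RAND_CTX_new() takes the parent DRBG as its second argument, and NULL means no parent.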
diff --git a/doc/man7/EVP_SIGNATURE-DSA.pod b/doc/man7/EVP_SIGNATURE-DSA.pod
index 4801cf9994..7eeb234f75 100644
--- a/doc/man7/EVP_SIGNATURE-DSA.pod
+++ b/doc/man7/EVP_SIGNATURE-DSA.pod
@@ -22,6 +22,8 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
=item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string>
+=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+
The settable parameters are described in L<provider-signature(7)>.
=back
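Review bot: the new "nonce-type" item is added to the DSA settable-parameter list, but nothing in the hunk records that the parameter is new in OpenSSL 3.2 the way the new EVP_KDF-HMAC-DRBG.pod does in its HISTORY section; add a HISTORY line so users of earlier 3.x releases know why setting it fails. It would also help to say inline that the parameter only changes how the sign operation chooses B<k>: verification of an RFC 6979 signature is ordinary DSA verification and the parameter has no effect there.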
diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod
index 0ac3f78461..b1757f2630 100644
--- a/doc/man7/EVP_SIGNATURE-ECDSA.pod
+++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod
@@ -21,6 +21,8 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify().
=item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string>
+=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+
These parameters are described in L<provider-signature(7)>.
=back
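Review bot: the item defers entirely to provider-signature(7), but the RFC 6979 derivation depends on the hash function H used for HMAC_DRBG, which the RFC ties to the digest that hashes the message; this page should say which digest the deterministic path uses and what happens when "nonce-type" is 1 but no "digest" has been set on the context (for instance a raw EVP_PKEY_sign() over a pre-hashed input), since that is the combination an application developer will hit first. A HISTORY entry noting the parameter appeared in 3.2 is also missing from the hunk.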
diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod
index 35ca0f8ccb..9724b0ab23 100644
--- a/doc/man7/OSSL_PROVIDER-default.pod
+++ b/doc/man7/OSSL_PROVIDER-default.pod
@@ -145,6 +145,7 @@ The OpenSSL default provider supports these operations and algorithms:
=item KRB5KDF, see L<EVP_KDF-KRB5KDF(7)>
+=item HMAC-DRBG, see L<EVP_KDF-HMAC-DRBG(7)>
=back
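Review bot: this list item names the KDF "HMAC-DRBG", but the page it links to documents the fetchable identity as "HMAC-DRBG-KDF", and "HMAC-DRBG" is already the name of the RAND algorithm in EVP_RAND-HMAC-DRBG(7); use the KDF's actual name here so the default-provider listing matches what EVP_KDF_fetch() accepts.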
diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod
index 7c35037316..d77979cd8e 100644
--- a/doc/man7/provider-signature.pod
+++ b/doc/man7/provider-signature.pod
@@ -363,6 +363,15 @@ The length of the "digest-size" parameter should not exceed that of a B<size_t>.
Gets the DER encoded AlgorithmIdentifier that corresponds to the combination of
signature algorithm and digest algorithm for the signature operation.
+=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
+
+Set this to 1 to use a deterministic ECDSA or DSA digital signature as
+defined in RFC #6979 (See Section 3.2 "Generation of k").
+The default value of 0 uses a random value for the nonce B<k> as defined in
+FIPS 186-4 Section 6.3 "Secret Number Generation".
+Before using deterministic digital signature please read
+RFC #6979 Section 4 "Security Considerations".
+
=item "kat" (B<OSSL_SIGNATURE_PARAM_KAT>) <unsigned integer>
Sets a flag to modify the sign operation to return an error if the initial
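Review bot: "RFC #6979" (used twice in the new "nonce-type" text) should be "RFC 6979"; the "#" reads like an issue number and does not match the "RFC 6979" citation in the new KDF page's CONFORMING TO section. The text defines the meaning of 1 and 0 but not of any other value; state that only 0 and 1 are defined, or that other values are rejected, whichever the implementation does. Because this item sits next to "algorithm-id", which the preceding paragraph describes as a gettable parameter, say explicitly that "nonce-type" is settable and applies to the sign operation only. The pointer to RFC 6979 Section 4 is the right caveat; one more sentence that a deterministic B<k> removes the dependence on RNG quality but makes repeated signing of the same message produce an identical signature would give readers the trade-off without having to open the RFC.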