| field | value | date |
|---|---|---|
| author | slontis <shane.lontis@oracle.com> | 2022-07-15 13:22:01 +0200 |
| committer | Hugo Landau <hlandau@openssl.org> | 2022-11-30 08:31:53 +0100 |
| commit | f3090fc710e30a749acaf9e5dfbe20dd163cf15d | |
| tree | 720d4b3cada6e81a69a2b2b68f6e8cf592c3e003 /doc/man7 | |
| parent | evp_test: fix rebase mistake with no_gost | |
Implement deterministic ECDSA sign (RFC6979)
This PR is based off the contributions in PR #9223 by Jemmy1228.
It has been modified and reworked to:
(1) Work with providers
(2) Support ECDSA and DSA
(3) Add a KDF HMAC_DRBG implementation that shares code with the RAND HMAC_DRBG.
A nonce_type is passed around inside the Signing APIs, in order to support any
future deterministic algorithms.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18809)
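The nonce derivation this commit wires behind nonce-type=1 (RFC 6979 Section 3.2: an HMAC-DRBG whose entropy input is int2octets(x) and whose nonce is bits2octets(H(m)), which is what the new HMAC-DRBG-KDF is fed) written out in Python as an added example; this is not OpenSSL's code, and it assumes the P-256 group order and only the standard hashlib and hmac modules.

```python
import hashlib
import hmac

# P-256 group order (q in RFC 6979 notation), as published in FIPS 186-4 / SEC 2.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def bits2int(b, qlen):
    """RFC 6979 2.3.2: interpret b as an integer, keeping only its leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v

def int2octets(x, qlen):
    """RFC 6979 2.3.3: big-endian encoding padded to ceil(qlen / 8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")

def bits2octets(b, q, qlen):
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return int2octets(bits2int(b, qlen) % q, qlen)

def rfc6979_nonce(x, msg, q=P256_ORDER, hashname="sha256"):
    """Per-message secret k per RFC 6979 3.2 (added example, not OpenSSL code):
    an HMAC-DRBG seeded with entropy = int2octets(x) and nonce = bits2octets(H(msg)).
    x is the private scalar; the same (x, msg, q, hash) always yields the same k."""
    qlen = q.bit_length()
    hlen = hashlib.new(hashname).digest_size
    h1 = hashlib.new(hashname, msg).digest()          # step a: h1 = H(m)
    seed = int2octets(x, qlen) + bits2octets(h1, q, qlen)  # entropy || nonce

    def mac(key, data):
        return hmac.new(key, data, hashname).digest()

    V = b"\x01" * hlen                                # step b
    K = b"\x00" * hlen                                # step c
    K = mac(K, V + b"\x00" + seed)                    # step d
    V = mac(K, V)                                     # step e
    K = mac(K, V + b"\x01" + seed)                    # step f
    V = mac(K, V)                                     # step g
    while True:                                       # step h
        T = b""
        while len(T) * 8 < qlen:                      # h.2: gather qlen bits of output
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:                                # h.3: accept only an in-range k
            return k
        K = mac(K, V + b"\x00")                       # out of range: update K, V and retry
        V = mac(K, V)
```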
Diffstat (limited to 'doc/man7')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/man7/EVP_KDF-HMAC-DRBG.pod | 71 |
| -rw-r--r-- | doc/man7/EVP_RAND-HMAC-DRBG.pod | 2 |
| -rw-r--r-- | doc/man7/EVP_SIGNATURE-DSA.pod | 2 |
| -rw-r--r-- | doc/man7/EVP_SIGNATURE-ECDSA.pod | 2 |
| -rw-r--r-- | doc/man7/OSSL_PROVIDER-default.pod | 1 |
| -rw-r--r-- | doc/man7/provider-signature.pod | 9 |

6 files changed, 86 insertions, 1 deletions
diff --git a/doc/man7/EVP_KDF-HMAC-DRBG.pod b/doc/man7/EVP_KDF-HMAC-DRBG.pod new file mode 100644 index 0000000000..eb240da333 --- /dev/null +++ b/doc/man7/EVP_KDF-HMAC-DRBG.pod @@ -0,0 +1,71 @@ +=pod + +=head1 NAME + +EVP_KDF-HMAC-DRBG +- The HMAC DRBG DETERMINISTIC EVP_KDF implementation + +=head1 DESCRIPTION + +Support for a deterministic HMAC DRBG using the B<EVP_KDF> API. This is similiar +to L<EVP_RAND-HMAC-DRBG(7)>, but uses fixed values for its entropy and nonce +values. This is used to generate deterministic nonce value required by ECDSA +and DSA (as defined in RFC 6979). + +=head2 Identity + +"HMAC-DRBG-KDF" is the name for this implementation; it can be used +with the EVP_KDF_fetch() function. + +=head2 Supported parameters + +The supported parameters are: + +=over 4 + +=item "digest" (B<OSSL_DRBG_PARAM_DIGEST>) <UTF8 string> + +=item "properties" (B<OSSL_DRBG_PARAM_PROPERTIES>) <UTF8 string> + +These parameters work as described in L<EVP_KDF(3)/PARAMETERS>. + +=item "entropy" (B<OSSL_KDF_PARAM_HMACDRBG_ENTROPY>) <octet string> + +Sets the entropy bytes supplied to the HMAC-DRBG. + +=item "nonce" (B<OSSL_KDF_PARAM_HMACDRBG_NONCE>) <octet string> + +Sets the nonce bytes supplied to the HMAC-DRBG. + +=back + +=head1 NOTES + +A context for KDF HMAC DRBG can be obtained by calling: + + EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HMAC-DRBG-KDF", NULL); + EVP_KDF_CTX *kdf_ctx = EVP_KDF_CTX_new(kdf, NULL); + +=head1 CONFORMING TO + +RFC 6979 + +=head1 SEE ALSO + +L<EVP_KDF(3)>, +L<EVP_KDF(3)/PARAMETERS> + +=head1 HISTORY + +The EVP_KDF-HMAC-DRBG functionality was added in OpenSSL 3.2. + +=head1 COPYRIGHT + +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut 
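Review bot: the new EVP_KDF-HMAC-DRBG.pod mixes parameter-name prefixes: the "digest" and "properties" items are tagged B<OSSL_DRBG_PARAM_DIGEST> and B<OSSL_DRBG_PARAM_PROPERTIES> while the "entropy" and "nonce" items in the same list use B<OSSL_KDF_PARAM_HMACDRBG_ENTROPY> and B<OSSL_KDF_PARAM_HMACDRBG_NONCE>; a KDF page should use the OSSL_KDF_PARAM_ macros throughout, or say why the DRBG ones apply. In DESCRIPTION, "similiar" should be "similar" and "generate deterministic nonce value required by" should read "generate the deterministic nonce value required by". The NOTES section only shows how to fetch the KDF; a second snippet showing EVP_KDF_derive() with the "digest", "entropy" and "nonce" parameters set would let a reader use the page on its own. SEE ALSO also lists L<EVP_KDF(3)> twice (once bare, once with /PARAMETERS); one entry is enough.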
diff --git a/doc/man7/EVP_RAND-HMAC-DRBG.pod b/doc/man7/EVP_RAND-HMAC-DRBG.pod index 54ae61478d..ae3a51dbd7 100644 --- a/doc/man7/EVP_RAND-HMAC-DRBG.pod +++ b/doc/man7/EVP_RAND-HMAC-DRBG.pod @@ -59,7 +59,7 @@ These parameters work as described in L<EVP_RAND(3)/PARAMETERS>. A context for HMAC DRBG can be obtained by calling: EVP_RAND *rand = EVP_RAND_fetch(NULL, "HMAC-DRBG", NULL); - EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand); + EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL); =head1 EXAMPLES diff --git a/doc/man7/EVP_SIGNATURE-DSA.pod b/doc/man7/EVP_SIGNATURE-DSA.pod index 4801cf9994..7eeb234f75 100644 --- a/doc/man7/EVP_SIGNATURE-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-DSA.pod @@ -22,6 +22,8 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string> +=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer> + The settable parameters are described in L<provider-signature(7)>. =back diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod index 0ac3f78461..b1757f2630 100644 --- a/doc/man7/EVP_SIGNATURE-ECDSA.pod +++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod @@ -21,6 +21,8 @@ and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string> +=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer> + These parameters are described in L<provider-signature(7)>. =back diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 35ca0f8ccb..9724b0ab23 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -145,6 +145,7 @@ The OpenSSL default provider supports these operations and algorithms: =item KRB5KDF, see L<EVP_KDF-KRB5KDF(7)> +=item HMAC-DRBG, see L<EVP_KDF-HMAC-DRBG(7)> =back diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index 7c35037316..d77979cd8e 100644 
--- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -363,6 +363,15 @@ The length of the "digest-size" parameter should not exceed that of a B<size_t>. Gets the DER encoded AlgorithmIdentifier that corresponds to the combination of signature algorithm and digest algorithm for the signature operation. +=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer> + +Set this to 1 to use a deterministic ECDSA or DSA digital signature as +defined in RFC #6979 (See Section 3.2 "Generation of k"). +The default value of 0 uses a random value for the nonce B<k> as defined in +FIPS 186-4 Section 6.3 "Secret Number Generation". +Before using deterministic digital signature please read +RFC #6979 Section 4 "Security Considerations". + =item "kat" (B<OSSL_SIGNATURE_PARAM_KAT>) <unsigned integer> Sets a flag to modify the sign operation to return an error if the initial |
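Review bot: the one-line change in EVP_RAND-HMAC-DRBG.pod, replacing EVP_RAND_CTX_new(rand) with EVP_RAND_CTX_new(rand, NULL), is a correct fix to the documented call (the second argument is the parent context), but it is unrelated to RFC 6979 and would be easier to track as its own commit.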
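Review bot: the entry added to OSSL_PROVIDER-default.pod, "=item HMAC-DRBG, see L<EVP_KDF-HMAC-DRBG(7)>", names the algorithm "HMAC-DRBG", but the Identity section of the new EVP_KDF-HMAC-DRBG.pod says the fetchable name is "HMAC-DRBG-KDF", and "HMAC-DRBG" is already the name of the EVP_RAND algorithm documented in EVP_RAND-HMAC-DRBG(7); use "HMAC-DRBG-KDF" here so a reader copies the right string into EVP_KDF_fetch().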
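Review bot: in the provider-signature.pod "nonce-type" hunk, "RFC #6979" appears twice while the new EVP_KDF-HMAC-DRBG.pod and the CONFORMING TO section write "RFC 6979"; drop the "#" for consistency, and lowercase "See" inside the parenthetical "(See Section 3.2 ...)". The text defines only the values 0 and 1 for an <unsigned integer> parameter; state whether other values are rejected at set time or treated as 0, so callers know what to expect. The pointer to RFC 6979 Section 4 "Security Considerations" is the right caveat to keep next to the "Set this to 1" instruction.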