[openssl-dev] [openssl-users] pkeyutl does not invoke hash?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Jan 20 13:34:42 UTC 2016 

On 1/20/16, 5:10 , "Hubert Kario" <hkario at redhat.com> wrote:

>On Tuesday 19 January 2016 22:16:23 Blumenthal, Uri - 0553 - MITLL wrote:
>> Looks good. I might add an *explicit* statement “pkeyutl does not
>> invoke the specified digest function”.
>> 
>> Yes I realize it could be seen as repetitive. I’d much rather be
>> repetitive than risk misunderstanding. And there are no praises for
>> the shortest man page. :-)
>
>I don't want to do that because AFAIK, for Ed25519 and Ed448 the hash
>*is* integral part of the signature process and you pass *the whole*
>message-to-be-signed to the signature function, not its hash.

I think the above confuses (mixes together) two different things:
signature *function* and signature *implementation*.
In practice (IMHO, based on my experience with such things) the
*implementation* on tokens (such as smart cards) will always be split, so
the hashing is done in software while the actual ECC operation is
performed on the token.

It appears to me that pkeyutl is more an instrument to access those
primitive operations, unlike dgst that provides access to the “true”
(complete) signature function that includes hashing. So no matter what
draft-josefsson-eddsa-ed25519-02 says, the hashing would have to be done
in software, and the result passed to the token for the actual signing.

>So, unless the above is false, I'd rather not add such absolute
>statements.

I see your point. Would leave the decision to you, in light of the above.
Because the exact purpose of pkeyutl is unclear to me, I can’t insist.

Assuming pkeyutl does provide access to the “complete EdDSA function” as
specified in the draft above, one possibility is to add even more words,
and explicitly state where the digest for sure is NOT invoked (RSA, DSA,
ECDSA), and maybe where it is (EdDSA, maybe other future schemes)...

>But please correct me if I'm wrong.

Likewise. :-)


>>>On Monday 18 January 2016 19:22:19 Blumenthal, Uri - 0553 - MITLL
>wrote:
>> >> My preference would be to explain exactly - to avoid confusion and
>> >> problems arising from possible misunderstanding.
>> >> 
>> >> As I said, however, I can live with either - as by now *I* at least
>> >> understand what this code does. ;-)
>> >> 
>> >> But it doesn't seem fair for those who did not benefit from
>> >> studying
>> >> the piles of openssl-users and openssl-dev archives.
>> >
>> >OK, I've updated the PR: https://github.com/openssl/openssl/pull/554
>> >https://github.com/tomato42/openssl/commit/f37b5e639e57c2d4c3b404c24e
>> >cb11b 8ec627e9b
>> >
>> >> Sent from my BlackBerry 10 smartphone on the
>> >> Verizon Wireless 4G LTE network. Original Message
>> >> From: Hubert Kario
>> >> Sent: Monday, January 18, 2016 06:23
>> >> To: openssl-dev at openssl.org
>> >> Reply To: openssl-dev at openssl.org
>> >> Subject: Re: [openssl-dev] [openssl-users] pkeyutl does not invoke
>> >> hash?
>> >> 
>> >> On Friday 15 January 2016 00:02:43 Dr. Stephen Henson wrote:
>> >> > On Thu, Jan 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
>> >> > > On 1/14/16, 16:51 , "openssl-dev on behalf of Dr. Stephen
>> >> > > Henson"
>> >> > > 
>> >> > > <openssl-dev-bounces at openssl.org on behalf of
>> >> > > steve at openssl.org>
>> >> 
>> >> wrote:
>> >> > > >On Thu, Jan 14, 2016, Salz, Rich wrote:
>> >> > > >> Okay, how about this. First, remove the NOTES subhead. Add
>> >> > > >> this
>> >> > > >> to
>> >> > > >>
>> >> > > >>the end of the first paragraph:
>> >> > > >> This program does not hash the input data and requires the
>> >> > > >> input
>> >> > > >> data
>> >> > > >> to be of the proper size, and must not be greater than the
>> >> > > >> size
>> >> > > >> of
>> >> > > >> the public key field or modulus. See dgst(1) for a unified
>> >> > > >> Interace.
>> >> > > >
>> >> > > >The comment about the public key field or modulus is only true
>> >> > > >for
>> >> > > >some public
>> >> > > >key algorithms (e.g. RSA).
>> >> > > 
>> >> > > Public key modulus would be true for RSA and DSA. Field would
>> >> > > be
>> >> > > true for ECDSA (and I daresay EdDSA). What other signatures do
>> >> > > we
>> >> > > have?
>> >> > 
>> >> > For RSA the maximum size depends on the padding mode and is
>> >> > typically
>> >> > less than the modulus.
>> >> > 
>> >> > For ECDSA it can be exceed the field size: it is truncated in
>> >> > that
>> >> > case.
>> >> 
>> >> True, but what should we put in the man page? Explain the above
>> >> exactly, or just not mention the limit at all?
>
>-- 
>Regards,
>Hubert Kario
>Senior Quality Engineer, QE BaseOS Security team
>Web: www.cz.redhat.com
>Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4308 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160120/dd60e255/attachment.bin>

More information about the openssl-dev mailing list