Add RSA-PSS signing support (TLS 1.3 client mutual authentication with RSA cert)#399
Open
EdouardMALOT wants to merge 1 commit into
Open
Conversation
04b5a7d to
e973e86
Compare
Contributor
Author
|
@fdesbiens : the remaining Secure_Interoperability / run_tests failure is unrelated to this change — the job fails during the "Install softwares" step. |
Contributor
|
Thank you for this PR, @EdouardMALOT, and for all the others you submitted. I am currently on vacation; I will review them once I am back, the week of July 20. |
Contributor
This is expected. The script relies on ifconfig to tweak networking configuration, and this should be modernised. I will spend some time fixing this along with the reviews. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR completes the RSA-PSS support introduced in #377 by adding the signing side: a TLS 1.3 client can now perform mutual authentication (client certificate) with an RSA certificate.
#377 added RSA-PSS verification, which lets a NetX Duo client verify the CertificateVerify sent by an RSA server. However, when the server requests a client certificate, the client must also sign its own CertificateVerify with RSA-PSS — RFC 8446 §4.4.3 forbids RSASSA-PKCS1-v1_5 in CertificateVerify. Before this PR,
_nx_secure_tls_process_certificate_request()returnedNX_SECURE_TLS_UNSUPPORTED_CERT_SIGN_TYPEfor any RSA local certificate in TLS 1.3, making client-cert authentication impossible with RSA keys.This implements
rsa_pss_rsae_sha256(0x0804), which is the mandatory-to-implement signature algorithm for CertificateVerify per RFC 8446 §9.1. Related: #161.Changes
crypto_libraries/inc/nx_crypto_rsa.h— declare_nx_crypto_rsa_pss_sign()crypto_libraries/src/nx_crypto_rsa.c— implement_nx_crypto_rsa_pss_sign(): EMSA-PSS-ENCODE (RFC 8017 §9.1.1), salt length == hash length as required by RFC 8446 §4.2.3, salt generated viaNX_CRYPTO_RAND()(same entropy source as the ECDSA nonce path). The RSA private-key operation is then applied to the encoded message by the existing signing flow.nx_secure/src/nx_secure_tls_process_certificate_request.c— TLS 1.3: instead of rejecting RSA local certificates, selectrsa_pss_rsae_sha256and proceed with the client Certificate/CertificateVerify flownx_secure/src/nx_secure_tls_send_certificate_verify.c— TLS 1.3: build the CertificateVerify message with the SignatureScheme wire code (rsa_pss_rsae_sha256/384/512handled) and the PSS-encoded message, instead of PKCS#1 v1.5 padding (which remains used for TLS 1.2)Notes / limitations
rsa_pss_rsae_sha256unconditionally (the RFC 8446 §9.1 MUST algorithm, supported by any compliant server). The CertificateVerify encoding path itself also supportsrsa_pss_rsae_sha384/512should the selection be extended later.rsa_pss_pss_*variants (RSASSA-PSS certificates,0x0809–0x080b) are out of scope; this covers the common case of classic RSA certificates (rsae).Test plan
rsa_pss_rsae_sha256CertificateVerify accepted by the server (tested against a Mosquitto/OpenSSL broker requiring client certificates)