Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-22 Thread Yao, Jiewen
I think we have some EDKII tools that will use the Signing capability, but it is not needed during BIOS boot. That is why the Signing function is in Ext.c, while the verify function is in Basic.c. Please also add a crypto unit test for both APIs - https://github.com/tianocore/edk2/tree/master/CryptoPkg/Test Tha

Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-22 Thread Agrawal, Sachin
Hi Jiewen, Thanks for sharing these references. We are currently using a Salt Length equal to the digest length. I will add the test for the new API in the unit test framework in the next version of the patch. In reference to adding support for the RsaPssSign() API: This may be due to my ignorance, but I am unawa

Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-20 Thread Yao, Jiewen
Hi Sachin, Sorry, I forgot to add the link for the reference. 1) TPM2 Library Specification, part 2 structures (https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p64_Part2_Structures_15may2021.pdf) describes the PSS salt length. For the TPM_ALG_RSAPSS signing scheme, ... The salt s

Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-20 Thread Agrawal, Sachin
Hi Jiewen, I reviewed RFC 8017 and I could not find any specific 'recommendations' on the salt length to be used during signing with the PSS encoding scheme. However, in Section D.5.2.2.1 (Notes 2) of IEEE 1363a-2004, it is recommended to use a salt length at least equal to the hash digest length. We can

Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-20 Thread Yao, Jiewen
Right. That has PROs and CONs. On one hand, that allows maximum compatibility: the salt could be HASH_SIZE or MAX, or even 0? On the other hand, what if the consumer only wants to accept a specific length? E.g. a TPM in FIPS mode and TLS require SaltLength==HashLength. Thank you Yao Jiewen > ---

Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-20 Thread Agrawal, Sachin
Hi Jiewen, From Section 9.1 in RFC 8017: " Note that the verification operation follows reverse steps to recover salt and then forward steps to recompute and compare H." Therefore, the salt length can be inferred from the PSS block structure during the verification operation. I opted for 'RSA_PSS_S

Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-19 Thread Yao, Jiewen
Hi Sachin, May I know why you hardcode the PSS salt length to be RSA_PSS_SALTLEN_AUTO? Thank you Yao Jiewen > -Original Message- > From: Agrawal, Sachin > Sent: Tuesday, April 20, 2021 10:02 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Wang, Jian J ; > Lu, XiaoyuX ; Jiang, Guomin ; > A

[edk2-devel] [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support

2021-04-19 Thread Agrawal, Sachin
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3314 This patch uses OpenSSL's EVP APIs to perform RSASSA-PSS verification of a binary blob. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Sachin Agrawal --- CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c