Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / ab1851e9f2c40942fff243504788795aeaf89961^! / . / keymaster
commitab1851e9f2c40942fff243504788795aeaf89961[log] [tgz]
authorDavid Drysdale <drysdale@google.com>Tue Dec 14 14:32:51 2021 +0000
committerDavid Drysdale <drysdale@google.com>Thu Jan 13 09:13:39 2022 +0000
tree9237b40dce6ce52116759dbed58a1ad8d55d13bb
parentefbebcdf4529bfafc9fc88b2a9ef04a489d475d3 [diff]
Alter spec text for RSA-PSS to match reality

The Key{Mint,Master} spec previously said that RSA-PSS mode should use
SHA-1 for the MGF1 digest, separately from whatever Tag::DIGEST gets
specified as the main digest.

However, both the reference implementation and the VTS/CTS tests
use BoringSSL's defaults, which is to re-use the main digest as the MGF1
digest if none is separately specified.

Given that this behaviour is embedded in many implementations over
several years (and given that there isn't a security implication),
change the spec to match this behaviour.  Also update the VTS test
code to make this clear/obvious.

Test: VtsAidlKeyMintTargetTest, VtsHalKeymasterV4_0TargetTest
Bug: 210424594
Change-Id: I4303f28d094ef4d4b9dc931d6728b1fa040de20d
Ignore-AOSP-First: target internal master first due to merge conflict

diff --git a/keymaster/4.0/IKeymasterDevice.hal b/keymaster/4.0/IKeymasterDevice.hal
index dfde060..1c6ae47 100644
--- a/keymaster/4.0/IKeymasterDevice.hal
+++ b/keymaster/4.0/IKeymasterDevice.hal

@@ -1254,7 +1254,8 @@
      * o PaddingMode::RSA_PSS.  For PSS-padded signature operations, the PSS salt length must match
      *   the size of the PSS digest selected.  The digest specified with Tag::DIGEST in inputParams
      *   on begin() must be used as the PSS digest algorithm, MGF1 must be used as the mask
-     *   generation function and SHA1 must be used as the MGF1 digest algorithm.
+     *   generation function and the digest specified with Tag:DIGEST in inputParams must also be
+     *   used as the MGF1 digest algorithm.
      *
      * o PaddingMode::RSA_OAEP.  The digest specified with Tag::DIGEST in inputParams on begin is
      *   used as the OAEP digest algorithm, MGF1 must be used as the mask generation function and

diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 7676147..6412f3a 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp

@@ -1712,6 +1712,7 @@
                     case PaddingMode::RSA_PSS:
                         EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING), 0);
                         EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(md)), 0);
+                        EXPECT_GT(EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, md), 0);
                         break;
                     case PaddingMode::RSA_PKCS1_1_5_SIGN:
                         // PKCS1 is the default; don't need to set anything.