
Invalid size in RSA/sigGen SHAKE-128 in PSS/mgf1 #277

Closed
sandor-szendro-i4p opened this issue Aug 10, 2023 · 9 comments
Closed

Invalid size in RSA/sigGen SHAKE-128 in PSS/mgf1 #277

sandor-szendro-i4p opened this issue Aug 10, 2023 · 9 comments
Assignees
Milestone

Comments

@sandor-szendro-i4p

environment: Demo
testSessionId: 428747
vsId: 1774510

Algorithm registration
{
  "revision": "FIPS186-5",
  "algorithm": "RSA",
  "mode": "sigGen",
  "capabilities": [
    {
      "sigType": "pkcs1v1.5",
      "properties": [
        {
          "modulo": 2048,
          "hashPair": [
            { "hashAlg": "SHA2-224" },
            { "hashAlg": "SHA2-256" },
            { "hashAlg": "SHA2-384" },
            { "hashAlg": "SHA2-512" },
            { "hashAlg": "SHA3-224" },
            { "hashAlg": "SHA3-256" },
            { "hashAlg": "SHA3-384" },
            { "hashAlg": "SHA3-512" }
          ]
        },
        {
          "modulo": 3072,
          "hashPair": [
            { "hashAlg": "SHA2-224" },
            { "hashAlg": "SHA2-256" },
            { "hashAlg": "SHA2-384" },
            { "hashAlg": "SHA2-512" },
            { "hashAlg": "SHA3-224" },
            { "hashAlg": "SHA3-256" },
            { "hashAlg": "SHA3-384" },
            { "hashAlg": "SHA3-512" }
          ]
        },
        {
          "modulo": 4096,
          "hashPair": [
            { "hashAlg": "SHA2-224" },
            { "hashAlg": "SHA2-256" },
            { "hashAlg": "SHA2-384" },
            { "hashAlg": "SHA2-512" },
            { "hashAlg": "SHA3-224" },
            { "hashAlg": "SHA3-256" },
            { "hashAlg": "SHA3-384" },
            { "hashAlg": "SHA3-512" }
          ]
        }
      ]
    },
    {
      "sigType": "pss",
      "properties": [
        {
          "modulo": 2048,
          "maskFunction": [ "mgf1" ],
          "hashPair": [
            { "hashAlg": "SHA2-224", "saltLen": 28 },
            { "hashAlg": "SHA2-256", "saltLen": 32 },
            { "hashAlg": "SHA2-384", "saltLen": 48 },
            { "hashAlg": "SHA2-512", "saltLen": 64 },
            { "hashAlg": "SHA3-224", "saltLen": 28 },
            { "hashAlg": "SHA3-256", "saltLen": 32 },
            { "hashAlg": "SHA3-384", "saltLen": 48 },
            { "hashAlg": "SHA3-512", "saltLen": 64 },
            { "hashAlg": "SHAKE-128", "saltLen": 16 },
            { "hashAlg": "SHAKE-256", "saltLen": 32 }
          ]
        },
        {
          "modulo": 3072,
          "maskFunction": [ "mgf1" ],
          "hashPair": [
            { "hashAlg": "SHA2-224", "saltLen": 28 },
            { "hashAlg": "SHA2-256", "saltLen": 32 },
            { "hashAlg": "SHA2-384", "saltLen": 48 },
            { "hashAlg": "SHA2-512", "saltLen": 64 },
            { "hashAlg": "SHA3-224", "saltLen": 28 },
            { "hashAlg": "SHA3-256", "saltLen": 32 },
            { "hashAlg": "SHA3-384", "saltLen": 48 },
            { "hashAlg": "SHA3-512", "saltLen": 64 },
            { "hashAlg": "SHAKE-128", "saltLen": 16 },
            { "hashAlg": "SHAKE-256", "saltLen": 32 }
          ]
        },
        {
          "modulo": 4096,
          "maskFunction": [ "mgf1" ],
          "hashPair": [
            { "hashAlg": "SHA2-224", "saltLen": 28 },
            { "hashAlg": "SHA2-256", "saltLen": 32 },
            { "hashAlg": "SHA2-384", "saltLen": 48 },
            { "hashAlg": "SHA2-512", "saltLen": 64 },
            { "hashAlg": "SHA3-224", "saltLen": 28 },
            { "hashAlg": "SHA3-256", "saltLen": 32 },
            { "hashAlg": "SHA3-384", "saltLen": 48 },
            { "hashAlg": "SHA3-512", "saltLen": 64 },
            { "hashAlg": "SHAKE-128", "saltLen": 16 },
            { "hashAlg": "SHAKE-256", "saltLen": 32 }
          ]
        }
      ]
    }
  ]
}

Endpoint in which the error is experienced
https://demo.acvts.nist.gov/acvp/v1/testSessions GET

Expected behavior
For RSA/sigGen, when sigType is "pss", maskFunction is "mgf1" and hashAlg is SHAKE-128, in the expected results returned by the ACVP server only the first 16 bytes of the 32-byte SHAKE-128 output are used in the mask generation function.

Additional context
According to FIPS 186-5, 5.4.1 Mask Generation Functions in RSASSA-PSS refers to B.2.1 of RFC 8017. B.2.1 of RFC 8017 contains the steps for using the mask generation function, where step 3 is:
"For counter from 0 to \ceil (maskLen / hLen) - 1, do the following:"
By examination of the expected test vectors we think that in this step, instead of hLen, hLen / 2 is used.
This means that for SHAKE-128, instead of maskLen / 32 - 1, maskLen / 16 - 1 is used.
We think maskLen / 32 - 1 should be used.

In the case of SHAKE-256, 32 bytes are used instead of 64.
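
The following Python is an added illustration of the point raised in the report; it is not code from the ACVP-Server project or from the reporter. It implements MGF1 from RFC 8017 B.2.1 with hLen as an explicit parameter, so the two readings (hLen = 32 bytes for SHAKE-128 as fixed by FIPS 186-5 section 5.4, versus the 16 bytes observed in the expected vectors) can be generated side by side, and then feeds each into EMSA-PSS-ENCODE (RFC 8017 9.1.1) to show that the disagreement propagates into the encoded message a verifier would check. The XOF output lengths in SHAKE_HLEN are taken from FIPS 186-5; the seed, message and salt values are constructed for the example.

```python
"""Added example: MGF1 / EMSA-PSS with SHAKE and an explicit hLen, to show how
the assumed XOF output length changes the mask. Not ACVP-Server code."""
import hashlib

# FIPS 186-5 section 5.4 fixes the XOF output length used in RSASSA-PSS:
# SHAKE128 -> 256 bits (32 bytes), SHAKE256 -> 512 bits (64 bytes).
SHAKE_HLEN = {"SHAKE-128": 32, "SHAKE-256": 64}


def xof_digest(alg: str, data: bytes, outlen: int) -> bytes:
    """Hash `data` with the named SHAKE and return `outlen` bytes of output."""
    if alg == "SHAKE-128":
        return hashlib.shake_128(data).digest(outlen)
    if alg == "SHAKE-256":
        return hashlib.shake_256(data).digest(outlen)
    raise ValueError(f"unsupported XOF: {alg}")


def mgf1_iterations(mask_len: int, hlen: int) -> int:
    """Number of counter values in RFC 8017 B.2.1 step 3: ceil(maskLen / hLen)."""
    return (mask_len + hlen - 1) // hlen


def mgf1(seed: bytes, mask_len: int, alg: str, hlen: int) -> bytes:
    """RFC 8017 B.2.1 MGF1 over a SHAKE. `hlen` is the per-iteration digest
    length; the caller chooses it so both readings of the spec can be compared."""
    if mask_len > (1 << 32) * hlen:
        raise ValueError("mask too long")
    t = b""
    for counter in range(mgf1_iterations(mask_len, hlen)):
        c = counter.to_bytes(4, "big")          # C = I2OSP(counter, 4)
        t += xof_digest(alg, seed + c, hlen)    # T = T || Hash(mgfSeed || C)
    return t[:mask_len]


def emsa_pss_encode(m: bytes, em_bits: int, alg: str, salt: bytes,
                    mgf_hlen: int) -> bytes:
    """RFC 8017 9.1.1 EMSA-PSS-ENCODE with a SHAKE as the message hash and
    MGF1 over the same SHAKE. `mgf_hlen` is the hLen MGF1 assumes for the XOF;
    the message hash always uses the FIPS 186-5 length from SHAKE_HLEN."""
    hlen = SHAKE_HLEN[alg]
    em_len = (em_bits + 7) // 8
    m_hash = xof_digest(alg, m, hlen)                      # step 2
    if em_len < hlen + len(salt) + 2:                      # step 3
        raise ValueError("encoding error")
    m_prime = b"\x00" * 8 + m_hash + salt                  # step 5
    h = xof_digest(alg, m_prime, hlen)                     # step 6
    ps = b"\x00" * (em_len - len(salt) - hlen - 2)         # step 7
    db = ps + b"\x01" + salt                               # step 8
    db_mask = mgf1(h, em_len - hlen - 1, alg, mgf_hlen)    # step 9
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))  # step 10
    clear = 8 * em_len - em_bits                           # step 11
    masked_db = bytes([masked_db[0] & (0xFF >> clear)]) + masked_db[1:]
    return masked_db + h + b"\xbc"                         # step 12


if __name__ == "__main__":
    seed = b"constructed example seed"      # constructed value
    full = mgf1(seed, 32, "SHAKE-128", 32)  # hLen per FIPS 186-5
    half = mgf1(seed, 32, "SHAKE-128", 16)  # hLen/2 as seen in the vectors
    print("iterations for 223-byte mask:",
          mgf1_iterations(223, 32), "vs", mgf1_iterations(223, 16))
    print("masks share first 16 bytes:", full[:16] == half[:16])
    print("masks identical:", full == half)
    em_a = emsa_pss_encode(b"msg", 2047, "SHAKE-128", b"\x11" * 16, 32)
    em_b = emsa_pss_encode(b"msg", 2047, "SHAKE-128", b"\x11" * 16, 16)
    print("PSS encodings identical:", em_a == em_b)
```

Because each SHAKE output is a prefix of any longer output from the same input, the two masks agree on their first 16 bytes and diverge from byte 16 onward, which is why the mismatch only shows up once the mask is longer than 16 bytes; for a 2048-bit modulus the dbMask is 223 bytes, so every PSS encoding is affected while H and the trailing 0xbc byte stay identical. A verifier and a signer that disagree on hLen will therefore produce incompatible signatures even though both "use SHAKE-128".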

@jbrock24 jbrock24 self-assigned this Aug 14, 2023
@jbrock24
Collaborator

@sandor-szendro-i4p Looking into this

@livebe01
Collaborator

Thanks for letting us know. I think I see where the issue is. I'm working on it now. I'll give you an update when it's been fixed.

@jbrock24 jbrock24 removed their assignment Aug 30, 2023
@livebe01 livebe01 added this to the v1.1.0.31 milestone Aug 31, 2023
@livebe01
Collaborator

We have a fix in for this. It will go out in the next release.

@szendros

Thanks for the fix, I will be able to test it on Monday.

@livebe01
Collaborator

Thank you!

@livebe01
Collaborator

The fix for this is on Demo in release v1.1.0.31.

@szendros

I tested it on Demo and it works for me.
Thank you, this can be closed.

@livebe01
Collaborator

Thanks. Appreciate the confirmation!

@livebe01
Collaborator

The fix for this is on Prod in release v1.1.0.31.
