Topic: RSA padding schemes support in wolfSSL embedded SSL

Hi All,

I am wondering whether the RSA implementation in wolfSSL supports any of the  padding schemes defined in FIPS 186-3 (ANS X9.31, PKCS #1 V1.5 or PSS).

It seems to me that the methods RsaPad() and RsaUnpad() in ctaocrypt/src do not support any of the above padding schemes.

Additionally, for signature generation, the caller must pass the already hashed message to RsaSSL_sign(). Is it correct?

Are the padding support and the hashing step implemented in another package than ctaocrypt?

Thanks,
Yun


Re: RSA padding schemes support in wolfSSL embedded SSL

Hi Yun,

> I am wondering whether the RSA implementation in wolfSSL supports any of the padding schemes defined in FIPS 186-3 (ANS X9.31, PKCS #1 V1.5 or PSS).

wolfSSL's RSA implementation supports the padding schemes as specified in PKCS #1.

> Additionally, for signature generation, the caller must pass the already hashed message to RsaSSL_sign(). Is it correct?

Yes, typically the user will hash the data first, then do a RsaSSL_sign() with it.  Similar to what we describe in Section 12.2 of the wolfSSL Manual (http://yassl.com/yaSSL/Docs-cyassl-manu … vices.html).

> Are the padding support and the hashing step implemented in another package than ctaocrypt?

All hashing and padding features are included in our wolfSSL/wolfCrypt package.

Best Regards,
Chris

Re: RSA padding schemes support in wolfSSL embedded SSL

Hi Chris,

Thanks for your quick reply! I looked at the code in rsa.c. As far as I understand, the padding does not support the PKCS#1 padding for RSA encryption and signing.

According to PKCS#1:
For signing with RSA: The encoded message has the structure of 0x00||0x01||0xFF...0xFF||T, where T encodes the ID of the hash function and Hash(M) into an ASN.1 value.

For encryption with RSA: The encoded message has the structure of 0x00||0x02||PS||0x||M.
PS can be 0XFFs or random bytes.

RsaPad in rsa.c implements the following:
Hash(M)||0x00||PS||0x00. Depending on the RSA_BLOCK_TYPE_1 (for signing) or RSA_BLOCK_TYPE_2 (for encryption), PS is either 0xFFs or random bytes.

Do I understand correctly?

Best regards,
Yun


Re: RSA padding schemes support in wolfSSL embedded SSL

Hi Yun,

wolfSSL embedded SSL correctly implements PKCS #1 v1.5 padding from RFC 2313 (http://tools.ietf.org/html/rfc2313) in RsaPad() of rsa.c.  As stated in the RFC:

1)  For signing (RSA_BLOCK_TYPE_1), RsaPad() does:

0x00||0x01||PS||0x00||D

where PS is 0xFF.

2)  For encryption (RSA_BLOCK_TYPE_2), RsaPad() does:

0x00||0x02||PS||0x00||D

where PS is random non-zero bytes.

Does that make sense?

Best Regards,
Chris

Re: RSA padding schemes support in wolfSSL embedded SSL

Hi Chris,

You are right! wolfSSL's implementation conforms to PKCS#1 v1.5.

To create a signature that conforms to PKCS#1 v1.5, I need to do the following steps:

1. get SHA1 or SHA256 digest for the message, e.g. "digest" of size "digestSize"

2. encSigSz = EncodeSignature(encodedSig, digest, digestSize, typeH);
    For SHA1, typeH = SHAh (defined in asn.h). For SHA256, typeH = SHA256h

3. RsaSSL_sign (encodedSig, encSigSz, signedMsg, keySizeInBytes, key, rng)

The second step was not clear to me before (the manual did not mention this step).

Thanks,

Yun

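The signing block discussed in this thread, built by hand as an added example (not wolfSSL code and not from either poster): the type 1 layout 0x00||0x01||PS||0x00||D, with D set to the ASN.1 DigestInfo for SHA-256 followed by the digest. The names emsa_encode and emsa_check are hypothetical, the digest is a constructed sample, and the check compares against a freshly encoded block instead of parsing the padding.

```c
#include <stdio.h>
#include <string.h>

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2). */
static const unsigned char SHA256_DI[19] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
    0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };
#define DIGEST_LEN 32
#define T_LEN (sizeof SHA256_DI + DIGEST_LEN)   /* 51 bytes */

/* Constructed sample input: SHA-256("abc"). */
static const unsigned char SAMPLE_DIGEST[DIGEST_LEN] = {
    0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,0x41,0x41,0x40,0xde,
    0x5d,0xae,0x22,0x23,0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,
    0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad };

/* Build EM = 00 || 01 || FF..FF || 00 || DigestInfo || digest (hypothetical
   helper). Returns 0, or -1 if emLen leaves fewer than 8 padding bytes. */
int emsa_encode(unsigned char *em, size_t emLen, const unsigned char *digest)
{
    if (emLen < T_LEN + 11) return -1;
    size_t psLen = emLen - T_LEN - 3;
    em[0] = 0x00;
    em[1] = 0x01;                       /* block type 1: signing */
    memset(em + 2, 0xFF, psLen);        /* PS is all 0xFF for type 1 */
    em[2 + psLen] = 0x00;               /* separator before D */
    memcpy(em + 3 + psLen, SHA256_DI, sizeof SHA256_DI);
    memcpy(em + 3 + psLen + sizeof SHA256_DI, digest, DIGEST_LEN);
    return 0;
}

/* Verifier side (hypothetical helper): re-encode the expected block and
   compare every byte, so malformed padding never matches. 1 = match. */
int emsa_check(const unsigned char *em, size_t emLen, const unsigned char *digest)
{
    unsigned char expect[512], diff = 0;
    if (emLen > sizeof expect || emsa_encode(expect, emLen, digest) != 0)
        return 0;
    for (size_t i = 0; i < emLen; i++) diff |= em[i] ^ expect[i];
    return diff == 0;
}

int main(void)
{
    unsigned char em[256];              /* block for a 2048-bit modulus */
    if (emsa_encode(em, sizeof em, SAMPLE_DIGEST) != 0) return 1;
    for (size_t i = 0; i < sizeof em; i++) printf("%02x", em[i]);
    printf("\nmatches: %d\n", emsa_check(em, sizeof em, SAMPLE_DIGEST));
    return 0;
}
```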