Daiki Ueno ueno@gnu.org writes:
> This series of patches implements the RSA-PSS signature scheme, as specified in RFC 3447. To keep the interface minimal but to allow TLS 1.3 implementations on top of this, only SHA256/384/512 variants are provided.
Thanks! Sorry I've been a bit offline and not able to comment earlier.
> The prototypes of the top-level functions are as follows:
>
> int
> rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub,
>                               const struct rsa_private_key *key,
>                               void *random_ctx, nettle_random_func *random,
>                               size_t salt_length, const uint8_t *salt,
>                               const uint8_t *digest, mpz_t s);
Are you confident all pieces are side-channel silent, as indicated by the _tr suffix? It's possible to do some testing of that using valgrind; that's not done as thoroughly as I'd like, but one example is in testsuite/memeql-test.c.
> For MGF, "mask generation function 1" backed by the same hash algorithm is always used, as indicated in [1]. I thought it might make sense to provide more flexible variants, such as rsa_pss_{sign_tr,verify} analogous to rsa_pkcs1_*, but realized that parsing ASN.1 encoded parameters would require extra complexity.
There's some asn.1 parsing code in nettle, see asn1.h, but I agree it's preferable to not have sign or verify functions depend on that.
> Suggestions appreciated.
I'm writing some more detailed comments as replies to the other patch emails.
Regards, /Niels
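An added worked example, not nettle's code and not part of either message above, of the encoding layer that the fixed-hash rsa_pss_sha* functions wrap: MGF1 backed by the same hash as the digest, EMSA-PSS-ENCODE over a caller-supplied digest and salt (the same inputs the prototype above takes), and EMSA-PSS-VERIFY, all per RFC 3447 section 9.1 in plain Python on hashlib. The RSA primitive itself (the private-key exponentiation nettle performs on the encoded message) is left out. The function names, the round_trip helper and the constructed inputs are assumptions of this example.

```python
"""EMSA-PSS encode/verify (RFC 3447 section 9.1) with MGF1 on the same hash.
Added illustration; not nettle code. Names and inputs are assumptions."""
import hashlib
import secrets


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 3447 B.2.1): Hash(seed || C) for C = 0, 1, ... truncated to mask_len."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def emsa_pss_encode(m_hash: bytes, em_bits: int, salt: bytes, hash_name: str) -> bytes:
    """EMSA-PSS-ENCODE (9.1.1) over an already-computed digest mHash.
    em_bits is modBits - 1; returns EM of ceil(em_bits / 8) octets."""
    h_len = hashlib.new(hash_name).digest_size
    s_len = len(salt)
    em_len = (em_bits + 7) // 8
    if len(m_hash) != h_len:
        raise ValueError("digest length does not match the hash")
    if em_len < h_len + s_len + 2:  # step 3: salt + hash + separator + trailer must fit
        raise ValueError("encoding error")
    m_prime = b"\x00" * 8 + m_hash + salt  # step 5
    h = hashlib.new(hash_name, m_prime).digest()  # step 6
    ps = b"\x00" * (em_len - s_len - h_len - 2)  # step 7
    db = ps + b"\x01" + salt  # step 8
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)  # step 9: MGF1 on the same hash
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))  # step 10
    top_bits = 8 * em_len - em_bits
    masked_db[0] &= 0xFF >> top_bits  # step 11: clear bits above em_bits
    return bytes(masked_db) + h + b"\xbc"  # step 12


def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int, s_len: int, hash_name: str) -> bool:
    """EMSA-PSS-VERIFY (9.1.2). Returns True only if every structural check passes
    and the recomputed H matches, compared with a constant-time primitive."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(m_hash) != h_len or len(em) != em_len:
        return False
    if em_len < h_len + s_len + 2:  # step 3
        return False
    if em[-1] != 0xBC:  # step 4: trailer field
        return False
    masked_db = em[: em_len - h_len - 1]  # step 5
    h = em[em_len - h_len - 1 : em_len - 1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ((~(0xFF >> top_bits)) & 0xFF):  # step 6: leading bits must be zero
        return False
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)  # step 7
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))  # step 8
    db[0] &= 0xFF >> top_bits  # step 9
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:  # step 10: PS all zero, then 0x01
        return False
    salt = bytes(db[len(db) - s_len :])  # step 11: last s_len octets of DB
    m_prime = b"\x00" * 8 + m_hash + salt  # step 12
    h_prime = hashlib.new(hash_name, m_prime).digest()  # step 13
    return secrets.compare_digest(h, h_prime)  # step 14


def round_trip(hash_name: str, em_bits: int, salt_len: int, message: bytes) -> tuple:
    """Encode the digest of a constructed message, then verify it three ways:
    as is, with one digest byte flipped, and with the wrong salt length.
    Returns (ok, tampered_accepted, wrong_salt_len_accepted)."""
    m_hash = hashlib.new(hash_name, message).digest()
    salt = secrets.token_bytes(salt_len)  # constructed random salt
    em = emsa_pss_encode(m_hash, em_bits, salt, hash_name)
    ok = emsa_pss_verify(m_hash, em, em_bits, salt_len, hash_name)
    bad_hash = bytes([m_hash[0] ^ 0x01]) + m_hash[1:]
    tampered = emsa_pss_verify(bad_hash, em, em_bits, salt_len, hash_name)
    wrong_slen = emsa_pss_verify(m_hash, em, em_bits, salt_len + 1, hash_name)
    return ok, tampered, wrong_slen


if __name__ == "__main__":
    # 2048-bit modulus -> em_bits = 2047, SHA-256 with a hash-length salt
    print(round_trip("sha256", 2047, 32, b"constructed sample message"))
```

The encoder is called with emBits = modBits - 1 so the encoded message is guaranteed to lie below the modulus, which is why the leading bits of maskedDB are cleared on encode and checked on verify. The verifier checks the 0xbc trailer, the masked leading bits and the PS/0x01 separator before the final hash comparison, and that comparison uses secrets.compare_digest rather than ==. Python itself gives no timing guarantees, so this shows the structure that a _tr implementation has to keep branch-free, not the side-channel property that the valgrind testing mentioned above is meant to check.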