extras: Add APIs for RSA Blind Signatures #232
Conversation
```swift
) == 1 else {
    throw CryptoKitError.internalBoringSSLError()
}
precondition(outputCount == signatureByteCount)
```
Did you test this on enough key sizes that it's always true? (e.g. if first bytes are 0, they are not getting trimmed)
Just want to make sure we don't crash if we have an oddly formatted private key generated some day.
Ah. Let me double check on this, thanks!
Looked again at this and we compute `signatureByteCount` using BoringSSL `RSA_size`, which returns the size of the modulus in bytes (as opposed to the key size). I also confirmed that BoringSSL `RSA_sign_raw` allocates a buffer of that size and sets `out_len` to the same.
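Added example (not code from this PR or from swift-crypto): a Python walk-through of the RFC 9474 blind / BlindSign / finalize flow with fixed-width I2OSP output, showing why every output is exactly the modulus byte length (what `RSA_size` reports) even when the signature integer has leading zero bytes. It assumes a constructed toy key with small primes and a hash-based stand-in for the PSS message encoding; `encode_message`, `find_leading_zero_signature` and the seeded blinding factor are this example's own devices.

```python
import hashlib
import math
import random

# Constructed toy key (small primes), an assumption for this example, not real key material.
P, Q, E = 1000003, 999983, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K_LEN = (N.bit_length() + 7) // 8  # modulus length in bytes, as RSA_size() reports

def i2osp(x: int, length: int) -> bytes:
    # Fixed-width encoding: high zero bytes are kept, output is always `length` bytes.
    return x.to_bytes(length, "big")

def encode_message(msg: bytes) -> int:
    # Stand-in for EMSA-PSS (SHA-384 + salt), reduced to fit the toy modulus (assumption).
    return int.from_bytes(hashlib.sha384(msg).digest(), "big") % N

def blind(msg: bytes, seed: int):
    # Client: blinded_msg = I2OSP(m * r^e mod n, kLen); inv = r^-1 mod n stays client-side.
    rng, m = random.Random(seed), encode_message(msg)
    r = rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(1, N)
    return i2osp(m * pow(r, E, N) % N, K_LEN), pow(r, -1, N)

def blind_sign(blinded_msg: bytes) -> bytes:
    # Server: RSASP1 over the blinded representative; output is exactly kLen bytes.
    if len(blinded_msg) != K_LEN:
        raise ValueError("blinded message must be kLen bytes")
    z = int.from_bytes(blinded_msg, "big")
    if z >= N:
        raise ValueError("message representative out of range")
    return i2osp(pow(z, D, N), K_LEN)

def finalize(msg: bytes, blind_sig: bytes, inv: int) -> bytes:
    # Client: unblind with r^-1, verify, and only then return the signature.
    s = int.from_bytes(blind_sig, "big") * inv % N
    if pow(s, E, N) != encode_message(msg):
        raise ValueError("signature verification failed")
    return i2osp(s, K_LEN)

def find_leading_zero_signature(limit: int = 5000) -> bytes:
    # Find a signature integer < 256**(kLen-1): first byte 0x00, yet still kLen bytes long.
    for i in range(limit):
        msg = b"constructed message %d" % i
        blinded, inv = blind(msg, seed=i)
        sig = finalize(msg, blind_sign(blinded), inv)
        if sig[0] == 0:
            return sig
    raise RuntimeError("no leading-zero signature found within limit")
```

With the 5-byte toy modulus roughly one signature in 230 starts with a zero byte, so the search returns quickly; the same fixed-width property is what keeps the `outputCount == signatureByteCount` precondition true for real key sizes.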
@Lukasa this is ready for another pass when you have time.
@Lukasa OK, thanks for the latest round of feedback. I've addressed all that now, so it's ready for another pass.
Motivation
RFC 9474 defines the RSA Blind Signatures protocol[^1], which is a useful building block of privacy-preserving schemes.
Modifications
This PR adds the following public API surface to implement the RSA Blind Signatures protocol:
It also adds tests using the test vectors from the RFC, where possible. That is, for each of the operations except for `blind`, for which we don't have the BoringSSL APIs that would allow us to inject the fixed salt value from the test vectors.

While it's possible to implement the server-side operations using Security framework, it does not expose the APIs we would need to implement the client-side operations, so, because the goal is to also provide the client-side operations in a subsequent PR, the implementation uses BoringSSL on all platforms.
In order to construct the RSA keys from the test vector parameters, some BoringSSL helpers were added.
The implementation has been done without the need for `ArbitraryPrecisionInteger`, which currently exists as an internal type in the Crypto module. The API has been designed to not preclude its use at a future time, should we have it available, e.g. the `BlindInverse` type is entirely opaque and its underlying representation could be changed as an implementation detail.
Result
New API in the `_CryptoExtras` module for the RSA Blind Signatures protocol as defined in RFC 9474, with support for all named variants: `RSABSSA_SHA384_PSS_Randomized`, `RSABSSA_SHA384_PSS_Deterministic`, `RSABSSA_SHA384_PSSZERO_Randomized`, and `RSABSSA_SHA384_PSSZERO_Deterministic`.
Footnotes
[^1]: https://datatracker.ietf.org/doc/rfc9474/