This PR addresses RSA-PSS signing in tls13crypto.

Type of change
Motivation and Context
RSA-PSS is among the mandatory signature algorithms to implement for RFC 8446.
Changes
I've extended sign in tls13crypto to handle the RSA-PSS case, and also adapted certificate_verify to build the correct message when sending out an RSA signature. Some specific things where I'm not sure that how I did it is necessarily how it should be done:

cert to sign, so that libcrux can extract an RSA public key. This public key can then be used to build the actual signing key given the private exponent bytes in the sk argument. This meant changing the way sign is called in one location where we have the certificate around anyway. Alternatively we would have to get all the information for libcrux from sk, which probably means parsing a full ASN.1 private key from those bytes, i.e. extending the minimal parser in tls13cert to do that. The way I did it now seemed like an okay compromise to me.

certificate_verify message for ECDSA certificates, it was clear how long the signature should be and this is actually checked. In the case of RSA signatures the length depends on the length of the key, which is not available at the point where the check should take place (I think). Must this length be checked or is that more a sanity check for the steps before?

Checklist
Fixes #
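As an added example (not code from this PR, tls13crypto or libcrux), the following shows one way the RSA signature-length question above can be answered when the certificate is at hand: an RSASSA-PSS signature is always exactly the modulus length in bytes (RFC 8017 section 8.1.1), so a minimal parse of the PKCS #1 RSAPublicKey structure yields the value a length check can compare against. The sample key bytes are constructed (not a real key), the CertificateVerify content follows RFC 8446 section 4.4.3, and the helper names are this example's own.

```python
import hashlib

# Constructed sample: PKCS #1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
# with a 2048-bit modulus whose top bit is set (so DER pads it with 0x00) and e = 65537.
SAMPLE_MODULUS = b"\xc0" + b"\x5a" * 255                  # 256 bytes, not a real key
SAMPLE_RSA_PUBLIC_KEY_DER = (
    b"\x30\x82\x01\x0a"                                   # SEQUENCE, length 266
    + b"\x02\x82\x01\x01\x00" + SAMPLE_MODULUS            # INTEGER n, length 257
    + b"\x02\x03\x01\x00\x01"                             # INTEGER e = 65537
)


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_len(rsa_public_key_der):
    """Byte length of n, which is also the length of any RSASSA-PSS signature under that key."""
    tag, seq, _ = der_read_tlv(rsa_public_key_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n, _ = der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return len(n.lstrip(b"\x00"))                         # drop the DER sign-padding byte


def certificate_verify_content(transcript_hash, server=True):
    """Signed content of CertificateVerify (RFC 8446 section 4.4.3)."""
    context = b"TLS 1.3, server CertificateVerify" if server else b"TLS 1.3, client CertificateVerify"
    return b"\x20" * 64 + context + b"\x00" + transcript_hash


def rsa_pss_signature_len_ok(signature, rsa_public_key_der):
    """Length check for an RSA-PSS CertificateVerify signature against the certificate's key."""
    return len(signature) == rsa_modulus_len(rsa_public_key_der)


if __name__ == "__main__":
    content = certificate_verify_content(hashlib.sha256(b"transcript").digest())
    print(len(content), rsa_modulus_len(SAMPLE_RSA_PUBLIC_KEY_DER))
```

The check only needs the public key from the certificate, so it can run wherever the cert is available rather than where sk is.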