[PATCH] Truncate hashes for ECDSA signing, to allow SHA512 to work

David Woodhouse
 

It does mean that we are lying to the TPM about what the hash is, but
since it had no business knowing that anyway, it doesn't matter.

This fixes the problems which occur when OpenSSL decides to use SHA512
for CertificateVerify.

Signed-off-by: David Woodhouse <dwmw2@...>
---
e_tpm2-ecc.c | 10 ++++++++++
tests/create_ecc.sh | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/e_tpm2-ecc.c b/e_tpm2-ecc.c
index 21a636c..e622180 100644
--- a/e_tpm2-ecc.c
+++ b/e_tpm2-ecc.c
@@ -139,6 +139,16 @@ static ECDSA_SIG *tpm2_ecdsa_sign(const unsigned char *dgst, int dgst_len,
int num_commands;
struct policy_command *commands;
TPM_ALG_ID nameAlg;
+ int curvebits;
+
+ /* FIPS-186-4 ยง6.4 says "When the length of the output of the hash
+ * function is greater than the bit length of n, then the leftmost
+ * n bits of the hash function output block shall be used in any
+ * calculation using the hash function output during the generation
+ * or verification of a digital signature." */
+ curvebits = EC_GROUP_order_bits(EC_KEY_get0_group(eck));
+ if (curvebits && dgst_len > curvebits / 8)
+ dgst_len = curvebits / 8;

/* The TPM insists on knowing the digest type, so
* calculate that from the size */
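Review bot: the truncation on the `if (curvebits && dgst_len > curvebits / 8)` line works in whole bytes, while the quoted FIPS 186-4 text (and the software ECDSA verifier this has to interoperate with) truncates to the leftmost n *bits*; for a curve whose order is not a multiple of 8 (a 521-bit order gives 65 bytes here, not 521 bits) the two only agree as long as no digest is longer than that byte count, which holds for SHA-512 but is worth stating in the comment. Also worth a sentence: the truncated `dgst_len` feeds straight into the "calculate that from the size" lookup below, so a curve whose order in bytes is not one of the supported digest sizes will now fall through that lookup with a length that does not name any hash; consider failing explicitly there rather than relying on the lookup's default. Minor: the section sign in `FIPS-186-4 ยง6.4` looks mis-encoded and should be `§6.4` (or just "section 6.4").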
diff --git a/tests/create_ecc.sh b/tests/create_ecc.sh
index 061cedb..092c743 100755
--- a/tests/create_ecc.sh
+++ b/tests/create_ecc.sh
@@ -14,7 +14,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
echo "Checking curve ${curve}"
${bindir}/create_tpm2_key -p 81000001 --ecc ${curve} key.tpm || \
exit 1
- for hash in sha1 sha256 sha384; do
+ for hash in sha1 sha256 sha384 sha512; do
openssl req -new -x509 -${hash} -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
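Review bot: good that `openssl verify -check_ss_sig` is the check here, since OpenSSL verifies the self-signature in software with the standard leftmost-n-bits truncation, so a sha512 pass on a curve with an order shorter than 512 bits confirms the engine-side truncation matches what a normal verifier computes. One diagnostic nit: on failure the only output is `echo "Checking curve ${curve}"`, so it is not visible which hash in the inner loop broke; an `echo "  hash ${hash}"` at the top of the `for hash` body (or including `${hash}` in the failure path) would make a sha512-only regression obvious in the test log.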