PKCS7: fix signature verification for hybrids

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

apps/src/sbsign.c

@@ -20,6 +20,15 @@
  * This implementation is intended to provide a drop-in replacement for the
  * sbsign tool from
  * http://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git.
+ *
+ * The following differences exist though:
+ *
+ * - Unlike OpenSSL, leancrypto's certificate parsing only supports one
+ *   certificate per PEM file (OpenSSL supports multiple PEM-formatted
+ *   certificate blobs in one file). Thus, if you have multiple additional
+ *   certificates you want to provide with --addcert, have one DER or PEM
+ *   formatted certificate per file, but supply each file with a separate
+ *   --addcert option.
  */
 #define _GNU_SOURCE
 

apps/tests/meson.build

@@ -585,6 +585,32 @@ if (host_machine.system() != 'windows' and
 			   ],
 		     timeout: 300, suite: regression,
 		     should_fail: fips140_negative_expect_fail)
+
+		test('X.509/PKCS8 keygen/siggen/sigver ML-DSA87-ED448',
+		     siggen_test_script,
+		     args: [ 'ML-DSA87-ED448',
+			     lc_x509_generator.full_path(),
+			     lc_pkcs7_generator.full_path(),
+			   ],
+		     timeout: 300, suite: regression,
+		     should_fail: fips140_negative_expect_fail)
+		test('X.509/PKCS8 keygen/siggen/sigver ML-DSA65-ED25519',
+		     siggen_test_script,
+		     args: [ 'ML-DSA65-ED25519',
+			     lc_x509_generator.full_path(),
+			     lc_pkcs7_generator.full_path(),
+			   ],
+		     timeout: 300, suite: regression,
+		     should_fail: fips140_negative_expect_fail)
+		test('X.509/PKCS8 keygen/siggen/sigver ML-DSA44-ED25519',
+		     siggen_test_script,
+		     args: [ 'ML-DSA44-ED25519',
+			     lc_x509_generator.full_path(),
+			     lc_pkcs7_generator.full_path(),
+			   ],
+		     timeout: 300, suite: regression,
+		     should_fail: fips140_negative_expect_fail)
+
 		test('X.509/PKCS8 keygen/siggen/sigver LC - OpenSSL Interop SLH-DSA-SHAKE-128F',
 		     siggen_test_script,
 		     args: [ 'SLH-DSA-SHAKE-128F',
@@ -663,6 +689,35 @@ if (host_machine.system() != 'windows' and
 			   ],
 		     timeout: 300, suite: regression,
 		     should_fail: fips140_negative_expect_fail)
+
+		test('Secure boot sbsign tool ML-DSA87-ED448',
+		     sbsign_test_script,
+		     args: [ 'ML-DSA87-ED448',
+			     lc_x509_generator.full_path(),
+			     sbsign.full_path(),
+			     lc_pkcs7_generator.full_path(),
+			   ],
+		     timeout: 300, suite: regression,
+		     should_fail: fips140_negative_expect_fail)
+		test('Secure boot sbsign tool ML-DSA65-ED25519',
+		     sbsign_test_script,
+		     args: [ 'ML-DSA65-ED25519',
+			     lc_x509_generator.full_path(),
+			     sbsign.full_path(),
+			     lc_pkcs7_generator.full_path(),
+			   ],
+		     timeout: 300, suite: regression,
+		     should_fail: fips140_negative_expect_fail)
+		test('Secure boot sbsign tool ML-DSA44-ED25519',
+		     sbsign_test_script,
+		     args: [ 'ML-DSA44-ED25519',
+			     lc_x509_generator.full_path(),
+			     sbsign.full_path(),
+			     lc_pkcs7_generator.full_path(),
+			   ],
+		     timeout: 300, suite: regression,
+		     should_fail: fips140_negative_expect_fail)
+
 		test('Secure boot sbsign tool SLH-DSA-SHAKE-128F',
 		     sbsign_test_script,
 		     args: [ 'SLH-DSA-SHAKE-128F',

apps/tests/sbsign_test.sh

@@ -6,7 +6,8 @@
 # the following steps:
 #
 # 1. compile leancrypto with sbign tool enabled
-# 2. update variable SBSIGN below to point to the sbsign tool
+# 2. update variables LC_X509_GENERATOR, SBSIGN, LC_PKCS7_GENERATOR below to
+#    point to the respective applications
 # 3. Execute this script
 #
 # Expected result: no failures should be shown

asn1/src/asym_key_dilithium_ed25519.c

@@ -22,6 +22,7 @@
 #include "lc_dilithium.h"
 #include "lc_hash.h"
 #include "lc_sphincs.h"
+#include "pkcs7_internal.h"
 #include "ret_checkers.h"
 #include "small_stack_support.h"
 #include "x509_algorithm_mapper.h"
@@ -274,6 +275,7 @@ int public_key_decode_dilithium_ed25519(
 static int
 public_key_dilithium_ed25519_get_data(const uint8_t **data_ptr,
 				      size_t *data_len,
+				      int *authattrs_tag,
 				      const struct lc_public_key_signature *sig)
 {
 	/*
@@ -285,16 +287,45 @@ public_key_dilithium_ed25519_get_data(const uint8_t **data_ptr,
 	if (sig->authattrs) {
 		*data_ptr = sig->authattrs;
 		*data_len = sig->authattrs_size;
+		if (authattrs_tag)
+			*authattrs_tag = 1;
 		return 0;
 	} else if (sig->raw_data) {
 		*data_ptr = sig->raw_data;
 		*data_len = sig->raw_data_len;
+		if (authattrs_tag)
+			*authattrs_tag = 0;
 		return 0;
 	} else {
 		return -EOPNOTSUPP;
 	}
 }
 
+static int lc_xof_authattr(const struct lc_hash *xof, const uint8_t *in,
+			   size_t inlen, uint8_t *digest, size_t digestlen,
+			   int authattrs_tag)
+{
+	LC_HASH_CTX_ON_STACK(hash_ctx, xof);
+	int ret;
+
+	CKINT(lc_hash_init(hash_ctx));
+	if (authattrs_tag) {
+		lc_hash_update(hash_ctx, &lc_pkcs7_authattr_tag,
+			       sizeof(lc_pkcs7_authattr_tag));
+	}
+	lc_hash_update(hash_ctx, in, inlen);
+	lc_hash_set_digestsize(hash_ctx, digestlen);
+	if (lc_hash_digestsize(hash_ctx) != digestlen) {
+		memset(digest, 0, digestlen);
+		return 0;
+	}
+	lc_hash_final(hash_ctx, digest);
+
+out:
+	lc_hash_zero(hash_ctx);
+	return ret;
+}
+
 int public_key_verify_signature_dilithium_ed25519(
 	const struct lc_public_key *pkey,
 	const struct lc_public_key_signature *sig)
@@ -307,15 +338,16 @@ int public_key_verify_signature_dilithium_ed25519(
 	const struct lc_hash *hash_algo;
 	const uint8_t *dilithium_src, *ed25519_src, *randomizer, *data_ptr;
 	size_t dilithium_src_len, ed25519_src_len, data_len;
-	int ret;
+	int ret, authattrs_tag;
 	LC_DILITHIUM_ED25519_CTX_ON_STACK(ctx);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	/* A signature verification does not work with a private key */
 	if (pkey->key_is_private)
 		return -EKEYREJECTED;
 
-	CKINT(public_key_dilithium_ed25519_get_data(&data_ptr, &data_len, sig));
+	CKINT(public_key_dilithium_ed25519_get_data(&data_ptr, &data_len,
+						    &authattrs_tag, sig));
 
 	if (sig->s_size <
 	    (LC_ED25519_SIGBYTES + LC_X509_SIGNATURE_RANDOMIZER_SIZE))
@@ -348,8 +380,8 @@ int public_key_verify_signature_dilithium_ed25519(
 
 	CKINT(lc_x509_sig_type_to_hash(sig->pkey_algo, &hash_algo));
 	/* XOF works as digest size of 64 bytes is same as XOF size */
-	CKINT(lc_xof(hash_algo, data_ptr, data_len, ws->ph_message,
-		     sizeof(ws->ph_message)));
+	CKINT(lc_xof_authattr(hash_algo, data_ptr, data_len, ws->ph_message,
+			      sizeof(ws->ph_message), authattrs_tag));
 
 	/*
 	 * TODO currently no ctx is supported. This implies that ctx == NULL.
@@ -393,7 +425,8 @@ int public_key_generate_signature_dilithium_ed25519(
 	LC_DILITHIUM_ED25519_CTX_ON_STACK(ctx);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
-	CKINT(public_key_dilithium_ed25519_get_data(&data_ptr, &data_len, sig));
+	CKINT(public_key_dilithium_ed25519_get_data(&data_ptr, &data_len, NULL,
+						    sig));
 
 	/* Generate the randomizer value */
 	CKINT(lc_rng_generate(lc_seeded_rng, (uint8_t *)"X509.Comp.Sig.25519",

asn1/src/asym_key_dilithium_ed448.c

@@ -22,6 +22,7 @@
 #include "lc_dilithium.h"
 #include "lc_hash.h"
 #include "lc_sphincs.h"
+#include "pkcs7_internal.h"
 #include "ret_checkers.h"
 #include "small_stack_support.h"
 #include "x509_algorithm_mapper.h"
@@ -284,6 +285,7 @@ int public_key_decode_dilithium_ed448(
 
 static int
 public_key_dilithium_ed448_get_data(const uint8_t **data_ptr, size_t *data_len,
+				    int *authattrs_tag,
 				    const struct lc_public_key_signature *sig)
 {
 	/*
@@ -295,16 +297,45 @@ public_key_dilithium_ed448_get_data(const uint8_t **data_ptr, size_t *data_len,
 	if (sig->authattrs) {
 		*data_ptr = sig->authattrs;
 		*data_len = sig->authattrs_size;
+		if (authattrs_tag)
+			*authattrs_tag = 1;
 		return 0;
 	} else if (sig->raw_data) {
 		*data_ptr = sig->raw_data;
 		*data_len = sig->raw_data_len;
+		if (authattrs_tag)
+			*authattrs_tag = 0;
 		return 0;
 	} else {
 		return -EOPNOTSUPP;
 	}
 }
 
+static int lc_xof_authattr(const struct lc_hash *xof, const uint8_t *in,
+			   size_t inlen, uint8_t *digest, size_t digestlen,
+			   int authattrs_tag)
+{
+	LC_HASH_CTX_ON_STACK(hash_ctx, xof);
+	int ret;
+
+	CKINT(lc_hash_init(hash_ctx));
+	if (authattrs_tag) {
+		lc_hash_update(hash_ctx, &lc_pkcs7_authattr_tag,
+			       sizeof(lc_pkcs7_authattr_tag));
+	}
+	lc_hash_update(hash_ctx, in, inlen);
+	lc_hash_set_digestsize(hash_ctx, digestlen);
+	if (lc_hash_digestsize(hash_ctx) != digestlen) {
+		memset(digest, 0, digestlen);
+		return 0;
+	}
+	lc_hash_final(hash_ctx, digest);
+
+out:
+	lc_hash_zero(hash_ctx);
+	return ret;
+}
+
 int public_key_verify_signature_dilithium_ed448(
 	const struct lc_public_key *pkey,
 	const struct lc_public_key_signature *sig)
@@ -317,15 +348,16 @@ int public_key_verify_signature_dilithium_ed448(
 	const struct lc_hash *hash_algo;
 	const uint8_t *dilithium_src, *ed448_src, *randomizer, *data_ptr;
 	size_t dilithium_src_len, ed448_src_len, data_len;
-	int ret;
+	int ret, authattrs_tag;
 	LC_DILITHIUM_ED448_CTX_ON_STACK(ctx);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
 	/* A signature verification does not work with a private key */
 	if (pkey->key_is_private)
 		return -EKEYREJECTED;
 
-	CKINT(public_key_dilithium_ed448_get_data(&data_ptr, &data_len, sig));
+	CKINT(public_key_dilithium_ed448_get_data(&data_ptr, &data_len,
+						  &authattrs_tag, sig));
 
 	if (sig->s_size <
 	    (LC_ED448_SIGBYTES + LC_X509_SIGNATURE_RANDOMIZER_SIZE))
@@ -358,8 +390,8 @@ int public_key_verify_signature_dilithium_ed448(
 
 	CKINT(lc_x509_sig_type_to_hash(sig->pkey_algo, &hash_algo));
 	/* XOF works as digest size of 64 bytes is same as XOF size */
-	CKINT(lc_xof(hash_algo, data_ptr, data_len, ws->ph_message,
-		     sizeof(ws->ph_message)));
+	CKINT(lc_xof_authattr(hash_algo, data_ptr, data_len, ws->ph_message,
+			      sizeof(ws->ph_message), authattrs_tag));
 
 	/*
 	 * TODO currently no ctx is supported. This implies that ctx == NULL.
@@ -403,7 +435,8 @@ int public_key_generate_signature_dilithium_ed448(
 	LC_DILITHIUM_ED448_CTX_ON_STACK(ctx);
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
-	CKINT(public_key_dilithium_ed448_get_data(&data_ptr, &data_len, sig));
+	CKINT(public_key_dilithium_ed448_get_data(&data_ptr, &data_len, NULL,
+						  sig));
 
 	/* Generate the randomizer value */
 	CKINT(lc_rng_generate(lc_seeded_rng, (uint8_t *)"X509.Comp.Sig.448", 17,