Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sphincsplus: accept PUB key as PEM encoded ASN.1 objects #26025

Merged
merged 1 commit into from
Jan 29, 2025
Merged

sphincsplus: accept PUB key as PEM encoded ASN.1 objects #26025

merged 1 commit into from
Jan 29, 2025

Conversation

vbendeb
Copy link

@vbendeb vbendeb commented Jan 26, 2025

Some HSMs distribute SPX pub keys as PEM encoded ANS.1 objects. The approach so far has been to manually extract the 32 byte key material from the object. This patch adds parsing code for processing the ANS.1 key files.

The algorithm type is deduced from the ANN.1 OID, and is hardcoded to the value generated by Crypto4a HSM for SHA2 128S Simple encoding. This OID has not yet been standardized and could change in the future.

Tested on an opentitatn owner's firmware by passing to --spx-key first the raw SPX key and then the HSM generated PEM file, and observing the unchanged contents of the resulting image.

@vbendeb vbendeb requested a review from a team as a code owner January 26, 2025 23:50
@vbendeb vbendeb requested review from jon-flatley, cfrantz and pamaury and removed request for a team January 26, 2025 23:50
@vbendeb
Copy link
Author

vbendeb commented Jan 26, 2025
edited
Loading

support SPX key extraction from both raw and ANS.1 PEM files.

@vbendeb
Copy link
Author

vbendeb commented Jan 28, 2025

guys, any comments on this?

cfrantz
cfrantz reviewed Jan 28, 2025
View reviewed changes
Copy link
Contributor

@cfrantz cfrantz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a couple of nits.

sw/host/sphincsplus/key.rs Outdated Show resolved Hide resolved
sw/host/sphincsplus/key.rs Outdated Show resolved Hide resolved
@vbendeb
Copy link
Author

vbendeb commented Jan 28, 2025

PTAL

sphincsplus: accept PUB key as PEM encoded ASN.1 objects
021a510 
Some HSMs distribute SPX pub keys as PEM encoded ANS.1 objects. The
approach so far has been to manually extract the 32 byte key material
from the object. This patch adds parsing code for processing the ANS.1
key files.

The supported algorithm is slh-dsa-sha2-128s-with-sha256, its OID is
defined in
https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration#heading1725030685275_13

Tested on an opentitatn owner's firmware by passing to --spx-key first
the raw SPX key and then the HSM generated PEM file, and observing the
unchanged contents of the resulting image.

Signed-off-by: Vadim Bendebury <[email protected]>
@vbendeb
Copy link
Author

vbendeb commented Jan 29, 2025

build error seems unrelated, can this be merged?

@cfrantz cfrantz merged commit fb326fc into lowRISC:master Jan 29, 2025
38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cfrantz cfrantz cfrantz approved these changes

@jon-flatley jon-flatley Awaiting requested review from jon-flatley jon-flatley is a code owner automatically assigned from lowRISC/ot-rust-reviewers

@pamaury pamaury Awaiting requested review from pamaury

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vbendeb @cfrantz