Address review comments

commit: 8c2631b6d36951c8f37d2318d28ceb6409bc4830 [log] [tgz]
author: Jack Lloyd <jack.lloyd@fortanix.com> Thu Jan 23 17:23:52 2020 -0500
committer: Jack Lloyd <jack.lloyd@fortanix.com> Thu Jan 23 17:23:52 2020 -0500
tree: cfd49e74118c1e283770d072272e75ecc12064df
parent: 80cc81103918e33b293b51c306b047b1e1911b72 [diff] [blame]
diff --git a/library/pkparse.c b/library/pkparse.c
index 2311986..724197d 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c

@@ -769,6 +769,17 @@
         goto cleanup;
     p += len;
 
+    /*
+    * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+    * that they can be easily recomputed from D, P and Q. However by
+    * parsing them from the PKCS1 structure it is possible to avoid
+    * recalculating them which both reduces the overhead of loading
+    * RSA private keys into memory and also avoids side channels which
+    * can arise when computing those values, since all of D, P, and Q
+    * are secret. See https://eprint.iacr.org/2020/055 for a
+    * description of one such attack.
+    */
+
     /* Import DP */
     if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
                                       MBEDTLS_ASN1_INTEGER ) ) != 0 ||
commit	8c2631b6d36951c8f37d2318d28ceb6409bc4830	[log] [tgz]
author	Jack Lloyd <jack.lloyd@fortanix.com>	Thu Jan 23 17:23:52 2020 -0500
committer	Jack Lloyd <jack.lloyd@fortanix.com>	Thu Jan 23 17:23:52 2020 -0500
tree	cfd49e74118c1e283770d072272e75ecc12064df
parent	80cc81103918e33b293b51c306b047b1e1911b72 [diff] [blame]