Add data about RSA-PSS test files

Data gathered with:

    for c in server9*.crt; do echo $c; openssl x509 -noout -text -in $c |
        grep '^    Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
    for c in crl-rsa-pss-*; do echo $c; openssl crl -noout -text -in $c |
        grep '^    Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
    for c in server9.req.*; do echo $c; openssl req -noout -text -in $c |
        grep '^    Signature Algorithm: rsassaPss' -A3 | sed '1d'; done

Unfortunately there is no record of how these files have been generated.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/docs/architecture/psa-migration/psa-limitations.md b/docs/architecture/psa-migration/psa-limitations.md
index 05a4d54..d5d7d07 100644
--- a/docs/architecture/psa-migration/psa-limitations.md
+++ b/docs/architecture/psa-migration/psa-limitations.md
@@ -122,7 +122,7 @@
 In Mbed TLS, RSA-PSS parameters can be parsed and displayed for various
 objects (certificates, CRLs, CSRs). During parsing, the following properties
 are enforced:
-- (the extra "trailer field" parameter must has its default value)
+- (the extra "trailer field" parameter must have its default value)
 - the mask generation function is MGF1
 - encoding hash = message hashing algorithm (may differ from MGF1 hash)
 
@@ -147,6 +147,8 @@
 
 It is unclear what parameters people use in practice.
 
+TODO: look at what OpenSSL and GnuTLS do by default?
+
 ### Use in TLS
 
 In TLS 1.2 (or lower), RSA-PSS signatures are never used, except via X.509.
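Review bot: The added `TODO: look at what OpenSSL and GnuTLS do by default?` does not say which parameters are meant, and the trailing question mark leaves it unclear whether this is an action item or an open question. Since it follows "It is unclear what parameters people use in practice", consider naming the parameters to compare (hash, MGF1 hash, salt length) and wording it as a statement, so the result can be recorded against the same fields this document lists for the test files.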
@@ -170,16 +172,113 @@
 
 ### Current testing - X509
 
-TODO: look at the parameters used by the various test files
+TODO: look at hex testing (do we have negative testing of bad trailer field?)
 
-- server9.crt
-    -HASH
-    -badsign
-    -defaults
-    -bad-saltlen
-    -bad-mgfhash
-- crl-rsa-pss-HASH.pem
-- server9.req.HASH
+All test files use the default trailer field of 0xBC. Files with "bad" in the
+name are expected to be invalid and rejected in tests.
+
+**Test certificates:**
+
+server9-bad-mgfhash.crt (announcing mgf1(sha224), signed with another mgf)
+         Hash Algorithm: sha256
+         Mask Algorithm: mgf1 with sha224
+          Salt Length: 0xDE
+server9-bad-saltlen.crt (announcing saltlen = 0xDE, signed with another len)
+         Hash Algorithm: sha256
+         Mask Algorithm: mgf1 with sha256
+          Salt Length: 0xDE
+server9-badsign.crt (one bit flipped in the signature)
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0xEA
+server9-defaults.crt
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0x14 (default)
+server9-sha224.crt
+         Hash Algorithm: sha224
+         Mask Algorithm: mgf1 with sha224
+          Salt Length: 0xE2
+server9-sha256.crt
+         Hash Algorithm: sha256
+         Mask Algorithm: mgf1 with sha256
+          Salt Length: 0xDE
+server9-sha384.crt
+         Hash Algorithm: sha384
+         Mask Algorithm: mgf1 with sha384
+          Salt Length: 0xCE
+server9-sha512.crt
+         Hash Algorithm: sha512
+         Mask Algorithm: mgf1 with sha512
+          Salt Length: 0xBE
+server9-with-ca.crt
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0xEA
+server9.crt
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0xEA
+
+These certificates are signed with a 2048-bit key. It appears that they are
+all using saltlen = keylen - hashlen - 2, except for server9-defaults which is
+using saltlen = hashlen.
+
+**Test CRLs:**
+
+crl-rsa-pss-sha1-badsign.pem
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0xEA
+crl-rsa-pss-sha1.pem
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0xEA
+crl-rsa-pss-sha224.pem
+         Hash Algorithm: sha224
+         Mask Algorithm: mgf1 with sha224
+          Salt Length: 0xE2
+crl-rsa-pss-sha256.pem
+         Hash Algorithm: sha256
+         Mask Algorithm: mgf1 with sha256
+          Salt Length: 0xDE
+crl-rsa-pss-sha384.pem
+         Hash Algorithm: sha384
+         Mask Algorithm: mgf1 with sha384
+          Salt Length: 0xCE
+crl-rsa-pss-sha512.pem
+         Hash Algorithm: sha512
+         Mask Algorithm: mgf1 with sha512
+          Salt Length: 0xBE
+
+These CRLs are signed with a 2048-bit key. It appears that they are
+all using saltlen = keylen - hashlen - 2.
+
+**Test CSRs:**
+
+server9.req.sha1
+         Hash Algorithm: sha1 (default)
+         Mask Algorithm: mgf1 with sha1 (default)
+          Salt Length: 0x6A
+server9.req.sha224
+         Hash Algorithm: sha224
+         Mask Algorithm: mgf1 with sha224
+          Salt Length: 0x62
+server9.req.sha256
+         Hash Algorithm: sha256
+         Mask Algorithm: mgf1 with sha256
+          Salt Length: 0x5E
+server9.req.sha384
+         Hash Algorithm: sha384
+         Mask Algorithm: mgf1 with sha384
+          Salt Length: 0x4E
+server9.req.sha512
+         Hash Algorithm: sha512
+         Mask Algorithm: mgf1 with sha512
+          Salt Length: 0x3E
+
+These CSRss are signed with a 2048-bit key. It appears that they are
+all using saltlen = keylen - hashlen - 2.
 
 ### Possible course of actions
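Review bot: The CSR summary at the end of this hunk ("These CSRss are signed with a 2048-bit key ... saltlen = keylen - hashlen - 2") does not agree with the salt lengths listed just above it. For a 2048-bit key (256 bytes) the formula gives 0xEA with sha1, which is what the certificates and CRLs show, but the server9.req.* entries list 0x6A, 0x62, 0x5E, 0x4E and 0x3E. Those values equal 128 - hashlen - 2, which is what the formula yields for a 1024-bit key. Please check the key size of the CSR files and correct either the stated key size or the stated relation. Smaller points in the same hunk: "CSRss" is a typo; the formula should say that keylen and hashlen are in bytes; server9-bad-saltlen.crt and server9-bad-mgfhash.crt are counted among the files "using" the formula although their listed values are only the announced ones; and the per-file listings are plain indented lines directly under each file name, so they will reflow into one paragraph in rendered Markdown unless fenced or turned into a list or table.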