Use Conscrypt for RSA SSA PSS if available.

Also, make RSA SSA PSS available in FIPS-only mode and in ConfigurationFips140v2. The new Conscrypt-based implementation is faster and allocates a lot less memory. PiperOrigin-RevId: 653600487 Change-Id: I9bd43211e16671dacf437d1459284934544e7b09
morambro · Jul 18, 2024 · 2214526 · 2214526
1 parent 3b26a2d
commit 2214526
Show file tree

Hide file tree

Showing 10 changed files with 79 additions and 35 deletions.
diff --git a/src/main/java/com/google/crypto/tink/BUILD.bazel b/src/main/java/com/google/crypto/tink/BUILD.bazel
@@ -910,7 +910,11 @@ android_library(
         "//src/main/java/com/google/crypto/tink/signature:public_key_verify_wrapper-android",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pkcs1_private_key-android",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pkcs1_public_key-android",
+        "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_private_key-android",
+        "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_public_key-android",
         "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pkcs1_verify_conscrypt-android",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_sign_conscrypt-android",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_verify_conscrypt-android",
         "//src/main/java/com/google/crypto/tink/subtle:aes_gcm_jce-android",
         "//src/main/java/com/google/crypto/tink/subtle:ecdsa_sign_jce-android",
         "//src/main/java/com/google/crypto/tink/subtle:ecdsa_verify_jce-android",
@@ -952,7 +956,11 @@ java_library(
         "//src/main/java/com/google/crypto/tink/signature:public_key_verify_wrapper",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pkcs1_private_key",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pkcs1_public_key",
+        "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_private_key",
+        "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_public_key",
         "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pkcs1_verify_conscrypt",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_sign_conscrypt",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_verify_conscrypt",
         "//src/main/java/com/google/crypto/tink/subtle:aes_gcm_jce",
         "//src/main/java/com/google/crypto/tink/subtle:ecdsa_sign_jce",
         "//src/main/java/com/google/crypto/tink/subtle:ecdsa_verify_jce",

diff --git a/src/main/java/com/google/crypto/tink/ConfigurationFips140v2.java b/src/main/java/com/google/crypto/tink/ConfigurationFips140v2.java
@@ -38,7 +38,11 @@
 import com.google.crypto.tink.signature.PublicKeyVerifyWrapper;
 import com.google.crypto.tink.signature.RsaSsaPkcs1PrivateKey;
 import com.google.crypto.tink.signature.RsaSsaPkcs1PublicKey;
+import com.google.crypto.tink.signature.RsaSsaPssPrivateKey;
+import com.google.crypto.tink.signature.RsaSsaPssPublicKey;
 import com.google.crypto.tink.signature.internal.RsaSsaPkcs1VerifyConscrypt;
+import com.google.crypto.tink.signature.internal.RsaSsaPssSignConscrypt;
+import com.google.crypto.tink.signature.internal.RsaSsaPssVerifyConscrypt;
 import com.google.crypto.tink.subtle.AesGcmJce;
 import com.google.crypto.tink.subtle.EcdsaSignJce;
 import com.google.crypto.tink.subtle.EcdsaVerifyJce;
@@ -107,6 +111,16 @@ public static Configuration get() throws GeneralSecurityException {
             ConfigurationFips140v2::rsaSsaPkcs1VerifyCreate,
             RsaSsaPkcs1PublicKey.class,
             PublicKeyVerify.class));
+    builder.registerPrimitiveConstructor(
+        PrimitiveConstructor.create(
+            ConfigurationFips140v2::rsaSsaPssSignCreate,
+            RsaSsaPssPrivateKey.class,
+            PublicKeySign.class));
+    builder.registerPrimitiveConstructor(
+        PrimitiveConstructor.create(
+            ConfigurationFips140v2::rsaSsaPssVerifyCreate,
+            RsaSsaPssPublicKey.class,
+            PublicKeyVerify.class));
 
     return InternalConfiguration.createFromPrimitiveRegistry(builder.build());
   }
@@ -134,4 +148,24 @@ private static PublicKeyVerify rsaSsaPkcs1VerifyCreate(RsaSsaPkcs1PublicKey key)
     }
     return RsaSsaPkcs1VerifyConscrypt.create(key);
   }
+
+  private static PublicKeySign rsaSsaPssSignCreate(RsaSsaPssPrivateKey key)
+      throws GeneralSecurityException {
+    if (key.getParameters().getModulusSizeBits() != 2048
+        && key.getParameters().getModulusSizeBits() != 3072) {
+      throw new GeneralSecurityException(
+          "Cannot create FIPS-compliant PublicKeySign: wrong RsaSsaPss key modulus size");
+    }
+    return RsaSsaPssSignConscrypt.create(key);
+  }
+
+  private static PublicKeyVerify rsaSsaPssVerifyCreate(RsaSsaPssPublicKey key)
+      throws GeneralSecurityException {
+    if (key.getParameters().getModulusSizeBits() != 2048
+        && key.getParameters().getModulusSizeBits() != 3072) {
+      throw new GeneralSecurityException(
+          "Cannot create FIPS-compliant PublicKeyVerify: wrong RsaSsaPss key modulus size");
+    }
+    return RsaSsaPssVerifyConscrypt.create(key);
+  }
 }
diff --git a/src/main/java/com/google/crypto/tink/signature/BUILD.bazel b/src/main/java/com/google/crypto/tink/signature/BUILD.bazel
@@ -9,15 +9,11 @@ java_library(
     srcs = ["SignatureConfig.java"],
     deps = [
         ":ecdsa_sign_key_manager",
-        ":ecdsa_verify_key_manager",
         ":ed25519_private_key_manager",
-        ":ed25519_public_key_manager",
         ":public_key_sign_wrapper",
         ":public_key_verify_wrapper",
         ":rsa_ssa_pkcs1_sign_key_manager",
-        ":rsa_ssa_pkcs1_verify_key_manager",
         ":rsa_ssa_pss_sign_key_manager",
-        ":rsa_ssa_pss_verify_key_manager",
         "//proto:config_java_proto",
         "//src/main/java/com/google/crypto/tink/config:tink_fips",
     ],
@@ -504,15 +500,11 @@ android_library(
     srcs = ["SignatureConfig.java"],
     deps = [
         ":ecdsa_sign_key_manager-android",
-        ":ecdsa_verify_key_manager-android",
         ":ed25519_private_key_manager-android",
-        ":ed25519_public_key_manager-android",
         ":public_key_sign_wrapper-android",
         ":public_key_verify_wrapper-android",
         ":rsa_ssa_pkcs1_sign_key_manager-android",
-        ":rsa_ssa_pkcs1_verify_key_manager-android",
         ":rsa_ssa_pss_sign_key_manager-android",
-        ":rsa_ssa_pss_verify_key_manager-android",
         "//proto:config_java_proto_lite",
         "//src/main/java/com/google/crypto/tink/config:tink_fips-android",
     ],

diff --git a/src/main/java/com/google/crypto/tink/signature/RsaSsaPssSignKeyManager.java b/src/main/java/com/google/crypto/tink/signature/RsaSsaPssSignKeyManager.java
@@ -184,15 +184,17 @@ private static Map<String, Parameters> namedParameters() throws GeneralSecurityE
         return Collections.unmodifiableMap(result);
   }
 
+  private static final TinkFipsUtil.AlgorithmFipsCompatibility FIPS =
+      TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO;
+
   /**
    * Registers the {@link RsaSsaPssSignKeyManager} and the {@link RsaSsaPssVerifyKeyManager} with
    * the registry, so that the the RsaSsaPss-Keys can be used with Tink.
    */
   public static void registerPair(boolean newKeyAllowed) throws GeneralSecurityException {
-    // Tink's RSA SSA PSS algorithm in Java is currently not FIPS compatible, because it doesn't
-    // use BoringSSL.
-    if (!TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_NOT_FIPS.isCompatible()) {
-      throw new GeneralSecurityException("Registering RSA SSA PSS is not supported in FIPS mode");
+    if (!FIPS.isCompatible()) {
+      throw new GeneralSecurityException(
+          "Can not use RSA SSA PSS in FIPS-mode, as BoringCrypto module is not available.");
     }
     RsaSsaPssProtoSerialization.register();
     MutableParametersRegistry.globalInstance().putAll(namedParameters());
@@ -201,8 +203,10 @@ public static void registerPair(boolean newKeyAllowed) throws GeneralSecurityExc
     MutablePrimitiveRegistry.globalInstance()
         .registerPrimitiveConstructor(PUBLIC_KEY_VERIFY_PRIMITIVE_CONSTRUCTOR);
     MutableKeyCreationRegistry.globalInstance().add(KEY_CREATOR, RsaSsaPssParameters.class);
-    KeyManagerRegistry.globalInstance().registerKeyManager(legacyPrivateKeyManager, newKeyAllowed);
-    KeyManagerRegistry.globalInstance().registerKeyManager(legacyPublicKeyManager, false);
+    KeyManagerRegistry.globalInstance()
+        .registerKeyManagerWithFipsCompatibility(legacyPrivateKeyManager, FIPS, newKeyAllowed);
+    KeyManagerRegistry.globalInstance()
+        .registerKeyManagerWithFipsCompatibility(legacyPublicKeyManager, FIPS, false);
   }
 
   /**

diff --git a/src/main/java/com/google/crypto/tink/signature/SignatureConfig.java b/src/main/java/com/google/crypto/tink/signature/SignatureConfig.java
@@ -126,13 +126,13 @@ public static void register() throws GeneralSecurityException {
 
     EcdsaSignKeyManager.registerPair(/*newKeyAllowed=*/ true);
     RsaSsaPkcs1SignKeyManager.registerPair(/*newKeyAllowed=*/ true);
+    RsaSsaPssSignKeyManager.registerPair(/* newKeyAllowed= */ true);
 
     if (TinkFips.useOnlyFips()) {
       // If Tink is built in FIPS-mode do not register algorithms which are not compatible.
       return;
     }
 
-    RsaSsaPssSignKeyManager.registerPair(/*newKeyAllowed=*/ true);
     Ed25519PrivateKeyManager.registerPair(/*newKeyAllowed=*/ true);
   }
 

diff --git a/src/main/java/com/google/crypto/tink/subtle/BUILD.bazel b/src/main/java/com/google/crypto/tink/subtle/BUILD.bazel
@@ -307,6 +307,7 @@ java_library(
         "//src/main/java/com/google/crypto/tink/internal:util",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_parameters",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_public_key",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_verify_conscrypt",
         "@maven//:com_google_errorprone_error_prone_annotations",
     ],
 )
@@ -495,6 +496,7 @@ java_library(
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_parameters",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_private_key",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_public_key",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_sign_conscrypt",
         "//src/main/java/com/google/crypto/tink/util:secret_big_integer",
         "@maven//:com_google_errorprone_error_prone_annotations",
     ],
@@ -1081,6 +1083,7 @@ android_library(
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_parameters-android",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_private_key-android",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_public_key-android",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_sign_conscrypt-android",
         "//src/main/java/com/google/crypto/tink/util:secret_big_integer-android",
         "@maven//:com_google_errorprone_error_prone_annotations",
     ],
@@ -1101,6 +1104,7 @@ android_library(
         "//src/main/java/com/google/crypto/tink/internal:util-android",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_parameters-android",
         "//src/main/java/com/google/crypto/tink/signature:rsa_ssa_pss_public_key-android",
+        "//src/main/java/com/google/crypto/tink/signature/internal:rsa_ssa_pss_verify_conscrypt-android",
         "@maven//:com_google_errorprone_error_prone_annotations",
     ],
 )

diff --git a/src/main/java/com/google/crypto/tink/subtle/RsaSsaPssSignJce.java b/src/main/java/com/google/crypto/tink/subtle/RsaSsaPssSignJce.java
@@ -23,6 +23,7 @@
 import com.google.crypto.tink.signature.RsaSsaPssParameters;
 import com.google.crypto.tink.signature.RsaSsaPssPrivateKey;
 import com.google.crypto.tink.signature.RsaSsaPssPublicKey;
+import com.google.crypto.tink.signature.internal.RsaSsaPssSignConscrypt;
 import com.google.crypto.tink.subtle.Enums.HashType;
 import com.google.crypto.tink.util.SecretBigInteger;
 import com.google.errorprone.annotations.Immutable;
@@ -80,9 +81,7 @@ private InternalImpl(
         byte[] outputPrefix,
         byte[] messageSuffix)
         throws GeneralSecurityException {
-      // TODO(b/182987934): This check is incorrect.
-      // We will change this once support for RSA PSS in FIPS mode is added.
-      if (!FIPS.isCompatible()) {
+      if (TinkFipsUtil.useOnlyFips()) {
         throw new GeneralSecurityException(
             "Can not use RSA PSS in FIPS-mode, as BoringCrypto module is not available.");
       }
@@ -209,6 +208,9 @@ private byte[] emsaPssEncode(byte[] message, int emBits) throws GeneralSecurityE
 
   @AccessesPartialKey
   public static PublicKeySign create(RsaSsaPssPrivateKey key) throws GeneralSecurityException {
+    if (RsaSsaPssSignConscrypt.isSupported()) {
+      return RsaSsaPssSignConscrypt.create(key);
+    }
     KeyFactory kf = EngineFactory.KEY_FACTORY.getInstance("RSA");
     RSAPrivateCrtKey privateKey =
         (RSAPrivateCrtKey)

diff --git a/src/main/java/com/google/crypto/tink/subtle/RsaSsaPssVerifyJce.java b/src/main/java/com/google/crypto/tink/subtle/RsaSsaPssVerifyJce.java
@@ -24,6 +24,7 @@
 import com.google.crypto.tink.internal.EnumTypeProtoConverter;
 import com.google.crypto.tink.signature.RsaSsaPssParameters;
 import com.google.crypto.tink.signature.RsaSsaPssPublicKey;
+import com.google.crypto.tink.signature.internal.RsaSsaPssVerifyConscrypt;
 import com.google.crypto.tink.subtle.Enums.HashType;
 import com.google.errorprone.annotations.Immutable;
 import java.math.BigInteger;
@@ -81,7 +82,7 @@ private InternalImpl(
         byte[] outputPrefix,
         byte[] messageSuffix)
         throws GeneralSecurityException {
-      if (!FIPS.isCompatible()) {
+      if (TinkFipsUtil.useOnlyFips()) {
         throw new GeneralSecurityException(
             "Can not use RSA PSS in FIPS-mode, as BoringCrypto module is not available.");
       }
@@ -235,11 +236,13 @@ public void verify(final byte[] signature, final byte[] data) throws GeneralSecu
 
   @AccessesPartialKey
   public static PublicKeyVerify create(RsaSsaPssPublicKey key) throws GeneralSecurityException {
-
-    KeyFactory kf = EngineFactory.KEY_FACTORY.getInstance("RSA");
+    if (RsaSsaPssVerifyConscrypt.isSupported()) {
+      return RsaSsaPssVerifyConscrypt.create(key);
+    }
+    KeyFactory keyFactory = EngineFactory.KEY_FACTORY.getInstance("RSA");
     RSAPublicKey publicKey =
         (RSAPublicKey)
-            kf.generatePublic(
+            keyFactory.generatePublic(
                 new RSAPublicKeySpec(key.getModulus(), key.getParameters().getPublicExponent()));
     RsaSsaPssParameters params = key.getParameters();
     return new InternalImpl(

diff --git a/src/test/java/com/google/crypto/tink/ConfigurationFips140v2Test.java b/src/test/java/com/google/crypto/tink/ConfigurationFips140v2Test.java
@@ -351,7 +351,7 @@ public void config_containsEcdsaVerifyForPublicKeyVerify() throws Exception {
                   + "Yu_neotgQ0hzbI5gry7ajdYy9-2lNx_76aBZoOUu9HCJ-UsfSOI8"));
 
   @Test
-  public void config_disallowsRsaSsaPssSignForPublicKeySign() throws Exception {
+  public void config_containsRsaSsaPssSignForPublicKeySign() throws Exception {
     RsaSsaPssProtoSerialization.register();
     RsaSsaPssParameters parameters =
         RsaSsaPssParameters.builder()
@@ -382,13 +382,12 @@ public void config_disallowsRsaSsaPssSignForPublicKeySign() throws Exception {
             .addEntry(KeysetHandle.importKey(key).withRandomId().makePrimary())
             .build();
 
-    assertThrows(
-        GeneralSecurityException.class,
-        () -> keysetHandle.getPrimitive(ConfigurationFips140v2.get(), PublicKeySign.class));
+    assertThat(keysetHandle.getPrimitive(ConfigurationFips140v2.get(), PublicKeySign.class))
+        .isNotNull();
   }
 
   @Test
-  public void config_disallowsRsaSsaPssVerifyForPublicKeyVerify() throws Exception {
+  public void config_containsRsaSsaPssVerifyForPublicKeyVerify() throws Exception {
     RsaSsaPssProtoSerialization.register();
     RsaSsaPssParameters parameters =
         RsaSsaPssParameters.builder()
@@ -406,9 +405,8 @@ public void config_disallowsRsaSsaPssVerifyForPublicKeyVerify() throws Exception
             .addEntry(KeysetHandle.importKey(key).withRandomId().makePrimary())
             .build();
 
-    assertThrows(
-        GeneralSecurityException.class,
-        () -> keysetHandle.getPrimitive(ConfigurationFips140v2.get(), PublicKeyVerify.class));
+    assertThat(keysetHandle.getPrimitive(ConfigurationFips140v2.get(), PublicKeyVerify.class))
+        .isNotNull();
   }
 
   @Test

diff --git a/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java b/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
@@ -74,6 +74,10 @@ public void onlyFips_shouldRegisterFipsKeyTypes() throws Exception {
 
     assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.RSA_SSA_PKCS1_3072_SHA256_F4))
         .isNotNull();
+    assertThat(
+            KeysetHandle.generateNew(
+                PredefinedSignatureParameters.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4))
+        .isNotNull();
     assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ECDSA_P256)).isNotNull();
   }
 
@@ -85,11 +89,6 @@ public void onlyFips_shouldNotRegisterNonFipsKeyTypes() throws Exception {
 
     SignatureConfig.register();
 
-    assertThrows(
-        GeneralSecurityException.class,
-        () ->
-            KeysetHandle.generateNew(
-                PredefinedSignatureParameters.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4));
     assertThrows(
         GeneralSecurityException.class,
         () -> KeysetHandle.generateNew(PredefinedSignatureParameters.ED25519));