
Policy tests with the wrong variant for ECDSA or PSS #10301


Open: wants to merge 2 commits into base mbedtls-3.6

Conversation

gilles-peskine-arm (Contributor)

Add some PSA policy test cases with the wrong variant for ECDSA (deterministic vs randomized) and for RSASSA-PSS (PSA_ALG_RSA_PSS vs PSA_ALG_RSA_PSS_ANY_SALT).

(This came up in a PSA Crypto working group discussion — currently the PSA API requires ECDSA verification to obey the policy strictly, but says that for ML-DSA the two variants should be treated as interchangeable for verification.)

PR checklist

  • changelog not required because: test only
  • development PR not required because: crypto only
  • TF-PSA-Crypto PR TODO
  • framework PR not required
  • 3.6 PR here
  • tests provided

@gilles-peskine-arm added the labels needs-review, needs-backports, component-crypto, needs-reviewer, priority-medium and size-xs on Jul 15, 2025
ECDSA has two variants (deterministic vs randomized) with the same
verification algorithm, and signature algorithms that are functionally
indistinguishable but have different security properties.

RSA-PSS has two variants in the PSA API (`PSA_ALG_RSA_PSS` vs
`PSA_ALG_RSA_PSS_ANY_SALT`) which have the same signature algorithm, but
functionally different verification: the any-salt variant accepts some
signatures that the default variant rejects (the default variant insists on
a specific salt length).

Add test cases that validate that a key can't be used with the wrong variant.

Signed-off-by: Gilles Peskine <[email protected]>
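A model of the strict policy rule these test cases rely on, added here as an example and not code from the PR or from Mbed TLS: the identifier layout follows the PSA Crypto API specification, while `is_sign_hash` and `policy_permits` are assumed helper names written for this illustration. It shows that the deterministic flag of ECDSA and the any-salt flag of PSS sit outside the hash field, so even a `PSA_ALG_ANY_HASH` wildcard policy does not let a key be used with the other variant.

```c
#include <stdint.h>
#include <stdio.h>
/* Identifier layout from the PSA Crypto API specification, re-declared so
 * this model builds without the Mbed TLS headers (values are the spec's). */
typedef uint32_t psa_algorithm_t;
#define PSA_ALG_HASH_MASK                ((psa_algorithm_t) 0x000000ff)
#define PSA_ALG_SHA_256                  ((psa_algorithm_t) 0x02000009)
#define PSA_ALG_ANY_HASH                 ((psa_algorithm_t) 0x020000ff)
#define PSA_ALG_RSA_PSS_BASE             ((psa_algorithm_t) 0x06000300)
#define PSA_ALG_RSA_PSS_ANY_SALT_BASE    ((psa_algorithm_t) 0x06001300)
#define PSA_ALG_ECDSA_BASE               ((psa_algorithm_t) 0x06000600)
#define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t) 0x06000700)
#define PSA_ALG_WITH_HASH(base, h)       ((base) | ((h) & PSA_ALG_HASH_MASK))
#define PSA_ALG_ECDSA(h)                 PSA_ALG_WITH_HASH(PSA_ALG_ECDSA_BASE, h)
#define PSA_ALG_DETERMINISTIC_ECDSA(h)   PSA_ALG_WITH_HASH(PSA_ALG_DETERMINISTIC_ECDSA_BASE, h)
#define PSA_ALG_RSA_PSS(h)               PSA_ALG_WITH_HASH(PSA_ALG_RSA_PSS_BASE, h)
#define PSA_ALG_RSA_PSS_ANY_SALT(h)      PSA_ALG_WITH_HASH(PSA_ALG_RSA_PSS_ANY_SALT_BASE, h)

/* Hash-and-sign families this model knows (assumed helper). The variant bit
 * (0x100 deterministic ECDSA, 0x1000 any-salt PSS) lies outside the hash field. */
static int is_sign_hash(psa_algorithm_t alg)
{
    psa_algorithm_t family = alg & ~PSA_ALG_HASH_MASK;
    return family == PSA_ALG_ECDSA_BASE || family == PSA_ALG_DETERMINISTIC_ECDSA_BASE ||
           family == PSA_ALG_RSA_PSS_BASE || family == PSA_ALG_RSA_PSS_ANY_SALT_BASE;
}

/* Strict rule the new tests check (assumed helper): exact match required, except
 * that a PSA_ALG_ANY_HASH wildcard accepts any concrete hash within the same variant. */
int policy_permits(psa_algorithm_t policy_alg, psa_algorithm_t requested_alg)
{
    if (policy_alg == requested_alg) {
        return 1;
    }
    if (is_sign_hash(policy_alg) && is_sign_hash(requested_alg) &&
        (policy_alg & PSA_ALG_HASH_MASK) == (PSA_ALG_ANY_HASH & PSA_ALG_HASH_MASK)) {
        /* Clearing the hash field keeps the variant flag, so variants stay distinct. */
        return (policy_alg & ~PSA_ALG_HASH_MASK) == (requested_alg & ~PSA_ALG_HASH_MASK);
    }
    return 0;
}

int main(void)
{
    printf("ECDSA(SHA-256) key, deterministic ECDSA request: %d\n",
           policy_permits(PSA_ALG_ECDSA(PSA_ALG_SHA_256), PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)));
    printf("RSA-PSS(SHA-256) key, PSS any-salt request: %d\n",
           policy_permits(PSA_ALG_RSA_PSS(PSA_ALG_SHA_256), PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256)));
    return 0;
}
```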
@gilles-peskine-arm gilles-peskine-arm force-pushed the psa-ecdsa-verify-other-variant-test-3.6 branch from 751016a to bbe288f Compare July 15, 2025 17:36