Implement deterministic ECDSA sign (RFC6979)

[Jemmy1228]

Implements RFC6979 deterministic ECDSA/DSA sign (in this commit, only ECDSA is available)

ECDSA deterministic sign is now available by specifying "ecdsa_nonce_type:deterministic" when signing.
for example:

openssl dgst -sha1  -sign private.key -sigopt ecdsa_nonce_type:deterministic < test.data > test.sha1

Maybe fixed #2078

Checklist

• documentation is added or updated
• tests are added or updated

I haven't thought of that there would be so many comments in this PR.
I read through this thread and list the up-to-date TO-DOs here:

• Add Test Vectors (Finished here but not pushed in this PR)
• Prevent the use of rand_local.h
• Modify CHANGES
• Move the code into EVP
• Rename ctrls
• Prevent the use of RUN_ONCE (Fixed in 5cf5342)

[beldmit]

Is it possible to implement the deterministic signature schema via special EVP ctrl call?

[Jemmy1228]

@beldmit It seems all signing calls would finally call EC_KEY_METHOD->sign_sig, in this case it would be ossl_ecdsa_sign_sig defined in crypto/ec/ec_kmeth.c . However, this method doesn't accept parameter about hash method, as I think, this has to be changed...

[Jemmy1228]

@beldmit I missunderstood your meaning just now....
Yes, it is implemented via EVP ctrl call. ctrl_call can only set hash algorithm in the ctx. However, when producing ECDSA signatures, neither the ctx nor the hash nid will be passed to the real method that does the signing (ossl_ecdsa_sign_sig)

[Jemmy1228]

Maybe call sign_setup directly in EVP, initialize k_reverse and r before calling sign_sig is a good way?

[Jemmy1228]

Okay, I will change the code tonnight.
But, should I add a new user visible API for deterministic sign ?

[bbbrumley]

@JemmyLoveJenny At a minimum, you should integrate the test vectors from RFC 6979 as plaintext EVP tests.

If you need help with that, my team has some tooling. Tagging @romen

[kroeckx]

I suggest that you only add new APIs when it's actually needed. We want users to switch to the EVP API. If it's easy to do with the EVP API, I suggest you only add support for it in the EVP API.

[Jemmy1228]

@kroeckx Actually, the EVP ctx pmeth->sign would call ECDSA_sign. You mean that I can skip that method and call the kmeth->sign_sig directly in EVP ?

[Jemmy1228]

@bbbrumley Yes, I will integrate these test vectors into EVP test finally.

[Jemmy1228]

@kroeckx
Please have a look at the new commit.
User visible APIs are not modified this time.

[Jemmy1228]

I have some questions about the checks

1. [Solved] I should fill in the ICLA form in my language or English? If in Englilsh, the "Full Name" field would be my legal name in English form or the name that Engilsh-speaking people call me?

2. [Solved] AppVeyor build fails and show the following result ..........

3. Some of the Travis CI fail reasons are the same as AppVeyor, the others are related to documentation and MAKE UPDATE (mknum.pl). Whether it means there are no more errors with the code?

[mattcaswell]

I should fill in the ICLA form in my language or English?

Yes.

If in Englilsh, the "Full Name" field would be my legal name in English form or the name that Engilsh-speaking people call me?

Please give your legal name in English.

[Jemmy1228]

@beldmit Updated according to your suggestions

[slontis]

I thought this code looked familiar.
Did you look at HMAC_DRBG.c ?
@paulidale would there be some way to rework this so it can use the drbg code?

Have a look at test/drbg_cavs_test.c for an example of how to drive the code..

[slontis]

Travis failures are relevant. You have a memory leak somewhere.
Use valgrind on ./test/ecdsatest to track it down

[paulidale]

Did you look at HMAC_DRBG.c

The similarity is great. Direct sharing of internal code between the two possibly isn't a great idea but if there was a way of using the HMAC-DRBG to get the same output, that would be worthwhile.

[Jemmy1228]

@slontis Is the Travis ECDSA tests still failing? I thought it was solved in the most recent commit.

[slontis]

Maybe you havent pushed the new commits?

[Jemmy1228]

@slontis
No, I've pushed it .
AppVeyor build contain ECDSA tests, it shows that tests passed.
I think the reason why Travis CI fails is that I didn't MAKE UPDATE (update libcrypto.num) and I didn't update the documentation.
Is the ECDSA tests still failing now? I didnt't find ECDSA failure in the Travis build log

[slontis]

I looked in travis 26035.2 (open the raw log and search for not ok)

[slontis]

If you look at the options for each build e.g for 26035.2 you will see what options it uses..
i.e "no-asm -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2"
So you can do the same locally and see if you reproduce the error. It is finding a problem because of the enable-crypto-mdebug option.
If you are using linux I would just run valgrind on the test.

[Jemmy1228]

@slontis Oh, I see it... but it is confusing to me, some ECDH tests failed, even tests unrelated to EC failed...
I'm sorry that I'm at school now and won't be able to make commits until I get home.
I'll re-formate code and look into the ECDSA failure later.

[slontis]

No problems.. All those tests use ECDSA. Fix the one problem in a simpler test (which is a memory leak) and the others will most likely all be fixed also..

[Jemmy1228]

@mspncp I noticed that OpenSSL has recently changed the RAND_DRBG API as described in #12509
I have read the documentation and find that it suggests using EVP_RAND_CTX instead.
I was suggested to write something like this example

If I understood it correctly, the fetched RAND_DRBG_CTX would call the real random generator to provide entropy and nonce, which means I have no chance to provide my own ones.

I read the evp_test.c in order to find out how to specify custom entropy and nonce.
It seems that it first fetches a EVP_RAND-TEST-RAND and its EVP_RAND_CTX
Then, it fetches the real EVP_RAND and set the previous EVP_RAND_CTX as the parent.
Finally, set OSSL_RAND_PARAM_TEST_ parameter for the first EVP_RAND_CTX

I wonder if this is the correct way of specifying custom entropy and nonce?
I don't know the purpose of chaining EVP_RAND_CTX, does it mean that the child will obtain entropy and nonce from the parent?

[paulidale]

I read the evp_test.c in order to find out how to specify custom entropy and nonce.
It seems that it first fetches a EVP_RAND-TEST-RAND and its EVP_RAND_CTX
Then, it fetches the real EVP_RAND and set the previous EVP_RAND_CTX as the parent.
Finally, set OSSL_RAND_PARAM_TEST_ parameter for the first EVP_RAND_CTX

Currently, this is the only way to feed a random number generator specific seed material. Another place that does this is the FIPS known answer tests. Look for self_test_drbg() in providers/fips/self_test_kats.c. The code is pretty similar.

[Sajjon]

What is the status of this PR? How can we get it merged? And also, sorry if this is completely off-topic, but how does BoringSSL and OpenSSL sync feature wise? Does Google's BoringSSL get updated with features X, Y, Z when added to OpenSSL? I.e. if we get deterministic signing (RFC6979) merged into OpenSSL, is it likely that BoringSSL will follow and implement that/cherry-pick that commit and merge it into their code base?

[vdukhovni]

May I ask whether there are still plans to get this PR (deterministic signing ala RFC6979) merged.

For example, "Knot DNS" now supports deterministic zone signing, but only when linked with GnuTLS. I really do think we should have an interoperable implementation in at least a 3.1 release, if not in any earlier versions...

[t8m]

May I ask whether there are still plans to get this PR (deterministic signing ala RFC6979) merged.

For example, "Knot DNS" now supports deterministic zone signing, but only when linked with GnuTLS. I really do think we should have an interoperable implementation in at least a 3.1 release, if not in any earlier versions...

I'd say why not. If someone brings it up-to-date with the current master branch which means making it into a provided implementation.

[vdukhovni]

I'd say why not. If someone brings it up-to-date with the current master branch which means making it into a provided implementation.

What do you mean by a "provided implementation"? Do you mean a separate provider? Or do you mean a feature (EVP_PKEY_CTX control operation?) of the default implementation?

Any volunteers to resume this effort?

[t8m]

I mean a feature of the existing implementation. The question is if it should be a separate algorithm or just a parameter of the existing ECDSA.

[mattcaswell]

OTC: Can be reviewed through the normal review process.

Please rebase

[romen]

@bbbrumley I just don't know what to do next...... I read through this PR just now, and I find that there are many suggestions. However, these things can't be done by myself.

For example, OpenSSL officials should provide an answer to the question "How to name the control parameters?" and "How to disable the DRBG length requirement without including rand_local.h"

@openssl/otc These questions should be answered to allow @JemmyLoveJenny to continue the work

@JemmyLoveJenny , despite the delays, are you still willing to work on this PR?

[Jemmy1228]

@JemmyLoveJenny , despite the delays, are you still willing to work on this PR?

Yes, I'm still willing to work on this PR. But as you have mentioned, I need to know what to do next.
I will try to rebase this PR in a few days.

[openssl-machine]

This PR has been closed. It was waiting for the creator to make requested changes but it has not been updated for 90 days.

[slontis]

Hi @Jemmy1228 I have created a new PR #18809 based off your great work. (I have referenced you in the commit - hope that is ok).