[gnutls-devel] GnuTLS | WIP: fips: Improve signatures self-tests (!1073)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Jan 31 14:03:27 CET 2020

Anderson Sasaki commented on a discussion on lib/crypto-selftests-pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1073#note_280113450

>  		goto cleanup;
>  	}
> -	/* Test if the signature we generate matches the stored */
> +	ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);

Yes, indeed it makes both tests to behave similarly.

There were 2 issues the lab found during FIPS gap analysis:
 - PK_KNOWN_TEST wouldn't generate a signature for non-deterministic sigs. It would be only a verification test for these.
 - PK_TEST wouldn't compare the generated signature with a known signature. It only generates a signatures and verify the generated signature. This would be a problem when both signature generation and verification are broken (it could generate a wrong signature and use a broken verification that would result in successful verification).

To address these, comparison with a known signature was added to PK_TEST and generation of signature in all cases was added to PK_KNOWN_TEST.

Indeed, both work similarly after the changes and maybe could be unified.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1073#note_280113450
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200131/61fa7e3c/attachment.html>

More information about the Gnutls-devel mailing list