forked from usnistgov/ACVP
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathacvp_sub_rsa.txt
3976 lines (3144 loc) · 229 KB
/
acvp_sub_rsa.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
TBD A. Vassilev, Ed.
Internet-Draft National Institute of Standards and Technology
Intended status: Informational February 1, 2018
Expires: August 5, 2018
ACVP RSA Algorithm Validation JSON Specification
draft-ietf-acvp-subrsa-1.0
Abstract
This document defines the JSON schema for testing RSA algorithm and
component implementations for conformance to [FIPS186-4] and
[SP800-56B] with the ACVP specification.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 5, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Vassilev Expires August 5, 2018 [Page 1]
Internet-Draft RSA Alg JSON February 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Supported RSA Algorithm modes . . . . . . . . . . . . . . . . 3
3. Test Types and Test Coverage . . . . . . . . . . . . . . . . 4
3.1. Test Coverage . . . . . . . . . . . . . . . . . . . . . . 5
3.1.1. Requirements Covered . . . . . . . . . . . . . . . . 5
3.1.2. Requirements Not Covered . . . . . . . . . . . . . . 5
4. Capabilities Registration . . . . . . . . . . . . . . . . . . 6
4.1. Required Prerequisite Algorithms for RSA Mode Validations 6
4.2. Supported RSA Capabilities . . . . . . . . . . . . . . . 7
4.3. Supported RSA Modes Capabilities . . . . . . . . . . . . 9
4.3.1. The keyGen Mode Capabilities . . . . . . . . . . . . 9
4.3.1.1. keyGen Full Set Of Capabilities . . . . . . . . . 9
4.3.2. The sigGen Mode Capabilities . . . . . . . . . . . . 12
4.3.2.1. sigGen Capabilities . . . . . . . . . . . . . . . 13
4.3.3. The sigVer Mode Capabilities . . . . . . . . . . . . 14
4.3.3.1. sigVer Capabilities . . . . . . . . . . . . . . . 14
4.3.4. The legacySigVer Mode Capabilities . . . . . . . . . 16
4.3.5. The signaturePrimitive Mode Capabilities . . . . . . 18
4.3.6. The decryptionPrimitive Mode Capabilities . . . . . . 18
5. Supported DSA Conformances . . . . . . . . . . . . . . . . . 19
6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 19
6.1. Test Groups JSON Schema . . . . . . . . . . . . . . . . . 20
6.2. Test Case JSON Schema . . . . . . . . . . . . . . . . . . 22
7. Test Vector Responses . . . . . . . . . . . . . . . . . . . . 23
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
10. Security Considerations . . . . . . . . . . . . . . . . . . . 27
11. Normative References . . . . . . . . . . . . . . . . . . . . 27
Appendix A. Example RSA Capabilities JSON Objects . . . . . . . 28
A.1. Example keyGen with Provable Primes and Provable Primes
with Conditions Capabilities JSON Objects . . . . . . . . 28
A.1.1. Example keyGen with Probable Primes Capabilities JSON
Object . . . . . . . . . . . . . . . . . . . . . . . 30
A.1.2. Example keyGen with Provable Conditional Primes with
Probable Factors Capabilities JSON Object . . . . . . 31
A.2. Example RSA sigGen Capabilities JSON Objects . . . . . . 32
A.3. Example RSA sigVer Capabilities JSON Objects . . . . . . 35
A.4. Example RSA legacySigVer Capabilities JSON Objects . . . 39
A.5. Example signaturePrimitive Capabilities JSON Objects . . 41
A.6. Example decryptionPrimitive Capabilities JSON Objects . . 41
Appendix B. Example Test Vectors JSON Objects . . . . . . . . . 41
B.1. Example Test Vectors for keyGen JSON Objects . . . . . . 41
B.2. Example Test Vectors for keyGen when
infoGeneratedByServer is true . . . . . . . . . . . . . . 46
B.3. Example Test Vectors for sigGen JSON Objects . . . . . . 48
Vassilev Expires August 5, 2018 [Page 2]
Internet-Draft RSA Alg JSON February 2018
B.4. Example Test Vectors for sigVer JSON Objects . . . . . . 51
B.5. Example Test Vectors for legacySigVer JSON Objects . . . 56
B.6. Example Test Vectors for signaturePrimitive JSON Objects 56
B.7. Example Test Vectors for decryptionPrimitive JSON Objects 57
Appendix C. Example Test Results JSON Objects . . . . . . . . . 58
C.1. Example keyGen Test Results JSON Objects . . . . . . . . 58
C.2. Example sigGen Test Results JSON Objects . . . . . . . . 64
C.3. Example sigVer Test Results JSON Objects . . . . . . . . 67
C.4. Example legacySigVer Test Results JSON Objects . . . . . 69
C.5. Example signaturePrimitive Test Results JSON Objects . . 69
C.6. Example decryptionPrimitive Test Results JSON Objects . . 70
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 71
1. Introduction
The Automated Crypto Validation Protocol (ACVP) defines a mechanism
to automatically verify the cryptographic implementation of a
software or hardware crypto module. The ACVP specification defines
how a crypto module communicates with an ACVP server, including
crypto capabilities negotiation, session management, authentication,
vector processing and more. The ACVP specification does not define
algorithm specific JSON constructs for performing the crypto
validation. A series of ACVP sub-specifications define the
constructs for testing individual crypto algorithms. Each sub-
specification addresses a specific class of crypto algorithms. This
sub-specification defines the JSON constructs for testing RSA
algorithm and component implementations for conformance to
[FIPS186-4] and [SP800-56B] using ACVP.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted in RFC 2119 [RFC2119].
2. Supported RSA Algorithm modes
The following RSA algorithm modes may be advertised by the ACVP
compliant crypto module:
Vassilev Expires August 5, 2018 [Page 3]
Internet-Draft RSA Alg JSON February 2018
+----------------------+-----------------------+
| JSON algorithm value | JSON mode value |
+----------------------+-----------------------+
| "RSA" | "keyGen" |
| | "sigGen" |
| | "sigVer" |
| | "legacySigVer" |
| | "signaturePrimitive" |
| | "decryptionPrimitive" |
+----------------------+-----------------------+
Table 1: Supported RSA Algorithm Modes JSON Values
3. Test Types and Test Coverage
The ACVP testing for RSA allows conformance testing for all modes of
using the algorithm as specified in [FIPS186-4]: key generation,
signature generation, signature verification, and component
primitives. ACVP testing for RSA also allows conformance testing for
[SP800-56B]: decryption primitives. Correspondingly, ACVP allows
testing of the five different methods for key generation in
[FIPS186-4], Appendix B.3.
RSA / keyGen "AFT"/"GDT" - Algorithm Functional Test and Generated
Data Test. The IUT is REQUIRED to generate RSA keys based on the
group level information provided by the ACVP server. TBD... AFT
and GDT differences.
RSA / keyGen "KAT" - Known Answer Test. A static set of tests for
varying sets of capabilities, in this test mode the IUT is
expected to generate keys based on the provided static
information.
RSA / sigGen "GDT" - Generated Data Test. The IUT is REQUIRED to
generate valid signatures given the ACVP provided messages / test
group contraints.
RSA / sigVer "GDT" - Generated Data Test. The ACVP server SHALL
generate a series of signatures which MAY or MAY NOT be valid.
The IUT is REQUIRED to evaluate the provided signatures for
validity.
RSA / legacySigVer "GDT" - Generated Data Test. Similar to
"sigVer" except the testing SHALL only include SHA1 as a valid
hashing algorithm. The IUT is REQUIRED to evaluate the validity
of the ACVP provided signatures.
Vassilev Expires August 5, 2018 [Page 4]
Internet-Draft RSA Alg JSON February 2018
RSA / signaturePrimitive "AFT" - Algorithm Functional Test. This
is a component test where the IUT is REQUIRED to determine if the
ACVP provided message is a valid candidate for signing given the
n/d values. If the candidate message is valid for signing, the
IUT SHALL provide a signature for the test case.
RSA / decryptionPrimitive "AFT" - Algorithm Functional Test. With
this component test, the IUT is REQUIRED to decrypt the ACVP
provided ciphertext. The IUT SHALL generate e/n values, and must
provide the number decryption failures as specified by the ACVP
server test group information.
3.1. Test Coverage
The tests described in this document have the intention of ensuring
an implementation is conformant to [FIPS186-4].
3.1.1. Requirements Covered
FIPS.186-4 - 3 General Discussion. Key generation, signature
generation, and signature validation are all within scope of ACVP
server testing.
FIPS.186-4 - 5 The RSA Digital Signature Algorithm. The ACVP
server provides a means of testing the generation of RSA keys.
The ACVP server SHALL support a variety of RSA capabilities
functionS for the creation and delivery of tests to/from the IUT.
Key pair generation testing SHALL be provided by the ACVP server.
Both Signature Generation and Validation testing mechanmisms SHALL
be provided by the ACVP server.
FIPS.186-2. The ACVP server MAY provide a means of testing legacy
RSA functions such as RSA.sigVer. This testing is provided to
ensure an IUT is capable of verifying a signature that is no
longer approved for generation, given the same capabilities.
SP800-106 - (3) Randomized Hashing and (4) Digital Signatures
Using Randomized Hashing. The IUT SHALL be provided or provide a
random value that should be used to "randomize" a message prior to
signing and/or verifying an original message.
3.1.2. Requirements Not Covered
FIPS.186-4 - 3 General Discussion. Assurances of private key
secrecy and ownership SHALL NOT be within scope of ACVP testing.
FIPS.186-4 - 5 The RSA Digital Signature Algorithm. Though the
ACVP server SHALL support a variety of parameter sizes/hash
Vassilev Expires August 5, 2018 [Page 5]
Internet-Draft RSA Alg JSON February 2018
functions, the IUT's selection of these is out of scope of
testing. Key pair management SHALL NOT be within scope of ACVP
testing.
SP800-106 - 3.3 The Random Value. DSA, ECDSA, and RSA have random
values generated as per their signing process, this random value
can be used as the input to the message randomization function,
doing so however is out of scope of this testing.
4. Capabilities Registration
ACVP requires cryptographic modules to register their capabilities.
This allows the cryptographic module to advertise support for
specific algorithms and their modes, notifying the ACVP server which
algorithms need test vectors generated for the validation process.
This section describes the constructs for advertising support of the
RSA algorithm in all allowed modes to the ACVP server - see
[FIPS186-4] for details.
4.1. Required Prerequisite Algorithms for RSA Mode Validations
Each RSA Mode implementation relies on other cryptographic primitives
(algorithms) - see [FIPS186-4]. For example, a keyGen implementation
uses underlying DRBG and hash algorithms. In some cases, a single
RSA Mode implementation may use several primitives of the same type.
For example, two different DRBG implementations may be used in the
keyGen algorithms in Appendix B.3.3 in [FIPS186-4], one in step 4.2
and another in step 5.2. Each of these underlying algorithm
primitives must be validated, either separately or as part of the
same submission. ACVP provides a mechanism for specifying the
required prerequisites:
Vassilev Expires August 5, 2018 [Page 6]
Internet-Draft RSA Alg JSON February 2018
+--------------+--------------+--------------+-----------+----------+
| JSON Value | Description | JSON type | Valid | Optional |
| | | | Values | |
+--------------+--------------+--------------+-----------+----------+
| algorithm | a | value | "SHA", | No |
| | prerequisite | | "DRBG" | |
| | algorithm | | | |
| | | | | |
| valValue | algorithm | value | actual | No |
| | validation | | number, | |
| | number | | e.g. | |
| | | | "123456", | |
| | | | or "same" | |
| | | | | |
| prereqAlgVal | prerequistie | object with | see above | No |
| | algorithm | algorithm | | |
| | validation | and valValue | | |
| | | properties | | |
| | | | | |
| prereqVals | prerequistie | array of | see above | No |
| | algorithm | prereqAlgVal | | |
| | validations | objects | | |
+--------------+--------------+--------------+-----------+----------+
Table 2: Required RSA Modes Prerequisite Algorithms JSON Values
4.2. Supported RSA Capabilities
The algorithm capabilities are advertised as JSON objects within the
'algorithms' value of the ACVP registration message. The
'algorithms' value is an array, where each array element is an
individual JSON object defined in this section. The 'algorithms'
value is part of the 'capability_exchange' element of the ACVP JSON
registration message. See the ACVP specification for details on the
registration message.
Each RSA algorithm capability advertised is a self-contained JSON
object. The following JSON values are used for RSA algorithm
capabilities:
+-----------+------------+------------+-------------------+---------+
| JSON | Descriptio | JSON type | Valid Values | Optiona |
| Value | n | | | l |
+-----------+------------+------------+-------------------+---------+
| algorithm | The RSA | value | "RSA" | No |
| | algorithm | | | |
| | to be | | | |
| | validated | | | |
Vassilev Expires August 5, 2018 [Page 7]
Internet-Draft RSA Alg JSON February 2018
| | | | | |
| mode | The RSA | value | "keyGen", | No |
| | algorithm | | "sigGen", | |
| | mode to be | | "sigVer", | |
| | validated | | "legacySigVer", " | |
| | | | signaturePrimitiv | |
| | | | e", "decryptionPr | |
| | | | imitive" | |
| | | | | |
| revision | The | value | "1.0" | No |
| | algorithm | | | |
| | testing | | | |
| | revision | | | |
| | to use. | | | |
| | | | | |
| prereqVal | The prereq | array of p | array | No |
| s | uisite | rereqAlgVa | | |
| | algorithm | l objects | | |
| | validation | - see Sect | | |
| | s | ion 4.1 | | |
| | | | | |
| capabilit | Array of | array of | See Table 1 and | No |
| ies | JSON | JSON | Section 4.3 | |
| | objects | objects, | | |
| | | each with | | |
| | | fields | | |
| | | pertaining | | |
| | | to the | | |
| | | global RSA | | |
| | | mode | | |
| | | indicated | | |
| | | above and | | |
| | | identified | | |
| | | uniquely | | |
| | | by the com | | |
| | | bination | | |
| | | of the RSA | | |
| | | "mode" and | | |
| | | indicated | | |
| | | properties | | |
| conforman | Used to | Array of | See Section 5 | Yes |
| ces | denote the | strings | | |
| | conformanc | | | |
| | es that | | | |
| | can apply | | | |
| | to | | | |
| | specific | | | |
| | modes of | | | |
Vassilev Expires August 5, 2018 [Page 8]
Internet-Draft RSA Alg JSON February 2018
| | DSA. | | | |
+-----------+------------+------------+-------------------+---------+
Table 3: RSA Algorithm Capabilities JSON Values
4.3. Supported RSA Modes Capabilities
The RSA mode capabilities are advertised as JSON objects within the
'capabilities' value of the ACVP registration message - see Table 3.
The 'capabilities' value is an array, where each array element is a
JSON object corresponding to a particular RSA mode defined in this
section. The 'capabilities' value is part of the
'capability_exchange' element of the ACVP JSON registration message.
See the ACVP specification for details on the registration message.
Each RSA mode's capabilities are advertised as JSON objects.
4.3.1. The keyGen Mode Capabilities
The RSA keyGen mode capabilities are advertised as JSON objects,
which are elements of the 'capabilities' array in the ACVP
registration message. See the ACVP specification for details on the
registration message.
Each RSA keyGen mode capability set is advertised as a self-contained
JSON object.
The following subsections define the capabilities that may be
advertised by the ACVP compliant crypto modules.
4.3.1.1. keyGen Full Set Of Capabilities
The complete list of RSA key generation capabilities may be
advertised by the ACVP compliant crypto module:
+------------------+---------------+------+--------------+----------+
| JSON Value | Description | JSON | Valid Values | Optional |
| | | type | | |
+------------------+---------------+------+--------------+----------+
| randPQ | Key | valu | "B.3.2", | No |
| | Generation | e | "B.3.3", | |
| | mode to be | | "B.3.4", | |
| | validated. | | "B.3.5", | |
| | Random P and | | "B.3.6" | |
| | Q primes | | | |
| | generated as | | | |
| | (see | | | |
| | [FIPS186-4]): | | | |
Vassilev Expires August 5, 2018 [Page 9]
Internet-Draft RSA Alg JSON February 2018
| | provable | | | |
| | primes | | | |
| | (Appendix | | | |
| | B.3.2); | | | |
| | probable | | | |
| | primes | | | |
| | (Appendix | | | |
| | B.3.3); | | | |
| | provable | | | |
| | primes with | | | |
| | conditions | | | |
| | (Appendix | | | |
| | B.3.4); prova | | | |
| | ble/probable | | | |
| | primes with | | | |
| | conditions | | | |
| | (Appendix | | | |
| | B.3.5); | | | |
| | probable | | | |
| | primes with | | | |
| | conditions | | | |
| | (Appendix | | | |
| | B.3.6) | | | |
| | | | | |
| infoGeneratedByS | This flag | valu | true or | Yes |
| erver | indicates | e | false | |
| | that the | | | |
| | server is | | | |
| | responsible | | | |
| | for | | | |
| | generating | | | |
| | inputs for | | | |
| | Key | | | |
| | Generation | | | |
| | tests. This | | | |
| | flag is not | | | |
| | relevant to | | | |
| | KeyGen mode | | | |
| | "B.3.3" | | | |
| | Random | | | |
| | Probable | | | |
| | Primes | | | |
| | | | | |
| pubExpMode | Supports | valu | "fixed" or | Yes |
| | fixed or | e | "random" | |
| | random public | | | |
| | key exponent | | | |
| | e | | | |
Vassilev Expires August 5, 2018 [Page 10]
Internet-Draft RSA Alg JSON February 2018
| | | | | |
| fixedPubExp | The value of | valu | hex | Yes |
| | the public | e | | |
| | key exponent | | | |
| | e in hex if | | | |
| | pubExpMode is | | | |
| | "fixed" | | | |
| | | | | |
| keyFormat | The preferred | valu | "standard" | Yes |
| | private key | e | or "crt" | |
| | format. The | | | |
| | "standard" | | | |
| | format has | | | |
| | "p", "q", and | | | |
| | "d" as the | | | |
| | components of | | | |
| | the private | | | |
| | key. The | | | |
| | "crt" | | | |
| | (Chinese | | | |
| | Remainder | | | |
| | Theorem) | | | |
| | format has | | | |
| | "p", "q", | | | |
| | "dmp1" (d | | | |
| | modulo p-1), | | | |
| | "dmq1" (d | | | |
| | modulo q-1), | | | |
| | and "iqmp" | | | |
| | (inverse q | | | |
| | modulo p) as | | | |
| | the | | | |
| | components. | | | |
| | | | | |
| properties | An array of | arra | | Yes |
| | objects | y | | |
| | containing | | | |
| | properties | | | |
| | for all | | | |
| | supported | | | |
| | moduli, | | | |
| | primality | | | |
| | test, and | | | |
| | hash | | | |
| | algorithms | | | |
| | for a single | | | |
| | key | | | |
| | generation | | | |
Vassilev Expires August 5, 2018 [Page 11]
Internet-Draft RSA Alg JSON February 2018
| | mode | | | |
| | | | | |
| modulo | supported RSA | valu | 2048, 3072 | Yes |
| | modulo for | e | or 4096 | |
| | the randPQ | | | |
| | mode - see | | | |
| | [FIPS186-4], | | | |
| | Appendix B.3 | | | |
| | | | | |
| hashAlg | Supported | arra | any non- | Yes, app |
| | hash | y | empty subset | licable |
| | algorithms | | of {"SHA-1", | for |
| | for the | | "SHA2-224", | randPQ |
| | randPQ mode - | | "SHA2-256", | B.3.2, |
| | see | | "SHA2-384", | B.3.4, |
| | [FIPS186-4], | | "SHA2-512", | B.3.5 |
| | Appendix B.3 | | "SHA2-512/22 | |
| | | | 4", "SHA2-51 | |
| | | | 2/256"} | |
| | | | | |
| primeTest | Primality | arra | any non- | Yes, app |
| | test rounds | y | empty subset | licable |
| | of Miller- | | of {"tblC2", | for |
| | Rabin from | | "tblC3"} | randPQ |
| | Table C.2 or | | | B.3.3, |
| | Table C.3 in | | | B.3.5, |
| | [FIPS186-4], | | | B.3.6 |
| | Appendix C.3 | | | |
+------------------+---------------+------+--------------+----------+
Table 4: RSA keyGen Capabilities JSON Values
4.3.2. The sigGen Mode Capabilities
The RSA sigGen mode capabilities are advertised as JSON objects
within the 'capabilities' array as part of the 'capability_exchange'
element of the ACVP JSON registration message. See the ACVP
specification for details on the registration message.
Each RSA sigGen mode capability is advertised as a self-contained
JSON object consisting of the algorithm, mode, and capabilities
array. The capabilities array may contain multiple elements, each
pertaining to a sigType that is supported by the client for the RSA
mode being advertised.
The following subsections define the capabilities that may be
advertised by the ACVP compliant crypto modules.
Vassilev Expires August 5, 2018 [Page 12]
Internet-Draft RSA Alg JSON February 2018
4.3.2.1. sigGen Capabilities
The following RSA signature generation capabilities may be advertised
by the ACVP compliant crypto module:
+------------+-----------------+-------+-----------------+----------+
| JSON value | Description | JSON | Valid values | Optional |
| | | type | | |
+------------+-----------------+-------+-----------------+----------+
| sigType | supported RSA | value | one of | No |
| | signature types | | {"ansx9.31", | |
| | - see | | "pkcs1v1.5", | |
| | [FIPS186-4], | | "pss"} | |
| | Section 5 | | | |
| | | | | |
| properties | properties | array | a single modulo | No |
| | supported for | | with an array | |
| | this sigType - | | of at least one | |
| | see | | hashPair | |
| | [FIPS186-4], | | | |
| | Section 5 | | | |
| | | | | |
| modulo | supported RSA | value | one of the | No |
| | moduli for | | supported | |
| | signature | | modulo sizes | |
| | generation - | | {2048, 3072, | |
| | see | | 4096} | |
| | [FIPS186-4], | | | |
| | Section 5 | | | |
| | | | | |
| hashPair | supported hash | array | an array of | No |
| | algorithms and | | objects | |
| | optional salt | | containing a | |
| | length for | | hashAlg and an | |
| | signature | | optional | |
| | generation for | | saltLen | |
| | this sigType | | | |
| | and modulo - | | | |
| | see | | | |
| | [SP800-131A], | | | |
| | Section 9 | | | |
| | | | | |
| hashAlg | supported hash | value | any value from | No |
| | algorithm for | | {"SHA2-224", | |
| | signature | | "SHA2-256", | |
| | generation for | | "SHA2-384", | |
| | this sigType | | "SHA2-512", | |
| | and modulo - | | "SHA2-512/224", | |
Vassilev Expires August 5, 2018 [Page 13]
Internet-Draft RSA Alg JSON February 2018
| | see | | "SHA2-512/256"} | |
| | [SP800-131A], | | | |
| | Section 9 | | | |
| | | | | |
| saltLen | supported salt | value | any integer | Yes |
| | lengths in | | value subject | |
| | bytes for PSS | | to the | |
| | signature | | constraint in | |
| | generation - | | the note below. | |
| | see | | | |
| | [FIPS186-4], | | | |
| | Section 5.5. | | | |
| | See also note | | | |
| | below. | | | |
+------------+-----------------+-------+-----------------+----------+
Table 5: Supported RSA sigGen moduli and hash options JSON Values
Note: the salt length for each hash algorithm used in PSS signature
generation is between 0 and the length of the corresponding hash
function output block (in bytes), the end points included.
4.3.3. The sigVer Mode Capabilities
The RSA sigVer mode capabilities are advertised as JSON objects
within the array of 'capabilities' as part of the
'capability_exchange' element of the ACVP JSON registration message.
See the ACVP specification for details on the registration message.
Each RSA sigVer mode capability is advertised as a self-contained
JSON object consisting of the algorithm, mode, and capabilities
array. The capabilities array may contain multiple elements, each
pertaining to a sigType that is supported by the client for the RSA
mode being advertised.
The following subsections define the capabilities that may be
advertised by the ACVP compliant crypto modules.
4.3.3.1. sigVer Capabilities
The following RSA signature verification capabilities may be
advertised by the ACVP compliant crypto module:
+-------------+----------------+-------+-----------------+----------+
| JSON value | Description | JSON | Valid values | Optional |
| | | type | | |
+-------------+----------------+-------+-----------------+----------+
| sigType | supported RSA | value | one of | No |
Vassilev Expires August 5, 2018 [Page 14]
Internet-Draft RSA Alg JSON February 2018
| | signature | | {"ansx9.31", | |
| | types - see | | "pkcs1v1.5", | |
| | [FIPS186-4], | | "pss"} | |
| | Section 5 | | | |
| | | | | |
| properties | properties | array | a single modulo | No |
| | supported for | | with an array | |
| | this sigType | | of at least one | |
| | - see | | hashPair | |
| | [FIPS186-4], | | | |
| | Section 5 | | | |
| | | | | |
| modulo | supported RSA | value | one of the | No |
| | moduli for | | supported | |
| | signature | | modulo sizes | |
| | verification - | | {1024, 2048, | |
| | see | | 3072, 4096} | |
| | [FIPS186-4], | | | |
| | Section 5 | | | |
| | | | | |
| hashPair | supported hash | array | an array of | No |
| | algorithms and | | objects | |
| | optional salt | | containing a | |
| | length for | | hashAlg and an | |
| | signature | | optional | |
| | verification | | saltLen | |
| | for this | | | |
| | sigType and | | | |
| | modulo - see | | | |
| | [SP800-131A], | | | |
| | Section 9 | | | |
| | | | | |
| hashAlg | supported hash | value | any value from | No |
| | algorithm for | | {"SHA-1", | |
| | signature | | "SHA2-224", | |
| | verification | | "SHA2-256", | |
| | for this | | "SHA2-384", | |
| | sigType and | | "SHA2-512", | |
| | modulo - see | | "SHA2-512/224", | |
| | [SP800-131A], | | "SHA2-512/256"} | |
| | Section 9 | | | |
| | | | | |
| saltLen | supported salt | value | any integer | Yes |
| | lengths in | | value subject | |
| | bytes for PSS | | to the | |
| | signature | | constraint in | |
| | verification - | | the note below. | |
| | see | | | |
Vassilev Expires August 5, 2018 [Page 15]
Internet-Draft RSA Alg JSON February 2018
| | [FIPS186-4], | | | |
| | Section 5.5. | | | |
| | See also note | | | |
| | below. | | | |
| | | | | |
| pubExpMode | type of public | value | "fixed" or | Yes |
| | exponent | | "random" | |
| | | | | |
| fixedPubExp | if pubExpMode | value | hex | Yes |
| | is defined as | | | |
| | "fixed", this | | | |
| | is the | | | |
| | corresponding | | | |
| | public | | | |
| | exponent value | | | |
+-------------+----------------+-------+-----------------+----------+
Table 6: Supported RSA sigVer moduli and hash options JSON Values
Note: the salt length for each hash algorithm used in PSS signature
generation is between 0 and the length of the corresponding hash
function output block (in bytes), the end points included. The
exception to this rule is using "SHA2-512" with a modulo of 1024.
The maximum salt length for this combination is 62 bytes instead of
the expected 64 bytes.
4.3.4. The legacySigVer Mode Capabilities
The RSA legacySigVer mode capabilities are advertised as JSON objects
within the array of 'capabilities' as part of the
'capability_exchange' element of the ACVP JSON registration message.
See the ACVP specification for details on the registration message.
Each RSA legacySigVer mode capability is advertised as a self-
contained JSON object consisting of the algorithm, mode, and
capabilities array. The capabilities array may contain multiple
elements, each pertaining to a sigType that is supported by the
client for the RSA mode being advertised.
The following subsections define the capabilities that may be
advertised by the ACVP compliant crypto modules.
+-------------+-------------------+-------+--------------+----------+
| JSON value | Description | JSON | Valid values | Optional |
| | | type | | |
+-------------+-------------------+-------+--------------+----------+
| sigType | supported RSA | value | one of | No |
| | legacy signature | | {"ansx9.31", | |
Vassilev Expires August 5, 2018 [Page 16]
Internet-Draft RSA Alg JSON February 2018
| | types - see | | "pkcs1v1.5", | |
| | [FIPS186-4], | | "pss"} | |
| | Section 5 | | | |
| | | | | |
| properties | RSA legacy | array | modulo, | No |
| | signature | | hashAlg, and | |
| | verification | | saltLen | |
| | parameters - see | | (when | |
| | [FIPS186-4], | | sigType is | |
| | Section 5 | | "pss") | |
| | | | | |
| modulo | supported RSA | value | any one of | No |
| | modulo for | | the | |
| | signature | | supported | |
| | verification - | | modulo sizes | |
| | see [FIPS186-4], | | {1024, 1536, | |
| | Section 5 | | 2048, 3072, | |
| | | | 4096} | |
| | | | | |
| hashPair | supported hash | array | an array of | No |
| | algorithms and | | objects | |
| | optional salt | | containing a | |
| | length for | | hashAlg and | |
| | signature | | an optional | |
| | verification for | | saltLen | |
| | this sigType and | | | |
| | modulo - see | | | |
| | [SP800-131A], | | | |
| | Section 9 | | | |
| | | | | |
| hashAlg | supported hash | array | any non- | No |
| | algorithms for | | empty subset | |
| | this sigType and | | of {"SHA-1", | |
| | modulo - see | | "SHA2-224", | |
| | [SP800-131A], | | "SHA2-256", | |
| | Section 9 | | "SHA2-384", | |
| | | | "SHA2-512"} | |
| | | | | |
| saltLen | supported salt | array | array of | Yes |
| | lengths for PSS | | values for | |
| | signature | | each hash | |
| | verification - | | algorithm | |
| | see [FIPS186-4], | | used subject | |
| | Section 5.5. See | | to the | |
| | also note below. | | constraint | |
| | | | in the note | |
| | | | below. | |
| | | | | |
Vassilev Expires August 5, 2018 [Page 17]
Internet-Draft RSA Alg JSON February 2018
| pubExpMode | type of public | value | "fixed" or | Yes |
| | exponent | | "random" | |
| | | | | |
| fixedPubExp | if pubExpMode is | value | hex | Yes |
| | defined as | | | |
| | "fixed", this is | | | |
| | the corresponding | | | |
| | public exponent | | | |
| | value | | | |
+-------------+-------------------+-------+--------------+----------+
Table 7: Supported RSA legacySigVer moduli and hash options JSON
Values
Note: the salt length for each hash algorithm used in PSS signature
generation is between 0 and the length of the corresponding hash
function output block (in bytes), the end points included.
4.3.5. The signaturePrimitive Mode Capabilities
The RSA signaturePrimitive mode capabilities (otherwise known as
RSASP1 in [RFC3447]) are advertised as JSON objects within the array
of 'capabilities' as part of the 'capability_exchange' element of the
ACVP JSON registration message. See the ACVP specification for
details on the registration message. A single property is allowed in
the registration. KeyFormat as described above. In this mode, the
only tested capability is the correct exponentiation of 's = msg^d
mod n', where 'msg' is a message between '0' and 'n - 1', 'd' is the
private exponent and 'n' is the modulus, all supplied by the testing
ACVP server. In the event that 'keyFormat' is defined as 'crt', then
'd' is replaced with 'dmp1', 'dmq1', and 'iqmp'. Only 2048-bit RSA
keys are allowed for this capability. There are no properties
specified for this capability. See Appendix B.6 for additional
details on constraints for 'msg' and 'n'. See the ACVP specification
for details on the registration message.
4.3.6. The decryptionPrimitive Mode Capabilities
The RSA decryptionPrimitive mode capabilities are advertised as JSON
objects within the array of 'capabilities' as part of the
'capability_exchange' element of the ACVP JSON registration message.
A single property is allowed in the registration, 'modulo' with the
only approved value of 2048. In this mode, the only tested
capability is the correct exponentiation 's = cipherText^d mod n',