Using xtest_add_attr() API for adding TEE_ATTR_RSA_OAEP_LABEL attribute

Question

Using xtest_add_attr() API for adding TEE_ATTR_RSA_OAEP_LABEL attribute

Hussain1811 opened this issue 3 years ago · 8 comments

xtest_add_attr() needs a buffer parameter as an input.
So, for adding the TEE_ATTR_RSA_OAEP_LABEL attribute, what is the buffer that needs to be given? (modulus/pub_exp/priv_exp/prime1/prime2/exp1/exp2/coeff!?!?)

Answer 1 · 2022-04-12T07:10:12.000Z

Also, should the same OAEP attribute data be provided when calling TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt()?

Answer 2 · 2022-04-12T07:29:03.000Z

Hi @Hussain1811,
As per the TEE Internal Core API Specification (tables 6-7 and 6-15), TEE_ATTR_RSA_OAEP_LABEL is a buffer attribute (reference) of binary type. My understanding is, the label can be anything provided that the same value is used for encryption and decryption.

Answer 3 · 2022-04-12T09:07:16.000Z

Well - i get a success even upon using different OAEP label buffers for encrypt, decrypt.
Tried with TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 and a 1024 bit key
is this a bug?

Answer 4 · 2022-04-12T09:19:11.000Z

Interesting. TBH I don't know, I would have to look more precisely. I think the label is used only during padding so perhaps your data didn't need padding and that is why the label doesn't matter? Again not sure about how OAEP works.

Answer 5 · 2022-04-12T09:45:49.000Z

RSA-OAEP has an upper limit on the data sizes that it can encrypt (according to RFC).
max_input_data_size = (key_size_in_bytes - 2*hash_size_in_bytes - 2)
So, for TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 with a 1024bit key, the maximum input data size=30 bytes

The test i performed was with 29bytes

Answer 6 · 2022-04-12T09:48:05.000Z

Furthermore, i've seen that XTEST doesn't test this aspect of providing a label attribute buffer for OAEP: https://github.com/OP-TEE/optee_test/blob/master/host/xtest/regression_4000.c#L3925
It provides NULL

Answer 7 · 2022-04-13T09:03:39.000Z

Upon some more reading of https://www.rfc-editor.org/rfc/rfc8017#section-7.1, i have understood that we need to provide an empty string for the OAEP label so as to be in compliance with the RFC. Otherwise, the algorithm allows just about anything that is within the limits for the input of the hash function used for hashing the label.

Answer 8 · 2022-05-14T02:44:04.000Z

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note that you can always re-open a closed issue at any time.