1This document lists current limitations of the PSA Crypto API (as of version
21.1) that may impact our ability to (1) use it for all crypto operations in
3TLS and X.509 and (2) support isolation of all long-term secrets in TLS (that
4is, goals G1 and G2 in
5[strategy.md](https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/docs/architecture/psa-migration/strategy.md)).
6
7This is supposed to be a complete list, based on a exhaustive review of crypto
8operations done in TLS and X.509 code, but of course it's still possible that
9subtle-but-important issues have been missed. The only way to be really sure
10is, of course, to actually do the migration work.
11
12Limitations relevant for G1 (performing crypto operations)
13==========================================================
14
15Restartable (aka interruptible) ECC operations
16----------------------------------------------
17
18Support for interruptible ECDSA sign/verify was added to PSA in Mbed TLS 3.4.
19However, support for interruptible ECDH is not present yet. Also, PK, X.509 and
20TLS have not yet been adapted to take advantage of the new PSA APIs. See:
21- <https://github.com/Mbed-TLS/mbedtls/issues/7292>;
22- <https://github.com/Mbed-TLS/mbedtls/issues/7293>;
23- <https://github.com/Mbed-TLS/mbedtls/issues/7294>.
24
25Currently, when `MBEDTLS_ECP_RESTARTABLE` is enabled, some operations that
26should be restartable are not (ECDH in TLS 1.2 clients using ECDHE-ECDSA), as
27they are using PSA instead, and some operations that should use PSA do not
28(signature generation & verification) as they use the legacy API instead, in
29order to get restartable behaviour.
30
31Things that are in the API but not implemented yet
32--------------------------------------------------
33
34PSA Crypto has an API for FFDH, but it's not implemented in Mbed TLS yet.
35(Regarding FFDH, see the next section as well.) See issue [3261][ffdh] on
36github.
37
38[ffdh]: https://github.com/Mbed-TLS/mbedtls/issues/3261
39
40Arbitrary parameters for FFDH
41-----------------------------
42
43(See also the first paragraph in the previous section.)
44
45Currently, the PSA Crypto API can only perform FFDH with a limited set of
46well-known parameters (some of them defined in the spec, but implementations
47are free to extend that set).
48
49TLS 1.2 (and earlier) on the other hand have the server send explicit
50parameters (P and G) in its ServerKeyExchange message. This has been found to
51be suboptimal for security, as it is prohibitively hard for the client to
52verify the strength of these parameters. This led to the development of RFC
537919 which allows use of named groups in TLS 1.2 - however as this is only an
54extension, servers can still send custom parameters if they don't support the
55extension.
56
57In TLS 1.3 the situation will be simpler: named groups are the only
58option, so the current PSA Crypto API is a good match for that. (Not
59coincidentally, all the groups used by RFC 7919 and TLS 1.3 are included
60in the PSA specification.)
61
62There are several options here:
63
641. Implement support for custom FFDH parameters in PSA Crypto: this would pose
65   non-trivial API design problem, but most importantly seems backwards, as
66the crypto community is moving away from custom FFDH parameters. (Could be
67done any time.)
682. Drop the DHE-RSA and DHE-PSK key exchanges in TLS 1.2 when moving to PSA.
69   (For people who want some algorithmic variety in case ECC collapses, FFDH
70would still be available in TLS 1.3, just not in 1.2.) (Can only be done in
714.0 or another major version.)
723. Variant of the precedent: only drop client-side support. Server-side is
73   easy to support in terms of API/protocol, as the server picks the
74parameters: we just need remove the existing `mbedtls_ssl_conf_dh_param_xxx()`
75APIs and tell people to use `mbedtls_ssl_conf_groups()` instead. (Can only be
76done in 4.0 or another major version.)
774. Implement RFC 7919, support DHE-RSA and DHE-PSK only in conjunction with it
78   when moving to PSA. Server-side would work as above; unfortunately
79client-side the only option is to offer named groups and break the handshake
80if the server didn't take on our offer. This is not fully satisfying, but is
81perhaps the least unsatisfying option in terms of result; it's also probably
82the one that requires the most work, but it would deliver value beyond PSA
83migration by implementing RFC 7919. (Implementing RFC 7919 could be done any
84time; making it mandatory can only be done in 4.0 or another major version.)
85
86As of early 2023, the plan is to go with option 2 in Mbed TLS 4.0, which has
87been announced on the mailing-list and got no push-back, see
88<https://github.com/Mbed-TLS/mbedtls/issues/5278>.
89
90RSA-PSS parameters
91------------------
92
93RSA-PSS signatures are defined by PKCS#1 v2, re-published as RFC 8017
94(previously RFC 3447).
95
96As standardized, the signature scheme takes several parameters, in addition to
97the hash algorithm potentially used to hash the message being signed:
98- a hash algorithm used for the encoding function
99- a mask generation function
100  - most commonly MGF1, which in turn is parametrized by a hash algorithm
101- a salt length
102- a trailer field - the value is fixed to 0xBC by PKCS#1 v2.1, but was left
103  configurable in the original scheme; 0xBC is used everywhere in practice.
104
105Both the existing `mbedtls_` API and the PSA API support only MGF1 as the
106generation function (and only 0xBC as the trailer field), but there are
107discrepancies in handling the salt length and which of the various hash
108algorithms can differ from each other.
109
110### API comparison
111
112- RSA:
113  - signature: `mbedtls_rsa_rsassa_pss_sign()`
114    - message hashed externally
115    - encoding hash = MGF1 hash (from context, or argument = message hash)
116    - salt length: always using the maximum legal value
117  - signature: `mbedtls_rsa_rsassa_pss_sign_ext()`
118    - message hashed externally
119    - encoding hash = MGF1 hash (from context, or argument = message hash)
120    - salt length: specified explicitly
121  - verification: `mbedtls_rsassa_pss_verify()`
122    - message hashed externally
123    - encoding hash = MGF1 hash (from context, or argument = message hash)
124    - salt length: any valid length accepted
125  - verification: `mbedtls_rsassa_pss_verify_ext()`
126    - message hashed externally
127    - encoding hash = MGF1 hash from dedicated argument
128    - expected salt length: specified explicitly, can specify "ANY"
129- PK:
130  - signature: not supported
131  - verification: `mbedtls_pk_verify_ext()`
132    - message hashed externally
133    - encoding hash = MGF1 hash, specified explicitly
134    - expected salt length: specified explicitly, can specify "ANY"
135- PSA:
136  - algorithm specification:
137    - hash alg used for message hashing, encoding and MGF1
138    - salt length can be either "standard" (<= hashlen, see note) or "any"
139  - signature generation:
140    - salt length: always <= hashlen (see note) and random salt
141  - verification:
142    - salt length: either <= hashlen (see note), or any depending on algorithm
143
144Note: above, "<= hashlen" means that hashlen is used if possible, but if it
145doesn't fit because the key is too short, then the maximum length that fits is
146used.
147
148The RSA/PK API is in principle more flexible than the PSA Crypto API. The
149following sub-sections study whether and how this matters in practice.
150
151### Use in X.509
152
153RFC 4055 Section 3.1 defines the encoding of RSA-PSS that's used in X.509.
154It allows independently specifying the message hash (also used for encoding
155hash), the MGF (and its hash if MGF1 is used), and the salt length (plus an
156extra parameter "trailer field" that doesn't vary in practice"). These can be
157encoded as part of the key, and of the signature. If both encoding are
158presents, all values must match except possibly for the salt length, where the
159value from the signature parameters is used.
160
161In Mbed TLS, RSA-PSS parameters can be parsed and displayed for various
162objects (certificates, CRLs, CSRs). During parsing, the following properties
163are enforced:
164- the extra "trailer field" parameter must have its default value
165- the mask generation function is MGF1
166- encoding hash = message hashing algorithm (may differ from MGF1 hash)
167
168When it comes to cryptographic operations, only two things are supported:
169- verifying the signature on a certificate from its parent;
170- verifying the signature on a CRL from the issuing CA.
171
172The verification is done using `mbedtls_pk_verify_ext()`.
173
174Note: since X.509 parsing ensures that message hash = encoding hash, and
175`mbedtls_pk_verify_ext()` uses encoding hash = mgf1 hash, it looks like all
176three hash algorithms must be equal, which would be good news as it would
177match a limitation of the PSA API.
178
179It is unclear what parameters people use in practice. It looks like by default
180OpenSSL picks saltlen = keylen - hashlen - 2 (tested with openssl 1.1.1f).
181The `certtool` command provided by GnuTLS seems to be picking saltlen = hashlen
182by default (tested with GnuTLS 3.6.13). FIPS 186-4 requires 0 <= saltlen <=
183hashlen.
184
185### Use in TLS
186
187In TLS 1.2 (or lower), RSA-PSS signatures are never used, except via X.509.
188
189In TLS 1.3, RSA-PSS signatures can be used directly in the protocol (in
190addition to indirect use via X.509). It has two sets of three signature
191algorithm identifiers (for SHA-256, SHA-384 and SHA-512), depending of what
192the OID of the public key is (rsaEncryption or RSASSA-PSS).
193
194In both cases, it specifies that:
195- the mask generation function is MGF1
196- all three hashes are equal
197- the length of the salt MUST be equal to the length of the digest algorithm
198
199When signing, the salt length picked by PSA is the one required by TLS 1.3
200(unless the key is unreasonably small).
201
202When verifying signatures, PSA will by default enforce the salt len is the one
203required by TLS 1.3.
204
205### Current testing - X509
206
207All test files use the default trailer field of 0xBC, as enforced by our
208parser. (There's a negative test for that using the
209`x509_parse_rsassa_pss_params` test function and hex data.)
210
211Files with "bad" in the name are expected to be invalid and rejected in tests.
212
213**Test certificates:**
214
215server9-bad-mgfhash.crt (announcing mgf1(sha224), signed with another mgf)
216         Hash Algorithm: sha256
217         Mask Algorithm: mgf1 with sha224
218          Salt Length: 0xDE
219server9-bad-saltlen.crt (announcing saltlen = 0xDE, signed with another len)
220         Hash Algorithm: sha256
221         Mask Algorithm: mgf1 with sha256
222          Salt Length: 0xDE
223server9-badsign.crt (one bit flipped in the signature)
224         Hash Algorithm: sha1 (default)
225         Mask Algorithm: mgf1 with sha1 (default)
226          Salt Length: 0xEA
227server9-defaults.crt
228         Hash Algorithm: sha1 (default)
229         Mask Algorithm: mgf1 with sha1 (default)
230          Salt Length: 0x14 (default)
231server9-sha224.crt
232         Hash Algorithm: sha224
233         Mask Algorithm: mgf1 with sha224
234          Salt Length: 0xE2
235server9-sha256.crt
236         Hash Algorithm: sha256
237         Mask Algorithm: mgf1 with sha256
238          Salt Length: 0xDE
239server9-sha384.crt
240         Hash Algorithm: sha384
241         Mask Algorithm: mgf1 with sha384
242          Salt Length: 0xCE
243server9-sha512.crt
244         Hash Algorithm: sha512
245         Mask Algorithm: mgf1 with sha512
246          Salt Length: 0xBE
247server9-with-ca.crt
248         Hash Algorithm: sha1 (default)
249         Mask Algorithm: mgf1 with sha1 (default)
250          Salt Length: 0xEA
251server9.crt
252         Hash Algorithm: sha1 (default)
253         Mask Algorithm: mgf1 with sha1 (default)
254          Salt Length: 0xEA
255
256These certificates are signed with a 2048-bit key. It appears that they are
257all using saltlen = keylen - hashlen - 2, except for server9-defaults which is
258using saltlen = hashlen.
259
260**Test CRLs:**
261
262crl-rsa-pss-sha1-badsign.pem
263         Hash Algorithm: sha1 (default)
264         Mask Algorithm: mgf1 with sha1 (default)
265          Salt Length: 0xEA
266crl-rsa-pss-sha1.pem
267         Hash Algorithm: sha1 (default)
268         Mask Algorithm: mgf1 with sha1 (default)
269          Salt Length: 0xEA
270crl-rsa-pss-sha224.pem
271         Hash Algorithm: sha224
272         Mask Algorithm: mgf1 with sha224
273          Salt Length: 0xE2
274crl-rsa-pss-sha256.pem
275         Hash Algorithm: sha256
276         Mask Algorithm: mgf1 with sha256
277          Salt Length: 0xDE
278crl-rsa-pss-sha384.pem
279         Hash Algorithm: sha384
280         Mask Algorithm: mgf1 with sha384
281          Salt Length: 0xCE
282crl-rsa-pss-sha512.pem
283         Hash Algorithm: sha512
284         Mask Algorithm: mgf1 with sha512
285          Salt Length: 0xBE
286
287These CRLs are signed with a 2048-bit key. It appears that they are
288all using saltlen = keylen - hashlen - 2.
289
290**Test CSRs:**
291
292server9.req.sha1
293         Hash Algorithm: sha1 (default)
294         Mask Algorithm: mgf1 with sha1 (default)
295          Salt Length: 0x6A
296server9.req.sha224
297         Hash Algorithm: sha224
298         Mask Algorithm: mgf1 with sha224
299          Salt Length: 0x62
300server9.req.sha256
301         Hash Algorithm: sha256
302         Mask Algorithm: mgf1 with sha256
303          Salt Length: 0x5E
304server9.req.sha384
305         Hash Algorithm: sha384
306         Mask Algorithm: mgf1 with sha384
307          Salt Length: 0x4E
308server9.req.sha512
309         Hash Algorithm: sha512
310         Mask Algorithm: mgf1 with sha512
311          Salt Length: 0x3E
312
313These CSRs are signed with a 2048-bit key. It appears that they are
314all using saltlen = keylen - hashlen - 2.
315
316### Possible courses of action
317
318There's no question about what to do with TLS (any version); the only question
319is about X.509 signature verification. Options include:
320
3211. Doing all verifications with `PSA_ALG_RSA_PSS_ANY_SALT` - while this
322   wouldn't cause a concrete security issue, this would be non-compliant.
3232. Doing verifications with `PSA_ALG_RSA_PSS` when we're lucky and the encoded
324   saltlen happens to match hashlen, and falling back to `ANY_SALT` otherwise.
325Same issue as with the previous point, except more contained.
3263. Reject all certificates with saltlen != hashlen. This includes all
327   certificates generated with OpenSSL using the default parameters, so it's
328probably not acceptable.
3294. Request an extension to the PSA Crypto API and use one of the above options
330   in the meantime. Such an extension seems inconvenient and not motivated by
331strong security arguments, so it's unclear whether it would be accepted.
332
333Since Mbed TLS 3.4, option 1 is implemented.
334
335Limitations relevant for G2 (isolation of long-term secrets)
336============================================================
337
338Currently none.
339