CryptoPkg: Add digest-based RSA-PSS sign and verify APIs #12302

Merged: mergify[bot] merged 2 commits into tianocore:master from baranee:add-rsa-pss-verify-digest, Apr 7, 2026

baranee commented Mar 17, 2026

Description

Add RsaPssSignDigest() and RsaPssVerifyDigest() to BaseCryptLib for signing/verifying precomputed digests.
Provide OpenSSL/MbedTLS/Null implementations, expose via EDKII_CRYPTO_PROTOCOL (v24), and
add PCD controls for independent service enabling.
Include unit tests.

  • Breaking change?
    • Breaking change - Does this PR cause a break in build or boot behavior?
    • Examples: Does it add a new library class or move a module to a different repo.
  • Impacts security?
    • Security - Does this PR have a direct security impact?
    • Examples: Crypto algorithm change or buffer overflow fix.
  • Includes tests?
    • Tests - Does this PR include any explicit test code?
    • Examples: Unit tests or integration tests.

How This Was Tested

Verified by invoking the new API with OpenSSL (SMM) and MbedTLS (PEI) implementations.

Integration Instructions

N/A
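
What "digest-based" means for RSA-PSS, as an added example that is not code from this PR or from EDK II: in RFC 8017 EMSA-PSS only the hash of the message enters the encoding, so a digest-level sign or verify is the message-level operation with the first hashing step left to the caller. The function names and the toy key (a product of two Mersenne primes, not secure) are assumptions; Python is used so the sketch runs on the standard library alone.

```python
import hashlib, hmac, os

# Constructed toy key (assumption, NOT secure): product of two Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
MOD_BITS = N.bit_length()
EM_LEN = (MOD_BITS - 1 + 7) // 8                  # emLen for emBits = modBits - 1
H_LEN = 32                                        # SHA-256 digest size
TOP_MASK = 0xFF >> (8 * EM_LEN - (MOD_BITS - 1))  # clears the unused top bits

def mgf1(seed, length):
    blocks = range(-(-length // H_LEN))
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]

def xor(a, b):
    return bytearray(x ^ y for x, y in zip(a, b))

def pss_sign_digest(m_hash, salt_len=H_LEN):
    # Hypothetical digest-level signer: EMSA-PSS encoding with mHash supplied by the caller.
    if len(m_hash) != H_LEN:
        raise ValueError("digest size does not match the hash algorithm")
    salt = os.urandom(salt_len)
    h = hashlib.sha256(bytes(8) + m_hash + salt).digest()
    db = bytes(EM_LEN - salt_len - H_LEN - 2) + b"\x01" + salt
    masked = xor(db, mgf1(h, len(db)))
    masked[0] &= TOP_MASK
    em = int.from_bytes(bytes(masked) + h + b"\xbc", "big")
    return pow(em, D, N).to_bytes((MOD_BITS + 7) // 8, "big")

def pss_verify_digest(m_hash, sig, salt_len=H_LEN):
    s = int.from_bytes(sig, "big")
    em_int = pow(s, E, N)
    if len(m_hash) != H_LEN or s >= N or em_int.bit_length() > MOD_BITS - 1:
        return False
    em = em_int.to_bytes(EM_LEN, "big")
    masked, h, trailer = em[:-H_LEN - 1], em[-H_LEN - 1:-1], em[-1]
    db = xor(masked, mgf1(h, len(masked)))
    db[0] &= TOP_MASK
    pad = len(db) - salt_len - 1
    if trailer != 0xBC or db[:pad] != bytes(pad) or db[pad] != 1:
        return False
    expected = hashlib.sha256(bytes(8) + m_hash + bytes(db[pad + 1:])).digest()
    return hmac.compare_digest(h, expected)

# Message-level variants: hash first, then reuse the digest-level path.
def pss_sign(msg):
    return pss_sign_digest(hashlib.sha256(msg).digest())
def pss_verify(msg, sig):
    return pss_verify_digest(hashlib.sha256(msg).digest(), sig)
```

A digest-level verifier cannot tell which message or hash algorithm produced its input, so the caller has to bind the digest to the data it claims to cover; the only check available inside the function is the digest length.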

github-actions bot added the impact:testing label (This contribution includes tests such as unit and/or integration tests.) Mar 17, 2026
baranee force-pushed the add-rsa-pss-verify-digest branch 2 times, most recently from 0250408 to 8bd6036, March 17, 2026 16:20
baranee marked this pull request as ready for review March 17, 2026 17:40
Comment thread CryptoPkg/Readme.md

jyao1 commented Mar 24, 2026

Also need to update PcdCryptoServiceFamilyEnable.h to add new API.

baranee commented Mar 25, 2026

> Also need to update PcdCryptoServiceFamilyEnable.h to add new API.

My current thought is that the existing RsaPss.Services.Sign and RsaPss.Services.Verify could still cover both the message (current APIs) and digest (new SignDigest/VerifyDigest) variants. I didn’t realize we expect a 1:1 mapping between every public API and a distinct PCD bit. That said, I’m open to enhancing PcdCryptoServiceFamilyEnable.h as needed.

baranee force-pushed the add-rsa-pss-verify-digest branch 2 times, most recently from f179d1c to 8fc2598, March 26, 2026 18:25
baranee changed the title from "CryptoPkg: Add digest-based RSA-PSS verify API" to "CryptoPkg: Add digest-based RSA-PSS sign and verify APIs" Mar 26, 2026

jyao1 commented Mar 27, 2026

> the existing RsaPss.Services.Sign and RsaPss.Services.Verify could still cover both the message (current APIs) and digest (new SignDigest/VerifyDigest) variants.

Question: If the existing API can support current Digest Variant, then why do we need a new specific API for VerifyDigest?

baranee commented Mar 27, 2026

> Question: If the existing API can support current Digest Variant, then why do we need a new specific API for VerifyDigest?

I’ve clarified that the Sign and Verify bits in PcdCryptoServiceFamilyEnable.h cover both message‑ and digest‑level variants (capabilities, not API names). Per feedback, I added explicit RsaPss.Services.SignDigest and RsaPss.Services.VerifyDigest bits in the latest commit.

baranee force-pushed the add-rsa-pss-verify-digest branch 2 times, most recently from 105ce67 to e8b10ca, April 2, 2026 19:17
Add RsaPssSignDigest() and RsaPssVerifyDigest() to BaseCryptLib for
signing/verifying precomputed digests. Provide OpenSSL/MbedTLS/Null
implementations, expose via EDKII_CRYPTO_PROTOCOL (v24), and add PCD
controls for independent service enabling. Include unit tests.

Signed-off-by: Anbazhagan Baraneedharan <anbazhagan@hp.com>
baranee force-pushed the add-rsa-pss-verify-digest branch from e8b10ca to 22f1413, April 2, 2026 21:56

baranee commented Apr 6, 2026

@jyao1 Let me know if any other concern needs to be addressed for this PR.

jyao1 added the push label (Auto push patch series in PR if all checks pass) Apr 7, 2026
mergify bot added the queued label Apr 7, 2026

mergify Bot commented Apr 7, 2026

Merge Queue Status

  • Entered queue 2026-04-07 11:05 UTC · Rule: default
  • Checks passed · in-place
  • Merged 2026-04-07 12:26 UTC · at 19c13ed383ce45b386526aeeab9476d240608746

This pull request spent 1 hour 21 minutes 40 seconds in the queue, including 1 hour 21 minutes 26 seconds running CI.

Required conditions to merge
  • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
  • any of [🛡 GitHub branch protection]:
    • check-success = tianocore.PatchCheck
    • check-neutral = tianocore.PatchCheck
    • check-skipped = tianocore.PatchCheck
  • any of [🛡 GitHub branch protection]:
    • check-success = ArmVirtPkg - Ubuntu GCC - PR
    • check-neutral = ArmVirtPkg - Ubuntu GCC - PR
    • check-skipped = ArmVirtPkg - Ubuntu GCC - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = EmulatorPkg - Ubuntu GCC - PR
    • check-neutral = EmulatorPkg - Ubuntu GCC - PR
    • check-skipped = EmulatorPkg - Ubuntu GCC - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = EmulatorPkg - Windows VS - PR
    • check-neutral = EmulatorPkg - Windows VS - PR
    • check-skipped = EmulatorPkg - Windows VS - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = OvmfPkg - Ubuntu GCC - PR
    • check-neutral = OvmfPkg - Ubuntu GCC - PR
    • check-skipped = OvmfPkg - Ubuntu GCC - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = OvmfPkg - Windows VS - PR
    • check-neutral = OvmfPkg - Windows VS - PR
    • check-skipped = OvmfPkg - Windows VS - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = Windows VS - PR
    • check-neutral = Windows VS - PR
    • check-skipped = Windows VS - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = Ubuntu GCC - PR
    • check-neutral = Ubuntu GCC - PR
    • check-skipped = Ubuntu GCC - PR
  • any of [🛡 GitHub branch protection]:
    • check-success = Validate Pull Request Formatting
    • check-neutral = Validate Pull Request Formatting
    • check-skipped = Validate Pull Request Formatting
  • any of [🛡 GitHub branch protection]:
    • check-success = ArmVirtPkg - Ubuntu - CLANGPDB
    • check-neutral = ArmVirtPkg - Ubuntu - CLANGPDB
    • check-skipped = ArmVirtPkg - Ubuntu - CLANGPDB
  • any of [🛡 GitHub branch protection]:
    • check-success = OvmfPkg - Ubuntu - CLANGPDB
    • check-neutral = OvmfPkg - Ubuntu - CLANGPDB
    • check-skipped = OvmfPkg - Ubuntu - CLANGPDB
  • any of [🛡 GitHub branch protection]:
    • check-success = Ubuntu - CLANGPDB
    • check-neutral = Ubuntu - CLANGPDB
    • check-skipped = Ubuntu - CLANGPDB
  • any of [🛡 GitHub branch protection]:
    • check-success = Windows - CLANGPDB
    • check-neutral = Windows - CLANGPDB
    • check-skipped = Windows - CLANGPDB

mergify bot merged commit b3fdc09 into tianocore:master Apr 7, 2026
154 of 155 checks passed
mergify bot removed the queued label Apr 7, 2026
baranee deleted the add-rsa-pss-verify-digest branch April 12, 2026 17:39