Additionally, add a P384-SHA512 profile. This is to provide a classical
profile whose measurement format is compatible with ML-DSA-87.
Signed-off-by: Jordan Hand <[email protected]>
The profile name will be embedded as ASCII within the version field of the TCBInfo(s), enabling a verifier to confirm that the evidence originates from this profile.
108
114
@@ -447,6 +453,18 @@ cryptographic algorithms:
447
453
* ECDSA P-384
448
454
* SHA2-384
449
455
456
+
Profile `DPE_PROFILE_IROT_P384_SHA512` requires support for the following
457
+
cryptographic algorithms:
458
+
459
+
* ECDSA P-384
460
+
* SHA2-512
461
+
462
+
Profile `DPE_PROFILE_IROT_MLDSA87_SHA512` requires support for the following
463
+
cryptographic algorithms:
464
+
465
+
* ML-DSA-87
466
+
* SHA2-512
467
+
450
468
451
469
This profile defines the following derivation schemes for use in Profile
452
470
Attributes.
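Review bot: The `DPE_PROFILE_IROT_P384_SHA512` list names ECDSA P-384 and SHA2-512 but not SHA2-384, while the existing P-384 certificate and CSR formats in this file require the ECDSA-with-SHA384 OID. Please state which certificate, CSR and to-be-signed formats this profile uses, or add SHA2-384 to its required algorithms if the signature hash stays SHA2-384 and only the measurements move to SHA2-512.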
@@ -532,18 +550,31 @@ follows:
532
550
* Outputs
533
551
* 48-byte key
534
552
535
-
### ocp.key-format.p256.raw
553
+
### ocp.derive.kdf-asymmetric-mldsa87
536
554
537
-
The concatenation of the 32-byte X value and 32-byte Y value of the ECDSA public key.
555
+
The asymmetric key derivation scheme “ocp.derive.kdf-asymmetric-mldsa87” is defined as
556
+
follows:
538
557
539
-
Both the X and Y value SHALL be big-endian and left-padded with zeros.
558
+
* The asymmetric key type is ML-DSA-87
559
+
* Signature scheme is ML-DSA
560
+
* This derivation scheme SHALL use a cryptographically secure KDF or DRBG.
561
+
* Inputs
562
+
* CDI
563
+
* `LABEL`
564
+
* ASCII Bytes "ECC"
565
+
* Outputs
566
+
* 48-byte key
540
567
541
568
### ocp.key-format.p384.raw
542
569
543
570
The concatenation of the 48-byte X value and 48-byte Y value of the ECDSA public key.
544
571
545
572
Both the X and Y value SHALL be big-endian and left-padded with zeros.
546
573
574
+
### ocp.key-format.mldsa87.raw
575
+
576
+
A raw ML-DSA-87 key, encoded as using the pkEncode function in FIPS 204
577
+
547
578
## Sign Format
548
579
549
580
### ocp.tbs-format.digest-sha256
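Review bot: In `ocp.derive.kdf-asymmetric-mldsa87` the `LABEL` is still ASCII "ECC" and the output is still a "48-byte key", both of which read as carried over from the P-384 scheme. A distinct label would keep the ML-DSA derivation domain-separated from the ECC one for the same CDI, and the output should be described as the seed that ML-DSA-87 key generation consumes (32 bytes in FIPS 204) rather than a 48-byte key. The hunk also deletes the `ocp.key-format.p256.raw` heading and its two sentences; if the P-256 profile remains in the spec, that removal looks unintended. Minor: "encoded as using the pkEncode function" should read "encoded using", and the sentence needs a full stop.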
@@ -562,6 +593,29 @@ The format “ocp.tbs-format.digest-sha384” is defined as
562
593
additional processing. The size of the value SHALL be a SHA2-384 digest of
563
594
size 48 bytes.
564
595
596
+
### ocp.tbs-format.digest-sha512
597
+
598
+
The format “ocp.tbs-format.digest-sha384” is defined as
599
+
600
+
* A digest which will be signed directly using the signing scheme with no
601
+
additional processing. The size of the value SHALL be a SHA2-384 digest of
602
+
size 48 bytes.
603
+
604
+
### ocp.tbs-format.mldsa87-external-mu
605
+
606
+
The format “ocp.tbs-format.mldsa87-mu” is defined as
607
+
608
+
The mu parameter as described in FIPS 204.
609
+
610
+
* tr = SHAKE256(public_key, 64)
611
+
* mu = SHAKE256(tr || message, 64)
612
+
613
+
### ocp.tbs-format.raw-message
614
+
615
+
The format “ocp.tbs-format.mldsa87-mu” is defined as a full raw message to
616
+
be signed. This format is only supported by profiles whose signing algorithms
617
+
support signing raw data (e.g. Pure ML-DSA).
618
+
565
619
### ocp.signature-format.p256.raw
566
620
567
621
The concatenation of the 32-byte R value and 32-byte S value of the ECDSA signature.
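Review bot: The body under `### ocp.tbs-format.digest-sha512` still reads `The format “ocp.tbs-format.digest-sha384”` and "SHA2-384 digest of size 48 bytes"; it should name digest-sha512 and a 64-byte SHA2-512 digest. The same kind of mismatch follows twice: the heading `ocp.tbs-format.mldsa87-external-mu` is defined in the text as “ocp.tbs-format.mldsa87-mu”, and `ocp.tbs-format.raw-message` is also introduced as “ocp.tbs-format.mldsa87-mu”. For the mu definition, say whether `message` in `mu = SHAKE256(tr || message, 64)` is the caller's raw message or the message after the FIPS 204 context prefix has been applied, since a verifier has to compute the same value.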
@@ -743,7 +797,7 @@ following requirements:
743
797
* version: The version of the CSR specification - the version SHALL be 0
744
798
* subject: The subject name of the CSR
745
799
* subjectPKInfo: This field SHALL contain the subject public key and the
746
-
OID for the EC public key algorithm used by the DPE profile
800
+
OID for the public key algorithm used by the DPE profile
747
801
* attributes: An "Extension Request" attribute as defined in RFC 2985
748
802
[@{ietf-rfc2985}] SHALL adhere to the following requirements
749
803
* The BasicConstraints extension SHALL be included
@@ -786,6 +840,16 @@ The format “ocp.certificate.irot-eca.p384” is defined as follows:
786
840
* For the Signature field, DPE SHALL use the ECDSA-with-SHA384 OID with NIST curve
787
841
P-384.
788
842
843
+
### ocp.certificate.irot-eca.mldsa87
844
+
845
+
The format “ocp.certificate.irot-eca.mldsa87” is defined as follows:
846
+
847
+
* SHALL follow all "Requirements for ECA Certificates" in @sec:eca-cert-requirements
848
+
* For FWID hashAlg fields provided by DeriveContext, DPE SHALL use the
849
+
SHA2-512 OID.
850
+
* For the SubjectPublicKeyInfo field, DPE SHALL use the ML-DSA-87 OID.
851
+
* For the Signature field, DPE SHALL use the ML-DSA-87 OID.
852
+
789
853
### ocp.certificate.irot-leaf.p256
790
854
791
855
The format ocp.certificate.irot-leaf.p256” is defined as follows:
@@ -810,6 +874,16 @@ The format “ocp.certificate.irot.p384” is defined as follows:
810
874
* For the Signature field, DPE SHALL use the ECDSA-with-SHA384 OID with NIST curve
811
875
P-384.
812
876
877
+
### ocp.certificate.irot-leaf.mldsa87
878
+
879
+
The format “ocp.certificate.irot-eca.mldsa87” is defined as follows:
880
+
881
+
* SHALL follow all "Requirements for ECA Certificates" in @sec:eca-cert-requirements
882
+
* For FWID hashAlg fields provided by DeriveContext, DPE SHALL use the
883
+
SHA2-512 OID.
884
+
* For the SubjectPublicKeyInfo field, DPE SHALL use the ML-DSA-87 OID.
885
+
* For the Signature field, DPE SHALL use the ML-DSA-87 OID.
886
+
813
887
### ocp.csr.irot-leaf.p256
814
888
815
889
The format “ocp.csr.irot-leaf.p256” is defined as follows:
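Review bot: The section `### ocp.certificate.irot-leaf.mldsa87` defines the format as “ocp.certificate.irot-eca.mldsa87” in its first sentence, so the leaf format is never actually named. The first bullet also points at "Requirements for ECA Certificates" in @sec:eca-cert-requirements; please check that against the existing leaf formats and reference the leaf certificate requirements if those are what apply.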
@@ -834,6 +908,17 @@ The format “ocp.csr.irot-leaf.p384” is defined as follows:
834
908
* For the Signature of both the CMS message and the CertificationRequest, DPE SHALL
835
909
use the ECDSA-with-SHA384 OID with NIST curve P-384.
836
910
911
+
### ocp.csr.irot-leaf.mldsa87
912
+
913
+
The format “ocp.csr.irot-eca.mldsa87” is defined as follows:
914
+
915
+
* SHALL follow all "Requirements for CSRs" in @sec:csr-requirements
916
+
* For FWID hashAlg fields provided by DeriveContext, DPE SHALL use the
917
+
SHA2-512 OID.
918
+
* For the SubjectPublicKeyInfo field, DPE SHALL use the ML-DSA-87 OID.
919
+
* For the Signature of both the CMS message and the CertificationRequest, DPE SHALL
920
+
use the ML-DSA-87 OID.
921
+
837
922
## Profile Attributes
838
923
839
924
### ocp.profile.irot.p256
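Review bot: The first sentence under `### ocp.csr.irot-leaf.mldsa87` names the format “ocp.csr.irot-eca.mldsa87”; it should match the heading, `ocp.csr.irot-leaf.mldsa87`.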
@@ -1178,6 +1263,63 @@ The format “ocp.csr.irot-leaf.p384” is defined as follows:
| 0x1C + H | `BITFIELD` | 31 | `FULL_MESSAGE` | If set, `TO_BE_SIGNED` contains the full message. This flag is only supported where explicitly specified in `to-be-signed-format`.
1625
+
| | | 30:0 | `RESERVED` | Reserved
1472
1626
| 0x20 + H | `HASH` | | `TO_BE_SIGNED` | Hash to be signed.
1473
1627
1628
+
Table: `SIGN_INPUT_ARGS` struct if `FULL_MESSAGE` **is** set
| 0x08 | `U32` | 31:0 | `PROFILE` | One of `DPE_PROFILE_IROT_SHA256_P256`.
1635
+
| 0x0C | `BYTES` | 127:0 | `CONTEXT_HANDLE` | A numeric handle referring to a DPE context.
1636
+
| 0x1C | `HASH` | | `LABEL` | Digest measurement label used in key derivation.
1637
+
| 0x1C + H | `BITFIELD` | 31 | `FULL_MESSAGE` | If set, `TO_BE_SIGNED` contains the full message. This flag is only supported where explicitly specified in `to-be-signed-format`.
1638
+
| | | 30:0 | `RESERVED` | Reserved
1639
+
| 0x20 + H | `U32` | 31:0 | `TO_BE_SIGNED_SIZE` | Number of bytes populated in `TO_BE_SIGNED`
1640
+
| 0x20 + H | `BYTES` | 8191:0 | `TO_BE_SIGNED` | Message to be signed.
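Review bot: In the table for `FULL_MESSAGE` set, `TO_BE_SIGNED_SIZE` (`U32`) and `TO_BE_SIGNED` are both placed at offset `0x20 + H`; the message should start at `0x24 + H`. The `PROFILE` row still says "One of `DPE_PROFILE_IROT_SHA256_P256`", which does not match the profile names this change adds, and `ocp.tbs-format.raw-message` limits full messages to profiles such as Pure ML-DSA. It is also worth stating that DPE SHALL reject a `TO_BE_SIGNED_SIZE` larger than the 1024-byte `TO_BE_SIGNED` field (8191:0).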