Merge pull request #116 from Nitrokey/rsa-backend

Migrate RSA support to `trussed-rsa-backend`

Cargo.toml

@@ -27,6 +27,7 @@ log = "0.4"
 serde = { version = "1.0", default-features = false }
 subtle = { version = "2.4.1", default-features = false }
 trussed = "0.1.0"
+trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend", rev = "311d2366f99cc300b03d61e7f6a0a07abd3e8700", optional = true }
 serde_repr = "0.1"
 hex-literal = "0.3.4"
 
@@ -45,6 +46,7 @@ regex = "1.6.0"
 stoppable_thread = "0.2.1"
 test-log = "0.2.10"
 trussed = { version = "0.1.0", features = ["virt"] }
+trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend", rev = "311d2366f99cc300b03d61e7f6a0a07abd3e8700", features = ["virt"] }
 rand = "0.8.5"
 ron = "0.8"
 serde_cbor = "0.11"
@@ -53,8 +55,9 @@ hex = { version = "0.4", features = ["serde"] }
 [features]
 std = []
 virtual = ["std", "vpicc"]
-rsa2048 = ["trussed/rsa2048"]
-rsa4096 = ["rsa2048", "trussed/rsa4096"]
+rsa = ["trussed-rsa-alloc"]
+rsa2048 = ["rsa"]
+rsa4096 = ["rsa2048"]
 rsa4096-gen = ["rsa4096"]
 dangerous-test-real-card = []
 
@@ -68,10 +71,9 @@ log-error = []
 
 [patch.crates-io]
 interchange = { git = "https://github.com/trussed-dev/interchange", rev = "fe5633466640e1e9a8c06d9b5dd1d0af08c272af" }
-littlefs2 = { git = "https://github.com/Nitrokey/littlefs2", tag = "v0.3.2-nitrokey-1" }
-littlefs2-sys = { git = "https://github.com/Nitrokey/littlefs2-sys", tag = "v0.1.6-nitrokey-1" }
 p256-cortex-m4 = { git = "https://github.com/Nitrokey/p256-cortex-m4", tag = "v0.1.0-alpha.6-nitrokey-1" }
-trussed = { git = "https://github.com/Nitrokey/trussed" , tag = "v0.1.0-nitrokey.6" }
+littlefs2 = { git = "https://github.com/Nitrokey/littlefs2", tag = "v0.3.2-nitrokey-2" }
+trussed = { git = "https://github.com/Nitrokey/trussed" , tag = "v0.1.0-nitrokey.8" }
 
 [package.metadata.docs.rs]
 all-features = true

examples/virtual.rs

@@ -25,10 +25,15 @@
 
 // TODO: add CLI
 
+#[cfg(not(feature = "rsa"))]
+use trussed::virt::with_ram_client;
+#[cfg(feature = "rsa")]
+use trussed_rsa_alloc::virt::with_ram_client;
+
 fn main() {
     env_logger::init();
 
-    trussed::virt::with_ram_client("opcard", |client| {
+    with_ram_client("opcard", |client| {
         let card = opcard::Card::new(client, opcard::Options::default());
         let mut virtual_card = opcard::VirtualCard::new(card);
         let vpicc = vpicc::connect().expect("failed to connect to vpicc");

src/command/gen.rs

@@ -13,6 +13,9 @@ use crate::utils::InspectErr;
 
 const KEYGEN_DO_TAG: &[u8] = &hex!("7f49");
 
+#[cfg(feature = "rsa")]
+use trussed_rsa_alloc::RsaPublicParts;
+
 fn serialize_pub<const R: usize, T: trussed::Client>(
     algo: CurveAlgo,
     ctx: LoadedContext<'_, R, T>,
@@ -35,11 +38,14 @@ pub fn sign<const R: usize, T: trussed::Client>(
             gen_ec_key(ctx.lend(), KeyType::Sign, CurveAlgo::EcDsaP256)
         }
         SignatureAlgorithm::Rsa2048 => {
-            gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa2048Pkcs)
+            gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa2048Pkcs1v15)
+        }
+        SignatureAlgorithm::Rsa3072 => {
+            gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa3072Pkcs1v15)
         }
         SignatureAlgorithm::Rsa4096 => {
             #[cfg(feature = "rsa4096-gen")]
-            return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa4096Pkcs);
+            return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa4096Pkcs1v15);
             #[cfg(not(feature = "rsa4096-gen"))]
             return Err(Status::FunctionNotSupported);
         }
@@ -55,11 +61,14 @@ pub fn dec<const R: usize, T: trussed::Client>(
         DecryptionAlgorithm::X255 => gen_ec_key(ctx.lend(), KeyType::Dec, CurveAlgo::X255),
         DecryptionAlgorithm::EcDhP256 => gen_ec_key(ctx.lend(), KeyType::Dec, CurveAlgo::EcDhP256),
         DecryptionAlgorithm::Rsa2048 => {
-            gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa2048Pkcs)
+            gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa2048Pkcs1v15)
+        }
+        DecryptionAlgorithm::Rsa3072 => {
+            gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa3072Pkcs1v15)
         }
         DecryptionAlgorithm::Rsa4096 => {
             #[cfg(feature = "rsa4096-gen")]
-            return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa4096Pkcs);
+            return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa4096Pkcs1v15);
             #[cfg(not(feature = "rsa4096-gen"))]
             return Err(Status::FunctionNotSupported);
         }
@@ -77,18 +86,21 @@ pub fn aut<const R: usize, T: trussed::Client>(
             gen_ec_key(ctx.lend(), KeyType::Aut, CurveAlgo::EcDsaP256)
         }
         AuthenticationAlgorithm::Rsa2048 => {
-            gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa2048Pkcs)
+            gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa2048Pkcs1v15)
+        }
+        AuthenticationAlgorithm::Rsa3072 => {
+            gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa3072Pkcs1v15)
         }
         AuthenticationAlgorithm::Rsa4096 => {
             #[cfg(feature = "rsa4096-gen")]
-            return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa4096Pkcs);
+            return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa4096Pkcs1v15);
             #[cfg(not(feature = "rsa4096-gen"))]
             return Err(Status::FunctionNotSupported);
         }
     }
 }
 
-#[cfg(feature = "rsa2048")]
+#[cfg(feature = "rsa")]
 fn gen_rsa_key<const R: usize, T: trussed::Client>(
     ctx: LoadedContext<'_, R, T>,
     key: KeyType,
@@ -175,8 +187,9 @@ pub fn read_sign<const R: usize, T: trussed::Client>(
     match algo {
         SignatureAlgorithm::Ed255 => read_ec_key(ctx.lend(), key_id, CurveAlgo::Ed255),
         SignatureAlgorithm::EcDsaP256 => read_ec_key(ctx.lend(), key_id, CurveAlgo::EcDsaP256),
-        SignatureAlgorithm::Rsa2048 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa2048Pkcs),
-        SignatureAlgorithm::Rsa4096 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa4096Pkcs),
+        SignatureAlgorithm::Rsa2048 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa2048Pkcs1v15),
+        SignatureAlgorithm::Rsa3072 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa3072Pkcs1v15),
+        SignatureAlgorithm::Rsa4096 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa4096Pkcs1v15),
     }
 }
 
@@ -193,8 +206,15 @@ pub fn read_dec<const R: usize, T: trussed::Client>(
     match algo {
         DecryptionAlgorithm::X255 => read_ec_key(ctx.lend(), key_id, CurveAlgo::X255),
         DecryptionAlgorithm::EcDhP256 => read_ec_key(ctx.lend(), key_id, CurveAlgo::EcDhP256),
-        DecryptionAlgorithm::Rsa2048 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa2048Pkcs),
-        DecryptionAlgorithm::Rsa4096 => read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa4096Pkcs),
+        DecryptionAlgorithm::Rsa2048 => {
+            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa2048Pkcs1v15)
+        }
+        DecryptionAlgorithm::Rsa3072 => {
+            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa3072Pkcs1v15)
+        }
+        DecryptionAlgorithm::Rsa4096 => {
+            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa4096Pkcs1v15)
+        }
     }
 }
 
@@ -212,10 +232,13 @@ pub fn read_aut<const R: usize, T: trussed::Client>(
         AuthenticationAlgorithm::Ed255 => read_ec_key(ctx.lend(), key_id, CurveAlgo::Ed255),
         AuthenticationAlgorithm::EcDsaP256 => read_ec_key(ctx.lend(), key_id, CurveAlgo::EcDsaP256),
         AuthenticationAlgorithm::Rsa2048 => {
-            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa2048Pkcs)
+            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa2048Pkcs1v15)
+        }
+        AuthenticationAlgorithm::Rsa3072 => {
+            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa3072Pkcs1v15)
         }
         AuthenticationAlgorithm::Rsa4096 => {
-            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa4096Pkcs)
+            read_rsa_key(ctx.lend(), key_id, Mechanism::Rsa4096Pkcs1v15)
         }
     }
 }
@@ -267,7 +290,7 @@ fn read_ec_key<const R: usize, T: trussed::Client>(
     ctx.reply.prepend_len(offset)
 }
 
-#[cfg(feature = "rsa2048")]
+#[cfg(feature = "rsa")]
 fn read_rsa_key<const R: usize, T: trussed::Client>(
     mut ctx: LoadedContext<'_, R, T>,
     key_id: KeyId,
@@ -284,38 +307,35 @@ fn read_rsa_key<const R: usize, T: trussed::Client>(
     ctx.reply.expand(KEYGEN_DO_TAG)?;
     let offset = ctx.reply.len();
 
-    let serialized_n =
-        try_syscall!(client.serialize_key(mechanism, public_key, KeySerialization::RsaN))
+    let pubkey_data =
+        try_syscall!(client.serialize_key(mechanism, public_key, KeySerialization::RsaParts))
             .map_err(|_err| {
                 error!("Failed to serialize public key N: {_err:?}");
                 syscall!(client.delete(public_key));
                 Status::UnspecifiedNonpersistentExecutionError
             })?
             .serialized_key;
+    let parsed_pubkey_data: RsaPublicParts =
+        trussed::postcard_deserialize(&pubkey_data).map_err(|_err| {
+            error!("Failed to deserialize public key");
+            syscall!(client.delete(public_key));
+            Status::UnspecifiedNonpersistentExecutionError
+        })?;
     ctx.reply.expand(&[0x81])?;
-    ctx.reply.append_len(serialized_n.len())?;
-    ctx.reply.expand(&serialized_n)?;
-    drop(serialized_n);
+    ctx.reply.append_len(parsed_pubkey_data.n.len())?;
+    ctx.reply.expand(parsed_pubkey_data.n)?;
 
-    let serialized_e =
-        try_syscall!(client.serialize_key(mechanism, public_key, KeySerialization::RsaE))
-            .map_err(|_err| {
-                error!("Failed to serialize public key E: {_err:?}");
-                syscall!(client.delete(public_key));
-                Status::UnspecifiedNonpersistentExecutionError
-            })?
-            .serialized_key;
     ctx.reply.expand(&[0x82])?;
-    ctx.reply.append_len(serialized_e.len())?;
-    ctx.reply.expand(&serialized_e)?;
+    ctx.reply.append_len(parsed_pubkey_data.e.len())?;
+    ctx.reply.expand(parsed_pubkey_data.e)?;
 
     ctx.reply.prepend_len(offset)?;
 
     syscall!(client.delete(public_key));
     Ok(())
 }
 
-#[cfg(not(feature = "rsa2048"))]
+#[cfg(not(feature = "rsa"))]
 fn gen_rsa_key<const R: usize, T: trussed::Client>(
     _ctx: LoadedContext<'_, R, T>,
     _key: KeyType,
@@ -324,7 +344,7 @@ fn gen_rsa_key<const R: usize, T: trussed::Client>(
     Err(Status::FunctionNotSupported)
 }
 
-#[cfg(not(feature = "rsa2048"))]
+#[cfg(not(feature = "rsa"))]
 fn read_rsa_key<const R: usize, T: trussed::Client>(
     _ctx: LoadedContext<'_, R, T>,
     _key_id: KeyId,

src/command/private_key_template.rs

@@ -13,6 +13,9 @@ use crate::types::*;
 const PRIVATE_KEY_TEMPLATE_DO: u16 = 0x4D;
 const CONCATENATION_KEY_DATA_DO: u16 = 0x5F48;
 
+#[cfg(feature = "rsa")]
+use trussed_rsa_alloc::RsaImportFormat;
+
 // § 4.4.3.12
 pub fn put_private_key_template<const R: usize, T: trussed::Client>(
     ctx: LoadedContext<'_, R, T>,
@@ -40,8 +43,9 @@ pub fn put_sign<const R: usize, T: trussed::Client>(
     let key_id = match attr {
         SignatureAlgorithm::EcDsaP256 => put_ec(ctx.lend(), CurveAlgo::EcDsaP256)?,
         SignatureAlgorithm::Ed255 => put_ec(ctx.lend(), CurveAlgo::Ed255)?,
-        SignatureAlgorithm::Rsa2048 => put_rsa(ctx.lend(), Mechanism::Rsa2048Pkcs)?,
-        SignatureAlgorithm::Rsa4096 => put_rsa(ctx.lend(), Mechanism::Rsa4096Pkcs)?,
+        SignatureAlgorithm::Rsa2048 => put_rsa(ctx.lend(), Mechanism::Rsa2048Pkcs1v15)?,
+        SignatureAlgorithm::Rsa3072 => put_rsa(ctx.lend(), Mechanism::Rsa3072Pkcs1v15)?,
+        SignatureAlgorithm::Rsa4096 => put_rsa(ctx.lend(), Mechanism::Rsa4096Pkcs1v15)?,
     }
     .map(|key_id| (key_id, KeyOrigin::Imported));
     let old_key_id = ctx
@@ -70,8 +74,9 @@ pub fn put_dec<const R: usize, T: trussed::Client>(
     let key_id = match attr {
         DecryptionAlgorithm::EcDhP256 => put_ec(ctx.lend(), CurveAlgo::EcDhP256)?,
         DecryptionAlgorithm::X255 => put_ec(ctx.lend(), CurveAlgo::X255)?,
-        DecryptionAlgorithm::Rsa2048 => put_rsa(ctx.lend(), Mechanism::Rsa2048Pkcs)?,
-        DecryptionAlgorithm::Rsa4096 => put_rsa(ctx.lend(), Mechanism::Rsa4096Pkcs)?,
+        DecryptionAlgorithm::Rsa2048 => put_rsa(ctx.lend(), Mechanism::Rsa2048Pkcs1v15)?,
+        DecryptionAlgorithm::Rsa3072 => put_rsa(ctx.lend(), Mechanism::Rsa3072Pkcs1v15)?,
+        DecryptionAlgorithm::Rsa4096 => put_rsa(ctx.lend(), Mechanism::Rsa4096Pkcs1v15)?,
     }
     .map(|key_id| (key_id, KeyOrigin::Imported));
     let old_key_id = ctx
@@ -100,8 +105,9 @@ pub fn put_aut<const R: usize, T: trussed::Client>(
     let key_id = match attr {
         AuthenticationAlgorithm::EcDsaP256 => put_ec(ctx.lend(), CurveAlgo::EcDsaP256)?,
         AuthenticationAlgorithm::Ed255 => put_ec(ctx.lend(), CurveAlgo::Ed255)?,
-        AuthenticationAlgorithm::Rsa2048 => put_rsa(ctx.lend(), Mechanism::Rsa2048Pkcs)?,
-        AuthenticationAlgorithm::Rsa4096 => put_rsa(ctx.lend(), Mechanism::Rsa4096Pkcs)?,
+        AuthenticationAlgorithm::Rsa2048 => put_rsa(ctx.lend(), Mechanism::Rsa2048Pkcs1v15)?,
+        AuthenticationAlgorithm::Rsa3072 => put_rsa(ctx.lend(), Mechanism::Rsa3072Pkcs1v15)?,
+        AuthenticationAlgorithm::Rsa4096 => put_rsa(ctx.lend(), Mechanism::Rsa4096Pkcs1v15)?,
     }
     .map(|key_id| (key_id, KeyOrigin::Imported));
     let old_key_id = ctx
@@ -169,8 +175,8 @@ fn put_ec<const R: usize, T: trussed::Client>(
     Ok(Some(key))
 }
 
-#[cfg(feature = "rsa2048")]
-fn parse_rsa_template(data: &[u8]) -> Option<trussed::types::RsaCrtImportFormat<'_>> {
+#[cfg(feature = "rsa")]
+fn parse_rsa_template(data: &[u8]) -> Option<RsaImportFormat> {
     use crate::tlv::take_len;
     const TEMPLATE_DO: u16 = 0x7F48;
 
@@ -192,17 +198,14 @@ fn parse_rsa_template(data: &[u8]) -> Option<trussed::types::RsaCrtImportFormat<
         template = d;
     }
     let key_data = get_do(&[PRIVATE_KEY_TEMPLATE_DO, CONCATENATION_KEY_DATA_DO], data)?;
-    Some(trussed::types::RsaCrtImportFormat {
+    Some(RsaImportFormat {
         e: key_data.get(res[0].0..res[0].1)?,
         p: key_data.get(res[1].0..res[1].1)?,
         q: key_data.get(res[2].0..res[2].1)?,
-        qinv: &[],
-        dp: &[],
-        dq: &[],
     })
 }
 
-#[cfg(feature = "rsa2048")]
+#[cfg(feature = "rsa")]
 fn put_rsa<const R: usize, T: trussed::Client>(
     ctx: LoadedContext<'_, R, T>,
     mechanism: Mechanism,
@@ -222,7 +225,7 @@ fn put_rsa<const R: usize, T: trussed::Client>(
         mechanism,
         &key_message,
         ctx.options.storage,
-        KeySerialization::RsaCrt
+        KeySerialization::RsaParts
     ))
     .map_err(|_err| {
         warn!("Failed to store key: {_err:?}");
@@ -232,7 +235,7 @@ fn put_rsa<const R: usize, T: trussed::Client>(
     Ok(Some(key))
 }
 
-#[cfg(not(feature = "rsa2048"))]
+#[cfg(not(feature = "rsa"))]
 fn put_rsa<const R: usize, T: trussed::Client>(
     _ctx: LoadedContext<'_, R, T>,
     _mechanism: Mechanism,

src/command/pso.rs

@@ -71,8 +71,9 @@ pub fn sign<const R: usize, T: trussed::Client>(
             }
             sign_ec(ctx, key_id, Mechanism::P256Prehashed)
         }
-        SignatureAlgorithm::Rsa2048 => sign_rsa(ctx, key_id, Mechanism::Rsa2048Pkcs),
-        SignatureAlgorithm::Rsa4096 => sign_rsa(ctx, key_id, Mechanism::Rsa4096Pkcs),
+        SignatureAlgorithm::Rsa2048 => sign_rsa(ctx, key_id, Mechanism::Rsa2048Pkcs1v15),
+        SignatureAlgorithm::Rsa3072 => sign_rsa(ctx, key_id, Mechanism::Rsa3072Pkcs1v15),
+        SignatureAlgorithm::Rsa4096 => sign_rsa(ctx, key_id, Mechanism::Rsa4096Pkcs1v15),
     }
 }
 
@@ -129,8 +130,9 @@ fn int_aut_key_mecha_uif<const R: usize, T: trussed::Client>(
                 AuthenticationAlgorithm::EcDsaP256 => (Mechanism::P256Prehashed, RsaOrEcc::Ecc),
                 AuthenticationAlgorithm::Ed255 => (Mechanism::Ed255, RsaOrEcc::Ecc),
 
-                AuthenticationAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs, RsaOrEcc::Rsa),
-                AuthenticationAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs, RsaOrEcc::Rsa),
+                AuthenticationAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs1v15, RsaOrEcc::Rsa),
+                AuthenticationAlgorithm::Rsa3072 => (Mechanism::Rsa3072Pkcs1v15, RsaOrEcc::Rsa),
+                AuthenticationAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs1v15, RsaOrEcc::Rsa),
             },
         ),
         KeyRef::Dec => (
@@ -141,8 +143,9 @@ fn int_aut_key_mecha_uif<const R: usize, T: trussed::Client>(
                     return Err(Status::ConditionsOfUseNotSatisfied);
                 }
                 DecryptionAlgorithm::EcDhP256 => (Mechanism::P256Prehashed, RsaOrEcc::Ecc),
-                DecryptionAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs, RsaOrEcc::Rsa),
-                DecryptionAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs, RsaOrEcc::Rsa),
+                DecryptionAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs1v15, RsaOrEcc::Rsa),
+                DecryptionAlgorithm::Rsa3072 => (Mechanism::Rsa3072Pkcs1v15, RsaOrEcc::Rsa),
+                DecryptionAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs1v15, RsaOrEcc::Rsa),
             },
         ),
     };
@@ -195,8 +198,9 @@ fn decipher_key_mecha_uif<const R: usize, T: trussed::Client>(
             match ctx.state.persistent.dec_alg() {
                 DecryptionAlgorithm::X255 => (Mechanism::X255, RsaOrEcc::Ecc),
                 DecryptionAlgorithm::EcDhP256 => (Mechanism::P256, RsaOrEcc::Ecc),
-                DecryptionAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs, RsaOrEcc::Rsa),
-                DecryptionAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs, RsaOrEcc::Rsa),
+                DecryptionAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs1v15, RsaOrEcc::Rsa),
+                DecryptionAlgorithm::Rsa3072 => (Mechanism::Rsa3072Pkcs1v15, RsaOrEcc::Rsa),
+                DecryptionAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs1v15, RsaOrEcc::Rsa),
             },
         ),
         KeyRef::Aut => (
@@ -208,8 +212,9 @@ fn decipher_key_mecha_uif<const R: usize, T: trussed::Client>(
                     return Err(Status::ConditionsOfUseNotSatisfied);
                 }
 
-                AuthenticationAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs, RsaOrEcc::Rsa),
-                AuthenticationAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs, RsaOrEcc::Rsa),
+                AuthenticationAlgorithm::Rsa2048 => (Mechanism::Rsa2048Pkcs1v15, RsaOrEcc::Rsa),
+                AuthenticationAlgorithm::Rsa3072 => (Mechanism::Rsa3072Pkcs1v15, RsaOrEcc::Rsa),
+                AuthenticationAlgorithm::Rsa4096 => (Mechanism::Rsa4096Pkcs1v15, RsaOrEcc::Rsa),
             },
         ),
     };