TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / d2d2912d8950b80a567e90fc8c4b62e5d9355542 / . / lib / libmbedtls / mbedtls / library / pk_wrap.c
blob: 107e912acee6da01c8a05698f79797754b696d72 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/*
2 * Public Key abstraction layer: wrapper functions
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]18 */
19
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]20#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]21
22#if defined(MBEDTLS_PK_C)
23#include "mbedtls/pk_internal.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]24#include "mbedtls/error.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]25
26/* Even if RSA not activated, for the sake of RSA-alt */
27#include "mbedtls/rsa.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]28
29#include <string.h>
30
31#if defined(MBEDTLS_ECP_C)
32#include "mbedtls/ecp.h"
33#endif
34
35#if defined(MBEDTLS_ECDSA_C)
36#include "mbedtls/ecdsa.h"
37#endif
38
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]39#if defined(MBEDTLS_USE_PSA_CRYPTO)
40#include "mbedtls/asn1write.h"
41#endif
42
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]43#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
44#include "mbedtls/platform_util.h"
45#endif
46
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]47#if defined(MBEDTLS_USE_PSA_CRYPTO)
48#include "psa/crypto.h"
49#include "mbedtls/psa_util.h"
50#include "mbedtls/asn1.h"
51#endif
52
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_PLATFORM_C)
54#include "mbedtls/platform.h"
55#else
56#include <stdlib.h>
57#define mbedtls_calloc calloc
58#define mbedtls_free free
59#endif
60
61#include <limits.h>
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]62#include <stdint.h>
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]63
64#if defined(MBEDTLS_RSA_C)
65static int rsa_can_do( mbedtls_pk_type_t type )
66{
67 return( type == MBEDTLS_PK_RSA ||
68 type == MBEDTLS_PK_RSASSA_PSS );
69}
70
71static size_t rsa_get_bitlen( const void *ctx )
72{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]73 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
74 return( 8 * mbedtls_rsa_get_len( rsa ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]75}
76
77static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
78 const unsigned char *hash, size_t hash_len,
79 const unsigned char *sig, size_t sig_len )
80{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]81 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]82 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
83 size_t rsa_len = mbedtls_rsa_get_len( rsa );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]84
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]85#if SIZE_MAX > UINT_MAX
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]86 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
87 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]88#endif /* SIZE_MAX > UINT_MAX */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]89
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]90 if( sig_len < rsa_len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]91 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
92
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]93 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]94 MBEDTLS_RSA_PUBLIC, md_alg,
95 (unsigned int) hash_len, hash, sig ) ) != 0 )
96 return( ret );
97
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]98 /* The buffer contains a valid signature followed by extra data.
99 * We have a special error code for that so that so that callers can
100 * use mbedtls_pk_verify() to check "Does the buffer start with a
101 * valid signature?" and not just "Does the buffer contain a valid
102 * signature?". */
103 if( sig_len > rsa_len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]104 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
105
106 return( 0 );
107}
108
109static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
110 const unsigned char *hash, size_t hash_len,
111 unsigned char *sig, size_t *sig_len,
112 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
113{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]114 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
115
116#if SIZE_MAX > UINT_MAX
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]117 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
118 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]119#endif /* SIZE_MAX > UINT_MAX */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]120
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]121 *sig_len = mbedtls_rsa_get_len( rsa );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]122
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]123 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]124 md_alg, (unsigned int) hash_len, hash, sig ) );
125}
126
127static int rsa_decrypt_wrap( void *ctx,
128 const unsigned char *input, size_t ilen,
129 unsigned char *output, size_t *olen, size_t osize,
130 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
131{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]132 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
133
134 if( ilen != mbedtls_rsa_get_len( rsa ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
136
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]137 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]138 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
139}
140
141static int rsa_encrypt_wrap( void *ctx,
142 const unsigned char *input, size_t ilen,
143 unsigned char *output, size_t *olen, size_t osize,
144 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
145{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]146 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
147 *olen = mbedtls_rsa_get_len( rsa );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]148
149 if( *olen > osize )
150 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
151
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]152 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
153 ilen, input, output ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]154}
155
156static int rsa_check_pair_wrap( const void *pub, const void *prv )
157{
158 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
159 (const mbedtls_rsa_context *) prv ) );
160}
161
162static void *rsa_alloc_wrap( void )
163{
164 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
165
166 if( ctx != NULL )
167 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
168
169 return( ctx );
170}
171
172static void rsa_free_wrap( void *ctx )
173{
174 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
175 mbedtls_free( ctx );
176}
177
178static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
179{
180 items->type = MBEDTLS_PK_DEBUG_MPI;
181 items->name = "rsa.N";
182 items->value = &( ((mbedtls_rsa_context *) ctx)->N );
183
184 items++;
185
186 items->type = MBEDTLS_PK_DEBUG_MPI;
187 items->name = "rsa.E";
188 items->value = &( ((mbedtls_rsa_context *) ctx)->E );
189}
190
191const mbedtls_pk_info_t mbedtls_rsa_info = {
192 MBEDTLS_PK_RSA,
193 "RSA",
194 rsa_get_bitlen,
195 rsa_can_do,
196 rsa_verify_wrap,
197 rsa_sign_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]198#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
199 NULL,
200 NULL,
201#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]202 rsa_decrypt_wrap,
203 rsa_encrypt_wrap,
204 rsa_check_pair_wrap,
205 rsa_alloc_wrap,
206 rsa_free_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]207#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
208 NULL,
209 NULL,
210#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]211 rsa_debug,
212};
213#endif /* MBEDTLS_RSA_C */
214
215#if defined(MBEDTLS_ECP_C)
216/*
217 * Generic EC key
218 */
219static int eckey_can_do( mbedtls_pk_type_t type )
220{
221 return( type == MBEDTLS_PK_ECKEY ||
222 type == MBEDTLS_PK_ECKEY_DH ||
223 type == MBEDTLS_PK_ECDSA );
224}
225
226static size_t eckey_get_bitlen( const void *ctx )
227{
228 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
229}
230
231#if defined(MBEDTLS_ECDSA_C)
232/* Forward declarations */
233static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
234 const unsigned char *hash, size_t hash_len,
235 const unsigned char *sig, size_t sig_len );
236
237static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
238 const unsigned char *hash, size_t hash_len,
239 unsigned char *sig, size_t *sig_len,
240 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
241
242static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
243 const unsigned char *hash, size_t hash_len,
244 const unsigned char *sig, size_t sig_len )
245{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]246 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]247 mbedtls_ecdsa_context ecdsa;
248
249 mbedtls_ecdsa_init( &ecdsa );
250
251 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
252 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
253
254 mbedtls_ecdsa_free( &ecdsa );
255
256 return( ret );
257}
258
259static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
260 const unsigned char *hash, size_t hash_len,
261 unsigned char *sig, size_t *sig_len,
262 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
263{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]265 mbedtls_ecdsa_context ecdsa;
266
267 mbedtls_ecdsa_init( &ecdsa );
268
269 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
270 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
271 f_rng, p_rng );
272
273 mbedtls_ecdsa_free( &ecdsa );
274
275 return( ret );
276}
277
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]278#if defined(MBEDTLS_ECP_RESTARTABLE)
279/* Forward declarations */
280static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
281 const unsigned char *hash, size_t hash_len,
282 const unsigned char *sig, size_t sig_len,
283 void *rs_ctx );
284
285static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
286 const unsigned char *hash, size_t hash_len,
287 unsigned char *sig, size_t *sig_len,
288 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
289 void *rs_ctx );
290
291/*
292 * Restart context for ECDSA operations with ECKEY context
293 *
294 * We need to store an actual ECDSA context, as we need to pass the same to
295 * the underlying ecdsa function, so we can't create it on the fly every time.
296 */
297typedef struct
298{
299 mbedtls_ecdsa_restart_ctx ecdsa_rs;
300 mbedtls_ecdsa_context ecdsa_ctx;
301} eckey_restart_ctx;
302
303static void *eckey_rs_alloc( void )
304{
305 eckey_restart_ctx *rs_ctx;
306
307 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
308
309 if( ctx != NULL )
310 {
311 rs_ctx = ctx;
312 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
313 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
314 }
315
316 return( ctx );
317}
318
319static void eckey_rs_free( void *ctx )
320{
321 eckey_restart_ctx *rs_ctx;
322
323 if( ctx == NULL)
324 return;
325
326 rs_ctx = ctx;
327 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
328 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
329
330 mbedtls_free( ctx );
331}
332
333static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
334 const unsigned char *hash, size_t hash_len,
335 const unsigned char *sig, size_t sig_len,
336 void *rs_ctx )
337{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]338 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]339 eckey_restart_ctx *rs = rs_ctx;
340
341 /* Should never happen */
342 if( rs == NULL )
343 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
344
345 /* set up our own sub-context if needed (that is, on first run) */
346 if( rs->ecdsa_ctx.grp.pbits == 0 )
347 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
348
349 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
350 md_alg, hash, hash_len,
351 sig, sig_len, &rs->ecdsa_rs ) );
352
353cleanup:
354 return( ret );
355}
356
357static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
358 const unsigned char *hash, size_t hash_len,
359 unsigned char *sig, size_t *sig_len,
360 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
361 void *rs_ctx )
362{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]364 eckey_restart_ctx *rs = rs_ctx;
365
366 /* Should never happen */
367 if( rs == NULL )
368 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
369
370 /* set up our own sub-context if needed (that is, on first run) */
371 if( rs->ecdsa_ctx.grp.pbits == 0 )
372 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
373
374 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
375 hash, hash_len, sig, sig_len,
376 f_rng, p_rng, &rs->ecdsa_rs ) );
377
378cleanup:
379 return( ret );
380}
381#endif /* MBEDTLS_ECP_RESTARTABLE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]382#endif /* MBEDTLS_ECDSA_C */
383
384static int eckey_check_pair( const void *pub, const void *prv )
385{
386 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
387 (const mbedtls_ecp_keypair *) prv ) );
388}
389
390static void *eckey_alloc_wrap( void )
391{
392 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
393
394 if( ctx != NULL )
395 mbedtls_ecp_keypair_init( ctx );
396
397 return( ctx );
398}
399
400static void eckey_free_wrap( void *ctx )
401{
402 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
403 mbedtls_free( ctx );
404}
405
406static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
407{
408 items->type = MBEDTLS_PK_DEBUG_ECP;
409 items->name = "eckey.Q";
410 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
411}
412
413const mbedtls_pk_info_t mbedtls_eckey_info = {
414 MBEDTLS_PK_ECKEY,
415 "EC",
416 eckey_get_bitlen,
417 eckey_can_do,
418#if defined(MBEDTLS_ECDSA_C)
419 eckey_verify_wrap,
420 eckey_sign_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]421#if defined(MBEDTLS_ECP_RESTARTABLE)
422 eckey_verify_rs_wrap,
423 eckey_sign_rs_wrap,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]424#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]425#else /* MBEDTLS_ECDSA_C */
426 NULL,
427 NULL,
428#endif /* MBEDTLS_ECDSA_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]429 NULL,
430 NULL,
431 eckey_check_pair,
432 eckey_alloc_wrap,
433 eckey_free_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]434#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
435 eckey_rs_alloc,
436 eckey_rs_free,
437#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]438 eckey_debug,
439};
440
441/*
442 * EC key restricted to ECDH
443 */
444static int eckeydh_can_do( mbedtls_pk_type_t type )
445{
446 return( type == MBEDTLS_PK_ECKEY ||
447 type == MBEDTLS_PK_ECKEY_DH );
448}
449
450const mbedtls_pk_info_t mbedtls_eckeydh_info = {
451 MBEDTLS_PK_ECKEY_DH,
452 "EC_DH",
453 eckey_get_bitlen, /* Same underlying key structure */
454 eckeydh_can_do,
455 NULL,
456 NULL,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]457#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
458 NULL,
459 NULL,
460#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]461 NULL,
462 NULL,
463 eckey_check_pair,
464 eckey_alloc_wrap, /* Same underlying key structure */
465 eckey_free_wrap, /* Same underlying key structure */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]466#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
467 NULL,
468 NULL,
469#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]470 eckey_debug, /* Same underlying key structure */
471};
472#endif /* MBEDTLS_ECP_C */
473
474#if defined(MBEDTLS_ECDSA_C)
475static int ecdsa_can_do( mbedtls_pk_type_t type )
476{
477 return( type == MBEDTLS_PK_ECDSA );
478}
479
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]480#if defined(MBEDTLS_USE_PSA_CRYPTO)
481/*
482 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
483 * those integers and convert it to the fixed-length encoding expected by PSA.
484 */
485static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end,
486 unsigned char *to, size_t to_len )
487{
488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
489 size_t unpadded_len, padding_len;
490
491 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len,
492 MBEDTLS_ASN1_INTEGER ) ) != 0 )
493 {
494 return( ret );
495 }
496
497 while( unpadded_len > 0 && **from == 0x00 )
498 {
499 ( *from )++;
500 unpadded_len--;
501 }
502
503 if( unpadded_len > to_len || unpadded_len == 0 )
504 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
505
506 padding_len = to_len - unpadded_len;
507 memset( to, 0x00, padding_len );
508 memcpy( to + padding_len, *from, unpadded_len );
509 ( *from ) += unpadded_len;
510
511 return( 0 );
512}
513
514/*
515 * Convert a signature from an ASN.1 sequence of two integers
516 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
517 * twice as big as int_size.
518 */
519static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end,
520 unsigned char *sig, size_t int_size )
521{
522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
523 size_t tmp_size;
524
525 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size,
526 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
527 return( ret );
528
529 /* Extract r */
530 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 )
531 return( ret );
532 /* Extract s */
533 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 )
534 return( ret );
535
536 return( 0 );
537}
538
539static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
540 const unsigned char *hash, size_t hash_len,
541 const unsigned char *sig, size_t sig_len )
542{
543 mbedtls_ecdsa_context *ctx = ctx_arg;
544 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
545 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]546 psa_key_id_t key_id = 0;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]547 psa_status_t status;
548 mbedtls_pk_context key;
549 int key_len;
550 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */
551 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
552 unsigned char *p;
553 mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]554 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]555 size_t curve_bits;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]556 psa_ecc_family_t curve =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]557 mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits );
558 const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8;
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]559 ((void) md_alg);
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]560
561 if( curve == 0 )
562 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
563
564 /* mbedtls_pk_write_pubkey() expects a full PK context;
565 * re-construct one to make it happy */
566 key.pk_info = &pk_info;
567 key.pk_ctx = ctx;
568 p = buf + sizeof( buf );
569 key_len = mbedtls_pk_write_pubkey( &p, buf, &key );
570 if( key_len <= 0 )
571 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
572
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]573 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) );
574 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
575 psa_set_key_algorithm( &attributes, psa_sig_md );
576
577 status = psa_import_key( &attributes,
578 buf + sizeof( buf ) - key_len, key_len,
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]579 &key_id );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]580 if( status != PSA_SUCCESS )
581 {
582 ret = mbedtls_psa_err_translate_pk( status );
583 goto cleanup;
584 }
585
586 /* We don't need the exported key anymore and can
587 * reuse its buffer for signature extraction. */
588 if( 2 * signature_part_size > sizeof( buf ) )
589 {
590 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
591 goto cleanup;
592 }
593
594 p = (unsigned char*) sig;
595 if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf,
596 signature_part_size ) ) != 0 )
597 {
598 goto cleanup;
599 }
600
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]601 if( psa_verify_hash( key_id, psa_sig_md,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]602 hash, hash_len,
603 buf, 2 * signature_part_size )
604 != PSA_SUCCESS )
605 {
606 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
607 goto cleanup;
608 }
609
610 if( p != sig + sig_len )
611 {
612 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
613 goto cleanup;
614 }
615 ret = 0;
616
617cleanup:
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]618 psa_destroy_key( key_id );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]619 return( ret );
620}
621#else /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]622static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
623 const unsigned char *hash, size_t hash_len,
624 const unsigned char *sig, size_t sig_len )
625{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]626 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]627 ((void) md_alg);
628
629 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
630 hash, hash_len, sig, sig_len );
631
632 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
633 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
634
635 return( ret );
636}
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]637#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]638
639static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
640 const unsigned char *hash, size_t hash_len,
641 unsigned char *sig, size_t *sig_len,
642 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
643{
644 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
645 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
646}
647
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]648#if defined(MBEDTLS_ECP_RESTARTABLE)
649static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
650 const unsigned char *hash, size_t hash_len,
651 const unsigned char *sig, size_t sig_len,
652 void *rs_ctx )
653{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]655 ((void) md_alg);
656
657 ret = mbedtls_ecdsa_read_signature_restartable(
658 (mbedtls_ecdsa_context *) ctx,
659 hash, hash_len, sig, sig_len,
660 (mbedtls_ecdsa_restart_ctx *) rs_ctx );
661
662 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
663 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
664
665 return( ret );
666}
667
668static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
669 const unsigned char *hash, size_t hash_len,
670 unsigned char *sig, size_t *sig_len,
671 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
672 void *rs_ctx )
673{
674 return( mbedtls_ecdsa_write_signature_restartable(
675 (mbedtls_ecdsa_context *) ctx,
676 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
677 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
678
679}
680#endif /* MBEDTLS_ECP_RESTARTABLE */
681
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]682static void *ecdsa_alloc_wrap( void )
683{
684 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
685
686 if( ctx != NULL )
687 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
688
689 return( ctx );
690}
691
692static void ecdsa_free_wrap( void *ctx )
693{
694 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
695 mbedtls_free( ctx );
696}
697
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]698#if defined(MBEDTLS_ECP_RESTARTABLE)
699static void *ecdsa_rs_alloc( void )
700{
701 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
702
703 if( ctx != NULL )
704 mbedtls_ecdsa_restart_init( ctx );
705
706 return( ctx );
707}
708
709static void ecdsa_rs_free( void *ctx )
710{
711 mbedtls_ecdsa_restart_free( ctx );
712 mbedtls_free( ctx );
713}
714#endif /* MBEDTLS_ECP_RESTARTABLE */
715
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]716const mbedtls_pk_info_t mbedtls_ecdsa_info = {
717 MBEDTLS_PK_ECDSA,
718 "ECDSA",
719 eckey_get_bitlen, /* Compatible key structures */
720 ecdsa_can_do,
721 ecdsa_verify_wrap,
722 ecdsa_sign_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]723#if defined(MBEDTLS_ECP_RESTARTABLE)
724 ecdsa_verify_rs_wrap,
725 ecdsa_sign_rs_wrap,
726#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]727 NULL,
728 NULL,
729 eckey_check_pair, /* Compatible key structures */
730 ecdsa_alloc_wrap,
731 ecdsa_free_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]732#if defined(MBEDTLS_ECP_RESTARTABLE)
733 ecdsa_rs_alloc,
734 ecdsa_rs_free,
735#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]736 eckey_debug, /* Compatible key structures */
737};
738#endif /* MBEDTLS_ECDSA_C */
739
740#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
741/*
742 * Support for alternative RSA-private implementations
743 */
744
745static int rsa_alt_can_do( mbedtls_pk_type_t type )
746{
747 return( type == MBEDTLS_PK_RSA );
748}
749
750static size_t rsa_alt_get_bitlen( const void *ctx )
751{
752 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
753
754 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
755}
756
757static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
758 const unsigned char *hash, size_t hash_len,
759 unsigned char *sig, size_t *sig_len,
760 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
761{
762 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
763
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]764#if SIZE_MAX > UINT_MAX
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]765 if( UINT_MAX < hash_len )
766 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]767#endif /* SIZE_MAX > UINT_MAX */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]768
769 *sig_len = rsa_alt->key_len_func( rsa_alt->key );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]770 if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
771 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]772
773 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
774 md_alg, (unsigned int) hash_len, hash, sig ) );
775}
776
777static int rsa_alt_decrypt_wrap( void *ctx,
778 const unsigned char *input, size_t ilen,
779 unsigned char *output, size_t *olen, size_t osize,
780 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
781{
782 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
783
784 ((void) f_rng);
785 ((void) p_rng);
786
787 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
788 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
789
790 return( rsa_alt->decrypt_func( rsa_alt->key,
791 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
792}
793
794#if defined(MBEDTLS_RSA_C)
795static int rsa_alt_check_pair( const void *pub, const void *prv )
796{
797 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
798 unsigned char hash[32];
799 size_t sig_len = 0;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]800 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]801
802 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
803 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
804
805 memset( hash, 0x2a, sizeof( hash ) );
806
807 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
808 hash, sizeof( hash ),
809 sig, &sig_len, NULL, NULL ) ) != 0 )
810 {
811 return( ret );
812 }
813
814 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
815 hash, sizeof( hash ), sig, sig_len ) != 0 )
816 {
817 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
818 }
819
820 return( 0 );
821}
822#endif /* MBEDTLS_RSA_C */
823
824static void *rsa_alt_alloc_wrap( void )
825{
826 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
827
828 if( ctx != NULL )
829 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
830
831 return( ctx );
832}
833
834static void rsa_alt_free_wrap( void *ctx )
835{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]836 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]837 mbedtls_free( ctx );
838}
839
840const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
841 MBEDTLS_PK_RSA_ALT,
842 "RSA-alt",
843 rsa_alt_get_bitlen,
844 rsa_alt_can_do,
845 NULL,
846 rsa_alt_sign_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]847#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
848 NULL,
849 NULL,
850#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]851 rsa_alt_decrypt_wrap,
852 NULL,
853#if defined(MBEDTLS_RSA_C)
854 rsa_alt_check_pair,
855#else
856 NULL,
857#endif
858 rsa_alt_alloc_wrap,
859 rsa_alt_free_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]860#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
861 NULL,
862 NULL,
863#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]864 NULL,
865};
866
867#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
868
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]869#if defined(MBEDTLS_USE_PSA_CRYPTO)
870
871static void *pk_opaque_alloc_wrap( void )
872{
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]873 void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]874
875 /* no _init() function to call, an calloc() already zeroized */
876
877 return( ctx );
878}
879
880static void pk_opaque_free_wrap( void *ctx )
881{
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]882 mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]883 mbedtls_free( ctx );
884}
885
886static size_t pk_opaque_get_bitlen( const void *ctx )
887{
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]888 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]889 size_t bits;
890 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
891
892 if( PSA_SUCCESS != psa_get_key_attributes( *key, &attributes ) )
893 return( 0 );
894
895 bits = psa_get_key_bits( &attributes );
896 psa_reset_key_attributes( &attributes );
897 return( bits );
898}
899
900static int pk_opaque_can_do( mbedtls_pk_type_t type )
901{
902 /* For now opaque PSA keys can only wrap ECC keypairs,
903 * as checked by setup_psa().
904 * Also, ECKEY_DH does not really make sense with the current API. */
905 return( type == MBEDTLS_PK_ECKEY ||
906 type == MBEDTLS_PK_ECDSA );
907}
908
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]909#if defined(MBEDTLS_ECDSA_C)
910
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]911/*
912 * Simultaneously convert and move raw MPI from the beginning of a buffer
913 * to an ASN.1 MPI at the end of the buffer.
914 * See also mbedtls_asn1_write_mpi().
915 *
916 * p: pointer to the end of the output buffer
917 * start: start of the output buffer, and also of the mpi to write at the end
918 * n_len: length of the mpi to read from start
919 */
920static int asn1_write_mpibuf( unsigned char **p, unsigned char *start,
921 size_t n_len )
922{
923 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
924 size_t len = 0;
925
926 if( (size_t)( *p - start ) < n_len )
927 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
928
929 len = n_len;
930 *p -= len;
931 memmove( *p, start, len );
932
933 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
934 * Neither r nor s should be 0, but as a failsafe measure, still detect
935 * that rather than overflowing the buffer in case of a PSA error. */
936 while( len > 0 && **p == 0x00 )
937 {
938 ++(*p);
939 --len;
940 }
941
942 /* this is only reached if the signature was invalid */
943 if( len == 0 )
944 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
945
946 /* if the msb is 1, ASN.1 requires that we prepend a 0.
947 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
948 if( **p & 0x80 )
949 {
950 if( *p - start < 1 )
951 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
952
953 *--(*p) = 0x00;
954 len += 1;
955 }
956
957 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
958 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
959 MBEDTLS_ASN1_INTEGER ) );
960
961 return( (int) len );
962}
963
964/* Transcode signature from PSA format to ASN.1 sequence.
965 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
966 * MPIs, and in-place.
967 *
968 * [in/out] sig: the signature pre- and post-transcoding
969 * [in/out] sig_len: signature length pre- and post-transcoding
970 * [int] buf_len: the available size the in/out buffer
971 */
972static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len,
973 size_t buf_len )
974{
975 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
976 size_t len = 0;
977 const size_t rs_len = *sig_len / 2;
978 unsigned char *p = sig + buf_len;
979
980 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) );
981 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) );
982
983 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) );
984 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig,
985 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
986
987 memmove( sig, p, len );
988 *sig_len = len;
989
990 return( 0 );
991}
992
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]993#endif /* MBEDTLS_ECDSA_C */
994
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]995static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
996 const unsigned char *hash, size_t hash_len,
997 unsigned char *sig, size_t *sig_len,
998 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
999{
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1000#if !defined(MBEDTLS_ECDSA_C)
1001 ((void) ctx);
1002 ((void) md_alg);
1003 ((void) hash);
1004 ((void) hash_len);
1005 ((void) sig);
1006 ((void) sig_len);
1007 ((void) f_rng);
1008 ((void) p_rng);
1009 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1010#else /* !MBEDTLS_ECDSA_C */
1011 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1012 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1013 psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
1014 size_t buf_len;
1015 psa_status_t status;
1016
1017 /* PSA has its own RNG */
1018 (void) f_rng;
1019 (void) p_rng;
1020
1021 /* PSA needs an output buffer of known size, but our API doesn't provide
1022 * that information. Assume that the buffer is large enough for a
1023 * maximal-length signature with that key (otherwise the application is
1024 * buggy anyway). */
1025 status = psa_get_key_attributes( *key, &attributes );
1026 if( status != PSA_SUCCESS )
1027 return( mbedtls_psa_err_translate_pk( status ) );
1028 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN( psa_get_key_bits( &attributes ) );
1029 psa_reset_key_attributes( &attributes );
1030 if( buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
1031 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1032
1033 /* make the signature */
1034 status = psa_sign_hash( *key, alg, hash, hash_len,
1035 sig, buf_len, sig_len );
1036 if( status != PSA_SUCCESS )
1037 return( mbedtls_psa_err_translate_pk( status ) );
1038
1039 /* transcode it to ASN.1 sequence */
1040 return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) );
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1041#endif /* !MBEDTLS_ECDSA_C */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1042}
1043
1044const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
1045 MBEDTLS_PK_OPAQUE,
1046 "Opaque",
1047 pk_opaque_get_bitlen,
1048 pk_opaque_can_do,
1049 NULL, /* verify - will be done later */
1050 pk_opaque_sign_wrap,
1051#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1052 NULL, /* restartable verify - not relevant */
1053 NULL, /* restartable sign - not relevant */
1054#endif
1055 NULL, /* decrypt - will be done later */
1056 NULL, /* encrypt - will be done later */
1057 NULL, /* check_pair - could be done later or left NULL */
1058 pk_opaque_alloc_wrap,
1059 pk_opaque_free_wrap,
1060#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1061 NULL, /* restart alloc - not relevant */
1062 NULL, /* restart free - not relevant */
1063#endif
1064 NULL, /* debug - could be done later, or even left NULL */
1065};
1066
1067#endif /* MBEDTLS_USE_PSA_CRYPTO */
1068
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1069#endif /* MBEDTLS_PK_C */