Separate sign/verify message and hash operations

Previous versions of mbedtls didn't distinguish between
asymmetric sign and verify operations on a hash or message.
They are now treated as separate operations from a usage
control perspective. This change makes the corresponding
hash/message separation in client and service provider
components.

Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: I134286d66c3943090055171adfdf16270f395aa3
diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
index 2a5e5b9..ccb0714 100644
--- a/components/service/crypto/client/cpp/crypto_client.h
+++ b/components/service/crypto/client/cpp/crypto_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -57,7 +57,7 @@
 		psa_key_id_t id,
 		uint8_t *data, size_t data_size, size_t *data_length) = 0;
 
-	/* Sign/verify methods */
+	/* Sign/verify hash methods */
 	virtual psa_status_t sign_hash(
 		psa_key_id_t id,
 		psa_algorithm_t alg,
@@ -70,6 +70,19 @@
 		const uint8_t *hash, size_t hash_length,
 		const uint8_t *signature, size_t signature_length) = 0;
 
+	/* Sign/verify message methods */
+	virtual psa_status_t sign_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length) = 0;
+
+	virtual psa_status_t verify_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		const uint8_t *signature, size_t signature_length) = 0;
+
 	/* Asymmetric encrypt/decrypt */
 	virtual psa_status_t asymmetric_encrypt(
 		psa_key_id_t id,
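Review bot: The new `sign_message`/`verify_message` pure virtuals have no comment saying how they differ from the hash variants, although that distinction is the whole point of the split. I would expand the section comment to something like `/* Sign/verify message methods: take the whole message, not a precomputed digest; the key must permit PSA_KEY_USAGE_SIGN_MESSAGE / PSA_KEY_USAGE_VERIFY_MESSAGE */`, and note on the hash section that it needs the `*_HASH` usage flags. Because both methods are pure virtual, any `crypto_client` subclass other than the packed-c and protobuf clients updated in this commit will stop compiling until it implements them, so it is worth confirming there are none.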
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
index 4d9d8f4..4e10f9b 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -107,6 +107,26 @@
 		signature, signature_length);
 }
 
+psa_status_t packedc_crypto_client::sign_message(
+	psa_key_id_t id, psa_algorithm_t alg,
+	const uint8_t *message, size_t message_length,
+	uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return crypto_caller_sign_message(&m_client, id, alg,
+		message, message_length,
+		signature, signature_size, signature_length);
+}
+
+psa_status_t packedc_crypto_client::verify_message(
+	psa_key_id_t id, psa_algorithm_t alg,
+	const uint8_t *message, size_t message_length,
+	const uint8_t *signature, size_t signature_length)
+{
+	return crypto_caller_verify_message(&m_client, id, alg,
+		message, message_length,
+		signature, signature_length);
+}
+
 psa_status_t packedc_crypto_client::asymmetric_encrypt(
 	psa_key_id_t id, psa_algorithm_t alg,
 	const uint8_t *input, size_t input_length,
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
index 377b51d..d74ba60 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -54,7 +54,7 @@
 		psa_key_id_t id,
 		uint8_t *data, size_t data_size, size_t *data_length);
 
-	/* Sign/verify methods */
+	/* Sign/verify hash methods */
 	psa_status_t sign_hash(
 		psa_key_id_t id,
 		psa_algorithm_t alg,
@@ -67,6 +67,19 @@
 		const uint8_t *hash, size_t hash_length,
 		const uint8_t *signature, size_t signature_length);
 
+	/* Sign/verify message methods */
+	psa_status_t sign_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+	psa_status_t verify_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		const uint8_t *signature, size_t signature_length);
+
 	/* Asymmetric encrypt/decrypt */
 	psa_status_t asymmetric_encrypt(
 		psa_key_id_t id,
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
index 9712ca0..845c9fa 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
@@ -387,6 +387,25 @@
 							const uint8_t *hash, size_t hash_length,
 							uint8_t *signature, size_t signature_size, size_t *signature_length)
 {
+	return asym_sign(ts_crypto_Opcode_SIGN_HASH, id, alg,
+				hash, hash_length,
+				signature, signature_size, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::sign_message(psa_key_id_t id, psa_algorithm_t alg,
+							const uint8_t *message, size_t message_length,
+							uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return asym_sign(ts_crypto_Opcode_SIGN_MESSAGE, id, alg,
+				message, message_length,
+				signature, signature_size, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::asym_sign(uint32_t opcode,
+							psa_key_id_t id, psa_algorithm_t alg,
+							const uint8_t *hash, size_t hash_length,
+							uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
 	size_t req_len;
 	pb_bytes_array_t *hash_byte_array =
 		pb_malloc_byte_array_containing_bytes(hash, hash_length);
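Review bot: `asym_sign` keeps the parameter names `hash`/`hash_length` although it now also carries the full message for `ts_crypto_Opcode_SIGN_MESSAGE`; renaming them to `input`/`input_length` (here and in `asym_verify` further down) would stop a reader assuming the buffer is digest-sized. That matters because `pb_malloc_byte_array_containing_bytes(hash, hash_length)` now copies a caller-supplied message of arbitrary length onto the heap, where previously the length was in practice bounded by the hash size. The rest of the body lies outside this hunk, so I cannot see whether a failed allocation, or a message larger than the RPC request buffer, is reported as an error; please confirm both paths return a PSA error status rather than sending a truncated or empty request.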
@@ -416,7 +435,7 @@
 			pb_encode(&ostream, ts_crypto_SignHashIn_fields, &req_msg);
 
 			m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle,
-						ts_crypto_Opcode_SIGN_HASH, &opstatus, &resp_buf, &resp_len);
+						opcode, &opstatus, &resp_buf, &resp_len);
 
 			if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) {
 
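Review bot: The request is still serialized with `ts_crypto_SignHashIn_fields` even when `opcode` is `ts_crypto_Opcode_SIGN_MESSAGE`, so the message travels in the hash request's field layout; the same applies to `ts_crypto_VerifyHashIn_fields` in the last hunk of this file. This is only correct if the provider's SIGN_MESSAGE/VERIFY_MESSAGE handlers decode with the identical layout, which is not visible in this client-side change. If the reuse is deliberate, a comment at the `pb_encode` call would record it, e.g. `/* SignHashIn layout is shared by SIGN_HASH and SIGN_MESSAGE requests */`; otherwise the fields descriptor should be chosen from the opcode. The enclosing `asym_sign` body starts and ends outside this hunk.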
@@ -462,11 +481,29 @@
 	return psa_status;
 }
 
-
 psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_t alg,
 						const uint8_t *hash, size_t hash_length,
 						const uint8_t *signature, size_t signature_length)
 {
+	return asym_verify(ts_crypto_Opcode_VERIFY_HASH, id, alg,
+				hash, hash_length,
+				signature, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::verify_message(psa_key_id_t id, psa_algorithm_t alg,
+						const uint8_t *message, size_t message_length,
+						const uint8_t *signature, size_t signature_length)
+{
+	return asym_verify(ts_crypto_Opcode_VERIFY_MESSAGE, id, alg,
+				message, message_length,
+				signature, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::asym_verify(uint32_t opcode,
+						psa_key_id_t id, psa_algorithm_t alg,
+						const uint8_t *hash, size_t hash_length,
+						const uint8_t *signature, size_t signature_length)
+{
 	size_t req_len;
 	pb_bytes_array_t *hash_byte_array =
 		pb_malloc_byte_array_containing_bytes(hash, hash_length);
@@ -497,7 +534,7 @@
 			pb_encode(&ostream, ts_crypto_VerifyHashIn_fields, &req_msg);
 
 			m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle,
-						ts_crypto_Opcode_VERIFY_HASH, &opstatus, &resp_buf, &resp_len);
+						opcode, &opstatus, &resp_buf, &resp_len);
 
 			if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
 
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
index 085d9cf..abe4439 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -54,7 +54,7 @@
 		psa_key_id_t id,
 		uint8_t *data, size_t data_size, size_t *data_length);
 
-	/* Sign/verify methods */
+	/* Sign/verify hash methods */
 	psa_status_t sign_hash(
 		psa_key_id_t id,
 		psa_algorithm_t alg,
@@ -67,6 +67,19 @@
 		const uint8_t *hash, size_t hash_length,
 		const uint8_t *signature, size_t signature_length);
 
+	/* Sign/verify message methods */
+	psa_status_t sign_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+	psa_status_t verify_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		const uint8_t *signature, size_t signature_length);
+
 	/* Asymmetric encrypt/decrypt */
 	psa_status_t asymmetric_encrypt(
 		psa_key_id_t id,
@@ -221,6 +234,16 @@
 
 private:
 
+	psa_status_t asym_sign(uint32_t opcode,
+		psa_key_id_t id, psa_algorithm_t alg,
+		const uint8_t *hash, size_t hash_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+	psa_status_t asym_verify(uint32_t opcode,
+		psa_key_id_t id, psa_algorithm_t alg,
+		const uint8_t *hash, size_t hash_length,
+		const uint8_t *signature, size_t signature_length);
+
 	void translate_key_attributes(
 		ts_crypto_KeyAttributes &proto_attributes,
 		const psa_key_attributes_t &psa_attributes);