Add a minimum rsa key size config to psa config
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index dcd28e9..49e218c 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1336,15 +1336,6 @@
//#define MBEDTLS_RSA_NO_CRT
/**
- * \def MBEDTLS_RSA_MIN_KEY_SIZE
- *
- * Minimum RSA key size allowed in bits.
- *
- * Minimum possible value is 128 bits.
- */
-#define MBEDTLS_RSA_MIN_KEY_SIZE 1024
-
-/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
@@ -3700,6 +3691,9 @@
//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
+/* RSA OPTIONS */
+//#define MBEDTLS_RSA_MIN_KEY_SIZE 1024 /**< Minimum RSA key size allowed in bits (Minimum possible value is 128 bits)*/
+
/* Entropy options */
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 3d57aa2..8045e6b 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -85,6 +85,10 @@
// Regular implementation
//
+#if !defined(MBEDTLS_RSA_MIN_KEY_SIZE)
+#define MBEDTLS_RSA_MIN_KEY_SIZE 1024
+#endif
+
/**
* \brief The RSA context structure.
*/
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 8cc965b..fd0eeb9 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -208,6 +208,18 @@
* operations, and does not need to accept all key sizes up to the limit. */
#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
+/* The minimum size of an RSA key on this implementation, in bits.
+ * This is a vendor-specific macro.
+ *
+ * Limits RSA key generation to a minimum due to security reasons.
+ * This value cannot be less than 128 bits.
+ */
+#if defined(MBEDTLS_RSA_MIN_KEY_SIZE)
+#define PSA_VENDOR_RSA_MIN_KEY_BITS MBEDTLS_RSA_MIN_KEY_SIZE
+#else
+#define PSA_VENDOR_RSA_MIN_KEY_BITS 1024
+#endif
+
/* The maximum size of an DH key on this implementation, in bits.
*
* Note that an implementation may set different size limits for different
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c890e12..4e1f41b 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -7374,6 +7374,9 @@
if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
return PSA_ERROR_NOT_SUPPORTED;
}
+ if (bits < PSA_VENDOR_RSA_MIN_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
/* Accept only byte-aligned keys, for the same reasons as
* in psa_import_rsa_key(). */
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index 3df82f5..f9b6685 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -385,13 +385,12 @@
RSA Public (Data = 0)
mbedtls_rsa_public:"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":2048:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":"3":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":0
-RSA Generate Key - 128bit key
-depends_on:MBEDTLS_RSA_MIN_KEY_SIZE == 128
-mbedtls_rsa_gen_key:128:3:0
+RSA Generate Key (Minimum size key)
+mbedtls_rsa_gen_key:MBEDTLS_RSA_MIN_KEY_SIZE:3:0
-RSA Generate Key - 128bit key (Less than minimum size)
-depends_on:MBEDTLS_RSA_MIN_KEY_SIZE > 128
-mbedtls_rsa_gen_key:128:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+RSA Generate Key (Key less than minimum size)
+depends_on:MBEDTLS_RSA_MIN_KEY_SIZE > 130
+mbedtls_rsa_gen_key:MBEDTLS_RSA_MIN_KEY_SIZE-2:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSA Generate Key (Number of bits too small)
mbedtls_rsa_gen_key:127:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
@@ -407,9 +406,9 @@
depends_on:MBEDTLS_RSA_MIN_KEY_SIZE <= 2048
mbedtls_rsa_gen_key:2048:3:0
-RSA Generate Key - 1025 bit key
+RSA Generate Key (Odd sized key)
# mbedtls_rsa_gen_key only supports even-sized keys
-mbedtls_rsa_gen_key:1025:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+mbedtls_rsa_gen_key:MBEDTLS_RSA_MIN_KEY_SIZE+1:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
RSA Validate Params, toy example
mbedtls_rsa_validate_params:"f":"3":"5":"3":"3":0:0