pk: use CRYPTO_CLIENT as guard for PK-PSA bridge functions instead of CRYPTO_C
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index d2e8674..fde302f 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -390,77 +390,6 @@
const mbedtls_svc_key_id_t key);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-/**
- * \brief Create a PK context starting from a key stored in PSA.
- * This key:
- * - must be exportable and
- * - must be an RSA or EC key pair or public key (FFDH is not supported in PK).
- *
- * The resulting PK object will be a transparent type:
- * - #MBEDTLS_PK_RSA for RSA keys or
- * - #MBEDTLS_PK_ECKEY for EC keys.
- *
- * Once this functions returns the PK object will be completely
- * independent from the original PSA key that it was generated
- * from.
- * Calling mbedtls_pk_sign(), mbedtls_pk_verify(),
- * mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting
- * PK context will perform the corresponding algorithm for that
- * PK context type.
- * * For ECDSA, the choice of deterministic vs randomized will
- * be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC.
- * * For an RSA key, the output PK context will allow both
- * encrypt/decrypt and sign/verify regardless of the original
- * key's policy.
- * The original key's policy determines the output key's padding
- * mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
- * otherwise PKCS1 v1.5 is set.
- *
- * \param key_id The key identifier of the key stored in PSA.
- * \param pk The PK context that will be filled. It must be initialized,
- * but not set up.
- *
- * \return 0 on success.
- * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
- * parameters are not correct.
- */
-int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
-
-/**
- * \brief Create a PK context for the public key of a PSA key.
- *
- * The key must be an RSA or ECC key. It can be either a
- * public key or a key pair, and only the public key is copied.
- * The resulting PK object will be a transparent type:
- * - #MBEDTLS_PK_RSA for RSA keys or
- * - #MBEDTLS_PK_ECKEY for EC keys.
- *
- * Once this functions returns the PK object will be completely
- * independent from the original PSA key that it was generated
- * from.
- * Calling mbedtls_pk_verify() or
- * mbedtls_pk_encrypt() on the resulting
- * PK context will perform the corresponding algorithm for that
- * PK context type.
- *
- * For an RSA key, the output PK context will allow both
- * encrypt and verify regardless of the original key's policy.
- * The original key's policy determines the output key's padding
- * mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
- * otherwise PKCS1 v1.5 is set.
- *
- * \param key_id The key identifier of the key stored in PSA.
- * \param pk The PK context that will be filled. It must be initialized,
- * but not set up.
- *
- * \return 0 on success.
- * \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
- * parameters are not correct.
- */
-int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/**
* \brief Initialize an RSA-alt context
@@ -529,7 +458,7 @@
* PSA_ALG_RSA_PKCS1V15_CRYPT,
* PSA_ALG_ECDSA(hash),
* PSA_ALG_ECDH, where hash is a specific hash.
- * \param usage PSA usage flag to check against, must be composed of:
+ * \param usage PSA usage flag to check against, must be composed of:
* PSA_KEY_USAGE_SIGN_HASH
* PSA_KEY_USAGE_DECRYPT
* PSA_KEY_USAGE_DERIVE.
@@ -550,7 +479,7 @@
psa_key_usage_t usage);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
/**
* \brief Determine valid PSA attributes that can be used to
* import a key into PSA.
@@ -710,7 +639,76 @@
int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
const psa_key_attributes_t *attributes,
mbedtls_svc_key_id_t *key_id);
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+/**
+ * \brief Create a PK context starting from a key stored in PSA.
+ * This key:
+ * - must be exportable and
+ * - must be an RSA or EC key pair or public key (FFDH is not supported in PK).
+ *
+ * The resulting PK object will be a transparent type:
+ * - #MBEDTLS_PK_RSA for RSA keys or
+ * - #MBEDTLS_PK_ECKEY for EC keys.
+ *
+ * Once this functions returns the PK object will be completely
+ * independent from the original PSA key that it was generated
+ * from.
+ * Calling mbedtls_pk_sign(), mbedtls_pk_verify(),
+ * mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting
+ * PK context will perform the corresponding algorithm for that
+ * PK context type.
+ * * For ECDSA, the choice of deterministic vs randomized will
+ * be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC.
+ * * For an RSA key, the output PK context will allow both
+ * encrypt/decrypt and sign/verify regardless of the original
+ * key's policy.
+ * The original key's policy determines the output key's padding
+ * mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
+ * otherwise PKCS1 v1.5 is set.
+ *
+ * \param key_id The key identifier of the key stored in PSA.
+ * \param pk The PK context that will be filled. It must be initialized,
+ * but not set up.
+ *
+ * \return 0 on success.
+ * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
+ * parameters are not correct.
+ */
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
+
+/**
+ * \brief Create a PK context for the public key of a PSA key.
+ *
+ * The key must be an RSA or ECC key. It can be either a
+ * public key or a key pair, and only the public key is copied.
+ * The resulting PK object will be a transparent type:
+ * - #MBEDTLS_PK_RSA for RSA keys or
+ * - #MBEDTLS_PK_ECKEY for EC keys.
+ *
+ * Once this functions returns the PK object will be completely
+ * independent from the original PSA key that it was generated
+ * from.
+ * Calling mbedtls_pk_verify() or
+ * mbedtls_pk_encrypt() on the resulting
+ * PK context will perform the corresponding algorithm for that
+ * PK context type.
+ *
+ * For an RSA key, the output PK context will allow both
+ * encrypt and verify regardless of the original key's policy.
+ * The original key's policy determines the output key's padding
+ * mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
+ * otherwise PKCS1 v1.5 is set.
+ *
+ * \param key_id The key identifier of the key stored in PSA.
+ * \param pk The PK context that will be filled. It must be initialized,
+ * but not set up.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
+ * parameters are not correct.
+ */
+int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
/**
* \brief Verify signature (including padding if relevant).
diff --git a/library/pk.c b/library/pk.c
index 1d85c92..ccc2eac 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -380,7 +380,7 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#if defined(MBEDTLS_RSA_C)
static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa,
int want_crypt)
@@ -577,7 +577,14 @@
}
psa_set_key_usage_flags(attributes, more_usage);
+ /* Key's enrollment is available only when an Mbed TLS implementation of PSA
+ * Crypto is being used, i.e. when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Even though we don't officially support using other implementations of PSA
+ * Crypto with TLS and X.509 (yet), we try to keep vendor's customizations
+ * separated. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE);
+#endif
return 0;
}
@@ -854,7 +861,136 @@
return import_pair_into_psa(pk, attributes, key_id);
}
}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+static int copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk,
+ int public_only)
+{
+ psa_status_t status;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
+ psa_algorithm_t alg_type;
+ size_t key_bits;
+ /* Use a buffer size large enough to contain either a key pair or public key. */
+ unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE];
+ size_t exp_key_len;
+ int ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+
+ if (pk == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ status = psa_get_key_attributes(key_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (public_only) {
+ status = psa_export_public_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
+ } else {
+ status = psa_export_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
+ }
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ key_type = psa_get_key_type(&key_attr);
+ if (public_only) {
+ key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type);
+ }
+ key_bits = psa_get_key_bits(&key_attr);
+ alg_type = psa_get_key_algorithm(&key_attr);
+
+#if defined(MBEDTLS_RSA_C)
+ if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) ||
+ (key_type == PSA_KEY_TYPE_RSA_PUBLIC_KEY)) {
+
+ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
+ } else {
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
+ if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) {
+ md_type = mbedtls_md_type_from_psa_alg(alg_type);
+ }
+
+ if (PSA_ALG_IS_RSA_OAEP(alg_type) || PSA_ALG_IS_RSA_PSS(alg_type)) {
+ ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V21, md_type);
+ } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg_type) ||
+ alg_type == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V15, md_type);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ||
+ PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type)) {
+ mbedtls_ecp_group_id grp_id;
+
+ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
+ if (ret != 0) {
+ goto exit;
+ }
+
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type), key_bits);
+ ret = mbedtls_pk_ecc_set_group(pk, grp_id);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
+ ret = mbedtls_pk_ecc_set_key(pk, exp_key, exp_key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, exp_key, exp_key_len,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ } else {
+ ret = mbedtls_pk_ecc_set_pubkey(pk, exp_key, exp_key_len);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+exit:
+ psa_reset_key_attributes(&key_attr);
+ mbedtls_platform_zeroize(exp_key, sizeof(exp_key));
+
+ return ret;
+}
+
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk)
+{
+ return copy_from_psa(key_id, pk, 0);
+}
+
+int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk)
+{
+ return copy_from_psa(key_id, pk, 1);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
/*
* Helper for mbedtls_pk_sign and mbedtls_pk_verify
@@ -1378,136 +1514,4 @@
return ctx->pk_info->type;
}
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-static int copy_from_psa(mbedtls_svc_key_id_t key_id,
- mbedtls_pk_context *pk,
- int public_only)
-{
- psa_status_t status;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t key_type;
- psa_algorithm_t alg_type;
- size_t key_bits;
- /* Use a buffer size large enough to contain either a key pair or public key. */
- unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE];
- size_t exp_key_len;
- int ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
-
- if (pk == NULL) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- status = psa_get_key_attributes(key_id, &key_attr);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- if (public_only) {
- status = psa_export_public_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
- } else {
- status = psa_export_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
- }
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
- goto exit;
- }
-
- key_type = psa_get_key_type(&key_attr);
- if (public_only) {
- key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type);
- }
- key_bits = psa_get_key_bits(&key_attr);
- alg_type = psa_get_key_algorithm(&key_attr);
-
-#if defined(MBEDTLS_RSA_C)
- if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) ||
- (key_type == PSA_KEY_TYPE_RSA_PUBLIC_KEY)) {
-
- ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
- if (ret != 0) {
- goto exit;
- }
-
- if (key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
- ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
- } else {
- ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
- }
- if (ret != 0) {
- goto exit;
- }
-
- mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
- if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) {
- md_type = mbedtls_md_type_from_psa_alg(alg_type);
- }
-
- if (PSA_ALG_IS_RSA_OAEP(alg_type) || PSA_ALG_IS_RSA_PSS(alg_type)) {
- ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V21, md_type);
- } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg_type) ||
- alg_type == PSA_ALG_RSA_PKCS1V15_CRYPT) {
- ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V15, md_type);
- }
- if (ret != 0) {
- goto exit;
- }
- } else
-#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ||
- PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type)) {
- mbedtls_ecp_group_id grp_id;
-
- ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
- if (ret != 0) {
- goto exit;
- }
-
- grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type), key_bits);
- ret = mbedtls_pk_ecc_set_group(pk, grp_id);
- if (ret != 0) {
- goto exit;
- }
-
- if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
- ret = mbedtls_pk_ecc_set_key(pk, exp_key, exp_key_len);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, exp_key, exp_key_len,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
- } else {
- ret = mbedtls_pk_ecc_set_pubkey(pk, exp_key, exp_key_len);
- }
- if (ret != 0) {
- goto exit;
- }
- } else
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
- {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
-exit:
- psa_reset_key_attributes(&key_attr);
- mbedtls_platform_zeroize(exp_key, sizeof(exp_key));
-
- return ret;
-}
-
-
-int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
- mbedtls_pk_context *pk)
-{
- return copy_from_psa(key_id, pk, 0);
-}
-
-int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id,
- mbedtls_pk_context *pk)
-{
- return copy_from_psa(key_id, pk, 1);
-}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
-
#endif /* MBEDTLS_PK_C */