psa: Simplify EC public key format

Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 3168026..f0c8e7d 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -482,6 +482,14 @@
* modulus INTEGER, -- n
* publicExponent INTEGER } -- e
* ```
+ * - For elliptic curve public keys (key types for which
+ * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
+ * representation defined by SEC1 §2.3.3 as the content of an ECPoint:
+ * Let `m` be the bit size associated with the curve, i.e. the bit size of
+ * `q` for a curve over `F_q`. The representation consists of:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
*
* For other public key types, the format is the DER representation defined by
* RFC 5280 as `SubjectPublicKeyInfo`, with the `subjectPublicKey` format
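Review bot: the new EC bullet defines `m` as "the bit size associated with the curve" but never says where the curve comes from now that the data is a bare ECPoint with no `namedCurve`. Say explicitly which input determines the curve (presumably the key type, since the bullet is keyed on #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY), and state that data whose first byte is not 0x04 or whose length is not 1 + 2 * ceiling(m/8) is not a valid encoding, so compressed points and truncated input have a documented outcome.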
@@ -509,30 +517,6 @@
* g INTEGER }
* DSAPublicKey ::= INTEGER -- public key, Y
* ```
- * - For elliptic curve public keys (key types for which
- * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true),
- * the `subjectPublicKey` format is defined by RFC 3279 §2.3.5 as
- * `ECPoint`, which contains the uncompressed
- * representation defined by SEC1 §2.3.3.
- * The OID is `id-ecPublicKey`,
- * and the parameters must be given as a `namedCurve` OID as specified in
- * RFC 5480 §2.1.1.1 or other applicable standards.
- * ```
- * ansi-X9-62 OBJECT IDENTIFIER ::=
- * { iso(1) member-body(2) us(840) 10045 }
- * id-public-key-type OBJECT IDENTIFIER ::= { ansi-X9.62 2 }
- * id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
- *
- * ECPoint ::= ...
- * -- first 8 bits: 0x04;
- * -- then x_P as a `ceiling(m/8)`-byte string, big endian;
- * -- then y_P as a `ceiling(m/8)`-byte string, big endian;
- * -- where `m` is the bit size associated with the curve,
- * -- i.e. the bit size of `q` for a curve over `F_q`.
- *
- * EcpkParameters ::= CHOICE { -- other choices are not allowed
- * namedCurve OBJECT IDENTIFIER }
- * ```
*
* \param handle Handle to the key to export.
* \param[out] data Buffer where the key data is to be written.
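Review bot: the removed bullet was the only text tying an exported EC public key to its curve (`namedCurve`) and to `id-ecPublicKey`, and nothing in this hunk says what happens to callers that still hold EC keys in the old `SubjectPublicKeyInfo` encoding. Document whether import still accepts that encoding or rejects it, and note that the exported bytes are no longer self-describing, so the curve has to be conveyed alongside them.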
@@ -2160,7 +2144,9 @@
* in the same format that psa_import_key()
* accepts. The standard formats for public
* keys are documented in the documentation
- * of psa_export_public_key().
+ * of psa_export_public_key(). For EC keys, it
+ * must also be of the same group as the private
+ * key.
* \param peer_key_length Size of \p peer_key in bytes.
* \param alg The key agreement algorithm to compute
* (\c PSA_ALG_XXX value such that
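Review bot: the added sentence "it must also be of the same group as the private key" states a requirement but not what happens when it is not met, and with the bare ECPoint format there is no curve identifier in \p peer_key to compare against. Say that the peer key is interpreted on the private key's curve, that it is checked to be a valid point on that curve, and which error is returned otherwise. Replacing "it" with "\p peer_key" would also remove the ambiguity with the preceding sentence about psa_export_public_key().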
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 89fc96b..9ad0536 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -493,26 +493,16 @@
/* Maximum size of the export encoding of an ECC public key.
*
- * SubjectPublicKeyInfo ::= SEQUENCE {
- * algorithm AlgorithmIdentifier,
- * subjectPublicKey BIT STRING } -- contains ECPoint
- * AlgorithmIdentifier ::= SEQUENCE {
- * algorithm OBJECT IDENTIFIER,
- * parameters OBJECT IDENTIFIER } -- namedCurve
- * ECPoint ::= ...
- * -- first 8 bits: 0x04;
- * -- then x_P as a `ceiling(m/8)`-byte string, big endian;
- * -- then y_P as a `ceiling(m/8)`-byte string, big endian;
- * -- where `m` is the bit size associated with the curve.
+ * The representation of an ECC public key is:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - where m is the bit size associated with the curve.
*
- * - 2 * 4 bytes of SEQUENCE overhead;
- * - 1 + 1 + 7 bytes of algorithm (id-ecPublicKey OID);
- * - 1 + 1 + 12 bytes of namedCurve OID;
- * - 4 bytes of BIT STRING overhead;
- * - 1 byte + 2 * point size in ECPoint.
+ * - 1 byte + 2 * point size.
*/
#define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) \
- (2 * PSA_BITS_TO_BYTES(key_bits) + 36)
+ (2 * PSA_BITS_TO_BYTES(key_bits) + 1)
/* Maximum size of the export encoding of an ECC key pair.
*
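Review bot: in the rewritten comment above PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE, the line "- where m is the bit size associated with the curve." is formatted as a fourth component of the representation although it is a definition, and the lone bullet "- 1 byte + 2 * point size." uses "point size" for what the list above calls a coordinate of `ceiling(m/8)` bytes. Make the `m` definition a plain sentence and write the total as 1 + 2 * ceiling(m/8) bytes so it lines up with `(2 * PSA_BITS_TO_BYTES(key_bits) + 1)`. Since the encoding is now fixed-length for a given curve, the comment could also say this is the exact size, not only a maximum.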