| Antonio de Angelis | 557451d | 2022-11-22 15:30:09 +0000 | [diff] [blame] | 1 | /*
|
| 2 | * SPDX-License-Identifier: Apache-2.0
|
| 3 | *
|
| 4 | * Copyright (c) 2023 Arm Limited
|
| 5 | */
|
| 6 |
|
| 7 | #include <string.h>
|
| 8 |
|
| 9 | #include "mcuboot_config/mcuboot_config.h"
|
| 10 |
|
| 11 | #ifdef MCUBOOT_SIGN_ECDSA
|
| 12 | #include "bootutil_priv.h"
|
| 13 | #include "bootutil/sign_key.h"
|
| 14 | #include "bootutil/fault_injection_hardening.h"
|
| 15 |
|
| 16 | #include "bootutil/crypto/ecdsa.h"
|
| 17 |
|
| 18 | static fih_ret
|
| 19 | bootutil_cmp_ecdsa_sig(bootutil_ecdsa_context *ctx, uint8_t *hash, uint32_t hlen,
|
| 20 | uint8_t *sig, size_t slen)
|
| 21 | {
|
| 22 | int rc = -1;
|
| 23 | FIH_DECLARE(fih_rc, FIH_FAILURE);
|
| 24 |
|
| 25 | /* PSA Crypto APIs allow the verification in a single call */
|
| 26 | rc = bootutil_ecdsa_verify(ctx, hash, hlen, sig, slen);
|
| 27 |
|
| 28 | fih_rc = fih_ret_encode_zero_equality(rc);
|
| 29 | if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
|
| 30 | FIH_SET(fih_rc, FIH_FAILURE);
|
| 31 | }
|
| 32 |
|
| 33 | FIH_RET(fih_rc);
|
| 34 | }
|
| 35 |
|
| 36 | fih_ret
|
| 37 | bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
|
| 38 | uint8_t key_id)
|
| 39 | {
|
| 40 | int rc = -1;
|
| 41 | FIH_DECLARE(fih_rc, FIH_FAILURE);
|
| 42 | uint8_t *cp;
|
| 43 | uint8_t *end;
|
| 44 | bootutil_ecdsa_context ctx;
|
| 45 |
|
| 46 | bootutil_ecdsa_init(&ctx);
|
| 47 |
|
| 48 | cp = (uint8_t *)bootutil_keys[key_id].key;
|
| 49 | end = cp + *bootutil_keys[key_id].len;
|
| 50 |
|
| 51 | /* The key used for signature verification is a public ECDSA key */
|
| 52 | rc = bootutil_ecdsa_parse_public_key(&ctx, &cp, end);
|
| 53 | if (rc) {
|
| 54 | goto out;
|
| 55 | }
|
| 56 |
|
| 57 | FIH_CALL(bootutil_cmp_ecdsa_sig, fih_rc, &ctx, hash, hlen, sig, slen);
|
| 58 |
|
| 59 | out:
|
| 60 | bootutil_ecdsa_drop(&ctx);
|
| 61 |
|
| 62 | FIH_RET(fih_rc);
|
| 63 | }
|
| 64 | #endif /* MCUBOOT_SIGN_ECDSA */
|