1 /*
2 * PSA hashing layer on top of Mbed TLS software crypto
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7 */
8
9 #include "common.h"
10
11 /* This is needed for MBEDTLS_ERR_XXX macros */
12 #include <mbedtls/error.h>
13
14 #if defined(MBEDTLS_ASN1_WRITE_C)
15 #include <mbedtls/asn1write.h>
16 #include <psa/crypto_sizes.h>
17 #endif
18
19 #include "psa_util_internal.h"
20
21 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
22
23 #include <psa/crypto.h>
24
25 #if defined(MBEDTLS_MD_LIGHT)
26 #include <mbedtls/md.h>
27 #endif
28 #if defined(MBEDTLS_LMS_C)
29 #include <mbedtls/lms.h>
30 #endif
31 #if defined(MBEDTLS_SSL_TLS_C) && \
32 (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
33 #include <mbedtls/ssl.h>
34 #endif
35 #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
36 defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
37 #include <mbedtls/rsa.h>
38 #endif
39 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
40 defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
41 #include <mbedtls/ecp.h>
42 #endif
43 #if defined(MBEDTLS_PK_C)
44 #include <mbedtls/pk.h>
45 #endif
46 #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
47 #include <mbedtls/cipher.h>
48 #endif
49 #include <mbedtls/entropy.h>
50
51 /* PSA_SUCCESS is kept at the top of each error table since
52 * it's the most common status when everything functions properly. */
53 #if defined(MBEDTLS_MD_LIGHT)
54 const mbedtls_error_pair_t psa_to_md_errors[] =
55 {
56 { PSA_SUCCESS, 0 },
57 { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE },
58 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_MD_BAD_INPUT_DATA },
59 { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_MD_ALLOC_FAILED }
60 };
61 #endif
62
63 #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
64 const mbedtls_error_pair_t psa_to_cipher_errors[] =
65 {
66 { PSA_SUCCESS, 0 },
67 { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE },
68 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA },
69 { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_CIPHER_ALLOC_FAILED }
70 };
71 #endif
72
73 #if defined(MBEDTLS_LMS_C)
74 const mbedtls_error_pair_t psa_to_lms_errors[] =
75 {
76 { PSA_SUCCESS, 0 },
77 { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL },
78 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA }
79 };
80 #endif
81
82 #if defined(MBEDTLS_SSL_TLS_C) && \
83 (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
84 const mbedtls_error_pair_t psa_to_ssl_errors[] =
85 {
86 { PSA_SUCCESS, 0 },
87 { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
88 { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
89 { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
90 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
91 { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
92 { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
93 };
94 #endif
95
96 #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
97 defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
98 const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
99 {
100 { PSA_SUCCESS, 0 },
101 { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
102 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
103 { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
104 { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE },
105 { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_RSA_RNG_FAILED },
106 { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_RSA_VERIFY_FAILED },
107 { PSA_ERROR_INVALID_PADDING, MBEDTLS_ERR_RSA_INVALID_PADDING }
108 };
109 #endif
110
111 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
112 defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
113 const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[] =
114 {
115 { PSA_SUCCESS, 0 },
116 { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
117 { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
118 { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE },
119 { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL },
120 { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_ECP_RANDOM_FAILED },
121 { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_ECP_VERIFY_FAILED }
122 };
123 #endif
124
psa_generic_status_to_mbedtls(psa_status_t status)125 int psa_generic_status_to_mbedtls(psa_status_t status)
126 {
127 switch (status) {
128 case PSA_SUCCESS:
129 return 0;
130 case PSA_ERROR_NOT_SUPPORTED:
131 return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
132 case PSA_ERROR_CORRUPTION_DETECTED:
133 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
134 case PSA_ERROR_COMMUNICATION_FAILURE:
135 case PSA_ERROR_HARDWARE_FAILURE:
136 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
137 case PSA_ERROR_NOT_PERMITTED:
138 default:
139 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
140 }
141 }
142
psa_status_to_mbedtls(psa_status_t status,const mbedtls_error_pair_t * local_translations,size_t local_errors_num,int (* fallback_f)(psa_status_t))143 int psa_status_to_mbedtls(psa_status_t status,
144 const mbedtls_error_pair_t *local_translations,
145 size_t local_errors_num,
146 int (*fallback_f)(psa_status_t))
147 {
148 for (size_t i = 0; i < local_errors_num; i++) {
149 if (status == local_translations[i].psa_status) {
150 return local_translations[i].mbedtls_error;
151 }
152 }
153 return fallback_f(status);
154 }
155
156 #if defined(MBEDTLS_PK_C)
psa_pk_status_to_mbedtls(psa_status_t status)157 int psa_pk_status_to_mbedtls(psa_status_t status)
158 {
159 switch (status) {
160 case PSA_ERROR_INVALID_HANDLE:
161 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
162 case PSA_ERROR_BUFFER_TOO_SMALL:
163 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
164 case PSA_ERROR_NOT_SUPPORTED:
165 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
166 case PSA_ERROR_INVALID_ARGUMENT:
167 return MBEDTLS_ERR_PK_INVALID_ALG;
168 case PSA_ERROR_NOT_PERMITTED:
169 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
170 case PSA_ERROR_INSUFFICIENT_MEMORY:
171 return MBEDTLS_ERR_PK_ALLOC_FAILED;
172 case PSA_ERROR_BAD_STATE:
173 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
174 case PSA_ERROR_DATA_CORRUPT:
175 case PSA_ERROR_DATA_INVALID:
176 case PSA_ERROR_STORAGE_FAILURE:
177 return MBEDTLS_ERR_PK_FILE_IO_ERROR;
178 default:
179 return psa_generic_status_to_mbedtls(status);
180 }
181 }
182 #endif /* MBEDTLS_PK_C */
183
184 /****************************************************************/
185 /* Key management */
186 /****************************************************************/
187
188 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,size_t * bits)189 psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
190 size_t *bits)
191 {
192 switch (grpid) {
193 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
194 case MBEDTLS_ECP_DP_SECP192R1:
195 *bits = 192;
196 return PSA_ECC_FAMILY_SECP_R1;
197 #endif
198 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
199 case MBEDTLS_ECP_DP_SECP224R1:
200 *bits = 224;
201 return PSA_ECC_FAMILY_SECP_R1;
202 #endif
203 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
204 case MBEDTLS_ECP_DP_SECP256R1:
205 *bits = 256;
206 return PSA_ECC_FAMILY_SECP_R1;
207 #endif
208 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
209 case MBEDTLS_ECP_DP_SECP384R1:
210 *bits = 384;
211 return PSA_ECC_FAMILY_SECP_R1;
212 #endif
213 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
214 case MBEDTLS_ECP_DP_SECP521R1:
215 *bits = 521;
216 return PSA_ECC_FAMILY_SECP_R1;
217 #endif
218 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
219 case MBEDTLS_ECP_DP_BP256R1:
220 *bits = 256;
221 return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
222 #endif
223 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
224 case MBEDTLS_ECP_DP_BP384R1:
225 *bits = 384;
226 return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
227 #endif
228 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
229 case MBEDTLS_ECP_DP_BP512R1:
230 *bits = 512;
231 return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
232 #endif
233 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
234 case MBEDTLS_ECP_DP_CURVE25519:
235 *bits = 255;
236 return PSA_ECC_FAMILY_MONTGOMERY;
237 #endif
238 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
239 case MBEDTLS_ECP_DP_SECP192K1:
240 *bits = 192;
241 return PSA_ECC_FAMILY_SECP_K1;
242 #endif
243 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
244 /* secp224k1 is not and will not be supported in PSA (#3541). */
245 #endif
246 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
247 case MBEDTLS_ECP_DP_SECP256K1:
248 *bits = 256;
249 return PSA_ECC_FAMILY_SECP_K1;
250 #endif
251 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
252 case MBEDTLS_ECP_DP_CURVE448:
253 *bits = 448;
254 return PSA_ECC_FAMILY_MONTGOMERY;
255 #endif
256 default:
257 *bits = 0;
258 return 0;
259 }
260 }
261
mbedtls_ecc_group_from_psa(psa_ecc_family_t family,size_t bits)262 mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
263 size_t bits)
264 {
265 switch (family) {
266 case PSA_ECC_FAMILY_SECP_R1:
267 switch (bits) {
268 #if defined(PSA_WANT_ECC_SECP_R1_192)
269 case 192:
270 return MBEDTLS_ECP_DP_SECP192R1;
271 #endif
272 #if defined(PSA_WANT_ECC_SECP_R1_224)
273 case 224:
274 return MBEDTLS_ECP_DP_SECP224R1;
275 #endif
276 #if defined(PSA_WANT_ECC_SECP_R1_256)
277 case 256:
278 return MBEDTLS_ECP_DP_SECP256R1;
279 #endif
280 #if defined(PSA_WANT_ECC_SECP_R1_384)
281 case 384:
282 return MBEDTLS_ECP_DP_SECP384R1;
283 #endif
284 #if defined(PSA_WANT_ECC_SECP_R1_521)
285 case 521:
286 return MBEDTLS_ECP_DP_SECP521R1;
287 #endif
288 }
289 break;
290
291 case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
292 switch (bits) {
293 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
294 case 256:
295 return MBEDTLS_ECP_DP_BP256R1;
296 #endif
297 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
298 case 384:
299 return MBEDTLS_ECP_DP_BP384R1;
300 #endif
301 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
302 case 512:
303 return MBEDTLS_ECP_DP_BP512R1;
304 #endif
305 }
306 break;
307
308 case PSA_ECC_FAMILY_MONTGOMERY:
309 switch (bits) {
310 #if defined(PSA_WANT_ECC_MONTGOMERY_255)
311 case 255:
312 return MBEDTLS_ECP_DP_CURVE25519;
313 #endif
314 #if defined(PSA_WANT_ECC_MONTGOMERY_448)
315 case 448:
316 return MBEDTLS_ECP_DP_CURVE448;
317 #endif
318 }
319 break;
320
321 case PSA_ECC_FAMILY_SECP_K1:
322 switch (bits) {
323 #if defined(PSA_WANT_ECC_SECP_K1_192)
324 case 192:
325 return MBEDTLS_ECP_DP_SECP192K1;
326 #endif
327 #if defined(PSA_WANT_ECC_SECP_K1_224)
328 /* secp224k1 is not and will not be supported in PSA (#3541). */
329 #endif
330 #if defined(PSA_WANT_ECC_SECP_K1_256)
331 case 256:
332 return MBEDTLS_ECP_DP_SECP256K1;
333 #endif
334 }
335 break;
336 }
337
338 return MBEDTLS_ECP_DP_NONE;
339 }
340 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
341
342 /* Wrapper function allowing the classic API to use the PSA RNG.
343 *
344 * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
345 * `psa_generate_random(...)`. The state parameter is ignored since the
346 * PSA API doesn't support passing an explicit state.
347 */
mbedtls_psa_get_random(void * p_rng,unsigned char * output,size_t output_size)348 int mbedtls_psa_get_random(void *p_rng,
349 unsigned char *output,
350 size_t output_size)
351 {
352 /* This function takes a pointer to the RNG state because that's what
353 * classic mbedtls functions using an RNG expect. The PSA RNG manages
354 * its own state internally and doesn't let the caller access that state.
355 * So we just ignore the state parameter, and in practice we'll pass
356 * NULL. */
357 (void) p_rng;
358 psa_status_t status = psa_generate_random(output, output_size);
359 if (status == PSA_SUCCESS) {
360 return 0;
361 } else {
362 return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
363 }
364 }
365
366 #endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
367
368 #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
369
370 /**
371 * \brief Convert a single raw coordinate to DER ASN.1 format. The output der
372 * buffer is filled backward (i.e. starting from its end).
373 *
374 * \param raw_buf Buffer containing the raw coordinate to be
375 * converted.
376 * \param raw_len Length of raw_buf in bytes. This must be > 0.
377 * \param der_buf_start Pointer to the beginning of the buffer which
378 * will be filled with the DER converted data.
379 * \param der_buf_end End of the buffer used to store the DER output.
380 *
381 * \return On success, the amount of data (in bytes) written to
382 * the DER buffer.
383 * \return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if the provided der
384 * buffer is too small to contain all the converted data.
385 * \return MBEDTLS_ERR_ASN1_INVALID_DATA if the input raw
386 * coordinate is null (i.e. all zeros).
387 *
388 * \warning Raw and der buffer must not be overlapping.
389 */
convert_raw_to_der_single_int(const unsigned char * raw_buf,size_t raw_len,unsigned char * der_buf_start,unsigned char * der_buf_end)390 static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len,
391 unsigned char *der_buf_start,
392 unsigned char *der_buf_end)
393 {
394 unsigned char *p = der_buf_end;
395 int len;
396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
397
398 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
399 * Provided input MPIs should not be 0, but as a failsafe measure, still
400 * detect that and return error in case. */
401 while (*raw_buf == 0x00) {
402 ++raw_buf;
403 --raw_len;
404 if (raw_len == 0) {
405 return MBEDTLS_ERR_ASN1_INVALID_DATA;
406 }
407 }
408 len = (int) raw_len;
409
410 /* Copy the raw coordinate to the end of der_buf. */
411 if ((p - der_buf_start) < len) {
412 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
413 }
414 p -= len;
415 memcpy(p, raw_buf, len);
416
417 /* If MSb is 1, ASN.1 requires that we prepend a 0. */
418 if (*p & 0x80) {
419 if ((p - der_buf_start) < 1) {
420 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
421 }
422 --p;
423 *p = 0x00;
424 ++len;
425 }
426
427 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der_buf_start, len));
428 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der_buf_start, MBEDTLS_ASN1_INTEGER));
429
430 return len;
431 }
432
mbedtls_ecdsa_raw_to_der(size_t bits,const unsigned char * raw,size_t raw_len,unsigned char * der,size_t der_size,size_t * der_len)433 int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
434 unsigned char *der, size_t der_size, size_t *der_len)
435 {
436 unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
437 unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
438 const size_t coordinate_len = PSA_BITS_TO_BYTES(bits);
439 size_t len = 0;
440 unsigned char *p = der + der_size;
441 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
442
443 if (raw_len != (2 * coordinate_len)) {
444 return MBEDTLS_ERR_ASN1_INVALID_DATA;
445 }
446
447 /* Since raw and der buffers might overlap, dump r and s before starting
448 * the conversion. */
449 memcpy(r, raw, coordinate_len);
450 memcpy(s, raw + coordinate_len, coordinate_len);
451
452 /* der buffer will initially be written starting from its end so we pick s
453 * first and then r. */
454 ret = convert_raw_to_der_single_int(s, coordinate_len, der, p);
455 if (ret < 0) {
456 return ret;
457 }
458 p -= ret;
459 len += ret;
460
461 ret = convert_raw_to_der_single_int(r, coordinate_len, der, p);
462 if (ret < 0) {
463 return ret;
464 }
465 p -= ret;
466 len += ret;
467
468 /* Add ASN.1 header (len + tag). */
469 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der, len));
470 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der,
471 MBEDTLS_ASN1_CONSTRUCTED |
472 MBEDTLS_ASN1_SEQUENCE));
473
474 /* memmove the content of der buffer to its beginnig. */
475 memmove(der, p, len);
476 *der_len = len;
477
478 return 0;
479 }
480
481 /**
482 * \brief Convert a single integer from ASN.1 DER format to raw.
483 *
484 * \param der Buffer containing the DER integer value to be
485 * converted.
486 * \param der_len Length of the der buffer in bytes.
487 * \param raw Output buffer that will be filled with the
488 * converted data. This should be at least
489 * coordinate_size bytes and it must be zeroed before
490 * calling this function.
491 * \param coordinate_size Size (in bytes) of a single coordinate in raw
492 * format.
493 *
494 * \return On success, the amount of DER data parsed from the
495 * provided der buffer.
496 * \return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the integer tag
497 * is missing in the der buffer.
498 * \return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the integer
499 * is null (i.e. all zeros) or if the output raw buffer
500 * is too small to contain the converted raw value.
501 *
502 * \warning Der and raw buffers must not be overlapping.
503 */
convert_der_to_raw_single_int(unsigned char * der,size_t der_len,unsigned char * raw,size_t coordinate_size)504 static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len,
505 unsigned char *raw, size_t coordinate_size)
506 {
507 unsigned char *p = der;
508 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
509 size_t unpadded_len, padding_len = 0;
510
511 /* Get the length of ASN.1 element (i.e. the integer we need to parse). */
512 ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len,
513 MBEDTLS_ASN1_INTEGER);
514 if (ret != 0) {
515 return ret;
516 }
517
518 /* It's invalid to have:
519 * - unpadded_len == 0.
520 * - MSb set without a leading 0x00 (leading 0x00 is checked below). */
521 if (((unpadded_len == 0) || (*p & 0x80) != 0)) {
522 return MBEDTLS_ERR_ASN1_INVALID_DATA;
523 }
524
525 /* Skip possible leading zero */
526 if (*p == 0x00) {
527 p++;
528 unpadded_len--;
529 /* It is not allowed to have more than 1 leading zero.
530 * Ignore the case in which unpadded_len = 0 because that's a 0 encoded
531 * in ASN.1 format (i.e. 020100). */
532 if ((unpadded_len > 0) && (*p == 0x00)) {
533 return MBEDTLS_ERR_ASN1_INVALID_DATA;
534 }
535 }
536
537 if (unpadded_len > coordinate_size) {
538 /* Parsed number is longer than the maximum expected value. */
539 return MBEDTLS_ERR_ASN1_INVALID_DATA;
540 }
541 padding_len = coordinate_size - unpadded_len;
542 /* raw buffer was already zeroed by the calling function so zero-padding
543 * operation is skipped here. */
544 memcpy(raw + padding_len, p, unpadded_len);
545 p += unpadded_len;
546
547 return (int) (p - der);
548 }
549
mbedtls_ecdsa_der_to_raw(size_t bits,const unsigned char * der,size_t der_len,unsigned char * raw,size_t raw_size,size_t * raw_len)550 int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
551 unsigned char *raw, size_t raw_size, size_t *raw_len)
552 {
553 unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
554 unsigned char *p = (unsigned char *) der;
555 size_t data_len;
556 size_t coordinate_size = PSA_BITS_TO_BYTES(bits);
557 int ret;
558
559 /* The output raw buffer should be at least twice the size of a raw
560 * coordinate in order to store r and s. */
561 if (raw_size < coordinate_size * 2) {
562 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
563 }
564
565 /* Check that the provided input DER buffer has the right header. */
566 ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len,
567 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
568 if (ret != 0) {
569 return ret;
570 }
571
572 memset(raw_tmp, 0, 2 * coordinate_size);
573
574 /* Extract r */
575 ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size);
576 if (ret < 0) {
577 return ret;
578 }
579 p += ret;
580 data_len -= ret;
581
582 /* Extract s */
583 ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size,
584 coordinate_size);
585 if (ret < 0) {
586 return ret;
587 }
588 p += ret;
589 data_len -= ret;
590
591 /* Check that we consumed all the input der data. */
592 if ((size_t) (p - der) != der_len) {
593 return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
594 }
595
596 memcpy(raw, raw_tmp, 2 * coordinate_size);
597 *raw_len = 2 * coordinate_size;
598
599 return 0;
600 }
601
602 #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
603
