1 /*
2 * Public Key abstraction layer: wrapper functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_PK_C)
23 #include "pk_wrap.h"
24 #include "mbedtls/error.h"
25
26 /* Even if RSA not activated, for the sake of RSA-alt */
27 #include "mbedtls/rsa.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_ECP_C)
32 #include "mbedtls/ecp.h"
33 #endif
34
35 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
36 #include "pkwrite.h"
37 #endif
38
39 #if defined(MBEDTLS_ECDSA_C)
40 #include "mbedtls/ecdsa.h"
41 #endif
42
43 #if defined(MBEDTLS_USE_PSA_CRYPTO)
44 #include "mbedtls/asn1write.h"
45 #endif
46
47 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
48 #include "mbedtls/platform_util.h"
49 #endif
50
51 #if defined(MBEDTLS_USE_PSA_CRYPTO)
52 #include "psa/crypto.h"
53 #include "mbedtls/psa_util.h"
54 #include "mbedtls/asn1.h"
55 #include "hash_info.h"
56 #endif
57
58 #include "mbedtls/platform.h"
59
60 #include <limits.h>
61 #include <stdint.h>
62
63 #if defined(MBEDTLS_PSA_CRYPTO_C)
mbedtls_pk_error_from_psa(psa_status_t status)64 int mbedtls_pk_error_from_psa( psa_status_t status )
65 {
66 switch( status )
67 {
68 case PSA_SUCCESS:
69 return( 0 );
70 case PSA_ERROR_INVALID_HANDLE:
71 return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
72 case PSA_ERROR_NOT_PERMITTED:
73 return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
74 case PSA_ERROR_BUFFER_TOO_SMALL:
75 return( MBEDTLS_ERR_PK_BUFFER_TOO_SMALL );
76 case PSA_ERROR_NOT_SUPPORTED:
77 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
78 case PSA_ERROR_INVALID_ARGUMENT:
79 return( MBEDTLS_ERR_PK_INVALID_ALG );
80 case PSA_ERROR_INSUFFICIENT_MEMORY:
81 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
82 case PSA_ERROR_BAD_STATE:
83 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
84 case PSA_ERROR_COMMUNICATION_FAILURE:
85 case PSA_ERROR_HARDWARE_FAILURE:
86 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
87 case PSA_ERROR_DATA_CORRUPT:
88 case PSA_ERROR_DATA_INVALID:
89 case PSA_ERROR_STORAGE_FAILURE:
90 return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
91 case PSA_ERROR_CORRUPTION_DETECTED:
92 return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
93 default:
94 return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
95 }
96 }
97
98 #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
99 defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
mbedtls_pk_error_from_psa_rsa(psa_status_t status)100 int mbedtls_pk_error_from_psa_rsa( psa_status_t status )
101 {
102 switch( status )
103 {
104 case PSA_ERROR_NOT_PERMITTED:
105 case PSA_ERROR_INVALID_ARGUMENT:
106 case PSA_ERROR_INVALID_HANDLE:
107 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
108 case PSA_ERROR_BUFFER_TOO_SMALL:
109 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
110 case PSA_ERROR_INSUFFICIENT_ENTROPY:
111 return( MBEDTLS_ERR_RSA_RNG_FAILED );
112 case PSA_ERROR_INVALID_SIGNATURE:
113 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
114 case PSA_ERROR_INVALID_PADDING:
115 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
116 default:
117 return( mbedtls_pk_error_from_psa( status ) );
118 }
119 }
120 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
121
122 #endif /* MBEDTLS_PSA_CRYPTO_C */
123
124 #if defined(MBEDTLS_USE_PSA_CRYPTO)
125
126 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)127 int mbedtls_pk_error_from_psa_ecdsa( psa_status_t status )
128 {
129 switch( status )
130 {
131 case PSA_ERROR_NOT_PERMITTED:
132 case PSA_ERROR_INVALID_ARGUMENT:
133 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
134 case PSA_ERROR_INVALID_HANDLE:
135 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
136 case PSA_ERROR_BUFFER_TOO_SMALL:
137 return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
138 case PSA_ERROR_INSUFFICIENT_ENTROPY:
139 return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
140 case PSA_ERROR_INVALID_SIGNATURE:
141 return( MBEDTLS_ERR_ECP_VERIFY_FAILED );
142 default:
143 return( mbedtls_pk_error_from_psa( status ) );
144 }
145 }
146 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
147
148 #endif /* MBEDTLS_USE_PSA_CRYPTO */
149
150 #if defined(MBEDTLS_RSA_C)
rsa_can_do(mbedtls_pk_type_t type)151 static int rsa_can_do( mbedtls_pk_type_t type )
152 {
153 return( type == MBEDTLS_PK_RSA ||
154 type == MBEDTLS_PK_RSASSA_PSS );
155 }
156
rsa_get_bitlen(const void * ctx)157 static size_t rsa_get_bitlen( const void *ctx )
158 {
159 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
160 return( 8 * mbedtls_rsa_get_len( rsa ) );
161 }
162
163 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)164 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
165 const unsigned char *hash, size_t hash_len,
166 const unsigned char *sig, size_t sig_len )
167 {
168 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
169 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
170 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
171 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
172 psa_status_t status;
173 mbedtls_pk_context key;
174 int key_len;
175 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
176 psa_algorithm_t psa_alg_md =
177 PSA_ALG_RSA_PKCS1V15_SIGN( mbedtls_hash_info_psa_from_md( md_alg ) );
178 size_t rsa_len = mbedtls_rsa_get_len( rsa );
179
180 #if SIZE_MAX > UINT_MAX
181 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
182 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
183 #endif /* SIZE_MAX > UINT_MAX */
184
185 if( sig_len < rsa_len )
186 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
187
188 /* mbedtls_pk_write_pubkey_der() expects a full PK context;
189 * re-construct one to make it happy */
190 key.pk_info = &mbedtls_rsa_info;
191 key.pk_ctx = ctx;
192 key_len = mbedtls_pk_write_pubkey_der( &key, buf, sizeof( buf ) );
193 if( key_len <= 0 )
194 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
195
196 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
197 psa_set_key_algorithm( &attributes, psa_alg_md );
198 psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
199
200 status = psa_import_key( &attributes,
201 buf + sizeof( buf ) - key_len, key_len,
202 &key_id );
203 if( status != PSA_SUCCESS )
204 {
205 ret = mbedtls_pk_error_from_psa( status );
206 goto cleanup;
207 }
208
209 status = psa_verify_hash( key_id, psa_alg_md, hash, hash_len,
210 sig, sig_len );
211 if( status != PSA_SUCCESS )
212 {
213 ret = mbedtls_pk_error_from_psa_rsa( status );
214 goto cleanup;
215 }
216 ret = 0;
217
218 cleanup:
219 status = psa_destroy_key( key_id );
220 if( ret == 0 && status != PSA_SUCCESS )
221 ret = mbedtls_pk_error_from_psa( status );
222
223 return( ret );
224 }
225 #else
rsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)226 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
227 const unsigned char *hash, size_t hash_len,
228 const unsigned char *sig, size_t sig_len )
229 {
230 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
231 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
232 size_t rsa_len = mbedtls_rsa_get_len( rsa );
233
234 #if SIZE_MAX > UINT_MAX
235 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
236 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
237 #endif /* SIZE_MAX > UINT_MAX */
238
239 if( sig_len < rsa_len )
240 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
241
242 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, md_alg,
243 (unsigned int) hash_len,
244 hash, sig ) ) != 0 )
245 return( ret );
246
247 /* The buffer contains a valid signature followed by extra data.
248 * We have a special error code for that so that so that callers can
249 * use mbedtls_pk_verify() to check "Does the buffer start with a
250 * valid signature?" and not just "Does the buffer contain a valid
251 * signature?". */
252 if( sig_len > rsa_len )
253 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
254
255 return( 0 );
256 }
257 #endif
258
259 #if defined(MBEDTLS_PSA_CRYPTO_C)
mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,mbedtls_rsa_context * rsa_ctx,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len)260 int mbedtls_pk_psa_rsa_sign_ext( psa_algorithm_t alg,
261 mbedtls_rsa_context *rsa_ctx,
262 const unsigned char *hash, size_t hash_len,
263 unsigned char *sig, size_t sig_size,
264 size_t *sig_len )
265 {
266 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
267 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
268 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
269 psa_status_t status;
270 mbedtls_pk_context key;
271 int key_len;
272 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
273 mbedtls_pk_info_t pk_info = mbedtls_rsa_info;
274
275 *sig_len = mbedtls_rsa_get_len( rsa_ctx );
276 if( sig_size < *sig_len )
277 return( MBEDTLS_ERR_PK_BUFFER_TOO_SMALL );
278
279 /* mbedtls_pk_write_key_der() expects a full PK context;
280 * re-construct one to make it happy */
281 key.pk_info = &pk_info;
282 key.pk_ctx = rsa_ctx;
283 key_len = mbedtls_pk_write_key_der( &key, buf, sizeof( buf ) );
284 if( key_len <= 0 )
285 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
286 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH );
287 psa_set_key_algorithm( &attributes, alg );
288 psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR );
289
290 status = psa_import_key( &attributes,
291 buf + sizeof( buf ) - key_len, key_len,
292 &key_id );
293 if( status != PSA_SUCCESS )
294 {
295 ret = mbedtls_pk_error_from_psa( status );
296 goto cleanup;
297 }
298 status = psa_sign_hash( key_id, alg, hash, hash_len,
299 sig, sig_size, sig_len );
300 if( status != PSA_SUCCESS )
301 {
302 ret = mbedtls_pk_error_from_psa_rsa( status );
303 goto cleanup;
304 }
305
306 ret = 0;
307
308 cleanup:
309 status = psa_destroy_key( key_id );
310 if( ret == 0 && status != PSA_SUCCESS )
311 ret = mbedtls_pk_error_from_psa( status );
312 return( ret );
313 }
314 #endif /* MBEDTLS_PSA_CRYPTO_C */
315
316 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)317 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
318 const unsigned char *hash, size_t hash_len,
319 unsigned char *sig, size_t sig_size, size_t *sig_len,
320 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
321 {
322 ((void) f_rng);
323 ((void) p_rng);
324
325 psa_algorithm_t psa_md_alg;
326 psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg );
327 if( psa_md_alg == 0 )
328 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
329
330 return( mbedtls_pk_psa_rsa_sign_ext( PSA_ALG_RSA_PKCS1V15_SIGN(
331 psa_md_alg ),
332 ctx, hash, hash_len,
333 sig, sig_size, sig_len ) );
334 }
335 #else
rsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)336 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
337 const unsigned char *hash, size_t hash_len,
338 unsigned char *sig, size_t sig_size, size_t *sig_len,
339 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
340 {
341 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
342
343 #if SIZE_MAX > UINT_MAX
344 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
345 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
346 #endif /* SIZE_MAX > UINT_MAX */
347
348 *sig_len = mbedtls_rsa_get_len( rsa );
349 if( sig_size < *sig_len )
350 return( MBEDTLS_ERR_PK_BUFFER_TOO_SMALL );
351
352 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng,
353 md_alg, (unsigned int) hash_len,
354 hash, sig ) );
355 }
356 #endif
357
358 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)359 static int rsa_decrypt_wrap( void *ctx,
360 const unsigned char *input, size_t ilen,
361 unsigned char *output, size_t *olen, size_t osize,
362 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
363 {
364 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
365 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
366 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
367 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
368 psa_status_t status;
369 mbedtls_pk_context key;
370 int key_len;
371 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
372
373 ((void) f_rng);
374 ((void) p_rng);
375
376 #if !defined(MBEDTLS_RSA_ALT)
377 if( rsa->padding != MBEDTLS_RSA_PKCS_V15 )
378 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
379 #endif /* !MBEDTLS_RSA_ALT */
380
381 if( ilen != mbedtls_rsa_get_len( rsa ) )
382 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
383
384 /* mbedtls_pk_write_key_der() expects a full PK context;
385 * re-construct one to make it happy */
386 key.pk_info = &mbedtls_rsa_info;
387 key.pk_ctx = ctx;
388 key_len = mbedtls_pk_write_key_der( &key, buf, sizeof( buf ) );
389 if( key_len <= 0 )
390 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
391
392 psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR );
393 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
394 psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PKCS1V15_CRYPT );
395
396 status = psa_import_key( &attributes,
397 buf + sizeof( buf ) - key_len, key_len,
398 &key_id );
399 if( status != PSA_SUCCESS )
400 {
401 ret = mbedtls_pk_error_from_psa( status );
402 goto cleanup;
403 }
404
405 status = psa_asymmetric_decrypt( key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
406 input, ilen,
407 NULL, 0,
408 output, osize, olen );
409 if( status != PSA_SUCCESS )
410 {
411 ret = mbedtls_pk_error_from_psa_rsa( status );
412 goto cleanup;
413 }
414
415 ret = 0;
416
417 cleanup:
418 mbedtls_platform_zeroize( buf, sizeof( buf ) );
419 status = psa_destroy_key( key_id );
420 if( ret == 0 && status != PSA_SUCCESS )
421 ret = mbedtls_pk_error_from_psa( status );
422
423 return( ret );
424 }
425 #else
rsa_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)426 static int rsa_decrypt_wrap( void *ctx,
427 const unsigned char *input, size_t ilen,
428 unsigned char *output, size_t *olen, size_t osize,
429 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
430 {
431 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
432
433 if( ilen != mbedtls_rsa_get_len( rsa ) )
434 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
435
436 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
437 olen, input, output, osize ) );
438 }
439 #endif
440
441 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_encrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)442 static int rsa_encrypt_wrap( void *ctx,
443 const unsigned char *input, size_t ilen,
444 unsigned char *output, size_t *olen, size_t osize,
445 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
446 {
447 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
448 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
449 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
450 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
451 psa_status_t status;
452 mbedtls_pk_context key;
453 int key_len;
454 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
455
456 ((void) f_rng);
457 ((void) p_rng);
458
459 #if !defined(MBEDTLS_RSA_ALT)
460 if( rsa->padding != MBEDTLS_RSA_PKCS_V15 )
461 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
462 #endif
463
464 if( mbedtls_rsa_get_len( rsa ) > osize )
465 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
466
467 /* mbedtls_pk_write_pubkey_der() expects a full PK context;
468 * re-construct one to make it happy */
469 key.pk_info = &mbedtls_rsa_info;
470 key.pk_ctx = ctx;
471 key_len = mbedtls_pk_write_pubkey_der( &key, buf, sizeof( buf ) );
472 if( key_len <= 0 )
473 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
474
475 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
476 psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PKCS1V15_CRYPT );
477 psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
478
479 status = psa_import_key( &attributes,
480 buf + sizeof( buf ) - key_len, key_len,
481 &key_id );
482 if( status != PSA_SUCCESS )
483 {
484 ret = mbedtls_pk_error_from_psa( status );
485 goto cleanup;
486 }
487
488 status = psa_asymmetric_encrypt( key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
489 input, ilen,
490 NULL, 0,
491 output, osize, olen );
492 if( status != PSA_SUCCESS )
493 {
494 ret = mbedtls_pk_error_from_psa_rsa( status );
495 goto cleanup;
496 }
497
498 ret = 0;
499
500 cleanup:
501 status = psa_destroy_key( key_id );
502 if( ret == 0 && status != PSA_SUCCESS )
503 ret = mbedtls_pk_error_from_psa( status );
504
505 return( ret );
506 }
507 #else
rsa_encrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)508 static int rsa_encrypt_wrap( void *ctx,
509 const unsigned char *input, size_t ilen,
510 unsigned char *output, size_t *olen, size_t osize,
511 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
512 {
513 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
514 *olen = mbedtls_rsa_get_len( rsa );
515
516 if( *olen > osize )
517 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
518
519 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng,
520 ilen, input, output ) );
521 }
522 #endif
523
rsa_check_pair_wrap(const void * pub,const void * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)524 static int rsa_check_pair_wrap( const void *pub, const void *prv,
525 int (*f_rng)(void *, unsigned char *, size_t),
526 void *p_rng )
527 {
528 (void) f_rng;
529 (void) p_rng;
530 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
531 (const mbedtls_rsa_context *) prv ) );
532 }
533
rsa_alloc_wrap(void)534 static void *rsa_alloc_wrap( void )
535 {
536 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
537
538 if( ctx != NULL )
539 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx );
540
541 return( ctx );
542 }
543
rsa_free_wrap(void * ctx)544 static void rsa_free_wrap( void *ctx )
545 {
546 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
547 mbedtls_free( ctx );
548 }
549
rsa_debug(const void * ctx,mbedtls_pk_debug_item * items)550 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
551 {
552 #if defined(MBEDTLS_RSA_ALT)
553 /* Not supported */
554 (void) ctx;
555 (void) items;
556 #else
557 items->type = MBEDTLS_PK_DEBUG_MPI;
558 items->name = "rsa.N";
559 items->value = &( ((mbedtls_rsa_context *) ctx)->N );
560
561 items++;
562
563 items->type = MBEDTLS_PK_DEBUG_MPI;
564 items->name = "rsa.E";
565 items->value = &( ((mbedtls_rsa_context *) ctx)->E );
566 #endif
567 }
568
569 const mbedtls_pk_info_t mbedtls_rsa_info = {
570 MBEDTLS_PK_RSA,
571 "RSA",
572 rsa_get_bitlen,
573 rsa_can_do,
574 rsa_verify_wrap,
575 rsa_sign_wrap,
576 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
577 NULL,
578 NULL,
579 #endif
580 rsa_decrypt_wrap,
581 rsa_encrypt_wrap,
582 rsa_check_pair_wrap,
583 rsa_alloc_wrap,
584 rsa_free_wrap,
585 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
586 NULL,
587 NULL,
588 #endif
589 rsa_debug,
590 };
591 #endif /* MBEDTLS_RSA_C */
592
593 #if defined(MBEDTLS_ECP_C)
594 /*
595 * Generic EC key
596 */
eckey_can_do(mbedtls_pk_type_t type)597 static int eckey_can_do( mbedtls_pk_type_t type )
598 {
599 return( type == MBEDTLS_PK_ECKEY ||
600 type == MBEDTLS_PK_ECKEY_DH ||
601 type == MBEDTLS_PK_ECDSA );
602 }
603
eckey_get_bitlen(const void * ctx)604 static size_t eckey_get_bitlen( const void *ctx )
605 {
606 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
607 }
608
609 #if defined(MBEDTLS_ECDSA_C)
610 /* Forward declarations */
611 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
612 const unsigned char *hash, size_t hash_len,
613 const unsigned char *sig, size_t sig_len );
614
615 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
616 const unsigned char *hash, size_t hash_len,
617 unsigned char *sig, size_t sig_size, size_t *sig_len,
618 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
619
eckey_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)620 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
621 const unsigned char *hash, size_t hash_len,
622 const unsigned char *sig, size_t sig_len )
623 {
624 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
625 mbedtls_ecdsa_context ecdsa;
626
627 mbedtls_ecdsa_init( &ecdsa );
628
629 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
630 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
631
632 mbedtls_ecdsa_free( &ecdsa );
633
634 return( ret );
635 }
636
eckey_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)637 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
638 const unsigned char *hash, size_t hash_len,
639 unsigned char *sig, size_t sig_size, size_t *sig_len,
640 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
641 {
642 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
643 mbedtls_ecdsa_context ecdsa;
644
645 mbedtls_ecdsa_init( &ecdsa );
646
647 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
648 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len,
649 sig, sig_size, sig_len,
650 f_rng, p_rng );
651
652 mbedtls_ecdsa_free( &ecdsa );
653
654 return( ret );
655 }
656
657 #if defined(MBEDTLS_ECP_RESTARTABLE)
658 /* Forward declarations */
659 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
660 const unsigned char *hash, size_t hash_len,
661 const unsigned char *sig, size_t sig_len,
662 void *rs_ctx );
663
664 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
665 const unsigned char *hash, size_t hash_len,
666 unsigned char *sig, size_t sig_size, size_t *sig_len,
667 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
668 void *rs_ctx );
669
670 /*
671 * Restart context for ECDSA operations with ECKEY context
672 *
673 * We need to store an actual ECDSA context, as we need to pass the same to
674 * the underlying ecdsa function, so we can't create it on the fly every time.
675 */
676 typedef struct
677 {
678 mbedtls_ecdsa_restart_ctx ecdsa_rs;
679 mbedtls_ecdsa_context ecdsa_ctx;
680 } eckey_restart_ctx;
681
eckey_rs_alloc(void)682 static void *eckey_rs_alloc( void )
683 {
684 eckey_restart_ctx *rs_ctx;
685
686 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
687
688 if( ctx != NULL )
689 {
690 rs_ctx = ctx;
691 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
692 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
693 }
694
695 return( ctx );
696 }
697
eckey_rs_free(void * ctx)698 static void eckey_rs_free( void *ctx )
699 {
700 eckey_restart_ctx *rs_ctx;
701
702 if( ctx == NULL)
703 return;
704
705 rs_ctx = ctx;
706 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
707 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
708
709 mbedtls_free( ctx );
710 }
711
eckey_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)712 static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
713 const unsigned char *hash, size_t hash_len,
714 const unsigned char *sig, size_t sig_len,
715 void *rs_ctx )
716 {
717 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
718 eckey_restart_ctx *rs = rs_ctx;
719
720 /* Should never happen */
721 if( rs == NULL )
722 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
723
724 /* set up our own sub-context if needed (that is, on first run) */
725 if( rs->ecdsa_ctx.grp.pbits == 0 )
726 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
727
728 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
729 md_alg, hash, hash_len,
730 sig, sig_len, &rs->ecdsa_rs ) );
731
732 cleanup:
733 return( ret );
734 }
735
eckey_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)736 static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
737 const unsigned char *hash, size_t hash_len,
738 unsigned char *sig, size_t sig_size, size_t *sig_len,
739 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
740 void *rs_ctx )
741 {
742 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
743 eckey_restart_ctx *rs = rs_ctx;
744
745 /* Should never happen */
746 if( rs == NULL )
747 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
748
749 /* set up our own sub-context if needed (that is, on first run) */
750 if( rs->ecdsa_ctx.grp.pbits == 0 )
751 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
752
753 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
754 hash, hash_len, sig, sig_size, sig_len,
755 f_rng, p_rng, &rs->ecdsa_rs ) );
756
757 cleanup:
758 return( ret );
759 }
760 #endif /* MBEDTLS_ECP_RESTARTABLE */
761 #endif /* MBEDTLS_ECDSA_C */
762
eckey_check_pair(const void * pub,const void * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)763 static int eckey_check_pair( const void *pub, const void *prv,
764 int (*f_rng)(void *, unsigned char *, size_t),
765 void *p_rng )
766 {
767 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
768 (const mbedtls_ecp_keypair *) prv,
769 f_rng, p_rng ) );
770 }
771
eckey_alloc_wrap(void)772 static void *eckey_alloc_wrap( void )
773 {
774 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
775
776 if( ctx != NULL )
777 mbedtls_ecp_keypair_init( ctx );
778
779 return( ctx );
780 }
781
eckey_free_wrap(void * ctx)782 static void eckey_free_wrap( void *ctx )
783 {
784 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
785 mbedtls_free( ctx );
786 }
787
eckey_debug(const void * ctx,mbedtls_pk_debug_item * items)788 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
789 {
790 items->type = MBEDTLS_PK_DEBUG_ECP;
791 items->name = "eckey.Q";
792 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
793 }
794
795 const mbedtls_pk_info_t mbedtls_eckey_info = {
796 MBEDTLS_PK_ECKEY,
797 "EC",
798 eckey_get_bitlen,
799 eckey_can_do,
800 #if defined(MBEDTLS_ECDSA_C)
801 eckey_verify_wrap,
802 eckey_sign_wrap,
803 #if defined(MBEDTLS_ECP_RESTARTABLE)
804 eckey_verify_rs_wrap,
805 eckey_sign_rs_wrap,
806 #endif
807 #else /* MBEDTLS_ECDSA_C */
808 NULL,
809 NULL,
810 #endif /* MBEDTLS_ECDSA_C */
811 NULL,
812 NULL,
813 eckey_check_pair,
814 eckey_alloc_wrap,
815 eckey_free_wrap,
816 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
817 eckey_rs_alloc,
818 eckey_rs_free,
819 #endif
820 eckey_debug,
821 };
822
823 /*
824 * EC key restricted to ECDH
825 */
eckeydh_can_do(mbedtls_pk_type_t type)826 static int eckeydh_can_do( mbedtls_pk_type_t type )
827 {
828 return( type == MBEDTLS_PK_ECKEY ||
829 type == MBEDTLS_PK_ECKEY_DH );
830 }
831
832 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
833 MBEDTLS_PK_ECKEY_DH,
834 "EC_DH",
835 eckey_get_bitlen, /* Same underlying key structure */
836 eckeydh_can_do,
837 NULL,
838 NULL,
839 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
840 NULL,
841 NULL,
842 #endif
843 NULL,
844 NULL,
845 eckey_check_pair,
846 eckey_alloc_wrap, /* Same underlying key structure */
847 eckey_free_wrap, /* Same underlying key structure */
848 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
849 NULL,
850 NULL,
851 #endif
852 eckey_debug, /* Same underlying key structure */
853 };
854 #endif /* MBEDTLS_ECP_C */
855
856 #if defined(MBEDTLS_ECDSA_C)
ecdsa_can_do(mbedtls_pk_type_t type)857 static int ecdsa_can_do( mbedtls_pk_type_t type )
858 {
859 return( type == MBEDTLS_PK_ECDSA );
860 }
861
862 #if defined(MBEDTLS_USE_PSA_CRYPTO)
863 /*
864 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
865 * those integers and convert it to the fixed-length encoding expected by PSA.
866 */
extract_ecdsa_sig_int(unsigned char ** from,const unsigned char * end,unsigned char * to,size_t to_len)867 static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end,
868 unsigned char *to, size_t to_len )
869 {
870 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
871 size_t unpadded_len, padding_len;
872
873 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len,
874 MBEDTLS_ASN1_INTEGER ) ) != 0 )
875 {
876 return( ret );
877 }
878
879 while( unpadded_len > 0 && **from == 0x00 )
880 {
881 ( *from )++;
882 unpadded_len--;
883 }
884
885 if( unpadded_len > to_len || unpadded_len == 0 )
886 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
887
888 padding_len = to_len - unpadded_len;
889 memset( to, 0x00, padding_len );
890 memcpy( to + padding_len, *from, unpadded_len );
891 ( *from ) += unpadded_len;
892
893 return( 0 );
894 }
895
896 /*
897 * Convert a signature from an ASN.1 sequence of two integers
898 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
899 * twice as big as int_size.
900 */
extract_ecdsa_sig(unsigned char ** p,const unsigned char * end,unsigned char * sig,size_t int_size)901 static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end,
902 unsigned char *sig, size_t int_size )
903 {
904 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
905 size_t tmp_size;
906
907 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size,
908 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
909 return( ret );
910
911 /* Extract r */
912 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 )
913 return( ret );
914 /* Extract s */
915 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 )
916 return( ret );
917
918 return( 0 );
919 }
920
ecdsa_verify_wrap(void * ctx_arg,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)921 static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
922 const unsigned char *hash, size_t hash_len,
923 const unsigned char *sig, size_t sig_len )
924 {
925 mbedtls_ecdsa_context *ctx = ctx_arg;
926 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
927 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
928 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
929 psa_status_t status;
930 mbedtls_pk_context key;
931 int key_len;
932 unsigned char buf[MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES];
933 unsigned char *p;
934 mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
935 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
936 size_t curve_bits;
937 psa_ecc_family_t curve =
938 mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits );
939 const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8;
940 ((void) md_alg);
941
942 if( curve == 0 )
943 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
944
945 /* mbedtls_pk_write_pubkey() expects a full PK context;
946 * re-construct one to make it happy */
947 key.pk_info = &pk_info;
948 key.pk_ctx = ctx;
949 p = buf + sizeof( buf );
950 key_len = mbedtls_pk_write_pubkey( &p, buf, &key );
951 if( key_len <= 0 )
952 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
953
954 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) );
955 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
956 psa_set_key_algorithm( &attributes, psa_sig_md );
957
958 status = psa_import_key( &attributes,
959 buf + sizeof( buf ) - key_len, key_len,
960 &key_id );
961 if( status != PSA_SUCCESS )
962 {
963 ret = mbedtls_pk_error_from_psa( status );
964 goto cleanup;
965 }
966
967 /* We don't need the exported key anymore and can
968 * reuse its buffer for signature extraction. */
969 if( 2 * signature_part_size > sizeof( buf ) )
970 {
971 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
972 goto cleanup;
973 }
974
975 p = (unsigned char*) sig;
976 if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf,
977 signature_part_size ) ) != 0 )
978 {
979 goto cleanup;
980 }
981
982 status = psa_verify_hash( key_id, psa_sig_md,
983 hash, hash_len,
984 buf, 2 * signature_part_size );
985 if( status != PSA_SUCCESS )
986 {
987 ret = mbedtls_pk_error_from_psa_ecdsa( status );
988 goto cleanup;
989 }
990
991 if( p != sig + sig_len )
992 {
993 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
994 goto cleanup;
995 }
996 ret = 0;
997
998 cleanup:
999 status = psa_destroy_key( key_id );
1000 if( ret == 0 && status != PSA_SUCCESS )
1001 ret = mbedtls_pk_error_from_psa( status );
1002
1003 return( ret );
1004 }
1005 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)1006 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
1007 const unsigned char *hash, size_t hash_len,
1008 const unsigned char *sig, size_t sig_len )
1009 {
1010 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1011 ((void) md_alg);
1012
1013 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
1014 hash, hash_len, sig, sig_len );
1015
1016 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
1017 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
1018
1019 return( ret );
1020 }
1021 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1022
1023 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1024 /*
1025 * Simultaneously convert and move raw MPI from the beginning of a buffer
1026 * to an ASN.1 MPI at the end of the buffer.
1027 * See also mbedtls_asn1_write_mpi().
1028 *
1029 * p: pointer to the end of the output buffer
1030 * start: start of the output buffer, and also of the mpi to write at the end
1031 * n_len: length of the mpi to read from start
1032 */
asn1_write_mpibuf(unsigned char ** p,unsigned char * start,size_t n_len)1033 static int asn1_write_mpibuf( unsigned char **p, unsigned char *start,
1034 size_t n_len )
1035 {
1036 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1037 size_t len = 0;
1038
1039 if( (size_t)( *p - start ) < n_len )
1040 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
1041
1042 len = n_len;
1043 *p -= len;
1044 memmove( *p, start, len );
1045
1046 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
1047 * Neither r nor s should be 0, but as a failsafe measure, still detect
1048 * that rather than overflowing the buffer in case of a PSA error. */
1049 while( len > 0 && **p == 0x00 )
1050 {
1051 ++(*p);
1052 --len;
1053 }
1054
1055 /* this is only reached if the signature was invalid */
1056 if( len == 0 )
1057 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1058
1059 /* if the msb is 1, ASN.1 requires that we prepend a 0.
1060 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
1061 if( **p & 0x80 )
1062 {
1063 if( *p - start < 1 )
1064 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
1065
1066 *--(*p) = 0x00;
1067 len += 1;
1068 }
1069
1070 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
1071 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
1072 MBEDTLS_ASN1_INTEGER ) );
1073
1074 return( (int) len );
1075 }
1076
1077 /* Transcode signature from PSA format to ASN.1 sequence.
1078 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
1079 * MPIs, and in-place.
1080 *
1081 * [in/out] sig: the signature pre- and post-transcoding
1082 * [in/out] sig_len: signature length pre- and post-transcoding
1083 * [int] buf_len: the available size the in/out buffer
1084 */
pk_ecdsa_sig_asn1_from_psa(unsigned char * sig,size_t * sig_len,size_t buf_len)1085 static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len,
1086 size_t buf_len )
1087 {
1088 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1089 size_t len = 0;
1090 const size_t rs_len = *sig_len / 2;
1091 unsigned char *p = sig + buf_len;
1092
1093 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) );
1094 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) );
1095
1096 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) );
1097 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig,
1098 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
1099
1100 memmove( sig, p, len );
1101 *sig_len = len;
1102
1103 return( 0 );
1104 }
1105
1106 /* Locate an ECDSA privateKey in a RFC 5915, or SEC1 Appendix C.4 ASN.1 buffer
1107 *
1108 * [in/out] buf: ASN.1 buffer start as input - ECDSA privateKey start as output
1109 * [in] end: ASN.1 buffer end
1110 * [out] key_len: the ECDSA privateKey length in bytes
1111 */
find_ecdsa_private_key(unsigned char ** buf,unsigned char * end,size_t * key_len)1112 static int find_ecdsa_private_key( unsigned char **buf, unsigned char *end,
1113 size_t *key_len )
1114 {
1115 size_t len;
1116 int ret;
1117
1118 /*
1119 * RFC 5915, or SEC1 Appendix C.4
1120 *
1121 * ECPrivateKey ::= SEQUENCE {
1122 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
1123 * privateKey OCTET STRING,
1124 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
1125 * publicKey [1] BIT STRING OPTIONAL
1126 * }
1127 */
1128
1129 if( ( ret = mbedtls_asn1_get_tag( buf, end, &len,
1130 MBEDTLS_ASN1_CONSTRUCTED |
1131 MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1132 return( ret );
1133
1134 /* version */
1135 if( ( ret = mbedtls_asn1_get_tag( buf, end, &len,
1136 MBEDTLS_ASN1_INTEGER ) ) != 0 )
1137 return( ret );
1138
1139 *buf += len;
1140
1141 /* privateKey */
1142 if( ( ret = mbedtls_asn1_get_tag( buf, end, &len,
1143 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1144 return( ret );
1145
1146 *key_len = len;
1147
1148 return 0;
1149 }
1150
ecdsa_sign_wrap(void * ctx_arg,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1151 static int ecdsa_sign_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
1152 const unsigned char *hash, size_t hash_len,
1153 unsigned char *sig, size_t sig_size, size_t *sig_len,
1154 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1155 {
1156 mbedtls_ecdsa_context *ctx = ctx_arg;
1157 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1158 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1159 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
1160 psa_status_t status;
1161 mbedtls_pk_context key;
1162 size_t key_len;
1163 unsigned char buf[MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES];
1164 unsigned char *p;
1165 psa_algorithm_t psa_sig_md =
1166 PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) );
1167 size_t curve_bits;
1168 psa_ecc_family_t curve =
1169 mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits );
1170
1171 /* PSA has its own RNG */
1172 ((void) f_rng);
1173 ((void) p_rng);
1174
1175 if( curve == 0 )
1176 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1177
1178 /* mbedtls_pk_write_key_der() expects a full PK context;
1179 * re-construct one to make it happy */
1180 key.pk_info = &mbedtls_eckey_info;
1181 key.pk_ctx = ctx;
1182 key_len = mbedtls_pk_write_key_der( &key, buf, sizeof( buf ) );
1183 if( key_len <= 0 )
1184 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1185
1186 p = buf + sizeof( buf ) - key_len;
1187 ret = find_ecdsa_private_key( &p, buf + sizeof( buf ), &key_len );
1188 if( ret != 0 )
1189 goto cleanup;
1190
1191 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_KEY_PAIR( curve ) );
1192 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH );
1193 psa_set_key_algorithm( &attributes, psa_sig_md );
1194
1195 status = psa_import_key( &attributes,
1196 p, key_len,
1197 &key_id );
1198 if( status != PSA_SUCCESS )
1199 {
1200 ret = mbedtls_pk_error_from_psa( status );
1201 goto cleanup;
1202 }
1203
1204 status = psa_sign_hash( key_id, psa_sig_md, hash, hash_len,
1205 sig, sig_size, sig_len );
1206 if( status != PSA_SUCCESS )
1207 {
1208 ret = mbedtls_pk_error_from_psa_ecdsa( status );
1209 goto cleanup;
1210 }
1211
1212 ret = pk_ecdsa_sig_asn1_from_psa( sig, sig_len, sig_size );
1213
1214 cleanup:
1215 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1216 status = psa_destroy_key( key_id );
1217 if( ret == 0 && status != PSA_SUCCESS )
1218 ret = mbedtls_pk_error_from_psa( status );
1219
1220 return( ret );
1221 }
1222 #else
ecdsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1223 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
1224 const unsigned char *hash, size_t hash_len,
1225 unsigned char *sig, size_t sig_size, size_t *sig_len,
1226 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1227 {
1228 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
1229 md_alg, hash, hash_len,
1230 sig, sig_size, sig_len,
1231 f_rng, p_rng ) );
1232 }
1233 #endif
1234
1235 #if defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)1236 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
1237 const unsigned char *hash, size_t hash_len,
1238 const unsigned char *sig, size_t sig_len,
1239 void *rs_ctx )
1240 {
1241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1242 ((void) md_alg);
1243
1244 ret = mbedtls_ecdsa_read_signature_restartable(
1245 (mbedtls_ecdsa_context *) ctx,
1246 hash, hash_len, sig, sig_len,
1247 (mbedtls_ecdsa_restart_ctx *) rs_ctx );
1248
1249 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
1250 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
1251
1252 return( ret );
1253 }
1254
ecdsa_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)1255 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
1256 const unsigned char *hash, size_t hash_len,
1257 unsigned char *sig, size_t sig_size, size_t *sig_len,
1258 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1259 void *rs_ctx )
1260 {
1261 return( mbedtls_ecdsa_write_signature_restartable(
1262 (mbedtls_ecdsa_context *) ctx,
1263 md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
1264 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
1265
1266 }
1267 #endif /* MBEDTLS_ECP_RESTARTABLE */
1268
ecdsa_alloc_wrap(void)1269 static void *ecdsa_alloc_wrap( void )
1270 {
1271 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
1272
1273 if( ctx != NULL )
1274 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
1275
1276 return( ctx );
1277 }
1278
ecdsa_free_wrap(void * ctx)1279 static void ecdsa_free_wrap( void *ctx )
1280 {
1281 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
1282 mbedtls_free( ctx );
1283 }
1284
1285 #if defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_rs_alloc(void)1286 static void *ecdsa_rs_alloc( void )
1287 {
1288 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
1289
1290 if( ctx != NULL )
1291 mbedtls_ecdsa_restart_init( ctx );
1292
1293 return( ctx );
1294 }
1295
ecdsa_rs_free(void * ctx)1296 static void ecdsa_rs_free( void *ctx )
1297 {
1298 mbedtls_ecdsa_restart_free( ctx );
1299 mbedtls_free( ctx );
1300 }
1301 #endif /* MBEDTLS_ECP_RESTARTABLE */
1302
1303 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
1304 MBEDTLS_PK_ECDSA,
1305 "ECDSA",
1306 eckey_get_bitlen, /* Compatible key structures */
1307 ecdsa_can_do,
1308 ecdsa_verify_wrap,
1309 ecdsa_sign_wrap,
1310 #if defined(MBEDTLS_ECP_RESTARTABLE)
1311 ecdsa_verify_rs_wrap,
1312 ecdsa_sign_rs_wrap,
1313 #endif
1314 NULL,
1315 NULL,
1316 eckey_check_pair, /* Compatible key structures */
1317 ecdsa_alloc_wrap,
1318 ecdsa_free_wrap,
1319 #if defined(MBEDTLS_ECP_RESTARTABLE)
1320 ecdsa_rs_alloc,
1321 ecdsa_rs_free,
1322 #endif
1323 eckey_debug, /* Compatible key structures */
1324 };
1325 #endif /* MBEDTLS_ECDSA_C */
1326
1327 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
1328 /*
1329 * Support for alternative RSA-private implementations
1330 */
1331
rsa_alt_can_do(mbedtls_pk_type_t type)1332 static int rsa_alt_can_do( mbedtls_pk_type_t type )
1333 {
1334 return( type == MBEDTLS_PK_RSA );
1335 }
1336
rsa_alt_get_bitlen(const void * ctx)1337 static size_t rsa_alt_get_bitlen( const void *ctx )
1338 {
1339 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
1340
1341 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
1342 }
1343
rsa_alt_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1344 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
1345 const unsigned char *hash, size_t hash_len,
1346 unsigned char *sig, size_t sig_size, size_t *sig_len,
1347 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1348 {
1349 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
1350
1351 #if SIZE_MAX > UINT_MAX
1352 if( UINT_MAX < hash_len )
1353 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1354 #endif /* SIZE_MAX > UINT_MAX */
1355
1356 *sig_len = rsa_alt->key_len_func( rsa_alt->key );
1357 if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
1358 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1359 if( *sig_len > sig_size )
1360 return( MBEDTLS_ERR_PK_BUFFER_TOO_SMALL );
1361
1362 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng,
1363 md_alg, (unsigned int) hash_len, hash, sig ) );
1364 }
1365
rsa_alt_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1366 static int rsa_alt_decrypt_wrap( void *ctx,
1367 const unsigned char *input, size_t ilen,
1368 unsigned char *output, size_t *olen, size_t osize,
1369 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1370 {
1371 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
1372
1373 ((void) f_rng);
1374 ((void) p_rng);
1375
1376 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
1377 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1378
1379 return( rsa_alt->decrypt_func( rsa_alt->key,
1380 olen, input, output, osize ) );
1381 }
1382
1383 #if defined(MBEDTLS_RSA_C)
rsa_alt_check_pair(const void * pub,const void * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1384 static int rsa_alt_check_pair( const void *pub, const void *prv,
1385 int (*f_rng)(void *, unsigned char *, size_t),
1386 void *p_rng )
1387 {
1388 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
1389 unsigned char hash[32];
1390 size_t sig_len = 0;
1391 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1392
1393 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
1394 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
1395
1396 memset( hash, 0x2a, sizeof( hash ) );
1397
1398 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
1399 hash, sizeof( hash ),
1400 sig, sizeof( sig ), &sig_len,
1401 f_rng, p_rng ) ) != 0 )
1402 {
1403 return( ret );
1404 }
1405
1406 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
1407 hash, sizeof( hash ), sig, sig_len ) != 0 )
1408 {
1409 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
1410 }
1411
1412 return( 0 );
1413 }
1414 #endif /* MBEDTLS_RSA_C */
1415
rsa_alt_alloc_wrap(void)1416 static void *rsa_alt_alloc_wrap( void )
1417 {
1418 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
1419
1420 if( ctx != NULL )
1421 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
1422
1423 return( ctx );
1424 }
1425
rsa_alt_free_wrap(void * ctx)1426 static void rsa_alt_free_wrap( void *ctx )
1427 {
1428 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
1429 mbedtls_free( ctx );
1430 }
1431
1432 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
1433 MBEDTLS_PK_RSA_ALT,
1434 "RSA-alt",
1435 rsa_alt_get_bitlen,
1436 rsa_alt_can_do,
1437 NULL,
1438 rsa_alt_sign_wrap,
1439 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1440 NULL,
1441 NULL,
1442 #endif
1443 rsa_alt_decrypt_wrap,
1444 NULL,
1445 #if defined(MBEDTLS_RSA_C)
1446 rsa_alt_check_pair,
1447 #else
1448 NULL,
1449 #endif
1450 rsa_alt_alloc_wrap,
1451 rsa_alt_free_wrap,
1452 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1453 NULL,
1454 NULL,
1455 #endif
1456 NULL,
1457 };
1458
1459 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1460
1461 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1462
pk_opaque_alloc_wrap(void)1463 static void *pk_opaque_alloc_wrap( void )
1464 {
1465 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_svc_key_id_t ) );
1466
1467 /* no _init() function to call, as calloc() already zeroized */
1468
1469 return( ctx );
1470 }
1471
pk_opaque_free_wrap(void * ctx)1472 static void pk_opaque_free_wrap( void *ctx )
1473 {
1474 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_svc_key_id_t ) );
1475 mbedtls_free( ctx );
1476 }
1477
pk_opaque_get_bitlen(const void * ctx)1478 static size_t pk_opaque_get_bitlen( const void *ctx )
1479 {
1480 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
1481 size_t bits;
1482 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1483
1484 if( PSA_SUCCESS != psa_get_key_attributes( *key, &attributes ) )
1485 return( 0 );
1486
1487 bits = psa_get_key_bits( &attributes );
1488 psa_reset_key_attributes( &attributes );
1489 return( bits );
1490 }
1491
pk_opaque_ecdsa_can_do(mbedtls_pk_type_t type)1492 static int pk_opaque_ecdsa_can_do( mbedtls_pk_type_t type )
1493 {
1494 return( type == MBEDTLS_PK_ECKEY ||
1495 type == MBEDTLS_PK_ECDSA );
1496 }
1497
pk_opaque_rsa_can_do(mbedtls_pk_type_t type)1498 static int pk_opaque_rsa_can_do( mbedtls_pk_type_t type )
1499 {
1500 return( type == MBEDTLS_PK_RSA ||
1501 type == MBEDTLS_PK_RSASSA_PSS );
1502 }
1503
pk_opaque_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1504 static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
1505 const unsigned char *hash, size_t hash_len,
1506 unsigned char *sig, size_t sig_size, size_t *sig_len,
1507 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1508 {
1509 #if !defined(MBEDTLS_ECDSA_C) && !defined(MBEDTLS_RSA_C)
1510 ((void) ctx);
1511 ((void) md_alg);
1512 ((void) hash);
1513 ((void) hash_len);
1514 ((void) sig);
1515 ((void) sig_size);
1516 ((void) sig_len);
1517 ((void) f_rng);
1518 ((void) p_rng);
1519 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1520 #else /* !MBEDTLS_ECDSA_C && !MBEDTLS_RSA_C */
1521 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
1522 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1523 psa_algorithm_t alg;
1524 psa_key_type_t type;
1525 psa_status_t status;
1526
1527 /* PSA has its own RNG */
1528 (void) f_rng;
1529 (void) p_rng;
1530
1531 status = psa_get_key_attributes( *key, &attributes );
1532 if( status != PSA_SUCCESS )
1533 return( mbedtls_pk_error_from_psa( status ) );
1534
1535 type = psa_get_key_type( &attributes );
1536 psa_reset_key_attributes( &attributes );
1537
1538 #if defined(MBEDTLS_ECDSA_C)
1539 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
1540 alg = PSA_ALG_ECDSA( mbedtls_hash_info_psa_from_md( md_alg ) );
1541 else
1542 #endif /* MBEDTLS_ECDSA_C */
1543 #if defined(MBEDTLS_RSA_C)
1544 if( PSA_KEY_TYPE_IS_RSA( type ) )
1545 alg = PSA_ALG_RSA_PKCS1V15_SIGN( mbedtls_hash_info_psa_from_md( md_alg ) );
1546 else
1547 #endif /* MBEDTLS_RSA_C */
1548 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1549
1550 /* make the signature */
1551 status = psa_sign_hash( *key, alg, hash, hash_len,
1552 sig, sig_size, sig_len );
1553 if( status != PSA_SUCCESS )
1554 {
1555 #if defined(MBEDTLS_ECDSA_C)
1556 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
1557 return( mbedtls_pk_error_from_psa_ecdsa( status ) );
1558 else
1559 #endif /* MBEDTLS_ECDSA_C */
1560 #if defined(MBEDTLS_RSA_C)
1561 if( PSA_KEY_TYPE_IS_RSA( type ) )
1562 return( mbedtls_pk_error_from_psa_rsa( status ) );
1563 else
1564 #endif /* MBEDTLS_RSA_C */
1565 return( mbedtls_pk_error_from_psa( status ) );
1566 }
1567
1568 #if defined(MBEDTLS_ECDSA_C)
1569 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
1570 /* transcode it to ASN.1 sequence */
1571 return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, sig_size ) );
1572 #endif /* MBEDTLS_ECDSA_C */
1573
1574 return 0;
1575 #endif /* !MBEDTLS_ECDSA_C && !MBEDTLS_RSA_C */
1576 }
1577
1578 const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
1579 MBEDTLS_PK_OPAQUE,
1580 "Opaque",
1581 pk_opaque_get_bitlen,
1582 pk_opaque_ecdsa_can_do,
1583 NULL, /* verify - will be done later */
1584 pk_opaque_sign_wrap,
1585 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1586 NULL, /* restartable verify - not relevant */
1587 NULL, /* restartable sign - not relevant */
1588 #endif
1589 NULL, /* decrypt - not relevant */
1590 NULL, /* encrypt - not relevant */
1591 NULL, /* check_pair - could be done later or left NULL */
1592 pk_opaque_alloc_wrap,
1593 pk_opaque_free_wrap,
1594 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1595 NULL, /* restart alloc - not relevant */
1596 NULL, /* restart free - not relevant */
1597 #endif
1598 NULL, /* debug - could be done later, or even left NULL */
1599 };
1600
1601 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
pk_opaque_rsa_decrypt(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1602 static int pk_opaque_rsa_decrypt( void *ctx,
1603 const unsigned char *input, size_t ilen,
1604 unsigned char *output, size_t *olen, size_t osize,
1605 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1606 {
1607 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
1608 psa_status_t status;
1609
1610 /* PSA has its own RNG */
1611 (void) f_rng;
1612 (void) p_rng;
1613
1614 status = psa_asymmetric_decrypt( *key, PSA_ALG_RSA_PKCS1V15_CRYPT,
1615 input, ilen,
1616 NULL, 0,
1617 output, osize, olen );
1618 if( status != PSA_SUCCESS )
1619 {
1620 return( mbedtls_pk_error_from_psa_rsa( status ) );
1621 }
1622
1623 return 0;
1624 }
1625 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
1626
1627 const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info = {
1628 MBEDTLS_PK_OPAQUE,
1629 "Opaque",
1630 pk_opaque_get_bitlen,
1631 pk_opaque_rsa_can_do,
1632 NULL, /* verify - will be done later */
1633 pk_opaque_sign_wrap,
1634 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1635 NULL, /* restartable verify - not relevant */
1636 NULL, /* restartable sign - not relevant */
1637 #endif
1638 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
1639 pk_opaque_rsa_decrypt,
1640 #else
1641 NULL, /* decrypt - not available */
1642 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
1643 NULL, /* encrypt - will be done later */
1644 NULL, /* check_pair - could be done later or left NULL */
1645 pk_opaque_alloc_wrap,
1646 pk_opaque_free_wrap,
1647 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1648 NULL, /* restart alloc - not relevant */
1649 NULL, /* restart free - not relevant */
1650 #endif
1651 NULL, /* debug - could be done later, or even left NULL */
1652 };
1653
1654 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1655
1656 #endif /* MBEDTLS_PK_C */
1657
