1 /*
2 * Public Key abstraction layer: wrapper functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #include "mbedtls/platform_util.h"
11
12 #if defined(MBEDTLS_PK_C)
13 #include "pk_wrap.h"
14 #include "pk_internal.h"
15 #include "mbedtls/error.h"
16 #include "mbedtls/psa_util.h"
17
18 /* Even if RSA not activated, for the sake of RSA-alt */
19 #include "mbedtls/rsa.h"
20
21 #if defined(MBEDTLS_ECP_C)
22 #include "mbedtls/ecp.h"
23 #endif
24
25 #if defined(MBEDTLS_ECDSA_C)
26 #include "mbedtls/ecdsa.h"
27 #endif
28
29 #if defined(MBEDTLS_USE_PSA_CRYPTO)
30 #include "psa_util_internal.h"
31 #include "psa/crypto.h"
32 #include "mbedtls/psa_util.h"
33
34 #if defined(MBEDTLS_RSA_C)
35 #include "pkwrite.h"
36 #include "rsa_internal.h"
37 #endif
38
39 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
40 #include "mbedtls/asn1write.h"
41 #include "mbedtls/asn1.h"
42 #endif
43 #endif /* MBEDTLS_USE_PSA_CRYPTO */
44
45 #include "mbedtls/platform.h"
46
47 #include <limits.h>
48 #include <stdint.h>
49 #include <string.h>
50
51 #if defined(MBEDTLS_RSA_C)
rsa_can_do(mbedtls_pk_type_t type)52 static int rsa_can_do(mbedtls_pk_type_t type)
53 {
54 return type == MBEDTLS_PK_RSA ||
55 type == MBEDTLS_PK_RSASSA_PSS;
56 }
57
rsa_get_bitlen(mbedtls_pk_context * pk)58 static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
59 {
60 const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
61 return mbedtls_rsa_get_bitlen(rsa);
62 }
63
64 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)65 static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
66 const unsigned char *hash, size_t hash_len,
67 const unsigned char *sig, size_t sig_len)
68 {
69 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
70 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
71 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
72 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
73 psa_status_t status;
74 int key_len;
75 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
76 unsigned char *p = buf + sizeof(buf);
77 psa_algorithm_t psa_alg_md;
78 size_t rsa_len = mbedtls_rsa_get_len(rsa);
79
80 #if SIZE_MAX > UINT_MAX
81 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
82 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
83 }
84 #endif
85
86 if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
87 psa_alg_md = PSA_ALG_RSA_PSS(mbedtls_md_psa_alg_from_type(md_alg));
88 } else {
89 psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
90 }
91
92 if (sig_len < rsa_len) {
93 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
94 }
95
96 key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
97 if (key_len <= 0) {
98 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
99 }
100
101 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
102 psa_set_key_algorithm(&attributes, psa_alg_md);
103 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
104
105 status = psa_import_key(&attributes,
106 buf + sizeof(buf) - key_len, key_len,
107 &key_id);
108 if (status != PSA_SUCCESS) {
109 ret = PSA_PK_TO_MBEDTLS_ERR(status);
110 goto cleanup;
111 }
112
113 status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
114 sig, sig_len);
115 if (status != PSA_SUCCESS) {
116 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
117 goto cleanup;
118 }
119 ret = 0;
120
121 cleanup:
122 status = psa_destroy_key(key_id);
123 if (ret == 0 && status != PSA_SUCCESS) {
124 ret = PSA_PK_TO_MBEDTLS_ERR(status);
125 }
126
127 return ret;
128 }
129 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)130 static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
131 const unsigned char *hash, size_t hash_len,
132 const unsigned char *sig, size_t sig_len)
133 {
134 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
135 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
136 size_t rsa_len = mbedtls_rsa_get_len(rsa);
137
138 #if SIZE_MAX > UINT_MAX
139 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
140 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
141 }
142 #endif
143
144 if (sig_len < rsa_len) {
145 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
146 }
147
148 if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
149 (unsigned int) hash_len,
150 hash, sig)) != 0) {
151 return ret;
152 }
153
154 /* The buffer contains a valid signature followed by extra data.
155 * We have a special error code for that so that so that callers can
156 * use mbedtls_pk_verify() to check "Does the buffer start with a
157 * valid signature?" and not just "Does the buffer contain a valid
158 * signature?". */
159 if (sig_len > rsa_len) {
160 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
161 }
162
163 return 0;
164 }
165 #endif /* MBEDTLS_USE_PSA_CRYPTO */
166
167 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,mbedtls_rsa_context * rsa_ctx,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len)168 int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
169 mbedtls_rsa_context *rsa_ctx,
170 const unsigned char *hash, size_t hash_len,
171 unsigned char *sig, size_t sig_size,
172 size_t *sig_len)
173 {
174 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
175 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
176 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
177 psa_status_t status;
178 int key_len;
179 unsigned char *buf = NULL;
180 unsigned char *p;
181
182 buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
183 if (buf == NULL) {
184 return MBEDTLS_ERR_PK_ALLOC_FAILED;
185 }
186 p = buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES;
187
188 *sig_len = mbedtls_rsa_get_len(rsa_ctx);
189 if (sig_size < *sig_len) {
190 mbedtls_free(buf);
191 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
192 }
193
194 key_len = mbedtls_rsa_write_key(rsa_ctx, buf, &p);
195 if (key_len <= 0) {
196 mbedtls_free(buf);
197 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
198 }
199 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
200 psa_set_key_algorithm(&attributes, alg);
201 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
202
203 status = psa_import_key(&attributes,
204 buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
205 &key_id);
206 if (status != PSA_SUCCESS) {
207 ret = PSA_PK_TO_MBEDTLS_ERR(status);
208 goto cleanup;
209 }
210 status = psa_sign_hash(key_id, alg, hash, hash_len,
211 sig, sig_size, sig_len);
212 if (status != PSA_SUCCESS) {
213 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
214 goto cleanup;
215 }
216
217 ret = 0;
218
219 cleanup:
220 mbedtls_free(buf);
221 status = psa_destroy_key(key_id);
222 if (ret == 0 && status != PSA_SUCCESS) {
223 ret = PSA_PK_TO_MBEDTLS_ERR(status);
224 }
225 return ret;
226 }
227 #endif /* MBEDTLS_USE_PSA_CRYPTO */
228
229 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)230 static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
231 const unsigned char *hash, size_t hash_len,
232 unsigned char *sig, size_t sig_size, size_t *sig_len,
233 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
234 {
235 ((void) f_rng);
236 ((void) p_rng);
237
238 psa_algorithm_t psa_md_alg;
239 psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
240 if (psa_md_alg == 0) {
241 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
242 }
243 psa_algorithm_t psa_alg;
244 if (mbedtls_rsa_get_padding_mode(mbedtls_pk_rsa(*pk)) == MBEDTLS_RSA_PKCS_V21) {
245 psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
246 } else {
247 psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
248 }
249
250 return mbedtls_pk_psa_rsa_sign_ext(psa_alg, pk->pk_ctx, hash, hash_len,
251 sig, sig_size, sig_len);
252 }
253 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)254 static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
255 const unsigned char *hash, size_t hash_len,
256 unsigned char *sig, size_t sig_size, size_t *sig_len,
257 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
258 {
259 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
260
261 #if SIZE_MAX > UINT_MAX
262 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
263 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
264 }
265 #endif
266
267 *sig_len = mbedtls_rsa_get_len(rsa);
268 if (sig_size < *sig_len) {
269 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
270 }
271
272 return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
273 md_alg, (unsigned int) hash_len,
274 hash, sig);
275 }
276 #endif /* MBEDTLS_USE_PSA_CRYPTO */
277
278 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_decrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)279 static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
280 const unsigned char *input, size_t ilen,
281 unsigned char *output, size_t *olen, size_t osize,
282 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
283 {
284 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
286 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
287 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
288 psa_algorithm_t psa_md_alg, decrypt_alg;
289 psa_status_t status;
290 int key_len;
291 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
292 unsigned char *p = buf + sizeof(buf);
293
294 ((void) f_rng);
295 ((void) p_rng);
296
297 if (ilen != mbedtls_rsa_get_len(rsa)) {
298 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
299 }
300
301 key_len = mbedtls_rsa_write_key(rsa, buf, &p);
302 if (key_len <= 0) {
303 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
304 }
305
306 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
307 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
308 if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
309 psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
310 decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
311 } else {
312 decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
313 }
314 psa_set_key_algorithm(&attributes, decrypt_alg);
315
316 status = psa_import_key(&attributes,
317 buf + sizeof(buf) - key_len, key_len,
318 &key_id);
319 if (status != PSA_SUCCESS) {
320 ret = PSA_PK_TO_MBEDTLS_ERR(status);
321 goto cleanup;
322 }
323
324 status = psa_asymmetric_decrypt(key_id, decrypt_alg,
325 input, ilen,
326 NULL, 0,
327 output, osize, olen);
328 if (status != PSA_SUCCESS) {
329 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
330 goto cleanup;
331 }
332
333 ret = 0;
334
335 cleanup:
336 mbedtls_platform_zeroize(buf, sizeof(buf));
337 status = psa_destroy_key(key_id);
338 if (ret == 0 && status != PSA_SUCCESS) {
339 ret = PSA_PK_TO_MBEDTLS_ERR(status);
340 }
341
342 return ret;
343 }
344 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_decrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)345 static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
346 const unsigned char *input, size_t ilen,
347 unsigned char *output, size_t *olen, size_t osize,
348 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
349 {
350 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
351
352 if (ilen != mbedtls_rsa_get_len(rsa)) {
353 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
354 }
355
356 return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
357 olen, input, output, osize);
358 }
359 #endif /* MBEDTLS_USE_PSA_CRYPTO */
360
361 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_encrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)362 static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
363 const unsigned char *input, size_t ilen,
364 unsigned char *output, size_t *olen, size_t osize,
365 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
366 {
367 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
368 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
369 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
370 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
371 psa_algorithm_t psa_md_alg, psa_encrypt_alg;
372 psa_status_t status;
373 int key_len;
374 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
375 unsigned char *p = buf + sizeof(buf);
376
377 ((void) f_rng);
378 ((void) p_rng);
379
380 if (mbedtls_rsa_get_len(rsa) > osize) {
381 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
382 }
383
384 key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
385 if (key_len <= 0) {
386 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
387 }
388
389 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
390 if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
391 psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
392 psa_encrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
393 } else {
394 psa_encrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
395 }
396 psa_set_key_algorithm(&attributes, psa_encrypt_alg);
397 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
398
399 status = psa_import_key(&attributes,
400 buf + sizeof(buf) - key_len, key_len,
401 &key_id);
402 if (status != PSA_SUCCESS) {
403 ret = PSA_PK_TO_MBEDTLS_ERR(status);
404 goto cleanup;
405 }
406
407 status = psa_asymmetric_encrypt(key_id, psa_encrypt_alg,
408 input, ilen,
409 NULL, 0,
410 output, osize, olen);
411 if (status != PSA_SUCCESS) {
412 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
413 goto cleanup;
414 }
415
416 ret = 0;
417
418 cleanup:
419 status = psa_destroy_key(key_id);
420 if (ret == 0 && status != PSA_SUCCESS) {
421 ret = PSA_PK_TO_MBEDTLS_ERR(status);
422 }
423
424 return ret;
425 }
426 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_encrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)427 static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
428 const unsigned char *input, size_t ilen,
429 unsigned char *output, size_t *olen, size_t osize,
430 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
431 {
432 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
433 *olen = mbedtls_rsa_get_len(rsa);
434
435 if (*olen > osize) {
436 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
437 }
438
439 return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
440 ilen, input, output);
441 }
442 #endif /* MBEDTLS_USE_PSA_CRYPTO */
443
rsa_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)444 static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
445 int (*f_rng)(void *, unsigned char *, size_t),
446 void *p_rng)
447 {
448 (void) f_rng;
449 (void) p_rng;
450 return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
451 (const mbedtls_rsa_context *) prv->pk_ctx);
452 }
453
rsa_alloc_wrap(void)454 static void *rsa_alloc_wrap(void)
455 {
456 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
457
458 if (ctx != NULL) {
459 mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
460 }
461
462 return ctx;
463 }
464
rsa_free_wrap(void * ctx)465 static void rsa_free_wrap(void *ctx)
466 {
467 mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
468 mbedtls_free(ctx);
469 }
470
rsa_debug(mbedtls_pk_context * pk,mbedtls_pk_debug_item * items)471 static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
472 {
473 #if defined(MBEDTLS_RSA_ALT)
474 /* Not supported */
475 (void) pk;
476 (void) items;
477 #else
478 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
479
480 items->type = MBEDTLS_PK_DEBUG_MPI;
481 items->name = "rsa.N";
482 items->value = &(rsa->N);
483
484 items++;
485
486 items->type = MBEDTLS_PK_DEBUG_MPI;
487 items->name = "rsa.E";
488 items->value = &(rsa->E);
489 #endif
490 }
491
492 const mbedtls_pk_info_t mbedtls_rsa_info = {
493 .type = MBEDTLS_PK_RSA,
494 .name = "RSA",
495 .get_bitlen = rsa_get_bitlen,
496 .can_do = rsa_can_do,
497 .verify_func = rsa_verify_wrap,
498 .sign_func = rsa_sign_wrap,
499 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
500 .verify_rs_func = NULL,
501 .sign_rs_func = NULL,
502 .rs_alloc_func = NULL,
503 .rs_free_func = NULL,
504 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
505 .decrypt_func = rsa_decrypt_wrap,
506 .encrypt_func = rsa_encrypt_wrap,
507 .check_pair_func = rsa_check_pair_wrap,
508 .ctx_alloc_func = rsa_alloc_wrap,
509 .ctx_free_func = rsa_free_wrap,
510 .debug_func = rsa_debug,
511 };
512 #endif /* MBEDTLS_RSA_C */
513
514 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
515 /*
516 * Generic EC key
517 */
eckey_can_do(mbedtls_pk_type_t type)518 static int eckey_can_do(mbedtls_pk_type_t type)
519 {
520 return type == MBEDTLS_PK_ECKEY ||
521 type == MBEDTLS_PK_ECKEY_DH ||
522 type == MBEDTLS_PK_ECDSA;
523 }
524
eckey_get_bitlen(mbedtls_pk_context * pk)525 static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
526 {
527 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
528 return pk->ec_bits;
529 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
530 mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
531 return ecp->grp.pbits;
532 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
533 }
534
535 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
536 #if defined(MBEDTLS_USE_PSA_CRYPTO)
537 /* Common helper for ECDSA verify using PSA functions. */
ecdsa_verify_psa(unsigned char * key,size_t key_len,psa_ecc_family_t curve,size_t curve_bits,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)538 static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
539 psa_ecc_family_t curve, size_t curve_bits,
540 const unsigned char *hash, size_t hash_len,
541 const unsigned char *sig, size_t sig_len)
542 {
543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
544 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
545 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
546 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
547 size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
548 size_t converted_sig_len;
549 unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
550 unsigned char *p;
551 psa_status_t status;
552
553 if (curve == 0) {
554 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
555 }
556
557 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
558 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
559 psa_set_key_algorithm(&attributes, psa_sig_md);
560
561 status = psa_import_key(&attributes, key, key_len, &key_id);
562 if (status != PSA_SUCCESS) {
563 ret = PSA_PK_TO_MBEDTLS_ERR(status);
564 goto cleanup;
565 }
566
567 if (signature_len > sizeof(extracted_sig)) {
568 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
569 goto cleanup;
570 }
571
572 p = (unsigned char *) sig;
573 ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig,
574 sizeof(extracted_sig), &converted_sig_len);
575 if (ret != 0) {
576 goto cleanup;
577 }
578
579 if (converted_sig_len != signature_len) {
580 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
581 goto cleanup;
582 }
583
584 status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
585 extracted_sig, signature_len);
586 if (status != PSA_SUCCESS) {
587 ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
588 goto cleanup;
589 }
590
591 ret = 0;
592
593 cleanup:
594 status = psa_destroy_key(key_id);
595 if (ret == 0 && status != PSA_SUCCESS) {
596 ret = PSA_PK_TO_MBEDTLS_ERR(status);
597 }
598
599 return ret;
600 }
601
ecdsa_opaque_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)602 static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
603 mbedtls_md_type_t md_alg,
604 const unsigned char *hash, size_t hash_len,
605 const unsigned char *sig, size_t sig_len)
606 {
607 (void) md_alg;
608 unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
609 size_t key_len;
610 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
611 psa_ecc_family_t curve;
612 size_t curve_bits;
613 psa_status_t status;
614
615 status = psa_get_key_attributes(pk->priv_id, &key_attr);
616 if (status != PSA_SUCCESS) {
617 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
618 }
619 curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
620 curve_bits = psa_get_key_bits(&key_attr);
621 psa_reset_key_attributes(&key_attr);
622
623 status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
624 if (status != PSA_SUCCESS) {
625 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
626 }
627
628 return ecdsa_verify_psa(key, key_len, curve, curve_bits,
629 hash, hash_len, sig, sig_len);
630 }
631
632 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
ecdsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)633 static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
634 mbedtls_md_type_t md_alg,
635 const unsigned char *hash, size_t hash_len,
636 const unsigned char *sig, size_t sig_len)
637 {
638 (void) md_alg;
639 psa_ecc_family_t curve = pk->ec_family;
640 size_t curve_bits = pk->ec_bits;
641
642 return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
643 hash, hash_len, sig, sig_len);
644 }
645 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ecdsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)646 static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
647 mbedtls_md_type_t md_alg,
648 const unsigned char *hash, size_t hash_len,
649 const unsigned char *sig, size_t sig_len)
650 {
651 (void) md_alg;
652 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
653 mbedtls_ecp_keypair *ctx = pk->pk_ctx;
654 unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
655 size_t key_len;
656 size_t curve_bits;
657 psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
658
659 ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
660 MBEDTLS_ECP_PF_UNCOMPRESSED,
661 &key_len, key, sizeof(key));
662 if (ret != 0) {
663 return ret;
664 }
665
666 return ecdsa_verify_psa(key, key_len, curve, curve_bits,
667 hash, hash_len, sig, sig_len);
668 }
669 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
670 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)671 static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
672 const unsigned char *hash, size_t hash_len,
673 const unsigned char *sig, size_t sig_len)
674 {
675 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
676 ((void) md_alg);
677
678 ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
679 hash, hash_len, sig, sig_len);
680
681 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
682 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
683 }
684
685 return ret;
686 }
687 #endif /* MBEDTLS_USE_PSA_CRYPTO */
688 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
689
690 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
691 #if defined(MBEDTLS_USE_PSA_CRYPTO)
692 /* Common helper for ECDSA sign using PSA functions.
693 * Instead of extracting key's properties in order to check which kind of ECDSA
694 * signature it supports, we try both deterministic and non-deterministic.
695 */
ecdsa_sign_psa(mbedtls_svc_key_id_t key_id,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len)696 static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
697 const unsigned char *hash, size_t hash_len,
698 unsigned char *sig, size_t sig_size, size_t *sig_len)
699 {
700 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
701 psa_status_t status;
702 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
703 size_t key_bits = 0;
704
705 status = psa_get_key_attributes(key_id, &key_attr);
706 if (status != PSA_SUCCESS) {
707 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
708 }
709 key_bits = psa_get_key_bits(&key_attr);
710 psa_reset_key_attributes(&key_attr);
711
712 status = psa_sign_hash(key_id,
713 PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
714 hash, hash_len, sig, sig_size, sig_len);
715 if (status == PSA_SUCCESS) {
716 goto done;
717 } else if (status != PSA_ERROR_NOT_PERMITTED) {
718 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
719 }
720
721 status = psa_sign_hash(key_id,
722 PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
723 hash, hash_len, sig, sig_size, sig_len);
724 if (status != PSA_SUCCESS) {
725 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
726 }
727
728 done:
729 ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len);
730
731 return ret;
732 }
733
ecdsa_opaque_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)734 static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
735 mbedtls_md_type_t md_alg,
736 const unsigned char *hash, size_t hash_len,
737 unsigned char *sig, size_t sig_size,
738 size_t *sig_len,
739 int (*f_rng)(void *, unsigned char *, size_t),
740 void *p_rng)
741 {
742 ((void) f_rng);
743 ((void) p_rng);
744
745 return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
746 sig_len);
747 }
748
749 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
750 /* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
751 * using the same function. */
752 #define ecdsa_sign_wrap ecdsa_opaque_sign_wrap
753 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ecdsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)754 static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
755 const unsigned char *hash, size_t hash_len,
756 unsigned char *sig, size_t sig_size, size_t *sig_len,
757 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
758 {
759 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
760 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
761 psa_status_t status;
762 mbedtls_ecp_keypair *ctx = pk->pk_ctx;
763 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
764 unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
765 size_t curve_bits;
766 psa_ecc_family_t curve =
767 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
768 size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
769 psa_algorithm_t psa_hash = mbedtls_md_psa_alg_from_type(md_alg);
770 psa_algorithm_t psa_sig_md = MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(psa_hash);
771 ((void) f_rng);
772 ((void) p_rng);
773
774 if (curve == 0) {
775 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
776 }
777
778 if (key_len > sizeof(buf)) {
779 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
780 }
781 ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
782 if (ret != 0) {
783 goto cleanup;
784 }
785
786 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
787 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
788 psa_set_key_algorithm(&attributes, psa_sig_md);
789
790 status = psa_import_key(&attributes, buf, key_len, &key_id);
791 if (status != PSA_SUCCESS) {
792 ret = PSA_PK_TO_MBEDTLS_ERR(status);
793 goto cleanup;
794 }
795
796 ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
797
798 cleanup:
799 mbedtls_platform_zeroize(buf, sizeof(buf));
800 status = psa_destroy_key(key_id);
801 if (ret == 0 && status != PSA_SUCCESS) {
802 ret = PSA_PK_TO_MBEDTLS_ERR(status);
803 }
804
805 return ret;
806 }
807 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
808 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)809 static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
810 const unsigned char *hash, size_t hash_len,
811 unsigned char *sig, size_t sig_size, size_t *sig_len,
812 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
813 {
814 return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
815 md_alg, hash, hash_len,
816 sig, sig_size, sig_len,
817 f_rng, p_rng);
818 }
819 #endif /* MBEDTLS_USE_PSA_CRYPTO */
820 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
821
822 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
823 /* Forward declarations */
824 static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
825 const unsigned char *hash, size_t hash_len,
826 const unsigned char *sig, size_t sig_len,
827 void *rs_ctx);
828
829 static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
830 const unsigned char *hash, size_t hash_len,
831 unsigned char *sig, size_t sig_size, size_t *sig_len,
832 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
833 void *rs_ctx);
834
835 /*
836 * Restart context for ECDSA operations with ECKEY context
837 *
838 * We need to store an actual ECDSA context, as we need to pass the same to
839 * the underlying ecdsa function, so we can't create it on the fly every time.
840 */
841 typedef struct {
842 mbedtls_ecdsa_restart_ctx ecdsa_rs;
843 mbedtls_ecdsa_context ecdsa_ctx;
844 } eckey_restart_ctx;
845
eckey_rs_alloc(void)846 static void *eckey_rs_alloc(void)
847 {
848 eckey_restart_ctx *rs_ctx;
849
850 void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
851
852 if (ctx != NULL) {
853 rs_ctx = ctx;
854 mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
855 mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
856 }
857
858 return ctx;
859 }
860
eckey_rs_free(void * ctx)861 static void eckey_rs_free(void *ctx)
862 {
863 eckey_restart_ctx *rs_ctx;
864
865 if (ctx == NULL) {
866 return;
867 }
868
869 rs_ctx = ctx;
870 mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
871 mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
872
873 mbedtls_free(ctx);
874 }
875
eckey_verify_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)876 static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
877 const unsigned char *hash, size_t hash_len,
878 const unsigned char *sig, size_t sig_len,
879 void *rs_ctx)
880 {
881 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
882 eckey_restart_ctx *rs = rs_ctx;
883
884 /* Should never happen */
885 if (rs == NULL) {
886 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
887 }
888
889 /* set up our own sub-context if needed (that is, on first run) */
890 if (rs->ecdsa_ctx.grp.pbits == 0) {
891 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
892 }
893
894 MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
895 md_alg, hash, hash_len,
896 sig, sig_len, &rs->ecdsa_rs));
897
898 cleanup:
899 return ret;
900 }
901
eckey_sign_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)902 static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
903 const unsigned char *hash, size_t hash_len,
904 unsigned char *sig, size_t sig_size, size_t *sig_len,
905 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
906 void *rs_ctx)
907 {
908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
909 eckey_restart_ctx *rs = rs_ctx;
910
911 /* Should never happen */
912 if (rs == NULL) {
913 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
914 }
915
916 /* set up our own sub-context if needed (that is, on first run) */
917 if (rs->ecdsa_ctx.grp.pbits == 0) {
918 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
919 }
920
921 MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
922 hash, hash_len, sig, sig_size, sig_len,
923 f_rng, p_rng, &rs->ecdsa_rs));
924
925 cleanup:
926 return ret;
927 }
928 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
929
930 #if defined(MBEDTLS_USE_PSA_CRYPTO)
931 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
eckey_check_pair_psa(mbedtls_pk_context * pub,mbedtls_pk_context * prv)932 static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
933 {
934 psa_status_t status;
935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
936 uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
937 size_t prv_key_len;
938 mbedtls_svc_key_id_t key_id = prv->priv_id;
939
940 status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
941 &prv_key_len);
942 ret = PSA_PK_TO_MBEDTLS_ERR(status);
943 if (ret != 0) {
944 return ret;
945 }
946
947 if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
948 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
949 }
950
951 return 0;
952 }
953 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
eckey_check_pair_psa(mbedtls_pk_context * pub,mbedtls_pk_context * prv)954 static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
955 {
956 psa_status_t status;
957 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
958 uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
959 size_t prv_key_len;
960 psa_status_t destruction_status;
961 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
962 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
963 uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
964 size_t pub_key_len;
965 size_t curve_bits;
966 const psa_ecc_family_t curve =
967 mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
968 const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
969
970 if (curve == 0) {
971 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
972 }
973
974 psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
975 psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
976
977 ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
978 prv_key_buf, curve_bytes);
979 if (ret != 0) {
980 mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
981 return ret;
982 }
983
984 status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
985 mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
986 ret = PSA_PK_TO_MBEDTLS_ERR(status);
987 if (ret != 0) {
988 return ret;
989 }
990
991 // From now on prv_key_buf is used to store the public key of prv.
992 status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
993 &prv_key_len);
994 ret = PSA_PK_TO_MBEDTLS_ERR(status);
995 destruction_status = psa_destroy_key(key_id);
996 if (ret != 0) {
997 return ret;
998 } else if (destruction_status != PSA_SUCCESS) {
999 return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
1000 }
1001
1002 ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
1003 &mbedtls_pk_ec_rw(*pub)->Q,
1004 MBEDTLS_ECP_PF_UNCOMPRESSED,
1005 &pub_key_len, pub_key_buf,
1006 sizeof(pub_key_buf));
1007 if (ret != 0) {
1008 return ret;
1009 }
1010
1011 if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
1012 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1013 }
1014
1015 return 0;
1016 }
1017 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1018
eckey_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1019 static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1020 int (*f_rng)(void *, unsigned char *, size_t),
1021 void *p_rng)
1022 {
1023 (void) f_rng;
1024 (void) p_rng;
1025 return eckey_check_pair_psa(pub, prv);
1026 }
1027 #else /* MBEDTLS_USE_PSA_CRYPTO */
eckey_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1028 static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1029 int (*f_rng)(void *, unsigned char *, size_t),
1030 void *p_rng)
1031 {
1032 return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
1033 (const mbedtls_ecp_keypair *) prv->pk_ctx,
1034 f_rng, p_rng);
1035 }
1036 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1037
1038 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1039 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1040 /* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
1041 * using the same function. */
1042 #define ecdsa_opaque_check_pair_wrap eckey_check_pair_wrap
1043 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ecdsa_opaque_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1044 static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
1045 mbedtls_pk_context *prv,
1046 int (*f_rng)(void *, unsigned char *, size_t),
1047 void *p_rng)
1048 {
1049 psa_status_t status;
1050 uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1051 size_t exp_pub_key_len = 0;
1052 uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1053 size_t pub_key_len = 0;
1054 int ret;
1055 (void) f_rng;
1056 (void) p_rng;
1057
1058 status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
1059 &exp_pub_key_len);
1060 if (status != PSA_SUCCESS) {
1061 ret = psa_pk_status_to_mbedtls(status);
1062 return ret;
1063 }
1064 ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
1065 &(mbedtls_pk_ec_ro(*pub)->Q),
1066 MBEDTLS_ECP_PF_UNCOMPRESSED,
1067 &pub_key_len, pub_key, sizeof(pub_key));
1068 if (ret != 0) {
1069 return ret;
1070 }
1071 if ((exp_pub_key_len != pub_key_len) ||
1072 memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
1073 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1074 }
1075 return 0;
1076 }
1077 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1078 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1079
1080 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
eckey_alloc_wrap(void)1081 static void *eckey_alloc_wrap(void)
1082 {
1083 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
1084
1085 if (ctx != NULL) {
1086 mbedtls_ecp_keypair_init(ctx);
1087 }
1088
1089 return ctx;
1090 }
1091
eckey_free_wrap(void * ctx)1092 static void eckey_free_wrap(void *ctx)
1093 {
1094 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
1095 mbedtls_free(ctx);
1096 }
1097 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1098
eckey_debug(mbedtls_pk_context * pk,mbedtls_pk_debug_item * items)1099 static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
1100 {
1101 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1102 items->type = MBEDTLS_PK_DEBUG_PSA_EC;
1103 items->name = "eckey.Q";
1104 items->value = pk;
1105 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1106 mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
1107 items->type = MBEDTLS_PK_DEBUG_ECP;
1108 items->name = "eckey.Q";
1109 items->value = &(ecp->Q);
1110 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1111 }
1112
1113 const mbedtls_pk_info_t mbedtls_eckey_info = {
1114 .type = MBEDTLS_PK_ECKEY,
1115 .name = "EC",
1116 .get_bitlen = eckey_get_bitlen,
1117 .can_do = eckey_can_do,
1118 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1119 .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
1120 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1121 .verify_func = NULL,
1122 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1123 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1124 .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
1125 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1126 .sign_func = NULL,
1127 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1128 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1129 .verify_rs_func = eckey_verify_rs_wrap,
1130 .sign_rs_func = eckey_sign_rs_wrap,
1131 .rs_alloc_func = eckey_rs_alloc,
1132 .rs_free_func = eckey_rs_free,
1133 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1134 .decrypt_func = NULL,
1135 .encrypt_func = NULL,
1136 .check_pair_func = eckey_check_pair_wrap,
1137 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1138 .ctx_alloc_func = NULL,
1139 .ctx_free_func = NULL,
1140 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1141 .ctx_alloc_func = eckey_alloc_wrap,
1142 .ctx_free_func = eckey_free_wrap,
1143 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1144 .debug_func = eckey_debug,
1145 };
1146
1147 /*
1148 * EC key restricted to ECDH
1149 */
eckeydh_can_do(mbedtls_pk_type_t type)1150 static int eckeydh_can_do(mbedtls_pk_type_t type)
1151 {
1152 return type == MBEDTLS_PK_ECKEY ||
1153 type == MBEDTLS_PK_ECKEY_DH;
1154 }
1155
1156 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
1157 .type = MBEDTLS_PK_ECKEY_DH,
1158 .name = "EC_DH",
1159 .get_bitlen = eckey_get_bitlen, /* Same underlying key structure */
1160 .can_do = eckeydh_can_do,
1161 .verify_func = NULL,
1162 .sign_func = NULL,
1163 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1164 .verify_rs_func = NULL,
1165 .sign_rs_func = NULL,
1166 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1167 .decrypt_func = NULL,
1168 .encrypt_func = NULL,
1169 .check_pair_func = eckey_check_pair_wrap,
1170 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1171 .ctx_alloc_func = NULL,
1172 .ctx_free_func = NULL,
1173 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1174 .ctx_alloc_func = eckey_alloc_wrap, /* Same underlying key structure */
1175 .ctx_free_func = eckey_free_wrap, /* Same underlying key structure */
1176 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1177 .debug_func = eckey_debug, /* Same underlying key structure */
1178 };
1179
1180 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
ecdsa_can_do(mbedtls_pk_type_t type)1181 static int ecdsa_can_do(mbedtls_pk_type_t type)
1182 {
1183 return type == MBEDTLS_PK_ECDSA;
1184 }
1185
1186 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_verify_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)1187 static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1188 const unsigned char *hash, size_t hash_len,
1189 const unsigned char *sig, size_t sig_len,
1190 void *rs_ctx)
1191 {
1192 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1193 ((void) md_alg);
1194
1195 ret = mbedtls_ecdsa_read_signature_restartable(
1196 (mbedtls_ecdsa_context *) pk->pk_ctx,
1197 hash, hash_len, sig, sig_len,
1198 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1199
1200 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
1201 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
1202 }
1203
1204 return ret;
1205 }
1206
ecdsa_sign_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)1207 static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1208 const unsigned char *hash, size_t hash_len,
1209 unsigned char *sig, size_t sig_size, size_t *sig_len,
1210 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1211 void *rs_ctx)
1212 {
1213 return mbedtls_ecdsa_write_signature_restartable(
1214 (mbedtls_ecdsa_context *) pk->pk_ctx,
1215 md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
1216 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1217
1218 }
1219
ecdsa_rs_alloc(void)1220 static void *ecdsa_rs_alloc(void)
1221 {
1222 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
1223
1224 if (ctx != NULL) {
1225 mbedtls_ecdsa_restart_init(ctx);
1226 }
1227
1228 return ctx;
1229 }
1230
ecdsa_rs_free(void * ctx)1231 static void ecdsa_rs_free(void *ctx)
1232 {
1233 mbedtls_ecdsa_restart_free(ctx);
1234 mbedtls_free(ctx);
1235 }
1236 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1237
1238 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
1239 .type = MBEDTLS_PK_ECDSA,
1240 .name = "ECDSA",
1241 .get_bitlen = eckey_get_bitlen, /* Compatible key structures */
1242 .can_do = ecdsa_can_do,
1243 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1244 .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
1245 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1246 .verify_func = NULL,
1247 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1248 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1249 .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
1250 #else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1251 .sign_func = NULL,
1252 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1253 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1254 .verify_rs_func = ecdsa_verify_rs_wrap,
1255 .sign_rs_func = ecdsa_sign_rs_wrap,
1256 .rs_alloc_func = ecdsa_rs_alloc,
1257 .rs_free_func = ecdsa_rs_free,
1258 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1259 .decrypt_func = NULL,
1260 .encrypt_func = NULL,
1261 .check_pair_func = eckey_check_pair_wrap, /* Compatible key structures */
1262 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1263 .ctx_alloc_func = NULL,
1264 .ctx_free_func = NULL,
1265 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1266 .ctx_alloc_func = eckey_alloc_wrap, /* Compatible key structures */
1267 .ctx_free_func = eckey_free_wrap, /* Compatible key structures */
1268 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1269 .debug_func = eckey_debug, /* Compatible key structures */
1270 };
1271 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
1272 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1273
1274 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
1275 /*
1276 * Support for alternative RSA-private implementations
1277 */
1278
rsa_alt_can_do(mbedtls_pk_type_t type)1279 static int rsa_alt_can_do(mbedtls_pk_type_t type)
1280 {
1281 return type == MBEDTLS_PK_RSA;
1282 }
1283
rsa_alt_get_bitlen(mbedtls_pk_context * pk)1284 static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
1285 {
1286 const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1287
1288 return 8 * rsa_alt->key_len_func(rsa_alt->key);
1289 }
1290
rsa_alt_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1291 static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1292 const unsigned char *hash, size_t hash_len,
1293 unsigned char *sig, size_t sig_size, size_t *sig_len,
1294 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1295 {
1296 mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1297
1298 #if SIZE_MAX > UINT_MAX
1299 if (UINT_MAX < hash_len) {
1300 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1301 }
1302 #endif
1303
1304 *sig_len = rsa_alt->key_len_func(rsa_alt->key);
1305 if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
1306 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1307 }
1308 if (*sig_len > sig_size) {
1309 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
1310 }
1311
1312 return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
1313 md_alg, (unsigned int) hash_len, hash, sig);
1314 }
1315
rsa_alt_decrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1316 static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
1317 const unsigned char *input, size_t ilen,
1318 unsigned char *output, size_t *olen, size_t osize,
1319 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1320 {
1321 mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1322
1323 ((void) f_rng);
1324 ((void) p_rng);
1325
1326 if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
1327 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1328 }
1329
1330 return rsa_alt->decrypt_func(rsa_alt->key,
1331 olen, input, output, osize);
1332 }
1333
1334 #if defined(MBEDTLS_RSA_C)
rsa_alt_check_pair(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1335 static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1336 int (*f_rng)(void *, unsigned char *, size_t),
1337 void *p_rng)
1338 {
1339 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
1340 unsigned char hash[32];
1341 size_t sig_len = 0;
1342 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1343
1344 if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
1345 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1346 }
1347
1348 memset(hash, 0x2a, sizeof(hash));
1349
1350 if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
1351 hash, sizeof(hash),
1352 sig, sizeof(sig), &sig_len,
1353 f_rng, p_rng)) != 0) {
1354 return ret;
1355 }
1356
1357 if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
1358 hash, sizeof(hash), sig, sig_len) != 0) {
1359 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1360 }
1361
1362 return 0;
1363 }
1364 #endif /* MBEDTLS_RSA_C */
1365
rsa_alt_alloc_wrap(void)1366 static void *rsa_alt_alloc_wrap(void)
1367 {
1368 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
1369
1370 if (ctx != NULL) {
1371 memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
1372 }
1373
1374 return ctx;
1375 }
1376
rsa_alt_free_wrap(void * ctx)1377 static void rsa_alt_free_wrap(void *ctx)
1378 {
1379 mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
1380 }
1381
1382 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
1383 .type = MBEDTLS_PK_RSA_ALT,
1384 .name = "RSA-alt",
1385 .get_bitlen = rsa_alt_get_bitlen,
1386 .can_do = rsa_alt_can_do,
1387 .verify_func = NULL,
1388 .sign_func = rsa_alt_sign_wrap,
1389 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1390 .verify_rs_func = NULL,
1391 .sign_rs_func = NULL,
1392 .rs_alloc_func = NULL,
1393 .rs_free_func = NULL,
1394 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1395 .decrypt_func = rsa_alt_decrypt_wrap,
1396 .encrypt_func = NULL,
1397 #if defined(MBEDTLS_RSA_C)
1398 .check_pair_func = rsa_alt_check_pair,
1399 #else
1400 .check_pair_func = NULL,
1401 #endif
1402 .ctx_alloc_func = rsa_alt_alloc_wrap,
1403 .ctx_free_func = rsa_alt_free_wrap,
1404 .debug_func = NULL,
1405 };
1406 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1407
1408 #if defined(MBEDTLS_USE_PSA_CRYPTO)
opaque_get_bitlen(mbedtls_pk_context * pk)1409 static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
1410 {
1411 size_t bits;
1412 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1413
1414 if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
1415 return 0;
1416 }
1417
1418 bits = psa_get_key_bits(&attributes);
1419 psa_reset_key_attributes(&attributes);
1420 return bits;
1421 }
1422
1423 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
ecdsa_opaque_can_do(mbedtls_pk_type_t type)1424 static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
1425 {
1426 return type == MBEDTLS_PK_ECKEY ||
1427 type == MBEDTLS_PK_ECDSA;
1428 }
1429
1430 const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
1431 .type = MBEDTLS_PK_OPAQUE,
1432 .name = "Opaque",
1433 .get_bitlen = opaque_get_bitlen,
1434 .can_do = ecdsa_opaque_can_do,
1435 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1436 .verify_func = ecdsa_opaque_verify_wrap,
1437 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1438 .verify_func = NULL,
1439 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1440 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1441 .sign_func = ecdsa_opaque_sign_wrap,
1442 #else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1443 .sign_func = NULL,
1444 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1445 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1446 .verify_rs_func = NULL,
1447 .sign_rs_func = NULL,
1448 .rs_alloc_func = NULL,
1449 .rs_free_func = NULL,
1450 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1451 .decrypt_func = NULL,
1452 .encrypt_func = NULL,
1453 .check_pair_func = ecdsa_opaque_check_pair_wrap,
1454 .ctx_alloc_func = NULL,
1455 .ctx_free_func = NULL,
1456 .debug_func = NULL,
1457 };
1458 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1459
rsa_opaque_can_do(mbedtls_pk_type_t type)1460 static int rsa_opaque_can_do(mbedtls_pk_type_t type)
1461 {
1462 return type == MBEDTLS_PK_RSA ||
1463 type == MBEDTLS_PK_RSASSA_PSS;
1464 }
1465
1466 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
rsa_opaque_decrypt(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1467 static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
1468 const unsigned char *input, size_t ilen,
1469 unsigned char *output, size_t *olen, size_t osize,
1470 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1471 {
1472 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1473 psa_algorithm_t alg;
1474 psa_key_type_t type;
1475 psa_status_t status;
1476
1477 /* PSA has its own RNG */
1478 (void) f_rng;
1479 (void) p_rng;
1480
1481 status = psa_get_key_attributes(pk->priv_id, &attributes);
1482 if (status != PSA_SUCCESS) {
1483 return PSA_PK_TO_MBEDTLS_ERR(status);
1484 }
1485
1486 type = psa_get_key_type(&attributes);
1487 alg = psa_get_key_algorithm(&attributes);
1488 psa_reset_key_attributes(&attributes);
1489
1490 if (!PSA_KEY_TYPE_IS_RSA(type)) {
1491 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1492 }
1493
1494 status = psa_asymmetric_decrypt(pk->priv_id, alg, input, ilen, NULL, 0, output, osize, olen);
1495 if (status != PSA_SUCCESS) {
1496 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1497 }
1498
1499 return 0;
1500 }
1501 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1502
rsa_opaque_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1503 static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1504 const unsigned char *hash, size_t hash_len,
1505 unsigned char *sig, size_t sig_size, size_t *sig_len,
1506 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1507 {
1508 #if defined(MBEDTLS_RSA_C)
1509 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1510 psa_algorithm_t alg;
1511 psa_key_type_t type;
1512 psa_status_t status;
1513
1514 /* PSA has its own RNG */
1515 (void) f_rng;
1516 (void) p_rng;
1517
1518 status = psa_get_key_attributes(pk->priv_id, &attributes);
1519 if (status != PSA_SUCCESS) {
1520 return PSA_PK_TO_MBEDTLS_ERR(status);
1521 }
1522
1523 type = psa_get_key_type(&attributes);
1524 alg = psa_get_key_algorithm(&attributes);
1525 psa_reset_key_attributes(&attributes);
1526
1527 if (PSA_KEY_TYPE_IS_RSA(type)) {
1528 alg = (alg & ~PSA_ALG_HASH_MASK) | mbedtls_md_psa_alg_from_type(md_alg);
1529 } else {
1530 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1531 }
1532
1533 status = psa_sign_hash(pk->priv_id, alg, hash, hash_len, sig, sig_size, sig_len);
1534 if (status != PSA_SUCCESS) {
1535 if (PSA_KEY_TYPE_IS_RSA(type)) {
1536 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1537 } else {
1538 return PSA_PK_TO_MBEDTLS_ERR(status);
1539 }
1540 }
1541
1542 return 0;
1543 #else /* !MBEDTLS_RSA_C */
1544 ((void) pk);
1545 ((void) md_alg);
1546 ((void) hash);
1547 ((void) hash_len);
1548 ((void) sig);
1549 ((void) sig_size);
1550 ((void) sig_len);
1551 ((void) f_rng);
1552 ((void) p_rng);
1553 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1554 #endif /* !MBEDTLS_RSA_C */
1555 }
1556
1557 const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
1558 .type = MBEDTLS_PK_OPAQUE,
1559 .name = "Opaque",
1560 .get_bitlen = opaque_get_bitlen,
1561 .can_do = rsa_opaque_can_do,
1562 .verify_func = NULL,
1563 .sign_func = rsa_opaque_sign_wrap,
1564 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1565 .verify_rs_func = NULL,
1566 .sign_rs_func = NULL,
1567 .rs_alloc_func = NULL,
1568 .rs_free_func = NULL,
1569 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1570 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
1571 .decrypt_func = rsa_opaque_decrypt,
1572 #else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1573 .decrypt_func = NULL,
1574 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1575 .encrypt_func = NULL,
1576 .check_pair_func = NULL,
1577 .ctx_alloc_func = NULL,
1578 .ctx_free_func = NULL,
1579 .debug_func = NULL,
1580 };
1581
1582 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1583
1584 #endif /* MBEDTLS_PK_C */
1585
