1 /*
2 * Public Key abstraction layer
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_PK_C)
23 #include "mbedtls/pk.h"
24 #include "pk_wrap.h"
25 #include "pkwrite.h"
26
27 #include "hash_info.h"
28
29 #include "mbedtls/platform_util.h"
30 #include "mbedtls/error.h"
31
32 #if defined(MBEDTLS_RSA_C)
33 #include "mbedtls/rsa.h"
34 #endif
35 #if defined(MBEDTLS_ECP_C)
36 #include "mbedtls/ecp.h"
37 #endif
38 #if defined(MBEDTLS_ECDSA_C)
39 #include "mbedtls/ecdsa.h"
40 #endif
41
42 #if defined(MBEDTLS_PSA_CRYPTO_C)
43 #include "mbedtls/psa_util.h"
44 #endif
45
46 #include <limits.h>
47 #include <stdint.h>
48
49 /*
50 * Initialise a mbedtls_pk_context
51 */
mbedtls_pk_init(mbedtls_pk_context * ctx)52 void mbedtls_pk_init( mbedtls_pk_context *ctx )
53 {
54 ctx->pk_info = NULL;
55 ctx->pk_ctx = NULL;
56 }
57
58 /*
59 * Free (the components of) a mbedtls_pk_context
60 */
mbedtls_pk_free(mbedtls_pk_context * ctx)61 void mbedtls_pk_free( mbedtls_pk_context *ctx )
62 {
63 if( ctx == NULL )
64 return;
65
66 if ( ctx->pk_info != NULL )
67 ctx->pk_info->ctx_free_func( ctx->pk_ctx );
68
69 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pk_context ) );
70 }
71
72 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
73 /*
74 * Initialize a restart context
75 */
mbedtls_pk_restart_init(mbedtls_pk_restart_ctx * ctx)76 void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
77 {
78 ctx->pk_info = NULL;
79 ctx->rs_ctx = NULL;
80 }
81
82 /*
83 * Free the components of a restart context
84 */
mbedtls_pk_restart_free(mbedtls_pk_restart_ctx * ctx)85 void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx )
86 {
87 if( ctx == NULL || ctx->pk_info == NULL ||
88 ctx->pk_info->rs_free_func == NULL )
89 {
90 return;
91 }
92
93 ctx->pk_info->rs_free_func( ctx->rs_ctx );
94
95 ctx->pk_info = NULL;
96 ctx->rs_ctx = NULL;
97 }
98 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
99
100 /*
101 * Get pk_info structure from type
102 */
mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)103 const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type )
104 {
105 switch( pk_type ) {
106 #if defined(MBEDTLS_RSA_C)
107 case MBEDTLS_PK_RSA:
108 return( &mbedtls_rsa_info );
109 #endif
110 #if defined(MBEDTLS_ECP_C)
111 case MBEDTLS_PK_ECKEY:
112 return( &mbedtls_eckey_info );
113 case MBEDTLS_PK_ECKEY_DH:
114 return( &mbedtls_eckeydh_info );
115 #endif
116 #if defined(MBEDTLS_ECDSA_C)
117 case MBEDTLS_PK_ECDSA:
118 return( &mbedtls_ecdsa_info );
119 #endif
120 /* MBEDTLS_PK_RSA_ALT omitted on purpose */
121 default:
122 return( NULL );
123 }
124 }
125
126 /*
127 * Initialise context
128 */
mbedtls_pk_setup(mbedtls_pk_context * ctx,const mbedtls_pk_info_t * info)129 int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
130 {
131 if( info == NULL || ctx->pk_info != NULL )
132 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
133
134 if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
135 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
136
137 ctx->pk_info = info;
138
139 return( 0 );
140 }
141
142 #if defined(MBEDTLS_USE_PSA_CRYPTO)
143 /*
144 * Initialise a PSA-wrapping context
145 */
mbedtls_pk_setup_opaque(mbedtls_pk_context * ctx,const mbedtls_svc_key_id_t key)146 int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
147 const mbedtls_svc_key_id_t key )
148 {
149 const mbedtls_pk_info_t *info = NULL;
150 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
151 mbedtls_svc_key_id_t *pk_ctx;
152 psa_key_type_t type;
153
154 if( ctx == NULL || ctx->pk_info != NULL )
155 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
156
157 if( PSA_SUCCESS != psa_get_key_attributes( key, &attributes ) )
158 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
159 type = psa_get_key_type( &attributes );
160 psa_reset_key_attributes( &attributes );
161
162 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
163 info = &mbedtls_pk_ecdsa_opaque_info;
164 else if( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
165 info = &mbedtls_pk_rsa_opaque_info;
166 else
167 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
168
169 if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
170 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
171
172 ctx->pk_info = info;
173
174 pk_ctx = (mbedtls_svc_key_id_t *) ctx->pk_ctx;
175 *pk_ctx = key;
176
177 return( 0 );
178 }
179 #endif /* MBEDTLS_USE_PSA_CRYPTO */
180
181 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
182 /*
183 * Initialize an RSA-alt context
184 */
mbedtls_pk_setup_rsa_alt(mbedtls_pk_context * ctx,void * key,mbedtls_pk_rsa_alt_decrypt_func decrypt_func,mbedtls_pk_rsa_alt_sign_func sign_func,mbedtls_pk_rsa_alt_key_len_func key_len_func)185 int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
186 mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
187 mbedtls_pk_rsa_alt_sign_func sign_func,
188 mbedtls_pk_rsa_alt_key_len_func key_len_func )
189 {
190 mbedtls_rsa_alt_context *rsa_alt;
191 const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
192
193 if( ctx->pk_info != NULL )
194 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
195
196 if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
197 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
198
199 ctx->pk_info = info;
200
201 rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
202
203 rsa_alt->key = key;
204 rsa_alt->decrypt_func = decrypt_func;
205 rsa_alt->sign_func = sign_func;
206 rsa_alt->key_len_func = key_len_func;
207
208 return( 0 );
209 }
210 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
211
212 /*
213 * Tell if a PK can do the operations of the given type
214 */
mbedtls_pk_can_do(const mbedtls_pk_context * ctx,mbedtls_pk_type_t type)215 int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
216 {
217 /* A context with null pk_info is not set up yet and can't do anything.
218 * For backward compatibility, also accept NULL instead of a context
219 * pointer. */
220 if( ctx == NULL || ctx->pk_info == NULL )
221 return( 0 );
222
223 return( ctx->pk_info->can_do( type ) );
224 }
225
226 #if defined(MBEDTLS_USE_PSA_CRYPTO)
227 /*
228 * Tell if a PK can do the operations of the given PSA algorithm
229 */
mbedtls_pk_can_do_ext(const mbedtls_pk_context * ctx,psa_algorithm_t alg,psa_key_usage_t usage)230 int mbedtls_pk_can_do_ext( const mbedtls_pk_context *ctx, psa_algorithm_t alg,
231 psa_key_usage_t usage )
232 {
233 psa_key_usage_t key_usage;
234
235 /* A context with null pk_info is not set up yet and can't do anything.
236 * For backward compatibility, also accept NULL instead of a context
237 * pointer. */
238 if( ctx == NULL || ctx->pk_info == NULL )
239 return( 0 );
240
241 /* Filter out non allowed algorithms */
242 if( PSA_ALG_IS_ECDSA( alg ) == 0 &&
243 PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) == 0 &&
244 PSA_ALG_IS_RSA_PSS( alg ) == 0 &&
245 alg != PSA_ALG_RSA_PKCS1V15_CRYPT &&
246 PSA_ALG_IS_ECDH( alg ) == 0 )
247 return( 0 );
248
249 /* Filter out non allowed usage flags */
250 if( usage == 0 ||
251 ( usage & ~( PSA_KEY_USAGE_SIGN_HASH |
252 PSA_KEY_USAGE_DECRYPT |
253 PSA_KEY_USAGE_DERIVE ) ) != 0 )
254 return( 0 );
255
256 /* Wildcard hash is not allowed */
257 if( PSA_ALG_IS_SIGN_HASH( alg ) &&
258 PSA_ALG_SIGN_GET_HASH( alg ) == PSA_ALG_ANY_HASH )
259 return( 0 );
260
261 if( mbedtls_pk_get_type( ctx ) != MBEDTLS_PK_OPAQUE )
262 {
263 mbedtls_pk_type_t type;
264
265 if( PSA_ALG_IS_ECDSA( alg ) || PSA_ALG_IS_ECDH( alg ) )
266 type = MBEDTLS_PK_ECKEY;
267 else if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ||
268 alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
269 type = MBEDTLS_PK_RSA;
270 else if( PSA_ALG_IS_RSA_PSS( alg ) )
271 type = MBEDTLS_PK_RSASSA_PSS;
272 else
273 return( 0 );
274
275 if( ctx->pk_info->can_do( type ) == 0 )
276 return( 0 );
277
278 switch( type )
279 {
280 case MBEDTLS_PK_ECKEY:
281 key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
282 break;
283 case MBEDTLS_PK_RSA:
284 case MBEDTLS_PK_RSASSA_PSS:
285 key_usage = PSA_KEY_USAGE_SIGN_HASH |
286 PSA_KEY_USAGE_SIGN_MESSAGE |
287 PSA_KEY_USAGE_DECRYPT;
288 break;
289 default:
290 /* Should never happen */
291 return( 0 );
292 }
293
294 return( ( key_usage & usage ) == usage );
295 }
296
297 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
298 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
299 psa_algorithm_t key_alg, key_alg2;
300 psa_status_t status;
301
302 status = psa_get_key_attributes( *key, &attributes );
303 if( status != PSA_SUCCESS )
304 return( 0 );
305
306 key_alg = psa_get_key_algorithm( &attributes );
307 key_alg2 = psa_get_key_enrollment_algorithm( &attributes );
308 key_usage = psa_get_key_usage_flags( &attributes );
309 psa_reset_key_attributes( &attributes );
310
311 if( ( key_usage & usage ) != usage )
312 return( 0 );
313
314 /*
315 * Common case: the key alg or alg2 only allows alg.
316 * This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
317 * directly.
318 * This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
319 * a fixed hash on key_alg/key_alg2.
320 */
321 if( alg == key_alg || alg == key_alg2 )
322 return( 1 );
323
324 /*
325 * If key_alg or key_alg2 is a hash-and-sign with a wildcard for the hash,
326 * and alg is the same hash-and-sign family with any hash,
327 * then alg is compliant with this key alg
328 */
329 if( PSA_ALG_IS_SIGN_HASH( alg ) )
330 {
331
332 if( PSA_ALG_IS_SIGN_HASH( key_alg ) &&
333 PSA_ALG_SIGN_GET_HASH( key_alg ) == PSA_ALG_ANY_HASH &&
334 ( alg & ~PSA_ALG_HASH_MASK ) == ( key_alg & ~PSA_ALG_HASH_MASK ) )
335 return( 1 );
336
337 if( PSA_ALG_IS_SIGN_HASH( key_alg2 ) &&
338 PSA_ALG_SIGN_GET_HASH( key_alg2 ) == PSA_ALG_ANY_HASH &&
339 ( alg & ~PSA_ALG_HASH_MASK ) == ( key_alg2 & ~PSA_ALG_HASH_MASK ) )
340 return( 1 );
341 }
342
343 return( 0 );
344 }
345 #endif /* MBEDTLS_USE_PSA_CRYPTO */
346
347 /*
348 * Helper for mbedtls_pk_sign and mbedtls_pk_verify
349 */
pk_hashlen_helper(mbedtls_md_type_t md_alg,size_t * hash_len)350 static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len )
351 {
352 if( *hash_len != 0 )
353 return( 0 );
354
355 *hash_len = mbedtls_hash_info_get_size( md_alg );
356
357 if( *hash_len == 0 )
358 return( -1 );
359
360 return( 0 );
361 }
362
363 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
364 /*
365 * Helper to set up a restart context if needed
366 */
pk_restart_setup(mbedtls_pk_restart_ctx * ctx,const mbedtls_pk_info_t * info)367 static int pk_restart_setup( mbedtls_pk_restart_ctx *ctx,
368 const mbedtls_pk_info_t *info )
369 {
370 /* Don't do anything if already set up or invalid */
371 if( ctx == NULL || ctx->pk_info != NULL )
372 return( 0 );
373
374 /* Should never happen when we're called */
375 if( info->rs_alloc_func == NULL || info->rs_free_func == NULL )
376 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
377
378 if( ( ctx->rs_ctx = info->rs_alloc_func() ) == NULL )
379 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
380
381 ctx->pk_info = info;
382
383 return( 0 );
384 }
385 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
386
387 /*
388 * Verify a signature (restartable)
389 */
mbedtls_pk_verify_restartable(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,mbedtls_pk_restart_ctx * rs_ctx)390 int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
391 mbedtls_md_type_t md_alg,
392 const unsigned char *hash, size_t hash_len,
393 const unsigned char *sig, size_t sig_len,
394 mbedtls_pk_restart_ctx *rs_ctx )
395 {
396 if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL )
397 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
398
399 if( ctx->pk_info == NULL ||
400 pk_hashlen_helper( md_alg, &hash_len ) != 0 )
401 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
402
403 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
404 /* optimization: use non-restartable version if restart disabled */
405 if( rs_ctx != NULL &&
406 mbedtls_ecp_restart_is_enabled() &&
407 ctx->pk_info->verify_rs_func != NULL )
408 {
409 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
410
411 if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
412 return( ret );
413
414 ret = ctx->pk_info->verify_rs_func( ctx->pk_ctx,
415 md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx );
416
417 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
418 mbedtls_pk_restart_free( rs_ctx );
419
420 return( ret );
421 }
422 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
423 (void) rs_ctx;
424 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
425
426 if( ctx->pk_info->verify_func == NULL )
427 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
428
429 return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, hash, hash_len,
430 sig, sig_len ) );
431 }
432
433 /*
434 * Verify a signature
435 */
mbedtls_pk_verify(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)436 int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
437 const unsigned char *hash, size_t hash_len,
438 const unsigned char *sig, size_t sig_len )
439 {
440 return( mbedtls_pk_verify_restartable( ctx, md_alg, hash, hash_len,
441 sig, sig_len, NULL ) );
442 }
443
444 /*
445 * Verify a signature with options
446 */
mbedtls_pk_verify_ext(mbedtls_pk_type_t type,const void * options,mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)447 int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
448 mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
449 const unsigned char *hash, size_t hash_len,
450 const unsigned char *sig, size_t sig_len )
451 {
452 if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL )
453 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
454
455 if( ctx->pk_info == NULL )
456 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
457
458 if( ! mbedtls_pk_can_do( ctx, type ) )
459 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
460
461 if( type != MBEDTLS_PK_RSASSA_PSS )
462 {
463 /* General case: no options */
464 if( options != NULL )
465 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
466
467 return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) );
468 }
469
470 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
471 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
472 const mbedtls_pk_rsassa_pss_options *pss_opts;
473
474 #if SIZE_MAX > UINT_MAX
475 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
476 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
477 #endif /* SIZE_MAX > UINT_MAX */
478
479 if( options == NULL )
480 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
481
482 pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
483
484 #if defined(MBEDTLS_USE_PSA_CRYPTO)
485 if( pss_opts->mgf1_hash_id == md_alg &&
486 ( (size_t) pss_opts->expected_salt_len == hash_len ||
487 pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ) )
488 {
489 /* see RSA_PUB_DER_MAX_BYTES in pkwrite.c */
490 unsigned char buf[ 38 + 2 * MBEDTLS_MPI_MAX_SIZE ];
491 unsigned char *p;
492 int key_len;
493 size_t signature_length;
494 psa_status_t status = PSA_ERROR_DATA_CORRUPT;
495 psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
496
497 psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg );
498 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
499 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
500 psa_algorithm_t psa_sig_alg =
501 ( pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ?
502 PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg) :
503 PSA_ALG_RSA_PSS(psa_md_alg) );
504 p = buf + sizeof( buf );
505 key_len = mbedtls_pk_write_pubkey( &p, buf, ctx );
506
507 if( key_len < 0 )
508 return( key_len );
509
510 psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
511 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
512 psa_set_key_algorithm( &attributes, psa_sig_alg );
513
514 status = psa_import_key( &attributes,
515 buf + sizeof( buf ) - key_len, key_len,
516 &key_id );
517 if( status != PSA_SUCCESS )
518 {
519 psa_destroy_key( key_id );
520 return( mbedtls_pk_error_from_psa( status ) );
521 }
522
523 /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
524 * on a valid signature with trailing data in a buffer, but
525 * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
526 * so for this reason the passed sig_len is overwritten. Smaller
527 * signature lengths should not be accepted for verification. */
528 signature_length = sig_len > mbedtls_pk_get_len( ctx ) ?
529 mbedtls_pk_get_len( ctx ) : sig_len;
530 status = psa_verify_hash( key_id, psa_sig_alg, hash,
531 hash_len, sig, signature_length );
532 destruction_status = psa_destroy_key( key_id );
533
534 if( status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len( ctx ) )
535 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
536
537 if( status == PSA_SUCCESS )
538 status = destruction_status;
539
540 return( mbedtls_pk_error_from_psa_rsa( status ) );
541 }
542 else
543 #endif
544 {
545 if( sig_len < mbedtls_pk_get_len( ctx ) )
546 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
547
548 ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ),
549 md_alg, (unsigned int) hash_len, hash,
550 pss_opts->mgf1_hash_id,
551 pss_opts->expected_salt_len,
552 sig );
553 if( ret != 0 )
554 return( ret );
555
556 if( sig_len > mbedtls_pk_get_len( ctx ) )
557 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
558
559 return( 0 );
560 }
561 #else
562 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
563 #endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
564 }
565
566 /*
567 * Make a signature (restartable)
568 */
mbedtls_pk_sign_restartable(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_pk_restart_ctx * rs_ctx)569 int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
570 mbedtls_md_type_t md_alg,
571 const unsigned char *hash, size_t hash_len,
572 unsigned char *sig, size_t sig_size, size_t *sig_len,
573 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
574 mbedtls_pk_restart_ctx *rs_ctx )
575 {
576 if( ( md_alg != MBEDTLS_MD_NONE || hash_len != 0 ) && hash == NULL )
577 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
578
579 if( ctx->pk_info == NULL || pk_hashlen_helper( md_alg, &hash_len ) != 0 )
580 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
581
582 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
583 /* optimization: use non-restartable version if restart disabled */
584 if( rs_ctx != NULL &&
585 mbedtls_ecp_restart_is_enabled() &&
586 ctx->pk_info->sign_rs_func != NULL )
587 {
588 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
589
590 if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
591 return( ret );
592
593 ret = ctx->pk_info->sign_rs_func( ctx->pk_ctx, md_alg,
594 hash, hash_len,
595 sig, sig_size, sig_len,
596 f_rng, p_rng, rs_ctx->rs_ctx );
597
598 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
599 mbedtls_pk_restart_free( rs_ctx );
600
601 return( ret );
602 }
603 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
604 (void) rs_ctx;
605 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
606
607 if( ctx->pk_info->sign_func == NULL )
608 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
609
610 return( ctx->pk_info->sign_func( ctx->pk_ctx, md_alg,
611 hash, hash_len,
612 sig, sig_size, sig_len,
613 f_rng, p_rng ) );
614 }
615
616 /*
617 * Make a signature
618 */
mbedtls_pk_sign(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)619 int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
620 const unsigned char *hash, size_t hash_len,
621 unsigned char *sig, size_t sig_size, size_t *sig_len,
622 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
623 {
624 return( mbedtls_pk_sign_restartable( ctx, md_alg, hash, hash_len,
625 sig, sig_size, sig_len,
626 f_rng, p_rng, NULL ) );
627 }
628
629 #if defined(MBEDTLS_PSA_CRYPTO_C)
630 /*
631 * Make a signature given a signature type.
632 */
mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)633 int mbedtls_pk_sign_ext( mbedtls_pk_type_t pk_type,
634 mbedtls_pk_context *ctx,
635 mbedtls_md_type_t md_alg,
636 const unsigned char *hash, size_t hash_len,
637 unsigned char *sig, size_t sig_size, size_t *sig_len,
638 int (*f_rng)(void *, unsigned char *, size_t),
639 void *p_rng )
640 {
641 #if defined(MBEDTLS_RSA_C)
642 psa_algorithm_t psa_md_alg;
643 #endif /* MBEDTLS_RSA_C */
644 *sig_len = 0;
645
646 if( ctx->pk_info == NULL )
647 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
648
649 if( ! mbedtls_pk_can_do( ctx, pk_type ) )
650 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
651
652 if( pk_type != MBEDTLS_PK_RSASSA_PSS )
653 {
654 return( mbedtls_pk_sign( ctx, md_alg, hash, hash_len,
655 sig, sig_size, sig_len, f_rng, p_rng ) );
656 }
657
658 #if defined(MBEDTLS_RSA_C)
659 psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg );
660 if( psa_md_alg == 0 )
661 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
662
663 if( mbedtls_pk_get_type( ctx ) == MBEDTLS_PK_OPAQUE )
664 {
665 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
666 psa_status_t status;
667
668 status = psa_sign_hash( *key, PSA_ALG_RSA_PSS( psa_md_alg ),
669 hash, hash_len,
670 sig, sig_size, sig_len );
671 return( mbedtls_pk_error_from_psa_rsa( status ) );
672 }
673
674 return( mbedtls_pk_psa_rsa_sign_ext( PSA_ALG_RSA_PSS( psa_md_alg ),
675 ctx->pk_ctx, hash, hash_len,
676 sig, sig_size, sig_len ) );
677 #else /* MBEDTLS_RSA_C */
678 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
679 #endif /* !MBEDTLS_RSA_C */
680
681 }
682 #endif /* MBEDTLS_PSA_CRYPTO_C */
683
684 /*
685 * Decrypt message
686 */
mbedtls_pk_decrypt(mbedtls_pk_context * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)687 int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
688 const unsigned char *input, size_t ilen,
689 unsigned char *output, size_t *olen, size_t osize,
690 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
691 {
692 if( ctx->pk_info == NULL )
693 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
694
695 if( ctx->pk_info->decrypt_func == NULL )
696 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
697
698 return( ctx->pk_info->decrypt_func( ctx->pk_ctx, input, ilen,
699 output, olen, osize, f_rng, p_rng ) );
700 }
701
702 /*
703 * Encrypt message
704 */
mbedtls_pk_encrypt(mbedtls_pk_context * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)705 int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
706 const unsigned char *input, size_t ilen,
707 unsigned char *output, size_t *olen, size_t osize,
708 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
709 {
710 if( ctx->pk_info == NULL )
711 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
712
713 if( ctx->pk_info->encrypt_func == NULL )
714 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
715
716 return( ctx->pk_info->encrypt_func( ctx->pk_ctx, input, ilen,
717 output, olen, osize, f_rng, p_rng ) );
718 }
719
720 /*
721 * Check public-private key pair
722 */
mbedtls_pk_check_pair(const mbedtls_pk_context * pub,const mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)723 int mbedtls_pk_check_pair( const mbedtls_pk_context *pub,
724 const mbedtls_pk_context *prv,
725 int (*f_rng)(void *, unsigned char *, size_t),
726 void *p_rng )
727 {
728 if( pub->pk_info == NULL ||
729 prv->pk_info == NULL )
730 {
731 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
732 }
733
734 if( f_rng == NULL )
735 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
736
737 if( prv->pk_info->check_pair_func == NULL )
738 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
739
740 if( prv->pk_info->type == MBEDTLS_PK_RSA_ALT )
741 {
742 if( pub->pk_info->type != MBEDTLS_PK_RSA )
743 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
744 }
745 else
746 {
747 if( pub->pk_info != prv->pk_info )
748 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
749 }
750
751 return( prv->pk_info->check_pair_func( pub->pk_ctx, prv->pk_ctx, f_rng, p_rng ) );
752 }
753
754 /*
755 * Get key size in bits
756 */
mbedtls_pk_get_bitlen(const mbedtls_pk_context * ctx)757 size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
758 {
759 /* For backward compatibility, accept NULL or a context that
760 * isn't set up yet, and return a fake value that should be safe. */
761 if( ctx == NULL || ctx->pk_info == NULL )
762 return( 0 );
763
764 return( ctx->pk_info->get_bitlen( ctx->pk_ctx ) );
765 }
766
767 /*
768 * Export debug information
769 */
mbedtls_pk_debug(const mbedtls_pk_context * ctx,mbedtls_pk_debug_item * items)770 int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
771 {
772 if( ctx->pk_info == NULL )
773 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
774
775 if( ctx->pk_info->debug_func == NULL )
776 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
777
778 ctx->pk_info->debug_func( ctx->pk_ctx, items );
779 return( 0 );
780 }
781
782 /*
783 * Access the PK type name
784 */
mbedtls_pk_get_name(const mbedtls_pk_context * ctx)785 const char *mbedtls_pk_get_name( const mbedtls_pk_context *ctx )
786 {
787 if( ctx == NULL || ctx->pk_info == NULL )
788 return( "invalid PK" );
789
790 return( ctx->pk_info->name );
791 }
792
793 /*
794 * Access the PK type
795 */
mbedtls_pk_get_type(const mbedtls_pk_context * ctx)796 mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
797 {
798 if( ctx == NULL || ctx->pk_info == NULL )
799 return( MBEDTLS_PK_NONE );
800
801 return( ctx->pk_info->type );
802 }
803
804 #if defined(MBEDTLS_USE_PSA_CRYPTO)
805 /*
806 * Load the key to a PSA key slot,
807 * then turn the PK context into a wrapper for that key slot.
808 *
809 * Currently only works for EC & RSA private keys.
810 */
mbedtls_pk_wrap_as_opaque(mbedtls_pk_context * pk,mbedtls_svc_key_id_t * key,psa_algorithm_t alg,psa_key_usage_t usage,psa_algorithm_t alg2)811 int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
812 mbedtls_svc_key_id_t *key,
813 psa_algorithm_t alg,
814 psa_key_usage_t usage,
815 psa_algorithm_t alg2 )
816 {
817 #if !defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_RSA_C)
818 ((void) pk);
819 ((void) key);
820 ((void) alg);
821 ((void) usage);
822 ((void) alg2);
823 #else
824 #if defined(MBEDTLS_ECP_C)
825 if( mbedtls_pk_get_type( pk ) == MBEDTLS_PK_ECKEY )
826 {
827 const mbedtls_ecp_keypair *ec;
828 unsigned char d[MBEDTLS_ECP_MAX_BYTES];
829 size_t d_len;
830 psa_ecc_family_t curve_id;
831 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
832 psa_key_type_t key_type;
833 size_t bits;
834 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
835 psa_status_t status;
836
837 /* export the private key material in the format PSA wants */
838 ec = mbedtls_pk_ec( *pk );
839 d_len = PSA_BITS_TO_BYTES( ec->grp.nbits );
840 if( ( ret = mbedtls_mpi_write_binary( &ec->d, d, d_len ) ) != 0 )
841 return( ret );
842
843 curve_id = mbedtls_ecc_group_to_psa( ec->grp.id, &bits );
844 key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( curve_id );
845
846 /* prepare the key attributes */
847 psa_set_key_type( &attributes, key_type );
848 psa_set_key_bits( &attributes, bits );
849 psa_set_key_usage_flags( &attributes, usage );
850 psa_set_key_algorithm( &attributes, alg );
851 if( alg2 != PSA_ALG_NONE )
852 psa_set_key_enrollment_algorithm( &attributes, alg2 );
853
854 /* import private key into PSA */
855 status = psa_import_key( &attributes, d, d_len, key );
856 if( status != PSA_SUCCESS )
857 return( mbedtls_pk_error_from_psa( status ) );
858
859 /* make PK context wrap the key slot */
860 mbedtls_pk_free( pk );
861 mbedtls_pk_init( pk );
862
863 return( mbedtls_pk_setup_opaque( pk, *key ) );
864 }
865 else
866 #endif /* MBEDTLS_ECP_C */
867 #if defined(MBEDTLS_RSA_C)
868 if( mbedtls_pk_get_type( pk ) == MBEDTLS_PK_RSA )
869 {
870 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
871 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
872 int key_len;
873 psa_status_t status;
874
875 /* export the private key material in the format PSA wants */
876 key_len = mbedtls_pk_write_key_der( pk, buf, sizeof( buf ) );
877 if( key_len <= 0 )
878 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
879
880 /* prepare the key attributes */
881 psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR );
882 psa_set_key_bits( &attributes, mbedtls_pk_get_bitlen( pk ) );
883 psa_set_key_usage_flags( &attributes, usage );
884 psa_set_key_algorithm( &attributes, alg );
885 if( alg2 != PSA_ALG_NONE )
886 psa_set_key_enrollment_algorithm( &attributes, alg2 );
887
888 /* import private key into PSA */
889 status = psa_import_key( &attributes,
890 buf + sizeof( buf ) - key_len,
891 key_len, key);
892
893 mbedtls_platform_zeroize( buf, sizeof( buf ) );
894
895 if( status != PSA_SUCCESS )
896 return( mbedtls_pk_error_from_psa( status ) );
897
898 /* make PK context wrap the key slot */
899 mbedtls_pk_free( pk );
900 mbedtls_pk_init( pk );
901
902 return( mbedtls_pk_setup_opaque( pk, *key ) );
903 }
904 else
905 #endif /* MBEDTLS_RSA_C */
906 #endif /* !MBEDTLS_ECP_C && !MBEDTLS_RSA_C */
907 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
908 }
909 #endif /* MBEDTLS_USE_PSA_CRYPTO */
910 #endif /* MBEDTLS_PK_C */
911
