mirror of
https://github.com/cuberite/polarssl.git
synced 2025-10-03 10:34:16 -04:00
Merge pull request #7392 from valeriosetti/issue7388
PK: use PSA to complete public key when USE_PSA is enabled
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
commit
b16a50eeab
@ -1104,9 +1104,10 @@ cleanup:
|
|||||||
* - write the raw content of public key "pub" to a local buffer
|
* - write the raw content of public key "pub" to a local buffer
|
||||||
* - compare the two buffers
|
* - compare the two buffers
|
||||||
*/
|
*/
|
||||||
static int eckey_check_pair_psa(const void *pub, const void *prv)
|
static int eckey_check_pair_psa(const mbedtls_ecp_keypair *pub,
|
||||||
|
const mbedtls_ecp_keypair *prv)
|
||||||
{
|
{
|
||||||
psa_status_t status;
|
psa_status_t status, destruction_status;
|
||||||
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
|
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
|
||||||
mbedtls_ecp_keypair *prv_ctx = (mbedtls_ecp_keypair *) prv;
|
mbedtls_ecp_keypair *prv_ctx = (mbedtls_ecp_keypair *) prv;
|
||||||
mbedtls_ecp_keypair *pub_ctx = (mbedtls_ecp_keypair *) pub;
|
mbedtls_ecp_keypair *pub_ctx = (mbedtls_ecp_keypair *) pub;
|
||||||
@ -1133,20 +1134,21 @@ static int eckey_check_pair_psa(const void *pub, const void *prv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
|
status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
|
||||||
if (status != PSA_SUCCESS) {
|
ret = PSA_PK_TO_MBEDTLS_ERR(status);
|
||||||
ret = PSA_PK_TO_MBEDTLS_ERR(status);
|
if (ret != 0) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
|
mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
|
||||||
|
|
||||||
ret = PSA_PK_TO_MBEDTLS_ERR(psa_export_public_key(key_id,
|
status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
|
||||||
prv_key_buf,
|
&prv_key_len);
|
||||||
sizeof(prv_key_buf),
|
ret = PSA_PK_TO_MBEDTLS_ERR(status);
|
||||||
&prv_key_len));
|
destruction_status = psa_destroy_key(key_id);
|
||||||
status = psa_destroy_key(key_id);
|
if (ret != 0) {
|
||||||
if (ret != 0 || status != PSA_SUCCESS) {
|
return ret;
|
||||||
return (ret != 0) ? ret : PSA_PK_TO_MBEDTLS_ERR(status);
|
} else if (destruction_status != PSA_SUCCESS) {
|
||||||
|
return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_ecp_point_write_binary(&pub_ctx->grp, &pub_ctx->Q,
|
ret = mbedtls_ecp_point_write_binary(&pub_ctx->grp, &pub_ctx->Q,
|
||||||
@ -1172,8 +1174,7 @@ static int eckey_check_pair(const void *pub, const void *prv,
|
|||||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
(void) f_rng;
|
(void) f_rng;
|
||||||
(void) p_rng;
|
(void) p_rng;
|
||||||
return eckey_check_pair_psa((const mbedtls_ecp_keypair *) pub,
|
return eckey_check_pair_psa(pub, prv);
|
||||||
(const mbedtls_ecp_keypair *) prv);
|
|
||||||
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub,
|
return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub,
|
||||||
(const mbedtls_ecp_keypair *) prv,
|
(const mbedtls_ecp_keypair *) prv,
|
||||||
|
|||||||
@ -48,6 +48,14 @@
|
|||||||
#include "mbedtls/pkcs12.h"
|
#include "mbedtls/pkcs12.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||||
|
#include "mbedtls/psa_util.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
|
|
||||||
#if defined(MBEDTLS_FS_IO)
|
#if defined(MBEDTLS_FS_IO)
|
||||||
@ -869,6 +877,57 @@ cleanup:
|
|||||||
#endif /* MBEDTLS_RSA_C */
|
#endif /* MBEDTLS_RSA_C */
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
/*
|
||||||
|
* Helper function for deriving a public key from its private counterpart by
|
||||||
|
* using PSA functions.
|
||||||
|
*/
|
||||||
|
static int pk_derive_public_key(mbedtls_ecp_group *grp, mbedtls_ecp_point *Q,
|
||||||
|
const mbedtls_mpi *d)
|
||||||
|
{
|
||||||
|
psa_status_t status, destruction_status;
|
||||||
|
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
|
||||||
|
size_t curve_bits;
|
||||||
|
psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp->id, &curve_bits);
|
||||||
|
/* This buffer is used to store the private key at first and then the
|
||||||
|
* public one (but not at the same time). Therefore we size it for the
|
||||||
|
* latter since it's bigger. */
|
||||||
|
unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
|
||||||
|
size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
|
||||||
|
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
|
||||||
|
psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
|
||||||
|
|
||||||
|
ret = mbedtls_mpi_write_binary(d, key_buf, key_len);
|
||||||
|
if (ret != 0) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
status = psa_import_key(&key_attr, key_buf, key_len, &key_id);
|
||||||
|
ret = psa_pk_status_to_mbedtls(status);
|
||||||
|
if (ret != 0) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize(key_buf, sizeof(key_buf));
|
||||||
|
|
||||||
|
status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len);
|
||||||
|
ret = psa_pk_status_to_mbedtls(status);
|
||||||
|
destruction_status = psa_destroy_key(key_id);
|
||||||
|
if (ret != 0) {
|
||||||
|
return ret;
|
||||||
|
} else if (destruction_status != PSA_SUCCESS) {
|
||||||
|
return psa_pk_status_to_mbedtls(destruction_status);
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = mbedtls_ecp_point_read_binary(grp, Q, key_buf, key_len);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Parse a SEC1 encoded private EC key
|
* Parse a SEC1 encoded private EC key
|
||||||
*/
|
*/
|
||||||
@ -975,11 +1034,21 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!pubkey_done &&
|
if (!pubkey_done) {
|
||||||
(ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G,
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
f_rng, p_rng)) != 0) {
|
(void) f_rng;
|
||||||
mbedtls_ecp_keypair_free(eck);
|
(void) p_rng;
|
||||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
|
if ((ret = pk_derive_public_key(&eck->grp, &eck->Q, &eck->d)) != 0) {
|
||||||
|
mbedtls_ecp_keypair_free(eck);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
if ((ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G,
|
||||||
|
f_rng, p_rng)) != 0) {
|
||||||
|
mbedtls_ecp_keypair_free(eck);
|
||||||
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
|
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
|
||||||
|
|||||||
@ -101,6 +101,7 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result)
|
|||||||
mbedtls_pk_context ctx;
|
mbedtls_pk_context ctx;
|
||||||
int res;
|
int res;
|
||||||
|
|
||||||
|
USE_PSA_INIT();
|
||||||
mbedtls_pk_init(&ctx);
|
mbedtls_pk_init(&ctx);
|
||||||
|
|
||||||
res = mbedtls_pk_parse_keyfile(&ctx, key_file, password,
|
res = mbedtls_pk_parse_keyfile(&ctx, key_file, password,
|
||||||
@ -117,6 +118,7 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result)
|
|||||||
|
|
||||||
exit:
|
exit:
|
||||||
mbedtls_pk_free(&ctx);
|
mbedtls_pk_free(&ctx);
|
||||||
|
USE_PSA_DONE();
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user