Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
pk_wrap.c
00001 /* 00002 * Public Key abstraction layer: wrapper functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_PK_C) 00029 #include "mbedtls/pk_internal.h" 00030 00031 /* Even if RSA not activated, for the sake of RSA-alt */ 00032 #include "mbedtls/rsa.h" 00033 00034 #include <string.h> 00035 00036 #if defined(MBEDTLS_ECP_C) 00037 #include "mbedtls/ecp.h" 00038 #endif 00039 00040 #if defined(MBEDTLS_ECDSA_C) 00041 #include "mbedtls/ecdsa.h" 00042 #endif 00043 00044 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00045 #include "mbedtls/asn1write.h" 00046 #endif 00047 00048 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 00049 #include "mbedtls/platform_util.h" 00050 #endif 00051 00052 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00053 #include "psa/crypto.h" 00054 #include "mbedtls/psa_util.h" 00055 #include "mbedtls/asn1.h" 00056 #endif 00057 00058 #if defined(MBEDTLS_PLATFORM_C) 00059 #include "mbedtls/platform.h" 00060 #else 00061 #include <stdlib.h> 00062 #define mbedtls_calloc calloc 00063 #define mbedtls_free free 00064 #endif 00065 00066 #include <limits.h> 00067 #include <stdint.h> 00068 00069 #if defined(MBEDTLS_RSA_C) 00070 static int rsa_can_do( mbedtls_pk_type_t type ) 00071 { 00072 return( type == MBEDTLS_PK_RSA || 00073 type == MBEDTLS_PK_RSASSA_PSS ); 00074 } 00075 00076 static size_t rsa_get_bitlen( const void *ctx ) 00077 { 00078 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx; 00079 return( 8 * mbedtls_rsa_get_len( rsa ) ); 00080 } 00081 00082 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 00083 const unsigned char *hash, size_t hash_len, 00084 const unsigned char *sig, size_t sig_len ) 00085 { 00086 int ret; 00087 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 00088 size_t rsa_len = mbedtls_rsa_get_len( rsa ); 00089 00090 #if SIZE_MAX > UINT_MAX 00091 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 00092 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00093 #endif /* SIZE_MAX > UINT_MAX */ 00094 00095 if( sig_len < rsa_len ) 00096 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 00097 00098 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL, 00099 MBEDTLS_RSA_PUBLIC, md_alg, 00100 (unsigned int) hash_len, hash, sig ) ) != 0 ) 00101 return( ret ); 00102 00103 /* The buffer contains a valid signature followed by extra data. 00104 * We have a special error code for that so that so that callers can 00105 * use mbedtls_pk_verify() to check "Does the buffer start with a 00106 * valid signature?" and not just "Does the buffer contain a valid 00107 * signature?". */ 00108 if( sig_len > rsa_len ) 00109 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 00110 00111 return( 0 ); 00112 } 00113 00114 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 00115 const unsigned char *hash, size_t hash_len, 00116 unsigned char *sig, size_t *sig_len, 00117 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00118 { 00119 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 00120 00121 #if SIZE_MAX > UINT_MAX 00122 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 00123 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00124 #endif /* SIZE_MAX > UINT_MAX */ 00125 00126 *sig_len = mbedtls_rsa_get_len( rsa ); 00127 00128 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 00129 md_alg, (unsigned int) hash_len, hash, sig ) ); 00130 } 00131 00132 static int rsa_decrypt_wrap( void *ctx, 00133 const unsigned char *input, size_t ilen, 00134 unsigned char *output, size_t *olen, size_t osize, 00135 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00136 { 00137 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 00138 00139 if( ilen != mbedtls_rsa_get_len( rsa ) ) 00140 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00141 00142 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng, 00143 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 00144 } 00145 00146 static int rsa_encrypt_wrap( void *ctx, 00147 const unsigned char *input, size_t ilen, 00148 unsigned char *output, size_t *olen, size_t osize, 00149 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00150 { 00151 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 00152 *olen = mbedtls_rsa_get_len( rsa ); 00153 00154 if( *olen > osize ) 00155 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00156 00157 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC, 00158 ilen, input, output ) ); 00159 } 00160 00161 static int rsa_check_pair_wrap( const void *pub, const void *prv ) 00162 { 00163 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub, 00164 (const mbedtls_rsa_context *) prv ) ); 00165 } 00166 00167 static void *rsa_alloc_wrap( void ) 00168 { 00169 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) ); 00170 00171 if( ctx != NULL ) 00172 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 ); 00173 00174 return( ctx ); 00175 } 00176 00177 static void rsa_free_wrap( void *ctx ) 00178 { 00179 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx ); 00180 mbedtls_free( ctx ); 00181 } 00182 00183 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items ) 00184 { 00185 items->type = MBEDTLS_PK_DEBUG_MPI; 00186 items->name = "rsa.N"; 00187 items->value = &( ((mbedtls_rsa_context *) ctx)->N ); 00188 00189 items++; 00190 00191 items->type = MBEDTLS_PK_DEBUG_MPI; 00192 items->name = "rsa.E"; 00193 items->value = &( ((mbedtls_rsa_context *) ctx)->E ); 00194 } 00195 00196 const mbedtls_pk_info_t mbedtls_rsa_info = { 00197 MBEDTLS_PK_RSA, 00198 "RSA", 00199 rsa_get_bitlen, 00200 rsa_can_do, 00201 rsa_verify_wrap, 00202 rsa_sign_wrap, 00203 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00204 NULL, 00205 NULL, 00206 #endif 00207 rsa_decrypt_wrap, 00208 rsa_encrypt_wrap, 00209 rsa_check_pair_wrap, 00210 rsa_alloc_wrap, 00211 rsa_free_wrap, 00212 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00213 NULL, 00214 NULL, 00215 #endif 00216 rsa_debug, 00217 }; 00218 #endif /* MBEDTLS_RSA_C */ 00219 00220 #if defined(MBEDTLS_ECP_C) 00221 /* 00222 * Generic EC key 00223 */ 00224 static int eckey_can_do( mbedtls_pk_type_t type ) 00225 { 00226 return( type == MBEDTLS_PK_ECKEY || 00227 type == MBEDTLS_PK_ECKEY_DH || 00228 type == MBEDTLS_PK_ECDSA ); 00229 } 00230 00231 static size_t eckey_get_bitlen( const void *ctx ) 00232 { 00233 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits ); 00234 } 00235 00236 #if defined(MBEDTLS_ECDSA_C) 00237 /* Forward declarations */ 00238 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 00239 const unsigned char *hash, size_t hash_len, 00240 const unsigned char *sig, size_t sig_len ); 00241 00242 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 00243 const unsigned char *hash, size_t hash_len, 00244 unsigned char *sig, size_t *sig_len, 00245 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 00246 00247 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 00248 const unsigned char *hash, size_t hash_len, 00249 const unsigned char *sig, size_t sig_len ) 00250 { 00251 int ret; 00252 mbedtls_ecdsa_context ecdsa; 00253 00254 mbedtls_ecdsa_init( &ecdsa ); 00255 00256 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 00257 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len ); 00258 00259 mbedtls_ecdsa_free( &ecdsa ); 00260 00261 return( ret ); 00262 } 00263 00264 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 00265 const unsigned char *hash, size_t hash_len, 00266 unsigned char *sig, size_t *sig_len, 00267 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00268 { 00269 int ret; 00270 mbedtls_ecdsa_context ecdsa; 00271 00272 mbedtls_ecdsa_init( &ecdsa ); 00273 00274 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 00275 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len, 00276 f_rng, p_rng ); 00277 00278 mbedtls_ecdsa_free( &ecdsa ); 00279 00280 return( ret ); 00281 } 00282 00283 #if defined(MBEDTLS_ECP_RESTARTABLE) 00284 /* Forward declarations */ 00285 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 00286 const unsigned char *hash, size_t hash_len, 00287 const unsigned char *sig, size_t sig_len, 00288 void *rs_ctx ); 00289 00290 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 00291 const unsigned char *hash, size_t hash_len, 00292 unsigned char *sig, size_t *sig_len, 00293 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 00294 void *rs_ctx ); 00295 00296 /* 00297 * Restart context for ECDSA operations with ECKEY context 00298 * 00299 * We need to store an actual ECDSA context, as we need to pass the same to 00300 * the underlying ecdsa function, so we can't create it on the fly every time. 00301 */ 00302 typedef struct 00303 { 00304 mbedtls_ecdsa_restart_ctx ecdsa_rs; 00305 mbedtls_ecdsa_context ecdsa_ctx; 00306 } eckey_restart_ctx; 00307 00308 static void *eckey_rs_alloc( void ) 00309 { 00310 eckey_restart_ctx *rs_ctx; 00311 00312 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) ); 00313 00314 if( ctx != NULL ) 00315 { 00316 rs_ctx = ctx; 00317 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs ); 00318 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx ); 00319 } 00320 00321 return( ctx ); 00322 } 00323 00324 static void eckey_rs_free( void *ctx ) 00325 { 00326 eckey_restart_ctx *rs_ctx; 00327 00328 if( ctx == NULL) 00329 return; 00330 00331 rs_ctx = ctx; 00332 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs ); 00333 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx ); 00334 00335 mbedtls_free( ctx ); 00336 } 00337 00338 static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 00339 const unsigned char *hash, size_t hash_len, 00340 const unsigned char *sig, size_t sig_len, 00341 void *rs_ctx ) 00342 { 00343 int ret; 00344 eckey_restart_ctx *rs = rs_ctx; 00345 00346 /* Should never happen */ 00347 if( rs == NULL ) 00348 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00349 00350 /* set up our own sub-context if needed (that is, on first run) */ 00351 if( rs->ecdsa_ctx.grp.pbits == 0 ) 00352 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) ); 00353 00354 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx, 00355 md_alg, hash, hash_len, 00356 sig, sig_len, &rs->ecdsa_rs ) ); 00357 00358 cleanup: 00359 return( ret ); 00360 } 00361 00362 static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 00363 const unsigned char *hash, size_t hash_len, 00364 unsigned char *sig, size_t *sig_len, 00365 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 00366 void *rs_ctx ) 00367 { 00368 int ret; 00369 eckey_restart_ctx *rs = rs_ctx; 00370 00371 /* Should never happen */ 00372 if( rs == NULL ) 00373 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00374 00375 /* set up our own sub-context if needed (that is, on first run) */ 00376 if( rs->ecdsa_ctx.grp.pbits == 0 ) 00377 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) ); 00378 00379 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg, 00380 hash, hash_len, sig, sig_len, 00381 f_rng, p_rng, &rs->ecdsa_rs ) ); 00382 00383 cleanup: 00384 return( ret ); 00385 } 00386 #endif /* MBEDTLS_ECP_RESTARTABLE */ 00387 #endif /* MBEDTLS_ECDSA_C */ 00388 00389 static int eckey_check_pair( const void *pub, const void *prv ) 00390 { 00391 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub, 00392 (const mbedtls_ecp_keypair *) prv ) ); 00393 } 00394 00395 static void *eckey_alloc_wrap( void ) 00396 { 00397 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) ); 00398 00399 if( ctx != NULL ) 00400 mbedtls_ecp_keypair_init( ctx ); 00401 00402 return( ctx ); 00403 } 00404 00405 static void eckey_free_wrap( void *ctx ) 00406 { 00407 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx ); 00408 mbedtls_free( ctx ); 00409 } 00410 00411 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items ) 00412 { 00413 items->type = MBEDTLS_PK_DEBUG_ECP; 00414 items->name = "eckey.Q"; 00415 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q ); 00416 } 00417 00418 const mbedtls_pk_info_t mbedtls_eckey_info = { 00419 MBEDTLS_PK_ECKEY, 00420 "EC", 00421 eckey_get_bitlen, 00422 eckey_can_do, 00423 #if defined(MBEDTLS_ECDSA_C) 00424 eckey_verify_wrap, 00425 eckey_sign_wrap, 00426 #if defined(MBEDTLS_ECP_RESTARTABLE) 00427 eckey_verify_rs_wrap, 00428 eckey_sign_rs_wrap, 00429 #endif 00430 #else /* MBEDTLS_ECDSA_C */ 00431 NULL, 00432 NULL, 00433 #endif /* MBEDTLS_ECDSA_C */ 00434 NULL, 00435 NULL, 00436 eckey_check_pair, 00437 eckey_alloc_wrap, 00438 eckey_free_wrap, 00439 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00440 eckey_rs_alloc, 00441 eckey_rs_free, 00442 #endif 00443 eckey_debug, 00444 }; 00445 00446 /* 00447 * EC key restricted to ECDH 00448 */ 00449 static int eckeydh_can_do( mbedtls_pk_type_t type ) 00450 { 00451 return( type == MBEDTLS_PK_ECKEY || 00452 type == MBEDTLS_PK_ECKEY_DH ); 00453 } 00454 00455 const mbedtls_pk_info_t mbedtls_eckeydh_info = { 00456 MBEDTLS_PK_ECKEY_DH, 00457 "EC_DH", 00458 eckey_get_bitlen, /* Same underlying key structure */ 00459 eckeydh_can_do, 00460 NULL, 00461 NULL, 00462 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00463 NULL, 00464 NULL, 00465 #endif 00466 NULL, 00467 NULL, 00468 eckey_check_pair, 00469 eckey_alloc_wrap, /* Same underlying key structure */ 00470 eckey_free_wrap, /* Same underlying key structure */ 00471 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00472 NULL, 00473 NULL, 00474 #endif 00475 eckey_debug, /* Same underlying key structure */ 00476 }; 00477 #endif /* MBEDTLS_ECP_C */ 00478 00479 #if defined(MBEDTLS_ECDSA_C) 00480 static int ecdsa_can_do( mbedtls_pk_type_t type ) 00481 { 00482 return( type == MBEDTLS_PK_ECDSA ); 00483 } 00484 00485 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00486 /* 00487 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of 00488 * those integers and convert it to the fixed-length encoding expected by PSA. 00489 */ 00490 static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end, 00491 unsigned char *to, size_t to_len ) 00492 { 00493 int ret; 00494 size_t unpadded_len, padding_len; 00495 00496 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len, 00497 MBEDTLS_ASN1_INTEGER ) ) != 0 ) 00498 { 00499 return( ret ); 00500 } 00501 00502 while( unpadded_len > 0 && **from == 0x00 ) 00503 { 00504 ( *from )++; 00505 unpadded_len--; 00506 } 00507 00508 if( unpadded_len > to_len || unpadded_len == 0 ) 00509 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 00510 00511 padding_len = to_len - unpadded_len; 00512 memset( to, 0x00, padding_len ); 00513 memcpy( to + padding_len, *from, unpadded_len ); 00514 ( *from ) += unpadded_len; 00515 00516 return( 0 ); 00517 } 00518 00519 /* 00520 * Convert a signature from an ASN.1 sequence of two integers 00521 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least 00522 * twice as big as int_size. 00523 */ 00524 static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end, 00525 unsigned char *sig, size_t int_size ) 00526 { 00527 int ret; 00528 size_t tmp_size; 00529 00530 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size, 00531 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 00532 return( ret ); 00533 00534 /* Extract r */ 00535 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 ) 00536 return( ret ); 00537 /* Extract s */ 00538 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 ) 00539 return( ret ); 00540 00541 return( 0 ); 00542 } 00543 00544 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 00545 const unsigned char *hash, size_t hash_len, 00546 const unsigned char *sig, size_t sig_len ) 00547 { 00548 int ret; 00549 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 00550 psa_key_handle_t key_handle = 0; 00551 psa_status_t status; 00552 mbedtls_pk_context key; 00553 int key_len; 00554 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */ 00555 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES]; 00556 unsigned char *p; 00557 mbedtls_pk_info_t pk_info = mbedtls_eckey_info; 00558 psa_algorithm_t psa_sig_md, psa_md; 00559 psa_ecc_curve_t curve = mbedtls_psa_translate_ecc_group( 00560 ( (mbedtls_ecdsa_context *) ctx )->grp.id ); 00561 const size_t signature_part_size = ( ( (mbedtls_ecdsa_context *) ctx )->grp.nbits + 7 ) / 8; 00562 00563 if( curve == 0 ) 00564 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00565 00566 /* mbedtls_pk_write_pubkey() expects a full PK context; 00567 * re-construct one to make it happy */ 00568 key.pk_info = &pk_info; 00569 key.pk_ctx = ctx; 00570 p = buf + sizeof( buf ); 00571 key_len = mbedtls_pk_write_pubkey( &p, buf, &key ); 00572 if( key_len <= 0 ) 00573 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00574 00575 psa_md = mbedtls_psa_translate_md( md_alg ); 00576 if( psa_md == 0 ) 00577 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00578 psa_sig_md = PSA_ALG_ECDSA( psa_md ); 00579 00580 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) ); 00581 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY ); 00582 psa_set_key_algorithm( &attributes, psa_sig_md ); 00583 00584 status = psa_import_key( &attributes, 00585 buf + sizeof( buf ) - key_len, key_len, 00586 &key_handle ); 00587 if( status != PSA_SUCCESS ) 00588 { 00589 ret = mbedtls_psa_err_translate_pk( status ); 00590 goto cleanup; 00591 } 00592 00593 /* We don't need the exported key anymore and can 00594 * reuse its buffer for signature extraction. */ 00595 if( 2 * signature_part_size > sizeof( buf ) ) 00596 { 00597 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; 00598 goto cleanup; 00599 } 00600 00601 p = (unsigned char*) sig; 00602 if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf, 00603 signature_part_size ) ) != 0 ) 00604 { 00605 goto cleanup; 00606 } 00607 00608 if( psa_asymmetric_verify( key_handle, psa_sig_md, 00609 hash, hash_len, 00610 buf, 2 * signature_part_size ) 00611 != PSA_SUCCESS ) 00612 { 00613 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; 00614 goto cleanup; 00615 } 00616 00617 if( p != sig + sig_len ) 00618 { 00619 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 00620 goto cleanup; 00621 } 00622 ret = 0; 00623 00624 cleanup: 00625 psa_destroy_key( key_handle ); 00626 return( ret ); 00627 } 00628 #else /* MBEDTLS_USE_PSA_CRYPTO */ 00629 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 00630 const unsigned char *hash, size_t hash_len, 00631 const unsigned char *sig, size_t sig_len ) 00632 { 00633 int ret; 00634 ((void) md_alg); 00635 00636 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx, 00637 hash, hash_len, sig, sig_len ); 00638 00639 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 00640 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 00641 00642 return( ret ); 00643 } 00644 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00645 00646 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 00647 const unsigned char *hash, size_t hash_len, 00648 unsigned char *sig, size_t *sig_len, 00649 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00650 { 00651 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx, 00652 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) ); 00653 } 00654 00655 #if defined(MBEDTLS_ECP_RESTARTABLE) 00656 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 00657 const unsigned char *hash, size_t hash_len, 00658 const unsigned char *sig, size_t sig_len, 00659 void *rs_ctx ) 00660 { 00661 int ret; 00662 ((void) md_alg); 00663 00664 ret = mbedtls_ecdsa_read_signature_restartable( 00665 (mbedtls_ecdsa_context *) ctx, 00666 hash, hash_len, sig, sig_len, 00667 (mbedtls_ecdsa_restart_ctx *) rs_ctx ); 00668 00669 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 00670 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 00671 00672 return( ret ); 00673 } 00674 00675 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 00676 const unsigned char *hash, size_t hash_len, 00677 unsigned char *sig, size_t *sig_len, 00678 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 00679 void *rs_ctx ) 00680 { 00681 return( mbedtls_ecdsa_write_signature_restartable( 00682 (mbedtls_ecdsa_context *) ctx, 00683 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng, 00684 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) ); 00685 00686 } 00687 #endif /* MBEDTLS_ECP_RESTARTABLE */ 00688 00689 static void *ecdsa_alloc_wrap( void ) 00690 { 00691 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) ); 00692 00693 if( ctx != NULL ) 00694 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx ); 00695 00696 return( ctx ); 00697 } 00698 00699 static void ecdsa_free_wrap( void *ctx ) 00700 { 00701 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx ); 00702 mbedtls_free( ctx ); 00703 } 00704 00705 #if defined(MBEDTLS_ECP_RESTARTABLE) 00706 static void *ecdsa_rs_alloc( void ) 00707 { 00708 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) ); 00709 00710 if( ctx != NULL ) 00711 mbedtls_ecdsa_restart_init( ctx ); 00712 00713 return( ctx ); 00714 } 00715 00716 static void ecdsa_rs_free( void *ctx ) 00717 { 00718 mbedtls_ecdsa_restart_free( ctx ); 00719 mbedtls_free( ctx ); 00720 } 00721 #endif /* MBEDTLS_ECP_RESTARTABLE */ 00722 00723 const mbedtls_pk_info_t mbedtls_ecdsa_info = { 00724 MBEDTLS_PK_ECDSA, 00725 "ECDSA", 00726 eckey_get_bitlen, /* Compatible key structures */ 00727 ecdsa_can_do, 00728 ecdsa_verify_wrap, 00729 ecdsa_sign_wrap, 00730 #if defined(MBEDTLS_ECP_RESTARTABLE) 00731 ecdsa_verify_rs_wrap, 00732 ecdsa_sign_rs_wrap, 00733 #endif 00734 NULL, 00735 NULL, 00736 eckey_check_pair, /* Compatible key structures */ 00737 ecdsa_alloc_wrap, 00738 ecdsa_free_wrap, 00739 #if defined(MBEDTLS_ECP_RESTARTABLE) 00740 ecdsa_rs_alloc, 00741 ecdsa_rs_free, 00742 #endif 00743 eckey_debug, /* Compatible key structures */ 00744 }; 00745 #endif /* MBEDTLS_ECDSA_C */ 00746 00747 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 00748 /* 00749 * Support for alternative RSA-private implementations 00750 */ 00751 00752 static int rsa_alt_can_do( mbedtls_pk_type_t type ) 00753 { 00754 return( type == MBEDTLS_PK_RSA ); 00755 } 00756 00757 static size_t rsa_alt_get_bitlen( const void *ctx ) 00758 { 00759 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx; 00760 00761 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) ); 00762 } 00763 00764 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 00765 const unsigned char *hash, size_t hash_len, 00766 unsigned char *sig, size_t *sig_len, 00767 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00768 { 00769 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 00770 00771 #if SIZE_MAX > UINT_MAX 00772 if( UINT_MAX < hash_len ) 00773 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 00774 #endif /* SIZE_MAX > UINT_MAX */ 00775 00776 *sig_len = rsa_alt->key_len_func( rsa_alt->key ); 00777 00778 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 00779 md_alg, (unsigned int) hash_len, hash, sig ) ); 00780 } 00781 00782 static int rsa_alt_decrypt_wrap( void *ctx, 00783 const unsigned char *input, size_t ilen, 00784 unsigned char *output, size_t *olen, size_t osize, 00785 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00786 { 00787 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 00788 00789 ((void) f_rng); 00790 ((void) p_rng); 00791 00792 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) ) 00793 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00794 00795 return( rsa_alt->decrypt_func( rsa_alt->key, 00796 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 00797 } 00798 00799 #if defined(MBEDTLS_RSA_C) 00800 static int rsa_alt_check_pair( const void *pub, const void *prv ) 00801 { 00802 unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; 00803 unsigned char hash[32]; 00804 size_t sig_len = 0; 00805 int ret; 00806 00807 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) ) 00808 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00809 00810 memset( hash, 0x2a, sizeof( hash ) ); 00811 00812 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE, 00813 hash, sizeof( hash ), 00814 sig, &sig_len, NULL, NULL ) ) != 0 ) 00815 { 00816 return( ret ); 00817 } 00818 00819 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE, 00820 hash, sizeof( hash ), sig, sig_len ) != 0 ) 00821 { 00822 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00823 } 00824 00825 return( 0 ); 00826 } 00827 #endif /* MBEDTLS_RSA_C */ 00828 00829 static void *rsa_alt_alloc_wrap( void ) 00830 { 00831 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) ); 00832 00833 if( ctx != NULL ) 00834 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) ); 00835 00836 return( ctx ); 00837 } 00838 00839 static void rsa_alt_free_wrap( void *ctx ) 00840 { 00841 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) ); 00842 mbedtls_free( ctx ); 00843 } 00844 00845 const mbedtls_pk_info_t mbedtls_rsa_alt_info = { 00846 MBEDTLS_PK_RSA_ALT, 00847 "RSA-alt", 00848 rsa_alt_get_bitlen, 00849 rsa_alt_can_do, 00850 NULL, 00851 rsa_alt_sign_wrap, 00852 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00853 NULL, 00854 NULL, 00855 #endif 00856 rsa_alt_decrypt_wrap, 00857 NULL, 00858 #if defined(MBEDTLS_RSA_C) 00859 rsa_alt_check_pair, 00860 #else 00861 NULL, 00862 #endif 00863 rsa_alt_alloc_wrap, 00864 rsa_alt_free_wrap, 00865 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 00866 NULL, 00867 NULL, 00868 #endif 00869 NULL, 00870 }; 00871 00872 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ 00873 00874 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00875 00876 static void *pk_opaque_alloc_wrap( void ) 00877 { 00878 void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) ); 00879 00880 /* no _init() function to call, an calloc() already zeroized */ 00881 00882 return( ctx ); 00883 } 00884 00885 static void pk_opaque_free_wrap( void *ctx ) 00886 { 00887 mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) ); 00888 mbedtls_free( ctx ); 00889 } 00890 00891 static size_t pk_opaque_get_bitlen( const void *ctx ) 00892 { 00893 const psa_key_handle_t *key = (const psa_key_handle_t *) ctx; 00894 size_t bits; 00895 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 00896 00897 if( PSA_SUCCESS != psa_get_key_attributes( *key, &attributes ) ) 00898 return( 0 ); 00899 00900 bits = psa_get_key_bits( &attributes ); 00901 psa_reset_key_attributes( &attributes ); 00902 return( bits ); 00903 } 00904 00905 static int pk_opaque_can_do( mbedtls_pk_type_t type ) 00906 { 00907 /* For now opaque PSA keys can only wrap ECC keypairs, 00908 * as checked by setup_psa(). 00909 * Also, ECKEY_DH does not really make sense with the current API. */ 00910 return( type == MBEDTLS_PK_ECKEY || 00911 type == MBEDTLS_PK_ECDSA ); 00912 } 00913 00914 /* 00915 * Simultaneously convert and move raw MPI from the beginning of a buffer 00916 * to an ASN.1 MPI at the end of the buffer. 00917 * See also mbedtls_asn1_write_mpi(). 00918 * 00919 * p: pointer to the end of the output buffer 00920 * start: start of the output buffer, and also of the mpi to write at the end 00921 * n_len: length of the mpi to read from start 00922 */ 00923 static int asn1_write_mpibuf( unsigned char **p, unsigned char *start, 00924 size_t n_len ) 00925 { 00926 int ret; 00927 size_t len = 0; 00928 00929 if( (size_t)( *p - start ) < n_len ) 00930 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 00931 00932 len = n_len; 00933 *p -= len; 00934 memmove( *p, start, len ); 00935 00936 /* ASN.1 DER encoding requires minimal length, so skip leading 0s. 00937 * Neither r nor s should be 0, but as a failsafe measure, still detect 00938 * that rather than overflowing the buffer in case of a PSA error. */ 00939 while( len > 0 && **p == 0x00 ) 00940 { 00941 ++(*p); 00942 --len; 00943 } 00944 00945 /* this is only reached if the signature was invalid */ 00946 if( len == 0 ) 00947 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED ); 00948 00949 /* if the msb is 1, ASN.1 requires that we prepend a 0. 00950 * Neither r nor s can be 0, so we can assume len > 0 at all times. */ 00951 if( **p & 0x80 ) 00952 { 00953 if( *p - start < 1 ) 00954 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 00955 00956 *--(*p) = 0x00; 00957 len += 1; 00958 } 00959 00960 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); 00961 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, 00962 MBEDTLS_ASN1_INTEGER ) ); 00963 00964 return( (int) len ); 00965 } 00966 00967 /* Transcode signature from PSA format to ASN.1 sequence. 00968 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of 00969 * MPIs, and in-place. 00970 * 00971 * [in/out] sig: the signature pre- and post-transcoding 00972 * [in/out] sig_len: signature length pre- and post-transcoding 00973 * [int] buf_len: the available size the in/out buffer 00974 */ 00975 static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len, 00976 size_t buf_len ) 00977 { 00978 int ret; 00979 size_t len = 0; 00980 const size_t rs_len = *sig_len / 2; 00981 unsigned char *p = sig + buf_len; 00982 00983 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) ); 00984 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) ); 00985 00986 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) ); 00987 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig, 00988 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); 00989 00990 memmove( sig, p, len ); 00991 *sig_len = len; 00992 00993 return( 0 ); 00994 } 00995 00996 static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 00997 const unsigned char *hash, size_t hash_len, 00998 unsigned char *sig, size_t *sig_len, 00999 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 01000 { 01001 const psa_key_handle_t *key = (const psa_key_handle_t *) ctx; 01002 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 01003 psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); 01004 size_t buf_len; 01005 psa_status_t status; 01006 01007 /* PSA has its own RNG */ 01008 (void) f_rng; 01009 (void) p_rng; 01010 01011 /* PSA needs an output buffer of known size, but our API doesn't provide 01012 * that information. Assume that the buffer is large enough for a 01013 * maximal-length signature with that key (otherwise the application is 01014 * buggy anyway). */ 01015 status = psa_get_key_attributes( *key, &attributes ); 01016 if( status != PSA_SUCCESS ) 01017 return( mbedtls_psa_err_translate_pk( status ) ); 01018 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN( psa_get_key_bits( &attributes ) ); 01019 psa_reset_key_attributes( &attributes ); 01020 01021 /* make the signature */ 01022 status = psa_asymmetric_sign( *key, alg, hash, hash_len, 01023 sig, buf_len, sig_len ); 01024 if( status != PSA_SUCCESS ) 01025 return( mbedtls_psa_err_translate_pk( status ) ); 01026 01027 /* transcode it to ASN.1 sequence */ 01028 return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) ); 01029 } 01030 01031 const mbedtls_pk_info_t mbedtls_pk_opaque_info = { 01032 MBEDTLS_PK_OPAQUE, 01033 "Opaque", 01034 pk_opaque_get_bitlen, 01035 pk_opaque_can_do, 01036 NULL, /* verify - will be done later */ 01037 pk_opaque_sign_wrap, 01038 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 01039 NULL, /* restartable verify - not relevant */ 01040 NULL, /* restartable sign - not relevant */ 01041 #endif 01042 NULL, /* decrypt - will be done later */ 01043 NULL, /* encrypt - will be done later */ 01044 NULL, /* check_pair - could be done later or left NULL */ 01045 pk_opaque_alloc_wrap, 01046 pk_opaque_free_wrap, 01047 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 01048 NULL, /* restart alloc - not relevant */ 01049 NULL, /* restart free - not relevant */ 01050 #endif 01051 NULL, /* debug - could be done later, or even left NULL */ 01052 }; 01053 01054 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 01055 01056 #endif /* MBEDTLS_PK_C */
Generated on Tue Jul 12 2022 13:54:41 by
