2023-02-20 18:08:30 +01:00
|
|
|
/*
|
|
|
|
* Driver entry points for p256-m
|
|
|
|
*/
|
|
|
|
/*
|
|
|
|
* Copyright The Mbed TLS Contributors
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
* not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2023-01-12 17:29:02 +01:00
|
|
|
#include "mbedtls/platform.h"
|
|
|
|
#include "p256-m_driver_entrypoints.h"
|
|
|
|
#include "p256-m/p256-m.h"
|
|
|
|
#include "psa/crypto.h"
|
2023-04-18 18:00:17 +02:00
|
|
|
#include <stddef.h>
|
2023-08-07 10:56:12 +02:00
|
|
|
#include <string.h>
|
2023-08-08 05:41:07 +02:00
|
|
|
#include "psa_crypto_driver_wrappers.h"
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-09-20 20:49:47 +02:00
|
|
|
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-04-19 04:31:10 +02:00
|
|
|
/* INFORMATION ON PSA KEY EXPORT FORMATS:
|
|
|
|
*
|
|
|
|
* PSA exports SECP256R1 keys in two formats:
|
|
|
|
* 1. Keypair format: 32 byte string which is just the private key (public key
|
|
|
|
* can be calculated from the private key)
|
|
|
|
* 2. Public Key format: A leading byte 0x04 (indicating uncompressed format),
|
|
|
|
* followed by the 64 byte public key. This results in a
|
|
|
|
* total of 65 bytes.
|
|
|
|
*
|
|
|
|
* p256-m's internal format for private keys matches PSA. Its format for public
|
2023-09-20 09:28:02 +02:00
|
|
|
* keys is only 64 bytes: the same as PSA but without the leading byte (0x04).
|
2023-04-19 04:31:10 +02:00
|
|
|
* Hence, when passing public keys from PSA to p256-m, the leading byte is
|
|
|
|
* removed.
|
2023-08-09 11:53:09 +02:00
|
|
|
*
|
|
|
|
* Shared secret and signature have the same format between PSA and p256-m.
|
2023-04-19 04:31:10 +02:00
|
|
|
*/
|
2023-08-09 11:53:09 +02:00
|
|
|
#define PSA_PUBKEY_SIZE 65
|
|
|
|
#define PSA_PUBKEY_HEADER_BYTE 0x04
|
|
|
|
#define P256_PUBKEY_SIZE 64
|
|
|
|
#define PRIVKEY_SIZE 32
|
|
|
|
#define SHARED_SECRET_SIZE 32
|
|
|
|
#define SIGNATURE_SIZE 64
|
|
|
|
|
|
|
|
#define CURVE_BITS 256
|
2023-04-19 04:31:10 +02:00
|
|
|
|
|
|
|
/* Convert between p256-m and PSA error codes */
|
|
|
|
static psa_status_t p256_to_psa_error(int ret)
|
2023-01-12 17:29:02 +01:00
|
|
|
{
|
2023-03-21 19:56:31 +01:00
|
|
|
switch (ret) {
|
2023-01-12 17:29:02 +01:00
|
|
|
case P256_SUCCESS:
|
2023-03-21 19:56:31 +01:00
|
|
|
return PSA_SUCCESS;
|
2023-01-12 17:29:02 +01:00
|
|
|
case P256_INVALID_PUBKEY:
|
|
|
|
case P256_INVALID_PRIVKEY:
|
2023-03-21 19:56:31 +01:00
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
2023-01-12 17:29:02 +01:00
|
|
|
case P256_INVALID_SIGNATURE:
|
2023-03-21 19:56:31 +01:00
|
|
|
return PSA_ERROR_INVALID_SIGNATURE;
|
2023-01-12 17:29:02 +01:00
|
|
|
case P256_RANDOM_FAILED:
|
|
|
|
default:
|
2023-03-21 19:56:31 +01:00
|
|
|
return PSA_ERROR_GENERIC_ERROR;
|
2023-01-12 17:29:02 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-08-07 10:56:12 +02:00
|
|
|
psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
|
|
|
|
const uint8_t *data,
|
|
|
|
size_t data_length,
|
|
|
|
uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
|
|
|
size_t *key_buffer_length,
|
|
|
|
size_t *bits)
|
|
|
|
{
|
|
|
|
/* Check the key size */
|
2023-08-09 11:53:09 +02:00
|
|
|
if (*bits != 0 && *bits != CURVE_BITS) {
|
2023-08-07 10:56:12 +02:00
|
|
|
return PSA_ERROR_NOT_SUPPORTED;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate the key (and its type and size) */
|
|
|
|
psa_key_type_t type = psa_get_key_type(attributes);
|
|
|
|
if (type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
|
2023-08-09 11:53:09 +02:00
|
|
|
if (data_length != PSA_PUBKEY_SIZE) {
|
2023-08-07 10:56:12 +02:00
|
|
|
return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
|
|
|
|
}
|
2023-09-20 09:28:02 +02:00
|
|
|
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
2023-08-07 10:56:12 +02:00
|
|
|
if (p256_validate_pubkey(data + 1) != P256_SUCCESS) {
|
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
|
|
|
}
|
|
|
|
} else if (type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
|
2023-08-09 11:53:09 +02:00
|
|
|
if (data_length != PRIVKEY_SIZE) {
|
2023-08-07 10:56:12 +02:00
|
|
|
return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
|
|
|
|
}
|
|
|
|
if (p256_validate_privkey(data) != P256_SUCCESS) {
|
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
return PSA_ERROR_NOT_SUPPORTED;
|
|
|
|
}
|
2023-08-09 11:53:09 +02:00
|
|
|
*bits = CURVE_BITS;
|
2023-08-07 10:56:12 +02:00
|
|
|
|
|
|
|
/* We only support the export format for input, so just copy. */
|
|
|
|
if (key_buffer_size < data_length) {
|
|
|
|
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
|
|
}
|
|
|
|
memcpy(key_buffer, data, data_length);
|
|
|
|
*key_buffer_length = data_length;
|
|
|
|
|
|
|
|
return PSA_SUCCESS;
|
|
|
|
}
|
|
|
|
|
2023-08-07 11:18:05 +02:00
|
|
|
psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
|
|
|
|
const uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
|
|
|
uint8_t *data,
|
|
|
|
size_t data_size,
|
|
|
|
size_t *data_length)
|
|
|
|
{
|
|
|
|
/* Is this the right curve? */
|
|
|
|
size_t bits = psa_get_key_bits(attributes);
|
|
|
|
psa_key_type_t type = psa_get_key_type(attributes);
|
2023-08-09 11:53:09 +02:00
|
|
|
if (bits != CURVE_BITS || type != PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
|
2023-08-07 11:18:05 +02:00
|
|
|
return PSA_ERROR_NOT_SUPPORTED;
|
|
|
|
}
|
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
/* Validate sizes, as p256-m expects fixed-size buffers */
|
2023-08-09 11:53:09 +02:00
|
|
|
if (key_buffer_size != PRIVKEY_SIZE) {
|
2023-09-20 09:22:29 +02:00
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
2023-08-07 11:18:05 +02:00
|
|
|
}
|
2023-08-09 11:53:09 +02:00
|
|
|
if (data_size < PSA_PUBKEY_SIZE) {
|
2023-08-07 11:18:05 +02:00
|
|
|
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
|
|
}
|
|
|
|
|
2023-09-20 09:28:02 +02:00
|
|
|
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
2023-08-09 11:53:09 +02:00
|
|
|
data[0] = PSA_PUBKEY_HEADER_BYTE;
|
2023-08-07 11:18:05 +02:00
|
|
|
int ret = p256_public_from_private(data + 1, key_buffer);
|
2023-08-08 12:23:42 +02:00
|
|
|
if (ret == P256_SUCCESS) {
|
2023-08-09 11:53:09 +02:00
|
|
|
*data_length = PSA_PUBKEY_SIZE;
|
2023-08-07 11:18:05 +02:00
|
|
|
}
|
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
return p256_to_psa_error(ret);
|
2023-08-07 11:18:05 +02:00
|
|
|
}
|
|
|
|
|
2023-01-23 15:59:29 +01:00
|
|
|
psa_status_t p256_transparent_generate_key(
|
2023-01-12 17:29:02 +01:00
|
|
|
const psa_key_attributes_t *attributes,
|
|
|
|
uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
2023-03-21 19:56:31 +01:00
|
|
|
size_t *key_buffer_length)
|
2023-01-12 17:29:02 +01:00
|
|
|
{
|
|
|
|
/* We don't use this argument, but the specification mandates the signature
|
|
|
|
* of driver entry-points. (void) used to avoid compiler warning. */
|
|
|
|
(void) attributes;
|
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
/* Validate sizes, as p256-m expects fixed-size buffers */
|
2023-08-09 11:53:09 +02:00
|
|
|
if (key_buffer_size != PRIVKEY_SIZE) {
|
2023-08-08 12:23:42 +02:00
|
|
|
return PSA_ERROR_BUFFER_TOO_SMALL;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* p256-m's keypair generation function outputs both public and private
|
|
|
|
* keys. Allocate a buffer to which the public key will be written. The
|
|
|
|
* private key will be written to key_buffer, which is passed to this
|
|
|
|
* function as an argument. */
|
2023-08-09 11:53:09 +02:00
|
|
|
uint8_t public_key_buffer[P256_PUBKEY_SIZE];
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
int ret = p256_gen_keypair(key_buffer, public_key_buffer);
|
|
|
|
if (ret == P256_SUCCESS) {
|
2023-08-09 11:53:09 +02:00
|
|
|
*key_buffer_length = PRIVKEY_SIZE;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
return p256_to_psa_error(ret);
|
2023-01-12 17:29:02 +01:00
|
|
|
}
|
|
|
|
|
2023-01-23 15:59:29 +01:00
|
|
|
psa_status_t p256_transparent_key_agreement(
|
2023-01-12 17:29:02 +01:00
|
|
|
const psa_key_attributes_t *attributes,
|
|
|
|
const uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
|
|
|
psa_algorithm_t alg,
|
|
|
|
const uint8_t *peer_key,
|
|
|
|
size_t peer_key_length,
|
|
|
|
uint8_t *shared_secret,
|
|
|
|
size_t shared_secret_size,
|
2023-03-21 19:56:31 +01:00
|
|
|
size_t *shared_secret_length)
|
2023-01-12 17:29:02 +01:00
|
|
|
{
|
|
|
|
/* We don't use these arguments, but the specification mandates the
|
|
|
|
* sginature of driver entry-points. (void) used to avoid compiler
|
|
|
|
* warning. */
|
|
|
|
(void) attributes;
|
|
|
|
(void) alg;
|
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
/* Validate sizes, as p256-m expects fixed-size buffers */
|
2023-08-09 11:53:09 +02:00
|
|
|
if (key_buffer_size != PRIVKEY_SIZE || peer_key_length != PSA_PUBKEY_SIZE) {
|
2023-08-08 12:23:42 +02:00
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
|
|
|
}
|
2023-08-09 11:53:09 +02:00
|
|
|
if (shared_secret_size < SHARED_SECRET_SIZE) {
|
2023-08-08 12:23:42 +02:00
|
|
|
return PSA_ERROR_BUFFER_TOO_SMALL;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-09-20 09:28:02 +02:00
|
|
|
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
2023-09-20 16:12:46 +02:00
|
|
|
const uint8_t *peer_key_p256m = peer_key + 1;
|
2023-09-20 09:28:02 +02:00
|
|
|
int ret = p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key_p256m);
|
2023-08-08 12:23:42 +02:00
|
|
|
if (ret == P256_SUCCESS) {
|
2023-08-09 11:53:09 +02:00
|
|
|
*shared_secret_length = SHARED_SECRET_SIZE;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
return p256_to_psa_error(ret);
|
2023-01-12 17:29:02 +01:00
|
|
|
}
|
|
|
|
|
2023-01-23 15:59:29 +01:00
|
|
|
psa_status_t p256_transparent_sign_hash(
|
2023-01-12 17:29:02 +01:00
|
|
|
const psa_key_attributes_t *attributes,
|
|
|
|
const uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
|
|
|
psa_algorithm_t alg,
|
|
|
|
const uint8_t *hash,
|
|
|
|
size_t hash_length,
|
|
|
|
uint8_t *signature,
|
|
|
|
size_t signature_size,
|
2023-03-21 19:56:31 +01:00
|
|
|
size_t *signature_length)
|
2023-01-12 17:29:02 +01:00
|
|
|
{
|
|
|
|
/* We don't use these arguments, but the specification mandates the
|
|
|
|
* sginature of driver entry-points. (void) used to avoid compiler
|
|
|
|
* warning. */
|
|
|
|
(void) attributes;
|
|
|
|
(void) alg;
|
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
/* Validate sizes, as p256-m expects fixed-size buffers */
|
2023-08-09 11:53:09 +02:00
|
|
|
if (key_buffer_size != PRIVKEY_SIZE) {
|
2023-09-20 09:22:29 +02:00
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
2023-08-08 12:23:42 +02:00
|
|
|
}
|
2023-08-09 11:53:09 +02:00
|
|
|
if (signature_size < SIGNATURE_SIZE) {
|
2023-08-08 12:23:42 +02:00
|
|
|
return PSA_ERROR_BUFFER_TOO_SMALL;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
int ret = p256_ecdsa_sign(signature, key_buffer, hash, hash_length);
|
|
|
|
if (ret == P256_SUCCESS) {
|
2023-08-09 11:53:09 +02:00
|
|
|
*signature_length = SIGNATURE_SIZE;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
return p256_to_psa_error(ret);
|
2023-01-12 17:29:02 +01:00
|
|
|
}
|
|
|
|
|
2023-08-09 11:53:09 +02:00
|
|
|
/* This function expects the key buffer to contain a PSA public key,
|
2023-01-12 17:29:02 +01:00
|
|
|
* as exported by psa_export_public_key() */
|
2023-01-23 15:59:29 +01:00
|
|
|
static psa_status_t p256_verify_hash_with_public_key(
|
2023-01-12 17:29:02 +01:00
|
|
|
const uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
|
|
|
const uint8_t *hash,
|
|
|
|
size_t hash_length,
|
|
|
|
const uint8_t *signature,
|
2023-03-21 19:56:31 +01:00
|
|
|
size_t signature_length)
|
2023-01-12 17:29:02 +01:00
|
|
|
{
|
2023-08-08 12:23:42 +02:00
|
|
|
/* Validate sizes, as p256-m expects fixed-size buffers */
|
2023-08-09 11:53:09 +02:00
|
|
|
if (key_buffer_size != PSA_PUBKEY_SIZE || *key_buffer != PSA_PUBKEY_HEADER_BYTE) {
|
2023-09-20 09:22:29 +02:00
|
|
|
return PSA_ERROR_INVALID_ARGUMENT;
|
2023-08-08 12:23:42 +02:00
|
|
|
}
|
2023-08-09 11:53:09 +02:00
|
|
|
if (signature_length != SIGNATURE_SIZE) {
|
2023-08-08 12:23:42 +02:00
|
|
|
return PSA_ERROR_INVALID_SIGNATURE;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-09-20 09:28:02 +02:00
|
|
|
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
|
|
|
const uint8_t *public_key_p256m = key_buffer + 1;
|
|
|
|
int ret = p256_ecdsa_verify(signature, public_key_p256m, hash, hash_length);
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-08-08 12:23:42 +02:00
|
|
|
return p256_to_psa_error(ret);
|
2023-01-12 17:29:02 +01:00
|
|
|
}
|
|
|
|
|
2023-01-23 15:59:29 +01:00
|
|
|
psa_status_t p256_transparent_verify_hash(
|
2023-01-12 17:29:02 +01:00
|
|
|
const psa_key_attributes_t *attributes,
|
|
|
|
const uint8_t *key_buffer,
|
|
|
|
size_t key_buffer_size,
|
|
|
|
psa_algorithm_t alg,
|
|
|
|
const uint8_t *hash,
|
|
|
|
size_t hash_length,
|
|
|
|
const uint8_t *signature,
|
2023-03-21 19:56:31 +01:00
|
|
|
size_t signature_length)
|
2023-01-12 17:29:02 +01:00
|
|
|
{
|
|
|
|
/* We don't use this argument, but the specification mandates the signature
|
|
|
|
* of driver entry-points. (void) used to avoid compiler warning. */
|
|
|
|
(void) alg;
|
|
|
|
|
|
|
|
psa_status_t status;
|
2023-08-09 11:53:09 +02:00
|
|
|
uint8_t public_key_buffer[PSA_PUBKEY_SIZE];
|
|
|
|
size_t public_key_buffer_size = PSA_PUBKEY_SIZE;
|
2023-04-18 18:00:17 +02:00
|
|
|
|
2023-08-09 11:53:09 +02:00
|
|
|
size_t public_key_length = PSA_PUBKEY_SIZE;
|
2023-04-18 18:00:17 +02:00
|
|
|
/* As p256-m doesn't require dynamic allocation, we want to avoid it in
|
|
|
|
* the entrypoint functions as well. psa_driver_wrapper_export_public_key()
|
|
|
|
* requires size_t*, so we use a pointer to a stack variable. */
|
|
|
|
size_t *public_key_length_ptr = &public_key_length;
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-04-19 04:31:10 +02:00
|
|
|
/* The contents of key_buffer may either be the 32 byte private key
|
|
|
|
* (keypair format), or 0x04 followed by the 64 byte public key (public
|
|
|
|
* key format). To ensure the key is in the latter format, the public key
|
|
|
|
* is exported. */
|
2023-01-12 17:29:02 +01:00
|
|
|
status = psa_driver_wrapper_export_public_key(
|
2023-03-21 19:56:31 +01:00
|
|
|
attributes,
|
|
|
|
key_buffer,
|
|
|
|
key_buffer_size,
|
|
|
|
public_key_buffer,
|
|
|
|
public_key_buffer_size,
|
2023-04-18 18:00:17 +02:00
|
|
|
public_key_length_ptr);
|
2023-03-21 19:56:31 +01:00
|
|
|
if (status != PSA_SUCCESS) {
|
2023-01-12 17:29:02 +01:00
|
|
|
goto exit;
|
2023-03-21 19:56:31 +01:00
|
|
|
}
|
2023-01-12 17:29:02 +01:00
|
|
|
|
2023-01-23 15:59:29 +01:00
|
|
|
status = p256_verify_hash_with_public_key(
|
2023-03-21 19:56:31 +01:00
|
|
|
public_key_buffer,
|
|
|
|
public_key_buffer_size,
|
|
|
|
hash,
|
|
|
|
hash_length,
|
|
|
|
signature,
|
|
|
|
signature_length);
|
2023-01-12 17:29:02 +01:00
|
|
|
|
|
|
|
exit:
|
2023-03-21 19:56:31 +01:00
|
|
|
return status;
|
2023-01-12 17:29:02 +01:00
|
|
|
}
|
|
|
|
|
2023-09-20 20:49:47 +02:00
|
|
|
#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
|