Merge branch 'iotssl-2597-psa-hashing-x509' into development-psa-proposed
This commit is contained in:
commit
3441d2e4a4
2 changed files with 54 additions and 7 deletions
|
@ -49,6 +49,11 @@
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#include "mbedtls/psa_util.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PLATFORM_C)
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
#else
|
#else
|
||||||
|
@ -1892,16 +1897,35 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
||||||
mbedtls_x509_crt *parent,
|
mbedtls_x509_crt *parent,
|
||||||
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||||
{
|
{
|
||||||
const mbedtls_md_info_t *md_info;
|
|
||||||
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
||||||
|
size_t hash_len;
|
||||||
|
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
const mbedtls_md_info_t *md_info;
|
||||||
md_info = mbedtls_md_info_from_type( child->sig_md );
|
md_info = mbedtls_md_info_from_type( child->sig_md );
|
||||||
|
hash_len = mbedtls_md_get_size( md_info );
|
||||||
|
|
||||||
|
/* Note: hash errors can happen only after an internal error */
|
||||||
if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
|
if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
|
||||||
|
return( -1 );
|
||||||
|
#else
|
||||||
|
psa_hash_operation_t hash_operation;
|
||||||
|
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( child->sig_md );
|
||||||
|
|
||||||
|
if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
|
||||||
|
return( -1 );
|
||||||
|
|
||||||
|
if( psa_hash_update( &hash_operation, child->tbs.p, child->tbs.len )
|
||||||
|
!= PSA_SUCCESS )
|
||||||
{
|
{
|
||||||
/* Note: this can't happen except after an internal error */
|
|
||||||
return( -1 );
|
return( -1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
|
||||||
|
!= PSA_SUCCESS )
|
||||||
|
{
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
/* Skip expensive computation on obvious mismatch */
|
/* Skip expensive computation on obvious mismatch */
|
||||||
if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
|
if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
|
||||||
return( -1 );
|
return( -1 );
|
||||||
|
@ -1910,7 +1934,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
||||||
if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
|
if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
|
||||||
{
|
{
|
||||||
return( mbedtls_pk_verify_restartable( &parent->pk,
|
return( mbedtls_pk_verify_restartable( &parent->pk,
|
||||||
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
child->sig_md, hash, hash_len,
|
||||||
child->sig.p, child->sig.len, &rs_ctx->pk ) );
|
child->sig.p, child->sig.len, &rs_ctx->pk ) );
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
|
@ -1918,7 +1942,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
|
return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
|
||||||
child->sig_md, hash, mbedtls_md_get_size( md_info ),
|
child->sig_md, hash, hash_len,
|
||||||
child->sig.p, child->sig.len ) );
|
child->sig.p, child->sig.len ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -37,6 +37,11 @@
|
||||||
#include "mbedtls/asn1write.h"
|
#include "mbedtls/asn1write.h"
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#include "mbedtls/psa_util.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
@ -136,7 +141,11 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
|
||||||
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
|
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
mbedtls_pk_type_t pk_alg;
|
mbedtls_pk_type_t pk_alg;
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
psa_hash_operation_t hash_operation;
|
||||||
|
size_t hash_len;
|
||||||
|
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
/*
|
/*
|
||||||
* Prepare data to be signed in tmp_buf
|
* Prepare data to be signed in tmp_buf
|
||||||
*/
|
*/
|
||||||
|
@ -187,9 +196,23 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Prepare signature
|
* Prepare signature
|
||||||
|
* Note: hash errors can happen only after an internal error
|
||||||
*/
|
*/
|
||||||
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
|
||||||
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||||
|
|
||||||
|
if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
|
||||||
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||||
|
|
||||||
|
if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
|
||||||
|
!= PSA_SUCCESS )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||||
|
}
|
||||||
|
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
||||||
|
#endif
|
||||||
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||||
f_rng, p_rng ) ) != 0 )
|
f_rng, p_rng ) ) != 0 )
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue