psa_crypto_ecp: add helper for checking EC parameters
This commit also updates "test_suite_psa_crypto.data" replacing PSA_ERROR_NOT_SUPPORTED with PSA_ERROR_INVALID_ARGUMENT when a wrong bit size is provided while importing key. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
parent
d36c313b53
commit
673868be5d
2 changed files with 63 additions and 21 deletions
|
@ -32,6 +32,60 @@
|
||||||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
|
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
|
||||||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
|
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
|
||||||
|
/* Helper function to verify if the provided EC's family and key bit size are
|
||||||
|
* valid. */
|
||||||
|
static int check_ecc_parameters(psa_ecc_family_t family, size_t bits, int allow_bit_size_roundup)
|
||||||
|
{
|
||||||
|
switch (family) {
|
||||||
|
case PSA_ECC_FAMILY_SECP_R1:
|
||||||
|
switch (bits) {
|
||||||
|
case 192:
|
||||||
|
case 224:
|
||||||
|
case 256:
|
||||||
|
case 384:
|
||||||
|
case 521:
|
||||||
|
return PSA_SUCCESS;
|
||||||
|
case 528:
|
||||||
|
if (allow_bit_size_roundup) {
|
||||||
|
return PSA_SUCCESS;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
|
||||||
|
switch (bits) {
|
||||||
|
case 256:
|
||||||
|
case 384:
|
||||||
|
case 512:
|
||||||
|
return PSA_SUCCESS;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PSA_ECC_FAMILY_MONTGOMERY:
|
||||||
|
switch (bits) {
|
||||||
|
case 448:
|
||||||
|
case 255:
|
||||||
|
return PSA_SUCCESS;
|
||||||
|
case 256:
|
||||||
|
if (allow_bit_size_roundup) {
|
||||||
|
return PSA_SUCCESS;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PSA_ECC_FAMILY_SECP_K1:
|
||||||
|
switch (bits) {
|
||||||
|
case 192:
|
||||||
|
case 224:
|
||||||
|
case 256:
|
||||||
|
return PSA_SUCCESS;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return PSA_ERROR_INVALID_ARGUMENT;
|
||||||
|
}
|
||||||
|
|
||||||
psa_status_t mbedtls_psa_ecp_load_representation(
|
psa_status_t mbedtls_psa_ecp_load_representation(
|
||||||
psa_key_type_t type, size_t curve_bits,
|
psa_key_type_t type, size_t curve_bits,
|
||||||
const uint8_t *data, size_t data_length,
|
const uint8_t *data, size_t data_length,
|
||||||
|
@ -41,7 +95,6 @@ psa_status_t mbedtls_psa_ecp_load_representation(
|
||||||
psa_status_t status;
|
psa_status_t status;
|
||||||
mbedtls_ecp_keypair *ecp = NULL;
|
mbedtls_ecp_keypair *ecp = NULL;
|
||||||
size_t curve_bytes = data_length;
|
size_t curve_bytes = data_length;
|
||||||
size_t curve_bits_check;
|
|
||||||
int explicit_bits = (curve_bits != 0);
|
int explicit_bits = (curve_bits != 0);
|
||||||
|
|
||||||
if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
|
if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
|
||||||
|
@ -83,27 +136,16 @@ psa_status_t mbedtls_psa_ecp_load_representation(
|
||||||
}
|
}
|
||||||
mbedtls_ecp_keypair_init(ecp);
|
mbedtls_ecp_keypair_init(ecp);
|
||||||
|
|
||||||
|
status = check_ecc_parameters(PSA_KEY_TYPE_ECC_GET_FAMILY(type), curve_bits,
|
||||||
|
!explicit_bits);
|
||||||
|
if (status != PSA_SUCCESS) {
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
/* Load the group. */
|
/* Load the group. */
|
||||||
grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
|
grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
|
||||||
curve_bits);
|
curve_bits);
|
||||||
if (grp_id == MBEDTLS_ECP_DP_NONE) {
|
if (grp_id == MBEDTLS_ECP_DP_NONE) {
|
||||||
/* We can't distinguish between a nonsensical family/size combination
|
|
||||||
* (which would warrant PSA_ERROR_INVALID_ARGUMENT) and a
|
|
||||||
* well-regarded curve that Mbed TLS just doesn't know about (which
|
|
||||||
* would warrant PSA_ERROR_NOT_SUPPORTED). For uniformity with how
|
|
||||||
* curves that Mbed TLS knows about but for which support is disabled
|
|
||||||
* at build time, return NOT_SUPPORTED. */
|
|
||||||
status = PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Get the exact number of bits which are necessary for this key. This is
|
|
||||||
* used to validate the "curve_bits" input parameter (only in case it was
|
|
||||||
* provided).
|
|
||||||
* Note: we intentionally ignore the return value of mbedtls_ecc_group_to_psa()
|
|
||||||
* because we are only interested in the curve's bit size. */
|
|
||||||
mbedtls_ecc_group_to_psa(grp_id, &curve_bits_check);
|
|
||||||
if (explicit_bits && (curve_bits_check != curve_bits)) {
|
|
||||||
status = PSA_ERROR_NOT_SUPPORTED;
|
status = PSA_ERROR_NOT_SUPPORTED;
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
|
@ -684,7 +684,7 @@ import_with_data:"":PSA_KEY_TYPE_RAW_DATA:8:PSA_ERROR_INVALID_ARGUMENT
|
||||||
|
|
||||||
PSA import EC keypair: explicit bit-size=255 for secp256r1
|
PSA import EC keypair: explicit bit-size=255 for secp256r1
|
||||||
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
||||||
import_with_data:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):255:PSA_ERROR_NOT_SUPPORTED
|
import_with_data:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):255:PSA_ERROR_INVALID_ARGUMENT
|
||||||
|
|
||||||
PSA import EC keypair: explicit bit-size=521 for secp521r1 (good)
|
PSA import EC keypair: explicit bit-size=521 for secp521r1 (good)
|
||||||
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
|
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
|
||||||
|
@ -692,7 +692,7 @@ import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af
|
||||||
|
|
||||||
PSA import EC keypair: explicit bit-size=528 for secp521r1 (bad)
|
PSA import EC keypair: explicit bit-size=528 for secp521r1 (bad)
|
||||||
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
|
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_521
|
||||||
import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):528:PSA_ERROR_NOT_SUPPORTED
|
import_with_data:"01b1b6ad07bb79e7320da59860ea28e055284f6058f279de666e06d435d2af7bda28d99fa47b7dd0963e16b0073078ee8b8a38d966a582f46d19ff95df3ad9685aae":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):528:PSA_ERROR_INVALID_ARGUMENT
|
||||||
|
|
||||||
PSA import EC keypair: explicit bit-size, DER format
|
PSA import EC keypair: explicit bit-size, DER format
|
||||||
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
||||||
|
@ -716,7 +716,7 @@ import_with_data:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba0120
|
||||||
|
|
||||||
PSA import EC keypair: implicit bit-size, not a valid length
|
PSA import EC keypair: implicit bit-size, not a valid length
|
||||||
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
||||||
import_with_data:"0123456789abcdef0123456789abcdef":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_NOT_SUPPORTED
|
import_with_data:"0123456789abcdef0123456789abcdef":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_ERROR_INVALID_ARGUMENT
|
||||||
|
|
||||||
PSA import EC keypair: secp256r1, all-bits-zero (bad)
|
PSA import EC keypair: secp256r1, all-bits-zero (bad)
|
||||||
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
|
||||||
|
|
Loading…
Reference in a new issue