Enforce minimum key size when generating RSA key size
Add a configuration option to enforce a minimum size when generating an RSA key. Its default value is 1024 bits, since this is the minimum secure value currently, but it can be any value greater than or equal to 128 bits. Tests were modified to accommodate this change. Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
parent
51ed3139d1
commit
76336c3e4d
6 changed files with 40 additions and 19 deletions
|
@ -1335,6 +1335,15 @@
|
|||
*/
|
||||
//#define MBEDTLS_RSA_NO_CRT
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_MIN_KEY_SIZE
|
||||
*
|
||||
* Minimum RSA key size allowed in bits.
|
||||
*
|
||||
* Minimum possible value is 128 bits.
|
||||
*/
|
||||
#define MBEDTLS_RSA_MIN_KEY_SIZE 1024
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SELF_TEST
|
||||
*
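Review bot: The doc comment for `MBEDTLS_RSA_MIN_KEY_SIZE` does not say which operations the limit covers, nor that the 1024-bit default is a compatibility floor rather than a recommended strength. Judging by the rsa.c change in this commit, the macro is checked only in `mbedtls_rsa_gen_key`, so the comment should state that it applies to key generation and, as far as this commit shows, not to importing, parsing or using existing keys. I would add a line such as `* The default of 1024 bits is kept for compatibility; current guidance (e.g. NIST SP 800-131A) calls for at least 2048 bits for new RSA keys.` The comment also states a lower bound of 128 bits that no visible line enforces; a compile-time `#error` for smaller values would make that bound real.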
|
||||
|
|
|
@ -550,6 +550,11 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
if (nbits < MBEDTLS_RSA_MIN_KEY_SIZE) {
|
||||
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* find primes P and Q with Q < P so that:
|
||||
* 1. |P-Q| > 2^( nbits / 2 - 100 )
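Review bot: The new test `if (nbits < MBEDTLS_RSA_MIN_KEY_SIZE)` uses the macro with no fallback visible in this commit, so a build using a custom configuration file that predates the option would presumably fail to compile rsa.c. A default next to the use would avoid that: `#if !defined(MBEDTLS_RSA_MIN_KEY_SIZE)` / `#define MBEDTLS_RSA_MIN_KEY_SIZE 1024` / `#endif`. A short comment above the check, e.g. `/* Reject sizes below the configured floor before any prime generation. */`, would also help, since the error code appears to be the same one the preceding parameter check returns and the two are otherwise hard to tell apart. The body of `mbedtls_rsa_gen_key` starts and ends outside the hunk.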
|
||||
|
|
|
@ -8,9 +8,9 @@ PK write valid parameters
|
|||
depends_on:MBEDTLS_RSA_C
|
||||
valid_parameters_pkwrite:"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"
|
||||
|
||||
PK utils: RSA 512-bit
|
||||
PK utils: RSA 1024-bit
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
|
||||
pk_utils:MBEDTLS_PK_RSA:512:512:64:"RSA"
|
||||
pk_utils:MBEDTLS_PK_RSA:1024:1024:128:"RSA"
|
||||
|
||||
PK utils: ECKEY SECP192R1
|
||||
depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
|
@ -402,7 +402,7 @@ pk_sign_verify:MBEDTLS_PK_ECKEY_DH:MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ERR_PK_TYPE_
|
|||
|
||||
RSA sign-verify
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME
|
||||
pk_sign_verify:MBEDTLS_PK_RSA:512:0:0
|
||||
pk_sign_verify:MBEDTLS_PK_RSA:1024:0:0
|
||||
|
||||
RSA encrypt-decrypt test
|
||||
depends_on:MBEDTLS_PKCS1_V15
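Review bot: The two cases moved to 1024 bits, `pk_utils:MBEDTLS_PK_RSA:1024:1024:128:"RSA"` and `pk_sign_verify:MBEDTLS_PK_RSA:1024:0:0`, carry no dependency on the new option. Assuming they generate their key (both depend on `MBEDTLS_GENPRIME`), they will fail rather than be skipped in a build that sets `MBEDTLS_RSA_MIN_KEY_SIZE` above 1024. The PSA test data in this same commit guards its cases with `MBEDTLS_RSA_MIN_KEY_SIZE <= 1024`; the same term should be appended here, e.g. `depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_RSA_MIN_KEY_SIZE <= 1024`.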
|
||||
|
|
|
@ -21,8 +21,8 @@
|
|||
/* Used for properly sizing the key buffer in pk_genkey_ec() */
|
||||
#include "psa_util_internal.h"
|
||||
|
||||
#define RSA_KEY_SIZE 512
|
||||
#define RSA_KEY_LEN 64
|
||||
#define RSA_KEY_SIZE 1024
|
||||
#define RSA_KEY_LEN 128
|
||||
|
||||
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
|
||||
static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
|
||||
|
@ -1198,8 +1198,8 @@ void pk_rsa_alt()
|
|||
mbedtls_rsa_context raw;
|
||||
mbedtls_pk_context rsa, alt;
|
||||
mbedtls_pk_debug_item dbg_items[10];
|
||||
unsigned char hash[50], sig[64];
|
||||
unsigned char msg[50], ciph[64], test[50];
|
||||
unsigned char hash[50], sig[RSA_KEY_LEN];
|
||||
unsigned char msg[50], ciph[RSA_KEY_LEN], test[50];
|
||||
size_t sig_len, ciph_len, test_len;
|
||||
int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
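Review bot: `RSA_KEY_LEN` is a second hand-maintained constant that has to stay equal to `RSA_KEY_SIZE / 8`. Now that `sig` and `ciph` in `pk_rsa_alt` are sized from it, a later edit to only one of the two defines would leave those buffers too small for the key in use. Deriving it removes that risk: `#define RSA_KEY_LEN (RSA_KEY_SIZE / 8)`. The fixed 1024 also does not follow `MBEDTLS_RSA_MIN_KEY_SIZE`, so tests using `RSA_KEY_SIZE` would presumably fail under a larger configured minimum. `pk_rsa_alt` continues outside the hunk.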
|
||||
|
||||
|
|
|
@ -6984,27 +6984,27 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES
|
|||
generate_key:PSA_KEY_TYPE_AES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_ERROR_INVALID_ARGUMENT:0
|
||||
|
||||
PSA generate key: RSA, 512 bits, good, sign (PKCS#1 v1.5)
|
||||
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_RSA_MIN_KEY_SIZE <= 512
|
||||
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:512:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, 1016 bits, good, sign (PKCS#1 v1.5)
|
||||
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_RSA_MIN_KEY_SIZE <= 1016
|
||||
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1016:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, 1024 bits, good, sign (PSS SHA-256)
|
||||
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_RSA_MIN_KEY_SIZE <= 1024
|
||||
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, 1024 bits, good, sign (PSS-any-salt SHA-256)
|
||||
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_RSA_MIN_KEY_SIZE <= 1024
|
||||
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, 512 bits, good, encrypt (PKCS#1 v1.5)
|
||||
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_RSA_MIN_KEY_SIZE <= 512
|
||||
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:512:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, 1024 bits, good, encrypt (OAEP SHA-256)
|
||||
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
|
||||
depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_RSA_MIN_KEY_SIZE <= 1024
|
||||
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, 0 bits: invalid
|
||||
|
@ -7043,22 +7043,22 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_EC
|
|||
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0
|
||||
|
||||
PSA generate key: RSA, default e
|
||||
generate_key_rsa:512:"":PSA_SUCCESS
|
||||
generate_key_rsa:1024:"":PSA_SUCCESS
|
||||
|
||||
PSA generate key: RSA, e=3
|
||||
generate_key_rsa:512:"03":PSA_SUCCESS
|
||||
generate_key_rsa:1024:"03":PSA_SUCCESS
|
||||
|
||||
PSA generate key: RSA, e=65537
|
||||
generate_key_rsa:512:"010001":PSA_SUCCESS
|
||||
generate_key_rsa:1024:"010001":PSA_SUCCESS
|
||||
|
||||
PSA generate key: RSA, e=513
|
||||
generate_key_rsa:512:"0201":PSA_SUCCESS
|
||||
generate_key_rsa:1024:"0201":PSA_SUCCESS
|
||||
|
||||
PSA generate key: RSA, e=1
|
||||
generate_key_rsa:512:"01":PSA_ERROR_INVALID_ARGUMENT
|
||||
generate_key_rsa:1024:"01":PSA_ERROR_INVALID_ARGUMENT
|
||||
|
||||
PSA generate key: RSA, e=2
|
||||
generate_key_rsa:512:"01":PSA_ERROR_INVALID_ARGUMENT
|
||||
generate_key_rsa:1024:"01":PSA_ERROR_INVALID_ARGUMENT
|
||||
|
||||
PSA generate key: FFDH, 2048 bits, good
|
||||
depends_on:PSA_WANT_ALG_FFDH:MBEDTLS_PSA_WANT_KEY_TYPE_DH_KEY_PAIR_LEGACY
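Review bot: The case titled "PSA generate key: RSA, e=2" still passes the exponent `"01"` after the size change, so it repeats the e=1 case and an even exponent is never exercised; it should read `generate_key_rsa:1024:"02":PSA_ERROR_INVALID_ARGUMENT`. The `generate_key_rsa` cases in the second hunk also lack the `MBEDTLS_RSA_MIN_KEY_SIZE <= 1024` dependency that the first hunk adds to the `generate_key` cases. With the default of 1024 the 512- and 1016-bit cases are now skipped, and no visible case checks that a request below the configured minimum is rejected through the PSA API. A negative case guarded by `MBEDTLS_RSA_MIN_KEY_SIZE > 512` would cover that path.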
|
||||
|
|
|
@ -386,8 +386,13 @@ RSA Public (Data = 0)
|
|||
mbedtls_rsa_public:"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":2048:"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":"3":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":0
|
||||
|
||||
RSA Generate Key - 128bit key
|
||||
depends_on:MBEDTLS_RSA_MIN_KEY_SIZE == 128
|
||||
mbedtls_rsa_gen_key:128:3:0
|
||||
|
||||
RSA Generate Key - 128bit key (Less than minimum size)
|
||||
depends_on:MBEDTLS_RSA_MIN_KEY_SIZE > 128
|
||||
mbedtls_rsa_gen_key:128:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
||||
|
||||
RSA Generate Key (Number of bits too small)
|
||||
mbedtls_rsa_gen_key:127:3:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
||||
|
||||
|
@ -395,9 +400,11 @@ RSA Generate Key (Exponent too small)
|
|||
mbedtls_rsa_gen_key:128:2:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
|
||||
|
||||
RSA Generate Key - 1024 bit key
|
||||
depends_on:MBEDTLS_RSA_MIN_KEY_SIZE <= 1024
|
||||
mbedtls_rsa_gen_key:1024:3:0
|
||||
|
||||
RSA Generate Key - 2048 bit key
|
||||
depends_on:MBEDTLS_RSA_MIN_KEY_SIZE <= 2048
|
||||
mbedtls_rsa_gen_key:2048:3:0
|
||||
|
||||
RSA Generate Key - 1025 bit key
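Review bot: The existing case "RSA Generate Key (Exponent too small)", `mbedtls_rsa_gen_key:128:2:MBEDTLS_ERR_RSA_BAD_INPUT_DATA`, no longer isolates the exponent check. With the default minimum of 1024, a 128-bit request is rejected with the same error code whatever the exponent is, so the case would still pass if the exponent validation regressed. Using a size at or above the minimum keeps it meaningful, e.g. `mbedtls_rsa_gen_key:1024:2:MBEDTLS_ERR_RSA_BAD_INPUT_DATA` with `depends_on:MBEDTLS_RSA_MIN_KEY_SIZE <= 1024`. A boundary case just under the configured minimum (1022 bits for the default) would also pin the new comparison more tightly than the 128-bit case does.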
|
||||
|
|