diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index dc808e837..5225c57a7 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -922,28 +922,24 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ); * \warning This is a temporary utility function for tests. It might * change or be removed at any time without notice. * - * \note ECDSA & RSA keys are supported. - * For both key types, signing with the specified hash - * is the only allowed use of that key with PK API. - * The RSA key supports RSA-PSS signing with the specified - * hash with the PK EXT API. - * In addition, the ECDSA key is also allowed for ECDH key - * agreement derivation operation using the PSA API. - * * \param pk Input: the EC or RSA key to import to a PSA key. * Output: a PK context wrapping that PSA key. * \param key Output: a PSA key identifier. * It's the caller's responsibility to call * psa_destroy_key() on that key identifier after calling * mbedtls_pk_free() on the PK context. - * \param hash_alg The hash algorithm to allow for use with that key. + * \param alg The algorithm to allow for use with that key. + * \param usage The usage to allow for use with that key. + * \param alg2 The secondary algorithm to allow for use with that key. * * \return \c 0 if successful. * \return An Mbed TLS error code otherwise. */ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk, mbedtls_svc_key_id_t *key, - psa_algorithm_t hash_alg ); + psa_algorithm_t alg, + psa_key_usage_t usage, + psa_algorithm_t alg2 ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ #ifdef __cplusplus diff --git a/library/pk.c b/library/pk.c index bba2ef7c5..42ff43221 100644 --- a/library/pk.c +++ b/library/pk.c @@ -720,12 +720,16 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx ) */ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk, mbedtls_svc_key_id_t *key, - psa_algorithm_t hash_alg ) + psa_algorithm_t alg, + psa_key_usage_t usage, + psa_algorithm_t alg2 ) { #if !defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_RSA_C) ((void) pk); ((void) key); - ((void) hash_alg); + ((void) alg); + ((void) usage); + ((void) alg2); #else #if defined(MBEDTLS_ECP_C) if( mbedtls_pk_get_type( pk ) == MBEDTLS_PK_ECKEY ) @@ -752,10 +756,10 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk, /* prepare the key attributes */ psa_set_key_type( &attributes, key_type ); psa_set_key_bits( &attributes, bits ); - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH | - PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA( hash_alg ) ); - psa_set_key_enrollment_algorithm( &attributes, PSA_ALG_ECDH ); + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, alg ); + if( alg2 != PSA_ALG_NONE ) + psa_set_key_enrollment_algorithm( &attributes, alg2 ); /* import private key into PSA */ status = psa_import_key( &attributes, d, d_len, key ); @@ -786,11 +790,10 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk, /* prepare the key attributes */ psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR ); psa_set_key_bits( &attributes, mbedtls_pk_get_bitlen( pk ) ); - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); - psa_set_key_algorithm( &attributes, - PSA_ALG_RSA_PKCS1V15_SIGN( hash_alg ) ); - psa_set_key_enrollment_algorithm( &attributes, - PSA_ALG_RSA_PSS( hash_alg ) ); + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, alg ); + if( alg2 != PSA_ALG_NONE ) + psa_set_key_enrollment_algorithm( &attributes, alg2 ); /* import private key into PSA */ status = psa_import_key( &attributes,