Merge pull request #7676 from valeriosetti/issue7485

PK: add support for check_pair() with "opaque" EC keys
2023-06-05 15:51:03 +02:00 · 2023-06-05 15:51:03 +02:00 · b47fb4cdd8
commit b47fb4cdd8
parent 763c19afcb ede0c4676e
4 changed files with 71 additions and 7 deletions
--- a/library/pk.c
+++ b/library/pk.c
@ -825,7 +825,8 @@ int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
            return MBEDTLS_ERR_PK_TYPE_MISMATCH;
        }
    } else {
-        if (pub->pk_info != prv->pk_info) {
+        if ((prv->pk_info->type != MBEDTLS_PK_OPAQUE) &&
+            (pub->pk_info != prv->pk_info)) {
            return MBEDTLS_ERR_PK_TYPE_MISMATCH;
        }
    }
--- a/library/pk_internal.h
+++ b/library/pk_internal.h
@ -86,11 +86,11 @@ static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_cont
    mbedtls_ecp_group_id id;

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_type_t opaque_key_type;
-    psa_ecc_family_t curve;
-
    if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+        psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+        psa_key_type_t opaque_key_type;
+        psa_ecc_family_t curve;
+
        if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
            return MBEDTLS_ECP_DP_NONE;
        }
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@ -1669,6 +1669,53 @@ static int pk_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
 #endif /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */
 }

+static int pk_opaque_ec_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+                                   int (*f_rng)(void *, unsigned char *, size_t),
+                                   void *p_rng)
+{
+    /* The main difference between this function and eckey_check_pair_psa() is
+     * that in the opaque case the private key is always stored in PSA side no
+     * matter if MBEDTLS_PK_USE_PSA_EC_DATA is enabled or not.
+     * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we can simply use the
+     * eckey_check_pair_psa(). */
+    (void) f_rng;
+    (void) p_rng;
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+    return eckey_check_pair_psa(pub, prv);
+#elif defined(MBEDTLS_ECP_LIGHT)
+    psa_status_t status;
+    uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+    size_t exp_pub_key_len = 0;
+    uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+    size_t pub_key_len = 0;
+    int ret;
+
+    status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
+                                   &exp_pub_key_len);
+    if (status != PSA_SUCCESS) {
+        ret = psa_pk_status_to_mbedtls(status);
+        return ret;
+    }
+    ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
+                                         &(mbedtls_pk_ec_ro(*pub)->Q),
+                                         MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                         &pub_key_len, pub_key, sizeof(pub_key));
+    if (ret != 0) {
+        return ret;
+    }
+    if ((exp_pub_key_len != pub_key_len) ||
+        memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
+        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+    }
+    return 0;
+#else
+    (void) pub;
+    (void) prv;
+    return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
 const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
    MBEDTLS_PK_OPAQUE,
    "Opaque",
@ -1682,7 +1729,7 @@ const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
 #endif
    NULL, /* decrypt - not relevant */
    NULL, /* encrypt - not relevant */
-    NULL, /* check_pair - could be done later or left NULL */
+    pk_opaque_ec_check_pair,
    NULL, /* alloc - no need to allocate new data dynamically */
    NULL, /* free - as for the alloc, there is no data to free */
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@ -562,6 +562,9 @@ exit:
 void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
 {
    mbedtls_pk_context pub, prv, alt;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_pk_init(&pub);
    mbedtls_pk_init(&prv);
@ -575,7 +578,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
    if (ret == MBEDTLS_ERR_ECP_BAD_INPUT_DATA) {
        ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
    }
-#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */

    TEST_ASSERT(mbedtls_pk_parse_public_keyfile(&pub, pub_file) == 0);
    TEST_ASSERT(mbedtls_pk_parse_keyfile(&prv, prv_file, NULL,
@ -596,7 +599,20 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
                    == ret);
    }
 #endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
+        TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id,
+                                             PSA_ALG_ANY_HASH,
+                                             PSA_KEY_USAGE_EXPORT, 0), 0);
+        TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
+                                         NULL), ret);
+    }
+#endif

+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_destroy_key(opaque_key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
    mbedtls_pk_free(&pub);
    mbedtls_pk_free(&prv);
    mbedtls_pk_free(&alt);