Merge pull request #6410 from gilles-peskine-arm/psa-pkparse-pkwrite-3.2
PSA with RSA requires PK_WRITE and PK_PARSE
This commit is contained in:
Ronald Cron
GitHub
commit
c9176a03a7
6 changed files with 65 additions and 8 deletions
5
ChangeLog.d/psa_rsa_needs_pk.txt
Normal file
5
ChangeLog.d/psa_rsa_needs_pk.txt
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
Bugfix
|
||||
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
|
||||
MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
|
||||
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
|
||||
MBEDTLS_PK_PARSE_C. Fixes #6409.
|
||||
|
|
@ -74,7 +74,23 @@
|
|||
#include MBEDTLS_USER_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/* The PK wrappers need pk_write functions to format RSA key objects
|
||||
* when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
|
||||
* and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext().
|
||||
* PSA crypto also needs pk_write to export RSA keys (otherwise the build
|
||||
* goes through but psa_export_key() and psa_export_public_key() fail on
|
||||
* RSA keys), and pk_parse to work with RSA keys in almost any way.
|
||||
*/
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
|
||||
#define MBEDTLS_PK_C
|
||||
#define MBEDTLS_PK_WRITE_C
|
||||
#define MBEDTLS_PK_PARSE_C
|
||||
#endif
|
||||
|
||||
/* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions
|
||||
* to pass ECC keys to PSA. */
|
||||
#if defined(MBEDTLS_PK_C) && \
|
||||
defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECP_C)
|
||||
#define MBEDTLS_PK_WRITE_C
|
||||
#endif
|
||||
|
||||
|
|
|
|||
BIN
tests/data_files/dh.optlen.der
Normal file
BIN
tests/data_files/dh.optlen.der
Normal file
Binary file not shown.
|
|
@ -1717,6 +1717,37 @@ component_build_crypto_full () {
|
|||
are_empty_libraries library/libmbedx509.* library/libmbedtls.*
|
||||
}
|
||||
|
||||
component_test_crypto_for_psa_service () {
|
||||
msg "build: make, config for PSA crypto service"
|
||||
scripts/config.py crypto
|
||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
|
||||
# Disable things that are not needed for just cryptography, to
|
||||
# reach a configuration that would be typical for a PSA cryptography
|
||||
# service providing all implemented PSA algorithms.
|
||||
# System stuff
|
||||
scripts/config.py unset MBEDTLS_ERROR_C
|
||||
scripts/config.py unset MBEDTLS_TIMING_C
|
||||
scripts/config.py unset MBEDTLS_VERSION_FEATURES
|
||||
# Crypto stuff with no PSA interface
|
||||
scripts/config.py unset MBEDTLS_BASE64_C
|
||||
# Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
|
||||
scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
|
||||
# Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
|
||||
scripts/config.py unset MBEDTLS_NIST_KW_C
|
||||
scripts/config.py unset MBEDTLS_PEM_PARSE_C
|
||||
scripts/config.py unset MBEDTLS_PEM_WRITE_C
|
||||
scripts/config.py unset MBEDTLS_PKCS12_C
|
||||
scripts/config.py unset MBEDTLS_PKCS5_C
|
||||
# MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
|
||||
# in PSA code to work with RSA keys. We don't require users to set those:
|
||||
# they will be reenabled in build_info.h.
|
||||
scripts/config.py unset MBEDTLS_PK_C
|
||||
scripts/config.py unset MBEDTLS_PK_PARSE_C
|
||||
scripts/config.py unset MBEDTLS_PK_WRITE_C
|
||||
make CFLAGS='-O1 -Werror' all test
|
||||
are_empty_libraries library/libmbedx509.* library/libmbedtls.*
|
||||
}
|
||||
|
||||
component_build_crypto_baremetal () {
|
||||
msg "build: make, crypto only, baremetal config"
|
||||
scripts/config.py crypto_baremetal
|
||||
|
|
|
|||
|
|
@ -109,11 +109,16 @@ dhm_make_public:MBEDTLS_MPI_MAX_SIZE:"5":0
|
|||
Diffie-Hellman MPI_MAX_SIZE + 1 modulus
|
||||
dhm_make_public:MBEDTLS_MPI_MAX_SIZE + 1:"5":MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA
|
||||
|
||||
Diffie-Hellman load parameters from file [#1]
|
||||
DH load parameters from PEM file (1024-bit, g=2)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C
|
||||
dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128
|
||||
|
||||
Diffie-Hellman load parameters from file [#2]
|
||||
DH load parameters from PEM file (2048-bit, large g, privateValueLength)
|
||||
depends_on:MBEDTLS_PEM_PARSE_C
|
||||
dhm_file:"data_files/dh.optlen.pem":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256
|
||||
|
||||
DH load parameters from DER file (2048-bit, large g, privateValueLength)
|
||||
dhm_file:"data_files/dh.optlen.der":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256
|
||||
|
||||
Diffie-Hellman selftest
|
||||
dhm_selftest:
|
||||
|
|
|
|||
|
|
@ -521,23 +521,23 @@ depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA
|
|||
pk_rsa_verify_ext_test_vec:"ae6e43dd387c25741e42fc3570cdfc52e4f51a2343294f3b677dfe01cd5339f6":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:129:MBEDTLS_ERR_RSA_VERIFY_FAILED
|
||||
|
||||
Check pair #1 (EC, OK)
|
||||
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PEM_PARSE_C
|
||||
mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0
|
||||
|
||||
Check pair #2 (EC, bad)
|
||||
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PEM_PARSE_C
|
||||
mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA
|
||||
|
||||
Check pair #3 (RSA, OK)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C
|
||||
mbedtls_pk_check_pair:"data_files/server1.pubkey":"data_files/server1.key":0
|
||||
|
||||
Check pair #4 (RSA, bad)
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
|
||||
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C
|
||||
mbedtls_pk_check_pair:"data_files/server1.pubkey":"data_files/server2.key":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
|
||||
|
||||
Check pair #5 (RSA vs EC)
|
||||
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C
|
||||
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C
|
||||
mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server1.key":MBEDTLS_ERR_PK_TYPE_MISMATCH
|
||||
|
||||
RSA hash_len overflow (size_t vs unsigned int)
|
||||
|
|
|
|||
Loading…
Reference in a new issue