Add support for RSA PK Opaque key

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-15 12:01:26 +01:00 · 2022-03-15 12:01:26 +01:00 · eabbf9d907
commit eabbf9d907
parent 1b05aff3ad
3 changed files with 53 additions and 9 deletions
--- a/library/pk.c
+++ b/library/pk.c
@ -153,7 +153,7 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
 int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
                             const mbedtls_svc_key_id_t key )
 {
-    const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info;
+    const mbedtls_pk_info_t *info = NULL;
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
    mbedtls_svc_key_id_t *pk_ctx;
    psa_key_type_t type;
@ -166,9 +166,12 @@ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
    type = psa_get_key_type( &attributes );
    psa_reset_key_attributes( &attributes );

-    /* Current implementation of can_do() relies on this. */
-    if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
-        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) ;
+    if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
+        info = &mbedtls_pk_ecdsa_opaque_info;
+    else if( PSA_KEY_TYPE_IS_RSA( type ) )
+        info = &mbedtls_pk_rsa_opaque_info;
+    else
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );

    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@ -1493,15 +1493,20 @@ static size_t pk_opaque_get_bitlen( const void *ctx )
    return( bits );
 }

-static int pk_opaque_can_do( mbedtls_pk_type_t type )
+static int pk_opaque_ecdsa_can_do( mbedtls_pk_type_t type )
 {
-    /* For now opaque PSA keys can only wrap ECC keypairs,
+    /* For now ECDSA opaque PSA keys can only wrap ECC keypairs,
     * as checked by setup_psa().
     * Also, ECKEY_DH does not really make sense with the current API. */
    return( type == MBEDTLS_PK_ECKEY ||
            type == MBEDTLS_PK_ECDSA );
 }

+static int pk_opaque_rsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA );
+}
+
 static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
                   const unsigned char *hash, size_t hash_len,
                   unsigned char *sig, size_t sig_size, size_t *sig_len,
@ -1521,8 +1526,20 @@ static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
 #else /* !MBEDTLS_ECDSA_C */
    const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
    psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_type_t type;
    psa_status_t status;

+    status = psa_get_key_attributes( *key, &attributes );
+    if( status != PSA_SUCCESS )
+        return( mbedtls_pk_error_from_psa_ecdca( status ) );
+
+    type = psa_get_key_type( &attributes );
+    psa_reset_key_attributes( &attributes );
+
+    if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
    /* PSA has its own RNG */
    (void) f_rng;
    (void) p_rng;
@ -1538,11 +1555,34 @@ static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
 #endif /* !MBEDTLS_ECDSA_C */
 }

-const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
+const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
    MBEDTLS_PK_OPAQUE,
    "Opaque",
    pk_opaque_get_bitlen,
-    pk_opaque_can_do,
+    pk_opaque_ecdsa_can_do,
+    NULL, /* verify - will be done later */
+    pk_opaque_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL, /* restartable verify - not relevant */
+    NULL, /* restartable sign - not relevant */
+#endif
+    NULL, /* decrypt - will be done later */
+    NULL, /* encrypt - will be done later */
+    NULL, /* check_pair - could be done later or left NULL */
+    pk_opaque_alloc_wrap,
+    pk_opaque_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL, /* restart alloc - not relevant */
+    NULL, /* restart free - not relevant */
+#endif
+    NULL, /* debug - could be done later, or even left NULL */
+};
+
+const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info = {
+    MBEDTLS_PK_OPAQUE,
+    "Opaque",
+    pk_opaque_get_bitlen,
+    pk_opaque_rsa_can_do,
    NULL, /* verify - will be done later */
    pk_opaque_sign_wrap,
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
--- a/library/pk_wrap.h
+++ b/library/pk_wrap.h
@ -136,7 +136,8 @@ extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
 #endif

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-extern const mbedtls_pk_info_t mbedtls_pk_opaque_info;
+extern const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info;
+extern const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info;

 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
 int mbedtls_pk_error_from_psa_ecdsa( psa_status_t status );