1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * Public Key abstraction layer: wrapper functions 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 22 #if !defined(MBEDTLS_CONFIG_FILE) 23 #include "mbedtls/config.h" 24 #else 25 #include MBEDTLS_CONFIG_FILE 26 #endif 27 28 #if defined(MBEDTLS_PK_C) 29 #include "mbedtls/pk_internal.h" 30 #include "mbedtls/error.h" 31 32 /* Even if RSA not activated, for the sake of RSA-alt */ 33 #include "mbedtls/rsa.h" 34 35 #include <string.h> 36 37 #if defined(MBEDTLS_ECP_C) 38 #include "mbedtls/ecp.h" 39 #endif 40 41 #if defined(MBEDTLS_ECDSA_C) 42 #include "mbedtls/ecdsa.h" 43 #endif 44 45 #if defined(MBEDTLS_USE_PSA_CRYPTO) 46 #include "mbedtls/asn1write.h" 47 #endif 48 49 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 50 #include "mbedtls/platform_util.h" 51 #endif 52 53 #if defined(MBEDTLS_USE_PSA_CRYPTO) 54 #include "psa/crypto.h" 55 #include "mbedtls/psa_util.h" 56 #include "mbedtls/asn1.h" 57 #endif 58 59 #if defined(MBEDTLS_PLATFORM_C) 60 #include "mbedtls/platform.h" 61 #else 62 #include <stdlib.h> 63 #define mbedtls_calloc calloc 64 #define mbedtls_free free 65 #endif 66 67 #include <limits.h> 68 #include <stdint.h> 69 70 #if defined(MBEDTLS_RSA_C) 71 static int rsa_can_do( mbedtls_pk_type_t type ) 72 { 73 return( type == MBEDTLS_PK_RSA || 74 type == MBEDTLS_PK_RSASSA_PSS ); 75 } 76 77 static size_t rsa_get_bitlen( const void *ctx ) 78 { 79 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx; 80 return( 8 * mbedtls_rsa_get_len( rsa ) ); 81 } 82 83 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 84 const unsigned char *hash, size_t hash_len, 85 const unsigned char *sig, size_t sig_len ) 86 { 87 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 88 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 89 size_t rsa_len = mbedtls_rsa_get_len( rsa ); 90 91 #if SIZE_MAX > UINT_MAX 92 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 93 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 94 #endif /* SIZE_MAX > UINT_MAX */ 95 96 if( sig_len < rsa_len ) 97 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 98 99 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL, 100 MBEDTLS_RSA_PUBLIC, md_alg, 101 (unsigned int) hash_len, hash, sig ) ) != 0 ) 102 return( ret ); 103 104 /* The buffer contains a valid signature followed by extra data. 105 * We have a special error code for that so that so that callers can 106 * use mbedtls_pk_verify() to check "Does the buffer start with a 107 * valid signature?" and not just "Does the buffer contain a valid 108 * signature?". */ 109 if( sig_len > rsa_len ) 110 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 111 112 return( 0 ); 113 } 114 115 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 116 const unsigned char *hash, size_t hash_len, 117 unsigned char *sig, size_t *sig_len, 118 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 119 { 120 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 121 122 #if SIZE_MAX > UINT_MAX 123 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 124 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 125 #endif /* SIZE_MAX > UINT_MAX */ 126 127 *sig_len = mbedtls_rsa_get_len( rsa ); 128 129 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 130 md_alg, (unsigned int) hash_len, hash, sig ) ); 131 } 132 133 static int rsa_decrypt_wrap( void *ctx, 134 const unsigned char *input, size_t ilen, 135 unsigned char *output, size_t *olen, size_t osize, 136 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 137 { 138 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 139 140 if( ilen != mbedtls_rsa_get_len( rsa ) ) 141 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 142 143 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng, 144 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 145 } 146 147 static int rsa_encrypt_wrap( void *ctx, 148 const unsigned char *input, size_t ilen, 149 unsigned char *output, size_t *olen, size_t osize, 150 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 151 { 152 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 153 *olen = mbedtls_rsa_get_len( rsa ); 154 155 if( *olen > osize ) 156 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 157 158 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC, 159 ilen, input, output ) ); 160 } 161 162 static int rsa_check_pair_wrap( const void *pub, const void *prv ) 163 { 164 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub, 165 (const mbedtls_rsa_context *) prv ) ); 166 } 167 168 static void *rsa_alloc_wrap( void ) 169 { 170 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) ); 171 172 if( ctx != NULL ) 173 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 ); 174 175 return( ctx ); 176 } 177 178 static void rsa_free_wrap( void *ctx ) 179 { 180 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx ); 181 mbedtls_free( ctx ); 182 } 183 184 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items ) 185 { 186 items->type = MBEDTLS_PK_DEBUG_MPI; 187 items->name = "rsa.N"; 188 items->value = &( ((mbedtls_rsa_context *) ctx)->N ); 189 190 items++; 191 192 items->type = MBEDTLS_PK_DEBUG_MPI; 193 items->name = "rsa.E"; 194 items->value = &( ((mbedtls_rsa_context *) ctx)->E ); 195 } 196 197 const mbedtls_pk_info_t mbedtls_rsa_info = { 198 MBEDTLS_PK_RSA, 199 "RSA", 200 rsa_get_bitlen, 201 rsa_can_do, 202 rsa_verify_wrap, 203 rsa_sign_wrap, 204 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 205 NULL, 206 NULL, 207 #endif 208 rsa_decrypt_wrap, 209 rsa_encrypt_wrap, 210 rsa_check_pair_wrap, 211 rsa_alloc_wrap, 212 rsa_free_wrap, 213 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 214 NULL, 215 NULL, 216 #endif 217 rsa_debug, 218 }; 219 #endif /* MBEDTLS_RSA_C */ 220 221 #if defined(MBEDTLS_ECP_C) 222 /* 223 * Generic EC key 224 */ 225 static int eckey_can_do( mbedtls_pk_type_t type ) 226 { 227 return( type == MBEDTLS_PK_ECKEY || 228 type == MBEDTLS_PK_ECKEY_DH || 229 type == MBEDTLS_PK_ECDSA ); 230 } 231 232 static size_t eckey_get_bitlen( const void *ctx ) 233 { 234 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits ); 235 } 236 237 #if defined(MBEDTLS_ECDSA_C) 238 /* Forward declarations */ 239 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 240 const unsigned char *hash, size_t hash_len, 241 const unsigned char *sig, size_t sig_len ); 242 243 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 244 const unsigned char *hash, size_t hash_len, 245 unsigned char *sig, size_t *sig_len, 246 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 247 248 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 249 const unsigned char *hash, size_t hash_len, 250 const unsigned char *sig, size_t sig_len ) 251 { 252 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 253 mbedtls_ecdsa_context ecdsa; 254 255 mbedtls_ecdsa_init( &ecdsa ); 256 257 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 258 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len ); 259 260 mbedtls_ecdsa_free( &ecdsa ); 261 262 return( ret ); 263 } 264 265 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 266 const unsigned char *hash, size_t hash_len, 267 unsigned char *sig, size_t *sig_len, 268 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 269 { 270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 271 mbedtls_ecdsa_context ecdsa; 272 273 mbedtls_ecdsa_init( &ecdsa ); 274 275 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 276 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len, 277 f_rng, p_rng ); 278 279 mbedtls_ecdsa_free( &ecdsa ); 280 281 return( ret ); 282 } 283 284 #if defined(MBEDTLS_ECP_RESTARTABLE) 285 /* Forward declarations */ 286 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 287 const unsigned char *hash, size_t hash_len, 288 const unsigned char *sig, size_t sig_len, 289 void *rs_ctx ); 290 291 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 292 const unsigned char *hash, size_t hash_len, 293 unsigned char *sig, size_t *sig_len, 294 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 295 void *rs_ctx ); 296 297 /* 298 * Restart context for ECDSA operations with ECKEY context 299 * 300 * We need to store an actual ECDSA context, as we need to pass the same to 301 * the underlying ecdsa function, so we can't create it on the fly every time. 302 */ 303 typedef struct 304 { 305 mbedtls_ecdsa_restart_ctx ecdsa_rs; 306 mbedtls_ecdsa_context ecdsa_ctx; 307 } eckey_restart_ctx; 308 309 static void *eckey_rs_alloc( void ) 310 { 311 eckey_restart_ctx *rs_ctx; 312 313 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) ); 314 315 if( ctx != NULL ) 316 { 317 rs_ctx = ctx; 318 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs ); 319 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx ); 320 } 321 322 return( ctx ); 323 } 324 325 static void eckey_rs_free( void *ctx ) 326 { 327 eckey_restart_ctx *rs_ctx; 328 329 if( ctx == NULL) 330 return; 331 332 rs_ctx = ctx; 333 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs ); 334 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx ); 335 336 mbedtls_free( ctx ); 337 } 338 339 static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 340 const unsigned char *hash, size_t hash_len, 341 const unsigned char *sig, size_t sig_len, 342 void *rs_ctx ) 343 { 344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 345 eckey_restart_ctx *rs = rs_ctx; 346 347 /* Should never happen */ 348 if( rs == NULL ) 349 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 350 351 /* set up our own sub-context if needed (that is, on first run) */ 352 if( rs->ecdsa_ctx.grp.pbits == 0 ) 353 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) ); 354 355 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx, 356 md_alg, hash, hash_len, 357 sig, sig_len, &rs->ecdsa_rs ) ); 358 359 cleanup: 360 return( ret ); 361 } 362 363 static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 364 const unsigned char *hash, size_t hash_len, 365 unsigned char *sig, size_t *sig_len, 366 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 367 void *rs_ctx ) 368 { 369 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 370 eckey_restart_ctx *rs = rs_ctx; 371 372 /* Should never happen */ 373 if( rs == NULL ) 374 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 375 376 /* set up our own sub-context if needed (that is, on first run) */ 377 if( rs->ecdsa_ctx.grp.pbits == 0 ) 378 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) ); 379 380 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg, 381 hash, hash_len, sig, sig_len, 382 f_rng, p_rng, &rs->ecdsa_rs ) ); 383 384 cleanup: 385 return( ret ); 386 } 387 #endif /* MBEDTLS_ECP_RESTARTABLE */ 388 #endif /* MBEDTLS_ECDSA_C */ 389 390 static int eckey_check_pair( const void *pub, const void *prv ) 391 { 392 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub, 393 (const mbedtls_ecp_keypair *) prv ) ); 394 } 395 396 static void *eckey_alloc_wrap( void ) 397 { 398 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) ); 399 400 if( ctx != NULL ) 401 mbedtls_ecp_keypair_init( ctx ); 402 403 return( ctx ); 404 } 405 406 static void eckey_free_wrap( void *ctx ) 407 { 408 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx ); 409 mbedtls_free( ctx ); 410 } 411 412 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items ) 413 { 414 items->type = MBEDTLS_PK_DEBUG_ECP; 415 items->name = "eckey.Q"; 416 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q ); 417 } 418 419 const mbedtls_pk_info_t mbedtls_eckey_info = { 420 MBEDTLS_PK_ECKEY, 421 "EC", 422 eckey_get_bitlen, 423 eckey_can_do, 424 #if defined(MBEDTLS_ECDSA_C) 425 eckey_verify_wrap, 426 eckey_sign_wrap, 427 #if defined(MBEDTLS_ECP_RESTARTABLE) 428 eckey_verify_rs_wrap, 429 eckey_sign_rs_wrap, 430 #endif 431 #else /* MBEDTLS_ECDSA_C */ 432 NULL, 433 NULL, 434 #endif /* MBEDTLS_ECDSA_C */ 435 NULL, 436 NULL, 437 eckey_check_pair, 438 eckey_alloc_wrap, 439 eckey_free_wrap, 440 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 441 eckey_rs_alloc, 442 eckey_rs_free, 443 #endif 444 eckey_debug, 445 }; 446 447 /* 448 * EC key restricted to ECDH 449 */ 450 static int eckeydh_can_do( mbedtls_pk_type_t type ) 451 { 452 return( type == MBEDTLS_PK_ECKEY || 453 type == MBEDTLS_PK_ECKEY_DH ); 454 } 455 456 const mbedtls_pk_info_t mbedtls_eckeydh_info = { 457 MBEDTLS_PK_ECKEY_DH, 458 "EC_DH", 459 eckey_get_bitlen, /* Same underlying key structure */ 460 eckeydh_can_do, 461 NULL, 462 NULL, 463 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 464 NULL, 465 NULL, 466 #endif 467 NULL, 468 NULL, 469 eckey_check_pair, 470 eckey_alloc_wrap, /* Same underlying key structure */ 471 eckey_free_wrap, /* Same underlying key structure */ 472 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 473 NULL, 474 NULL, 475 #endif 476 eckey_debug, /* Same underlying key structure */ 477 }; 478 #endif /* MBEDTLS_ECP_C */ 479 480 #if defined(MBEDTLS_ECDSA_C) 481 static int ecdsa_can_do( mbedtls_pk_type_t type ) 482 { 483 return( type == MBEDTLS_PK_ECDSA ); 484 } 485 486 #if defined(MBEDTLS_USE_PSA_CRYPTO) 487 /* 488 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of 489 * those integers and convert it to the fixed-length encoding expected by PSA. 490 */ 491 static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end, 492 unsigned char *to, size_t to_len ) 493 { 494 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 495 size_t unpadded_len, padding_len; 496 497 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len, 498 MBEDTLS_ASN1_INTEGER ) ) != 0 ) 499 { 500 return( ret ); 501 } 502 503 while( unpadded_len > 0 && **from == 0x00 ) 504 { 505 ( *from )++; 506 unpadded_len--; 507 } 508 509 if( unpadded_len > to_len || unpadded_len == 0 ) 510 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 511 512 padding_len = to_len - unpadded_len; 513 memset( to, 0x00, padding_len ); 514 memcpy( to + padding_len, *from, unpadded_len ); 515 ( *from ) += unpadded_len; 516 517 return( 0 ); 518 } 519 520 /* 521 * Convert a signature from an ASN.1 sequence of two integers 522 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least 523 * twice as big as int_size. 524 */ 525 static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end, 526 unsigned char *sig, size_t int_size ) 527 { 528 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 529 size_t tmp_size; 530 531 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size, 532 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 533 return( ret ); 534 535 /* Extract r */ 536 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 ) 537 return( ret ); 538 /* Extract s */ 539 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 ) 540 return( ret ); 541 542 return( 0 ); 543 } 544 545 static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg, 546 const unsigned char *hash, size_t hash_len, 547 const unsigned char *sig, size_t sig_len ) 548 { 549 mbedtls_ecdsa_context *ctx = ctx_arg; 550 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 551 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 552 psa_key_handle_t key_handle = 0; 553 psa_status_t status; 554 mbedtls_pk_context key; 555 int key_len; 556 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */ 557 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES]; 558 unsigned char *p; 559 mbedtls_pk_info_t pk_info = mbedtls_eckey_info; 560 psa_algorithm_t psa_sig_md, psa_md; 561 size_t curve_bits; 562 psa_ecc_curve_t curve = 563 mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); 564 const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8; 565 566 if( curve == 0 ) 567 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 568 569 /* mbedtls_pk_write_pubkey() expects a full PK context; 570 * re-construct one to make it happy */ 571 key.pk_info = &pk_info; 572 key.pk_ctx = ctx; 573 p = buf + sizeof( buf ); 574 key_len = mbedtls_pk_write_pubkey( &p, buf, &key ); 575 if( key_len <= 0 ) 576 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 577 578 psa_md = mbedtls_psa_translate_md( md_alg ); 579 if( psa_md == 0 ) 580 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 581 psa_sig_md = PSA_ALG_ECDSA( psa_md ); 582 583 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) ); 584 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 585 psa_set_key_algorithm( &attributes, psa_sig_md ); 586 587 status = psa_import_key( &attributes, 588 buf + sizeof( buf ) - key_len, key_len, 589 &key_handle ); 590 if( status != PSA_SUCCESS ) 591 { 592 ret = mbedtls_psa_err_translate_pk( status ); 593 goto cleanup; 594 } 595 596 /* We don't need the exported key anymore and can 597 * reuse its buffer for signature extraction. */ 598 if( 2 * signature_part_size > sizeof( buf ) ) 599 { 600 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; 601 goto cleanup; 602 } 603 604 p = (unsigned char*) sig; 605 if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf, 606 signature_part_size ) ) != 0 ) 607 { 608 goto cleanup; 609 } 610 611 if( psa_verify_hash( key_handle, psa_sig_md, 612 hash, hash_len, 613 buf, 2 * signature_part_size ) 614 != PSA_SUCCESS ) 615 { 616 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; 617 goto cleanup; 618 } 619 620 if( p != sig + sig_len ) 621 { 622 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 623 goto cleanup; 624 } 625 ret = 0; 626 627 cleanup: 628 psa_destroy_key( key_handle ); 629 return( ret ); 630 } 631 #else /* MBEDTLS_USE_PSA_CRYPTO */ 632 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 633 const unsigned char *hash, size_t hash_len, 634 const unsigned char *sig, size_t sig_len ) 635 { 636 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 637 ((void) md_alg); 638 639 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx, 640 hash, hash_len, sig, sig_len ); 641 642 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 643 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 644 645 return( ret ); 646 } 647 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 648 649 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 650 const unsigned char *hash, size_t hash_len, 651 unsigned char *sig, size_t *sig_len, 652 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 653 { 654 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx, 655 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) ); 656 } 657 658 #if defined(MBEDTLS_ECP_RESTARTABLE) 659 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 660 const unsigned char *hash, size_t hash_len, 661 const unsigned char *sig, size_t sig_len, 662 void *rs_ctx ) 663 { 664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 665 ((void) md_alg); 666 667 ret = mbedtls_ecdsa_read_signature_restartable( 668 (mbedtls_ecdsa_context *) ctx, 669 hash, hash_len, sig, sig_len, 670 (mbedtls_ecdsa_restart_ctx *) rs_ctx ); 671 672 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 673 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 674 675 return( ret ); 676 } 677 678 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 679 const unsigned char *hash, size_t hash_len, 680 unsigned char *sig, size_t *sig_len, 681 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 682 void *rs_ctx ) 683 { 684 return( mbedtls_ecdsa_write_signature_restartable( 685 (mbedtls_ecdsa_context *) ctx, 686 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng, 687 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) ); 688 689 } 690 #endif /* MBEDTLS_ECP_RESTARTABLE */ 691 692 static void *ecdsa_alloc_wrap( void ) 693 { 694 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) ); 695 696 if( ctx != NULL ) 697 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx ); 698 699 return( ctx ); 700 } 701 702 static void ecdsa_free_wrap( void *ctx ) 703 { 704 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx ); 705 mbedtls_free( ctx ); 706 } 707 708 #if defined(MBEDTLS_ECP_RESTARTABLE) 709 static void *ecdsa_rs_alloc( void ) 710 { 711 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) ); 712 713 if( ctx != NULL ) 714 mbedtls_ecdsa_restart_init( ctx ); 715 716 return( ctx ); 717 } 718 719 static void ecdsa_rs_free( void *ctx ) 720 { 721 mbedtls_ecdsa_restart_free( ctx ); 722 mbedtls_free( ctx ); 723 } 724 #endif /* MBEDTLS_ECP_RESTARTABLE */ 725 726 const mbedtls_pk_info_t mbedtls_ecdsa_info = { 727 MBEDTLS_PK_ECDSA, 728 "ECDSA", 729 eckey_get_bitlen, /* Compatible key structures */ 730 ecdsa_can_do, 731 ecdsa_verify_wrap, 732 ecdsa_sign_wrap, 733 #if defined(MBEDTLS_ECP_RESTARTABLE) 734 ecdsa_verify_rs_wrap, 735 ecdsa_sign_rs_wrap, 736 #endif 737 NULL, 738 NULL, 739 eckey_check_pair, /* Compatible key structures */ 740 ecdsa_alloc_wrap, 741 ecdsa_free_wrap, 742 #if defined(MBEDTLS_ECP_RESTARTABLE) 743 ecdsa_rs_alloc, 744 ecdsa_rs_free, 745 #endif 746 eckey_debug, /* Compatible key structures */ 747 }; 748 #endif /* MBEDTLS_ECDSA_C */ 749 750 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 751 /* 752 * Support for alternative RSA-private implementations 753 */ 754 755 static int rsa_alt_can_do( mbedtls_pk_type_t type ) 756 { 757 return( type == MBEDTLS_PK_RSA ); 758 } 759 760 static size_t rsa_alt_get_bitlen( const void *ctx ) 761 { 762 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx; 763 764 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) ); 765 } 766 767 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 768 const unsigned char *hash, size_t hash_len, 769 unsigned char *sig, size_t *sig_len, 770 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 771 { 772 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 773 774 #if SIZE_MAX > UINT_MAX 775 if( UINT_MAX < hash_len ) 776 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 777 #endif /* SIZE_MAX > UINT_MAX */ 778 779 *sig_len = rsa_alt->key_len_func( rsa_alt->key ); 780 if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE ) 781 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 782 783 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 784 md_alg, (unsigned int) hash_len, hash, sig ) ); 785 } 786 787 static int rsa_alt_decrypt_wrap( void *ctx, 788 const unsigned char *input, size_t ilen, 789 unsigned char *output, size_t *olen, size_t osize, 790 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 791 { 792 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 793 794 ((void) f_rng); 795 ((void) p_rng); 796 797 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) ) 798 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 799 800 return( rsa_alt->decrypt_func( rsa_alt->key, 801 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 802 } 803 804 #if defined(MBEDTLS_RSA_C) 805 static int rsa_alt_check_pair( const void *pub, const void *prv ) 806 { 807 unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; 808 unsigned char hash[32]; 809 size_t sig_len = 0; 810 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 811 812 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) ) 813 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 814 815 memset( hash, 0x2a, sizeof( hash ) ); 816 817 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE, 818 hash, sizeof( hash ), 819 sig, &sig_len, NULL, NULL ) ) != 0 ) 820 { 821 return( ret ); 822 } 823 824 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE, 825 hash, sizeof( hash ), sig, sig_len ) != 0 ) 826 { 827 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 828 } 829 830 return( 0 ); 831 } 832 #endif /* MBEDTLS_RSA_C */ 833 834 static void *rsa_alt_alloc_wrap( void ) 835 { 836 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) ); 837 838 if( ctx != NULL ) 839 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) ); 840 841 return( ctx ); 842 } 843 844 static void rsa_alt_free_wrap( void *ctx ) 845 { 846 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) ); 847 mbedtls_free( ctx ); 848 } 849 850 const mbedtls_pk_info_t mbedtls_rsa_alt_info = { 851 MBEDTLS_PK_RSA_ALT, 852 "RSA-alt", 853 rsa_alt_get_bitlen, 854 rsa_alt_can_do, 855 NULL, 856 rsa_alt_sign_wrap, 857 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 858 NULL, 859 NULL, 860 #endif 861 rsa_alt_decrypt_wrap, 862 NULL, 863 #if defined(MBEDTLS_RSA_C) 864 rsa_alt_check_pair, 865 #else 866 NULL, 867 #endif 868 rsa_alt_alloc_wrap, 869 rsa_alt_free_wrap, 870 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 871 NULL, 872 NULL, 873 #endif 874 NULL, 875 }; 876 877 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ 878 879 #if defined(MBEDTLS_USE_PSA_CRYPTO) 880 881 static void *pk_opaque_alloc_wrap( void ) 882 { 883 void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) ); 884 885 /* no _init() function to call, an calloc() already zeroized */ 886 887 return( ctx ); 888 } 889 890 static void pk_opaque_free_wrap( void *ctx ) 891 { 892 mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) ); 893 mbedtls_free( ctx ); 894 } 895 896 static size_t pk_opaque_get_bitlen( const void *ctx ) 897 { 898 const psa_key_handle_t *key = (const psa_key_handle_t *) ctx; 899 size_t bits; 900 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 901 902 if( PSA_SUCCESS != psa_get_key_attributes( *key, &attributes ) ) 903 return( 0 ); 904 905 bits = psa_get_key_bits( &attributes ); 906 psa_reset_key_attributes( &attributes ); 907 return( bits ); 908 } 909 910 static int pk_opaque_can_do( mbedtls_pk_type_t type ) 911 { 912 /* For now opaque PSA keys can only wrap ECC keypairs, 913 * as checked by setup_psa(). 914 * Also, ECKEY_DH does not really make sense with the current API. */ 915 return( type == MBEDTLS_PK_ECKEY || 916 type == MBEDTLS_PK_ECDSA ); 917 } 918 919 /* 920 * Simultaneously convert and move raw MPI from the beginning of a buffer 921 * to an ASN.1 MPI at the end of the buffer. 922 * See also mbedtls_asn1_write_mpi(). 923 * 924 * p: pointer to the end of the output buffer 925 * start: start of the output buffer, and also of the mpi to write at the end 926 * n_len: length of the mpi to read from start 927 */ 928 static int asn1_write_mpibuf( unsigned char **p, unsigned char *start, 929 size_t n_len ) 930 { 931 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 932 size_t len = 0; 933 934 if( (size_t)( *p - start ) < n_len ) 935 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 936 937 len = n_len; 938 *p -= len; 939 memmove( *p, start, len ); 940 941 /* ASN.1 DER encoding requires minimal length, so skip leading 0s. 942 * Neither r nor s should be 0, but as a failsafe measure, still detect 943 * that rather than overflowing the buffer in case of a PSA error. */ 944 while( len > 0 && **p == 0x00 ) 945 { 946 ++(*p); 947 --len; 948 } 949 950 /* this is only reached if the signature was invalid */ 951 if( len == 0 ) 952 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED ); 953 954 /* if the msb is 1, ASN.1 requires that we prepend a 0. 955 * Neither r nor s can be 0, so we can assume len > 0 at all times. */ 956 if( **p & 0x80 ) 957 { 958 if( *p - start < 1 ) 959 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 960 961 *--(*p) = 0x00; 962 len += 1; 963 } 964 965 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); 966 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, 967 MBEDTLS_ASN1_INTEGER ) ); 968 969 return( (int) len ); 970 } 971 972 /* Transcode signature from PSA format to ASN.1 sequence. 973 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of 974 * MPIs, and in-place. 975 * 976 * [in/out] sig: the signature pre- and post-transcoding 977 * [in/out] sig_len: signature length pre- and post-transcoding 978 * [int] buf_len: the available size the in/out buffer 979 */ 980 static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len, 981 size_t buf_len ) 982 { 983 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 984 size_t len = 0; 985 const size_t rs_len = *sig_len / 2; 986 unsigned char *p = sig + buf_len; 987 988 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) ); 989 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) ); 990 991 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) ); 992 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig, 993 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); 994 995 memmove( sig, p, len ); 996 *sig_len = len; 997 998 return( 0 ); 999 } 1000 1001 static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 1002 const unsigned char *hash, size_t hash_len, 1003 unsigned char *sig, size_t *sig_len, 1004 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 1005 { 1006 const psa_key_handle_t *key = (const psa_key_handle_t *) ctx; 1007 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1008 psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); 1009 size_t buf_len; 1010 psa_status_t status; 1011 1012 /* PSA has its own RNG */ 1013 (void) f_rng; 1014 (void) p_rng; 1015 1016 /* PSA needs an output buffer of known size, but our API doesn't provide 1017 * that information. Assume that the buffer is large enough for a 1018 * maximal-length signature with that key (otherwise the application is 1019 * buggy anyway). */ 1020 status = psa_get_key_attributes( *key, &attributes ); 1021 if( status != PSA_SUCCESS ) 1022 return( mbedtls_psa_err_translate_pk( status ) ); 1023 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN( psa_get_key_bits( &attributes ) ); 1024 psa_reset_key_attributes( &attributes ); 1025 if( buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE ) 1026 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 1027 1028 /* make the signature */ 1029 status = psa_sign_hash( *key, alg, hash, hash_len, 1030 sig, buf_len, sig_len ); 1031 if( status != PSA_SUCCESS ) 1032 return( mbedtls_psa_err_translate_pk( status ) ); 1033 1034 /* transcode it to ASN.1 sequence */ 1035 return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) ); 1036 } 1037 1038 const mbedtls_pk_info_t mbedtls_pk_opaque_info = { 1039 MBEDTLS_PK_OPAQUE, 1040 "Opaque", 1041 pk_opaque_get_bitlen, 1042 pk_opaque_can_do, 1043 NULL, /* verify - will be done later */ 1044 pk_opaque_sign_wrap, 1045 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1046 NULL, /* restartable verify - not relevant */ 1047 NULL, /* restartable sign - not relevant */ 1048 #endif 1049 NULL, /* decrypt - will be done later */ 1050 NULL, /* encrypt - will be done later */ 1051 NULL, /* check_pair - could be done later or left NULL */ 1052 pk_opaque_alloc_wrap, 1053 pk_opaque_free_wrap, 1054 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1055 NULL, /* restart alloc - not relevant */ 1056 NULL, /* restart free - not relevant */ 1057 #endif 1058 NULL, /* debug - could be done later, or even left NULL */ 1059 }; 1060 1061 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1062 1063 #endif /* MBEDTLS_PK_C */ 1064