1 /* 2 * Public Key abstraction layer: wrapper functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #include "mbedtls/platform_util.h" 23 24 #if defined(MBEDTLS_PK_C) 25 #include "pk_wrap.h" 26 #include "mbedtls/error.h" 27 28 /* Even if RSA not activated, for the sake of RSA-alt */ 29 #include "mbedtls/rsa.h" 30 31 #if defined(MBEDTLS_ECP_C) 32 #include "mbedtls/ecp.h" 33 #endif 34 35 #if defined(MBEDTLS_ECDSA_C) 36 #include "mbedtls/ecdsa.h" 37 #endif 38 39 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C) 40 #include "pkwrite.h" 41 #endif 42 43 #if defined(MBEDTLS_PSA_CRYPTO_C) 44 #include "mbedtls/psa_util.h" 45 #define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status) 46 #define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 47 psa_to_pk_rsa_errors, \ 48 psa_pk_status_to_mbedtls) 49 #define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 50 psa_to_pk_ecdsa_errors, \ 51 psa_pk_status_to_mbedtls) 52 #endif 53 54 #if defined(MBEDTLS_USE_PSA_CRYPTO) 55 #include "psa/crypto.h" 56 #include "hash_info.h" 57 58 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 59 #include "mbedtls/asn1write.h" 60 #include "mbedtls/asn1.h" 61 #endif 62 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 63 64 #include "mbedtls/platform.h" 65 66 #include <limits.h> 67 #include <stdint.h> 68 #include <string.h> 69 70 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 71 #if defined(MBEDTLS_PSA_CRYPTO_C) 72 int mbedtls_pk_error_from_psa(psa_status_t status) 73 { 74 switch (status) { 75 case PSA_SUCCESS: 76 return 0; 77 case PSA_ERROR_INVALID_HANDLE: 78 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; 79 case PSA_ERROR_NOT_PERMITTED: 80 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 81 case PSA_ERROR_BUFFER_TOO_SMALL: 82 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; 83 case PSA_ERROR_NOT_SUPPORTED: 84 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 85 case PSA_ERROR_INVALID_ARGUMENT: 86 return MBEDTLS_ERR_PK_INVALID_ALG; 87 case PSA_ERROR_INSUFFICIENT_MEMORY: 88 return MBEDTLS_ERR_PK_ALLOC_FAILED; 89 case PSA_ERROR_BAD_STATE: 90 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 91 case PSA_ERROR_COMMUNICATION_FAILURE: 92 case PSA_ERROR_HARDWARE_FAILURE: 93 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 94 case PSA_ERROR_DATA_CORRUPT: 95 case PSA_ERROR_DATA_INVALID: 96 case PSA_ERROR_STORAGE_FAILURE: 97 return MBEDTLS_ERR_PK_FILE_IO_ERROR; 98 case PSA_ERROR_CORRUPTION_DETECTED: 99 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 100 default: 101 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 102 } 103 } 104 105 #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \ 106 defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) 107 int mbedtls_pk_error_from_psa_rsa(psa_status_t status) 108 { 109 switch (status) { 110 case PSA_ERROR_NOT_PERMITTED: 111 case PSA_ERROR_INVALID_ARGUMENT: 112 case PSA_ERROR_INVALID_HANDLE: 113 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 114 case PSA_ERROR_BUFFER_TOO_SMALL: 115 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 116 case PSA_ERROR_INSUFFICIENT_ENTROPY: 117 return MBEDTLS_ERR_RSA_RNG_FAILED; 118 case PSA_ERROR_INVALID_SIGNATURE: 119 return MBEDTLS_ERR_RSA_VERIFY_FAILED; 120 case PSA_ERROR_INVALID_PADDING: 121 return MBEDTLS_ERR_RSA_INVALID_PADDING; 122 case PSA_SUCCESS: 123 return 0; 124 case PSA_ERROR_NOT_SUPPORTED: 125 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 126 case PSA_ERROR_INSUFFICIENT_MEMORY: 127 return MBEDTLS_ERR_PK_ALLOC_FAILED; 128 case PSA_ERROR_BAD_STATE: 129 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 130 case PSA_ERROR_COMMUNICATION_FAILURE: 131 case PSA_ERROR_HARDWARE_FAILURE: 132 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 133 case PSA_ERROR_DATA_CORRUPT: 134 case PSA_ERROR_DATA_INVALID: 135 case PSA_ERROR_STORAGE_FAILURE: 136 return MBEDTLS_ERR_PK_FILE_IO_ERROR; 137 case PSA_ERROR_CORRUPTION_DETECTED: 138 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 139 default: 140 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 141 } 142 } 143 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ 144 #endif /* MBEDTLS_PSA_CRYPTO_C */ 145 146 #if defined(MBEDTLS_USE_PSA_CRYPTO) 147 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) 148 int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status) 149 { 150 switch (status) { 151 case PSA_ERROR_NOT_PERMITTED: 152 case PSA_ERROR_INVALID_ARGUMENT: 153 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 154 case PSA_ERROR_INVALID_HANDLE: 155 return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; 156 case PSA_ERROR_BUFFER_TOO_SMALL: 157 return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; 158 case PSA_ERROR_INSUFFICIENT_ENTROPY: 159 return MBEDTLS_ERR_ECP_RANDOM_FAILED; 160 case PSA_ERROR_INVALID_SIGNATURE: 161 return MBEDTLS_ERR_ECP_VERIFY_FAILED; 162 case PSA_SUCCESS: 163 return 0; 164 case PSA_ERROR_NOT_SUPPORTED: 165 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 166 case PSA_ERROR_INSUFFICIENT_MEMORY: 167 return MBEDTLS_ERR_PK_ALLOC_FAILED; 168 case PSA_ERROR_BAD_STATE: 169 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 170 case PSA_ERROR_COMMUNICATION_FAILURE: 171 case PSA_ERROR_HARDWARE_FAILURE: 172 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 173 case PSA_ERROR_DATA_CORRUPT: 174 case PSA_ERROR_DATA_INVALID: 175 case PSA_ERROR_STORAGE_FAILURE: 176 return MBEDTLS_ERR_PK_FILE_IO_ERROR; 177 case PSA_ERROR_CORRUPTION_DETECTED: 178 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 179 default: 180 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 181 } 182 } 183 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ 184 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 185 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 186 187 #if defined(MBEDTLS_RSA_C) 188 static int rsa_can_do(mbedtls_pk_type_t type) 189 { 190 return type == MBEDTLS_PK_RSA || 191 type == MBEDTLS_PK_RSASSA_PSS; 192 } 193 194 static size_t rsa_get_bitlen(const void *ctx) 195 { 196 const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) ctx; 197 return 8 * mbedtls_rsa_get_len(rsa); 198 } 199 200 #if defined(MBEDTLS_USE_PSA_CRYPTO) 201 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg, 202 const unsigned char *hash, size_t hash_len, 203 const unsigned char *sig, size_t sig_len) 204 { 205 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 206 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 207 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 208 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 209 psa_status_t status; 210 mbedtls_pk_context key; 211 int key_len; 212 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; 213 psa_algorithm_t psa_alg_md = 214 PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg)); 215 size_t rsa_len = mbedtls_rsa_get_len(rsa); 216 217 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) { 218 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 219 } 220 221 if (sig_len < rsa_len) { 222 return MBEDTLS_ERR_RSA_VERIFY_FAILED; 223 } 224 225 /* mbedtls_pk_write_pubkey_der() expects a full PK context; 226 * re-construct one to make it happy */ 227 key.pk_info = &mbedtls_rsa_info; 228 key.pk_ctx = ctx; 229 key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf)); 230 if (key_len <= 0) { 231 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 232 } 233 234 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 235 psa_set_key_algorithm(&attributes, psa_alg_md); 236 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY); 237 238 status = psa_import_key(&attributes, 239 buf + sizeof(buf) - key_len, key_len, 240 &key_id); 241 if (status != PSA_SUCCESS) { 242 ret = PSA_PK_TO_MBEDTLS_ERR(status); 243 goto cleanup; 244 } 245 246 status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len, 247 sig, sig_len); 248 if (status != PSA_SUCCESS) { 249 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); 250 goto cleanup; 251 } 252 ret = 0; 253 254 cleanup: 255 status = psa_destroy_key(key_id); 256 if (ret == 0 && status != PSA_SUCCESS) { 257 ret = PSA_PK_TO_MBEDTLS_ERR(status); 258 } 259 260 return ret; 261 } 262 #else 263 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg, 264 const unsigned char *hash, size_t hash_len, 265 const unsigned char *sig, size_t sig_len) 266 { 267 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 268 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 269 size_t rsa_len = mbedtls_rsa_get_len(rsa); 270 271 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) { 272 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 273 } 274 275 if (sig_len < rsa_len) { 276 return MBEDTLS_ERR_RSA_VERIFY_FAILED; 277 } 278 279 if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg, 280 (unsigned int) hash_len, 281 hash, sig)) != 0) { 282 return ret; 283 } 284 285 /* The buffer contains a valid signature followed by extra data. 286 * We have a special error code for that so that so that callers can 287 * use mbedtls_pk_verify() to check "Does the buffer start with a 288 * valid signature?" and not just "Does the buffer contain a valid 289 * signature?". */ 290 if (sig_len > rsa_len) { 291 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 292 } 293 294 return 0; 295 } 296 #endif 297 298 #if defined(MBEDTLS_PSA_CRYPTO_C) 299 int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg, 300 mbedtls_rsa_context *rsa_ctx, 301 const unsigned char *hash, size_t hash_len, 302 unsigned char *sig, size_t sig_size, 303 size_t *sig_len) 304 { 305 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 306 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 307 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 308 psa_status_t status; 309 mbedtls_pk_context key; 310 int key_len; 311 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; 312 mbedtls_pk_info_t pk_info = mbedtls_rsa_info; 313 314 *sig_len = mbedtls_rsa_get_len(rsa_ctx); 315 if (sig_size < *sig_len) { 316 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; 317 } 318 319 /* mbedtls_pk_write_key_der() expects a full PK context; 320 * re-construct one to make it happy */ 321 key.pk_info = &pk_info; 322 key.pk_ctx = rsa_ctx; 323 key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf)); 324 if (key_len <= 0) { 325 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 326 } 327 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 328 psa_set_key_algorithm(&attributes, alg); 329 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); 330 331 status = psa_import_key(&attributes, 332 buf + sizeof(buf) - key_len, key_len, 333 &key_id); 334 if (status != PSA_SUCCESS) { 335 ret = PSA_PK_TO_MBEDTLS_ERR(status); 336 goto cleanup; 337 } 338 status = psa_sign_hash(key_id, alg, hash, hash_len, 339 sig, sig_size, sig_len); 340 if (status != PSA_SUCCESS) { 341 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); 342 goto cleanup; 343 } 344 345 ret = 0; 346 347 cleanup: 348 status = psa_destroy_key(key_id); 349 if (ret == 0 && status != PSA_SUCCESS) { 350 ret = PSA_PK_TO_MBEDTLS_ERR(status); 351 } 352 return ret; 353 } 354 #endif /* MBEDTLS_PSA_CRYPTO_C */ 355 356 #if defined(MBEDTLS_USE_PSA_CRYPTO) 357 static int rsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, 358 const unsigned char *hash, size_t hash_len, 359 unsigned char *sig, size_t sig_size, size_t *sig_len, 360 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 361 { 362 ((void) f_rng); 363 ((void) p_rng); 364 365 psa_algorithm_t psa_md_alg; 366 psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg); 367 if (psa_md_alg == 0) { 368 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 369 } 370 371 return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PKCS1V15_SIGN( 372 psa_md_alg), 373 ctx, hash, hash_len, 374 sig, sig_size, sig_len); 375 } 376 #else 377 static int rsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, 378 const unsigned char *hash, size_t hash_len, 379 unsigned char *sig, size_t sig_size, size_t *sig_len, 380 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 381 { 382 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 383 384 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) { 385 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 386 } 387 388 *sig_len = mbedtls_rsa_get_len(rsa); 389 if (sig_size < *sig_len) { 390 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; 391 } 392 393 return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng, 394 md_alg, (unsigned int) hash_len, 395 hash, sig); 396 } 397 #endif 398 399 #if defined(MBEDTLS_USE_PSA_CRYPTO) 400 static int rsa_decrypt_wrap(void *ctx, 401 const unsigned char *input, size_t ilen, 402 unsigned char *output, size_t *olen, size_t osize, 403 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 404 { 405 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 406 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 407 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 408 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 409 psa_status_t status; 410 mbedtls_pk_context key; 411 int key_len; 412 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; 413 414 ((void) f_rng); 415 ((void) p_rng); 416 417 #if !defined(MBEDTLS_RSA_ALT) 418 if (rsa->padding != MBEDTLS_RSA_PKCS_V15) { 419 return MBEDTLS_ERR_RSA_INVALID_PADDING; 420 } 421 #endif /* !MBEDTLS_RSA_ALT */ 422 423 if (ilen != mbedtls_rsa_get_len(rsa)) { 424 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 425 } 426 427 /* mbedtls_pk_write_key_der() expects a full PK context; 428 * re-construct one to make it happy */ 429 key.pk_info = &mbedtls_rsa_info; 430 key.pk_ctx = ctx; 431 key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf)); 432 if (key_len <= 0) { 433 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 434 } 435 436 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); 437 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 438 psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); 439 440 status = psa_import_key(&attributes, 441 buf + sizeof(buf) - key_len, key_len, 442 &key_id); 443 if (status != PSA_SUCCESS) { 444 ret = PSA_PK_TO_MBEDTLS_ERR(status); 445 goto cleanup; 446 } 447 448 status = psa_asymmetric_decrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT, 449 input, ilen, 450 NULL, 0, 451 output, osize, olen); 452 if (status != PSA_SUCCESS) { 453 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); 454 goto cleanup; 455 } 456 457 ret = 0; 458 459 cleanup: 460 mbedtls_platform_zeroize(buf, sizeof(buf)); 461 status = psa_destroy_key(key_id); 462 if (ret == 0 && status != PSA_SUCCESS) { 463 ret = PSA_PK_TO_MBEDTLS_ERR(status); 464 } 465 466 return ret; 467 } 468 #else 469 static int rsa_decrypt_wrap(void *ctx, 470 const unsigned char *input, size_t ilen, 471 unsigned char *output, size_t *olen, size_t osize, 472 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 473 { 474 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 475 476 if (ilen != mbedtls_rsa_get_len(rsa)) { 477 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 478 } 479 480 return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng, 481 olen, input, output, osize); 482 } 483 #endif 484 485 #if defined(MBEDTLS_USE_PSA_CRYPTO) 486 static int rsa_encrypt_wrap(void *ctx, 487 const unsigned char *input, size_t ilen, 488 unsigned char *output, size_t *olen, size_t osize, 489 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 490 { 491 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 492 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 493 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 494 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 495 psa_status_t status; 496 mbedtls_pk_context key; 497 int key_len; 498 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES]; 499 500 ((void) f_rng); 501 ((void) p_rng); 502 503 #if !defined(MBEDTLS_RSA_ALT) 504 if (rsa->padding != MBEDTLS_RSA_PKCS_V15) { 505 return MBEDTLS_ERR_RSA_INVALID_PADDING; 506 } 507 #endif 508 509 if (mbedtls_rsa_get_len(rsa) > osize) { 510 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 511 } 512 513 /* mbedtls_pk_write_pubkey_der() expects a full PK context; 514 * re-construct one to make it happy */ 515 key.pk_info = &mbedtls_rsa_info; 516 key.pk_ctx = ctx; 517 key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf)); 518 if (key_len <= 0) { 519 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 520 } 521 522 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 523 psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); 524 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY); 525 526 status = psa_import_key(&attributes, 527 buf + sizeof(buf) - key_len, key_len, 528 &key_id); 529 if (status != PSA_SUCCESS) { 530 ret = PSA_PK_TO_MBEDTLS_ERR(status); 531 goto cleanup; 532 } 533 534 status = psa_asymmetric_encrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT, 535 input, ilen, 536 NULL, 0, 537 output, osize, olen); 538 if (status != PSA_SUCCESS) { 539 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); 540 goto cleanup; 541 } 542 543 ret = 0; 544 545 cleanup: 546 status = psa_destroy_key(key_id); 547 if (ret == 0 && status != PSA_SUCCESS) { 548 ret = PSA_PK_TO_MBEDTLS_ERR(status); 549 } 550 551 return ret; 552 } 553 #else 554 static int rsa_encrypt_wrap(void *ctx, 555 const unsigned char *input, size_t ilen, 556 unsigned char *output, size_t *olen, size_t osize, 557 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 558 { 559 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx; 560 *olen = mbedtls_rsa_get_len(rsa); 561 562 if (*olen > osize) { 563 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 564 } 565 566 return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng, 567 ilen, input, output); 568 } 569 #endif 570 571 static int rsa_check_pair_wrap(const void *pub, const void *prv, 572 int (*f_rng)(void *, unsigned char *, size_t), 573 void *p_rng) 574 { 575 (void) f_rng; 576 (void) p_rng; 577 return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub, 578 (const mbedtls_rsa_context *) prv); 579 } 580 581 static void *rsa_alloc_wrap(void) 582 { 583 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context)); 584 585 if (ctx != NULL) { 586 mbedtls_rsa_init((mbedtls_rsa_context *) ctx); 587 } 588 589 return ctx; 590 } 591 592 static void rsa_free_wrap(void *ctx) 593 { 594 mbedtls_rsa_free((mbedtls_rsa_context *) ctx); 595 mbedtls_free(ctx); 596 } 597 598 static void rsa_debug(const void *ctx, mbedtls_pk_debug_item *items) 599 { 600 #if defined(MBEDTLS_RSA_ALT) 601 /* Not supported */ 602 (void) ctx; 603 (void) items; 604 #else 605 items->type = MBEDTLS_PK_DEBUG_MPI; 606 items->name = "rsa.N"; 607 items->value = &(((mbedtls_rsa_context *) ctx)->N); 608 609 items++; 610 611 items->type = MBEDTLS_PK_DEBUG_MPI; 612 items->name = "rsa.E"; 613 items->value = &(((mbedtls_rsa_context *) ctx)->E); 614 #endif 615 } 616 617 const mbedtls_pk_info_t mbedtls_rsa_info = { 618 MBEDTLS_PK_RSA, 619 "RSA", 620 rsa_get_bitlen, 621 rsa_can_do, 622 rsa_verify_wrap, 623 rsa_sign_wrap, 624 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 625 NULL, 626 NULL, 627 #endif 628 rsa_decrypt_wrap, 629 rsa_encrypt_wrap, 630 rsa_check_pair_wrap, 631 rsa_alloc_wrap, 632 rsa_free_wrap, 633 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 634 NULL, 635 NULL, 636 #endif 637 rsa_debug, 638 }; 639 #endif /* MBEDTLS_RSA_C */ 640 641 #if defined(MBEDTLS_ECP_C) 642 /* 643 * Generic EC key 644 */ 645 static int eckey_can_do(mbedtls_pk_type_t type) 646 { 647 return type == MBEDTLS_PK_ECKEY || 648 type == MBEDTLS_PK_ECKEY_DH || 649 type == MBEDTLS_PK_ECDSA; 650 } 651 652 static size_t eckey_get_bitlen(const void *ctx) 653 { 654 return ((mbedtls_ecp_keypair *) ctx)->grp.pbits; 655 } 656 657 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) 658 #if defined(MBEDTLS_USE_PSA_CRYPTO) 659 /* 660 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of 661 * those integers and convert it to the fixed-length encoding expected by PSA. 662 */ 663 static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end, 664 unsigned char *to, size_t to_len) 665 { 666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 667 size_t unpadded_len, padding_len; 668 669 if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len, 670 MBEDTLS_ASN1_INTEGER)) != 0) { 671 return ret; 672 } 673 674 while (unpadded_len > 0 && **from == 0x00) { 675 (*from)++; 676 unpadded_len--; 677 } 678 679 if (unpadded_len > to_len || unpadded_len == 0) { 680 return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 681 } 682 683 padding_len = to_len - unpadded_len; 684 memset(to, 0x00, padding_len); 685 memcpy(to + padding_len, *from, unpadded_len); 686 (*from) += unpadded_len; 687 688 return 0; 689 } 690 691 /* 692 * Convert a signature from an ASN.1 sequence of two integers 693 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least 694 * twice as big as int_size. 695 */ 696 static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end, 697 unsigned char *sig, size_t int_size) 698 { 699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 700 size_t tmp_size; 701 702 if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size, 703 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 704 return ret; 705 } 706 707 /* Extract r */ 708 if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) { 709 return ret; 710 } 711 /* Extract s */ 712 if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) { 713 return ret; 714 } 715 716 return 0; 717 } 718 719 static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, 720 const unsigned char *hash, size_t hash_len, 721 const unsigned char *sig, size_t sig_len) 722 { 723 mbedtls_ecp_keypair *ctx = ctx_arg; 724 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 725 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 726 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 727 psa_status_t status; 728 size_t key_len; 729 /* This buffer will initially contain the public key and then the signature 730 * but at different points in time. For all curves except secp224k1, which 731 * is not currently supported in PSA, the public key is one byte longer 732 * (header byte + 2 numbers, while the signature is only 2 numbers), 733 * so use that as the buffer size. */ 734 unsigned char buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; 735 unsigned char *p; 736 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; 737 size_t curve_bits; 738 psa_ecc_family_t curve = 739 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits); 740 const size_t signature_part_size = (ctx->grp.nbits + 7) / 8; 741 ((void) md_alg); 742 743 if (curve == 0) { 744 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 745 } 746 747 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve)); 748 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 749 psa_set_key_algorithm(&attributes, psa_sig_md); 750 751 ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q, 752 MBEDTLS_ECP_PF_UNCOMPRESSED, 753 &key_len, buf, sizeof(buf)); 754 if (ret != 0) { 755 goto cleanup; 756 } 757 758 status = psa_import_key(&attributes, 759 buf, key_len, 760 &key_id); 761 if (status != PSA_SUCCESS) { 762 ret = PSA_PK_TO_MBEDTLS_ERR(status); 763 goto cleanup; 764 } 765 766 /* We don't need the exported key anymore and can 767 * reuse its buffer for signature extraction. */ 768 if (2 * signature_part_size > sizeof(buf)) { 769 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; 770 goto cleanup; 771 } 772 773 p = (unsigned char *) sig; 774 if ((ret = extract_ecdsa_sig(&p, sig + sig_len, buf, 775 signature_part_size)) != 0) { 776 goto cleanup; 777 } 778 779 status = psa_verify_hash(key_id, psa_sig_md, 780 hash, hash_len, 781 buf, 2 * signature_part_size); 782 if (status != PSA_SUCCESS) { 783 ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); 784 goto cleanup; 785 } 786 787 if (p != sig + sig_len) { 788 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 789 goto cleanup; 790 } 791 ret = 0; 792 793 cleanup: 794 status = psa_destroy_key(key_id); 795 if (ret == 0 && status != PSA_SUCCESS) { 796 ret = PSA_PK_TO_MBEDTLS_ERR(status); 797 } 798 799 return ret; 800 } 801 #else /* MBEDTLS_USE_PSA_CRYPTO */ 802 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg, 803 const unsigned char *hash, size_t hash_len, 804 const unsigned char *sig, size_t sig_len) 805 { 806 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 807 ((void) md_alg); 808 809 ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) ctx, 810 hash, hash_len, sig, sig_len); 811 812 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) { 813 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 814 } 815 816 return ret; 817 } 818 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 819 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */ 820 821 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 822 #if defined(MBEDTLS_USE_PSA_CRYPTO) 823 /* 824 * Simultaneously convert and move raw MPI from the beginning of a buffer 825 * to an ASN.1 MPI at the end of the buffer. 826 * See also mbedtls_asn1_write_mpi(). 827 * 828 * p: pointer to the end of the output buffer 829 * start: start of the output buffer, and also of the mpi to write at the end 830 * n_len: length of the mpi to read from start 831 */ 832 static int asn1_write_mpibuf(unsigned char **p, unsigned char *start, 833 size_t n_len) 834 { 835 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 836 size_t len = 0; 837 838 if ((size_t) (*p - start) < n_len) { 839 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; 840 } 841 842 len = n_len; 843 *p -= len; 844 memmove(*p, start, len); 845 846 /* ASN.1 DER encoding requires minimal length, so skip leading 0s. 847 * Neither r nor s should be 0, but as a failsafe measure, still detect 848 * that rather than overflowing the buffer in case of a PSA error. */ 849 while (len > 0 && **p == 0x00) { 850 ++(*p); 851 --len; 852 } 853 854 /* this is only reached if the signature was invalid */ 855 if (len == 0) { 856 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 857 } 858 859 /* if the msb is 1, ASN.1 requires that we prepend a 0. 860 * Neither r nor s can be 0, so we can assume len > 0 at all times. */ 861 if (**p & 0x80) { 862 if (*p - start < 1) { 863 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; 864 } 865 866 *--(*p) = 0x00; 867 len += 1; 868 } 869 870 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); 871 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, 872 MBEDTLS_ASN1_INTEGER)); 873 874 return (int) len; 875 } 876 877 /* Transcode signature from PSA format to ASN.1 sequence. 878 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of 879 * MPIs, and in-place. 880 * 881 * [in/out] sig: the signature pre- and post-transcoding 882 * [in/out] sig_len: signature length pre- and post-transcoding 883 * [int] buf_len: the available size the in/out buffer 884 */ 885 static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len, 886 size_t buf_len) 887 { 888 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 889 size_t len = 0; 890 const size_t rs_len = *sig_len / 2; 891 unsigned char *p = sig + buf_len; 892 893 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len)); 894 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len)); 895 896 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len)); 897 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig, 898 MBEDTLS_ASN1_CONSTRUCTED | 899 MBEDTLS_ASN1_SEQUENCE)); 900 901 memmove(sig, p, len); 902 *sig_len = len; 903 904 return 0; 905 } 906 907 static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, 908 const unsigned char *hash, size_t hash_len, 909 unsigned char *sig, size_t sig_size, size_t *sig_len, 910 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 911 { 912 mbedtls_ecp_keypair *ctx = ctx_arg; 913 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 914 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 915 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 916 psa_status_t status; 917 unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH]; 918 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 919 psa_algorithm_t psa_sig_md = 920 PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_hash_info_psa_from_md(md_alg)); 921 #else 922 psa_algorithm_t psa_sig_md = 923 PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg)); 924 #endif 925 size_t curve_bits; 926 psa_ecc_family_t curve = 927 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits); 928 size_t key_len = PSA_BITS_TO_BYTES(curve_bits); 929 930 /* PSA has its own RNG */ 931 ((void) f_rng); 932 ((void) p_rng); 933 934 if (curve == 0) { 935 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 936 } 937 938 if (key_len > sizeof(buf)) { 939 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 940 } 941 ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len); 942 if (ret != 0) { 943 goto cleanup; 944 } 945 946 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); 947 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 948 psa_set_key_algorithm(&attributes, psa_sig_md); 949 950 status = psa_import_key(&attributes, 951 buf, key_len, 952 &key_id); 953 if (status != PSA_SUCCESS) { 954 ret = PSA_PK_TO_MBEDTLS_ERR(status); 955 goto cleanup; 956 } 957 958 status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len, 959 sig, sig_size, sig_len); 960 if (status != PSA_SUCCESS) { 961 ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); 962 goto cleanup; 963 } 964 965 ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size); 966 967 cleanup: 968 mbedtls_platform_zeroize(buf, sizeof(buf)); 969 status = psa_destroy_key(key_id); 970 if (ret == 0 && status != PSA_SUCCESS) { 971 ret = PSA_PK_TO_MBEDTLS_ERR(status); 972 } 973 974 return ret; 975 } 976 #else /* MBEDTLS_USE_PSA_CRYPTO */ 977 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, 978 const unsigned char *hash, size_t hash_len, 979 unsigned char *sig, size_t sig_size, size_t *sig_len, 980 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 981 { 982 return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) ctx, 983 md_alg, hash, hash_len, 984 sig, sig_size, sig_len, 985 f_rng, p_rng); 986 } 987 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 988 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 989 990 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 991 /* Forward declarations */ 992 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, 993 const unsigned char *hash, size_t hash_len, 994 const unsigned char *sig, size_t sig_len, 995 void *rs_ctx); 996 997 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, 998 const unsigned char *hash, size_t hash_len, 999 unsigned char *sig, size_t sig_size, size_t *sig_len, 1000 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 1001 void *rs_ctx); 1002 1003 /* 1004 * Restart context for ECDSA operations with ECKEY context 1005 * 1006 * We need to store an actual ECDSA context, as we need to pass the same to 1007 * the underlying ecdsa function, so we can't create it on the fly every time. 1008 */ 1009 typedef struct { 1010 mbedtls_ecdsa_restart_ctx ecdsa_rs; 1011 mbedtls_ecdsa_context ecdsa_ctx; 1012 } eckey_restart_ctx; 1013 1014 static void *eckey_rs_alloc(void) 1015 { 1016 eckey_restart_ctx *rs_ctx; 1017 1018 void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx)); 1019 1020 if (ctx != NULL) { 1021 rs_ctx = ctx; 1022 mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs); 1023 mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx); 1024 } 1025 1026 return ctx; 1027 } 1028 1029 static void eckey_rs_free(void *ctx) 1030 { 1031 eckey_restart_ctx *rs_ctx; 1032 1033 if (ctx == NULL) { 1034 return; 1035 } 1036 1037 rs_ctx = ctx; 1038 mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs); 1039 mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx); 1040 1041 mbedtls_free(ctx); 1042 } 1043 1044 static int eckey_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, 1045 const unsigned char *hash, size_t hash_len, 1046 const unsigned char *sig, size_t sig_len, 1047 void *rs_ctx) 1048 { 1049 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1050 eckey_restart_ctx *rs = rs_ctx; 1051 1052 /* Should never happen */ 1053 if (rs == NULL) { 1054 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 1055 } 1056 1057 /* set up our own sub-context if needed (that is, on first run) */ 1058 if (rs->ecdsa_ctx.grp.pbits == 0) { 1059 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx)); 1060 } 1061 1062 MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(&rs->ecdsa_ctx, 1063 md_alg, hash, hash_len, 1064 sig, sig_len, &rs->ecdsa_rs)); 1065 1066 cleanup: 1067 return ret; 1068 } 1069 1070 static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, 1071 const unsigned char *hash, size_t hash_len, 1072 unsigned char *sig, size_t sig_size, size_t *sig_len, 1073 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 1074 void *rs_ctx) 1075 { 1076 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1077 eckey_restart_ctx *rs = rs_ctx; 1078 1079 /* Should never happen */ 1080 if (rs == NULL) { 1081 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 1082 } 1083 1084 /* set up our own sub-context if needed (that is, on first run) */ 1085 if (rs->ecdsa_ctx.grp.pbits == 0) { 1086 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx)); 1087 } 1088 1089 MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(&rs->ecdsa_ctx, md_alg, 1090 hash, hash_len, sig, sig_size, sig_len, 1091 f_rng, p_rng, &rs->ecdsa_rs)); 1092 1093 cleanup: 1094 return ret; 1095 } 1096 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ 1097 1098 static int eckey_check_pair(const void *pub, const void *prv, 1099 int (*f_rng)(void *, unsigned char *, size_t), 1100 void *p_rng) 1101 { 1102 return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub, 1103 (const mbedtls_ecp_keypair *) prv, 1104 f_rng, p_rng); 1105 } 1106 1107 static void *eckey_alloc_wrap(void) 1108 { 1109 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair)); 1110 1111 if (ctx != NULL) { 1112 mbedtls_ecp_keypair_init(ctx); 1113 } 1114 1115 return ctx; 1116 } 1117 1118 static void eckey_free_wrap(void *ctx) 1119 { 1120 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx); 1121 mbedtls_free(ctx); 1122 } 1123 1124 static void eckey_debug(const void *ctx, mbedtls_pk_debug_item *items) 1125 { 1126 items->type = MBEDTLS_PK_DEBUG_ECP; 1127 items->name = "eckey.Q"; 1128 items->value = &(((mbedtls_ecp_keypair *) ctx)->Q); 1129 } 1130 1131 const mbedtls_pk_info_t mbedtls_eckey_info = { 1132 MBEDTLS_PK_ECKEY, 1133 "EC", 1134 eckey_get_bitlen, 1135 eckey_can_do, 1136 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) 1137 ecdsa_verify_wrap, /* Compatible key structures */ 1138 #else 1139 NULL, 1140 #endif 1141 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1142 ecdsa_sign_wrap, /* Compatible key structures */ 1143 #else 1144 NULL, 1145 #endif 1146 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1147 eckey_verify_rs_wrap, 1148 eckey_sign_rs_wrap, 1149 #endif 1150 NULL, 1151 NULL, 1152 eckey_check_pair, 1153 eckey_alloc_wrap, 1154 eckey_free_wrap, 1155 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1156 eckey_rs_alloc, 1157 eckey_rs_free, 1158 #endif 1159 eckey_debug, 1160 }; 1161 1162 /* 1163 * EC key restricted to ECDH 1164 */ 1165 static int eckeydh_can_do(mbedtls_pk_type_t type) 1166 { 1167 return type == MBEDTLS_PK_ECKEY || 1168 type == MBEDTLS_PK_ECKEY_DH; 1169 } 1170 1171 const mbedtls_pk_info_t mbedtls_eckeydh_info = { 1172 MBEDTLS_PK_ECKEY_DH, 1173 "EC_DH", 1174 eckey_get_bitlen, /* Same underlying key structure */ 1175 eckeydh_can_do, 1176 NULL, 1177 NULL, 1178 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1179 NULL, 1180 NULL, 1181 #endif 1182 NULL, 1183 NULL, 1184 eckey_check_pair, 1185 eckey_alloc_wrap, /* Same underlying key structure */ 1186 eckey_free_wrap, /* Same underlying key structure */ 1187 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1188 NULL, 1189 NULL, 1190 #endif 1191 eckey_debug, /* Same underlying key structure */ 1192 }; 1193 #endif /* MBEDTLS_ECP_C */ 1194 1195 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 1196 static int ecdsa_can_do(mbedtls_pk_type_t type) 1197 { 1198 return type == MBEDTLS_PK_ECDSA; 1199 } 1200 1201 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1202 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, 1203 const unsigned char *hash, size_t hash_len, 1204 const unsigned char *sig, size_t sig_len, 1205 void *rs_ctx) 1206 { 1207 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1208 ((void) md_alg); 1209 1210 ret = mbedtls_ecdsa_read_signature_restartable( 1211 (mbedtls_ecdsa_context *) ctx, 1212 hash, hash_len, sig, sig_len, 1213 (mbedtls_ecdsa_restart_ctx *) rs_ctx); 1214 1215 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) { 1216 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 1217 } 1218 1219 return ret; 1220 } 1221 1222 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg, 1223 const unsigned char *hash, size_t hash_len, 1224 unsigned char *sig, size_t sig_size, size_t *sig_len, 1225 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 1226 void *rs_ctx) 1227 { 1228 return mbedtls_ecdsa_write_signature_restartable( 1229 (mbedtls_ecdsa_context *) ctx, 1230 md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng, 1231 (mbedtls_ecdsa_restart_ctx *) rs_ctx); 1232 1233 } 1234 1235 static void *ecdsa_rs_alloc(void) 1236 { 1237 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx)); 1238 1239 if (ctx != NULL) { 1240 mbedtls_ecdsa_restart_init(ctx); 1241 } 1242 1243 return ctx; 1244 } 1245 1246 static void ecdsa_rs_free(void *ctx) 1247 { 1248 mbedtls_ecdsa_restart_free(ctx); 1249 mbedtls_free(ctx); 1250 } 1251 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ 1252 1253 const mbedtls_pk_info_t mbedtls_ecdsa_info = { 1254 MBEDTLS_PK_ECDSA, 1255 "ECDSA", 1256 eckey_get_bitlen, /* Compatible key structures */ 1257 ecdsa_can_do, 1258 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) 1259 ecdsa_verify_wrap, /* Compatible key structures */ 1260 #else 1261 NULL, 1262 #endif 1263 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1264 ecdsa_sign_wrap, /* Compatible key structures */ 1265 #else 1266 NULL, 1267 #endif 1268 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1269 ecdsa_verify_rs_wrap, 1270 ecdsa_sign_rs_wrap, 1271 #endif 1272 NULL, 1273 NULL, 1274 eckey_check_pair, /* Compatible key structures */ 1275 eckey_alloc_wrap, /* Compatible key structures */ 1276 eckey_free_wrap, /* Compatible key structures */ 1277 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1278 ecdsa_rs_alloc, 1279 ecdsa_rs_free, 1280 #endif 1281 eckey_debug, /* Compatible key structures */ 1282 }; 1283 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ 1284 1285 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 1286 /* 1287 * Support for alternative RSA-private implementations 1288 */ 1289 1290 static int rsa_alt_can_do(mbedtls_pk_type_t type) 1291 { 1292 return type == MBEDTLS_PK_RSA; 1293 } 1294 1295 static size_t rsa_alt_get_bitlen(const void *ctx) 1296 { 1297 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx; 1298 1299 return 8 * rsa_alt->key_len_func(rsa_alt->key); 1300 } 1301 1302 static int rsa_alt_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, 1303 const unsigned char *hash, size_t hash_len, 1304 unsigned char *sig, size_t sig_size, size_t *sig_len, 1305 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1306 { 1307 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 1308 1309 if (UINT_MAX < hash_len) { 1310 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 1311 } 1312 1313 *sig_len = rsa_alt->key_len_func(rsa_alt->key); 1314 if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) { 1315 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 1316 } 1317 if (*sig_len > sig_size) { 1318 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; 1319 } 1320 1321 return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng, 1322 md_alg, (unsigned int) hash_len, hash, sig); 1323 } 1324 1325 static int rsa_alt_decrypt_wrap(void *ctx, 1326 const unsigned char *input, size_t ilen, 1327 unsigned char *output, size_t *olen, size_t osize, 1328 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1329 { 1330 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 1331 1332 ((void) f_rng); 1333 ((void) p_rng); 1334 1335 if (ilen != rsa_alt->key_len_func(rsa_alt->key)) { 1336 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1337 } 1338 1339 return rsa_alt->decrypt_func(rsa_alt->key, 1340 olen, input, output, osize); 1341 } 1342 1343 #if defined(MBEDTLS_RSA_C) 1344 static int rsa_alt_check_pair(const void *pub, const void *prv, 1345 int (*f_rng)(void *, unsigned char *, size_t), 1346 void *p_rng) 1347 { 1348 unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; 1349 unsigned char hash[32]; 1350 size_t sig_len = 0; 1351 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1352 1353 if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) { 1354 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1355 } 1356 1357 memset(hash, 0x2a, sizeof(hash)); 1358 1359 if ((ret = rsa_alt_sign_wrap((void *) prv, MBEDTLS_MD_NONE, 1360 hash, sizeof(hash), 1361 sig, sizeof(sig), &sig_len, 1362 f_rng, p_rng)) != 0) { 1363 return ret; 1364 } 1365 1366 if (rsa_verify_wrap((void *) pub, MBEDTLS_MD_NONE, 1367 hash, sizeof(hash), sig, sig_len) != 0) { 1368 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1369 } 1370 1371 return 0; 1372 } 1373 #endif /* MBEDTLS_RSA_C */ 1374 1375 static void *rsa_alt_alloc_wrap(void) 1376 { 1377 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context)); 1378 1379 if (ctx != NULL) { 1380 memset(ctx, 0, sizeof(mbedtls_rsa_alt_context)); 1381 } 1382 1383 return ctx; 1384 } 1385 1386 static void rsa_alt_free_wrap(void *ctx) 1387 { 1388 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_rsa_alt_context)); 1389 mbedtls_free(ctx); 1390 } 1391 1392 const mbedtls_pk_info_t mbedtls_rsa_alt_info = { 1393 MBEDTLS_PK_RSA_ALT, 1394 "RSA-alt", 1395 rsa_alt_get_bitlen, 1396 rsa_alt_can_do, 1397 NULL, 1398 rsa_alt_sign_wrap, 1399 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1400 NULL, 1401 NULL, 1402 #endif 1403 rsa_alt_decrypt_wrap, 1404 NULL, 1405 #if defined(MBEDTLS_RSA_C) 1406 rsa_alt_check_pair, 1407 #else 1408 NULL, 1409 #endif 1410 rsa_alt_alloc_wrap, 1411 rsa_alt_free_wrap, 1412 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1413 NULL, 1414 NULL, 1415 #endif 1416 NULL, 1417 }; 1418 1419 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ 1420 1421 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1422 1423 static void *pk_opaque_alloc_wrap(void) 1424 { 1425 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_svc_key_id_t)); 1426 1427 /* no _init() function to call, as calloc() already zeroized */ 1428 1429 return ctx; 1430 } 1431 1432 static void pk_opaque_free_wrap(void *ctx) 1433 { 1434 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_svc_key_id_t)); 1435 mbedtls_free(ctx); 1436 } 1437 1438 static size_t pk_opaque_get_bitlen(const void *ctx) 1439 { 1440 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx; 1441 size_t bits; 1442 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1443 1444 if (PSA_SUCCESS != psa_get_key_attributes(*key, &attributes)) { 1445 return 0; 1446 } 1447 1448 bits = psa_get_key_bits(&attributes); 1449 psa_reset_key_attributes(&attributes); 1450 return bits; 1451 } 1452 1453 static int pk_opaque_ecdsa_can_do(mbedtls_pk_type_t type) 1454 { 1455 return type == MBEDTLS_PK_ECKEY || 1456 type == MBEDTLS_PK_ECDSA; 1457 } 1458 1459 static int pk_opaque_rsa_can_do(mbedtls_pk_type_t type) 1460 { 1461 return type == MBEDTLS_PK_RSA || 1462 type == MBEDTLS_PK_RSASSA_PSS; 1463 } 1464 1465 static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, 1466 const unsigned char *hash, size_t hash_len, 1467 unsigned char *sig, size_t sig_size, size_t *sig_len, 1468 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1469 { 1470 #if !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && !defined(MBEDTLS_RSA_C) 1471 ((void) ctx); 1472 ((void) md_alg); 1473 ((void) hash); 1474 ((void) hash_len); 1475 ((void) sig); 1476 ((void) sig_size); 1477 ((void) sig_len); 1478 ((void) f_rng); 1479 ((void) p_rng); 1480 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 1481 #else /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */ 1482 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx; 1483 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1484 psa_algorithm_t alg; 1485 psa_key_type_t type; 1486 psa_status_t status; 1487 1488 /* PSA has its own RNG */ 1489 (void) f_rng; 1490 (void) p_rng; 1491 1492 status = psa_get_key_attributes(*key, &attributes); 1493 if (status != PSA_SUCCESS) { 1494 return PSA_PK_TO_MBEDTLS_ERR(status); 1495 } 1496 1497 type = psa_get_key_type(&attributes); 1498 psa_reset_key_attributes(&attributes); 1499 1500 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1501 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { 1502 alg = PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg)); 1503 } else 1504 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1505 #if defined(MBEDTLS_RSA_C) 1506 if (PSA_KEY_TYPE_IS_RSA(type)) { 1507 alg = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg)); 1508 } else 1509 #endif /* MBEDTLS_RSA_C */ 1510 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 1511 1512 /* make the signature */ 1513 status = psa_sign_hash(*key, alg, hash, hash_len, 1514 sig, sig_size, sig_len); 1515 if (status != PSA_SUCCESS) { 1516 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1517 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { 1518 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); 1519 } else 1520 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1521 #if defined(MBEDTLS_RSA_C) 1522 if (PSA_KEY_TYPE_IS_RSA(type)) { 1523 return PSA_PK_RSA_TO_MBEDTLS_ERR(status); 1524 } else 1525 #endif /* MBEDTLS_RSA_C */ 1526 return PSA_PK_TO_MBEDTLS_ERR(status); 1527 } 1528 1529 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1530 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { 1531 /* transcode it to ASN.1 sequence */ 1532 return pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size); 1533 } 1534 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1535 1536 return 0; 1537 #endif /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */ 1538 } 1539 1540 const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = { 1541 MBEDTLS_PK_OPAQUE, 1542 "Opaque", 1543 pk_opaque_get_bitlen, 1544 pk_opaque_ecdsa_can_do, 1545 NULL, /* verify - will be done later */ 1546 pk_opaque_sign_wrap, 1547 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1548 NULL, /* restartable verify - not relevant */ 1549 NULL, /* restartable sign - not relevant */ 1550 #endif 1551 NULL, /* decrypt - not relevant */ 1552 NULL, /* encrypt - not relevant */ 1553 NULL, /* check_pair - could be done later or left NULL */ 1554 pk_opaque_alloc_wrap, 1555 pk_opaque_free_wrap, 1556 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1557 NULL, /* restart alloc - not relevant */ 1558 NULL, /* restart free - not relevant */ 1559 #endif 1560 NULL, /* debug - could be done later, or even left NULL */ 1561 }; 1562 1563 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) 1564 static int pk_opaque_rsa_decrypt(void *ctx, 1565 const unsigned char *input, size_t ilen, 1566 unsigned char *output, size_t *olen, size_t osize, 1567 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1568 { 1569 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx; 1570 psa_status_t status; 1571 1572 /* PSA has its own RNG */ 1573 (void) f_rng; 1574 (void) p_rng; 1575 1576 status = psa_asymmetric_decrypt(*key, PSA_ALG_RSA_PKCS1V15_CRYPT, 1577 input, ilen, 1578 NULL, 0, 1579 output, osize, olen); 1580 if (status != PSA_SUCCESS) { 1581 return PSA_PK_RSA_TO_MBEDTLS_ERR(status); 1582 } 1583 1584 return 0; 1585 } 1586 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ 1587 1588 const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info = { 1589 MBEDTLS_PK_OPAQUE, 1590 "Opaque", 1591 pk_opaque_get_bitlen, 1592 pk_opaque_rsa_can_do, 1593 NULL, /* verify - will be done later */ 1594 pk_opaque_sign_wrap, 1595 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1596 NULL, /* restartable verify - not relevant */ 1597 NULL, /* restartable sign - not relevant */ 1598 #endif 1599 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) 1600 pk_opaque_rsa_decrypt, 1601 #else 1602 NULL, /* decrypt - not available */ 1603 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ 1604 NULL, /* encrypt - will be done later */ 1605 NULL, /* check_pair - could be done later or left NULL */ 1606 pk_opaque_alloc_wrap, 1607 pk_opaque_free_wrap, 1608 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1609 NULL, /* restart alloc - not relevant */ 1610 NULL, /* restart free - not relevant */ 1611 #endif 1612 NULL, /* debug - could be done later, or even left NULL */ 1613 }; 1614 1615 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1616 1617 #endif /* MBEDTLS_PK_C */ 1618