ECC import: more useful choice of INVALID_ARGUMENT vs NOT_SUPPORTED

Attempting to create an ECC key with a curve specification that is not valid can plausibly fail with PSA_ERROR_INVALID_ARGUMENT ("this is not a curve specification at all") or PSA_ERROR_NOT_SUPPORTED ("this may be a curve specification, but not one I support"). The choice of error is somewhat subjective. Before this commit, due to happenstance in the implementation, an attempt to use a curve that is declared in the PSA API but not implemented in Mbed TLS returned PSA_ERROR_INVALID_ARGUMENT, whereas an attempt to use a curve that Mbed TLS supports but for which support was disabled at compile-time returned PSA_ERROR_NOT_SUPPORTED. This inconsistency made it difficult to write negative tests that could work whether the curve is implemented via Mbed TLS code or via a driver. After this commit, any attempt to use parameters that are not recognized fails with NOT_SUPPORTED, whether a curve with the specified size might plausibly exist or not, because "might plausibly exist" is not something Mbed TLS can determine. To keep returning INVALID_ARGUMENT when importing an ECC key with an explicit "bits" attribute that is inconsistent with the size of the key material, this commit changes the way mbedtls_ecc_group_of_psa() works: it now works on a size in bits rather than bytes, with an extra flag indicating whether the bit-size must be exact or not. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-29 11:41:15 +03:00 · 2021-01-27 15:44:45 +01:00
parent a0832d47f7
commit 2fa6b5f503
7 changed files with 109 additions and 51 deletions
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@ -637,16 +637,21 @@ static inline psa_ecc_family_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id gr
 *
 * \param curve         A PSA elliptic curve identifier
 *                      (`PSA_ECC_FAMILY_xxx`).
- * \param byte_length   The byte-length of a private key on \p curve.
+ * \param bits          The bit-length of a private key on \p curve.
+ * \param bits_is_sloppy If true, \p bits may be the bit-length rounded up
+ *                      to the nearest multiple of 8. This allows the caller
+ *                      to infer the exact curve from the length of a key
+ *                      which is supplied as a byte string.
 *
 * \return              The corresponding Mbed TLS elliptic curve identifier
 *                      (`MBEDTLS_ECP_DP_xxx`).
 * \return              #MBEDTLS_ECP_DP_NONE if \c curve is not recognized.
- * \return              #MBEDTLS_ECP_DP_NONE if \p byte_length is not
+ * \return              #MBEDTLS_ECP_DP_NONE if \p bits is not
 *                      correct for \p curve.
 */
 mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
-                                               size_t byte_length );
+                                               size_t bits,
+                                               int bits_is_sloppy );
 #endif /* MBEDTLS_ECP_C */

 /**@}*/