diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 215606da57..92e9bf4bc4 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -947,6 +947,206 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +/* + * Simultaneously convert and move raw MPI from the beginning of a buffer + * to an ASN.1 MPI at the end of the buffer. + * See also mbedtls_asn1_write_mpi(). + * + * p: pointer to the end of the output buffer + * start: start of the output buffer, and also of the mpi to write at the end + * n_len: length of the mpi to read from start + */ +static int asn1_write_mpibuf( unsigned char **p, unsigned char *start, + size_t n_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + + if( (size_t)( *p - start ) < n_len ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + + len = n_len; + *p -= len; + memmove( *p, start, len ); + + /* ASN.1 DER encoding requires minimal length, so skip leading 0s. + * Neither r nor s should be 0, but as a failsafe measure, still detect + * that rather than overflowing the buffer in case of a PSA error. */ + while( len > 0 && **p == 0x00 ) + { + ++(*p); + --len; + } + + /* this is only reached if the signature was invalid */ + if( len == 0 ) + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); + + /* if the msb is 1, ASN.1 requires that we prepend a 0. + * Neither r nor s can be 0, so we can assume len > 0 at all times. */ + if( **p & 0x80 ) + { + if( *p - start < 1 ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + + *--(*p) = 0x00; + len += 1; + } + + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, + MBEDTLS_ASN1_INTEGER ) ); + + return( (int) len ); +} + +/* Transcode signature from PSA format to ASN.1 sequence. + * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of + * MPIs, and in-place. + * + * [in/out] sig: the signature pre- and post-transcoding + * [in/out] sig_len: signature length pre- and post-transcoding + * [int] buf_len: the available size the in/out buffer + */ +static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len, + size_t buf_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + const size_t rs_len = *sig_len / 2; + unsigned char *p = sig + buf_len; + + MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) ); + + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); + + memmove( sig, p, len ); + *sig_len = len; + + return( 0 ); +} + +/* Locate an ECDSA privateKey in a RFC 5915, or SEC1 Appendix C.4 ASN.1 buffer + * + * [in/out] buf: ASN.1 buffer start as input - ECDSA privateKey start as output + * [in] end: ASN.1 buffer end + * [out] key_len: the ECDSA privateKey length in bytes + */ +static int find_ecdsa_private_key( unsigned char **buf, unsigned char *end, + size_t *key_len ) +{ + size_t len; + int ret; + + /* + * RFC 5915, or SEC1 Appendix C.4 + * + * ECPrivateKey ::= SEQUENCE { + * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), + * privateKey OCTET STRING, + * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, + * publicKey [1] BIT STRING OPTIONAL + * } + */ + + if( ( ret = mbedtls_asn1_get_tag( buf, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) + return( ret ); + + /* version */ + if( ( ret = mbedtls_asn1_get_tag( buf, end, &len, + MBEDTLS_ASN1_INTEGER ) ) != 0 ) + return( ret ); + + *buf += len; + + /* privateKey */ + if( ( ret = mbedtls_asn1_get_tag( buf, end, &len, + MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) + return( ret ); + + *key_len = len; + + return 0; +} + +static int ecdsa_sign_wrap( void *ctx_arg, mbedtls_md_type_t md_alg, + const unsigned char *hash, size_t hash_len, + unsigned char *sig, size_t sig_size, size_t *sig_len, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + mbedtls_ecdsa_context *ctx = ctx_arg; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_status_t status; + mbedtls_pk_context key; + size_t key_len; + unsigned char buf[MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES]; + unsigned char *p; + psa_algorithm_t psa_sig_md = + PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); + size_t curve_bits; + psa_ecc_family_t curve = + mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); + + /* PSA has its own RNG */ + ((void) f_rng); + ((void) p_rng); + + if( curve == 0 ) + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); + + /* mbedtls_pk_write_key_der() expects a full PK context; + * re-construct one to make it happy */ + key.pk_info = &mbedtls_eckey_info; + key.pk_ctx = ctx; + key_len = mbedtls_pk_write_key_der( &key, buf, sizeof( buf ) ); + if( key_len <= 0 ) + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); + + p = buf + sizeof( buf ) - key_len; + ret = find_ecdsa_private_key( &p, buf + sizeof( buf ), &key_len ); + if( ret != 0 ) + goto cleanup; + + psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_KEY_PAIR( curve ) ); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH ); + psa_set_key_algorithm( &attributes, psa_sig_md ); + + status = psa_import_key( &attributes, + p, key_len, + &key_id ); + if( status != PSA_SUCCESS ) + { + ret = mbedtls_pk_error_from_psa( status ); + goto cleanup; + } + + status = psa_sign_hash( key_id, psa_sig_md, hash, hash_len, + sig, sig_size, sig_len ); + if( status != PSA_SUCCESS ) + { + ret = mbedtls_pk_error_from_psa_ecdca( status ); + goto cleanup; + } + + ret = pk_ecdsa_sig_asn1_from_psa( sig, sig_len, sig_size ); + +cleanup: + mbedtls_platform_zeroize( buf, sizeof( buf ) ); + status = psa_destroy_key( key_id ); + if( ret == 0 && status != PSA_SUCCESS ) + ret = mbedtls_pk_error_from_psa( status ); + + return( ret ); +} +#else static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t sig_size, size_t *sig_len, @@ -957,6 +1157,7 @@ static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, sig, sig_size, sig_len, f_rng, p_rng ) ); } +#endif #if defined(MBEDTLS_ECP_RESTARTABLE) static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, @@ -1224,92 +1425,6 @@ static int pk_opaque_can_do( mbedtls_pk_type_t type ) type == MBEDTLS_PK_ECDSA ); } -#if defined(MBEDTLS_ECDSA_C) - -/* - * Simultaneously convert and move raw MPI from the beginning of a buffer - * to an ASN.1 MPI at the end of the buffer. - * See also mbedtls_asn1_write_mpi(). - * - * p: pointer to the end of the output buffer - * start: start of the output buffer, and also of the mpi to write at the end - * n_len: length of the mpi to read from start - */ -static int asn1_write_mpibuf( unsigned char **p, unsigned char *start, - size_t n_len ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - - if( (size_t)( *p - start ) < n_len ) - return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - - len = n_len; - *p -= len; - memmove( *p, start, len ); - - /* ASN.1 DER encoding requires minimal length, so skip leading 0s. - * Neither r nor s should be 0, but as a failsafe measure, still detect - * that rather than overflowing the buffer in case of a PSA error. */ - while( len > 0 && **p == 0x00 ) - { - ++(*p); - --len; - } - - /* this is only reached if the signature was invalid */ - if( len == 0 ) - return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); - - /* if the msb is 1, ASN.1 requires that we prepend a 0. - * Neither r nor s can be 0, so we can assume len > 0 at all times. */ - if( **p & 0x80 ) - { - if( *p - start < 1 ) - return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - - *--(*p) = 0x00; - len += 1; - } - - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, - MBEDTLS_ASN1_INTEGER ) ); - - return( (int) len ); -} - -/* Transcode signature from PSA format to ASN.1 sequence. - * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of - * MPIs, and in-place. - * - * [in/out] sig: the signature pre- and post-transcoding - * [in/out] sig_len: signature length pre- and post-transcoding - * [int] buf_len: the available size the in/out buffer - */ -static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len, - size_t buf_len ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - const size_t rs_len = *sig_len / 2; - unsigned char *p = sig + buf_len; - - MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) ); - - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - - memmove( sig, p, len ); - *sig_len = len; - - return( 0 ); -} - -#endif /* MBEDTLS_ECDSA_C */ - static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t sig_size, size_t *sig_len, diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 1e88191373..947fcc442c 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -83,11 +83,14 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, mbedtls_pk_context key; mbedtls_x509write_csr req; unsigned char buf[4096]; - unsigned char check_buf[4000]; int ret; - size_t olen = 0, pem_len = 0, buf_index; - int der_len = -1; +#if !defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char check_buf[4000]; FILE *f; + size_t olen = 0; +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ + size_t pem_len = 0, buf_index; + int der_len = -1; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; mbedtls_test_rnd_pseudo_info rnd_info; @@ -119,6 +122,12 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, TEST_ASSERT( buf[buf_index] == 0 ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + // When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used + (void)cert_req_check_file; + buf[pem_len] = '\0'; + TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 ); +#else f = fopen( cert_req_check_file, "r" ); TEST_ASSERT( f != NULL ); olen = fread( check_buf, 1, sizeof( check_buf ), f ); @@ -126,6 +135,7 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, TEST_ASSERT( olen >= pem_len - 1 ); TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ), mbedtls_test_rnd_pseudo_rand, @@ -135,7 +145,15 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, if( der_len == 0 ) goto exit; - ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ), +#if defined(MBEDTLS_USE_PSA_CRYPTO) + // When using PSA crypto, RNG isn't controllable, result length isn't + // deterministic over multiple runs, removing a single byte isn't enough to + // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case + der_len /= 2; +#else + der_len -= 1; +#endif + ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len ), mbedtls_test_rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );