pk_wrap: add support for ECDSA verify for opaque keys
This commit also adds tests to verify the functionality.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 75904c4..4f7094a 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -781,6 +781,36 @@
return ret;
}
+static int ecdsa_verify_wrap_opaque(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t key_len;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_ecc_family_t curve;
+ size_t curve_bits;
+ psa_status_t status;
+
+ status = psa_get_key_attributes(pk->priv_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
+ curve_bits = psa_get_key_bits(&key_attr);
+ psa_reset_key_attributes(&key_attr);
+
+ status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return ecdsa_verify_psa(key, key_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
mbedtls_md_type_t md_alg,
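Review bot: `ecdsa_verify_wrap_opaque` has no comment saying that verification runs on a copy of the public key obtained with `psa_export_public_key()` rather than on the opaque key identifier, so, as far as this hunk shows, the opaque key's own usage and algorithm policy is never consulted on the verify path. A header comment such as `/* Verify with the exported public key; the opaque key's PSA policy is not checked here. */` would make that explicit for callers who expect policy enforcement. `md_alg` is discarded on the first line of the body, and a one-line remark on why `ecdsa_verify_psa()` does not need it would help; that helper is defined outside the hunk, so its behaviour cannot be confirmed from here. As a point of style, `(void) md_alg;` sits before the local declarations and would read better after them.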
@@ -1757,7 +1787,7 @@
"Opaque",
pk_opaque_get_bitlen,
pk_opaque_ecdsa_can_do,
- NULL, /* verify - will be done later */
+ ecdsa_verify_wrap_opaque,
ecdsa_sign_wrap_opaque,
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
NULL, /* restartable verify - not relevant */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 4074e13..a204841 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -223,8 +223,6 @@
mbedtls_pk_init(&pk2);
USE_PSA_INIT();
- TEST_ASSERT(psa_crypto_init() == PSA_SUCCESS);
-
TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, MBEDTLS_SVC_KEY_ID_INIT) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
@@ -261,10 +259,11 @@
}
/* unsupported operations: verify, decrypt, encrypt */
- TEST_ASSERT(mbedtls_pk_verify(&pk, md_alg,
- b1, sizeof(b1), b2, sizeof(b2))
- == MBEDTLS_ERR_PK_TYPE_MISMATCH);
- if (key_is_rsa == 0) {
+ if (key_is_rsa == 1) {
+ TEST_ASSERT(mbedtls_pk_verify(&pk, md_alg,
+ b1, sizeof(b1), b2, sizeof(b2))
+ == MBEDTLS_ERR_PK_TYPE_MISMATCH);
+ } else {
TEST_ASSERT(mbedtls_pk_decrypt(&pk, b1, sizeof(b1),
b2, &len, sizeof(b2),
NULL, NULL)
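Review bot: The context comment `/* unsupported operations: verify, decrypt, encrypt */` directly above the rewritten branch is now stale, because verify is asserted to return `MBEDTLS_ERR_PK_TYPE_MISMATCH` only when `key_is_rsa == 1`. Something like `/* unsupported operations: verify (RSA keys); decrypt, encrypt (non-RSA keys) */` would match the new control flow. The `else` block continues past the end of the hunk, so the encrypt part of that wording is inferred from the old comment and should be checked against the full function.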
@@ -1367,6 +1366,11 @@
TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256,
hash, sizeof(hash), sig, sizeof(sig), &sig_len,
NULL, NULL) == 0);
+ /* Only opaque EC keys support verification. */
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) {
+ TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
+ hash, sizeof(hash), sig, sig_len) == 0);
+ }
/* Export underlying public key for re-importing in a psa context. */
#if defined(MBEDTLS_PK_WRITE_C)
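Review bot: The added check inside the `PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)` branch covers only the accepting path, so a verify wrapper that returned 0 for any input would still pass this test. After the positive assertion, verify a modified hash and expect a failure, for example `hash[0] ^= 0x01;` followed by `TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, sizeof(hash), sig, sig_len) != 0);`, then restore the byte with `hash[0] ^= 0x01;` in case later steps reuse `hash`. This assumes `hash` is a writable array, which the `sizeof(hash)` usage suggests but the hunk does not show.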