TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fcee740b835f6dcbca1fa4aa42998c3269caad8e^! / .
commitfcee740b835f6dcbca1fa4aa42998c3269caad8e[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Tue Oct 11 21:15:24 2022 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Tue Oct 11 21:15:24 2022 +0200
treecdc489198c52b28547868141861b6d30e62ebe9b
parentaef1ba679d6a9e09aa08912c0a704570141d3cba [diff]
Automatically enable PK_PARSE for RSA in PSA

PSA crypto currently needs MBEDTLS_PK_PARSE_C to parse RSA keys to do almost
anything with them (import, get attributes, export public from private, any
cryptographic operations). Force it on, for symmetry with what we're doing
for MBEDTLS_PK_WRITE_C. Fixes #6409.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

diff --git a/ChangeLog.d/psa_rsa_needs_pk.txt b/ChangeLog.d/psa_rsa_needs_pk.txt
index 3421aff..995963d 100644
--- a/ChangeLog.d/psa_rsa_needs_pk.txt
+++ b/ChangeLog.d/psa_rsa_needs_pk.txt

@@ -1,3 +1,5 @@
 Bugfix
    * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
      MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
+   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
+     MBEDTLS_PK_PARSE_C. Fixes #6409.

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 21e63f1..b043789 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h

@@ -79,11 +79,12 @@
  * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext().
  * PSA crypto also needs pk_write to export RSA keys (otherwise the build
  * goes through but psa_export_key() and psa_export_public_key() fail on
- * RSA keys).
+ * RSA keys), and pk_parse to work with RSA keys in almost any way.
  */
 #if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
 #define MBEDTLS_PK_C
 #define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_PARSE_C
 #endif
 
 /* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index fa41604..30ab9ba 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh

@@ -1572,11 +1572,11 @@
   scripts/config.py unset MBEDTLS_PEM_WRITE_C
   scripts/config.py unset MBEDTLS_PKCS12_C
   scripts/config.py unset MBEDTLS_PKCS5_C
-  # MBEDTLS_PK_WRITE_C is actually currently needed for RSA key export,
-  # but build_info.h will reenable it.
+  # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
+  # in PSA code to work with RSA keys. We don't require users to set those:
+  # they will be reenabled in build_info.h.
+  scripts/config.py unset MBEDTLS_PK_PARSE_C
   scripts/config.py unset MBEDTLS_PK_WRITE_C
-  # At this time, we can't unset MBEDTLS_PK_PARSE_C, because it's needed
-  # for RSA in PSA (see https://github.com/Mbed-TLS/mbedtls/issues/6408).
   make CFLAGS='-O1 -Werror' all test
   are_empty_libraries library/libmbedx509.* library/libmbedtls.*
 }