TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b814bdabe48d0297a7780739e99c70d966e75455 / . / library / psa_crypto_rsa.c
blob: 4ee0adf9ef42d1dc449e8d29a4d632d20657f47f [file] [log] [blame]
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]1/*
2 * PSA RSA layer on top of Mbed TLS crypto
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include <psa/crypto.h>
26#include "psa_crypto_core.h"
Ronald Cron9e18fc12020-11-05 17:36:40 +0100[diff] [blame]27#include "psa_crypto_random_impl.h"
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]28#include "psa_crypto_rsa.h"
Steven Cooreman5f88e772021-03-15 11:07:12 +0100[diff] [blame]29#include "psa_crypto_hash.h"
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]30
31#include <stdlib.h>
32#include <string.h>
33#include "mbedtls/platform.h"
34#if !defined(MBEDTLS_PLATFORM_C)
35#define mbedtls_calloc calloc
36#define mbedtls_free free
37#endif
38
39#include <mbedtls/rsa.h>
40#include <mbedtls/error.h>
41#include <mbedtls/pk.h>
42#include <mbedtls/pk_internal.h>
43
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]44#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
45 ( defined(PSA_CRYPTO_DRIVER_TEST) && \
Ronald Cron2091eed2021-04-09 11:09:54 +0200[diff] [blame]46 defined(MBEDTLS_PSA_CRYPTO_CONFIG) && \
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]47 defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ) )
48#define BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
49#endif
50
Ronald Cron2091eed2021-04-09 11:09:54 +0200[diff] [blame]51#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \
52 ( defined(PSA_CRYPTO_DRIVER_TEST) && \
53 defined(MBEDTLS_PSA_CRYPTO_CONFIG) && \
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]54 defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) )
55#define BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
56#endif
57
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]58#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
59 ( defined(PSA_CRYPTO_DRIVER_TEST) && \
Ronald Cron2091eed2021-04-09 11:09:54 +0200[diff] [blame]60 defined(MBEDTLS_PSA_CRYPTO_CONFIG) && \
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]61 defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) && \
62 defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V15) ) )
63#define BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
64#endif
65
66#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
67 ( defined(PSA_CRYPTO_DRIVER_TEST) && \
Ronald Cron2091eed2021-04-09 11:09:54 +0200[diff] [blame]68 defined(MBEDTLS_PSA_CRYPTO_CONFIG) && \
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]69 defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) && \
70 defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) ) )
71#define BUILTIN_ALG_RSA_PSS 1
72#endif
73
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]74#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]75 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]76 defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
77 defined(BUILTIN_ALG_RSA_PSS) || \
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]78 defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
79 defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]80
81/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
82 * that are not a multiple of 8) well. For example, there is only
83 * mbedtls_rsa_get_len(), which returns a number of bytes, and no
84 * way to return the exact bit size of a key.
85 * To keep things simple, reject non-byte-aligned key sizes. */
86static psa_status_t psa_check_rsa_key_byte_aligned(
87 const mbedtls_rsa_context *rsa )
88{
89 mbedtls_mpi n;
90 psa_status_t status;
91 mbedtls_mpi_init( &n );
92 status = mbedtls_to_psa_error(
93 mbedtls_rsa_export( rsa, &n, NULL, NULL, NULL, NULL ) );
94 if( status == PSA_SUCCESS )
95 {
96 if( mbedtls_mpi_bitlen( &n ) % 8 != 0 )
97 status = PSA_ERROR_NOT_SUPPORTED;
98 }
99 mbedtls_mpi_free( &n );
100 return( status );
101}
102
103psa_status_t mbedtls_psa_rsa_load_representation(
104 psa_key_type_t type, const uint8_t *data, size_t data_length,
105 mbedtls_rsa_context **p_rsa )
106{
107 psa_status_t status;
108 mbedtls_pk_context ctx;
109 size_t bits;
110 mbedtls_pk_init( &ctx );
111
112 /* Parse the data. */
113 if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
114 status = mbedtls_to_psa_error(
115 mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0 ) );
116 else
117 status = mbedtls_to_psa_error(
118 mbedtls_pk_parse_public_key( &ctx, data, data_length ) );
119 if( status != PSA_SUCCESS )
120 goto exit;
121
122 /* We have something that the pkparse module recognizes. If it is a
123 * valid RSA key, store it. */
124 if( mbedtls_pk_get_type( &ctx ) != MBEDTLS_PK_RSA )
125 {
126 status = PSA_ERROR_INVALID_ARGUMENT;
127 goto exit;
128 }
129
130 /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
131 * supports non-byte-aligned key sizes, but not well. For example,
132 * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
133 bits = PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( mbedtls_pk_rsa( ctx ) ) );
134 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
135 {
136 status = PSA_ERROR_NOT_SUPPORTED;
137 goto exit;
138 }
139 status = psa_check_rsa_key_byte_aligned( mbedtls_pk_rsa( ctx ) );
140 if( status != PSA_SUCCESS )
141 goto exit;
142
143 /* Copy out the pointer to the RSA context, and reset the PK context
144 * such that pk_free doesn't free the RSA context we just grabbed. */
145 *p_rsa = mbedtls_pk_rsa( ctx );
146 ctx.pk_info = NULL;
147
148exit:
149 mbedtls_pk_free( &ctx );
150 return( status );
151}
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]152#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]153 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]154 * defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
155 * defined(BUILTIN_ALG_RSA_PSS) ||
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]156 * defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
157 * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]158
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]159#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
160 defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
Ronald Cronabf2aef2020-11-27 18:13:44 +0100[diff] [blame]161
Ronald Cron784fb322020-11-30 13:55:05 +0100[diff] [blame]162static psa_status_t rsa_import_key(
Ronald Cronabf2aef2020-11-27 18:13:44 +0100[diff] [blame]163 const psa_key_attributes_t *attributes,
164 const uint8_t *data, size_t data_length,
165 uint8_t *key_buffer, size_t key_buffer_size,
166 size_t *key_buffer_length, size_t *bits )
167{
168 psa_status_t status;
169 mbedtls_rsa_context *rsa = NULL;
170
171 /* Parse input */
172 status = mbedtls_psa_rsa_load_representation( attributes->core.type,
173 data,
174 data_length,
175 &rsa );
176 if( status != PSA_SUCCESS )
177 goto exit;
178
179 *bits = (psa_key_bits_t) PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( rsa ) );
180
181 /* Re-export the data to PSA export format, such that we can store export
182 * representation in the key slot. Export representation in case of RSA is
183 * the smallest representation that's allowed as input, so a straight-up
184 * allocation of the same size as the input buffer will be large enough. */
185 status = mbedtls_psa_rsa_export_key( attributes->core.type,
186 rsa,
187 key_buffer,
188 key_buffer_size,
189 key_buffer_length );
190exit:
191 /* Always free the RSA object */
192 mbedtls_rsa_free( rsa );
193 mbedtls_free( rsa );
194
195 return( status );
196}
197
Ronald Crone5ca3d82020-11-26 16:36:16 +0100[diff] [blame]198psa_status_t mbedtls_psa_rsa_export_key( psa_key_type_t type,
199 mbedtls_rsa_context *rsa,
200 uint8_t *data,
201 size_t data_size,
202 size_t *data_length )
203{
204#if defined(MBEDTLS_PK_WRITE_C)
205 int ret;
206 mbedtls_pk_context pk;
207 uint8_t *pos = data + data_size;
208
209 mbedtls_pk_init( &pk );
210 pk.pk_info = &mbedtls_rsa_info;
211 pk.pk_ctx = rsa;
212
213 /* PSA Crypto API defines the format of an RSA key as a DER-encoded
214 * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
215 * private key and of the RFC3279 RSAPublicKey for a public key. */
216 if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
217 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
218 else
219 ret = mbedtls_pk_write_pubkey( &pos, data, &pk );
220
221 if( ret < 0 )
222 {
223 /* Clean up in case pk_write failed halfway through. */
224 memset( data, 0, data_size );
225 return( mbedtls_to_psa_error( ret ) );
226 }
227
228 /* The mbedtls_pk_xxx functions write to the end of the buffer.
229 * Move the data to the beginning and erase remaining data
230 * at the original location. */
231 if( 2 * (size_t) ret <= data_size )
232 {
233 memcpy( data, data + data_size - ret, ret );
234 memset( data + data_size - ret, 0, ret );
235 }
236 else if( (size_t) ret < data_size )
237 {
238 memmove( data, data + data_size - ret, ret );
239 memset( data + ret, 0, data_size - ret );
240 }
241
242 *data_length = ret;
243 return( PSA_SUCCESS );
244#else
245 (void) type;
246 (void) rsa;
247 (void) data;
248 (void) data_size;
249 (void) data_length;
250 return( PSA_ERROR_NOT_SUPPORTED );
251#endif /* MBEDTLS_PK_WRITE_C */
252}
253
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]254static psa_status_t rsa_export_public_key(
Ronald Crone5ca3d82020-11-26 16:36:16 +0100[diff] [blame]255 const psa_key_attributes_t *attributes,
256 const uint8_t *key_buffer, size_t key_buffer_size,
257 uint8_t *data, size_t data_size, size_t *data_length )
258{
259 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
260 mbedtls_rsa_context *rsa = NULL;
261
262 status = mbedtls_psa_rsa_load_representation(
263 attributes->core.type, key_buffer, key_buffer_size, &rsa );
264 if( status != PSA_SUCCESS )
265 return( status );
266
267 status = mbedtls_psa_rsa_export_key( PSA_KEY_TYPE_RSA_PUBLIC_KEY,
268 rsa,
269 data,
270 data_size,
271 data_length );
272
273 mbedtls_rsa_free( rsa );
274 mbedtls_free( rsa );
275
276 return( status );
277}
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]278#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
279 * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
280
Jaeden Ameroc17f2932021-05-14 08:34:32 +0100[diff] [blame]281#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
282 defined(MBEDTLS_GENPRIME)
Ronald Cron2365fde2021-02-08 09:52:24 +0100[diff] [blame]283static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters,
Ronald Cron9e18fc12020-11-05 17:36:40 +0100[diff] [blame]284 size_t domain_parameters_size,
285 int *exponent )
286{
287 size_t i;
288 uint32_t acc = 0;
289
290 if( domain_parameters_size == 0 )
291 {
292 *exponent = 65537;
293 return( PSA_SUCCESS );
294 }
295
296 /* Mbed TLS encodes the public exponent as an int. For simplicity, only
297 * support values that fit in a 32-bit integer, which is larger than
298 * int on just about every platform anyway. */
299 if( domain_parameters_size > sizeof( acc ) )
300 return( PSA_ERROR_NOT_SUPPORTED );
301 for( i = 0; i < domain_parameters_size; i++ )
302 acc = ( acc << 8 ) | domain_parameters[i];
303 if( acc > INT_MAX )
304 return( PSA_ERROR_NOT_SUPPORTED );
305 *exponent = acc;
306 return( PSA_SUCCESS );
307}
308
Ronald Cron3a9c46b2020-11-06 09:38:35 +0100[diff] [blame]309static psa_status_t rsa_generate_key(
Ronald Cron9e18fc12020-11-05 17:36:40 +0100[diff] [blame]310 const psa_key_attributes_t *attributes,
311 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
312{
313 psa_status_t status;
314 mbedtls_rsa_context rsa;
315 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
316 int exponent;
317
Ronald Cron2365fde2021-02-08 09:52:24 +0100[diff] [blame]318 status = psa_rsa_read_exponent( attributes->domain_parameters,
Ronald Cron9e18fc12020-11-05 17:36:40 +0100[diff] [blame]319 attributes->domain_parameters_size,
320 &exponent );
321 if( status != PSA_SUCCESS )
322 return( status );
323
324 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE );
325 ret = mbedtls_rsa_gen_key( &rsa,
326 mbedtls_psa_get_random,
327 MBEDTLS_PSA_RANDOM_STATE,
328 (unsigned int)attributes->core.bits,
329 exponent );
330 if( ret != 0 )
331 return( mbedtls_to_psa_error( ret ) );
332
333 status = mbedtls_psa_rsa_export_key( attributes->core.type,
334 &rsa, key_buffer, key_buffer_size,
335 key_buffer_length );
336 mbedtls_rsa_free( &rsa );
337
338 return( status );
339}
Jaeden Ameroc17f2932021-05-14 08:34:32 +0100[diff] [blame]340#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
341 * defined(MBEDTLS_GENPRIME) */
Ronald Cron9e18fc12020-11-05 17:36:40 +0100[diff] [blame]342
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]343/****************************************************************/
344/* Sign/verify hashes */
345/****************************************************************/
346
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]347#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(BUILTIN_ALG_RSA_PSS)
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]348
349/* Decode the hash algorithm from alg and store the mbedtls encoding in
350 * md_alg. Verify that the hash length is acceptable. */
351static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
352 size_t hash_length,
353 mbedtls_md_type_t *md_alg )
354{
355 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
356 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
357 *md_alg = mbedtls_md_get_type( md_info );
358
359 /* The Mbed TLS RSA module uses an unsigned int for hash length
360 * parameters. Validate that it fits so that we don't risk an
361 * overflow later. */
362#if SIZE_MAX > UINT_MAX
363 if( hash_length > UINT_MAX )
364 return( PSA_ERROR_INVALID_ARGUMENT );
365#endif
366
Janos Follathb23b5742021-06-07 14:34:10 +0100[diff] [blame]367 /* For signatures using a hash, the hash length must be correct. */
368 if( alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]369 {
370 if( md_info == NULL )
371 return( PSA_ERROR_NOT_SUPPORTED );
372 if( mbedtls_md_get_size( md_info ) != hash_length )
373 return( PSA_ERROR_INVALID_ARGUMENT );
374 }
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]375
376 return( PSA_SUCCESS );
377}
378
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]379static psa_status_t rsa_sign_hash(
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]380 const psa_key_attributes_t *attributes,
381 const uint8_t *key_buffer, size_t key_buffer_size,
382 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
383 uint8_t *signature, size_t signature_size, size_t *signature_length )
384{
385 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
386 mbedtls_rsa_context *rsa = NULL;
387 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
388 mbedtls_md_type_t md_alg;
389
390 status = mbedtls_psa_rsa_load_representation( attributes->core.type,
391 key_buffer,
392 key_buffer_size,
393 &rsa );
394 if( status != PSA_SUCCESS )
395 return( status );
396
397 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
398 if( status != PSA_SUCCESS )
399 goto exit;
400
401 if( signature_size < mbedtls_rsa_get_len( rsa ) )
402 {
403 status = PSA_ERROR_BUFFER_TOO_SMALL;
404 goto exit;
405 }
406
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]407#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]408 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
409 {
410 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
411 MBEDTLS_MD_NONE );
412 ret = mbedtls_rsa_pkcs1_sign( rsa,
413 mbedtls_psa_get_random,
414 MBEDTLS_PSA_RANDOM_STATE,
415 MBEDTLS_RSA_PRIVATE,
416 md_alg,
417 (unsigned int) hash_length,
418 hash,
419 signature );
420 }
421 else
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]422#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
423#if defined(BUILTIN_ALG_RSA_PSS)
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]424 if( PSA_ALG_IS_RSA_PSS( alg ) )
425 {
426 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
427 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
428 mbedtls_psa_get_random,
429 MBEDTLS_PSA_RANDOM_STATE,
430 MBEDTLS_RSA_PRIVATE,
431 MBEDTLS_MD_NONE,
432 (unsigned int) hash_length,
433 hash,
434 signature );
435 }
436 else
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]437#endif /* BUILTIN_ALG_RSA_PSS */
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]438 {
439 status = PSA_ERROR_INVALID_ARGUMENT;
440 goto exit;
441 }
442
443 if( ret == 0 )
444 *signature_length = mbedtls_rsa_get_len( rsa );
445 status = mbedtls_to_psa_error( ret );
446
447exit:
448 mbedtls_rsa_free( rsa );
449 mbedtls_free( rsa );
450
451 return( status );
452}
453
Gilles Peskine44fa40cd2021-10-04 22:15:05 +0200[diff] [blame]454#if defined(BUILTIN_ALG_RSA_PSS)
455static int rsa_pss_expected_salt_len( psa_algorithm_t alg,
456 const mbedtls_rsa_context *rsa,
457 size_t hash_length )
458{
459 if( PSA_ALG_IS_RSA_PSS_ANY_SALT( alg ) )
460 return( MBEDTLS_RSA_SALT_LEN_ANY );
461 /* Otherwise: standard salt length, i.e. largest possible salt length
462 * up to the hash length. */
Gilles Peskinef8362ca2021-10-08 16:28:32 +0200[diff] [blame]463 int klen = (int) mbedtls_rsa_get_len( rsa ); // known to fit
Gilles Peskine44fa40cd2021-10-04 22:15:05 +0200[diff] [blame]464 int hlen = (int) hash_length; // known to fit
465 int room = klen - 2 - hlen;
466 if( room < 0 )
467 return( 0 ); // there is no valid signature in this case anyway
468 else if( room > hlen )
469 return( hlen );
470 else
471 return( room );
472}
473#endif
474
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]475static psa_status_t rsa_verify_hash(
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]476 const psa_key_attributes_t *attributes,
477 const uint8_t *key_buffer, size_t key_buffer_size,
478 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
479 const uint8_t *signature, size_t signature_length )
480{
481 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
482 mbedtls_rsa_context *rsa = NULL;
483 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
484 mbedtls_md_type_t md_alg;
485
486 status = mbedtls_psa_rsa_load_representation( attributes->core.type,
487 key_buffer,
488 key_buffer_size,
489 &rsa );
490 if( status != PSA_SUCCESS )
491 goto exit;
492
493 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
494 if( status != PSA_SUCCESS )
495 goto exit;
496
497 if( signature_length != mbedtls_rsa_get_len( rsa ) )
498 {
499 status = PSA_ERROR_INVALID_SIGNATURE;
500 goto exit;
501 }
502
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]503#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]504 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
505 {
506 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
507 MBEDTLS_MD_NONE );
508 ret = mbedtls_rsa_pkcs1_verify( rsa,
509 mbedtls_psa_get_random,
510 MBEDTLS_PSA_RANDOM_STATE,
511 MBEDTLS_RSA_PUBLIC,
512 md_alg,
513 (unsigned int) hash_length,
514 hash,
515 signature );
516 }
517 else
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]518#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
519#if defined(BUILTIN_ALG_RSA_PSS)
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]520 if( PSA_ALG_IS_RSA_PSS( alg ) )
521 {
Gilles Peskine44fa40cd2021-10-04 22:15:05 +0200[diff] [blame]522 int slen = rsa_pss_expected_salt_len( alg, rsa, hash_length );
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]523 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
Gilles Peskine44fa40cd2021-10-04 22:15:05 +0200[diff] [blame]524 ret = mbedtls_rsa_rsassa_pss_verify_ext( rsa,
525 mbedtls_psa_get_random,
526 MBEDTLS_PSA_RANDOM_STATE,
527 MBEDTLS_RSA_PUBLIC,
528 md_alg,
529 (unsigned int) hash_length,
530 hash,
531 md_alg,
532 slen,
533 signature );
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]534 }
535 else
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]536#endif /* BUILTIN_ALG_RSA_PSS */
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]537 {
538 status = PSA_ERROR_INVALID_ARGUMENT;
539 goto exit;
540 }
541
542 /* Mbed TLS distinguishes "invalid padding" from "valid padding but
543 * the rest of the signature is invalid". This has little use in
544 * practice and PSA doesn't report this distinction. */
545 status = ( ret == MBEDTLS_ERR_RSA_INVALID_PADDING ) ?
546 PSA_ERROR_INVALID_SIGNATURE :
547 mbedtls_to_psa_error( ret );
548
549exit:
550 mbedtls_rsa_free( rsa );
551 mbedtls_free( rsa );
552
553 return( status );
554}
555
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]556#endif /* defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
557 * defined(BUILTIN_ALG_RSA_PSS) */
Ronald Cron7bdbca32020-12-09 13:34:54 +0100[diff] [blame]558
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]559#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
560 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
561
Ronald Cron784fb322020-11-30 13:55:05 +0100[diff] [blame]562psa_status_t mbedtls_psa_rsa_import_key(
563 const psa_key_attributes_t *attributes,
564 const uint8_t *data, size_t data_length,
565 uint8_t *key_buffer, size_t key_buffer_size,
566 size_t *key_buffer_length, size_t *bits )
567{
568 return( rsa_import_key( attributes, data, data_length,
569 key_buffer, key_buffer_size,
570 key_buffer_length, bits ) );
571}
572
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]573psa_status_t mbedtls_psa_rsa_export_public_key(
574 const psa_key_attributes_t *attributes,
575 const uint8_t *key_buffer, size_t key_buffer_size,
576 uint8_t *data, size_t data_size, size_t *data_length )
577{
578 return( rsa_export_public_key( attributes, key_buffer, key_buffer_size,
579 data, data_size, data_length ) );
580}
581
Ronald Crone5ca3d82020-11-26 16:36:16 +0100[diff] [blame]582#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
583 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
584
Jaeden Ameroc17f2932021-05-14 08:34:32 +0100[diff] [blame]585#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
586 defined(MBEDTLS_GENPRIME)
Ronald Cron3a9c46b2020-11-06 09:38:35 +0100[diff] [blame]587psa_status_t mbedtls_psa_rsa_generate_key(
588 const psa_key_attributes_t *attributes,
589 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
590{
591 return( rsa_generate_key( attributes, key_buffer, key_buffer_size,
592 key_buffer_length ) );
593}
Jaeden Ameroc17f2932021-05-14 08:34:32 +0100[diff] [blame]594#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
595 * defined(MBEDTLS_GENPRIME) */
Ronald Cron3a9c46b2020-11-06 09:38:35 +0100[diff] [blame]596
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]597#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
598 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
599psa_status_t mbedtls_psa_rsa_sign_hash(
600 const psa_key_attributes_t *attributes,
601 const uint8_t *key_buffer, size_t key_buffer_size,
602 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
603 uint8_t *signature, size_t signature_size, size_t *signature_length )
604{
605 return( rsa_sign_hash(
606 attributes,
607 key_buffer, key_buffer_size,
608 alg, hash, hash_length,
609 signature, signature_size, signature_length ) );
610}
611
612psa_status_t mbedtls_psa_rsa_verify_hash(
613 const psa_key_attributes_t *attributes,
614 const uint8_t *key_buffer, size_t key_buffer_size,
615 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
616 const uint8_t *signature, size_t signature_length )
617{
618 return( rsa_verify_hash(
619 attributes,
620 key_buffer, key_buffer_size,
621 alg, hash, hash_length,
622 signature, signature_length ) );
623}
624#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
625 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
626
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]627/*
628 * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY.
629 */
630
Ronald Cron2091eed2021-04-09 11:09:54 +0200[diff] [blame]631#if defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_CRYPTO_CONFIG)
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]632
633#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
634 defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
Ronald Cron784fb322020-11-30 13:55:05 +0100[diff] [blame]635
Ronald Cron7b7854e2021-03-13 18:19:08 +0100[diff] [blame]636psa_status_t libtestdriver1_mbedtls_psa_rsa_import_key(
Ronald Cron784fb322020-11-30 13:55:05 +0100[diff] [blame]637 const psa_key_attributes_t *attributes,
638 const uint8_t *data, size_t data_length,
639 uint8_t *key_buffer, size_t key_buffer_size,
640 size_t *key_buffer_length, size_t *bits )
641{
642 return( rsa_import_key( attributes, data, data_length,
643 key_buffer, key_buffer_size,
644 key_buffer_length, bits ) );
645}
646
Ronald Cron7b7854e2021-03-13 18:19:08 +0100[diff] [blame]647psa_status_t libtestdriver1_mbedtls_psa_rsa_export_public_key(
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]648 const psa_key_attributes_t *attributes,
649 const uint8_t *key_buffer, size_t key_buffer_size,
650 uint8_t *data, size_t data_size, size_t *data_length )
651{
652 return( rsa_export_public_key( attributes, key_buffer, key_buffer_size,
653 data, data_size, data_length ) );
654}
Ronald Cron784fb322020-11-30 13:55:05 +0100[diff] [blame]655
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]656#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ||
657 defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) */
658
Ronald Cron3a9c46b2020-11-06 09:38:35 +0100[diff] [blame]659#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
Ronald Cron7b7854e2021-03-13 18:19:08 +0100[diff] [blame]660psa_status_t libtestdriver1_mbedtls_psa_rsa_generate_key(
Ronald Cron3a9c46b2020-11-06 09:38:35 +0100[diff] [blame]661 const psa_key_attributes_t *attributes,
662 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
663{
664 return( rsa_generate_key( attributes, key_buffer, key_buffer_size,
665 key_buffer_length ) );
666}
667#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) */
668
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]669#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || \
670 defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
Ronald Cron7b7854e2021-03-13 18:19:08 +0100[diff] [blame]671psa_status_t libtestdriver1_mbedtls_psa_rsa_sign_hash(
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]672 const psa_key_attributes_t *attributes,
673 const uint8_t *key_buffer, size_t key_buffer_size,
674 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
675 uint8_t *signature, size_t signature_size, size_t *signature_length )
676{
677#if defined(MBEDTLS_RSA_C) && \
678 (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21))
679 return( rsa_sign_hash(
680 attributes,
681 key_buffer, key_buffer_size,
682 alg, hash, hash_length,
683 signature, signature_size, signature_length ) );
684#else
685 (void)attributes;
686 (void)key_buffer;
687 (void)key_buffer_size;
688 (void)alg;
689 (void)hash;
690 (void)hash_length;
691 (void)signature;
692 (void)signature_size;
693 (void)signature_length;
694 return( PSA_ERROR_NOT_SUPPORTED );
695#endif
696}
697
Ronald Cron7b7854e2021-03-13 18:19:08 +0100[diff] [blame]698psa_status_t libtestdriver1_mbedtls_psa_rsa_verify_hash(
Ronald Crond2fb8542020-12-09 15:18:01 +0100[diff] [blame]699 const psa_key_attributes_t *attributes,
700 const uint8_t *key_buffer, size_t key_buffer_size,
701 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
702 const uint8_t *signature, size_t signature_length )
703{
704#if defined(MBEDTLS_RSA_C) && \
705 (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21))
706 return( rsa_verify_hash(
707 attributes,
708 key_buffer, key_buffer_size,
709 alg, hash, hash_length,
710 signature, signature_length ) );
711#else
712 (void)attributes;
713 (void)key_buffer;
714 (void)key_buffer_size;
715 (void)alg;
716 (void)hash;
717 (void)hash_length;
718 (void)signature;
719 (void)signature_length;
720 return( PSA_ERROR_NOT_SUPPORTED );
721#endif
722}
723#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) ||
724 * defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) */
725
Ronald Cron2091eed2021-04-09 11:09:54 +0200[diff] [blame]726#endif /* PSA_CRYPTO_DRIVER_TEST && MBEDTLS_PSA_CRYPTO_CONFIG */
Ronald Cronf1057d32020-11-26 19:19:10 +0100[diff] [blame]727
Ronald Cron00b7bfc2020-11-25 15:25:26 +0100[diff] [blame]728#endif /* MBEDTLS_PSA_CRYPTO_C */