commit 30978516d3e0f73524ce93f28b0c480a52ebecdc
author Roland Mikhel <roland.mikhel@arm.com> Wed Feb 08 14:06:58 2023 +0100
committer Dávid Vincze <david.vincze@arm.com> Wed Apr 26 13:27:44 2023 +0200
tree 18eeca246142c2e6874c3b90b13736cbb6745173
parent 6205c10fea004687bb9fa8cae0130c31e758f1b7

sim: Remove curve specific ECDSA TLVs

Remove those TLVs that are tied to a specific curve and modify the
code to use the new generic ECDSA TLV.

Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Iffe9052580c99e75118cf5df4286e0e9a2af4a8c

sim/src/image.rs

diff --git a/sim/src/image.rs b/sim/src/image.rs
index d484dc0..424f646 100644
--- a/sim/src/image.rs
+++ b/sim/src/image.rs
@@ -1889,10 +1889,7 @@
             TlvGen::new_rsa3072_pss()
         } else if Caps::EcdsaP256.present() {
             TlvGen::new_ecdsa()
-        } else if Caps::EcdsaSig.present() {
-            TlvGen::new_generic_ecdsa()
-        }
-         else if Caps::Ed25519.present() {
+        } else if Caps::Ed25519.present() {
             TlvGen::new_ed25519()
         } else {
             TlvGen::new_hash_only()

sim/src/tlv.rs

diff --git a/sim/src/tlv.rs b/sim/src/tlv.rs
index ad0cce5..cc5165a 100644
--- a/sim/src/tlv.rs
+++ b/sim/src/tlv.rs
@@ -51,7 +51,6 @@
     KEYHASH = 0x01,
     SHA256 = 0x10,
     RSA2048 = 0x20,
-    ECDSA256 = 0x22,
     RSA3072 = 0x23,
     ED25519 = 0x24,
     ECDSASIG = 0x25,
@@ -157,19 +156,12 @@
     #[allow(dead_code)]
     pub fn new_ecdsa() -> TlvGen {
         TlvGen {
-            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSA256],
+            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSASIG],
             ..Default::default()
         }
     }
 
     #[allow(dead_code)]
-    pub fn new_generic_ecdsa() -> TlvGen {
-        TlvGen {
-            kinds: vec![TlvKinds::SHA256,TlvKinds::ECDSASIG],
-            ..Default::default()}
-    }
-
-    #[allow(dead_code)]
     pub fn new_ed25519() -> TlvGen {
         TlvGen {
             kinds: vec![TlvKinds::SHA256, TlvKinds::ED25519],
@@ -242,7 +234,7 @@
         };
         TlvGen {
             flags: flag,
-            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSA256, TlvKinds::ENCKW],
+            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSASIG, TlvKinds::ENCKW],
             ..Default::default()
         }
     }
@@ -270,7 +262,7 @@
         };
         TlvGen {
             flags: flag,
-            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSA256, TlvKinds::ENCEC256],
+            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSASIG, TlvKinds::ENCEC256],
             ..Default::default()
         }
     }
@@ -363,20 +355,16 @@
             estimate += 4 + 32; // keyhash
             estimate += 4 + 384; // RSA3072
         }
-        if self.kinds.contains(&TlvKinds::ECDSA256) {
-            estimate += 4 + 32; // keyhash
-
-            // ECDSA signatures are encoded as ASN.1 with the x and y values stored as signed
-            // integers.  As such, the size can vary by 2 bytes, if the 256-bit value has the high
-            // bit, it takes an extra 0 byte to avoid it being seen as a negative number.
-            estimate += 4 + 72; // ECDSA256 (varies)
-        }
         if self.kinds.contains(&TlvKinds::ED25519) {
             estimate += 4 + 32; // keyhash
             estimate += 4 + 64; // ED25519 signature.
         }
         if self.kinds.contains(&TlvKinds::ECDSASIG) {
             estimate += 4 + 32; // keyhash
+
+            // ECDSA signatures are encoded as ASN.1 with the x and y values stored as signed
+            // integers.  As such, the size can vary by 2 bytes, if the 256-bit value has the high
+            // bit, it takes an extra 0 byte to avoid it being seen as a negative number.
             estimate += 4 + 72; // ECDSA256 (varies)
         }
 
@@ -462,7 +450,7 @@
             // signature verification can be validated.
             let mut corrupt_hash = self.gen_corrupted;
             for k in &[TlvKinds::RSA2048, TlvKinds::RSA3072,
-                TlvKinds::ECDSA256, TlvKinds::ED25519, TlvKinds::ECDSASIG]
+                TlvKinds::ED25519, TlvKinds::ECDSASIG]
             {
                 if self.kinds.contains(k) {
                     corrupt_hash = false;
@@ -560,32 +548,6 @@
             result.write_u16::<LittleEndian>(signature.len() as u16).unwrap();
             result.extend_from_slice(&signature);
         }
-
-        if self.kinds.contains(&TlvKinds::ECDSA256) {
-            let keyhash = digest::digest(&digest::SHA256, ECDSA256_PUB_KEY);
-            let keyhash = keyhash.as_ref();
-
-            assert!(keyhash.len() == 32);
-            result.write_u16::<LittleEndian>(TlvKinds::KEYHASH as u16).unwrap();
-            result.write_u16::<LittleEndian>(32).unwrap();
-            result.extend_from_slice(keyhash);
-
-            let key_bytes = pem::parse(include_bytes!("../../root-ec-p256-pkcs8.pem").as_ref()).unwrap();
-            assert_eq!(key_bytes.tag, "PRIVATE KEY");
-
-            let key_pair = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_ASN1_SIGNING,
-                                                    &key_bytes.contents).unwrap();
-            let rng = rand::SystemRandom::new();
-            let signature = key_pair.sign(&rng, &sig_payload).unwrap();
-
-            result.write_u16::<LittleEndian>(TlvKinds::ECDSA256 as u16).unwrap();
-
-            let signature = signature.as_ref().to_vec();
-
-            result.write_u16::<LittleEndian>(signature.len() as u16).unwrap();
-            result.extend_from_slice(signature.as_ref());
-        }
-
         if self.kinds.contains(&TlvKinds::ED25519) {
             let keyhash = digest::digest(&digest::SHA256, ED25519_PUB_KEY);
             let keyhash = keyhash.as_ref();