Coverage Report

Created: 2025-03-01 06:26

/src/mbedtls/library/pk_wrap.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  Public Key abstraction layer: wrapper functions
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
8
#include "common.h"
9
10
#include "mbedtls/platform_util.h"
11
12
#if defined(MBEDTLS_PK_C)
13
#include "pk_wrap.h"
14
#include "pk_internal.h"
15
#include "mbedtls/error.h"
16
#include "mbedtls/psa_util.h"
17
18
/* Even if RSA not activated, for the sake of RSA-alt */
19
#include "mbedtls/rsa.h"
20
21
#if defined(MBEDTLS_ECP_C)
22
#include "mbedtls/ecp.h"
23
#endif
24
25
#if defined(MBEDTLS_ECDSA_C)
26
#include "mbedtls/ecdsa.h"
27
#endif
28
29
#if defined(MBEDTLS_USE_PSA_CRYPTO)
30
#include "psa_util_internal.h"
31
#include "psa/crypto.h"
32
#include "mbedtls/psa_util.h"
33
34
#if defined(MBEDTLS_RSA_C)
35
#include "pkwrite.h"
36
#include "rsa_internal.h"
37
#endif
38
39
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
40
#include "mbedtls/asn1write.h"
41
#include "mbedtls/asn1.h"
42
#endif
43
#endif  /* MBEDTLS_USE_PSA_CRYPTO */
44
45
#include "mbedtls/platform.h"
46
47
#include <limits.h>
48
#include <stdint.h>
49
#include <string.h>
50
51
#if defined(MBEDTLS_RSA_C)
52
static int rsa_can_do(mbedtls_pk_type_t type)
53
0
{
54
0
    return type == MBEDTLS_PK_RSA ||
55
0
           type == MBEDTLS_PK_RSASSA_PSS;
56
0
}
57
58
static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
59
0
{
60
0
    const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
61
0
    return mbedtls_rsa_get_bitlen(rsa);
62
0
}
63
64
#if defined(MBEDTLS_USE_PSA_CRYPTO)
65
static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
66
                           const unsigned char *hash, size_t hash_len,
67
                           const unsigned char *sig, size_t sig_len)
68
0
{
69
0
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
70
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
71
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
72
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
73
0
    psa_status_t status;
74
0
    int key_len;
75
0
    unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
76
0
    unsigned char *p = buf + sizeof(buf);
77
0
    psa_algorithm_t psa_alg_md;
78
0
    size_t rsa_len = mbedtls_rsa_get_len(rsa);
79
80
0
#if SIZE_MAX > UINT_MAX
81
0
    if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
82
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
83
0
    }
84
0
#endif
85
86
0
    if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
87
0
        psa_alg_md = PSA_ALG_RSA_PSS(mbedtls_md_psa_alg_from_type(md_alg));
88
0
    } else {
89
0
        psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
90
0
    }
91
92
0
    if (sig_len < rsa_len) {
93
0
        return MBEDTLS_ERR_RSA_VERIFY_FAILED;
94
0
    }
95
96
0
    key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
97
0
    if (key_len <= 0) {
98
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
99
0
    }
100
101
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
102
0
    psa_set_key_algorithm(&attributes, psa_alg_md);
103
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
104
105
0
    status = psa_import_key(&attributes,
106
0
                            buf + sizeof(buf) - key_len, key_len,
107
0
                            &key_id);
108
0
    if (status != PSA_SUCCESS) {
109
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
110
0
        goto cleanup;
111
0
    }
112
113
0
    status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
114
0
                             sig, sig_len);
115
0
    if (status != PSA_SUCCESS) {
116
0
        ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
117
0
        goto cleanup;
118
0
    }
119
0
    ret = 0;
120
121
0
cleanup:
122
0
    status = psa_destroy_key(key_id);
123
0
    if (ret == 0 && status != PSA_SUCCESS) {
124
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
125
0
    }
126
127
0
    return ret;
128
0
}
129
#else /* MBEDTLS_USE_PSA_CRYPTO */
130
static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
131
                           const unsigned char *hash, size_t hash_len,
132
                           const unsigned char *sig, size_t sig_len)
133
{
134
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
135
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
136
    size_t rsa_len = mbedtls_rsa_get_len(rsa);
137
138
#if SIZE_MAX > UINT_MAX
139
    if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
140
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
141
    }
142
#endif
143
144
    if (sig_len < rsa_len) {
145
        return MBEDTLS_ERR_RSA_VERIFY_FAILED;
146
    }
147
148
    if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
149
                                        (unsigned int) hash_len,
150
                                        hash, sig)) != 0) {
151
        return ret;
152
    }
153
154
    /* The buffer contains a valid signature followed by extra data.
155
     * We have a special error code for that so that so that callers can
156
     * use mbedtls_pk_verify() to check "Does the buffer start with a
157
     * valid signature?" and not just "Does the buffer contain a valid
158
     * signature?". */
159
    if (sig_len > rsa_len) {
160
        return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
161
    }
162
163
    return 0;
164
}
165
#endif /* MBEDTLS_USE_PSA_CRYPTO */
166
167
#if defined(MBEDTLS_USE_PSA_CRYPTO)
168
int  mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
169
                                 mbedtls_rsa_context *rsa_ctx,
170
                                 const unsigned char *hash, size_t hash_len,
171
                                 unsigned char *sig, size_t sig_size,
172
                                 size_t *sig_len)
173
0
{
174
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
175
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
176
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
177
0
    psa_status_t status;
178
0
    int key_len;
179
0
    unsigned char *buf = NULL;
180
0
    unsigned char *p;
181
182
0
    buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
183
0
    if (buf == NULL) {
184
0
        return MBEDTLS_ERR_PK_ALLOC_FAILED;
185
0
    }
186
0
    p = buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES;
187
188
0
    *sig_len = mbedtls_rsa_get_len(rsa_ctx);
189
0
    if (sig_size < *sig_len) {
190
0
        mbedtls_free(buf);
191
0
        return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
192
0
    }
193
194
0
    key_len = mbedtls_rsa_write_key(rsa_ctx, buf, &p);
195
0
    if (key_len <= 0) {
196
0
        mbedtls_free(buf);
197
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
198
0
    }
199
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
200
0
    psa_set_key_algorithm(&attributes, alg);
201
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
202
203
0
    status = psa_import_key(&attributes,
204
0
                            buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
205
0
                            &key_id);
206
0
    if (status != PSA_SUCCESS) {
207
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
208
0
        goto cleanup;
209
0
    }
210
0
    status = psa_sign_hash(key_id, alg, hash, hash_len,
211
0
                           sig, sig_size, sig_len);
212
0
    if (status != PSA_SUCCESS) {
213
0
        ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
214
0
        goto cleanup;
215
0
    }
216
217
0
    ret = 0;
218
219
0
cleanup:
220
0
    mbedtls_free(buf);
221
0
    status = psa_destroy_key(key_id);
222
0
    if (ret == 0 && status != PSA_SUCCESS) {
223
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
224
0
    }
225
0
    return ret;
226
0
}
227
#endif /* MBEDTLS_USE_PSA_CRYPTO */
228
229
#if defined(MBEDTLS_USE_PSA_CRYPTO)
230
static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
231
                         const unsigned char *hash, size_t hash_len,
232
                         unsigned char *sig, size_t sig_size, size_t *sig_len,
233
                         int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
234
0
{
235
0
    ((void) f_rng);
236
0
    ((void) p_rng);
237
238
0
    psa_algorithm_t psa_md_alg;
239
0
    psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
240
0
    if (psa_md_alg == 0) {
241
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
242
0
    }
243
0
    psa_algorithm_t psa_alg;
244
0
    if (mbedtls_rsa_get_padding_mode(mbedtls_pk_rsa(*pk)) == MBEDTLS_RSA_PKCS_V21) {
245
0
        psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
246
0
    } else {
247
0
        psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
248
0
    }
249
250
0
    return mbedtls_pk_psa_rsa_sign_ext(psa_alg, pk->pk_ctx, hash, hash_len,
251
0
                                       sig, sig_size, sig_len);
252
0
}
253
#else /* MBEDTLS_USE_PSA_CRYPTO */
254
static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
255
                         const unsigned char *hash, size_t hash_len,
256
                         unsigned char *sig, size_t sig_size, size_t *sig_len,
257
                         int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
258
{
259
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
260
261
#if SIZE_MAX > UINT_MAX
262
    if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
263
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
264
    }
265
#endif
266
267
    *sig_len = mbedtls_rsa_get_len(rsa);
268
    if (sig_size < *sig_len) {
269
        return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
270
    }
271
272
    return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
273
                                  md_alg, (unsigned int) hash_len,
274
                                  hash, sig);
275
}
276
#endif /* MBEDTLS_USE_PSA_CRYPTO */
277
278
#if defined(MBEDTLS_USE_PSA_CRYPTO)
279
static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
280
                            const unsigned char *input, size_t ilen,
281
                            unsigned char *output, size_t *olen, size_t osize,
282
                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
283
0
{
284
0
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
285
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
286
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
287
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
288
0
    psa_algorithm_t psa_md_alg, decrypt_alg;
289
0
    psa_status_t status;
290
0
    int key_len;
291
0
    unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
292
0
    unsigned char *p = buf + sizeof(buf);
293
294
0
    ((void) f_rng);
295
0
    ((void) p_rng);
296
297
0
    if (ilen != mbedtls_rsa_get_len(rsa)) {
298
0
        return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
299
0
    }
300
301
0
    key_len = mbedtls_rsa_write_key(rsa, buf, &p);
302
0
    if (key_len <= 0) {
303
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
304
0
    }
305
306
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
307
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
308
0
    if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
309
0
        psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
310
0
        decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
311
0
    } else {
312
0
        decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
313
0
    }
314
0
    psa_set_key_algorithm(&attributes, decrypt_alg);
315
316
0
    status = psa_import_key(&attributes,
317
0
                            buf + sizeof(buf) - key_len, key_len,
318
0
                            &key_id);
319
0
    if (status != PSA_SUCCESS) {
320
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
321
0
        goto cleanup;
322
0
    }
323
324
0
    status = psa_asymmetric_decrypt(key_id, decrypt_alg,
325
0
                                    input, ilen,
326
0
                                    NULL, 0,
327
0
                                    output, osize, olen);
328
0
    if (status != PSA_SUCCESS) {
329
0
        ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
330
0
        goto cleanup;
331
0
    }
332
333
0
    ret = 0;
334
335
0
cleanup:
336
0
    mbedtls_platform_zeroize(buf, sizeof(buf));
337
0
    status = psa_destroy_key(key_id);
338
0
    if (ret == 0 && status != PSA_SUCCESS) {
339
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
340
0
    }
341
342
0
    return ret;
343
0
}
344
#else /* MBEDTLS_USE_PSA_CRYPTO */
345
static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
346
                            const unsigned char *input, size_t ilen,
347
                            unsigned char *output, size_t *olen, size_t osize,
348
                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
349
{
350
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
351
352
    if (ilen != mbedtls_rsa_get_len(rsa)) {
353
        return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
354
    }
355
356
    return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
357
                                     olen, input, output, osize);
358
}
359
#endif /* MBEDTLS_USE_PSA_CRYPTO */
360
361
#if defined(MBEDTLS_USE_PSA_CRYPTO)
362
static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
363
                            const unsigned char *input, size_t ilen,
364
                            unsigned char *output, size_t *olen, size_t osize,
365
                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
366
0
{
367
0
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
368
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
369
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
370
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
371
0
    psa_algorithm_t psa_md_alg, psa_encrypt_alg;
372
0
    psa_status_t status;
373
0
    int key_len;
374
0
    unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
375
0
    unsigned char *p = buf + sizeof(buf);
376
377
0
    ((void) f_rng);
378
0
    ((void) p_rng);
379
380
0
    if (mbedtls_rsa_get_len(rsa) > osize) {
381
0
        return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
382
0
    }
383
384
0
    key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
385
0
    if (key_len <= 0) {
386
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
387
0
    }
388
389
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
390
0
    if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
391
0
        psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
392
0
        psa_encrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
393
0
    } else {
394
0
        psa_encrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
395
0
    }
396
0
    psa_set_key_algorithm(&attributes, psa_encrypt_alg);
397
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
398
399
0
    status = psa_import_key(&attributes,
400
0
                            buf + sizeof(buf) - key_len, key_len,
401
0
                            &key_id);
402
0
    if (status != PSA_SUCCESS) {
403
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
404
0
        goto cleanup;
405
0
    }
406
407
0
    status = psa_asymmetric_encrypt(key_id, psa_encrypt_alg,
408
0
                                    input, ilen,
409
0
                                    NULL, 0,
410
0
                                    output, osize, olen);
411
0
    if (status != PSA_SUCCESS) {
412
0
        ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
413
0
        goto cleanup;
414
0
    }
415
416
0
    ret = 0;
417
418
0
cleanup:
419
0
    status = psa_destroy_key(key_id);
420
0
    if (ret == 0 && status != PSA_SUCCESS) {
421
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
422
0
    }
423
424
0
    return ret;
425
0
}
426
#else /* MBEDTLS_USE_PSA_CRYPTO */
427
static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
428
                            const unsigned char *input, size_t ilen,
429
                            unsigned char *output, size_t *olen, size_t osize,
430
                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
431
{
432
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
433
    *olen = mbedtls_rsa_get_len(rsa);
434
435
    if (*olen > osize) {
436
        return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
437
    }
438
439
    return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
440
                                     ilen, input, output);
441
}
442
#endif /* MBEDTLS_USE_PSA_CRYPTO */
443
444
static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
445
                               int (*f_rng)(void *, unsigned char *, size_t),
446
                               void *p_rng)
447
0
{
448
0
    (void) f_rng;
449
0
    (void) p_rng;
450
0
    return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
451
0
                                      (const mbedtls_rsa_context *) prv->pk_ctx);
452
0
}
453
454
static void *rsa_alloc_wrap(void)
455
0
{
456
0
    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
457
458
0
    if (ctx != NULL) {
459
0
        mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
460
0
    }
461
462
0
    return ctx;
463
0
}
464
465
static void rsa_free_wrap(void *ctx)
466
0
{
467
0
    mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
468
0
    mbedtls_free(ctx);
469
0
}
470
471
static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
472
0
{
473
#if defined(MBEDTLS_RSA_ALT)
474
    /* Not supported */
475
    (void) pk;
476
    (void) items;
477
#else
478
0
    mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
479
480
0
    items->type = MBEDTLS_PK_DEBUG_MPI;
481
0
    items->name = "rsa.N";
482
0
    items->value = &(rsa->N);
483
484
0
    items++;
485
486
0
    items->type = MBEDTLS_PK_DEBUG_MPI;
487
0
    items->name = "rsa.E";
488
0
    items->value = &(rsa->E);
489
0
#endif
490
0
}
491
492
const mbedtls_pk_info_t mbedtls_rsa_info = {
493
    .type = MBEDTLS_PK_RSA,
494
    .name = "RSA",
495
    .get_bitlen = rsa_get_bitlen,
496
    .can_do = rsa_can_do,
497
    .verify_func = rsa_verify_wrap,
498
    .sign_func = rsa_sign_wrap,
499
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
500
    .verify_rs_func = NULL,
501
    .sign_rs_func = NULL,
502
    .rs_alloc_func = NULL,
503
    .rs_free_func = NULL,
504
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
505
    .decrypt_func = rsa_decrypt_wrap,
506
    .encrypt_func = rsa_encrypt_wrap,
507
    .check_pair_func = rsa_check_pair_wrap,
508
    .ctx_alloc_func = rsa_alloc_wrap,
509
    .ctx_free_func = rsa_free_wrap,
510
    .debug_func = rsa_debug,
511
};
512
#endif /* MBEDTLS_RSA_C */
513
514
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
515
/*
516
 * Generic EC key
517
 */
518
static int eckey_can_do(mbedtls_pk_type_t type)
519
0
{
520
0
    return type == MBEDTLS_PK_ECKEY ||
521
0
           type == MBEDTLS_PK_ECKEY_DH ||
522
0
           type == MBEDTLS_PK_ECDSA;
523
0
}
524
525
static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
526
0
{
527
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
528
    return pk->ec_bits;
529
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
530
0
    mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
531
0
    return ecp->grp.pbits;
532
0
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
533
0
}
534
535
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
536
#if defined(MBEDTLS_USE_PSA_CRYPTO)
537
/* Common helper for ECDSA verify using PSA functions. */
538
static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
539
                            psa_ecc_family_t curve, size_t curve_bits,
540
                            const unsigned char *hash, size_t hash_len,
541
                            const unsigned char *sig, size_t sig_len)
542
0
{
543
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
544
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
545
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
546
0
    psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
547
0
    size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
548
0
    size_t converted_sig_len;
549
0
    unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
550
0
    unsigned char *p;
551
0
    psa_status_t status;
552
553
0
    if (curve == 0) {
554
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
555
0
    }
556
557
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
558
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
559
0
    psa_set_key_algorithm(&attributes, psa_sig_md);
560
561
0
    status = psa_import_key(&attributes, key, key_len, &key_id);
562
0
    if (status != PSA_SUCCESS) {
563
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
564
0
        goto cleanup;
565
0
    }
566
567
0
    if (signature_len > sizeof(extracted_sig)) {
568
0
        ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
569
0
        goto cleanup;
570
0
    }
571
572
0
    p = (unsigned char *) sig;
573
0
    ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig,
574
0
                                   sizeof(extracted_sig), &converted_sig_len);
575
0
    if (ret != 0) {
576
0
        goto cleanup;
577
0
    }
578
579
0
    if (converted_sig_len != signature_len) {
580
0
        ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
581
0
        goto cleanup;
582
0
    }
583
584
0
    status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
585
0
                             extracted_sig, signature_len);
586
0
    if (status != PSA_SUCCESS) {
587
0
        ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
588
0
        goto cleanup;
589
0
    }
590
591
0
    ret = 0;
592
593
0
cleanup:
594
0
    status = psa_destroy_key(key_id);
595
0
    if (ret == 0 && status != PSA_SUCCESS) {
596
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
597
0
    }
598
599
0
    return ret;
600
0
}
601
602
static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
603
                                    mbedtls_md_type_t md_alg,
604
                                    const unsigned char *hash, size_t hash_len,
605
                                    const unsigned char *sig, size_t sig_len)
606
0
{
607
0
    (void) md_alg;
608
0
    unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
609
0
    size_t key_len;
610
0
    psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
611
0
    psa_ecc_family_t curve;
612
0
    size_t curve_bits;
613
0
    psa_status_t status;
614
615
0
    status = psa_get_key_attributes(pk->priv_id, &key_attr);
616
0
    if (status != PSA_SUCCESS) {
617
0
        return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
618
0
    }
619
0
    curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
620
0
    curve_bits = psa_get_key_bits(&key_attr);
621
0
    psa_reset_key_attributes(&key_attr);
622
623
0
    status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
624
0
    if (status != PSA_SUCCESS) {
625
0
        return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
626
0
    }
627
628
0
    return ecdsa_verify_psa(key, key_len, curve, curve_bits,
629
0
                            hash, hash_len, sig, sig_len);
630
0
}
631
632
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
633
static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
634
                             mbedtls_md_type_t md_alg,
635
                             const unsigned char *hash, size_t hash_len,
636
                             const unsigned char *sig, size_t sig_len)
637
{
638
    (void) md_alg;
639
    psa_ecc_family_t curve = pk->ec_family;
640
    size_t curve_bits = pk->ec_bits;
641
642
    return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
643
                            hash, hash_len, sig, sig_len);
644
}
645
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
646
static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
647
                             mbedtls_md_type_t md_alg,
648
                             const unsigned char *hash, size_t hash_len,
649
                             const unsigned char *sig, size_t sig_len)
650
0
{
651
0
    (void) md_alg;
652
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
653
0
    mbedtls_ecp_keypair *ctx = pk->pk_ctx;
654
0
    unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
655
0
    size_t key_len;
656
0
    size_t curve_bits;
657
0
    psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
658
659
0
    ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
660
0
                                         MBEDTLS_ECP_PF_UNCOMPRESSED,
661
0
                                         &key_len, key, sizeof(key));
662
0
    if (ret != 0) {
663
0
        return ret;
664
0
    }
665
666
0
    return ecdsa_verify_psa(key, key_len, curve, curve_bits,
667
0
                            hash, hash_len, sig, sig_len);
668
0
}
669
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
670
#else /* MBEDTLS_USE_PSA_CRYPTO */
671
static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
672
                             const unsigned char *hash, size_t hash_len,
673
                             const unsigned char *sig, size_t sig_len)
674
{
675
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
676
    ((void) md_alg);
677
678
    ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
679
                                       hash, hash_len, sig, sig_len);
680
681
    if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
682
        return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
683
    }
684
685
    return ret;
686
}
687
#endif /* MBEDTLS_USE_PSA_CRYPTO */
688
#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
689
690
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
691
#if defined(MBEDTLS_USE_PSA_CRYPTO)
692
/* Common helper for ECDSA sign using PSA functions.
693
 * Instead of extracting key's properties in order to check which kind of ECDSA
694
 * signature it supports, we try both deterministic and non-deterministic.
695
 */
696
static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
697
                          const unsigned char *hash, size_t hash_len,
698
                          unsigned char *sig, size_t sig_size, size_t *sig_len)
699
0
{
700
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
701
0
    psa_status_t status;
702
0
    psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
703
0
    size_t key_bits = 0;
704
705
0
    status = psa_get_key_attributes(key_id, &key_attr);
706
0
    if (status != PSA_SUCCESS) {
707
0
        return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
708
0
    }
709
0
    key_bits = psa_get_key_bits(&key_attr);
710
0
    psa_reset_key_attributes(&key_attr);
711
712
0
    status = psa_sign_hash(key_id,
713
0
                           PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
714
0
                           hash, hash_len, sig, sig_size, sig_len);
715
0
    if (status == PSA_SUCCESS) {
716
0
        goto done;
717
0
    } else if (status != PSA_ERROR_NOT_PERMITTED) {
718
0
        return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
719
0
    }
720
721
0
    status = psa_sign_hash(key_id,
722
0
                           PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
723
0
                           hash, hash_len, sig, sig_size, sig_len);
724
0
    if (status != PSA_SUCCESS) {
725
0
        return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
726
0
    }
727
728
0
done:
729
0
    ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len);
730
731
0
    return ret;
732
0
}
733
734
static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
735
                                  mbedtls_md_type_t md_alg,
736
                                  const unsigned char *hash, size_t hash_len,
737
                                  unsigned char *sig, size_t sig_size,
738
                                  size_t *sig_len,
739
                                  int (*f_rng)(void *, unsigned char *, size_t),
740
                                  void *p_rng)
741
0
{
742
0
    ((void) f_rng);
743
0
    ((void) p_rng);
744
745
0
    return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
746
0
                          sig_len);
747
0
}
748
749
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
750
/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
751
 * using the same function. */
752
#define ecdsa_sign_wrap     ecdsa_opaque_sign_wrap
753
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
754
static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
755
                           const unsigned char *hash, size_t hash_len,
756
                           unsigned char *sig, size_t sig_size, size_t *sig_len,
757
                           int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
758
0
{
759
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
760
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
761
0
    psa_status_t status;
762
0
    mbedtls_ecp_keypair *ctx = pk->pk_ctx;
763
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
764
0
    unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
765
0
    size_t curve_bits;
766
0
    psa_ecc_family_t curve =
767
0
        mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
768
0
    size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
769
0
    psa_algorithm_t psa_hash = mbedtls_md_psa_alg_from_type(md_alg);
770
0
    psa_algorithm_t psa_sig_md = MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(psa_hash);
771
0
    ((void) f_rng);
772
0
    ((void) p_rng);
773
774
0
    if (curve == 0) {
775
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
776
0
    }
777
778
0
    if (key_len > sizeof(buf)) {
779
0
        return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
780
0
    }
781
0
    ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
782
0
    if (ret != 0) {
783
0
        goto cleanup;
784
0
    }
785
786
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
787
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
788
0
    psa_set_key_algorithm(&attributes, psa_sig_md);
789
790
0
    status = psa_import_key(&attributes, buf, key_len, &key_id);
791
0
    if (status != PSA_SUCCESS) {
792
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
793
0
        goto cleanup;
794
0
    }
795
796
0
    ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
797
798
0
cleanup:
799
0
    mbedtls_platform_zeroize(buf, sizeof(buf));
800
0
    status = psa_destroy_key(key_id);
801
0
    if (ret == 0 && status != PSA_SUCCESS) {
802
0
        ret = PSA_PK_TO_MBEDTLS_ERR(status);
803
0
    }
804
805
0
    return ret;
806
0
}
807
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
808
#else /* MBEDTLS_USE_PSA_CRYPTO */
809
static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
810
                           const unsigned char *hash, size_t hash_len,
811
                           unsigned char *sig, size_t sig_size, size_t *sig_len,
812
                           int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
813
{
814
    return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
815
                                         md_alg, hash, hash_len,
816
                                         sig, sig_size, sig_len,
817
                                         f_rng, p_rng);
818
}
819
#endif /* MBEDTLS_USE_PSA_CRYPTO */
820
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
821
822
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
823
/* Forward declarations */
824
static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
825
                                const unsigned char *hash, size_t hash_len,
826
                                const unsigned char *sig, size_t sig_len,
827
                                void *rs_ctx);
828
829
static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
830
                              const unsigned char *hash, size_t hash_len,
831
                              unsigned char *sig, size_t sig_size, size_t *sig_len,
832
                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
833
                              void *rs_ctx);
834
835
/*
836
 * Restart context for ECDSA operations with ECKEY context
837
 *
838
 * We need to store an actual ECDSA context, as we need to pass the same to
839
 * the underlying ecdsa function, so we can't create it on the fly every time.
840
 */
841
typedef struct {
842
    mbedtls_ecdsa_restart_ctx ecdsa_rs;
843
    mbedtls_ecdsa_context ecdsa_ctx;
844
} eckey_restart_ctx;
845
846
static void *eckey_rs_alloc(void)
847
0
{
848
0
    eckey_restart_ctx *rs_ctx;
849
850
0
    void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
851
852
0
    if (ctx != NULL) {
853
0
        rs_ctx = ctx;
854
0
        mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
855
0
        mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
856
0
    }
857
858
0
    return ctx;
859
0
}
860
861
static void eckey_rs_free(void *ctx)
862
0
{
863
0
    eckey_restart_ctx *rs_ctx;
864
865
0
    if (ctx == NULL) {
866
0
        return;
867
0
    }
868
869
0
    rs_ctx = ctx;
870
0
    mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
871
0
    mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
872
873
0
    mbedtls_free(ctx);
874
0
}
875
876
static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
877
                                const unsigned char *hash, size_t hash_len,
878
                                const unsigned char *sig, size_t sig_len,
879
                                void *rs_ctx)
880
0
{
881
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
882
0
    eckey_restart_ctx *rs = rs_ctx;
883
884
    /* Should never happen */
885
0
    if (rs == NULL) {
886
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
887
0
    }
888
889
    /* set up our own sub-context if needed (that is, on first run) */
890
0
    if (rs->ecdsa_ctx.grp.pbits == 0) {
891
0
        MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
892
0
    }
893
894
0
    MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
895
0
                                         md_alg, hash, hash_len,
896
0
                                         sig, sig_len, &rs->ecdsa_rs));
897
898
0
cleanup:
899
0
    return ret;
900
0
}
901
902
static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
903
                              const unsigned char *hash, size_t hash_len,
904
                              unsigned char *sig, size_t sig_size, size_t *sig_len,
905
                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
906
                              void *rs_ctx)
907
0
{
908
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
909
0
    eckey_restart_ctx *rs = rs_ctx;
910
911
    /* Should never happen */
912
0
    if (rs == NULL) {
913
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
914
0
    }
915
916
    /* set up our own sub-context if needed (that is, on first run) */
917
0
    if (rs->ecdsa_ctx.grp.pbits == 0) {
918
0
        MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
919
0
    }
920
921
0
    MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
922
0
                                       hash, hash_len, sig, sig_size, sig_len,
923
0
                                       f_rng, p_rng, &rs->ecdsa_rs));
924
925
0
cleanup:
926
0
    return ret;
927
0
}
928
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
929
930
#if defined(MBEDTLS_USE_PSA_CRYPTO)
931
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
932
static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
933
{
934
    psa_status_t status;
935
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
936
    uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
937
    size_t prv_key_len;
938
    mbedtls_svc_key_id_t key_id = prv->priv_id;
939
940
    status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
941
                                   &prv_key_len);
942
    ret = PSA_PK_TO_MBEDTLS_ERR(status);
943
    if (ret != 0) {
944
        return ret;
945
    }
946
947
    if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
948
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
949
    }
950
951
    return 0;
952
}
953
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
954
static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
955
0
{
956
0
    psa_status_t status;
957
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
958
0
    uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
959
0
    size_t prv_key_len;
960
0
    psa_status_t destruction_status;
961
0
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
962
0
    psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
963
0
    uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
964
0
    size_t pub_key_len;
965
0
    size_t curve_bits;
966
0
    const psa_ecc_family_t curve =
967
0
        mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
968
0
    const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
969
970
0
    if (curve == 0) {
971
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
972
0
    }
973
974
0
    psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
975
0
    psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
976
977
0
    ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
978
0
                                   prv_key_buf, curve_bytes);
979
0
    if (ret != 0) {
980
0
        mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
981
0
        return ret;
982
0
    }
983
984
0
    status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
985
0
    mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
986
0
    ret = PSA_PK_TO_MBEDTLS_ERR(status);
987
0
    if (ret != 0) {
988
0
        return ret;
989
0
    }
990
991
    // From now on prv_key_buf is used to store the public key of prv.
992
0
    status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
993
0
                                   &prv_key_len);
994
0
    ret = PSA_PK_TO_MBEDTLS_ERR(status);
995
0
    destruction_status = psa_destroy_key(key_id);
996
0
    if (ret != 0) {
997
0
        return ret;
998
0
    } else if (destruction_status != PSA_SUCCESS) {
999
0
        return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
1000
0
    }
1001
1002
0
    ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
1003
0
                                         &mbedtls_pk_ec_rw(*pub)->Q,
1004
0
                                         MBEDTLS_ECP_PF_UNCOMPRESSED,
1005
0
                                         &pub_key_len, pub_key_buf,
1006
0
                                         sizeof(pub_key_buf));
1007
0
    if (ret != 0) {
1008
0
        return ret;
1009
0
    }
1010
1011
0
    if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
1012
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1013
0
    }
1014
1015
0
    return 0;
1016
0
}
1017
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1018
1019
static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1020
                                 int (*f_rng)(void *, unsigned char *, size_t),
1021
                                 void *p_rng)
1022
0
{
1023
0
    (void) f_rng;
1024
0
    (void) p_rng;
1025
0
    return eckey_check_pair_psa(pub, prv);
1026
0
}
1027
#else /* MBEDTLS_USE_PSA_CRYPTO */
1028
static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1029
                                 int (*f_rng)(void *, unsigned char *, size_t),
1030
                                 void *p_rng)
1031
{
1032
    return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
1033
                                      (const mbedtls_ecp_keypair *) prv->pk_ctx,
1034
                                      f_rng, p_rng);
1035
}
1036
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1037
1038
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1039
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1040
/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
1041
 * using the same function. */
1042
#define ecdsa_opaque_check_pair_wrap    eckey_check_pair_wrap
1043
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1044
static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
1045
                                        mbedtls_pk_context *prv,
1046
                                        int (*f_rng)(void *, unsigned char *, size_t),
1047
                                        void *p_rng)
1048
0
{
1049
0
    psa_status_t status;
1050
0
    uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1051
0
    size_t exp_pub_key_len = 0;
1052
0
    uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1053
0
    size_t pub_key_len = 0;
1054
0
    int ret;
1055
0
    (void) f_rng;
1056
0
    (void) p_rng;
1057
1058
0
    status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
1059
0
                                   &exp_pub_key_len);
1060
0
    if (status != PSA_SUCCESS) {
1061
0
        ret = psa_pk_status_to_mbedtls(status);
1062
0
        return ret;
1063
0
    }
1064
0
    ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
1065
0
                                         &(mbedtls_pk_ec_ro(*pub)->Q),
1066
0
                                         MBEDTLS_ECP_PF_UNCOMPRESSED,
1067
0
                                         &pub_key_len, pub_key, sizeof(pub_key));
1068
0
    if (ret != 0) {
1069
0
        return ret;
1070
0
    }
1071
0
    if ((exp_pub_key_len != pub_key_len) ||
1072
0
        memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
1073
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1074
0
    }
1075
0
    return 0;
1076
0
}
1077
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1078
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1079
1080
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1081
static void *eckey_alloc_wrap(void)
1082
0
{
1083
0
    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
1084
1085
0
    if (ctx != NULL) {
1086
0
        mbedtls_ecp_keypair_init(ctx);
1087
0
    }
1088
1089
0
    return ctx;
1090
0
}
1091
1092
static void eckey_free_wrap(void *ctx)
1093
0
{
1094
0
    mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
1095
0
    mbedtls_free(ctx);
1096
0
}
1097
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1098
1099
static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
1100
0
{
1101
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1102
    items->type = MBEDTLS_PK_DEBUG_PSA_EC;
1103
    items->name = "eckey.Q";
1104
    items->value = pk;
1105
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1106
0
    mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
1107
0
    items->type = MBEDTLS_PK_DEBUG_ECP;
1108
0
    items->name = "eckey.Q";
1109
0
    items->value = &(ecp->Q);
1110
0
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1111
0
}
1112
1113
const mbedtls_pk_info_t mbedtls_eckey_info = {
1114
    .type = MBEDTLS_PK_ECKEY,
1115
    .name = "EC",
1116
    .get_bitlen = eckey_get_bitlen,
1117
    .can_do = eckey_can_do,
1118
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1119
    .verify_func = ecdsa_verify_wrap,   /* Compatible key structures */
1120
#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1121
    .verify_func = NULL,
1122
#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1123
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1124
    .sign_func = ecdsa_sign_wrap,   /* Compatible key structures */
1125
#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1126
    .sign_func = NULL,
1127
#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1128
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1129
    .verify_rs_func = eckey_verify_rs_wrap,
1130
    .sign_rs_func = eckey_sign_rs_wrap,
1131
    .rs_alloc_func = eckey_rs_alloc,
1132
    .rs_free_func = eckey_rs_free,
1133
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1134
    .decrypt_func = NULL,
1135
    .encrypt_func = NULL,
1136
    .check_pair_func = eckey_check_pair_wrap,
1137
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1138
    .ctx_alloc_func = NULL,
1139
    .ctx_free_func = NULL,
1140
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1141
    .ctx_alloc_func = eckey_alloc_wrap,
1142
    .ctx_free_func = eckey_free_wrap,
1143
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1144
    .debug_func = eckey_debug,
1145
};
1146
1147
/*
1148
 * EC key restricted to ECDH
1149
 */
1150
static int eckeydh_can_do(mbedtls_pk_type_t type)
1151
0
{
1152
0
    return type == MBEDTLS_PK_ECKEY ||
1153
0
           type == MBEDTLS_PK_ECKEY_DH;
1154
0
}
1155
1156
const mbedtls_pk_info_t mbedtls_eckeydh_info = {
1157
    .type = MBEDTLS_PK_ECKEY_DH,
1158
    .name = "EC_DH",
1159
    .get_bitlen = eckey_get_bitlen,         /* Same underlying key structure */
1160
    .can_do = eckeydh_can_do,
1161
    .verify_func = NULL,
1162
    .sign_func = NULL,
1163
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1164
    .verify_rs_func = NULL,
1165
    .sign_rs_func = NULL,
1166
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1167
    .decrypt_func = NULL,
1168
    .encrypt_func = NULL,
1169
    .check_pair_func = eckey_check_pair_wrap,
1170
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1171
    .ctx_alloc_func = NULL,
1172
    .ctx_free_func = NULL,
1173
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1174
    .ctx_alloc_func = eckey_alloc_wrap,   /* Same underlying key structure */
1175
    .ctx_free_func = eckey_free_wrap,    /* Same underlying key structure */
1176
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1177
    .debug_func = eckey_debug,            /* Same underlying key structure */
1178
};
1179
1180
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
1181
static int ecdsa_can_do(mbedtls_pk_type_t type)
1182
0
{
1183
0
    return type == MBEDTLS_PK_ECDSA;
1184
0
}
1185
1186
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1187
static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1188
                                const unsigned char *hash, size_t hash_len,
1189
                                const unsigned char *sig, size_t sig_len,
1190
                                void *rs_ctx)
1191
0
{
1192
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1193
0
    ((void) md_alg);
1194
1195
0
    ret = mbedtls_ecdsa_read_signature_restartable(
1196
0
        (mbedtls_ecdsa_context *) pk->pk_ctx,
1197
0
        hash, hash_len, sig, sig_len,
1198
0
        (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1199
1200
0
    if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
1201
0
        return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
1202
0
    }
1203
1204
0
    return ret;
1205
0
}
1206
1207
static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1208
                              const unsigned char *hash, size_t hash_len,
1209
                              unsigned char *sig, size_t sig_size, size_t *sig_len,
1210
                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1211
                              void *rs_ctx)
1212
0
{
1213
0
    return mbedtls_ecdsa_write_signature_restartable(
1214
0
        (mbedtls_ecdsa_context *) pk->pk_ctx,
1215
0
        md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
1216
0
        (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1217
1218
0
}
1219
1220
static void *ecdsa_rs_alloc(void)
1221
0
{
1222
0
    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
1223
1224
0
    if (ctx != NULL) {
1225
0
        mbedtls_ecdsa_restart_init(ctx);
1226
0
    }
1227
1228
0
    return ctx;
1229
0
}
1230
1231
static void ecdsa_rs_free(void *ctx)
1232
0
{
1233
0
    mbedtls_ecdsa_restart_free(ctx);
1234
0
    mbedtls_free(ctx);
1235
0
}
1236
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1237
1238
const mbedtls_pk_info_t mbedtls_ecdsa_info = {
1239
    .type = MBEDTLS_PK_ECDSA,
1240
    .name = "ECDSA",
1241
    .get_bitlen = eckey_get_bitlen,     /* Compatible key structures */
1242
    .can_do = ecdsa_can_do,
1243
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1244
    .verify_func = ecdsa_verify_wrap,   /* Compatible key structures */
1245
#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1246
    .verify_func = NULL,
1247
#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1248
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1249
    .sign_func = ecdsa_sign_wrap,   /* Compatible key structures */
1250
#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1251
    .sign_func = NULL,
1252
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1253
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1254
    .verify_rs_func = ecdsa_verify_rs_wrap,
1255
    .sign_rs_func = ecdsa_sign_rs_wrap,
1256
    .rs_alloc_func = ecdsa_rs_alloc,
1257
    .rs_free_func = ecdsa_rs_free,
1258
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1259
    .decrypt_func = NULL,
1260
    .encrypt_func = NULL,
1261
    .check_pair_func = eckey_check_pair_wrap,   /* Compatible key structures */
1262
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1263
    .ctx_alloc_func = NULL,
1264
    .ctx_free_func = NULL,
1265
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1266
    .ctx_alloc_func = eckey_alloc_wrap,   /* Compatible key structures */
1267
    .ctx_free_func = eckey_free_wrap,   /* Compatible key structures */
1268
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1269
    .debug_func = eckey_debug,        /* Compatible key structures */
1270
};
1271
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
1272
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1273
1274
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
1275
/*
1276
 * Support for alternative RSA-private implementations
1277
 */
1278
1279
static int rsa_alt_can_do(mbedtls_pk_type_t type)
1280
0
{
1281
0
    return type == MBEDTLS_PK_RSA;
1282
0
}
1283
1284
static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
1285
0
{
1286
0
    const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1287
1288
0
    return 8 * rsa_alt->key_len_func(rsa_alt->key);
1289
0
}
1290
1291
static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1292
                             const unsigned char *hash, size_t hash_len,
1293
                             unsigned char *sig, size_t sig_size, size_t *sig_len,
1294
                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1295
0
{
1296
0
    mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1297
1298
0
#if SIZE_MAX > UINT_MAX
1299
0
    if (UINT_MAX < hash_len) {
1300
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1301
0
    }
1302
0
#endif
1303
1304
0
    *sig_len = rsa_alt->key_len_func(rsa_alt->key);
1305
0
    if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
1306
0
        return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1307
0
    }
1308
0
    if (*sig_len > sig_size) {
1309
0
        return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
1310
0
    }
1311
1312
0
    return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
1313
0
                              md_alg, (unsigned int) hash_len, hash, sig);
1314
0
}
1315
1316
static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
1317
                                const unsigned char *input, size_t ilen,
1318
                                unsigned char *output, size_t *olen, size_t osize,
1319
                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1320
0
{
1321
0
    mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1322
1323
0
    ((void) f_rng);
1324
0
    ((void) p_rng);
1325
1326
0
    if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
1327
0
        return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1328
0
    }
1329
1330
0
    return rsa_alt->decrypt_func(rsa_alt->key,
1331
0
                                 olen, input, output, osize);
1332
0
}
1333
1334
#if defined(MBEDTLS_RSA_C)
1335
static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1336
                              int (*f_rng)(void *, unsigned char *, size_t),
1337
                              void *p_rng)
1338
0
{
1339
0
    unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
1340
0
    unsigned char hash[32];
1341
0
    size_t sig_len = 0;
1342
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1343
1344
0
    if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
1345
0
        return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1346
0
    }
1347
1348
0
    memset(hash, 0x2a, sizeof(hash));
1349
1350
0
    if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
1351
0
                                 hash, sizeof(hash),
1352
0
                                 sig, sizeof(sig), &sig_len,
1353
0
                                 f_rng, p_rng)) != 0) {
1354
0
        return ret;
1355
0
    }
1356
1357
0
    if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
1358
0
                        hash, sizeof(hash), sig, sig_len) != 0) {
1359
0
        return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1360
0
    }
1361
1362
0
    return 0;
1363
0
}
1364
#endif /* MBEDTLS_RSA_C */
1365
1366
static void *rsa_alt_alloc_wrap(void)
1367
0
{
1368
0
    void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
1369
1370
0
    if (ctx != NULL) {
1371
0
        memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
1372
0
    }
1373
1374
0
    return ctx;
1375
0
}
1376
1377
static void rsa_alt_free_wrap(void *ctx)
1378
0
{
1379
0
    mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
1380
0
}
1381
1382
const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
1383
    .type = MBEDTLS_PK_RSA_ALT,
1384
    .name = "RSA-alt",
1385
    .get_bitlen = rsa_alt_get_bitlen,
1386
    .can_do = rsa_alt_can_do,
1387
    .verify_func = NULL,
1388
    .sign_func = rsa_alt_sign_wrap,
1389
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1390
    .verify_rs_func = NULL,
1391
    .sign_rs_func = NULL,
1392
    .rs_alloc_func = NULL,
1393
    .rs_free_func = NULL,
1394
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1395
    .decrypt_func = rsa_alt_decrypt_wrap,
1396
    .encrypt_func = NULL,
1397
#if defined(MBEDTLS_RSA_C)
1398
    .check_pair_func = rsa_alt_check_pair,
1399
#else
1400
    .check_pair_func = NULL,
1401
#endif
1402
    .ctx_alloc_func = rsa_alt_alloc_wrap,
1403
    .ctx_free_func = rsa_alt_free_wrap,
1404
    .debug_func = NULL,
1405
};
1406
#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1407
1408
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1409
static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
1410
0
{
1411
0
    size_t bits;
1412
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1413
1414
0
    if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
1415
0
        return 0;
1416
0
    }
1417
1418
0
    bits = psa_get_key_bits(&attributes);
1419
0
    psa_reset_key_attributes(&attributes);
1420
0
    return bits;
1421
0
}
1422
1423
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
1424
static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
1425
0
{
1426
0
    return type == MBEDTLS_PK_ECKEY ||
1427
0
           type == MBEDTLS_PK_ECDSA;
1428
0
}
1429
1430
const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
1431
    .type = MBEDTLS_PK_OPAQUE,
1432
    .name = "Opaque",
1433
    .get_bitlen = opaque_get_bitlen,
1434
    .can_do = ecdsa_opaque_can_do,
1435
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1436
    .verify_func = ecdsa_opaque_verify_wrap,
1437
#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1438
    .verify_func = NULL,
1439
#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1440
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1441
    .sign_func = ecdsa_opaque_sign_wrap,
1442
#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1443
    .sign_func = NULL,
1444
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1445
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1446
    .verify_rs_func = NULL,
1447
    .sign_rs_func = NULL,
1448
    .rs_alloc_func = NULL,
1449
    .rs_free_func = NULL,
1450
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1451
    .decrypt_func = NULL,
1452
    .encrypt_func = NULL,
1453
    .check_pair_func = ecdsa_opaque_check_pair_wrap,
1454
    .ctx_alloc_func = NULL,
1455
    .ctx_free_func = NULL,
1456
    .debug_func = NULL,
1457
};
1458
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1459
1460
static int rsa_opaque_can_do(mbedtls_pk_type_t type)
1461
0
{
1462
0
    return type == MBEDTLS_PK_RSA ||
1463
0
           type == MBEDTLS_PK_RSASSA_PSS;
1464
0
}
1465
1466
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
1467
static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
1468
                              const unsigned char *input, size_t ilen,
1469
                              unsigned char *output, size_t *olen, size_t osize,
1470
                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1471
0
{
1472
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1473
0
    psa_algorithm_t alg;
1474
0
    psa_key_type_t type;
1475
0
    psa_status_t status;
1476
1477
    /* PSA has its own RNG */
1478
0
    (void) f_rng;
1479
0
    (void) p_rng;
1480
1481
0
    status = psa_get_key_attributes(pk->priv_id, &attributes);
1482
0
    if (status != PSA_SUCCESS) {
1483
0
        return PSA_PK_TO_MBEDTLS_ERR(status);
1484
0
    }
1485
1486
0
    type = psa_get_key_type(&attributes);
1487
0
    alg = psa_get_key_algorithm(&attributes);
1488
0
    psa_reset_key_attributes(&attributes);
1489
1490
0
    if (!PSA_KEY_TYPE_IS_RSA(type)) {
1491
0
        return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1492
0
    }
1493
1494
0
    status = psa_asymmetric_decrypt(pk->priv_id, alg, input, ilen, NULL, 0, output, osize, olen);
1495
0
    if (status != PSA_SUCCESS) {
1496
0
        return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1497
0
    }
1498
1499
0
    return 0;
1500
0
}
1501
#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1502
1503
static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1504
                                const unsigned char *hash, size_t hash_len,
1505
                                unsigned char *sig, size_t sig_size, size_t *sig_len,
1506
                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1507
0
{
1508
0
#if defined(MBEDTLS_RSA_C)
1509
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1510
0
    psa_algorithm_t alg;
1511
0
    psa_key_type_t type;
1512
0
    psa_status_t status;
1513
1514
    /* PSA has its own RNG */
1515
0
    (void) f_rng;
1516
0
    (void) p_rng;
1517
1518
0
    status = psa_get_key_attributes(pk->priv_id, &attributes);
1519
0
    if (status != PSA_SUCCESS) {
1520
0
        return PSA_PK_TO_MBEDTLS_ERR(status);
1521
0
    }
1522
1523
0
    type = psa_get_key_type(&attributes);
1524
0
    alg = psa_get_key_algorithm(&attributes);
1525
0
    psa_reset_key_attributes(&attributes);
1526
1527
0
    if (PSA_KEY_TYPE_IS_RSA(type)) {
1528
0
        alg = (alg & ~PSA_ALG_HASH_MASK) | mbedtls_md_psa_alg_from_type(md_alg);
1529
0
    } else {
1530
0
        return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1531
0
    }
1532
1533
0
    status = psa_sign_hash(pk->priv_id, alg, hash, hash_len, sig, sig_size, sig_len);
1534
0
    if (status != PSA_SUCCESS) {
1535
0
        if (PSA_KEY_TYPE_IS_RSA(type)) {
1536
0
            return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1537
0
        } else {
1538
0
            return PSA_PK_TO_MBEDTLS_ERR(status);
1539
0
        }
1540
0
    }
1541
1542
0
    return 0;
1543
#else /* !MBEDTLS_RSA_C */
1544
    ((void) pk);
1545
    ((void) md_alg);
1546
    ((void) hash);
1547
    ((void) hash_len);
1548
    ((void) sig);
1549
    ((void) sig_size);
1550
    ((void) sig_len);
1551
    ((void) f_rng);
1552
    ((void) p_rng);
1553
    return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1554
#endif /* !MBEDTLS_RSA_C */
1555
0
}
1556
1557
const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
1558
    .type = MBEDTLS_PK_OPAQUE,
1559
    .name = "Opaque",
1560
    .get_bitlen = opaque_get_bitlen,
1561
    .can_do = rsa_opaque_can_do,
1562
    .verify_func = NULL,
1563
    .sign_func = rsa_opaque_sign_wrap,
1564
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1565
    .verify_rs_func = NULL,
1566
    .sign_rs_func = NULL,
1567
    .rs_alloc_func = NULL,
1568
    .rs_free_func = NULL,
1569
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1570
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
1571
    .decrypt_func = rsa_opaque_decrypt,
1572
#else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1573
    .decrypt_func = NULL,
1574
#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1575
    .encrypt_func = NULL,
1576
    .check_pair_func = NULL,
1577
    .ctx_alloc_func = NULL,
1578
    .ctx_free_func = NULL,
1579
    .debug_func = NULL,
1580
};
1581
1582
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1583
1584
#endif /* MBEDTLS_PK_C */