/src/mbedtls/library/pk_ecc.c

Source (jump to first uncovered line)
/*
 *  ECC setters for PK.
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */

#include "common.h"

#include "mbedtls/pk.h"
#include "mbedtls/error.h"
#include "mbedtls/ecp.h"
#include "pk_internal.h"

#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS)

int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
{
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
    size_t ec_bits;
    psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits);

    /* group may already be initialized; if so, make sure IDs match */
    if ((pk->ec_family != 0 && pk->ec_family != ec_family) ||
        (pk->ec_bits != 0 && pk->ec_bits != ec_bits)) {
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
    }

    /* set group */
    pk->ec_family = ec_family;
    pk->ec_bits = ec_bits;

    return 0;
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
    mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk);

    /* grp may already be initialized; if so, make sure IDs match */
    if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
        mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
        return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
    }

    /* set group */
    return mbedtls_ecp_group_load(&(ecp->grp), grp_id);
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}

int mbedtls_pk_ecc_set_key(mbedtls_pk_context *pk, unsigned char *key, size_t key_len)
{
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_key_usage_t flags;
    psa_status_t status;

    psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
    if (pk->ec_family == PSA_ECC_FAMILY_MONTGOMERY) {
        /* Do not set algorithm here because Montgomery keys cannot do ECDSA and
         * the PK module cannot do ECDH. When the key will be used in TLS for
         * ECDH, it will be exported and then re-imported with proper flags
         * and algorithm. */
        flags = PSA_KEY_USAGE_EXPORT;
    } else {
        psa_set_key_algorithm(&attributes,
                              MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH));
        flags = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE |
                PSA_KEY_USAGE_EXPORT;
    }
    psa_set_key_usage_flags(&attributes, flags);

    status = psa_import_key(&attributes, key, key_len, &pk->priv_id);
    return psa_pk_status_to_mbedtls(status);

#else /* MBEDTLS_PK_USE_PSA_EC_DATA */

    mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
    int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, key_len);
    if (ret != 0) {
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
    }
    return 0;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}

int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk,
                                       const unsigned char *prv, size_t prv_len,
                                       int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)

    (void) f_rng;
    (void) p_rng;
    (void) prv;
    (void) prv_len;
    psa_status_t status;

    status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
                                   &pk->pub_raw_len);
    return psa_pk_status_to_mbedtls(status);

#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */

    (void) f_rng;
    (void) p_rng;
    psa_status_t status;

    mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
    size_t curve_bits;
    psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);

    /* Import private key into PSA, from serialized input */
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
    psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
    psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
    psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
    status = psa_import_key(&key_attr, prv, prv_len, &key_id);
    if (status != PSA_SUCCESS) {
        return psa_pk_status_to_mbedtls(status);
    }

    /* Export public key from PSA */
    unsigned char pub[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
    size_t pub_len;
    status = psa_export_public_key(key_id, pub, sizeof(pub), &pub_len);
    psa_status_t destruction_status = psa_destroy_key(key_id);
    if (status != PSA_SUCCESS) {
        return psa_pk_status_to_mbedtls(status);
    } else if (destruction_status != PSA_SUCCESS) {
        return psa_pk_status_to_mbedtls(destruction_status);
    }

    /* Load serialized public key into ecp_keypair structure */
    return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, pub, pub_len);

#else /* MBEDTLS_USE_PSA_CRYPTO */

    (void) prv;
    (void) prv_len;

    mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
    return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng);

#endif /* MBEDTLS_USE_PSA_CRYPTO */
}

#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/*
 * Set the public key: fallback using ECP_LIGHT in the USE_PSA_EC_DATA case.
 *
 * Normally, when MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we only use PSA
 * functions to handle keys. However, currently psa_import_key() does not
 * support compressed points. In case that support was explicitly requested,
 * this fallback uses ECP functions to get the job done. This is the reason
 * why MBEDTLS_PK_PARSE_EC_COMPRESSED auto-enables MBEDTLS_ECP_LIGHT.
 *
 * [in/out] pk: in: must have the group set, see mbedtls_pk_ecc_set_group().
 *              out: will have the public key set.
 * [in] pub, pub_len: the public key as an ECPoint,
 *                    in any format supported by ECP.
 *
 * Return:
 * - 0 on success;
 * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid
 *   but not supported;
 * - another error code otherwise.
 */
static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk,
                                              const unsigned char *pub,
                                              size_t pub_len)
{
#if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
    (void) pk;
    (void) pub;
    (void) pub_len;
    return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
    mbedtls_ecp_keypair ecp_key;
    mbedtls_ecp_group_id ecp_group_id;
    int ret;

    ecp_group_id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);

    mbedtls_ecp_keypair_init(&ecp_key);
    ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
    if (ret != 0) {
        goto exit;
    }
    ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
                                        pub, pub_len);
    if (ret != 0) {
        goto exit;
    }
    ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
                                         MBEDTLS_ECP_PF_UNCOMPRESSED,
                                         &pk->pub_raw_len, pk->pub_raw,
                                         sizeof(pk->pub_raw));

exit:
    mbedtls_ecp_keypair_free(&ecp_key);
    return ret;
#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */

int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len)
{
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)

    /* Load the key */
    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(pk->ec_family) || *pub == 0x04) {
        /* Format directly supported by PSA:
         * - non-Weierstrass curves that only have one format;
         * - uncompressed format for Weierstrass curves. */
        if (pub_len > sizeof(pk->pub_raw)) {
            return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
        }
        memcpy(pk->pub_raw, pub, pub_len);
        pk->pub_raw_len = pub_len;
    } else {
        /* Other format, try the fallback */
        int ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len);
        if (ret != 0) {
            return ret;
        }
    }

    /* Validate the key by trying to import it */
    mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
    psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;

    psa_set_key_usage_flags(&key_attrs, 0);
    psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
    psa_set_key_bits(&key_attrs, pk->ec_bits);

    if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
                        &key_id) != PSA_SUCCESS) ||
        (psa_destroy_key(key_id) != PSA_SUCCESS)) {
        return MBEDTLS_ERR_PK_INVALID_PUBKEY;
    }

    return 0;

#else /* MBEDTLS_PK_USE_PSA_EC_DATA */

    int ret;
    mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx;
    ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, pub, pub_len);
    if (ret != 0) {
        return ret;
    }
    return mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);

#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}

#endif /* MBEDTLS_PK_C && MBEDTLS_PK_HAVE_ECC_KEYS */

Coverage Report

Created: 2025-03-01 06:26

Line	Count	Source (jump to first uncovered line)
1		/*
2		* ECC setters for PK.
3		*
4		* Copyright The Mbed TLS Contributors
5		* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6		*/
7
8		#include "common.h"
9
10		#include "mbedtls/pk.h"
11		#include "mbedtls/error.h"
12		#include "mbedtls/ecp.h"
13		#include "pk_internal.h"
14
15		#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS)
16
17		int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
18	0	{
19		#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
20		size_t ec_bits;
21		psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits);
22
23		/* group may already be initialized; if so, make sure IDs match */
24		if ((pk->ec_family != 0 && pk->ec_family != ec_family) \|\|
25		(pk->ec_bits != 0 && pk->ec_bits != ec_bits)) {
26		return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
27		}
28
29		/* set group */
30		pk->ec_family = ec_family;
31		pk->ec_bits = ec_bits;
32
33		return 0;
34		#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
35	0	mbedtls_ecp_keypair ecp = mbedtls_pk_ec_rw(pk);
36
37		/* grp may already be initialized; if so, make sure IDs match */
38	0	if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
39	0	mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
40	0	return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
41	0	}
42
43		/* set group */
44	0	return mbedtls_ecp_group_load(&(ecp->grp), grp_id);
45	0	#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
46	0	}
47
48		int mbedtls_pk_ecc_set_key(mbedtls_pk_context pk, unsigned char key, size_t key_len)
49	0	{
50		#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
51		psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
52		psa_key_usage_t flags;
53		psa_status_t status;
54
55		psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
56		if (pk->ec_family == PSA_ECC_FAMILY_MONTGOMERY) {
57		/* Do not set algorithm here because Montgomery keys cannot do ECDSA and
58		* the PK module cannot do ECDH. When the key will be used in TLS for
59		* ECDH, it will be exported and then re-imported with proper flags
60		* and algorithm. */
61		flags = PSA_KEY_USAGE_EXPORT;
62		} else {
63		psa_set_key_algorithm(&attributes,
64		MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH));
65		flags = PSA_KEY_USAGE_SIGN_HASH \| PSA_KEY_USAGE_SIGN_MESSAGE \|
66		PSA_KEY_USAGE_EXPORT;
67		}
68		psa_set_key_usage_flags(&attributes, flags);
69
70		status = psa_import_key(&attributes, key, key_len, &pk->priv_id);
71		return psa_pk_status_to_mbedtls(status);
72
73		#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
74
75	0	mbedtls_ecp_keypair eck = mbedtls_pk_ec_rw(pk);
76	0	int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, key_len);
77	0	if (ret != 0) {
78	0	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
79	0	}
80	0	return 0;
81	0	#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
82	0	}
83
84		int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk,
85		const unsigned char *prv, size_t prv_len,
86		int (f_rng)(void , unsigned char , size_t), void p_rng)
87	0	{
88		#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
89
90		(void) f_rng;
91		(void) p_rng;
92		(void) prv;
93		(void) prv_len;
94		psa_status_t status;
95
96		status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
97		&pk->pub_raw_len);
98		return psa_pk_status_to_mbedtls(status);
99
100		#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */
101
102	0	(void) f_rng;
103	0	(void) p_rng;
104	0	psa_status_t status;
105
106	0	mbedtls_ecp_keypair eck = (mbedtls_ecp_keypair ) pk->pk_ctx;
107	0	size_t curve_bits;
108	0	psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
109
110		/* Import private key into PSA, from serialized input */
111	0	mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
112	0	psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
113	0	psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
114	0	psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
115	0	status = psa_import_key(&key_attr, prv, prv_len, &key_id);
116	0	if (status != PSA_SUCCESS) {
117	0	return psa_pk_status_to_mbedtls(status);
118	0	}
119
120		/* Export public key from PSA */
121	0	unsigned char pub[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
122	0	size_t pub_len;
123	0	status = psa_export_public_key(key_id, pub, sizeof(pub), &pub_len);
124	0	psa_status_t destruction_status = psa_destroy_key(key_id);
125	0	if (status != PSA_SUCCESS) {
126	0	return psa_pk_status_to_mbedtls(status);
127	0	} else if (destruction_status != PSA_SUCCESS) {
128	0	return psa_pk_status_to_mbedtls(destruction_status);
129	0	}
130
131		/* Load serialized public key into ecp_keypair structure */
132	0	return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, pub, pub_len);
133
134		#else /* MBEDTLS_USE_PSA_CRYPTO */
135
136		(void) prv;
137		(void) prv_len;
138
139		mbedtls_ecp_keypair eck = (mbedtls_ecp_keypair ) pk->pk_ctx;
140		return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng);
141
142		#endif /* MBEDTLS_USE_PSA_CRYPTO */
143	0	}
144
145		#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
146		/*
147		* Set the public key: fallback using ECP_LIGHT in the USE_PSA_EC_DATA case.
148		*
149		* Normally, when MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we only use PSA
150		* functions to handle keys. However, currently psa_import_key() does not
151		* support compressed points. In case that support was explicitly requested,
152		* this fallback uses ECP functions to get the job done. This is the reason
153		* why MBEDTLS_PK_PARSE_EC_COMPRESSED auto-enables MBEDTLS_ECP_LIGHT.
154		*
155		* [in/out] pk: in: must have the group set, see mbedtls_pk_ecc_set_group().
156		* out: will have the public key set.
157		* [in] pub, pub_len: the public key as an ECPoint,
158		* in any format supported by ECP.
159		*
160		* Return:
161		* - 0 on success;
162		* - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid
163		* but not supported;
164		* - another error code otherwise.
165		*/
166		static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk,
167		const unsigned char *pub,
168		size_t pub_len)
169		{
170		#if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
171		(void) pk;
172		(void) pub;
173		(void) pub_len;
174		return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
175		#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
176		mbedtls_ecp_keypair ecp_key;
177		mbedtls_ecp_group_id ecp_group_id;
178		int ret;
179
180		ecp_group_id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
181
182		mbedtls_ecp_keypair_init(&ecp_key);
183		ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
184		if (ret != 0) {
185		goto exit;
186		}
187		ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
188		pub, pub_len);
189		if (ret != 0) {
190		goto exit;
191		}
192		ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
193		MBEDTLS_ECP_PF_UNCOMPRESSED,
194		&pk->pub_raw_len, pk->pub_raw,
195		sizeof(pk->pub_raw));
196
197		exit:
198		mbedtls_ecp_keypair_free(&ecp_key);
199		return ret;
200		#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
201		}
202		#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
203
204		int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context pk, const unsigned char pub, size_t pub_len)
205	0	{
206		#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
207
208		/* Load the key */
209		if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(pk->ec_family) \|\| *pub == 0x04) {
210		/* Format directly supported by PSA:
211		* - non-Weierstrass curves that only have one format;
212		* - uncompressed format for Weierstrass curves. */
213		if (pub_len > sizeof(pk->pub_raw)) {
214		return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
215		}
216		memcpy(pk->pub_raw, pub, pub_len);
217		pk->pub_raw_len = pub_len;
218		} else {
219		/* Other format, try the fallback */
220		int ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len);
221		if (ret != 0) {
222		return ret;
223		}
224		}
225
226		/* Validate the key by trying to import it */
227		mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
228		psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
229
230		psa_set_key_usage_flags(&key_attrs, 0);
231		psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
232		psa_set_key_bits(&key_attrs, pk->ec_bits);
233
234		if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
235		&key_id) != PSA_SUCCESS) \|\|
236		(psa_destroy_key(key_id) != PSA_SUCCESS)) {
237		return MBEDTLS_ERR_PK_INVALID_PUBKEY;
238		}
239
240		return 0;
241
242		#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
243
244	0	int ret;
245	0	mbedtls_ecp_keypair ec_key = (mbedtls_ecp_keypair ) pk->pk_ctx;
246	0	ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, pub, pub_len);
247	0	if (ret != 0) {
248	0	return ret;
249	0	}
250	0	return mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);
251
252	0	#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
253	0	}
254
255		#endif /* MBEDTLS_PK_C && MBEDTLS_PK_HAVE_ECC_KEYS */