• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file pk.h
3  *
4  * \brief Public Key abstraction layer
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 
23 #ifndef MBEDTLS_PK_H
24 #define MBEDTLS_PK_H
25 #include "mbedtls/private_access.h"
26 
27 #include "mbedtls/build_info.h"
28 
29 #include "mbedtls/md.h"
30 
31 #if defined(MBEDTLS_RSA_C)
32 #include "mbedtls/rsa.h"
33 #endif
34 
35 #if defined(MBEDTLS_ECP_C)
36 #include "mbedtls/ecp.h"
37 #endif
38 
39 #if defined(MBEDTLS_ECDSA_C)
40 #include "mbedtls/ecdsa.h"
41 #endif
42 
43 #if defined(MBEDTLS_USE_PSA_CRYPTO)
44 #include "psa/crypto.h"
45 #endif
46 
47 /** Memory allocation failed. */
48 #define MBEDTLS_ERR_PK_ALLOC_FAILED        -0x3F80
49 /** Type mismatch, eg attempt to encrypt with an ECDSA key */
50 #define MBEDTLS_ERR_PK_TYPE_MISMATCH       -0x3F00
51 /** Bad input parameters to function. */
52 #define MBEDTLS_ERR_PK_BAD_INPUT_DATA      -0x3E80
53 /** Read/write of file failed. */
54 #define MBEDTLS_ERR_PK_FILE_IO_ERROR       -0x3E00
55 /** Unsupported key version */
56 #define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80
57 /** Invalid key tag or value. */
58 #define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT  -0x3D00
59 /** Key algorithm is unsupported (only RSA and EC are supported). */
60 #define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG      -0x3C80
61 /** Private key password can't be empty. */
62 #define MBEDTLS_ERR_PK_PASSWORD_REQUIRED   -0x3C00
63 /** Given private key password does not allow for correct decryption. */
64 #define MBEDTLS_ERR_PK_PASSWORD_MISMATCH   -0x3B80
65 /** The pubkey tag or value is invalid (only RSA and EC are supported). */
66 #define MBEDTLS_ERR_PK_INVALID_PUBKEY      -0x3B00
67 /** The algorithm tag or value is invalid. */
68 #define MBEDTLS_ERR_PK_INVALID_ALG         -0x3A80
69 /** Elliptic curve is unsupported (only NIST curves are supported). */
70 #define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00
71 /** Unavailable feature, e.g. RSA disabled for RSA key. */
72 #define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980
73 /** The buffer contains a valid signature followed by more data. */
74 #define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900
75 /** The output buffer is too small. */
76 #define MBEDTLS_ERR_PK_BUFFER_TOO_SMALL    -0x3880
77 
78 #ifdef __cplusplus
79 extern "C" {
80 #endif
81 
82 /**
83  * \brief          Public key types
84  */
85 typedef enum {
86     MBEDTLS_PK_NONE=0,
87     MBEDTLS_PK_RSA,
88     MBEDTLS_PK_ECKEY,
89     MBEDTLS_PK_ECKEY_DH,
90     MBEDTLS_PK_ECDSA,
91     MBEDTLS_PK_RSA_ALT,
92     MBEDTLS_PK_RSASSA_PSS,
93     MBEDTLS_PK_OPAQUE,
94 } mbedtls_pk_type_t;
95 
96 /**
97  * \brief           Options for RSASSA-PSS signature verification.
98  *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
99  */
100 typedef struct mbedtls_pk_rsassa_pss_options {
101     /** The digest to use for MGF1 in PSS.
102      *
103      * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is
104      *       disabled, this must be equal to the \c md_alg argument passed
105      *       to mbedtls_pk_verify_ext(). In a future version of the library,
106      *       this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is
107      *       enabled regardless of the status of #MBEDTLS_RSA_C.
108      */
109     mbedtls_md_type_t mgf1_hash_id;
110 
111     /** The expected length of the salt, in bytes. This may be
112      * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
113      *
114      * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only
115      *       #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be
116      *       ignored (allowing any salt length).
117      */
118     int expected_salt_len;
119 
120 } mbedtls_pk_rsassa_pss_options;
121 
122 /**
123  * \brief           Maximum size of a signature made by mbedtls_pk_sign().
124  */
125 /* We need to set MBEDTLS_PK_SIGNATURE_MAX_SIZE to the maximum signature
126  * size among the supported signature types. Do it by starting at 0,
127  * then incrementally increasing to be large enough for each supported
128  * signature mechanism.
129  *
130  * The resulting value can be 0, for example if MBEDTLS_ECDH_C is enabled
131  * (which allows the pk module to be included) but neither MBEDTLS_ECDSA_C
132  * nor MBEDTLS_RSA_C nor any opaque signature mechanism (PSA or RSA_ALT).
133  */
134 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE 0
135 
136 #if (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_RSA_ALT_SUPPORT)) && \
137     MBEDTLS_MPI_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
138 /* For RSA, the signature can be as large as the bignum module allows.
139  * For RSA_ALT, the signature size is not necessarily tied to what the
140  * bignum module can do, but in the absence of any specific setting,
141  * we use that (rsa_alt_sign_wrap in library/pk_wrap.h will check). */
142 #undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
143 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
144 #endif
145 
146 #if defined(MBEDTLS_ECDSA_C) &&                                 \
147     MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_PK_SIGNATURE_MAX_SIZE
148 /* For ECDSA, the ecdsa module exports a constant for the maximum
149  * signature size. */
150 #undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
151 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
152 #endif
153 
154 #if defined(MBEDTLS_USE_PSA_CRYPTO)
155 #if PSA_SIGNATURE_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
156 /* PSA_SIGNATURE_MAX_SIZE is the maximum size of a signature made
157  * through the PSA API in the PSA representation. */
158 #undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
159 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE PSA_SIGNATURE_MAX_SIZE
160 #endif
161 
162 #if PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11 > MBEDTLS_PK_SIGNATURE_MAX_SIZE
163 /* The Mbed TLS representation is different for ECDSA signatures:
164  * PSA uses the raw concatenation of r and s,
165  * whereas Mbed TLS uses the ASN.1 representation (SEQUENCE of two INTEGERs).
166  * Add the overhead of ASN.1: up to (1+2) + 2 * (1+2+1) for the
167  * types, lengths (represented by up to 2 bytes), and potential leading
168  * zeros of the INTEGERs and the SEQUENCE. */
169 #undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
170 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE (PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11)
171 #endif
172 #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
173 
174 /**
175  * \brief   The following defines are meant to list ECDSA capabilities of the
176  *          PK module in a general way (without any reference to how this
177  *          is achieved, which can be either through PSA driver or
178  *          MBEDTLS_ECDSA_C)
179  */
180 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
181 #if defined(MBEDTLS_ECDSA_C)
182 #define MBEDTLS_PK_CAN_ECDSA_SIGN
183 #define MBEDTLS_PK_CAN_ECDSA_VERIFY
184 #endif
185 #else /* MBEDTLS_USE_PSA_CRYPTO */
186 #if defined(PSA_WANT_ALG_ECDSA)
187 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
188 #define MBEDTLS_PK_CAN_ECDSA_SIGN
189 #endif
190 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
191 #define MBEDTLS_PK_CAN_ECDSA_VERIFY
192 #endif
193 #endif /* PSA_WANT_ALG_ECDSA */
194 #endif /* MBEDTLS_USE_PSA_CRYPTO */
195 
196 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
197 #define MBEDTLS_PK_CAN_ECDSA_SOME
198 #endif
199 
200 /**
201  * \brief           Types for interfacing with the debug module
202  */
203 typedef enum {
204     MBEDTLS_PK_DEBUG_NONE = 0,
205     MBEDTLS_PK_DEBUG_MPI,
206     MBEDTLS_PK_DEBUG_ECP,
207 } mbedtls_pk_debug_type;
208 
209 /**
210  * \brief           Item to send to the debug module
211  */
212 typedef struct mbedtls_pk_debug_item {
213     mbedtls_pk_debug_type MBEDTLS_PRIVATE(type);
214     const char *MBEDTLS_PRIVATE(name);
215     void *MBEDTLS_PRIVATE(value);
216 } mbedtls_pk_debug_item;
217 
218 /** Maximum number of item send for debugging, plus 1 */
219 #define MBEDTLS_PK_DEBUG_MAX_ITEMS 3
220 
221 /**
222  * \brief           Public key information and operations
223  *
224  * \note        The library does not support custom pk info structures,
225  *              only built-in structures returned by
226  *              mbedtls_cipher_info_from_type().
227  */
228 typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
229 
230 /**
231  * \brief           Public key container
232  */
233 typedef struct mbedtls_pk_context {
234     const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info);    /**< Public key information         */
235     void *MBEDTLS_PRIVATE(pk_ctx);                        /**< Underlying public key context  */
236 } mbedtls_pk_context;
237 
238 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
239 /**
240  * \brief           Context for resuming operations
241  */
242 typedef struct {
243     const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info);    /**< Public key information         */
244     void *MBEDTLS_PRIVATE(rs_ctx);                        /**< Underlying restart context     */
245 } mbedtls_pk_restart_ctx;
246 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
247 /* Now we can declare functions that take a pointer to that */
248 typedef void mbedtls_pk_restart_ctx;
249 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
250 
251 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
252 /**
253  * \brief           Types for RSA-alt abstraction
254  */
255 typedef int (*mbedtls_pk_rsa_alt_decrypt_func)(void *ctx, size_t *olen,
256                                                const unsigned char *input, unsigned char *output,
257                                                size_t output_max_len);
258 typedef int (*mbedtls_pk_rsa_alt_sign_func)(void *ctx,
259                                             int (*f_rng)(void *, unsigned char *, size_t),
260                                             void *p_rng,
261                                             mbedtls_md_type_t md_alg, unsigned int hashlen,
262                                             const unsigned char *hash, unsigned char *sig);
263 typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)(void *ctx);
264 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
265 
266 /**
267  * \brief           Return information associated with the given PK type
268  *
269  * \param pk_type   PK type to search for.
270  *
271  * \return          The PK info associated with the type or NULL if not found.
272  */
273 const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type);
274 
275 /**
276  * \brief           Initialize a #mbedtls_pk_context (as NONE).
277  *
278  * \param ctx       The context to initialize.
279  *                  This must not be \c NULL.
280  */
281 void mbedtls_pk_init(mbedtls_pk_context *ctx);
282 
283 /**
284  * \brief           Free the components of a #mbedtls_pk_context.
285  *
286  * \param ctx       The context to clear. It must have been initialized.
287  *                  If this is \c NULL, this function does nothing.
288  *
289  * \note            For contexts that have been set up with
290  *                  mbedtls_pk_setup_opaque(), this does not free the underlying
291  *                  PSA key and you still need to call psa_destroy_key()
292  *                  independently if you want to destroy that key.
293  */
294 void mbedtls_pk_free(mbedtls_pk_context *ctx);
295 
296 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
297 /**
298  * \brief           Initialize a restart context
299  *
300  * \param ctx       The context to initialize.
301  *                  This must not be \c NULL.
302  */
303 void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx);
304 
305 /**
306  * \brief           Free the components of a restart context
307  *
308  * \param ctx       The context to clear. It must have been initialized.
309  *                  If this is \c NULL, this function does nothing.
310  */
311 void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx);
312 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
313 
314 /**
315  * \brief           Initialize a PK context with the information given
316  *                  and allocates the type-specific PK subcontext.
317  *
318  * \param ctx       Context to initialize. It must not have been set
319  *                  up yet (type #MBEDTLS_PK_NONE).
320  * \param info      Information to use
321  *
322  * \return          0 on success,
323  *                  MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input,
324  *                  MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
325  *
326  * \note            For contexts holding an RSA-alt key, use
327  *                  \c mbedtls_pk_setup_rsa_alt() instead.
328  */
329 int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
330 
331 #if defined(MBEDTLS_USE_PSA_CRYPTO)
332 /**
333  * \brief           Initialize a PK context to wrap a PSA key.
334  *
335  * \note            This function replaces mbedtls_pk_setup() for contexts
336  *                  that wrap a (possibly opaque) PSA key instead of
337  *                  storing and manipulating the key material directly.
338  *
339  * \param ctx       The context to initialize. It must be empty (type NONE).
340  * \param key       The PSA key to wrap, which must hold an ECC or RSA key
341  *                  pair (see notes below).
342  *
343  * \note            The wrapped key must remain valid as long as the
344  *                  wrapping PK context is in use, that is at least between
345  *                  the point this function is called and the point
346  *                  mbedtls_pk_free() is called on this context. The wrapped
347  *                  key might then be independently used or destroyed.
348  *
349  * \note            This function is currently only available for ECC or RSA
350  *                  key pairs (that is, keys containing private key material).
351  *                  Support for other key types may be added later.
352  *
353  * \return          \c 0 on success.
354  * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
355  *                  (context already used, invalid key identifier).
356  * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
357  *                  ECC key pair.
358  * \return          #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
359  */
360 int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
361                             const mbedtls_svc_key_id_t key);
362 #endif /* MBEDTLS_USE_PSA_CRYPTO */
363 
364 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
365 /**
366  * \brief           Initialize an RSA-alt context
367  *
368  * \param ctx       Context to initialize. It must not have been set
369  *                  up yet (type #MBEDTLS_PK_NONE).
370  * \param key       RSA key pointer
371  * \param decrypt_func  Decryption function
372  * \param sign_func     Signing function
373  * \param key_len_func  Function returning key length in bytes
374  *
375  * \return          0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the
376  *                  context wasn't already initialized as RSA_ALT.
377  *
378  * \note            This function replaces \c mbedtls_pk_setup() for RSA-alt.
379  */
380 int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
381                              mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
382                              mbedtls_pk_rsa_alt_sign_func sign_func,
383                              mbedtls_pk_rsa_alt_key_len_func key_len_func);
384 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
385 
386 /**
387  * \brief           Get the size in bits of the underlying key
388  *
389  * \param ctx       The context to query. It must have been initialized.
390  *
391  * \return          Key size in bits, or 0 on error
392  */
393 size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx);
394 
395 /**
396  * \brief           Get the length in bytes of the underlying key
397  *
398  * \param ctx       The context to query. It must have been initialized.
399  *
400  * \return          Key length in bytes, or 0 on error
401  */
mbedtls_pk_get_len(const mbedtls_pk_context * ctx)402 static inline size_t mbedtls_pk_get_len(const mbedtls_pk_context *ctx)
403 {
404     return (mbedtls_pk_get_bitlen(ctx) + 7) / 8;
405 }
406 
407 /**
408  * \brief           Tell if a context can do the operation given by type
409  *
410  * \param ctx       The context to query. It must have been initialized.
411  * \param type      The desired type.
412  *
413  * \return          1 if the context can do operations on the given type.
414  * \return          0 if the context cannot do the operations on the given
415  *                  type. This is always the case for a context that has
416  *                  been initialized but not set up, or that has been
417  *                  cleared with mbedtls_pk_free().
418  */
419 int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type);
420 
421 #if defined(MBEDTLS_USE_PSA_CRYPTO)
422 /**
423  * \brief           Tell if context can do the operation given by PSA algorithm
424  *
425  * \param ctx       The context to query. It must have been initialized.
426  * \param alg       PSA algorithm to check against, the following are allowed:
427  *                  PSA_ALG_RSA_PKCS1V15_SIGN(hash),
428  *                  PSA_ALG_RSA_PSS(hash),
429  *                  PSA_ALG_RSA_PKCS1V15_CRYPT,
430  *                  PSA_ALG_ECDSA(hash),
431  *                  PSA_ALG_ECDH, where hash is a specific hash.
432  * \param usage  PSA usage flag to check against, must be composed of:
433  *                  PSA_KEY_USAGE_SIGN_HASH
434  *                  PSA_KEY_USAGE_DECRYPT
435  *                  PSA_KEY_USAGE_DERIVE.
436  *                  Context key must match all passed usage flags.
437  *
438  * \warning         Since the set of allowed algorithms and usage flags may be
439  *                  expanded in the future, the return value \c 0 should not
440  *                  be taken in account for non-allowed algorithms and usage
441  *                  flags.
442  *
443  * \return          1 if the context can do operations on the given type.
444  * \return          0 if the context cannot do the operations on the given
445  *                  type, for non-allowed algorithms and usage flags, or
446  *                  for a context that has been initialized but not set up
447  *                  or that has been cleared with mbedtls_pk_free().
448  */
449 int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
450                           psa_key_usage_t usage);
451 #endif /* MBEDTLS_USE_PSA_CRYPTO */
452 
453 /**
454  * \brief           Verify signature (including padding if relevant).
455  *
456  * \param ctx       The PK context to use. It must have been set up.
457  * \param md_alg    Hash algorithm used.
458  *                  This can be #MBEDTLS_MD_NONE if the signature algorithm
459  *                  does not rely on a hash algorithm (non-deterministic
460  *                  ECDSA, RSA PKCS#1 v1.5).
461  *                  For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then
462  *                  \p hash is the DigestInfo structure used by RFC 8017
463  *                  &sect;9.2 steps 3&ndash;6. If \p md_alg is a valid hash
464  *                  algorithm then \p hash is the digest itself, and this
465  *                  function calculates the DigestInfo encoding internally.
466  * \param hash      Hash of the message to sign
467  * \param hash_len  Hash length
468  * \param sig       Signature to verify
469  * \param sig_len   Signature length
470  *
471  * \return          0 on success (signature is valid),
472  *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
473  *                  signature in sig but its length is less than \p siglen,
474  *                  or a specific error code.
475  *
476  * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
477  *                  Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
478  *                  to verify RSASSA_PSS signatures.
479  */
480 int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
481                       const unsigned char *hash, size_t hash_len,
482                       const unsigned char *sig, size_t sig_len);
483 
484 /**
485  * \brief           Restartable version of \c mbedtls_pk_verify()
486  *
487  * \note            Performs the same job as \c mbedtls_pk_verify(), but can
488  *                  return early and restart according to the limit set with
489  *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
490  *                  operations. For RSA, same as \c mbedtls_pk_verify().
491  *
492  * \param ctx       The PK context to use. It must have been set up.
493  * \param md_alg    Hash algorithm used (see notes)
494  * \param hash      Hash of the message to sign
495  * \param hash_len  Hash length or 0 (see notes)
496  * \param sig       Signature to verify
497  * \param sig_len   Signature length
498  * \param rs_ctx    Restart context (NULL to disable restart)
499  *
500  * \return          See \c mbedtls_pk_verify(), or
501  * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
502  *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
503  */
504 int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
505                                   mbedtls_md_type_t md_alg,
506                                   const unsigned char *hash, size_t hash_len,
507                                   const unsigned char *sig, size_t sig_len,
508                                   mbedtls_pk_restart_ctx *rs_ctx);
509 
510 /**
511  * \brief           Verify signature, with options.
512  *                  (Includes verification of the padding depending on type.)
513  *
514  * \param type      Signature type (inc. possible padding type) to verify
515  * \param options   Pointer to type-specific options, or NULL
516  * \param ctx       The PK context to use. It must have been set up.
517  * \param md_alg    Hash algorithm used (see notes)
518  * \param hash      Hash of the message to sign
519  * \param hash_len  Hash length or 0 (see notes)
520  * \param sig       Signature to verify
521  * \param sig_len   Signature length
522  *
523  * \return          0 on success (signature is valid),
524  *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
525  *                  used for this type of signatures,
526  *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
527  *                  signature in sig but its length is less than \p siglen,
528  *                  or a specific error code.
529  *
530  * \note            If hash_len is 0, then the length associated with md_alg
531  *                  is used instead, or an error returned if it is invalid.
532  *
533  * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
534  *
535  * \note            If type is MBEDTLS_PK_RSASSA_PSS, then options must point
536  *                  to a mbedtls_pk_rsassa_pss_options structure,
537  *                  otherwise it must be NULL. Note that if
538  *                  #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not
539  *                  verified as PSA_ALG_RSA_PSS_ANY_SALT is used.
540  */
541 int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
542                           mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
543                           const unsigned char *hash, size_t hash_len,
544                           const unsigned char *sig, size_t sig_len);
545 
546 /**
547  * \brief           Make signature, including padding if relevant.
548  *
549  * \param ctx       The PK context to use. It must have been set up
550  *                  with a private key.
551  * \param md_alg    Hash algorithm used (see notes)
552  * \param hash      Hash of the message to sign
553  * \param hash_len  Hash length
554  * \param sig       Place to write the signature.
555  *                  It must have enough room for the signature.
556  *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
557  *                  You may use a smaller buffer if it is large enough
558  *                  given the key type.
559  * \param sig_size  The size of the \p sig buffer in bytes.
560  * \param sig_len   On successful return,
561  *                  the number of bytes written to \p sig.
562  * \param f_rng     RNG function, must not be \c NULL.
563  * \param p_rng     RNG parameter
564  *
565  * \return          0 on success, or a specific error code.
566  *
567  * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
568  *                  There is no interface in the PK module to make RSASSA-PSS
569  *                  signatures yet.
570  *
571  * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
572  *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
573  */
574 int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
575                     const unsigned char *hash, size_t hash_len,
576                     unsigned char *sig, size_t sig_size, size_t *sig_len,
577                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
578 
579 #if defined(MBEDTLS_PSA_CRYPTO_C)
580 /**
581  * \brief           Make signature given a signature type.
582  *
583  * \param pk_type   Signature type.
584  * \param ctx       The PK context to use. It must have been set up
585  *                  with a private key.
586  * \param md_alg    Hash algorithm used (see notes)
587  * \param hash      Hash of the message to sign
588  * \param hash_len  Hash length
589  * \param sig       Place to write the signature.
590  *                  It must have enough room for the signature.
591  *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
592  *                  You may use a smaller buffer if it is large enough
593  *                  given the key type.
594  * \param sig_size  The size of the \p sig buffer in bytes.
595  * \param sig_len   On successful return,
596  *                  the number of bytes written to \p sig.
597  * \param f_rng     RNG function, must not be \c NULL.
598  * \param p_rng     RNG parameter
599  *
600  * \return          0 on success, or a specific error code.
601  *
602  * \note            When \p pk_type is #MBEDTLS_PK_RSASSA_PSS,
603  *                  see #PSA_ALG_RSA_PSS for a description of PSS options used.
604  *
605  * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
606  *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
607  *
608  */
609 int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
610                         mbedtls_pk_context *ctx,
611                         mbedtls_md_type_t md_alg,
612                         const unsigned char *hash, size_t hash_len,
613                         unsigned char *sig, size_t sig_size, size_t *sig_len,
614                         int (*f_rng)(void *, unsigned char *, size_t),
615                         void *p_rng);
616 #endif /* MBEDTLS_PSA_CRYPTO_C */
617 
618 /**
619  * \brief           Restartable version of \c mbedtls_pk_sign()
620  *
621  * \note            Performs the same job as \c mbedtls_pk_sign(), but can
622  *                  return early and restart according to the limit set with
623  *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
624  *                  operations. For RSA, same as \c mbedtls_pk_sign().
625  *
626  * \param ctx       The PK context to use. It must have been set up
627  *                  with a private key.
628  * \param md_alg    Hash algorithm used (see notes for mbedtls_pk_sign())
629  * \param hash      Hash of the message to sign
630  * \param hash_len  Hash length
631  * \param sig       Place to write the signature.
632  *                  It must have enough room for the signature.
633  *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
634  *                  You may use a smaller buffer if it is large enough
635  *                  given the key type.
636  * \param sig_size  The size of the \p sig buffer in bytes.
637  * \param sig_len   On successful return,
638  *                  the number of bytes written to \p sig.
639  * \param f_rng     RNG function, must not be \c NULL.
640  * \param p_rng     RNG parameter
641  * \param rs_ctx    Restart context (NULL to disable restart)
642  *
643  * \return          See \c mbedtls_pk_sign().
644  * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
645  *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
646  */
647 int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
648                                 mbedtls_md_type_t md_alg,
649                                 const unsigned char *hash, size_t hash_len,
650                                 unsigned char *sig, size_t sig_size, size_t *sig_len,
651                                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
652                                 mbedtls_pk_restart_ctx *rs_ctx);
653 
654 /**
655  * \brief           Decrypt message (including padding if relevant).
656  *
657  * \param ctx       The PK context to use. It must have been set up
658  *                  with a private key.
659  * \param input     Input to decrypt
660  * \param ilen      Input size
661  * \param output    Decrypted output
662  * \param olen      Decrypted message length
663  * \param osize     Size of the output buffer
664  * \param f_rng     RNG function, must not be \c NULL.
665  * \param p_rng     RNG parameter
666  *
667  * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
668  *
669  * \return          0 on success, or a specific error code.
670  */
671 int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
672                        const unsigned char *input, size_t ilen,
673                        unsigned char *output, size_t *olen, size_t osize,
674                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
675 
676 /**
677  * \brief           Encrypt message (including padding if relevant).
678  *
679  * \param ctx       The PK context to use. It must have been set up.
680  * \param input     Message to encrypt
681  * \param ilen      Message size
682  * \param output    Encrypted output
683  * \param olen      Encrypted output length
684  * \param osize     Size of the output buffer
685  * \param f_rng     RNG function, must not be \c NULL.
686  * \param p_rng     RNG parameter
687  *
688  * \note            \p f_rng is used for padding generation.
689  *
690  * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
691  *
692  * \return          0 on success, or a specific error code.
693  */
694 int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
695                        const unsigned char *input, size_t ilen,
696                        unsigned char *output, size_t *olen, size_t osize,
697                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
698 
699 /**
700  * \brief           Check if a public-private pair of keys matches.
701  *
702  * \param pub       Context holding a public key.
703  * \param prv       Context holding a private (and public) key.
704  * \param f_rng     RNG function, must not be \c NULL.
705  * \param p_rng     RNG parameter
706  *
707  * \return          \c 0 on success (keys were checked and match each other).
708  * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not
709  *                  be checked - in that case they may or may not match.
710  * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid.
711  * \return          Another non-zero value if the keys do not match.
712  */
713 int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
714                           const mbedtls_pk_context *prv,
715                           int (*f_rng)(void *, unsigned char *, size_t),
716                           void *p_rng);
717 
718 /**
719  * \brief           Export debug information
720  *
721  * \param ctx       The PK context to use. It must have been initialized.
722  * \param items     Place to write debug items
723  *
724  * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
725  */
726 int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items);
727 
728 /**
729  * \brief           Access the type name
730  *
731  * \param ctx       The PK context to use. It must have been initialized.
732  *
733  * \return          Type name on success, or "invalid PK"
734  */
735 const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx);
736 
737 /**
738  * \brief           Get the key type
739  *
740  * \param ctx       The PK context to use. It must have been initialized.
741  *
742  * \return          Type on success.
743  * \return          #MBEDTLS_PK_NONE for a context that has not been set up.
744  */
745 mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx);
746 
747 #if defined(MBEDTLS_RSA_C)
748 /**
749  * Quick access to an RSA context inside a PK context.
750  *
751  * \warning This function can only be used when the type of the context, as
752  * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_RSA.
753  * Ensuring that is the caller's responsibility.
754  * Alternatively, you can check whether this function returns NULL.
755  *
756  * \return The internal RSA context held by the PK context, or NULL.
757  */
mbedtls_pk_rsa(const mbedtls_pk_context pk)758 static inline mbedtls_rsa_context *mbedtls_pk_rsa(const mbedtls_pk_context pk)
759 {
760     switch (mbedtls_pk_get_type(&pk)) {
761         case MBEDTLS_PK_RSA:
762             return (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx);
763         default:
764             return NULL;
765     }
766 }
767 #endif /* MBEDTLS_RSA_C */
768 
769 #if defined(MBEDTLS_ECP_C)
770 /**
771  * Quick access to an EC context inside a PK context.
772  *
773  * \warning This function can only be used when the type of the context, as
774  * returned by mbedtls_pk_get_type(), is #MBEDTLS_PK_ECKEY,
775  * #MBEDTLS_PK_ECKEY_DH, or #MBEDTLS_PK_ECDSA.
776  * Ensuring that is the caller's responsibility.
777  * Alternatively, you can check whether this function returns NULL.
778  *
779  * \return The internal EC context held by the PK context, or NULL.
780  */
mbedtls_pk_ec(const mbedtls_pk_context pk)781 static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
782 {
783     switch (mbedtls_pk_get_type(&pk)) {
784         case MBEDTLS_PK_ECKEY:
785         case MBEDTLS_PK_ECKEY_DH:
786         case MBEDTLS_PK_ECDSA:
787             return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
788         default:
789             return NULL;
790     }
791 }
792 #endif /* MBEDTLS_ECP_C */
793 
794 #if defined(MBEDTLS_PK_PARSE_C)
795 /** \ingroup pk_module */
796 /**
797  * \brief           Parse a private key in PEM or DER format
798  *
799  * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
800  *                  subsystem must have been initialized by calling
801  *                  psa_crypto_init() before calling this function.
802  *
803  * \param ctx       The PK context to fill. It must have been initialized
804  *                  but not set up.
805  * \param key       Input buffer to parse.
806  *                  The buffer must contain the input exactly, with no
807  *                  extra trailing material. For PEM, the buffer must
808  *                  contain a null-terminated string.
809  * \param keylen    Size of \b key in bytes.
810  *                  For PEM data, this includes the terminating null byte,
811  *                  so \p keylen must be equal to `strlen(key) + 1`.
812  * \param pwd       Optional password for decryption.
813  *                  Pass \c NULL if expecting a non-encrypted key.
814  *                  Pass a string of \p pwdlen bytes if expecting an encrypted
815  *                  key; a non-encrypted key will also be accepted.
816  *                  The empty password is not supported.
817  * \param pwdlen    Size of the password in bytes.
818  *                  Ignored if \p pwd is \c NULL.
819  * \param f_rng     RNG function, must not be \c NULL. Used for blinding.
820  * \param p_rng     RNG parameter
821  *
822  * \note            On entry, ctx must be empty, either freshly initialised
823  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
824  *                  specific key type, check the result with mbedtls_pk_can_do().
825  *
826  * \note            The key is also checked for correctness.
827  *
828  * \return          0 if successful, or a specific PK or PEM error code
829  */
830 int mbedtls_pk_parse_key(mbedtls_pk_context *ctx,
831                          const unsigned char *key, size_t keylen,
832                          const unsigned char *pwd, size_t pwdlen,
833                          int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
834 
835 /** \ingroup pk_module */
836 /**
837  * \brief           Parse a public key in PEM or DER format
838  *
839  * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
840  *                  subsystem must have been initialized by calling
841  *                  psa_crypto_init() before calling this function.
842  *
843  * \param ctx       The PK context to fill. It must have been initialized
844  *                  but not set up.
845  * \param key       Input buffer to parse.
846  *                  The buffer must contain the input exactly, with no
847  *                  extra trailing material. For PEM, the buffer must
848  *                  contain a null-terminated string.
849  * \param keylen    Size of \b key in bytes.
850  *                  For PEM data, this includes the terminating null byte,
851  *                  so \p keylen must be equal to `strlen(key) + 1`.
852  *
853  * \note            On entry, ctx must be empty, either freshly initialised
854  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
855  *                  specific key type, check the result with mbedtls_pk_can_do().
856  *
857  * \note            For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
858  *                  limitations.
859  *
860  * \note            The key is also checked for correctness.
861  *
862  * \return          0 if successful, or a specific PK or PEM error code
863  */
864 int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
865                                 const unsigned char *key, size_t keylen);
866 
867 #if defined(MBEDTLS_FS_IO)
868 /** \ingroup pk_module */
869 /**
870  * \brief           Load and parse a private key
871  *
872  * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
873  *                  subsystem must have been initialized by calling
874  *                  psa_crypto_init() before calling this function.
875  *
876  * \param ctx       The PK context to fill. It must have been initialized
877  *                  but not set up.
878  * \param path      filename to read the private key from
879  * \param password  Optional password to decrypt the file.
880  *                  Pass \c NULL if expecting a non-encrypted key.
881  *                  Pass a null-terminated string if expecting an encrypted
882  *                  key; a non-encrypted key will also be accepted.
883  *                  The empty password is not supported.
884  * \param f_rng     RNG function, must not be \c NULL. Used for blinding.
885  * \param p_rng     RNG parameter
886  *
887  * \note            On entry, ctx must be empty, either freshly initialised
888  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
889  *                  specific key type, check the result with mbedtls_pk_can_do().
890  *
891  * \note            The key is also checked for correctness.
892  *
893  * \return          0 if successful, or a specific PK or PEM error code
894  */
895 int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
896                              const char *path, const char *password,
897                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
898 
899 /** \ingroup pk_module */
900 /**
901  * \brief           Load and parse a public key
902  *
903  * \param ctx       The PK context to fill. It must have been initialized
904  *                  but not set up.
905  * \param path      filename to read the public key from
906  *
907  * \note            On entry, ctx must be empty, either freshly initialised
908  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
909  *                  you need a specific key type, check the result with
910  *                  mbedtls_pk_can_do().
911  *
912  * \note            The key is also checked for correctness.
913  *
914  * \return          0 if successful, or a specific PK or PEM error code
915  */
916 int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path);
917 #endif /* MBEDTLS_FS_IO */
918 #endif /* MBEDTLS_PK_PARSE_C */
919 
920 #if defined(MBEDTLS_PK_WRITE_C)
921 /**
922  * \brief           Write a private key to a PKCS#1 or SEC1 DER structure
923  *                  Note: data is written at the end of the buffer! Use the
924  *                        return value to determine where you should start
925  *                        using the buffer
926  *
927  * \param ctx       PK context which must contain a valid private key.
928  * \param buf       buffer to write to
929  * \param size      size of the buffer
930  *
931  * \return          length of data written if successful, or a specific
932  *                  error code
933  */
934 int mbedtls_pk_write_key_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
935 
936 /**
937  * \brief           Write a public key to a SubjectPublicKeyInfo DER structure
938  *                  Note: data is written at the end of the buffer! Use the
939  *                        return value to determine where you should start
940  *                        using the buffer
941  *
942  * \param ctx       PK context which must contain a valid public or private key.
943  * \param buf       buffer to write to
944  * \param size      size of the buffer
945  *
946  * \return          length of data written if successful, or a specific
947  *                  error code
948  */
949 int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
950 
951 #if defined(MBEDTLS_PEM_WRITE_C)
952 /**
953  * \brief           Write a public key to a PEM string
954  *
955  * \param ctx       PK context which must contain a valid public or private key.
956  * \param buf       Buffer to write to. The output includes a
957  *                  terminating null byte.
958  * \param size      Size of the buffer in bytes.
959  *
960  * \return          0 if successful, or a specific error code
961  */
962 int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
963 
964 /**
965  * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
966  *
967  * \param ctx       PK context which must contain a valid private key.
968  * \param buf       Buffer to write to. The output includes a
969  *                  terminating null byte.
970  * \param size      Size of the buffer in bytes.
971  *
972  * \return          0 if successful, or a specific error code
973  */
974 int mbedtls_pk_write_key_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
975 #endif /* MBEDTLS_PEM_WRITE_C */
976 #endif /* MBEDTLS_PK_WRITE_C */
977 
978 /*
979  * WARNING: Low-level functions. You probably do not want to use these unless
980  *          you are certain you do ;)
981  */
982 
983 #if defined(MBEDTLS_PK_PARSE_C)
984 /**
985  * \brief           Parse a SubjectPublicKeyInfo DER structure
986  *
987  * \param p         the position in the ASN.1 data
988  * \param end       end of the buffer
989  * \param pk        The PK context to fill. It must have been initialized
990  *                  but not set up.
991  *
992  * \return          0 if successful, or a specific PK error code
993  */
994 int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
995                                mbedtls_pk_context *pk);
996 #endif /* MBEDTLS_PK_PARSE_C */
997 
998 #if defined(MBEDTLS_PK_WRITE_C)
999 /**
1000  * \brief           Write a subjectPublicKey to ASN.1 data
1001  *                  Note: function works backwards in data buffer
1002  *
1003  * \param p         reference to current position pointer
1004  * \param start     start of the buffer (for bounds-checking)
1005  * \param key       PK context which must contain a valid public or private key.
1006  *
1007  * \return          the length written or a negative error code
1008  */
1009 int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
1010                             const mbedtls_pk_context *key);
1011 #endif /* MBEDTLS_PK_WRITE_C */
1012 
1013 /*
1014  * Internal module functions. You probably do not want to use these unless you
1015  * know you do.
1016  */
1017 #if defined(MBEDTLS_FS_IO)
1018 int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
1019 #endif
1020 
1021 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1022 /**
1023  * \brief           Turn an EC or RSA key into an opaque one.
1024  *
1025  * \warning         This is a temporary utility function for tests. It might
1026  *                  change or be removed at any time without notice.
1027  *
1028  * \param pk        Input: the EC or RSA key to import to a PSA key.
1029  *                  Output: a PK context wrapping that PSA key.
1030  * \param key       Output: a PSA key identifier.
1031  *                  It's the caller's responsibility to call
1032  *                  psa_destroy_key() on that key identifier after calling
1033  *                  mbedtls_pk_free() on the PK context.
1034  * \param alg       The algorithm to allow for use with that key.
1035  * \param usage     The usage to allow for use with that key.
1036  * \param alg2      The secondary algorithm to allow for use with that key.
1037  *
1038  * \return          \c 0 if successful.
1039  * \return          An Mbed TLS error code otherwise.
1040  */
1041 int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
1042                               mbedtls_svc_key_id_t *key,
1043                               psa_algorithm_t alg,
1044                               psa_key_usage_t usage,
1045                               psa_algorithm_t alg2);
1046 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1047 
1048 #ifdef __cplusplus
1049 }
1050 #endif
1051 
1052 #endif /* MBEDTLS_PK_H */
1053