1 /*
2 * Public Key abstraction layer
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_PK_C)
23 #include "mbedtls/pk.h"
24 #include "pk_wrap.h"
25 #include "pkwrite.h"
26
27 #include "hash_info.h"
28
29 #include "mbedtls/platform_util.h"
30 #include "mbedtls/error.h"
31
32 #if defined(MBEDTLS_RSA_C)
33 #include "mbedtls/rsa.h"
34 #endif
35 #if defined(MBEDTLS_ECP_C)
36 #include "mbedtls/ecp.h"
37 #endif
38 #if defined(MBEDTLS_ECDSA_C)
39 #include "mbedtls/ecdsa.h"
40 #endif
41
42 #if defined(MBEDTLS_PSA_CRYPTO_C)
43 #include "mbedtls/psa_util.h"
44 #define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
45 #define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
46 psa_to_pk_rsa_errors, \
47 psa_pk_status_to_mbedtls)
48 #define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
49 psa_to_pk_ecdsa_errors, \
50 psa_pk_status_to_mbedtls)
51 #endif
52
53 #include <limits.h>
54 #include <stdint.h>
55
56 /*
57 * Initialise a mbedtls_pk_context
58 */
mbedtls_pk_init(mbedtls_pk_context * ctx)59 void mbedtls_pk_init(mbedtls_pk_context *ctx)
60 {
61 ctx->pk_info = NULL;
62 ctx->pk_ctx = NULL;
63 }
64
65 /*
66 * Free (the components of) a mbedtls_pk_context
67 */
mbedtls_pk_free(mbedtls_pk_context * ctx)68 void mbedtls_pk_free(mbedtls_pk_context *ctx)
69 {
70 if (ctx == NULL) {
71 return;
72 }
73
74 if (ctx->pk_info != NULL) {
75 ctx->pk_info->ctx_free_func(ctx->pk_ctx);
76 }
77
78 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
79 }
80
81 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
82 /*
83 * Initialize a restart context
84 */
mbedtls_pk_restart_init(mbedtls_pk_restart_ctx * ctx)85 void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx)
86 {
87 ctx->pk_info = NULL;
88 ctx->rs_ctx = NULL;
89 }
90
91 /*
92 * Free the components of a restart context
93 */
mbedtls_pk_restart_free(mbedtls_pk_restart_ctx * ctx)94 void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx)
95 {
96 if (ctx == NULL || ctx->pk_info == NULL ||
97 ctx->pk_info->rs_free_func == NULL) {
98 return;
99 }
100
101 ctx->pk_info->rs_free_func(ctx->rs_ctx);
102
103 ctx->pk_info = NULL;
104 ctx->rs_ctx = NULL;
105 }
106 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
107
108 /*
109 * Get pk_info structure from type
110 */
mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)111 const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)
112 {
113 switch (pk_type) {
114 #if defined(MBEDTLS_RSA_C)
115 case MBEDTLS_PK_RSA:
116 return &mbedtls_rsa_info;
117 #endif
118 #if defined(MBEDTLS_ECP_C)
119 case MBEDTLS_PK_ECKEY:
120 return &mbedtls_eckey_info;
121 case MBEDTLS_PK_ECKEY_DH:
122 return &mbedtls_eckeydh_info;
123 #endif
124 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
125 case MBEDTLS_PK_ECDSA:
126 return &mbedtls_ecdsa_info;
127 #endif
128 /* MBEDTLS_PK_RSA_ALT omitted on purpose */
129 default:
130 return NULL;
131 }
132 }
133
134 /*
135 * Initialise context
136 */
mbedtls_pk_setup(mbedtls_pk_context * ctx,const mbedtls_pk_info_t * info)137 int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
138 {
139 if (info == NULL || ctx->pk_info != NULL) {
140 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
141 }
142
143 if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
144 return MBEDTLS_ERR_PK_ALLOC_FAILED;
145 }
146
147 ctx->pk_info = info;
148
149 return 0;
150 }
151
152 #if defined(MBEDTLS_USE_PSA_CRYPTO)
153 /*
154 * Initialise a PSA-wrapping context
155 */
mbedtls_pk_setup_opaque(mbedtls_pk_context * ctx,const mbedtls_svc_key_id_t key)156 int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
157 const mbedtls_svc_key_id_t key)
158 {
159 const mbedtls_pk_info_t *info = NULL;
160 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
161 mbedtls_svc_key_id_t *pk_ctx;
162 psa_key_type_t type;
163
164 if (ctx == NULL || ctx->pk_info != NULL) {
165 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
166 }
167
168 if (PSA_SUCCESS != psa_get_key_attributes(key, &attributes)) {
169 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
170 }
171 type = psa_get_key_type(&attributes);
172 psa_reset_key_attributes(&attributes);
173
174 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
175 info = &mbedtls_pk_ecdsa_opaque_info;
176 } else if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
177 info = &mbedtls_pk_rsa_opaque_info;
178 } else {
179 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
180 }
181
182 if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
183 return MBEDTLS_ERR_PK_ALLOC_FAILED;
184 }
185
186 ctx->pk_info = info;
187
188 pk_ctx = (mbedtls_svc_key_id_t *) ctx->pk_ctx;
189 *pk_ctx = key;
190
191 return 0;
192 }
193 #endif /* MBEDTLS_USE_PSA_CRYPTO */
194
195 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
196 /*
197 * Initialize an RSA-alt context
198 */
mbedtls_pk_setup_rsa_alt(mbedtls_pk_context * ctx,void * key,mbedtls_pk_rsa_alt_decrypt_func decrypt_func,mbedtls_pk_rsa_alt_sign_func sign_func,mbedtls_pk_rsa_alt_key_len_func key_len_func)199 int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
200 mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
201 mbedtls_pk_rsa_alt_sign_func sign_func,
202 mbedtls_pk_rsa_alt_key_len_func key_len_func)
203 {
204 mbedtls_rsa_alt_context *rsa_alt;
205 const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
206
207 if (ctx->pk_info != NULL) {
208 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
209 }
210
211 if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
212 return MBEDTLS_ERR_PK_ALLOC_FAILED;
213 }
214
215 ctx->pk_info = info;
216
217 rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
218
219 rsa_alt->key = key;
220 rsa_alt->decrypt_func = decrypt_func;
221 rsa_alt->sign_func = sign_func;
222 rsa_alt->key_len_func = key_len_func;
223
224 return 0;
225 }
226 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
227
228 /*
229 * Tell if a PK can do the operations of the given type
230 */
mbedtls_pk_can_do(const mbedtls_pk_context * ctx,mbedtls_pk_type_t type)231 int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
232 {
233 /* A context with null pk_info is not set up yet and can't do anything.
234 * For backward compatibility, also accept NULL instead of a context
235 * pointer. */
236 if (ctx == NULL || ctx->pk_info == NULL) {
237 return 0;
238 }
239
240 return ctx->pk_info->can_do(type);
241 }
242
243 #if defined(MBEDTLS_USE_PSA_CRYPTO)
244 /*
245 * Tell if a PK can do the operations of the given PSA algorithm
246 */
mbedtls_pk_can_do_ext(const mbedtls_pk_context * ctx,psa_algorithm_t alg,psa_key_usage_t usage)247 int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
248 psa_key_usage_t usage)
249 {
250 psa_key_usage_t key_usage;
251
252 /* A context with null pk_info is not set up yet and can't do anything.
253 * For backward compatibility, also accept NULL instead of a context
254 * pointer. */
255 if (ctx == NULL || ctx->pk_info == NULL) {
256 return 0;
257 }
258
259 /* Filter out non allowed algorithms */
260 if (PSA_ALG_IS_ECDSA(alg) == 0 &&
261 PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) == 0 &&
262 PSA_ALG_IS_RSA_PSS(alg) == 0 &&
263 alg != PSA_ALG_RSA_PKCS1V15_CRYPT &&
264 PSA_ALG_IS_ECDH(alg) == 0) {
265 return 0;
266 }
267
268 /* Filter out non allowed usage flags */
269 if (usage == 0 ||
270 (usage & ~(PSA_KEY_USAGE_SIGN_HASH |
271 PSA_KEY_USAGE_DECRYPT |
272 PSA_KEY_USAGE_DERIVE)) != 0) {
273 return 0;
274 }
275
276 /* Wildcard hash is not allowed */
277 if (PSA_ALG_IS_SIGN_HASH(alg) &&
278 PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH) {
279 return 0;
280 }
281
282 if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_OPAQUE) {
283 mbedtls_pk_type_t type;
284
285 if (PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_ECDH(alg)) {
286 type = MBEDTLS_PK_ECKEY;
287 } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
288 alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
289 type = MBEDTLS_PK_RSA;
290 } else if (PSA_ALG_IS_RSA_PSS(alg)) {
291 type = MBEDTLS_PK_RSASSA_PSS;
292 } else {
293 return 0;
294 }
295
296 if (ctx->pk_info->can_do(type) == 0) {
297 return 0;
298 }
299
300 switch (type) {
301 case MBEDTLS_PK_ECKEY:
302 key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
303 break;
304 case MBEDTLS_PK_RSA:
305 case MBEDTLS_PK_RSASSA_PSS:
306 key_usage = PSA_KEY_USAGE_SIGN_HASH |
307 PSA_KEY_USAGE_SIGN_MESSAGE |
308 PSA_KEY_USAGE_DECRYPT;
309 break;
310 default:
311 /* Should never happen */
312 return 0;
313 }
314
315 return (key_usage & usage) == usage;
316 }
317
318 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
319 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
320 psa_algorithm_t key_alg, key_alg2;
321 psa_status_t status;
322
323 status = psa_get_key_attributes(*key, &attributes);
324 if (status != PSA_SUCCESS) {
325 return 0;
326 }
327
328 key_alg = psa_get_key_algorithm(&attributes);
329 key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
330 key_usage = psa_get_key_usage_flags(&attributes);
331 psa_reset_key_attributes(&attributes);
332
333 if ((key_usage & usage) != usage) {
334 return 0;
335 }
336
337 /*
338 * Common case: the key alg or alg2 only allows alg.
339 * This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
340 * directly.
341 * This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
342 * a fixed hash on key_alg/key_alg2.
343 */
344 if (alg == key_alg || alg == key_alg2) {
345 return 1;
346 }
347
348 /*
349 * If key_alg or key_alg2 is a hash-and-sign with a wildcard for the hash,
350 * and alg is the same hash-and-sign family with any hash,
351 * then alg is compliant with this key alg
352 */
353 if (PSA_ALG_IS_SIGN_HASH(alg)) {
354
355 if (PSA_ALG_IS_SIGN_HASH(key_alg) &&
356 PSA_ALG_SIGN_GET_HASH(key_alg) == PSA_ALG_ANY_HASH &&
357 (alg & ~PSA_ALG_HASH_MASK) == (key_alg & ~PSA_ALG_HASH_MASK)) {
358 return 1;
359 }
360
361 if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
362 PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
363 (alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
364 return 1;
365 }
366 }
367
368 return 0;
369 }
370 #endif /* MBEDTLS_USE_PSA_CRYPTO */
371
372 /*
373 * Helper for mbedtls_pk_sign and mbedtls_pk_verify
374 */
pk_hashlen_helper(mbedtls_md_type_t md_alg,size_t * hash_len)375 static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
376 {
377 if (*hash_len != 0) {
378 return 0;
379 }
380
381 *hash_len = mbedtls_hash_info_get_size(md_alg);
382
383 if (*hash_len == 0) {
384 return -1;
385 }
386
387 return 0;
388 }
389
390 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
391 /*
392 * Helper to set up a restart context if needed
393 */
pk_restart_setup(mbedtls_pk_restart_ctx * ctx,const mbedtls_pk_info_t * info)394 static int pk_restart_setup(mbedtls_pk_restart_ctx *ctx,
395 const mbedtls_pk_info_t *info)
396 {
397 /* Don't do anything if already set up or invalid */
398 if (ctx == NULL || ctx->pk_info != NULL) {
399 return 0;
400 }
401
402 /* Should never happen when we're called */
403 if (info->rs_alloc_func == NULL || info->rs_free_func == NULL) {
404 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
405 }
406
407 if ((ctx->rs_ctx = info->rs_alloc_func()) == NULL) {
408 return MBEDTLS_ERR_PK_ALLOC_FAILED;
409 }
410
411 ctx->pk_info = info;
412
413 return 0;
414 }
415 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
416
417 /*
418 * Verify a signature (restartable)
419 */
mbedtls_pk_verify_restartable(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,mbedtls_pk_restart_ctx * rs_ctx)420 int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
421 mbedtls_md_type_t md_alg,
422 const unsigned char *hash, size_t hash_len,
423 const unsigned char *sig, size_t sig_len,
424 mbedtls_pk_restart_ctx *rs_ctx)
425 {
426 if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
427 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
428 }
429
430 if (ctx->pk_info == NULL ||
431 pk_hashlen_helper(md_alg, &hash_len) != 0) {
432 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
433 }
434
435 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
436 /* optimization: use non-restartable version if restart disabled */
437 if (rs_ctx != NULL &&
438 mbedtls_ecp_restart_is_enabled() &&
439 ctx->pk_info->verify_rs_func != NULL) {
440 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
441
442 if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
443 return ret;
444 }
445
446 ret = ctx->pk_info->verify_rs_func(ctx->pk_ctx,
447 md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx);
448
449 if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
450 mbedtls_pk_restart_free(rs_ctx);
451 }
452
453 return ret;
454 }
455 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
456 (void) rs_ctx;
457 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
458
459 if (ctx->pk_info->verify_func == NULL) {
460 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
461 }
462
463 return ctx->pk_info->verify_func(ctx->pk_ctx, md_alg, hash, hash_len,
464 sig, sig_len);
465 }
466
467 /*
468 * Verify a signature
469 */
mbedtls_pk_verify(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)470 int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
471 const unsigned char *hash, size_t hash_len,
472 const unsigned char *sig, size_t sig_len)
473 {
474 return mbedtls_pk_verify_restartable(ctx, md_alg, hash, hash_len,
475 sig, sig_len, NULL);
476 }
477
478 /*
479 * Verify a signature with options
480 */
mbedtls_pk_verify_ext(mbedtls_pk_type_t type,const void * options,mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)481 int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
482 mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
483 const unsigned char *hash, size_t hash_len,
484 const unsigned char *sig, size_t sig_len)
485 {
486 if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
487 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
488 }
489
490 if (ctx->pk_info == NULL) {
491 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
492 }
493
494 if (!mbedtls_pk_can_do(ctx, type)) {
495 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
496 }
497
498 if (type != MBEDTLS_PK_RSASSA_PSS) {
499 /* General case: no options */
500 if (options != NULL) {
501 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
502 }
503
504 return mbedtls_pk_verify(ctx, md_alg, hash, hash_len, sig, sig_len);
505 }
506
507 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
508 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
509 const mbedtls_pk_rsassa_pss_options *pss_opts;
510
511 if (md_alg == MBEDTLS_MD_NONE && (int)UINT_MAX < (int)hash_len) {
512 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
513 }
514
515 if (options == NULL) {
516 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
517 }
518
519 pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
520
521 #if defined(MBEDTLS_USE_PSA_CRYPTO)
522 if (pss_opts->mgf1_hash_id == md_alg) {
523 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
524 unsigned char *p;
525 int key_len;
526 size_t signature_length;
527 psa_status_t status = PSA_ERROR_DATA_CORRUPT;
528 psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
529
530 psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
531 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
532 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
533 psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
534 p = buf + sizeof(buf);
535 key_len = mbedtls_pk_write_pubkey(&p, buf, ctx);
536
537 if (key_len < 0) {
538 return key_len;
539 }
540
541 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
542 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
543 psa_set_key_algorithm(&attributes, psa_sig_alg);
544
545 status = psa_import_key(&attributes,
546 buf + sizeof(buf) - key_len, key_len,
547 &key_id);
548 if (status != PSA_SUCCESS) {
549 psa_destroy_key(key_id);
550 return PSA_PK_TO_MBEDTLS_ERR(status);
551 }
552
553 /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
554 * on a valid signature with trailing data in a buffer, but
555 * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
556 * so for this reason the passed sig_len is overwritten. Smaller
557 * signature lengths should not be accepted for verification. */
558 signature_length = sig_len > mbedtls_pk_get_len(ctx) ?
559 mbedtls_pk_get_len(ctx) : sig_len;
560 status = psa_verify_hash(key_id, psa_sig_alg, hash,
561 hash_len, sig, signature_length);
562 destruction_status = psa_destroy_key(key_id);
563
564 if (status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len(ctx)) {
565 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
566 }
567
568 if (status == PSA_SUCCESS) {
569 status = destruction_status;
570 }
571
572 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
573 } else
574 #endif
575 {
576 if (sig_len < mbedtls_pk_get_len(ctx)) {
577 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
578 }
579
580 ret = mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_pk_rsa(*ctx),
581 md_alg, (unsigned int) hash_len, hash,
582 pss_opts->mgf1_hash_id,
583 pss_opts->expected_salt_len,
584 sig);
585 if (ret != 0) {
586 return ret;
587 }
588
589 if (sig_len > mbedtls_pk_get_len(ctx)) {
590 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
591 }
592
593 return 0;
594 }
595 #else
596 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
597 #endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
598 }
599
600 /*
601 * Make a signature (restartable)
602 */
mbedtls_pk_sign_restartable(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_pk_restart_ctx * rs_ctx)603 int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
604 mbedtls_md_type_t md_alg,
605 const unsigned char *hash, size_t hash_len,
606 unsigned char *sig, size_t sig_size, size_t *sig_len,
607 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
608 mbedtls_pk_restart_ctx *rs_ctx)
609 {
610 if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
611 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
612 }
613
614 if (ctx->pk_info == NULL || pk_hashlen_helper(md_alg, &hash_len) != 0) {
615 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
616 }
617
618 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
619 /* optimization: use non-restartable version if restart disabled */
620 if (rs_ctx != NULL &&
621 mbedtls_ecp_restart_is_enabled() &&
622 ctx->pk_info->sign_rs_func != NULL) {
623 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
624
625 if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
626 return ret;
627 }
628
629 ret = ctx->pk_info->sign_rs_func(ctx->pk_ctx, md_alg,
630 hash, hash_len,
631 sig, sig_size, sig_len,
632 f_rng, p_rng, rs_ctx->rs_ctx);
633
634 if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
635 mbedtls_pk_restart_free(rs_ctx);
636 }
637
638 return ret;
639 }
640 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
641 (void) rs_ctx;
642 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
643
644 if (ctx->pk_info->sign_func == NULL) {
645 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
646 }
647
648 return ctx->pk_info->sign_func(ctx->pk_ctx, md_alg,
649 hash, hash_len,
650 sig, sig_size, sig_len,
651 f_rng, p_rng);
652 }
653
654 /*
655 * Make a signature
656 */
mbedtls_pk_sign(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)657 int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
658 const unsigned char *hash, size_t hash_len,
659 unsigned char *sig, size_t sig_size, size_t *sig_len,
660 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
661 {
662 return mbedtls_pk_sign_restartable(ctx, md_alg, hash, hash_len,
663 sig, sig_size, sig_len,
664 f_rng, p_rng, NULL);
665 }
666
667 #if defined(MBEDTLS_PSA_CRYPTO_C)
668 /*
669 * Make a signature given a signature type.
670 */
mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)671 int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
672 mbedtls_pk_context *ctx,
673 mbedtls_md_type_t md_alg,
674 const unsigned char *hash, size_t hash_len,
675 unsigned char *sig, size_t sig_size, size_t *sig_len,
676 int (*f_rng)(void *, unsigned char *, size_t),
677 void *p_rng)
678 {
679 #if defined(MBEDTLS_RSA_C)
680 psa_algorithm_t psa_md_alg;
681 #endif /* MBEDTLS_RSA_C */
682 *sig_len = 0;
683
684 if (ctx->pk_info == NULL) {
685 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
686 }
687
688 if (!mbedtls_pk_can_do(ctx, pk_type)) {
689 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
690 }
691
692 if (pk_type != MBEDTLS_PK_RSASSA_PSS) {
693 return mbedtls_pk_sign(ctx, md_alg, hash, hash_len,
694 sig, sig_size, sig_len, f_rng, p_rng);
695 }
696
697 #if defined(MBEDTLS_RSA_C)
698 psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
699 if (psa_md_alg == 0) {
700 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
701 }
702
703 if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
704 const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
705 psa_status_t status;
706
707 status = psa_sign_hash(*key, PSA_ALG_RSA_PSS(psa_md_alg),
708 hash, hash_len,
709 sig, sig_size, sig_len);
710 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
711 }
712
713 return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
714 ctx->pk_ctx, hash, hash_len,
715 sig, sig_size, sig_len);
716 #else /* MBEDTLS_RSA_C */
717 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
718 #endif /* !MBEDTLS_RSA_C */
719
720 }
721 #endif /* MBEDTLS_PSA_CRYPTO_C */
722
723 /*
724 * Decrypt message
725 */
mbedtls_pk_decrypt(mbedtls_pk_context * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)726 int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
727 const unsigned char *input, size_t ilen,
728 unsigned char *output, size_t *olen, size_t osize,
729 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
730 {
731 if (ctx->pk_info == NULL) {
732 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
733 }
734
735 if (ctx->pk_info->decrypt_func == NULL) {
736 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
737 }
738
739 return ctx->pk_info->decrypt_func(ctx->pk_ctx, input, ilen,
740 output, olen, osize, f_rng, p_rng);
741 }
742
743 /*
744 * Encrypt message
745 */
mbedtls_pk_encrypt(mbedtls_pk_context * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)746 int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
747 const unsigned char *input, size_t ilen,
748 unsigned char *output, size_t *olen, size_t osize,
749 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
750 {
751 if (ctx->pk_info == NULL) {
752 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
753 }
754
755 if (ctx->pk_info->encrypt_func == NULL) {
756 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
757 }
758
759 return ctx->pk_info->encrypt_func(ctx->pk_ctx, input, ilen,
760 output, olen, osize, f_rng, p_rng);
761 }
762
763 /*
764 * Check public-private key pair
765 */
mbedtls_pk_check_pair(const mbedtls_pk_context * pub,const mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)766 int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
767 const mbedtls_pk_context *prv,
768 int (*f_rng)(void *, unsigned char *, size_t),
769 void *p_rng)
770 {
771 if (pub->pk_info == NULL ||
772 prv->pk_info == NULL) {
773 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
774 }
775
776 if (f_rng == NULL) {
777 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
778 }
779
780 if (prv->pk_info->check_pair_func == NULL) {
781 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
782 }
783
784 if (prv->pk_info->type == MBEDTLS_PK_RSA_ALT) {
785 if (pub->pk_info->type != MBEDTLS_PK_RSA) {
786 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
787 }
788 } else {
789 if (pub->pk_info != prv->pk_info) {
790 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
791 }
792 }
793
794 return prv->pk_info->check_pair_func(pub->pk_ctx, prv->pk_ctx, f_rng, p_rng);
795 }
796
797 /*
798 * Get key size in bits
799 */
mbedtls_pk_get_bitlen(const mbedtls_pk_context * ctx)800 size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx)
801 {
802 /* For backward compatibility, accept NULL or a context that
803 * isn't set up yet, and return a fake value that should be safe. */
804 if (ctx == NULL || ctx->pk_info == NULL) {
805 return 0;
806 }
807
808 return ctx->pk_info->get_bitlen(ctx->pk_ctx);
809 }
810
811 /*
812 * Export debug information
813 */
mbedtls_pk_debug(const mbedtls_pk_context * ctx,mbedtls_pk_debug_item * items)814 int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items)
815 {
816 if (ctx->pk_info == NULL) {
817 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
818 }
819
820 if (ctx->pk_info->debug_func == NULL) {
821 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
822 }
823
824 ctx->pk_info->debug_func(ctx->pk_ctx, items);
825 return 0;
826 }
827
828 /*
829 * Access the PK type name
830 */
mbedtls_pk_get_name(const mbedtls_pk_context * ctx)831 const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx)
832 {
833 if (ctx == NULL || ctx->pk_info == NULL) {
834 return "invalid PK";
835 }
836
837 return ctx->pk_info->name;
838 }
839
840 /*
841 * Access the PK type
842 */
mbedtls_pk_get_type(const mbedtls_pk_context * ctx)843 mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx)
844 {
845 if (ctx == NULL || ctx->pk_info == NULL) {
846 return MBEDTLS_PK_NONE;
847 }
848
849 return ctx->pk_info->type;
850 }
851
852 #if defined(MBEDTLS_USE_PSA_CRYPTO)
853 /*
854 * Load the key to a PSA key slot,
855 * then turn the PK context into a wrapper for that key slot.
856 *
857 * Currently only works for EC & RSA private keys.
858 */
mbedtls_pk_wrap_as_opaque(mbedtls_pk_context * pk,mbedtls_svc_key_id_t * key,psa_algorithm_t alg,psa_key_usage_t usage,psa_algorithm_t alg2)859 int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
860 mbedtls_svc_key_id_t *key,
861 psa_algorithm_t alg,
862 psa_key_usage_t usage,
863 psa_algorithm_t alg2)
864 {
865 #if !defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_RSA_C)
866 ((void) pk);
867 ((void) key);
868 ((void) alg);
869 ((void) usage);
870 ((void) alg2);
871 #else
872 #if defined(MBEDTLS_ECP_C)
873 if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY) {
874 const mbedtls_ecp_keypair *ec;
875 unsigned char d[MBEDTLS_ECP_MAX_BYTES];
876 size_t d_len;
877 psa_ecc_family_t curve_id;
878 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
879 psa_key_type_t key_type;
880 size_t bits;
881 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
882 psa_status_t status;
883
884 /* export the private key material in the format PSA wants */
885 ec = mbedtls_pk_ec(*pk);
886 d_len = PSA_BITS_TO_BYTES(ec->grp.nbits);
887 if ((ret = mbedtls_mpi_write_binary(&ec->d, d, d_len)) != 0) {
888 return ret;
889 }
890
891 curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
892 key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id);
893
894 /* prepare the key attributes */
895 psa_set_key_type(&attributes, key_type);
896 psa_set_key_bits(&attributes, bits);
897 psa_set_key_usage_flags(&attributes, usage);
898 psa_set_key_algorithm(&attributes, alg);
899 if (alg2 != PSA_ALG_NONE) {
900 psa_set_key_enrollment_algorithm(&attributes, alg2);
901 }
902
903 /* import private key into PSA */
904 status = psa_import_key(&attributes, d, d_len, key);
905 if (status != PSA_SUCCESS) {
906 return PSA_PK_TO_MBEDTLS_ERR(status);
907 }
908
909 /* make PK context wrap the key slot */
910 mbedtls_pk_free(pk);
911 mbedtls_pk_init(pk);
912
913 return mbedtls_pk_setup_opaque(pk, *key);
914 } else
915 #endif /* MBEDTLS_ECP_C */
916 #if defined(MBEDTLS_RSA_C)
917 if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
918 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
919 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
920 int key_len;
921 psa_status_t status;
922
923 /* export the private key material in the format PSA wants */
924 key_len = mbedtls_pk_write_key_der(pk, buf, sizeof(buf));
925 if (key_len <= 0) {
926 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
927 }
928
929 /* prepare the key attributes */
930 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
931 psa_set_key_bits(&attributes, mbedtls_pk_get_bitlen(pk));
932 psa_set_key_usage_flags(&attributes, usage);
933 psa_set_key_algorithm(&attributes, alg);
934 if (alg2 != PSA_ALG_NONE) {
935 psa_set_key_enrollment_algorithm(&attributes, alg2);
936 }
937
938 /* import private key into PSA */
939 status = psa_import_key(&attributes,
940 buf + sizeof(buf) - key_len,
941 key_len, key);
942
943 mbedtls_platform_zeroize(buf, sizeof(buf));
944
945 if (status != PSA_SUCCESS) {
946 return PSA_PK_TO_MBEDTLS_ERR(status);
947 }
948
949 /* make PK context wrap the key slot */
950 mbedtls_pk_free(pk);
951 mbedtls_pk_init(pk);
952
953 return mbedtls_pk_setup_opaque(pk, *key);
954 } else
955 #endif /* MBEDTLS_RSA_C */
956 #endif /* !MBEDTLS_ECP_C && !MBEDTLS_RSA_C */
957 return MBEDTLS_ERR_PK_TYPE_MISMATCH;
958 }
959 #endif /* MBEDTLS_USE_PSA_CRYPTO */
960 #endif /* MBEDTLS_PK_C */
961