Merge pull request #3786 from stevew817/feature/generate_pubkey_in_driver

Add export_public_key entry point for drivers
This commit is contained in:
Gilles Peskine 2020-11-23 11:54:53 +01:00 committed by GitHub
commit 9aaa3e164a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 280 additions and 11 deletions

View File

@ -0,0 +1,3 @@
Features
* Implementation of the export_public_key interface for PSA Crypto
accelerator drivers, as defined in #3493. Contributed in #3786.

View File

@ -1721,14 +1721,24 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
/* Exporting private -> private */ /* Exporting private -> private */
return( psa_internal_export_key_buffer( slot, data, data_size, data_length ) ); return( psa_internal_export_key_buffer( slot, data, data_size, data_length ) );
} }
/* Need to export the public part of a private key, /* Need to export the public part of a private key,
* so conversion is needed */ * so conversion is needed. Try the accelerators first. */
psa_status_t status = psa_driver_wrapper_export_public_key( slot,
data,
data_size,
data_length );
if( status != PSA_ERROR_NOT_SUPPORTED ||
psa_key_lifetime_is_external( slot->attr.lifetime ) )
return( status );
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{ {
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
psa_status_t status = psa_load_rsa_representation( status = psa_load_rsa_representation(
slot->attr.type, slot->attr.type,
slot->data.key.data, slot->data.key.data,
slot->data.key.bytes, slot->data.key.bytes,
@ -1757,7 +1767,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
mbedtls_ecp_keypair *ecp = NULL; mbedtls_ecp_keypair *ecp = NULL;
psa_status_t status = psa_load_ecp_representation( status = psa_load_ecp_representation(
slot->attr.type, slot->attr.type,
slot->data.key.data, slot->data.key.data,
slot->data.key.bytes, slot->data.key.bytes,

View File

@ -438,6 +438,59 @@ psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attrib
#endif /* PSA_CRYPTO_DRIVER_PRESENT */ #endif /* PSA_CRYPTO_DRIVER_PRESENT */
} }
psa_status_t psa_driver_wrapper_export_public_key( const psa_key_slot_t *slot,
uint8_t *data,
size_t data_size,
size_t *data_length )
{
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
psa_key_attributes_t attributes = {
.core = slot->attr
};
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_export_public_key( &attributes,
slot->data.key.data,
slot->data.key.bytes,
data,
data_size,
data_length );
/* Declared with fallback == true */
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
/* Fell through, meaning no accelerator supports this operation */
return( PSA_ERROR_NOT_SUPPORTED );
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
return( test_opaque_export_public_key( &attributes,
slot->data.key.data,
slot->data.key.bytes,
data,
data_size,
data_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
default:
/* Key is declared with a lifetime not known to us */
return( status );
}
#else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
(void) slot;
(void) data;
(void) data_size;
(void) data_length;
return( PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
/* /*
* Cipher functions * Cipher functions
*/ */

View File

@ -55,6 +55,11 @@ psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attrib
size_t data_length, size_t data_length,
size_t *bits ); size_t *bits );
psa_status_t psa_driver_wrapper_export_public_key( const psa_key_slot_t *slot,
uint8_t *data,
size_t data_size,
size_t *data_length );
/* /*
* Cipher functions * Cipher functions
*/ */

View File

@ -58,10 +58,21 @@ psa_status_t test_opaque_generate_key(
const psa_key_attributes_t *attributes, const psa_key_attributes_t *attributes,
uint8_t *key, size_t key_size, size_t *key_length ); uint8_t *key, size_t key_size, size_t *key_length );
psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attributes, psa_status_t test_transparent_validate_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, const uint8_t *data,
size_t data_length, size_t data_length,
size_t *bits); size_t *bits);
psa_status_t test_transparent_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
uint8_t *data, size_t data_size, size_t *data_length );
psa_status_t test_opaque_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
uint8_t *data, size_t data_size, size_t *data_length );
#endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H */ #endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H */

View File

@ -137,10 +137,11 @@ psa_status_t test_opaque_generate_key(
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attributes, psa_status_t test_transparent_validate_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, const uint8_t *data,
size_t data_length, size_t data_length,
size_t *bits) size_t *bits )
{ {
++test_driver_key_management_hooks.hits; ++test_driver_key_management_hooks.hits;
@ -248,4 +249,107 @@ ecp_exit:
* MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ * MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */
} }
psa_status_t test_transparent_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
uint8_t *data, size_t data_size, size_t *data_length )
{
++test_driver_key_management_hooks.hits;
if( test_driver_key_management_hooks.forced_status != PSA_SUCCESS )
return( test_driver_key_management_hooks.forced_status );
if( test_driver_key_management_hooks.forced_output != NULL )
{
if( test_driver_key_management_hooks.forced_output_length > data_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
memcpy( data, test_driver_key_management_hooks.forced_output,
test_driver_key_management_hooks.forced_output_length );
*data_length = test_driver_key_management_hooks.forced_output_length;
return( PSA_SUCCESS );
}
if( key == NULL || key_length == 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
psa_key_type_t keytype = psa_get_key_type( attributes );
(void) keytype;
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( keytype ) )
{
if( !PSA_KEY_TYPE_IS_KEY_PAIR( keytype ) )
return( PSA_ERROR_INVALID_ARGUMENT );
/* Mostly copied from psa_crypto.c */
mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_keypair ecp;
mbedtls_test_rnd_pseudo_info rnd_info;
memset( &rnd_info, 0x5A, sizeof( mbedtls_test_rnd_pseudo_info ) );
if( attributes->domain_parameters_size != 0 )
return( PSA_ERROR_NOT_SUPPORTED );
grp_id = mbedtls_ecc_group_of_psa( PSA_KEY_TYPE_ECC_GET_FAMILY( keytype ),
PSA_BITS_TO_BYTES( psa_get_key_bits( attributes ) ) );
if( grp_id == MBEDTLS_ECP_DP_NONE )
return( PSA_ERROR_NOT_SUPPORTED );
mbedtls_ecp_keypair_init( &ecp );
status = mbedtls_to_psa_error(
mbedtls_ecp_group_load( &ecp.grp, grp_id ) );
if( status != PSA_SUCCESS )
goto ecp_exit;
status = mbedtls_to_psa_error(
mbedtls_ecp_read_key( ecp.grp.id,
&ecp,
key,
key_length ) );
if( status != PSA_SUCCESS )
goto ecp_exit;
/* Calculate the public key */
status = mbedtls_to_psa_error(
mbedtls_ecp_mul( &ecp.grp, &ecp.Q, &ecp.d, &ecp.grp.G,
&mbedtls_test_rnd_pseudo_rand,
&rnd_info ) );
if( status != PSA_SUCCESS )
goto ecp_exit;
status = mbedtls_to_psa_error(
mbedtls_ecp_point_write_binary( &ecp.grp, &ecp.Q,
MBEDTLS_ECP_PF_UNCOMPRESSED,
data_length,
data,
data_size ) );
if( status != PSA_SUCCESS )
memset( data, 0, data_size );
ecp_exit:
mbedtls_ecp_keypair_free( &ecp );
return( status );
}
#endif /* MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR ||
* MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t test_opaque_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
uint8_t *data, size_t data_size, size_t *data_length )
{
(void) attributes;
(void) key;
(void) key_length;
(void) data;
(void) data_size;
(void) data_length;
return( PSA_ERROR_NOT_SUPPORTED );
}
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */

View File

@ -59,6 +59,22 @@ validate_key:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_
validate key through transparent driver: error validate key through transparent driver: error
validate_key:PSA_ERROR_GENERIC_ERROR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ERROR_GENERIC_ERROR validate_key:PSA_ERROR_GENERIC_ERROR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ERROR_GENERIC_ERROR
export_key private to public through driver: fake
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
export_key:PSA_SUCCESS:"0102030405":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"":PSA_SUCCESS
export_key private to public through driver: in-driver
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
export_key:PSA_SUCCESS:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_SUCCESS
export_key private to public through driver: fallback
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
export_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_SUCCESS
export_key private to public through driver: error
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
export_key:PSA_ERROR_GENERIC_ERROR:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"":PSA_ERROR_GENERIC_ERROR
PSA symmetric encrypt: AES-CTR, 16 bytes, good PSA symmetric encrypt: AES-CTR, 16 bytes, good
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_SUCCESS:PSA_SUCCESS cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_SUCCESS:PSA_SUCCESS

View File

@ -218,6 +218,73 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
void export_key( int force_status_arg,
data_t *fake_output,
int key_in_type_arg,
data_t *key_in,
int key_out_type_arg,
data_t *expected_output,
int expected_status_arg )
{
psa_status_t force_status = force_status_arg;
psa_status_t expected_status = expected_status_arg;
psa_key_handle_t handle = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t input_key_type = key_in_type_arg;
psa_key_type_t output_key_type = key_out_type_arg;
const uint8_t *expected_output_ptr = NULL;
size_t expected_output_length = 0;
psa_status_t actual_status;
uint8_t actual_output[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(256)] = {0};
size_t actual_output_length;
test_driver_key_management_hooks = test_driver_key_management_hooks_init();
psa_set_key_type( &attributes, input_key_type );
psa_set_key_bits( &attributes, 256 );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
PSA_ASSERT( psa_crypto_init( ) );
PSA_ASSERT( psa_import_key( &attributes, key_in->x, key_in->len, &handle ) );
if( fake_output->len > 0 )
{
expected_output_ptr = test_driver_key_management_hooks.forced_output = fake_output->x;
expected_output_length = test_driver_key_management_hooks.forced_output_length =
fake_output->len;
}
else
{
expected_output_ptr = expected_output->x;
expected_output_length = expected_output->len;
}
test_driver_key_management_hooks.hits = 0;
test_driver_key_management_hooks.forced_status = force_status;
if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( output_key_type ) )
actual_status = psa_export_public_key( handle, actual_output, sizeof(actual_output), &actual_output_length );
else
actual_status = psa_export_key( handle, actual_output, sizeof(actual_output), &actual_output_length );
TEST_EQUAL( actual_status, expected_status );
if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( output_key_type ) &&
!PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( input_key_type ) )
TEST_EQUAL( test_driver_key_management_hooks.hits, 1 );
if( actual_status == PSA_SUCCESS )
{
ASSERT_COMPARE( actual_output, actual_output_length,
expected_output_ptr, expected_output_length );
}
exit:
psa_reset_key_attributes( &attributes );
psa_destroy_key( handle );
PSA_DONE( );
test_driver_key_management_hooks = test_driver_key_management_hooks_init();
}
/* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void cipher_encrypt( int alg_arg, int key_type_arg, void cipher_encrypt( int alg_arg, int key_type_arg,
data_t *key_data, data_t *iv, data_t *key_data, data_t *iv,