From 7599a7744e72f5db0043aa9e2f2e8cd987f8856b Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 7 Feb 2022 14:40:55 +0100 Subject: [PATCH 1/8] X.509: use PSA for hashing under USE_PSA_CRYPTO When MBEDTLS_USE_PSA_CRYPTO is enabled, use psa_hash_xxx rather than mbedtls_md_xxx. Signed-off-by: pespacek --- ChangeLog.d/MD-X.509-hashing.txt | 2 + library/x509_crt.c | 50 ++++++++++++++------- library/x509write_crt.c | 76 +++++++++++++++++++++++++++++--- library/x509write_csr.c | 19 ++++---- 4 files changed, 115 insertions(+), 32 deletions(-) create mode 100644 ChangeLog.d/MD-X.509-hashing.txt diff --git a/ChangeLog.d/MD-X.509-hashing.txt b/ChangeLog.d/MD-X.509-hashing.txt new file mode 100644 index 0000000000..2ca989c806 --- /dev/null +++ b/ChangeLog.d/MD-X.509-hashing.txt @@ -0,0 +1,2 @@ +Features + * The X.509 module now uses PSA hash acceleration if present. diff --git a/library/x509_crt.c b/library/x509_crt.c index c8654445dd..b7eb617180 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -47,7 +47,8 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#endif +#include "psa/crypto_values.h" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" @@ -2336,8 +2337,14 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, const mbedtls_x509_crt_profile *profile ) { int flags = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char hash[PSA_HASH_MAX_SIZE]; + psa_algorithm_t psa_algorithm; +#else unsigned char hash[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + size_t hash_length; if( ca == NULL ) return( flags ); @@ -2370,8 +2377,21 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 ) flags |= MBEDTLS_X509_BADCRL_BAD_PK; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_algorithm = mbedtls_psa_translate_md( crl_list->sig_md ); + if(psa_hash_compute( psa_algorithm, + crl_list->tbs.p, + crl_list->tbs.len, + hash,PSA_HASH_MAX_SIZE, + &hash_length ) != PSA_SUCCESS ) +#else md_info = mbedtls_md_info_from_type( crl_list->sig_md ); - if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 ) + hash_length = mbedtls_md_get_size( md_info ); + if( mbedtls_md( md_info, + crl_list->tbs.p, + crl_list->tbs.len, + hash ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { /* Note: this can't happen except after an internal error */ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2382,7 +2402,7 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk, - crl_list->sig_md, hash, mbedtls_md_get_size( md_info ), + crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len ) != 0 ) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2421,9 +2441,9 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt_restart_ctx *rs_ctx ) { - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; size_t hash_len; #if !defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; md_info = mbedtls_md_info_from_type( child->sig_md ); hash_len = mbedtls_md_get_size( md_info ); @@ -2432,23 +2452,21 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child, if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 ) return( -1 ); #else - psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; + unsigned char hash[PSA_HASH_MAX_SIZE]; psa_algorithm_t hash_alg = mbedtls_psa_translate_md( child->sig_md ); + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS ) - return( -1 ); - - if( psa_hash_update( &hash_operation, child->tbs.p, child->tbs.len ) - != PSA_SUCCESS ) + status = psa_hash_compute( hash_alg, + child->tbs.p, + child->tbs.len, + hash, + PSA_HASH_MAX_SIZE, + &hash_len ); + if( status != PSA_SUCCESS ) { - return( -1 ); + return MBEDTLS_ERR_ERROR_GENERIC_ERROR; } - if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len ) - != PSA_SUCCESS ) - { - return( -1 ); - } #endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Skip expensive computation on obvious mismatch */ if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) ) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 17b3e7966b..44a97296f0 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -40,6 +40,11 @@ #include "mbedtls/pem.h" #endif /* MBEDTLS_PEM_WRITE_C */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "psa/crypto.h" +#include "mbedtls/psa_util.h" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) { memset( ctx, 0, sizeof( mbedtls_x509write_cert ) ); @@ -169,6 +174,11 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, #if defined(MBEDTLS_SHA1_C) int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t hash_length; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */ unsigned char *c = buf + sizeof(buf); @@ -178,10 +188,24 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + status = psa_hash_compute( PSA_ALG_SHA_1, + buf + sizeof( buf ) - len, + len, + buf + sizeof( buf ) - 20 , + PSA_HASH_LENGTH(PSA_ALG_SHA_1), + &hash_length ); + if( status != PSA_SUCCESS ) + { + return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); + } +#else ret = mbedtls_sha1( buf + sizeof( buf ) - len, len, - buf + sizeof( buf ) - 20 ); + buf + sizeof( buf ) - 20 ); if( ret != 0 ) return( ret ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + c = buf + sizeof( buf ) - 20; len = 20; @@ -197,6 +221,11 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t hash_length; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */ unsigned char *c = buf + sizeof( buf ); @@ -205,11 +234,24 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * memset( buf, 0, sizeof(buf) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); - +#if defined(MBEDTLS_USE_PSA_CRYPTO) + status = psa_hash_compute( PSA_ALG_SHA_1, + buf + sizeof( buf ) - len, + len, + buf + sizeof( buf ) - 20 , + PSA_HASH_LENGTH(PSA_ALG_SHA_1), + &hash_length ); + if( status != PSA_SUCCESS ) + { + return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); + } +#else ret = mbedtls_sha1( buf + sizeof( buf ) - len, len, - buf + sizeof( buf ) - 20 ); + buf + sizeof( buf ) - 20 ); if( ret != 0 ) return( ret ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + c = buf + sizeof( buf ) - 20; len = 20; @@ -330,8 +372,16 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, const char *sig_oid; size_t sig_oid_len = 0; unsigned char *c, *c2; - unsigned char hash[64]; unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; + size_t hash_length = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_algorithm_t psa_algorithm; + unsigned char hash[PSA_HASH_MAX_SIZE]; +#else + unsigned char hash[64]; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; mbedtls_pk_type_t pk_alg; @@ -466,14 +516,30 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, */ /* Compute hash of CRT. */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_algorithm = mbedtls_psa_translate_md( ctx->md_alg ); + + status = psa_hash_compute( psa_algorithm, + c, + len, + hash, + PSA_HASH_MAX_SIZE, + &hash_length ); + if( status != PSA_SUCCESS ) + { + return MBEDTLS_ERR_ERROR_GENERIC_ERROR; + } +#else if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ) ) != 0 ) { return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, - hash, 0, sig, sizeof( sig ), &sig_len, + hash, hash_length, sig, sizeof( sig ), &sig_len, f_rng, p_rng ) ) != 0 ) { return( ret ); diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 555f296315..a9fc8ba1ac 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -35,7 +35,7 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #include #include @@ -149,7 +149,6 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx, size_t len = 0; mbedtls_pk_type_t pk_alg; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; size_t hash_len; psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -219,16 +218,14 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx, * Note: hash errors can happen only after an internal error */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS ) - return( MBEDTLS_ERR_X509_FATAL_ERROR ); - - if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS ) - return( MBEDTLS_ERR_X509_FATAL_ERROR ); - - if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len ) - != PSA_SUCCESS ) + if( psa_hash_compute( hash_alg, + c, + len, + hash, + PSA_HASH_MAX_SIZE, + &hash_len ) != PSA_SUCCESS ) { - return( MBEDTLS_ERR_X509_FATAL_ERROR ); + return ( MBEDTLS_ERR_X509_FATAL_ERROR ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ); From 3110c7b340f04a438cedc8465d88d94a1f7fddf7 Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 14 Feb 2022 15:07:41 +0100 Subject: [PATCH 2/8] Changing error codes. Change from MBEDTLS_ERR_ERROR_GENERIC_ERROR to MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED where PSA crypto is used. Signed-off-by: pespacek --- library/x509_crt.c | 2 +- library/x509write_crt.c | 4 ++-- library/x509write_csr.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index b7eb617180..b0c2d481a9 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2464,7 +2464,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child, &hash_len ); if( status != PSA_SUCCESS ) { - return MBEDTLS_ERR_ERROR_GENERIC_ERROR; + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 44a97296f0..b0589cc20e 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -243,7 +243,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * &hash_length ); if( status != PSA_SUCCESS ) { - return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); } #else ret = mbedtls_sha1( buf + sizeof( buf ) - len, len, @@ -527,7 +527,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, &hash_length ); if( status != PSA_SUCCESS ) { - return MBEDTLS_ERR_ERROR_GENERIC_ERROR; + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); } #else if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, diff --git a/library/x509write_csr.c b/library/x509write_csr.c index a9fc8ba1ac..a58374f3da 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -225,7 +225,7 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx, PSA_HASH_MAX_SIZE, &hash_len ) != PSA_SUCCESS ) { - return ( MBEDTLS_ERR_X509_FATAL_ERROR ); + return ( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ); From b9f07a79a718c5e246babb78fe951790eb864f73 Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 14 Feb 2022 15:13:26 +0100 Subject: [PATCH 3/8] Changing buffer size checks. Signed-off-by: pespacek --- library/x509_crt.c | 6 +++--- library/x509write_crt.c | 6 +++--- library/x509write_csr.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index b0c2d481a9..c12685d1ef 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -47,7 +47,6 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#include "psa/crypto_values.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PLATFORM_C) @@ -2382,7 +2381,8 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, if(psa_hash_compute( psa_algorithm, crl_list->tbs.p, crl_list->tbs.len, - hash,PSA_HASH_MAX_SIZE, + hash, + sizeof( hash ), &hash_length ) != PSA_SUCCESS ) #else md_info = mbedtls_md_info_from_type( crl_list->sig_md ); @@ -2460,7 +2460,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child, child->tbs.p, child->tbs.len, hash, - PSA_HASH_MAX_SIZE, + sizeof( hash ), &hash_len ); if( status != PSA_SUCCESS ) { diff --git a/library/x509write_crt.c b/library/x509write_crt.c index b0589cc20e..6703474bdc 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -236,9 +236,9 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_hash_compute( PSA_ALG_SHA_1, - buf + sizeof( buf ) - len, + buf + sizeof(buf) - len, len, - buf + sizeof( buf ) - 20 , + buf + sizeof(buf) - 20, PSA_HASH_LENGTH(PSA_ALG_SHA_1), &hash_length ); if( status != PSA_SUCCESS ) @@ -523,7 +523,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, c, len, hash, - PSA_HASH_MAX_SIZE, + sizeof( hash ), &hash_length ); if( status != PSA_SUCCESS ) { diff --git a/library/x509write_csr.c b/library/x509write_csr.c index a58374f3da..591fb6d04d 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -222,7 +222,7 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx, c, len, hash, - PSA_HASH_MAX_SIZE, + sizeof( hash ), &hash_len ) != PSA_SUCCESS ) { return ( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); From a7a646986f90a38fb19a762133d5cc065bbcda1f Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 14 Feb 2022 15:18:43 +0100 Subject: [PATCH 4/8] Improving readability Signed-off-by: pespacek --- library/x509_crt.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index c12685d1ef..14bedddbbf 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2384,6 +2384,11 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, hash, sizeof( hash ), &hash_length ) != PSA_SUCCESS ) + { + /* Note: this can't happen except after an internal error */ + flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; + break; + } #else md_info = mbedtls_md_info_from_type( crl_list->sig_md ); hash_length = mbedtls_md_get_size( md_info ); @@ -2391,12 +2396,13 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ { /* Note: this can't happen except after an internal error */ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; break; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( x509_profile_check_key( profile, &ca->pk ) != 0 ) flags |= MBEDTLS_X509_BADCERT_BAD_KEY; From a6e955e7296ff1e0fdda6a1bf9a0864b31ae3bc0 Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 14 Feb 2022 15:20:57 +0100 Subject: [PATCH 5/8] X.509: x509write_crt_set_key_identifier created Function mbedtls_x509write_crt_set_key_identifier was implemented to provide functionality of both mbedtls_x509write_crt_set_authority_key_identifier and mbedtls_x509write_crt_set_subject_key_identifier. Signed-off-by: pespacek --- library/x509write_crt.c | 120 ++++++++++++++++++++-------------------- 1 file changed, 59 insertions(+), 61 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 6703474bdc..be73876952 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -172,68 +172,36 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, } #if defined(MBEDTLS_SHA1_C) -int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ) +static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert +*ctx, + int is_ca, + unsigned char tag ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t hash_length; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */ unsigned char *c = buf + sizeof(buf); size_t len = 0; - - memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - status = psa_hash_compute( PSA_ALG_SHA_1, - buf + sizeof( buf ) - len, - len, - buf + sizeof( buf ) - 20 , - PSA_HASH_LENGTH(PSA_ALG_SHA_1), - &hash_length ); - if( status != PSA_SUCCESS ) - { - return( MBEDTLS_ERR_ERROR_GENERIC_ERROR ); - } -#else - ret = mbedtls_sha1( buf + sizeof( buf ) - len, len, - buf + sizeof( buf ) - 20 ); - if( ret != 0 ) - return( ret ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - c = buf + sizeof( buf ) - 20; - len = 20; - - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) ); - - return mbedtls_x509write_crt_set_extension( ctx, - MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); -} - -int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ) -{ #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t hash_length; #endif /* MBEDTLS_USE_PSA_CRYPTO */ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */ - unsigned char *c = buf + sizeof( buf ); - size_t len = 0; - memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); + if( is_ca ) + { + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, + buf, + ctx->issuer_key ) ); + } + else + { + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, + buf, + ctx->subject_key ) ); + } + #if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_hash_compute( PSA_ALG_SHA_1, buf + sizeof(buf) - len, @@ -257,18 +225,48 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) ); + mbedtls_asn1_write_tag( &c, buf, tag ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, buf, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + if( is_ca ) // writes AuthorityKeyIdentifier sequence + { + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len )); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, + buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); + return mbedtls_x509write_crt_set_extension( + ctx, + MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), + 0, + buf + sizeof( buf ) - len, + len ); + } + else + { + return mbedtls_x509write_crt_set_extension( + ctx, + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), + 0, + buf + sizeof( buf ) - len, + len ); + } +} - return mbedtls_x509write_crt_set_extension( - ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), - 0, buf + sizeof( buf ) - len, len ); +int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ) +{ + return mbedtls_x509write_crt_set_key_identifier( ctx, + 0, + MBEDTLS_ASN1_OCTET_STRING ); +} + +int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ) +{ + return mbedtls_x509write_crt_set_key_identifier( ctx, + 1, + (MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0) ); } #endif /* MBEDTLS_SHA1_C */ From 3015148ae6ae89d19947c66136d5b005ecf8b2e3 Mon Sep 17 00:00:00 2001 From: pespacek Date: Thu, 17 Feb 2022 15:18:47 +0100 Subject: [PATCH 6/8] Improving readability Signed-off-by: pespacek --- library/x509write_crt.c | 44 ++++++++++++++--------------------------- 1 file changed, 15 insertions(+), 29 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index be73876952..07f5851bb4 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -187,27 +187,19 @@ static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert #endif /* MBEDTLS_USE_PSA_CRYPTO */ memset( buf, 0, sizeof(buf) ); - if( is_ca ) - { - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_pk_write_pubkey( &c, - buf, - ctx->issuer_key ) ); - } - else - { - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_pk_write_pubkey( &c, - buf, - ctx->subject_key ) ); - } + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, + buf, + is_ca ? + ctx->issuer_key : + ctx->subject_key ) ); + #if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_hash_compute( PSA_ALG_SHA_1, buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20, - PSA_HASH_LENGTH(PSA_ALG_SHA_1), + 20, &hash_length ); if( status != PSA_SUCCESS ) { @@ -235,24 +227,18 @@ static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - return mbedtls_x509write_crt_set_extension( + } + return mbedtls_x509write_crt_set_extension( ctx, - MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), + is_ca ? MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER : + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, + is_ca ? MBEDTLS_OID_SIZE( + MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ) : + MBEDTLS_OID_SIZE( + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), 0, buf + sizeof( buf ) - len, len ); - } - else - { - return mbedtls_x509write_crt_set_extension( - ctx, - MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), - 0, - buf + sizeof( buf ) - len, - len ); - } } int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ) From d924e559440ace0b2442be7fb1fdb161f95f84e1 Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 28 Feb 2022 11:49:54 +0100 Subject: [PATCH 7/8] Improving readability of x509_crt and x509write_crt Signed-off-by: pespacek --- library/x509_crt.c | 13 ++++++------- library/x509write_crt.c | 36 ++++++++++++++++++------------------ 2 files changed, 24 insertions(+), 25 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 14bedddbbf..d19502ce1e 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2378,12 +2378,12 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm = mbedtls_psa_translate_md( crl_list->sig_md ); - if(psa_hash_compute( psa_algorithm, - crl_list->tbs.p, - crl_list->tbs.len, - hash, - sizeof( hash ), - &hash_length ) != PSA_SUCCESS ) + if( psa_hash_compute( psa_algorithm, + crl_list->tbs.p, + crl_list->tbs.len, + hash, + sizeof( hash ), + &hash_length ) != PSA_SUCCESS ) { /* Note: this can't happen except after an internal error */ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2403,7 +2403,6 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ - if( x509_profile_check_key( profile, &ca->pk ) != 0 ) flags |= MBEDTLS_X509_BADCERT_BAD_KEY; diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 07f5851bb4..0d252636b9 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -187,11 +187,12 @@ static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert #endif /* MBEDTLS_USE_PSA_CRYPTO */ memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, - buf, - is_ca ? - ctx->issuer_key : - ctx->subject_key ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, + buf, + is_ca ? + ctx->issuer_key : + ctx->subject_key ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -216,8 +217,7 @@ static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, buf, tag ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, tag ) ); if( is_ca ) // writes AuthorityKeyIdentifier sequence { @@ -228,17 +228,17 @@ static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); } - return mbedtls_x509write_crt_set_extension( - ctx, - is_ca ? MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER : - MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, - is_ca ? MBEDTLS_OID_SIZE( - MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ) : - MBEDTLS_OID_SIZE( - MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), - 0, - buf + sizeof( buf ) - len, - len ); + + if( is_ca ) + return mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), + 0, buf + sizeof(buf) - len, len ); + + return mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), + 0, buf + sizeof(buf) - len, len ); } int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ) From b9ca22dead231bf203604067fb78a09b4c7782e1 Mon Sep 17 00:00:00 2001 From: pespacek Date: Mon, 7 Mar 2022 13:30:01 +0100 Subject: [PATCH 8/8] Improving readability of x509_crt and x509write_crt for PR Signed-off-by: pespacek --- library/x509write_crt.c | 17 ++++++++--------- library/x509write_csr.c | 2 +- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 0d252636b9..6d1e7b34df 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -172,8 +172,7 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, } #if defined(MBEDTLS_SHA1_C) -static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert -*ctx, +static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert *ctx, int is_ca, unsigned char tag ) { @@ -230,15 +229,15 @@ static int mbedtls_x509write_crt_set_key_identifier( mbedtls_x509write_cert } if( is_ca ) - return mbedtls_x509write_crt_set_extension( ctx, + return( mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); - - return mbedtls_x509write_crt_set_extension( ctx, - MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); + 0, buf + sizeof(buf) - len, len ) ); + else + return( mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), + 0, buf + sizeof(buf) - len, len ) ); } int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 591fb6d04d..1cee318f9a 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -225,7 +225,7 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx, sizeof( hash ), &hash_len ) != PSA_SUCCESS ) { - return ( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); + return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );