From 0483e3d65272a20ca13baf4e1f6e93b154d87892 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Mon, 4 Oct 2021 11:13:22 +0200 Subject: [PATCH 1/6] Add key_opaque option to ssl_server2.c + test Signed-off-by: Przemyslaw Stekiel --- programs/ssl/ssl_server2.c | 32 +++++++++++++++++++++++++++++++- tests/ssl-opt.sh | 15 +++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e8e4ed8aea..abc9b5f5d4 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -80,6 +80,7 @@ int main( void ) #define DFL_CA_PATH "" #define DFL_CRT_FILE "" #define DFL_KEY_FILE "" +#define DFL_KEY_OPAQUE 0 #define DFL_KEY_PWD "" #define DFL_CRT_FILE2 "" #define DFL_KEY_FILE2 "" @@ -200,6 +201,13 @@ int main( void ) #else #define USAGE_IO "" #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#define USAGE_KEY_OPAQUE \ + " key_opaque=%%d Handle your private key as if it were opaque\n" \ + " default: 0 (disabled)\n" +#else +#define USAGE_KEY_OPAQUE "" +#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #define USAGE_SSL_ASYNC \ @@ -483,6 +491,7 @@ int main( void ) " cert_req_ca_list=%%d default: 1 (send ca list)\n" \ " options: 1 (send ca list), 0 (don't send)\n" \ USAGE_IO \ + USAGE_KEY_OPAQUE \ "\n" \ USAGE_PSK \ USAGE_CA_CALLBACK \ @@ -567,6 +576,7 @@ struct options const char *ca_path; /* the path with the CA certificate(s) reside */ const char *crt_file; /* the file with the server certificate */ const char *key_file; /* the file with the server key */ + int key_opaque; /* handle private key as if it were opaque */ const char *key_pwd; /* the password for the server key */ const char *crt_file2; /* the file with the 2nd server certificate */ const char *key_file2; /* the file with the 2nd server key */ @@ -1315,6 +1325,9 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pkey; mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_id_t key_slot = 0; /* invalid key slot */ +#endif int key_cert_init = 0, key_cert_init2 = 0; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) ssl_async_key_context_t ssl_async_keys; @@ -1491,6 +1504,7 @@ int main( int argc, char *argv[] ) opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; + opt.key_opaque = DFL_KEY_OPAQUE; opt.key_pwd = DFL_KEY_PWD; opt.crt_file2 = DFL_CRT_FILE2; opt.key_file2 = DFL_KEY_FILE2; @@ -1622,6 +1636,10 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) + else if( strcmp( p, "key_opaque" ) == 0 ) + opt.key_opaque = atoi( q ); +#endif else if( strcmp( p, "crt_file2" ) == 0 ) opt.crt_file2 = q; else if( strcmp( p, "key_file2" ) == 0 ) @@ -2473,11 +2491,23 @@ int main( int argc, char *argv[] ) (unsigned int) -ret ); goto exit; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( opt.key_opaque != 0 ) + { + if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot, + PSA_ALG_SHA_256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! " + "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ key_cert_init2 = 2; #endif /* MBEDTLS_ECDSA_C */ } - mbedtls_printf( " ok\n" ); + mbedtls_printf( " ok (key type: %s)\n", mbedtls_pk_get_name( &pkey2 ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 66c648573b..d6fef13013 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1444,6 +1444,21 @@ run_test "Opaque key for client authentication" \ -S "error" \ -C "error" +# Test using an opaque private key for server authentication +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "Opaque key for server authentication" \ + "$P_SRV auth_mode=required key_opaque=1" \ + "$P_CLI crt_file=data_files/server5.crt \ + key_file=data_files/server5.key" \ + 0 \ + -c "Verifying peer X.509 certificate... ok" \ + -s "key type: Opaque" \ + -S "error" \ + -C "error" + # Test ciphersuites which we expect to be fully supported by PSA Crypto # and check that we don't fall back to Mbed TLS' internal crypto primitives. run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM From 575f23c3d5bad874a03b3def02fa68a5458cdc9b Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Wed, 6 Oct 2021 11:31:49 +0200 Subject: [PATCH 2/6] add client/server opaque test Signed-off-by: Przemyslaw Stekiel --- tests/ssl-opt.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d6fef13013..7d0b31381f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1459,6 +1459,23 @@ run_test "Opaque key for server authentication" \ -S "error" \ -C "error" +# Test using an opaque private key for client/server authentication +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "Opaque key for client/server authentication" \ + "$P_SRV auth_mode=required key_opaque=1" \ + "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ + key_file=data_files/server5.key" \ + 0 \ + -c "key type: Opaque" \ + -c "Verifying peer X.509 certificate... ok" \ + -s "key type: Opaque" \ + -s "Verifying peer X.509 certificate... ok" \ + -S "error" \ + -C "error" + # Test ciphersuites which we expect to be fully supported by PSA Crypto # and check that we don't fall back to Mbed TLS' internal crypto primitives. run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM From db0ed7c57999ddc2f50c841a6df94ef242599876 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 7 Oct 2021 15:11:32 +0200 Subject: [PATCH 3/6] ssl_server2.c: fix build err (key_slot - unused variable) Signed-off-by: Przemyslaw Stekiel --- programs/ssl/ssl_server2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index abc9b5f5d4..68e92b7121 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1325,7 +1325,7 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pkey; mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_id_t key_slot = 0; /* invalid key slot */ #endif int key_cert_init = 0, key_cert_init2 = 0; From 8132c2ff46d532ce9350860b25f6955d842438f6 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Thu, 21 Oct 2021 12:26:58 +0200 Subject: [PATCH 4/6] Address review comments Signed-off-by: Przemyslaw Stekiel --- programs/ssl/ssl_server2.c | 50 ++++++++++++++++++++++++++------------ tests/ssl-opt.sh | 4 +-- 2 files changed, 37 insertions(+), 17 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 68e92b7121..c23d73045f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -203,7 +203,7 @@ int main( void ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) #define USAGE_KEY_OPAQUE \ - " key_opaque=%%d Handle your private key as if it were opaque\n" \ + " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" #else #define USAGE_KEY_OPAQUE "" @@ -1325,8 +1325,9 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pkey; mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_id_t key_slot = 0; /* invalid key slot */ + psa_key_id_t key_slot2 = 0; /* invalid key slot */ #endif int key_cert_init = 0, key_cert_init2 = 0; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -2491,23 +2492,38 @@ int main( int argc, char *argv[] ) (unsigned int) -ret ); goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.key_opaque != 0 ) - { - if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot, - PSA_ALG_SHA_256 ) ) != 0 ) - { - mbedtls_printf( " failed\n ! " - "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); - goto exit; - } - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ key_cert_init2 = 2; #endif /* MBEDTLS_ECDSA_C */ } - mbedtls_printf( " ok (key type: %s)\n", mbedtls_pk_get_name( &pkey2 ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( opt.key_opaque != 0 ) + { + if ( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY ) + { + if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot, + PSA_ALG_SHA_256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! " + "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + } + + if ( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY ) + { + if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot2, + PSA_ALG_SHA_256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! " + "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + } + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) @@ -3953,6 +3969,10 @@ exit: mbedtls_pk_free( &pkey ); mbedtls_x509_crt_free( &srvcert2 ); mbedtls_pk_free( &pkey2 ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_destroy_key( key_slot ); + psa_destroy_key( key_slot2 ); +#endif #endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for( i = 0; (size_t) i < ssl_async_keys.slots_used; i++ ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7d0b31381f..628fad9560 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1455,7 +1455,7 @@ run_test "Opaque key for server authentication" \ key_file=data_files/server5.key" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ - -s "key type: Opaque" \ + -s "key types: RSA - Opaque" \ -S "error" \ -C "error" @@ -1471,7 +1471,7 @@ run_test "Opaque key for client/server authentication" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ - -s "key type: Opaque" \ + -s "key types: RSA - Opaque" \ -s "Verifying peer X.509 certificate... ok" \ -S "error" \ -C "error" From c2d2f217fbba6ae7f275a5c3741e36bb4a674e56 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Tue, 26 Oct 2021 12:21:45 +0200 Subject: [PATCH 5/6] ssl_client2/ssl_server_2: use PSA_ALG_ANY_HASH as algorithm for opaque key Signed-off-by: Przemyslaw Stekiel --- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index a970503c87..cd9c8bf356 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1692,7 +1692,7 @@ int main( int argc, char *argv[] ) if( opt.key_opaque != 0 ) { if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot, - PSA_ALG_SHA_256 ) ) != 0 ) + PSA_ALG_ANY_HASH ) ) != 0 ) { mbedtls_printf( " failed\n ! " "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c23d73045f..1700405ed3 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2502,7 +2502,7 @@ int main( int argc, char *argv[] ) if ( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY ) { if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot, - PSA_ALG_SHA_256 ) ) != 0 ) + PSA_ALG_ANY_HASH ) ) != 0 ) { mbedtls_printf( " failed\n ! " "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); @@ -2513,7 +2513,7 @@ int main( int argc, char *argv[] ) if ( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY ) { if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot2, - PSA_ALG_SHA_256 ) ) != 0 ) + PSA_ALG_ANY_HASH ) ) != 0 ) { mbedtls_printf( " failed\n ! " "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); From bb5d48307325ca4f2ee8c3cdcc81de4112222944 Mon Sep 17 00:00:00 2001 From: Przemyslaw Stekiel Date: Tue, 26 Oct 2021 12:25:27 +0200 Subject: [PATCH 6/6] ssl-opt.sh: adapt paramteters of key opaque cases Signed-off-by: Przemyslaw Stekiel --- tests/ssl-opt.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 628fad9560..e0abd3f71e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1435,12 +1435,15 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "Opaque key for client authentication" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required crt_file=data_files/server5.crt \ + key_file=data_files/server5.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ 0 \ -c "key type: Opaque" \ + -c "Ciphersuite is TLS-ECDHE-ECDSA" \ -s "Verifying peer X.509 certificate... ok" \ + -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ -C "error" @@ -1450,12 +1453,15 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "Opaque key for server authentication" \ - "$P_SRV auth_mode=required key_opaque=1" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ + key_file=data_files/server5.key" \ "$P_CLI crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ - -s "key types: RSA - Opaque" \ + -c "Ciphersuite is TLS-ECDHE-ECDSA" \ + -s "key types: Opaque - invalid PK" \ + -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ -C "error" @@ -1465,14 +1471,17 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "Opaque key for client/server authentication" \ - "$P_SRV auth_mode=required key_opaque=1" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ + key_file=data_files/server5.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ - -s "key types: RSA - Opaque" \ + -c "Ciphersuite is TLS-ECDHE-ECDSA" \ + -s "key types: Opaque - invalid PK" \ -s "Verifying peer X.509 certificate... ok" \ + -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ -C "error"