mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pk: simplify mbedtls_pk_sign_ext()

Browse Source 
In case of opaque keys skip the check of the supported primary/enrollment
algorithms. Just try to perfom the signature and if the wrapped key
does not support RSA PSS the operation will fail automatically.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2024-03-21 16:23:34 +01:00
parent 42a3954cd3
commit afa6d51442
1 changed files with 9 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
library/pk.c
View File

@ -1327,43 +1327,19 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
} }
if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) { if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t psa_alg, sign_alg;
#if defined(MBEDTLS_PSA_CRYPTO_C)
psa_algorithm_t psa_enrollment_alg;
#endif /* MBEDTLS_PSA_CRYPTO_C */
psa_status_t status; psa_status_t status;
status = psa_get_key_attributes(ctx->priv_id, &key_attr); /* PSA_ALG_RSA_PSS() behaves the same as PSA_ALG_RSA_PSS_ANY_SALT() when
if (status != PSA_SUCCESS) { * performing a signature, but they are encoded differently. Instead of
return PSA_PK_RSA_TO_MBEDTLS_ERR(status); * extracting the proper one from the wrapped key policy, just try both. */
} status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg),
psa_alg = psa_get_key_algorithm(&key_attr);
#if defined(MBEDTLS_PSA_CRYPTO_C)
psa_enrollment_alg = psa_get_key_enrollment_algorithm(&key_attr);
#endif /* MBEDTLS_PSA_CRYPTO_C */
psa_reset_key_attributes(&key_attr);
/* Since we're PK type is MBEDTLS_PK_RSASSA_PSS at least one between
* alg and enrollment alg should be of type RSA_PSS. */
if (PSA_ALG_IS_RSA_PSS(psa_alg)) {
sign_alg = psa_alg;
}
#if defined(MBEDTLS_PSA_CRYPTO_C)
else if (PSA_ALG_IS_RSA_PSS(psa_enrollment_alg)) {
sign_alg = psa_enrollment_alg;
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
else {
/* The opaque key has no RSA PSS algorithm associated. */
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
/* Adjust the hashing algorithm. */
sign_alg = (sign_alg & ~PSA_ALG_HASH_MASK) | PSA_ALG_GET_HASH(psa_md_alg);
status = psa_sign_hash(ctx->priv_id, sign_alg,
hash, hash_len, hash, hash_len,
sig, sig_size, sig_len); sig, sig_size, sig_len);
if (status == PSA_ERROR_NOT_PERMITTED) {
status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg),
hash, hash_len,
sig, sig_size, sig_len);
}
return PSA_PK_RSA_TO_MBEDTLS_ERR(status); return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
} }