PSA RSA needs pk_write

The PSA crypto code needs mbedtls_pk_write_key_der() and mbedtls_pk_write_pubkey() when using RSA without drivers. We were already forcing MBEDTLS_PK_WRITE_C when MBEDTLS_USE_PSA_CRYPTO is enabled. Do so also when MBEDTLS_PSA_CRYPTO_C is enabled as well as MBEDTLS_RSA_C, even without MBEDTLS_USE_PSA_CRYPTO. Fixes #6408. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-04-16 08:42:50 +00:00 · 2022-10-11 20:59:29 +02:00 · 2022-10-11 20:59:29 +02:00 · fd94304f9d
commit fd94304f9d
parent 58e5d804ee
2 changed files with 19 additions and 1 deletions
--- a/ChangeLog.d/psa_rsa_needs_pk.txt
+++ b/ChangeLog.d/psa_rsa_needs_pk.txt
@ -0,0 +1,3 @@
+Bugfix
+   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
+     MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@ -74,7 +74,22 @@
 #include MBEDTLS_USER_CONFIG_FILE
 #endif

-#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
+/* The PK wrappers need pk_write functions to format RSA key objects
+ * when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
+ * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext().
+ * PSA crypto also needs pk_write to export RSA keys (otherwise the build
+ * goes through but psa_export_key() and psa_export_public_key() fail on
+ * RSA keys).
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_WRITE_C
+#endif
+
+/* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions
+ * to pass ECC keys to PSA. */
+#if defined(MBEDTLS_PK_C) &&                                    \
+    defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECP_C)
 #define MBEDTLS_PK_WRITE_C
 #endif