Commit graph

9076 commits

Author SHA1 Message Date
Jaeden Amero 472c20b4f2
Merge pull request #28 from hanno-arm/ec_pubkey_fmt_adapt_ecdsa_verify_wrap
Adapt ECDSA wrapper to new EC public key format
2019-01-29 10:01:50 +00:00
Hanno Becker d288494c3a Fix outdated comment in ecdsa_verify_wrap() 2019-01-29 08:21:24 +00:00
Jaeden Amero fa6f146bba
Merge pull request #30 from orenc17/its_update
Use new ITS uid type
2019-01-28 13:41:58 +00:00
Jaeden Amero 43bafcca94
Merge pull request #15 from gilles-peskine-arm/psa-signature_policy_wildcard
Support wildcard hash in signature policies
2019-01-28 13:31:14 +00:00
Oren Cohen 231bf5b693 Use new ITS uid type
ITS switched from using uint32_t to psa_its_uid_t (uint64_t)
2019-01-28 14:51:50 +02:00
Gilles Peskine 763fb9a150 Improve the description of PSA_ALG_ANY_HASH
Make it clearer what PSA_ALG_ANY_HASH can and cannot be used for.
2019-01-28 13:29:01 +01:00
Jaeden Amero d46548c833
Merge pull request #23 from orenc17/its_update
Update usage of PSA ITS to comply with v1.0
2019-01-28 12:06:26 +00:00
Hanno Becker 5d5e90a610 Adapt ecdsa_verify_wrap() to new EC public key format
Previously, PSA used SubjectPublicKeyInfo structures to serialize EC public keys.
This has recently been changed to using ECPoint structures instead, but the wrapper
making PSA ECDSA verification available through Mbed TLS' PK API hasn't yet been
adapted accordingly - which is what this commit does.

Luckily, Mbed TLS' PK API offers two functions mbedtls_pk_write_pubkey()
and mbedtls_pk_write_pubkey_der(), the latter exporting a SubjectPublicKeyInfo
structure and the former exporting an ECPoint structure in case of EC public
keys. For the adaptation of the ECDSA wrapper ecdsa_verify_wrap() it is therefore
sufficient to use mbedtls_pk_write_pubkey() instead of mbedtls_pk_write_pubkey_der().
2019-01-28 11:41:37 +00:00
Jaeden Amero 37a8c0c144
Merge pull request #27 from hanno-arm/crypto_submodule_update_prs_6_18_19_sibling
PSA integration sibling: Update crypto submodule (Hash clone, Key Policy Init, Key slot alloc)
2019-01-28 11:33:28 +00:00
Oren Cohen 23a6784cb9 Update usage of PSA ITS to comply with v1.0 2019-01-27 10:19:18 +02:00
Hanno Becker 2169a5e54d PSA: Adapt pk.c, pk_wrap.c, cipher.c to new key policy init API 2019-01-25 14:36:28 +00:00
Hanno Becker 242da1e2c2 PSA: Adapt cipher.c, pk.c, pk_wrap.c to new key slot allocation API 2019-01-25 14:36:28 +00:00
Hanno Becker 330b9a4586 PSA: Adapt ssl_server2 to modified key allocation API 2019-01-25 14:36:28 +00:00
Hanno Becker f3adecf479 PSA: Adapt ssl_server2 to hew key policy initialization API 2019-01-25 14:36:28 +00:00
Hanno Becker 2261a0ff52 PSA: Adapt ssl_client2 to new key policy initialization API 2019-01-25 14:36:28 +00:00
Hanno Becker d74dfc2984 PSA: Adapt ssl_client2 to modified key slot allocation API 2019-01-25 14:36:28 +00:00
Hanno Becker a814ae6f92 PSA: Adapt PK test suite to new key policy initialization API 2019-01-25 14:36:28 +00:00
Hanno Becker fcf659b12d PSA: Adapt PK test suite to modified key slot allocation mechanism 2019-01-25 14:36:28 +00:00
Jaeden Amero 4d69cf1a84
Merge pull request #13 from Patater/pubkey-format
Simplify RSA and EC public key formats
2019-01-25 10:09:40 +00:00
Gilles Peskine eb2d4b9037 Test that HASH_ANY is not meaningful for OAEP
PSA_ALG_HASH_ANY is specified as meaningful only for signature.
2019-01-24 13:05:36 +01:00
Jaeden Amero 21fec0c1c5 psa: Expand documentation for psa_key_agreement()
Document `peer_key` parameter requirements, including an explanation of
how the peer key is used and an example for EC keys.
2019-01-23 17:39:46 +00:00
Jaeden Amero c67200d0e6 psa: Remove extra status handling from import
Remove extra status handling code from psa_import_key_into_slot(). This
helps save a tiny amount of code space, but mainly serves to improve the
readability of the code.
2019-01-23 17:39:46 +00:00
Jaeden Amero cd09d8c83a psa: Refactor psa_import_rsa_key() pk-using code
Move pk-using code to inside psa_import_rsa_key(). This aligns the shape
of psa_import_rsa_key() to match that of psa_import_ec_private_key() and
psa_import_ec_public_key().
2019-01-23 17:39:46 +00:00
Jaeden Amero ccdce90adb psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-23 17:39:46 +00:00
Jaeden Amero 97271b37c8 psa: Use psa_status_t in psa_key_agreement_ecdh()
Use the PSA-native status type in psa_key_agreement_ecdh() in
preparation for us calling PSA functions (and not just Mbed TLS
functions) and still being able to return a psa_status_t (without having
to translate it to a Mbed TLS error and then back again).
2019-01-23 17:31:50 +00:00
Jaeden Amero 25384a236e psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-23 17:31:50 +00:00
Jaeden Amero 0b6b871056
Merge pull request #22 from ARMmbed/iotssl-2697-psa-key-allocation-crypto
Adapting to the new PSA key slot allocation mechanism
2019-01-23 15:00:19 +00:00
Jaeden Amero cfb7ae9318
Merge pull request #16 from itayzafrir/spm-support-crypto-handles-api
Support for slots to handles crypto API changes under SPM
2019-01-23 13:38:50 +00:00
Andrzej Kurek 54c139f141 Remove unnecessary "#" sign from PSA macros 2019-01-23 06:23:53 -05:00
Andrzej Kurek f410a5c251 Fix indentation of documentation 2019-01-23 06:23:31 -05:00
Andrzej Kurek e1a8187df9 pk_wrap: pass curve size instead of a larger size of the exported key
Whitespace fixes
2019-01-23 06:23:21 -05:00
Andrzej Kurek 1ec0fee458 pk: wrap curve_id before passing it to PSA
Add a helper function in PSA utils
2019-01-23 06:23:12 -05:00
Andrzej Kurek 08dfceaba4 cipher: fixed key ownership scope
Indicate key ownership earlier, so that it gets destroyed on faulty policy setting.
2019-01-23 06:22:42 -05:00
Andrzej Kurek c750932f2c Adapt to the new key allocation mechanism 2019-01-23 06:22:32 -05:00
Gilles Peskine 870f5dc656 Add missing test dependency 2019-01-23 10:42:23 +01:00
Jaeden Amero 494624d299
Merge pull request #18 from gilles-peskine-arm/psa-hash_clone
New function psa_hash_clone
2019-01-22 17:35:25 +00:00
Gilles Peskine eb35d78a11 Style fix 2019-01-22 17:56:16 +01:00
Jaeden Amero 9c0c79e877
Merge pull request #19 from gilles-peskine-arm/psa-no_type_on_allocate_key
Don't require a type and size when creating a key slot
2019-01-22 14:37:08 +00:00
Gilles Peskine e43aa39397 hash_clone: Fix copypasta and add a functional description 2019-01-21 14:50:37 +01:00
Gilles Peskine d40c1fbd50 Don't require a type and size when creating a key slot
Remove the type and bits arguments to psa_allocate_key() and
psa_create_key(). They can be useful if the implementation wants to
know exactly how much space to allocate for the slot, but many
implementations (including ours) don't care, and it's possible to work
around their lack by deferring size-dependent actions to the time when
the key material is created. They are a burden to applications and
make the API more complex, and the benefits aren't worth it.

Change the API and adapt the implementation, the units test and the
sample code accordingly.
2019-01-19 12:20:52 +01:00
Gilles Peskine ebb2c3e419 New function psa_hash_clone
Clone a hash operation.

Test good cases as part as multipart tests. Add new test functions for
the state machine.
2019-01-19 12:03:41 +01:00
itayzafrir 14e7678790 Documentation update regarding SPM integration 2019-01-16 11:16:39 +02:00
itayzafrir 99974e344a SPM integration update due to crypto API changes
When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM (Secure Partition Manager)
integration which separates the code into two parts: NSPE (Non-Secure Processing Environment) and SPE
(Secure Processing Environment). When building for the SPE, an additional header file should be included.
2019-01-16 11:13:19 +02:00
Gilles Peskine 30f77cdfc1 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-14 19:38:56 +01:00
Gilles Peskine d35b489ce5 New macro PSA_ALG_IS_HASH_AND_SIGN
Test for a subclass of public-key algorithm: those that perform
full-domain hashing, i.e. algorithms that can be broken down as
sign(key, hash(message)).
2019-01-14 16:02:15 +01:00
Jaeden Amero 8d4be19517
Merge pull request #7 from gilles-peskine-arm/all_sh-mbedcrypto
[mbedcrypto] all.sh: make it possible to run a subset of the components
2019-01-14 10:47:20 +00:00
Jaeden Amero d3a0c2c779 psa: Document requirements for psa_export_public_key()
Copy the nice and clear documentation from psa_export_key() as to what
implementations are allowed to do regarding key export formats, as the
same applies to public keys.
2019-01-11 17:15:56 +00:00
Jaeden Amero 005401e6a7
Merge pull request #8 from NirSonnenschein/fix_check-names.sh
modify check-names.sh and list-macros.sh to work with PSA constants
2019-01-11 13:22:54 +00:00
Jaeden Amero 83d293951c psa: Call init when importing private EC keys
Previously we weren't initializing the freshly allocated ECP keypair
when importing private EC keys. This didn't seem to cause problems, at
least according to our current test coverage, but it's better to ensure
we don't have a partially initialized object by explicitly initializing
the keypair.
2019-01-10 20:25:55 +00:00
Gilles Peskine e87898709c Rename test_memcheck to test_valgrind
Valgrind is what it does. `memcheck` is how it's implemented.
2019-01-10 18:36:20 +01:00