Adapt mbedtls_pk_write_pubkey_der() to the new PSA public key format

Context: There are two public key writing functions in Mbed TLS. First, mbedtls_pk_write_pubkey(), which exports a public key in the form of a SubjectPublicKey structure containing the raw keying material (for example, EC point coordinates for an EC public key, without reference to the underlying curve). Secondly, mbedtls_pk_write_pubkey_der(), which exports a public key in the form of a SubjectPublicKeyInfo structure, wrapping the SubjectPublicKey structure by additional information identifying the type of public key (and for ECC, e.g., it'd also contain the ECC group identifier). The implementation of mbedtls_pk_write_pubkey_der() calls mbedtls_pk_write_pubkey() first and then adds the corresponding algorithm identifier wrapper. Both of these functions need to be provided for PSA-based opaque PK contexts, based on PSA's public key export function. Previously, PSA used the SubjectPublicKeyInfo structure as its export format, so mbedtls_pk_write_pubkey_der() could be easily implemented, while mbedtls_pk_write_pubkey() would need to trim the output of the PSA export. The previous implementation of mbedtls_pk_write_pubkey() is not quite right because it calls PSA export doesn't do any trimming, hence exporting the large SubjectPublicKeyInfo structure instead of the small SubjectPublicKey. mbedtls_pk_write_pubkey_der(), in turn, immediately returns after calling mbedtls_pk_write_pubkey(), hence also returning the SubjectPublicKeyInfo structure, which is correct. By now, the PSA public key export format has changed to the smaller SubjectPublicKey structure. This means that, now, mbedtls_pk_write_pubkey() can be implemented by just calling the PSA export, and that mbedtls_pk_write_pubkey_der() needs to add the algorithm information around it, just as in the other types of PK contexts. While not correct for the old format, the existing code for mbedtls_pk_write_pubkey() is therefore correct for the new PSA public key format, and needs no change apart from the missing pointer shift in the last commit. The implementation of mbedtls_pk_write_pubkey_der() needs a special code path for PSA-based opaque PK contexts, as the PK context only contains the PSA key handle, and the PSA API needs to be used to extract the underlying EC curve to be able to write the AlgorithmParameter structure that's part of the SubjectPublicKeyInfo structure. That's what this commit does, (hopefully) making both mbedtls_pk_write_pubkey() and mbedtls_pk_write_pubkey_der() export the correctly formatted public key based on the new PSA public key format.
2019-02-01 10:07:07 +00:00 · 2019-02-01 10:07:07 +00:00 · 493c171a1c
commit 493c171a1c
parent 812e12452a
2 changed files with 42 additions and 11 deletions
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@ -41,6 +41,7 @@
 #include "ecp.h"
 #include "md.h"
 #include "pk.h"
+#include "oid.h"

 /* Translations for symmetric crypto. */

--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@ -197,16 +197,13 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si
    int ret;
    unsigned char *c;
    size_t len = 0, par_len = 0, oid_len;
+    mbedtls_pk_type_t pk_type;
    const char *oid;

    c = buf + size;

    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) );

-    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE )
-    {
-        return( (int) len );
-    }
    if( c - buf < 1 )
        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );

@ -221,18 +218,51 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si
    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );

-    if( ( ret = mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_get_type( key ),
-                                       &oid, &oid_len ) ) != 0 )
-    {
-        return( ret );
-    }
-
+    pk_type = mbedtls_pk_get_type( key );
 #if defined(MBEDTLS_ECP_C)
-    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    if( pk_type == MBEDTLS_PK_ECKEY )
    {
        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, mbedtls_pk_ec( *key ) ) );
    }
 #endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    if( pk_type == MBEDTLS_PK_OPAQUE )
+    {
+        psa_status_t status;
+        psa_key_type_t key_type;
+        psa_key_handle_t handle;
+        psa_ecc_curve_t curve;
+
+        handle = *((psa_key_handle_t*) key->pk_ctx );
+
+        status = psa_get_key_information( handle, &key_type,
+                                          NULL /* bitsize not needed */ );
+        if( status != PSA_SUCCESS )
+            return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
+
+        curve = PSA_KEY_TYPE_GET_CURVE( key_type );
+        if( curve == 0 )
+            return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+        ret = mbedtls_psa_get_ecc_oid_from_id( curve, &oid, &oid_len );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+        /* Write EC algorithm parameters; that's akin
+         * to pk_write_ec_param() above. */
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_oid( &c, buf,
+                                                               oid, oid_len ) );
+
+        /* The rest of the function works as for legacy EC contexts. */
+        pk_type = MBEDTLS_PK_ECKEY;
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+    if( ( ret = mbedtls_oid_get_oid_by_pk_alg( pk_type, &oid,
+                                               &oid_len ) ) != 0 )
+    {
+        return( ret );
+    }

    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, buf, oid, oid_len,
                                                        par_len ) );