1 /*
2  *  PSA RSA layer on top of Mbed TLS crypto
3  */
4 /*
5  *  Copyright The Mbed TLS Contributors
6  *  SPDX-License-Identifier: Apache-2.0
7  *
8  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
9  *  not use this file except in compliance with the License.
10  *  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  *  Unless required by applicable law or agreed to in writing, software
15  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  *  See the License for the specific language governing permissions and
18  *  limitations under the License.
19  */
20 
21 #include "common.h"
22 
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24 
25 #include <psa/crypto.h>
26 #include "psa_crypto_core.h"
27 #include "psa_crypto_random_impl.h"
28 #include "psa_crypto_rsa.h"
29 #include "psa_crypto_hash.h"
30 
31 #include <stdlib.h>
32 #include <string.h>
33 #include "mbedtls/platform.h"
34 #if !defined(MBEDTLS_PLATFORM_C)
35 #define mbedtls_calloc calloc
36 #define mbedtls_free   free
37 #endif
38 
39 #include <mbedtls/rsa.h>
40 #include <mbedtls/error.h>
41 #include <mbedtls/pk.h>
42 #include "pk_wrap.h"
43 
44 #if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||  \
45       ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
46         defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ) )
47 #define BUILTIN_KEY_TYPE_RSA_KEY_PAIR    1
48 #endif
49 
50 #if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) ||  \
51       ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
52         defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) )
53 #define BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY  1
54 #endif
55 
56 #if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||  \
57       ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
58         defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) &&  \
59         defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V15) ) )
60 #define BUILTIN_ALG_RSA_PKCS1V15_SIGN  1
61 #endif
62 
63 #if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||  \
64       ( defined(PSA_CRYPTO_DRIVER_TEST) &&         \
65         defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) &&  \
66         defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) ) )
67 #define BUILTIN_ALG_RSA_PSS 1
68 #endif
69 
70 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
71     defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
72     defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
73     defined(BUILTIN_ALG_RSA_PSS) || \
74     defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
75     defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
76 
77 /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
78  * that are not a multiple of 8) well. For example, there is only
79  * mbedtls_rsa_get_len(), which returns a number of bytes, and no
80  * way to return the exact bit size of a key.
81  * To keep things simple, reject non-byte-aligned key sizes. */
psa_check_rsa_key_byte_aligned(const mbedtls_rsa_context * rsa)82 static psa_status_t psa_check_rsa_key_byte_aligned(
83     const mbedtls_rsa_context *rsa )
84 {
85     mbedtls_mpi n;
86     psa_status_t status;
87     mbedtls_mpi_init( &n );
88     status = mbedtls_to_psa_error(
89         mbedtls_rsa_export( rsa, &n, NULL, NULL, NULL, NULL ) );
90     if( status == PSA_SUCCESS )
91     {
92         if( mbedtls_mpi_bitlen( &n ) % 8 != 0 )
93             status = PSA_ERROR_NOT_SUPPORTED;
94     }
95     mbedtls_mpi_free( &n );
96     return( status );
97 }
98 
mbedtls_psa_rsa_load_representation(psa_key_type_t type,const uint8_t * data,size_t data_length,mbedtls_rsa_context ** p_rsa)99 psa_status_t mbedtls_psa_rsa_load_representation(
100     psa_key_type_t type, const uint8_t *data, size_t data_length,
101     mbedtls_rsa_context **p_rsa )
102 {
103     psa_status_t status;
104     mbedtls_pk_context ctx;
105     size_t bits;
106     mbedtls_pk_init( &ctx );
107 
108     /* Parse the data. */
109     if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
110         status = mbedtls_to_psa_error(
111             mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0,
112                 mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ) );
113     else
114         status = mbedtls_to_psa_error(
115             mbedtls_pk_parse_public_key( &ctx, data, data_length ) );
116     if( status != PSA_SUCCESS )
117         goto exit;
118 
119     /* We have something that the pkparse module recognizes. If it is a
120      * valid RSA key, store it. */
121     if( mbedtls_pk_get_type( &ctx ) != MBEDTLS_PK_RSA )
122     {
123         status = PSA_ERROR_INVALID_ARGUMENT;
124         goto exit;
125     }
126 
127     /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
128      * supports non-byte-aligned key sizes, but not well. For example,
129      * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
130     bits = PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( mbedtls_pk_rsa( ctx ) ) );
131     if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
132     {
133         status = PSA_ERROR_NOT_SUPPORTED;
134         goto exit;
135     }
136     status = psa_check_rsa_key_byte_aligned( mbedtls_pk_rsa( ctx ) );
137     if( status != PSA_SUCCESS )
138         goto exit;
139 
140     /* Copy out the pointer to the RSA context, and reset the PK context
141      * such that pk_free doesn't free the RSA context we just grabbed. */
142     *p_rsa = mbedtls_pk_rsa( ctx );
143     ctx.pk_info = NULL;
144 
145 exit:
146     mbedtls_pk_free( &ctx );
147     return( status );
148 }
149 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
150         * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
151         * defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
152         * defined(BUILTIN_ALG_RSA_PSS) ||
153         * defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
154         * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
155 
156 #if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
157     defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
158 
rsa_import_key(const psa_key_attributes_t * attributes,const uint8_t * data,size_t data_length,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length,size_t * bits)159 static psa_status_t rsa_import_key(
160     const psa_key_attributes_t *attributes,
161     const uint8_t *data, size_t data_length,
162     uint8_t *key_buffer, size_t key_buffer_size,
163     size_t *key_buffer_length, size_t *bits )
164 {
165     psa_status_t status;
166     mbedtls_rsa_context *rsa = NULL;
167 
168     /* Parse input */
169     status = mbedtls_psa_rsa_load_representation( attributes->core.type,
170                                                   data,
171                                                   data_length,
172                                                   &rsa );
173     if( status != PSA_SUCCESS )
174         goto exit;
175 
176     *bits = (psa_key_bits_t) PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( rsa ) );
177 
178     /* Re-export the data to PSA export format, such that we can store export
179      * representation in the key slot. Export representation in case of RSA is
180      * the smallest representation that's allowed as input, so a straight-up
181      * allocation of the same size as the input buffer will be large enough. */
182     status = mbedtls_psa_rsa_export_key( attributes->core.type,
183                                          rsa,
184                                          key_buffer,
185                                          key_buffer_size,
186                                          key_buffer_length );
187 exit:
188     /* Always free the RSA object */
189     mbedtls_rsa_free( rsa );
190     mbedtls_free( rsa );
191 
192     return( status );
193 }
194 
mbedtls_psa_rsa_export_key(psa_key_type_t type,mbedtls_rsa_context * rsa,uint8_t * data,size_t data_size,size_t * data_length)195 psa_status_t mbedtls_psa_rsa_export_key( psa_key_type_t type,
196                                          mbedtls_rsa_context *rsa,
197                                          uint8_t *data,
198                                          size_t data_size,
199                                          size_t *data_length )
200 {
201 #if defined(MBEDTLS_PK_WRITE_C)
202     int ret;
203     mbedtls_pk_context pk;
204     uint8_t *pos = data + data_size;
205 
206     mbedtls_pk_init( &pk );
207     pk.pk_info = &mbedtls_rsa_info;
208     pk.pk_ctx = rsa;
209 
210     /* PSA Crypto API defines the format of an RSA key as a DER-encoded
211      * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
212      * private key and of the RFC3279 RSAPublicKey for a public key. */
213     if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
214         ret = mbedtls_pk_write_key_der( &pk, data, data_size );
215     else
216         ret = mbedtls_pk_write_pubkey( &pos, data, &pk );
217 
218     if( ret < 0 )
219     {
220         /* Clean up in case pk_write failed halfway through. */
221         memset( data, 0, data_size );
222         return( mbedtls_to_psa_error( ret ) );
223     }
224 
225     /* The mbedtls_pk_xxx functions write to the end of the buffer.
226      * Move the data to the beginning and erase remaining data
227      * at the original location. */
228     if( 2 * (size_t) ret <= data_size )
229     {
230         memcpy( data, data + data_size - ret, ret );
231         memset( data + data_size - ret, 0, ret );
232     }
233     else if( (size_t) ret < data_size )
234     {
235         memmove( data, data + data_size - ret, ret );
236         memset( data + ret, 0, data_size - ret );
237     }
238 
239     *data_length = ret;
240     return( PSA_SUCCESS );
241 #else
242     (void) type;
243     (void) rsa;
244     (void) data;
245     (void) data_size;
246     (void) data_length;
247     return( PSA_ERROR_NOT_SUPPORTED );
248 #endif /* MBEDTLS_PK_WRITE_C */
249 }
250 
rsa_export_public_key(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,uint8_t * data,size_t data_size,size_t * data_length)251 static psa_status_t rsa_export_public_key(
252     const psa_key_attributes_t *attributes,
253     const uint8_t *key_buffer, size_t key_buffer_size,
254     uint8_t *data, size_t data_size, size_t *data_length )
255 {
256     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
257     mbedtls_rsa_context *rsa = NULL;
258 
259     status = mbedtls_psa_rsa_load_representation(
260                  attributes->core.type, key_buffer, key_buffer_size, &rsa );
261     if( status != PSA_SUCCESS )
262         return( status );
263 
264     status = mbedtls_psa_rsa_export_key( PSA_KEY_TYPE_RSA_PUBLIC_KEY,
265                                          rsa,
266                                          data,
267                                          data_size,
268                                          data_length );
269 
270     mbedtls_rsa_free( rsa );
271     mbedtls_free( rsa );
272 
273     return( status );
274 }
275 #endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
276         * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
277 
278 #if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
279     defined(MBEDTLS_GENPRIME)
psa_rsa_read_exponent(const uint8_t * domain_parameters,size_t domain_parameters_size,int * exponent)280 static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters,
281                                            size_t domain_parameters_size,
282                                            int *exponent )
283 {
284     size_t i;
285     uint32_t acc = 0;
286 
287     if( domain_parameters_size == 0 )
288     {
289         *exponent = 65537;
290         return( PSA_SUCCESS );
291     }
292 
293     /* Mbed TLS encodes the public exponent as an int. For simplicity, only
294      * support values that fit in a 32-bit integer, which is larger than
295      * int on just about every platform anyway. */
296     if( domain_parameters_size > sizeof( acc ) )
297         return( PSA_ERROR_NOT_SUPPORTED );
298     for( i = 0; i < domain_parameters_size; i++ )
299         acc = ( acc << 8 ) | domain_parameters[i];
300     if( acc > INT_MAX )
301         return( PSA_ERROR_NOT_SUPPORTED );
302     *exponent = acc;
303     return( PSA_SUCCESS );
304 }
305 
rsa_generate_key(const psa_key_attributes_t * attributes,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length)306 static psa_status_t rsa_generate_key(
307     const psa_key_attributes_t *attributes,
308     uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
309 {
310     psa_status_t status;
311     mbedtls_rsa_context rsa;
312     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
313     int exponent;
314 
315     status = psa_rsa_read_exponent( attributes->domain_parameters,
316                                     attributes->domain_parameters_size,
317                                     &exponent );
318     if( status != PSA_SUCCESS )
319         return( status );
320 
321     mbedtls_rsa_init( &rsa );
322     ret = mbedtls_rsa_gen_key( &rsa,
323                                mbedtls_psa_get_random,
324                                MBEDTLS_PSA_RANDOM_STATE,
325                                (unsigned int)attributes->core.bits,
326                                exponent );
327     if( ret != 0 )
328         return( mbedtls_to_psa_error( ret ) );
329 
330     status = mbedtls_psa_rsa_export_key( attributes->core.type,
331                                          &rsa, key_buffer, key_buffer_size,
332                                          key_buffer_length );
333     mbedtls_rsa_free( &rsa );
334 
335     return( status );
336 }
337 #endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
338         * defined(MBEDTLS_GENPRIME) */
339 
340 /****************************************************************/
341 /* Sign/verify hashes */
342 /****************************************************************/
343 
344 #if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(BUILTIN_ALG_RSA_PSS)
345 
346 /* Decode the hash algorithm from alg and store the mbedtls encoding in
347  * md_alg. Verify that the hash length is acceptable. */
psa_rsa_decode_md_type(psa_algorithm_t alg,size_t hash_length,mbedtls_md_type_t * md_alg)348 static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
349                                             size_t hash_length,
350                                             mbedtls_md_type_t *md_alg )
351 {
352     psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
353     const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
354     *md_alg = mbedtls_md_get_type( md_info );
355 
356     /* The Mbed TLS RSA module uses an unsigned int for hash length
357      * parameters. Validate that it fits so that we don't risk an
358      * overflow later. */
359 #if SIZE_MAX > UINT_MAX
360     if( hash_length > UINT_MAX )
361         return( PSA_ERROR_INVALID_ARGUMENT );
362 #endif
363 
364     /* For signatures using a hash, the hash length must be correct. */
365     if( alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
366     {
367         if( md_info == NULL )
368             return( PSA_ERROR_NOT_SUPPORTED );
369         if( mbedtls_md_get_size( md_info ) != hash_length )
370             return( PSA_ERROR_INVALID_ARGUMENT );
371     }
372 
373     return( PSA_SUCCESS );
374 }
375 
rsa_sign_hash(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)376 static psa_status_t rsa_sign_hash(
377     const psa_key_attributes_t *attributes,
378     const uint8_t *key_buffer, size_t key_buffer_size,
379     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
380     uint8_t *signature, size_t signature_size, size_t *signature_length )
381 {
382     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
383     mbedtls_rsa_context *rsa = NULL;
384     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
385     mbedtls_md_type_t md_alg;
386 
387     status = mbedtls_psa_rsa_load_representation( attributes->core.type,
388                                                   key_buffer,
389                                                   key_buffer_size,
390                                                   &rsa );
391     if( status != PSA_SUCCESS )
392         return( status );
393 
394     status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
395     if( status != PSA_SUCCESS )
396         goto exit;
397 
398     if( signature_size < mbedtls_rsa_get_len( rsa ) )
399     {
400         status = PSA_ERROR_BUFFER_TOO_SMALL;
401         goto exit;
402     }
403 
404 #if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
405     if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
406     {
407         ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
408                                        MBEDTLS_MD_NONE );
409         if( ret == 0 )
410         {
411             ret = mbedtls_rsa_pkcs1_sign( rsa,
412                                           mbedtls_psa_get_random,
413                                           MBEDTLS_PSA_RANDOM_STATE,
414                                           md_alg,
415                                           (unsigned int) hash_length,
416                                           hash,
417                                           signature );
418         }
419     }
420     else
421 #endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
422 #if defined(BUILTIN_ALG_RSA_PSS)
423     if( PSA_ALG_IS_RSA_PSS( alg ) )
424     {
425         ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
426 
427         if( ret == 0 )
428         {
429             ret = mbedtls_rsa_rsassa_pss_sign( rsa,
430                                                mbedtls_psa_get_random,
431                                                MBEDTLS_PSA_RANDOM_STATE,
432                                                MBEDTLS_MD_NONE,
433                                                (unsigned int) hash_length,
434                                                hash,
435                                                signature );
436         }
437     }
438     else
439 #endif /* BUILTIN_ALG_RSA_PSS */
440     {
441         status = PSA_ERROR_INVALID_ARGUMENT;
442         goto exit;
443     }
444 
445     if( ret == 0 )
446         *signature_length = mbedtls_rsa_get_len( rsa );
447     status = mbedtls_to_psa_error( ret );
448 
449 exit:
450     mbedtls_rsa_free( rsa );
451     mbedtls_free( rsa );
452 
453     return( status );
454 }
455 
456 #if defined(BUILTIN_ALG_RSA_PSS)
rsa_pss_expected_salt_len(psa_algorithm_t alg,const mbedtls_rsa_context * rsa,size_t hash_length)457 static int rsa_pss_expected_salt_len( psa_algorithm_t alg,
458                                       const mbedtls_rsa_context *rsa,
459                                       size_t hash_length )
460 {
461     if( PSA_ALG_IS_RSA_PSS_ANY_SALT( alg ) )
462         return( MBEDTLS_RSA_SALT_LEN_ANY );
463     /* Otherwise: standard salt length, i.e. largest possible salt length
464      * up to the hash length. */
465     int klen = (int) mbedtls_rsa_get_len( rsa ); // known to fit
466     int hlen = (int) hash_length; // known to fit
467     int room = klen - 2 - hlen;
468     if( room < 0 )
469         return( 0 ); // there is no valid signature in this case anyway
470     else if( room > hlen )
471         return( hlen );
472     else
473         return( room );
474 }
475 #endif
476 
rsa_verify_hash(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)477 static psa_status_t rsa_verify_hash(
478     const psa_key_attributes_t *attributes,
479     const uint8_t *key_buffer, size_t key_buffer_size,
480     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
481     const uint8_t *signature, size_t signature_length )
482 {
483     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
484     mbedtls_rsa_context *rsa = NULL;
485     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
486     mbedtls_md_type_t md_alg;
487 
488     status = mbedtls_psa_rsa_load_representation( attributes->core.type,
489                                                   key_buffer,
490                                                   key_buffer_size,
491                                                   &rsa );
492     if( status != PSA_SUCCESS )
493         goto exit;
494 
495     status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
496     if( status != PSA_SUCCESS )
497         goto exit;
498 
499     if( signature_length != mbedtls_rsa_get_len( rsa ) )
500     {
501         status = PSA_ERROR_INVALID_SIGNATURE;
502         goto exit;
503     }
504 
505 #if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN)
506     if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
507     {
508         ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
509                                        MBEDTLS_MD_NONE );
510         if( ret == 0 )
511         {
512             ret = mbedtls_rsa_pkcs1_verify( rsa,
513                                             md_alg,
514                                             (unsigned int) hash_length,
515                                             hash,
516                                             signature );
517         }
518     }
519     else
520 #endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */
521 #if defined(BUILTIN_ALG_RSA_PSS)
522     if( PSA_ALG_IS_RSA_PSS( alg ) )
523     {
524         ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
525         if( ret == 0 )
526         {
527             int slen = rsa_pss_expected_salt_len( alg, rsa, hash_length );
528             ret = mbedtls_rsa_rsassa_pss_verify_ext( rsa,
529                                                      md_alg,
530                                                      (unsigned) hash_length,
531                                                      hash,
532                                                      md_alg,
533                                                      slen,
534                                                      signature );
535         }
536     }
537     else
538 #endif /* BUILTIN_ALG_RSA_PSS */
539     {
540         status = PSA_ERROR_INVALID_ARGUMENT;
541         goto exit;
542     }
543 
544     /* Mbed TLS distinguishes "invalid padding" from "valid padding but
545      * the rest of the signature is invalid". This has little use in
546      * practice and PSA doesn't report this distinction. */
547     status = ( ret == MBEDTLS_ERR_RSA_INVALID_PADDING ) ?
548              PSA_ERROR_INVALID_SIGNATURE :
549              mbedtls_to_psa_error( ret );
550 
551 exit:
552     mbedtls_rsa_free( rsa );
553     mbedtls_free( rsa );
554 
555     return( status );
556 }
557 
558 #endif /* defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
559         * defined(BUILTIN_ALG_RSA_PSS) */
560 
561 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
562     defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
563 
mbedtls_psa_rsa_import_key(const psa_key_attributes_t * attributes,const uint8_t * data,size_t data_length,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length,size_t * bits)564 psa_status_t mbedtls_psa_rsa_import_key(
565     const psa_key_attributes_t *attributes,
566     const uint8_t *data, size_t data_length,
567     uint8_t *key_buffer, size_t key_buffer_size,
568     size_t *key_buffer_length, size_t *bits )
569 {
570     return( rsa_import_key( attributes, data, data_length,
571                             key_buffer, key_buffer_size,
572                             key_buffer_length, bits ) );
573 }
574 
mbedtls_psa_rsa_export_public_key(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,uint8_t * data,size_t data_size,size_t * data_length)575 psa_status_t mbedtls_psa_rsa_export_public_key(
576     const psa_key_attributes_t *attributes,
577     const uint8_t *key_buffer, size_t key_buffer_size,
578     uint8_t *data, size_t data_size, size_t *data_length )
579 {
580     return( rsa_export_public_key( attributes, key_buffer, key_buffer_size,
581                                    data, data_size, data_length ) );
582 }
583 
584 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
585         * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
586 
587 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
588     defined(MBEDTLS_GENPRIME)
mbedtls_psa_rsa_generate_key(const psa_key_attributes_t * attributes,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length)589 psa_status_t mbedtls_psa_rsa_generate_key(
590     const psa_key_attributes_t *attributes,
591     uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
592 {
593     return( rsa_generate_key( attributes, key_buffer, key_buffer_size,
594                               key_buffer_length ) );
595 }
596 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
597         * defined(MBEDTLS_GENPRIME) */
598 
599 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
600     defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
mbedtls_psa_rsa_sign_hash(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)601 psa_status_t mbedtls_psa_rsa_sign_hash(
602     const psa_key_attributes_t *attributes,
603     const uint8_t *key_buffer, size_t key_buffer_size,
604     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
605     uint8_t *signature, size_t signature_size, size_t *signature_length )
606 {
607     return( rsa_sign_hash(
608                 attributes,
609                 key_buffer, key_buffer_size,
610                 alg, hash, hash_length,
611                 signature, signature_size, signature_length ) );
612 }
613 
mbedtls_psa_rsa_verify_hash(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)614 psa_status_t mbedtls_psa_rsa_verify_hash(
615     const psa_key_attributes_t *attributes,
616     const uint8_t *key_buffer, size_t key_buffer_size,
617     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
618     const uint8_t *signature, size_t signature_length )
619 {
620     return( rsa_verify_hash(
621                 attributes,
622                 key_buffer, key_buffer_size,
623                 alg, hash, hash_length,
624                 signature, signature_length ) );
625 }
626 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
627         * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
628 
629 /*
630  * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY.
631  */
632 
633 #if defined(PSA_CRYPTO_DRIVER_TEST)
634 
635 #if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
636     defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
637 
mbedtls_test_driver_rsa_import_key(const psa_key_attributes_t * attributes,const uint8_t * data,size_t data_length,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length,size_t * bits)638 psa_status_t mbedtls_test_driver_rsa_import_key(
639     const psa_key_attributes_t *attributes,
640     const uint8_t *data, size_t data_length,
641     uint8_t *key_buffer, size_t key_buffer_size,
642     size_t *key_buffer_length, size_t *bits )
643 {
644     return( rsa_import_key( attributes, data, data_length,
645                             key_buffer, key_buffer_size,
646                             key_buffer_length, bits ) );
647 }
648 
mbedtls_test_driver_rsa_export_public_key(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,uint8_t * data,size_t data_size,size_t * data_length)649 psa_status_t mbedtls_test_driver_rsa_export_public_key(
650     const psa_key_attributes_t *attributes,
651     const uint8_t *key_buffer, size_t key_buffer_size,
652     uint8_t *data, size_t data_size, size_t *data_length )
653 {
654     return( rsa_export_public_key( attributes, key_buffer, key_buffer_size,
655                                    data, data_size, data_length ) );
656 }
657 
658 #endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ||
659           defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) */
660 
661 #if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
mbedtls_transparent_test_driver_rsa_generate_key(const psa_key_attributes_t * attributes,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length)662 psa_status_t mbedtls_transparent_test_driver_rsa_generate_key(
663     const psa_key_attributes_t *attributes,
664     uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
665 {
666     return( rsa_generate_key( attributes, key_buffer, key_buffer_size,
667                               key_buffer_length ) );
668 }
669 #endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) */
670 
671 #if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || \
672     defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
mbedtls_transparent_test_driver_rsa_sign_hash(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)673 psa_status_t mbedtls_transparent_test_driver_rsa_sign_hash(
674     const psa_key_attributes_t *attributes,
675     const uint8_t *key_buffer, size_t key_buffer_size,
676     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
677     uint8_t *signature, size_t signature_size, size_t *signature_length )
678 {
679 #if defined(MBEDTLS_RSA_C) && \
680     (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21))
681     return( rsa_sign_hash(
682                 attributes,
683                 key_buffer, key_buffer_size,
684                 alg, hash, hash_length,
685                 signature, signature_size, signature_length ) );
686 #else
687     (void)attributes;
688     (void)key_buffer;
689     (void)key_buffer_size;
690     (void)alg;
691     (void)hash;
692     (void)hash_length;
693     (void)signature;
694     (void)signature_size;
695     (void)signature_length;
696     return( PSA_ERROR_NOT_SUPPORTED );
697 #endif
698 }
699 
mbedtls_transparent_test_driver_rsa_verify_hash(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)700 psa_status_t mbedtls_transparent_test_driver_rsa_verify_hash(
701     const psa_key_attributes_t *attributes,
702     const uint8_t *key_buffer, size_t key_buffer_size,
703     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
704     const uint8_t *signature, size_t signature_length )
705 {
706 #if defined(MBEDTLS_RSA_C) && \
707     (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21))
708     return( rsa_verify_hash(
709                 attributes,
710                 key_buffer, key_buffer_size,
711                 alg, hash, hash_length,
712                 signature, signature_length ) );
713 #else
714     (void)attributes;
715     (void)key_buffer;
716     (void)key_buffer_size;
717     (void)alg;
718     (void)hash;
719     (void)hash_length;
720     (void)signature;
721     (void)signature_length;
722     return( PSA_ERROR_NOT_SUPPORTED );
723 #endif
724 }
725 #endif /* defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) ||
726         * defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) */
727 
728 #endif /* PSA_CRYPTO_DRIVER_TEST */
729 
730 #endif /* MBEDTLS_PSA_CRYPTO_C */
731