Commit 1001202d authored by Soby Mathew's avatar Soby Mathew
Browse files

Add support for RSASSAPSS algorithm in mbedtls crypto driver



This patch adds support for RSASSA-PSS Signature Algorithm for
X509 certificates in mbedtls crypto driver. Now the driver supports
RSA PKCS2_1 standard as mandated by TBBR.

NOTE: With this patch, the PKCS1_5 standard compliant RSA signature
is deprecated.

Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
parent 38aacad3
...@@ -60,7 +60,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -60,7 +60,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
mbedtls_asn1_buf signature; mbedtls_asn1_buf signature;
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
mbedtls_pk_type_t pk_alg; mbedtls_pk_type_t pk_alg;
mbedtls_pk_context pk; mbedtls_pk_context pk = {0};
int rc; int rc;
void *sig_opts = NULL; void *sig_opts = NULL;
const mbedtls_md_info_t *md_info; const mbedtls_md_info_t *md_info;
...@@ -76,7 +76,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -76,7 +76,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
} }
/* Get the actual signature algorithm (MD + PK) */ /* Get the actual signature algorithm (MD + PK) */
rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_SIGNATURE; return CRYPTO_ERR_SIGNATURE;
} }
...@@ -87,7 +87,8 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -87,7 +87,8 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
end = (unsigned char *)(p + pk_len); end = (unsigned char *)(p + pk_len);
rc = mbedtls_pk_parse_subpubkey(&p, end, &pk); rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end2;
} }
/* Get the signature (bitstring) */ /* Get the signature (bitstring) */
...@@ -97,7 +98,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -97,7 +98,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len); rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
if (rc != 0) { if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end1;
} }
signature.p = p; signature.p = p;
...@@ -105,13 +106,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -105,13 +106,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
md_info = mbedtls_md_info_from_type(md_alg); md_info = mbedtls_md_info_from_type(md_alg);
if (md_info == NULL) { if (md_info == NULL) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end1;
} }
p = (unsigned char *)data_ptr; p = (unsigned char *)data_ptr;
rc = mbedtls_md(md_info, p, data_len, hash); rc = mbedtls_md(md_info, p, data_len, hash);
if (rc != 0) { if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end1;
} }
/* Verify the signature */ /* Verify the signature */
...@@ -120,14 +121,16 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -120,14 +121,16 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
signature.p, signature.len); signature.p, signature.len);
if (rc != 0) { if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end1;
} }
/* Signature verification success */ /* Signature verification success */
rc = CRYPTO_SUCCESS; rc = CRYPTO_SUCCESS;
end: end1:
mbedtls_pk_free(&pk); mbedtls_pk_free(&pk);
end2:
mbedtls_free(sig_opts);
return rc; return rc;
} }
......
...@@ -22,12 +22,15 @@ ...@@ -22,12 +22,15 @@
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */ /* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT #define MBEDTLS_PLATFORM_SNPRINTF_ALT
#if !ERROR_DEPRECATED
#define MBEDTLS_PKCS1_V15 #define MBEDTLS_PKCS1_V15
#endif
#define MBEDTLS_PKCS1_V21 #define MBEDTLS_PKCS1_V21
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION #define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
#define MBEDTLS_X509_CHECK_KEY_USAGE #define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_ASN1_WRITE_C
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment