Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Export RSA key attributes from mbedtls context to support TLSv1.3 #202

Merged
merged 9 commits into from
Oct 16, 2024
Merged

Export RSA key attributes from mbedtls context to support TLSv1.3 #202

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
e4018ff
Populate RSA key from mbedtls context to support TLSv1.3
DakshitBabbar Oct 10, 2024
426774f
Fix CI build failures
kar-rahul-aws Oct 14, 2024
8ae6f40
Fix unit tests
aggarg Oct 14, 2024
473f865
Fix system tests
aggarg Oct 15, 2024
531a733
Fix cbmc
aggarg Oct 15, 2024
6b3e78c
Fix CI checks
aggarg Oct 15, 2024
ed94018
Add unit tests for changes in source
kar-rahul-aws Oct 16, 2024
ccf4c20
Fix formatting
kar-rahul-aws Oct 16, 2024
65d4ac7
Fix sanitizer failures
aggarg Oct 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/.cSpellWords.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ DUNITTEST
DUNITY
ecdh
ecjpake
EABNVYL
ECKEY
FAAOCAQE
Fithb
Expand All @@ -51,6 +52,7 @@ HKDF
isystem
JITP
JITR
JLATES
Karthikeyan
lcov
LPDWORD
Expand Down Expand Up @@ -103,11 +105,14 @@ utest
vect
Vect
VECT
VEIQ
VQIDAQAB
Wunused
xfindobjectwithlabelandclass
xgetslotlist
xinitializepkcs
xtea
XTEA
yfiv
zeroize
ZEROIZE
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ locations below:
| Location |
| :------------------------------------------------------------------------------------------------------------------: |
| [AWS IoT Device SDK for Embedded C](https://github.com/aws/aws-iot-device-sdk-embedded-C#releases-and-documentation) |
| [FreeRTOS.org](https://freertos.org/Documentation/api-ref/corePKCS11/docs/doxygen/output/html/index.html) |
| [FreeRTOS.org](https://freertos.github.io/corePKCS11/v3.6.1/) |

Note that the latest included version of corePKCS11 may differ across
repositories.
Expand Down
8 changes: 4 additions & 4 deletions docs/doxygen/include/size_table.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,12 @@
</tr>
<tr>
<td>core_pkcs11_mbedtls.c</td>
<td><center>9.0K</center></td>
<td><center>7.4K</center></td>
<td><center>9.4K</center></td>
<td><center>7.7K</center></td>
</tr>
<tr>
<td><b>Total estimates</b></td>
<td><b><center>10.3K</center></b></td>
<td><b><center>8.4K</center></b></td>
<td><b><center>10.7K</center></b></td>
<td><b><center>8.7K</center></b></td>
</tr>
</table>
198 changes: 189 additions & 9 deletions source/portable/mbedtls/core_pkcs11_mbedtls.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -779,6 +779,156 @@ static CK_RV prvRsaContextParse( const CK_ATTRIBUTE * pxAttribute,
return xResult;
}

/**
* @brief Populates attribute values for an RSA key from the mbed TLS context.
*/
static CK_RV prvGetAttributesFromRsaContext( CK_ATTRIBUTE * pxAttribute,
const mbedtls_rsa_context * pxRsaContext )
{
CK_RV xResult = CKR_OK;
int32_t lMbedTLSResult = 0;
mbedtls_mpi * pxMpi = ( mbedtls_mpi * ) pxAttribute->pValue;

mbedtls_mpi_init( pxMpi );

switch( pxAttribute->type )
{
case ( CKA_MODULUS ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->N.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
pxMpi, /* N */
NULL, /* P */
NULL, /* Q */
NULL, /* D */
NULL ); /* E */
}

break;

case ( CKA_PUBLIC_EXPONENT ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->E.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
NULL, /* P */
NULL, /* Q */
NULL, /* D */
pxMpi ); /* E */
}

break;

case ( CKA_PRIME_1 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->P.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
pxMpi, /* P */
NULL, /* Q */
NULL, /* D */
NULL ); /* E */
}

break;

case ( CKA_PRIME_2 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->Q.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
NULL, /* P */
pxMpi, /* Q */
NULL, /* D */
NULL ); /* E */
}

break;

case ( CKA_PRIVATE_EXPONENT ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->D.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
NULL, /* P */
NULL, /* Q */
pxMpi, /* D */
NULL ); /* E */
}

break;

case ( CKA_EXPONENT_1 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->DP.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
pxMpi, /* DP */
NULL, /* DQ */
NULL ); /* QP */
}

break;

case ( CKA_EXPONENT_2 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->DQ.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
NULL, /* DP */
pxMpi, /* DQ */
NULL ); /* QP */
}

break;

default:

/* This is the CKA_COEFFICIENT case. The type is checked in
* C_GetAttributeValue. */
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->QP.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
NULL, /* DP */
NULL, /* DQ */
pxMpi ); /* QP */
}

break;
}

if( lMbedTLSResult != 0 )
{
LogError( ( "Failed to parse RSA private key attributes: mbed TLS error = %s : %s.",
mbedtlsHighLevelCodeOrDefault( lMbedTLSResult ),
mbedtlsLowLevelCodeOrDefault( lMbedTLSResult ) ) );
xResult = CKR_FUNCTION_FAILED;
}

return xResult;
}

/**
* @brief Parses attribute values for a RSA Key.
*/
Expand Down Expand Up @@ -3076,6 +3226,7 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,
mbedtls_x509_crt xMbedX509Context = { 0 };
mbedtls_pk_type_t xKeyType;
const mbedtls_ecp_keypair * pxKeyPair;
const mbedtls_rsa_context * pxRsaContext;
CK_KEY_TYPE xPkcsKeyType = ( CK_KEY_TYPE ) ~0UL;
CK_OBJECT_CLASS xClass = ~0UL;
CK_BYTE_PTR pxObjectValue = NULL;
Expand Down Expand Up @@ -3294,15 +3445,6 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,

break;

case CKA_PRIVATE_EXPONENT:

LogError( ( "Failed to parse attribute. "
"CKA_PRIVATE_EXPONENT is private data." ) );
xResult = CKR_ATTRIBUTE_SENSITIVE;
pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;

break;

case CKA_EC_PARAMS:

if( pTemplate[ iAttrib ].pValue == NULL )
Expand Down Expand Up @@ -3384,6 +3526,44 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,

break;

case CKA_MODULUS:
case CKA_PUBLIC_EXPONENT:
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_PRIVATE_EXPONENT:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:

if( pTemplate[ iAttrib ].pValue == NULL )
{
pTemplate[ iAttrib ].ulValueLen = sizeof( mbedtls_mpi );
}
else
{
if( pTemplate[ iAttrib ].ulValueLen == sizeof( mbedtls_mpi ) )
{
pxRsaContext = ( mbedtls_rsa_context * ) xKeyContext.pk_ctx;

if( pxRsaContext != NULL )
{
xResult = prvGetAttributesFromRsaContext( &( pTemplate[ iAttrib ] ),
pxRsaContext );
}
else
{
xResult = CKR_FUNCTION_FAILED;
pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;
}
}
else
{
xResult = CKR_BUFFER_TOO_SMALL;
}
}

break;

default:
LogError( ( "Failed to parse attribute. Received unknown "
"attribute type." ) );
Expand Down
2 changes: 1 addition & 1 deletion test/mbedtls_integration/mbedtls_integration_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -954,7 +954,7 @@ static void commonValidateCredentialStorageRSA( const char * pPrivateKeyLabel,
TEST_ASSERT_EQUAL_MEMORY_MESSAGE( expectedCertInDer, template.pValue, template.ulValueLen, "GetAttributeValue returned incorrect data for RSA certificate" );

/* Check that the private key cannot be retrieved. */
template.type = CKA_PRIVATE_EXPONENT;
template.type = CKA_VALUE;
template.pValue = keyComponent;
template.ulValueLen = sizeof( keyComponent );
result = globalFunctionList->C_GetAttributeValue( globalSession, privateKeyHandle, &template, 1 );
Expand Down
Loading
Loading