Export RSA key attributes from mbedtls context to support TLSv1.3 (#202)
Export RSA key attributes from mbedtls context to support TLSv1.3
DakshitBabbar authored Oct 16, 2024
1 parent a5cd1c0 commit 470ccc3
Showing 7 changed files with 675 additions and 40 deletions.
5 changes: 5 additions & 0 deletions .github/.cSpellWords.txt
Expand Up @@ -37,6 +37,7 @@ DUNITTEST
DUNITY
ecdh
ecjpake
EABNVYL
ECKEY
FAAOCAQE
Fithb
Expand All @@ -51,6 +52,7 @@ HKDF
isystem
JITP
JITR
JLATES
Karthikeyan
lcov
LPDWORD
Expand Down Expand Up @@ -103,11 +105,14 @@ utest
vect
Vect
VECT
VEIQ
VQIDAQAB
Wunused
xfindobjectwithlabelandclass
xgetslotlist
xinitializepkcs
xtea
XTEA
yfiv
zeroize
ZEROIZE
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -192,7 +192,7 @@ locations below:
| Location |
| :------------------------------------------------------------------------------------------------------------------: |
| [AWS IoT Device SDK for Embedded C](https://github.com/aws/aws-iot-device-sdk-embedded-C#releases-and-documentation) |
| [FreeRTOS.org](https://freertos.org/Documentation/api-ref/corePKCS11/docs/doxygen/output/html/index.html) |
| [FreeRTOS.org](https://freertos.github.io/corePKCS11/v3.6.1/) |

Note that the latest included version of corePKCS11 may differ across
repositories.
8 changes: 4 additions & 4 deletions docs/doxygen/include/size_table.md
Expand Up @@ -19,12 +19,12 @@
</tr>
<tr>
<td>core_pkcs11_mbedtls.c</td>
<td><center>9.0K</center></td>
<td><center>7.4K</center></td>
<td><center>9.4K</center></td>
<td><center>7.7K</center></td>
</tr>
<tr>
<td><b>Total estimates</b></td>
<td><b><center>10.3K</center></b></td>
<td><b><center>8.4K</center></b></td>
<td><b><center>10.7K</center></b></td>
<td><b><center>8.7K</center></b></td>
</tr>
</table>
198 changes: 189 additions & 9 deletions source/portable/mbedtls/core_pkcs11_mbedtls.c
Expand Up @@ -779,6 +779,156 @@ static CK_RV prvRsaContextParse( const CK_ATTRIBUTE * pxAttribute,
return xResult;
}

/**
* @brief Populates attribute values for an RSA key from the mbed TLS context.
*/
static CK_RV prvGetAttributesFromRsaContext( CK_ATTRIBUTE * pxAttribute,
const mbedtls_rsa_context * pxRsaContext )
{
CK_RV xResult = CKR_OK;
int32_t lMbedTLSResult = 0;
mbedtls_mpi * pxMpi = ( mbedtls_mpi * ) pxAttribute->pValue;

mbedtls_mpi_init( pxMpi );

switch( pxAttribute->type )
{
case ( CKA_MODULUS ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->N.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
pxMpi, /* N */
NULL, /* P */
NULL, /* Q */
NULL, /* D */
NULL ); /* E */
}

break;

case ( CKA_PUBLIC_EXPONENT ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->E.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
NULL, /* P */
NULL, /* Q */
NULL, /* D */
pxMpi ); /* E */
}

break;

case ( CKA_PRIME_1 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->P.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
pxMpi, /* P */
NULL, /* Q */
NULL, /* D */
NULL ); /* E */
}

break;

case ( CKA_PRIME_2 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->Q.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
NULL, /* P */
pxMpi, /* Q */
NULL, /* D */
NULL ); /* E */
}

break;

case ( CKA_PRIVATE_EXPONENT ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->D.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
NULL, /* N */
NULL, /* P */
NULL, /* Q */
pxMpi, /* D */
NULL ); /* E */
}

break;

case ( CKA_EXPONENT_1 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->DP.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
pxMpi, /* DP */
NULL, /* DQ */
NULL ); /* QP */
}

break;

case ( CKA_EXPONENT_2 ):

lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->DQ.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
NULL, /* DP */
pxMpi, /* DQ */
NULL ); /* QP */
}

break;

default:

/* This is the CKA_COEFFICIENT case. The type is checked in
* C_GetAttributeValue. */
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->QP.n );

if( lMbedTLSResult == 0 )
{
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
NULL, /* DP */
NULL, /* DQ */
pxMpi ); /* QP */
}

break;
}

if( lMbedTLSResult != 0 )
{
LogError( ( "Failed to parse RSA private key attributes: mbed TLS error = %s : %s.",
mbedtlsHighLevelCodeOrDefault( lMbedTLSResult ),
mbedtlsLowLevelCodeOrDefault( lMbedTLSResult ) ) );
xResult = CKR_FUNCTION_FAILED;
}

return xResult;
}

/**
* @brief Parses attribute values for a RSA Key.
*/
Expand Down Expand Up @@ -3076,6 +3226,7 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,
mbedtls_x509_crt xMbedX509Context = { 0 };
mbedtls_pk_type_t xKeyType;
const mbedtls_ecp_keypair * pxKeyPair;
const mbedtls_rsa_context * pxRsaContext;
CK_KEY_TYPE xPkcsKeyType = ( CK_KEY_TYPE ) ~0UL;
CK_OBJECT_CLASS xClass = ~0UL;
CK_BYTE_PTR pxObjectValue = NULL;
Expand Down Expand Up @@ -3294,15 +3445,6 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,

break;

case CKA_PRIVATE_EXPONENT:

LogError( ( "Failed to parse attribute. "
"CKA_PRIVATE_EXPONENT is private data." ) );
xResult = CKR_ATTRIBUTE_SENSITIVE;
pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;

break;

case CKA_EC_PARAMS:

if( pTemplate[ iAttrib ].pValue == NULL )
Expand Down Expand Up @@ -3384,6 +3526,44 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,

break;

case CKA_MODULUS:
case CKA_PUBLIC_EXPONENT:
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_PRIVATE_EXPONENT:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:

if( pTemplate[ iAttrib ].pValue == NULL )
{
pTemplate[ iAttrib ].ulValueLen = sizeof( mbedtls_mpi );
}
else
{
if( pTemplate[ iAttrib ].ulValueLen == sizeof( mbedtls_mpi ) )
{
pxRsaContext = ( mbedtls_rsa_context * ) xKeyContext.pk_ctx;

if( pxRsaContext != NULL )
{
xResult = prvGetAttributesFromRsaContext( &( pTemplate[ iAttrib ] ),
pxRsaContext );
}
else
{
xResult = CKR_FUNCTION_FAILED;
pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;
}
}
else
{
xResult = CKR_BUFFER_TOO_SMALL;
}
}

break;

default:
LogError( ( "Failed to parse attribute. Received unknown "
"attribute type." ) );
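Review bot: Private RSA components (CKA_PRIME_1, CKA_PRIME_2, CKA_PRIVATE_EXPONENT, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT) are returned by the new case block in C_GetAttributeValue to any caller holding the object handle, and the earlier hunk removes the branch that answered CKA_PRIVATE_EXPONENT with CKR_ATTRIBUTE_SENSITIVE; no check of the object class or of a sensitive/extractable policy is visible in these lines. If the TLS 1.3 path only needs the public part (its caller is not shown here), keep the private components behind CKR_ATTRIBUTE_SENSITIVE and export only CKA_MODULUS and CKA_PUBLIC_EXPONENT, as sketched below. The cast of `xKeyContext.pk_ctx` is guarded only by a NULL test in this hunk, so unless the key type is established in the elided code, require `mbedtls_pk_get_type( &xKeyContext ) == MBEDTLS_PK_RSA` before treating it as an RSA context. prvGetAttributesFromRsaContext also leaves heap-backed limbs in the caller's `mbedtls_mpi` when the export fails; call `mbedtls_mpi_free( pxMpi )` on the error path and document in its `@brief` that on success the caller owns the MPI and must free it. C_GetAttributeValue starts and ends outside the hunks shown.

```c
case CKA_PRIME_1:
case CKA_PRIME_2:
case CKA_PRIVATE_EXPONENT:
case CKA_EXPONENT_1:
case CKA_EXPONENT_2:
case CKA_COEFFICIENT:

    /* Private RSA components are not returned to the caller. */
    LogError( ( "Failed to parse attribute. "
                "Requested RSA component is private data." ) );
    xResult = CKR_ATTRIBUTE_SENSITIVE;
    pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;

    break;

case CKA_MODULUS:
case CKA_PUBLIC_EXPONENT:

    /* … unchanged: size query, ulValueLen check and export through prvGetAttributesFromRsaContext … */
```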
2 changes: 1 addition & 1 deletion test/mbedtls_integration/mbedtls_integration_test.c
Expand Up @@ -954,7 +954,7 @@ static void commonValidateCredentialStorageRSA( const char * pPrivateKeyLabel,
TEST_ASSERT_EQUAL_MEMORY_MESSAGE( expectedCertInDer, template.pValue, template.ulValueLen, "GetAttributeValue returned incorrect data for RSA certificate" );

/* Check that the private key cannot be retrieved. */
template.type = CKA_PRIVATE_EXPONENT;
template.type = CKA_VALUE;
template.pValue = keyComponent;
template.ulValueLen = sizeof( keyComponent );
result = globalFunctionList->C_GetAttributeValue( globalSession, privateKeyHandle, &template, 1 );
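Review bot: Retargeting this probe from CKA_PRIVATE_EXPONENT to CKA_VALUE leaves the comment "Check that the private key cannot be retrieved" true only for CKA_VALUE, and nothing in the visible lines now pins how C_GetAttributeValue answers a request for an RSA private component. Keep a second probe next to it, `template.type = CKA_PRIVATE_EXPONENT;` followed by the same call and an assertion on the return code the module is meant to give, so that any change in what leaves the module shows up as a test failure. The assertion on `result` and the rest of commonValidateCredentialStorageRSA lie outside the hunk.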