Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME #4546

Merged
merged 2 commits into from
May 27, 2021
Merged

[Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME #4546

merged 2 commits into from
May 27, 2021

Conversation

Patater
Copy link
Contributor

@Patater Patater commented May 21, 2021
edited by gilles-peskine-arm
Loading

Backport of #4513

Description

On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero jaeden.amero@arm.com

Status

READY

Requires Backporting

Yes, development_2.x

Migrations

NO

Additional comments

Any additional information that could be of interest

Todos

  • Tests
  • [ ] Documentation
  • Changelog updated
  • Backported

Steps to test or reproduce

Build with MBEDTLS_GENPRIME unset.

Patater added 2 commits May 21, 2021 10:20
@Patater
psa: Add missing RSA test dependency
9657334 
The test "PSA generate key: RSA, 1024 bits, good, encrypt (OAEP
SHA-256)" had a dependency on MBEDTLS_GENPRIME, but this was not listed
in the dependencies. Add MBEDTLS_GENPRIME to the test's dependencies to
ensure it has what it needs to run.

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
@Patater
psa: Support RSA signature without MBEDTLS_GENPRIME
c17f293 
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
@Patater Patater mentioned this pull request May 21, 2021
Merged
4 tasks
@Patater Patater changed the title psa: Support RSA signature without MBEDTLS_GENPRIME [Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME May 21, 2021
@tom-daubney-arm tom-daubney-arm added needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review size-s Estimated task size: small (~2d) component-psa PSA keystore/dispatch layer (storage, drivers, …) labels May 24, 2021
@gilles-peskine-arm gilles-peskine-arm added single-reviewer This PR qualifies for having only one reviewer and removed needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review labels May 25, 2021
@ronald-cron-arm ronald-cron-arm merged commit 9df7209 into Mbed-TLS:development_2.x May 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ronald-cron-arm ronald-cron-arm ronald-cron-arm approved these changes

@gilles-peskine-arm gilles-peskine-arm gilles-peskine-arm approved these changes

Assignees
No one assigned
Labels
component-psa PSA keystore/dispatch layer (storage, drivers, …) single-reviewer This PR qualifies for having only one reviewer size-s Estimated task size: small (~2d)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Patater @gilles-peskine-arm @ronald-cron-arm @tom-daubney-arm