Skip to content

Commit 470ccc3

Browse files
DakshitBabbarDakshitBabbar
authored
Export RSA key attributes from mbedtls context to support TLSv1.3 (#202)
Export RSA key attributes from mbedtls context to support TLSv1.3
1 parent a5cd1c0 commit 470ccc3

File tree

7 files changed

+675
-40
lines changed

7 files changed

+675
-40
lines changed

.github/.cSpellWords.txt

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ DUNITTEST
3737
DUNITY
3838
ecdh
3939
ecjpake
40+
EABNVYL
4041
ECKEY
4142
FAAOCAQE
4243
Fithb
@@ -51,6 +52,7 @@ HKDF
5152
isystem
5253
JITP
5354
JITR
55+
JLATES
5456
Karthikeyan
5557
lcov
5658
LPDWORD
@@ -103,11 +105,14 @@ utest
103105
vect
104106
Vect
105107
VECT
108+
VEIQ
109+
VQIDAQAB
106110
Wunused
107111
xfindobjectwithlabelandclass
108112
xgetslotlist
109113
xinitializepkcs
110114
xtea
111115
XTEA
116+
yfiv
112117
zeroize
113118
ZEROIZE

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -192,7 +192,7 @@ locations below:
192192
| Location |
193193
| :------------------------------------------------------------------------------------------------------------------: |
194194
| [AWS IoT Device SDK for Embedded C](https://github.com/aws/aws-iot-device-sdk-embedded-C#releases-and-documentation) |
195-
| [FreeRTOS.org](https://freertos.org/Documentation/api-ref/corePKCS11/docs/doxygen/output/html/index.html) |
195+
| [FreeRTOS.org](https://freertos.github.io/corePKCS11/v3.6.1/) |
196196

197197
Note that the latest included version of corePKCS11 may differ across
198198
repositories.

docs/doxygen/include/size_table.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -19,12 +19,12 @@
1919
</tr>
2020
<tr>
2121
<td>core_pkcs11_mbedtls.c</td>
22-
<td><center>9.0K</center></td>
23-
<td><center>7.4K</center></td>
22+
<td><center>9.4K</center></td>
23+
<td><center>7.7K</center></td>
2424
</tr>
2525
<tr>
2626
<td><b>Total estimates</b></td>
27-
<td><b><center>10.3K</center></b></td>
28-
<td><b><center>8.4K</center></b></td>
27+
<td><b><center>10.7K</center></b></td>
28+
<td><b><center>8.7K</center></b></td>
2929
</tr>
3030
</table>

source/portable/mbedtls/core_pkcs11_mbedtls.c

Lines changed: 189 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -779,6 +779,156 @@ static CK_RV prvRsaContextParse( const CK_ATTRIBUTE * pxAttribute,
779779
return xResult;
780780
}
781781

782+
/**
783+
* @brief Populates attribute values for an RSA key from the mbed TLS context.
784+
*/
785+
static CK_RV prvGetAttributesFromRsaContext( CK_ATTRIBUTE * pxAttribute,
786+
const mbedtls_rsa_context * pxRsaContext )
787+
{
788+
CK_RV xResult = CKR_OK;
789+
int32_t lMbedTLSResult = 0;
790+
mbedtls_mpi * pxMpi = ( mbedtls_mpi * ) pxAttribute->pValue;
791+
792+
mbedtls_mpi_init( pxMpi );
793+
794+
switch( pxAttribute->type )
795+
{
796+
case ( CKA_MODULUS ):
797+
798+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->N.n );
799+
800+
if( lMbedTLSResult == 0 )
801+
{
802+
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
803+
pxMpi, /* N */
804+
NULL, /* P */
805+
NULL, /* Q */
806+
NULL, /* D */
807+
NULL ); /* E */
808+
}
809+
810+
break;
811+
812+
case ( CKA_PUBLIC_EXPONENT ):
813+
814+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->E.n );
815+
816+
if( lMbedTLSResult == 0 )
817+
{
818+
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
819+
NULL, /* N */
820+
NULL, /* P */
821+
NULL, /* Q */
822+
NULL, /* D */
823+
pxMpi ); /* E */
824+
}
825+
826+
break;
827+
828+
case ( CKA_PRIME_1 ):
829+
830+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->P.n );
831+
832+
if( lMbedTLSResult == 0 )
833+
{
834+
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
835+
NULL, /* N */
836+
pxMpi, /* P */
837+
NULL, /* Q */
838+
NULL, /* D */
839+
NULL ); /* E */
840+
}
841+
842+
break;
843+
844+
case ( CKA_PRIME_2 ):
845+
846+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->Q.n );
847+
848+
if( lMbedTLSResult == 0 )
849+
{
850+
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
851+
NULL, /* N */
852+
NULL, /* P */
853+
pxMpi, /* Q */
854+
NULL, /* D */
855+
NULL ); /* E */
856+
}
857+
858+
break;
859+
860+
case ( CKA_PRIVATE_EXPONENT ):
861+
862+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->D.n );
863+
864+
if( lMbedTLSResult == 0 )
865+
{
866+
lMbedTLSResult = mbedtls_rsa_export( pxRsaContext,
867+
NULL, /* N */
868+
NULL, /* P */
869+
NULL, /* Q */
870+
pxMpi, /* D */
871+
NULL ); /* E */
872+
}
873+
874+
break;
875+
876+
case ( CKA_EXPONENT_1 ):
877+
878+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->DP.n );
879+
880+
if( lMbedTLSResult == 0 )
881+
{
882+
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
883+
pxMpi, /* DP */
884+
NULL, /* DQ */
885+
NULL ); /* QP */
886+
}
887+
888+
break;
889+
890+
case ( CKA_EXPONENT_2 ):
891+
892+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->DQ.n );
893+
894+
if( lMbedTLSResult == 0 )
895+
{
896+
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
897+
NULL, /* DP */
898+
pxMpi, /* DQ */
899+
NULL ); /* QP */
900+
}
901+
902+
break;
903+
904+
default:
905+
906+
/* This is the CKA_COEFFICIENT case. The type is checked in
907+
* C_GetAttributeValue. */
908+
lMbedTLSResult = mbedtls_mpi_grow( pxMpi, pxRsaContext->QP.n );
909+
910+
if( lMbedTLSResult == 0 )
911+
{
912+
lMbedTLSResult = mbedtls_rsa_export_crt( pxRsaContext,
913+
NULL, /* DP */
914+
NULL, /* DQ */
915+
pxMpi ); /* QP */
916+
}
917+
918+
break;
919+
}
920+
921+
if( lMbedTLSResult != 0 )
922+
{
923+
LogError( ( "Failed to parse RSA private key attributes: mbed TLS error = %s : %s.",
924+
mbedtlsHighLevelCodeOrDefault( lMbedTLSResult ),
925+
mbedtlsLowLevelCodeOrDefault( lMbedTLSResult ) ) );
926+
xResult = CKR_FUNCTION_FAILED;
927+
}
928+
929+
return xResult;
930+
}
931+
782932
/**
783933
* @brief Parses attribute values for a RSA Key.
784934
*/
@@ -3076,6 +3226,7 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,
30763226
mbedtls_x509_crt xMbedX509Context = { 0 };
30773227
mbedtls_pk_type_t xKeyType;
30783228
const mbedtls_ecp_keypair * pxKeyPair;
3229+
const mbedtls_rsa_context * pxRsaContext;
30793230
CK_KEY_TYPE xPkcsKeyType = ( CK_KEY_TYPE ) ~0UL;
30803231
CK_OBJECT_CLASS xClass = ~0UL;
30813232
CK_BYTE_PTR pxObjectValue = NULL;
@@ -3294,15 +3445,6 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,
32943445

32953446
break;
32963447

3297-
case CKA_PRIVATE_EXPONENT:
3298-
3299-
LogError( ( "Failed to parse attribute. "
3300-
"CKA_PRIVATE_EXPONENT is private data." ) );
3301-
xResult = CKR_ATTRIBUTE_SENSITIVE;
3302-
pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;
3303-
3304-
break;
3305-
33063448
case CKA_EC_PARAMS:
33073449

33083450
if( pTemplate[ iAttrib ].pValue == NULL )
@@ -3384,6 +3526,44 @@ CK_DECLARE_FUNCTION( CK_RV, C_GetAttributeValue )( CK_SESSION_HANDLE hSession,
33843526

33853527
break;
33863528

3529+
case CKA_MODULUS:
3530+
case CKA_PUBLIC_EXPONENT:
3531+
case CKA_PRIME_1:
3532+
case CKA_PRIME_2:
3533+
case CKA_PRIVATE_EXPONENT:
3534+
case CKA_EXPONENT_1:
3535+
case CKA_EXPONENT_2:
3536+
case CKA_COEFFICIENT:
3537+
3538+
if( pTemplate[ iAttrib ].pValue == NULL )
3539+
{
3540+
pTemplate[ iAttrib ].ulValueLen = sizeof( mbedtls_mpi );
3541+
}
3542+
else
3543+
{
3544+
if( pTemplate[ iAttrib ].ulValueLen == sizeof( mbedtls_mpi ) )
3545+
{
3546+
pxRsaContext = ( mbedtls_rsa_context * ) xKeyContext.pk_ctx;
3547+
3548+
if( pxRsaContext != NULL )
3549+
{
3550+
xResult = prvGetAttributesFromRsaContext( &( pTemplate[ iAttrib ] ),
3551+
pxRsaContext );
3552+
}
3553+
else
3554+
{
3555+
xResult = CKR_FUNCTION_FAILED;
3556+
pTemplate[ iAttrib ].ulValueLen = CK_UNAVAILABLE_INFORMATION;
3557+
}
3558+
}
3559+
else
3560+
{
3561+
xResult = CKR_BUFFER_TOO_SMALL;
3562+
}
3563+
}
3564+
3565+
break;
3566+
33873567
default:
33883568
LogError( ( "Failed to parse attribute. Received unknown "
33893569
"attribute type." ) );

test/mbedtls_integration/mbedtls_integration_test.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -954,7 +954,7 @@ static void commonValidateCredentialStorageRSA( const char * pPrivateKeyLabel,
954954
TEST_ASSERT_EQUAL_MEMORY_MESSAGE( expectedCertInDer, template.pValue, template.ulValueLen, "GetAttributeValue returned incorrect data for RSA certificate" );
955955

956956
/* Check that the private key cannot be retrieved. */
957-
template.type = CKA_PRIVATE_EXPONENT;
957+
template.type = CKA_VALUE;
958958
template.pValue = keyComponent;
959959
template.ulValueLen = sizeof( keyComponent );
960960
result = globalFunctionList->C_GetAttributeValue( globalSession, privateKeyHandle, &template, 1 );

0 commit comments

Comments
 (0)