blob: 6601b3a882cd5f4b075d69dba53ced9d15905b5d [file] [log] [blame]
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +03001/*
Govindraj Rajaa2872f92023-02-03 11:08:00 +00002 * Copyright (c) 2017-2023 ARM Limited and Contributors. All rights reserved.
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +03003 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <assert.h>
8#include <stddef.h>
9#include <string.h>
10
Govindraj Rajafd49e8b2023-02-12 20:19:31 +000011#include <mbedtls/oid.h>
12#include <mbedtls/x509.h>
Claus Pedersen785e66c2022-09-12 22:42:58 +000013
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +030014#include <drivers/arm/cryptocell/713/bsv_api.h>
15#include <drivers/arm/cryptocell/713/bsv_crypto_asym_api.h>
16#include <drivers/auth/crypto_mod.h>
17
Govindraj Rajafd49e8b2023-02-12 20:19:31 +000018#include <platform_def.h>
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +030019
20#define LIB_NAME "CryptoCell 713 SBROM"
21#define RSA_SALT_LEN 32
22#define RSA_EXPONENT 65537
23
24/*
25 * AlgorithmIdentifier ::= SEQUENCE {
26 * algorithm OBJECT IDENTIFIER,
27 * parameters ANY DEFINED BY algorithm OPTIONAL
28 * }
29 *
30 * SubjectPublicKeyInfo ::= SEQUENCE {
31 * algorithm AlgorithmIdentifier,
32 * subjectPublicKey BIT STRING
33 * }
34 *
35 * DigestInfo ::= SEQUENCE {
36 * digestAlgorithm AlgorithmIdentifier,
37 * digest OCTET STRING
38 * }
39 *
40 * RSASSA-PSS-params ::= SEQUENCE {
41 * hashAlgorithm [0] HashAlgorithm,
42 * maskGenAlgorithm [1] MaskGenAlgorithm,
43 * saltLength [2] INTEGER,
44 * trailerField [3] TrailerField DEFAULT trailerFieldBC
45 * }
46 */
47
48/*
49 * Initialize the library and export the descriptor
50 */
51static void init(void)
52{
53 CCError_t ret;
54 uint32_t lcs;
55
56 /* Initialize CC SBROM */
57 ret = CC_BsvInit((uintptr_t)PLAT_CRYPTOCELL_BASE);
58 if (ret != CC_OK) {
59 ERROR("CryptoCell CC_BsvInit() error %x\n", ret);
60 panic();
61 }
62
63 /* Initialize lifecycle state */
64 ret = CC_BsvGetAndInitLcs((uintptr_t)PLAT_CRYPTOCELL_BASE, &lcs);
65 if (ret != CC_OK) {
66 ERROR("CryptoCell CC_BsvGetAndInitLcs() error %x\n", ret);
67 panic();
68 }
69}
70
71/*
72 * Verify a signature.
73 *
74 * Parameters are passed using the DER encoding format following the ASN.1
75 * structures detailed above.
76 */
77static int verify_signature(void *data_ptr, unsigned int data_len,
78 void *sig_ptr, unsigned int sig_len,
79 void *sig_alg, unsigned int sig_alg_len,
80 void *pk_ptr, unsigned int pk_len)
81{
82 CCError_t error;
83 CCBsvNBuff_t NBuff;
84 CCBsvSignature_t signature;
Govindraj Rajaa2872f92023-02-03 11:08:00 +000085 int rc, exp, expected_salt_len;
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +030086 mbedtls_asn1_buf sig_oid, alg_oid, params;
Govindraj Rajaa2872f92023-02-03 11:08:00 +000087 mbedtls_md_type_t md_alg, mgf1_hash_id;
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +030088 mbedtls_pk_type_t pk_alg;
Govindraj Rajaa2872f92023-02-03 11:08:00 +000089
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +030090 size_t len;
91 uint8_t *p, *end;
92 CCHashResult_t digest;
93 CCBool_t is_verified;
94 /* This is a rather large array, we don't want it on stack */
95 static uint32_t workspace[BSV_RSA_WORKSPACE_MIN_SIZE];
96
97 /* Verify the signature algorithm */
98 /* Get pointers to signature OID and parameters */
99 p = sig_alg;
100 end = p + sig_alg_len;
101 rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &params);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000102 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300103 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000104 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300105
106 /* Get the actual signature algorithm (MD + PK) */
107 rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000108 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300109 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000110 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300111
112 /* The CryptoCell only supports RSASSA-PSS signature */
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000113 if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300114 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000115 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300116
117 /* Verify the RSASSA-PSS params */
118 /* The trailer field is verified to be 0xBC internally by this API */
119 rc = mbedtls_x509_get_rsassa_pss_params(&params, &md_alg,
Govindraj Rajaa2872f92023-02-03 11:08:00 +0000120 &mgf1_hash_id,
121 &expected_salt_len);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000122 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300123 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000124 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300125
126 /* The CryptoCell only supports SHA256 as hash algorithm */
127 if (md_alg != MBEDTLS_MD_SHA256 ||
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000128 mgf1_hash_id != MBEDTLS_MD_SHA256) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300129 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000130 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300131
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000132 if (expected_salt_len != RSA_SALT_LEN) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300133 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000134 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300135
136 /* Parse the public key */
137 p = pk_ptr;
138 end = p + pk_len;
139 rc = mbedtls_asn1_get_tag(&p, end, &len,
140 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000141 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300142 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000143 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300144
145 end = p + len;
146 rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000147 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300148 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000149 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300150
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000151 if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300152 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000153 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300154
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000155 if (pk_alg != MBEDTLS_PK_RSA) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300156 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000157 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300158
159 rc = mbedtls_asn1_get_bitstring_null(&p, end, &len);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000160 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300161 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000162 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300163
164 rc = mbedtls_asn1_get_tag(&p, end, &len,
165 MBEDTLS_ASN1_CONSTRUCTED |
166 MBEDTLS_ASN1_SEQUENCE);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000167 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300168 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000169 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300170
171 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000172 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300173 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000174 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300175
176 if (*p == 0) {
177 p++; len--;
178 }
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000179 if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end)) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300180 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000181 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300182
183 /*
184 * Copy N from certificate.
185 */
186 memcpy(NBuff, p, BSV_CERT_RSA_KEY_SIZE_IN_BYTES);
187
188 /* Verify the RSA exponent */
189 p += len;
190 rc = mbedtls_asn1_get_int(&p, end, &exp);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000191 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300192 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000193 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300194
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000195 if (exp != RSA_EXPONENT) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300196 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000197 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300198
199 /* Get the signature (bitstring) */
200 p = sig_ptr;
201 end = p + sig_len;
202 rc = mbedtls_asn1_get_bitstring_null(&p, end, &len);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000203 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300204 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000205 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300206
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000207 if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end)) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300208 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000209 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300210
211 /*
212 * Copy the signature (in BE format)
213 */
214 memcpy((uint8_t *)signature, p, BSV_CERT_RSA_KEY_SIZE_IN_BYTES);
215
216 error = CC_BsvSha256((uintptr_t)PLAT_CRYPTOCELL_BASE,
217 data_ptr, data_len, digest);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000218 if (error != CC_OK) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300219 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000220 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300221
222 /* Verify the signature */
223 error = CC_BsvRsaPssVerify((uintptr_t)PLAT_CRYPTOCELL_BASE, NBuff,
224 NULL, signature, digest, workspace,
225 BSV_RSA_WORKSPACE_MIN_SIZE, &is_verified);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000226 if ((error != CC_OK) || (is_verified != CC_TRUE)) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300227 return CRYPTO_ERR_SIGNATURE;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000228 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300229
230 /* Signature verification success */
231 return CRYPTO_SUCCESS;
232}
233
234/*
235 * Match a hash
236 *
237 * Digest info is passed in DER format following the ASN.1 structure detailed
238 * above.
239 */
240static int verify_hash(void *data_ptr, unsigned int data_len,
241 void *digest_info_ptr, unsigned int digest_info_len)
242{
243 mbedtls_asn1_buf hash_oid, params;
244 mbedtls_md_type_t md_alg;
245 uint8_t *p, *end, *hash;
246 CCHashResult_t pubKeyHash;
247 size_t len;
248 int rc;
249 CCError_t error;
250
251 /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
252 p = digest_info_ptr;
253 end = p + digest_info_len;
254 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
255 MBEDTLS_ASN1_SEQUENCE);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000256 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300257 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000258 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300259
260 /* Get the hash algorithm */
261 rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000262 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300263 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000264 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300265
266 rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000267 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300268 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000269 }
270
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300271 /* Verify that hash algorithm is SHA256 */
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000272 if (md_alg != MBEDTLS_MD_SHA256) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300273 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000274 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300275
276 /* Hash should be octet string type */
277 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000278 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300279 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000280 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300281
282 /* Length of hash must match the algorithm's size */
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000283 if (len != HASH_RESULT_SIZE_IN_BYTES) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300284 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000285 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300286
287 hash = p;
288 error = CC_BsvSha256((uintptr_t)PLAT_CRYPTOCELL_BASE, data_ptr,
289 data_len, pubKeyHash);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000290 if (error != CC_OK) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300291 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000292 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300293
294 rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES);
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000295 if (rc != 0) {
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300296 return CRYPTO_ERR_HASH;
Govindraj Rajafd49e8b2023-02-12 20:19:31 +0000297 }
Gilad Ben-Yossef033327a2019-05-15 09:24:04 +0300298
299 return CRYPTO_SUCCESS;
300}
301
302/*
303 * Register crypto library descriptor
304 */
Yann Gautier2b6673d2023-03-15 11:31:25 +0100305REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL, NULL, NULL);