Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add is_certificate and export_cdi flags to DeriveContext #370

Open
wants to merge 5 commits into
base: feature/gh-issue-caliptra-sw-1807
Choose a base branch
from
Open

Add is_certificate and export_cdi flags to DeriveContext #370

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2fa1379
Add is_certificate and export_cdi flags to DeriveContext
clundin25 Dec 23, 2024
505c121
Add CA certificate generation to DeriveContextCmd
clundin25 Jan 2, 2025
55acb09
Add invalid contexthandle.
clundin25 Jan 2, 2025
c81cc70
Add API for exported key pairs.
clundin25 Jan 3, 2025
392b65f
Use an "exported" variant of derive_cdi and export_key_pair to distin…
clundin25 Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions crypto/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,20 @@ pub trait Crypto {
info: &[u8],
) -> Result<Self::Cdi, CryptoError>;

/// Derive a CDI for an exported private key based on the current base CDI and measurements
///
/// # Arguments
///
/// * `algs` - Which length of algorithms to use.
/// * `measurement` - A digest of the measurements which should be used for CDI derivation
/// * `info` - Caller-supplied info string to use in CDI derivation
fn derive_cdi_exported(
&mut self,
algs: AlgLen,
measurement: &Digest,
info: &[u8],
) -> Result<Self::Cdi, CryptoError>;

/// CFI wrapper around derive_cdi
///
/// To implement this function, you need to add the
Expand All @@ -182,6 +196,18 @@ pub trait Crypto {
info: &[u8],
) -> Result<Self::Cdi, CryptoError>;

/// CFI wrapper around derive_cdi_exported
///
/// To implement this function, you need to add the
/// cfi_impl_fn proc_macro to derive_cdi.
#[cfg(not(feature = "no-cfi"))]
fn __cfi_derive_cdi_exported(
&mut self,
algs: AlgLen,
measurement: &Digest,
info: &[u8],
) -> Result<Self::Cdi, CryptoError>;

/// Derives a key pair using a cryptographically secure KDF
///
/// # Arguments
Expand All @@ -199,6 +225,23 @@ pub trait Crypto {
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError>;

/// Derives an exported key pair using a cryptographically secure KDF
///
/// # Arguments
///
/// * `algs` - Which length of algorithms to use.
/// * `cdi` - Caller-supplied private key to use in public key derivation
/// * `label` - Caller-supplied label to use in asymmetric key derivation
/// * `info` - Caller-supplied info string to use in asymmetric key derivation
///
fn derive_key_pair_exported(
&mut self,
algs: AlgLen,
cdi: &Self::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError>;

/// CFI wrapper around derive_key_pair
///
/// To implement this function, you need to add the
Expand All @@ -212,6 +255,19 @@ pub trait Crypto {
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError>;

/// CFI wrapper around derive_key_pair_exported
///
/// To implement this function, you need to add the
/// cfi_impl_fn proc_macro to derive_key_pair.
#[cfg(not(feature = "no-cfi"))]
fn __cfi_derive_key_pair_exported(
&mut self,
algs: AlgLen,
cdi: &Self::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError>;

/// Sign `digest` with the platform Alias Key
///
/// # Arguments
Expand Down
69 changes: 50 additions & 19 deletions crypto/src/openssl.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,35 @@ impl OpensslCrypto {

EcKey::from_private_components(&group, priv_key_bn, &pub_point)
}

fn derive_key_pair_inner(
&mut self,
algs: AlgLen,
cdi: &<OpensslCrypto as Crypto>::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(<OpensslCrypto as Crypto>::PrivKey, EcdsaPub), CryptoError> {
let priv_key = hkdf_get_priv_key(algs, cdi, label, info)?;

let ec_priv_key = OpensslCrypto::ec_key_from_priv_key(algs, &priv_key)?;
let nid = OpensslCrypto::get_curve(algs);

let group = EcGroup::from_curve_name(nid).unwrap();
let mut bn_ctx = BigNumContext::new().unwrap();

let mut x = BigNum::new().unwrap();
let mut y = BigNum::new().unwrap();

ec_priv_key
.public_key()
.affine_coordinates(&group, &mut x, &mut y, &mut bn_ctx)
.unwrap();

let x = CryptoBuf::new(&x.to_vec_padded(algs.size() as i32).unwrap()).unwrap();
let y = CryptoBuf::new(&y.to_vec_padded(algs.size() as i32).unwrap()).unwrap();

Ok((priv_key, EcdsaPub { x, y }))
}
}

impl Default for OpensslCrypto {
Expand Down Expand Up @@ -133,6 +162,16 @@ impl Crypto for OpensslCrypto {
hkdf_derive_cdi(algs, measurement, info)
}

#[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
fn derive_cdi_exported(
&mut self,
algs: AlgLen,
measurement: &Digest,
info: &[u8],
) -> Result<Self::Cdi, CryptoError> {
hkdf_derive_cdi(algs, measurement, info)
}

#[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
fn derive_key_pair(
&mut self,
Expand All @@ -141,26 +180,18 @@ impl Crypto for OpensslCrypto {
label: &[u8],
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError> {
let priv_key = hkdf_get_priv_key(algs, cdi, label, info)?;

let ec_priv_key = OpensslCrypto::ec_key_from_priv_key(algs, &priv_key)?;
let nid = OpensslCrypto::get_curve(algs);

let group = EcGroup::from_curve_name(nid).unwrap();
let mut bn_ctx = BigNumContext::new().unwrap();

let mut x = BigNum::new().unwrap();
let mut y = BigNum::new().unwrap();

ec_priv_key
.public_key()
.affine_coordinates(&group, &mut x, &mut y, &mut bn_ctx)
.unwrap();

let x = CryptoBuf::new(&x.to_vec_padded(algs.size() as i32).unwrap()).unwrap();
let y = CryptoBuf::new(&y.to_vec_padded(algs.size() as i32).unwrap()).unwrap();
self.derive_key_pair_inner(algs, cdi, label, info)
}

Ok((priv_key, EcdsaPub { x, y }))
#[cfg_attr(not(feature = "no-cfi"), cfi_impl_fn)]
fn derive_key_pair_exported(
&mut self,
algs: AlgLen,
cdi: &Self::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError> {
self.derive_key_pair_inner(algs, cdi, label, info)
}

fn ecdsa_sign_with_alias(
Expand Down
67 changes: 48 additions & 19 deletions crypto/src/rustcrypto.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,34 @@ impl RustCryptoImpl {
let seeded_rng = StdRng::from_seed(SEED);
RustCryptoImpl(seeded_rng)
}

fn derive_key_pair_inner(
&mut self,
algs: AlgLen,
cdi: &<RustCryptoImpl as Crypto>::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(<RustCryptoImpl as Crypto>::PrivKey, EcdsaPub), CryptoError> {
let secret = hkdf_get_priv_key(algs, cdi, label, info)?;
match algs {
AlgLen::Bit256 => {
let signing = p256::ecdsa::SigningKey::from_slice(&secret.bytes())?;
let verifying = p256::ecdsa::VerifyingKey::from(&signing);
let point = verifying.to_encoded_point(false);
let x = CryptoBuf::new(point.x().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
let y = CryptoBuf::new(point.y().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
Ok((secret, EcdsaPub { x, y }))
}
AlgLen::Bit384 => {
let signing = p384::ecdsa::SigningKey::from_slice(&secret.bytes())?;
let verifying = p384::ecdsa::VerifyingKey::from(&signing);
let point = verifying.to_encoded_point(false);
let x = CryptoBuf::new(point.x().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
let y = CryptoBuf::new(point.y().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
Ok((secret, EcdsaPub { x, y }))
}
}
}
}

impl Crypto for RustCryptoImpl {
Expand Down Expand Up @@ -96,32 +124,33 @@ impl Crypto for RustCryptoImpl {
hkdf_derive_cdi(algs, measurement, info)
}

fn derive_cdi_exported(
&mut self,
algs: AlgLen,
measurement: &Digest,
info: &[u8],
) -> Result<Self::Cdi, CryptoError> {
hkdf_derive_cdi(algs, measurement, info)
}

fn derive_key_pair(
&mut self,
algs: AlgLen,
cdi: &Self::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError> {
let secret = hkdf_get_priv_key(algs, cdi, label, info)?;
match algs {
AlgLen::Bit256 => {
let signing = p256::ecdsa::SigningKey::from_slice(&secret.bytes())?;
let verifying = p256::ecdsa::VerifyingKey::from(&signing);
let point = verifying.to_encoded_point(false);
let x = CryptoBuf::new(point.x().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
let y = CryptoBuf::new(point.y().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
Ok((secret, EcdsaPub { x, y }))
}
AlgLen::Bit384 => {
let signing = p384::ecdsa::SigningKey::from_slice(&secret.bytes())?;
let verifying = p384::ecdsa::VerifyingKey::from(&signing);
let point = verifying.to_encoded_point(false);
let x = CryptoBuf::new(point.x().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
let y = CryptoBuf::new(point.y().ok_or(RUSTCRYPTO_ECDSA_ERROR)?.as_slice())?;
Ok((secret, EcdsaPub { x, y }))
}
}
self.derive_key_pair_inner(algs, cdi, label, info)
}

fn derive_key_pair_exported(
&mut self,
algs: AlgLen,
cdi: &Self::Cdi,
label: &[u8],
info: &[u8],
) -> Result<(Self::PrivKey, EcdsaPub), CryptoError> {
self.derive_key_pair_inner(algs, cdi, label, info)
}

fn ecdsa_sign_with_alias(
Expand Down
1 change: 1 addition & 0 deletions dpe/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ disable_csr = []
disable_internal_info = []
disable_internal_dice = []
disable_retain_parent_context = []
disable_export_cdi = []
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The specification has a separate ABI if EXPORT_CDI is set.

Should this compilation flag also change the shape of the DeriveContextResp type?

no-cfi = ["crypto/no-cfi"]

[dependencies]
Expand Down
Loading
Loading