ECPrivateKey wrong format with MSB=1

[EMH-MHA]

Description

• Type: Bug

Bug

I have an issue regarding the DER conversion of an ECPrivateKey with a private key with the MSB set to 1.
RFC 5915 mandates, that the privateKey

is an octet string of length ceiling (log2(n)/8) (where n is the order of the curve) 
obtained from the unsigned integer via the Integer-to-Octet-String-Primitive (I2OSP) 
defined in [RFC3447].

In mbedtls_pk_write_key_der(), the private key is written with mbedtls_asn1_write_mpi() which uses the ASN.1 conversion rules for an Integer, not the fixed-length I2OSP function.
If we have a private key with the MSB=1, the resulting octet string length is larger than ceiling (log2(n)/8) (e.g. 33 Bytes for a 256-bit curve) and if the private keys happens to be quite small, it can also be less than 32 bytes.

When reimporting those keys with mbedTLS, mbedtls_mpi_read_binary() has the intended behavior, but there are implementations, which will not load this private key.

Output Examples

A 33-Byte private key:

30790201010421009ed82ec84932efddd0e5ae6d57d08c1ba139ff6c522ab4e96cfbf9428ae563e8a00b06092b2403030208010107a144034200047d85040cc1dd9e29ea57cae7778ddc8d81ad00d6253c17d0821cbca662283a2ca8375452d4d7e9dd7773a03cfd41d427f683a39ac845844a6a406523435a68f0

A 31-Byte private key:

3077020101041f78c60a8e42c231ca5884c4408f332197a4115e518e577439c927b196c39b20a00b06092b2403030208010107a144034200046196116158d041c6c80fe5063e46aac6d84a631a8757251395a47666f3bba96c5d0d7e5edc64d3a53c558a221f69e2a6760281ff1427a85c7b94b30ce04e599e

[RonEld]

Thanks you @EMH-MHA for reporting this!
We will look into this and check the expected behaviour

[ciarmcom]

ARM Internal Ref: IOTSSL-1587

[hanno-becker]

Hi @EMH-MHA,

this is a good catch, thanks for raising this! I agree that we're not respecting the constant length requirement here and that the code should be adapted.

Regards,
Hanno