Build failure with PSA and RSA but not PK_PARSE #6409

Closed
gilles-peskine-arm opened this issue Oct 11, 2022 · 0 comments · Fixed by #6410

@gilles-peskine-arm
Contributor

When MBEDTLS_PSA_CRYPTO_C and MBEDTLS_RSA_C are enabled but not MBEDTLS_PK_PARSE_C, the build fails, because PSA relies on pk_parse functions to load RSA keys.

```
library/psa_crypto_rsa.c: In function ‘mbedtls_psa_rsa_load_representation’:
library/psa_crypto_rsa.c:85:13: error: implicit declaration of function ‘mbedtls_pk_parse_key’; did you mean ‘mbedtls_pk_free’? [-Werror=implicit-function-declaration]
   85 |             mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0,
      |             ^~~~~~~~~~~~~~~~~~~~
      |             mbedtls_pk_free
library/psa_crypto_rsa.c:89:13: error: implicit declaration of function ‘mbedtls_pk_parse_public_key’; did you mean ‘mbedtls_pk_write_pubkey’? [-Werror=implicit-function-declaration]
   89 |             mbedtls_pk_parse_public_key( &ctx, data, data_length ) );
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~
      |             mbedtls_pk_write_pubkey
```

This applies to both 2.28 and development.

This hasn't worked since at least 2.24 when we changed the internal representation of RSA keys (and even before that I think it would only have worked for internally generated volatile keys, with runtime errors for key import or persistent keys).

The quick fix is to add a requirement in check_config.h. In development, we might do what we're already partially doing (though not quite correctly) for MBEDTLS_PK_WRITE_C, which is to force it on when required in build_info.h.

gilles-peskine-arm added the bug, component-crypto (Crypto primitives and low-level interfaces) and size-s (Estimated task size: small (~2d)) labels Oct 11, 2022
gilles-peskine-arm self-assigned this Oct 11, 2022
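
The two fixes discussed in the issue, sketched as an added example (not Mbed TLS source code and not the patch from #6410): a constructed configuration enables PSA and RSA without PK parsing, a `build_info.h`-style block forces the dependency on, and a `check_config.h`-style `#error` catches the case where that adjustment is missing. The `example_` helper names and the `#error` wording are hypothetical.

```c
/* Added example: constructed configuration, not Mbed TLS source. */
#include <stdio.h>

/* Constructed user config reproducing the issue: PSA and RSA are enabled,
 * MBEDTLS_PK_PARSE_C is deliberately left undefined. */
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_RSA_C

/* build_info.h-style adjustment: PSA parses and writes RSA keys through
 * the pk module, so force both on when PSA and RSA are enabled together. */
#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
#if !defined(MBEDTLS_PK_PARSE_C)
#define MBEDTLS_PK_PARSE_C
#endif
#if !defined(MBEDTLS_PK_WRITE_C)
#define MBEDTLS_PK_WRITE_C
#endif
#endif

/* check_config.h-style requirement, evaluated after the adjustment. If the
 * block above is removed, the build stops here with a clear message instead
 * of an implicit-declaration error inside psa_crypto_rsa.c. */
#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) && \
    !defined(MBEDTLS_PK_PARSE_C)
#error "MBEDTLS_PSA_CRYPTO_C with MBEDTLS_RSA_C requires MBEDTLS_PK_PARSE_C"
#endif

/* Hypothetical helpers reporting the effective configuration. */
int example_pk_parse_enabled(void)
{
#if defined(MBEDTLS_PK_PARSE_C)
    return 1;
#else
    return 0;
#endif
}

int example_pk_write_enabled(void)
{
#if defined(MBEDTLS_PK_WRITE_C)
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("PK_PARSE_C=%d PK_WRITE_C=%d\n",
           example_pk_parse_enabled(), example_pk_write_enabled());
    return 0;
}
```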
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 11, 2022
Disable non-crypto features that can't be called through the PSA API, as
well as algorithms that have no PSA interface.

This serves as a non-regression test for Mbed-TLS#6408 and Mbed-TLS#6409.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 11, 2022
PSA crypto currently needs MBEDTLS_PK_PARSE_C to parse RSA keys to do almost
anything with them (import, get attributes, export public from private, any
cryptographic operations). Force it on, for symmetry with what we're doing
for MBEDTLS_PK_WRITE_C. Fixes Mbed-TLS#6409.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 25, 2022
The PSA code needs pk_parse as well as pk_write for RSA keys. Fix Mbed-TLS#6409.
This is independent of PKCS#1v1.5 support. Fix Mbed-TLS#6408.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Oct 25, 2022
Disable non-crypto features that can't be called through the PSA API, as
well as algorithms that have no PSA interface.

This serves as a non-regression test for Mbed-TLS#6408 and Mbed-TLS#6409.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>