diff --git a/api/src/tee/crypto/crypto.rs b/api/src/tee/crypto/crypto.rs index ee2c85d8..2915217f 100644 --- a/api/src/tee/crypto/crypto.rs +++ b/api/src/tee/crypto/crypto.rs @@ -14,27 +14,25 @@ use core::{default::Default, fmt, fmt::Debug}; use mbedtls::{ bignum::Mpi, cipher::raw::{Cipher, CipherId, CipherMode, CipherPadding, CipherType, Operation}, + ecp::EcPoint, hash::{Hmac, Md, Type as MdType}, - pk::{Pk, RsaPadding, RsaPrivateComponents, RsaPublicComponents, Type as PkType}, + pk::{ + EcGroup, EcGroupId, Pk, RsaPadding, RsaPrivateComponents, RsaPublicComponents, + Type as PkType, + }, }; use mbedtls_sys_auto::mpi_write_binary; use spin::Mutex; use tee_raw_sys::*; use crate::tee::{ - TEE_ALG_SM4_XTS, TeeResult, - crypto::crypto_impl::{ + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5, TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5, TEE_ALG_SM4_XTS, TeeResult, crypto::crypto_impl::{ EccAlgoKeyPair, EccComKeyPair, EccKeypair, Sm2DsaKeyPair, Sm2KepKeyPair, Sm2PkeKeyPair, crypto_ecc_keypair_ops, crypto_ecc_keypair_ops_generate, - }, - libmbedtls::{ + }, libmbedtls::{ bignum::{BigNum, crypto_bignum_allocate}, ecc::{EcdOps, Sm2DsaOps, Sm2KepOps, Sm2PkeOps}, - }, - rng_software::TeeSoftwareRng, - tee_obj::{tee_obj_get, tee_obj_id_type}, - tee_svc_cryp::{CryptoAttrRef, TeeCryptObj, tee_cryp_obj_secret_wrapper, tee_crypto_ops}, - tee_svc_cryp2::{CipherPaddingMode, CrypCtx, CrypState, TeeCrypState}, + }, rng_software::TeeSoftwareRng, tee_obj::{tee_obj_get, tee_obj_id_type}, tee_svc_cryp::{CryptoAttrRef, TeeCryptObj, tee_cryp_obj_secret_wrapper, tee_crypto_ops}, tee_svc_cryp2::{CipherPaddingMode, CrypCtx, CrypState, TeeCrypState} }; #[derive(Debug, Clone, PartialEq, Eq)] @@ -730,7 +728,7 @@ pub(crate) fn crypto_authenc_dec_final( } } -pub fn crypto_rsa_init( +pub(crate) fn crypto_rsa_init( cs: Arc>, padding_mode: RsaPadding, mode: TEE_OperationMode, @@ -747,11 +745,11 @@ pub fn crypto_rsa_init( } match mode { - TEE_OperationMode::TEE_MODE_ENCRYPT => { + TEE_OperationMode::TEE_MODE_ENCRYPT | TEE_OperationMode::TEE_MODE_VERIFY => { if let TeeCryptObj::rsa_public_key(rsa_key) = &obj_key1_guard.attr[0] { let rsa = RsaPublicComponents { - n: &rsa_key.n, - e: &rsa_key.e, + n: rsa_key.n.as_mpi(), + e: rsa_key.e.as_mpi(), }; let mut pk = Pk::public_from_rsa_components(rsa) .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; @@ -763,12 +761,12 @@ pub fn crypto_rsa_init( return Err(TEE_ERROR_BAD_STATE); } } - TEE_OperationMode::TEE_MODE_DECRYPT => { + TEE_OperationMode::TEE_MODE_DECRYPT | TEE_OperationMode::TEE_MODE_SIGN => { if let TeeCryptObj::rsa_keypair(rsa_key) = &obj_key1_guard.attr[0] { let rsa = RsaPrivateComponents::WithPrimes { - p: &rsa_key.p, - q: &rsa_key.q, - e: &rsa_key.e, + p: rsa_key.p.as_mpi(), + q: rsa_key.q.as_mpi(), + e: rsa_key.e.as_mpi(), }; let mut pk = Pk::private_from_rsa_components(rsa) .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; @@ -798,7 +796,8 @@ pub(crate) fn crypto_acipher_rsanopad_encrypt( RsaPadding::None, TEE_OperationMode::TEE_MODE_ENCRYPT, )?; - if let CrypCtx::AsyCtx(pk) = &mut cs.lock().ctx { + let mut cs_guard = cs.lock(); + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { let mut rng = TeeSoftwareRng::new(); pk.encrypt_extend(input, output, &mut rng, None) .map_err(|_| TEE_ERROR_BAD_PARAMETERS) @@ -817,7 +816,8 @@ pub(crate) fn crypto_acipher_rsanopad_decrypt( RsaPadding::None, TEE_OperationMode::TEE_MODE_DECRYPT, )?; - if let CrypCtx::AsyCtx(pk) = &mut cs.lock().ctx { + let mut cs_guard = cs.lock(); + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { let mut rng = TeeSoftwareRng::new(); pk.decrypt_extend(input, output, &mut rng, None) .map_err(|_| TEE_ERROR_BAD_PARAMETERS) @@ -825,3 +825,246 @@ pub(crate) fn crypto_acipher_rsanopad_decrypt( Err(TEE_ERROR_BAD_PARAMETERS) } } + +pub(crate) fn crypto_sm2_init(cs: Arc>) -> TeeResult { + let mut cs_guard = cs.lock(); + let key1 = cs_guard.key1; + let mode = cs_guard.mode; + + if let Some(k) = key1 { + let obj_key1 = tee_obj_get(k as _)?; + let obj_key1_guard = obj_key1.lock(); + + if obj_key1_guard.attr.is_empty() { + return Err(TEE_ERROR_BAD_STATE); + } + + match mode { + TEE_OperationMode::TEE_MODE_ENCRYPT => { + if let TeeCryptObj::ecc_public_key(ecc_key) = &obj_key1_guard.attr[0] { + let public_point = EcPoint::from_components( + ecc_key.x.clone().into_mpi(), + ecc_key.y.clone().into_mpi(), + ) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; + let ec_group = EcGroup::new(EcGroupId::from(ecc_key.curve)) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; + let mut pk = Pk::public_from_ec_components_extend( + ec_group, + public_point, + PkType::SM2.into(), + ) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; + cs_guard.ctx = CrypCtx::AsyCtx(pk); + } else { + return Err(TEE_ERROR_BAD_STATE); + } + } + TEE_OperationMode::TEE_MODE_DECRYPT => { + if let TeeCryptObj::ecc_keypair(ecc_key) = &obj_key1_guard.attr[0] { + let mut ec_group = EcGroup::new(EcGroupId::from(ecc_key.curve)) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; + let mut pk = Pk::private_from_ec_components_extend( + ec_group, + ecc_key.d.clone().into_mpi(), + PkType::SM2.into(), + ) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS)?; + cs_guard.ctx = CrypCtx::AsyCtx(pk); + } + } + _ => return Err(TEE_ERROR_BAD_PARAMETERS), + } + } + Ok(()) +} + +pub(crate) fn crypto_acipher_sm2_pke_encrypt( + cs: Arc>, + input: &[u8], + output: &mut [u8], +) -> TeeResult { + crypto_sm2_init(cs.clone())?; + let mut cs_guard = cs.lock(); + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { + let mut rng = TeeSoftwareRng::new(); + pk.encrypt_extend(input, output, &mut rng, Some(MdType::SM3 as _)) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } else { + Err(TEE_ERROR_BAD_PARAMETERS) + } +} + +pub(crate) fn crypto_acipher_sm2_pke_decrypt( + cs: Arc>, + input: &[u8], + output: &mut [u8], +) -> TeeResult { + crypto_sm2_init(cs.clone())?; + let mut cs_guard = cs.lock(); + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { + let mut rng = TeeSoftwareRng::new(); + pk.decrypt_extend(input, output, &mut rng, Some(MdType::SM3 as _)) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } else { + Err(TEE_ERROR_BAD_PARAMETERS) + } +} + +pub(crate) fn crypto_acipher_rsaes_encrypt( + cs: Arc>, + input: &[u8], + output: &mut [u8], + label: &[u8], +) -> TeeResult { + let cs_guard = cs.lock(); + let algo = cs_guard.algo; + drop(cs_guard); + + let padding_mode = match algo { + TEE_ALG_RSAES_PKCS1_V1_5 => RsaPadding::Pkcs1V15, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 => RsaPadding::Pkcs1V21 { mgf: MdType::Md5 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha1 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha224 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha256 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha384 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha512 }, + _ => RsaPadding::None, + }; + + crypto_rsa_init( + cs.clone(), + padding_mode, + TEE_OperationMode::TEE_MODE_DECRYPT, + )?; + let mut cs_guard = cs.lock(); + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { + let mut rng = TeeSoftwareRng::new(); + + match algo { + TEE_ALG_RSAES_PKCS1_V1_5 => { + pk.encrypt_extend(input, output, &mut rng, None) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => { + pk.encrypt_with_label(input, output, &mut rng, label) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } + _ => Err(TEE_ERROR_BAD_PARAMETERS) + } + } else { + Err(TEE_ERROR_BAD_PARAMETERS) + } +} + +pub(crate) fn crypto_acipher_rsaes_decrypt( + cs: Arc>, + input: &[u8], + output: &mut [u8], + label: &[u8], +) -> TeeResult { + let cs_guard = cs.lock(); + let algo = cs_guard.algo; + drop(cs_guard); + + let padding_mode = match algo { + TEE_ALG_RSAES_PKCS1_V1_5 => RsaPadding::Pkcs1V15, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 => RsaPadding::Pkcs1V21 { mgf: MdType::Md5 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha1 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha224 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha256 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha384 }, + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha512 }, + _ => RsaPadding::None, + }; + + crypto_rsa_init( + cs.clone(), + padding_mode, + TEE_OperationMode::TEE_MODE_DECRYPT, + )?; + let mut cs_guard = cs.lock(); + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { + let mut rng = TeeSoftwareRng::new(); + + match algo { + TEE_ALG_RSAES_PKCS1_V1_5 => { + pk.decrypt_extend(input, output, &mut rng, None) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } + TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => { + pk.decrypt_with_label(input, output, &mut rng, label) + .map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } + _ => Err(TEE_ERROR_BAD_PARAMETERS) + } + } else { + Err(TEE_ERROR_BAD_PARAMETERS) + } +} + +pub(crate) fn crypto_acipher_rsassa_sign( + cs: Arc>, + input: &[u8], + output: &mut [u8], +) -> TeeResult { + let cs_guard = cs.lock(); + let algo = cs_guard.algo; + drop(cs_guard); + + let padding_mode = match algo { + TEE_ALG_RSASSA_PKCS1_V1_5_MD5 + | TEE_ALG_RSASSA_PKCS1_V1_5_SHA1 + | TEE_ALG_RSASSA_PKCS1_V1_5_SHA224 + | TEE_ALG_RSASSA_PKCS1_V1_5_SHA256 + | TEE_ALG_RSASSA_PKCS1_V1_5_SHA384 + | TEE_ALG_RSASSA_PKCS1_V1_5_SHA512 => RsaPadding::Pkcs1V15, + TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5 => RsaPadding::Pkcs1V21 { mgf: MdType::Md5 }, + TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha1 }, + TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha224 }, + TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha256 }, + TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha384 }, + TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha512 }, + _ => RsaPadding::None, + }; + + let md_type = match algo { + TEE_ALG_RSASSA_PKCS1_V1_5_MD5 + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5 => MdType::Md5, + TEE_ALG_RSASSA_PKCS1_V1_5_SHA1 + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1 => MdType::Sha1, + TEE_ALG_RSASSA_PKCS1_V1_5_SHA224 + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224 => MdType::Sha224, + TEE_ALG_RSASSA_PKCS1_V1_5_SHA256 + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 => MdType::Sha256, + TEE_ALG_RSASSA_PKCS1_V1_5_SHA384 + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384 => MdType::Sha384, + TEE_ALG_RSASSA_PKCS1_V1_5_SHA512 + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512 => MdType::Sha512, + _ => MdType::None, + }; + + crypto_rsa_init( + cs.clone(), + padding_mode, + TEE_OperationMode::TEE_MODE_SIGN, + )?; + let mut cs_guard = cs.lock(); + + if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx { + let mut rng = TeeSoftwareRng::new(); + pk.sign(md_type, input, output, &mut rng).map_err(|_| TEE_ERROR_BAD_PARAMETERS) + } else{ + Err(TEE_ERROR_BAD_PARAMETERS) + } +} \ No newline at end of file diff --git a/api/src/tee/tee_svc_cryp.rs b/api/src/tee/tee_svc_cryp.rs index bf5d10b7..d664237d 100644 --- a/api/src/tee/tee_svc_cryp.rs +++ b/api/src/tee/tee_svc_cryp.rs @@ -842,6 +842,19 @@ pub const tee_cryp_obj_ecc_pub_key_attrs: &[tee_cryp_obj_type_attrs] = &[ }, ]; +pub const tee_cryp_obj_rsa_pub_key_attrs: &[tee_cryp_obj_type_attrs] = &[ + tee_cryp_obj_type_attrs { + attr_id: TEE_ATTR_RSA_MODULUS, + flags: (TEE_TYPE_ATTR_REQUIRED | TEE_TYPE_ATTR_SIZE_INDICATOR) as _, + ops_index: ATTR_OPS_INDEX_BIGNUM as _, + }, + tee_cryp_obj_type_attrs { + attr_id: TEE_ATTR_RSA_PUBLIC_EXPONENT, + flags: TEE_TYPE_ATTR_REQUIRED as _, + ops_index: ATTR_OPS_INDEX_BIGNUM as _, + }, +]; + pub const tee_cryp_obj_rsa_keypair_attrs: &[tee_cryp_obj_type_attrs] = &[ tee_cryp_obj_type_attrs { attr_id: TEE_ATTR_RSA_MODULUS, @@ -1140,7 +1153,7 @@ pub const fn prop( } } -pub static TEE_CRYP_OBJ_PROPS: [tee_cryp_obj_type_props; 10] = [ +pub static TEE_CRYP_OBJ_PROPS: [tee_cryp_obj_type_props; 11] = [ // AES prop( TEE_TYPE_AES, @@ -1204,6 +1217,14 @@ pub static TEE_CRYP_OBJ_PROPS: [tee_cryp_obj_type_props; 10] = [ 0, tee_cryp_obj_rsa_keypair_attrs, ), + prop( + TEE_TYPE_RSA_PUBLIC_KEY, + 1, + 256, + CFG_CORE_BIGNUM_MAX_BITS as _, + 0, + tee_cryp_obj_rsa_pub_key_attrs, + ), prop( TEE_TYPE_ECDSA_KEYPAIR, 1, diff --git a/api/src/tee/tee_svc_cryp2.rs b/api/src/tee/tee_svc_cryp2.rs index f7eeda8a..08d7fff2 100644 --- a/api/src/tee/tee_svc_cryp2.rs +++ b/api/src/tee/tee_svc_cryp2.rs @@ -91,10 +91,7 @@ use crate::{ crypto::{ self, crypto::{ - crypto_acipher_rsanopad_decrypt, crypto_acipher_rsanopad_encrypt, - crypto_authenc_dec_final, crypto_authenc_enc_final, crypto_authenc_init, - crypto_authenc_update_aad, crypto_cipher_final, crypto_cipher_init, - crypto_cipher_update, + crypto_acipher_rsaes_decrypt, crypto_acipher_rsaes_encrypt, crypto_acipher_rsanopad_decrypt, crypto_acipher_rsanopad_encrypt, crypto_acipher_rsassa_sign, crypto_acipher_sm2_pke_decrypt, crypto_acipher_sm2_pke_encrypt, crypto_authenc_dec_final, crypto_authenc_enc_final, crypto_authenc_init, crypto_authenc_update_aad, crypto_cipher_final, crypto_cipher_init, crypto_cipher_update }, }, libmbedtls::bignum::BigNum, @@ -1111,7 +1108,7 @@ pub fn syscall_authenc_dec_final( crypto_authenc_dec_final(cs.clone(), input, output, tag) } -pub fn syscall_asymm_operate(id: u32, input: &[u8], output: &mut [u8]) -> TeeResult { +pub fn syscall_asymm_operate(id: u32, input: &[u8], output: &mut [u8], label: Option<&[u8]>) -> TeeResult { memtag_strip_tag_const()?; memtag_strip_tag()?; vm_check_access_rights(0, 0, 0)?; @@ -1120,26 +1117,34 @@ pub fn syscall_asymm_operate(id: u32, input: &[u8], output: &mut [u8]) -> TeeRes let cs_guard = cs.lock(); let algo = cs_guard.algo; let mode = cs_guard.mode; + let label = match label { + Some(label) => label, + None => &[], + }; drop(cs_guard); match algo { TEE_ALG_RSA_NOPAD => match mode { - TEE_OperationMode::TEE_MODE_ENCRYPT => { - crypto_acipher_rsanopad_encrypt(cs.clone(), input, output) - } - TEE_OperationMode::TEE_MODE_DECRYPT => { - crypto_acipher_rsanopad_decrypt(cs.clone(), input, output) - } + TEE_OperationMode::TEE_MODE_ENCRYPT => crypto_acipher_rsanopad_encrypt(cs.clone(), input, output), + TEE_OperationMode::TEE_MODE_DECRYPT => crypto_acipher_rsanopad_decrypt(cs.clone(), input, output), + _ => Err(TEE_ERROR_GENERIC), + }, + TEE_ALG_SM2_PKE => match mode { + TEE_OperationMode::TEE_MODE_ENCRYPT => crypto_acipher_sm2_pke_encrypt(cs.clone(), input, output), + TEE_OperationMode::TEE_MODE_DECRYPT => crypto_acipher_sm2_pke_decrypt(cs.clone(), input, output), _ => Err(TEE_ERROR_GENERIC), }, - TEE_ALG_SM2_PKE => Ok((0)), TEE_ALG_RSAES_PKCS1_V1_5 | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 - | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => Ok((0)), + | TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => match mode { + TEE_OperationMode::TEE_MODE_ENCRYPT => crypto_acipher_rsaes_encrypt(cs.clone(), input, output, label), + TEE_OperationMode::TEE_MODE_DECRYPT => crypto_acipher_rsaes_decrypt(cs.clone(), input, output, label), + _ => Err(TEE_ERROR_GENERIC), + }, TEE_ALG_RSASSA_PKCS1_V1_5_MD5 | TEE_ALG_RSASSA_PKCS1_V1_5_SHA1 | TEE_ALG_RSASSA_PKCS1_V1_5_SHA224 @@ -1151,8 +1156,8 @@ pub fn syscall_asymm_operate(id: u32, input: &[u8], output: &mut [u8]) -> TeeRes | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224 | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384 - | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512 => Ok((0)), - TEE_ALG_DSA_SHA1 | TEE_ALG_DSA_SHA224 | TEE_ALG_DSA_SHA256 => Ok((0)), + | TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512 => crypto_acipher_rsassa_sign(cs.clone(), input, output), + TEE_ALG_DSA_SHA1 | TEE_ALG_DSA_SHA224 | TEE_ALG_DSA_SHA256 => Err(TEE_ERROR_NOT_SUPPORTED), /* mbedtls no support for DSA */ TEE_ALG_ECDSA_SHA1 | TEE_ALG_ECDSA_SHA224 | TEE_ALG_ECDSA_SHA256 | TEE_ALG_ECDSA_SHA384 | TEE_ALG_ECDSA_SHA512 | TEE_ALG_SM2_DSA_SM3 => Ok((0)), _ => Err(TEE_ERROR_NOT_SUPPORTED),