Skip to content

Add SM2_PKE, RSAES, RSA_SSA and Prop for rsa_public_key #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Amonyeka wants to merge 1 commit into
base: tee_support
Choose a base branch
from
Open

Add SM2_PKE, RSAES, RSA_SSA and Prop for rsa_public_key #195

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
283 changes: 263 additions & 20 deletions api/src/tee/crypto/crypto.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,27 +14,25 @@ use core::{default::Default, fmt, fmt::Debug};
use mbedtls::{
bignum::Mpi,
cipher::raw::{Cipher, CipherId, CipherMode, CipherPadding, CipherType, Operation},
ecp::EcPoint,
hash::{Hmac, Md, Type as MdType},
pk::{Pk, RsaPadding, RsaPrivateComponents, RsaPublicComponents, Type as PkType},
pk::{
EcGroup, EcGroupId, Pk, RsaPadding, RsaPrivateComponents, RsaPublicComponents,
Type as PkType,
},
};
use mbedtls_sys_auto::mpi_write_binary;
use spin::Mutex;
use tee_raw_sys::*;

use crate::tee::{
TEE_ALG_SM4_XTS, TeeResult,
crypto::crypto_impl::{
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5, TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5, TEE_ALG_SM4_XTS, TeeResult, crypto::crypto_impl::{
EccAlgoKeyPair, EccComKeyPair, EccKeypair, Sm2DsaKeyPair, Sm2KepKeyPair, Sm2PkeKeyPair,
crypto_ecc_keypair_ops, crypto_ecc_keypair_ops_generate,
},
libmbedtls::{
}, libmbedtls::{
bignum::{BigNum, crypto_bignum_allocate},
ecc::{EcdOps, Sm2DsaOps, Sm2KepOps, Sm2PkeOps},
},
rng_software::TeeSoftwareRng,
tee_obj::{tee_obj_get, tee_obj_id_type},
tee_svc_cryp::{CryptoAttrRef, TeeCryptObj, tee_cryp_obj_secret_wrapper, tee_crypto_ops},
tee_svc_cryp2::{CipherPaddingMode, CrypCtx, CrypState, TeeCrypState},
}, rng_software::TeeSoftwareRng, tee_obj::{tee_obj_get, tee_obj_id_type}, tee_svc_cryp::{CryptoAttrRef, TeeCryptObj, tee_cryp_obj_secret_wrapper, tee_crypto_ops}, tee_svc_cryp2::{CipherPaddingMode, CrypCtx, CrypState, TeeCrypState}
};

#[derive(Debug, Clone, PartialEq, Eq)]
Expand Down Expand Up @@ -730,7 +728,7 @@ pub(crate) fn crypto_authenc_dec_final(
}
}

pub fn crypto_rsa_init(
pub(crate) fn crypto_rsa_init(
cs: Arc<Mutex<TeeCrypState>>,
padding_mode: RsaPadding,
mode: TEE_OperationMode,
Expand All @@ -747,11 +745,11 @@ pub fn crypto_rsa_init(
}

match mode {
TEE_OperationMode::TEE_MODE_ENCRYPT => {
TEE_OperationMode::TEE_MODE_ENCRYPT | TEE_OperationMode::TEE_MODE_VERIFY => {
if let TeeCryptObj::rsa_public_key(rsa_key) = &obj_key1_guard.attr[0] {
let rsa = RsaPublicComponents {
n: &rsa_key.n,
e: &rsa_key.e,
n: rsa_key.n.as_mpi(),
e: rsa_key.e.as_mpi(),
};
let mut pk = Pk::public_from_rsa_components(rsa)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
Expand All @@ -763,12 +761,12 @@ pub fn crypto_rsa_init(
return Err(TEE_ERROR_BAD_STATE);
}
}
TEE_OperationMode::TEE_MODE_DECRYPT => {
TEE_OperationMode::TEE_MODE_DECRYPT | TEE_OperationMode::TEE_MODE_SIGN => {
if let TeeCryptObj::rsa_keypair(rsa_key) = &obj_key1_guard.attr[0] {
let rsa = RsaPrivateComponents::WithPrimes {
p: &rsa_key.p,
q: &rsa_key.q,
e: &rsa_key.e,
p: rsa_key.p.as_mpi(),
q: rsa_key.q.as_mpi(),
e: rsa_key.e.as_mpi(),
};
let mut pk = Pk::private_from_rsa_components(rsa)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
Expand Down Expand Up @@ -798,7 +796,8 @@ pub(crate) fn crypto_acipher_rsanopad_encrypt(
RsaPadding::None,
TEE_OperationMode::TEE_MODE_ENCRYPT,
)?;
if let CrypCtx::AsyCtx(pk) = &mut cs.lock().ctx {
let mut cs_guard = cs.lock();
if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();
pk.encrypt_extend(input, output, &mut rng, None)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
Expand All @@ -817,11 +816,255 @@ pub(crate) fn crypto_acipher_rsanopad_decrypt(
RsaPadding::None,
TEE_OperationMode::TEE_MODE_DECRYPT,
)?;
if let CrypCtx::AsyCtx(pk) = &mut cs.lock().ctx {
let mut cs_guard = cs.lock();
if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();
pk.decrypt_extend(input, output, &mut rng, None)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
} else {
Err(TEE_ERROR_BAD_PARAMETERS)
}
}

pub(crate) fn crypto_sm2_init(cs: Arc<Mutex<TeeCrypState>>) -> TeeResult {
let mut cs_guard = cs.lock();
let key1 = cs_guard.key1;
let mode = cs_guard.mode;

if let Some(k) = key1 {
let obj_key1 = tee_obj_get(k as _)?;
let obj_key1_guard = obj_key1.lock();

if obj_key1_guard.attr.is_empty() {
return Err(TEE_ERROR_BAD_STATE);
}

match mode {
TEE_OperationMode::TEE_MODE_ENCRYPT => {
if let TeeCryptObj::ecc_public_key(ecc_key) = &obj_key1_guard.attr[0] {
let public_point = EcPoint::from_components(
ecc_key.x.clone().into_mpi(),
ecc_key.y.clone().into_mpi(),
)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
let ec_group = EcGroup::new(EcGroupId::from(ecc_key.curve))
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
let mut pk = Pk::public_from_ec_components_extend(
ec_group,
public_point,
PkType::SM2.into(),
)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
cs_guard.ctx = CrypCtx::AsyCtx(pk);
} else {
return Err(TEE_ERROR_BAD_STATE);
}
}
TEE_OperationMode::TEE_MODE_DECRYPT => {
if let TeeCryptObj::ecc_keypair(ecc_key) = &obj_key1_guard.attr[0] {
let mut ec_group = EcGroup::new(EcGroupId::from(ecc_key.curve))
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
let mut pk = Pk::private_from_ec_components_extend(
ec_group,
ecc_key.d.clone().into_mpi(),
PkType::SM2.into(),
)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)?;
cs_guard.ctx = CrypCtx::AsyCtx(pk);
}
}
_ => return Err(TEE_ERROR_BAD_PARAMETERS),
}
}
Ok(())
}

pub(crate) fn crypto_acipher_sm2_pke_encrypt(
cs: Arc<Mutex<TeeCrypState>>,
input: &[u8],
output: &mut [u8],
) -> TeeResult<usize> {
crypto_sm2_init(cs.clone())?;
let mut cs_guard = cs.lock();
if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();
pk.encrypt_extend(input, output, &mut rng, Some(MdType::SM3 as _))
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
} else {
Err(TEE_ERROR_BAD_PARAMETERS)
}
}

pub(crate) fn crypto_acipher_sm2_pke_decrypt(
cs: Arc<Mutex<TeeCrypState>>,
input: &[u8],
output: &mut [u8],
) -> TeeResult<usize> {
crypto_sm2_init(cs.clone())?;
let mut cs_guard = cs.lock();
if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();
pk.decrypt_extend(input, output, &mut rng, Some(MdType::SM3 as _))
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
} else {
Err(TEE_ERROR_BAD_PARAMETERS)
}
}

pub(crate) fn crypto_acipher_rsaes_encrypt(
cs: Arc<Mutex<TeeCrypState>>,
input: &[u8],
output: &mut [u8],
label: &[u8],
) -> TeeResult<usize> {
let cs_guard = cs.lock();
let algo = cs_guard.algo;
drop(cs_guard);

let padding_mode = match algo {
TEE_ALG_RSAES_PKCS1_V1_5 => RsaPadding::Pkcs1V15,
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 => RsaPadding::Pkcs1V21 { mgf: MdType::Md5 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha1 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha224 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha256 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha384 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha512 },
_ => RsaPadding::None,
};

crypto_rsa_init(
cs.clone(),
padding_mode,
TEE_OperationMode::TEE_MODE_DECRYPT,
)?;
let mut cs_guard = cs.lock();
if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();

match algo {
TEE_ALG_RSAES_PKCS1_V1_5 => {
pk.encrypt_extend(input, output, &mut rng, None)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
}
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => {
pk.encrypt_with_label(input, output, &mut rng, label)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
}
_ => Err(TEE_ERROR_BAD_PARAMETERS)
}
} else {
Err(TEE_ERROR_BAD_PARAMETERS)
}
}

pub(crate) fn crypto_acipher_rsaes_decrypt(
cs: Arc<Mutex<TeeCrypState>>,
input: &[u8],
output: &mut [u8],
label: &[u8],
) -> TeeResult<usize> {
let cs_guard = cs.lock();
let algo = cs_guard.algo;
drop(cs_guard);

let padding_mode = match algo {
TEE_ALG_RSAES_PKCS1_V1_5 => RsaPadding::Pkcs1V15,
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5 => RsaPadding::Pkcs1V21 { mgf: MdType::Md5 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha1 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha224 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha256 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha384 },
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha512 },
_ => RsaPadding::None,
};

crypto_rsa_init(
cs.clone(),
padding_mode,
TEE_OperationMode::TEE_MODE_DECRYPT,
)?;
let mut cs_guard = cs.lock();
if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();

match algo {
TEE_ALG_RSAES_PKCS1_V1_5 => {
pk.decrypt_extend(input, output, &mut rng, None)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
}
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_MD5
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384
| TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512 => {
pk.decrypt_with_label(input, output, &mut rng, label)
.map_err(|_| TEE_ERROR_BAD_PARAMETERS)
}
_ => Err(TEE_ERROR_BAD_PARAMETERS)
}
} else {
Err(TEE_ERROR_BAD_PARAMETERS)
}
}

pub(crate) fn crypto_acipher_rsassa_sign(
cs: Arc<Mutex<TeeCrypState>>,
input: &[u8],
output: &mut [u8],
) -> TeeResult<usize> {
let cs_guard = cs.lock();
let algo = cs_guard.algo;
drop(cs_guard);

let padding_mode = match algo {
TEE_ALG_RSASSA_PKCS1_V1_5_MD5
| TEE_ALG_RSASSA_PKCS1_V1_5_SHA1
| TEE_ALG_RSASSA_PKCS1_V1_5_SHA224
| TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
| TEE_ALG_RSASSA_PKCS1_V1_5_SHA384
| TEE_ALG_RSASSA_PKCS1_V1_5_SHA512 => RsaPadding::Pkcs1V15,
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5 => RsaPadding::Pkcs1V21 { mgf: MdType::Md5 },
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha1 },
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha224 },
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha256 },
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha384 },
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512 => RsaPadding::Pkcs1V21 { mgf: MdType::Sha512 },
_ => RsaPadding::None,
};

let md_type = match algo {
TEE_ALG_RSASSA_PKCS1_V1_5_MD5
| TEE_ALG_RSASSA_PKCS1_PSS_MGF1_MD5 => MdType::Md5,
TEE_ALG_RSASSA_PKCS1_V1_5_SHA1
| TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1 => MdType::Sha1,
TEE_ALG_RSASSA_PKCS1_V1_5_SHA224
| TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224 => MdType::Sha224,
TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
| TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 => MdType::Sha256,
TEE_ALG_RSASSA_PKCS1_V1_5_SHA384
| TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384 => MdType::Sha384,
TEE_ALG_RSASSA_PKCS1_V1_5_SHA512
| TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512 => MdType::Sha512,
_ => MdType::None,
};

crypto_rsa_init(
cs.clone(),
padding_mode,
TEE_OperationMode::TEE_MODE_SIGN,
)?;
let mut cs_guard = cs.lock();

if let CrypCtx::AsyCtx(pk) = &mut cs_guard.ctx {
let mut rng = TeeSoftwareRng::new();
pk.sign(md_type, input, output, &mut rng).map_err(|_| TEE_ERROR_BAD_PARAMETERS)
} else{
Err(TEE_ERROR_BAD_PARAMETERS)
}
}
23 changes: 22 additions & 1 deletion api/src/tee/tee_svc_cryp.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -842,6 +842,19 @@ pub const tee_cryp_obj_ecc_pub_key_attrs: &[tee_cryp_obj_type_attrs] = &[
},
];

pub const tee_cryp_obj_rsa_pub_key_attrs: &[tee_cryp_obj_type_attrs] = &[
tee_cryp_obj_type_attrs {
attr_id: TEE_ATTR_RSA_MODULUS,
flags: (TEE_TYPE_ATTR_REQUIRED | TEE_TYPE_ATTR_SIZE_INDICATOR) as _,
ops_index: ATTR_OPS_INDEX_BIGNUM as _,
},
tee_cryp_obj_type_attrs {
attr_id: TEE_ATTR_RSA_PUBLIC_EXPONENT,
flags: TEE_TYPE_ATTR_REQUIRED as _,
ops_index: ATTR_OPS_INDEX_BIGNUM as _,
},
];

pub const tee_cryp_obj_rsa_keypair_attrs: &[tee_cryp_obj_type_attrs] = &[
tee_cryp_obj_type_attrs {
attr_id: TEE_ATTR_RSA_MODULUS,
Expand Down Expand Up @@ -1140,7 +1153,7 @@ pub const fn prop(
}
}

pub static TEE_CRYP_OBJ_PROPS: [tee_cryp_obj_type_props; 10] = [
pub static TEE_CRYP_OBJ_PROPS: [tee_cryp_obj_type_props; 11] = [
// AES
prop(
TEE_TYPE_AES,
Expand Down Expand Up @@ -1204,6 +1217,14 @@ pub static TEE_CRYP_OBJ_PROPS: [tee_cryp_obj_type_props; 10] = [
0,
tee_cryp_obj_rsa_keypair_attrs,
),
prop(
TEE_TYPE_RSA_PUBLIC_KEY,
1,
256,
CFG_CORE_BIGNUM_MAX_BITS as _,
0,
tee_cryp_obj_rsa_pub_key_attrs,
),
prop(
TEE_TYPE_ECDSA_KEYPAIR,
1,
Expand Down
Loading
Loading