• State Verified Answer
  • Replies 16 replies
  • Subscribers 74 subscribers
  • Views 2609 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 318756
Options

Mbedtls - Using keys handled by PSA Crypto

Darko

Hello,

I need to implement the code that calculates the ECDSA signature, using the mbedtls library.
Development environment:

  • nRF53DK
  • nRF Connect SDK 2.3.0

Currently, the process is implemented as follows:

  • The private key is generated using openssl, and stored to flash memory in DER format.
  • The signature is calculated by loading the mentioned key in mbedtls_pk_context using mbedtls_pk_parse_key, and passing such context to the mbedtls_ecdsa_write_signature function.

As a next step, it is necessary to implement key generation within the firmware and use it for signature so that the code itself does not need access to the key content.

I was able to generate the key using psa_generate_key.
The plan is to load the generated key to the corresponding mbedtls_pk_context using mbedtls_pk_setup_opaque as a next step.
This should be the only change from the current state (after configuring the mbedtls_pk_context, mbedtls_ecdsa_write_signature is called as before).

However, the problem is that, despite researching similar forum posts, and corresponding mbedtls configuration requests, I am still not able to use the mbedtls_pk_setup_opaque function because it looks like MBEDTLS_USE_PSA_CRYPTO is not defined.

The following security modules are included in the prj file (here there are certainly those that are not needed for the mentioned ECDSA signing, but remained in the project for the needs of tests of various mbedtls functionalities):

CONFIG_NRF_SECURITY=y

CONFIG_MBEDTLS_LIBRARY_NRF_SECURITY=y
CONFIG_MBEDTLS_USE_PSA_CRYPTO=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y

CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_SHA256_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_CTR_DRBG_C=y
CONFIG_MBEDTLS_ENTROPY_C=y
CONFIG_MBEDTLS_PK_PARSE_C=y

CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_X509_CREATE_C=y
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=n

Do you have any idea what could be the cause of this behavior?
Is this a regular approach for implementing not exposing secret key material to the users of mbedtls API?

Thanks.

Parents
  • 0

    Hi,

    I need to implement the code that calculates the ECDSA signature, using the mbedtls library.

    If you want to rule out an XY Problem, you can tell me what the use-case is. If not I will help you as best I can with what you ask for.

    it looks like MBEDTLS_USE_PSA_CRYPTO is not defined.

    I suggest that you use the VS Code Kconfig tool or "menuconfig" (west build -t menuconfig) to check which dependencies unset CONFIG_MBEDTLS_USE_PSA_CRYPTO.

    If I build the nrf/samples/crypto/ecdsa sample with your above configs except for EXTERNAL_RNG (it makes the build fail), I get MBEDTLS_USE_PSA_CRYPTO=y

    Does this help you?

    Regards,
    Sigurd Hellesvik

  • 0 in reply to Sigurd Hellesvik

    Hello,

    Thanks for answering.

    Sigurd Hellesvik said:
    If you want to rule out an XY Problem, you can tell me what the use-case is. If not I will help you as best I can with what you ask for.

    I will try to rephrase the question.

    I implemented an initial solution for calculating ECDSA signature, using the mbedtls library, that works fine.
    Such implementation loads the private key in DER format (stored in Flash memory) into mbedtls_pk_context using mbedtls_pk_parse_key, and further calculates signature providing such mbedtls_pk_context to the mbedtls_ecdsa_write_signature function.

    Now I want to stop using the key preloaded in Flash and generate it within the code.

    My approach is to generate key with psa_generate_key function, and load such key to mbedtls_pk_context using mbedtls_pk_setup_opaque (practically for replacing the call of mbedtls_pk_parse_key with the call of mbedtls_pk_setup_opaque).

    The bottom problem is that I'm not able to compile code using mbedtls_pk_setup_opaque call.

    Sigurd Hellesvik said:
    I suggest that you use the VS Code Kconfig tool or "menuconfig" (west build -t menuconfig) to check which dependencies unset CONFIG_MBEDTLS_USE_PSA_CRYPTO.

    I will check that.

    Best regards,
    Darko

Reply
  • 0 in reply to Sigurd Hellesvik

    Hello,

    Thanks for answering.

    Sigurd Hellesvik said:
    If you want to rule out an XY Problem, you can tell me what the use-case is. If not I will help you as best I can with what you ask for.

    I will try to rephrase the question.

    I implemented an initial solution for calculating ECDSA signature, using the mbedtls library, that works fine.
    Such implementation loads the private key in DER format (stored in Flash memory) into mbedtls_pk_context using mbedtls_pk_parse_key, and further calculates signature providing such mbedtls_pk_context to the mbedtls_ecdsa_write_signature function.

    Now I want to stop using the key preloaded in Flash and generate it within the code.

    My approach is to generate key with psa_generate_key function, and load such key to mbedtls_pk_context using mbedtls_pk_setup_opaque (practically for replacing the call of mbedtls_pk_parse_key with the call of mbedtls_pk_setup_opaque).

    The bottom problem is that I'm not able to compile code using mbedtls_pk_setup_opaque call.

    Sigurd Hellesvik said:
    I suggest that you use the VS Code Kconfig tool or "menuconfig" (west build -t menuconfig) to check which dependencies unset CONFIG_MBEDTLS_USE_PSA_CRYPTO.

    I will check that.

    Best regards,
    Darko

Children
No Data
Related
Terms of service