• State Verified Answer
  • Replies 6 replies
  • Subscribers 66 subscribers
  • Views 602 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 323007
Options

Importing ECC private key from PEM to PSA and error using mbedTLS helper functions

Mathi

Hi,

I have an ECC private key (in PEM) that is parsed by mbedtls_pk_parse_key(). Now, I want to import this private key into PSA (using psa_import_key()). 
I have followed the recommendations here https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md, see section - "Importing a PK key by export-import for an ECC private key".I have written a conversion routine as suggested here i.e. as below:

unsigned char buf[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
size_t length = PSA_BITS_TO_BYTES(mbedtls_pk_bitlen(&pk));
mbedtls_ecp_keypair *ec = mbedtls_pk_ec(&pk);
psa_ecc_curve_t curve;
{
    mbedtls_ecp_group grp;
    mbedtls_ecp_group_init(&grp);
    mbedtls_ecp_point Q;
    mbedtls_ecp_point_init(&Q);
    mbedtls_mpi d;
    mbedtls_mpi_init(&d);
    mbedtls_ecp_export(ec, &grp, &d, &Q);
    size_t bits;
    curve = mbedtls_ecc_group_to_psa(grp.id, &bits);
    mbedtls_ecp_group_free(&grp);
    mbedtls_ecp_point_free(&Q);
    mbedtls_mpi_free(&d);
}
mbedtls_ecp_write_key(ec, buf, length);

But when building, i get an error "undefined reference to `mbedtls_ecp_export'".
I tried configuing CONFIG_MBEDTLS_ECP_C=y and  CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y and CONFIG_MBEDTLS_ECP_ALL_ENABLED=y. But, i still get this error when building.
I can see that the function is defined in ecp.c in the nrf SDK.

Is there any particular kconfig option in the nrf SDK that is controlling the compiling of this function mbedtls_ecp_export()?
If not, is there an alternative way to import this ECC private key(returned by into PSA (for ECDSA NIST-P256-SECP-R1)?

Thanks,

Mathi.
#PSA #mbedTLS #ECC #PrivateKey#Import#PEM#Crypto#ECDSA#NISTP256#PSATRANSITION

Parents Reply Children
  • 0 in reply to Mathi

    Hi Mathi. Could you help me with one thing? I try to verify JWT token but I have problem with importing public key. I'm using to convert this tool: https://lapo.it/asn1js/

    Convert my test public key:

    I copied raw key manualy to my table and using like below.

     

    	static const char public_key[65]={0x04, 0x39, 0xE4, 0x43, 0xEC, 0xD2, 0xA4, 0x2D, 0x56, 0xAD, 0xBB, 0xA4, 0xC8, 0x0D, 0xA1, 0x09, 
									  0x5C, 0xF7, 0x63, 0x7F, 0x00, 0x1C, 0xF5, 0x2A, 0x20, 0x7B, 0x96, 0x3F, 0xC8, 0xCF, 0x89, 0x99, 
									  0xB7, 0x9E, 0xB3, 0x90, 0xD6, 0xFC, 0x3B, 0x30, 0xF7, 0xC1, 0x46, 0x36, 0x62, 0xC0, 0x2D, 0xE8, 
									  0xA9, 0x90, 0xA1, 0xC0, 0x1C, 0x3A, 0x73, 0xC4, 0x9A, 0x69, 0xBA, 0x74, 0xF6, 0x09, 0x39, 0x4F, 
									  0xCE};


	psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
	psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_HASH);
	psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
	psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
	psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
	psa_set_key_bits(&key_attributes, 256);

	LOG_HEXDUMP_INF(public_key,65,"PUBLIC KEY:");

	status = psa_import_key(&key_attributes, public_key, sizeof(public_key), &pub_key_handle);
	if (status != PSA_SUCCESS) 
	{
		#ifdef LOG_CRYPTO
			LOG_INF("psa_import_key failed! (Error: %d)", status);
		#endif	
	}

	status = psa_verify_hash(pub_key_handle, PSA_ALG_ECDSA(PSA_ALG_SHA_256), sha_digest, sizeof(sha_digest), signature, sizeof(signature));
	if (status != PSA_SUCCESS) 
	{
		LOG_INF("PSA_verify_hash failed! (Error: %d)", status);
	}
	else
	{
		LOG_INF("Verify OK");
	}

    sha_digest (hader+payload) is correct, I checked on online tool. Verification is always false. Probably I use wrong data key format. The question is: how to properly copy data from online tool to my table?

    Best regards

    PW

Related