Help Implementing ECDSA using PSA crypto API of mbedTLS

Hello,

I am developing FW for a BLE Peripheral on NRF52840_DK using nRF Connect SDK v1.9.1 on VScode.

So far, Peripheral and Client are able to connect and exchange data.

When Client is sending data: with a digital signature (raw 65 bytes) and its public key (raw, 65 bytes), In the Peripheral Code,

I need help in implementing digital signature using PSA library using psa_verify_message() function.

So far, i have used these functions successfully :

psa_crypto_init()

psa_generate_random()

psa_hash_compute()

I have the raw 65 byte public key in BE format (04 zz yy xx .. .. .. aa), needed for verification

but dont understand how shall i use it as the first argument of psa_verify_message().

I am using standard curve NIST Sec P256R1

status = psa_verify_message(psa_key_id_t key, PSA_ALG_ECDSA(PSA_ALG_SHA_256), msg, sizeof(msg), signature, sizeof(signature));

Please explain me the steps needed to use this function

Thanks.

0 Deep Patel over 1 year ago

I have implemented as this. Looks good ?

//Verify The Digital Signature received from GATT Client (Mobile)

//ECC curve used NIST (P-256 R1), HASH Algorithm used : SHA256

static psa_status_t CRYPTO_VerifyMessage(const uint8_t * input, size_t input_length,

const uint8_t * signature, size_t signature_length,

const uint8_t * public_key, size_t public_key_length )

{

psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

static psa_key_handle_t pub_key_handle;

psa_status_t status;

status = psa_crypto_init();

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_crypto_init failed! (Error: %d)", status);

printk("psa_crypto_init failed!\n");

return status;

}

/* Configure the key attributes */

psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);

psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);

psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));

psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));

psa_set_key_bits(&key_attributes, 256);

/* Acquire the key handle */

status = psa_import_key(&key_attributes, public_key, public_key_length, &pub_key_handle);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_import_key failed! (Error: %d)", status);

//printk("psa_import_key failed!\n");

printk("psa_import_key failed! (Error: %d)", status);

return status;

}

/* After the key handle is acquired the attributes are not needed */

psa_reset_key_attributes(&key_attributes);

status =

psa_verify_message(pub_key_handle, PSA_ALG_ECDSA(PSA_ALG_SHA_256), input, input_length, signature, signature_length);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_verify_message failed! (Error: %d)", status);

printk("psa_verify_message failed!\n");

return status;

}

/* Destroy the key handle */

status = psa_destroy_key(pub_key_handle);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_destroy_key failed! (Error: %d)", status);

printk("psa_destroy_key failed!\n");

return status;

}

return PSA_SUCCESS;

}

On free running application, i am getting PSA Status error as -141, which means no memory available while calling the psa_import_key()

How do i increase run time memory in code to fix this issue ?

Is there a Kconfig that i shall use ? How to figure out what value to use ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Deep Patel over 1 year ago

I tried changing all the combination of these sizes .. but still error !!

psa_import_key failed! (Error: -141)

Any help ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 1 year ago

Hi,

We are looking into this case and will reply later.

Regards,
Amanda
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Deep Patel over 1 year ago

Hello Thanks.

These are all the Kconfig settings i am using. . .

Can you suggest if what settings can be added / disabled / modified to fix this ?

# Enable BLE Stack

CONFIG_BT=y

CONFIG_BT_PERIPHERAL=y

CONFIG_BT_DEVICE_NAME="xyz"

#CONFIG_BT_SECURITY_ENABLED=n

# Set MTU

#CONFIG_BT_USER_DATA_LEN_UPDATE=y

CONFIG_BT_L2CAP_TX_MTU=250

CONFIG_BT_BUF_ACL_RX_SIZE=254

CONFIG_BT_BUF_ACL_TX_SIZE=254

#CONFIG_BT_CTLR_DATA_LENGTH_MAX=251

#######################################

#CONFIG_ZEPHYR_MBEDTLS_MODULE=y

#CONFIG_MBEDTLS_BUILTIN=y

#CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048

CONFIG_DEBUG_THREAD_INFO=y

CONFIG_DEBUG_OPTIMIZATIONS=y

# The Zephyr CMSIS emulation assumes that ticks are ms, currently

CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_MAIN_STACK_SIZE=4096

#CONFIG_MAIN_STACK_SIZE=8192

CONFIG_HEAP_MEM_POOL_SIZE=4096

#CONFIG_HEAP_MEM_POOL_SIZE=8192

# Enable loging using RTT and UART

CONFIG_CONSOLE=y

CONFIG_LOG=y

CONFIG_USE_SEGGER_RTT=y

#CONFIG_LOG_BACKEND_RTT=y

#CONFIG_LOG_BACKEND_UART=y

#CONFIG_LOG_BUFFER_SIZE=15360

#CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360

# Enable nordic security backend and PSA APIs

CONFIG_NRF_SECURITY=y

CONFIG_MBEDTLS_PSA_CRYPTO_C=y

#CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y

#CONFIG_MBEDTLS_ENABLE_HEAP=y

CONFIG_MBEDTLS_HEAP_SIZE=8192

CONFIG_PSA_CRYPTO_DRIVER_OBERON=n

CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

Also, i read some suggestion elsewhere like this
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 1 year ago

Hi,

From what I can gather from the error statement, it could happen in heap-allocation issues. There are two heap configurations you are messing with, and I am assuming you are setting the wrong one. The configuration on the heap that can be tuned is CONFIG_MBEDTLS_HEAP_SIZE, not CONFIG_HEAP_MEM_POOL_SIZE. The heap allocation in ECP (builtin) is considerable. Maybe try it at 16KB

I wonder what kind of driver you are using in this configuration. This would be valuable info.

Regards,
Amanda
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel