Help Implementing ECDSA using PSA crypto API of mbedTLS

Hello,

I am developing FW for a BLE Peripheral on NRF52840_DK using nRF Connect SDK v1.9.1 on VScode.

So far, Peripheral and Client are able to connect and exchange data.

When Client is sending data: with a digital signature (raw 65 bytes) and its public key (raw, 65 bytes), In the Peripheral Code,

I need help in implementing digital signature using PSA library using psa_verify_message() function.

So far, i have used these functions successfully :

psa_crypto_init()

psa_generate_random()

psa_hash_compute()

I have the raw 65 byte public key in BE format (04 zz yy xx .. .. .. aa), needed for verification

but dont understand how shall i use it as the first argument of psa_verify_message().

I am using standard curve NIST Sec P256R1

status = psa_verify_message(psa_key_id_t key, PSA_ALG_ECDSA(PSA_ALG_SHA_256), msg, sizeof(msg), signature, sizeof(signature));

Please explain me the steps needed to use this function

Thanks.

Parents

0 Deep Patel over 1 year ago

I have implemented as this. Looks good ?

//Verify The Digital Signature received from GATT Client (Mobile)

//ECC curve used NIST (P-256 R1), HASH Algorithm used : SHA256

static psa_status_t CRYPTO_VerifyMessage(const uint8_t * input, size_t input_length,

const uint8_t * signature, size_t signature_length,

const uint8_t * public_key, size_t public_key_length )

{

psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

static psa_key_handle_t pub_key_handle;

psa_status_t status;

status = psa_crypto_init();

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_crypto_init failed! (Error: %d)", status);

printk("psa_crypto_init failed!\n");

return status;

}

/* Configure the key attributes */

psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);

psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);

psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));

psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));

psa_set_key_bits(&key_attributes, 256);

/* Acquire the key handle */

status = psa_import_key(&key_attributes, public_key, public_key_length, &pub_key_handle);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_import_key failed! (Error: %d)", status);

//printk("psa_import_key failed!\n");

printk("psa_import_key failed! (Error: %d)", status);

return status;

}

/* After the key handle is acquired the attributes are not needed */

psa_reset_key_attributes(&key_attributes);

status =

psa_verify_message(pub_key_handle, PSA_ALG_ECDSA(PSA_ALG_SHA_256), input, input_length, signature, signature_length);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_verify_message failed! (Error: %d)", status);

printk("psa_verify_message failed!\n");

return status;

}

/* Destroy the key handle */

status = psa_destroy_key(pub_key_handle);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_destroy_key failed! (Error: %d)", status);

printk("psa_destroy_key failed!\n");

return status;

}

return PSA_SUCCESS;

}

On free running application, i am getting PSA Status error as -141, which means no memory available while calling the psa_import_key()

How do i increase run time memory in code to fix this issue ?

Is there a Kconfig that i shall use ? How to figure out what value to use ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Deep Patel over 1 year ago

I have implemented as this. Looks good ?

//Verify The Digital Signature received from GATT Client (Mobile)

//ECC curve used NIST (P-256 R1), HASH Algorithm used : SHA256

static psa_status_t CRYPTO_VerifyMessage(const uint8_t * input, size_t input_length,

const uint8_t * signature, size_t signature_length,

const uint8_t * public_key, size_t public_key_length )

{

psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

static psa_key_handle_t pub_key_handle;

psa_status_t status;

status = psa_crypto_init();

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_crypto_init failed! (Error: %d)", status);

printk("psa_crypto_init failed!\n");

return status;

}

/* Configure the key attributes */

psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);

psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);

psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));

psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));

psa_set_key_bits(&key_attributes, 256);

/* Acquire the key handle */

status = psa_import_key(&key_attributes, public_key, public_key_length, &pub_key_handle);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_import_key failed! (Error: %d)", status);

//printk("psa_import_key failed!\n");

printk("psa_import_key failed! (Error: %d)", status);

return status;

}

/* After the key handle is acquired the attributes are not needed */

psa_reset_key_attributes(&key_attributes);

status =

psa_verify_message(pub_key_handle, PSA_ALG_ECDSA(PSA_ALG_SHA_256), input, input_length, signature, signature_length);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_verify_message failed! (Error: %d)", status);

printk("psa_verify_message failed!\n");

return status;

}

/* Destroy the key handle */

status = psa_destroy_key(pub_key_handle);

if (status != PSA_SUCCESS)

{

//LOG_INF("psa_destroy_key failed! (Error: %d)", status);

printk("psa_destroy_key failed!\n");

return status;

}

return PSA_SUCCESS;

}

On free running application, i am getting PSA Status error as -141, which means no memory available while calling the psa_import_key()

How do i increase run time memory in code to fix this issue ?

Is there a Kconfig that i shall use ? How to figure out what value to use ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data