PSA Hash-and-Sign not working - returning INVALID param error

Hi, I am using nRF Connect SDK v2.2.0 on an nRF52840 custom board, and I am trying to use the PSA API to perform a hash and verify operation using psa_hash_compute() and psa_verify_hash().

While using these functions I am seeing some errors and faults that I don't understand.

I have been following along with the example code under: /nrf/samples/crypto/ecdsa

Below is what I have set in my prj.conf file:

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n

This matches what is provided in the sample code.

My code is doing the following:

#define NRF_CRYPTO_EXAMPLE_ECDSA_TEXT_SIZE (100)
#define NRF_CRYPTO_EXAMPLE_ECDSA_PUBLIC_KEY_SIZE (65)
#define NRF_CRYPTO_EXAMPLE_ECDSA_SIGNATURE_SIZE (64)
#define NRF_CRYPTO_EXAMPLE_ECDSA_HASH_SIZE (64)

static uint8_t m_pub_key[NRF_CRYPTO_EXAMPLE_ECDSA_PUBLIC_KEY_SIZE];
static uint8_t m_signature[NRF_CRYPTO_EXAMPLE_ECDSA_SIGNATURE_SIZE];
static uint8_t m_hash[NRF_CRYPTO_EXAMPLE_ECDSA_HASH_SIZE];

static psa_key_handle_t keypair_handle;
static psa_key_handle_t pub_key_handle;

static uint8_t m_plain_text[NRF_CRYPTO_EXAMPLE_ECDSA_TEXT_SIZE] = {
	"Example string to demonstrate basic usage of ECDSA."
};

/* Compute the SHA256 hash */
cryptoStatus = psa_hash_compute(
        PSA_ALG_SHA_256,
        m_plain_text,
        sizeof(m_plain_text),
        m_hash,
        sizeof( m_hash ),
        &outputLen);
LOG_ERR("psa_hash_compute cryptoStatus %d", cryptoStatus);

/* Sign the hash */
cryptoStatus = psa_sign_hash(
        keypair_handle,
        PSA_ALG_ECDSA( PSA_ALG_SHA_256 ),
        m_hash,
        sizeof( m_hash ),
        m_signature,
        sizeof(m_signature),
        &outputLen);
LOG_ERR("psa_sign_hash cryptoStatus %d", cryptoStatus);

/* Verify the signature over the same hash */
cryptoStatus = psa_verify_hash(
        pub_key_handle,
        PSA_ALG_ECDSA( PSA_ALG_SHA_256 ),
        m_hash,
        sizeof( m_hash ),
        m_signature,
        sizeof( m_signature ) );
LOG_ERR("psa_verify_hash cryptoStatus %d", cryptoStatus);

A few things:

  • I have currently set my hash (m_hash variable) to be 64 bytes - and when I do that the call to psa_sign_hash returns back PSA_ERROR_INVALID_ARGUMENT (Error -135)
  • The psa_hash_compute function runs correctly; I have been able to verify that the hash output is valid by verifying it with an offline SHA256 hash calculator, but for some reason psa_sign_hash and psa_verify_hash both return INVALID ARGUMENT errors.

  • My initial thought was that the size of the hash array might be the thing causing that error - so I changed the hash array to be 32 bytes (which matches what the sample code has) and that was not helpful either.
  • When I do that, the system actually throws a stack overflow fault.
  • If I make the hash array any length > 32 - the stack overflow goes away but I am still left with the PSA_ERROR_INVALID_ARGUMENT error

I am not sure what I am doing wrong here, but it seems like something small I am missing. Could you help?

I went through the sample code and tried to make my configuration and settings exactly the same, but I am not sure why this is failing. Any help would be appreciated.
