Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSA fails to account for configurations with RSA but without MBEDTLS_GENPRIME #4512

Closed
Patater opened this issue May 14, 2021 · 0 comments · Fixed by #4513
Closed

PSA fails to account for configurations with RSA but without MBEDTLS_GENPRIME #4512

Patater opened this issue May 14, 2021 · 0 comments · Fixed by #4513
Labels
bug component-psa PSA keystore/dispatch layer (storage, drivers, …)

Comments

@Patater
Copy link
Contributor

Patater commented May 14, 2021


Description

  • Type: Bug
  • Priority: Minor

Bug

mbed TLS build:
Version: 2.25.0 or newer
Configuration: Default without MBEDTLS_GENPRIME

Expected behavior
PSA should offer features based on the Mbed TLS features available.

Actual behavior
When MBEDTLS_GENPRIME is not set, PSA attempts to call mbedtls_rsa_gen_key() which isn't available.

Steps to reproduce
Build Mbed TLS with its default configuration, but unset MBEDTLS_GENPRIME
Observe linker error

        psa_crypto_rsa.c.obj: in function `rsa_generate_key':
        psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Patater added a commit to Patater/mbedtls that referenced this issue May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set
by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not.

When working backwards however, when configuring what functionality is
available in Mbed TLS's PSA implementation based on Mbed TLS
configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not
defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the
MBEDTLS_GENPRIME setting.

On space-constrained platforms, it is a useful configuration to be able
to import/export and work with RSA, but exclude RSA key generation,
potentially saving flash space.

Change config_psa.h to only set
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also
set. This restores the configuration behavior present in Mbed TLS
v2.24.0 and earlier versions.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbedtls that referenced this issue May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set
by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not.

When working backwards however, when configuring what functionality is
available in Mbed TLS's PSA implementation based on Mbed TLS
configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not
defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the
MBEDTLS_GENPRIME setting.

On space-constrained platforms, it is a useful configuration to be able
to import/export and work with RSA, but exclude RSA key generation,
potentially saving flash space.

Change config_psa.h to only set
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also
set. This restores the configuration behavior present in Mbed TLS
v2.24.0 and earlier versions.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbedtls that referenced this issue May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set
by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not.

When working backwards however, when configuring what functionality is
available in Mbed TLS's PSA implementation based on Mbed TLS
configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not
defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the
MBEDTLS_GENPRIME setting.

On space-constrained platforms, it is a useful configuration to be able
to import/export and work with RSA, but exclude RSA key generation,
potentially saving flash space.

Change config_psa.h to only set
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also
set. This restores the configuration behavior present in Mbed TLS
v2.24.0 and earlier versions.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbed-os that referenced this issue May 14, 2021
Until we have a fix for Mbed-TLS/mbedtls#4512,
we need to patch the fix during import time. Otherwise, we run into
linker errors when PSA attempts to use RSA key generation, which we've
excluded.

This patch is extracted from
Mbed-TLS/mbedtls#4513
@gilles-peskine-arm gilles-peskine-arm added bug component-psa PSA keystore/dispatch layer (storage, drivers, …) Product Backlog labels May 18, 2021
Patater added a commit to Patater/mbedtls that referenced this issue May 19, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbedtls that referenced this issue May 19, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbedtls that referenced this issue May 20, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbedtls that referenced this issue May 20, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
Patater added a commit to Patater/mbedtls that referenced this issue May 21, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes Mbed-TLS#4512

Signed-off-by: Jaeden Amero <[email protected]>
MubeenHCLite pushed a commit to MubeenHCLite/mbed-os that referenced this issue Jun 14, 2021
Until we have a fix for Mbed-TLS/mbedtls#4512,
we need to patch the fix during import time. Otherwise, we run into
linker errors when PSA attempts to use RSA key generation, which we've
excluded.

This patch is extracted from
Mbed-TLS/mbedtls#4513
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug component-psa PSA keystore/dispatch layer (storage, drivers, …)
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants