mbedtls: Update mbedtls to v3.6.0

The provisioning code which used by OTA has been changed, because from mbedtls 3.6.0 the psa_import_key() only accepts RSA keys in standard PSA format, mbedtls_pk_import_into_psa() is used instead. Signed-off-by: Dávid Házi <[email protected]>
FreeRTOS · May 17, 2024 · 16c43e6 · 16c43e6
1 parent 43eacc8
commit 16c43e6
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 14 deletions.
diff --git a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c
@@ -1376,8 +1376,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
     size_t xPubKeyDerLength = DER_FORMAT_BUFFER_LENGTH;
     size_t xPubKeyPemLength = strlen( ( const char * ) pxProvisioningParamsBundle->codeSigningPublicKey );
     int result = 0;
-    psa_status_t status = PSA_SUCCESS;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    mbedtls_pk_context xMbedPkContext = { 0 };
+
+    mbedtls_pk_init( &xMbedPkContext );
 
     result = convert_pem_to_der( ( const unsigned char * ) pxProvisioningParamsBundle->codeSigningPublicKey,
                                  xPubKeyPemLength,
@@ -1386,22 +1388,55 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
 
     if( result != 0 )
     {
-        return result;
+        goto exit;
+    }
+
+    /*
+     * From mbedtls 3.6.0 release note:
+     *
+     * Default behavior changes
+     * psa_import_key() now only accepts RSA keys in the PSA standard formats.
+     * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
+     * PEM) accepted by the pkparse module has been removed. Applications that
+     * need these formats can call mbedtls_pk_parse_{public,}key() followed by
+     * mbedtls_pk_import_into_psa().
+     */
+
+    result = mbedtls_pk_parse_public_key( &xMbedPkContext,
+                                          ( const unsigned char * ) pucPubKeyDerFormatBuffer,
+                                          xPubKeyDerLength );
+
+    if( result != 0 )
+    {
+        goto exit;
+    }
+
+    result = mbedtls_pk_get_psa_attributes( &xMbedPkContext,
+                                            PSA_KEY_USAGE_VERIFY_HASH,
+                                            &attributes );
+
+    if( result != 0 )
+    {
+        goto exit;
     }
 
-    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
     psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) );
-    psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
     psa_set_key_bits( &attributes, keyBits );
-    status = psa_import_key( &attributes, ( const uint8_t * ) pucPubKeyDerFormatBuffer,
-                             xPubKeyDerLength, pxKeyHandle );
 
-    if( status != PSA_SUCCESS )
+    result = mbedtls_pk_import_into_psa( &xMbedPkContext,
+                                         &attributes,
+                                         pxKeyHandle );
+
+    if( result != 0 )
     {
         *pxKeyHandle = NULL;
+        goto exit;
     }
 
-    return status;
+exit:
+    mbedtls_pk_free( &xMbedPkContext );
+
+    return result;
 }
 
 /*-----------------------------------------------------------*/
diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1171,7 +1171,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

diff --git a/components/security/mbedtls/library b/components/security/mbedtls/library
diff --git a/manifest.yml b/manifest.yml
@@ -26,7 +26,7 @@ dependencies:
       path: "components/security/trusted_firmware-m/library"
   - name: "mbedtls"
     license: "Apache-2.0"
-    version: "v3.5.2"
+    version: "v3.6.0"
     repository:
       type: "git"
       url: "https://github.com/Mbed-TLS/mbedtls.git"