diff --git a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h
index d5be8045..e0276407 100644
--- a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h
+++ b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
 * \warning This interface is experimental and may change or be removed
 * without notice.
 */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
 *
diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c
index 2592b2fd..d0851069 100644
--- a/applications/helpers/provisioning/dev_mode_key_provisioning.c
+++ b/applications/helpers/provisioning/dev_mode_key_provisioning.c
@@ -1376,8 +1376,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
 size_t xPubKeyDerLength = DER_FORMAT_BUFFER_LENGTH;
 size_t xPubKeyPemLength = strlen( ( const char * ) pxProvisioningParamsBundle->codeSigningPublicKey );
 int result = 0;
- psa_status_t status = PSA_SUCCESS;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_pk_context xMbedPkContext = { 0 };
+
+ mbedtls_pk_init( &xMbedPkContext );
 result = convert_pem_to_der( ( const unsigned char * ) pxProvisioningParamsBundle->codeSigningPublicKey,
 xPubKeyPemLength,
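Review bot: MBEDTLS_PSA_CRYPTO_CLIENT is switched on at the `+#define` line with no comment saying why, in a file whose own text three lines above warns that the interface is experimental and may be removed without notice. A reader of this config alone cannot see that the flag is what makes mbedtls_pk_get_psa_attributes()/mbedtls_pk_import_into_psa() available to the provisioning helper changed later in this commit (in mbedtls 3.6 those two pk APIs are guarded by this macro, and it is not auto-enabled when PSA crypto is served by TF-M instead of MBEDTLS_PSA_CRYPTO_C, which the trusted_firmware-m entry in manifest.yml suggests is the case here). I would add, directly above the define, `/* Needed for mbedtls_pk_get_psa_attributes()/mbedtls_pk_import_into_psa() (dev_mode_key_provisioning.c); PSA crypto itself is provided by TF-M. */` and carry the same comment into the other three copies of aws_mbedtls_config.h this commit touches.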
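Review bot: `mbedtls_pk_context xMbedPkContext = { 0 };` followed immediately by `mbedtls_pk_init( &xMbedPkContext );` initialises the context twice; the API contract only needs the init call, so I would declare it plain, `mbedtls_pk_context xMbedPkContext;`, and keep the `mbedtls_pk_init()` line. I would also put a one-line comment at the init site, `/* From here on every failure path must goto exit so mbedtls_pk_free() runs. */`, because once the key is parsed into this context a bare return leaks the heap-allocated key material. xOtaProvisionCodeSigningKey's signature (and the keyBits value used further down) is above this hunk and its body continues in the next one.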
@@ -1386,22 +1388,55 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
 if( result != 0 )
 {
- return result;
+ goto exit;
+ }
+
+ /*
+ * From mbedtls 3.6.0 release note:
+ *
+ * Default behavior changes
+ * psa_import_key() now only accepts RSA keys in the PSA standard formats.
+ * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
+ * PEM) accepted by the pkparse module has been removed. Applications that
+ * need these formats can call mbedtls_pk_parse_{public,}key() followed by
+ * mbedtls_pk_import_into_psa().
+ */
+
+ result = mbedtls_pk_parse_public_key( &xMbedPkContext, ( const unsigned char * ) pucPubKeyDerFormatBuffer, xPubKeyDerLength );
+
+ if( result != 0 )
+ {
+ goto exit;
+ }
+
+ result = mbedtls_pk_get_psa_attributes( &xMbedPkContext, PSA_KEY_USAGE_VERIFY_HASH, &attributes );
+
+ if( result != 0 )
+ {
+ goto exit;
 }
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
 psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) );
- psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
 psa_set_key_bits( &attributes, keyBits );
- status = psa_import_key( &attributes, ( const uint8_t * ) pucPubKeyDerFormatBuffer,
- xPubKeyDerLength, pxKeyHandle );
- if( status != PSA_SUCCESS )
+ result = mbedtls_pk_import_into_psa( &xMbedPkContext, &attributes, pxKeyHandle );
+
+ if( result != 0 )
 {
 *pxKeyHandle = NULL;
+ goto exit;
 }
- return status;
+exit:
+ mbedtls_pk_free( &xMbedPkContext );
+
+ return result;
 }
 /*-----------------------------------------------------------*/
diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h
index c221573f..0f7a5db6 100644
--- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h
+++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h
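Review bot: The removed `psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY )` pinned the key type at import, whereas the new code takes whatever type mbedtls_pk_get_psa_attributes() derives from the parsed key and then stamps an RSA-PSS algorithm on it, so a non-RSA code-signing key (an EC SubjectPublicKeyInfo parses fine if ECP is enabled in this config) would now be accepted at provisioning and only fail later when OTA verification runs, since as far as I can tell psa_import_key() validates usage flags but not algorithm/key-type compatibility. Before `psa_set_key_algorithm(...)` I would restore the pin: `if( psa_get_key_type( &attributes ) != PSA_KEY_TYPE_RSA_PUBLIC_KEY ) { result = MBEDTLS_ERR_PK_TYPE_MISMATCH; goto exit; }`. Relatedly, `psa_set_key_bits( &attributes, keyBits )` overwrites the bit length that mbedtls_pk_get_psa_attributes() just took from the actual key; if that is meant as a key-size policy check (import should then fail on a mismatch) it deserves a comment saying so, otherwise the line can go. The enclosing function starts above this hunk.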
@@ -1171,7 +1171,7 @@ void mbedtls_platform_free( void * ptr );
 * \warning This interface is experimental and may change or be removed
 * without notice.
 */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
 *
diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
index d5be8045..e0276407 100644
--- a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
+++ b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
 * \warning This interface is experimental and may change or be removed
 * without notice.
 */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
 *
diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
index d5be8045..e0276407 100644
--- a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
+++ b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
 * \warning This interface is experimental and may change or be removed
 * without notice.
 */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
 *
diff --git a/components/security/mbedtls/library b/components/security/mbedtls/library
index daca7a39..2ca6c285 160000
--- a/components/security/mbedtls/library
+++ b/components/security/mbedtls/library
@@ -1 +1 @@
-Subproject commit daca7a3979c22da155ec9dce49ab1abf3b65d3a9
+Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206
diff --git a/manifest.yml b/manifest.yml
index 497d4e98..786c434e 100644
--- a/manifest.yml
+++ b/manifest.yml
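Review bot: The keyword_detection copy of aws_mbedtls_config.h already differs from the other three (its hunk sits at line 1171 and its blob hash is c221573f, while freertos_iot_libraries_tests, object_detection and speech_recognition all share d5be8045 at line 1154), which shows these per-application crypto configs have drifted and that a change like this one is being applied by hand to four files. For a TLS/PSA configuration that is a real risk: a future flag flip that misses one copy leaves that application with a silently different crypto policy. Short of moving the shared settings into one included header, I would at least put the same why-comment above the `+#define MBEDTLS_PSA_CRYPTO_CLIENT` line in each copy, e.g. `/* Needed for mbedtls_pk_get_psa_attributes()/mbedtls_pk_import_into_psa() in dev_mode_key_provisioning.c. */`, so the next person diffing the four files sees the dependency rather than an unexplained experimental flag.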
@@ -26,7 +26,7 @@ dependencies:
 path: "components/security/trusted_firmware-m/library"
 - name: "mbedtls"
 license: "Apache-2.0"
- version: "v3.5.2"
+ version: "v3.6.0"
 repository:
 type: "git"
 url: "https://github.com/Mbed-TLS/mbedtls.git"