From 16c43e69119ad565a3689a43711c8f67731a8166 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20H=C3=A1zi?= Date: Tue, 23 Apr 2024 13:15:57 +0200 Subject: [PATCH] mbedtls: Update mbedtls to v3.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The provisioning code which used by OTA has been changed, because from mbedtls 3.6.0 the psa_import_key() only accepts RSA keys in standard PSA format, mbedtls_pk_import_into_psa() is used instead. Signed-off-by: Dávid Házi --- .../mbedtls_config/aws_mbedtls_config.h | 2 +- .../provisioning/dev_mode_key_provisioning.c | 51 ++++++++++++++++--- .../mbedtls_config/aws_mbedtls_config.h | 2 +- .../mbedtls_config/aws_mbedtls_config.h | 2 +- .../mbedtls_config/aws_mbedtls_config.h | 2 +- components/security/mbedtls/library | 2 +- manifest.yml | 2 +- 7 files changed, 49 insertions(+), 14 deletions(-) diff --git a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h index d5be8045..e0276407 100644 --- a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h @@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c index 2592b2fd..d0851069 100644 --- a/applications/helpers/provisioning/dev_mode_key_provisioning.c +++ b/applications/helpers/provisioning/dev_mode_key_provisioning.c @@ -1376,8 +1376,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, size_t xPubKeyDerLength = DER_FORMAT_BUFFER_LENGTH; size_t xPubKeyPemLength = strlen( ( const char * ) pxProvisioningParamsBundle->codeSigningPublicKey ); int result = 0; - psa_status_t status = PSA_SUCCESS; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_pk_context xMbedPkContext = { 0 }; + + mbedtls_pk_init( &xMbedPkContext ); result = convert_pem_to_der( ( const unsigned char * ) pxProvisioningParamsBundle->codeSigningPublicKey, xPubKeyPemLength, @@ -1386,22 +1388,55 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, if( result != 0 ) { - return result; + goto exit; + } + + /* + * From mbedtls 3.6.0 release note: + * + * Default behavior changes + * psa_import_key() now only accepts RSA keys in the PSA standard formats. + * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, + * PEM) accepted by the pkparse module has been removed. Applications that + * need these formats can call mbedtls_pk_parse_{public,}key() followed by + * mbedtls_pk_import_into_psa(). + */ + + result = mbedtls_pk_parse_public_key( &xMbedPkContext, + ( const unsigned char * ) pucPubKeyDerFormatBuffer, + xPubKeyDerLength ); + + if( result != 0 ) + { + goto exit; + } + + result = mbedtls_pk_get_psa_attributes( &xMbedPkContext, + PSA_KEY_USAGE_VERIFY_HASH, + &attributes ); + + if( result != 0 ) + { + goto exit; } - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY ); psa_set_key_bits( &attributes, keyBits ); - status = psa_import_key( &attributes, ( const uint8_t * ) pucPubKeyDerFormatBuffer, - xPubKeyDerLength, pxKeyHandle ); - if( status != PSA_SUCCESS ) + result = mbedtls_pk_import_into_psa( &xMbedPkContext, + &attributes, + pxKeyHandle ); + + if( result != 0 ) { *pxKeyHandle = NULL; + goto exit; } - return status; +exit: + mbedtls_pk_free( &xMbedPkContext ); + + return result; } /*-----------------------------------------------------------*/ diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index c221573f..0f7a5db6 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -1171,7 +1171,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h index d5be8045..e0276407 100644 --- a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h index d5be8045..e0276407 100644 --- a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h @@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/components/security/mbedtls/library b/components/security/mbedtls/library index daca7a39..2ca6c285 160000 --- a/components/security/mbedtls/library +++ b/components/security/mbedtls/library @@ -1 +1 @@ -Subproject commit daca7a3979c22da155ec9dce49ab1abf3b65d3a9 +Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206 diff --git a/manifest.yml b/manifest.yml index 497d4e98..786c434e 100644 --- a/manifest.yml +++ b/manifest.yml @@ -26,7 +26,7 @@ dependencies: path: "components/security/trusted_firmware-m/library" - name: "mbedtls" license: "Apache-2.0" - version: "v3.5.2" + version: "v3.6.0" repository: type: "git" url: "https://github.com/Mbed-TLS/mbedtls.git"