[PATCH v3 21/25] mbedtls: add RSA helper layer on MbedTLS

Raymond Mao raymond.mao at linaro.org
Tue Jun 4 18:43:52 CEST 2024


Hi Ilias,

On Fri, 31 May 2024 at 06:00, Ilias Apalodimas <ilias.apalodimas at linaro.org>
wrote:

> Hi Raymond,
>
> [...]
>
> > +
> > +/**
> > + * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in
> the
> > + *                       provided struct rsa_key, pointers to the raw
> key as is,
> > + *                       so that the caller can copy it or MPI parse
> it, etc.
> > + *
> > + * @rsa_key:   struct rsa_key key representation
> > + * @key:       key in BER format
> > + * @key_len:   length of key
> > + *
> > + * Return:     0 on success or error code in case of error
> > + */
> > +int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key,
> > +                     unsigned int key_len)
> > +{
> > +       int ret = 0;
> > +       mbedtls_pk_context pk;
> > +       mbedtls_rsa_context *rsa;
> > +
> > +       mbedtls_pk_init(&pk);
> > +
> > +       ret = mbedtls_pk_parse_public_key(&pk, (const unsigned char
> *)key,
> > +                                         key_len);
> > +       if (ret) {
> > +               pr_err("Failed to parse public key, ret:-0x%04x\n",
> > +                      (unsigned int)-ret);
> > +               ret = -EINVAL;
> > +               goto clean_pubkey;
> > +       }
> > +
> > +       /* Ensure that it is a RSA key */
> > +       if (mbedtls_pk_get_type(&pk) != MBEDTLS_PK_RSA) {
> > +               pr_err("Non-RSA keys are not supported\n");
> > +               ret = -EKEYREJECTED;
> > +               goto clean_pubkey;
> > +       }
> > +
> > +       /* Get RSA key context */
> > +       rsa = mbedtls_pk_rsa(pk);
> > +       if (!rsa) {
> > +               pr_err("Failed to get RSA key context, ret:-0x%04x\n",
> > +                      (unsigned int)-ret);
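Review bot: in the `if (!rsa)` branch, `ret` is still 0 from the successful mbedtls_pk_parse_public_key() call, so `pr_err("Failed to get RSA key context, ret:-0x%04x\n", (unsigned int)-ret)` always prints 0x0000. mbedtls_pk_rsa() returns a pointer rather than an error code, so drop the code from that message and assign an explicit error (for example `ret = -EINVAL;`) before the goto; the quoted hunk ends right after the pr_err, so no such assignment is visible here. Since the MBEDTLS_PK_RSA type check directly above guarantees the RSA context is set, this branch is at most a defensive check.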
>
> Why do we need to cast the result here? Just print ret.
> Also, would it make sense to create a mapping between mbedTLS API
> errors and internal error codes?
> Instead of doing ret = -EINVAL etc., we could have something like
> ret = mbedtls_to_errno(ret);
>
I can remove all the casts.
But it is not possible to map the mbedtls errors 1:1 to general ones via a
helper function, since the error code should reflect the current scenario of
the operation.
Even with the same MbedTLS API and the same error code, the purpose of the
caller is different, so it is hard to map them to a common
interpretation.

[...]

Regards,
Raymond


More information about the U-Boot mailing list