[PATCH v3 21/25] mbedtls: add RSA helper layer on MbedTLS
Ilias Apalodimas
ilias.apalodimas at linaro.org
Fri May 31 11:59:32 CEST 2024
Hi Raymond,
[...]
> +
> +/**
> + * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in the
> + * provided struct rsa_key, pointers to the raw key as is,
> + * so that the caller can copy it or MPI parse it, etc.
> + *
> + * @rsa_key: struct rsa_key key representation
> + * @key: key in BER format
> + * @key_len: length of key
> + *
> + * Return: 0 on success or error code in case of error
> + */
> +int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key,
> + unsigned int key_len)
> +{
> + int ret = 0;
> + mbedtls_pk_context pk;
> + mbedtls_rsa_context *rsa;
> +
> + mbedtls_pk_init(&pk);
> +
> + ret = mbedtls_pk_parse_public_key(&pk, (const unsigned char *)key,
> + key_len);
> + if (ret) {
> + pr_err("Failed to parse public key, ret:-0x%04x\n",
> + (unsigned int)-ret);
> + ret = -EINVAL;
> + goto clean_pubkey;
> + }
> +
> + /* Ensure that it is a RSA key */
> + if (mbedtls_pk_get_type(&pk) != MBEDTLS_PK_RSA) {
> + pr_err("Non-RSA keys are not supported\n");
> + ret = -EKEYREJECTED;
> + goto clean_pubkey;
> + }
> +
> + /* Get RSA key context */
> + rsa = mbedtls_pk_rsa(pk);
> + if (!rsa) {
> + pr_err("Failed to get RSA key context, ret:-0x%04x\n",
> + (unsigned int)-ret);
Why do we need to cast the result here? Just print ret
Also, would it make sense to create a mapping between mbedTLS API
errors and internal error codes?
instead of setting ret = -EINVAL etc. we could have something like
ret = mbedtls_to_errno(ret);
> + ret = -EINVAL;
> + goto clean_pubkey;
> + }
> +
> + /* Parse modulus (n) */
> + rsa_key->n_sz = mbedtls_mpi_size(&rsa->N);
> + rsa_key->n = kzalloc(rsa_key->n_sz, GFP_KERNEL);
> + if (!rsa_key->n) {
> + ret = -ENOMEM;
> + goto clean_pubkey;
> + }
> + ret = mbedtls_mpi_write_binary(&rsa->N, (unsigned char *)rsa_key->n,
> + rsa_key->n_sz);
> + if (ret) {
> + pr_err("Failed to parse modulus (n), ret:-0x%04x\n",
> + (unsigned int)-ret);
Same here
> + ret = -EINVAL;
> + goto clean_modulus;
> + }
> +
> + /* Parse public exponent (e) */
> + rsa_key->e_sz = mbedtls_mpi_size(&rsa->E);
> + rsa_key->e = kzalloc(rsa_key->e_sz, GFP_KERNEL);
> + if (!rsa_key->e) {
> + ret = -ENOMEM;
> + goto clean_modulus;
> + }
> + ret = mbedtls_mpi_write_binary(&rsa->E, (unsigned char *)rsa_key->e,
> + rsa_key->e_sz);
> + if (!ret)
> + return 0;
> +
> + pr_err("Failed to parse public exponent (e), ret:-0x%04x\n",
> + (unsigned int)-ret);
and here
> + ret = -EINVAL;
> +
> + kfree(rsa_key->e);
> +clean_modulus:
> + kfree(rsa_key->n);
> +clean_pubkey:
> + mbedtls_pk_free(&pk);
> + return ret;
> +}
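Review bot: The success path `if (!ret) return 0;` after the exponent write leaves the function without reaching `clean_pubkey`, so `mbedtls_pk_free(&pk)` never runs on a successful parse and the pk context (with the RSA context it owns) leaks on every good key. Nothing is read from pk after the two mbedtls_mpi_write_binary() copies, so the free can be unconditional: `if (!ret) goto clean_pubkey;` with the cleanup labels left as they are (ret is 0 there, so the return value is unchanged). The error paths kfree `rsa_key->e` and `rsa_key->n` but leave the pointers in the caller's struct, so a caller that tears down rsa_key after a failure would free them again; `rsa_key->e = NULL;` and `rsa_key->n = NULL;` after each kfree would close that. In the `if (!rsa)` branch ret is still 0 from the successful mbedtls_pk_parse_public_key(), so the message there reports -0x0000 rather than any mbedTLS code.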
> --
> 2.25.1
>
Thanks
/Ilias