feat(mbedtls): Integrate the ecdsa export public key feature in mbedtls

2025-08-10 04:43:33 +00:00 · 2023-08-08 17:19:06 +05:30
parent cc32fbb302
commit 4c0dd8388b
3 changed files with 204 additions and 4 deletions
--- a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
+++ b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
@@ -6,14 +6,47 @@

 #pragma once

+#include <stdbool.h>
 #include <stdint.h>
-#include "sdkconfig.h"
+#include "mbedtls/ecp.h"
 #include "mbedtls/pk.h"
+#include "sdkconfig.h"
+#include "soc/soc_caps.h"

 #ifdef __cplusplus
 extern "C" {
 #endif

+/**
+ * @brief ECDSA private key context initialization config structure
+ * @note  Contains configuration information like the efuse key block that should be used as the private key,
+ *        EC group ID of the private key and if the export public key operation is supported
+ *        by the peripheral, a flag load_pubkey that is used specify if the public key has to be populated
+ */
+typedef struct {
+    mbedtls_ecp_group_id grp_id;
+    uint8_t efuse_block;
+#ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
+    bool load_pubkey;
+#endif
+} esp_ecdsa_pk_conf_t;  //TODO: IDF-7925 (Add a config to select the ecdsa key from the key manager peripheral)
+
+#ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
+
+/**
+ * @brief Populate the public key buffer of the mbedtls_ecp_keypair context.
+ *
+ * @param keypair The mbedtls ECP key-pair structure
+ * @param efuse_blk The efuse key block that should be used as the private key.
+ *                  The key purpose of this block must be ECDSA_KEY
+ * @return - 0 if successful
+ *         - MBEDTLS_ERR_ECP_BAD_INPUT_DATA if invalid ecp group id specified
+ *         - MBEDTLS_ERR_ECP_INVALID_KEY if efuse block with purpose ECDSA_KEY is not found
+ *         - -1 if invalid efuse block is specified
+ */
+int esp_ecdsa_load_pubkey(mbedtls_ecp_keypair *keypair, int efuse_blk);
+#endif
+
 #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN

 /**
@@ -46,6 +79,24 @@ int esp_ecdsa_privkey_load_mpi(mbedtls_mpi *key, int efuse_blk);
 *         - -1 otherwise
 */
 int esp_ecdsa_privkey_load_pk_context(mbedtls_pk_context *key_ctx, int efuse_blk);
+
+/**
+ * @brief Initialize PK context and completely populate mbedtls_ecp_keypair context.
+ *        We break the MPI struct used to represent the private key `d` in ECP keypair
+ *        in order to differentiate between hardware key and software key.
+ *        We also populate the ECP group field present in the mbedtls_ecp_keypair context.
+ *        If the ECDSA peripheral of the chip supports exporting the public key,
+ *        we can also populate the public key buffer of the mbedtls_ecp_keypair context
+ *        if the load_pubkey flag is set in the esp_ecdsa_pk_conf_t config argument.
+ *
+ * @param key_ctx The context in which this functions stores the hardware context.
+ *                This must be uninitialized
+ * @param conf ESP-ECDSA private key context initialization config structure
+ *
+ * @return - 0 if successful
+ *         - -1 otherwise
+ */
+int esp_ecdsa_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_t *conf);
 #endif

 #ifdef __cplusplus