espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(mbedtls/ecdsa): Introduce PSA ECDSA driver

Browse Source
This commit is contained in:
harshal.patil
2025-12-30 02:23:29 +05:30
parent ce6e80c129
commit e9ea55bea2
22 changed files with 1736 additions and 2185 deletions
Download Patch File Download Diff File Expand all files Collapse all files
examples/security/tee/tee_secure_storage/main/tee_main.c
+46 -25
View File
@@ -1,7 +1,7 @@
/*
* TEE Secure Storage example
*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
@@ -16,6 +16,7 @@
#include "freertos/task.h"
#include "psa/crypto.h"
#include "psa_crypto_driver_esp_ecdsa.h"
#include "esp_tee_sec_storage.h"
#include "secure_service_num.h"
@@ -34,9 +35,9 @@ static const char *message = "Lorem ipsum dolor sit amet, consectetur adipiscing
static const char *TAG = "example_tee_sec_stg";
static esp_err_t verify_ecdsa_secp256r1_sign(const uint8_t *digest, size_t len, const esp_tee_sec_storage_ecdsa_pubkey_t *pubkey, const esp_tee_sec_storage_ecdsa_sign_t *sign)
static esp_err_t verify_ecdsa_secp256r1_sign(const uint8_t *digest, size_t len, const uint8_t *pub_key, size_t pub_key_len, const uint8_t *signature, size_t signature_len)
{
if (pubkey == NULL || digest == NULL || sign == NULL) {
if (pub_key == NULL || pub_key_len == 0 || digest == NULL || len == 0 || signature == NULL || signature_len == 0) {
return ESP_ERR_INVALID_ARG;
}
@@ -46,29 +47,24 @@ static esp_err_t verify_ecdsa_secp256r1_sign(const uint8_t *digest, size_t len,
esp_err_t err = ESP_FAIL;
psa_key_id_t key_id = 0;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
psa_key_id_t pub_key_id = 0;
psa_key_attributes_t pub_key_attr = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_type(&pub_key_attr, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
psa_set_key_usage_flags(&pub_key_attr, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&pub_key_attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
uint8_t pub_key[2 * ECDSA_SECP256R1_KEY_LEN + 1];
pub_key[0] = 0x04;
memcpy(pub_key + 1, pubkey->pub_x, ECDSA_SECP256R1_KEY_LEN);
memcpy(pub_key + 1 + ECDSA_SECP256R1_KEY_LEN, pubkey->pub_y, ECDSA_SECP256R1_KEY_LEN);
psa_status_t status = psa_import_key(&key_attributes, pub_key, sizeof(pub_key), &key_id);
psa_status_t status = psa_import_key(&pub_key_attr, pub_key, pub_key_len, &pub_key_id);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_verify_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest, len, sign->signature, sizeof(sign->signature));
status = psa_verify_hash(pub_key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest, len, signature, signature_len);
if (status != PSA_SUCCESS) {
goto exit;
}
psa_destroy_key(key_id);
psa_reset_key_attributes(&key_attributes);
psa_destroy_key(pub_key_id);
psa_reset_key_attributes(&pub_key_attr);
err = ESP_OK;
@@ -107,23 +103,46 @@ static void example_tee_sec_stg_sign_verify(void *pvParameter)
goto exit;
}
esp_tee_sec_storage_ecdsa_sign_t sign = {};
err = esp_tee_sec_storage_ecdsa_sign(&cfg, msg_digest, msg_digest_len, &sign);
if (err != ESP_OK) {
esp_ecdsa_opaque_key_t opaque_key = {
.curve = ESP_ECDSA_CURVE_SECP256R1,
.tee_key_id = cfg.id,
};
psa_key_id_t priv_key_id = 0;
psa_key_attributes_t priv_key_attr = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
psa_set_key_type(&priv_key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
psa_set_key_bits(&priv_key_attr, ECDSA_SECP256R1_KEY_LEN * 8);
psa_set_key_usage_flags(&priv_key_attr, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(&priv_key_attr, alg);
psa_set_key_lifetime(&priv_key_attr, PSA_KEY_LIFETIME_ESP_ECDSA_VOLATILE);
status = psa_import_key(&priv_key_attr, (uint8_t*) &opaque_key, sizeof(opaque_key), &priv_key_id);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to import private key!");
goto exit;
}
uint8_t signature[2 * ECDSA_SECP256R1_KEY_LEN];
size_t signature_len = 0;
status = psa_sign_hash(priv_key_id, alg, msg_digest, msg_digest_len, signature, sizeof(signature), &signature_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to generate signature!");
goto exit;
}
ESP_LOG_BUFFER_HEX("Signature", &sign, sizeof(sign));
ESP_LOG_BUFFER_HEX("Signature", signature, signature_len);
esp_tee_sec_storage_ecdsa_pubkey_t pubkey = {};
err = esp_tee_sec_storage_ecdsa_get_pubkey(&cfg, &pubkey);
if (err != ESP_OK) {
uint8_t pub_key[2 * ECDSA_SECP256R1_KEY_LEN + 1];
size_t pub_key_len = 0;
status = psa_export_public_key(priv_key_id, pub_key, sizeof(pub_key), &pub_key_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to fetch public-key!");
goto exit;
}
err = verify_ecdsa_secp256r1_sign(msg_digest, msg_digest_len, &pubkey, &sign);
err = verify_ecdsa_secp256r1_sign(msg_digest, msg_digest_len, pub_key, pub_key_len, signature, signature_len);
if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to verify signature!");
goto exit;
@@ -132,6 +151,8 @@ static void example_tee_sec_stg_sign_verify(void *pvParameter)
ESP_LOGI(TAG, "Signature verified successfully!");
exit:
psa_destroy_key(priv_key_id);
psa_reset_key_attributes(&priv_key_attr);
vTaskDelete(NULL);
}