[crypto/rsa] Resolve outstanding TODOs with respect to key sharing

andrea-caforio · andreaskurth · commit e383c23ab5d4 · 2025-10-27T16:45:32.000Z
The Boolean-masked key is now accounted for everywhere in the
cryptolib.

Signed-off-by: Andrea Caforio &lt;andrea.caforio@lowrisc.org&gt;
diff --git a/sw/device/lib/crypto/impl/keyblob.c b/sw/device/lib/crypto/impl/keyblob.c
@@ -35,7 +35,6 @@ static size_t keyblob_share_num_bytes(const otcrypto_key_config_t config) {
       return config.key_length + (64 / 8);
     case kOtcryptoKeyTypeRsa:
       // RSA key shares are the same size as the unmasked key.
-      // TODO: update once masking is implemented for RSA keys.
       HARDENED_CHECK_EQ(config.key_mode >> 16, kOtcryptoKeyTypeRsa);
       return config.key_length;
     default:
diff --git a/sw/device/lib/crypto/impl/rsa.c b/sw/device/lib/crypto/impl/rsa.c
@@ -212,11 +212,7 @@ otcrypto_status_t otcrypto_rsa_private_key_from_exponents(
           (rsa_2048_private_key_t *)private_key->keyblob;
       HARDENED_TRY(hardened_memcpy(sk->n.data, modulus.data, modulus.len));
       HARDENED_TRY(hardened_memcpy(sk->d0.data, d_share0.data, d_share0.len));
-      // TODO: RSA keys are currently unblinded, so combine the shares.
-      for (size_t i = 0; i < d_share1.len; i++) {
-        sk->d0.data[i] ^= d_share1.data[i];
-        sk->d1.data[i] = 0x0;
-      }
+      HARDENED_TRY(hardened_memcpy(sk->d1.data, d_share1.data, d_share1.len));
       break;
     }
     case kOtcryptoRsaSize3072: {
@@ -228,11 +224,7 @@ otcrypto_status_t otcrypto_rsa_private_key_from_exponents(
           (rsa_3072_private_key_t *)private_key->keyblob;
       HARDENED_TRY(hardened_memcpy(sk->n.data, modulus.data, modulus.len));
       HARDENED_TRY(hardened_memcpy(sk->d0.data, d_share0.data, d_share0.len));
-      // TODO: RSA keys are currently unblinded, so combine the shares.
-      for (size_t i = 0; i < d_share1.len; i++) {
-        sk->d0.data[i] ^= d_share1.data[i];
-        sk->d1.data[i] = 0x0;
-      }
+      HARDENED_TRY(hardened_memcpy(sk->d1.data, d_share1.data, d_share1.len));
       break;
     }
     case kOtcryptoRsaSize4096: {
@@ -244,11 +236,7 @@ otcrypto_status_t otcrypto_rsa_private_key_from_exponents(
           (rsa_4096_private_key_t *)private_key->keyblob;
       HARDENED_TRY(hardened_memcpy(sk->n.data, modulus.data, modulus.len));
       HARDENED_TRY(hardened_memcpy(sk->d0.data, d_share0.data, d_share0.len));
-      // TODO: RSA keys are currently unblinded, so combine the shares.
-      for (size_t i = 0; i < d_share1.len; i++) {
-        sk->d0.data[i] ^= d_share1.data[i];
-        sk->d1.data[i] = 0x0;
-      }
+      HARDENED_TRY(hardened_memcpy(sk->d1.data, d_share1.data, d_share1.len));
       break;
     }
     default:
