nrf_security: drivers: cracen: Implement ECDSA in cracenpsa

Add support for ECDSA in cracenpsa
Directly using silexpk/sxsymcrypt
This bypasses sicrypto, which saves on flash usage
Adding support for hmac without sicrypto.
Remove sicrypto implementation of ECDSA being
accessible from cracenpsa.
Various refactors to support this

Signed-off-by: Dag Erik Gjørvad <[email protected]>

Author: degjorva

subsys/nrf_security/src/core/lite/psa_core_lite.c

@@ -9,6 +9,7 @@
 #include <psa_crypto_driver_wrappers.h>
 #include <cracen_psa_kmu.h>
 #include <cracen/mem_helpers.h>
+#include <cracen_psa_eddsa.h>
 
 #if defined(CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS)
 #include "cracen_psa.h"

subsys/nrf_security/src/drivers/cracen/cracenpsa/cracenpsa.cmake

@@ -15,6 +15,8 @@ list(APPEND cracen_driver_sources
   ${CMAKE_CURRENT_LIST_DIR}/src/common.c
   ${CMAKE_CURRENT_LIST_DIR}/src/mem_helpers.c
   ${CMAKE_CURRENT_LIST_DIR}/src/ec_helpers.c
+  ${CMAKE_CURRENT_LIST_DIR}/src/ecc.c
+  ${CMAKE_CURRENT_LIST_DIR}/src/rndinrange.c
 
   # Note: We always need to have blkcipher.c and ctr_drbg.c since it
   # is used directly by many Cracen drivers.
@@ -44,7 +46,10 @@ endif()
 if(CONFIG_PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_DRIVER)
   list(APPEND cracen_driver_sources
     ${CMAKE_CURRENT_LIST_DIR}/src/sign.c
+    ${CMAKE_CURRENT_LIST_DIR}/src/ecdsa.c
+    ${CMAKE_CURRENT_LIST_DIR}/src/ecc.c
     ${CMAKE_CURRENT_LIST_DIR}/src/ed25519.c
+    ${CMAKE_CURRENT_LIST_DIR}/src/hmac.c
   )
 endif()
 
@@ -62,8 +67,11 @@ endif()
 
 if(CONFIG_PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER OR CONFIG_PSA_NEED_CRACEN_KMU_DRIVER OR CONFIG_MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
   list(APPEND cracen_driver_sources
+    ${CMAKE_CURRENT_LIST_DIR}/src/ed25519.c
     ${CMAKE_CURRENT_LIST_DIR}/src/key_management.c
     ${CMAKE_CURRENT_LIST_DIR}/src/ed25519.c
+    ${CMAKE_CURRENT_LIST_DIR}/src/ecdsa.c
+    ${CMAKE_CURRENT_LIST_DIR}/src/ecc.c
   )
 endif()
 

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h

@@ -361,18 +361,4 @@ psa_status_t cracen_spake2p_get_shared_key(cracen_spake2p_operation_t *operation
 
 psa_status_t cracen_spake2p_abort(cracen_spake2p_operation_t *operation);
 
-int cracen_ed25519_sign(const uint8_t *priv_key, char *signature, const uint8_t *message,
-			size_t message_length);
-
-int cracen_ed25519_verify(const uint8_t *pub_key, const char *message, size_t message_length,
-			  const char *signature);
-
-int cracen_ed25519ph_sign(const uint8_t *priv_key, char *signature, const uint8_t *message,
-			  size_t message_length, bool is_message);
-
-int cracen_ed25519ph_verify(const uint8_t *pub_key, const char *message, size_t message_length,
-			    const char *signature, bool is_message);
-
-int cracen_ed25519_create_pubkey(const uint8_t *priv_key, uint8_t *pub_key);
-
 #endif /* CRACEN_PSA_H */

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_ecdsa.h

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef CRACEN_PSA_ECDSA_H
+#define CRACEN_PSA_ECDSA_H
+
+#include <psa/crypto.h>
+
+int cracen_ecdsa_verify_message(const char *pubkey, const struct sxhashalg *hashalg,
+				const uint8_t *message, size_t message_length,
+				const struct sx_pk_ecurve *curve, const uint8_t *signature);
+
+int cracen_ecdsa_verify_digest(const char *pubkey, const uint8_t *digest, size_t digestsz,
+			       const struct sx_pk_ecurve *curve, const uint8_t *signature);
+
+int cracen_ecdsa_sign_message(const struct ecc_priv_key *privkey, const struct sxhashalg *hashalg,
+			      const struct sx_pk_ecurve *curve, const uint8_t *message,
+			      size_t message_length, uint8_t *signature);
+
+int cracen_ecdsa_sign_digest(const struct ecc_priv_key *privkey, const struct sxhashalg *hashalg,
+			     const struct sx_pk_ecurve *curve, const uint8_t *digest,
+			     size_t digest_length, uint8_t *signature);
+
+int cracen_ecdsa_sign_message_deterministic(const struct ecc_priv_key *privkey,
+					    const struct sxhashalg *hashalg,
+					    const struct sx_pk_ecurve *curve,
+					    const uint8_t *message, size_t message_length,
+					    uint8_t *signature);
+
+int cracen_ecdsa_sign_digest_deterministic(const struct ecc_priv_key *privkey,
+					   const struct sxhashalg *hashalg,
+					   const struct sx_pk_ecurve *curve, const uint8_t *digest,
+					   size_t digestsz, uint8_t *signature);
+
+#endif /* CRACEN_PSA_ECDSA_H */

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_eddsa.h

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <psa/crypto.h>
+
+int cracen_ed25519_sign(const uint8_t *priv_key, char *signature, const uint8_t *message,
+			size_t message_length);
+
+int cracen_ed25519_verify(const uint8_t *pub_key, const char *message, size_t message_length,
+			  const char *signature);
+
+int cracen_ed25519ph_sign(const uint8_t *priv_key, char *signature, const uint8_t *message,
+			  size_t message_length, bool is_message);
+
+int cracen_ed25519ph_verify(const uint8_t *pub_key, const char *message, size_t message_length,
+			    const char *signature, bool is_message);
+
+int cracen_ed25519_create_pubkey(const uint8_t *priv_key, uint8_t *pub_key);

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h

@@ -371,4 +371,26 @@ struct cracen_pake_operation {
 	};
 };
 typedef struct cracen_pake_operation cracen_pake_operation_t;
+
+struct ecdsa_signature {
+	size_t sz; /** Total signature size, in bytes. */
+	char *r;   /** Signature element "r". */
+	char *s;   /** Signature element "s". */
+};
+
+struct ecc_priv_key {
+	const struct sx_pk_ecurve *curve;
+	const char *d; /** Private key value d */
+};
+
+struct ecc_pub_key {
+	const struct sx_pk_ecurve *curve;
+	char *qx; /** x coordinate of a point on the curve */
+	char *qy; /** y coordinate of a point on the curve */
+};
+
+struct ecc_keypair {
+	struct ecc_priv_key priv_key;
+	struct ecc_pub_key pub_key;
+};
 #endif /* CRACEN_PSA_PRIMITIVES_H */

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c

@@ -852,3 +852,85 @@ psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size
 
 	return PSA_ERROR_INVALID_ARGUMENT;
 }
+
+void be_add(unsigned char *v, size_t sz, size_t summand)
+{
+	while (sz > 0) {
+		sz--;
+		summand += v[sz];
+		v[sz] = summand & 0xFF;
+		summand >>= 8;
+	}
+}
+
+int be_cmp(const unsigned char *a, const unsigned char *b, size_t sz, int carry)
+{
+	unsigned int neq = 0;
+	unsigned int gt = 0;
+	unsigned int ucarry;
+	unsigned int d;
+	unsigned int lt;
+
+	/* transform carry to work with unsigned numbers */
+	ucarry = 0x100 + carry;
+
+	for (int i = sz - 1; i >= 0; i--) {
+		d = ucarry + a[i] - b[i];
+		ucarry = 0xFF + (d >> 8);
+		neq |= d & 0xFF;
+	}
+
+	neq |= ucarry & 0xFF;
+	lt = ucarry < 0x100;
+	gt = neq && !lt;
+
+	return (gt ? 1 : 0) - (lt ? 1 : 0);
+}
+
+int hash_all_inputs_with_context(struct sxhash *hashopctx, const char *inputs[],
+				 const size_t inputs_lengths[], size_t input_count,
+				 const struct sxhashalg *hashalg, char *digest)
+{
+	int status;
+
+	status = sx_hash_create(hashopctx, hashalg, sizeof(*hashopctx));
+	if (status != SX_OK) {
+		return status;
+	}
+
+	for (size_t i = 0; i < input_count; i++) {
+		status = sx_hash_feed(hashopctx, inputs[i], inputs_lengths[i]);
+		if (status != SX_OK) {
+			return status;
+		}
+	}
+	status = sx_hash_digest(hashopctx, digest);
+	if (status != SX_OK) {
+		return status;
+	}
+
+	status = sx_hash_wait(hashopctx);
+
+	return status;
+}
+
+int hash_all_inputs(const char *inputs[], const size_t inputs_lengths[], size_t input_count,
+		    const struct sxhashalg *hashalg, char *digest)
+{
+	struct sxhash hashopctx;
+
+	return hash_all_inputs_with_context(&hashopctx, inputs, inputs_lengths, input_count,
+					    hashalg, digest);
+}
+
+int hash_input(const char *input, const size_t input_length, const struct sxhashalg *hashalg,
+	       char *digest)
+{
+	return hash_all_inputs(&input, &input_length, 1, hashalg, digest);
+}
+
+int hash_input_with_context(struct sxhash *hashopctx, const char *input, const size_t input_length,
+			    const struct sxhashalg *hashalg, char *digest)
+{
+	return hash_all_inputs_with_context(hashopctx, &input, &input_length, 1, hashalg, digest);
+}

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.h

@@ -186,3 +186,106 @@ psa_status_t cracen_cipher_crypt_ecb(const struct sxkeyref *key, const uint8_t *
  * @return sxsymcrypt error code.
  */
 int cracen_prepare_ik_key(const uint8_t *user_data);
+
+/**
+ * @brief Compute v = v + summand.
+ * \note  v is an unsigned integer stored as a big endian byte array of sz bytes.
+ *        Summand must be less than or equal to the maximum value of a size_t minus 255.
+ *        The final carry is discarded: addition is modulo 2^(sz*8).
+ *
+ * @param v		Big-endian Value
+ * @param v_size	size of v
+ * @param summand	Summand.
+ *
+ */
+void be_add(unsigned char *v, size_t v_size, size_t summand);
+
+/**
+ * @brief Big-Endian compare with carry.
+ * \note
+ *
+ * @param a		First value to be compared
+ * @param b		Second value to be compared
+ * @param size		Size of a and b.
+ * @param carry		Value of the carry.
+ *
+ * \retval 0 if equal.
+ * \retval 1 if a > b.
+ * \retval -1 if a < b.
+ */
+int be_cmp(const unsigned char *a, const unsigned char *b, size_t sz, int carry);
+
+/**
+ * @brief Hash several elements at different locations in memory
+ *
+ * @param inputs[in]		Array of pointers to elements that will be hashed.
+ * @param inputs_lengths[in]	Array of lengths of elements to be hashed.
+ * @param input_count[in]	Number of elements to be hashed.
+ * @param hashalg[in]		Hash algorithm to be used in sxhashalg format.
+ * @param digest[out]		Buffer of at least sx_hash_get_alg_digestsz(hashalg) bytes.
+ *
+ * @return sxsymcrypt status code.
+ */
+int hash_all_inputs(const char *inputs[], const size_t inputs_lengths[], size_t input_count,
+		    const struct sxhashalg *hashalg, char *digest);
+
+/**
+ * @brief Hash several elements at different locations in memory with a previously created hash
+ * context(sxhash)
+ *
+ * @param sxhashopctx[in]	Pointer to the sxhash context.
+ * @param inputs[in]		Array of pointers to elements that will be hashed.
+ * @param inputs_lengths[in]	Array of lengths of elements to be hashed.
+ * @param input_count[in]	Number of elements to be hashed.
+ * @param hashalg[in]		Hash algorithm to be used in sxhashalg format.
+ * @param digest[out]		Buffer of at least sx_hash_get_alg_digestsz(hashalg) bytes.
+ *
+ * @return sxsymcrypt status code.
+ */
+int hash_all_inputs_with_context(struct sxhash *sxhashopctx, const char *inputs[],
+				 const size_t inputs_lengths[], size_t input_count,
+				 const struct sxhashalg *hashalg, char *digest);
+
+/**
+ * @brief Hash a single element
+ *
+ * @param inputs[in]		Pointer to the element that will be hashed.
+ * @param input_length[in]	Length of the element to be hashed.
+ * @param hashalg[in]		Hash algorithm to be used in sxhashalg format.
+ * @param digest[out]		Buffer of at least sx_hash_get_alg_digestsz(hashalg) bytes.
+ *
+ * @return sxsymcrypt status code.
+ */
+int hash_input(const char *input, const size_t input_length, const struct sxhashalg *hashalg,
+	       char *digest);
+
+/**
+ * @brief Hash a single element with a previously created hash context(sxhash)
+ *
+ * @param sxhashopctx[in]	Pointer to the sxhash context.
+ * @param input[in]		Pointer to element that will be hashed.
+ * @param input_length[in]	Length of element to be hashed.
+ * @param hashalg[in]		hash algorithm to be used in sxhashalg format.
+ * @param digest[out]		Buffer of at least sx_hash_get_alg_digestsz(hashalg) bytes.
+ *
+ * @return sxsymcrypt status code.
+ */
+int hash_input_with_context(struct sxhash *hashopctx, const char *input, const size_t input_length,
+			    const struct sxhashalg *hashalg, char *digest);
+
+/**
+ * @brief Generate a random number within the specified range.
+ *
+ * \note  This function generates a random number strictly less than the given upper limit (`n`).
+ *        The generated random number is evenly distributed over the range [0, n-1]. If the range
+ *        is invalid (e.g., `n` is zero, less than three, or even), an error code is returned.
+ *
+ * @param n[in]         Pointer to a buffer holding the upper limit of the random range.
+ *                      The upper limit must be a non-zero odd number.
+ * @param nsz[in]       Size of the upper limit buffer in bytes.
+ * @param out[out]      Buffer to store the generated random number.
+ *                      The size of `out` should be at least `nsz`.
+ *
+ * @return sxsymcrypt status code:
+ */
+int rndinrange_create(const unsigned char *n, size_t nsz, unsigned char *out);