nrf_security: CRACEN: Let ecdsa sign/verify digest without hash

ECDSA_SIGN/VERIFY_HASH should not require a hash algorithm to be present.
Updated so it is not required.

Signed-off-by: Dag Erik Gjørvad <[email protected]>

Author: degjorva

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ecdsa.c

@@ -215,27 +215,31 @@ int cracen_ecdsa_sign_digest(const struct cracen_ecc_priv_key *privkey,
 			     const uint8_t *digest, size_t digest_length, uint8_t *signature)
 {
 	int status;
-	const size_t digestsz = sx_hash_get_alg_digestsz(hashalg);
 	size_t opsz = sx_pk_curve_opsize(curve);
 	struct sx_pk_acq_req pkreq;
 	struct sx_pk_inops_ecdsa_generate inputs;
 	const uint8_t *curve_n;
-	const size_t workmem_requirement = digestsz + opsz;
+	const size_t workmem_requirement = digest_length + opsz;
 	struct cracen_signature internal_signature = {0};
 	uint8_t workmem[workmem_requirement];
 
+	/* Checking against the hash algoritm with the largest digest we support */
+	if (digest_length > SX_HASH_DIGESTSZ_SHA2_512) {
+		return SX_ERR_TOO_BIG;
+	}
+
 	memcpy(workmem, digest, digest_length);
 	curve_n = sx_pk_curve_order(curve);
 
 	internal_signature.r = signature;
 	internal_signature.s = signature + opsz;
 
 	for (int i = 0; i <= MAX_ECDSA_ATTEMPTS; i++) {
-		status = cracen_get_rnd_in_range(curve_n, opsz, workmem + digestsz);
+		status = cracen_get_rnd_in_range(curve_n, opsz, workmem + digest_length);
 		if (status != SX_OK) {
 			return status;
 		}
-		status = ecdsa_run_generate_sign(&pkreq, privkey, curve, workmem, digestsz, opsz,
+		status = ecdsa_run_generate_sign(&pkreq, privkey, curve, workmem, digest_length, opsz,
 						 &inputs);
 
 		if (status != SX_OK) {

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c

@@ -246,16 +246,16 @@ static psa_status_t handle_ecdsa_sign(bool is_message, const uint8_t *key_buffer
 	const struct sxhashalg *hashalgpointer = &hashalg;
 
 	privkey.d = key_buffer;
-	status = hash_get_algo(alg, &hashalgpointer);
-	if (status != PSA_SUCCESS) {
-		return status;
-	}
 
 	*signature_length = 2 * ecurve->sz;
 	status = SX_ERR_INCOMPATIBLE_HW;
 
 	if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) &&
 	    IS_ENABLED(PSA_NEED_CRACEN_DETERMINISTIC_ECDSA)) {
+		status = hash_get_algo(alg, &hashalgpointer);
+		if (status != PSA_SUCCESS) {
+			return status;
+		}
 		if (is_message) {
 			status = cracen_ecdsa_sign_message_deterministic(
 				&privkey, hashalgpointer, ecurve, input, input_length, signature);
@@ -266,6 +266,10 @@ static psa_status_t handle_ecdsa_sign(bool is_message, const uint8_t *key_buffer
 	} else if ((PSA_ALG_IS_ECDSA(alg) && IS_ENABLED(PSA_NEED_CRACEN_ECDSA)) &&
 		   !PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
 		if (is_message) {
+			status = hash_get_algo(alg, &hashalgpointer);
+			if (status != PSA_SUCCESS) {
+				return status;
+			}
 			status = cracen_ecdsa_sign_message(&privkey, hashalgpointer, ecurve, input,
 							   input_length, signature);
 		} else {
@@ -402,19 +406,22 @@ static psa_status_t cracen_signature_ecc_verify(bool is_message,
 		const struct sxhashalg *hash_algorithm_ptr = &hashalg;
 
 		psa_status = cracen_ecc_get_ecurve_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type),
-							psa_get_key_bits(attributes), &curve);
+							    psa_get_key_bits(attributes), &curve);
 		if (psa_status != PSA_SUCCESS) {
 			return psa_status;
 		}
-		psa_status = hash_get_algo(alg, &hash_algorithm_ptr);
-		if (psa_status != PSA_SUCCESS) {
-			return psa_status;
+		if (is_message) {
+			psa_status = hash_get_algo(alg, &hash_algorithm_ptr);
+			if (psa_status != PSA_SUCCESS) {
+				return psa_status;
+			}
+			sx_status = cracen_ecdsa_verify_message(pubkey_buffer, hash_algorithm_ptr,
+								input, input_length, curve,
+								signature);
+		} else {
+			sx_status = cracen_ecdsa_verify_digest(pubkey_buffer, input, input_length,
+							       curve, signature);
 		}
-		sx_status = is_message ? cracen_ecdsa_verify_message(pubkey_buffer,
-								     hash_algorithm_ptr, input,
-								     input_length, curve, signature)
-				       : cracen_ecdsa_verify_digest(pubkey_buffer, input,
-								    input_length, curve, signature);
 	} else {
 		return PSA_ERROR_NOT_SUPPORTED;
 	}