Skip to content

Commit d390702

Browse files
degjorvarlubos
degjorva
authored and
rlubos
committed
nrf_security: CRACEN: Fix status handling in ECC key prep
cracen_signature_prepare_ec_pubkey now returns psa_status_t. Fixed cracen_ecc_get_ecurve_from_psa to handle it correctly as psa_status_t instead of sx_status. Ensures proper error handling. Signed-off-by: Dag Erik Gjørvad <[email protected]>
1 parent 3a8977f commit d390702

File tree

1 file changed

+33
-32
lines changed
  • subsys/nrf_security/src/drivers/cracen/cracenpsa/src

1 file changed

+33
-32
lines changed

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c

Lines changed: 33 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -82,42 +82,42 @@ static int cracen_signature_set_hashalgo_from_digestsz(const struct sxhashalg **
8282
}
8383
#endif /* PSA_MAX_RSA_KEY_BITS > 0 */
8484

85-
static int cracen_signature_prepare_ec_pubkey(const char *key_buffer, size_t key_buffer_size,
86-
const struct sx_pk_ecurve **sicurve,
87-
psa_algorithm_t alg,
88-
const psa_key_attributes_t *attributes,
89-
char *pubkey_buffer)
85+
static psa_status_t
86+
cracen_signature_prepare_ec_pubkey(const char *key_buffer, size_t key_buffer_size,
87+
const struct sx_pk_ecurve **sicurve, psa_algorithm_t alg,
88+
const psa_key_attributes_t *attributes, char *pubkey_buffer)
9089
{
9190
size_t curvesz = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
92-
int status;
91+
psa_status_t psa_status;
92+
int sx_status;
9393

94-
status = cracen_ecc_get_ecurve_from_psa(
94+
psa_status = cracen_ecc_get_ecurve_from_psa(
9595
PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)),
9696
psa_get_key_bits(attributes), sicurve);
97-
if (status) {
98-
return status;
97+
if (psa_status != PSA_SUCCESS) {
98+
return psa_status;
9999
}
100100

101-
status = SX_ERR_INCOMPATIBLE_HW;
101+
sx_status = SX_ERR_INCOMPATIBLE_HW;
102102
if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
103103
PSA_KEY_LOCATION_CRACEN) {
104104
if (IS_ENABLED(CONFIG_CRACEN_IKG)) {
105105
if (key_buffer_size != sizeof(ikg_opaque_key)) {
106106
return PSA_ERROR_INVALID_ARGUMENT;
107107
}
108-
status = cracen_ikg_create_pub_key(key_buffer[0], pubkey_buffer);
108+
sx_status = cracen_ikg_create_pub_key(key_buffer[0], pubkey_buffer);
109109
}
110-
return status;
110+
return silex_statuscodes_to_psa(sx_status);
111111
}
112112

113113
if (IS_ENABLED(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_255)) {
114114
if (alg == PSA_ALG_PURE_EDDSA || alg == PSA_ALG_ED25519PH) {
115115
if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(psa_get_key_type(attributes))) {
116116
memcpy(pubkey_buffer, key_buffer, key_buffer_size);
117-
return SX_OK;
117+
return PSA_SUCCESS;
118118
}
119-
status = cracen_ed25519_create_pubkey(key_buffer, pubkey_buffer);
120-
return status;
119+
sx_status = cracen_ed25519_create_pubkey(key_buffer, pubkey_buffer);
120+
return silex_statuscodes_to_psa(sx_status);
121121
}
122122
}
123123

@@ -132,19 +132,19 @@ static int cracen_signature_prepare_ec_pubkey(const char *key_buffer, size_t key
132132
*/
133133
if ((key_buffer[0] != CRACEN_ECC_PUBKEY_UNCOMPRESSED) ||
134134
((2 * curvesz + 1) != key_buffer_size)) {
135-
return SX_ERR_INVALID_KEY_SZ;
135+
return PSA_ERROR_INVALID_ARGUMENT;
136136
}
137137

138138
/* key_buffer + 1 to skip the 0x4 flag in the first byte */
139139
memcpy(pubkey_buffer, key_buffer + 1, key_buffer_size - 1);
140-
return SX_OK;
140+
return PSA_SUCCESS;
141141

142142
} else {
143-
status = ecc_genpubkey(key_buffer, pubkey_buffer, *sicurve);
143+
sx_status = ecc_genpubkey(key_buffer, pubkey_buffer, *sicurve);
144144
}
145145
}
146146
}
147-
return status;
147+
return silex_statuscodes_to_psa(sx_status);
148148
}
149149

150150
static psa_status_t validate_key_attributes(const psa_key_attributes_t *attributes,
@@ -359,12 +359,13 @@ static psa_status_t cracen_signature_ecc_verify(bool is_message,
359359
size_t input_length, const uint8_t *signature,
360360
size_t signature_length)
361361
{
362+
int sx_status;
363+
psa_status_t psa_status;
362364
psa_key_type_t key_type = psa_get_key_type(attributes);
363365

364-
psa_status_t status = validate_ec_signature_inputs(is_message, attributes, key_type, alg);
365-
366-
if (status != PSA_SUCCESS) {
367-
return status;
366+
psa_status = validate_ec_signature_inputs(is_message, attributes, key_type, alg);
367+
if (psa_status != PSA_SUCCESS) {
368+
return psa_status;
368369
}
369370

370371
const size_t public_key_size =
@@ -376,10 +377,10 @@ static psa_status_t cracen_signature_ecc_verify(bool is_message,
376377
uint8_t pubkey_buffer[public_key_size];
377378
const struct sx_pk_ecurve *curve = NULL;
378379

379-
int sx_status = cracen_signature_prepare_ec_pubkey(key_buffer, key_buffer_size, &curve, alg,
380+
psa_status = cracen_signature_prepare_ec_pubkey(key_buffer, key_buffer_size, &curve, alg,
380381
attributes, pubkey_buffer);
381-
if (sx_status != SX_OK) {
382-
return silex_statuscodes_to_psa(sx_status);
382+
if (psa_status != PSA_SUCCESS) {
383+
return psa_status;
383384
}
384385
if (signature_length != 2 * curve->sz) {
385386
return PSA_ERROR_INVALID_SIGNATURE;
@@ -400,14 +401,14 @@ static psa_status_t cracen_signature_ecc_verify(bool is_message,
400401
struct sxhashalg hashalg = {0};
401402
const struct sxhashalg *hash_algorithm_ptr = &hashalg;
402403

403-
status = cracen_ecc_get_ecurve_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type),
404+
psa_status = cracen_ecc_get_ecurve_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type),
404405
psa_get_key_bits(attributes), &curve);
405-
if (status != PSA_SUCCESS) {
406-
return status;
406+
if (psa_status != PSA_SUCCESS) {
407+
return psa_status;
407408
}
408-
status = hash_get_algo(alg, &hash_algorithm_ptr);
409-
if (status != PSA_SUCCESS) {
410-
return status;
409+
psa_status = hash_get_algo(alg, &hash_algorithm_ptr);
410+
if (psa_status != PSA_SUCCESS) {
411+
return psa_status;
411412
}
412413
sx_status = is_message ? cracen_ecdsa_verify_message(pubkey_buffer,
413414
hash_algorithm_ptr, input,

0 commit comments

Comments
 (0)