Skip to content

nrf_security: CRACEN: Let ecdsa sign/verify digest without hash #24017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 22, 2025
Merged

nrf_security: CRACEN: Let ecdsa sign/verify digest without hash #24017

merged 1 commit into from
Aug 22, 2025

Conversation

degjorva
Copy link
Contributor

@degjorva degjorva commented Aug 15, 2025
edited
Loading

ECDSA_SIGN/VERIFY_HASH should not require a hash algorithm to be present. Updated so only sign message requires one.

@degjorva degjorva requested a review from a team as a code owner August 15, 2025 13:05
@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Aug 15, 2025
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Aug 15, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 5

Inputs:

Sources:

sdk-nrf: PR head: b69a9d8a01281b903358ea907397d4b460276c73

more details

sdk-nrf:

PR head: b69a9d8a01281b903358ea907397d4b460276c73
merge base: 2071f4627b3562224964322b64cd931a1bd797c3
target head (main): c1e8d7570fb347d19f54b0e85657844403caf7c5
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (2) 
subsys
│  ├── nrf_security
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  ├── cracen
│  │  │  │  │  ├── cracenpsa
│  │  │  │  │  │  ├── src
│  │  │  │  │  │  │  ├── ecdsa.c
│  │  │  │  │  │  │  │ sign.c

Outputs:

Toolchain

Version: c5be9c56c7
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:c5be9c56c7_bba2ea5f2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 30
  • ✅ Integration tests
    • ✅ test_ble_nrf_config
    • ✅ test-fw-nrfconnect-chip
    • ✅ test-fw-nrfconnect-nrf-iot_cloud
    • ✅ test-fw-nrfconnect-nrf_crypto
    • ✅ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-tfm
    • ✅ test-sdk-find-my
    • ✅ test-sdk-mcuboot
    • ✅ test-sdk-dfu
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • test-fw-nrfconnect-nrf_lrcs_positioning
    • desktop52_verification
    • doc-internal
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-low-level
    • test-sdk-audio
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

tomi-font
tomi-font requested changes Aug 15, 2025
View reviewed changes
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c Outdated
Comment on lines 409 to 416
psa_status = hash_get_algo(alg, &hash_algorithm_ptr);
if (psa_status != PSA_SUCCESS) {
return psa_status;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
psa_status = hash_get_algo(alg, &hash_algorithm_ptr);
if (psa_status != PSA_SUCCESS) {
return psa_status;
}

@degjorva degjorva force-pushed the fix-ecdsa-hash branch 3 times, most recently from 0e2588c to a6311f6 Compare August 15, 2025 13:25
@degjorva degjorva changed the title nrf_security: CRACEN: Let ecdsa verify digest without hash nrf_security: CRACEN: Let ecdsa sign/verify digest without hash Aug 15, 2025
@degjorva
nrf_security: CRACEN: Let ecdsa sign/verify digest without hash
b69a9d8 
ECDSA_SIGN/VERIFY_HASH should not require a hash algorithm to be present
Updated so it is not required.

Signed-off-by: Dag Erik Gjørvad <[email protected]>
@degjorva degjorva requested a review from tomi-font August 21, 2025 08:43
@degjorva degjorva removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Aug 21, 2025
tomi-font
tomi-font approved these changes Aug 22, 2025
View reviewed changes
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c
status = hash_get_algo(alg, &hashalgpointer);
if (status != PSA_SUCCESS) {
return status;
}
if (is_message) {
status = cracen_ecdsa_sign_message_deterministic(
&privkey, hashalgpointer, ecurve, input, input_length, signature);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cracen_ecdsa_sign_digest_deterministic() below still takes hashalgpointer, which I guess means requires hash support even though is_message is false?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deterministic_ecdsa needs a hash function to work, so you can't run without it even if it is a sign_hash

@rlubos rlubos merged commit f86af87 into nrfconnect:main Aug 22, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Vge0rge Vge0rge Vge0rge approved these changes

@tomi-font tomi-font tomi-font approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@degjorva @NordicBuilder @Vge0rge @tomi-font @rlubos