nrf_security: Use builtin functions for RSA

Vge0rge · rlubos · commit 19191b2568f6 · 2022-02-11T11:50:20.000+01:00
-This gives priority to the builtin implementation
 for RSA. It prevents the PSA drivers to do RSA
 operations with the only exception the key
 genration.

Ref: NCSDK-13753

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/nrf_security/configs/nrf-config.h b/nrf_security/configs/nrf-config.h
@@ -90,6 +90,24 @@ extern "C" {
 #define MBEDTLS_OID_C
 #define MBEDTLS_PKCS1_V21
 #define MBEDTLS_MD_C
+#ifndef MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR
+#endif
+#ifndef MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS
+#endif
+#endif
+
+#if defined(PSA_WANT_ALG_RSA)                || \
+    defined(PSA_WANT_ALG_RSA_OAEP)           || \
+    defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || \
+    defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)  || \
+    defined(PSA_WANT_ALG_RSA_PSS)
+
+#if defined(PSA_WANT_ALG_SHA_1)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1
+#endif
+
 #endif
 
 #if defined(PSA_WANT_ALG_SHA_1)
diff --git a/nrf_security/src/psa_crypto_driver_wrappers.c b/nrf_security/src/psa_crypto_driver_wrappers.c
@@ -280,6 +280,20 @@ psa_status_t psa_driver_wrapper_sign_hash(
              * cycle through all known transparent accelerators */
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_CC3XX)
+            /* Do not call the cc3xx_sign_hash for RSA keys since it still in early development */
+            if(PSA_KEY_TYPE_IS_RSA(attributes->core.type)){
+                return( psa_sign_hash_builtin( attributes,
+                                            key_buffer,
+                                            key_buffer_size,
+                                            alg,
+                                            hash,
+                                            hash_length,
+                                            signature,
+                                            signature_size,
+                                            signature_length ) );
+
+            }
+
             status = cc3xx_sign_hash( attributes,
                                       key_buffer,
                                       key_buffer_size,
@@ -393,6 +407,17 @@ psa_status_t psa_driver_wrapper_verify_hash(
              * cycle through all known transparent accelerators */
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_CC3XX)
+            /* Do not call the cc3xx_verify_hash for RSA keys since it still in early development */
+            if(PSA_KEY_TYPE_IS_RSA(attributes->core.type)){
+                return( psa_verify_hash_builtin( attributes,
+                                                key_buffer,
+                                                key_buffer_size,
+                                                alg,
+                                                hash,
+                                                hash_length,
+                                                signature,
+                                                signature_length ) );
+            }
 
             status = cc3xx_verify_hash( attributes,
                                         key_buffer,
@@ -725,6 +750,15 @@ psa_status_t psa_driver_wrapper_import_key(
         case PSA_KEY_LOCATION_LOCAL_STORAGE:
             /* Key is stored in the slot in export representation, so
              * cycle through all known transparent accelerators */
+
+            /* RSA are not fully supported yet in the PSA drivers. This is a workaround
+             * to make sure that only the builtin solution is being used. */
+            if(PSA_KEY_TYPE_IS_RSA(attributes->core.type)){
+                return( psa_import_key_into_slot( attributes,
+                                                data, data_length,
+                                                key_buffer, key_buffer_size,
+                                                key_buffer_length, bits ) );
+            }
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_TEST)
             status = mbedtls_test_transparent_import_key(
@@ -874,6 +908,17 @@ psa_status_t psa_driver_wrapper_export_public_key(
         case PSA_KEY_LOCATION_LOCAL_STORAGE:
             /* Key is stored in the slot in export representation, so
              * cycle through all known transparent accelerators */
+
+            /* RSA are not fully supported yet in the PSA drivers. This is a workaround
+             * to make sure that only the builtin solution is being used. */
+            if(PSA_KEY_TYPE_IS_RSA(attributes->core.type)){
+                return( psa_export_public_key_internal( attributes,
+                                                        key_buffer,
+                                                        key_buffer_size,
+                                                        data,
+                                                        data_size,
+                                                        data_length ) );
+            }
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
 #if defined(PSA_CRYPTO_DRIVER_CC3XX)
             status = cc3xx_export_public_key(
