[nrf fromlist] Fix ECDSA secp521r1 padding issue in oberon driver#34
Open
frkv wants to merge 29 commits into nrfconnect:main from
Conversation
-Remove legacy header files from oberon-psa-crypto that are duplicates of files from standard Mbed TLS distribution (modules/crypto/) Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
GCC supports _Static_assert from version 4.6 as a builtin feature even when you compile with std=99. Use this _Static_assert for the implementation of MBEDTLS_STATIC_ASSERT if there is no defined static_assert. I opened a PR in the MbedTLS PSA core to include that: Mbed-TLS/TF-PSA-Crypto#190 Hopefully they will accept that and then we can remove this commit in the next release. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
-This removes the redefinition of the define PSA_VENDOR_ECC_MAX_CURVE_BITS which we allow to be set in our configuration file from nrf security. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
The core doesn't include some brainpool key sizes, this change adds these bit sizes: 160 192 224 320 Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
We don't use the file in our system, we use the generated headers (nrf-config.h and nrf-config-user.h) from nrf_security. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Turn the repo into a Zephyr module so we can use the ZEPHYR_bla_bla_MODULE_DIR CMake variable. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Patch to enable more key types for KDF. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Add checks for the key attributes, key sizes and a zero check for ecc keys for importing keys. Also an attribute check for psa_generate_key. This was [nrf fromlist] and is now [nrf noup] Upstream PR: oberon-psa-crypto-nrf/pull/15 (closed) Ref: NCSDK-24820 Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
The psa_crypto_storage_store returns DATA_INVALID for all the error codes coming from psa_its_set. This causes some issues for our testing infrastructure since it doesn't follow the PSA spec recommendation for return codes. This was a [nrf fromlist] but it has become a [nrf noup] Upstream PR: pull/14 (Closed) Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Run crypto and TF-M tests on sdk-nrf downstream Signed-off-by: Stephen Kingston <stephen.kingston@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Opens the full range of vendor keys to be used via builtin key mechanism. This change makes the version of the Oberon PSA core 1.3.4 incompatible with the volatile keys when MBEDTLS_PSA_STATIC_KEY_SLOTS is NOT enabled. Since we decided to set the starting range of the builtin keys to be the first section of the vendor key id range (PSA_KEY_ID_VENDOR_*) these now overlapped with the volatile keys. So to fix this we move the volatile key ids after the builtin key ids. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Adds the capability of import and destroying persistent keys that are "builtin" i.e. handled fully by PSA driver implementation. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Patch to make server and client attributes compatible. Oberon will support this in the future. Reworked from commit 5bfe42c Reworded due to psa_core_key_attributes_t being removed in Mbed TLS 3.6.0 The psa_core_key_attributes_t declaration is now integrated into psa_key_attributes_s and the macro PSA_CORE_KEY_ATTRIBUTES_INIT has been replaced with PSA_KEY_ATTRIBUTES_INIT. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This simplifies PSA crypto operation struct initialization to better tailor to the SSF use-case. This simplifies the initializers to only be empty brackets, assuming zero-initialized structs without the added complexities of writing every sub-type out. This is done to prevent compilation warnings for PSA crypto builds. Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Zephyr has a global list of include directories that is applicable for all modules unless specifically excluded by using "targets", and using a generic named header can cause issues if there are duplicate header files and depending on the inclusion order. So, rename the header with module prefix to avoid naming collision. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
RFC8032 mentions the length of a key for ed448 and ed448ph to be 57 bytes (456 bits). Using 448 bits as a max length creates a buffer overflow warning when building with ED448 enabled. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
This updates the oberon_check_unsupported.h file: 1) The inclusion of the crypto_driver_config.h is removed since we don't use that with nrf_security 2) All the PSA_ACCEL and PSA_WANT symbols are prefixed with CONFIG_ so that we can use them directly from the Zephyr autoconf. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
The Oberon PSA v1.3.4 removed the inclusion of the MbedTLS headers which do adjustments when building the SSL library in build_info.h Add these headers back since they are required when nrf_security is built with PSA and SSL enabled. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Fix an unused variable warning that happens when building with the LLVM toolchain. Adding the `unused` attribute to the variable to mark it as potentially unused is the simplest as it's used in different `#ifdef` scenarios. This should be communicated to Oberon and fixed upstream. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Fix unused function warning for ecdsa_sign_hash() by guarding it with the same conditions as those under which the function is used. This is communicated with Oberon and accepted by them. So this should be dropped in the next update. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
* The intention is to catch yaml files that are not parsable * [yamllint action with all the rules definition](https://github.com/nrfconnect/action-yamllint/blob/main/action.yml) Signed-off-by: Sebastian Wezel <sebastian.wezel@nordicsemi.no>
* Fix yaml files based on yamllint Signed-off-by: Sebastian Wezel <sebastian.wezel@nordicsemi.no>
Oberon was informed and will follow this methodology in the next release. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
psa_destroy_persistent_key() improperly handled built-in keys. This resulted in ITS call attempted to delete the key that had never been created by it. Conditions for key creation and destruction are now aligned. This is a fixup for the following commit: [nrf noup] Allow import and destroy of builtin keys Signed-off-by: Anton Zyma <anton.zyma@nordicsemi.no>
When not finding a given key in memory, the implementation would try to find it from the persistent keys regardless of the actual key type (volatile/builtin/persistent). Don't try to find nonexistent volatile/builtin keys from persistent ones. In addition to the calls being superfluous, the problem that was happening here is that the ITS implementation (Secure Storage subsystem) returns `PSA_ERROR_INVALID_ARGUMENT` because the ID is not in the persistent key range, and because it doesn't return `PSA_ERROR_DOES_NOT_EXIST` then the wrong error code is propagated back to the caller. `toup` as the issue has been communicated to Mbed TLS and should be fixed there. See: - Mbed-TLS/TF-PSA-Crypto#488 - Mbed-TLS/TF-PSA-Crypto#492 Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Fixes build issues due to the missing checks for PSA_NEED_OBERON_WPA3_SAE_H2E macro. This change is already taken in and will be a part of the future version of Oberon PSA Crypto. Signed-off-by: Anton Zyma <anton.zyma@nordicsemi.no>
-This is a [nrf fromlist] as this is based on a patch we have received from Oberon ahead of introducing this in a coming version of the Oberon PSA crypto deliverable. -There was an issue found in test on deterministic ECDSA using NIST secp521r1 curve type for the Oberon PSA crypto driver. The issue was caused by an arithmetic issue with the buffer used to handle padding of ECDSA sign and verify operations. The buffer length is set according to the key size (modulo size) of the ECC curve and when secp521r1 is enabled (then this buffer is 66 bytes long). The padding is used when digests are smaller than the buffer and since secp521r1 uses SHA-512 (normally, 64 bytes long digest) the system handled this as a normal padding. ocrypto_ APIs expect 64 bytes input, and were handed a digest with invalid bytes. -Signing: The API to do signature generation uses hash + 2 to get the right offset for the digest -Verification: The API has special handling for secp521r1 to get the proper offset and uses hash + 2 for the right offset for the digest ref: NCSDK-36329 Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
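To make the offset arithmetic in the commit message above concrete, here is an added C model of the padding step (not Oberon's, Mbed TLS's or the PR's own code; all `model_` names are hypothetical). It sizes the digest buffer per curve, left-pads a shorter digest with zeros, and shows why a consumer that reads exactly 64 bytes from the start of the 66-byte secp521r1 buffer gets the wrong bytes while `hash + 2` gives it the real SHA-512 digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Largest buffer this model needs: ceil(521 / 8) = 66 bytes for secp521r1. */
#define MODEL_MAX_CURVE_BYTES 66

/* Byte length of the padding buffer for a curve of the given bit size
 * (secp256r1 -> 32, secp384r1 -> 48, secp521r1 -> 66). */
static size_t model_curve_bytes(size_t curve_bits)
{
    return (curve_bits + 7) / 8;
}

/* Copy the digest into a buffer sized to the curve (byte-level model of the
 * ECDSA hash-to-integer rule): a shorter digest is left-padded with zero
 * bytes, a longer one keeps its leftmost bytes. Returns the number of
 * leading zero bytes, i.e. the offset at which the digest starts in `out`. */
static size_t model_pad_hash(uint8_t out[MODEL_MAX_CURVE_BYTES],
                             size_t curve_bits,
                             const uint8_t *hash, size_t hash_len)
{
    size_t n = model_curve_bytes(curve_bits);
    if (hash_len >= n) {
        memcpy(out, hash, n);
        return 0;
    }
    size_t pad = n - hash_len;
    memset(out, 0, pad);
    memcpy(out + pad, hash, hash_len);
    return pad;
}

/* Does a consumer that reads exactly `hash_len` bytes starting at `p` see
 * the original digest? Models an ocrypto-style call expecting 64 bytes. */
static int model_consumer_sees_digest(const uint8_t *p,
                                      const uint8_t *hash, size_t hash_len)
{
    return memcmp(p, hash, hash_len) == 0;
}

/* secp521r1 + SHA-512 walk-through; returns 1 when the model matches the
 * behaviour described in the commit message (digest lives at offset 2). */
static int model_secp521r1_demo(void)
{
    uint8_t digest[64];                    /* constructed stand-in for SHA-512 */
    uint8_t buf[MODEL_MAX_CURVE_BYTES];
    for (size_t i = 0; i < sizeof digest; i++) digest[i] = (uint8_t)(i + 1);
    size_t off = model_pad_hash(buf, 521, digest, sizeof digest);
    int wrong = model_consumer_sees_digest(buf, digest, 64);       /* 00 00 01 02 .. */
    int right = model_consumer_sees_digest(buf + off, digest, 64); /* hash + 2 */
    return off == 2 && !wrong && right;
}
```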
tomi-font
approved these changes
Nov 25, 2025
Vge0rge
approved these changes
Nov 26, 2025