Implement psa_sign_message and psa_verify_message

[gabor-mezei-arm]

Description

Implement the PSA Crypto API 1.0.0 functions psa_sign_messsage and psa_verify_message.

Since Mbed TLS only supports hash-and-sign algorithms, these are simple wrappers around psa_hash_compute and psa_sign_hash/psa_verify_hash.

Also part of the goal of this task is to implement the corresponding policies PSA_KEY_USAGE_SIGN_MESSAGE and PSA_KEY_USAGE_VERIFY_MESSAGE.

Resolve #3267

Requires Forwardporting

• mbedtls-3.0 [Forwardport 3.0] Implement psa_sign_message and psa_verify_message #4510

[gilles-peskine-arm]

I made a first review pass, just for design. I did not review the documentation, the code or the test data in detail. I'm happy with the design. The test coverage looks ok (but I may ask for a few specific tests once I've done a detailed review).

Some things are missing. They can be done either in this PR or in a follow-up.

• Drivers can have a sign/verify-message entry point. So there needs to be a psa_driver_wrapper_sign_message and a psa_driver_wrapper_sign_hash. If there is no all-in-one method for the given algorithm, then fall back to the code you've already written that hashes then signs. It may be better to first merge this PR, then implement the new driver dispatch at once for both sign-hash and sign-message — what do you think @ronald-cron-arm?
• psa_exercise_key should have cases for keys that have the SIGN_MESSAGE or VERIFY_MESSAGE usage.

[stevew817]

It may be better to first merge this PR, then implement the new driver dispatch at once for both sign-hash and sign-message.

There's plenty of examples for functionality that has been converted to driver dispatch already. Conversion for this PR should be the same as following the footpath already created by the dispatch of psa_sign_hash and psa_verify_hash. I'd very much like for that to happen in this PR, since it's not all that much work and avoids the lead-time of yet another PR.

[stevew817]

@gilles-peskine-arm Shouldn't keys registered with PSA_KEY_USAGE_SIGN_HASH also be able to be used with sign_message, since SIGN_HASH is more permissive than SIGN_MESSAGE?

Asking in the interest of compatibility, i.e. keys that have so far been created with SIGN_HASH permission cannot be upgraded to SIGN_MESSAGE, so the next best thing would be to allow them to be used for the all-in-one operation too.

[gilles-peskine-arm]

Indeed, and likewise with VERIFY. Though this isn't the best place to implement it, since according to the specification

if an application sets the flag PSA_KEY_USAGE_SIGN_HASH when creating a key, then the key always has the permissions conveyed by PSA_KEY_USAGE_SIGN_MESSAGE, and the flag PSA_KEY_USAGE_SIGN_MESSAGE will also be present when the application queries the usage flags of the key.

So the right place to implement this is when setting the attributes of a new key. Otherwise psa_get_key_attributes won't do the right thing. This is part of the scope of #3267, but it's up to @gabor-mezei-arm whether to do it in this pull request or in a follow-up.

Upgrading existing keys in persistent storage was not in scope, so I've filed a separate issue for it.

[gabor-mezei-arm]

It will done in a separate PR.

[gabor-mezei-arm]

@stevew817 @ronald-cron-arm The driver wrapper of psa_sign_hash is calling the crypto SE driver p_sign if crypto SE is enabled. Is there a need for a similar driver for the psa_sign_message or just use the p_sign for the signing step?

[ronald-cron-arm]

@stevew817 @ronald-cron-arm The driver wrapper of psa_sign_hash is calling the crypto SE driver p_sign if crypto SE is enabled. Is there a need for a similar driver for the psa_sign_message or just use the p_sign for the signing step?

The current approach regarding the dynamically registered drivers is just to not break the current support, no need to add additional support. Thus here I don't think you need to do anything regarding the dynamically registered drivers.

[gabor-mezei-arm]

Rebased to development_2.x, need to be forwardported to the development branch.

[stevew817]

Looks even better to me after these last 4 commits 👍

[gilles-peskine-arm]

Thanks for the updates, looks good to me as well. Please make a PR for 3.0.

[gilles-peskine-arm]

Please replace PSA_ECC_CURVE_xxx by PSA_ECC_FAMILY_xxx as well. PSA_ECC_CURVE_xxx are deprecated in 2.x, even if they aren't removed yet.

CI only let this through because this code isn't built in the full config.