psa: Support RSA signature without MBEDTLS_GENPRIME

[Patater]

Description

On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero [email protected]

Status

READY

Requires Backporting

Yes

• development_2.x ([Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME #4546)

Migrations

If there is any API change, what's the incentive and logic for it.
NO

Additional comments

None

Todos

• Tests
• [ ] Documentation
• Changelog updated
• Backported ([Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME #4546)

Steps to test or reproduce

Build with MBEDTLS_GENPRIME unset.

[Patater]

@paul-elliott-arm Could you verify that the needs: work and needs: ci labels are correct still? It appears that CI was flaky before (experimental TLS 1.3 test). Re-running CI since then, we now have a pass.

[gilles-peskine-arm]

Unfortunately the simple solution is not acceptable since it breaks other use cases.

[gilles-peskine-arm]

This also disables signature and decryption.

Unfortunately, there is no way to express “private-key operations but not key generation” in the current PSA crypto configuration system. This is a known limitation. Resolving this limitation will require more design work.

[Patater]

Maybe this is a bug, but I am able to perform a signature using an imported RSA key pair even when MBEDTLS_GENPRIME is not set (without this fix in Mbed TLS v2.24.0, and with this fix in v2.25.0). I can provide a sample application if that's helpful.

What's the intention behind both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY ? Why differentiate?

The fix here provides symmetry in what MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR sets, and what TLS options enable it.

There was (in Mbed TLS v2.24.0) a way to express “private-key operations but not key generation” in the PSA crypto configuration system. Was it intentional to remove this in v2.25.0 and up?

[gilles-peskine-arm]

The intention between differentiating have-key-pair and have-public-key is to allow builds that have public-key operations only (typically: I want to verify some signatures, but I'm not going to sign anything), which can save significant code size if the implementation is structured for it: you don't need any blinding code, CRT parameter handling, etc. Mbed TLS is not yet structured for it, but we'll work on that in the coming months.

Private key operations may have worked accidentally even when only PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY was enabled and not PSA_WANT_KEY_TYPE_RSA_KEY_PAIR, but we're progressively tightening down on the configuration, and also ramping up testing (#4444 will add systematic negative testing).

There was (in Mbed TLS v2.24.0) a way to express “private-key operations but not key generation” in the PSA crypto configuration system.

In the classic configuration system, yes. In the PSA configuration system, no. We didn't intend to remove anything, but we're aware that the new system doesn't exactly match the granularity of the old one.

[Patater]

I should also highlight that I'm not using MBEDTLS_PSA_CRYPTO_CONFIG or PSA_WANT_*. Indeed, with PSA_WANT_* there is no way to express "private-key operations but not key generation".

I am using the "old-style configuration mechanism", which it seems there is some intention to provide backwards compatibility with, hence my raising of this PR to help with that effort. If this aspect of PSA configuration isn't one you want to support because PSA_WANT_* can't express it yet, that's not great for my use case, but I can understand.

Another question would be if the configuration settings I've added to all.sh are considered invalid somehow. Is building with the default config minus MBEDTLS_GENPRIME (and no other changes) no longer supported?

[gilles-peskine-arm]

Breaking configurations without MBEDTLS_GENPRIME was an unintended regression. I fully agree that we should fix it. But I don't want to fix it by breaking something else. I think it should be possible to fix it by adding (back?) a few #ifdef MBDETLS_GENPRIME in the right places.

With MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_GENPRIME is a mandatory consequence of PSA_WANT_KEY_TYPE_RSA_KEY_PAIR for the time being, that's a limitation to fix later.

[gilles-peskine-arm]

As a quick fix, I think the best solution would be to add #if defined(MBEDTLS_GENPRIME) back into psa_crypto_*.c. That's not the long-term solution, because it only matters for the software implementation, it doesn't allow e.g. an accelerator to declare that it can accelerate RSA signatures but not RSA key generation. But it's a good short-term solution because it fixes the problem you care about without breaking (or worsening) things that currently work (-ish), and it doesn't require any new design that we're not sure is the right design.

[gilles-peskine-arm]

Please run make test as well

[Patater]

Modified the RSA software implementation to use the MBEDTLS_GENPRIME define to gate calling of mbedtls_rsa_gen_key().

[Patater]

Also call make test, even though not necessary to run into the discovered linker error, it is helpful to see if the configuration without MBEDTLS_GENPRIME is broken in some other fashion.

[Patater]

One outstanding issue is if the accelerator configuration PSA_CRYPTO_DRIVER_TEST && MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR needs to work without MBEDTLS_GENPRIME being set.

#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||  \
      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
        defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ) )
#define BUILTIN_KEY_TYPE_RSA_KEY_PAIR    1
#endif

[gilles-peskine-arm]

Currently only rsa_generate_key.

[Patater]

Does it use this implementation of rsa_generate_key() or is another rsa_generate_key() substituted in at link time?

[gilles-peskine-arm]

We don't do link-time substitution.

[Patater]

Updated with removal of XXX review comment question and addition of MBEDTLS_GENPRIME ifdef in psa_generate_key_internal() to gate calling mbedtls_psa_rsa_generate_key().

[Patater]

Updated to add missing dependency to "PSA generate key: RSA, 1024 bits, good, encrypt (OAEP SHA-256)". It wasn't depending on MBEDTLS_GENPRIME, but should have been.

[gilles-peskine-arm]

Looks good to me. Please make a backport to development_2.x.

[gilles-peskine-arm]

I think this could just have said “Fix the build when MBEDTLS_GENPRIME is disabled.” But ok.

[Patater]

Raised backport to development_2.x #4546