diff options
author | Jerome Forissier <jerome@forissier.org> | 2019-12-17 09:19:56 +0100 |
---|---|---|
committer | Jérôme Forissier <jerome@forissier.org> | 2020-01-09 09:17:39 +0100 |
commit | 0f1519439f5bff0608f4a24baaaed108a0d0be5c (patch) | |
tree | 88fa84c7bef3d4986e7b80c522c303a629e26634 /core | |
parent | 76c7ba4b9ff76dc053e34ad9f9c790a6c59febf5 (diff) |
core: crypto add support for SM2 DSA
Adds SM2 Digital Signature Algorithm [1] using LibTomCrypt. The TA
interface complies with the GlobalPlatform TEE Internal Core API
version 1.2.
SM2 DSA is enabled with CFG_CRYPTO_SM2_DSA=y (default y) which currently
requires that CFG_CRYPTOLIB_NAME=tomcrypt. An Mbed TLS implementation
could be added later if needed.
[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/crypto.mk | 6 | ||||
-rw-r--r-- | core/crypto/crypto.c | 22 | ||||
-rw-r--r-- | core/include/crypto/crypto.h | 7 | ||||
-rw-r--r-- | core/lib/libtomcrypt/ecc.c | 3 | ||||
-rw-r--r-- | core/tee/tee_svc_cryp.c | 28 |
5 files changed, 65 insertions, 1 deletions
diff --git a/core/crypto.mk b/core/crypto.mk index d7b5a074..0fdbac63 100644 --- a/core/crypto.mk +++ b/core/crypto.mk @@ -41,10 +41,14 @@ CFG_CRYPTO_DH ?= y CFG_CRYPTO_ECC ?= y ifeq ($(CFG_CRYPTOLIB_NAME),tomcrypt) CFG_CRYPTO_SM2_PKE ?= y +CFG_CRYPTO_SM2_DSA ?= y endif ifeq ($(CFG_CRYPTOLIB_NAME)-$(CFG_CRYPTO_SM2_PKE),mbedtls-y) $(error Error: CFG_CRYPTO_SM2_PKE=y requires CFG_CRYPTOLIB_NAME=tomcrypt) endif +ifeq ($(CFG_CRYPTOLIB_NAME)-$(CFG_CRYPTO_SM2_DSA),mbedtls-y) +$(error Error: CFG_CRYPTO_SM2_DSA=y requires CFG_CRYPTOLIB_NAME=tomcrypt) +endif # Authenticated encryption CFG_CRYPTO_CCM ?= y @@ -137,6 +141,7 @@ $(eval $(call cryp-dep-one, AES, ECB CBC CTR CTS XTS)) $(eval $(call cryp-dep-one, DES, ECB CBC)) # SM2 is Elliptic Curve Cryptography, it uses some generic ECC functions $(eval $(call cryp-dep-one, SM2_PKE, ECC)) +$(eval $(call cryp-dep-one, SM2_DSA, ECC)) ############################################################### # libtomcrypt (LTC) specifics, phase #1 @@ -168,6 +173,7 @@ core-ltc-vars += SHA1_ARM32_CE SHA1_ARM64_CE core-ltc-vars += SHA256_ARM32_CE SHA256_ARM64_CE core-ltc-vars += SIZE_OPTIMIZATION core-ltc-vars += SM2_PKE +core-ltc-vars += SM2_DSA # Assigned selected CFG_CRYPTO_xxx as _CFG_CORE_LTC_xxx $(foreach v, $(core-ltc-vars), $(eval _CFG_CORE_LTC_$(v) := $(CFG_CRYPTO_$(v)))) _CFG_CORE_LTC_MPI := $(CFG_CORE_MBEDTLS_MPI) diff --git a/core/crypto/crypto.c b/core/crypto/crypto.c index eeaa269b..578514da 100644 --- a/core/crypto/crypto.c +++ b/core/crypto/crypto.c @@ -711,3 +711,25 @@ TEE_Result crypto_acipher_sm2_pke_encrypt(struct ecc_public_key *key __unused, return TEE_ERROR_NOT_IMPLEMENTED; } #endif /* !CFG_CRYPTO_SM2_PKE */ + +#if !defined(CFG_CRYPTO_SM2_DSA) +TEE_Result crypto_acipher_sm2_dsa_sign(uint32_t algo __unused, + struct ecc_keypair *key __unused, + const uint8_t *msg __unused, + size_t msg_len __unused, + uint8_t *sig __unused, + size_t *sig_len __unused) +{ + return TEE_ERROR_NOT_IMPLEMENTED; +} + +TEE_Result crypto_acipher_sm2_dsa_verify(uint32_t algo __unused, + struct ecc_public_key *key __unused, + const uint8_t *msg __unused, + size_t msg_len __unused, + const uint8_t *sig __unused, + size_t sig_len __unused) +{ + return TEE_ERROR_NOT_IMPLEMENTED; +} +#endif /* !CFG_CRYPTO_SM2_DSA */ diff --git a/core/include/crypto/crypto.h b/core/include/crypto/crypto.h index 7da74461..e9138758 100644 --- a/core/include/crypto/crypto.h +++ b/core/include/crypto/crypto.h @@ -244,6 +244,13 @@ TEE_Result crypto_acipher_sm2_pke_decrypt(struct ecc_keypair *key, TEE_Result crypto_acipher_sm2_pke_encrypt(struct ecc_public_key *key, const uint8_t *src, size_t src_len, uint8_t *dst, size_t *dst_len); +TEE_Result crypto_acipher_sm2_dsa_sign(uint32_t algo, struct ecc_keypair *key, + const uint8_t *msg, size_t msg_len, + uint8_t *sig, size_t *sig_len); +TEE_Result crypto_acipher_sm2_dsa_verify(uint32_t algo, + struct ecc_public_key *key, + const uint8_t *msg, size_t msg_len, + const uint8_t *sig, size_t sig_len); /* * Verifies a SHA-256 hash, doesn't require crypto_init() to be called in diff --git a/core/lib/libtomcrypt/ecc.c b/core/lib/libtomcrypt/ecc.c index 051da77e..92d773af 100644 --- a/core/lib/libtomcrypt/ecc.c +++ b/core/lib/libtomcrypt/ecc.c @@ -128,7 +128,8 @@ static TEE_Result ecc_get_curve_info(uint32_t curve, uint32_t algo, size_bits = 256; size_bytes = 32; name = "SM2"; - if ((algo != 0) && (algo != TEE_ALG_SM2_PKE)) + if ((algo != 0) && (algo != TEE_ALG_SM2_PKE) && + (algo != TEE_ALG_SM2_DSA_SM3)) return TEE_ERROR_BAD_PARAMETERS; break; default: diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index 622fd299..17d8decf 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -487,6 +487,14 @@ static const struct tee_cryp_obj_type_props tee_cryp_obj_props[] = { sizeof(struct ecc_keypair), tee_cryp_obj_ecc_keypair_attrs), + PROP(TEE_TYPE_SM2_DSA_PUBLIC_KEY, 1, 256, 256, + sizeof(struct ecc_public_key), + tee_cryp_obj_ecc_pub_key_attrs), + + PROP(TEE_TYPE_SM2_DSA_KEYPAIR, 1, 256, 256, + sizeof(struct ecc_keypair), + tee_cryp_obj_ecc_keypair_attrs), + PROP(TEE_TYPE_SM2_PKE_PUBLIC_KEY, 1, 256, 256, sizeof(struct ecc_public_key), tee_cryp_obj_ecc_pub_key_attrs), @@ -1145,6 +1153,9 @@ TEE_Result tee_obj_attr_copy_from(struct tee_obj *o, const struct tee_obj *src) } else if (o->info.objectType == TEE_TYPE_ECDH_PUBLIC_KEY) { if (src->info.objectType != TEE_TYPE_ECDH_KEYPAIR) return TEE_ERROR_BAD_PARAMETERS; + } else if (o->info.objectType == TEE_TYPE_SM2_DSA_PUBLIC_KEY) { + if (src->info.objectType != TEE_TYPE_SM2_DSA_KEYPAIR) + return TEE_ERROR_BAD_PARAMETERS; } else if (o->info.objectType == TEE_TYPE_SM2_PKE_PUBLIC_KEY) { if (src->info.objectType != TEE_TYPE_SM2_PKE_KEYPAIR) return TEE_ERROR_BAD_PARAMETERS; @@ -1236,12 +1247,14 @@ TEE_Result tee_obj_set_type(struct tee_obj *o, uint32_t obj_type, break; case TEE_TYPE_ECDSA_PUBLIC_KEY: case TEE_TYPE_ECDH_PUBLIC_KEY: + case TEE_TYPE_SM2_DSA_PUBLIC_KEY: case TEE_TYPE_SM2_PKE_PUBLIC_KEY: res = crypto_acipher_alloc_ecc_public_key(o->attr, max_key_size); break; case TEE_TYPE_ECDSA_KEYPAIR: case TEE_TYPE_ECDH_KEYPAIR: + case TEE_TYPE_SM2_DSA_KEYPAIR: case TEE_TYPE_SM2_PKE_KEYPAIR: res = crypto_acipher_alloc_ecc_keypair(o->attr, max_key_size); break; @@ -2033,6 +2046,12 @@ static TEE_Result tee_svc_cryp_check_key_type(const struct tee_obj *o, else req_key_type = TEE_TYPE_SM2_PKE_KEYPAIR; break; + case TEE_MAIN_ALGO_SM2_DSA_SM3: + if (mode == TEE_MODE_VERIFY) + req_key_type = TEE_TYPE_SM2_DSA_PUBLIC_KEY; + else + req_key_type = TEE_TYPE_SM2_DSA_KEYPAIR; + break; #if defined(CFG_CRYPTO_HKDF) case TEE_MAIN_ALGO_HKDF: req_key_type = TEE_TYPE_HKDF_IKM; @@ -3505,6 +3524,10 @@ TEE_Result syscall_asymm_operate(unsigned long state, res = crypto_acipher_ecc_sign(cs->algo, o->attr, src_data, src_len, dst_data, &dlen); break; + case TEE_ALG_SM2_DSA_SM3: + res = crypto_acipher_sm2_dsa_sign(cs->algo, o->attr, src_data, + src_len, dst_data, &dlen); + break; default: res = TEE_ERROR_BAD_PARAMETERS; @@ -3628,6 +3651,11 @@ TEE_Result syscall_asymm_verify(unsigned long state, data_len, sig, sig_len); break; + case TEE_MAIN_ALGO_SM2_DSA_SM3: + res = crypto_acipher_sm2_dsa_verify(cs->algo, o->attr, data, + data_len, sig, sig_len); + break; + default: res = TEE_ERROR_NOT_SUPPORTED; } |