From 024c3aeb9e2654562788bc07e1ca21cd93a0cb43 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 12 Nov 2025 12:51:52 +0100
Subject: [PATCH 01/10] library: ssl: remove duplicate check in ssl_parse_server_key_exchange()
The check being removed is already done few lines above so there is no need to repeat it twice.
Signed-off-by: Valerio Setti
---
 library/ssl_tls12_client.c | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index c4f75b63de..131efbe248 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1977,14 +1977,6 @@ start_processing:
 /*
 * Verify signature
 */
- if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
- }
 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
 if (ssl->handshake->ecrs_enabled) {
From 92926ff4dce7b2b5e037d4ea5ade1f1f5d431f41 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 12 Nov 2025 12:55:52 +0100
Subject: [PATCH 02/10] library: common: add helper to get PSA algorithm from PK sigalg
Add a simple helper to convert from PK sigalg to PSA algorithm. This is handy when calling mbedtls_pk_can_do_psa() knowing the PK sigalg and the used MD type. This is being added in a separate file because it's meant to be consumed by both ssl and x509 modules. It was not added to tf-psa-crypto because this is only needed on the mbedtls repo and doing so reduce interdependencies between the repos.
Signed-off-by: Valerio Setti
---
 library/mbedtls_utils.h | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 library/mbedtls_utils.h
diff --git a/library/mbedtls_utils.h b/library/mbedtls_utils.h
new file mode 100644
index 0000000000..948b391061
--- /dev/null
+++ b/library/mbedtls_utils.h
@@ -0,0 +1,23 @@
+#include "mbedtls/pk.h"
+#include "psa/crypto.h"
+
+#ifndef MBEDTLS_UTILS_H
+#define MBEDTLS_UTILS_H
+
+/* Return the PSA algorithm associated to the given combination of "sigalg" and "hash_alg". */
+static inline int mbedtls_psa_alg_from_pk_sigalg(mbedtls_pk_sigalg_t sigalg,
+ psa_algorithm_t hash_alg)
+{
+ switch (sigalg) {
+ case MBEDTLS_PK_SIGALG_RSA_PKCS1V15:
+ return PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg);
+ case MBEDTLS_PK_SIGALG_RSA_PSS:
+ return PSA_ALG_RSA_PSS(hash_alg);
+ case MBEDTLS_PK_SIGALG_ECDSA:
+ return MBEDTLS_PK_ALG_ECDSA(hash_alg);
+ default:
+ return MBEDTLS_PK_SIGALG_NONE;
+ }
+}
+
+#endif /* MBEDTLS_UTILS_H */
From 81a5a0914ca711606fbe74ec5818f29e3aee4bf2 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 12 Nov 2025 12:55:04 +0100
Subject: [PATCH 03/10] library: ssl: replace mbedtls_pk_can_do() with mbedtls_pk_can_do_psa()
Signed-off-by: Valerio Setti
---
 library/ssl_tls12_client.c | 7 ++++++-
 library/ssl_tls12_server.c | 5 ++++-
 library/ssl_tls13_generic.c | 5 ++++-
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 131efbe248..ebcc0d56bb 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -16,6 +16,7 @@
 #include "debug_internal.h"
 #include "mbedtls/error.h"
 #include "mbedtls/constant_time.h"
+#include "mbedtls_utils.h"
 #include "psa/crypto.h"
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@@ -1883,6 +1884,7 @@ start_processing:
 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ psa_algorithm_t psa_hash_alg;
 mbedtls_pk_sigalg_t pk_alg = MBEDTLS_PK_SIGALG_NONE;
 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
 size_t params_len = (size_t) (p - params);
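Review bot: The two `#include` lines of the new mbedtls_utils.h come before `#ifndef MBEDTLS_UTILS_H`, so they sit outside the include guard and are re-processed on every inclusion; move the guard to the top, i.e. `#ifndef MBEDTLS_UTILS_H` / `#define MBEDTLS_UTILS_H` and only then the two includes. The header also has no file-level comment saying what it is for, while the commit message explains it well (helpers shared by the ssl and x509 modules, deliberately kept out of tf-psa-crypto); a two-line comment at the top carrying that rationale would save the next reader a trip through git log. The function comment should additionally say what the `default` branch returns for a sigalg with no PSA equivalent, since callers in the later patches feed the result straight into mbedtls_pk_can_do_psa() and need to know which value means "unsupported".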
@@ -1921,7 +1923,10 @@ start_processing:
 }
 p += 2;
- if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
+ psa_hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ if (!mbedtls_pk_can_do_psa(peer_pk,
+ mbedtls_psa_alg_from_pk_sigalg(pk_alg, psa_hash_alg),
+ PSA_KEY_USAGE_VERIFY_HASH)) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
 mbedtls_ssl_send_alert_message(
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 1f4ac3ea79..c02aeeaa08 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -16,6 +16,7 @@
 #include "mbedtls/error.h"
 #include "mbedtls/platform_util.h"
 #include "mbedtls/constant_time.h"
+#include "mbedtls_utils.h"
 #include
@@ -3421,7 +3422,9 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
 /*
 * Check the certificate's key type matches the signature alg
 */
- if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
+ if (!mbedtls_pk_can_do_psa(peer_pk,
+ mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH),
+ PSA_KEY_USAGE_VERIFY_HASH)) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index c7d3d48561..078daea352 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -18,6 +18,7 @@
 #include "mbedtls/constant_time.h"
 #include "psa/crypto.h"
 #include "mbedtls/psa_util.h"
+#include "mbedtls_utils.h"
 #include "ssl_tls13_invasive.h"
 #include "ssl_tls13_keys.h"
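Review bot: The commit message is only a subject line, yet the new call in ssl_parse_server_key_exchange() is not a mechanical rename: it now passes the negotiated hash (`psa_hash_alg`) and `PSA_KEY_USAGE_VERIFY_HASH`, so a peer key whose type matches the signature algorithm but which cannot verify with that hash/usage is now rejected where mbedtls_pk_can_do() accepted it; the same applies to the ssl_tls12_server.c and ssl_tls13_generic.c hunks of this patch. Please state that tightening in the message, and reword the `Check the certificate's key type matches the signature alg` comment in the server and TLS 1.3 hunks, which still describes a type-only check. If md_alg can still be MBEDTLS_MD_NONE when this line is reached (its parsing is above the hunk), mbedtls_md_psa_alg_from_type() presumably yields PSA_ALG_NONE and the composed algorithm degenerates to the raw/any-hash variant, so the check would no longer reject on hash — worth a test case if that path is reachable. ssl_parse_server_key_exchange() starts and ends outside the hunk.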
@@ -276,7 +277,9 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
 /*
 * Check the certificate's key type matches the signature alg
 */
- if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, (mbedtls_pk_type_t) sig_alg)) {
+ if (!mbedtls_pk_can_do_psa(&ssl->session_negotiate->peer_cert->pk,
+ mbedtls_psa_alg_from_pk_sigalg(sig_alg, hash_alg),
+ PSA_KEY_USAGE_VERIFY_HASH)) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
 goto error;
 }
From 9d1fa1a8d8b4a3e09163eb568220678dc4256f70 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 12 Nov 2025 13:05:03 +0100
Subject: [PATCH 04/10] library: x509: change order of checks in x509_crt_check_signature()
Checking that parent PK type is OK is definitely faster than computing an hash, so invert the checks.
Signed-off-by: Valerio Setti
---
 library/x509_crt.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index e18dbe777e..ae9cc22538 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2108,6 +2108,11 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ /* Skip expensive computation on obvious mismatch */
+ if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) {
+ return -1;
+ }
+
 status = psa_hash_compute(hash_alg,
 child->tbs.p,
 child->tbs.len,
@@ -2118,11 +2123,6 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
 }
- /* Skip expensive computation on obvious mismatch */
- if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) {
- return -1;
- }
-
 #if defined(MBEDTLS_ECP_RESTARTABLE)
 if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_SIGALG_ECDSA) {
 return mbedtls_pk_verify_restartable(&parent->pk,
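Review bot: The early return moved to the top of x509_crt_check_signature() yields a bare `-1`, which is not an MBEDTLS_ERR_ code and cannot be told apart from a genuine verification failure by any caller that propagates the value; the function header and its callers are outside the hunk, so if callers only test for non-zero, a one-line comment at the return would make that contract explicit: `/* Not an MBEDTLS_ERR_ code: callers only test for != 0. */`. The reorder itself is fine from a side-channel point of view — the key-type test depends only on public certificate data, so running it before the TBS hash reveals nothing about the signature. The "expensive computation" comment now sits above the check it describes, which is an improvement over the old placement.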
From 1de094fb321f793fa398951598c682969e00326f Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 12 Nov 2025 14:44:59 +0100
Subject: [PATCH 05/10] library: x509: replace mbedtls_pk_can_do() with mbedtls_pk_can_do_psa()
Signed-off-by: Valerio Setti
---
 library/x509_crt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index ae9cc22538..61dca746a3 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -43,6 +43,8 @@
 #include "mbedtls/threading.h"
 #endif
+#include "mbedtls_utils.h"
+
 #if defined(MBEDTLS_HAVE_TIME)
 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
 #ifndef WIN32_LEAN_AND_MEAN
@@ -2109,7 +2111,9 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 /* Skip expensive computation on obvious mismatch */
- if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) {
+ if (!mbedtls_pk_can_do_psa(&parent->pk,
+ mbedtls_psa_alg_from_pk_sigalg(child->sig_pk, hash_alg),
+ PSA_KEY_USAGE_VERIFY_HASH)) {
 return -1;
 }
From 902467d62f999c14aada0a8e1375527ecd948f81 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 2 Dec 2025 09:33:33 +0100
Subject: [PATCH 06/10] ssl: replace usage of mbedtls_pk_can_do() with mbedtls_pk_get_key_type()
Signed-off-by: Valerio Setti
---
 library/ssl_tls.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 36c6bf9586..f873566d5c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
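Review bot: The `Skip expensive computation on obvious mismatch` comment no longer describes the check under it: with the hash derived from `child->sig_md` and `PSA_KEY_USAGE_VERIFY_HASH` passed in, mbedtls_pk_can_do_psa() rejects on hash and usage as well as on key type, so this is the first real policy decision of the function rather than a shortcut. I would reword it, e.g. `/* Reject early if the parent key cannot verify child's (sig_pk, sig_md) combination; the signature itself is still checked by mbedtls_pk_verify*() below. */`. Note also that `#include "mbedtls_utils.h"` is added in a block of its own after the threading conditional rather than next to the other unconditional includes; the file's include list is above the hunk, so this may be deliberate. x509_crt_check_signature() starts and ends outside the hunk.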
@@ -5605,13 +5605,15 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
 */
 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
 {
+ psa_key_type_t key_type = mbedtls_pk_get_key_type(pk);
+
 #if defined(MBEDTLS_RSA_C)
- if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
+ if (PSA_KEY_TYPE_IS_RSA(key_type)) {
 return MBEDTLS_SSL_SIG_RSA;
 }
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
- if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
+ if (PSA_KEY_TYPE_IS_ECC(key_type)) {
 return MBEDTLS_SSL_SIG_ECDSA;
 }
 #endif
From 9eb5b2a14681afd493227e01ec20df7eebf2ebdf Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 2 Dec 2025 09:40:28 +0100
Subject: [PATCH 07/10] x509: replace usage of mbedtls_pk_can_do() with mbedtls_pk_get_key_type()
Signed-off-by: Valerio Setti
---
 library/x509write_crt.c | 5 +++--
 library/x509write_csr.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 399c923097..8c77f10c34 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -392,6 +392,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 psa_algorithm_t psa_algorithm;
+ psa_key_type_t key_type = mbedtls_pk_get_key_type(ctx->issuer_key);
 size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
 size_t len = 0;
@@ -407,9 +408,9 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
 /* There's no direct way of extracting a signature algorithm
 * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
- if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA)) {
+ if (PSA_KEY_TYPE_IS_RSA(key_type)) {
 pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
- } else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA)) {
+ } else if (PSA_KEY_TYPE_IS_ECC(key_type)) {
 pk_alg = MBEDTLS_PK_SIGALG_ECDSA;
 } else {
 return MBEDTLS_ERR_X509_INVALID_ALG;
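Review bot: Classifying by `mbedtls_pk_get_key_type(pk)` alone drops whatever mbedtls_pk_can_do() enforced beyond the key type; if a PK context can wrap a key whose policy does not permit signing (an ECC key restricted to key agreement, for instance), mbedtls_ssl_sig_from_pk() now reports MBEDTLS_SSL_SIG_ECDSA for it. If that is acceptable for its callers, a comment making the contract explicit would stop the next reader from assuming more: `/* Classification by key type only; the key's usage/algorithm policy is not consulted. */`. What the function returns when `key_type` is neither RSA nor ECC (including an unset context, if mbedtls_pk_get_key_type() tolerates one) is decided by the lines below the hunk, so please confirm that path still yields the intended "no signature" value.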
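Review bot: The comment kept above the new `PSA_KEY_TYPE_IS_RSA(key_type)` test in mbedtls_x509write_crt_der() is now stale — it talks about extracting an `mbedtls_pk_type_t`, but the code derives the signature algorithm from the PSA key type; reword it, e.g. `/* Derive the signature algorithm from the issuer key's PSA key type. */`. In the same file `key_type` is now evaluated in its declaration, before anything else has looked at `ctx->issuer_key`, whereas the old code first touched the key at the mbedtls_pk_can_do() call some fifteen lines later; if mbedtls_pk_get_key_type() does not tolerate an unset or NULL context, the failure mode for a caller that forgot to set the issuer key moves from MBEDTLS_ERR_X509_INVALID_ALG to a crash — worth confirming what it does on an empty context. The x509write_csr.c hunk of this patch evaluates `key_type` from `ctx->key` at declaration time in the same way and carries the same question.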
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index 8a81f7ee56..22651032b1 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -144,6 +144,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
 mbedtls_pk_sigalg_t pk_alg;
 size_t hash_len;
 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
+ psa_key_type_t key_type = mbedtls_pk_get_key_type(ctx->key);
 /* Write the CSR backwards starting from the end of buf */
 c = buf + size;
@@ -217,9 +218,9 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
 }
- if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) {
+ if (PSA_KEY_TYPE_IS_RSA(key_type)) {
 pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
- } else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA)) {
+ } else if (PSA_KEY_TYPE_IS_ECC(key_type)) {
 pk_alg = MBEDTLS_PK_SIGALG_ECDSA;
 } else {
 return MBEDTLS_ERR_X509_INVALID_ALG;
From d8f0b37d1ab7c07fe2e5617982800318d5c64b96 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Fri, 5 Dec 2025 15:57:39 +0100
Subject: [PATCH 08/10] ssl: replace remaining occurrence of pk_can_do with pk_get_key_type
Signed-off-by: Valerio Setti
---
 library/ssl_tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f873566d5c..be071defac 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8782,7 +8782,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
 defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
- mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
+ PSA_KEY_TYPE_IS_ECC(mbedtls_pk_get_type(&chain->pk))) {
 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
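Review bot: The new condition in mbedtls_ssl_verify_certificate() calls `mbedtls_pk_get_type()`, while the subject line and the other hunks of this series (mbedtls_ssl_sig_from_pk(), x509write_crt.c, x509write_csr.c) use `mbedtls_pk_get_key_type()`, which returns a `psa_key_type_t`. If mbedtls_pk_get_type() still returns an `mbedtls_pk_type_t` (the enum this series still casts to in earlier patches), `PSA_KEY_TYPE_IS_ECC` is applied to the wrong enumeration and is presumably never true, so mbedtls_ssl_check_curve() would be skipped silently for every EC certificate in a TLS 1.2 handshake and a certificate on a curve the configuration does not allow would no longer be flagged with MBEDTLS_X509_BADCERT_BAD_KEY. The line should read `PSA_KEY_TYPE_IS_ECC(mbedtls_pk_get_key_type(&chain->pk))) {`, and a test that verifies an EC certificate on a curve excluded from the configured curve list would catch this class of regression. mbedtls_ssl_verify_certificate() starts and ends outside the hunk.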
From 5ad2bfa6c8ea5b0c7adb80c6aa80aeb567811a08 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 9 Dec 2025 16:15:48 +0100
Subject: [PATCH 09/10] library: ssl: adjust return type of mbedtls_psa_alg_from_pk_sigalg()
The correct return type should have been "psa_algorithm_t" since the beginning because this is what the function really returns and this is what the returned value is then used for in the calling functions. Change also the returned value in the default case from MBEDTLS_PK_SIGALG_NONE to PSA_ALG_NONE in order to return the same type as in other cases of the switch case.
Signed-off-by: Valerio Setti
---
 library/mbedtls_utils.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/mbedtls_utils.h b/library/mbedtls_utils.h
index 948b391061..67f74786b3 100644
--- a/library/mbedtls_utils.h
+++ b/library/mbedtls_utils.h
@@ -5,8 +5,8 @@
 #define MBEDTLS_UTILS_H
 
 /* Return the PSA algorithm associated to the given combination of "sigalg" and "hash_alg". */
-static inline int mbedtls_psa_alg_from_pk_sigalg(mbedtls_pk_sigalg_t sigalg,
- psa_algorithm_t hash_alg)
+static inline psa_algorithm_t mbedtls_psa_alg_from_pk_sigalg(mbedtls_pk_sigalg_t sigalg,
+ psa_algorithm_t hash_alg)
 {
 switch (sigalg) {
 case MBEDTLS_PK_SIGALG_RSA_PKCS1V15:
@@ -16,7 +16,7 @@ static inline int mbedtls_psa_alg_from_pk_sigalg(mbedtls_pk_sigalg_t sigalg,
 case MBEDTLS_PK_SIGALG_ECDSA:
 return MBEDTLS_PK_ALG_ECDSA(hash_alg);
 default:
- return MBEDTLS_PK_SIGALG_NONE;
+ return PSA_ALG_NONE;
 }
 }
 
From c0ac4a69336a1a8ae43a727bc45089940c40fa5e Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 9 Dec 2025 16:18:11 +0100
Subject: [PATCH 10/10] library: ssl: specify hash algorithm when checking signature in ssl_parse_certificate_verify
Since the hash algorithm is known, this can be used when calling "mbedtls_pk_can_do_psa()" to get a more accurate answer.
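Review bot: The comment above mbedtls_psa_alg_from_pk_sigalg() still only says it returns the PSA algorithm for the pair, while the `default` case now returns `PSA_ALG_NONE`; since every caller in this series feeds the result straight into mbedtls_pk_can_do_psa(), the sentinel belongs in the contract so callers can decide whether to test for it: `/* Return the PSA algorithm for the given (sigalg, hash_alg) pair, or PSA_ALG_NONE if sigalg has no PSA equivalent. */`. If `MBEDTLS_PK_ALG_ECDSA()` selects between deterministic and randomized ECDSA depending on configuration, a one-line comment on that case saying it is used on purpose instead of PSA_ALG_ECDSA() would also help, because the choice matters when the result is compared against a key's algorithm policy.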
Signed-off-by: Valerio Setti
---
 library/ssl_tls12_server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index c02aeeaa08..ec4446c1b4 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3325,6 +3325,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
 mbedtls_pk_context *peer_pk;
+ psa_algorithm_t psa_sig_alg;
 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
@@ -3422,9 +3423,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
 /*
 * Check the certificate's key type matches the signature alg
 */
- if (!mbedtls_pk_can_do_psa(peer_pk,
- mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH),
- PSA_KEY_USAGE_VERIFY_HASH)) {
+ psa_sig_alg = mbedtls_psa_alg_from_pk_sigalg(pk_alg, mbedtls_md_psa_alg_from_type(md_alg));
+ if (!mbedtls_pk_can_do_psa(peer_pk, psa_sig_alg, PSA_KEY_USAGE_VERIFY_HASH)) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
 }
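Review bot: `psa_sig_alg` is declared at the top of ssl_parse_certificate_verify() (the `@@ -3325` hunk) but assigned and read exactly once about a hundred lines later in the `@@ -3422` hunk; declaring it at the point of use keeps the name next to its only value and removes the uninitialised window: `psa_algorithm_t psa_sig_alg = mbedtls_psa_alg_from_pk_sigalg(pk_alg, mbedtls_md_psa_alg_from_type(md_alg));`. The `Check the certificate's key type matches the signature alg` comment above the call now undersells it, since the check also covers the hash and the verify usage; `Check that the certificate's key can verify this sig_alg/hash combination` would be accurate. ssl_parse_certificate_verify() starts and ends outside the hunks.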