subsys: jwt: add PSA crypto alternative to legacy libraries (TinyCrypt for ECDSA and Mbed TLS for RSA) #78243
Conversation
valeriosetti
force-pushed
the
jwt-replace-tc
branch
3 times, most recently
from
9ed82e0
to
ddd8ee5
Compare
|
|
||
| if JWT_SIGN_ECDSA | ||
|
|
||
| config JWT_SIGN_ECDSA_PSA |
There was a problem hiding this comment.
Just curious, does the PSA configuration basically assume/assert that there is a proper CSPRNG enabled? Otherwise, should we check that. Signing multiple messages with the same nonce in EDCSA is a devastating failure.
There was a problem hiding this comment.
I would say that the answer is yes, but it might depend on your configuration/platform capabilities.
I've recently done some change on how the Mbed TLS's PSA can handle random generation. You have basically 2 choices:
-
legacy, where
psa_generate_random()calls to the legacy Mbed TLS modules (i.e. entropy + ctr/hmac drbg) to get random values; in this case the entropy module calls back to Zephyr to poll some random values. It first tries with CS sources, then it falls back to non-CS ones. -
external, where
psa_generate_random()calls to CS-only sources. In this case there is the possibility to use non-CS sources (viaCONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG), but there are warning during the build that clearly state that this is meant to be used only as test.
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
ddd8ee5
to
13c38f9
Compare
I should have addressed most of them. There should be only complains about adding a space after casts, ex: In case my preference makes sense, can I edit the current |
valeriosetti
force-pushed
the
jwt-replace-tc
branch
6 times, most recently
from
7e409ee
to
51d5e09
Compare
| prompt "Select crypto library to be used" | ||
|
|
||
| config JWT_USE_PSA | ||
| bool "PSA crypto API library" |
There was a problem hiding this comment.
Don't you want to add some depends on here?
There was a problem hiding this comment.
Right. I implemented what you proposed here
There was a problem hiding this comment.
As this is changing the default behavior (now defaulting to PSA, enabling what's needed) we may want a migration guide entry.
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
51d5e09
to
7ff86ab
Compare
| prompt "Select crypto library to be used" | ||
|
|
||
| config JWT_USE_PSA | ||
| bool "PSA crypto API library" |
There was a problem hiding this comment.
As this is changing the default behavior (now defaulting to PSA, enabling what's needed) we may want a migration guide entry.
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
7ff86ab
to
37bbf5f
Compare
valeriosetti
changed the title
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
2e146b4
to
2b01a46
Compare
|
In the last forced-push I just updated the documentation, so I assume the CI will still be fine and the PR is now ready for reviews again :) |
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
2b01a46
to
7a7a0c8
Compare
| * SPDX-License-Identifier: Apache-2.0 | ||
| */ | ||
|
|
||
| int jwt_sign_impl(struct jwt_builder *builder, const unsigned char *der_key, |
There was a problem hiding this comment.
you may want some header guards here. Additionally for this to be stand-alone the include where jwt_builder is defined should be added to the file... or forward declared as it's a pointer to force the compiler to warn about transitive includes.
There was a problem hiding this comment.
You're absolutely right. Thanks for both suggestions!
doc/releases/migration-guide-4.0.rst
Outdated
| JWT (JSON Web Token) | ||
| ==================== | ||
|
|
||
| * By default signature is now computed through PSA Crypto API for both RSA and ECDSA. |
There was a problem hiding this comment.
I think you're missing a word here... By default, <something> signature is now...
There was a problem hiding this comment.
Rather than a word I would say an article, "the". JWT assumes that the JSON content is signed and "signature" is the subject of this sentence, so I would say that "by default, the signature" should be fine.
However I'm not a native english speaker, so I might miss something so please I apologize for any mistake.
There was a problem hiding this comment.
To be even more precise you could add JWT: the JWT signature is now
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
7a7a0c8
to
528c004
Compare
Not using a space between a cast and the value is almost universal across programming conventions. I'd suggest getting used to it. |
| sys_rand_get(entropy, sizeof(entropy)); | ||
|
|
||
| int res = tc_ctr_prng_init(&prng_state, (const uint8_t *) &entropy, sizeof(entropy), | ||
| personalize, sizeof(personalize)); |
There was a problem hiding this comment.
I'd suggest fixing this, not using a space after a cast is near universal in C style conventions.
subsys/jwt/jwt_legacy_ecdsa.c
Outdated
| struct tc_sha256_state_struct ctx; | ||
| uint8_t hash[32]; | ||
| int res; | ||
| (void) sig_size; |
There was a problem hiding this comment.
Please use ARG_UNUSED(sig_size);
subsys/jwt/jwt_psa.c
Outdated
| psa_set_key_type(&attr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); | ||
| psa_set_key_algorithm(&attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); | ||
| alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256); | ||
| #else /* CONFIG_JWT_SIGN_RSA */ |
There was a problem hiding this comment.
This is rather silly and picky of it, but might as well comply.
| return -EINVAL; | ||
| } | ||
|
|
||
| status = psa_sign_message(key_id, alg, |
There was a problem hiding this comment.
I care less about this, since I think your formatting is slightly more readable, as it groups the things that go together.
| * $ openssl ecparam -name prime256v1 -genkey | openssl ec -outform der | xxd -ps | ||
| * - copy the content to https://lapo.it/asn1js/ | ||
| * - get the first OCTECT STRING, which is the private key, and copy it here | ||
| */ | ||
|
|
||
| unsigned char jwt_test_private_der[] = { |
There was a problem hiding this comment.
In this case, the clang format output is actively terrible. If you have ideas on improving the config for this one, perhaps that should be proposed. But, not in this PR, just leave it.
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
528c004
to
53c4ec4
Compare
This commit: - creates 2 new files, jwt_ecdsa.c and jwt_rsa.c, to hold the implementations of the corresponding ECDSA/RSA signature algorithms; - RSA signature is stil done through Mbed TLS's PK module which can optionally make use of PSA (if enabled); - ECDSA signature will instead use PSA, if possible, or TinyCrypt as fallback. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- Some files (PEM/DER files, jwt-test-cert.c, user-tls-conf.h) were removed because they are not used or no longer necessary. Private keys used in the test are now in the jwt-test-private.c file as arrays. - testcase.yaml has been improved in order to test all possible use cases: ECDSA with TC, ECDSA with PSA, RSA; - unnecessary Kconfigs were removed from prj.conf. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Update JWT subsystem documentation concerning the changes related to: - default library used - new Kconfigs added Signed-off-by: Valerio Setti <vsetti@baylibre.com>
valeriosetti
force-pushed
the
jwt-replace-tc
branch
from
53c4ec4
to
67a8d8e
Compare
Following the discussion of the Security WG meeting of September, 9th, TinyCrypt should be deprecated soon and
jwtis the only place in Zephyr's codebase where there is no PSA/Mbed TLS alternative to TinyCrypt to perform ECDSA.The main goal of this PR is to solve this limitation, but it also add some extra improvements:
subsys/jwtcode, isolating signature functions;conffile.