-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subsys: jwt: add PSA crypto alternative to legacy libraries (TinyCrypt for ECDSA and Mbed TLS for RSA) #78243
Conversation
9ed82e0
to
ddd8ee5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Probably worth going through the clang-format suggestions just to keep the warnings down. Most seem to have to do with line breaks in function argument lists.
|
||
if JWT_SIGN_ECDSA | ||
|
||
config JWT_SIGN_ECDSA_PSA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious, does the PSA configuration basically assume/assert that there is a proper CSPRNG enabled? Otherwise, should we check that. Signing multiple messages with the same nonce in EDCSA is a devastating failure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say that the answer is yes, but it might depend on your configuration/platform capabilities.
I've recently done some change on how the Mbed TLS's PSA can handle random generation. You have basically 2 choices:
-
legacy, where
psa_generate_random()
calls to the legacy Mbed TLS modules (i.e. entropy + ctr/hmac drbg) to get random values; in this case the entropy module calls back to Zephyr to poll some random values. It first tries with CS sources, then it falls back to non-CS ones. -
external, where
psa_generate_random()
calls to CS-only sources. In this case there is the possibility to use non-CS sources (viaCONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG
), but there are warning during the build that clearly state that this is meant to be used only as test.
ddd8ee5
to
13c38f9
Compare
I should have addressed most of them. There should be only complains about adding a space after casts, ex: In case my preference makes sense, can I edit the current |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Just some minor comments.
7e409ee
to
51d5e09
Compare
prompt "Select crypto library to be used" | ||
|
||
config JWT_USE_PSA | ||
bool "PSA crypto API library" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't you want to add some depends on
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. I implemented what you proposed here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this is changing the default behavior (now defaulting to PSA, enabling what's needed) we may want a migration guide entry.
51d5e09
to
7ff86ab
Compare
prompt "Select crypto library to be used" | ||
|
||
config JWT_USE_PSA | ||
bool "PSA crypto API library" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this is changing the default behavior (now defaulting to PSA, enabling what's needed) we may want a migration guide entry.
7ff86ab
to
37bbf5f
Compare
2e146b4
to
2b01a46
Compare
In the last forced-push I just updated the documentation, so I assume the CI will still be fine and the PR is now ready for reviews again :) |
2b01a46
to
7a7a0c8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comment, with the rest looking overall good to me.
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
int jwt_sign_impl(struct jwt_builder *builder, const unsigned char *der_key, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you may want some header guards here. Additionally for this to be stand-alone the include where jwt_builder
is defined should be added to the file... or forward declared as it's a pointer to force the compiler to warn about transitive includes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're absolutely right. Thanks for both suggestions!
doc/releases/migration-guide-4.0.rst
Outdated
JWT (JSON Web Token) | ||
==================== | ||
|
||
* By default signature is now computed through PSA Crypto API for both RSA and ECDSA. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you're missing a word here... By default, <something> signature is now...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than a word I would say an article, "the". JWT assumes that the JSON content is signed and "signature" is the subject of this sentence, so I would say that "by default, the signature" should be fine.
However I'm not a native english speaker, so I might miss something so please I apologize for any mistake.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be even more precise you could add JWT
: the JWT signature is now
7a7a0c8
to
528c004
Compare
Not using a space between a cast and the value is almost universal across programming conventions. I'd suggest getting used to it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you should fix the spacing on casts, and use the ARG_UNUSED()
macro. The others from clang-format are not good, and maybe we want to propose fixing that in another PR.
sys_rand_get(entropy, sizeof(entropy)); | ||
|
||
int res = tc_ctr_prng_init(&prng_state, (const uint8_t *) &entropy, sizeof(entropy), | ||
personalize, sizeof(personalize)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest fixing this, not using a space after a cast is near universal in C style conventions.
subsys/jwt/jwt_legacy_ecdsa.c
Outdated
struct tc_sha256_state_struct ctx; | ||
uint8_t hash[32]; | ||
int res; | ||
(void) sig_size; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use ARG_UNUSED(sig_size);
subsys/jwt/jwt_psa.c
Outdated
psa_set_key_type(&attr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); | ||
psa_set_key_algorithm(&attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); | ||
alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256); | ||
#else /* CONFIG_JWT_SIGN_RSA */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is rather silly and picky of it, but might as well comply.
return -EINVAL; | ||
} | ||
|
||
status = psa_sign_message(key_id, alg, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I care less about this, since I think your formatting is slightly more readable, as it groups the things that go together.
* $ openssl ecparam -name prime256v1 -genkey | openssl ec -outform der | xxd -ps | ||
* - copy the content to https://lapo.it/asn1js/ | ||
* - get the first OCTECT STRING, which is the private key, and copy it here | ||
*/ | ||
|
||
unsigned char jwt_test_private_der[] = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case, the clang format output is actively terrible. If you have ideas on improving the config for this one, perhaps that should be proposed. But, not in this PR, just leave it.
528c004
to
53c4ec4
Compare
This commit: - creates 2 new files, jwt_ecdsa.c and jwt_rsa.c, to hold the implementations of the corresponding ECDSA/RSA signature algorithms; - RSA signature is stil done through Mbed TLS's PK module which can optionally make use of PSA (if enabled); - ECDSA signature will instead use PSA, if possible, or TinyCrypt as fallback. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- Some files (PEM/DER files, jwt-test-cert.c, user-tls-conf.h) were removed because they are not used or no longer necessary. Private keys used in the test are now in the jwt-test-private.c file as arrays. - testcase.yaml has been improved in order to test all possible use cases: ECDSA with TC, ECDSA with PSA, RSA; - unnecessary Kconfigs were removed from prj.conf. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Update JWT subsystem documentation concerning the changes related to: - default library used - new Kconfigs added Signed-off-by: Valerio Setti <vsetti@baylibre.com>
53c4ec4
to
67a8d8e
Compare
Following the discussion of the Security WG meeting of September, 9th, TinyCrypt should be deprecated soon and
jwt
is the only place in Zephyr's codebase where there is no PSA/Mbed TLS alternative to TinyCrypt to perform ECDSA.The main goal of this PR is to solve this limitation, but it also add some extra improvements:
subsys/jwt
code, isolating signature functions;conf
file.