Parse RSA parameters DP, DQ and QP from PKCS1 private keys

Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347
2020-01-22 17:34:29 -05:00 · 2020-01-22 17:34:29 -05:00 · 80cc811039
commit 80cc811039
parent d27a88438f
2 changed files with 27 additions and 8 deletions
--- a/library/pkparse.c
+++ b/library/pkparse.c
@ -769,16 +769,31 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
        goto cleanup;
    p += len;

+    /* Import DP */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                                      MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &rsa->DP, p, len ) ) != 0 )
+        goto cleanup;
+    p += len;
+
+    /* Import DQ */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                                      MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &rsa->DQ, p, len ) ) != 0 )
+        goto cleanup;
+    p += len;
+
+    /* Import QP */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                                      MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &rsa->QP, p, len ) ) != 0 )
+        goto cleanup;
+    p += len;
+
    /* Complete the RSA private key */
    if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
        goto cleanup;

-    /* Check optional parameters */
-    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
-        ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
-        ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
-        goto cleanup;
-
    if( p != end )
    {
        ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +