psa: Simplify EC public key format

Remove front matter from our EC key format, to make it just the contents of an ECPoint as defined by SEC1 section 2.3.3. As a consequence of the simplification, remove the restriction on not being able to use an ECDH key with ECDSA. There is no longer any OID specified when importing a key, so we can't reject importing of an ECDH key for the purpose of ECDSA based on the OID.
2019-01-10 11:42:27 +00:00 · 2019-01-10 11:42:27 +00:00 · ccdce90adb
commit ccdce90adb
parent 97271b37c8
5 changed files with 127 additions and 178 deletions
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@ -482,6 +482,14 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
 *      modulus            INTEGER,    -- n
 *      publicExponent     INTEGER  }  -- e
 *   ```
+ * - For elliptic curve public keys (key types for which
+ *   #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
+ *   representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint:
+ *   Let `m` be the bit size associated with the curve, i.e. the bit size of
+ *   `q` for a curve over `F_q`. The representation consists of:
+ *      - The byte 0x04;
+ *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
 *
 * For other public key types, the format is the DER representation defined by
 * RFC 5280 as `SubjectPublicKeyInfo`, with the `subjectPublicKey` format
@ -509,30 +517,6 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
 *      g                  INTEGER  }
 *   DSAPublicKey ::= INTEGER -- public key, Y
 *   ```
- * - For elliptic curve public keys (key types for which
- *   #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true),
- *   the `subjectPublicKey` format is defined by RFC 3279 &sect;2.3.5 as
- *   `ECPoint`, which contains the uncompressed
- *   representation defined by SEC1 &sect;2.3.3.
- *   The OID is `id-ecPublicKey`,
- *   and the parameters must be given as a `namedCurve` OID as specified in
- *   RFC 5480 &sect;2.1.1.1 or other applicable standards.
- *   ```
- *   ansi-X9-62 OBJECT IDENTIFIER ::=
- *                           { iso(1) member-body(2) us(840) 10045 }
- *   id-public-key-type OBJECT IDENTIFIER  ::= { ansi-X9.62 2 }
- *   id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
- *
- *   ECPoint ::= ...
- *      -- first 8 bits: 0x04;
- *      -- then x_P as a `ceiling(m/8)`-byte string, big endian;
- *      -- then y_P as a `ceiling(m/8)`-byte string, big endian;
- *      -- where `m` is the bit size associated with the curve,
- *      --       i.e. the bit size of `q` for a curve over `F_q`.
- *
- *   EcpkParameters ::= CHOICE { -- other choices are not allowed
- *      namedCurve    OBJECT IDENTIFIER }
- *   ```
 *
 * \param handle            Handle to the key to export.
 * \param[out] data         Buffer where the key data is to be written.
@ -2160,7 +2144,9 @@ psa_status_t psa_key_derivation(psa_crypto_generator_t *generator,
 *                                in the same format that psa_import_key()
 *                                accepts. The standard formats for public
 *                                keys are documented in the documentation
- *                                of psa_export_public_key().
+ *                                of psa_export_public_key(). For EC keys, it
+ *                                must also be of the same group as the private
+ *                                key.
 * \param peer_key_length         Size of \p peer_key in bytes.
 * \param alg                     The key agreement algorithm to compute
 *                                (\c PSA_ALG_XXX value such that
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@ -493,26 +493,16 @@

 /* Maximum size of the export encoding of an ECC public key.
 *
- * SubjectPublicKeyInfo  ::=  SEQUENCE  {
- *      algorithm            AlgorithmIdentifier,
- *      subjectPublicKey     BIT STRING  } -- contains ECPoint
- * AlgorithmIdentifier  ::=  SEQUENCE  {
- *      algorithm               OBJECT IDENTIFIER,
- *      parameters              OBJECT IDENTIFIER } -- namedCurve
- * ECPoint ::= ...
- *    -- first 8 bits: 0x04;
- *    -- then x_P as a `ceiling(m/8)`-byte string, big endian;
- *    -- then y_P as a `ceiling(m/8)`-byte string, big endian;
- *    -- where `m` is the bit size associated with the curve.
+ * The representation of an ECC public key is:
+ *      - The byte 0x04;
+ *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
+ *      - where m is the bit size associated with the curve.
 *
- * - 2 * 4 bytes of SEQUENCE overhead;
- * - 1 + 1 + 7 bytes of algorithm (id-ecPublicKey OID);
- * - 1 + 1 + 12 bytes of namedCurve OID;
- * - 4 bytes of BIT STRING overhead;
- * - 1 byte + 2 * point size in ECPoint.
+ * - 1 byte + 2 * point size.
 */
 #define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)        \
-    (2 * PSA_BITS_TO_BYTES(key_bits) + 36)
+    (2 * PSA_BITS_TO_BYTES(key_bits) + 1)

 /* Maximum size of the export encoding of an ECC key pair.
 *