From fcee740b835f6dcbca1fa4aa42998c3269caad8e Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 11 Oct 2022 21:15:24 +0200
Subject: [PATCH] Automatically enable PK_PARSE for RSA in PSA

PSA crypto currently needs MBEDTLS_PK_PARSE_C to parse RSA keys to do almost anything with them (import, get attributes, export public from private, any cryptographic operations). Force it on, for symmetry with what we're doing for MBEDTLS_PK_WRITE_C. Fixes #6409.

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/psa_rsa_needs_pk.txt | 2 ++
 include/mbedtls/build_info.h | 3 ++-
 tests/scripts/all.sh | 8 ++++----
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/ChangeLog.d/psa_rsa_needs_pk.txt b/ChangeLog.d/psa_rsa_needs_pk.txt
index 3421affc7..995963d7e 100644
--- a/ChangeLog.d/psa_rsa_needs_pk.txt
+++ b/ChangeLog.d/psa_rsa_needs_pk.txt
@@ -1,3 +1,5 @@
 Bugfix
 * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
 MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
+ * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
+ MBEDTLS_PK_PARSE_C. Fixes #6409.
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 21e63f125..b04378929 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -79,11 +79,12 @@
 * and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext().
 * PSA crypto also needs pk_write to export RSA keys (otherwise the build
 * goes through but psa_export_key() and psa_export_public_key() fail on
- * RSA keys).
+ * RSA keys), and pk_parse to work with RSA keys in almost any way.
 */
 #if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
 #define MBEDTLS_PK_C
 #define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_PARSE_C
 #endif

 /* Under MBEDTLS_USE_PSA_CRYPTO, the pk module needs pk_write functions
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index fa4160415..30ab9ba63 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
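Review bot: In include/mbedtls/build_info.h, the added `#define MBEDTLS_PK_PARSE_C` turns the key parser back on in every build that has MBEDTLS_PSA_CRYPTO_C and MBEDTLS_RSA_C, even when the integrator unset it deliberately to keep parsing code out of the image, and only this internal comment says so. The option's description in the user-facing configuration header (not part of this diff) should carry a sentence such as `This option is enabled automatically when MBEDTLS_PSA_CRYPTO_C and MBEDTLS_RSA_C are both enabled.`, so that a code-size or attack-surface review of the configuration matches what is actually compiled. Separately, the define is unguarded: a build that sets the option with `-DMBEDTLS_PK_PARSE_C` gives it the value 1, and the empty redefinition here is then diagnosed as a macro redefinition, which fails under `-Werror`. Wrapping it as `#if !defined(MBEDTLS_PK_PARSE_C)` / `#define MBEDTLS_PK_PARSE_C` / `#endif` avoids that. The two existing defines in the block have the same shape.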
@@ -1572,11 +1572,11 @@ component_build_crypto_light () {
 scripts/config.py unset MBEDTLS_PEM_WRITE_C
 scripts/config.py unset MBEDTLS_PKCS12_C
 scripts/config.py unset MBEDTLS_PKCS5_C
- # MBEDTLS_PK_WRITE_C is actually currently needed for RSA key export,
- # but build_info.h will reenable it.
+ # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed
+ # in PSA code to work with RSA keys. We don't require users to set those:
+ # they will be reenabled in build_info.h.
+ scripts/config.py unset MBEDTLS_PK_PARSE_C
 scripts/config.py unset MBEDTLS_PK_WRITE_C
- # At this time, we can't unset MBEDTLS_PK_PARSE_C, because it's needed
- # for RSA in PSA (see https://github.com/Mbed-TLS/mbedtls/issues/6408).
 make CFLAGS='-O1 -Werror' all test
 are_empty_libraries library/libmbedx509.* library/libmbedtls.*
 }