From 5522df4f68bfa66b9b4446fdfb92783694586f70 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Wed, 13 Sep 2017 11:28:13 -0400
Subject: Sort-of-working, large (4096-bit) RSA keys broken.

Snapshot of mostly but not entirely working code to include the extra
ModExpA7 key components in the keystore.  Need to investigate whether
a more compact representation is practical for these components, as
the current one bloats the key object so much that a bare 4096-bit key
won't fit in a single hash block, and there may not be enough room for
PKCS #11 attributes even for smaller keys.

If more compact representation not possible or insufficient, the other
option is to double the size of a keystore object, making it two flash
subsectors for a total of 8192 octets.  Which would of course halve
the number of keys we can store and require a bunch of little tweaks
all through the ks code (particularly flash erase), so definitely
worth trying for a more compact representation first.
---
 rpc_pkey.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

(limited to 'rpc_pkey.c')

diff --git a/rpc_pkey.c b/rpc_pkey.c
index 3d4a379..53d3214 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -734,7 +734,8 @@ static hal_error_t pkey_local_get_public_key(const hal_pkey_handle_t pkey,
  * algorithm-specific functions.
  */
 
-static hal_error_t pkey_local_sign_rsa(uint8_t *keybuf, const size_t keybuf_len,
+static hal_error_t pkey_local_sign_rsa(hal_pkey_slot_t *slot,
+                                       uint8_t *keybuf, const size_t keybuf_len,
                                        const uint8_t * const der, const size_t der_len,
                                        const hal_hash_handle_t hash,
                                        const uint8_t * input, size_t input_len,
@@ -763,10 +764,21 @@ static hal_error_t pkey_local_sign_rsa(uint8_t *keybuf, const size_t keybuf_len,
       (err = hal_rsa_decrypt(NULL, key, signature, *signature_len, signature, *signature_len)) != HAL_OK)
     return err;
 
+  if (hal_rsa_key_needs_saving(key)) {
+    uint8_t pkcs8[hal_rsa_private_key_to_der_extra_len(key)];
+    size_t pkcs8_len = 0;
+    if ((err = hal_rsa_private_key_to_der_extra(key, pkcs8, &pkcs8_len, sizeof(pkcs8))) == HAL_OK)
+      err = hal_ks_rewrite_der(ks_from_flags(slot->flags), slot, pkcs8, pkcs8_len);
+    memset(pkcs8, 0, sizeof(pkcs8));
+    if (err != HAL_OK)
+      return err;
+  }
+
   return HAL_OK;
 }
 
-static hal_error_t pkey_local_sign_ecdsa(uint8_t *keybuf, const size_t keybuf_len,
+static hal_error_t pkey_local_sign_ecdsa(hal_pkey_slot_t *slot,
+                                         uint8_t *keybuf, const size_t keybuf_len,
                                          const uint8_t * const der, const size_t der_len,
                                          const hal_hash_handle_t hash,
                                          const uint8_t * input, size_t input_len,
@@ -813,7 +825,8 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey,
   if (slot == NULL)
     return HAL_ERROR_KEY_NOT_FOUND;
 
-  hal_error_t (*signer)(uint8_t *keybuf, const size_t keybuf_len,
+  hal_error_t (*signer)(hal_pkey_slot_t *slot,
+                        uint8_t *keybuf, const size_t keybuf_len,
                         const uint8_t * const der, const size_t der_len,
                         const hal_hash_handle_t hash,
                         const uint8_t * const input,  const size_t input_len,
@@ -840,7 +853,7 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey,
   hal_error_t err;
 
   if ((err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der))) == HAL_OK)
-    err = signer(keybuf, sizeof(keybuf), der, der_len, hash, input, input_len,
+    err = signer(slot, keybuf, sizeof(keybuf), der, der_len, hash, input, input_len,
                  signature, signature_len, signature_max);
 
   memset(keybuf, 0, sizeof(keybuf));
-- 
cgit v1.2.3


From 410e0cf1d22c67585f0a5346e62f60aa4e90fe05 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Wed, 13 Sep 2017 20:20:55 -0400
Subject: Preliminary support for parallel core RSA CRT.

---
 rpc_pkey.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'rpc_pkey.c')

diff --git a/rpc_pkey.c b/rpc_pkey.c
index 53d3214..9d8975f 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -760,8 +760,8 @@ static hal_error_t pkey_local_sign_rsa(hal_pkey_slot_t *slot,
     input = signature;
   }
 
-  if ((err = pkcs1_5_pad(input, input_len, signature, *signature_len, 0x01))                   != HAL_OK ||
-      (err = hal_rsa_decrypt(NULL, key, signature, *signature_len, signature, *signature_len)) != HAL_OK)
+  if ((err = pkcs1_5_pad(input, input_len, signature, *signature_len, 0x01))                         != HAL_OK ||
+      (err = hal_rsa_decrypt(NULL, NULL, key, signature, *signature_len, signature, *signature_len)) != HAL_OK)
     return err;
 
   if (hal_rsa_key_needs_saving(key)) {
@@ -1276,7 +1276,7 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
     goto fail;
   }
 
-  if ((err = hal_rsa_decrypt(NULL, rsa, data, data_len, der, data_len)) != HAL_OK)
+  if ((err = hal_rsa_decrypt(NULL, NULL, rsa, data, data_len, der, data_len)) != HAL_OK)
     goto fail;
 
   if ((err = hal_get_random(NULL, kek, sizeof(kek))) != HAL_OK)
-- 
cgit v1.2.3