Update ECDSA key policies to PSA API 1.4 #535
Open
gilles-peskine-arm wants to merge 7 commits into Mbed-TLS:development from
Conversation
This makes more sense than having the usage enforcement directly inside the state-modifying function `psa_get_and_lock_key_slot_with_policy()`. No intended behavior change. Signed-off-by: Gilles Peskine <[email protected]>
We have C code that calculates the expected usage flags in the key policy based on the usage flags passed in the key attributes during key creation. Don't use `asymmetric_signature_key_policy` to validate that C code against test data. It's fairly simple, and duplicated in Python code used in automatically generated crypto storage and operation failure tests. No change in test coverage of the library. Signed-off-by: Gilles Peskine <[email protected]>
In `asymmetric_signature_key_policy` tests, express whether a given usage is valid through a mask of usage flags. Formerly this was expressed as a mix of test data (`payload_length_arg=0` to convey that no usage was allowed) and logic in the code (to determine which usage was allowed). Now we always use a valid payload length, even in tests that expect a policy violation. No change in test coverage of the library. Signed-off-by: Gilles Peskine <[email protected]>
Descriptions get truncated at 66 columns and some had relevant information after or near that limit. Signed-off-by: Gilles Peskine <[email protected]>
Deterministic ECDSA with a hash, randomized ECDSA with a hash, and the special case `PSA_ALG_DETERMINISTIC_ECDSA`, are three separate families of algorithms, and the policy determines which one to use. Test that this is enforced. As a special case, `PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)` allows `PSA_ALG_DETERMINISTIC_ECDSA`. This is our historical behavior, but no longer allowed by the PSA specification. Mbed-TLS#533 Signed-off-by: Gilles Peskine <[email protected]>
Stop allowing `PSA_ALG_ECDSA_ANY` when the policy is `PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)`. This was our historical behavior, but no longer allowed by the PSA specification. Fixes Mbed-TLS#533. Document this and the other similar case `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` (which `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` does allow). Signed-off-by: Gilles Peskine <[email protected]>
If a key policy specifies the deterministic variant of ECDSA, the key now allows verification with the randomized variant (which has identical behavior), and vice versa. Mbed-TLS#534 Signed-off-by: Gilles Peskine <[email protected]>
a2ccc07 to d4343a8
bjwtaylor approved these changes Jan 7, 2026
Treat randomized and deterministic ECDSA as equivalent when verifying. This is a new requirement in the upcoming PSA Crypto 1.4 specification. A similar relaxation will apply to ML-DSA and SLH-DSA. Resolves #534
Stop allowing `PSA_ALG_ECDSA_ANY` when the policy is `PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)`. This was made an explicit requirement in the PSA Crypto 1.1 specification. Resolves #533