esp32s2/esp_ds: Digital Signature software support

1)Added support for alt rsa sign implementation with DS peripheral ( through ESP-TLS - mbedTLS SSL/TLS stack)
2024-10-05 20:47:46 -04:00 · 2020-06-16 18:10:12 +05:30 · 2020-06-16 18:10:12 +05:30 · 47f7c6a991
commit 47f7c6a991
parent b845bb5787
7 changed files with 470 additions and 3 deletions
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@ -24,6 +24,15 @@ menu "ESP-TLS"
            Enable use of Secure Element for ESP-TLS, this enables internal support for
            ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.

+    config ESP_TLS_USE_DS_PERIPHERAL
+        bool "Use Digital Signature (DS) Peripheral with ESP-TLS"
+        depends on IDF_TARGET_ESP32S2 && ESP_TLS_USING_MBEDTLS
+        default y
+        help
+            Enable use of the Digital Signature Peripheral for ESP-TLS.The DS peripheral
+            can only be used when it is appropriately configured for TLS.
+            Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
+
    config ESP_TLS_SERVER
        bool "Enable ESP-TLS Server"
        default n
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@ -205,6 +205,7 @@ typedef struct esp_tls_cfg {
                                            /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
                                                 bundle for server verification, must be enabled in menuconfig */

+    void *ds_data;                          /*!< Pointer for digital signature peripheral context */
 } esp_tls_cfg_t;

 #ifdef CONFIG_ESP_TLS_SERVER
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -44,6 +44,11 @@ static const atcacert_def_t* cert_def = NULL;
 static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg);
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */

+#if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
+#include "rsa_sign_alt.h"
+static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki);
+#endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
+
 static const char *TAG = "esp-tls-mbedtls";
 static mbedtls_x509_crt *global_cacert = NULL;

@ -56,6 +61,9 @@ typedef struct esp_tls_pki_t {
    unsigned int privkey_pem_bytes;
    const unsigned char *privkey_password;
    unsigned int privkey_password_len;
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+    void *esp_ds_data;
+#endif
 } esp_tls_pki_t;

 esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
@ -125,6 +133,9 @@ int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
    ret = mbedtls_ssl_handshake(&tls->ssl);
    if (ret == 0) {
        tls->conn_state = ESP_TLS_DONE;
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+        esp_ds_release_ds_lock();
+#endif
        return 1;
    } else {
        if (ret != ESP_TLS_ERR_SSL_WANT_READ && ret != ESP_TLS_ERR_SSL_WANT_WRITE) {
@ -247,6 +258,9 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
    atcab_release();
 #endif
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+    esp_ds_release_ds_lock();
+#endif
 }

 static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t cacert_len)
@ -272,7 +286,6 @@ static esp_err_t set_pki_context(esp_tls_t *tls, const esp_tls_pki_t *pki)
    int ret;

    if (pki->publiccert_pem_buf != NULL &&
-        pki->privkey_pem_buf != NULL &&
        pki->public_cert != NULL &&
        pki->pk_key != NULL) {

@ -286,8 +299,22 @@ static esp_err_t set_pki_context(esp_tls_t *tls, const esp_tls_pki_t *pki)
            return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;
        }

-        ret = mbedtls_pk_parse_key(pki->pk_key, pki->privkey_pem_buf, pki->privkey_pem_bytes,
-                                   pki->privkey_password, pki->privkey_password_len);
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+        if (pki->esp_ds_data != NULL) {
+            ret = esp_mbedtls_init_pk_ctx_for_ds(pki);
+            if (ret != ESP_OK) {
+                ESP_LOGE(TAG, "Failed to initialize pk context for ");
+                return ret;
+            }
+        } else
+#endif
+        if (pki->privkey_pem_buf != NULL) {
+            ret = mbedtls_pk_parse_key(pki->pk_key, pki->privkey_pem_buf, pki->privkey_pem_bytes,
+                                       pki->privkey_password, pki->privkey_password_len);
+        } else {
+            return ESP_ERR_INVALID_ARG;
+        }
+
        if (ret < 0) {
            ESP_LOGE(TAG, "mbedtls_pk_parse_keyfile returned -0x%x", -ret);
            ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
@ -477,6 +504,35 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
        ESP_LOGE(TAG, "Please enable secure element support for ESP-TLS in menuconfig");
        return ESP_FAIL;
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+    } else if (cfg->ds_data != NULL) {
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+        if (cfg->clientcert_pem_buf == NULL) {
+            ESP_LOGE(TAG, "Client certificate is also required with the DS parameters");
+            return ESP_ERR_INVALID_STATE;
+        }
+        esp_ds_set_session_timeout(cfg->timeout_ms);
+        /* set private key pointer to NULL since the DS peripheral with its own configuration data is used */
+        esp_tls_pki_t pki = {
+            .public_cert = &tls->clientcert,
+            .pk_key = &tls->clientkey,
+            .publiccert_pem_buf = cfg->clientcert_buf,
+            .publiccert_pem_bytes = cfg->clientcert_bytes,
+            .privkey_pem_buf = NULL,
+            .privkey_pem_bytes = 0,
+            .privkey_password = NULL,
+            .privkey_password_len = 0,
+            .esp_ds_data = cfg->ds_data,
+        };
+
+        esp_err_t esp_ret = set_pki_context(tls, &pki);
+        if (esp_ret != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to set client pki context for the DS peripheral, returned %02x", esp_ret);
+            return esp_ret;
+        }
+#else
+        ESP_LOGE(TAG, "Please enable the DS peripheral support for the ESP-TLS in menuconfig. (only supported for the ESP32-S2 chip)");
+        return ESP_FAIL;
+#endif
    } else if (cfg->clientcert_pem_buf != NULL && cfg->clientkey_pem_buf != NULL) {
        esp_tls_pki_t pki = {
            .public_cert = &tls->clientcert,
@ -671,3 +727,25 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cf
    return ESP_OK;
 }
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
+{
+    int ret = -1;
+    /* initialize the mbedtls pk context with rsa context */
+    mbedtls_rsa_context rsakey;
+    mbedtls_rsa_init(&rsakey, MBEDTLS_RSA_PKCS_V15, 0);
+    if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, &rsakey, NULL, esp_ds_rsa_sign,
+                                        esp_ds_get_keylen )) != 0) {
+        ESP_LOGE(TAG, "Error in mbedtls_pk_setup_rsa_alt, returned %02x", ret);
+        return ESP_FAIL;
+    }
+    ret = esp_ds_init_data_ctx(((const esp_tls_pki_t*)pki)->esp_ds_data);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to initialize DS parameters from nvs");
+        return ESP_FAIL;
+    }
+    ESP_LOGD(TAG, "DS peripheral params initialized.");
+    return ESP_OK;
+}
+#endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@ -90,6 +90,10 @@ target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c"
                                  "${COMPONENT_DIR}/port/${idf_target}/sha.c"
 )

+if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
+    target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp32s2/esp_rsa_sign_alt.c")
+endif()
+
 # Note: some mbedTLS hardware acceleration can be enabled/disabled by config.
 #
 # We don't need to filter aes.c as this uses a different prefix (esp_aes_x) and the
--- a/components/mbedtls/port/esp32s2/esp_rsa_sign_alt.c
+++ b/components/mbedtls/port/esp32s2/esp_rsa_sign_alt.c
@ -0,0 +1,250 @@
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "esp_ds.h"
+#include "rsa_sign_alt.h"
+#include "esp32s2/rom/digital_signature.h"
+#include "esp_log.h"
+#include "esp_heap_caps.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/semphr.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+static const char *TAG = "ESP_RSA_SIGN_ALT";
+#define SWAP_INT32(x) (((x) >> 24) | (((x) & 0x00FF0000) >> 8) | (((x) & 0x0000FF00) << 8) | ((x) << 24))
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/rsa_internal.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include <string.h>
+
+static hmac_key_id_t s_esp_ds_hmac_key_id;
+static esp_ds_data_t *s_ds_data;
+static SemaphoreHandle_t s_ds_lock;
+static uint32_t s_timeout_ms = 0;
+
+/* key length in bytes = (esp_digital_signature_length_t key + 1 ) * FACTOR_KEYLEN_IN_BYTES */
+#define FACTOR_KEYLEN_IN_BYTES 4
+
+/* Lock for the DS session, other TLS connections trying to use the DS peripheral will be blocked
+ * till this DS session is completed (i.e. TLS handshake for this connection is completed) */
+static void __attribute__((constructor)) esp_ds_conn_lock (void)
+{
+    if ((s_ds_lock = xSemaphoreCreateMutex()) == NULL) {
+        ESP_EARLY_LOGE(TAG, "mutex for the DS session lock could not be created");
+    }
+}
+
+void esp_ds_set_session_timeout(int timeout)
+{
+    /* add additional offset of 1000 ms to have enough time for deleting the TLS connection and free the previous ds context after exceeding timeout value (this offset also helps when timeout is set to 0) */
+    if (timeout > s_timeout_ms) {
+        s_timeout_ms = timeout + 1000;
+    }
+}
+
+esp_err_t  esp_ds_init_data_ctx(esp_ds_data_ctx_t *ds_data)
+{
+    if (ds_data == NULL || ds_data->esp_ds_data == NULL) {
+        return ESP_ERR_INVALID_ARG;
+    }
+    /* mutex is given back when the DS context is freed after the TLS handshake is completed or in case of failure (at cleanup) */
+    if ((xSemaphoreTake(s_ds_lock, s_timeout_ms / portTICK_PERIOD_MS) != pdTRUE)) {
+        ESP_LOGE(TAG, "ds_lock could not be obtained in specified time");
+        return ESP_FAIL;
+    }
+    s_ds_data = ds_data->esp_ds_data;
+    s_esp_ds_hmac_key_id = (hmac_key_id_t) ds_data->efuse_key_id;
+    /* calculate the rsa_length in terms of esp_digital_signature_length_t which is required for the internal DS API */
+    s_ds_data->rsa_length = (ds_data->rsa_length_bits / 32) - 1;
+    return ESP_OK;
+}
+
+void esp_ds_release_ds_lock(void)
+{
+    /* Give back the semaphore (DS lock) */
+    xSemaphoreGive(s_ds_lock);
+}
+
+size_t esp_ds_get_keylen(void *ctx)
+{
+    /* calculating the rsa_length in bytes */
+    return ((s_ds_data->rsa_length + 1) * FACTOR_KEYLEN_IN_BYTES);
+}
+
+static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
+                                        unsigned int hashlen,
+                                        const unsigned char *hash,
+                                        size_t dst_len,
+                                        unsigned char *dst )
+{
+    size_t oid_size  = 0;
+    size_t nb_pad    = dst_len;
+    unsigned char *p = dst;
+    const char *oid  = NULL;
+
+    /* Are we signing hashed or raw data? */
+    if ( md_alg != MBEDTLS_MD_NONE ) {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if ( md_info == NULL ) {
+            return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        }
+
+        if ( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) {
+            return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        }
+
+        hashlen = mbedtls_md_get_size( md_info );
+
+        /* Double-check that 8 + hashlen + oid_size can be used as a
+         * 1-byte ASN.1 length encoding and that there's no overflow. */
+        if ( 8 + hashlen + oid_size  >= 0x80         ||
+                10 + hashlen            <  hashlen      ||
+                10 + hashlen + oid_size <  10 + hashlen ) {
+            return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        }
+
+        /*
+         * Static bounds check:
+         * - Need 10 bytes for five tag-length pairs.
+         *   (Insist on 1-byte length encodings to protect against variants of
+         *    Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
+         * - Need hashlen bytes for hash
+         * - Need oid_size bytes for hash alg OID.
+         */
+        if ( nb_pad < 10 + hashlen + oid_size ) {
+            return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        }
+        nb_pad -= 10 + hashlen + oid_size;
+    } else {
+        if ( nb_pad < hashlen ) {
+            return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        }
+
+        nb_pad -= hashlen;
+    }
+
+    /* Need space for signature header and padding delimiter (3 bytes),
+     * and 8 bytes for the minimal padding */
+    if ( nb_pad < 3 + 8 ) {
+        return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+    nb_pad -= 3;
+
+    /* Now nb_pad is the amount of memory to be filled
+     * with padding, and at least 8 bytes long. */
+
+    /* Write signature header and padding */
+    *p++ = 0;
+    *p++ = MBEDTLS_RSA_SIGN;
+    memset( p, 0xFF, nb_pad );
+    p += nb_pad;
+    *p++ = 0;
+
+    /* Are we signing raw data? */
+    if ( md_alg == MBEDTLS_MD_NONE ) {
+        memcpy( p, hash, hashlen );
+        return ( 0 );
+    }
+
+    /* Signing hashed data, add corresponding ASN.1 structure
+     *
+     * DigestInfo ::= SEQUENCE {
+     *   digestAlgorithm DigestAlgorithmIdentifier,
+     *   digest Digest }
+     * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+     * Digest ::= OCTET STRING
+     *
+     * Schematic:
+     * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID  + LEN [ OID  ]
+     *                                 TAG-NULL + LEN [ NULL ] ]
+     *                 TAG-OCTET + LEN [ HASH ] ]
+     */
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x04 + oid_size );
+    *p++ = MBEDTLS_ASN1_OID;
+    *p++ = (unsigned char) oid_size;
+    memcpy( p, oid, oid_size );
+    p += oid_size;
+    *p++ = MBEDTLS_ASN1_NULL;
+    *p++ = 0x00;
+    *p++ = MBEDTLS_ASN1_OCTET_STRING;
+    *p++ = (unsigned char) hashlen;
+    memcpy( p, hash, hashlen );
+    p += hashlen;
+
+    /* Just a sanity-check, should be automatic
+     * after the initial bounds check. */
+    if ( p != dst + dst_len ) {
+        mbedtls_platform_zeroize( dst, dst_len );
+        return ( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return ( 0 );
+}
+
+
+int esp_ds_rsa_sign( void *ctx,
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig )
+{
+    esp_ds_context_t *esp_ds_ctx;
+    esp_err_t ds_r;
+    int ret = -1;
+    uint32_t *signature = heap_caps_malloc_prefer((s_ds_data->rsa_length + 1) * FACTOR_KEYLEN_IN_BYTES, 2, MALLOC_CAP_32BIT | MALLOC_CAP_INTERNAL, MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL);
+    if (signature == NULL) {
+        ESP_LOGE(TAG, "Could not allocate memory for internal DS operations");
+        return -1;
+    }
+
+    if ((ret = (rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, ((s_ds_data->rsa_length + 1) * FACTOR_KEYLEN_IN_BYTES), sig ))) != 0) {
+        ESP_LOGE(TAG, "Error in pkcs1_v15 encoding, returned %02x", ret);
+        heap_caps_free(signature);
+        return -1;
+    }
+
+    for ( int i = 0; i < (s_ds_data->rsa_length + 1); i++) {
+        signature[i] = SWAP_INT32(((uint32_t *)sig)[(s_ds_data->rsa_length + 1) - (i + 1)]);
+    }
+
+    ds_r = esp_ds_start_sign((const void *)signature,
+                             s_ds_data,
+                             s_esp_ds_hmac_key_id,
+                             &esp_ds_ctx);
+    if (ds_r != ESP_OK) {
+        ESP_LOGE(TAG, "Error in esp_ds_start_sign, returned %02x ", ds_r);
+        heap_caps_free(signature);
+        return -1;
+    }
+
+    ds_r = esp_ds_finish_sign((void *)signature, esp_ds_ctx);
+    if (ds_r != ESP_OK) {
+        ESP_LOGE(TAG, "Error in esp_ds_finish sign, returned %02X ", ds_r);
+        heap_caps_free(signature);
+        return -1;
+    }
+
+    for ( int i = 0; i < (s_ds_data->rsa_length + 1); i++) {
+        ((uint32_t *)sig)[i] = SWAP_INT32(((uint32_t *)signature)[(s_ds_data->rsa_length + 1) - (i + 1)]);
+    }
+    heap_caps_free(signature);
+    return 0;
+}
--- a/components/mbedtls/port/include/esp32s2/esp_rsa_sign_alt.h
+++ b/components/mbedtls/port/include/esp32s2/esp_rsa_sign_alt.h
@ -0,0 +1,86 @@
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+
+#ifndef _ESP_RSA_SIGN_ALT_H_
+#define _ESP_RSA_SIGN_ALT_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "esp_ds.h"
+#include "mbedtls/md.h"
+
+/**
+ * @brief      ESP-DS data context
+ *
+ * @note       This structure includes encrypted private key parameters such as ciphertext_c, initialization vector, efuse_key_id, RSA key length, which are obtained when DS peripheral is configured.
+ */
+
+/* Context for encrypted private key data required for DS */
+typedef struct esp_ds_data_ctx {
+    esp_ds_data_t *esp_ds_data;
+    uint8_t efuse_key_id; /* efuse block id in which DS_KEY is stored e.g. 0,1*/
+    uint16_t rsa_length_bits; /* length of RSA private key in bits e.g. 2048 */
+} esp_ds_data_ctx_t;
+
+/**
+ * @brief       Initializes internal DS data context
+ *
+ * This function allocates and initializes internal ds data context which is used for Digital Signature operation.
+ *
+ * @in          ds_data     ds_data context containing encrypted private key parameters
+ * @return
+ *              - ESP_OK  In case of succees
+ *              - ESP_ERR_NO_MEM In case internal context could not be allocated.
+ *              - ESP_ERR_INVALID_ARG in case input parametrers are NULL
+ *
+ */
+esp_err_t esp_ds_init_data_ctx(esp_ds_data_ctx_t *ds_data);
+
+/**
+ *
+ * @brief      Release the ds lock acquired for the DS operation (then the DS peripheral can be used for other TLS connection)
+ *
+ */
+void esp_ds_release_ds_lock(void);
+
+/**
+ *
+ * @brief       Alternate implementation for mbedtls_rsa_rsassa_pkcs1_v15_sign, Internally makes use
+ *              of DS module to perform hardware accelerated RSA sign operation
+ */
+int esp_ds_rsa_sign( void *ctx,
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig );
+
+/*
+ * @brief       Get RSA key length in bytes from internal DS context
+ *
+ * @return      RSA key length in bytes
+ */
+size_t esp_ds_get_keylen(void *ctx);
+
+/*
+ * @brief       Set timeout (equal to TLS session timeout), so that DS module usage can be synchronized in case of multiple TLS connections using DS module,
+ */
+void esp_ds_set_session_timeout(int timeout);
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ESP_RSA_SIGN_ALT_H_ */
--- a/components/mbedtls/port/include/rsa_sign_alt.h
+++ b/components/mbedtls/port/include/rsa_sign_alt.h
@ -0,0 +1,39 @@
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+
+#ifndef _RSA_SIGN_ALT_H_
+#define _RSA_SIGN_ALT_H_
+
+#ifdef __cpluscplus
+extern "C" {
+#endif
+
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+
+#include "esp32s2/esp_rsa_sign_alt.h"
+
+#else
+
+#error "DS configuration flags not activated, please enable required menuconfig flags"
+
+#endif
+
+#ifdef __cpluscplus
+}
+#endif
+
+#endif
+