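/*
 * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */

/**
 * @file
 * @brief Public API for driving mbedTLS ECDSA operations with a private key
 *        that lives in hardware (an eFuse key block or the key manager
 *        peripheral) rather than in RAM.
 */

#pragma once

#include <limits.h>   /* INT_MAX, used by USE_ECDSA_KEY_FROM_KEY_MANAGER */
#include <stdbool.h>  /* bool */
#include <stdint.h>   /* uint8_t */
#include "mbedtls/ecp.h"
#include "mbedtls/pk.h"
#include "sdkconfig.h"
#include "soc/soc_caps.h"

#ifdef __cplusplus
extern "C" {
#endif

/**
 * @brief Sentinel selecting the key deployed in the key manager peripheral
 *        instead of an eFuse key block.
 *
 * NOTE(review): presumably chosen as INT_MAX so it lies outside any valid
 * eFuse block id and can be passed where an @c efuse_blk argument is
 * expected; confirm against the implementation (see the TODO on IDF-9008
 * below).
 */
#define USE_ECDSA_KEY_FROM_KEY_MANAGER INT_MAX

/**
 * @brief ECDSA private key context initialization config structure
 *
 * @note Contains configuration information like the eFuse key block that
 *       should be used as the private key, the EC group ID of the private key
 *       and, if the export-public-key operation is supported by the
 *       peripheral, a flag load_pubkey that specifies whether the public key
 *       has to be populated.
 */
typedef struct {
    mbedtls_ecp_group_id grp_id;  /*!< MbedTLS ECP group identifier */
    uint8_t efuse_block;          /*!< eFuse block id holding the ECDSA private key.
                                       The key purpose of this block must be ECDSA_KEY */
#if defined(SOC_ECDSA_SUPPORT_EXPORT_PUBKEY) || defined(__DOXYGEN__)
    bool load_pubkey;             /*!< Export the ECDSA public key from the hardware
                                       (only present when the peripheral supports it) */
#endif
    bool use_km_key;              /*!< Use the key deployed in the key manager for the ECDSA
                                       operation. Note: the key must already be deployed by the
                                       application and it must stay activated for the lifetime
                                       of this context */
} esp_ecdsa_pk_conf_t;

// TODO: IDF-9008 (Add a config to select the ecdsa key from the key manager peripheral)

#if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__
/**
 * @brief Populate the public key buffer of the mbedtls_ecp_keypair context.
 *
 * The public key is read back from the hardware for the private key stored
 * in @p efuse_blk; the private key itself never leaves the peripheral.
 *
 * @param keypair   The mbedtls ECP key-pair structure
 * @param efuse_blk The eFuse key block that should be used as the private key.
 *                  The key purpose of this block must be ECDSA_KEY
 *
 * @return - 0 if successful
 *         - MBEDTLS_ERR_ECP_BAD_INPUT_DATA if an invalid ecp group id is specified
 *         - MBEDTLS_ERR_ECP_INVALID_KEY if an eFuse block with purpose ECDSA_KEY is not found
 *         - -1 if an invalid eFuse block is specified
 *
 * @note Callers should check the return value and treat the public key as
 *       unpopulated on any non-zero return.
 */
int esp_ecdsa_load_pubkey(mbedtls_ecp_keypair *keypair, int efuse_blk);
#endif // SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__

#if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN || __DOXYGEN__
/**
 * @brief Initialize an MPI to notify mbedtls_ecdsa_sign to use the private key in eFuse.
 *
 * We break the MPI struct of the private key in order to differentiate
 * between a hardware key and a software key.
 *
 * NOTE(review): because the MPI is intentionally malformed, it is presumably
 * only valid for the ESP hardware sign path; passing it to generic mbedTLS
 * MPI routines is not covered by this header — confirm with the implementation.
 *
 * @param key       The MPI in which this function stores the hardware context.
 *                  This must be uninitialized
 * @param efuse_blk The eFuse key block that should be used as the private key.
 *                  The key purpose of this block must be ECDSA_KEY
 *
 * @return - 0 if successful
 *         - -1 otherwise
 */
int esp_ecdsa_privkey_load_mpi(mbedtls_mpi *key, int efuse_blk);

/**
 * @brief Initialize a PK context to notify mbedtls_ecdsa_sign to use the private key in eFuse.
 *
 * We break the MPI struct used to represent the private key `d` in the ECP
 * keypair in order to differentiate between a hardware key and a software key.
 *
 * @param key_ctx   The context in which this function stores the hardware context.
 *                  This must be uninitialized
 * @param efuse_blk The eFuse key block that should be used as the private key.
 *                  The key purpose of this block must be ECDSA_KEY
 *
 * @return - 0 if successful
 *         - -1 otherwise
 */
int esp_ecdsa_privkey_load_pk_context(mbedtls_pk_context *key_ctx, int efuse_blk);

/**
 * @brief Initialize a PK context and completely populate the mbedtls_ecp_keypair context.
 *
 * We break the MPI struct used to represent the private key `d` in the ECP
 * keypair in order to differentiate between a hardware key and a software key.
 * We also populate the ECP group field present in the mbedtls_ecp_keypair
 * context. If the ECDSA peripheral of the chip supports exporting the public
 * key, we can also populate the public key buffer of the mbedtls_ecp_keypair
 * context if the load_pubkey flag is set in the esp_ecdsa_pk_conf_t config
 * argument.
 *
 * @param key_ctx The context in which this function stores the hardware context.
 *                This must be uninitialized
 * @param conf    ESP-ECDSA private key context initialization config structure
 *                (see esp_ecdsa_pk_conf_t for the eFuse / key manager requirements)
 *
 * @return - 0 if successful
 *         - -1 otherwise
 */
int esp_ecdsa_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_t *conf);
#endif // CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN || __DOXYGEN__

#ifdef __cplusplus
}
#endif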