2 changes: 1 addition & 1 deletion library/ssl_ciphersuites.c
@@ -924,7 +924,7 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));

case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
return MBEDTLS_PK_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));

default:
return PSA_ALG_NONE;
6 changes: 3 additions & 3 deletions library/ssl_tls.c
@@ -8147,14 +8147,14 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_md_psa_alg_from_type(md_alg);

if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
!mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
PSA_ALG_ECDSA(psa_hash_alg),
!mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
MBEDTLS_PK_ALG_ECDSA(psa_hash_alg),
PSA_KEY_USAGE_SIGN_HASH)) {
continue;
}

if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
!mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
!mbedtls_pk_can_do_psa(ssl->handshake->key_cert->key,
PSA_ALG_RSA_PKCS1V15_SIGN(
psa_hash_alg),
PSA_KEY_USAGE_SIGN_HASH)) {
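--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -693,11 +693,12 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
 int key_type_matches = 0;
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
-mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
-mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
+mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
+mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg,
+PSA_KEY_USAGE_VERIFY_HASH));
 #else
 key_type_matches = (
-mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
+mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 if (!key_type_matches) {
 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));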
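Review bot: The certificate-side check in the `MBEDTLS_SSL_ASYNC_PRIVATE` branch now hard-codes `PSA_KEY_USAGE_VERIFY_HASH` while the private-key check beside it still passes `pk_usage`, and nothing in the hunk explains why the two differ. `pk_usage` is assigned outside the hunk, so if it can ever carry a non-signature usage the public-key test would no longer mirror it; a comment such as `/* cert->pk is a public key: test the verify usage that pairs with the signing usage in pk_usage */` would pin the assumption. The `#else` branch still tests only `cur->key`, so builds without async support never compare the certificate's own key against `pk_alg` at this point; it is worth confirming that this is intended. `ssl_pick_cert` starts and ends outside the hunk.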
10 changes: 5 additions & 5 deletions library/ssl_tls13_server.c
@@ -1076,11 +1076,11 @@ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
{
switch (sig_alg) {
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256);
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384);
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
return MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_512);
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
@@ -1160,8 +1160,8 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, &key_cert->cert->pk)
&& psa_alg != PSA_ALG_NONE &&
mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
PSA_KEY_USAGE_SIGN_HASH) == 1
mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
PSA_KEY_USAGE_VERIFY_HASH) == 1
) {
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_MSG(3,
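Review bot: The selection condition in `ssl_tls13_pick_key_cert` tests only the certificate's public key (`&key_cert->cert->pk`, with `PSA_KEY_USAGE_VERIFY_HASH`); the private key that will produce the signature is not tested in the visible lines. If no such test exists elsewhere in the function (it continues outside the hunk), an opaque key whose policy does not permit `psa_alg` would be picked here and fail only at signing time, instead of letting the loop try the next candidate. Adding `&& mbedtls_pk_can_do_psa(key_cert->key, psa_alg, PSA_KEY_USAGE_SIGN_HASH)` to the condition would reject it at selection. The `== 1` comparison also differs from the other call sites on this page, which use the return value directly as a boolean.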
4 changes: 2 additions & 2 deletions programs/ssl/ssl_test_lib.c
@@ -242,7 +242,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
*psa_algs[i] = PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "ecdsa-sign") == 0) {
*psa_algs[i] = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
*psa_algs[i] = MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH);
*usage |= PSA_KEY_USAGE_SIGN_HASH;
} else if (strcmp(algs[i], "ecdh") == 0) {
*psa_algs[i] = PSA_ALG_ECDH;
@@ -253,7 +253,7 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
}
} else {
if (key_type == MBEDTLS_PK_ECKEY) {
*psa_alg1 = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
*psa_alg1 = MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH);
*psa_alg2 = PSA_ALG_ECDH;
*usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
} else if (key_type == MBEDTLS_PK_RSA) {
4 changes: 2 additions & 2 deletions tests/suites/test_suite_ssl.data
@@ -457,11 +457,11 @@ handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA

Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM

Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM

Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH