bootutil: Remove P224 curve

#------------------------------------------------------------------------------

# Copyright (c) 2020, Arm Limited. All rights reserved.

# Copyright (c) 2020-2023, Arm Limited. All rights reserved.

#

# SPDX-License-Identifier: Apache-2.0

#

        src/encrypted.c

        src/fault_injection_hardening.c

        src/fault_injection_hardening_delay_rng_mbedtls.c

        src/image_ec.c

        src/image_ec256.c

        src/image_ed25519.c

        src/image_rsa.c

/*

 * Copyright (c) 2017 Linaro Limited

 * Copyright (c) 2021 Arm Limited

 * Copyright (c) 2021-2023 Arm Limited

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

uint32_t bootutil_get_caps(void);

#define BOOTUTIL_CAP_RSA2048                (1<<0)

#define BOOTUTIL_CAP_ECDSA_P224             (1<<1)

#define BOOTUTIL_CAP_ECDSA_P256             (1<<2)

#define BOOTUTIL_CAP_SWAP_USING_SCRATCH     (1<<3)

#define BOOTUTIL_CAP_OVERWRITE_UPGRADE      (1<<4)

#define BOOTUTIL_CAP_ENC_RSA                (1<<5)

#define BOOTUTIL_CAP_ENC_KW                 (1<<6)

#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT  (1<<7)

#define BOOTUTIL_CAP_RSA3072                (1<<8)

#define BOOTUTIL_CAP_ED25519                (1<<9)

#define BOOTUTIL_CAP_ENC_EC256              (1<<10)

#define BOOTUTIL_CAP_SWAP_USING_MOVE        (1<<11)

#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION   (1<<12)

#define BOOTUTIL_CAP_ENC_X25519             (1<<13)

#define BOOTUTIL_CAP_BOOTSTRAP              (1<<14)

#define BOOTUTIL_CAP_AES256                 (1<<15)

#define BOOTUTIL_CAP_RAM_LOAD               (1<<16)

#define BOOTUTIL_CAP_DIRECT_XIP             (1<<17)

#define BOOTUTIL_CAP_ECDSA_P256             (1<<1)

#define BOOTUTIL_CAP_SWAP_USING_SCRATCH     (1<<2)

#define BOOTUTIL_CAP_OVERWRITE_UPGRADE      (1<<3)

#define BOOTUTIL_CAP_ENC_RSA                (1<<4)

#define BOOTUTIL_CAP_ENC_KW                 (1<<5)

#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT  (1<<6)

#define BOOTUTIL_CAP_RSA3072                (1<<7)

#define BOOTUTIL_CAP_ED25519                (1<<8)

#define BOOTUTIL_CAP_ENC_EC256              (1<<9)

#define BOOTUTIL_CAP_SWAP_USING_MOVE        (1<<10)

#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION   (1<<11)

#define BOOTUTIL_CAP_ENC_X25519             (1<<12)

#define BOOTUTIL_CAP_BOOTSTRAP              (1<<13)

#define BOOTUTIL_CAP_AES256                 (1<<14)

#define BOOTUTIL_CAP_RAM_LOAD               (1<<15)

#define BOOTUTIL_CAP_DIRECT_XIP             (1<<16)

/*

 * Query the number of images this bootloader is configured for.  This

 *

 * Copyright (c) 2016-2019 Linaro LTD

 * Copyright (c) 2016-2019 JUUL Labs

 * Copyright (c) 2019-2021 Arm Limited

 * Copyright (c) 2019-2023 Arm Limited

 *

 * Original license:

 *

#define IMAGE_TLV_PUBKEY            0x02   /* public key */

#define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */

#define IMAGE_TLV_RSA2048_PSS       0x20   /* RSA2048 of hash output */

#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output */

#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output - Not supported anymore */

#define IMAGE_TLV_ECDSA256          0x22   /* ECDSA of hash output */

#define IMAGE_TLV_RSA3072_PSS       0x23   /* RSA3072 of hash output */

#define IMAGE_TLV_ED25519           0x24   /* ed25519 of hash output */

 * SPDX-License-Identifier: Apache-2.0

 *

 * Copyright (c) 2017 Linaro Limited

 * Copyright (c) 2021 Arm Limited

 * Copyright (c) 2021-2023 Arm Limited

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

    res |= BOOTUTIL_CAP_RSA3072;

#endif

#endif

#if defined(MCUBOOT_SIGN_EC)

    res |= BOOTUTIL_CAP_ECDSA_P224;

#endif

#if defined(MCUBOOT_SIGN_EC256)

    res |= BOOTUTIL_CAP_ECDSA_P256;

#endif

/*

 * SPDX-License-Identifier: Apache-2.0

 *

 * Copyright (c) 2016-2018 JUUL Labs

 * Copyright (C) 2021 Arm Limited

 *

 * Original license:

 *

 * Licensed to the Apache Software Foundation (ASF) under one

 * or more contributor license agreements.  See the NOTICE file

 * distributed with this work for additional information

 * regarding copyright ownership.  The ASF licenses this file

 * to you under the Apache License, Version 2.0 (the

 * "License"); you may not use this file except in compliance

 * with the License.  You may obtain a copy of the License at

 *

 *  http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing,

 * software distributed under the License is distributed on an

 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

 * KIND, either express or implied.  See the License for the

 * specific language governing permissions and limitations

 * under the License.

 */

#include <string.h>

#include "mcuboot_config/mcuboot_config.h"

#ifdef MCUBOOT_SIGN_EC

#include "bootutil/sign_key.h"

#include "mbedtls/ecdsa.h"

#include "mbedtls/oid.h"

#include "mbedtls/asn1.h"

#include "bootutil/crypto/common.h"

#include "bootutil_priv.h"

/*

 * Declaring these like this adds NULL termination.

 */

static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED;

static const uint8_t ec_secp224r1_oid[] = MBEDTLS_OID_EC_GRP_SECP224R1;

/*

 * Parse the public key used for signing.

 */

static int

bootutil_parse_eckey(mbedtls_ecdsa_context *ctx, uint8_t **p, uint8_t *end)

{

    size_t len;

    mbedtls_asn1_buf alg;

    mbedtls_asn1_buf param;

    if (mbedtls_asn1_get_tag(p, end, &len,

        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {

        return -1;

    }

    end = *p + len;

    if (mbedtls_asn1_get_alg(p, end, &alg, &param)) {

        return -2;

    }

    if (alg.len != sizeof(ec_pubkey_oid) - 1 ||

      memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {

        return -3;

    }

    if (param.len != sizeof(ec_secp224r1_oid) - 1||

      memcmp(param.p, ec_secp224r1_oid, sizeof(ec_secp224r1_oid) - 1)) {

        return -4;

    }

    if (mbedtls_ecp_group_load(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), MBEDTLS_ECP_DP_SECP224R1)) {

        return -5;

    }

    if (mbedtls_asn1_get_bitstring_null(p, end, &len)) {

        return -6;

    }

    if (*p + len != end) {

        return -7;

    }

    if (mbedtls_ecp_point_read_binary(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q), *p, end - *p)) {

        return -8;

    }

    if (mbedtls_ecp_check_pubkey(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q))) {

        return -9;

    }

    return 0;

}

static int

bootutil_cmp_sig(mbedtls_ecdsa_context *ctx, uint8_t *hash, uint32_t hlen,

  uint8_t *sig, size_t slen)

{

    return mbedtls_ecdsa_read_signature(ctx, hash, hlen, sig, slen);

}

int

bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,

  uint8_t key_id)

{

    int rc;

    uint8_t *cp;

    uint8_t *end;

    mbedtls_ecdsa_context ctx;

    mbedtls_ecdsa_init(&ctx);

    cp = (uint8_t *)bootutil_keys[key_id].key;

    end = cp + *bootutil_keys[key_id].len;

    rc = bootutil_parse_eckey(&ctx, &cp, end);

    if (rc) {

        return -1;

    }

    while (sig[slen - 1] == '\0') {

        slen--;

    }

    rc = bootutil_cmp_sig(&ctx, hash, hlen, sig, slen);

    mbedtls_ecdsa_free(&ctx);

    return rc;

}

#endif /* MCUBOOT_SIGN_EC */