[crypto] Initial crypto backend using PSA crypto API (#23193)

* [crypto] Add initial implementation for PSA crypto API Implement most cryptographic operations using PSA crypto API. Make it unit-testable using the following manual steps (until we all agree to update mbedTLS to 3.X): 1. Update mbedTLS submodule to 3.2.1 and update mbedtls.gni accordingly. 2. Use scripts/generate_driver_wrappers.py to generate psa_crypto_driver_wrappers.c and include it in mbedTLS library build. 3. Increase CHIP_CONFIG_SHA256_CONTEXT_SIZE to 256B 4. gn gen out/ut --args='chip_crypto="psa"' 5. ninja -C out/ut tests/CHIPCryptoPALTest 6. out/ut/tests/CHIPCryptoPALTest [crypto] Implement PBKDF2 using PSA crypto API PBKDF2 PSA crypto API is not yet implemented in mbedTLS 3.1 nor 3.2 so for now use a handcrafted implementation using HMAC directly. [crypto] Implement ECDSA and ECDH using PSA crypto API The ECDSA and ECDH operations specified by P256Keypair and P256PublicKey classes have been implemented using PSA crypto API provided by mbedTLS 3.X. * Code review comments
project-chip · Mar 14, 2023 · 1010824 · 1010824
1 parent 3d846e5
commit 1010824
Show file tree

Hide file tree

Showing 3 changed files with 1,780 additions and 4 deletions.
diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
@@ -30,22 +30,24 @@ if (chip_crypto == "") {
 }
 
 assert(
-    chip_crypto == "mbedtls" || chip_crypto == "openssl" ||
-        chip_crypto == "tinycrypt" || chip_crypto == "boringssl" ||
-        chip_crypto == "platform",
-    "Please select a valid crypto implementation: mbedtls, openssl, tinycrypt, boringssl, platform")
+    chip_crypto == "mbedtls" || chip_crypto == "psa" ||
+        chip_crypto == "openssl" || chip_crypto == "tinycrypt" ||
+        chip_crypto == "boringssl" || chip_crypto == "platform",
+    "Please select a valid crypto implementation: mbedtls, psa, openssl, tinycrypt, boringssl, platform")
 
 buildconfig_header("crypto_buildconfig") {
   header = "CryptoBuildConfig.h"
   header_dir = "crypto"
 
   chip_crypto_mbedtls = chip_crypto == "mbedtls"
+  chip_crypto_psa = chip_crypto == "psa"
   chip_crypto_openssl = chip_crypto == "openssl"
   chip_crypto_boringssl = chip_crypto == "boringssl"
   chip_crypto_platform = chip_crypto == "platform"
 
   defines = [
     "CHIP_CRYPTO_MBEDTLS=${chip_crypto_mbedtls}",
+    "CHIP_CRYPTO_PSA=${chip_crypto_psa}",
     "CHIP_CRYPTO_OPENSSL=${chip_crypto_openssl}",
     "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
     "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
@@ -107,6 +109,19 @@ if (chip_crypto == "openssl") {
 
     external_mbedtls = current_os == "zephyr"
 
+    if (!external_mbedtls) {
+      public_deps += [ "${mbedtls_root}:mbedtls" ]
+    }
+  }
+} else if (chip_crypto == "psa") {
+  import("//build_overrides/mbedtls.gni")
+
+  source_set("cryptopal_psa") {
+    sources = [ "CHIPCryptoPALPSA.cpp" ]
+    public_deps = [ ":public_headers" ]
+
+    external_mbedtls = current_os == "zephyr"
+
     if (!external_mbedtls) {
       public_deps += [ "${mbedtls_root}:mbedtls" ]
     }
@@ -142,6 +157,8 @@ static_library("crypto") {
 
   if (chip_crypto == "mbedtls") {
     public_deps += [ ":cryptopal_mbedtls" ]
+  } else if (chip_crypto == "psa") {
+    public_deps += [ ":cryptopal_psa" ]
   } else if (chip_crypto == "openssl") {
     public_deps += [ ":cryptopal_openssl" ]
   } else if (chip_crypto == "boringssl") {