mbedtls: Use ASN1Writer instead of hacking it up

2023-02-13 10:56:34 +05:30 · 2023-02-13 10:56:34 +05:30 · 034d169cf5
commit 034d169cf5
parent 316de9c97a
2 changed files with 18 additions and 47 deletions
--- a/matter/src/cert/mod.rs
+++ b/matter/src/cert/mod.rs
@ -26,7 +26,8 @@ use crate::{
 use log::error;
 use num_derive::FromPrimitive;

-use self::{asn1_writer::ASN1Writer, printer::CertPrinter};
+pub use self::asn1_writer::ASN1Writer;
+use self::printer::CertPrinter;

 // As per https://datatracker.ietf.org/doc/html/rfc5280

--- a/matter/src/crypto/crypto_mbedtls.rs
+++ b/matter/src/crypto/crypto_mbedtls.rs
@ -29,7 +29,12 @@ use mbedtls::{
 };

 use super::CryptoKeyPair;
-use crate::error::Error;
+use crate::{
+    // TODO: We should move ASN1Writer out of Cert,
+    // so Crypto doesn't have to depend on Cert
+    cert::{ASN1Writer, CertConsumer},
+    error::Error,
+};

 pub struct HmacSha256 {
    inner: Hmac,
@ -183,7 +188,7 @@ impl CryptoKeyPair for KeyPair {

        // current rust-mbedTLS APIs the signature to be in DER format
        let mut mbedtls_sign = [0u8; super::EC_SIGNATURE_LEN_BYTES * 3];
-        let len = convert_r_s_to_asn1_sign(signature, &mut mbedtls_sign);
+        let len = convert_r_s_to_asn1_sign(signature, &mut mbedtls_sign)?;
        let mbedtls_sign = &mbedtls_sign[..len];

        if let Err(e) = tmp_key.verify(hash::Type::Sha256, &msg_hash, mbedtls_sign) {
@ -195,51 +200,16 @@ impl CryptoKeyPair for KeyPair {
    }
 }

-fn convert_r_s_to_asn1_sign(signature: &[u8], mbedtls_sign: &mut [u8]) -> usize {
-    let mut offset = 0;
-    mbedtls_sign[offset] = 0x30;
-    offset += 1;
-    let mut len = 68;
-    if (signature[0] & 0x80) == 0x80 {
-        len += 1;
-    }
-    if (signature[32] & 0x80) == 0x80 {
-        len += 1;
-    }
-    mbedtls_sign[offset] = len;
-    offset += 1;
-    mbedtls_sign[offset] = 0x02;
-    offset += 1;
-    if (signature[0] & 0x80) == 0x80 {
-        // It seems if topmost bit is 1, there is an extra 0
-        mbedtls_sign[offset] = 33;
-        offset += 1;
-        mbedtls_sign[offset] = 0;
-        offset += 1;
-    } else {
-        mbedtls_sign[offset] = 32;
-        offset += 1;
-    }
-    mbedtls_sign[offset..(offset + 32)].copy_from_slice(&signature[..32]);
-    offset += 32;
+fn convert_r_s_to_asn1_sign(signature: &[u8], mbedtls_sign: &mut [u8]) -> Result<usize, Error> {
+    let r = &signature[0..32];
+    let s = &signature[32..64];

-    mbedtls_sign[offset] = 0x02;
-    offset += 1;
-    if (signature[32] & 0x80) == 0x80 {
-        // It seems if topmost bit is 1, there is an extra 0
-        mbedtls_sign[offset] = 33;
-        offset += 1;
-        mbedtls_sign[offset] = 0;
-        offset += 1;
-    } else {
-        mbedtls_sign[offset] = 32;
-        offset += 1;
-    }
-
-    mbedtls_sign[offset..(offset + 32)].copy_from_slice(&signature[32..64]);
-    offset += 32;
-
-    offset
+    let mut wr = ASN1Writer::new(mbedtls_sign);
+    wr.start_seq("")?;
+    wr.integer("r", r)?;
+    wr.integer("s", s)?;
+    wr.end_seq()?;
+    Ok(wr.as_slice().len())
 }

 // mbedTLS sign() function directly encodes the signature in ASN1. The lower level function