[nrf fromlist] Fix ECDSA secp521r1 padding issue in oberon driver #34
-This is a [nrf fromlist] as this is based on a patch we have
received from Oberon ahead of introducing this in a coming
version of the Oberon PSA crypto deliverable.
-There was an issue found in test on deterministic ECDSA using NIST
secp521r1 curve type for the Oberon PSA crypto driver. The issue
was caused by an arithmetic issue with the buffer used to handle
padding of ECDSA sign and verify operations. The buffer length is
set according to the key size (modulo size) of the ECC curve
and when secp521r1 is enabled (then this buffer is 66 bytes long).
The padding is used when digests are smaller than the buffer and
since secp521r1 uses SHA-512 (normally, 64 bytes long digest) the
system handled this as a normal padding. ocrypto_ APIs expect 64
bytes input, and were handed a digest with invalid bytes.
-Signing: The API to do signature generation uses hash + 2 to get the
right offset for the digest
-Verification: The API has special handling for secp521r1 to get the
proper offset and uses hash + 2 for the right offset for the digest
ref: NCSDK-36329
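
The offset problem described in the commit message, as an added example that is not part of the pull request or the Oberon driver. It assumes the digest is right-aligned in the 66-byte buffer with zero bytes in front, and `consume_hash64` is a hypothetical stand-in for a primitive that reads exactly 64 bytes, not an ocrypto_ function.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define P521_KEY_BYTES 66 /* padding buffer length for secp521r1 (from the description) */
#define SHA512_BYTES   64 /* SHA-512 digest length */

/* Assumed padding scheme: right-align the digest in a key-sized buffer and
 * zero-fill the leading bytes. Returns the offset at which the digest
 * starts, or -1 if the digest does not fit. */
static int pad_digest(uint8_t *buf, size_t buf_len,
                      const uint8_t *digest, size_t digest_len)
{
    if (digest_len > buf_len) {
        return -1;
    }
    size_t off = buf_len - digest_len;
    memset(buf, 0, off);
    memcpy(buf + off, digest, digest_len);
    return (int)off;
}

/* Hypothetical consumer that reads exactly 64 bytes of hash input and
 * records what it saw. */
static void consume_hash64(uint8_t out[SHA512_BYTES], const uint8_t *hash)
{
    memcpy(out, hash, SHA512_BYTES);
}

/* Returns 1 if the consumer sees the true digest when handed buf + skip. */
static int digest_seen_correctly(size_t skip)
{
    uint8_t digest[SHA512_BYTES], buf[P521_KEY_BYTES], seen[SHA512_BYTES];

    for (size_t i = 0; i < SHA512_BYTES; i++) {
        digest[i] = (uint8_t)(i + 1); /* constructed sample digest */
    }
    if (pad_digest(buf, sizeof buf, digest, sizeof digest) < 0) {
        return 0;
    }
    if (skip + SHA512_BYTES > sizeof buf) {
        return 0; /* would read past the end of the padded buffer */
    }
    consume_hash64(seen, buf + skip);
    return memcmp(seen, digest, SHA512_BYTES) == 0;
}

int main(void) { return (digest_seen_correctly(2) && !digest_seen_correctly(0)) ? 0 : 1; }
```

Handing the consumer the start of the buffer gives it two padding bytes followed by a truncated digest; only the `+ 2` offset lines the 64-byte read up with the real digest.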