Parse RSA parameters DP, DQ and QP from PKCS1 private keys
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP (see
https://eprint.iacr.org/2020/055). By loading the pre-computed values, not
only is the side channel avoided, but the runtime overhead of loading RSA keys
is also reduced.
Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347
diff --git a/library/pkparse.c b/library/pkparse.c
index 596dae9..2311986 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -769,16 +769,31 @@
goto cleanup;
p += len;
+ /* Import DP */
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_binary( &rsa->DP, p, len ) ) != 0 )
+ goto cleanup;
+ p += len;
+
+ /* Import DQ */
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_binary( &rsa->DQ, p, len ) ) != 0 )
+ goto cleanup;
+ p += len;
+
+ /* Import QP */
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+ MBEDTLS_ASN1_INTEGER ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_binary( &rsa->QP, p, len ) ) != 0 )
+ goto cleanup;
+ p += len;
+
/* Complete the RSA private key */
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
goto cleanup;
- /* Check optional parameters */
- if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
- ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
- ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
- goto cleanup;
-
if( p != end )
{
ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +