cryptocb: add WC_PK_TYPE_EC_CHECK_PUB_KEY for ECC key validation offload

Add a crypto-callback operation for validating an ECC key.

Under WOLF_CRYPTO_CB_ONLY_ECC validation now fails closed with
NO_VALID_DEVID when no device handles the operation; previously such
keys were accepted unvalidated. This is a deliberate compatibility
break, documented at the dispatch site.

Author: rizlik

doc/dox_comments/header_files/cryptocb.h

@@ -280,3 +280,34 @@ int wc_CryptoCb_AesSetKey(Aes* aes, const byte* key, word32 keySz);
     \sa wc_ecc_make_pub
 */
 int wc_CryptoCb_EccMakePub(ecc_key* key, ecc_point* pubOut);
+
+/*!
+    \ingroup CryptoCb
+
+    \brief Offload validating an ECC key to a CryptoCB device.
+
+    Used by wc_ecc_check_key and the key generation / import validation paths.
+    The public point crosses the (math-free) callback boundary as X9.63
+    uncompressed bytes in wc_CryptoInfo.pk.ecc_check_pub (\c pubKey /
+    \c pubKeySz); this wrapper serializes key->pubkey so a device handler only
+    deals with byte arrays. When the key state is \c ECC_PRIVATEKEY_ONLY,
+    \c pubKey is NULL and \c pubKeySz is 0 so the handler can distinguish "no
+    public point" from an invalid zero-coordinate public point that must be
+    validated and rejected. The caller's intent crosses in \c checkOrder and
+    \c checkPriv.
+
+    \param key        ECC key to validate (curve identity from key->dp)
+    \param checkOrder when 1 the caller requested validation that the point
+                      has the curve order (point * order == infinity)
+    \param checkPriv  when 1 the caller also requested validation of the
+                      private part (scalar range, consistency with the public
+                      point)
+
+    \return 0 if the key is valid
+    \return CRYPTOCB_UNAVAILABLE if no device handles the operation (wolfCrypt
+            falls back to software)
+
+    \sa wc_CryptoCb_RegisterDevice
+    \sa wc_ecc_check_key
+*/
+int wc_CryptoCb_EccCheckPubKey(ecc_key* key, int checkOrder, int checkPriv);

tests/swdev/swdev.c

@@ -194,6 +194,48 @@ static int swdev_ecc_make_pub(wc_CryptoInfo* info)
     return ret;
 }
 
+#ifdef HAVE_ECC_CHECK_KEY
+static int swdev_ecc_check_pub(wc_CryptoInfo* info)
+{
+    ecc_key* key = info->pk.ecc_check_pub.key;
+    int      ret = 0;
+    int      validatedFromWire = 0;
+
+    if (info->pk.ecc_check_pub.pubKeySz == 0) {
+        return ECC_INF_E;
+    }
+#ifdef HAVE_ECC_KEY_IMPORT
+    if (key->idx >= 0) {
+        WC_DECLARE_VAR(pubOnly, ecc_key, 1, key->heap);
+        WC_ALLOC_VAR(pubOnly, ecc_key, 1, key->heap);
+        if (!WC_VAR_OK(pubOnly))
+            ret = MEMORY_E;
+        else
+            ret = wc_ecc_init_ex(pubOnly, key->heap, INVALID_DEVID);
+        if (ret == 0) {
+            ret = wc_ecc_import_x963_ex(info->pk.ecc_check_pub.pubKey,
+                info->pk.ecc_check_pub.pubKeySz, pubOnly, key->dp->id);
+            if (ret == 0 &&
+                    wc_ecc_cmp_point(&pubOnly->pubkey, &key->pubkey) != MP_EQ) {
+                /* wire bytes disagree with key->pubkey */
+                ret = BAD_STATE_E;
+            }
+            if (ret == 0)
+                ret = wc_ecc_check_key(pubOnly);
+            wc_ecc_free(pubOnly);
+        }
+        WC_FREE_VAR(pubOnly, key->heap);
+        validatedFromWire = 1;
+    }
+#endif
+    if (ret == 0 && (!validatedFromWire ||
+            (info->pk.ecc_check_pub.checkPriv &&
+             key->type == ECC_PRIVATEKEY))) {
+        ret = wc_ecc_check_key(key);
+    }
+    return ret;
+}
+#endif /* HAVE_ECC_CHECK_KEY */
 #endif /* HAVE_ECC */
 
 #ifndef NO_SHA256
@@ -755,6 +797,10 @@ WC_SWDEV_EXPORT int wc_SwDev_Callback(int devId, wc_CryptoInfo* info,
             return swdev_ecc_get_sig_size(info);
         case WC_PK_TYPE_EC_MAKE_PUB:
             return swdev_ecc_make_pub(info);
+    #ifdef HAVE_ECC_CHECK_KEY
+        case WC_PK_TYPE_EC_CHECK_PUB_KEY:
+            return swdev_ecc_check_pub(info);
+    #endif
     #endif /* HAVE_ECC */
         default:
             return CRYPTOCB_UNAVAILABLE;

wolfcrypt/src/cryptocb.c

@@ -158,6 +158,7 @@ static const char* GetPkTypeStr(int pk)
         case WC_PK_TYPE_EC_GET_SIZE: return "ECC GetSize";
         case WC_PK_TYPE_EC_GET_SIG_SIZE: return "ECC GetSigSize";
         case WC_PK_TYPE_EC_MAKE_PUB: return "ECC MakePub";
+        case WC_PK_TYPE_EC_CHECK_PUB_KEY: return "ECC CheckPubKey";
     }
     return NULL;
 }
@@ -938,6 +939,66 @@ int wc_CryptoCb_EccMakePub(ecc_key* key, ecc_point* pubOut)
     return wc_CryptoCb_TranslateErrorCode(ret);
 }
 
+#ifdef HAVE_ECC_CHECK_KEY
+int wc_CryptoCb_EccCheckPubKey(ecc_key* key, int checkOrder, int checkPriv)
+{
+    int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
+    CryptoCb* dev;
+
+    if (key == NULL || key->dp == NULL)
+        return ret;
+
+    if (key->dp->size > MAX_ECC_BYTES)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(key->devId, WC_ALGO_TYPE_PK);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        word32 curveSz = (word32)key->dp->size;
+        word32 ptSz    = 1 + 2 * curveSz;
+        word32 xSz     = curveSz;
+        word32 ySz     = curveSz;
+        /* a key with no host-side public point is represented by
+         * ECC_PRIVATEKEY_ONLY and crosses as pubKey = NULL / pubKeySz = 0.
+         * If the key state says a public point exists, serialize it even when
+         * the coordinates are invalid (e.g. 0,0) so the device can reject the
+         * actual input instead of seeing "no public point". */
+        int havePub    = (key->type != ECC_PRIVATEKEY_ONLY);
+        WC_DECLARE_VAR(buf, byte, (1 + 2 * MAX_ECC_BYTES), key->heap);
+        WC_ALLOC_VAR_EX(buf, byte, (1 + 2 * MAX_ECC_BYTES), key->heap,
+            DYNAMIC_TYPE_ECC_BUFFER, return MEMORY_E);
+
+        ret = MP_OKAY;
+        if (havePub) {
+            /* serialize key->pubkey to X9.63 uncompressed (0x04 || X || Y) */
+            buf[0] = ECC_POINT_UNCOMP;
+            ret = wc_export_int(key->pubkey.x, buf + 1, &xSz, curveSz,
+                WC_TYPE_UNSIGNED_BIN);
+            if (ret == MP_OKAY)
+                ret = wc_export_int(key->pubkey.y, buf + 1 + curveSz, &ySz,
+                    curveSz, WC_TYPE_UNSIGNED_BIN);
+        }
+
+        if (ret == MP_OKAY) {
+            XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+            cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+            cryptoInfo.pk.type = WC_PK_TYPE_EC_CHECK_PUB_KEY;
+            cryptoInfo.pk.ecc_check_pub.key = key;
+            cryptoInfo.pk.ecc_check_pub.pubKey = havePub ? buf : NULL;
+            cryptoInfo.pk.ecc_check_pub.pubKeySz = havePub ? ptSz : 0;
+            cryptoInfo.pk.ecc_check_pub.checkOrder = checkOrder;
+            cryptoInfo.pk.ecc_check_pub.checkPriv = checkPriv;
+
+            ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+        }
+
+        WC_FREE_VAR_EX(buf, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* HAVE_ECC_CHECK_KEY */
 #endif /* HAVE_ECC */
 
 #ifdef HAVE_CURVE25519

wolfcrypt/src/ecc.c

@@ -10792,13 +10792,37 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
     if (key == NULL)
         return BAD_FUNC_ARG;
 
+#if defined(WOLF_CRYPTO_CB) && defined(HAVE_ECC_CHECK_KEY) && \
+    !defined(WOLFSSL_CAAM)
+    /* Device-first: when a device is configured, let it validate the public
+     * key. Fall through to the software/HW path below only when the
+     * device reports the operation unavailable.
+     * CAAM is excluded: it relies on the software order-check below to detect
+     * whether an imported private key is an encrypted black key. */
+    #ifndef WOLF_CRYPTO_CB_FIND
+    if (key->devId != INVALID_DEVID)
+    #endif
+    {
+        err = wc_CryptoCb_EccCheckPubKey(key, !partial, priv);
+        if (err != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+            return err;
+        err = MP_OKAY; /* device declined; fall through to software/HW */
+    }
+#endif
+
 #ifndef HAVE_ECC_CHECK_PUBKEY_ORDER
+#ifdef WOLF_CRYPTO_CB_ONLY_ECC
+    /* Software validation is stripped; the device-first check above either
+     * handled the key or reported the op unavailable, so fail closed rather
+     * than accept an unvalidated key. */
+    err = NO_VALID_DEVID;
+#else
     /* consider key check success on HW crypto
-     * ex: ATECC508/608A, CryptoCell and Silabs
-     *
-     * consider key check success on most Crypt Cb only builds
+     * ex: ATECC508/608A, CryptoCell and Silabs which validate the key
+     * internally
      */
     err = MP_OKAY;
+#endif
 
 #else
 
@@ -10940,6 +10964,10 @@ WOLFSSL_ABI
 int wc_ecc_check_key(ecc_key* key)
 {
     int ret;
+    /* _ecc_validate_public_key is the single validation entry point: it is
+     * device-first (offloads to the crypto callback when a device is
+     * configured) and otherwise runs the software/HW checks, or fails closed
+     * under WOLF_CRYPTO_CB_ONLY_ECC. */
     ret = _ecc_validate_public_key(key, 0, 1);
     return ret;
 }

wolfcrypt/test/test.c

@@ -71998,11 +71998,14 @@ typedef struct {
     int exampleVar; /* flag for testing if only crypt is enabled. */
 #ifdef HAVE_ECC
     int eccMakePubCount;  /* EC make-pub callback invocations */
+    int eccCheckPubCount; /* EC check-pubkey callback invocations */
     int eccMakePubBadFormat; /* when set, return a malformed (non-uncompressed)
                               * point to exercise the wrapper's BUFFER_E path */
     int eccMakePubBadLen; /* when set, claim a result size different from the
                            * curve's X9.63 length to exercise the wrapper's
                            * size check */
+    int eccCheckPubExpectZeroPoint; /* require serialized 0,0 input */
+    int eccCheckPubSawZeroPoint;    /* EC check-pubkey saw X9.63 0,0 */
     ecc_key* eccResidentKey; /* when set, the make-pub callback emits this key's
                               * public point, simulating a private scalar
                               * resident in the device (input key->k empty) */
@@ -72913,6 +72916,82 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
             ret = CRYPTOCB_UNAVAILABLE; /* no software emulation available */
         #endif
         }
+        #ifdef HAVE_ECC_CHECK_KEY
+        else if (info->pk.type == WC_PK_TYPE_EC_CHECK_PUB_KEY) {
+            ecc_key* k = info->pk.ecc_check_pub.key;
+            int validatedFromWire = 0;
+            myCtx->eccCheckPubCount++;
+            if (info->pk.ecc_check_pub.pubKeySz == 0) {
+                /* no host-side public point and this software device holds no
+                 * resident key, so there is nothing to validate (matches the
+                 * software answer for a missing public point) */
+                ret = ECC_INF_E;
+            }
+            else {
+                ret = 0;
+                if (myCtx != NULL && myCtx->eccCheckPubExpectZeroPoint) {
+                    const byte* pub = info->pk.ecc_check_pub.pubKey;
+                    word32 curveSz = (word32)k->dp->size;
+                    word32 ptSz = 1 + 2 * curveSz;
+                    word32 i;
+
+                    if (info->pk.ecc_check_pub.pubKeySz != ptSz ||
+                            pub[0] != ECC_POINT_UNCOMP) {
+                        ret = BAD_STATE_E;
+                    }
+                    for (i = 1; ret == 0 && i < ptSz; i++) {
+                        if (pub[i] != 0)
+                            ret = BAD_STATE_E;
+                    }
+                    if (ret == 0)
+                        myCtx->eccCheckPubSawZeroPoint = 1;
+                }
+            #ifdef HAVE_ECC_KEY_IMPORT
+                /* vault-style consumption: rebuild the public key from the
+                 * wire bytes and validate the rebuilt key, proving the
+                 * serialized point is sufficient and consistent with
+                 * key->pubkey. The named-curve import does not apply to
+                 * custom-curve keys (idx == ECC_CUSTOM_IDX). */
+                if (k->idx >= 0) {
+                    WC_DECLARE_VAR(pubOnly, ecc_key, 1, HEAP_HINT);
+                    WC_ALLOC_VAR(pubOnly, ecc_key, 1, HEAP_HINT);
+                    if (!WC_VAR_OK(pubOnly))
+                        ret = MEMORY_E;
+                    else
+                        ret = wc_ecc_init_ex(pubOnly, HEAP_HINT, INVALID_DEVID);
+                    if (ret == 0) {
+                        ret = wc_ecc_import_x963_ex(
+                            info->pk.ecc_check_pub.pubKey,
+                            info->pk.ecc_check_pub.pubKeySz, pubOnly,
+                            k->dp->id);
+                        if (ret == 0 && wc_ecc_cmp_point(&pubOnly->pubkey,
+                                &k->pubkey) != MP_EQ) {
+                            /* wire bytes disagree with key->pubkey */
+                            ret = BAD_STATE_E;
+                        }
+                        if (ret == 0)
+                            ret = wc_ecc_check_key(pubOnly);
+                        wc_ecc_free(pubOnly);
+                    }
+                    WC_FREE_VAR(pubOnly, HEAP_HINT);
+                    validatedFromWire = 1;
+                }
+            #endif
+                /* private/resident part (and custom-curve keys, where the
+                 * named-curve import above is unavailable): validate via the
+                 * key handle */
+                if (ret == 0 && (!validatedFromWire ||
+                        (info->pk.ecc_check_pub.checkPriv &&
+                         k->type == ECC_PRIVATEKEY))) {
+                    /* set devId to invalid, so software is used */
+                    k->devId = INVALID_DEVID;
+                    ret = wc_ecc_check_key(k);
+                    /* reset devId */
+                    k->devId = devIdArg;
+                }
+            }
+        }
+        #endif
     #endif /* HAVE_ECC */
     #ifdef HAVE_CURVE25519
         if (info->pk.type == WC_PK_TYPE_CURVE25519_KEYGEN) {
@@ -74646,8 +74725,11 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void)
     myCtx.exampleVar = 1;
 #ifdef HAVE_ECC
     myCtx.eccMakePubCount = 0;
+    myCtx.eccCheckPubCount = 0;
     myCtx.eccMakePubBadFormat = 0;
     myCtx.eccMakePubBadLen = 0;
+    myCtx.eccCheckPubExpectZeroPoint = 0;
+    myCtx.eccCheckPubSawZeroPoint = 0;
     myCtx.eccResidentKey = NULL;
 #endif
 
@@ -74681,8 +74763,60 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void)
     if (ret == 0)
         ret = ecc_test();
     PRIVATE_KEY_LOCK();
-    /* Confirm the new ECC make-pub callback was routed through the device and
-     * not silently handled in software. */
+    /* Confirm the new ECC pubkey callbacks were routed through the device and
+     * not silently handled in software. The check-pubkey callback is only
+     * exercised when wc_ecc_check_key is built (HAVE_ECC_CHECK_KEY) and the
+     * ecc_test calls to it are not skipped (WC_TEST_SKIP_ECC_CHECK_KEY); the
+     * counter legitimately stays 0 otherwise. CAAM is excluded because the
+     * check-pubkey dispatch in _ecc_validate_public_key is compiled out there
+     * (CAAM uses software validation failure to detect black keys). */
+#if !defined(WOLF_CRYPTO_CB_ONLY_ECC) && defined(HAVE_ECC_CHECK_KEY) && \
+    !defined(WC_TEST_SKIP_ECC_CHECK_KEY) && !defined(WOLFSSL_CAAM)
+    if (ret == 0 && myCtx.eccCheckPubCount == 0)
+        ret = WC_TEST_RET_ENC_NC;
+#endif
+    /* Regression: an explicit public point with zero coordinates must cross
+     * the callback boundary as X9.63 0x04||0||0, not as pubKey = NULL. */
+#if !defined(WOLFSSL_SWDEV) && defined(HAVE_ECC_CHECK_KEY) && \
+    !defined(WOLFSSL_CAAM) && !defined(NO_ECC256)
+    if (ret == 0) {
+        WC_DECLARE_VAR(zeroKey, ecc_key, 1, HEAP_HINT);
+        int haveZeroKey = 0;
+
+        WC_ALLOC_VAR(zeroKey, ecc_key, 1, HEAP_HINT);
+        PRIVATE_KEY_UNLOCK();
+        if (!WC_VAR_OK(zeroKey))
+            ret = MEMORY_E;
+        else
+            ret = wc_ecc_init_ex(zeroKey, HEAP_HINT, devId);
+        if (ret == 0) {
+            haveZeroKey = 1;
+            ret = wc_ecc_set_curve(zeroKey, 32, ECC_SECP256R1);
+        }
+        if (ret == 0) {
+            zeroKey->type = ECC_PUBLICKEY;
+            myCtx.eccCheckPubExpectZeroPoint = 1;
+            myCtx.eccCheckPubSawZeroPoint = 0;
+            ret = wc_ecc_check_key(zeroKey);
+            myCtx.eccCheckPubExpectZeroPoint = 0;
+
+            if (ret == 0) {
+                ret = WC_TEST_RET_ENC_NC; /* invalid point was accepted */
+            }
+            else if (!myCtx.eccCheckPubSawZeroPoint) {
+                ret = WC_TEST_RET_ENC_NC; /* callback saw NULL/other point */
+            }
+            else {
+                ret = 0; /* expected validation failure after serialization */
+            }
+        }
+        myCtx.eccCheckPubExpectZeroPoint = 0;
+        if (haveZeroKey)
+            wc_ecc_free(zeroKey);
+        WC_FREE_VAR(zeroKey, HEAP_HINT);
+        PRIVATE_KEY_LOCK();
+    }
+#endif
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_MICROCHIP_TA100) && !defined(WOLFSSL_STM32_PKA) && \
     !defined(WOLFSSL_SILABS_SE_ACCEL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \