se050: add support for SE050 SIGN ONLY options

This commit is contained in:
Marco Oliverio
2026-03-03 11:30:38 +01:00
parent 5cd2db0b4d
commit f55ecb5124
4 changed files with 30 additions and 3 deletions
+3
@@ -880,7 +880,10 @@ WOLFSSL_SE050_AUTO_ERASE
WOLFSSL_SE050_CRYPT
WOLFSSL_SE050_HASH
WOLFSSL_SE050_INIT
WOLFSSL_SE050_NOECDHE
WOLFSSL_SE050_NO_ECDSA_VERIFY
WOLFSSL_SE050_NO_RSA
WOLFSSL_SE050_NO_RSA_VERIFY
WOLFSSL_SE050_NO_TRNG
WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
WOLFSSL_SERVER_EXAMPLE
+6 -3
@@ -291,6 +291,9 @@ ECC Curve Sizes:
#undef HAVE_ECC_VERIFY_HELPER
#define HAVE_ECC_VERIFY_HELPER
#endif
#if defined(WOLFSSL_SE050_NO_ECDSA_VERIFY)
#define HAVE_ECC_VERIFY_HELPER
#endif
#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
!defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
@@ -4767,7 +4770,7 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
err = silabs_ecc_shared_secret(private_key, public_key, out, outlen);
#elif defined(WOLFSSL_KCAPI_ECC)
err = KcapiEcc_SharedSecret(private_key, public_key, out, outlen);
#elif defined(WOLFSSL_SE050)
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NOECDHE)
err = se050_ecc_shared_secret(private_key, public_key, out, outlen);
#else
err = wc_ecc_shared_secret_ex(private_key, &public_key->pubkey, out, outlen);
@@ -5761,7 +5764,7 @@ static int _ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key,
else {
err = NOT_COMPILED_IN;
}
#elif defined(WOLFSSL_SE050)
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NOECDHE)
err = se050_ecc_create_key(key, key->dp->id, key->dp->size);
key->type = ECC_PRIVATEKEY;
#elif defined(WOLFSSL_CRYPTOCELL)
@@ -9261,7 +9264,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
#elif defined(WOLFSSL_XILINX_CRYPT_VERSAL)
byte sigRS[ECC_MAX_CRYPTO_HW_SIZE * 2];
byte hashcopy[ECC_MAX_CRYPTO_HW_SIZE] = {0};
#elif defined(WOLFSSL_SE050)
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_ECDSA_VERIFY)
#else
int curveLoaded = 0;
DECLARE_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);
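Review bot: The declarations hunk of wc_ecc_verify_hash_ex now reads `#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_ECDSA_VERIFY)`, but the later dispatch in the same function that selects the SE050 verify routine is outside this hunk, and the file's +6 -3 diffstat appears fully accounted for by the four hunks shown, so that dispatch is unchanged by this commit. Please confirm it is keyed on `HAVE_ECC_VERIFY_HELPER` (which the first hunk now defines for this option) rather than on a bare `defined(WOLFSSL_SE050)`; otherwise a `WOLFSSL_SE050_NO_ECDSA_VERIFY` build would declare `curveLoaded` and the curve specs and still take the hardware path. The same question applies to the `#else` branches reached by the shared-secret and key-generation hunks: `wc_ecc_shared_secret_ex()` and the software key-generation code must not themselves be compiled out under `WOLFSSL_SE050`. As a style point, the new `#if defined(WOLFSSL_SE050_NO_ECDSA_VERIFY)` block defines `HAVE_ECC_VERIFY_HELPER` without the `#undef` the preceding block uses; both are valid for an empty macro, but `#undef HAVE_ECC_VERIFY_HELPER` before the `#define` keeps the two blocks uniform. All three functions touched begin and end outside their hunks.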
+19
@@ -246,6 +246,25 @@ defined, wolfCrypt will instead fall back to using `/dev/random` and
Disables using the SE050 for RSA, useful for the SE050E which does not have
RSA support.
**`WOLFSSL_SE050_NOECDHE`**
Disables offloading ECDH key generation and shared secret operations to the
SE050. When defined, `wc_ecc_make_key()` and `wc_ecc_shared_secret()` will
use wolfCrypt software instead of the SE050.
**`WOLFSSL_SE050_NO_ECDSA_VERIFY`**
When defined, ECDSA signing (`wc_ecc_sign_hash()`) continues to be offloaded
to the SE050, but ECDSA verification (`wc_ecc_verify_hash()`) uses wolfCrypt
software.
**`WOLFSSL_SE050_NO_RSA_VERIFY`**
When defined, RSA PKCS#1 v1.5 signing (`wc_RsaSSL_Sign()`) continues to be
offloaded to the SE050, but RSA PKCS#1 v1.5 verification (`wc_RsaSSL_Verify()`)
uses wolfCrypt software (public-key exponentiation + unpad). RSA PSS verify and
RSA key-exchange decrypt are unaffected.
## wolfSSL HostCrypto Support
The NXP SE05x Plug & Trust Middleware by default can use either OpenSSL or
+2
@@ -3660,6 +3660,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
}
return ret;
}
#if !defined(WOLFSSL_SE050_NO_RSA_VERIFY)
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1 &&
pad_type != WC_RSA_PSS_PAD) {
@@ -3675,6 +3676,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
}
return ret;
}
#endif /* !WOLFSSL_SE050_NO_RSA_VERIFY */
#endif /* RSA CRYPTO HW */
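Review bot: The new `#if !defined(WOLFSSL_SE050_NO_RSA_VERIFY)` wraps a bare `else if` branch of RsaPrivateDecryptEx, so when the option is set the preceding `if` block stands alone and control falls through to whatever follows `#endif /* RSA CRYPTO HW */`; nothing in the hunk states that this is the software PKCS#1 v1.5 verify path the README describes. A short comment on the new `#if` would make the intent explicit, e.g. `#if !defined(WOLFSSL_SE050_NO_RSA_VERIFY) /* v1.5 verify offloaded unless disabled; otherwise fall through to the software path below */`. Guarding an `else if` with the preprocessor is legal but easy to misread, since the `if` above only stands alone because it ends in `return ret;`; the comment at the `#endif` should say the same so the pairing survives future edits. RsaPrivateDecryptEx starts before the first hunk, and the software path it falls into lies after the second.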