Arm Mbed OS support forum

Error loading DER public key with mbedtls_pk_parse_public_key

After update to 2.26.0 from 2.16.1 I found some problems loading EC public keys.

I got a -0x3D00 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT when use mbedtls_pk_parse_public_key with a valid public key.

I made a minimal gtest example: (working on 2.16.1)

TEST(Crypto, ERROR_mbedtls_pk_parse_public_key) {
    std::vector<uint8_t> key = {
        0x30, 0x82, 0x01, 0x33, 0x30, 0x81, 0xEC, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x30, 0x81,
        0xE0, 0x02, 0x01, 0x01, 0x30, 0x2C, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x01, 0x01, 0x02, 0x21, 0x00,
        0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B,
        0xF6, 0x23, 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E, 0x53, 0x77, 0x30, 0x44, 0x04, 0x20,
        0x7D, 0x5A, 0x09, 0x75, 0xFC, 0x2C, 0x30, 0x57, 0xEE, 0xF6, 0x75, 0x30, 0x41, 0x7A, 0xFF, 0xE7, 0xFB, 0x80,
        0x55, 0xC1, 0x26, 0xDC, 0x5C, 0x6C, 0xE9, 0x4A, 0x4B, 0x44, 0xF3, 0x30, 0xB5, 0xD9, 0x04, 0x20, 0x26, 0xDC,
        0x5C, 0x6C, 0xE9, 0x4A, 0x4B, 0x44, 0xF3, 0x30, 0xB5, 0xD9, 0xBB, 0xD7, 0x7C, 0xBF, 0x95, 0x84, 0x16, 0x29,
        0x5C, 0xF7, 0xE1, 0xCE, 0x6B, 0xCC, 0xDC, 0x18, 0xFF, 0x8C, 0x07, 0xB6, 0x04, 0x41, 0x04, 0x8B, 0xD2, 0xAE,
        0xB9, 0xCB, 0x7E, 0x57, 0xCB, 0x2C, 0x4B, 0x48, 0x2F, 0xFC, 0x81, 0xB7, 0xAF, 0xB9, 0xDE, 0x27, 0xE1, 0xE3,
        0xBD, 0x23, 0xC2, 0x3A, 0x44, 0x53, 0xBD, 0x9A, 0xCE, 0x32, 0x62, 0x54, 0x7E, 0xF8, 0x35, 0xC3, 0xDA, 0xC4,
        0xFD, 0x97, 0xF8, 0x46, 0x1A, 0x14, 0x61, 0x1D, 0xC9, 0xC2, 0x77, 0x45, 0x13, 0x2D, 0xED, 0x8E, 0x54, 0x5C,
        0x1D, 0x54, 0xC7, 0x2F, 0x04, 0x69, 0x97, 0x02, 0x21, 0x00, 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC,
        0x3E, 0x66, 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x71, 0x8C, 0x39, 0x7A, 0xA3, 0xB5, 0x61, 0xA6, 0xF7, 0x90, 0x1E,
        0x0E, 0x82, 0x97, 0x48, 0x56, 0xA7, 0x02, 0x01, 0x01, 0x03, 0x42, 0x00, 0x04, 0x37, 0x41, 0x18, 0xF7, 0x6A,
        0xD5, 0x65, 0x34, 0x2D, 0xEA, 0x40, 0xC9, 0x00, 0x87, 0x70, 0xDE, 0x69, 0x3B, 0xA7, 0xA2, 0xB9, 0x44, 0xF0,
        0x33, 0xA2, 0x10, 0x9A, 0x30, 0x7A, 0x86, 0xB5, 0x0D, 0x6B, 0xC1, 0x1F, 0x09, 0xC5, 0xA3, 0x24, 0x48, 0xBD,
        0x3F, 0x28, 0x8A, 0x1B, 0xFC, 0xEA, 0xE1, 0xE7, 0xD4, 0x71, 0xC4, 0x04, 0xB7, 0xC4, 0xD4, 0xFE, 0x7D, 0xC8,
        0xA5, 0x84, 0xFB, 0x9F, 0x49};

    mbedtls_pk_context pk;
    mbedtls_pk_init(&pk);
    int error = mbedtls_pk_parse_public_key(&pk, key.data(), key.size());
    mbedtls_pk_free(&pk);
    ASSERT_EQ(error, 0);
}

Here is the callstack of involved methods:

mbedtls_ecp_get_type (/src/mbedtls/library/ecp.c:623) 
mbedtls_ecp_point_read_binary (/src/mbedtls/library/ecp.c:893)
pk_group_from_specified (/src/mbedtls/library/pkparse.c:345)
pk_group_id_from_specified (/src/mbedtls/library/pkparse.c:436)
pk_use_ecparams (/src/mbedtls/library/pkparse.c:469)
mbedtls_pk_parse_subpubkey (/src/mbedtls/library/pkparse.c:657)
mbedtls_pk_parse_public_key (/src/mbedtls/library/pkparse.c:1528)

As far as I can see the problem is “pk_group_from_specified” calling to “mbedtls_ecp_point_read_binary” to fill the G component, but “mbedtls_ecp_get_type” using the G component to check the curve type.

I think this line is not correct, since grp will be used to check the G component (/src/mbedtls/library/pkparse.c:345):

if( ( ret = mbedtls_ecp_point_read_binary( **grp**, **&grp->G**,
                                  ( const unsigned char *) p, len ) ) != 0 )

As we can see, the G component is still not filled, but will be used to check the curve type, and none of these check will provide a valid type (/src/mbedtls/library/ecp.c:905):

if(mbedtls_ecp_get_type(**grp**) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
[...]
if(mbedtls_ecp_get_type(**grp**) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {

mbedtls_ecp_get_type is using the G component to check the curve type (/src/mbedtls/library/ecp.c:623):

if(**grp->G**.X.p == NULL)
    return (MBEDTLS_ECP_TYPE_NONE);