Closed DemiMarie closed 1 year ago
Can you please clarify the request? Is this about TLS, about the ecp.h interface or something else? I don't see what generic support we have that could be dropped.
Mbed TLS does not support defining arbitrary curves: you have to edit library code. I think it never did, although the original design came close. And we do not intend to move to a more open design.
Mbed TLS doesn't even recognize explicit curves in TLS. It wants named curves. (For finite-field DH, we do recognize explicit groups since that's the only way in TLS 1.2. We currently support arbitrary groups, but in Mbed TLS 4, we're likely to require the group to be one of the predefined groups.)
Mbed TLS at the very least contains code for parsing AlgorithmIdentifiers that use explicitly specified curve parameters. I am not sure if such AlgorithmIdentifiers can be used to successfully verify a signature, though.
Ah, right, the pkparse code supports SpecifiedECDomain. It only recognizes predefined curves: the code compares the curve parameters with known groups to find a mbedtls_ecp_grp_id, and errors out if it doesn't find a group ID.
It's impossible to trigger a signature calculation with a custom curve. All the interfaces to ECC arithmetic need a group id.
I wonder if this code could be simplified by not parsing the EC domains at all, and instead doing the lookup using the raw byte sequence as key.
Since we don't support arbitrary curves in practice, I'm going to close this as a non-issue. Feel free to open follow-up issues related to other pkparse improvements if needed.
Suggested enhancement
Mbed TLS should drop support for arbitrary elliptic curves, at least in the default build. Explicitly-specified curves that are actually aliases for known named curves would continue to be supported (by being translated to said named curve), as e.g. the biometric passport standard uses them. This support could be turned on or off at runtime.
Justification
Mbed TLS needs this because arbitrary elliptic curves are impossible to implement efficiently in constant-time, and many standards require the use of the named-curve form.
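
The lookup discussed in this thread (explicit SpecifiedECDomain parameters translated to a named curve, anything else rejected), as an added example that is not Mbed TLS code or any participant's code. The types and function names are hypothetical, the table holds only secp256r1, and integers are compared by value rather than by raw encoded bytes so that a padded encoding of a known curve still matches.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical types for this example; these are not Mbed TLS structures. */
typedef struct { const unsigned char *buf; size_t len; } be_int; /* big-endian */
typedef struct { be_int p, a, b, gx, gy, n; } explicit_params;
typedef enum { CURVE_NONE = 0, CURVE_SECP256R1 } curve_id;
#define BE(lit) { (const unsigned char *)(lit), sizeof(lit) - 1 }

/* secp256r1 domain parameters, the only entry in this example's table. */
static const explicit_params known_p256 = {
    BE("\xFF\xFF\xFF\xFF\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00"
       "\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"), /* p */
    BE("\xFF\xFF\xFF\xFF\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00"
       "\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"), /* a */
    BE("\x5A\xC6\x35\xD8\xAA\x3A\x93\xE7\xB3\xEB\xBD\x55\x76\x98\x86\xBC"
       "\x65\x1D\x06\xB0\xCC\x53\xB0\xF6\x3B\xCE\x3C\x3E\x27\xD2\x60\x4B"), /* b */
    BE("\x6B\x17\xD1\xF2\xE1\x2C\x42\x47\xF8\xBC\xE6\xE5\x63\xA4\x40\xF2"
       "\x77\x03\x7D\x81\x2D\xEB\x33\xA0\xF4\xA1\x39\x45\xD8\x98\xC2\x96"), /* Gx */
    BE("\x4F\xE3\x42\xE2\xFE\x1A\x7F\x9B\x8E\xE7\xEB\x4A\x7C\x0F\x9E\x16"
       "\x2B\xCE\x33\x57\x6B\x31\x5E\xCE\xCB\xB6\x40\x68\x37\xBF\x51\xF5"), /* Gy */
    BE("\xFF\xFF\xFF\xFF\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
       "\xBC\xE6\xFA\xAD\xA7\x17\x9E\x84\xF3\xB9\xCA\xC2\xFC\x63\x25\x51"), /* n */
};

/* Compare two big-endian integers by value, ignoring leading zero bytes
   (a DER INTEGER carries a 0x00 sign byte when its top bit is set). */
static int be_equal(be_int x, be_int y) {
    while (x.len && *x.buf == 0) { x.buf++; x.len--; }
    while (y.len && *y.buf == 0) { y.buf++; y.len--; }
    return x.len == y.len && (x.len == 0 || memcmp(x.buf, y.buf, x.len) == 0);
}

/* Map explicit parameters to a named curve; CURVE_NONE means reject the key. */
static curve_id lookup_curve(const explicit_params *e) {
    const explicit_params *k = &known_p256;
    if (be_equal(e->p, k->p) && be_equal(e->a, k->a) && be_equal(e->b, k->b) &&
        be_equal(e->gx, k->gx) && be_equal(e->gy, k->gy) && be_equal(e->n, k->n))
        return CURVE_SECP256R1;
    return CURVE_NONE;
}

int main(void) { return lookup_curve(&known_p256) == CURVE_SECP256R1 ? 0 : 1; }
```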