From 7739e47a10557b5dbe25a5d28d0f7dc239c7b256 Mon Sep 17 00:00:00 2001
From: Christian Huitema <huitema@huitema.net>
Date: Sun, 3 Dec 2023 17:04:49 -0800
Subject: [PATCH 1/4] Add mbedtls_sign.c

---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index dc146a8f7..f42f21a9d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -204,7 +204,7 @@ IF (WITH_MBEDTLS)
     message(STATUS "mbedtls/include: ${MBEDTLS_INCLUDE_DIRS}")
     message(STATUS "mbedtls libraries: ${MBEDTLS_LIBRARIES}")
     INCLUDE_DIRECTORIES(${MBEDTLS_INCLUDE_DIRS})
-    ADD_LIBRARY(picotls-mbedtls lib/mbedtls.c)
+    ADD_LIBRARY(picotls-mbedtls lib/mbedtls.c lib/mbedtls_sign.c)
     ADD_EXECUTABLE(test-mbedtls.t
         deps/picotest/picotest.c
         ${CORE_TEST_FILES}

From ba87767f6f8ef2aa29667bfccec4646268e377e3 Mon Sep 17 00:00:00 2001
From: Christian Huitema <christianhuitema@Christians-iMac.local>
Date: Sun, 3 Dec 2023 18:23:01 -0800
Subject: [PATCH 2/4] verify that mbedtls tests are passing.

---
 lib/mbedtls_sign.c |   6 +--
 t/mbedtls.c        | 101 ++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 86 insertions(+), 21 deletions(-)

diff --git a/lib/mbedtls_sign.c b/lib/mbedtls_sign.c
index 1098686f3..854ebc793 100644
--- a/lib/mbedtls_sign.c
+++ b/lib/mbedtls_sign.c
@@ -36,7 +36,6 @@
 #include <psa/crypto.h>
 #include <psa/crypto_struct.h>
 #include <psa/crypto_values.h>
-#include "ptls_mbedtls.h"
 
 typedef struct st_ptls_mbedtls_signature_scheme_t {
     uint16_t scheme_id;
@@ -95,8 +94,6 @@ static int ptls_mbedtls_parse_der_length(const unsigned char* pem_buf, size_t pe
 static int ptls_mbedtls_parse_ecdsa_field(const unsigned char* pem_buf, size_t pem_len, size_t* key_index, size_t* key_length)
 {
     int ret = 0;
-    int param_index_index = -1;
-    int param_length = 0;
     size_t x = 0;
 
     // const unsigned char head = { 0x30, l-2, 0x02, 0x01, 0x01, 0x04 }
@@ -265,7 +262,6 @@ int test_parse_private_key_field(const unsigned char* pem_buf, size_t pem_len,
         /* At that point the oid has been identified.
         * The next parameter is an octet string containing the key info.
         */
-        size_t l = 0;
         if (x + 2 > pem_len ||
             pem_buf[x++]  != 0x04){
             ret = -1;
@@ -672,7 +668,7 @@ int ptls_mbedtls_load_private_key(ptls_context_t* ctx, char const* pem_fname)
     unsigned char* buf;
     mbedtls_pem_context pem = { 0 };
     mbedtls_pk_type_t pk_type = 0;
-    mbedtls_svc_key_id_t key_id = 0;
+    /* mbedtls_svc_key_id_t key_id = 0; */
     size_t key_length = 0;
     size_t key_index = 0;
     ptls_mbedtls_sign_certificate_t* signer = (ptls_mbedtls_sign_certificate_t*)malloc(sizeof(ptls_mbedtls_sign_certificate_t));
diff --git a/t/mbedtls.c b/t/mbedtls.c
index 25cd323a3..cec11dfee 100644
--- a/t/mbedtls.c
+++ b/t/mbedtls.c
@@ -34,6 +34,22 @@
 #include "../deps/picotest/picotest.h"
 #include "test.h"
 
+typedef struct st_ptls_mbedtls_signature_scheme_t {
+    uint16_t scheme_id;
+    psa_algorithm_t hash_algo;
+} ptls_mbedtls_signature_scheme_t;
+
+typedef struct st_ptls_mbedtls_sign_certificate_t {
+    ptls_sign_certificate_t super;
+    mbedtls_svc_key_id_t key_id;
+    psa_key_attributes_t attributes;
+    const ptls_mbedtls_signature_scheme_t * schemes;
+} ptls_mbedtls_sign_certificate_t;
+
+int ptls_mbedtls_sign_certificate(ptls_sign_certificate_t* _self, ptls_t* tls,
+    ptls_async_job_t** async, uint16_t* selected_algorithm,
+    ptls_buffer_t* outbuf, ptls_iovec_t input, const uint16_t* algorithms, size_t num_algorithms);
+
 static int random_trial()
 {
     /* The random test is just trying to check that we call the API properly.
@@ -118,9 +134,9 @@ Output buffer is already partially filled.
 #define ASSET_SECP521R1_KEY "t/assets/secp521r1/key.pem"
 #define ASSET_SECP256R1_PKCS8_KEY "t/assets/secp256r1-pkcs8/key.pem"
 
-void test_load_one_der_key(char const* path)
+int test_load_one_der_key(char const* path)
 {
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int ret = -1;
     unsigned char hash[32];
     const unsigned char h0[32] = {
         1, 2, 3, 4, 5, 6, 7, 8,
@@ -129,11 +145,11 @@ void test_load_one_der_key(char const* path)
         25, 26, 27, 28, 29, 30, 31, 32
     };
     ptls_context_t ctx = { 0 };
-    psa_status_t status = 0;
 
     ret = ptls_mbedtls_load_private_key(&ctx, path);
     if (ret != 0) {
-        ok(ret == 0, "Cannot create sign_certificate from: %s\n", path);
+        printf("Cannot create sign_certificate from: %s\n", path);
+        ret = -1;
     }
     else if (ctx.sign_certificate == NULL) {
         printf("Sign_certificate not set in ptls context for: %s\n", path);
@@ -145,7 +161,6 @@ void test_load_one_der_key(char const* path)
         ptls_mbedtls_sign_certificate_t* signer = (ptls_mbedtls_sign_certificate_t*)
             (((unsigned char*)ctx.sign_certificate) - offsetof(struct st_ptls_mbedtls_sign_certificate_t, super));
         /* get the key algorithm */
-        psa_algorithm_t algo = psa_get_key_algorithm(&signer->attributes);
         ptls_buffer_t outbuf;
         uint8_t outbuf_smallbuf[256];
         ptls_iovec_t input = { hash, sizeof(hash) };
@@ -154,7 +169,8 @@ void test_load_one_der_key(char const* path)
         uint16_t algorithms[16];
         memcpy(hash, h0, 32);
         while (signer->schemes[num_algorithms].scheme_id != UINT16_MAX && num_algorithms < 16) {
-            algorithms[num_algorithms++] = signer->schemes[num_algorithms].scheme_id;
+            algorithms[num_algorithms] = signer->schemes[num_algorithms].scheme_id;
+            num_algorithms++;
         }
 
         ptls_buffer_init(&outbuf, outbuf_smallbuf, sizeof(outbuf_smallbuf));
@@ -170,7 +186,13 @@ void test_load_one_der_key(char const* path)
         ptls_buffer_dispose(&outbuf);
         ptls_mbedtls_dispose_sign_certificate(&signer->super);
     }
+    return ret;
+}
 
+static void test_load_rsa_key() 
+{
+    int ret = test_load_one_der_key(ASSET_RSA_KEY);
+    
     if (ret != 0) {
         ok(!"fail");
         return;
@@ -178,20 +200,67 @@ void test_load_one_der_key(char const* path)
     ok(!!"success");
 }
 
-void test_sign_certificate(void)
+static void test_load_secp256r1_key()
 {
-    int ret = 0;
+    int ret = test_load_one_der_key(ASSET_SECP256R1_KEY);
+    if (ret != 0) {
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
+        
+static void test_load_secp384r1_key()
+{   
+    int ret = test_load_one_der_key(ASSET_SECP384R1_KEY);
+    if (ret != 0) {
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
+
     
-    ok(test_load_one_der_key(ASSET_RSA_KEY));
-    ok(test_load_one_der_key(ASSET_SECP256R1_KEY));
-    ok(test_load_one_der_key(ASSET_SECP384R1_KEY));
-    ok(test_load_one_der_key(ASSET_SECP521R1_KEY));
-    ok(test_load_one_der_key(ASSET_SECP256R1_PKCS8_KEY));
-    ok(test_load_one_der_key(ASSET_RSA_PKCS8_KEY));
+static void test_load_secp521r1_key()
+{   
+    int ret = test_load_one_der_key(ASSET_SECP521R1_KEY);
+    if (ret != 0) { 
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
 
-    /* we do not test EDDSA keys, because they are not yet supported */
+static void test_load_secp256r1_pkcs8_key()
+{
+    int ret = test_load_one_der_key(ASSET_SECP256R1_PKCS8_KEY);
+    if (ret != 0) { 
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}   
 
-    return ret;
+static void test_load_rsa_pkcs8_key()
+{
+    int ret = test_load_one_der_key(ASSET_RSA_PKCS8_KEY);
+    if (ret != 0) {
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
+
+void test_sign_certificate(void)
+{    
+    subtest("load rsa key", test_load_rsa_key);
+    subtest("load secp256r1 key", test_load_secp256r1_key);
+    subtest("load secp384r1 key", test_load_secp384r1_key);
+    subtest("load secp521r1 key", test_load_secp521r1_key);
+    subtest("load secp521r1-pkcs8 key", test_load_secp256r1_pkcs8_key);
+    subtest("load rsa-pkcs8 key", test_load_rsa_pkcs8_key);
+
+    /* we do not test EDDSA keys, because they are not yet supported */
 }
 
 DEFINE_FFX_AES128_ALGORITHMS(mbedtls);

From fc0774d859cc9772a849b49d63e61adaa6dec7b2 Mon Sep 17 00:00:00 2001
From: Christian Huitema <huitema@huitema.net>
Date: Thu, 14 Mar 2024 17:20:23 -0700
Subject: [PATCH 3/4] Add comment, restart PR

---
 lib/mbedtls_sign.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/mbedtls_sign.c b/lib/mbedtls_sign.c
index 854ebc793..750dad51a 100644
--- a/lib/mbedtls_sign.c
+++ b/lib/mbedtls_sign.c
@@ -69,6 +69,8 @@ static const ptls_mbedtls_signature_scheme_t ed25519_signature_schemes[] = {
 
 #if defined(MBEDTLS_PEM_PARSE_C)
 
+/* Mapping of MBEDTLS APIs to Picotls */
+
 static int ptls_mbedtls_parse_der_length(const unsigned char* pem_buf, size_t pem_len, size_t* px, size_t *pl)
 {
     int ret = 0;

From 5dc20dbe08879e3872f3313cfd917d61b2fc5572 Mon Sep 17 00:00:00 2001
From: Christian Huitema <huitema@huitema.net>
Date: Thu, 14 Mar 2024 17:44:33 -0700
Subject: [PATCH 4/4] Remove offending include

---
 lib/mbedtls_sign.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/mbedtls_sign.c b/lib/mbedtls_sign.c
index c774cb291..8eed140a5 100644
--- a/lib/mbedtls_sign.c
+++ b/lib/mbedtls_sign.c
@@ -37,7 +37,7 @@
 #include <psa/crypto.h>
 #include <psa/crypto_struct.h>
 #include <psa/crypto_values.h>
-#include "ptls_mbedtls.h"
+/* #include "ptls_mbedtls.h" */
 
 
 typedef struct st_ptls_mbedtls_signature_scheme_t {