modules: openthread: add HKDF support in crypto_psa

valeriosetti · valeriosetti · commit 48e255e989cd · 2025-11-20T16:26:53.000+01:00
crypto_psa.c was missing an implementation for the following functions:
- otPlatCryptoHkdfInit
- otPlatCryptoHkdfExtract
- otPlatCryptoHkdfExpand
- otPlatCryptoHkdfDeinit
which provide support for HKDF using PSA Crypto API.

This commit fill this gap by copying the implementation from upstream
PR 11445.

Signed-off-by: Valerio Setti &lt;vsetti@baylibre.com&gt;
diff --git a/modules/openthread/platform/crypto_psa.c b/modules/openthread/platform/crypto_psa.c
@@ -44,6 +44,8 @@ static psa_key_type_t toPsaKeyType(otCryptoKeyType aType)
 		return PSA_KEY_TYPE_HMAC;
 	case OT_CRYPTO_KEY_TYPE_ECDSA:
 		return PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
+	case OT_CRYPTO_KEY_TYPE_DERIVE:
+		return PSA_KEY_TYPE_DERIVE;
 	default:
 		return PSA_KEY_TYPE_NONE;
 	}
@@ -58,6 +60,8 @@ static psa_algorithm_t toPsaAlgorithm(otCryptoKeyAlgorithm aAlgorithm)
 		return PSA_ALG_HMAC(PSA_ALG_SHA_256);
 	case OT_CRYPTO_KEY_ALG_ECDSA:
 		return PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256);
+	case OT_CRYPTO_KEY_ALG_HKDF_SHA256:
+		return PSA_ALG_HKDF(PSA_ALG_SHA_256);
 	default:
 		/*
 		 * There is currently no constant like PSA_ALG_NONE, but 0 is used
@@ -91,6 +95,10 @@ static psa_key_usage_t toPsaKeyUsage(int aUsage)
 		usage |= PSA_KEY_USAGE_VERIFY_HASH;
 	}
 
+	if (aUsage & OT_CRYPTO_KEY_USAGE_DERIVE) {
+		usage |= PSA_KEY_USAGE_DERIVE;
+	}
+
 	return usage;
 }
 
@@ -287,6 +295,143 @@ otError otPlatCryptoHmacSha256Finish(otCryptoContext *aContext, uint8_t *aBuf, s
 	return psaToOtError(psa_mac_sign_finish(operation, aBuf, aBufLength, &mac_length));
 }
 
+
+otError otPlatCryptoHkdfInit(otCryptoContext *aContext)
+{
+	psa_key_derivation_operation_t *operation;
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t))) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	memset(operation, 0, sizeof(psa_key_derivation_operation_t));
+
+	return psaToOtError(psa_key_derivation_setup(operation, PSA_ALG_HKDF(PSA_ALG_SHA_256)));
+}
+
+otError otPlatCryptoHkdfExtract(otCryptoContext *aContext,
+				const uint8_t *aSalt,
+				uint16_t aSaltLength,
+				const otCryptoKey *aInputKey)
+{
+	otError error = OT_ERROR_NONE;
+	psa_status_t status = PSA_SUCCESS;
+	psa_key_derivation_operation_t *operation = NULL;
+	otCryptoKeyRef key_ref = PSA_KEY_ID_NULL;
+	psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+	psa_algorithm_t key_alg = PSA_ALG_NONE;
+	size_t key_length = 0;
+	const size_t key_buffer_size = 16;
+	uint8_t key_buffer[key_buffer_size];
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t)) ||
+	    (aInputKey == NULL) || (aSalt == NULL) || (aSaltLength == 0)) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	status = psa_key_derivation_input_bytes(operation, PSA_KEY_DERIVATION_INPUT_SALT, aSalt,
+						aSaltLength);
+	if (status != PSA_SUCCESS) {
+		error = psaToOtError(status);
+		goto exit;
+	}
+
+	status = psa_get_key_attributes(aInputKey->mKeyRef, &attributes);
+	if (status != PSA_SUCCESS) {
+		error = psaToOtError(status);
+		goto exit;
+	}
+
+	key_alg = psa_get_key_algorithm(&attributes);
+
+	/* The PSA API enforces a policy that restricts each key to a single algorithm.
+	 * If the key is already HKDF-SHA256, we can use it directly.
+	 * Otherwise, export and re-import it as a volatile HKDF key.
+	 */
+	if (key_alg != toPsaAlgorithm(OT_CRYPTO_KEY_ALG_HKDF_SHA256)) {
+		error = otPlatCryptoExportKey(aInputKey->mKeyRef, key_buffer, sizeof(key_buffer),
+					      &key_length);
+		if (error != OT_ERROR_NONE) {
+			goto exit;
+		}
+		error = otPlatCryptoImportKey(&key_ref, OT_CRYPTO_KEY_TYPE_DERIVE,
+					      OT_CRYPTO_KEY_ALG_HKDF_SHA256,
+					      OT_CRYPTO_KEY_USAGE_DERIVE,
+					      OT_CRYPTO_KEY_STORAGE_VOLATILE,
+					      key_buffer, key_length);
+		if (error != OT_ERROR_NONE) {
+			goto exit;
+		}
+
+		status = psa_key_derivation_input_key(operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+						      key_ref);
+		if (status != PSA_SUCCESS) {
+			error = psaToOtError(status);
+			goto exit;
+		}
+	} else {
+		status = psa_key_derivation_input_key(operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+						      aInputKey->mKeyRef);
+		if (status != PSA_SUCCESS) {
+			error = psaToOtError(status);
+			goto exit;
+		}
+	}
+
+exit:
+	psa_reset_key_attributes(&attributes);
+	otPlatCryptoDestroyKey(key_ref);
+
+	return error;
+}
+
+otError otPlatCryptoHkdfExpand(otCryptoContext *aContext,
+				const uint8_t *aInfo,
+				uint16_t aInfoLength,
+				uint8_t *aOutputKey,
+				uint16_t aOutputKeyLength)
+{
+	psa_status_t status = PSA_SUCCESS;
+	psa_key_derivation_operation_t *operation;
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t)) ||
+	    (aOutputKey == NULL) || (aOutputKeyLength == 0)) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	status = psa_key_derivation_input_bytes(operation, PSA_KEY_DERIVATION_INPUT_INFO,
+						aInfo, aInfoLength);
+	if (status != PSA_SUCCESS) {
+		return psaToOtError(status);
+	}
+
+	status = psa_key_derivation_output_bytes(operation, aOutputKey, aOutputKeyLength);
+	if (status != PSA_SUCCESS) {
+		return psaToOtError(status);
+	}
+
+	return OT_ERROR_NONE;
+}
+
+otError otPlatCryptoHkdfDeinit(otCryptoContext *aContext)
+{
+	psa_key_derivation_operation_t *operation;
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t))) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	return psaToOtError(psa_key_derivation_abort(operation));
+}
+
 otError otPlatCryptoAesInit(otCryptoContext *aContext)
 {
 	psa_key_id_t *key_ref;
