se050: add support for SE050 SIGN ONLY options

Author: rizlik

.wolfssl_known_macro_extras

@@ -880,7 +880,10 @@ WOLFSSL_SE050_AUTO_ERASE
 WOLFSSL_SE050_CRYPT
 WOLFSSL_SE050_HASH
 WOLFSSL_SE050_INIT
+WOLFSSL_SE050_NOECDHE
+WOLFSSL_SE050_NO_ECDSA_VERIFY
 WOLFSSL_SE050_NO_RSA
+WOLFSSL_SE050_NO_RSA_VERIFY
 WOLFSSL_SE050_NO_TRNG
 WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
 WOLFSSL_SERVER_EXAMPLE

wolfcrypt/src/ecc.c

@@ -291,6 +291,9 @@ ECC Curve Sizes:
     #undef  HAVE_ECC_VERIFY_HELPER
     #define HAVE_ECC_VERIFY_HELPER
 #endif
+#if defined(WOLFSSL_SE050_NO_ECDSA_VERIFY)
+    #define HAVE_ECC_VERIFY_HELPER
+#endif
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
@@ -4767,7 +4770,7 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
    err = silabs_ecc_shared_secret(private_key, public_key, out, outlen);
 #elif defined(WOLFSSL_KCAPI_ECC)
    err = KcapiEcc_SharedSecret(private_key, public_key, out, outlen);
-#elif defined(WOLFSSL_SE050)
+#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NOECDHE)
    err = se050_ecc_shared_secret(private_key, public_key, out, outlen);
 #else
    err = wc_ecc_shared_secret_ex(private_key, &public_key->pubkey, out, outlen);
@@ -5761,7 +5764,7 @@ static int _ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key,
    else {
       err = NOT_COMPILED_IN;
    }
-#elif defined(WOLFSSL_SE050)
+#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NOECDHE)
     err = se050_ecc_create_key(key, key->dp->id, key->dp->size);
     key->type = ECC_PRIVATEKEY;
 #elif defined(WOLFSSL_CRYPTOCELL)
@@ -9261,7 +9264,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
 #elif defined(WOLFSSL_XILINX_CRYPT_VERSAL)
    byte sigRS[ECC_MAX_CRYPTO_HW_SIZE * 2];
    byte hashcopy[ECC_MAX_CRYPTO_HW_SIZE] = {0};
-#elif defined(WOLFSSL_SE050)
+#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_ECDSA_VERIFY)
 #else
    int curveLoaded = 0;
    DECLARE_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);

wolfcrypt/src/port/nxp/README_SE050.md

@@ -246,6 +246,25 @@ defined, wolfCrypt will instead fall back to using `/dev/random` and
 Disables using the SE050 for RSA, useful for the SE050E which does not have
 RSA support.
 
+**`WOLFSSL_SE050_NOECDHE`**
+
+Disables offloading ECDH key generation and shared secret operations to the
+SE050. When defined, `wc_ecc_make_key()` and `wc_ecc_shared_secret()` will
+use wolfCrypt software instead of the SE050.
+
+**`WOLFSSL_SE050_NO_ECDSA_VERIFY`**
+
+When defined, ECDSA signing (`wc_ecc_sign_hash()`) continues to be offloaded
+to the SE050, but ECDSA verification (`wc_ecc_verify_hash()`) uses wolfCrypt
+software.
+
+**`WOLFSSL_SE050_NO_RSA_VERIFY`**
+
+When defined, RSA PKCS#1 v1.5 signing (`wc_RsaSSL_Sign()`) continues to be
+offloaded to the SE050, but RSA PKCS#1 v1.5 verification (`wc_RsaSSL_Verify()`)
+uses wolfCrypt software (public-key exponentiation + unpad). RSA PSS verify and
+RSA key-exchange decrypt are unaffected.
+
 ## wolfSSL HostCrypto Support
 
 The NXP SE05x Plug & Trust Middleware by default can use either OpenSSL or

wolfcrypt/src/rsa.c

@@ -3660,6 +3660,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
             }
             return ret;
         }
+    #if !defined(WOLFSSL_SE050_NO_RSA_VERIFY)
         else if (rsa_type == RSA_PUBLIC_DECRYPT &&
                  pad_value == RSA_BLOCK_TYPE_1 &&
                  pad_type != WC_RSA_PSS_PAD) {
@@ -3675,6 +3676,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
             }
             return ret;
         }
+    #endif /* !WOLFSSL_SE050_NO_RSA_VERIFY */
     #endif /* RSA CRYPTO HW */