Introduce ECC Make PUB and ECC Check Pub crypto callbacks#10663
Open
rizlik wants to merge 5 commits into
Open
Conversation
|
retest this please |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends wolfCrypt’s CryptoCb (crypto callback) interface with two new ECC public-key–related callback operations to offload (1) base-point multiplication used by wc_ecc_make_pub(_ex) and internal callers, and (2) ECC public key validation used by wc_ecc_check_key and keygen/import validation paths. It also adjusts CB-only ECC builds to fail closed when validation/make-pub aren’t handled by a device, and adds test coverage plus swdev support for the new operations.
Changes:
- Add new PK callback opcodes
WC_PK_TYPE_EC_MAKE_PUBandWC_PK_TYPE_EC_CHECK_PUB_KEY, plus newwc_CryptoInfopayloads and wrapper APIs. - Route ECC make-pub and public-key validation through CryptoCb device-first paths (with CB-only ECC failing closed when unhandled).
- Extend wolfcrypt tests and
swdevto exercise/implement the new callback operations, including negative tests for malformed device results.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
wolfssl/wolfcrypt/types.h |
Adds two new PK operation enum values for ECC make-pub and public-key validation. |
wolfssl/wolfcrypt/cryptocb.h |
Extends wc_CryptoInfo with ECC make-pub/check-pub payloads and declares new CryptoCb wrapper APIs. |
wolfcrypt/src/cryptocb.c |
Implements wc_CryptoCb_EccMakePub() and wc_CryptoCb_EccCheckPubKey() wrappers and adds string names for the new PK types. |
wolfcrypt/src/ecc.c |
Adds device-first dispatch for make-pub and public-key validation; introduces fail-closed behavior under WOLF_CRYPTO_CB_ONLY_ECC. |
wolfcrypt/test/test.c |
Adds callback device logic and regression/negative tests for make-pub and check-pubkey callback behavior. |
tests/swdev/swdev.c |
Adds swdev handlers and dispatcher cases for the new ECC callback operations. |
doc/dox_comments/header_files/cryptocb.h |
Documents the new CryptoCb ECC make-pub and check-pubkey wrapper APIs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rizlik
force-pushed
the
pubkey_ecc_operation_cb
branch
from
58a858a to
690c642
Compare
|
rizlik
force-pushed
the
pubkey_ecc_operation_cb
branch
from
690c642 to
36b66aa
Compare
Move the software private-scalar range checkout of ecc_make_pub_ex into a dedicated helper. Pure code motion, no functional change.
…fload Under WOLF_CRYPTO_CB_ONLY_ECC, HAVE_ECC_MAKE_PUB is now enabled and backed by the dispatch alone, failing closed with NO_VALID_DEVID when no device handles the operation (previously NOT_COMPILED_IN).
rizlik
force-pushed
the
pubkey_ecc_operation_cb
branch
from
36b66aa to
c43ab39
Compare
Add a crypto-callback operation for validating an ECC key. Under WOLF_CRYPTO_CB_ONLY_ECC validation now fails closed with NO_VALID_DEVID when no device handles the operation; previously such keys were accepted unvalidated. This is a deliberate compatibility break, documented at the dispatch site.
Frauschi
requested changes
Jun 18, 2026
Frauschi
left a comment
Frauschi
left a comment
Contributor
There was a problem hiding this comment.
Only two nits, otherwise LGTM.
Frauschi
approved these changes
Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This branch adds two new ECC crypto-callback operations:
WC_PK_TYPE_EC_MAKE_PUBoffloadsQ = d·Gforwc_ecc_make_pub, andWC_PK_TYPE_EC_CHECK_PUB_KEYoffloads wc_ecc_check_key and the keygen/import validation paths.Under
WOLF_CRYPTO_CB_ONLY_ECC,HAVE_ECC_MAKE_PUBis now enabled and validation fails closed (NO_VALID_DEVID) rather than silently succeeding when no device services the op.