Incorrect sizes for secp224k1 keys through the PSA API

[gilles-peskine-arm]

Description

The PSA crypto code assumes that a Weierstrass elliptic curve has a “bit size”, that a private key on that curve is that many bits, and a public key is a pair of numbers (coordinates) of that many bits. This is true for most curves, but breaks down for one of the curves that we support: secp224k1, which has 224-bit coordinates (since the order of the field is a 224-bit number) but 225-bit private keys (since the order of the base point is a 225-bit number).

The PSA Crypto specification makes the same incorrect assumption when it describes key formats (documentation of psa_export_key and psa_export_public_key). Private link: https://github.com/ARMmbed/psa-crypto/issues/352

Issue request type

[ ] Question
[ ] Enhancement
[x] Bug

[ciarmcom]

Internal Jira reference: https://jira.arm.com/browse/IOTCRYPT-1030

[yanesca]

@gilles-peskine-arm Is this issue fixed by #330?

[gilles-peskine-arm]

No, this is not fixed in Mbed Crypto yet.

[gilles-peskine-arm]

This is tracked in mbedtls at Mbed-TLS/mbedtls#3541