diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data
index a339cdbb0..778352f64 100644
--- a/tests/suites/test_suite_pkwrite.data
+++ b/tests/suites/test_suite_pkwrite.data
@@ -93,3 +93,23 @@ pk_write_key_check:"data_files/ec_bp512_prv.pem":TEST_PEM
Private key write check EC Brainpool 512 bits (DER)
depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_write_key_check:"data_files/ec_bp512_prv.der":TEST_DER
+
+Derive public key RSA
+depends_on:MBEDTLS_RSA_C
+pk_write_check_public_key_derivation:"data_files/server1.key":"data_files/server1.pubkey.der"
+
+Derive public key RSA 4096
+depends_on:MBEDTLS_RSA_C
+pk_write_check_public_key_derivation:"data_files/rsa4096_prv.der":"data_files/rsa4096_pub.der"
+
+Derive public key EC 192 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_write_check_public_key_derivation:"data_files/ec_prv.sec1.der":"data_files/ec_pub.der"
+
+Derive public key EC 521 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_write_check_public_key_derivation:"data_files/ec_521_prv.der":"data_files/ec_521_pub.der"
+
+Derive public key EC Brainpool 512 bits
+depends_on:MBEDTLS_ECP_LIGHT:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_write_check_public_key_derivation:"data_files/ec_bp512_prv.der":"data_files/ec_bp512_pub.der"
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index 804e9a77e..c5668a0b3 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -2,6 +2,7 @@
#include "mbedtls/pk.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
+#include "psa/crypto_sizes.h"
typedef enum {
TEST_PEM,
@@ -124,3 +125,77 @@ void pk_write_key_check(char *key_file, int is_der)
goto exit; /* make the compiler happy */
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void pk_write_check_public_key_derivation(char *priv_key_file,
+ char *pub_key_file)
+{
+ mbedtls_pk_context priv_key, pub_key;
+ uint8_t derived_key_raw[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ uint8_t *derived_key_start;
+ size_t derived_key_len = 0;
+ uint8_t pub_key_raw[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ uint8_t *pub_key_start;
+ size_t pub_key_len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ mbedtls_pk_init(&priv_key);
+ mbedtls_pk_init(&pub_key);
+ USE_PSA_INIT();
+
+ memset(derived_key_raw, 0, sizeof(derived_key_raw));
+ memset(pub_key_raw, 0, sizeof(pub_key_raw));
+
+ TEST_EQUAL(mbedtls_pk_parse_keyfile(&priv_key, priv_key_file, NULL,
+ mbedtls_test_rnd_std_rand, NULL), 0);
+ TEST_EQUAL(mbedtls_pk_parse_public_keyfile(&pub_key, pub_key_file), 0);
+
+ /* mbedtls_pk_write_pubkey() writes data backward in the provided buffer,
+ * i.e. derived_key_raw, so we place derived_key_start at the end of it
+ * and it will be updated accordingly on return.
+ * The same holds for pub_key_raw and pub_key_start below.*/
+ derived_key_start = derived_key_raw + sizeof(derived_key_raw);
+ TEST_LE_U(1, mbedtls_pk_write_pubkey(&derived_key_start,
+ derived_key_raw, &priv_key));
+ derived_key_len = sizeof(derived_key_raw) -
+ (derived_key_start - derived_key_raw);
+
+
+ pub_key_start = pub_key_raw + sizeof(pub_key_raw);
+ TEST_LE_U(1, mbedtls_pk_write_pubkey(&pub_key_start,
+ pub_key_raw, &pub_key));
+ pub_key_len = sizeof(pub_key_raw) -
+ (pub_key_start - pub_key_raw);
+
+ ASSERT_COMPARE(derived_key_start, derived_key_len,
+ pub_key_start, pub_key_len);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_platform_zeroize(derived_key_raw, sizeof(derived_key_raw));
+ derived_key_len = 0;
+
+ TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
+ PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_NONE), 0);
+
+ derived_key_start = derived_key_raw + sizeof(derived_key_raw);
+ TEST_LE_U(1, mbedtls_pk_write_pubkey(&derived_key_start,
+ derived_key_raw, &priv_key));
+ derived_key_len = sizeof(derived_key_raw) -
+ (derived_key_start - derived_key_raw);
+
+ ASSERT_COMPARE(derived_key_start, derived_key_len,
+ pub_key_start, pub_key_len);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(opaque_key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ mbedtls_pk_free(&pub_key);
+ mbedtls_pk_free(&priv_key);
+ USE_PSA_DONE();
+}
+/* END_CASE */