diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 7a28bd879..f6645d7de 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -685,9 +685,24 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, #if defined(MBEDTLS_USE_PSA_CRYPTO) if (opaque_alg != 0) { - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot, - opaque_alg, opaque_usage, - opaque_alg2), 0); + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + /* Use a fake key usage to get a successful initial guess for the PSA attributes. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_VERIFY_HASH, + &key_attr), 0); + /* Then manually set type, usage, alg and alg2 as requested by the test. */ + psa_key_type_t key_type = psa_get_key_type(&key_attr); + if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) { + psa_set_key_type(&key_attr, PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(key_type)); + } + psa_set_key_usage_flags(&key_attr, opaque_usage); + psa_set_key_algorithm(&key_attr, opaque_alg); + if (opaque_alg2 != PSA_ALG_NONE) { + psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2); + } + TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0); + mbedtls_pk_free(cert->pkey); + mbedtls_pk_init(cert->pkey); + TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0); } #else (void) opaque_alg; diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 180cf7639..91b3337ff 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -836,6 +836,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) mbedtls_pk_context pub, prv, alt; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_pk_init(&pub); @@ -873,9 +874,13 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) { - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id, - PSA_ALG_ANY_HASH, - PSA_KEY_USAGE_EXPORT, 0), 0); + /* Turn the prv PK context into an opaque one.*/ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH, + &opaque_key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0); + mbedtls_pk_free(&prv); + mbedtls_pk_init(&prv); + TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0); TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, NULL), ret); } @@ -1395,7 +1400,8 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, mbedtls_mpi N, P, Q, E; mbedtls_rsa_context *rsa; mbedtls_pk_context pk; - mbedtls_svc_key_id_t key_id; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; size_t olen; mbedtls_pk_init(&pk); @@ -1422,10 +1428,11 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); /* Turn PK context into an opaque one. */ - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, - PSA_ALG_RSA_PKCS1V15_CRYPT, - PSA_KEY_USAGE_DECRYPT, - PSA_ALG_NONE), 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); + mbedtls_pk_free(&pk); + mbedtls_pk_init(&pk); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); @@ -1635,10 +1642,9 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) unsigned char pkey_legacy[200]; unsigned char pkey_psa[200]; unsigned char *pkey_legacy_start, *pkey_psa_start; - psa_algorithm_t alg_psa; size_t sig_len, klen_legacy, klen_psa; int ret; - mbedtls_svc_key_id_t key_id; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; /* @@ -1660,7 +1666,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), mbedtls_test_rnd_std_rand, NULL, curve_or_keybits, 3) == 0); - alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256); } else #endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) @@ -1671,8 +1676,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); TEST_ASSERT(pk_genkey(&pk, grpid) == 0); - - alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256); } else #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ { @@ -1699,9 +1702,11 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits) #endif /* MBEDTLS_PK_WRITE_C */ /* Turn PK context into an opaque one. */ - TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE) == 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0); + mbedtls_pk_free(&pk); + mbedtls_pk_init(&pk); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); PSA_ASSERT(psa_get_key_attributes(key_id, &attributes)); TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type); @@ -1822,6 +1827,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg mbedtls_pk_context pk; size_t sig_len, pkey_len; mbedtls_svc_key_id_t key_id; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; unsigned char *pkey_start; @@ -1861,9 +1867,14 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg } /* Turn PK context into an opaque one. */ - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE), 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); + /* Tweak the algorithm associated with the PSA key because get_psa_attributes() returns + * a PSA_ALG_RSA_PSS_ANY_SALT(), but mbedtls_pk_sign_ext() requires a PSA_ALG_RSA_PSS().*/ + psa_set_key_algorithm(&key_attr, psa_alg); + TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); + mbedtls_pk_free(&pk); + mbedtls_pk_init(&pk); + TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); memset(hash, 0x2a, sizeof(hash)); memset(sig, 0, sizeof(sig)); diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index c7600903f..735c12547 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -75,6 +75,7 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) size_t buf_len, check_buf_len; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ USE_PSA_INIT(); @@ -117,10 +118,13 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) /* Verify that pk_write works also for opaque private keys */ if (!is_public_key) { memset(buf, 0, check_buf_len); - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id, - PSA_ALG_NONE, - PSA_KEY_USAGE_EXPORT, - PSA_ALG_NONE), 0); + /* Turn the key PK context into an opaque one. + * Note: set some practical usage for the key to make get_psa_attributes() happy. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0); + mbedtls_pk_free(&key); + mbedtls_pk_init(&key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0); start_buf = buf; buf_len = check_buf_len; TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key, @@ -172,6 +176,7 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file) size_t pub_key_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_pk_init(&priv_key); @@ -194,9 +199,12 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file) #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_platform_zeroize(derived_key_raw, derived_key_len); - TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id, - PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT, - PSA_ALG_NONE), 0); + /* Turn the priv_key PK context into an opaque one. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0); + mbedtls_pk_free(&priv_key); + mbedtls_pk_init(&priv_key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0); TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw, derived_key_len), pub_key_len); diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 3d84c729f..1db7e1cff 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -284,7 +284,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, { mbedtls_pk_context key; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; - psa_algorithm_t md_alg_psa, alg_psa; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; mbedtls_x509write_csr req; unsigned char buf[4096]; int ret; @@ -297,24 +297,16 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); - md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type); - TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE); - mbedtls_pk_init(&key); TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL, mbedtls_test_rnd_std_rand, NULL) == 0); - if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) { - alg_psa = PSA_ALG_ECDSA(md_alg_psa); - } else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) { - alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa); - } else { - TEST_ASSUME(!"PK key type not supported in this configuration"); - } - - TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE) == 0); + /* Turn the PK context into an opaque one. */ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0); + mbedtls_pk_free(&key); + mbedtls_pk_init(&key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0); mbedtls_x509write_csr_set_md_alg(&req, md_type); mbedtls_x509write_csr_set_key(&req, &key); @@ -373,6 +365,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, mbedtls_test_rnd_pseudo_info rnd_info; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; #endif mbedtls_pk_type_t issuer_key_type; mbedtls_x509_san_list san_ip; @@ -451,24 +444,14 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) - /* For Opaque PK contexts, wrap key as an Opaque RSA context. */ + /* Turn the issuer PK context into an opaque one. */ if (pk_wrap == 2) { - psa_algorithm_t alg_psa, md_alg_psa; - - md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type); - TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE); - - if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) { - alg_psa = PSA_ALG_ECDSA(md_alg_psa); - } else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) { - alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa); - } else { - TEST_ASSUME(!"PK key type not supported in this configuration"); - } - - TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa, - PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_NONE) == 0); + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH, + &key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0); + mbedtls_pk_free(&issuer_key); + mbedtls_pk_init(&issuer_key); + TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0); } #endif /* MBEDTLS_USE_PSA_CRYPTO */