eden-emu/mbedtls
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

test: remove usage of mbedtls_pk_wrap_as_opaque() from tests

Browse source 
This is replaced with: mbedtls_pk_get_psa_attributes() +
mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque().

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2024-02-27 08:11:25 +01:00
parent 665cf928d9
commit 1fa2f6e9af
4 changed files with 78 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

21
tests/src/test_helpers/ssl_helpers.c
View file

@ -685,9 +685,24 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) { if (opaque_alg != 0) {
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot, psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
opaque_alg, opaque_usage, /* Use a fake key usage to get a successful initial guess for the PSA attributes. */
opaque_alg2), 0); TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_VERIFY_HASH,
&key_attr), 0);
/* Then manually set type, usage, alg and alg2 as requested by the test. */
psa_key_type_t key_type = psa_get_key_type(&key_attr);
if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) {
psa_set_key_type(&key_attr, PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(key_type));
}
psa_set_key_usage_flags(&key_attr, opaque_usage);
psa_set_key_algorithm(&key_attr, opaque_alg);
if (opaque_alg2 != PSA_ALG_NONE) {
psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2);
}
TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0);
mbedtls_pk_free(cert->pkey);
mbedtls_pk_init(cert->pkey);
TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0);
} }
#else #else
(void) opaque_alg; (void) opaque_alg;

49
tests/suites/test_suite_pk.function
View file

@ -836,6 +836,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
mbedtls_pk_context pub, prv, alt; mbedtls_pk_context pub, prv, alt;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&pub); mbedtls_pk_init(&pub);
@ -873,9 +874,13 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
#endif #endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) { if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id, /* Turn the prv PK context into an opaque one.*/
PSA_ALG_ANY_HASH, TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH,
PSA_KEY_USAGE_EXPORT, 0), 0); &opaque_key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0);
mbedtls_pk_free(&prv);
mbedtls_pk_init(&prv);
TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
NULL), ret); NULL), ret);
} }
@ -1395,7 +1400,8 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
mbedtls_mpi N, P, Q, E; mbedtls_mpi N, P, Q, E;
mbedtls_rsa_context *rsa; mbedtls_rsa_context *rsa;
mbedtls_pk_context pk; mbedtls_pk_context pk;
mbedtls_svc_key_id_t key_id; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t olen; size_t olen;
mbedtls_pk_init(&pk); mbedtls_pk_init(&pk);
@ -1422,10 +1428,11 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
/* Turn PK context into an opaque one. */ /* Turn PK context into an opaque one. */
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0);
PSA_ALG_RSA_PKCS1V15_CRYPT, TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
PSA_KEY_USAGE_DECRYPT, mbedtls_pk_free(&pk);
PSA_ALG_NONE), 0); mbedtls_pk_init(&pk);
TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
@ -1635,10 +1642,9 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
unsigned char pkey_legacy[200]; unsigned char pkey_legacy[200];
unsigned char pkey_psa[200]; unsigned char pkey_psa[200];
unsigned char *pkey_legacy_start, *pkey_psa_start; unsigned char *pkey_legacy_start, *pkey_psa_start;
psa_algorithm_t alg_psa;
size_t sig_len, klen_legacy, klen_psa; size_t sig_len, klen_legacy, klen_psa;
int ret; int ret;
mbedtls_svc_key_id_t key_id; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
/* /*
@ -1660,7 +1666,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
mbedtls_test_rnd_std_rand, NULL, mbedtls_test_rnd_std_rand, NULL,
curve_or_keybits, 3) == 0); curve_or_keybits, 3) == 0);
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
} else } else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ #endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@ -1671,8 +1676,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
TEST_ASSERT(mbedtls_pk_setup(&pk, TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
TEST_ASSERT(pk_genkey(&pk, grpid) == 0); TEST_ASSERT(pk_genkey(&pk, grpid) == 0);
alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
} else } else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
{ {
@ -1699,9 +1702,11 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
#endif /* MBEDTLS_PK_WRITE_C */ #endif /* MBEDTLS_PK_WRITE_C */
/* Turn PK context into an opaque one. */ /* Turn PK context into an opaque one. */
TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa, TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0);
PSA_KEY_USAGE_SIGN_HASH, TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0);
PSA_ALG_NONE) == 0); mbedtls_pk_free(&pk);
mbedtls_pk_init(&pk);
TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes)); PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type); TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type);
@ -1822,6 +1827,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg
mbedtls_pk_context pk; mbedtls_pk_context pk;
size_t sig_len, pkey_len; size_t sig_len, pkey_len;
mbedtls_svc_key_id_t key_id; mbedtls_svc_key_id_t key_id;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
unsigned char *pkey_start; unsigned char *pkey_start;
@ -1861,9 +1867,14 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg
} }
/* Turn PK context into an opaque one. */ /* Turn PK context into an opaque one. */
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg, TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
PSA_KEY_USAGE_SIGN_HASH, /* Tweak the algorithm associated with the PSA key because get_psa_attributes() returns
PSA_ALG_NONE), 0); * a PSA_ALG_RSA_PSS_ANY_SALT(), but mbedtls_pk_sign_ext() requires a PSA_ALG_RSA_PSS().*/
psa_set_key_algorithm(&key_attr, psa_alg);
TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
mbedtls_pk_free(&pk);
mbedtls_pk_init(&pk);
TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
memset(hash, 0x2a, sizeof(hash)); memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig)); memset(sig, 0, sizeof(sig));

22
tests/suites/test_suite_pkwrite.function
View file

@ -75,6 +75,7 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
size_t buf_len, check_buf_len; size_t buf_len, check_buf_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
USE_PSA_INIT(); USE_PSA_INIT();
@ -117,10 +118,13 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
/* Verify that pk_write works also for opaque private keys */ /* Verify that pk_write works also for opaque private keys */
if (!is_public_key) { if (!is_public_key) {
memset(buf, 0, check_buf_len); memset(buf, 0, check_buf_len);
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id, /* Turn the key PK context into an opaque one.
PSA_ALG_NONE, * Note: set some practical usage for the key to make get_psa_attributes() happy. */
PSA_KEY_USAGE_EXPORT, TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0);
PSA_ALG_NONE), 0); TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0);
mbedtls_pk_free(&key);
mbedtls_pk_init(&key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0);
start_buf = buf; start_buf = buf;
buf_len = check_buf_len; buf_len = check_buf_len;
TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key, TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
@ -172,6 +176,7 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
size_t pub_key_len = 0; size_t pub_key_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&priv_key); mbedtls_pk_init(&priv_key);
@ -194,9 +199,12 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_platform_zeroize(derived_key_raw, derived_key_len); mbedtls_platform_zeroize(derived_key_raw, derived_key_len);
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id, /* Turn the priv_key PK context into an opaque one. */
PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT, TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
PSA_ALG_NONE), 0); TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0);
mbedtls_pk_free(&priv_key);
mbedtls_pk_init(&priv_key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw, TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
derived_key_len), pub_key_len); derived_key_len), pub_key_len);

47
tests/suites/test_suite_x509write.function
View file

@ -284,7 +284,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
{ {
mbedtls_pk_context key; mbedtls_pk_context key;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_algorithm_t md_alg_psa, alg_psa; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_x509write_csr req; mbedtls_x509write_csr req;
unsigned char buf[4096]; unsigned char buf[4096];
int ret; int ret;
@ -297,24 +297,16 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info)); memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
mbedtls_pk_init(&key); mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL, TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0); mbedtls_test_rnd_std_rand, NULL) == 0);
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) { /* Turn the PK context into an opaque one. */
alg_psa = PSA_ALG_ECDSA(md_alg_psa); TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
} else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) { TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa); mbedtls_pk_free(&key);
} else { mbedtls_pk_init(&key);
TEST_ASSUME(!"PK key type not supported in this configuration"); TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
}
TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa,
PSA_KEY_USAGE_SIGN_HASH,
PSA_ALG_NONE) == 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type); mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key); mbedtls_x509write_csr_set_key(&req, &key);
@ -373,6 +365,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
mbedtls_test_rnd_pseudo_info rnd_info; mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif #endif
mbedtls_pk_type_t issuer_key_type; mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip; mbedtls_x509_san_list san_ip;
@ -451,24 +444,14 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
#endif #endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
/* For Opaque PK contexts, wrap key as an Opaque RSA context. */ /* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) { if (pk_wrap == 2) {
psa_algorithm_t alg_psa, md_alg_psa; TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
&key_attr), 0);
md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type); TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE); mbedtls_pk_free(&issuer_key);
mbedtls_pk_init(&issuer_key);
if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) { TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
alg_psa = PSA_ALG_ECDSA(md_alg_psa);
} else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) {
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
} else {
TEST_ASSUME(!"PK key type not supported in this configuration");
}
TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa,
PSA_KEY_USAGE_SIGN_HASH,
PSA_ALG_NONE) == 0);
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */