1/* BEGIN_HEADER */ 2#include "mbedtls/pk.h" 3#include "mbedtls/psa_util.h" 4#include "pk_internal.h" 5 6/* For error codes */ 7#include "mbedtls/asn1.h" 8#include "mbedtls/base64.h" 9#include "mbedtls/ecp.h" 10#include "mbedtls/error.h" 11#include "mbedtls/rsa.h" 12#include "rsa_internal.h" 13#include "pk_internal.h" 14 15#include <limits.h> 16#include <stdint.h> 17 18/* Needed only for test case data under #if defined(MBEDTLS_USE_PSA_CRYPTO), 19 * but the test code generator requires test case data to be valid C code 20 * unconditionally (https://github.com/Mbed-TLS/mbedtls/issues/2023). */ 21#include "psa/crypto.h" 22#include "mbedtls/psa_util.h" 23 24#include <test/psa_exercise_key.h> 25 26/* Needed for the definition of MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE. */ 27#include "pkwrite.h" 28 29/* Used for properly sizing the key buffer in pk_genkey_ec() */ 30#include "psa_util_internal.h" 31 32#define RSA_KEY_SIZE MBEDTLS_RSA_GEN_KEY_MIN_BITS 33#define RSA_KEY_LEN (MBEDTLS_RSA_GEN_KEY_MIN_BITS/8) 34 35#if defined(MBEDTLS_RSA_C) || \ 36 defined(MBEDTLS_PK_RSA_ALT_SUPPORT) || \ 37 defined(MBEDTLS_ECDSA_C) || \ 38 defined(MBEDTLS_USE_PSA_CRYPTO) 39#define PK_CAN_SIGN_SOME 40#endif 41 42/* MBEDTLS_TEST_PK_PSA_SIGN is enabled when: 43 * - The build has PK_[PARSE/WRITE]_C for RSA or ECDSA signature. 44 * - The build has built-in ECC and ECDSA signature. 45 */ 46#if (defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \ 47 ((defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)) || \ 48 defined(MBEDTLS_PK_CAN_ECDSA_SIGN))) || \ 49 (defined(MBEDTLS_ECP_C) && defined(MBEDTLS_PK_CAN_ECDSA_SIGN)) 50#define MBEDTLS_TEST_PK_PSA_SIGN 51#endif 52 53#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) 54/* Pick an elliptic curve that's supported by PSA. Note that the curve is 55 * not guaranteed to be supported by the ECP module. 56 * 57 * This should always find a curve if ECC is enabled in the build, except in 58 * one edge case: in a build with MBEDTLS_PSA_CRYPTO_CONFIG disabled and 59 * where the only legacy curve is secp224k1, which is not supported in PSA, 60 * PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY ends up enabled but PSA does not 61 * support any curve. 62 */ 63 64/* First try all the curves that can do both ECDSA and ECDH, then try 65 * the ECDH-only curves. (There are no curves that can do ECDSA but not ECDH.) 66 * This way, if ECDSA is enabled then the curve that's selected here will 67 * be ECDSA-capable, and likewise for ECDH. */ 68#if defined(PSA_WANT_ECC_SECP_R1_192) 69#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 70#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 71#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192R1 72#elif defined(PSA_WANT_ECC_SECP_R1_224) 73#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 74#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 75#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224R1 76#elif defined(PSA_WANT_ECC_SECP_R1_256) 77#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 78#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 79#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256R1 80#elif defined(PSA_WANT_ECC_SECP_R1_384) 81#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 82#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384 83#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP384R1 84#elif defined(PSA_WANT_ECC_SECP_R1_521) 85#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 86#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 521 87#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP521R1 88#elif defined(PSA_WANT_ECC_SECP_K1_192) 89#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 90#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 91#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192K1 92#elif defined(PSA_WANT_ECC_SECP_K1_224) 93#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 94#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 95#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224K1 96#elif defined(PSA_WANT_ECC_SECP_K1_256) 97#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 98#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 99#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256K1 100#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) 101#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 102#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 103#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP256R1 104#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) 105#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 106#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384 107#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP384R1 108#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) 109#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 110#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 512 111#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_BP512R1 112#elif defined(PSA_WANT_ECC_MONTGOMERY_255) 113#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY 114#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 255 115#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE25519 116#elif defined(PSA_WANT_ECC_MONTGOMERY_448) 117#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_MONTGOMERY 118#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 448 119#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_CURVE448 120#endif /* curve selection */ 121 122#if defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY) 123#define MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE 124#endif 125 126/* Pick a second curve, for tests that need two supported curves of the 127 * same size. For simplicity, we only handle a subset of configurations, 128 * and both curves will support both ECDH and ECDSA. */ 129#if defined(PSA_WANT_ECC_SECP_R1_192) && defined(PSA_WANT_ECC_SECP_K1_192) 130/* Identical redefinition of the ONE macros, to confirm that they have 131 * the values we expect here. */ 132#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 133#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 134#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 135#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES 136#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_K1_256) 137#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 138#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 139#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 140#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES 141#endif 142 143/* Pick a second bit-size, for tests that need two supported curves of the 144 * same family. For simplicity, we only handle a subset of configurations, 145 * and both curves will support both ECDH and ECDSA. */ 146#if defined(PSA_WANT_ECC_SECP_R1_192) && defined(PSA_WANT_ECC_SECP_R1_256) 147/* Identical redefinition of the ONE macros, to confirm that they have 148 * the values we expect here. */ 149#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 150#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 151#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 256 152#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS 153#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_R1_384) 154#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 155#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 156#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 384 157#define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_BITS 158#endif 159 160#endif /* defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */ 161 162/* Always define the macros so that we can use them in test data. */ 163#if !defined(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY) 164#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY 0 165#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 0 166#define MBEDTLS_TEST_ECP_DP_ONE_CURVE 0 167#endif 168#if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY) 169#define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY 0 170#endif 171#if !defined(MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS) 172#define MBEDTLS_TEST_PSA_ECC_ANOTHER_CURVE_BITS 0 173#endif 174 175/* Get an available MD alg to be used in sign/verify tests. */ 176#if defined(MBEDTLS_MD_CAN_SHA1) 177#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA1 178#elif defined(MBEDTLS_MD_CAN_SHA224) 179#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA224 180#elif defined(MBEDTLS_MD_CAN_SHA256) 181#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA256 182#elif defined(MBEDTLS_MD_CAN_SHA384) 183#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA384 184#elif defined(MBEDTLS_MD_CAN_SHA512) 185#define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA512 186#endif 187 188#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 189static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) 190{ 191 psa_status_t status; 192 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; 193 size_t curve_bits; 194 psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp_id, &curve_bits); 195 int ret; 196 197 if (curve == 0) { 198 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 199 } 200 201 psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); 202 psa_set_key_bits(&key_attr, curve_bits); 203 psa_key_usage_t usage = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; 204 psa_algorithm_t sign_alg = 0; 205 psa_algorithm_t derive_alg = 0; 206 if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECDSA) { 207 usage |= PSA_KEY_USAGE_DERIVE; 208 derive_alg = PSA_ALG_ECDH; 209 } 210 if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECKEY_DH && 211 curve != PSA_ECC_FAMILY_MONTGOMERY) { 212 usage |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; 213#if defined(MBEDTLS_ECDSA_DETERMINISTIC) 214 sign_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH); 215#else 216 sign_alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH); 217#endif 218 } 219 if (derive_alg != 0) { 220 psa_set_key_algorithm(&key_attr, derive_alg); 221 if (sign_alg != 0) { 222 psa_set_key_enrollment_algorithm(&key_attr, sign_alg); 223 } 224 } else { 225 psa_set_key_algorithm(&key_attr, sign_alg); 226 } 227 psa_set_key_usage_flags(&key_attr, usage); 228 229 status = psa_generate_key(&key_attr, &pk->priv_id); 230 if (status != PSA_SUCCESS) { 231 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 232 } 233 234 status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), 235 &pk->pub_raw_len); 236 if (status != PSA_SUCCESS) { 237 ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 238 goto exit; 239 } 240 241 pk->ec_family = curve; 242 pk->ec_bits = curve_bits; 243 244 return 0; 245 246exit: 247 status = psa_destroy_key(pk->priv_id); 248 return (ret != 0) ? ret : psa_pk_status_to_mbedtls(status); 249} 250#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ 251 252/** Generate a key of the desired type. 253 * 254 * \param pk The PK object to fill. It must have been initialized 255 * with mbedtls_pk_setup(). 256 * \param curve_or_keybits - For RSA keys, the key size in bits. 257 * - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx). 258 * 259 * \return The status from the underlying type-specific key 260 * generation function. 261 * \return -1 if the key type is not recognized. 262 */ 263static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits) 264{ 265 (void) pk; 266 (void) curve_or_keybits; 267 268#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) 269 if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) { 270 return mbedtls_rsa_gen_key(mbedtls_pk_rsa(*pk), 271 mbedtls_test_rnd_std_rand, NULL, 272 curve_or_keybits, 3); 273 } 274#endif 275#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 276 if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY || 277 mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH || 278 mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) { 279 int ret; 280 281#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 282 ret = pk_genkey_ec(pk, curve_or_keybits); 283 if (ret != 0) { 284 return ret; 285 } 286 287 return 0; 288#else 289 ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, curve_or_keybits); 290 if (ret != 0) { 291 return ret; 292 } 293 return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec_rw(*pk)->grp, 294 &mbedtls_pk_ec_rw(*pk)->d, 295 &mbedtls_pk_ec_rw(*pk)->Q, 296 mbedtls_test_rnd_std_rand, NULL); 297#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ 298 299 } 300#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 301 return -1; 302} 303 304#if defined(MBEDTLS_PSA_CRYPTO_C) 305static psa_key_usage_t pk_get_psa_attributes_implied_usage( 306 psa_key_usage_t expected_usage) 307{ 308 /* Usage implied universally */ 309 if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { 310 expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; 311 } 312 if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { 313 expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; 314 } 315 /* Usage implied by mbedtls_pk_get_psa_attributes() */ 316 if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { 317 expected_usage |= PSA_KEY_USAGE_VERIFY_HASH; 318 } 319 if (expected_usage & PSA_KEY_USAGE_SIGN_MESSAGE) { 320 expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; 321 } 322 if (expected_usage & PSA_KEY_USAGE_DECRYPT) { 323 expected_usage |= PSA_KEY_USAGE_ENCRYPT; 324 } 325 expected_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; 326 return expected_usage; 327} 328 329#define RSA_WRITE_PUBKEY_MAX_SIZE \ 330 PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) 331#define ECP_WRITE_PUBKEY_MAX_SIZE \ 332 PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) 333static int pk_public_same(const mbedtls_pk_context *pk1, 334 const mbedtls_pk_context *pk2) 335{ 336 int ok = 0; 337 338 mbedtls_pk_type_t type = mbedtls_pk_get_type(pk1); 339 TEST_EQUAL(type, mbedtls_pk_get_type(pk2)); 340 341 switch (type) { 342#if defined(MBEDTLS_RSA_C) 343 case MBEDTLS_PK_RSA: 344 { 345 const mbedtls_rsa_context *rsa1 = mbedtls_pk_rsa(*pk1); 346 const mbedtls_rsa_context *rsa2 = mbedtls_pk_rsa(*pk2); 347 TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa1), 348 mbedtls_rsa_get_padding_mode(rsa2)); 349 TEST_EQUAL(mbedtls_rsa_get_md_alg(rsa1), 350 mbedtls_rsa_get_md_alg(rsa2)); 351 unsigned char buf1[RSA_WRITE_PUBKEY_MAX_SIZE]; 352 unsigned char *p1 = buf1 + sizeof(buf1); 353 int len1 = mbedtls_rsa_write_pubkey(rsa1, buf1, &p1); 354 TEST_LE_U(0, len1); 355 unsigned char buf2[RSA_WRITE_PUBKEY_MAX_SIZE]; 356 unsigned char *p2 = buf2 + sizeof(buf2); 357 int len2 = mbedtls_rsa_write_pubkey(rsa2, buf2, &p2); 358 TEST_LE_U(0, len2); 359 TEST_MEMORY_COMPARE(p1, len1, p2, len2); 360 break; 361 } 362#endif /* MBEDTLS_RSA_C */ 363 364#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 365 case MBEDTLS_PK_ECKEY: 366 case MBEDTLS_PK_ECKEY_DH: 367 case MBEDTLS_PK_ECDSA: 368 { 369#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 370 TEST_MEMORY_COMPARE(pk1->pub_raw, pk1->pub_raw_len, 371 pk2->pub_raw, pk2->pub_raw_len); 372 TEST_EQUAL(pk1->ec_family, pk2->ec_family); 373 TEST_EQUAL(pk1->ec_bits, pk2->ec_bits); 374 375#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ 376 const mbedtls_ecp_keypair *ec1 = mbedtls_pk_ec_ro(*pk1); 377 const mbedtls_ecp_keypair *ec2 = mbedtls_pk_ec_ro(*pk2); 378 TEST_EQUAL(mbedtls_ecp_keypair_get_group_id(ec1), 379 mbedtls_ecp_keypair_get_group_id(ec2)); 380 unsigned char buf1[ECP_WRITE_PUBKEY_MAX_SIZE]; 381 size_t len1 = 99999991; 382 TEST_EQUAL(mbedtls_ecp_write_public_key( 383 ec1, MBEDTLS_ECP_PF_UNCOMPRESSED, 384 &len1, buf1, sizeof(buf1)), 0); 385 unsigned char buf2[ECP_WRITE_PUBKEY_MAX_SIZE]; 386 size_t len2 = 99999992; 387 TEST_EQUAL(mbedtls_ecp_write_public_key( 388 ec2, MBEDTLS_ECP_PF_UNCOMPRESSED, 389 &len2, buf2, sizeof(buf2)), 0); 390 TEST_MEMORY_COMPARE(buf1, len1, buf2, len2); 391#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ 392 } 393 break; 394#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 395 396 default: 397 TEST_FAIL("Unsupported pk type in pk_public_same"); 398 } 399 400 ok = 1; 401 402exit: 403 return ok; 404} 405#endif /* MBEDTLS_PSA_CRYPTO_C */ 406 407#if defined(MBEDTLS_RSA_C) 408int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, 409 const unsigned char *input, unsigned char *output, 410 size_t output_max_len) 411{ 412 return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, 413 mbedtls_test_rnd_std_rand, NULL, 414 olen, input, output, output_max_len); 415} 416int mbedtls_rsa_sign_func(void *ctx, 417 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 418 mbedtls_md_type_t md_alg, unsigned int hashlen, 419 const unsigned char *hash, unsigned char *sig) 420{ 421 ((void) f_rng); 422 ((void) p_rng); 423 return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx, 424 mbedtls_test_rnd_std_rand, NULL, 425 md_alg, hashlen, hash, sig); 426} 427size_t mbedtls_rsa_key_len_func(void *ctx) 428{ 429 return ((const mbedtls_rsa_context *) ctx)->len; 430} 431#endif /* MBEDTLS_RSA_C */ 432 433typedef enum { 434 /* The values are compatible with thinking of "from pair" as a boolean. */ 435 FROM_PUBLIC = 0, 436 FROM_PAIR = 1 437} from_pair_t; 438 439#if defined(MBEDTLS_PSA_CRYPTO_C) 440static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, 441 mbedtls_pk_context *pk, psa_key_type_t *psa_type) 442{ 443 if (pk_type == MBEDTLS_PK_NONE) { 444 return 0; 445 } 446 TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0); 447 448 switch (pk_type) { 449#if defined(MBEDTLS_RSA_C) 450 case MBEDTLS_PK_RSA: 451 { 452 *psa_type = PSA_KEY_TYPE_RSA_KEY_PAIR; 453 mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); 454 if (want_pair) { 455#if defined(MBEDTLS_GENPRIME) 456 TEST_EQUAL(mbedtls_rsa_gen_key( 457 rsa, 458 mbedtls_test_rnd_std_rand, NULL, 459 MBEDTLS_RSA_GEN_KEY_MIN_BITS, 65537), 0); 460#else 461 TEST_FAIL("I don't know how to create an RSA key pair in this configuration."); 462#endif 463 } else { 464 unsigned char N[PSA_BITS_TO_BYTES(MBEDTLS_RSA_GEN_KEY_MIN_BITS)] = { 0xff }; 465 N[sizeof(N) - 1] = 0x03; 466 const unsigned char E[1] = { 0x03 }; 467 TEST_EQUAL(mbedtls_rsa_import_raw(rsa, 468 N, sizeof(N), 469 NULL, 0, NULL, 0, NULL, 0, 470 E, sizeof(E)), 0); 471 TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); 472 } 473 break; 474 } 475#endif /* MBEDTLS_RSA_C */ 476 477#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 478 case MBEDTLS_PK_ECKEY: 479 case MBEDTLS_PK_ECKEY_DH: 480 case MBEDTLS_PK_ECDSA: 481 { 482 mbedtls_ecp_group_id grp_id = MBEDTLS_TEST_ECP_DP_ONE_CURVE; 483 size_t bits; 484 *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits)); 485 TEST_EQUAL(pk_genkey(pk, grp_id), 0); 486 if (!want_pair) { 487#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 488 psa_key_attributes_t pub_attributes = PSA_KEY_ATTRIBUTES_INIT; 489 psa_set_key_type(&pub_attributes, 490 PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type)); 491 psa_set_key_usage_flags(&pub_attributes, 492 PSA_KEY_USAGE_EXPORT | 493 PSA_KEY_USAGE_COPY | 494 PSA_KEY_USAGE_VERIFY_MESSAGE | 495 PSA_KEY_USAGE_VERIFY_HASH); 496 psa_set_key_algorithm(&pub_attributes, PSA_ALG_ECDSA_ANY); 497 PSA_ASSERT(psa_destroy_key(pk->priv_id)); 498 pk->priv_id = MBEDTLS_SVC_KEY_ID_INIT; 499#else 500 mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); 501 mbedtls_mpi_free(&ec->d); 502#endif 503 } 504 break; 505 } 506#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 507 508 default: 509 TEST_FAIL("Unknown PK type in test data"); 510 break; 511 } 512 513 if (!want_pair) { 514 *psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type); 515 } 516 return 0; 517 518exit: 519 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 520} 521#endif 522 523#if defined(MBEDTLS_PSA_CRYPTO_C) 524/* Create a new PSA key which will contain only the public part of the private 525 * key which is provided in input. For this new key: 526 * - Type is the public counterpart of the private key. 527 * - Usage is the copied from the original private key, but the PSA_KEY_USAGE_EXPORT 528 * flag is removed. This is to prove that mbedtls_pk_copy_from_psa() doesn't 529 * require the key to have the EXPORT flag. 530 * - Algorithm is copied from the original key pair. 531 */ 532static mbedtls_svc_key_id_t psa_pub_key_from_priv(mbedtls_svc_key_id_t priv_id) 533{ 534 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 535 psa_key_type_t type; 536 psa_algorithm_t alg; 537 psa_key_usage_t usage; 538 unsigned char pub_key_buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; 539 size_t pub_key_len; 540 mbedtls_svc_key_id_t pub_key = MBEDTLS_SVC_KEY_ID_INIT; 541 542 /* Get attributes from the private key. */ 543 PSA_ASSERT(psa_get_key_attributes(priv_id, &attributes)); 544 type = psa_get_key_type(&attributes); 545 usage = psa_get_key_usage_flags(&attributes); 546 alg = psa_get_key_algorithm(&attributes); 547 psa_reset_key_attributes(&attributes); 548 549 /* Export the public key and then import it in a new slot. */ 550 PSA_ASSERT(psa_export_public_key(priv_id, pub_key_buf, sizeof(pub_key_buf), &pub_key_len)); 551 552 /* Notes: 553 * - psa_import_key() automatically determines the key's bit length 554 * from the provided key data. That's why psa_set_key_bits() is not used 555 * below. 556 */ 557 type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type); 558 usage &= ~PSA_KEY_USAGE_EXPORT; 559 psa_set_key_type(&attributes, type); 560 psa_set_key_usage_flags(&attributes, usage); 561 psa_set_key_algorithm(&attributes, alg); 562 563 PSA_ASSERT(psa_import_key(&attributes, pub_key_buf, pub_key_len, &pub_key)); 564 565exit: 566 psa_reset_key_attributes(&attributes); 567 return pub_key; 568} 569 570/* Create a copy of a PSA key with same usage and algorithm policy and destroy 571 * the original one. */ 572mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id) 573{ 574 psa_key_attributes_t orig_attr = PSA_KEY_ATTRIBUTES_INIT; 575 psa_key_attributes_t new_attr = PSA_KEY_ATTRIBUTES_INIT; 576 mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; 577 578 PSA_ASSERT(psa_get_key_attributes(orig_key_id, &orig_attr)); 579 psa_set_key_usage_flags(&new_attr, psa_get_key_usage_flags(&orig_attr)); 580 psa_set_key_algorithm(&new_attr, psa_get_key_algorithm(&orig_attr)); 581 582 PSA_ASSERT(psa_copy_key(orig_key_id, &new_attr, &new_key_id)); 583 psa_destroy_key(orig_key_id); 584 585exit: 586 psa_reset_key_attributes(&orig_attr); 587 psa_reset_key_attributes(&new_attr); 588 return new_key_id; 589} 590 591psa_status_t pk_psa_import_key(unsigned char *key_data, size_t key_len, 592 psa_key_type_t type, psa_key_usage_t usage, 593 psa_algorithm_t alg, mbedtls_svc_key_id_t *key) 594{ 595 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 596 psa_status_t status; 597 598 *key = MBEDTLS_SVC_KEY_ID_INIT; 599 600 /* Note: psa_import_key() automatically determines the key's bit length 601 * from the provided key data. That's why psa_set_key_bits() is not used below. */ 602 psa_set_key_usage_flags(&attributes, usage); 603 psa_set_key_algorithm(&attributes, alg); 604 psa_set_key_type(&attributes, type); 605 status = psa_import_key(&attributes, key_data, key_len, key); 606 607 return status; 608} 609 610psa_status_t pk_psa_genkey_generic(psa_key_type_t type, size_t bits, 611 psa_key_usage_t usage, psa_algorithm_t alg, 612 mbedtls_svc_key_id_t *key) 613{ 614 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 615 psa_status_t status; 616 617 *key = MBEDTLS_SVC_KEY_ID_INIT; 618 619 psa_set_key_usage_flags(&attributes, usage); 620 psa_set_key_algorithm(&attributes, alg); 621 psa_set_key_type(&attributes, type); 622 psa_set_key_bits(&attributes, bits); 623 status = psa_generate_key(&attributes, key); 624 625 return status; 626} 627 628/* 629 * Generate an ECC key using PSA and return the key identifier of that key, 630 * or 0 if the key generation failed. 631 * The key uses NIST P-256 and is usable for signing with SHA-256. 632 */ 633mbedtls_svc_key_id_t pk_psa_genkey_ecc(void) 634{ 635 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 636 637 pk_psa_genkey_generic(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256, 638 PSA_KEY_USAGE_SIGN_HASH, PSA_ALG_ECDSA(PSA_ALG_SHA_256), 639 &key); 640 641 return key; 642} 643 644/* 645 * Generate an RSA key using PSA and return the key identifier of that key, 646 * or 0 if the key generation failed. 647 */ 648mbedtls_svc_key_id_t pk_psa_genkey_rsa(void) 649{ 650 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 651 652 pk_psa_genkey_generic(PSA_KEY_TYPE_RSA_KEY_PAIR, 1024, PSA_KEY_USAGE_SIGN_HASH, 653 PSA_ALG_RSA_PKCS1V15_SIGN_RAW, &key); 654 655 return key; 656} 657#endif /* MBEDTLS_PSA_CRYPTO_C */ 658/* END_HEADER */ 659 660/* BEGIN_DEPENDENCIES 661 * depends_on:MBEDTLS_PK_C 662 * END_DEPENDENCIES 663 */ 664 665/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ 666void pk_psa_utils(int key_is_rsa) 667{ 668 mbedtls_pk_context pk, pk2; 669 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 670 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 671 672 const char * const name = "Opaque"; 673 size_t bitlen; 674 675 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 676 unsigned char b1[1], b2[1]; 677 size_t len; 678 mbedtls_pk_debug_item dbg; 679 680 mbedtls_pk_init(&pk); 681 mbedtls_pk_init(&pk2); 682 USE_PSA_INIT(); 683 684 TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, MBEDTLS_SVC_KEY_ID_INIT) == 685 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 686 687 mbedtls_pk_free(&pk); 688 mbedtls_pk_init(&pk); 689 690 if (key_is_rsa) { 691 bitlen = 1024; /* hardcoded in genkey() */ 692 key = pk_psa_genkey_rsa(); 693 } else { 694 bitlen = 256; /* hardcoded in genkey() */ 695 key = pk_psa_genkey_ecc(); 696 } 697 if (mbedtls_svc_key_id_is_null(key)) { 698 goto exit; 699 } 700 701 TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, key) == 0); 702 703 TEST_ASSERT(mbedtls_pk_get_type(&pk) == MBEDTLS_PK_OPAQUE); 704 TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0); 705 706 TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == bitlen); 707 TEST_ASSERT(mbedtls_pk_get_len(&pk) == (bitlen + 7) / 8); 708 709 if (key_is_rsa) { 710 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 0); 711 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA) == 0); 712 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA) == 1); 713 } else { 714 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 1); 715 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA) == 1); 716 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA) == 0); 717 } 718 719 /* unsupported operations: verify, decrypt, encrypt */ 720 if (key_is_rsa == 1) { 721 TEST_ASSERT(mbedtls_pk_verify(&pk, md_alg, 722 b1, sizeof(b1), b2, sizeof(b2)) 723 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 724 } else { 725 TEST_ASSERT(mbedtls_pk_decrypt(&pk, b1, sizeof(b1), 726 b2, &len, sizeof(b2), 727 NULL, NULL) 728 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 729 } 730 TEST_ASSERT(mbedtls_pk_encrypt(&pk, b1, sizeof(b1), 731 b2, &len, sizeof(b2), 732 NULL, NULL) 733 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 734 735 /* unsupported functions: check_pair, debug */ 736 if (key_is_rsa) { 737 TEST_ASSERT(mbedtls_pk_setup(&pk2, 738 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 739 } else { 740 TEST_ASSERT(mbedtls_pk_setup(&pk2, 741 mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); 742 } 743 TEST_ASSERT(mbedtls_pk_check_pair(&pk, &pk2, 744 mbedtls_test_rnd_std_rand, NULL) 745 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 746 TEST_ASSERT(mbedtls_pk_debug(&pk, &dbg) 747 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 748 749 /* test that freeing the context does not destroy the key */ 750 mbedtls_pk_free(&pk); 751 TEST_ASSERT(PSA_SUCCESS == psa_get_key_attributes(key, &attributes)); 752 TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key)); 753 754exit: 755 /* 756 * Key attributes may have been returned by psa_get_key_attributes() 757 * thus reset them as required. 758 */ 759 psa_reset_key_attributes(&attributes); 760 761 mbedtls_pk_free(&pk); /* redundant except upon error */ 762 mbedtls_pk_free(&pk2); 763 USE_PSA_DONE(); 764} 765/* END_CASE */ 766 767/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ 768void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg, 769 int key_alg2, int curve_or_keybits, int alg_check, int usage_check, 770 int result) 771{ 772 mbedtls_pk_context pk; 773 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 774 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 775 776 mbedtls_pk_init(&pk); 777 USE_PSA_INIT(); 778 779 if (opaque_key == 1) { 780 psa_set_key_usage_flags(&attributes, key_usage); 781 psa_set_key_algorithm(&attributes, key_alg); 782 if (key_alg2 != 0) { 783 psa_set_key_enrollment_algorithm(&attributes, key_alg2); 784 } 785 psa_set_key_type(&attributes, key_type); 786 psa_set_key_bits(&attributes, curve_or_keybits); 787 788 PSA_ASSERT(psa_generate_key(&attributes, &key)); 789 790 if (mbedtls_svc_key_id_is_null(key)) { 791 goto exit; 792 } 793 794 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key), 0); 795 796 TEST_EQUAL(mbedtls_pk_get_type(&pk), MBEDTLS_PK_OPAQUE); 797 } else { 798 TEST_EQUAL(mbedtls_pk_setup(&pk, 799 mbedtls_pk_info_from_type(key_type)), 0); 800 TEST_EQUAL(pk_genkey(&pk, curve_or_keybits), 0); 801 TEST_EQUAL(mbedtls_pk_get_type(&pk), key_type); 802 } 803 804 TEST_EQUAL(mbedtls_pk_can_do_ext(&pk, alg_check, usage_check), result); 805 806exit: 807 psa_reset_key_attributes(&attributes); 808 PSA_ASSERT(psa_destroy_key(key)); 809 mbedtls_pk_free(&pk); 810 USE_PSA_DONE(); 811} 812/* END_CASE */ 813 814/* BEGIN_CASE */ 815void pk_invalid_param() 816{ 817 mbedtls_pk_context ctx; 818 mbedtls_pk_type_t pk_type = 0; 819 unsigned char buf[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; 820 size_t buf_size = sizeof(buf); 821 822 mbedtls_pk_init(&ctx); 823 USE_PSA_INIT(); 824 825 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 826 mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_NONE, 827 NULL, buf_size, 828 buf, buf_size, 829 NULL)); 830 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 831 mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_SHA256, 832 NULL, 0, 833 buf, buf_size, 834 NULL)); 835 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 836 mbedtls_pk_verify_ext(pk_type, NULL, 837 &ctx, MBEDTLS_MD_NONE, 838 NULL, buf_size, 839 buf, buf_size)); 840 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 841 mbedtls_pk_verify_ext(pk_type, NULL, 842 &ctx, MBEDTLS_MD_SHA256, 843 NULL, 0, 844 buf, buf_size)); 845 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 846 mbedtls_pk_sign_restartable(&ctx, MBEDTLS_MD_NONE, 847 NULL, buf_size, 848 buf, buf_size, &buf_size, 849 NULL, NULL, 850 NULL)); 851 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 852 mbedtls_pk_sign_restartable(&ctx, MBEDTLS_MD_SHA256, 853 NULL, 0, 854 buf, buf_size, &buf_size, 855 NULL, NULL, 856 NULL)); 857 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 858 mbedtls_pk_sign_ext(pk_type, &ctx, MBEDTLS_MD_NONE, 859 NULL, buf_size, 860 buf, buf_size, &buf_size, 861 NULL, NULL)); 862 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 863 mbedtls_pk_sign_ext(pk_type, &ctx, MBEDTLS_MD_SHA256, 864 NULL, 0, 865 buf, buf_size, &buf_size, 866 NULL, NULL)); 867exit: 868 mbedtls_pk_free(&ctx); 869 USE_PSA_DONE(); 870} 871/* END_CASE */ 872 873/* BEGIN_CASE */ 874void valid_parameters() 875{ 876 mbedtls_pk_context pk; 877 unsigned char buf[1]; 878 size_t len; 879 void *options = NULL; 880 881 mbedtls_pk_init(&pk); 882 USE_PSA_INIT(); 883 884 TEST_ASSERT(mbedtls_pk_setup(&pk, NULL) == 885 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 886 887 /* In informational functions, we accept NULL where a context pointer 888 * is expected because that's what the library has done forever. 889 * We do not document that NULL is accepted, so we may wish to change 890 * the behavior in a future version. */ 891 TEST_ASSERT(mbedtls_pk_get_bitlen(NULL) == 0); 892 TEST_ASSERT(mbedtls_pk_get_len(NULL) == 0); 893 TEST_ASSERT(mbedtls_pk_can_do(NULL, MBEDTLS_PK_NONE) == 0); 894 895 TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, 896 MBEDTLS_MD_NONE, 897 NULL, 0, 898 buf, sizeof(buf), &len, 899 mbedtls_test_rnd_std_rand, NULL, 900 NULL) == 901 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 902 903 TEST_ASSERT(mbedtls_pk_sign(&pk, 904 MBEDTLS_MD_NONE, 905 NULL, 0, 906 buf, sizeof(buf), &len, 907 mbedtls_test_rnd_std_rand, NULL) == 908 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 909 910 TEST_ASSERT(mbedtls_pk_sign_ext(MBEDTLS_PK_NONE, &pk, 911 MBEDTLS_MD_NONE, 912 NULL, 0, 913 buf, sizeof(buf), &len, 914 mbedtls_test_rnd_std_rand, NULL) == 915 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 916 917 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, 918 MBEDTLS_MD_NONE, 919 NULL, 0, 920 buf, sizeof(buf), 921 NULL) == 922 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 923 924 TEST_ASSERT(mbedtls_pk_verify(&pk, 925 MBEDTLS_MD_NONE, 926 NULL, 0, 927 buf, sizeof(buf)) == 928 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 929 930 TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_NONE, options, 931 &pk, 932 MBEDTLS_MD_NONE, 933 NULL, 0, 934 buf, sizeof(buf)) == 935 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 936 937 TEST_ASSERT(mbedtls_pk_encrypt(&pk, 938 NULL, 0, 939 NULL, &len, 0, 940 mbedtls_test_rnd_std_rand, NULL) == 941 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 942 943 TEST_ASSERT(mbedtls_pk_decrypt(&pk, 944 NULL, 0, 945 NULL, &len, 0, 946 mbedtls_test_rnd_std_rand, NULL) == 947 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 948 949#if defined(MBEDTLS_PK_PARSE_C) 950 TEST_ASSERT(mbedtls_pk_parse_key(&pk, NULL, 0, NULL, 1, 951 mbedtls_test_rnd_std_rand, NULL) == 952 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT); 953 954 TEST_ASSERT(mbedtls_pk_parse_public_key(&pk, NULL, 0) == 955 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT); 956#endif /* MBEDTLS_PK_PARSE_C */ 957 USE_PSA_DONE(); 958} 959/* END_CASE */ 960 961/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C:MBEDTLS_PK_PARSE_C */ 962void valid_parameters_pkwrite(data_t *key_data) 963{ 964 mbedtls_pk_context pk; 965 966 /* For the write tests to be effective, we need a valid key pair. */ 967 mbedtls_pk_init(&pk); 968 USE_PSA_INIT(); 969 970 TEST_ASSERT(mbedtls_pk_parse_key(&pk, 971 key_data->x, key_data->len, NULL, 0, 972 mbedtls_test_rnd_std_rand, NULL) == 0); 973 974 TEST_ASSERT(mbedtls_pk_write_key_der(&pk, NULL, 0) == 975 MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 976 977 TEST_ASSERT(mbedtls_pk_write_pubkey_der(&pk, NULL, 0) == 978 MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 979 980#if defined(MBEDTLS_PEM_WRITE_C) 981 TEST_ASSERT(mbedtls_pk_write_key_pem(&pk, NULL, 0) == 982 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL); 983 984 TEST_ASSERT(mbedtls_pk_write_pubkey_pem(&pk, NULL, 0) == 985 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL); 986#endif /* MBEDTLS_PEM_WRITE_C */ 987 988exit: 989 mbedtls_pk_free(&pk); 990 USE_PSA_DONE(); 991} 992/* END_CASE */ 993 994/* BEGIN_CASE */ 995void pk_utils(int type, int curve_or_keybits, int bitlen, int len, char *name) 996{ 997 mbedtls_pk_context pk; 998 999 mbedtls_pk_init(&pk); 1000 USE_PSA_INIT(); 1001 1002 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 1003 TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0); 1004 1005 TEST_ASSERT((int) mbedtls_pk_get_type(&pk) == type); 1006 TEST_ASSERT(mbedtls_pk_can_do(&pk, type)); 1007 TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == (unsigned) bitlen); 1008 TEST_ASSERT(mbedtls_pk_get_len(&pk) == (unsigned) len); 1009 TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0); 1010 1011exit: 1012 mbedtls_pk_free(&pk); 1013 USE_PSA_DONE(); 1014} 1015/* END_CASE */ 1016 1017/* BEGIN_CASE depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_FS_IO */ 1018void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) 1019{ 1020 mbedtls_pk_context pub, prv, alt; 1021#if defined(MBEDTLS_USE_PSA_CRYPTO) 1022 mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; 1023 psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT; 1024#endif /* MBEDTLS_USE_PSA_CRYPTO */ 1025 1026 mbedtls_pk_init(&pub); 1027 mbedtls_pk_init(&prv); 1028 mbedtls_pk_init(&alt); 1029 USE_PSA_INIT(); 1030 1031#if defined(MBEDTLS_USE_PSA_CRYPTO) 1032 /* mbedtls_pk_check_pair() returns either PK or ECP error codes depending 1033 on MBEDTLS_USE_PSA_CRYPTO so here we dynamically translate between the 1034 two */ 1035 if (ret == MBEDTLS_ERR_ECP_BAD_INPUT_DATA) { 1036 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; 1037 } 1038#endif /* MBEDTLS_USE_PSA_CRYPTO */ 1039 1040 TEST_ASSERT(mbedtls_pk_parse_public_keyfile(&pub, pub_file) == 0); 1041 TEST_ASSERT(mbedtls_pk_parse_keyfile(&prv, prv_file, NULL, 1042 mbedtls_test_rnd_std_rand, NULL) 1043 == 0); 1044 1045 TEST_ASSERT(mbedtls_pk_check_pair(&pub, &prv, 1046 mbedtls_test_rnd_std_rand, NULL) 1047 == ret); 1048 1049#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 1050 if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_RSA) { 1051 TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&alt, mbedtls_pk_rsa(prv), 1052 mbedtls_rsa_decrypt_func, mbedtls_rsa_sign_func, 1053 mbedtls_rsa_key_len_func) == 0); 1054 TEST_ASSERT(mbedtls_pk_check_pair(&pub, &alt, 1055 mbedtls_test_rnd_std_rand, NULL) 1056 == ret); 1057 } 1058#endif 1059#if defined(MBEDTLS_USE_PSA_CRYPTO) 1060 if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) { 1061 /* Turn the prv PK context into an opaque one.*/ 1062 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH, 1063 &opaque_key_attr), 0); 1064 TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0); 1065 mbedtls_pk_free(&prv); 1066 mbedtls_pk_init(&prv); 1067 TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0); 1068 TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, 1069 NULL), ret); 1070 } 1071#endif 1072 1073exit: 1074#if defined(MBEDTLS_USE_PSA_CRYPTO) 1075 psa_destroy_key(opaque_key_id); 1076#endif /* MBEDTLS_USE_PSA_CRYPTO */ 1077 mbedtls_pk_free(&pub); 1078 mbedtls_pk_free(&prv); 1079 mbedtls_pk_free(&alt); 1080 USE_PSA_DONE(); 1081} 1082/* END_CASE */ 1083 1084/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1085void pk_rsa_verify_test_vec(data_t *message_str, int padding, int digest, 1086 int mod, char *input_N, char *input_E, 1087 data_t *result_str, int expected_result) 1088{ 1089 mbedtls_rsa_context *rsa; 1090 mbedtls_pk_context pk; 1091 mbedtls_pk_restart_ctx *rs_ctx = NULL; 1092#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1093 mbedtls_pk_restart_ctx ctx; 1094 1095 rs_ctx = &ctx; 1096 mbedtls_pk_restart_init(rs_ctx); 1097 // this setting would ensure restart would happen if ECC was used 1098 mbedtls_ecp_set_max_ops(1); 1099#endif 1100 1101 mbedtls_pk_init(&pk); 1102 MD_OR_USE_PSA_INIT(); 1103 1104 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1105 rsa = mbedtls_pk_rsa(pk); 1106 1107 rsa->len = (mod + 7) / 8; 1108 if (padding >= 0) { 1109 TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_NONE), 0); 1110 } 1111 1112 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); 1113 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); 1114 1115 int actual_result; 1116 actual_result = mbedtls_pk_verify(&pk, digest, message_str->x, 0, 1117 result_str->x, mbedtls_pk_get_len(&pk)); 1118#if !defined(MBEDTLS_USE_PSA_CRYPTO) 1119 if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING && 1120 expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) { 1121 /* Tolerate INVALID_PADDING error for an invalid signature with 1122 * the legacy API (but not with PSA). */ 1123 } else 1124#endif 1125 { 1126 TEST_EQUAL(actual_result, expected_result); 1127 } 1128 1129 actual_result = mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0, 1130 result_str->x, 1131 mbedtls_pk_get_len(&pk), 1132 rs_ctx); 1133#if !defined(MBEDTLS_USE_PSA_CRYPTO) 1134 if (actual_result == MBEDTLS_ERR_RSA_INVALID_PADDING && 1135 expected_result == MBEDTLS_ERR_RSA_VERIFY_FAILED) { 1136 /* Tolerate INVALID_PADDING error for an invalid signature with 1137 * the legacy API (but not with PSA). */ 1138 } else 1139#endif 1140 { 1141 TEST_EQUAL(actual_result, expected_result); 1142 } 1143 1144exit: 1145#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1146 mbedtls_pk_restart_free(rs_ctx); 1147#endif 1148 mbedtls_pk_free(&pk); 1149 MD_OR_USE_PSA_DONE(); 1150} 1151/* END_CASE */ 1152 1153/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1154void pk_rsa_verify_ext_test_vec(data_t *message_str, int digest, 1155 int mod, char *input_N, 1156 char *input_E, data_t *result_str, 1157 int pk_type, int mgf1_hash_id, 1158 int salt_len, int sig_len, 1159 int result) 1160{ 1161 mbedtls_rsa_context *rsa; 1162 mbedtls_pk_context pk; 1163 mbedtls_pk_rsassa_pss_options pss_opts; 1164 void *options; 1165 int ret; 1166 1167 mbedtls_pk_init(&pk); 1168 MD_OR_USE_PSA_INIT(); 1169 1170 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1171 rsa = mbedtls_pk_rsa(pk); 1172 1173 rsa->len = (mod + 7) / 8; 1174 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); 1175 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); 1176 1177 1178 if (mgf1_hash_id < 0) { 1179 options = NULL; 1180 } else { 1181 options = &pss_opts; 1182 1183 pss_opts.mgf1_hash_id = mgf1_hash_id; 1184 pss_opts.expected_salt_len = salt_len; 1185 } 1186 1187 ret = mbedtls_pk_verify_ext(pk_type, options, &pk, 1188 digest, message_str->x, message_str->len, 1189 result_str->x, sig_len); 1190 1191#if defined(MBEDTLS_USE_PSA_CRYPTO) 1192 if (result == MBEDTLS_ERR_RSA_INVALID_PADDING) { 1193 /* Mbed TLS distinguishes "invalid padding" from "valid padding but 1194 * the rest of the signature is invalid". This has little use in 1195 * practice and PSA doesn't report this distinction. 1196 * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated 1197 * to MBEDTLS_ERR_RSA_VERIFY_FAILED. 1198 * However, currently `mbedtls_pk_verify_ext()` may use either the 1199 * PSA or the Mbed TLS API, depending on the PSS options used. 1200 * So, it may return either INVALID_PADDING or INVALID_SIGNATURE. 1201 */ 1202 TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED); 1203 } else 1204#endif 1205 { 1206 TEST_EQUAL(ret, result); 1207 } 1208 1209exit: 1210 mbedtls_pk_free(&pk); 1211 MD_OR_USE_PSA_DONE(); 1212} 1213/* END_CASE */ 1214 1215/* BEGIN_CASE depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY */ 1216void pk_ec_test_vec(int type, int id, data_t *key, data_t *hash, 1217 data_t *sig, int ret) 1218{ 1219 mbedtls_pk_context pk; 1220 1221 mbedtls_pk_init(&pk); 1222 USE_PSA_INIT(); 1223 1224 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 1225 1226 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA)); 1227#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 1228 TEST_ASSERT(key->len <= MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN); 1229 memcpy(pk.pub_raw, key->x, key->len); 1230 pk.ec_family = mbedtls_ecc_group_to_psa(id, &(pk.ec_bits)); 1231 pk.pub_raw_len = key->len; 1232#else 1233 mbedtls_ecp_keypair *eckey = (mbedtls_ecp_keypair *) mbedtls_pk_ec(pk); 1234 1235 TEST_ASSERT(mbedtls_ecp_group_load(&eckey->grp, id) == 0); 1236 TEST_ASSERT(mbedtls_ecp_point_read_binary(&eckey->grp, &eckey->Q, 1237 key->x, key->len) == 0); 1238#endif 1239 1240 // MBEDTLS_MD_NONE is used since it will be ignored. 1241 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, 1242 hash->x, hash->len, sig->x, sig->len) == ret); 1243 1244exit: 1245 mbedtls_pk_free(&pk); 1246 USE_PSA_DONE(); 1247} 1248/* END_CASE */ 1249 1250/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC */ 1251void pk_sign_verify_restart(int pk_type, int grp_id, char *d_str, 1252 char *QX_str, char *QY_str, 1253 int md_alg, data_t *hash, data_t *sig_check, 1254 int max_ops, int min_restart, int max_restart) 1255{ 1256 int ret, cnt_restart; 1257 mbedtls_pk_restart_ctx rs_ctx; 1258 mbedtls_pk_context prv, pub; 1259 unsigned char sig[MBEDTLS_ECDSA_MAX_LEN]; 1260 size_t slen; 1261 1262 mbedtls_pk_restart_init(&rs_ctx); 1263 mbedtls_pk_init(&prv); 1264 mbedtls_pk_init(&pub); 1265 USE_PSA_INIT(); 1266 1267 memset(sig, 0, sizeof(sig)); 1268 1269 TEST_ASSERT(mbedtls_pk_setup(&prv, mbedtls_pk_info_from_type(pk_type)) == 0); 1270 TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(prv)->grp, grp_id) == 0); 1271 TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec_rw(prv)->d, d_str) == 0); 1272 1273 TEST_ASSERT(mbedtls_pk_setup(&pub, mbedtls_pk_info_from_type(pk_type)) == 0); 1274 TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(pub)->grp, grp_id) == 0); 1275 TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec_rw(pub)->Q, 16, QX_str, QY_str) == 0); 1276 1277 mbedtls_ecp_set_max_ops(max_ops); 1278 1279 slen = sizeof(sig); 1280 cnt_restart = 0; 1281 do { 1282 ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len, 1283 sig, sizeof(sig), &slen, 1284 mbedtls_test_rnd_std_rand, NULL, 1285 &rs_ctx); 1286 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 1287 1288 TEST_ASSERT(ret == 0); 1289 TEST_ASSERT(slen == sig_check->len); 1290 TEST_ASSERT(memcmp(sig, sig_check->x, slen) == 0); 1291 1292 TEST_ASSERT(cnt_restart >= min_restart); 1293 TEST_ASSERT(cnt_restart <= max_restart); 1294 1295 cnt_restart = 0; 1296 do { 1297 ret = mbedtls_pk_verify_restartable(&pub, md_alg, 1298 hash->x, hash->len, sig, slen, &rs_ctx); 1299 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 1300 1301 TEST_ASSERT(ret == 0); 1302 TEST_ASSERT(cnt_restart >= min_restart); 1303 TEST_ASSERT(cnt_restart <= max_restart); 1304 1305 sig[0]++; 1306 do { 1307 ret = mbedtls_pk_verify_restartable(&pub, md_alg, 1308 hash->x, hash->len, sig, slen, &rs_ctx); 1309 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 1310 TEST_ASSERT(ret != 0); 1311 sig[0]--; 1312 1313 /* Do we leak memory when aborting? try verify then sign 1314 * This test only makes sense when we actually restart */ 1315 if (min_restart > 0) { 1316 ret = mbedtls_pk_verify_restartable(&pub, md_alg, 1317 hash->x, hash->len, sig, slen, &rs_ctx); 1318 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 1319 mbedtls_pk_restart_free(&rs_ctx); 1320 1321 slen = sizeof(sig); 1322 ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len, 1323 sig, sizeof(sig), &slen, 1324 mbedtls_test_rnd_std_rand, NULL, 1325 &rs_ctx); 1326 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 1327 } 1328 1329exit: 1330 mbedtls_pk_restart_free(&rs_ctx); 1331 mbedtls_pk_free(&prv); 1332 mbedtls_pk_free(&pub); 1333 USE_PSA_DONE(); 1334} 1335/* END_CASE */ 1336 1337/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:PK_CAN_SIGN_SOME */ 1338void pk_sign_verify(int type, int curve_or_keybits, int rsa_padding, int rsa_md_alg, 1339 int sign_ret, int verify_ret) 1340{ 1341 mbedtls_pk_context pk; 1342 size_t sig_len; 1343 unsigned char hash[32]; // Hard-coded for SHA256 1344 size_t hash_len = sizeof(hash); 1345 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 1346 void *rs_ctx = NULL; 1347#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1348 mbedtls_pk_restart_ctx ctx; 1349 1350 rs_ctx = &ctx; 1351 mbedtls_pk_restart_init(rs_ctx); 1352 /* This value is large enough that the operation will complete in one run. 1353 * See comments at the top of ecp_test_vect_restart in 1354 * test_suite_ecp.function for estimates of operation counts. */ 1355 mbedtls_ecp_set_max_ops(42000); 1356#endif 1357 1358 mbedtls_pk_init(&pk); 1359 MD_OR_USE_PSA_INIT(); 1360 1361 memset(hash, 0x2a, sizeof(hash)); 1362 memset(sig, 0, sizeof(sig)); 1363 1364 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 1365 TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0); 1366 1367#if defined(MBEDTLS_RSA_C) 1368 if (type == MBEDTLS_PK_RSA) { 1369 TEST_ASSERT(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, rsa_md_alg) == 0); 1370 } 1371#else 1372 (void) rsa_padding; 1373 (void) rsa_md_alg; 1374#endif /* MBEDTLS_RSA_C */ 1375 1376 TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256, 1377 hash, hash_len, 1378 sig, sizeof(sig), &sig_len, 1379 mbedtls_test_rnd_std_rand, NULL, 1380 rs_ctx) == sign_ret); 1381 if (sign_ret == 0) { 1382 TEST_ASSERT(sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE); 1383 } else { 1384 sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE; 1385 } 1386 1387 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1388 hash, hash_len, sig, sig_len) == verify_ret); 1389 1390 if (verify_ret == 0) { 1391 hash[0]++; 1392 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1393 hash, hash_len, sig, sig_len) != 0); 1394 hash[0]--; 1395 1396 sig[0]++; 1397 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1398 hash, hash_len, sig, sig_len) != 0); 1399 sig[0]--; 1400 } 1401 1402 TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, hash_len, 1403 sig, sizeof(sig), &sig_len, 1404 mbedtls_test_rnd_std_rand, 1405 NULL) == sign_ret); 1406 if (sign_ret == 0) { 1407 TEST_ASSERT(sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE); 1408 } else { 1409 sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE; 1410 } 1411 1412 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256, 1413 hash, hash_len, sig, sig_len, rs_ctx) == verify_ret); 1414 1415 if (verify_ret == 0) { 1416 hash[0]++; 1417 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256, 1418 hash, sizeof(hash), sig, sig_len, rs_ctx) != 0); 1419 hash[0]--; 1420 1421 sig[0]++; 1422 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256, 1423 hash, sizeof(hash), sig, sig_len, rs_ctx) != 0); 1424 sig[0]--; 1425 } 1426 1427exit: 1428#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1429 mbedtls_pk_restart_free(rs_ctx); 1430#endif 1431 mbedtls_pk_free(&pk); 1432 MD_OR_USE_PSA_DONE(); 1433} 1434/* END_CASE */ 1435 1436/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1437void pk_rsa_encrypt_decrypt_test(data_t *message, int mod, int padding, 1438 char *input_P, char *input_Q, 1439 char *input_N, char *input_E, 1440 int ret) 1441{ 1442 unsigned char output[300], result[300]; 1443 mbedtls_test_rnd_pseudo_info rnd_info; 1444 mbedtls_mpi N, P, Q, E; 1445 mbedtls_rsa_context *rsa; 1446 mbedtls_pk_context pk; 1447 size_t olen, rlen; 1448 1449 mbedtls_pk_init(&pk); 1450 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 1451 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 1452 MD_OR_USE_PSA_INIT(); 1453 1454 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1455 memset(output, 0, sizeof(output)); 1456 1457 /* encryption test */ 1458 1459 /* init pk-rsa context */ 1460 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1461 rsa = mbedtls_pk_rsa(pk); 1462 mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_SHA1); 1463 1464 /* load public key */ 1465 rsa->len = (mod + 7) / 8; 1466 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); 1467 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); 1468 1469 TEST_ASSERT(mbedtls_pk_encrypt(&pk, message->x, message->len, 1470 output, &olen, sizeof(output), 1471 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1472 1473 /* decryption test */ 1474 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 1475 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 1476 1477 /* init pk-rsa context */ 1478 mbedtls_pk_free(&pk); 1479 TEST_ASSERT(mbedtls_pk_setup(&pk, 1480 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1481 rsa = mbedtls_pk_rsa(pk); 1482 mbedtls_rsa_set_padding(rsa, padding, MBEDTLS_MD_SHA1); 1483 1484 /* load public key */ 1485 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); 1486 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); 1487 1488 /* load private key */ 1489 TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0); 1490 TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0); 1491 TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0); 1492 TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8); 1493 TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0); 1494 1495 TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8); 1496 TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); 1497 1498 memset(result, 0, sizeof(result)); 1499 rlen = 0; 1500 TEST_ASSERT(mbedtls_pk_decrypt(&pk, output, olen, 1501 result, &rlen, sizeof(result), 1502 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1503 if (ret == 0) { 1504 TEST_ASSERT(rlen == message->len); 1505 TEST_ASSERT(memcmp(result, message->x, rlen) == 0); 1506 } 1507 1508exit: 1509 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); 1510 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); 1511 mbedtls_pk_free(&pk); 1512 MD_OR_USE_PSA_DONE(); 1513} 1514/* END_CASE */ 1515 1516/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1517void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, int padding, int md_alg, 1518 char *input_P, char *input_Q, 1519 char *input_N, char *input_E, 1520 data_t *clear, int ret) 1521{ 1522 unsigned char output[256]; 1523 mbedtls_test_rnd_pseudo_info rnd_info; 1524 mbedtls_mpi N, P, Q, E; 1525 mbedtls_rsa_context *rsa; 1526 mbedtls_pk_context pk; 1527 size_t olen; 1528 1529 mbedtls_pk_init(&pk); 1530 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 1531 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 1532 MD_OR_USE_PSA_INIT(); 1533 1534 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1535 1536 /* init pk-rsa context */ 1537 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1538 rsa = mbedtls_pk_rsa(pk); 1539 1540 /* load public key */ 1541 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); 1542 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); 1543 1544 /* load private key */ 1545 TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0); 1546 TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0); 1547 TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0); 1548 TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8); 1549 TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0); 1550 1551 TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); 1552 TEST_EQUAL(mbedtls_pk_get_len(&pk), (mod + 7) / 8); 1553 1554 /* set padding mode */ 1555 if (padding >= 0) { 1556 TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding, md_alg), 0); 1557 } 1558 1559 /* decryption test */ 1560 memset(output, 0, sizeof(output)); 1561 olen = 0; 1562 TEST_ASSERT(mbedtls_pk_decrypt(&pk, cipher->x, cipher->len, 1563 output, &olen, sizeof(output), 1564 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1565 if (ret == 0) { 1566 TEST_ASSERT(olen == clear->len); 1567 TEST_ASSERT(memcmp(output, clear->x, olen) == 0); 1568 } 1569 1570exit: 1571 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); 1572 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); 1573 mbedtls_pk_free(&pk); 1574 MD_OR_USE_PSA_DONE(); 1575} 1576/* END_CASE */ 1577 1578/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_USE_PSA_CRYPTO */ 1579void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, 1580 char *input_P, char *input_Q, 1581 char *input_N, char *input_E, 1582 int padding_mode, 1583 data_t *clear, int ret) 1584{ 1585 unsigned char output[256]; 1586 mbedtls_test_rnd_pseudo_info rnd_info; 1587 mbedtls_mpi N, P, Q, E; 1588 mbedtls_rsa_context *rsa; 1589 mbedtls_pk_context pk; 1590 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 1591 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; 1592 size_t olen; 1593 1594 mbedtls_pk_init(&pk); 1595 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 1596 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 1597 USE_PSA_INIT(); 1598 1599 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1600 1601 /* init pk-rsa context */ 1602 TEST_EQUAL(mbedtls_pk_setup(&pk, 1603 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0); 1604 rsa = mbedtls_pk_rsa(pk); 1605 1606 /* load public key */ 1607 TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0); 1608 TEST_EQUAL(mbedtls_test_read_mpi(&E, input_E), 0); 1609 1610 /* load private key */ 1611 TEST_EQUAL(mbedtls_test_read_mpi(&P, input_P), 0); 1612 TEST_EQUAL(mbedtls_test_read_mpi(&Q, input_Q), 0); 1613 TEST_EQUAL(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E), 0); 1614 TEST_EQUAL(mbedtls_rsa_get_len(rsa), (mod + 7) / 8); 1615 TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); 1616 1617 /* Set padding mode */ 1618 if (padding_mode == MBEDTLS_RSA_PKCS_V21) { 1619 TEST_EQUAL(mbedtls_rsa_set_padding(rsa, padding_mode, MBEDTLS_MD_SHA1), 0); 1620 } 1621 1622 /* Turn PK context into an opaque one. */ 1623 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0); 1624 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); 1625 mbedtls_pk_free(&pk); 1626 mbedtls_pk_init(&pk); 1627 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); 1628 1629 TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod); 1630 1631 /* decryption test */ 1632 memset(output, 0, sizeof(output)); 1633 olen = 0; 1634 TEST_EQUAL(mbedtls_pk_decrypt(&pk, cipher->x, cipher->len, 1635 output, &olen, sizeof(output), 1636 mbedtls_test_rnd_pseudo_rand, &rnd_info), ret); 1637 if (ret == 0) { 1638 TEST_EQUAL(olen, clear->len); 1639 TEST_EQUAL(memcmp(output, clear->x, olen), 0); 1640 } 1641 1642 TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id)); 1643 1644exit: 1645 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); 1646 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); 1647 mbedtls_pk_free(&pk); 1648 USE_PSA_DONE(); 1649} 1650/* END_CASE */ 1651 1652/* BEGIN_CASE */ 1653void pk_ec_nocrypt(int type) 1654{ 1655 mbedtls_pk_context pk; 1656 unsigned char output[100]; 1657 unsigned char input[100]; 1658 mbedtls_test_rnd_pseudo_info rnd_info; 1659 size_t olen = 0; 1660 int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; 1661 1662 mbedtls_pk_init(&pk); 1663 USE_PSA_INIT(); 1664 1665 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1666 memset(output, 0, sizeof(output)); 1667 memset(input, 0, sizeof(input)); 1668 1669 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 1670 1671 TEST_ASSERT(mbedtls_pk_encrypt(&pk, input, sizeof(input), 1672 output, &olen, sizeof(output), 1673 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1674 1675 TEST_ASSERT(mbedtls_pk_decrypt(&pk, input, sizeof(input), 1676 output, &olen, sizeof(output), 1677 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1678 1679exit: 1680 mbedtls_pk_free(&pk); 1681 USE_PSA_DONE(); 1682} 1683/* END_CASE */ 1684 1685/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1686void pk_rsa_overflow() 1687{ 1688 mbedtls_pk_context pk; 1689 size_t hash_len = UINT_MAX + 1, sig_len = UINT_MAX + 1; 1690 unsigned char hash[50], sig[100]; 1691 1692 mbedtls_pk_init(&pk); 1693 USE_PSA_INIT(); 1694 1695 memset(hash, 0x2a, sizeof(hash)); 1696 memset(sig, 0, sizeof(sig)); 1697 1698 TEST_EQUAL(mbedtls_pk_setup(&pk, 1699 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0); 1700 1701#if defined(MBEDTLS_PKCS1_V21) 1702 TEST_EQUAL(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk, 1703 MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len), 1704 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1705#endif /* MBEDTLS_PKCS1_V21 */ 1706 1707 TEST_EQUAL(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len, 1708 sig, sig_len), 1709 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1710 1711#if defined(MBEDTLS_PKCS1_V21) 1712 TEST_EQUAL(mbedtls_pk_sign_ext(MBEDTLS_PK_RSASSA_PSS, &pk, 1713 MBEDTLS_MD_NONE, hash, hash_len, 1714 sig, sizeof(sig), &sig_len, 1715 mbedtls_test_rnd_std_rand, NULL), 1716 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1717#endif /* MBEDTLS_PKCS1_V21 */ 1718 1719 TEST_EQUAL(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len, 1720 sig, sizeof(sig), &sig_len, 1721 mbedtls_test_rnd_std_rand, NULL), 1722 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1723 1724exit: 1725 mbedtls_pk_free(&pk); 1726 USE_PSA_DONE(); 1727} 1728/* END_CASE */ 1729 1730/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_PK_RSA_ALT_SUPPORT */ 1731void pk_rsa_alt() 1732{ 1733 /* 1734 * An rsa_alt context can only do private operations (decrypt, sign). 1735 * Test it against the public operations (encrypt, verify) of a 1736 * corresponding rsa context. 1737 */ 1738 mbedtls_rsa_context raw; 1739 mbedtls_pk_context rsa, alt; 1740 mbedtls_pk_debug_item dbg_items[10]; 1741 unsigned char hash[50], sig[RSA_KEY_LEN]; 1742 unsigned char msg[50], ciph[RSA_KEY_LEN], test[50]; 1743 size_t sig_len, ciph_len, test_len; 1744 int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; 1745 1746 mbedtls_rsa_init(&raw); 1747 mbedtls_pk_init(&rsa); 1748 mbedtls_pk_init(&alt); 1749 USE_PSA_INIT(); 1750 1751 memset(hash, 0x2a, sizeof(hash)); 1752 memset(sig, 0, sizeof(sig)); 1753 memset(msg, 0x2a, sizeof(msg)); 1754 memset(ciph, 0, sizeof(ciph)); 1755 memset(test, 0, sizeof(test)); 1756 1757 /* Initialize PK RSA context with random key */ 1758 TEST_ASSERT(mbedtls_pk_setup(&rsa, 1759 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1760 TEST_ASSERT(pk_genkey(&rsa, RSA_KEY_SIZE) == 0); 1761 1762 /* Extract key to the raw rsa context */ 1763 TEST_ASSERT(mbedtls_rsa_copy(&raw, mbedtls_pk_rsa(rsa)) == 0); 1764 1765 /* Initialize PK RSA_ALT context */ 1766 TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&alt, (void *) &raw, 1767 mbedtls_rsa_decrypt_func, mbedtls_rsa_sign_func, 1768 mbedtls_rsa_key_len_func) == 0); 1769 1770 /* Test administrative functions */ 1771 TEST_ASSERT(mbedtls_pk_can_do(&alt, MBEDTLS_PK_RSA)); 1772 TEST_ASSERT(mbedtls_pk_get_bitlen(&alt) == RSA_KEY_SIZE); 1773 TEST_ASSERT(mbedtls_pk_get_len(&alt) == RSA_KEY_LEN); 1774 TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT); 1775 TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0); 1776 1777#if defined(MBEDTLS_PSA_CRYPTO_C) 1778 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1779 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&alt, 1780 PSA_KEY_USAGE_ENCRYPT, 1781 &attributes), 1782 MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); 1783 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 1784 TEST_EQUAL(mbedtls_pk_import_into_psa(&alt, &attributes, &key_id), 1785 MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); 1786#endif /* MBEDTLS_PSA_CRYPTO_C */ 1787 1788 /* Test signature */ 1789#if SIZE_MAX > UINT_MAX 1790 TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX, 1791 sig, sizeof(sig), &sig_len, 1792 mbedtls_test_rnd_std_rand, NULL) 1793 == MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1794#endif /* SIZE_MAX > UINT_MAX */ 1795 TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, sizeof(hash), 1796 sig, sizeof(sig), &sig_len, 1797 mbedtls_test_rnd_std_rand, NULL) 1798 == 0); 1799 TEST_ASSERT(sig_len == RSA_KEY_LEN); 1800 TEST_ASSERT(mbedtls_pk_verify(&rsa, MBEDTLS_MD_NONE, 1801 hash, sizeof(hash), sig, sig_len) == 0); 1802 1803 /* Test decrypt */ 1804 TEST_ASSERT(mbedtls_pk_encrypt(&rsa, msg, sizeof(msg), 1805 ciph, &ciph_len, sizeof(ciph), 1806 mbedtls_test_rnd_std_rand, NULL) == 0); 1807 TEST_ASSERT(mbedtls_pk_decrypt(&alt, ciph, ciph_len, 1808 test, &test_len, sizeof(test), 1809 mbedtls_test_rnd_std_rand, NULL) == 0); 1810 TEST_ASSERT(test_len == sizeof(msg)); 1811 TEST_ASSERT(memcmp(test, msg, test_len) == 0); 1812 1813 /* Test forbidden operations */ 1814 TEST_ASSERT(mbedtls_pk_encrypt(&alt, msg, sizeof(msg), 1815 ciph, &ciph_len, sizeof(ciph), 1816 mbedtls_test_rnd_std_rand, NULL) == ret); 1817 TEST_ASSERT(mbedtls_pk_verify(&alt, MBEDTLS_MD_NONE, 1818 hash, sizeof(hash), sig, sig_len) == ret); 1819 TEST_ASSERT(mbedtls_pk_debug(&alt, dbg_items) == ret); 1820 1821exit: 1822 mbedtls_rsa_free(&raw); 1823 mbedtls_pk_free(&rsa); mbedtls_pk_free(&alt); 1824 USE_PSA_DONE(); 1825} 1826/* END_CASE */ 1827 1828/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_PK_PSA_SIGN */ 1829void pk_psa_sign(int psa_type, int bits, int rsa_padding) 1830{ 1831 mbedtls_pk_context pk; 1832 unsigned char hash[32]; 1833 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 1834 unsigned char legacy_pub_key[MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE]; 1835 unsigned char opaque_pub_key[MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE]; 1836 size_t sig_len, legacy_pub_key_len, opaque_pub_key_len; 1837 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 1838 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1839#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_WRITE_C) 1840 int ret; 1841#endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */ 1842#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1843 mbedtls_ecp_group_id ecp_grp_id; 1844#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1845 1846 /* 1847 * Following checks are perfomed: 1848 * - create an RSA/EC opaque context; 1849 * - sign with opaque context for both EC and RSA keys; 1850 * - [EC only] verify with opaque context; 1851 * - verify that public keys of opaque and non-opaque contexts match; 1852 * - verify with non-opaque context. 1853 */ 1854 1855 mbedtls_pk_init(&pk); 1856 USE_PSA_INIT(); 1857 1858 /* Create the legacy EC/RSA PK context. */ 1859#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) 1860 if (PSA_KEY_TYPE_IS_RSA(psa_type)) { 1861 TEST_ASSERT(mbedtls_pk_setup(&pk, 1862 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1863 TEST_EQUAL(pk_genkey(&pk, bits), 0); 1864 TEST_EQUAL(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, MBEDTLS_MD_NONE), 0); 1865 } 1866#else /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ 1867 (void) rsa_padding; 1868#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ 1869#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1870 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) { 1871 ecp_grp_id = mbedtls_ecc_group_from_psa(psa_type, bits); 1872 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); 1873 TEST_ASSERT(pk_genkey(&pk, ecp_grp_id) == 0); 1874 } 1875#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1876 1877 /* Export public key from the non-opaque PK context we just created. */ 1878#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) 1879 ret = mbedtls_pk_write_pubkey_der(&pk, legacy_pub_key, sizeof(legacy_pub_key)); 1880 TEST_ASSERT(ret >= 0); 1881 legacy_pub_key_len = (size_t) ret; 1882 /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer so we 1883 * shift data back to the beginning of the buffer. */ 1884 memmove(legacy_pub_key, 1885 legacy_pub_key + sizeof(legacy_pub_key) - legacy_pub_key_len, 1886 legacy_pub_key_len); 1887#else /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */ 1888#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1889 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) { 1890 TEST_EQUAL(mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(pk)->grp), 1891 &(mbedtls_pk_ec_ro(pk)->Q), 1892 MBEDTLS_ECP_PF_UNCOMPRESSED, 1893 &legacy_pub_key_len, legacy_pub_key, 1894 sizeof(legacy_pub_key)), 0); 1895 } 1896#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1897#if defined(MBEDTLS_RSA_C) 1898 if (PSA_KEY_TYPE_IS_RSA(psa_type)) { 1899 unsigned char *end = legacy_pub_key + sizeof(legacy_pub_key); 1900 ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(pk), legacy_pub_key, &end); 1901 legacy_pub_key_len = (size_t) ret; 1902 TEST_ASSERT(legacy_pub_key_len > 0); 1903 /* mbedtls_rsa_write_pubkey() writes data backward in the buffer so 1904 * we shift that to the origin of the buffer instead. */ 1905 memmove(legacy_pub_key, end, legacy_pub_key_len); 1906 } 1907#endif /* MBEDTLS_RSA_C */ 1908#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */ 1909 1910 /* Turn the PK context into an opaque one. */ 1911 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0); 1912 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0); 1913 mbedtls_pk_free(&pk); 1914 mbedtls_pk_init(&pk); 1915 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); 1916 1917 PSA_ASSERT(psa_get_key_attributes(key_id, &attributes)); 1918 TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type); 1919 TEST_EQUAL(psa_get_key_bits(&attributes), (size_t) bits); 1920 TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE); 1921 1922 /* Sign with the opaque context. */ 1923 memset(hash, 0x2a, sizeof(hash)); 1924 memset(sig, 0, sizeof(sig)); 1925 TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, 1926 hash, sizeof(hash), sig, sizeof(sig), &sig_len, 1927 NULL, NULL) == 0); 1928 /* Only opaque EC keys support verification. */ 1929 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) { 1930 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1931 hash, sizeof(hash), sig, sig_len) == 0); 1932 } 1933 1934 /* Export public key from the opaque PK context. */ 1935#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) 1936 ret = mbedtls_pk_write_pubkey_der(&pk, opaque_pub_key, sizeof(opaque_pub_key)); 1937 TEST_ASSERT(ret >= 0); 1938 opaque_pub_key_len = (size_t) ret; 1939 /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ 1940 memmove(opaque_pub_key, 1941 opaque_pub_key + sizeof(opaque_pub_key) - opaque_pub_key_len, 1942 opaque_pub_key_len); 1943#else /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */ 1944 TEST_EQUAL(psa_export_public_key(key_id, opaque_pub_key, sizeof(opaque_pub_key), 1945 &opaque_pub_key_len), PSA_SUCCESS); 1946#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */ 1947 1948 /* Check that the public keys of opaque and non-opaque PK contexts match. */ 1949 TEST_EQUAL(opaque_pub_key_len, legacy_pub_key_len); 1950 TEST_MEMORY_COMPARE(opaque_pub_key, opaque_pub_key_len, legacy_pub_key, legacy_pub_key_len); 1951 1952 /* Destroy the opaque PK context and the wrapped PSA key. */ 1953 mbedtls_pk_free(&pk); 1954 TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key_id)); 1955 1956 /* Create a new non-opaque PK context to verify the signature. */ 1957 mbedtls_pk_init(&pk); 1958#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) 1959 TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, legacy_pub_key, legacy_pub_key_len), 0); 1960#else /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */ 1961#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1962 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) { 1963 TEST_EQUAL(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0); 1964 TEST_EQUAL(mbedtls_ecp_group_load(&(mbedtls_pk_ec_rw(pk)->grp), ecp_grp_id), 0); 1965 TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp), 1966 &(mbedtls_pk_ec_rw(pk)->Q), 1967 legacy_pub_key, legacy_pub_key_len), 0); 1968 } 1969#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1970#if defined(MBEDTLS_RSA_C) 1971 if (PSA_KEY_TYPE_IS_RSA(psa_type)) { 1972 TEST_EQUAL(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0); 1973 TEST_EQUAL(mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(pk), legacy_pub_key, 1974 legacy_pub_key_len), 0); 1975 } 1976#endif /* MBEDTLS_RSA_C */ 1977#endif /* MBEDTLS_PK_PARSE_C && MBEDTLS_PK_WRITE_C */ 1978 1979#if defined(MBEDTLS_RSA_C) 1980 if (PSA_KEY_TYPE_IS_RSA(psa_type)) { 1981 TEST_EQUAL(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, MBEDTLS_MD_NONE), 0); 1982 } 1983#endif /* MBEDTLS_RSA_C */ 1984 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1985 hash, sizeof(hash), sig, sig_len) == 0); 1986 1987exit: 1988 psa_reset_key_attributes(&attributes); 1989 1990 mbedtls_pk_free(&pk); 1991 USE_PSA_DONE(); 1992} 1993/* END_CASE */ 1994 1995/* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */ 1996void pk_sign_ext(int pk_type, int curve_or_keybits, int key_pk_type, int md_alg) 1997{ 1998 mbedtls_pk_context pk; 1999 size_t sig_len; 2000 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 2001 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 2002 size_t hash_len = mbedtls_md_get_size_from_type(md_alg); 2003 void const *options = NULL; 2004 mbedtls_pk_rsassa_pss_options rsassa_pss_options; 2005 memset(hash, 0x2a, sizeof(hash)); 2006 memset(sig, 0, sizeof(sig)); 2007 2008 mbedtls_pk_init(&pk); 2009 MD_OR_USE_PSA_INIT(); 2010 2011 TEST_EQUAL(mbedtls_pk_setup(&pk, 2012 mbedtls_pk_info_from_type(pk_type)), 0); 2013 TEST_EQUAL(pk_genkey(&pk, curve_or_keybits), 0); 2014 2015 TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len, 2016 sig, sizeof(sig), &sig_len, 2017 mbedtls_test_rnd_std_rand, NULL), 0); 2018 2019 if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 2020 rsassa_pss_options.mgf1_hash_id = md_alg; 2021 TEST_ASSERT(hash_len != 0); 2022 rsassa_pss_options.expected_salt_len = hash_len; 2023 options = (const void *) &rsassa_pss_options; 2024 } 2025 TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg, 2026 hash, hash_len, sig, sig_len), 0); 2027exit: 2028 mbedtls_pk_free(&pk); 2029 MD_OR_USE_PSA_DONE(); 2030} 2031/* END_CASE */ 2032 2033/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_USE_PSA_CRYPTO */ 2034void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg) 2035{ 2036 mbedtls_pk_context pk; 2037 size_t sig_len, pkey_len; 2038 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 2039 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; 2040 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 2041 unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; 2042 unsigned char *pkey_start; 2043 unsigned char hash[PSA_HASH_MAX_SIZE]; 2044 psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg); 2045 size_t hash_len = PSA_HASH_LENGTH(psa_md_alg); 2046 void const *options = NULL; 2047 mbedtls_pk_rsassa_pss_options rsassa_pss_options; 2048 int ret; 2049 2050 mbedtls_pk_init(&pk); 2051 PSA_INIT(); 2052 2053 /* Create legacy RSA public/private key in PK context. */ 2054 mbedtls_pk_init(&pk); 2055 TEST_EQUAL(mbedtls_pk_setup(&pk, 2056 mbedtls_pk_info_from_type(pk_type)), 0); 2057 TEST_EQUAL(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), 2058 mbedtls_test_rnd_std_rand, NULL, 2059 key_bits, 3), 0); 2060 2061 if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 2062 mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE); 2063 } 2064 2065 /* Export underlying public key for re-importing in a legacy context. 2066 * Note: mbedtls_rsa_write_key() writes backwards in the data buffer. */ 2067 pkey_start = pkey + sizeof(pkey); 2068 ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(pk), pkey, &pkey_start); 2069 TEST_ASSERT(ret >= 0); 2070 2071 pkey_len = (size_t) ret; 2072 /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ 2073 pkey_start = pkey + sizeof(pkey) - pkey_len; 2074 2075 /* Turn PK context into an opaque one. */ 2076 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0); 2077 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0); 2078 mbedtls_pk_free(&pk); 2079 mbedtls_pk_init(&pk); 2080 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0); 2081 2082 memset(hash, 0x2a, sizeof(hash)); 2083 memset(sig, 0, sizeof(sig)); 2084 2085 TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len, 2086 sig, sizeof(sig), &sig_len, 2087 mbedtls_test_rnd_std_rand, NULL), 0); 2088 2089 /* verify_ext() is not supported when using an opaque context. */ 2090 if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 2091 mbedtls_pk_rsassa_pss_options pss_opts = { 2092 .mgf1_hash_id = md_alg, 2093 .expected_salt_len = MBEDTLS_RSA_SALT_LEN_ANY, 2094 }; 2095 TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, &pss_opts, &pk, md_alg, 2096 hash, hash_len, sig, sig_len), 2097 MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); 2098 } else { 2099 TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, NULL, &pk, md_alg, 2100 hash, hash_len, sig, sig_len), 2101 MBEDTLS_ERR_PK_TYPE_MISMATCH); 2102 } 2103 2104 mbedtls_pk_free(&pk); 2105 TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id)); 2106 2107 mbedtls_pk_init(&pk); 2108 TEST_EQUAL(mbedtls_pk_setup(&pk, 2109 mbedtls_pk_info_from_type(pk_type)), 0); 2110 TEST_EQUAL(mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(pk), pkey_start, pkey_len), 0); 2111 2112 if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 2113 rsassa_pss_options.mgf1_hash_id = md_alg; 2114 TEST_ASSERT(hash_len != 0); 2115 rsassa_pss_options.expected_salt_len = hash_len; 2116 options = (const void *) &rsassa_pss_options; 2117 } 2118 TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg, 2119 hash, hash_len, sig, sig_len), 0); 2120 2121exit: 2122 mbedtls_pk_free(&pk); 2123 PSA_DONE(); 2124} 2125/* END_CASE */ 2126 2127/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ 2128void pk_get_psa_attributes(int pk_type, int from_pair, 2129 int usage_arg, 2130 int to_pair, int expected_alg) 2131{ 2132 mbedtls_pk_context pk; 2133 mbedtls_pk_init(&pk); 2134 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2135 psa_key_usage_t usage = usage_arg; 2136 mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2137 2138 PSA_INIT(); 2139 2140 psa_key_type_t expected_psa_type = 0; 2141 TEST_EQUAL(pk_setup_for_type(pk_type, from_pair, 2142 &pk, &expected_psa_type), 0); 2143 if (!to_pair) { 2144 expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type); 2145 } 2146 2147 psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE; //TODO: diversity 2148 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; //TODO: diversity 2149 psa_set_key_id(&attributes, key_id); 2150 psa_set_key_lifetime(&attributes, lifetime); 2151 psa_set_key_enrollment_algorithm(&attributes, 42); 2152 psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage); 2153 2154#if defined(MBEDTLS_ECDSA_DETERMINISTIC) 2155 /* When the resulting algorithm is ECDSA, the compile-time configuration 2156 * can cause it to be either deterministic or randomized ECDSA. 2157 * Rather than have two near-identical sets of test data depending on 2158 * the configuration, always use randomized in the test data and 2159 * tweak the expected result here. */ 2160 if (expected_alg == PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)) { 2161 expected_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH); 2162 } 2163#endif 2164 2165 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0); 2166 2167 TEST_EQUAL(psa_get_key_lifetime(&attributes), lifetime); 2168 TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), 2169 key_id)); 2170 TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type); 2171 TEST_EQUAL(psa_get_key_bits(&attributes), 2172 mbedtls_pk_get_bitlen(&pk)); 2173 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2174 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); 2175 TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); 2176 2177 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); 2178 if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { 2179 goto exit; 2180 } 2181 2182exit: 2183 mbedtls_pk_free(&pk); 2184 psa_reset_key_attributes(&attributes); 2185 psa_destroy_key(new_key_id); 2186 PSA_DONE(); 2187} 2188/* END_CASE */ 2189 2190/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME */ 2191void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, 2192 int usage_arg, 2193 int to_pair, int expected_alg) 2194{ 2195 mbedtls_pk_context pk; 2196 mbedtls_pk_init(&pk); 2197 psa_key_usage_t usage = usage_arg; 2198 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2199 mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2200 2201 PSA_INIT(); 2202 2203 psa_key_type_t expected_psa_type = 0; 2204 TEST_EQUAL(pk_setup_for_type(MBEDTLS_PK_RSA, from_pair, 2205 &pk, &expected_psa_type), 0); 2206 mbedtls_rsa_context *rsa = mbedtls_pk_rsa(pk); 2207 TEST_EQUAL(mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_type), 0); 2208 if (!to_pair) { 2209 expected_psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(expected_psa_type); 2210 } 2211 psa_key_usage_t expected_usage = pk_get_psa_attributes_implied_usage(usage); 2212 2213 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 0); 2214 2215 TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE); 2216 TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), 2217 MBEDTLS_SVC_KEY_ID_INIT)); 2218 TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type); 2219 TEST_EQUAL(psa_get_key_bits(&attributes), 2220 mbedtls_pk_get_bitlen(&pk)); 2221 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2222 TEST_EQUAL(psa_get_key_algorithm(&attributes), expected_alg); 2223 TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); 2224 2225 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); 2226 if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { 2227 goto exit; 2228 } 2229 2230exit: 2231 mbedtls_pk_free(&pk); 2232 psa_reset_key_attributes(&attributes); 2233 psa_destroy_key(new_key_id); 2234 PSA_DONE(); 2235} 2236/* END_CASE */ 2237 2238/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ 2239void pk_get_psa_attributes_fail(int pk_type, int from_pair, 2240 int usage_arg, 2241 int expected_ret) 2242{ 2243 mbedtls_pk_context pk; 2244 mbedtls_pk_init(&pk); 2245 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2246 psa_key_usage_t usage = usage_arg; 2247 2248 PSA_INIT(); 2249 2250 psa_key_type_t expected_psa_type; 2251 TEST_EQUAL(pk_setup_for_type(pk_type, from_pair, 2252 &pk, &expected_psa_type), 0); 2253 2254 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 2255 expected_ret); 2256 2257exit: 2258 mbedtls_pk_free(&pk); 2259 psa_reset_key_attributes(&attributes); 2260 PSA_DONE(); 2261} 2262/* END_CASE */ 2263 2264/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 2265void pk_import_into_psa_lifetime(int from_opaque, 2266 int from_persistent, /* when from opaque */ 2267 int from_exportable, /* when from opaque */ 2268 int to_public, 2269 int to_persistent) 2270{ 2271 mbedtls_pk_context pk; 2272 mbedtls_pk_init(&pk); 2273 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2274 mbedtls_svc_key_id_t old_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2275 mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2276 mbedtls_svc_key_id_t expected_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2277 psa_key_lifetime_t expected_lifetime = PSA_KEY_LIFETIME_VOLATILE; 2278 2279 PSA_INIT(); 2280 2281 if (from_opaque) { 2282#if defined(MBEDTLS_USE_PSA_CRYPTO) 2283 psa_key_type_t from_psa_type = 2284 PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY); 2285 psa_set_key_type(&attributes, from_psa_type); 2286 psa_set_key_bits(&attributes, MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS); 2287 psa_set_key_usage_flags( 2288 &attributes, 2289 (from_exportable ? PSA_KEY_USAGE_EXPORT : PSA_KEY_USAGE_COPY) | 2290 PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); 2291 psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); 2292 if (from_persistent) { 2293 psa_set_key_id(&attributes, mbedtls_svc_key_id_make(0, 1)); 2294 } 2295 PSA_ASSERT(psa_generate_key(&attributes, &old_key_id)); 2296 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0); 2297 psa_reset_key_attributes(&attributes); 2298#else 2299 (void) from_persistent; 2300 (void) from_exportable; 2301 TEST_FAIL("Attempted to test opaque key without opaque key support"); 2302#endif 2303 } else { 2304 psa_key_type_t psa_type_according_to_setup; 2305 TEST_EQUAL(pk_setup_for_type(MBEDTLS_PK_ECKEY, 1, 2306 &pk, &psa_type_according_to_setup), 0); 2307 } 2308 2309 if (to_persistent) { 2310 expected_key_id = mbedtls_svc_key_id_make(42, 2); 2311 psa_set_key_id(&attributes, expected_key_id); 2312 /* psa_set_key_id() sets the lifetime to PERSISTENT */ 2313 expected_lifetime = PSA_KEY_LIFETIME_PERSISTENT; 2314 } 2315 2316 psa_key_usage_t to_usage = 2317 to_public ? PSA_KEY_USAGE_VERIFY_HASH : PSA_KEY_USAGE_SIGN_HASH; 2318 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, to_usage, 2319 &attributes), 0); 2320 /* mbedtls_pk_get_psa_attributes() is specified to not modify 2321 * the persistence attributes. */ 2322 TEST_EQUAL(psa_get_key_lifetime(&attributes), expected_lifetime); 2323 TEST_EQUAL(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(&attributes)), 2324 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(expected_key_id)); 2325 2326 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 0); 2327 if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { 2328 goto exit; 2329 } 2330 2331 PSA_ASSERT(psa_get_key_attributes(new_key_id, &attributes)); 2332 TEST_EQUAL(psa_get_key_lifetime(&attributes), expected_lifetime); 2333 /* Here expected_key_id=0 for a volatile key, but we expect 2334 * attributes to contain a dynamically assigned key id which we 2335 * can't predict. */ 2336 if (to_persistent) { 2337 TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), 2338 expected_key_id)); 2339 } 2340 2341exit: 2342 mbedtls_pk_free(&pk); 2343 psa_reset_key_attributes(&attributes); 2344 psa_destroy_key(old_key_id); 2345 psa_destroy_key(new_key_id); 2346 PSA_DONE(); 2347} 2348/* END_CASE */ 2349 2350/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ 2351void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, 2352 int from_usage_arg, int from_alg_arg, 2353 int usage_arg, 2354 int expected_ret, 2355 int to_pair, int expected_usage_arg) 2356{ 2357 mbedtls_pk_context pk; 2358 mbedtls_pk_init(&pk); 2359 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2360 mbedtls_svc_key_id_t old_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2361 psa_key_type_t from_type = from_type_arg; 2362 size_t bits = from_bits_arg; 2363 psa_key_usage_t from_usage = from_usage_arg; 2364 psa_algorithm_t alg = from_alg_arg; 2365 psa_key_usage_t usage = usage_arg; 2366 psa_key_usage_t expected_usage = expected_usage_arg; 2367 mbedtls_svc_key_id_t new_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2368 2369 PSA_INIT(); 2370 2371 psa_set_key_type(&attributes, from_type); 2372 psa_set_key_bits(&attributes, bits); 2373 psa_set_key_usage_flags(&attributes, from_usage); 2374 psa_set_key_algorithm(&attributes, alg); 2375 psa_set_key_enrollment_algorithm(&attributes, 42); 2376 PSA_ASSERT(psa_generate_key(&attributes, &old_key_id)); 2377 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0); 2378 2379 psa_key_type_t expected_psa_type = 2380 to_pair ? from_type : PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(from_type); 2381 2382 TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes), 2383 expected_ret); 2384 2385 if (expected_ret == 0) { 2386 TEST_EQUAL(psa_get_key_lifetime(&attributes), PSA_KEY_LIFETIME_VOLATILE); 2387 TEST_ASSERT(mbedtls_svc_key_id_equal(psa_get_key_id(&attributes), 2388 MBEDTLS_SVC_KEY_ID_INIT)); 2389 TEST_EQUAL(psa_get_key_type(&attributes), expected_psa_type); 2390 TEST_EQUAL(psa_get_key_bits(&attributes), bits); 2391 TEST_EQUAL(psa_get_key_usage_flags(&attributes), expected_usage); 2392 TEST_EQUAL(psa_get_key_algorithm(&attributes), alg); 2393 TEST_EQUAL(psa_get_key_enrollment_algorithm(&attributes), PSA_ALG_NONE); 2394 2395 int expected_import_ret = 0; 2396 if (to_pair && 2397 !(from_usage & (PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT))) { 2398 expected_import_ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; 2399 } 2400 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &new_key_id), 2401 expected_import_ret); 2402 if (expected_import_ret == 0) { 2403 if (!mbedtls_test_key_consistency_psa_pk(new_key_id, &pk)) { 2404 goto exit; 2405 } 2406 } 2407 } 2408 2409exit: 2410 mbedtls_pk_free(&pk); 2411 psa_destroy_key(old_key_id); 2412 psa_destroy_key(new_key_id); 2413 psa_reset_key_attributes(&attributes); 2414 PSA_DONE(); 2415} 2416/* END_CASE */ 2417 2418/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ 2419void pk_import_into_psa_fail(int pk_type, int from_pair, 2420 int type_arg, int bits_arg, 2421 int expected_ret) 2422{ 2423 mbedtls_pk_context pk; 2424 mbedtls_pk_init(&pk); 2425 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2426 psa_key_type_t type = type_arg; 2427 size_t bits = bits_arg; 2428 mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(0, 42); 2429 2430 PSA_INIT(); 2431 2432 psa_key_type_t expected_psa_type; 2433 TEST_EQUAL(pk_setup_for_type(pk_type, from_pair, 2434 &pk, &expected_psa_type), 0); 2435 2436 psa_set_key_type(&attributes, type); 2437 psa_set_key_bits(&attributes, bits); 2438 2439 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 2440 expected_ret); 2441 TEST_ASSERT(mbedtls_svc_key_id_equal(key_id, MBEDTLS_SVC_KEY_ID_INIT)); 2442 2443exit: 2444 psa_destroy_key(key_id); 2445 mbedtls_pk_free(&pk); 2446 psa_reset_key_attributes(&attributes); 2447 PSA_DONE(); 2448} 2449/* END_CASE */ 2450 2451/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ 2452void pk_import_into_psa_opaque(int from_type, int from_bits, 2453 int from_usage, int from_alg, 2454 int to_type, int to_bits, 2455 int to_usage, int to_alg, 2456 int expected_ret) 2457{ 2458 mbedtls_pk_context pk; 2459 mbedtls_pk_init(&pk); 2460 psa_key_attributes_t from_attributes = PSA_KEY_ATTRIBUTES_INIT; 2461 mbedtls_svc_key_id_t from_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2462 psa_key_attributes_t to_attributes = PSA_KEY_ATTRIBUTES_INIT; 2463 mbedtls_svc_key_id_t to_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2464 psa_key_attributes_t actual_attributes = PSA_KEY_ATTRIBUTES_INIT; 2465 2466 PSA_INIT(); 2467 2468 psa_set_key_type(&from_attributes, from_type); 2469 psa_set_key_bits(&from_attributes, from_bits); 2470 psa_set_key_usage_flags(&from_attributes, from_usage); 2471 psa_set_key_algorithm(&from_attributes, from_alg); 2472 PSA_ASSERT(psa_generate_key(&from_attributes, &from_key_id)); 2473 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, from_key_id), 0); 2474 2475 psa_set_key_type(&to_attributes, to_type); 2476 psa_set_key_bits(&to_attributes, to_bits); 2477 psa_set_key_usage_flags(&to_attributes, to_usage); 2478 psa_set_key_algorithm(&to_attributes, to_alg); 2479 2480 TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &to_attributes, &to_key_id), 2481 expected_ret); 2482 2483 if (expected_ret == 0) { 2484 PSA_ASSERT(psa_get_key_attributes(to_key_id, &actual_attributes)); 2485 TEST_EQUAL(to_type, psa_get_key_type(&actual_attributes)); 2486 if (to_bits != 0) { 2487 TEST_EQUAL(to_bits, psa_get_key_bits(&actual_attributes)); 2488 } 2489 TEST_EQUAL(to_alg, psa_get_key_algorithm(&actual_attributes)); 2490 psa_key_usage_t expected_usage = to_usage; 2491 if (expected_usage & PSA_KEY_USAGE_SIGN_HASH) { 2492 expected_usage |= PSA_KEY_USAGE_SIGN_MESSAGE; 2493 } 2494 if (expected_usage & PSA_KEY_USAGE_VERIFY_HASH) { 2495 expected_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE; 2496 } 2497 TEST_EQUAL(expected_usage, psa_get_key_usage_flags(&actual_attributes)); 2498 if (!mbedtls_test_key_consistency_psa_pk(to_key_id, &pk)) { 2499 goto exit; 2500 } 2501 } else { 2502 TEST_ASSERT(mbedtls_svc_key_id_equal(to_key_id, MBEDTLS_SVC_KEY_ID_INIT)); 2503 } 2504 2505exit: 2506 mbedtls_pk_free(&pk); 2507 psa_destroy_key(from_key_id); 2508 psa_destroy_key(to_key_id); 2509 psa_reset_key_attributes(&from_attributes); 2510 psa_reset_key_attributes(&to_attributes); 2511 psa_reset_key_attributes(&actual_attributes); 2512 PSA_DONE(); 2513} 2514/* END_CASE */ 2515 2516/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C*/ 2517void pk_copy_from_psa_fail(void) 2518{ 2519 mbedtls_pk_context pk_ctx; 2520 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 2521 2522 mbedtls_pk_init(&pk_ctx); 2523 PSA_INIT(); 2524 2525 /* Null pk pointer. */ 2526 TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, NULL), 2527 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2528 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(key_id, NULL), 2529 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2530 2531 /* Invalid key ID. */ 2532 TEST_EQUAL(mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_make(0, 0), &pk_ctx), 2533 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2534 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_make(0, 0), &pk_ctx), 2535 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2536 2537#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) 2538 /* Generate a key type that is not handled by the PK module. */ 2539 PSA_ASSERT(pk_psa_genkey_generic(PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919), 2048, 2540 PSA_KEY_USAGE_EXPORT, PSA_ALG_NONE, &key_id)); 2541 TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2542 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2543 psa_destroy_key(key_id); 2544#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */ 2545 2546#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(PSA_WANT_ECC_SECP_R1_256) && \ 2547 defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) 2548 /* Generate an EC key which cannot be exported. */ 2549 PSA_ASSERT(pk_psa_genkey_generic(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256, 2550 0, PSA_ALG_NONE, &key_id)); 2551 TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_TYPE_MISMATCH); 2552 psa_destroy_key(key_id); 2553#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && PSA_WANT_ECC_SECP_R1_256 && 2554 PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ 2555 2556exit: 2557 mbedtls_pk_free(&pk_ctx); 2558 psa_destroy_key(key_id); 2559 PSA_DONE(); 2560} 2561/* END_CASE */ 2562 2563/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC:!MBEDTLS_RSA_C */ 2564void pk_copy_from_psa_builtin_fail() 2565{ 2566 mbedtls_pk_context pk_ctx; 2567 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; 2568 2569 mbedtls_pk_init(&pk_ctx); 2570 PSA_INIT(); 2571 2572 PSA_ASSERT(pk_psa_genkey_generic(PSA_KEY_TYPE_RSA_KEY_PAIR, 2573 PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS, 2574 PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT, 2575 PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256), 2576 &key_id)); 2577 TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA); 2578exit: 2579 mbedtls_pk_free(&pk_ctx); 2580 psa_destroy_key(key_id); 2581 PSA_DONE(); 2582} 2583/* END_CASE */ 2584 2585/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C*/ 2586void pk_copy_from_psa_success(data_t *priv_key_data, int key_type_arg, 2587 int key_alg_arg) 2588{ 2589 psa_key_type_t key_type = key_type_arg; 2590 psa_algorithm_t key_alg = key_alg_arg; 2591 psa_key_usage_t key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | 2592 PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; 2593 mbedtls_pk_context pk_priv, pk_priv_copy_public, pk_pub, pk_pub_copy_public; 2594 mbedtls_svc_key_id_t priv_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2595 mbedtls_svc_key_id_t pub_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2596 unsigned char *in_buf = NULL; 2597 size_t in_buf_len = MBEDTLS_MD_MAX_SIZE; 2598 unsigned char out_buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 2599 unsigned char out_buf2[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 2600 size_t out_buf_len, out_buf2_len; 2601 2602 mbedtls_pk_init(&pk_priv); 2603 mbedtls_pk_init(&pk_priv_copy_public); 2604 mbedtls_pk_init(&pk_pub); 2605 mbedtls_pk_init(&pk_pub_copy_public); 2606 PSA_INIT(); 2607 2608 if (key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 2609 key_usage |= PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT; 2610 } 2611 2612 /* Create both a private key and its public counterpart in PSA. */ 2613 PSA_ASSERT(pk_psa_import_key(priv_key_data->x, priv_key_data->len, 2614 key_type, key_usage, key_alg, &priv_key_id)); 2615 pub_key_id = psa_pub_key_from_priv(priv_key_id); 2616 2617 /* Create 4 PK contexts starting from the PSA keys we just created. */ 2618 TEST_EQUAL(mbedtls_pk_copy_from_psa(priv_key_id, &pk_priv), 0); 2619 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(priv_key_id, &pk_priv_copy_public), 0); 2620 TEST_EQUAL(mbedtls_pk_copy_from_psa(pub_key_id, &pk_pub), 0); 2621 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(pub_key_id, &pk_pub_copy_public), 0); 2622 2623 /* Destoy both PSA keys to prove that generated PK contexts are independent 2624 * from them. */ 2625 priv_key_id = psa_copy_and_destroy(priv_key_id); 2626 pub_key_id = psa_copy_and_destroy(pub_key_id); 2627 2628 /* Test #1: 2629 * - check that the generated PK contexts are of the correct type. 2630 * - [only for RSA] check that the padding mode is correct. 2631 */ 2632 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) { 2633 TEST_EQUAL(mbedtls_pk_get_type(&pk_priv), MBEDTLS_PK_ECKEY); 2634 TEST_EQUAL(mbedtls_pk_get_type(&pk_pub), MBEDTLS_PK_ECKEY); 2635 } else { 2636 TEST_EQUAL(mbedtls_pk_get_type(&pk_priv), MBEDTLS_PK_RSA); 2637 TEST_EQUAL(mbedtls_pk_get_type(&pk_pub), MBEDTLS_PK_RSA); 2638#if defined(MBEDTLS_RSA_C) 2639 mbedtls_rsa_context *rsa_priv = mbedtls_pk_rsa(pk_priv); 2640 mbedtls_rsa_context *rsa_pub = mbedtls_pk_rsa(pk_pub); 2641 if (PSA_ALG_IS_RSA_OAEP(key_alg) || PSA_ALG_IS_RSA_PSS(key_alg)) { 2642 TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_priv), MBEDTLS_RSA_PKCS_V21); 2643 TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_pub), MBEDTLS_RSA_PKCS_V21); 2644 } else { 2645 TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_priv), MBEDTLS_RSA_PKCS_V15); 2646 TEST_EQUAL(mbedtls_rsa_get_padding_mode(rsa_pub), MBEDTLS_RSA_PKCS_V15); 2647 } 2648#endif /* MBEDTLS_RSA_C */ 2649 } 2650 2651 /* Test #2: check that the 2 generated PK contexts form a valid private/public key pair. */ 2652 TEST_EQUAL(mbedtls_pk_check_pair(&pk_pub, &pk_priv, mbedtls_test_rnd_std_rand, NULL), 0); 2653 2654 /* Get the MD alg to be used for the tests below from the provided key policy. */ 2655 mbedtls_md_type_t md_for_test = MBEDTLS_MD_ALG_FOR_TEST; /* Default */ 2656 if ((PSA_ALG_GET_HASH(key_alg) != PSA_ALG_NONE) && 2657 (PSA_ALG_GET_HASH(key_alg) != PSA_ALG_ANY_HASH)) { 2658 md_for_test = mbedtls_md_type_from_psa_alg(key_alg); 2659 } 2660 /* Use also the same MD algorithm for PSA sign/verify checks. This is helpful 2661 * for the cases in which the key policy algorithm is ANY_HASH type. */ 2662 psa_algorithm_t psa_alg_for_test = 2663 (key_alg & ~PSA_ALG_HASH_MASK) | 2664 (mbedtls_md_psa_alg_from_type(md_for_test) & PSA_ALG_HASH_MASK); 2665 2666 in_buf_len = mbedtls_md_get_size_from_type(md_for_test); 2667 TEST_CALLOC(in_buf, in_buf_len); 2668 memset(in_buf, 0x1, in_buf_len); 2669 2670 /* Test #3: sign/verify with the following pattern: 2671 * - Sign using the PK context generated from the private key. 2672 * - Verify from the same PK context used for signature. 2673 * - Verify with the PK context generated using public key. 2674 * - Verify using the public PSA key directly. 2675 */ 2676 2677 /* Edge cases: in a build with RSA key support but not RSA padding modes, 2678 * or with ECDSA verify support but not signature, the signature might be 2679 * impossible. */ 2680 int pk_can_sign = 0; 2681#if defined(MBEDTLS_PKCS1_V15) 2682 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(key_alg) || key_alg == PSA_ALG_RSA_PKCS1V15_CRYPT) { 2683 pk_can_sign = 1; 2684 } 2685#endif 2686#if defined(MBEDTLS_PKCS1_V21) 2687 if (PSA_ALG_IS_RSA_PSS(key_alg) || PSA_ALG_IS_RSA_OAEP(key_alg)) { 2688 pk_can_sign = 1; 2689 } 2690#endif 2691#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 2692 if (PSA_ALG_IS_ECDSA(key_alg) || PSA_ALG_IS_DETERMINISTIC_ECDSA(key_alg)) { 2693 pk_can_sign = 1; 2694 } 2695#endif 2696 if (pk_can_sign) { 2697 TEST_EQUAL(mbedtls_pk_sign(&pk_priv, md_for_test, in_buf, in_buf_len, 2698 out_buf, sizeof(out_buf), &out_buf_len, 2699 mbedtls_test_rnd_std_rand, NULL), 0); 2700 2701 TEST_EQUAL(mbedtls_pk_verify(&pk_priv, md_for_test, in_buf, in_buf_len, 2702 out_buf, out_buf_len), 0); 2703 TEST_EQUAL(mbedtls_pk_verify(&pk_pub, md_for_test, in_buf, in_buf_len, 2704 out_buf, out_buf_len), 0); 2705 } 2706 2707 if (PSA_ALG_IS_HASH_AND_SIGN(key_alg)) { 2708#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) 2709 /* ECDSA signature requires PK->PSA format conversion. */ 2710 if (PSA_ALG_IS_ECDSA(key_alg)) { 2711 TEST_EQUAL(mbedtls_ecdsa_der_to_raw(mbedtls_pk_get_bitlen(&pk_pub), 2712 out_buf, out_buf_len, out_buf, 2713 sizeof(out_buf), &out_buf_len), 0); 2714 } 2715#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ 2716 PSA_ASSERT(psa_verify_hash(pub_key_id, psa_alg_for_test, in_buf, in_buf_len, 2717 out_buf, out_buf_len)); 2718 } 2719 2720 /* Test #4: check sign/verify interoperability also in the opposite direction: 2721 * sign with PSA and verify with PK. Key's policy must include a valid hash 2722 * algorithm (not any). 2723 */ 2724 if (PSA_ALG_IS_HASH_AND_SIGN(key_alg)) { 2725 PSA_ASSERT(psa_sign_hash(priv_key_id, psa_alg_for_test, in_buf, in_buf_len, 2726 out_buf, sizeof(out_buf), &out_buf_len)); 2727#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) 2728 /* ECDSA signature requires PSA->PK format conversion */ 2729 if (PSA_ALG_IS_ECDSA(key_alg)) { 2730 TEST_EQUAL(mbedtls_ecdsa_raw_to_der(mbedtls_pk_get_bitlen(&pk_pub), 2731 out_buf, out_buf_len, out_buf, 2732 sizeof(out_buf), &out_buf_len), 0); 2733 } 2734#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ 2735 TEST_EQUAL(mbedtls_pk_verify(&pk_pub, md_for_test, in_buf, in_buf_len, 2736 out_buf, out_buf_len), 0); 2737 } 2738 2739 /* Test #5: in case of RSA key pair try also encryption/decryption. */ 2740 if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(key_alg)) { 2741 /* Encrypt with the public key only PK context. */ 2742 TEST_EQUAL(mbedtls_pk_encrypt(&pk_pub, in_buf, in_buf_len, 2743 out_buf, &out_buf_len, sizeof(out_buf), 2744 mbedtls_test_rnd_std_rand, NULL), 0); 2745 2746 /* Decrypt with key pair PK context and compare with original data. */ 2747 TEST_EQUAL(mbedtls_pk_decrypt(&pk_priv, out_buf, out_buf_len, 2748 out_buf2, &out_buf2_len, sizeof(out_buf2), 2749 mbedtls_test_rnd_std_rand, NULL), 0); 2750 TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len); 2751 2752 if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(key_alg)) { 2753 /* Decrypt with PSA private key directly and compare with original data. */ 2754 PSA_ASSERT(psa_asymmetric_decrypt(priv_key_id, key_alg, out_buf, out_buf_len, 2755 NULL, 0, 2756 out_buf2, sizeof(out_buf2), &out_buf2_len)); 2757 TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len); 2758 2759 /* Encrypt with PSA public key directly, decrypt with public key PK context 2760 * and compare with original data. */ 2761 PSA_ASSERT(psa_asymmetric_encrypt(pub_key_id, key_alg, in_buf, in_buf_len, 2762 NULL, 0, 2763 out_buf, sizeof(out_buf), &out_buf_len)); 2764 TEST_EQUAL(mbedtls_pk_decrypt(&pk_priv, out_buf, out_buf_len, 2765 out_buf2, &out_buf2_len, sizeof(out_buf2), 2766 mbedtls_test_rnd_std_rand, NULL), 0); 2767 TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len); 2768 } 2769 } 2770 2771 /* Test that the keys from mbedtls_pk_copy_public_from_psa() are identical 2772 * to the public key from mbedtls_pk_copy_from_psa(). */ 2773 mbedtls_test_set_step(1); 2774 TEST_ASSERT(pk_public_same(&pk_pub, &pk_priv_copy_public)); 2775 mbedtls_test_set_step(2); 2776 TEST_ASSERT(pk_public_same(&pk_pub, &pk_pub_copy_public)); 2777 2778exit: 2779 mbedtls_free(in_buf); 2780 mbedtls_pk_free(&pk_priv); 2781 mbedtls_pk_free(&pk_priv_copy_public); 2782 mbedtls_pk_free(&pk_pub); 2783 mbedtls_pk_free(&pk_pub_copy_public); 2784 psa_destroy_key(priv_key_id); 2785 psa_destroy_key(pub_key_id); 2786 PSA_DONE(); 2787} 2788/* END_CASE */ 2789 2790/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C*/ 2791void pk_copy_public_from_psa(data_t *priv_key_data, int key_type_arg) 2792{ 2793 psa_key_type_t key_type = key_type_arg; 2794 mbedtls_pk_context pk_from_exportable; 2795 mbedtls_pk_init(&pk_from_exportable); 2796 mbedtls_pk_context pk_from_non_exportable; 2797 mbedtls_pk_init(&pk_from_non_exportable); 2798 mbedtls_pk_context pk_private; 2799 mbedtls_pk_init(&pk_private); 2800 mbedtls_svc_key_id_t non_exportable_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2801 mbedtls_svc_key_id_t exportable_key_id = MBEDTLS_SVC_KEY_ID_INIT; 2802 2803 PSA_INIT(); 2804 2805 PSA_ASSERT(pk_psa_import_key(priv_key_data->x, priv_key_data->len, 2806 key_type, 2807 PSA_KEY_USAGE_EXPORT, 2808 PSA_ALG_NONE, 2809 &exportable_key_id)); 2810 PSA_ASSERT(pk_psa_import_key(priv_key_data->x, priv_key_data->len, 2811 key_type, 2812 0, 2813 PSA_ALG_NONE, 2814 &non_exportable_key_id)); 2815 2816 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(exportable_key_id, 2817 &pk_from_exportable), 0); 2818 TEST_EQUAL(mbedtls_pk_copy_public_from_psa(non_exportable_key_id, 2819 &pk_from_non_exportable), 0); 2820 2821 /* Check that the non-exportable key really is non-exportable */ 2822 TEST_EQUAL(mbedtls_pk_copy_from_psa(non_exportable_key_id, &pk_private), 2823 MBEDTLS_ERR_PK_TYPE_MISMATCH); 2824 2825 psa_destroy_key(exportable_key_id); 2826 psa_destroy_key(non_exportable_key_id); 2827 2828 /* The goal of this test function is mostly to check that 2829 * mbedtls_pk_copy_public_from_psa works with a non-exportable key pair. 2830 * We check that the resulting key is the same as for an exportable 2831 * key pair. We rely on pk_copy_from_psa_success tests to validate that 2832 * the result is correct. */ 2833 TEST_ASSERT(pk_public_same(&pk_from_non_exportable, &pk_from_exportable)); 2834 2835exit: 2836 mbedtls_pk_free(&pk_from_non_exportable); 2837 mbedtls_pk_free(&pk_from_exportable); 2838 mbedtls_pk_free(&pk_private); 2839 psa_destroy_key(exportable_key_id); 2840 psa_destroy_key(non_exportable_key_id); 2841 PSA_DONE(); 2842} 2843/* END_CASE */ 2844