test: remove usage of mbedtls_pk_wrap_as_opaque() from tests

This is replaced with: mbedtls_pk_get_psa_attributes() +
mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque().

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2024-02-27 08:11:25 +01:00
parent 665cf928d9
commit 1fa2f6e9af
4 changed files with 78 additions and 61 deletions

View file

@ -685,9 +685,24 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) {
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot,
opaque_alg, opaque_usage,
opaque_alg2), 0);
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
/* Use a fake key usage to get a successful initial guess for the PSA attributes. */
TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_VERIFY_HASH,
&key_attr), 0);
/* Then manually set type, usage, alg and alg2 as requested by the test. */
psa_key_type_t key_type = psa_get_key_type(&key_attr);
if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) {
psa_set_key_type(&key_attr, PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(key_type));
}
psa_set_key_usage_flags(&key_attr, opaque_usage);
psa_set_key_algorithm(&key_attr, opaque_alg);
if (opaque_alg2 != PSA_ALG_NONE) {
psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2);
}
TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0);
mbedtls_pk_free(cert->pkey);
mbedtls_pk_init(cert->pkey);
TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0);
}
#else
(void) opaque_alg;

View file

@ -836,6 +836,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
mbedtls_pk_context pub, prv, alt;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&pub);
@ -873,9 +874,13 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id,
PSA_ALG_ANY_HASH,
PSA_KEY_USAGE_EXPORT, 0), 0);
/* Turn the prv PK context into an opaque one.*/
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH,
&opaque_key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0);
mbedtls_pk_free(&prv);
mbedtls_pk_init(&prv);
TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
NULL), ret);
}
@ -1395,7 +1400,8 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
mbedtls_mpi N, P, Q, E;
mbedtls_rsa_context *rsa;
mbedtls_pk_context pk;
mbedtls_svc_key_id_t key_id;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t olen;
mbedtls_pk_init(&pk);
@ -1422,10 +1428,11 @@ void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
/* Turn PK context into an opaque one. */
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id,
PSA_ALG_RSA_PKCS1V15_CRYPT,
PSA_KEY_USAGE_DECRYPT,
PSA_ALG_NONE), 0);
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
mbedtls_pk_free(&pk);
mbedtls_pk_init(&pk);
TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
@ -1635,10 +1642,9 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
unsigned char pkey_legacy[200];
unsigned char pkey_psa[200];
unsigned char *pkey_legacy_start, *pkey_psa_start;
psa_algorithm_t alg_psa;
size_t sig_len, klen_legacy, klen_psa;
int ret;
mbedtls_svc_key_id_t key_id;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
/*
@ -1660,7 +1666,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
mbedtls_test_rnd_std_rand, NULL,
curve_or_keybits, 3) == 0);
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@ -1671,8 +1676,6 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
TEST_ASSERT(pk_genkey(&pk, grpid) == 0);
alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
{
@ -1699,9 +1702,11 @@ void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
#endif /* MBEDTLS_PK_WRITE_C */
/* Turn PK context into an opaque one. */
TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa,
PSA_KEY_USAGE_SIGN_HASH,
PSA_ALG_NONE) == 0);
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0);
mbedtls_pk_free(&pk);
mbedtls_pk_init(&pk);
TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type);
@ -1822,6 +1827,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg
mbedtls_pk_context pk;
size_t sig_len, pkey_len;
mbedtls_svc_key_id_t key_id;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
unsigned char *pkey_start;
@ -1861,9 +1867,14 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg
}
/* Turn PK context into an opaque one. */
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg,
PSA_KEY_USAGE_SIGN_HASH,
PSA_ALG_NONE), 0);
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
/* Tweak the algorithm associated with the PSA key because get_psa_attributes() returns
* a PSA_ALG_RSA_PSS_ANY_SALT(), but mbedtls_pk_sign_ext() requires a PSA_ALG_RSA_PSS().*/
psa_set_key_algorithm(&key_attr, psa_alg);
TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
mbedtls_pk_free(&pk);
mbedtls_pk_init(&pk);
TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));

View file

@ -75,6 +75,7 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
size_t buf_len, check_buf_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
USE_PSA_INIT();
@ -117,10 +118,13 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
/* Verify that pk_write works also for opaque private keys */
if (!is_public_key) {
memset(buf, 0, check_buf_len);
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id,
PSA_ALG_NONE,
PSA_KEY_USAGE_EXPORT,
PSA_ALG_NONE), 0);
/* Turn the key PK context into an opaque one.
* Note: set some practical usage for the key to make get_psa_attributes() happy. */
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0);
mbedtls_pk_free(&key);
mbedtls_pk_init(&key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0);
start_buf = buf;
buf_len = check_buf_len;
TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
@ -172,6 +176,7 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
size_t pub_key_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&priv_key);
@ -194,9 +199,12 @@ void pk_write_public_from_private(char *priv_key_file, char *pub_key_file)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_platform_zeroize(derived_key_raw, derived_key_len);
TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
PSA_ALG_NONE), 0);
/* Turn the priv_key PK context into an opaque one. */
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0);
mbedtls_pk_free(&priv_key);
mbedtls_pk_init(&priv_key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
derived_key_len), pub_key_len);

View file

@ -284,7 +284,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
{
mbedtls_pk_context key;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_algorithm_t md_alg_psa, alg_psa;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
@ -297,24 +297,16 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0);
if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
alg_psa = PSA_ALG_ECDSA(md_alg_psa);
} else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
} else {
TEST_ASSUME(!"PK key type not supported in this configuration");
}
TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa,
PSA_KEY_USAGE_SIGN_HASH,
PSA_ALG_NONE) == 0);
/* Turn the PK context into an opaque one. */
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
mbedtls_pk_free(&key);
mbedtls_pk_init(&key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key);
@ -373,6 +365,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip;
@ -451,24 +444,14 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* For Opaque PK contexts, wrap key as an Opaque RSA context. */
/* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
psa_algorithm_t alg_psa, md_alg_psa;
md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) {
alg_psa = PSA_ALG_ECDSA(md_alg_psa);
} else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) {
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
} else {
TEST_ASSUME(!"PK key type not supported in this configuration");
}
TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa,
PSA_KEY_USAGE_SIGN_HASH,
PSA_ALG_NONE) == 0);
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
&key_attr), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
mbedtls_pk_free(&issuer_key);
mbedtls_pk_init(&issuer_key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */