Commit graph

225 commits

Author SHA1 Message Date
Gilles Peskine
ae2668be97 Don't use mbedtls_pk_ec in our own code
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-01 20:53:04 +01:00
Gilles Peskine
7e353ba37a Create auxiliary function for repeated code
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-01 20:46:19 +01:00
Gilles Peskine
19411635a5 Test enrollment algorithm for the non-OPAQUE case
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-01 20:42:28 +01:00
Gilles Peskine
03aa9bc226 Switch pk_setup_for_type() to return MBEDTLS_ERR_xxx
Use mbedtls return codes rather than a boolean "has test not failed?".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-30 11:18:42 +01:00
Gilles Peskine
3da3c0a000 Always call psa_crypto_init when testing mbedtls_pk_get_psa_attributes
mbedtls_pk_get_psa_attributes() actually works without having initialized
the PSA subsystem, because it doesn't call any non-client PSA API functions.
But the function is only useful in conjunction with the PSA API: it's
meant to be followed by importing a key with the resulting attributes. We
don't advertize it to work without an up-and-running PSA subsystem, and
there's no need to test it without an up-and-running PSA subsystem as we
were (accidentally) doing.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-30 10:22:29 +01:00
Gilles Peskine
f8c2cd1489 Update preprocessor guard comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-30 10:18:36 +01:00
Gilles Peskine
77faddf93b Depend on legacy RSA key generation for test code
In principle the RSA tests shouldn't depend on RSA key generation: they just
need to operate on RSA keys. However they do need some method of creating an
RSA key, and we're currently doing random generation. So depend on what the
test code needs.

Depend on the legacy RSA interface, since driver-only RSA isn't currently
supported in the PK module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-24 22:14:32 +01:00
Gilles Peskine
2bd4ddc8e0 Implement pick-a-curve when ECP_LIGHT is disabled
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-24 22:10:50 +01:00
Gilles Peskine
f3dbc98d96 mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_USE_PSA_EC_DATA
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
758d8c7631 mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_OPAQUE
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
ace7c7721e mbedtls_pk_get_psa_attributes: ECC support
Add code and unit tests for MBEDTLS_PK_ECxxx in
mbedtls_pk_get_psa_attributes().

This commit only supports built-in ECC (MBEDTLS_ECP_C). A subsequent commit
will handle driver-only ECC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
6ea18361df mbedtls_pk_get_psa_attributes: RSA support
Add code and unit tests for MBEDTLS_PK_RSA in mbedtls_pk_get_psa_attributes().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
0b17255da1 Introduce mbedtls_pk_get_psa_attributes
Follow the specification in https://github.com/Mbed-TLS/mbedtls/pull/8657
as of dd77343381, i.e.
dd77343381/docs/architecture/psa-migration/psa-legacy-bridges.md (api-to-create-a-psa-key-from-a-pk-context)

This commit introduces the function declaration, its documentation, the
definition without the interesting parts and a negative unit test function.
Subsequent commits will add RSA, ECC and PK_OPAQUE support.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Tomi Fontanilles
9c69348c24 pk test suite: rename the parameter named parameter
Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 12:59:57 +02:00
Tomi Fontanilles
8174662b64 pk: implement non-PSA mbedtls_pk_sign_ext()
This makes the function always available with its
its implementation depending on MBEDTLS_USE_PSA_CRYPTO.

Related dependencies and tests are updated as well.

Fixes #7583.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 12:59:57 +02:00
Yanray Wang
61f96608cc test_suite_pk: add extra dependency for pk_psa_sign
pk_psa_sign is guarded by MBEDTLS_TEST_PK_PSA_SIGN which is set under:
 - The build has PK_[PARSE/WRITE]_C for RSA or ECDSA signature.
 - The build has built-in ECC and ECDSA signature.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-26 17:15:52 +08:00
Waleed Elmelegy
d7bdbbeb0a Improve naming of mimimum RSA key size generation configurations
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 14:50:09 +00:00
Waleed Elmelegy
3d158f0c28 Adapt tests to work on all possible minimum RSA key sizes
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 11:03:35 +00:00
Waleed Elmelegy
76336c3e4d Enforce minimum key size when generating RSA key size
Add configuration to enforce minimum size when
generating a RSA key, it's default value is 1024
bits since this the minimum secure value currently
but it can be any value greater than or equal 128
bits. Tests were modifed to accommodate for this
change.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 10:58:25 +00:00
Manuel Pégourié-Gonnard
2be8c63af7 Create psa_util_internal.h
Most functions in psa_util.h are going to end up there (except those
that can be static in one file), but I wanted to have separate commits
for file creation and moving code around, so for now the new file's
pretty empty but that will change in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
Valerio Setti
e77307738d pk_wrap: add support for ECDSA verify for opaque keys
This commit also add tests to verify the functionality

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
30fdc03819 pk: remove useless internal function
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-19 19:24:05 +02:00
Valerio Setti
545a0d643f test: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-19 19:24:05 +02:00
Manuel Pégourié-Gonnard
02b10d8266 Add missing include
Fix build failures with config full

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
6076f4124a Remove hash_info.[ch]
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
2d6d993662 Use MD<->PSA functions from MD light
As usual, just a search-and-replace plus:

1. Removing things from hash_info.[ch]
2. Adding new auto-enable MD_LIGHT in build-info.h
3. Including md_psa.h where needed

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
9b41eb8533 Replace hash_info_get_type with MD function
Mostly a search and replace with just two manual changes:

1. Now PK and TLS need MD light, so auto-enable it.
2. Remove the old function in hash_info.[ch]

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
valerio
6c666c6c8d test: add key pair check verification for opaque EC keys
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-06-05 11:05:40 +02:00
Valerio Setti
7237d5ff5b test: minor enhancement for using the new private key format
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-23 15:12:07 +02:00
Valerio Setti
a7cb845705 pk: add checks for the returned ECC family
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-22 18:39:43 +02:00
Valerio Setti
483738ed67 tests: fixes for using the new public key raw format
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-17 15:38:39 +02:00
Valerio Setti
77a75685ed pk: align library and tests code to the new internal functions
Note = programs are not aligned to this change because:
- the original mbedtls_pk_ec is not ufficially deprecated
- that function is used in tests when ECP_C is defined, so
  the legacy version of that function is available in that
  case

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-15 11:18:46 +02:00
Valerio Setti
8bb93bb44c test: fix max value in test_mx32
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-24 13:47:18 +02:00
valerio
32f2ac9a18 test: proper positioning of USE_PSA_INIT + added missing exit labels
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-04-24 13:47:18 +02:00
Valerio Setti
b79f7db9b0 test: fix USE_PSA_INIT/DONE for PK test suite
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-24 13:47:18 +02:00
Valerio Setti
d49cbc1493 test: fix remaining failures in test due to the ECP_LIGHT symbol
Changes in test_suite_psa_crypto are to enforce the dependency
on ECP_C which is mandatory for some key's derivation.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
7816c24f2d test: fix guards position in test_suite_pk
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 09:16:24 +02:00
Valerio Setti
b3f20da313 test: fix error handling in the new pk_genkey_ec() function
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 09:16:24 +02:00
Valerio Setti
12a063abb7 test: use proper macros for PSA init/done
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 09:16:24 +02:00
Valerio Setti
b6891b13f6 pk: add alternate function for keypair generation using PSA
Instead of using the legacy mbedtls_ecp_gen_keypair() which makes
use of ECP's math, when USE_PSA_CRYPTO is enabled then the new
function pk_genkey_ec() is used in test_suite_pk.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 09:16:24 +02:00
Valerio Setti
0fe1ee27e5 pk: add an alternative function for checking private/public key pairs
Instead of using the legacy mbedtls_ecp_check_pub_priv() function which
was based on ECP math, we add a new option named eckey_check_pair_psa()
which takes advantage of PSA.
Of course, this is available when MBEDTLS_USE_PSA_CRYPTO in enabled.

Tests were also fixed accordingly.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-03 15:00:21 +02:00
Manuel Pégourié-Gonnard
c584c27426 Disable built-in SHA-256 in accel_hash too
Now that Entropy doesn't need it any more, we can have driver-only
SHA-256 (and 224 with it) in the non-USE_PSA component too.

This reveals a missing PSA_INIT in a PK test using SHA-256.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-24 10:43:40 +01:00
Manuel Pégourié-Gonnard
7224086ebc Remove legacy_or_psa.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:29:31 +01:00
Manuel Pégourié-Gonnard
fa99afa2bc PK: fix test failures
Introduce MD_OR_USE_PSA_INIT/DONE. This will likely be used everywhere
in X.509 and SSL/TLS, but most places in PK only need USE_PSA_INIT/DONE.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Manuel Pégourié-Gonnard
0b8095d96a PK: use MD_CAN macros
sed -i -f md.sed tests/suites/test_suite_pk{,parse,write}.*

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Gilles Peskine
7e677fa2c5
Merge pull request #6389 from gilles-peskine-arm/ecdsa-use-psa-without-pkwrite
Remove pkwrite dependency in pk using PSA for ECDSA
2023-02-28 18:17:16 +01:00
Dave Rodgman
d26d7445b8 Restore guards on a couple of tests
These tests check for failures, but can only fail where SIZE_MAX
exceeds some limit (UINT_MAX or UINT32_MAX) and do not fail
in this way otherwise - so guards are needed.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-11 17:22:03 +00:00
Dave Rodgman
4a5c9ee7f2 Remove redundant SIZE_MAX guards
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-10 16:03:44 +00:00
Valerio Setti
683a432a7f fix code style
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:39:10 +01:00
Valerio Setti
a1e3e3a28f test: pk: keep PK_WRITE_C only in RSA tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:39:10 +01:00