Introduce mbedtls_pk_get_psa_attributes
Follow the specification in https://github.com/Mbed-TLS/mbedtls/pull/8657
as of dd77343381161e09a63b4694001da3957e27d3a7, i.e.
https://github.com/Mbed-TLS/mbedtls/blob/dd77343381161e09a63b4694001da3957e27d3a7/docs/architecture/psa-migration/psa-legacy-bridges.md#api-to-create-a-psa-key-from-a-pk-context
This commit introduces the function declaration, its documentation, the
definition without the interesting parts and a negative unit test function.
Subsequent commits will add RSA, ECC and PK_OPAQUE support.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index af1e20c..e8ffff4 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -680,3 +680,8 @@
PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
+
+PSA attributes for pk: NONE (bad)
+pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:0:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA
+
+# There is a (negative) test for pk_type=MBEDTLS_PK_RSA_ALT in pk_rsa_alt().
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 226598c..0ac84a2 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -162,6 +162,33 @@
}
#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair,
+ mbedtls_pk_context *pk, psa_key_type_t *psa_type)
+{
+ int ok = 0;
+
+ if (pk_type == MBEDTLS_PK_NONE) {
+ return 1;
+ }
+ TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0);
+
+ switch (pk_type) {
+ default:
+ TEST_FAIL("Unknown PK type in test data");
+ break;
+ }
+
+ if (!want_pair) {
+ *psa_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type);
+ }
+ ok = 1;
+
+exit:
+ return ok;
+}
+#endif
+
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/*
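Review bot: pk_setup_for_type returns 1 for MBEDTLS_PK_NONE without writing `*psa_type`, and the caller added at the end of this file declares `expected_psa_type` with no initializer, so any later use of that value in the NONE case would read an indeterminate object. The same output is read by `PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(*psa_type)` after the switch, which is only sound if every case added by the follow-up commits assigns it first. Making `*psa_type = PSA_KEY_TYPE_NONE;` the first statement would give it a defined value on every path. A short header comment would pin the contract for those commits: the helper returns 1 on success and 0 on failure, and leaves `pk` without a setup for MBEDTLS_PK_NONE. The new `#endif` could also carry `/* MBEDTLS_PSA_CRYPTO_C */` like the one just above it.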
@@ -1263,6 +1290,14 @@
TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT);
TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0);
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&alt,
+ PSA_KEY_USAGE_ENCRYPT,
+ &attributes),
+ MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
/* Test signature */
#if SIZE_MAX > UINT_MAX
TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX,
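Review bot: The new negative check asserts only the return code and never inspects `attributes` after mbedtls_pk_get_psa_attributes fails; the same holds for pk_get_psa_attributes_fail in the last hunk of this file. The function's declaration and documentation are not in these hunks, so this is an assumption: if a failed call is meant to leave the attributes as initialized, a follow-up such as `TEST_EQUAL(psa_get_key_usage_flags(&attributes), 0);` would catch an error path that leaves a partially filled key policy behind. pk_rsa_alt starts and ends outside this hunk, so it cannot be seen here whether `attributes` is reset at its exit label.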
@@ -1569,3 +1604,30 @@
PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */
+void pk_get_psa_attributes_fail(int pk_type, int from_pair,
+ int usage_arg,
+ int expected_ret)
+{
+ mbedtls_pk_context pk;
+ mbedtls_pk_init(&pk);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t usage = usage_arg;
+
+ MD_OR_USE_PSA_INIT();
+
+ psa_key_type_t expected_psa_type;
+ if (!pk_setup_for_type(pk_type, from_pair, &pk, &expected_psa_type)) {
+ goto exit;
+ }
+
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, usage, &attributes),
+ expected_ret);
+
+exit:
+ mbedtls_pk_free(&pk);
+ psa_reset_key_attributes(&attributes);
+ MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */
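Review bot: The case is gated on MBEDTLS_PSA_CRYPTO_C but brackets the call with `MD_OR_USE_PSA_INIT();` and `MD_OR_USE_PSA_DONE();`, which, as far as I know, initialise the PSA subsystem only when MD is PSA-backed or MBEDTLS_USE_PSA_CRYPTO is enabled. In a build with MBEDTLS_PSA_CRYPTO_C alone, the function under test would then run without PSA initialised. That is harmless for the single NONE case added here but may matter once the RSA and ECC cases announced in the commit message arrive. Consider `PSA_INIT();` and `PSA_DONE();` instead, matching the `PSA_DONE();` visible in the preceding test case; please confirm against the macro definitions, which are not part of this diff.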