Merge pull request #8616 from lpy4105/issue/8553/test-driver-only-rsa
Add test for driver-only RSA (crypto only)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c90119f..d61e118 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1378,9 +1378,9 @@
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
case PSA_KEY_TYPE_RSA_KEY_PAIR:
case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
- /* TODO: reporting the public exponent for opaque keys
- * is not yet implemented.
- * https://github.com/ARMmbed/mbed-crypto/issues/216
+ /* TODO: This is a temporary situation where domain parameters are deprecated,
+ * but we need it for namely generating an RSA key with a non-default exponent.
+ * This would be improved after https://github.com/Mbed-TLS/mbedtls/issues/6494.
*/
if (!psa_key_lifetime_is_external(slot->attr.lifetime)) {
mbedtls_rsa_context *rsa = NULL;
@@ -1400,6 +1400,12 @@
mbedtls_free(rsa);
}
break;
+#else
+ case PSA_KEY_TYPE_RSA_KEY_PAIR:
+ case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
+ attributes->domain_parameters = NULL;
+ attributes->domain_parameters_size = SIZE_MAX;
+ break;
#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c
index 564463f..472d3d3 100644
--- a/library/psa_crypto_client.c
+++ b/library/psa_crypto_client.c
@@ -53,6 +53,11 @@
const psa_key_attributes_t *attributes,
uint8_t *data, size_t data_size, size_t *data_length)
{
+ if (attributes->domain_parameters == NULL &&
+ attributes->domain_parameters_size == SIZE_MAX) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
if (attributes->domain_parameters_size > data_size) {
return PSA_ERROR_BUFFER_TOO_SMALL;
}
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index b8acfb5..10a76ec 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -3368,77 +3368,75 @@
build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
}
-component_test_psa_crypto_config_accel_rsa_signature () {
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
+config_psa_crypto_accel_rsa () {
+ driver_only=$1
- loc_accel_list="ALG_RSA_PKCS1V15_SIGN ALG_RSA_PSS KEY_TYPE_RSA_KEY_PAIR KEY_TYPE_RSA_PUBLIC_KEY"
+ # Start from crypto_full config (no X.509, no TLS)
+ helper_libtestdriver1_adjust_config "crypto_full"
+
+ if [ "$driver_only" -eq 1 ]; then
+ # Remove RSA support and its dependencies
+ scripts/config.py unset MBEDTLS_RSA_C
+ scripts/config.py unset MBEDTLS_PKCS1_V15
+ scripts/config.py unset MBEDTLS_PKCS1_V21
+
+ # We need PEM parsing in the test library as well to support the import
+ # of PEM encoded RSA keys.
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
+ fi
+}
+
+component_test_psa_crypto_config_accel_rsa_crypto () {
+ msg "build: crypto_full with accelerated RSA"
+
+ loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \
+ ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \
+ KEY_TYPE_RSA_PUBLIC_KEY \
+ KEY_TYPE_RSA_KEY_PAIR_BASIC \
+ KEY_TYPE_RSA_KEY_PAIR_GENERATE \
+ KEY_TYPE_RSA_KEY_PAIR_IMPORT \
+ KEY_TYPE_RSA_KEY_PAIR_EXPORT"
# Configure
# ---------
- # Start from default config (no TLS 1.3, no USE_PSA)
- helper_libtestdriver1_adjust_config "default"
-
- # It seems it is not possible to remove only the support for RSA signature
- # in the library. Thus we have to remove all RSA support (signature and
- # encryption/decryption). AS there is no driver support for asymmetric
- # encryption/decryption so far remove RSA encryption/decryption from the
- # application algorithm list.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
-
- # Remove RSA support and its dependencies
- scripts/config.py unset MBEDTLS_RSA_C
- scripts/config.py unset MBEDTLS_PKCS1_V15
- scripts/config.py unset MBEDTLS_PKCS1_V21
- scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-
- # Make sure both the library and the test library support the SHA hash
- # algorithms and only those ones (SHA256 is included by default). That way:
- # - the test library can compute the RSA signatures even in the case of a
- # composite RSA signature algorithm based on a SHA hash (no other hash
- # used in the unit tests).
- # - the dependency of RSA signature tests on PSA_WANT_ALG_SHA_xyz is
- # fulfilled as the hash SHA algorithm is supported by the library, and
- # thus the tests are run, not skipped.
- # - when testing a signature key with an algorithm wildcard built from
- # PSA_ALG_ANY_HASH as algorithm to test with the key, the chosen hash
- # algorithm based on the hashes supported by the library is also
- # supported by the test library.
- # Disable unwanted hashes here, we'll enable hashes we want in loc_extra_list.
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5
- scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160_C
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
-
- # We need PEM parsing in the test library as well to support the import
- # of PEM encoded RSA keys.
- scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
- scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C
+ config_psa_crypto_accel_rsa 1
# Build
# -----
- # These hashes are needed for some RSA-PSS signature tests.
+ # These hashes are needed for unit tests.
loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
- ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
+ ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5"
helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list"
helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o
- not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o
+ not grep mbedtls_rsa library/rsa.o
# Run the tests
# -------------
- msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature"
+ msg "test: crypto_full with accelerated RSA"
+ make test
+}
+
+component_test_psa_crypto_config_reference_rsa_crypto () {
+ msg "build: crypto_full with non-accelerated RSA"
+
+ # Configure
+ # ---------
+ config_psa_crypto_accel_rsa 0
+
+ # Build
+ # -----
+ make
+
+ # Run the tests
+ # -------------
+ msg "test: crypto_full with non-accelerated RSA"
make test
}
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index ca349d3..d3ea8c0 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -501,6 +501,38 @@
],
}
}
+ },
+ 'analyze_driver_vs_reference_rsa': {
+ 'test_function': do_analyze_driver_vs_reference,
+ 'args': {
+ 'component_ref': 'test_psa_crypto_config_reference_rsa_crypto',
+ 'component_driver': 'test_psa_crypto_config_accel_rsa_crypto',
+ 'ignored_suites': [
+ # Modules replaced by drivers.
+ 'rsa', 'pkcs1_v15', 'pkcs1_v21',
+ # We temporarily don't care about PK stuff.
+ 'pk', 'pkwrite', 'pkparse'
+ ],
+ 'ignored_tests': {
+ 'test_suite_platform': [
+ # Incompatible with sanitizers (e.g. ASan). If the driver
+ # component uses a sanitizer but the reference component
+ # doesn't, we have a PASS vs SKIP mismatch.
+ 'Check mbedtls_calloc overallocation',
+ ],
+ # Following tests depend on RSA_C but are not about
+ # them really, just need to know some error code is there.
+ 'test_suite_error': [
+ 'Low and high error',
+ 'Single high error'
+ ],
+ # Constant time operations only used for PKCS1_V15
+ 'test_suite_constant_time': [
+ re.compile(r'mbedtls_ct_zeroize_if .*'),
+ re.compile(r'mbedtls_ct_memmove_left .*')
+ ],
+ }
+ }
}
}
diff --git a/tests/src/drivers/test_driver_asymmetric_encryption.c b/tests/src/drivers/test_driver_asymmetric_encryption.c
index c906a66..ff46387 100644
--- a/tests/src/drivers/test_driver_asymmetric_encryption.c
+++ b/tests/src/drivers/test_driver_asymmetric_encryption.c
@@ -46,8 +46,7 @@
return mbedtls_test_driver_asymmetric_encryption_hooks.forced_status;
}
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
return libtestdriver1_mbedtls_psa_asymmetric_encrypt(
(const libtestdriver1_psa_key_attributes_t *) attributes,
key_buffer, key_buffer_size,
@@ -88,8 +87,7 @@
return mbedtls_test_driver_asymmetric_encryption_hooks.forced_status;
}
-#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
- defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
return libtestdriver1_mbedtls_psa_asymmetric_decrypt(
(const libtestdriver1_psa_key_attributes_t *) attributes,
key_buffer, key_buffer_size,
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index e239a44..1bd8b65 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -7342,7 +7342,7 @@
generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT
PSA generate key: RSA, e=2
-generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT
+generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"02":PSA_ERROR_INVALID_ARGUMENT
PSA generate key: FFDH, 2048 bits, good
depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index a510f8e..4c08a90 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -9688,14 +9688,24 @@
PSA_ASSERT(psa_get_key_attributes(key, &attributes));
TEST_EQUAL(psa_get_key_type(&attributes), type);
TEST_EQUAL(psa_get_key_bits(&attributes), bits);
- PSA_ASSERT(psa_get_key_domain_parameters(&attributes,
- e_read_buffer, e_read_size,
- &e_read_length));
+ psa_status_t status = psa_get_key_domain_parameters(&attributes,
+ e_read_buffer, e_read_size,
+ &e_read_length);
+
+
+#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
if (is_default_public_exponent) {
TEST_EQUAL(e_read_length, 0);
} else {
+ TEST_EQUAL(status, PSA_SUCCESS);
TEST_MEMORY_COMPARE(e_read_buffer, e_read_length, e_arg->x, e_arg->len);
}
+#else
+ (void) is_default_public_exponent;
+ TEST_EQUAL(status, PSA_ERROR_NOT_SUPPORTED);
+#endif
/* Do something with the key according to its type and permitted usage. */
if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {