Implement pk_sign() for opaque ECDSA keys
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index 417670d..011b1f5 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -188,3 +188,6 @@
ECDSA restartable sign/verify: ECKEY, max_ops=250
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
pk_sign_verify_restart:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":250:2:64
+
+PSA wrapped sign
+pk_psa_sign:
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 1edc04e..563fa44 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -72,6 +72,7 @@
/*
* Generate a key in a free key slot and return this key slot,
* or PK_PSA_INVALID_SLOT if no slot was available.
+ * The key uses NIST P-256 and is usable for signing with SHA-256.
*/
psa_key_slot_t pk_psa_genkey( void )
{
@@ -80,10 +81,20 @@
const int curve = PSA_ECC_CURVE_SECP256R1;
const psa_key_type_t type = PSA_KEY_TYPE_ECC_KEYPAIR(curve);
const size_t bits = 256;
+ psa_key_policy_t policy;
+ /* find a free key slot */
if( PSA_SUCCESS != mbedtls_psa_get_free_key_slot( &key ) )
return( PK_PSA_INVALID_SLOT );
+ /* set up policy on key slot */
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_SIGN,
+ PSA_ALG_ECDSA(PSA_ALG_SHA_256) );
+ if( PSA_SUCCESS != psa_set_key_policy( key, &policy ) )
+ return( PK_PSA_INVALID_SLOT );
+
+ /* generate key */
if( PSA_SUCCESS != psa_generate_key( key, type, bits, NULL, 0 ) )
return( PK_PSA_INVALID_SLOT );
@@ -760,3 +771,53 @@
mbedtls_pk_free( &rsa ); mbedtls_pk_free( &alt );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+void pk_psa_sign( )
+{
+ mbedtls_pk_context pk;
+ psa_key_slot_t key;
+ unsigned char hash[50], sig[100], pkey[100];
+ size_t sig_len, klen = 0;
+
+ /*
+ * This tests making signatures with a wrapped PSA key:
+ * - generate a fresh PSA key
+ * - wrap it in a PK context and make a signature this way
+ * - extract the public key
+ * - parse it to a PK context and verify the signature this way
+ */
+
+ mbedtls_pk_init( &pk );
+
+ memset( hash, 0x2a, sizeof hash );
+ memset( sig, 0, sizeof sig );
+ memset( pkey, 0, sizeof pkey );
+
+ key = pk_psa_genkey();
+ TEST_ASSERT( key != 0 );
+
+ TEST_ASSERT( mbedtls_pk_setup_psa( &pk, key ) == 0 );
+
+ TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256,
+ hash, sizeof hash, sig, &sig_len,
+ NULL, NULL ) == 0 );
+
+ mbedtls_pk_free( &pk );
+
+ TEST_ASSERT( PSA_SUCCESS == psa_export_public_key(
+ key, pkey, sizeof( pkey ), &klen ) );
+ TEST_ASSERT( PSA_SUCCESS == psa_destroy_key( key ) );
+
+ mbedtls_pk_init( &pk );
+
+ TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, pkey, klen ) == 0 );
+
+
+ TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
+ hash, sizeof hash, sig, sig_len ) == 0 );
+
+exit:
+ mbedtls_pk_free( &pk );
+}
+/* END_CASE */