commit 3686771dfa08d76f998ffeeebc2a38b5ab0dd4b0
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Oct 31 16:22:49 2018 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Nov 22 09:59:34 2018 +0100
tree e7570ca2505a9d3b111f318baa16661a4fa90999
parent d97390e97d648d34d8d064c26c0685aa1ad12bbe

Implement pk_sign() for opaque ECDSA keys

tests/suites/test_suite_pk.function

diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 1edc04e..563fa44 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -72,6 +72,7 @@
 /*
  * Generate a key in a free key slot and return this key slot,
  * or PK_PSA_INVALID_SLOT if no slot was available.
+ * The key uses NIST P-256 and is usable for signing with SHA-256.
  */
 psa_key_slot_t pk_psa_genkey( void )
 {
@@ -80,10 +81,20 @@
     const int curve = PSA_ECC_CURVE_SECP256R1;
     const psa_key_type_t type = PSA_KEY_TYPE_ECC_KEYPAIR(curve);
     const size_t bits = 256;
+    psa_key_policy_t policy;
 
+    /* find a free key slot */
     if( PSA_SUCCESS != mbedtls_psa_get_free_key_slot( &key ) )
         return( PK_PSA_INVALID_SLOT );
 
+    /* set up policy on key slot */
+    psa_key_policy_init( &policy );
+    psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_SIGN,
+                                      PSA_ALG_ECDSA(PSA_ALG_SHA_256) );
+    if( PSA_SUCCESS != psa_set_key_policy( key, &policy ) )
+        return( PK_PSA_INVALID_SLOT );
+
+    /* generate key */
     if( PSA_SUCCESS != psa_generate_key( key, type, bits, NULL, 0 ) )
         return( PK_PSA_INVALID_SLOT );
 
@@ -760,3 +771,53 @@
     mbedtls_pk_free( &rsa ); mbedtls_pk_free( &alt );
 }
 /* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+void pk_psa_sign(  )
+{
+    mbedtls_pk_context pk;
+    psa_key_slot_t key;
+    unsigned char hash[50], sig[100], pkey[100];
+    size_t sig_len, klen = 0;
+
+    /*
+     * This tests making signatures with a wrapped PSA key:
+     * - generate a fresh PSA key
+     * - wrap it in a PK context and make a signature this way
+     * - extract the public key
+     * - parse it to a PK context and verify the signature this way
+     */
+
+    mbedtls_pk_init( &pk );
+
+    memset( hash, 0x2a, sizeof hash );
+    memset( sig, 0, sizeof sig );
+    memset( pkey, 0, sizeof pkey );
+
+    key = pk_psa_genkey();
+    TEST_ASSERT( key != 0 );
+
+    TEST_ASSERT( mbedtls_pk_setup_psa( &pk, key ) == 0 );
+
+    TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256,
+                 hash, sizeof hash, sig, &sig_len,
+                 NULL, NULL ) == 0 );
+
+    mbedtls_pk_free( &pk );
+
+    TEST_ASSERT( PSA_SUCCESS == psa_export_public_key(
+                                key, pkey, sizeof( pkey ), &klen ) );
+    TEST_ASSERT( PSA_SUCCESS == psa_destroy_key( key ) );
+
+    mbedtls_pk_init( &pk );
+
+    TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, pkey, klen ) == 0 );
+
+
+    TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
+                            hash, sizeof hash, sig, sig_len ) == 0 );
+
+exit:
+    mbedtls_pk_free( &pk );
+}
+/* END_CASE */