Add Test generating certificates using an opaque EC key

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index ef566d0..abf0a54 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -223,7 +223,8 @@
                      char *serial_str, char *not_before, char *not_after,
                      int md_type, int key_usage, int set_key_usage,
                      int cert_type, int set_cert_type, int auth_ident,
-                     int ver, char *cert_check_file, int pk_wrap, int is_ca )
+                     int ver, char *cert_check_file, int pk_wrap, int is_ca,
+                     char *cert_verify_file )
 {
     mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
     mbedtls_pk_context *key = &issuer_key;
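Review bot: The new `cert_verify_file` parameter is undocumented, and which of the two file arguments is read now depends on the issuer key type (see the branch added later in this diff). A short comment above the signature would make that explicit, for example `/* cert_check_file: expected PEM, compared byte-for-byte (RSA issuers only); cert_verify_file: trusted certificate used to verify the output (non-RSA issuers only). */`. Every existing test-data entry that calls this function also needs the extra argument; those entries are not visible in this diff. The signature starts above the hunk.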
@@ -240,6 +241,7 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
 #endif
+    mbedtls_pk_type_t issuer_key_type;
 
     memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) );
     mbedtls_mpi_init( &serial );
@@ -258,9 +260,11 @@
     TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
                     issuer_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 );
 
+    issuer_key_type = mbedtls_pk_get_type( &issuer_key );
+
 #if defined(MBEDTLS_RSA_C)
     /* For RSA PK contexts, create a copy as an alternative RSA context. */
-    if( pk_wrap == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
+    if( pk_wrap == 1 && issuer_key_type == MBEDTLS_PK_RSA )
     {
         TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt,
                                             mbedtls_pk_rsa( issuer_key ),
@@ -329,14 +333,40 @@
         TEST_ASSERT( buf[buf_index] == 0 );
     }
 
-    f = fopen( cert_check_file, "r" );
-    TEST_ASSERT( f != NULL );
-    olen = fread( check_buf, 1, sizeof( check_buf ), f );
-    fclose( f );
-    TEST_ASSERT( olen < sizeof( check_buf ) );
+    if( issuer_key_type != MBEDTLS_PK_RSA )
+    {
+        mbedtls_x509_crt crt_parse, trusted;
+        uint32_t flags;
 
-    TEST_ASSERT( olen >= pem_len - 1 );
-    TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
+        mbedtls_x509_crt_init( &crt_parse );
+        mbedtls_x509_crt_init( &trusted );
+
+        TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted,
+                                                  cert_verify_file ) == 0 );
+        TEST_ASSERT( mbedtls_x509_crt_parse( &crt_parse,
+                                             buf, sizeof( buf ) ) == 0 );
+
+        ret = mbedtls_x509_crt_verify( &crt_parse, &trusted, NULL, NULL, &flags,
+                                       NULL, NULL );
+
+        mbedtls_x509_crt_free( &crt_parse );
+        mbedtls_x509_crt_free( &trusted );
+
+        TEST_EQUAL( flags, 0 );
+        TEST_EQUAL( ret, 0 );
+    }
+    else
+    {
+        f = fopen( cert_check_file, "r" );
+        TEST_ASSERT( f != NULL );
+        olen = fread( check_buf, 1, sizeof( check_buf ), f );
+        fclose( f );
+        TEST_ASSERT( olen < sizeof( check_buf ) );
+
+        TEST_EQUAL( olen, pem_len );
+        TEST_ASSERT( olen >= pem_len - 1 );
+        TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
+    }
 
     der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ),
                                          mbedtls_test_rnd_pseudo_rand,
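Review bot: In the non-RSA branch, `crt_parse` and `trusted` are leaked whenever either `TEST_ASSERT` on the parse calls fails, because both are block-local and the two `mbedtls_x509_crt_free` calls sit after those assertions (assuming a failed assertion jumps to `exit`, as the `goto exit` elsewhere in this function suggests). Collecting the return codes first, freeing, and asserting afterwards keeps the failure path clean, as sketched below. Separately, this branch only proves that the output chains to `cert_verify_file` with no expected name and no CRL. It no longer checks the written serial, validity dates, key usage or extensions, so a regression in those fields would pass for non-RSA issuers; comparing a few parsed fields of `crt_parse` before freeing it would restore that coverage. The function body starts and ends outside this hunk.

```c
    if( issuer_key_type != MBEDTLS_PK_RSA )
    {
        mbedtls_x509_crt crt_parse, trusted;
        uint32_t flags = (uint32_t) -1;
        int trusted_ret, parse_ret;

        mbedtls_x509_crt_init( &crt_parse );
        mbedtls_x509_crt_init( &trusted );

        trusted_ret = mbedtls_x509_crt_parse_file( &trusted, cert_verify_file );
        parse_ret = mbedtls_x509_crt_parse( &crt_parse, buf, sizeof( buf ) );

        ret = -1;
        if( trusted_ret == 0 && parse_ret == 0 )
            ret = mbedtls_x509_crt_verify( &crt_parse, &trusted, NULL, NULL,
                                           &flags, NULL, NULL );

        /* Free before asserting: a failed assertion leaves this block. */
        mbedtls_x509_crt_free( &crt_parse );
        mbedtls_x509_crt_free( &trusted );

        TEST_EQUAL( trusted_ret, 0 );
        TEST_EQUAL( parse_ret, 0 );
        TEST_EQUAL( ret, 0 );
        TEST_EQUAL( flags, 0 );
    }
    /* … unchanged: else branch comparing buf against cert_check_file … */
```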
@@ -346,7 +376,17 @@
     if( der_len == 0 )
         goto exit;
 
-    ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ),
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    // When using PSA crypto, RNG isn't controllable, result length isn'
+    // deterministic over multiple runs, removing a single byte isn't enough to
+    // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
+    if( issuer_key_type != MBEDTLS_PK_RSA )
+        der_len /= 2;
+    else
+#endif
+        der_len -= 1;
+
+    ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len ),
                                      mbedtls_test_rnd_pseudo_rand, &rnd_info );
     TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
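Review bot: The unbraced `if`/`else` that straddles `#endif` is fragile: `der_len -= 1;` is the else-arm only in builds with MBEDTLS_USE_PSA_CRYPTO, and a statement later inserted between `#endif` and that line would silently become the else-arm instead. Bracing both arms inside the `#if` and keeping a plain `der_len -= 1;` under `#else` removes that trap. The comment has a truncated word (`isn'`) and could read `/* With PSA crypto the RNG is not controllable, so the DER length varies between runs and dropping one byte may not reach MBEDTLS_ERR_ASN1_BUF_TOO_SMALL. */`. Halving applies to every non-RSA issuer in PSA builds, so the one-byte-short boundary of the buffer-size check is no longer exercised for those keys. The function body continues outside the hunk.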