Merge remote-tracking branch 'psa/pr/90' into feature-psa
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 6dff2f5..d730bd8 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -339,6 +339,72 @@
}
}
+/* Retrieve a key slot, occupied or not. */
+static psa_status_t psa_get_key_slot( psa_key_slot_t key,
+ key_slot_t **p_slot )
+{
+ if( key == 0 || key > PSA_KEY_SLOT_COUNT )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ *p_slot = &global_data.key_slots[key];
+ return( PSA_SUCCESS );
+}
+
+/* Retrieve an empty key slot (slot with no key data, but possibly
+ * with some metadata such as a policy). */
+static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key,
+ key_slot_t **p_slot )
+{
+ psa_status_t status;
+ key_slot_t *slot = NULL;
+
+ *p_slot = NULL;
+
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ if( slot->type != PSA_KEY_TYPE_NONE )
+ return( PSA_ERROR_OCCUPIED_SLOT );
+
+ *p_slot = slot;
+ return( status );
+}
+
+/* Retrieve a slot which must contain a key. The key must have allow all
+ * the usage flags set in \p usage. If \p alg is nonzero, the key must
+ * allow operations with this algorithm. */
+static psa_status_t psa_get_key_from_slot( psa_key_slot_t key,
+ key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg )
+{
+ psa_status_t status;
+ key_slot_t *slot = NULL;
+
+ *p_slot = NULL;
+
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+ if( slot->type == PSA_KEY_TYPE_NONE )
+ return( PSA_ERROR_EMPTY_SLOT );
+
+ /* Enforce that usage policy for the key slot contains all the flags
+ * required by the usage parameter. There is one exception: public
+ * keys can always be exported, so we treat public key objects as
+ * if they had the export flag. */
+ if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
+ usage &= ~PSA_KEY_USAGE_EXPORT;
+ if( ( slot->policy.usage & usage ) != usage )
+ return( PSA_ERROR_NOT_PERMITTED );
+ if( alg != 0 && ( alg != slot->policy.alg ) )
+ return( PSA_ERROR_NOT_PERMITTED );
+
+ *p_slot = slot;
+ return( PSA_SUCCESS );
+}
+
/****************************************************************/
@@ -481,16 +547,13 @@
size_t data_length )
{
key_slot_t *slot;
-
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
- if( slot->type != PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_OCCUPIED_SLOT );
+ psa_status_t status = PSA_SUCCESS;
+ status = psa_get_empty_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
if( key_type_is_raw_bytes( type ) )
{
- psa_status_t status;
/* Ensure that a bytes-to-bit conversion won't overflow. */
if( data_length > SIZE_MAX / 8 )
return( PSA_ERROR_NOT_SUPPORTED );
@@ -510,7 +573,6 @@
{
int ret;
mbedtls_pk_context pk;
- psa_status_t status = PSA_SUCCESS;
mbedtls_pk_init( &pk );
if( PSA_KEY_TYPE_IS_KEYPAIR( type ) )
ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 );
@@ -583,10 +645,12 @@
psa_status_t psa_destroy_key( psa_key_slot_t key )
{
key_slot_t *slot;
+ psa_status_t status;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+
if( slot->type == PSA_KEY_TYPE_NONE )
{
/* No key material to clean, but do zeroize the slot below to wipe
@@ -624,51 +688,45 @@
return( PSA_SUCCESS );
}
+/* Return the size of the key in the given slot, in bits. */
+static size_t psa_get_key_bits( const key_slot_t *slot )
+{
+ if( key_type_is_raw_bytes( slot->type ) )
+ return( slot->data.raw.bytes * 8 );
+#if defined(MBEDTLS_RSA_C)
+ if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
+ slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
+ return( mbedtls_rsa_get_bitlen( slot->data.rsa ) );
+#endif /* defined(MBEDTLS_RSA_C) */
+#if defined(MBEDTLS_ECP_C)
+ if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
+ return( slot->data.ecp->grp.pbits );
+#endif /* defined(MBEDTLS_ECP_C) */
+ /* Shouldn't happen except on an empty slot. */
+ return( 0 );
+}
+
psa_status_t psa_get_key_information( psa_key_slot_t key,
psa_key_type_t *type,
size_t *bits )
{
key_slot_t *slot;
+ psa_status_t status;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
+ if( type != NULL )
+ *type = 0;
+ if( bits != NULL )
+ *bits = 0;
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ if( slot->type == PSA_KEY_TYPE_NONE )
return( PSA_ERROR_EMPTY_SLOT );
- slot = &global_data.key_slots[key];
if( type != NULL )
*type = slot->type;
if( bits != NULL )
- *bits = 0;
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
-
- if( key_type_is_raw_bytes( slot->type ) )
- {
- if( bits != NULL )
- *bits = slot->data.raw.bytes * 8;
- }
- else
-#if defined(MBEDTLS_RSA_C)
- if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
- slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
- {
- if( bits != NULL )
- *bits = mbedtls_rsa_get_bitlen( slot->data.rsa );
- }
- else
-#endif /* defined(MBEDTLS_RSA_C) */
-#if defined(MBEDTLS_ECP_C)
- if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
- {
- if( bits != NULL )
- *bits = slot->data.ecp->grp.pbits;
- }
- else
-#endif /* defined(MBEDTLS_ECP_C) */
- {
- /* Shouldn't happen: the key type is not any type that we
- * put in. */
- return( PSA_ERROR_TAMPERING_DETECTED );
- }
-
+ *bits = psa_get_key_bits( slot );
return( PSA_SUCCESS );
}
@@ -679,6 +737,13 @@
int export_public_key )
{
key_slot_t *slot;
+ psa_status_t status;
+ /* Exporting a public key doesn't require a usage flag. If we're
+ * called by psa_export_public_key(), don't require the EXPORT flag.
+ * If we're called by psa_export_key(), do require the EXPORT flag;
+ * if the key turns out to be public key object, psa_get_key_from_slot()
+ * will ignore this flag. */
+ psa_key_usage_t usage = export_public_key ? 0 : PSA_KEY_USAGE_EXPORT;
/* Set the key to empty now, so that even when there are errors, we always
* set data_length to a value between 0 and data_size. On error, setting
@@ -686,20 +751,12 @@
* unlikely to be accepted anywhere. */
*data_length = 0;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_EMPTY_SLOT );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
-
+ status = psa_get_key_from_slot( key, &slot, usage, 0 );
+ if( status != PSA_SUCCESS )
+ return( status );
if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
- if( ! export_public_key &&
- ! PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) &&
- ( slot->policy.usage & PSA_KEY_USAGE_EXPORT ) == 0 )
- return( PSA_ERROR_NOT_PERMITTED );
-
if( key_type_is_raw_bytes( slot->type ) )
{
if( slot->data.raw.bytes > data_size )
@@ -1412,7 +1469,6 @@
{
psa_status_t status;
key_slot_t *slot;
- psa_key_type_t key_type;
size_t key_bits;
const mbedtls_cipher_info_t *cipher_info = NULL;
@@ -1420,23 +1476,26 @@
if( status != PSA_SUCCESS )
return( status );
- status = psa_get_key_information( key, &key_type, &key_bits );
+ status = psa_get_key_from_slot( key, &slot, 0, alg );
if( status != PSA_SUCCESS )
return( status );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
-
+ /* Since this function is called identically for a sign or verify
+ * operation, we don't know yet whether the operation is permitted.
+ * Store the part of the key policy that we can't check in the
+ * operation structure. psa_mac_finish() or psa_mac_verify() will
+ * check that remaining part. */
if( ( slot->policy.usage & PSA_KEY_USAGE_SIGN ) != 0 )
operation->key_usage_sign = 1;
-
if( ( slot->policy.usage & PSA_KEY_USAGE_VERIFY ) != 0 )
operation->key_usage_verify = 1;
+ key_bits = psa_get_key_bits( slot );
+
if( ! PSA_ALG_IS_HMAC( alg ) )
{
- cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, NULL );
+ cipher_info = mbedtls_cipher_info_from_psa( alg, slot->type, key_bits,
+ NULL );
if( cipher_info == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
operation->mac_size = cipher_info->block_size;
@@ -1454,7 +1513,7 @@
default:
#if defined(MBEDTLS_MD_C)
if( PSA_ALG_IS_HMAC( alg ) )
- status = psa_hmac_start( operation, key_type, slot, alg );
+ status = psa_hmac_start( operation, slot->type, slot, alg );
else
#endif /* MBEDTLS_MD_C */
return( PSA_ERROR_NOT_SUPPORTED );
@@ -1919,27 +1978,14 @@
(void) salt;
(void) salt_length;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- {
- status = PSA_ERROR_EMPTY_SLOT;
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_SIGN, alg );
+ if( status != PSA_SUCCESS )
goto exit;
- }
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- {
- status = PSA_ERROR_EMPTY_SLOT;
- goto exit;
- }
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
- if( ! ( slot->policy.usage & PSA_KEY_USAGE_SIGN ) )
- {
- status = PSA_ERROR_NOT_PERMITTED;
- goto exit;
- }
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
@@ -1999,17 +2045,14 @@
size_t signature_length )
{
key_slot_t *slot;
+ psa_status_t status;
(void) salt;
(void) salt_length;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
- if( ! ( slot->policy.usage & PSA_KEY_USAGE_VERIFY ) )
- return( PSA_ERROR_NOT_PERMITTED );
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_VERIFY, alg );
+ if( status != PSA_SUCCESS )
+ return( status );
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ||
@@ -2054,19 +2097,17 @@
size_t *output_length )
{
key_slot_t *slot;
+ psa_status_t status;
+
(void) salt;
(void) salt_length;
*output_length = 0;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
+ if( status != PSA_SUCCESS )
+ return( status );
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
- if( ! ( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) )
- return( PSA_ERROR_NOT_PERMITTED );
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ||
@@ -2121,19 +2162,17 @@
size_t *output_length )
{
key_slot_t *slot;
+ psa_status_t status;
+
(void) salt;
(void) salt_length;
*output_length = 0;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_EMPTY_SLOT );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
+ if( status != PSA_SUCCESS )
+ return( status );
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
- if( ! ( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) )
- return( PSA_ERROR_NOT_PERMITTED );
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
@@ -2213,20 +2252,22 @@
int ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
psa_status_t status;
key_slot_t *slot;
- psa_key_type_t key_type;
size_t key_bits;
const mbedtls_cipher_info_t *cipher_info = NULL;
+ psa_key_usage_t usage = ( cipher_operation == MBEDTLS_ENCRYPT ?
+ PSA_KEY_USAGE_ENCRYPT :
+ PSA_KEY_USAGE_DECRYPT );
status = psa_cipher_init( operation, alg );
if( status != PSA_SUCCESS )
return( status );
- status = psa_get_key_information( key, &key_type, &key_bits );
+ status = psa_get_key_from_slot( key, &slot, usage, alg);
if( status != PSA_SUCCESS )
return( status );
- slot = &global_data.key_slots[key];
+ key_bits = psa_get_key_bits( slot );
- cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, NULL );
+ cipher_info = mbedtls_cipher_info_from_psa( alg, slot->type, key_bits, NULL );
if( cipher_info == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
@@ -2238,7 +2279,7 @@
}
#if defined(MBEDTLS_DES_C)
- if( key_type == PSA_KEY_TYPE_DES && key_bits == 128 )
+ if( slot->type == PSA_KEY_TYPE_DES && key_bits == 128 )
{
/* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
unsigned char keys[24];
@@ -2290,11 +2331,11 @@
operation->key_set = 1;
operation->block_size = ( PSA_ALG_IS_BLOCK_CIPHER( alg ) ?
- PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) :
+ PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) :
1 );
if( PSA_ALG_IS_BLOCK_CIPHER( alg ) || alg == PSA_ALG_CTR )
{
- operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type );
+ operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type );
}
return( PSA_SUCCESS );
@@ -2525,13 +2566,14 @@
const psa_key_policy_t *policy )
{
key_slot_t *slot;
+ psa_status_t status;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT || policy == NULL )
+ if( policy == NULL )
return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
- if( slot->type != PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_OCCUPIED_SLOT );
+ status = psa_get_empty_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT |
PSA_KEY_USAGE_ENCRYPT |
@@ -2549,11 +2591,14 @@
psa_key_policy_t *policy )
{
key_slot_t *slot;
+ psa_status_t status;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT || policy == NULL )
+ if( policy == NULL )
return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
*policy = slot->policy;
@@ -2570,11 +2615,11 @@
psa_key_lifetime_t *lifetime )
{
key_slot_t *slot;
+ psa_status_t status;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
- slot = &global_data.key_slots[key];
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
*lifetime = slot->lifetime;
@@ -2585,18 +2630,16 @@
psa_key_lifetime_t lifetime )
{
key_slot_t *slot;
-
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
+ psa_status_t status;
if( lifetime != PSA_KEY_LIFETIME_VOLATILE &&
lifetime != PSA_KEY_LIFETIME_PERSISTENT &&
lifetime != PSA_KEY_LIFETIME_WRITE_ONCE)
return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
- if( slot->type != PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_OCCUPIED_SLOT );
+ status = psa_get_empty_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
if( lifetime != PSA_KEY_LIFETIME_VOLATILE )
return( PSA_ERROR_NOT_SUPPORTED );
@@ -2627,7 +2670,6 @@
int ret;
psa_status_t status;
key_slot_t *slot;
- psa_key_type_t key_type;
size_t key_bits;
uint8_t *tag;
size_t tag_length;
@@ -2636,22 +2678,17 @@
*ciphertext_length = 0;
- status = psa_get_key_information( key, &key_type, &key_bits );
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
if( status != PSA_SUCCESS )
return( status );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
+ key_bits = psa_get_key_bits( slot );
- cipher_info = mbedtls_cipher_info_from_psa( alg, key_type,
+ cipher_info = mbedtls_cipher_info_from_psa( alg, slot->type,
key_bits, &cipher_id );
if( cipher_info == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
- if( ( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) == 0 )
- return( PSA_ERROR_NOT_PERMITTED );
-
- if( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
+ if( ( slot->type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
return( PSA_ERROR_INVALID_ARGUMENT );
@@ -2660,7 +2697,7 @@
mbedtls_gcm_context gcm;
tag_length = 16;
- if( PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) != 16 )
+ if( PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) != 16 )
return( PSA_ERROR_INVALID_ARGUMENT );
//make sure we have place to hold the tag in the ciphertext buffer
@@ -2691,7 +2728,7 @@
mbedtls_ccm_context ccm;
tag_length = 16;
- if( PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) != 16 )
+ if( PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) != 16 )
return( PSA_ERROR_INVALID_ARGUMENT );
if( nonce_length < 7 || nonce_length > 13 )
@@ -2775,7 +2812,6 @@
int ret;
psa_status_t status;
key_slot_t *slot;
- psa_key_type_t key_type;
size_t key_bits;
const uint8_t *tag;
size_t tag_length;
@@ -2784,22 +2820,17 @@
*plaintext_length = 0;
- status = psa_get_key_information( key, &key_type, &key_bits );
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
if( status != PSA_SUCCESS )
return( status );
- slot = &global_data.key_slots[key];
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
+ key_bits = psa_get_key_bits( slot );
- cipher_info = mbedtls_cipher_info_from_psa( alg, key_type,
+ cipher_info = mbedtls_cipher_info_from_psa( alg, slot->type,
key_bits, &cipher_id );
if( cipher_info == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
- if( !( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) )
- return( PSA_ERROR_NOT_PERMITTED );
-
- if( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
+ if( ( slot->type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
return( PSA_ERROR_INVALID_ARGUMENT );
@@ -2903,19 +2934,18 @@
size_t parameters_size )
{
key_slot_t *slot;
+ psa_status_t status;
- if( key == 0 || key > PSA_KEY_SLOT_COUNT )
- return( PSA_ERROR_INVALID_ARGUMENT );
- slot = &global_data.key_slots[key];
- if( slot->type != PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_OCCUPIED_SLOT );
if( parameters == NULL && parameters_size != 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
+ status = psa_get_empty_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+
if( key_type_is_raw_bytes( type ) )
{
- psa_status_t status = prepare_raw_data_slot( type, bits,
- &slot->data.raw );
+ status = prepare_raw_data_slot( type, bits, &slot->data.raw );
if( status != PSA_SUCCESS )
return( status );
status = psa_generate_random( slot->data.raw.data,
diff --git a/library/rsa.c b/library/rsa.c
index ad19639..499d145 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1122,7 +1122,8 @@
p += hlen;
p += olen - 2 * hlen - 2 - ilen;
*p++ = 1;
- memcpy( p, input, ilen );
+ if( ilen != 0 )
+ memcpy( p, input, ilen );
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
@@ -1169,7 +1170,9 @@
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
// We don't check p_rng because it won't be dereferenced here
- if( f_rng == NULL || input == NULL || output == NULL )
+ if( f_rng == NULL || output == NULL )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ if( ilen != 0 && input == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len;
@@ -1209,7 +1212,8 @@
}
*p++ = 0;
- memcpy( p, input, ilen );
+ if( ilen != 0 )
+ memcpy( p, input, ilen );
return( ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, output, output )
@@ -1373,7 +1377,8 @@
}
*olen = ilen - (p - buf);
- memcpy( output, p, *olen );
+ if( *olen != 0 )
+ memcpy( output, p, *olen );
ret = 0;
cleanup:
@@ -1471,7 +1476,8 @@
}
*olen = ilen - (p - buf);
- memcpy( output, p, *olen );
+ if( *olen != 0 )
+ memcpy( output, p, *olen );
ret = 0;
cleanup:
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index b281cb3..72c6021 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -53,10 +53,6 @@
depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
import_export:"30819f300d06092a864886f70d010101050003818d0030818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_EXPORT:1024:-1:PSA_ERROR_BUFFER_TOO_SMALL:1
-PSA import/export RSA keypair: policy forbids export
-depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
-import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_ENCRYPT:1024:0:PSA_ERROR_NOT_PERMITTED:1
-
PSA import/export RSA keypair: good, 1024-bit
depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_EXPORT:1024:0:PSA_SUCCESS:1
@@ -117,6 +113,22 @@
depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
import_export:"3081a402010104303f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76aa00706052b81040022a16403620004d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747":PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP384R1):PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_EXPORT:384:0:PSA_SUCCESS:1
+PSA import/export AES key: policy forbids export
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
+import_export:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_AES:PSA_ALG_CTR:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:128:0:PSA_ERROR_NOT_PERMITTED:1
+
+PSA import/export HMAC key: policy forbids export
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+import_export:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_TYPE_HMAC:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:256:0:PSA_ERROR_NOT_PERMITTED:1
+
+PSA import/export RSA keypair: policy forbids export (crypt)
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:1024:0:PSA_ERROR_NOT_PERMITTED:1
+
+PSA import/export RSA keypair: policy forbids export (sign)
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:1024:0:PSA_ERROR_NOT_PERMITTED:1
+
PSA import EC keypair secp384r1: valid key but wrong curve (secp256r1)
depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
import:"3077020101042049c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eeea00a06082a8648ce3d030107a144034200047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP384R1):PSA_ERROR_INVALID_ARGUMENT
@@ -138,11 +150,105 @@
PSA key policy set and get
key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_BASE | PSA_ALG_BLOCK_CIPHER_PAD_NONE
-PSA key policy enforcement: export
-key_policy_fail:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ERROR_NOT_PERMITTED:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24"
+PSA key policy: MAC, sign | verify
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
-PSA key policy enforcement: sign
-key_policy_fail:PSA_KEY_USAGE_SIGN:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ERROR_NOT_PERMITTED:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24"
+PSA key policy: MAC, wrong algorithm
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_224)
+
+PSA key policy: MAC, sign but not verify
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
+
+PSA key policy: MAC, verify but not sign
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:PSA_KEY_USAGE_VERIFY:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
+
+PSA key policy: MAC, neither sign nor verify
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:0:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
+
+PSA key policy: cipher, encrypt | decrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
+cipher_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CTR
+
+PSA key policy: cipher, wrong algorithm
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_MODE_CBC
+cipher_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CBC_BASE | PSA_ALG_BLOCK_CIPHER_PAD_NONE
+
+PSA key policy: cipher, encrypt but not decrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
+cipher_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CTR
+
+PSA key policy: cipher, decrypt but not encrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
+cipher_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CTR
+
+PSA key policy: cipher, neither encrypt nor decrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
+cipher_key_policy:0:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CTR
+
+PSA key policy: AEAD, encrypt | decrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM
+
+PSA key policy: AEAD, wrong algorithm
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_GCM_C
+aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_GCM
+
+PSA key policy: AEAD, encrypt but not decrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+aead_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM
+
+PSA key policy: AEAD, decrypt but not encrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+aead_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM
+
+PSA key policy: AEAD, neither encrypt nor decrypt
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+aead_key_policy:0:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM
+
+PSA key policy: asymmetric encryption, encrypt | decrypt
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA key policy: asymmetric encryption, wrong algorithm
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
+
+PSA key policy: asymmetric encryption, encrypt but not decrypt
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA key policy: asymmetric encryption, decrypt but not encrypt
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA key policy: asymmetric encryption, neither encrypt nor decrypt
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_encryption_key_policy:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+
+PSA key policy: asymmetric signature, sign | verify
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW
+
+PSA key policy: asymmetric signature, wrong algorithm
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_224)
+
+PSA key policy: asymmetric signature, sign but not verify
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW
+
+PSA key policy: asymmetric signature, verify but not sign
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_signature_key_policy:PSA_KEY_USAGE_VERIFY:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW
+
+PSA key policy: asymmetric signature, neither sign nor verify
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_signature_key_policy:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEYPAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW
PSA key lifetime: set and get volatile
key_lifetime:PSA_KEY_LIFETIME_VOLATILE
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index c90447f..977222b 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -723,49 +723,267 @@
/* END_CASE */
/* BEGIN_CASE */
-void key_policy_fail( int usage_arg, int alg_arg, int expected_status,
- data_t *keypair )
+void mac_key_policy( int policy_usage,
+ int policy_alg,
+ int key_type,
+ data_t *key_data,
+ int exercise_alg )
{
int key_slot = 1;
- psa_algorithm_t alg = alg_arg;
- psa_key_usage_t usage = usage_arg;
- size_t signature_length = 0;
psa_key_policy_t policy;
- int actual_status = PSA_SUCCESS;
+ psa_mac_operation_t operation;
+ psa_status_t status;
+ unsigned char mac[PSA_MAC_MAX_SIZE];
+ size_t output_length;
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
psa_key_policy_init( &policy );
- psa_key_policy_set_usage( &policy, usage, alg );
+ psa_key_policy_set_usage( &policy, policy_usage, policy_alg );
TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
- if( usage & PSA_KEY_USAGE_EXPORT )
- {
- TEST_ASSERT( keypair != NULL );
- TEST_ASSERT( PSA_CRYPTO_TEST_SIZE_T_RANGE( keypair->len ) );
- TEST_ASSERT( psa_import_key( key_slot,
- PSA_KEY_TYPE_RSA_KEYPAIR,
- keypair->x,
- keypair->len ) == PSA_SUCCESS );
- actual_status = psa_asymmetric_sign( key_slot, alg,
- NULL, 0,
- NULL, 0,
- NULL, 0, &signature_length );
- }
+ TEST_ASSERT( psa_import_key( key_slot, key_type,
+ key_data->x, key_data->len ) == PSA_SUCCESS );
- if( usage & PSA_KEY_USAGE_SIGN )
- {
- size_t data_length;
- TEST_ASSERT( keypair != NULL );
- TEST_ASSERT( PSA_CRYPTO_TEST_SIZE_T_RANGE( keypair->len ) );
- TEST_ASSERT( psa_import_key( key_slot,
- PSA_KEY_TYPE_RSA_KEYPAIR,
- keypair->x,
- keypair->len ) == PSA_SUCCESS );
- actual_status = psa_export_key( key_slot, NULL, 0, &data_length );
- }
+ status = psa_mac_start( &operation, key_slot, exercise_alg );
+ if( status == PSA_SUCCESS )
+ status = psa_mac_finish( &operation,
+ mac, sizeof( mac ), &output_length );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_SIGN ) != 0 )
+ TEST_ASSERT( status == PSA_SUCCESS );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+ psa_mac_abort( &operation );
- TEST_ASSERT( actual_status == expected_status );
+ memset( mac, 0, sizeof( mac ) );
+ status = psa_mac_start( &operation, key_slot, exercise_alg );
+ if( status == PSA_SUCCESS )
+ status = psa_mac_verify( &operation, mac, sizeof( mac ) );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_VERIFY ) != 0 )
+ TEST_ASSERT( status == PSA_ERROR_INVALID_SIGNATURE );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+exit:
+ psa_mac_abort( &operation );
+ psa_destroy_key( key_slot );
+ mbedtls_psa_crypto_free( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void cipher_key_policy( int policy_usage,
+ int policy_alg,
+ int key_type,
+ data_t *key_data,
+ int exercise_alg )
+{
+ int key_slot = 1;
+ psa_key_policy_t policy;
+ psa_cipher_operation_t operation;
+ psa_status_t status;
+
+ TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, policy_usage, policy_alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key( key_slot, key_type,
+ key_data->x, key_data->len ) == PSA_SUCCESS );
+
+ status = psa_encrypt_setup( &operation, key_slot, exercise_alg );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 )
+ TEST_ASSERT( status == PSA_SUCCESS );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+ psa_cipher_abort( &operation );
+
+ status = psa_decrypt_setup( &operation, key_slot, exercise_alg );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 )
+ TEST_ASSERT( status == PSA_SUCCESS );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+exit:
+ psa_cipher_abort( &operation );
+ psa_destroy_key( key_slot );
+ mbedtls_psa_crypto_free( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void aead_key_policy( int policy_usage,
+ int policy_alg,
+ int key_type,
+ data_t *key_data,
+ int nonce_length_arg,
+ int tag_length_arg,
+ int exercise_alg )
+{
+ int key_slot = 1;
+ psa_key_policy_t policy;
+ psa_status_t status;
+ unsigned char nonce[16] = {0};
+ size_t nonce_length = nonce_length_arg;
+ unsigned char tag[16];
+ size_t tag_length = tag_length_arg;
+ size_t output_length;
+
+ TEST_ASSERT( nonce_length <= sizeof( nonce ) );
+ TEST_ASSERT( tag_length <= sizeof( tag ) );
+
+ TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, policy_usage, policy_alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key( key_slot, key_type,
+ key_data->x, key_data->len ) == PSA_SUCCESS );
+
+ status = psa_aead_encrypt( key_slot, exercise_alg,
+ nonce, nonce_length,
+ NULL, 0,
+ NULL, 0,
+ tag, tag_length,
+ &output_length );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 )
+ TEST_ASSERT( status == PSA_SUCCESS );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+ memset( tag, 0, sizeof( tag ) );
+ status = psa_aead_decrypt( key_slot, exercise_alg,
+ nonce, nonce_length,
+ NULL, 0,
+ tag, tag_length,
+ NULL, 0,
+ &output_length );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 )
+ TEST_ASSERT( status == PSA_ERROR_INVALID_SIGNATURE );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+exit:
+ psa_destroy_key( key_slot );
+ mbedtls_psa_crypto_free( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void asymmetric_encryption_key_policy( int policy_usage,
+ int policy_alg,
+ int key_type,
+ data_t *key_data,
+ int exercise_alg )
+{
+ int key_slot = 1;
+ psa_key_policy_t policy;
+ psa_status_t status;
+ size_t key_bits;
+ size_t buffer_length;
+ unsigned char *buffer = NULL;
+ size_t output_length;
+
+ TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, policy_usage, policy_alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key( key_slot, key_type,
+ key_data->x, key_data->len ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_get_key_information( key_slot,
+ NULL,
+ &key_bits ) == PSA_SUCCESS );
+ buffer_length = PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE( key_type, key_bits,
+ exercise_alg );
+ buffer = mbedtls_calloc( 1, buffer_length );
+ TEST_ASSERT( buffer != NULL );
+
+ status = psa_asymmetric_encrypt( key_slot, exercise_alg,
+ NULL, 0,
+ NULL, 0,
+ buffer, buffer_length,
+ &output_length );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_ENCRYPT ) != 0 )
+ TEST_ASSERT( status == PSA_SUCCESS );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+ memset( buffer, 0, buffer_length );
+ status = psa_asymmetric_decrypt( key_slot, exercise_alg,
+ buffer, buffer_length,
+ NULL, 0,
+ buffer, buffer_length,
+ &output_length );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_DECRYPT ) != 0 )
+ TEST_ASSERT( status == PSA_ERROR_INVALID_PADDING );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+exit:
+ psa_destroy_key( key_slot );
+ mbedtls_psa_crypto_free( );
+ mbedtls_free( buffer );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void asymmetric_signature_key_policy( int policy_usage,
+ int policy_alg,
+ int key_type,
+ data_t *key_data,
+ int exercise_alg )
+{
+ int key_slot = 1;
+ psa_key_policy_t policy;
+ psa_status_t status;
+ unsigned char payload[16] = {1};
+ size_t payload_length = sizeof( payload );
+ unsigned char signature[PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE] = {0};
+ size_t signature_length;
+
+ TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, policy_usage, policy_alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key( key_slot, key_type,
+ key_data->x, key_data->len ) == PSA_SUCCESS );
+
+ status = psa_asymmetric_sign( key_slot, exercise_alg,
+ payload, payload_length,
+ NULL, 0,
+ signature, sizeof( signature ),
+ &signature_length );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_SIGN ) != 0 )
+ TEST_ASSERT( status == PSA_SUCCESS );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
+
+ memset( signature, 0, sizeof( signature ) );
+ status = psa_asymmetric_verify( key_slot, exercise_alg,
+ payload, payload_length,
+ NULL, 0,
+ signature, sizeof( signature ) );
+ if( policy_alg == exercise_alg &&
+ ( policy_usage & PSA_KEY_USAGE_VERIFY ) != 0 )
+ TEST_ASSERT( status == PSA_ERROR_INVALID_SIGNATURE );
+ else
+ TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
exit:
psa_destroy_key( key_slot );
@@ -1041,6 +1259,7 @@
size_t function_output_length = 0;
size_t total_output_length = 0;
psa_cipher_operation_t operation;
+ psa_key_policy_t policy;
TEST_ASSERT( key != NULL );
TEST_ASSERT( input != NULL );
@@ -1054,6 +1273,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT, alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( key_slot, key_type,
key->x, key->len ) == PSA_SUCCESS );
@@ -1111,6 +1334,7 @@
size_t function_output_length = 0;
size_t total_output_length = 0;
psa_cipher_operation_t operation;
+ psa_key_policy_t policy;
TEST_ASSERT( key != NULL );
TEST_ASSERT( input != NULL );
@@ -1124,6 +1348,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT, alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( key_slot, key_type,
key->x, key->len ) == PSA_SUCCESS );
@@ -1184,6 +1412,7 @@
size_t function_output_length = 0;
size_t total_output_length = 0;
psa_cipher_operation_t operation;
+ psa_key_policy_t policy;
TEST_ASSERT( key != NULL );
TEST_ASSERT( input != NULL );
@@ -1197,6 +1426,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( key_slot, key_type,
key->x, key->len ) == PSA_SUCCESS );
@@ -1259,6 +1492,7 @@
size_t function_output_length = 0;
size_t total_output_length = 0;
psa_cipher_operation_t operation;
+ psa_key_policy_t policy;
TEST_ASSERT( key != NULL );
TEST_ASSERT( input != NULL );
@@ -1272,6 +1506,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( key_slot, key_type,
key->x, key->len ) == PSA_SUCCESS );
@@ -1333,6 +1571,7 @@
size_t function_output_length = 0;
psa_cipher_operation_t operation1;
psa_cipher_operation_t operation2;
+ psa_key_policy_t policy;
TEST_ASSERT( key != NULL );
TEST_ASSERT( input != NULL );
@@ -1341,6 +1580,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( key_slot, key_type,
key->x, key->len ) == PSA_SUCCESS );
@@ -1420,6 +1663,7 @@
size_t function_output_length;
psa_cipher_operation_t operation1;
psa_cipher_operation_t operation2;
+ psa_key_policy_t policy;
TEST_ASSERT( key != NULL );
TEST_ASSERT( input != NULL );
@@ -1428,6 +1672,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg );
+ TEST_ASSERT( psa_set_key_policy( key_slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( key_slot, key_type,
key->x, key->len ) == PSA_SUCCESS );