TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 4c6a47a8332a66f9816e82dcd56ffd5f7db13d73 / . / tests / src / psa_exercise_key.c
blob: 197e31a349beec411ac2481cff7fe2877bc08854 [file] [log] [blame]
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]1/** Code to exercise a PSA key object, i.e. validate that it seems well-formed
2 * and can do what it is supposed to do.
3 */
4
5/*
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22#include <test/helpers.h>
23#include <test/macros.h>
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]24#include <test/psa_exercise_key.h>
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]25
26#if defined(MBEDTLS_PSA_CRYPTO_C)
27
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]28#include <mbedtls/asn1.h>
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]29#include <psa/crypto.h>
30
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]31#include <test/asn1_helpers.h>
32#include <test/psa_crypto_helpers.h>
33
34#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
35static int lifetime_is_dynamic_secure_element( psa_key_lifetime_t lifetime )
36{
37 return( PSA_KEY_LIFETIME_GET_LOCATION( lifetime ) !=
38 PSA_KEY_LOCATION_LOCAL_STORAGE );
39}
40#endif
41
42static int check_key_attributes_sanity( mbedtls_svc_key_id_t key )
43{
44 int ok = 0;
45 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
46 psa_key_lifetime_t lifetime;
47 mbedtls_svc_key_id_t id;
48 psa_key_type_t type;
Gilles Peskine6b362e62021-02-15 12:03:16 +0100[diff] [blame]49 size_t bits;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]50
51 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
52 lifetime = psa_get_key_lifetime( &attributes );
53 id = psa_get_key_id( &attributes );
54 type = psa_get_key_type( &attributes );
55 bits = psa_get_key_bits( &attributes );
56
57 /* Persistence */
58 if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
59 {
60 TEST_ASSERT(
61 ( PSA_KEY_ID_VOLATILE_MIN <=
62 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) &&
63 ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <=
64 PSA_KEY_ID_VOLATILE_MAX ) );
65 }
66 else
67 {
68 TEST_ASSERT(
69 ( PSA_KEY_ID_USER_MIN <= MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) &&
70 ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <= PSA_KEY_ID_USER_MAX ) );
71 }
72#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
73 /* randomly-generated 64-bit constant, should never appear in test data */
74 psa_key_slot_number_t slot_number = 0xec94d4a5058a1a21;
75 psa_status_t status = psa_get_key_slot_number( &attributes, &slot_number );
76 if( lifetime_is_dynamic_secure_element( lifetime ) )
77 {
78 /* Mbed Crypto currently always exposes the slot number to
79 * applications. This is not mandated by the PSA specification
80 * and may change in future versions. */
81 TEST_EQUAL( status, 0 );
82 TEST_ASSERT( slot_number != 0xec94d4a5058a1a21 );
83 }
84 else
85 {
86 TEST_EQUAL( status, PSA_ERROR_INVALID_ARGUMENT );
87 }
88#endif
89
90 /* Type and size */
91 TEST_ASSERT( type != 0 );
92 TEST_ASSERT( bits != 0 );
93 TEST_ASSERT( bits <= PSA_MAX_KEY_BITS );
94 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
95 TEST_ASSERT( bits % 8 == 0 );
96
97 /* MAX macros concerning specific key types */
98 if( PSA_KEY_TYPE_IS_ECC( type ) )
99 TEST_ASSERT( bits <= PSA_VENDOR_ECC_MAX_CURVE_BITS );
100 else if( PSA_KEY_TYPE_IS_RSA( type ) )
101 TEST_ASSERT( bits <= PSA_VENDOR_RSA_MAX_KEY_BITS );
102 TEST_ASSERT( PSA_BLOCK_CIPHER_BLOCK_LENGTH( type ) <= PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE );
103
104 ok = 1;
105
106exit:
107 /*
108 * Key attributes may have been returned by psa_get_key_attributes()
109 * thus reset them as required.
110 */
111 psa_reset_key_attributes( &attributes );
112
113 return( ok );
114}
115
116static int exercise_mac_key( mbedtls_svc_key_id_t key,
117 psa_key_usage_t usage,
118 psa_algorithm_t alg )
119{
120 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
121 const unsigned char input[] = "foo";
122 unsigned char mac[PSA_MAC_MAX_SIZE] = {0};
123 size_t mac_length = sizeof( mac );
124
Steven Cooremanfb9cb922021-02-23 14:37:38 +0100[diff] [blame]125 /* Convert wildcard algorithm to exercisable algorithm */
126 if( alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG )
127 {
128 alg = PSA_ALG_TRUNCATED_MAC( alg, PSA_MAC_TRUNCATED_LENGTH( alg ) );
129 }
130
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]131 if( usage & PSA_KEY_USAGE_SIGN_HASH )
132 {
133 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) );
134 PSA_ASSERT( psa_mac_update( &operation,
135 input, sizeof( input ) ) );
136 PSA_ASSERT( psa_mac_sign_finish( &operation,
137 mac, sizeof( mac ),
138 &mac_length ) );
139 }
140
141 if( usage & PSA_KEY_USAGE_VERIFY_HASH )
142 {
143 psa_status_t verify_status =
144 ( usage & PSA_KEY_USAGE_SIGN_HASH ?
145 PSA_SUCCESS :
146 PSA_ERROR_INVALID_SIGNATURE );
147 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
148 PSA_ASSERT( psa_mac_update( &operation,
149 input, sizeof( input ) ) );
150 TEST_EQUAL( psa_mac_verify_finish( &operation, mac, mac_length ),
151 verify_status );
152 }
153
154 return( 1 );
155
156exit:
157 psa_mac_abort( &operation );
158 return( 0 );
159}
160
161static int exercise_cipher_key( mbedtls_svc_key_id_t key,
162 psa_key_usage_t usage,
163 psa_algorithm_t alg )
164{
165 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
166 unsigned char iv[16] = {0};
167 size_t iv_length = sizeof( iv );
168 const unsigned char plaintext[16] = "Hello, world...";
169 unsigned char ciphertext[32] = "(wabblewebblewibblewobblewubble)";
170 size_t ciphertext_length = sizeof( ciphertext );
171 unsigned char decrypted[sizeof( ciphertext )];
172 size_t part_length;
173
174 if( usage & PSA_KEY_USAGE_ENCRYPT )
175 {
176 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
177 PSA_ASSERT( psa_cipher_generate_iv( &operation,
178 iv, sizeof( iv ),
179 &iv_length ) );
180 PSA_ASSERT( psa_cipher_update( &operation,
181 plaintext, sizeof( plaintext ),
182 ciphertext, sizeof( ciphertext ),
183 &ciphertext_length ) );
184 PSA_ASSERT( psa_cipher_finish( &operation,
185 ciphertext + ciphertext_length,
186 sizeof( ciphertext ) - ciphertext_length,
187 &part_length ) );
188 ciphertext_length += part_length;
189 }
190
191 if( usage & PSA_KEY_USAGE_DECRYPT )
192 {
193 psa_status_t status;
194 int maybe_invalid_padding = 0;
195 if( ! ( usage & PSA_KEY_USAGE_ENCRYPT ) )
196 {
197 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
198 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
199 /* This should be PSA_CIPHER_GET_IV_SIZE but the API doesn't
200 * have this macro yet. */
201 iv_length = PSA_BLOCK_CIPHER_BLOCK_LENGTH(
202 psa_get_key_type( &attributes ) );
203 maybe_invalid_padding = ! PSA_ALG_IS_STREAM_CIPHER( alg );
204 psa_reset_key_attributes( &attributes );
205 }
206 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
207 PSA_ASSERT( psa_cipher_set_iv( &operation,
208 iv, iv_length ) );
209 PSA_ASSERT( psa_cipher_update( &operation,
210 ciphertext, ciphertext_length,
211 decrypted, sizeof( decrypted ),
212 &part_length ) );
213 status = psa_cipher_finish( &operation,
214 decrypted + part_length,
215 sizeof( decrypted ) - part_length,
216 &part_length );
217 /* For a stream cipher, all inputs are valid. For a block cipher,
218 * if the input is some aribtrary data rather than an actual
219 ciphertext, a padding error is likely. */
220 if( maybe_invalid_padding )
221 TEST_ASSERT( status == PSA_SUCCESS ||
222 status == PSA_ERROR_INVALID_PADDING );
223 else
224 PSA_ASSERT( status );
225 }
226
227 return( 1 );
228
229exit:
230 psa_cipher_abort( &operation );
231 return( 0 );
232}
233
234static int exercise_aead_key( mbedtls_svc_key_id_t key,
235 psa_key_usage_t usage,
236 psa_algorithm_t alg )
237{
238 unsigned char nonce[16] = {0};
239 size_t nonce_length = sizeof( nonce );
240 unsigned char plaintext[16] = "Hello, world...";
241 unsigned char ciphertext[48] = "(wabblewebblewibblewobblewubble)";
242 size_t ciphertext_length = sizeof( ciphertext );
243 size_t plaintext_length = sizeof( ciphertext );
244
Steven Cooremanfb9cb922021-02-23 14:37:38 +0100[diff] [blame]245 /* Convert wildcard algorithm to exercisable algorithm */
246 if( alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG )
247 {
248 alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) );
249 }
250
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]251 /* Default IV length for AES-GCM is 12 bytes */
252 if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
253 PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ) )
254 {
255 nonce_length = 12;
256 }
257
Steven Cooremanaaec3412021-02-18 13:30:34 +0100[diff] [blame]258 /* IV length for CCM needs to be between 7 and 13 bytes */
259 if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
260 PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ) )
261 {
262 nonce_length = 12;
263 }
264
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]265 if( usage & PSA_KEY_USAGE_ENCRYPT )
266 {
267 PSA_ASSERT( psa_aead_encrypt( key, alg,
268 nonce, nonce_length,
269 NULL, 0,
270 plaintext, sizeof( plaintext ),
271 ciphertext, sizeof( ciphertext ),
272 &ciphertext_length ) );
273 }
274
275 if( usage & PSA_KEY_USAGE_DECRYPT )
276 {
277 psa_status_t verify_status =
278 ( usage & PSA_KEY_USAGE_ENCRYPT ?
279 PSA_SUCCESS :
280 PSA_ERROR_INVALID_SIGNATURE );
281 TEST_EQUAL( psa_aead_decrypt( key, alg,
282 nonce, nonce_length,
283 NULL, 0,
284 ciphertext, ciphertext_length,
285 plaintext, sizeof( plaintext ),
286 &plaintext_length ),
287 verify_status );
288 }
289
290 return( 1 );
291
292exit:
293 return( 0 );
294}
295
296static int exercise_signature_key( mbedtls_svc_key_id_t key,
297 psa_key_usage_t usage,
298 psa_algorithm_t alg )
299{
gabor-mezei-arm4c6a47a2021-04-26 20:12:17 +0200[diff] [blame^]300 if( usage & ( PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH ) )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]301 {
gabor-mezei-arm4c6a47a2021-04-26 20:12:17 +0200[diff] [blame^]302 unsigned char payload[PSA_HASH_MAX_SIZE] = {1};
303 size_t payload_length = 16;
304 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0};
305 size_t signature_length = sizeof( signature );
306 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
307
308 /* If the policy allows signing with any hash, just pick one. */
309 if( PSA_ALG_IS_HASH_AND_SIGN( alg ) && hash_alg == PSA_ALG_ANY_HASH )
310 {
311 #if defined(KNOWN_SUPPORTED_HASH_ALG)
312 hash_alg = KNOWN_SUPPORTED_HASH_ALG;
313 alg ^= PSA_ALG_ANY_HASH ^ hash_alg;
314 #else
315 TEST_ASSERT( ! "No hash algorithm for hash-and-sign testing" );
316 #endif
317 }
318
319 if( usage & PSA_KEY_USAGE_SIGN_HASH )
320 {
321 /* Some algorithms require the payload to have the size of
322 * the hash encoded in the algorithm. Use this input size
323 * even for algorithms that allow other input sizes. */
324 if( hash_alg != 0 )
325 payload_length = PSA_HASH_LENGTH( hash_alg );
326 PSA_ASSERT( psa_sign_hash( key, alg,
327 payload, payload_length,
328 signature, sizeof( signature ),
329 &signature_length ) );
330 }
331
332 if( usage & PSA_KEY_USAGE_VERIFY_HASH )
333 {
334 psa_status_t verify_status =
335 ( usage & PSA_KEY_USAGE_SIGN_HASH ?
336 PSA_SUCCESS :
337 PSA_ERROR_INVALID_SIGNATURE );
338 TEST_EQUAL( psa_verify_hash( key, alg,
339 payload, payload_length,
340 signature, signature_length ),
341 verify_status );
342 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]343 }
344
gabor-mezei-arm4c6a47a2021-04-26 20:12:17 +0200[diff] [blame^]345 if( usage & ( PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE ) )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]346 {
gabor-mezei-arm4c6a47a2021-04-26 20:12:17 +0200[diff] [blame^]347 unsigned char message[256] = "Hello, world...";
348 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0};
349 size_t message_length = 16;
350 size_t signature_length = sizeof( signature );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]351
gabor-mezei-arm4c6a47a2021-04-26 20:12:17 +0200[diff] [blame^]352 if( usage & PSA_KEY_USAGE_SIGN_MESSAGE )
353 {
354 PSA_ASSERT( psa_sign_message( key, alg,
355 message, message_length,
356 signature, sizeof( signature ),
357 &signature_length ) );
358 }
359
360 if( usage & PSA_KEY_USAGE_VERIFY_MESSAGE )
361 {
362 psa_status_t verify_status =
363 ( usage & PSA_KEY_USAGE_SIGN_MESSAGE ?
364 PSA_SUCCESS :
365 PSA_ERROR_INVALID_SIGNATURE );
366 TEST_EQUAL( psa_verify_message( key, alg,
367 message, message_length,
368 signature, signature_length ),
369 verify_status );
370 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]371 }
372
373 return( 1 );
374
375exit:
376 return( 0 );
377}
378
379static int exercise_asymmetric_encryption_key( mbedtls_svc_key_id_t key,
380 psa_key_usage_t usage,
381 psa_algorithm_t alg )
382{
383 unsigned char plaintext[256] = "Hello, world...";
384 unsigned char ciphertext[256] = "(wabblewebblewibblewobblewubble)";
385 size_t ciphertext_length = sizeof( ciphertext );
386 size_t plaintext_length = 16;
387
388 if( usage & PSA_KEY_USAGE_ENCRYPT )
389 {
390 PSA_ASSERT( psa_asymmetric_encrypt( key, alg,
391 plaintext, plaintext_length,
392 NULL, 0,
393 ciphertext, sizeof( ciphertext ),
394 &ciphertext_length ) );
395 }
396
397 if( usage & PSA_KEY_USAGE_DECRYPT )
398 {
399 psa_status_t status =
400 psa_asymmetric_decrypt( key, alg,
401 ciphertext, ciphertext_length,
402 NULL, 0,
403 plaintext, sizeof( plaintext ),
404 &plaintext_length );
405 TEST_ASSERT( status == PSA_SUCCESS ||
406 ( ( usage & PSA_KEY_USAGE_ENCRYPT ) == 0 &&
407 ( status == PSA_ERROR_INVALID_ARGUMENT ||
408 status == PSA_ERROR_INVALID_PADDING ) ) );
409 }
410
411 return( 1 );
412
413exit:
414 return( 0 );
415}
416
417int mbedtls_test_psa_setup_key_derivation_wrap(
418 psa_key_derivation_operation_t* operation,
419 mbedtls_svc_key_id_t key,
420 psa_algorithm_t alg,
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]421 const unsigned char* input1, size_t input1_length,
422 const unsigned char* input2, size_t input2_length,
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]423 size_t capacity )
424{
425 PSA_ASSERT( psa_key_derivation_setup( operation, alg ) );
426 if( PSA_ALG_IS_HKDF( alg ) )
427 {
428 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
429 PSA_KEY_DERIVATION_INPUT_SALT,
430 input1, input1_length ) );
431 PSA_ASSERT( psa_key_derivation_input_key( operation,
432 PSA_KEY_DERIVATION_INPUT_SECRET,
433 key ) );
434 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
435 PSA_KEY_DERIVATION_INPUT_INFO,
436 input2,
437 input2_length ) );
438 }
439 else if( PSA_ALG_IS_TLS12_PRF( alg ) ||
440 PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
441 {
442 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
443 PSA_KEY_DERIVATION_INPUT_SEED,
444 input1, input1_length ) );
445 PSA_ASSERT( psa_key_derivation_input_key( operation,
446 PSA_KEY_DERIVATION_INPUT_SECRET,
447 key ) );
448 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
449 PSA_KEY_DERIVATION_INPUT_LABEL,
450 input2, input2_length ) );
451 }
452 else
453 {
454 TEST_ASSERT( ! "Key derivation algorithm not supported" );
455 }
456
457 if( capacity != SIZE_MAX )
458 PSA_ASSERT( psa_key_derivation_set_capacity( operation, capacity ) );
459
460 return( 1 );
461
462exit:
463 return( 0 );
464}
465
466
467static int exercise_key_derivation_key( mbedtls_svc_key_id_t key,
468 psa_key_usage_t usage,
469 psa_algorithm_t alg )
470{
471 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
472 unsigned char input1[] = "Input 1";
473 size_t input1_length = sizeof( input1 );
474 unsigned char input2[] = "Input 2";
475 size_t input2_length = sizeof( input2 );
476 unsigned char output[1];
477 size_t capacity = sizeof( output );
478
479 if( usage & PSA_KEY_USAGE_DERIVE )
480 {
481 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg,
482 input1, input1_length,
483 input2, input2_length,
484 capacity ) )
485 goto exit;
486
487 PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
488 output,
489 capacity ) );
490 PSA_ASSERT( psa_key_derivation_abort( &operation ) );
491 }
492
493 return( 1 );
494
495exit:
496 return( 0 );
497}
498
499/* We need two keys to exercise key agreement. Exercise the
500 * private key against its own public key. */
501psa_status_t mbedtls_test_psa_key_agreement_with_self(
502 psa_key_derivation_operation_t *operation,
503 mbedtls_svc_key_id_t key )
504{
505 psa_key_type_t private_key_type;
506 psa_key_type_t public_key_type;
507 size_t key_bits;
508 uint8_t *public_key = NULL;
509 size_t public_key_length;
510 /* Return GENERIC_ERROR if something other than the final call to
511 * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
512 * but it's good enough: callers will report it as a failed test anyway. */
513 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
514 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
515
516 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
517 private_key_type = psa_get_key_type( &attributes );
518 key_bits = psa_get_key_bits( &attributes );
519 public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( private_key_type );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]520 public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_key_type, key_bits );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]521 ASSERT_ALLOC( public_key, public_key_length );
522 PSA_ASSERT( psa_export_public_key( key, public_key, public_key_length,
523 &public_key_length ) );
524
525 status = psa_key_derivation_key_agreement(
526 operation, PSA_KEY_DERIVATION_INPUT_SECRET, key,
527 public_key, public_key_length );
528exit:
529 /*
530 * Key attributes may have been returned by psa_get_key_attributes()
531 * thus reset them as required.
532 */
533 psa_reset_key_attributes( &attributes );
534
535 mbedtls_free( public_key );
536 return( status );
537}
538
539/* We need two keys to exercise key agreement. Exercise the
540 * private key against its own public key. */
541psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
542 psa_algorithm_t alg,
543 mbedtls_svc_key_id_t key )
544{
545 psa_key_type_t private_key_type;
546 psa_key_type_t public_key_type;
547 size_t key_bits;
548 uint8_t *public_key = NULL;
549 size_t public_key_length;
550 uint8_t output[1024];
551 size_t output_length;
552 /* Return GENERIC_ERROR if something other than the final call to
553 * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
554 * but it's good enough: callers will report it as a failed test anyway. */
555 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
556 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
557
558 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
559 private_key_type = psa_get_key_type( &attributes );
560 key_bits = psa_get_key_bits( &attributes );
561 public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( private_key_type );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]562 public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_key_type, key_bits );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]563 ASSERT_ALLOC( public_key, public_key_length );
564 PSA_ASSERT( psa_export_public_key( key,
565 public_key, public_key_length,
566 &public_key_length ) );
567
568 status = psa_raw_key_agreement( alg, key,
569 public_key, public_key_length,
570 output, sizeof( output ), &output_length );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]571 if ( status == PSA_SUCCESS )
572 {
573 TEST_ASSERT( output_length <=
574 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( private_key_type,
575 key_bits ) );
576 TEST_ASSERT( output_length <=
577 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE );
578 }
579
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]580exit:
581 /*
582 * Key attributes may have been returned by psa_get_key_attributes()
583 * thus reset them as required.
584 */
585 psa_reset_key_attributes( &attributes );
586
587 mbedtls_free( public_key );
588 return( status );
589}
590
591static int exercise_raw_key_agreement_key( mbedtls_svc_key_id_t key,
592 psa_key_usage_t usage,
593 psa_algorithm_t alg )
594{
595 int ok = 0;
596
597 if( usage & PSA_KEY_USAGE_DERIVE )
598 {
599 /* We need two keys to exercise key agreement. Exercise the
600 * private key against its own public key. */
601 PSA_ASSERT( mbedtls_test_psa_raw_key_agreement_with_self( alg, key ) );
602 }
603 ok = 1;
604
605exit:
606 return( ok );
607}
608
609static int exercise_key_agreement_key( mbedtls_svc_key_id_t key,
610 psa_key_usage_t usage,
611 psa_algorithm_t alg )
612{
613 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
614 unsigned char output[1];
615 int ok = 0;
616
617 if( usage & PSA_KEY_USAGE_DERIVE )
618 {
619 /* We need two keys to exercise key agreement. Exercise the
620 * private key against its own public key. */
621 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
622 PSA_ASSERT( mbedtls_test_psa_key_agreement_with_self( &operation, key ) );
623 PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
624 output,
625 sizeof( output ) ) );
626 PSA_ASSERT( psa_key_derivation_abort( &operation ) );
627 }
628 ok = 1;
629
630exit:
631 return( ok );
632}
633
634int mbedtls_test_psa_exported_key_sanity_check(
635 psa_key_type_t type, size_t bits,
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]636 const uint8_t *exported, size_t exported_length )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]637{
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]638 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_OUTPUT_SIZE( type, bits ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]639
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]640 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
641 TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]642 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]643
644#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
645 if( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
646 {
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]647 uint8_t *p = (uint8_t*) exported;
648 const uint8_t *end = exported + exported_length;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]649 size_t len;
650 /* RSAPrivateKey ::= SEQUENCE {
651 * version INTEGER, -- must be 0
652 * modulus INTEGER, -- n
653 * publicExponent INTEGER, -- e
654 * privateExponent INTEGER, -- d
655 * prime1 INTEGER, -- p
656 * prime2 INTEGER, -- q
657 * exponent1 INTEGER, -- d mod (p-1)
658 * exponent2 INTEGER, -- d mod (q-1)
659 * coefficient INTEGER, -- (inverse of q) mod p
660 * }
661 */
662 TEST_EQUAL( mbedtls_asn1_get_tag( &p, end, &len,
663 MBEDTLS_ASN1_SEQUENCE |
664 MBEDTLS_ASN1_CONSTRUCTED ), 0 );
665 TEST_EQUAL( p + len, end );
666 if( ! mbedtls_test_asn1_skip_integer( &p, end, 0, 0, 0 ) )
667 goto exit;
668 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) )
669 goto exit;
670 if( ! mbedtls_test_asn1_skip_integer( &p, end, 2, bits, 1 ) )
671 goto exit;
672 /* Require d to be at least half the size of n. */
673 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits, 1 ) )
674 goto exit;
675 /* Require p and q to be at most half the size of n, rounded up. */
676 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits / 2 + 1, 1 ) )
677 goto exit;
678 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits / 2 + 1, 1 ) )
679 goto exit;
680 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
681 goto exit;
682 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
683 goto exit;
684 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
685 goto exit;
686 TEST_EQUAL( p, end );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]687
688 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]689 }
690 else
691#endif /* MBEDTLS_RSA_C */
692
693#if defined(MBEDTLS_ECP_C)
694 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
695 {
696 /* Just the secret value */
697 TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]698
699 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]700 }
701 else
702#endif /* MBEDTLS_ECP_C */
703
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]704#if defined(MBEDTLS_RSA_C)
705 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]706 {
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]707 uint8_t *p = (uint8_t*) exported;
708 const uint8_t *end = exported + exported_length;
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]709 size_t len;
710 /* RSAPublicKey ::= SEQUENCE {
711 * modulus INTEGER, -- n
712 * publicExponent INTEGER } -- e
713 */
714 TEST_EQUAL( mbedtls_asn1_get_tag( &p, end, &len,
715 MBEDTLS_ASN1_SEQUENCE |
716 MBEDTLS_ASN1_CONSTRUCTED ),
717 0 );
718 TEST_EQUAL( p + len, end );
719 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) )
720 goto exit;
721 if( ! mbedtls_test_asn1_skip_integer( &p, end, 2, bits, 1 ) )
722 goto exit;
723 TEST_EQUAL( p, end );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]724
725
726 TEST_ASSERT( exported_length <=
727 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( type, bits ) );
728 TEST_ASSERT( exported_length <=
729 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE );
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]730 }
731 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]732#endif /* MBEDTLS_RSA_C */
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]733
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]734#if defined(MBEDTLS_ECP_C)
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]735 if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( type ) )
736 {
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]737
738 TEST_ASSERT( exported_length <=
739 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( type, bits ) );
740 TEST_ASSERT( exported_length <=
741 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE );
742
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]743 if( PSA_KEY_TYPE_ECC_GET_FAMILY( type ) == PSA_ECC_FAMILY_MONTGOMERY )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]744 {
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]745 /* The representation of an ECC Montgomery public key is
746 * the raw compressed point */
747 TEST_EQUAL( PSA_BITS_TO_BYTES( bits ), exported_length );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]748 }
749 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]750 {
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]751 /* The representation of an ECC Weierstrass public key is:
752 * - The byte 0x04;
753 * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
754 * - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
755 * - where m is the bit size associated with the curve.
756 */
757 TEST_EQUAL( 1 + 2 * PSA_BITS_TO_BYTES( bits ), exported_length );
758 TEST_EQUAL( exported[0], 4 );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]759 }
760 }
761 else
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]762#endif /* MBEDTLS_ECP_C */
763
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]764 {
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]765 TEST_ASSERT( ! "Sanity check not implemented for this key type" );
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]766 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]767
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]768#if defined(MBEDTLS_DES_C)
769 if( type == PSA_KEY_TYPE_DES )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]770 {
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]771 /* Check the parity bits. */
772 unsigned i;
773 for( i = 0; i < bits / 8; i++ )
774 {
775 unsigned bit_count = 0;
776 unsigned m;
777 for( m = 1; m <= 0x100; m <<= 1 )
778 {
779 if( exported[i] & m )
780 ++bit_count;
781 }
782 TEST_ASSERT( bit_count % 2 != 0 );
783 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]784 }
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]785#endif
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]786
787 return( 1 );
788
789exit:
790 return( 0 );
791}
792
793static int exercise_export_key( mbedtls_svc_key_id_t key,
794 psa_key_usage_t usage )
795{
796 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
797 uint8_t *exported = NULL;
798 size_t exported_size = 0;
799 size_t exported_length = 0;
800 int ok = 0;
801
802 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
803
804 exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
805 psa_get_key_type( &attributes ),
806 psa_get_key_bits( &attributes ) );
807 ASSERT_ALLOC( exported, exported_size );
808
809 if( ( usage & PSA_KEY_USAGE_EXPORT ) == 0 &&
810 ! PSA_KEY_TYPE_IS_PUBLIC_KEY( psa_get_key_type( &attributes ) ) )
811 {
812 TEST_EQUAL( psa_export_key( key, exported,
813 exported_size, &exported_length ),
814 PSA_ERROR_NOT_PERMITTED );
815 ok = 1;
816 goto exit;
817 }
818
819 PSA_ASSERT( psa_export_key( key,
820 exported, exported_size,
821 &exported_length ) );
822 ok = mbedtls_test_psa_exported_key_sanity_check(
823 psa_get_key_type( &attributes ), psa_get_key_bits( &attributes ),
824 exported, exported_length );
825
826exit:
827 /*
828 * Key attributes may have been returned by psa_get_key_attributes()
829 * thus reset them as required.
830 */
831 psa_reset_key_attributes( &attributes );
832
833 mbedtls_free( exported );
834 return( ok );
835}
836
837static int exercise_export_public_key( mbedtls_svc_key_id_t key )
838{
839 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
840 psa_key_type_t public_type;
841 uint8_t *exported = NULL;
842 size_t exported_size = 0;
843 size_t exported_length = 0;
844 int ok = 0;
845
846 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
847 if( ! PSA_KEY_TYPE_IS_ASYMMETRIC( psa_get_key_type( &attributes ) ) )
848 {
849 exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
850 psa_get_key_type( &attributes ),
851 psa_get_key_bits( &attributes ) );
852 ASSERT_ALLOC( exported, exported_size );
853
854 TEST_EQUAL( psa_export_public_key( key, exported,
855 exported_size, &exported_length ),
856 PSA_ERROR_INVALID_ARGUMENT );
857 ok = 1;
858 goto exit;
859 }
860
861 public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(
862 psa_get_key_type( &attributes ) );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]863 exported_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_type,
864 psa_get_key_bits( &attributes ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]865 ASSERT_ALLOC( exported, exported_size );
866
867 PSA_ASSERT( psa_export_public_key( key,
868 exported, exported_size,
869 &exported_length ) );
870 ok = mbedtls_test_psa_exported_key_sanity_check(
871 public_type, psa_get_key_bits( &attributes ),
872 exported, exported_length );
873
874exit:
875 /*
876 * Key attributes may have been returned by psa_get_key_attributes()
877 * thus reset them as required.
878 */
879 psa_reset_key_attributes( &attributes );
880
881 mbedtls_free( exported );
882 return( ok );
883}
884
885int mbedtls_test_psa_exercise_key( mbedtls_svc_key_id_t key,
886 psa_key_usage_t usage,
887 psa_algorithm_t alg )
888{
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]889 int ok = 0;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]890
891 if( ! check_key_attributes_sanity( key ) )
892 return( 0 );
893
894 if( alg == 0 )
895 ok = 1; /* If no algorihm, do nothing (used for raw data "keys"). */
896 else if( PSA_ALG_IS_MAC( alg ) )
897 ok = exercise_mac_key( key, usage, alg );
898 else if( PSA_ALG_IS_CIPHER( alg ) )
899 ok = exercise_cipher_key( key, usage, alg );
900 else if( PSA_ALG_IS_AEAD( alg ) )
901 ok = exercise_aead_key( key, usage, alg );
902 else if( PSA_ALG_IS_SIGN( alg ) )
903 ok = exercise_signature_key( key, usage, alg );
904 else if( PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) )
905 ok = exercise_asymmetric_encryption_key( key, usage, alg );
906 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) )
907 ok = exercise_key_derivation_key( key, usage, alg );
908 else if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) )
909 ok = exercise_raw_key_agreement_key( key, usage, alg );
910 else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) )
911 ok = exercise_key_agreement_key( key, usage, alg );
912 else
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]913 TEST_ASSERT( ! "No code to exercise this category of algorithm" );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]914
915 ok = ok && exercise_export_key( key, usage );
916 ok = ok && exercise_export_public_key( key );
917
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]918exit:
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]919 return( ok );
920}
921
922psa_key_usage_t mbedtls_test_psa_usage_to_exercise( psa_key_type_t type,
923 psa_algorithm_t alg )
924{
925 if( PSA_ALG_IS_MAC( alg ) || PSA_ALG_IS_SIGN( alg ) )
926 {
gabor-mezei-arm4c6a47a2021-04-26 20:12:17 +0200[diff] [blame^]927 if( PSA_ALG_SIGN_GET_HASH( alg ) )
928 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
929 PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:
930 PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH |
931 PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE );
932
933 else
934 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
935 PSA_KEY_USAGE_VERIFY_HASH:
936 PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]937 }
938 else if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) ||
939 PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) )
940 {
941 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
942 PSA_KEY_USAGE_ENCRYPT :
943 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
944 }
945 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) ||
946 PSA_ALG_IS_KEY_AGREEMENT( alg ) )
947 {
948 return( PSA_KEY_USAGE_DERIVE );
949 }
950 else
951 {
952 return( 0 );
953 }
954
955}
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]956
957#endif /* MBEDTLS_PSA_CRYPTO_C */