TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ceface2247a6b8e91756ecc741fc1a8bbeb8e4fe / . / tests / src / psa_exercise_key.c
blob: 408227d87cf74fe6a4c7462de134cd8bed54f582 [file] [log] [blame]
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]1/** Code to exercise a PSA key object, i.e. validate that it seems well-formed
2 * and can do what it is supposed to do.
3 */
4
5/*
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22#include <test/helpers.h>
23#include <test/macros.h>
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]24#include <test/psa_exercise_key.h>
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]25
26#if defined(MBEDTLS_PSA_CRYPTO_C)
27
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]28#include <mbedtls/asn1.h>
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]29#include <psa/crypto.h>
30
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]31#include <test/asn1_helpers.h>
32#include <test/psa_crypto_helpers.h>
33
34#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
35static int lifetime_is_dynamic_secure_element( psa_key_lifetime_t lifetime )
36{
37 return( PSA_KEY_LIFETIME_GET_LOCATION( lifetime ) !=
38 PSA_KEY_LOCATION_LOCAL_STORAGE );
39}
40#endif
41
42static int check_key_attributes_sanity( mbedtls_svc_key_id_t key )
43{
44 int ok = 0;
45 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
46 psa_key_lifetime_t lifetime;
47 mbedtls_svc_key_id_t id;
48 psa_key_type_t type;
Gilles Peskine6b362e62021-02-15 12:03:16 +0100[diff] [blame]49 size_t bits;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]50
51 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
52 lifetime = psa_get_key_lifetime( &attributes );
53 id = psa_get_key_id( &attributes );
54 type = psa_get_key_type( &attributes );
55 bits = psa_get_key_bits( &attributes );
56
57 /* Persistence */
58 if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
59 {
60 TEST_ASSERT(
61 ( PSA_KEY_ID_VOLATILE_MIN <=
62 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) &&
63 ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <=
64 PSA_KEY_ID_VOLATILE_MAX ) );
65 }
66 else
67 {
68 TEST_ASSERT(
69 ( PSA_KEY_ID_USER_MIN <= MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) &&
70 ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <= PSA_KEY_ID_USER_MAX ) );
71 }
72#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
73 /* randomly-generated 64-bit constant, should never appear in test data */
74 psa_key_slot_number_t slot_number = 0xec94d4a5058a1a21;
75 psa_status_t status = psa_get_key_slot_number( &attributes, &slot_number );
76 if( lifetime_is_dynamic_secure_element( lifetime ) )
77 {
78 /* Mbed Crypto currently always exposes the slot number to
79 * applications. This is not mandated by the PSA specification
80 * and may change in future versions. */
81 TEST_EQUAL( status, 0 );
82 TEST_ASSERT( slot_number != 0xec94d4a5058a1a21 );
83 }
84 else
85 {
86 TEST_EQUAL( status, PSA_ERROR_INVALID_ARGUMENT );
87 }
88#endif
89
90 /* Type and size */
91 TEST_ASSERT( type != 0 );
92 TEST_ASSERT( bits != 0 );
93 TEST_ASSERT( bits <= PSA_MAX_KEY_BITS );
94 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
95 TEST_ASSERT( bits % 8 == 0 );
96
97 /* MAX macros concerning specific key types */
98 if( PSA_KEY_TYPE_IS_ECC( type ) )
99 TEST_ASSERT( bits <= PSA_VENDOR_ECC_MAX_CURVE_BITS );
100 else if( PSA_KEY_TYPE_IS_RSA( type ) )
101 TEST_ASSERT( bits <= PSA_VENDOR_RSA_MAX_KEY_BITS );
102 TEST_ASSERT( PSA_BLOCK_CIPHER_BLOCK_LENGTH( type ) <= PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE );
103
104 ok = 1;
105
106exit:
107 /*
108 * Key attributes may have been returned by psa_get_key_attributes()
109 * thus reset them as required.
110 */
111 psa_reset_key_attributes( &attributes );
112
113 return( ok );
114}
115
116static int exercise_mac_key( mbedtls_svc_key_id_t key,
117 psa_key_usage_t usage,
118 psa_algorithm_t alg )
119{
120 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
121 const unsigned char input[] = "foo";
122 unsigned char mac[PSA_MAC_MAX_SIZE] = {0};
123 size_t mac_length = sizeof( mac );
124
125 if( usage & PSA_KEY_USAGE_SIGN_HASH )
126 {
127 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) );
128 PSA_ASSERT( psa_mac_update( &operation,
129 input, sizeof( input ) ) );
130 PSA_ASSERT( psa_mac_sign_finish( &operation,
131 mac, sizeof( mac ),
132 &mac_length ) );
133 }
134
135 if( usage & PSA_KEY_USAGE_VERIFY_HASH )
136 {
137 psa_status_t verify_status =
138 ( usage & PSA_KEY_USAGE_SIGN_HASH ?
139 PSA_SUCCESS :
140 PSA_ERROR_INVALID_SIGNATURE );
141 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
142 PSA_ASSERT( psa_mac_update( &operation,
143 input, sizeof( input ) ) );
144 TEST_EQUAL( psa_mac_verify_finish( &operation, mac, mac_length ),
145 verify_status );
146 }
147
148 return( 1 );
149
150exit:
151 psa_mac_abort( &operation );
152 return( 0 );
153}
154
155static int exercise_cipher_key( mbedtls_svc_key_id_t key,
156 psa_key_usage_t usage,
157 psa_algorithm_t alg )
158{
159 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
160 unsigned char iv[16] = {0};
161 size_t iv_length = sizeof( iv );
162 const unsigned char plaintext[16] = "Hello, world...";
163 unsigned char ciphertext[32] = "(wabblewebblewibblewobblewubble)";
164 size_t ciphertext_length = sizeof( ciphertext );
165 unsigned char decrypted[sizeof( ciphertext )];
166 size_t part_length;
167
168 if( usage & PSA_KEY_USAGE_ENCRYPT )
169 {
170 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
171 PSA_ASSERT( psa_cipher_generate_iv( &operation,
172 iv, sizeof( iv ),
173 &iv_length ) );
174 PSA_ASSERT( psa_cipher_update( &operation,
175 plaintext, sizeof( plaintext ),
176 ciphertext, sizeof( ciphertext ),
177 &ciphertext_length ) );
178 PSA_ASSERT( psa_cipher_finish( &operation,
179 ciphertext + ciphertext_length,
180 sizeof( ciphertext ) - ciphertext_length,
181 &part_length ) );
182 ciphertext_length += part_length;
183 }
184
185 if( usage & PSA_KEY_USAGE_DECRYPT )
186 {
187 psa_status_t status;
188 int maybe_invalid_padding = 0;
189 if( ! ( usage & PSA_KEY_USAGE_ENCRYPT ) )
190 {
191 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
192 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
193 /* This should be PSA_CIPHER_GET_IV_SIZE but the API doesn't
194 * have this macro yet. */
195 iv_length = PSA_BLOCK_CIPHER_BLOCK_LENGTH(
196 psa_get_key_type( &attributes ) );
197 maybe_invalid_padding = ! PSA_ALG_IS_STREAM_CIPHER( alg );
198 psa_reset_key_attributes( &attributes );
199 }
200 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
201 PSA_ASSERT( psa_cipher_set_iv( &operation,
202 iv, iv_length ) );
203 PSA_ASSERT( psa_cipher_update( &operation,
204 ciphertext, ciphertext_length,
205 decrypted, sizeof( decrypted ),
206 &part_length ) );
207 status = psa_cipher_finish( &operation,
208 decrypted + part_length,
209 sizeof( decrypted ) - part_length,
210 &part_length );
211 /* For a stream cipher, all inputs are valid. For a block cipher,
212 * if the input is some aribtrary data rather than an actual
213 ciphertext, a padding error is likely. */
214 if( maybe_invalid_padding )
215 TEST_ASSERT( status == PSA_SUCCESS ||
216 status == PSA_ERROR_INVALID_PADDING );
217 else
218 PSA_ASSERT( status );
219 }
220
221 return( 1 );
222
223exit:
224 psa_cipher_abort( &operation );
225 return( 0 );
226}
227
228static int exercise_aead_key( mbedtls_svc_key_id_t key,
229 psa_key_usage_t usage,
230 psa_algorithm_t alg )
231{
232 unsigned char nonce[16] = {0};
233 size_t nonce_length = sizeof( nonce );
234 unsigned char plaintext[16] = "Hello, world...";
235 unsigned char ciphertext[48] = "(wabblewebblewibblewobblewubble)";
236 size_t ciphertext_length = sizeof( ciphertext );
237 size_t plaintext_length = sizeof( ciphertext );
238
239 /* Default IV length for AES-GCM is 12 bytes */
240 if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
241 PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ) )
242 {
243 nonce_length = 12;
244 }
245
246 if( usage & PSA_KEY_USAGE_ENCRYPT )
247 {
248 PSA_ASSERT( psa_aead_encrypt( key, alg,
249 nonce, nonce_length,
250 NULL, 0,
251 plaintext, sizeof( plaintext ),
252 ciphertext, sizeof( ciphertext ),
253 &ciphertext_length ) );
254 }
255
256 if( usage & PSA_KEY_USAGE_DECRYPT )
257 {
258 psa_status_t verify_status =
259 ( usage & PSA_KEY_USAGE_ENCRYPT ?
260 PSA_SUCCESS :
261 PSA_ERROR_INVALID_SIGNATURE );
262 TEST_EQUAL( psa_aead_decrypt( key, alg,
263 nonce, nonce_length,
264 NULL, 0,
265 ciphertext, ciphertext_length,
266 plaintext, sizeof( plaintext ),
267 &plaintext_length ),
268 verify_status );
269 }
270
271 return( 1 );
272
273exit:
274 return( 0 );
275}
276
277static int exercise_signature_key( mbedtls_svc_key_id_t key,
278 psa_key_usage_t usage,
279 psa_algorithm_t alg )
280{
281 unsigned char payload[PSA_HASH_MAX_SIZE] = {1};
282 size_t payload_length = 16;
283 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0};
284 size_t signature_length = sizeof( signature );
285 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
286
287 /* If the policy allows signing with any hash, just pick one. */
288 if( PSA_ALG_IS_HASH_AND_SIGN( alg ) && hash_alg == PSA_ALG_ANY_HASH )
289 {
290#if defined(KNOWN_SUPPORTED_HASH_ALG)
291 hash_alg = KNOWN_SUPPORTED_HASH_ALG;
292 alg ^= PSA_ALG_ANY_HASH ^ hash_alg;
293#else
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]294 TEST_ASSERT( ! "No hash algorithm for hash-and-sign testing" );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]295#endif
296 }
297
298 if( usage & PSA_KEY_USAGE_SIGN_HASH )
299 {
300 /* Some algorithms require the payload to have the size of
301 * the hash encoded in the algorithm. Use this input size
302 * even for algorithms that allow other input sizes. */
303 if( hash_alg != 0 )
304 payload_length = PSA_HASH_LENGTH( hash_alg );
305 PSA_ASSERT( psa_sign_hash( key, alg,
306 payload, payload_length,
307 signature, sizeof( signature ),
308 &signature_length ) );
309 }
310
311 if( usage & PSA_KEY_USAGE_VERIFY_HASH )
312 {
313 psa_status_t verify_status =
314 ( usage & PSA_KEY_USAGE_SIGN_HASH ?
315 PSA_SUCCESS :
316 PSA_ERROR_INVALID_SIGNATURE );
317 TEST_EQUAL( psa_verify_hash( key, alg,
318 payload, payload_length,
319 signature, signature_length ),
320 verify_status );
321 }
322
323 return( 1 );
324
325exit:
326 return( 0 );
327}
328
329static int exercise_asymmetric_encryption_key( mbedtls_svc_key_id_t key,
330 psa_key_usage_t usage,
331 psa_algorithm_t alg )
332{
333 unsigned char plaintext[256] = "Hello, world...";
334 unsigned char ciphertext[256] = "(wabblewebblewibblewobblewubble)";
335 size_t ciphertext_length = sizeof( ciphertext );
336 size_t plaintext_length = 16;
337
338 if( usage & PSA_KEY_USAGE_ENCRYPT )
339 {
340 PSA_ASSERT( psa_asymmetric_encrypt( key, alg,
341 plaintext, plaintext_length,
342 NULL, 0,
343 ciphertext, sizeof( ciphertext ),
344 &ciphertext_length ) );
345 }
346
347 if( usage & PSA_KEY_USAGE_DECRYPT )
348 {
349 psa_status_t status =
350 psa_asymmetric_decrypt( key, alg,
351 ciphertext, ciphertext_length,
352 NULL, 0,
353 plaintext, sizeof( plaintext ),
354 &plaintext_length );
355 TEST_ASSERT( status == PSA_SUCCESS ||
356 ( ( usage & PSA_KEY_USAGE_ENCRYPT ) == 0 &&
357 ( status == PSA_ERROR_INVALID_ARGUMENT ||
358 status == PSA_ERROR_INVALID_PADDING ) ) );
359 }
360
361 return( 1 );
362
363exit:
364 return( 0 );
365}
366
367int mbedtls_test_psa_setup_key_derivation_wrap(
368 psa_key_derivation_operation_t* operation,
369 mbedtls_svc_key_id_t key,
370 psa_algorithm_t alg,
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]371 const unsigned char* input1, size_t input1_length,
372 const unsigned char* input2, size_t input2_length,
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]373 size_t capacity )
374{
375 PSA_ASSERT( psa_key_derivation_setup( operation, alg ) );
376 if( PSA_ALG_IS_HKDF( alg ) )
377 {
378 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
379 PSA_KEY_DERIVATION_INPUT_SALT,
380 input1, input1_length ) );
381 PSA_ASSERT( psa_key_derivation_input_key( operation,
382 PSA_KEY_DERIVATION_INPUT_SECRET,
383 key ) );
384 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
385 PSA_KEY_DERIVATION_INPUT_INFO,
386 input2,
387 input2_length ) );
388 }
389 else if( PSA_ALG_IS_TLS12_PRF( alg ) ||
390 PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
391 {
392 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
393 PSA_KEY_DERIVATION_INPUT_SEED,
394 input1, input1_length ) );
395 PSA_ASSERT( psa_key_derivation_input_key( operation,
396 PSA_KEY_DERIVATION_INPUT_SECRET,
397 key ) );
398 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
399 PSA_KEY_DERIVATION_INPUT_LABEL,
400 input2, input2_length ) );
401 }
402 else
403 {
404 TEST_ASSERT( ! "Key derivation algorithm not supported" );
405 }
406
407 if( capacity != SIZE_MAX )
408 PSA_ASSERT( psa_key_derivation_set_capacity( operation, capacity ) );
409
410 return( 1 );
411
412exit:
413 return( 0 );
414}
415
416
417static int exercise_key_derivation_key( mbedtls_svc_key_id_t key,
418 psa_key_usage_t usage,
419 psa_algorithm_t alg )
420{
421 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
422 unsigned char input1[] = "Input 1";
423 size_t input1_length = sizeof( input1 );
424 unsigned char input2[] = "Input 2";
425 size_t input2_length = sizeof( input2 );
426 unsigned char output[1];
427 size_t capacity = sizeof( output );
428
429 if( usage & PSA_KEY_USAGE_DERIVE )
430 {
431 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg,
432 input1, input1_length,
433 input2, input2_length,
434 capacity ) )
435 goto exit;
436
437 PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
438 output,
439 capacity ) );
440 PSA_ASSERT( psa_key_derivation_abort( &operation ) );
441 }
442
443 return( 1 );
444
445exit:
446 return( 0 );
447}
448
449/* We need two keys to exercise key agreement. Exercise the
450 * private key against its own public key. */
451psa_status_t mbedtls_test_psa_key_agreement_with_self(
452 psa_key_derivation_operation_t *operation,
453 mbedtls_svc_key_id_t key )
454{
455 psa_key_type_t private_key_type;
456 psa_key_type_t public_key_type;
457 size_t key_bits;
458 uint8_t *public_key = NULL;
459 size_t public_key_length;
460 /* Return GENERIC_ERROR if something other than the final call to
461 * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
462 * but it's good enough: callers will report it as a failed test anyway. */
463 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
464 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
465
466 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
467 private_key_type = psa_get_key_type( &attributes );
468 key_bits = psa_get_key_bits( &attributes );
469 public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( private_key_type );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]470 public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_key_type, key_bits );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]471 ASSERT_ALLOC( public_key, public_key_length );
472 PSA_ASSERT( psa_export_public_key( key, public_key, public_key_length,
473 &public_key_length ) );
474
475 status = psa_key_derivation_key_agreement(
476 operation, PSA_KEY_DERIVATION_INPUT_SECRET, key,
477 public_key, public_key_length );
478exit:
479 /*
480 * Key attributes may have been returned by psa_get_key_attributes()
481 * thus reset them as required.
482 */
483 psa_reset_key_attributes( &attributes );
484
485 mbedtls_free( public_key );
486 return( status );
487}
488
489/* We need two keys to exercise key agreement. Exercise the
490 * private key against its own public key. */
491psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
492 psa_algorithm_t alg,
493 mbedtls_svc_key_id_t key )
494{
495 psa_key_type_t private_key_type;
496 psa_key_type_t public_key_type;
497 size_t key_bits;
498 uint8_t *public_key = NULL;
499 size_t public_key_length;
500 uint8_t output[1024];
501 size_t output_length;
502 /* Return GENERIC_ERROR if something other than the final call to
503 * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
504 * but it's good enough: callers will report it as a failed test anyway. */
505 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
506 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
507
508 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
509 private_key_type = psa_get_key_type( &attributes );
510 key_bits = psa_get_key_bits( &attributes );
511 public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( private_key_type );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]512 public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_key_type, key_bits );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]513 ASSERT_ALLOC( public_key, public_key_length );
514 PSA_ASSERT( psa_export_public_key( key,
515 public_key, public_key_length,
516 &public_key_length ) );
517
518 status = psa_raw_key_agreement( alg, key,
519 public_key, public_key_length,
520 output, sizeof( output ), &output_length );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]521 if ( status == PSA_SUCCESS )
522 {
523 TEST_ASSERT( output_length <=
524 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( private_key_type,
525 key_bits ) );
526 TEST_ASSERT( output_length <=
527 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE );
528 }
529
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]530exit:
531 /*
532 * Key attributes may have been returned by psa_get_key_attributes()
533 * thus reset them as required.
534 */
535 psa_reset_key_attributes( &attributes );
536
537 mbedtls_free( public_key );
538 return( status );
539}
540
541static int exercise_raw_key_agreement_key( mbedtls_svc_key_id_t key,
542 psa_key_usage_t usage,
543 psa_algorithm_t alg )
544{
545 int ok = 0;
546
547 if( usage & PSA_KEY_USAGE_DERIVE )
548 {
549 /* We need two keys to exercise key agreement. Exercise the
550 * private key against its own public key. */
551 PSA_ASSERT( mbedtls_test_psa_raw_key_agreement_with_self( alg, key ) );
552 }
553 ok = 1;
554
555exit:
556 return( ok );
557}
558
559static int exercise_key_agreement_key( mbedtls_svc_key_id_t key,
560 psa_key_usage_t usage,
561 psa_algorithm_t alg )
562{
563 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
564 unsigned char output[1];
565 int ok = 0;
566
567 if( usage & PSA_KEY_USAGE_DERIVE )
568 {
569 /* We need two keys to exercise key agreement. Exercise the
570 * private key against its own public key. */
571 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
572 PSA_ASSERT( mbedtls_test_psa_key_agreement_with_self( &operation, key ) );
573 PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
574 output,
575 sizeof( output ) ) );
576 PSA_ASSERT( psa_key_derivation_abort( &operation ) );
577 }
578 ok = 1;
579
580exit:
581 return( ok );
582}
583
584int mbedtls_test_psa_exported_key_sanity_check(
585 psa_key_type_t type, size_t bits,
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]586 const uint8_t *exported, size_t exported_length )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]587{
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]588 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_OUTPUT_SIZE( type, bits ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]589
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]590 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
591 TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]592 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]593
594#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
595 if( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
596 {
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]597 uint8_t *p = (uint8_t*) exported;
598 const uint8_t *end = exported + exported_length;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]599 size_t len;
600 /* RSAPrivateKey ::= SEQUENCE {
601 * version INTEGER, -- must be 0
602 * modulus INTEGER, -- n
603 * publicExponent INTEGER, -- e
604 * privateExponent INTEGER, -- d
605 * prime1 INTEGER, -- p
606 * prime2 INTEGER, -- q
607 * exponent1 INTEGER, -- d mod (p-1)
608 * exponent2 INTEGER, -- d mod (q-1)
609 * coefficient INTEGER, -- (inverse of q) mod p
610 * }
611 */
612 TEST_EQUAL( mbedtls_asn1_get_tag( &p, end, &len,
613 MBEDTLS_ASN1_SEQUENCE |
614 MBEDTLS_ASN1_CONSTRUCTED ), 0 );
615 TEST_EQUAL( p + len, end );
616 if( ! mbedtls_test_asn1_skip_integer( &p, end, 0, 0, 0 ) )
617 goto exit;
618 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) )
619 goto exit;
620 if( ! mbedtls_test_asn1_skip_integer( &p, end, 2, bits, 1 ) )
621 goto exit;
622 /* Require d to be at least half the size of n. */
623 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits, 1 ) )
624 goto exit;
625 /* Require p and q to be at most half the size of n, rounded up. */
626 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits / 2 + 1, 1 ) )
627 goto exit;
628 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits / 2 + 1, 1 ) )
629 goto exit;
630 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
631 goto exit;
632 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
633 goto exit;
634 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
635 goto exit;
636 TEST_EQUAL( p, end );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]637
638 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]639 }
640 else
641#endif /* MBEDTLS_RSA_C */
642
643#if defined(MBEDTLS_ECP_C)
644 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
645 {
646 /* Just the secret value */
647 TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]648
649 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]650 }
651 else
652#endif /* MBEDTLS_ECP_C */
653
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]654#if defined(MBEDTLS_RSA_C)
655 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]656 {
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]657 uint8_t *p = (uint8_t*) exported;
658 const uint8_t *end = exported + exported_length;
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]659 size_t len;
660 /* RSAPublicKey ::= SEQUENCE {
661 * modulus INTEGER, -- n
662 * publicExponent INTEGER } -- e
663 */
664 TEST_EQUAL( mbedtls_asn1_get_tag( &p, end, &len,
665 MBEDTLS_ASN1_SEQUENCE |
666 MBEDTLS_ASN1_CONSTRUCTED ),
667 0 );
668 TEST_EQUAL( p + len, end );
669 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) )
670 goto exit;
671 if( ! mbedtls_test_asn1_skip_integer( &p, end, 2, bits, 1 ) )
672 goto exit;
673 TEST_EQUAL( p, end );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]674
675
676 TEST_ASSERT( exported_length <=
677 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( type, bits ) );
678 TEST_ASSERT( exported_length <=
679 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE );
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]680 }
681 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]682#endif /* MBEDTLS_RSA_C */
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]683
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]684#if defined(MBEDTLS_ECP_C)
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]685 if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( type ) )
686 {
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]687
688 TEST_ASSERT( exported_length <=
689 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( type, bits ) );
690 TEST_ASSERT( exported_length <=
691 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE );
692
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]693 if( PSA_KEY_TYPE_ECC_GET_FAMILY( type ) == PSA_ECC_FAMILY_MONTGOMERY )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]694 {
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]695 /* The representation of an ECC Montgomery public key is
696 * the raw compressed point */
697 TEST_EQUAL( PSA_BITS_TO_BYTES( bits ), exported_length );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]698 }
699 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]700 {
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]701 /* The representation of an ECC Weierstrass public key is:
702 * - The byte 0x04;
703 * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
704 * - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
705 * - where m is the bit size associated with the curve.
706 */
707 TEST_EQUAL( 1 + 2 * PSA_BITS_TO_BYTES( bits ), exported_length );
708 TEST_EQUAL( exported[0], 4 );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]709 }
710 }
711 else
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]712#endif /* MBEDTLS_ECP_C */
713
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]714 {
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]715 TEST_ASSERT( ! "Sanity check not implemented for this key type" );
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]716 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]717
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]718#if defined(MBEDTLS_DES_C)
719 if( type == PSA_KEY_TYPE_DES )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]720 {
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]721 /* Check the parity bits. */
722 unsigned i;
723 for( i = 0; i < bits / 8; i++ )
724 {
725 unsigned bit_count = 0;
726 unsigned m;
727 for( m = 1; m <= 0x100; m <<= 1 )
728 {
729 if( exported[i] & m )
730 ++bit_count;
731 }
732 TEST_ASSERT( bit_count % 2 != 0 );
733 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]734 }
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]735#endif
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]736
737 return( 1 );
738
739exit:
740 return( 0 );
741}
742
743static int exercise_export_key( mbedtls_svc_key_id_t key,
744 psa_key_usage_t usage )
745{
746 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
747 uint8_t *exported = NULL;
748 size_t exported_size = 0;
749 size_t exported_length = 0;
750 int ok = 0;
751
752 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
753
754 exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
755 psa_get_key_type( &attributes ),
756 psa_get_key_bits( &attributes ) );
757 ASSERT_ALLOC( exported, exported_size );
758
759 if( ( usage & PSA_KEY_USAGE_EXPORT ) == 0 &&
760 ! PSA_KEY_TYPE_IS_PUBLIC_KEY( psa_get_key_type( &attributes ) ) )
761 {
762 TEST_EQUAL( psa_export_key( key, exported,
763 exported_size, &exported_length ),
764 PSA_ERROR_NOT_PERMITTED );
765 ok = 1;
766 goto exit;
767 }
768
769 PSA_ASSERT( psa_export_key( key,
770 exported, exported_size,
771 &exported_length ) );
772 ok = mbedtls_test_psa_exported_key_sanity_check(
773 psa_get_key_type( &attributes ), psa_get_key_bits( &attributes ),
774 exported, exported_length );
775
776exit:
777 /*
778 * Key attributes may have been returned by psa_get_key_attributes()
779 * thus reset them as required.
780 */
781 psa_reset_key_attributes( &attributes );
782
783 mbedtls_free( exported );
784 return( ok );
785}
786
787static int exercise_export_public_key( mbedtls_svc_key_id_t key )
788{
789 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
790 psa_key_type_t public_type;
791 uint8_t *exported = NULL;
792 size_t exported_size = 0;
793 size_t exported_length = 0;
794 int ok = 0;
795
796 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
797 if( ! PSA_KEY_TYPE_IS_ASYMMETRIC( psa_get_key_type( &attributes ) ) )
798 {
799 exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
800 psa_get_key_type( &attributes ),
801 psa_get_key_bits( &attributes ) );
802 ASSERT_ALLOC( exported, exported_size );
803
804 TEST_EQUAL( psa_export_public_key( key, exported,
805 exported_size, &exported_length ),
806 PSA_ERROR_INVALID_ARGUMENT );
807 ok = 1;
808 goto exit;
809 }
810
811 public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(
812 psa_get_key_type( &attributes ) );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame^]813 exported_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_type,
814 psa_get_key_bits( &attributes ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]815 ASSERT_ALLOC( exported, exported_size );
816
817 PSA_ASSERT( psa_export_public_key( key,
818 exported, exported_size,
819 &exported_length ) );
820 ok = mbedtls_test_psa_exported_key_sanity_check(
821 public_type, psa_get_key_bits( &attributes ),
822 exported, exported_length );
823
824exit:
825 /*
826 * Key attributes may have been returned by psa_get_key_attributes()
827 * thus reset them as required.
828 */
829 psa_reset_key_attributes( &attributes );
830
831 mbedtls_free( exported );
832 return( ok );
833}
834
835int mbedtls_test_psa_exercise_key( mbedtls_svc_key_id_t key,
836 psa_key_usage_t usage,
837 psa_algorithm_t alg )
838{
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]839 int ok = 0;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]840
841 if( ! check_key_attributes_sanity( key ) )
842 return( 0 );
843
844 if( alg == 0 )
845 ok = 1; /* If no algorihm, do nothing (used for raw data "keys"). */
846 else if( PSA_ALG_IS_MAC( alg ) )
847 ok = exercise_mac_key( key, usage, alg );
848 else if( PSA_ALG_IS_CIPHER( alg ) )
849 ok = exercise_cipher_key( key, usage, alg );
850 else if( PSA_ALG_IS_AEAD( alg ) )
851 ok = exercise_aead_key( key, usage, alg );
852 else if( PSA_ALG_IS_SIGN( alg ) )
853 ok = exercise_signature_key( key, usage, alg );
854 else if( PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) )
855 ok = exercise_asymmetric_encryption_key( key, usage, alg );
856 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) )
857 ok = exercise_key_derivation_key( key, usage, alg );
858 else if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) )
859 ok = exercise_raw_key_agreement_key( key, usage, alg );
860 else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) )
861 ok = exercise_key_agreement_key( key, usage, alg );
862 else
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]863 TEST_ASSERT( ! "No code to exercise this category of algorithm" );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]864
865 ok = ok && exercise_export_key( key, usage );
866 ok = ok && exercise_export_public_key( key );
867
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]868exit:
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]869 return( ok );
870}
871
872psa_key_usage_t mbedtls_test_psa_usage_to_exercise( psa_key_type_t type,
873 psa_algorithm_t alg )
874{
875 if( PSA_ALG_IS_MAC( alg ) || PSA_ALG_IS_SIGN( alg ) )
876 {
877 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
878 PSA_KEY_USAGE_VERIFY_HASH :
879 PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH );
880 }
881 else if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) ||
882 PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) )
883 {
884 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
885 PSA_KEY_USAGE_ENCRYPT :
886 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
887 }
888 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) ||
889 PSA_ALG_IS_KEY_AGREEMENT( alg ) )
890 {
891 return( PSA_KEY_USAGE_DERIVE );
892 }
893 else
894 {
895 return( 0 );
896 }
897
898}
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]899
900#endif /* MBEDTLS_PSA_CRYPTO_C */