aboutsummaryrefslogtreecommitdiff
path: root/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ext/t_cose/test/t_cose_make_psa_test_key.c')
-rw-r--r--lib/ext/t_cose/test/t_cose_make_psa_test_key.c126
1 files changed, 96 insertions, 30 deletions
diff --git a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
index 51330297f2..a58c6c9896 100644
--- a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
+++ b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
@@ -10,13 +10,29 @@
#include "t_cose_make_test_pub_key.h" /* The interface implemented here */
-
#include "t_cose_standard_constants.h"
-
-#include "psa/crypto_types.h"
#include "psa/crypto.h"
+/* Here's the auto-detect and manual override logic for managing PSA
+ * Crypto API compatibility.
+ *
+ * PSA_GENERATOR_UNBRIDLED_CAPACITY happens to be defined in MBed
+ * Crypto 1.1 and not in MBed Crypto 2.0 so it is what auto-detect
+ * hinges off of.
+ *
+ * T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO20 can be defined to force
+ * setting to MBed Crypto 2.0
+ *
+ * T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 can be defined to force
+ * setting to MBed Crypt 1.1. It is also what the code below hinges
+ * on.
+ */
+#if defined(PSA_GENERATOR_UNBRIDLED_CAPACITY) && !defined(T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO20)
+#define T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11
+#endif
+
+
/*
* Some hard coded keys for the test cases here.
*/
@@ -47,10 +63,9 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id,
struct t_cose_key *key_pair)
{
psa_key_type_t key_type;
- psa_status_t crypto_res;
+ psa_status_t crypto_result;
psa_key_handle_t key_handle;
- psa_key_policy_t policy;
- psa_key_usage_t key_usage;
+ psa_algorithm_t key_alg;
const uint8_t *private_key;
size_t private_key_len;
@@ -62,59 +77,110 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id,
* there is usually an obvious curve for an algorithm. That
* is what this does.
*/
- switch(cose_algorithm_id) {
+
+ #ifdef T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11
+ #define PSA_KEY_TYPE_ECC_KEY_PAIR PSA_KEY_TYPE_ECC_KEYPAIR
+ #endif /* T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 */
+
+ switch(cose_algorithm_id) {
case COSE_ALGORITHM_ES256:
private_key = private_key_256;
private_key_len = sizeof(private_key_256);
- key_type = PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1);
- key_usage = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+ key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1);
+ key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
break;
case COSE_ALGORITHM_ES384:
private_key = private_key_384;
private_key_len = sizeof(private_key_384);
- key_type = PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP384R1);
- key_usage = PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+ key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP384R1);
+ key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_384);
break;
case COSE_ALGORITHM_ES512:
private_key = private_key_521;
private_key_len = sizeof(private_key_521);
- key_type = PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP521R1);
- key_usage = PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+ key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP521R1);
+ key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_512);
break;
default:
return T_COSE_ERR_UNSUPPORTED_SIGNING_ALG;
}
+
+ psa_crypto_init(); /* OK to call this multiple times */
+
+ /* When importing a key with the PSA API there are two main
+ * things to do.
+ *
+ * First you must tell it what type of key it is as this
+ * cannot be discovered from the raw data. The variable
+ * key_type contains that information including the EC curve. This is sufficient
+ * for psa_import_key() to succeed, but you probably want
+ * actually use the key.
+ *
+ * Second, you must say what algorithm(s) and operations
+ * the key can be used as the PSA Crypto Library has
+ * policy enforcement.
+ *
+ * How this is done varies quite a lot in the newer
+ * PSA Crypto API compared to the older.
+ */
+
+#ifdef T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11
/* Allocate for the key pair in the Crypto service */
- crypto_res = psa_allocate_key(&key_handle);
- if (crypto_res != PSA_SUCCESS) {
+ crypto_result = psa_allocate_key(&key_handle);
+ if (crypto_result != PSA_SUCCESS) {
return T_COSE_ERR_FAIL;
}
- /* Setup the key policy for private key */
- policy = psa_key_policy_init();
+ /* Say what algorithm and operations the key can be used with / for */
+ psa_key_policy_t policy = psa_key_policy_init();
psa_key_policy_set_usage(&policy,
- PSA_KEY_USAGE_SIGN,
- key_usage);
- crypto_res = psa_set_key_policy(key_handle, &policy);
- if (crypto_res != PSA_SUCCESS) {
+ PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY,
+ key_alg);
+ crypto_result = psa_set_key_policy(key_handle, &policy);
+ if (crypto_result != PSA_SUCCESS) {
return T_COSE_ERR_FAIL;
}
- /* Import the private key. psa_import_key() automatically generates
- * the public key from the private so no need to import more than
- * the private key. (With ECDSA the public key is always
+ /* Import the private key. psa_import_key() automatically
+ * generates the public key from the private so no need to import
+ * more than the private key. (With ECDSA the public key is always
+ * deterministically derivable from the private key).
+ */
+ /* key_type has the type of key including the EC curve */
+ crypto_result = psa_import_key(key_handle,
+ key_type,
+ private_key,
+ private_key_len);
+
+#else /* T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 */
+ psa_key_attributes_t key_attributes;
+
+ key_attributes = psa_key_attributes_init();
+
+ /* Say what algorithm and operations the key can be used with / for */
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&key_attributes, key_alg);
+
+ /* The type of key including the EC curve */
+ psa_set_key_type(&key_attributes, key_type);
+
+ /* Import the private key. psa_import_key() automatically
+ * generates the public key from the private so no need to import
+ * more than the private key. (With ECDSA the public key is always
* deterministically derivable from the private key).
*/
- crypto_res = psa_import_key(key_handle,
- key_type,
- private_key,
- sizeof(private_key));
+ crypto_result = psa_import_key(&key_attributes,
+ private_key,
+ private_key_len,
+ &key_handle);
+
+#endif /* T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 */
- if (crypto_res != PSA_SUCCESS) {
+ if (crypto_result != PSA_SUCCESS) {
return T_COSE_ERR_FAIL;
}
@@ -130,6 +196,6 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id,
*/
void free_ecdsa_key_pair(struct t_cose_key key_pair)
{
- psa_destroy_key(key_pair.k.key_handle);
+ psa_close_key(key_pair.k.key_handle);
}