diff options
Diffstat (limited to 'lib/ext/t_cose/test/t_cose_make_psa_test_key.c')
-rw-r--r-- | lib/ext/t_cose/test/t_cose_make_psa_test_key.c | 126 |
1 files changed, 96 insertions, 30 deletions
diff --git a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c index 51330297f2..a58c6c9896 100644 --- a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c +++ b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c @@ -10,13 +10,29 @@ #include "t_cose_make_test_pub_key.h" /* The interface implemented here */ - #include "t_cose_standard_constants.h" - -#include "psa/crypto_types.h" #include "psa/crypto.h" +/* Here's the auto-detect and manual override logic for managing PSA + * Crypto API compatibility. + * + * PSA_GENERATOR_UNBRIDLED_CAPACITY happens to be defined in MBed + * Crypto 1.1 and not in MBed Crypto 2.0 so it is what auto-detect + * hinges off of. + * + * T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO20 can be defined to force + * setting to MBed Crypto 2.0 + * + * T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 can be defined to force + * setting to MBed Crypt 1.1. It is also what the code below hinges + * on. + */ +#if defined(PSA_GENERATOR_UNBRIDLED_CAPACITY) && !defined(T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO20) +#define T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 +#endif + + /* * Some hard coded keys for the test cases here. */ @@ -47,10 +63,9 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id, struct t_cose_key *key_pair) { psa_key_type_t key_type; - psa_status_t crypto_res; + psa_status_t crypto_result; psa_key_handle_t key_handle; - psa_key_policy_t policy; - psa_key_usage_t key_usage; + psa_algorithm_t key_alg; const uint8_t *private_key; size_t private_key_len; @@ -62,59 +77,110 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id, * there is usually an obvious curve for an algorithm. That * is what this does. */ - switch(cose_algorithm_id) { + + #ifdef T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 + #define PSA_KEY_TYPE_ECC_KEY_PAIR PSA_KEY_TYPE_ECC_KEYPAIR + #endif /* T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 */ + + switch(cose_algorithm_id) { case COSE_ALGORITHM_ES256: private_key = private_key_256; private_key_len = sizeof(private_key_256); - key_type = PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1); - key_usage = PSA_ALG_ECDSA(PSA_ALG_SHA_256); + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1); + key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256); break; case COSE_ALGORITHM_ES384: private_key = private_key_384; private_key_len = sizeof(private_key_384); - key_type = PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP384R1); - key_usage = PSA_ALG_ECDSA(PSA_ALG_SHA_384); + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP384R1); + key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_384); break; case COSE_ALGORITHM_ES512: private_key = private_key_521; private_key_len = sizeof(private_key_521); - key_type = PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP521R1); - key_usage = PSA_ALG_ECDSA(PSA_ALG_SHA_512); + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP521R1); + key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_512); break; default: return T_COSE_ERR_UNSUPPORTED_SIGNING_ALG; } + + psa_crypto_init(); /* OK to call this multiple times */ + + /* When importing a key with the PSA API there are two main + * things to do. + * + * First you must tell it what type of key it is as this + * cannot be discovered from the raw data. The variable + * key_type contains that information including the EC curve. This is sufficient + * for psa_import_key() to succeed, but you probably want + * actually use the key. + * + * Second, you must say what algorithm(s) and operations + * the key can be used as the PSA Crypto Library has + * policy enforcement. + * + * How this is done varies quite a lot in the newer + * PSA Crypto API compared to the older. + */ + +#ifdef T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 /* Allocate for the key pair in the Crypto service */ - crypto_res = psa_allocate_key(&key_handle); - if (crypto_res != PSA_SUCCESS) { + crypto_result = psa_allocate_key(&key_handle); + if (crypto_result != PSA_SUCCESS) { return T_COSE_ERR_FAIL; } - /* Setup the key policy for private key */ - policy = psa_key_policy_init(); + /* Say what algorithm and operations the key can be used with / for */ + psa_key_policy_t policy = psa_key_policy_init(); psa_key_policy_set_usage(&policy, - PSA_KEY_USAGE_SIGN, - key_usage); - crypto_res = psa_set_key_policy(key_handle, &policy); - if (crypto_res != PSA_SUCCESS) { + PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY, + key_alg); + crypto_result = psa_set_key_policy(key_handle, &policy); + if (crypto_result != PSA_SUCCESS) { return T_COSE_ERR_FAIL; } - /* Import the private key. psa_import_key() automatically generates - * the public key from the private so no need to import more than - * the private key. (With ECDSA the public key is always + /* Import the private key. psa_import_key() automatically + * generates the public key from the private so no need to import + * more than the private key. (With ECDSA the public key is always + * deterministically derivable from the private key). + */ + /* key_type has the type of key including the EC curve */ + crypto_result = psa_import_key(key_handle, + key_type, + private_key, + private_key_len); + +#else /* T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 */ + psa_key_attributes_t key_attributes; + + key_attributes = psa_key_attributes_init(); + + /* Say what algorithm and operations the key can be used with / for */ + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&key_attributes, key_alg); + + /* The type of key including the EC curve */ + psa_set_key_type(&key_attributes, key_type); + + /* Import the private key. psa_import_key() automatically + * generates the public key from the private so no need to import + * more than the private key. (With ECDSA the public key is always * deterministically derivable from the private key). */ - crypto_res = psa_import_key(key_handle, - key_type, - private_key, - sizeof(private_key)); + crypto_result = psa_import_key(&key_attributes, + private_key, + private_key_len, + &key_handle); + +#endif /* T_COSE_USE_PSA_CRYPTO_FROM_MBED_CRYPTO11 */ - if (crypto_res != PSA_SUCCESS) { + if (crypto_result != PSA_SUCCESS) { return T_COSE_ERR_FAIL; } @@ -130,6 +196,6 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id, */ void free_ecdsa_key_pair(struct t_cose_key key_pair) { - psa_destroy_key(key_pair.k.key_handle); + psa_close_key(key_pair.k.key_handle); } |