TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tests.git / 71b4ce73f0b850a4b6ca3cf73c640b465c5bab0d^! / .
commit71b4ce73f0b850a4b6ca3cf73c640b465c5bab0d[log] [tgz]
authorAntonio de Angelis <Antonio.deAngelis@arm.com>Thu Nov 03 15:45:13 2022 +0000
committerAntonio de Angelis <Antonio.deAngelis@arm.com>Thu Nov 03 15:45:15 2022 +0000
tree7a1ba96b368b72ddeafcd004d1a1c867bfa454a6
parent50891e4c716d35f5983f19750c3f6a5aa7946461 [diff]
Crypto: Add separate hash-verify to RSASSA-PSS test

Extend the RSASSA-PSS verify test to repeat the verification
using separate calls to hashing and hash_verify APIs.

Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I9a166a966e932bb2f97e7ae588457f20207c4a66

diff --git a/test/secure_fw/suites/crypto/crypto_tests_common.c b/test/secure_fw/suites/crypto/crypto_tests_common.c
index 0edcdac..e5dd012 100644
--- a/test/secure_fw/suites/crypto/crypto_tests_common.c
+++ b/test/secure_fw/suites/crypto/crypto_tests_common.c

@@ -2739,13 +2739,17 @@
     psa_status_t status = PSA_SUCCESS;
     psa_key_id_t key_id = PSA_KEY_ID_NULL;
     psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+    const psa_algorithm_t alg = PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
+    uint8_t hash[32] = {0};
+    size_t hash_length = 0;
 
     const uint8_t message[] =
         "This is the message that I would like to sign";
 
     /* Set attributes and import key */
-    psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_VERIFY_MESSAGE);
-    psa_set_key_algorithm(&key_attr, PSA_ALG_RSA_PSS(PSA_ALG_SHA_256));
+    /* The verify_hash flag enables automatically verify_message as well */
+    psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_VERIFY_HASH);
+    psa_set_key_algorithm(&key_attr, alg);
     psa_set_key_type(&key_attr, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
 
     status = psa_import_key(&key_attr,
@@ -2762,14 +2766,39 @@
         goto destroy_key;
     }
 
-    status = psa_verify_message(key_id, PSA_ALG_RSA_PSS(PSA_ALG_SHA_256),
+    status = psa_verify_message(key_id, alg,
                                 message, sizeof(message) - 1,
                                 signature_pss_sha_256, sizeof(signature_pss_sha_256));
     if (status != PSA_SUCCESS) {
-        TEST_FAIL(("Signature verification failed!"));
+        TEST_FAIL("Signature verification failed in the verify_message!");
         goto destroy_key;
     }
 
+    /* Try the same verification, but this time split the hash calculation in a
+     * separate API call. This is useful for those protocols that require to
+     * treat the hashing in a special way (i.e. special seeding), or need to do
+     * hashing in multipart. For simplicity here we just use single-part hashing
+     */
+    status = psa_hash_compute(PSA_ALG_GET_HASH(alg),
+                              message, sizeof(message) - 1,
+                              hash, sizeof(hash), &hash_length);
+    if (status != PSA_SUCCESS) {
+        TEST_FAIL("Hashing step failed!");
+        goto destroy_key;
+    }
+
+    if (hash_length != 32) {
+        TEST_FAIL("Unexpected hash length in the hashing step!");
+        goto destroy_key;
+    }
+
+    status = psa_verify_hash(key_id, alg,
+                             hash, hash_length,
+                             signature_pss_sha_256, sizeof(signature_pss_sha_256));
+    if (status != PSA_SUCCESS) {
+        TEST_FAIL("Signature verification failed in the verify_hash!");
+        goto destroy_key;
+    }
     ret->val = TEST_PASSED;
 
 destroy_key: