Enable PSA Crypto 1.0 API tests
Adds some stubs for some missing PSA API 1.0 API functions and changes
the psa arch test build configuration to enable all Crypto 1.0 test
cases.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: Ic7477d6905b1c3dd81c2957e6258774194d91447
diff --git a/components/service/crypto/client/psa/component.cmake b/components/service/crypto/client/psa/component.cmake
index 80dd54a..ad7e09c 100644
--- a/components/service/crypto/client/psa/component.cmake
+++ b/components/service/crypto/client/psa/component.cmake
@@ -29,4 +29,6 @@
"${CMAKE_CURRENT_LIST_DIR}/psa_key_derivation.c"
"${CMAKE_CURRENT_LIST_DIR}/psa_cipher.c"
"${CMAKE_CURRENT_LIST_DIR}/psa_aead.c"
+ "${CMAKE_CURRENT_LIST_DIR}/psa_sign_message.c"
+ "${CMAKE_CURRENT_LIST_DIR}/psa_verify_message.c"
)
diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c
index 61bcf23..972d378 100644
--- a/components/service/crypto/client/psa/psa_hash.c
+++ b/components/service/crypto/client/psa/psa_hash.c
@@ -310,6 +310,21 @@
return psa_status;
}
+psa_status_t psa_hash_suspend(psa_hash_operation_t *operation,
+ uint8_t *hash_state,
+ size_t hash_state_size,
+ size_t *hash_state_length)
+{
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_hash_resume(psa_hash_operation_t *operation,
+ const uint8_t *hash_state,
+ size_t hash_state_length)
+{
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
psa_status_t psa_hash_compare(psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
diff --git a/components/service/crypto/client/psa/psa_sign_message.c b/components/service/crypto/client/psa/psa_sign_message.c
new file mode 100644
index 0000000..9162af5
--- /dev/null
+++ b/components/service/crypto/client/psa/psa_sign_message.c
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <psa/crypto.h>
+
+psa_status_t psa_sign_message(
+ psa_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ return PSA_ERROR_NOT_SUPPORTED;
+}
diff --git a/components/service/crypto/client/psa/psa_verify_message.c b/components/service/crypto/client/psa/psa_verify_message.c
new file mode 100644
index 0000000..bdfd629
--- /dev/null
+++ b/components/service/crypto/client/psa/psa_verify_message.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <psa/crypto.h>
+
+psa_status_t psa_verify_message(
+ psa_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t * signature,
+ size_t signature_length)
+{
+ return PSA_ERROR_NOT_SUPPORTED;
+}
diff --git a/components/service/crypto/include/psa/crypto.h b/components/service/crypto/include/psa/crypto.h
index 8d03b75..e60d975 100644
--- a/components/service/crypto/include/psa/crypto.h
+++ b/components/service/crypto/include/psa/crypto.h
@@ -1154,6 +1154,57 @@
psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
psa_hash_operation_t *target_operation);
+/** Suspend a hash operation.
+ *
+ * Suspends an operation frees, returns state that may be used to resume
+ * the operation some time later.
+ *
+ * \param[in,out] operation Initialized hash operation.
+ * \param[out] hash_state Buffer where the hash state is to be written.
+ * \param hash_state_size Size of the \p hash_state buffer in bytes.
+ * \param[out] hash_state_length On success, the number of bytes written
+ * to the hash_state buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_suspend(psa_hash_operation_t *operation,
+ uint8_t *hash_state,
+ size_t hash_state_size,
+ size_t *hash_state_length);
+
+/** Resume a hash operation.
+ *
+ * Set-up a new multi-part hash operation using the state from a
+ * previously suspended operation.
+ *
+ * \param[in,out] operation The operation object to resume. It must have
+ * been initialized as per the documentation for
+ * #psa_hash_operation_t and not yet in use.
+ * \param[in] hash_state The hash state obtained from a suspended
+ * operation.
+ * \param[in] hash_state_length The length of the hash state blob.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_hash_resume(psa_hash_operation_t *operation,
+ const uint8_t *hash_state,
+ size_t hash_state_length);
+
/**@}*/
/** \defgroup MAC Message authentication codes
@@ -2811,6 +2862,123 @@
*/
/**
+ * \brief Sign a message with a private key. For hash-and-sign algorithms,
+ * this includes the hashing step.
+ *
+ * \note To perform a multi-part hash-and-sign signature algorithm, first use
+ * a multi-part hash operation and then pass the resulting hash to
+ * psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the
+ * hash algorithm to use.
+ *
+ * \param[in] key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.
+ * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
+ * is true), that is compatible with the type of
+ * \p key.
+ * \param[in] input The input message to sign.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and
+ * bit-size respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
+ * or it does not permit the requested algorithm.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_message(psa_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length);
+
+/** \brief Verify the signature of a message with a public key, using
+ * a hash-and-sign verification algorithm.
+ *
+ * \note To perform a multi-part hash-and-sign signature verification
+ * algorithm, first use a multi-part hash operation to hash the message
+ * and then pass the resulting hash to psa_verify_hash().
+ * PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm
+ * to use.
+ *
+ * \param[in] key Identifier of the key to use for the operation.
+ * It must be a public key or an asymmetric key
+ * pair. The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_MESSAGE.
+ * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
+ * is true), that is compatible with the type of
+ * \p key.
+ * \param[in] input The message whose signature is to be verified.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
+ * or it does not permit the requested algorithm.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed signature
+ * is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_message(psa_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t * signature,
+ size_t signature_length);
+
+/**
* \brief Sign a hash or short message with a private key.
*
* Note that to perform a hash-and-sign signature algorithm, you must
diff --git a/components/service/crypto/include/psa/crypto_values.h b/components/service/crypto/include/psa/crypto_values.h
index 43b54b1..9fbea40 100644
--- a/components/service/crypto/include/psa/crypto_values.h
+++ b/components/service/crypto/include/psa/crypto_values.h
@@ -1841,6 +1841,26 @@
/** Whether the key may be used to sign a message.
*
+ * This flag allows the key to be used for a MAC calculation operation or for
+ * an asymmetric message signature operation, if otherwise permitted by the
+ * key’s type and policy.
+ *
+ * For a key pair, this concerns the private key.
+ */
+#define PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t)0x00000400)
+
+/** Whether the key may be used to verify a message.
+ *
+ * This flag allows the key to be used for a MAC verification operation or for
+ * an asymmetric message signature verification operation, if otherwise
+ * permitted by the key’s type and policy.
+ *
+ * For a key pair, this concerns the public key.
+ */
+#define PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t)0x00000800)
+
+/** Whether the key may be used to sign a message.
+ *
* This flag allows the key to be used for a MAC calculation operation
* or for an asymmetric signature operation,
* if otherwise permitted by the key's type and policy.
@@ -1863,6 +1883,21 @@
*/
#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)
+/** Whether the key may be used to verify the result of a key derivation,
+ * including password hashing.
+ *
+ * This flag allows the key to be used:
+ *
+ * This flag allows the key to be used in a key derivation operation, if
+ * otherwise permitted by by the key's type and policy.
+ *
+ * If this flag is present on all keys used in calls to
+ * psa_key_derivation_input_key() for a key derivation operation, then it
+ * permits calling psa_key_derivation_verify_bytes() or
+ * psa_key_derivation_verify_key() at the end of the operation.
+ */
+#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)
+
/**@}*/
/** \defgroup derivation Key derivation
diff --git a/components/service/crypto/provider/extension/key_derivation/key_derivation_provider.c b/components/service/crypto/provider/extension/key_derivation/key_derivation_provider.c
index b35712b..dfb5b07 100644
--- a/components/service/crypto/provider/extension/key_derivation/key_derivation_provider.c
+++ b/components/service/crypto/provider/extension/key_derivation/key_derivation_provider.c
@@ -252,17 +252,22 @@
if (rpc_status == TS_RPC_CALL_ACCEPTED) {
- psa_status_t psa_status = PSA_ERROR_BAD_STATE;
+ psa_status_t psa_status = PSA_ERROR_INVALID_HANDLE;
- struct crypto_context *crypto_context =
- crypto_context_pool_find(&this_instance->context_pool,
- CRYPTO_CONTEXT_OP_ID_KEY_DERIVATION, call_req_get_caller_id(req),
- op_handle);
+ if (key_id) {
- if (crypto_context) {
+ psa_status = PSA_ERROR_BAD_STATE;
- psa_status = psa_key_derivation_input_key(&crypto_context->op.key_derivation,
- step, key_id);
+ struct crypto_context *crypto_context =
+ crypto_context_pool_find(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_KEY_DERIVATION, call_req_get_caller_id(req),
+ op_handle);
+
+ if (crypto_context) {
+
+ psa_status = psa_key_derivation_input_key(&crypto_context->op.key_derivation,
+ step, key_id);
+ }
}
call_req_set_opstatus(req, psa_status);
diff --git a/deployments/psa-api-test/crypto/crypto-api-test.cmake b/deployments/psa-api-test/crypto/crypto-api-test.cmake
index 47e42c7..aecf791 100644
--- a/deployments/psa-api-test/crypto/crypto-api-test.cmake
+++ b/deployments/psa-api-test/crypto/crypto-api-test.cmake
@@ -15,9 +15,9 @@
# Extend the arch test build configuration to include tests missing from the
# default configuration.
#-------------------------------------------------------------------------------
-#set(TS_ARCH_TEST_EXTERNAL_DEFS
-# -DCRYPTO_1_0
-# CACHE STRING "Arch test external defines")
+set(TS_ARCH_TEST_EXTERNAL_DEFS
+ -DCRYPTO_1_0
+ CACHE STRING "Arch test external defines")
#-------------------------------------------------------------------------------
# The arch test build system puts its build output under a test suite specific