test: remove usage of mbedtls_pk_wrap_as_opaque() from tests
This is replaced with: mbedtls_pk_get_psa_attributes() +
mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque().
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 7a28bd8..f6645d7 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -685,9 +685,24 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) {
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot,
- opaque_alg, opaque_usage,
- opaque_alg2), 0);
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ /* Use a fake key usage to get a successful initial guess for the PSA attributes. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_VERIFY_HASH,
+ &key_attr), 0);
+ /* Then manually set type, usage, alg and alg2 as requested by the test. */
+ psa_key_type_t key_type = psa_get_key_type(&key_attr);
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(key_type)) {
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(key_type));
+ }
+ psa_set_key_usage_flags(&key_attr, opaque_usage);
+ psa_set_key_algorithm(&key_attr, opaque_alg);
+ if (opaque_alg2 != PSA_ALG_NONE) {
+ psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2);
+ }
+ TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0);
+ mbedtls_pk_free(cert->pkey);
+ mbedtls_pk_init(cert->pkey);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0);
}
#else
(void) opaque_alg;
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 180cf76..91b3337 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -836,6 +836,7 @@
mbedtls_pk_context pub, prv, alt;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&pub);
@@ -873,9 +874,13 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id,
- PSA_ALG_ANY_HASH,
- PSA_KEY_USAGE_EXPORT, 0), 0);
+ /* Turn the prv PK context into an opaque one.*/
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH,
+ &opaque_key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0);
+ mbedtls_pk_free(&prv);
+ mbedtls_pk_init(&prv);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
NULL), ret);
}
@@ -1395,7 +1400,8 @@
mbedtls_mpi N, P, Q, E;
mbedtls_rsa_context *rsa;
mbedtls_pk_context pk;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t olen;
mbedtls_pk_init(&pk);
@@ -1422,10 +1428,11 @@
TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
/* Turn PK context into an opaque one. */
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id,
- PSA_ALG_RSA_PKCS1V15_CRYPT,
- PSA_KEY_USAGE_DECRYPT,
- PSA_ALG_NONE), 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
@@ -1635,10 +1642,9 @@
unsigned char pkey_legacy[200];
unsigned char pkey_psa[200];
unsigned char *pkey_legacy_start, *pkey_psa_start;
- psa_algorithm_t alg_psa;
size_t sig_len, klen_legacy, klen_psa;
int ret;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
/*
@@ -1660,7 +1666,6 @@
TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
mbedtls_test_rnd_std_rand, NULL,
curve_or_keybits, 3) == 0);
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@@ -1671,8 +1676,6 @@
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
TEST_ASSERT(pk_genkey(&pk, grpid) == 0);
-
- alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
{
@@ -1699,9 +1702,11 @@
#endif /* MBEDTLS_PK_WRITE_C */
/* Turn PK context into an opaque one. */
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type);
@@ -1822,6 +1827,7 @@
mbedtls_pk_context pk;
size_t sig_len, pkey_len;
mbedtls_svc_key_id_t key_id;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
unsigned char *pkey_start;
@@ -1861,9 +1867,14 @@
}
/* Turn PK context into an opaque one. */
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE), 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ /* Tweak the algorithm associated with the PSA key because get_psa_attributes() returns
+ * a PSA_ALG_RSA_PSS_ANY_SALT(), but mbedtls_pk_sign_ext() requires a PSA_ALG_RSA_PSS().*/
+ psa_set_key_algorithm(&key_attr, psa_alg);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index c760090..735c125 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -75,6 +75,7 @@
size_t buf_len, check_buf_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
USE_PSA_INIT();
@@ -117,10 +118,13 @@
/* Verify that pk_write works also for opaque private keys */
if (!is_public_key) {
memset(buf, 0, check_buf_len);
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id,
- PSA_ALG_NONE,
- PSA_KEY_USAGE_EXPORT,
- PSA_ALG_NONE), 0);
+ /* Turn the key PK context into an opaque one.
+ * Note: set some practical usage for the key to make get_psa_attributes() happy. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0);
+ mbedtls_pk_free(&key);
+ mbedtls_pk_init(&key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0);
start_buf = buf;
buf_len = check_buf_len;
TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
@@ -172,6 +176,7 @@
size_t pub_key_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&priv_key);
@@ -194,9 +199,12 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_platform_zeroize(derived_key_raw, derived_key_len);
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
- PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
- PSA_ALG_NONE), 0);
+ /* Turn the priv_key PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0);
+ mbedtls_pk_free(&priv_key);
+ mbedtls_pk_init(&priv_key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
derived_key_len), pub_key_len);
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 3d84c72..1db7e1c 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -284,7 +284,7 @@
{
mbedtls_pk_context key;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_algorithm_t md_alg_psa, alg_psa;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
@@ -297,24 +297,16 @@
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
- md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
- TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
-
mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0);
- if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- alg_psa = PSA_ALG_ECDSA(md_alg_psa);
- } else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ /* Turn the PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&key);
+ mbedtls_pk_init(&key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key);
@@ -373,6 +365,7 @@
mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip;
@@ -451,24 +444,14 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* For Opaque PK contexts, wrap key as an Opaque RSA context. */
+ /* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
- psa_algorithm_t alg_psa, md_alg_psa;
-
- md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
- TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
-
- if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) {
- alg_psa = PSA_ALG_ECDSA(md_alg_psa);
- } else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) {
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
+ &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&issuer_key);
+ mbedtls_pk_init(&issuer_key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */