Don't exercise if the algorithm is not supported
Parsing a key and importing it into PSA may result in a policy that
specifies an algorithm that is not included in the build. This happens if
the key type is supported, but not the algorithm, e.g. in a build with
MBEDTLS_ECP_C but not MBEDTLS_ECDSA_C.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h
index a658d17..82ef2ad 100644
--- a/tests/include/test/psa_exercise_key.h
+++ b/tests/include/test/psa_exercise_key.h
@@ -221,4 +221,20 @@
psa_key_usage_t mbedtls_test_psa_usage_to_exercise(psa_key_type_t type,
psa_algorithm_t alg);
+/** Whether the specified algorithm can be exercised.
+ *
+ * \note This function is solely based on the algorithm and does not
+ * consider potential issues with the compatibility of a key.
+ * The idea is that you already have a key, so you know that the
+ * key type is supported, and you want to exercise the key but
+ * only if the algorithm given in its policy is enabled in the
+ * compile-time configuration.
+ *
+ * \note This function currently only supports signature algorithms
+ * (including wildcards).
+ * TODO: a more general mechanism, which should be automatically
+ * generated and possibly available as a library function?
+ */
+int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg);
+
#endif /* PSA_EXERCISE_KEY_H */
diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index 618b83f..3fcf77d 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -1009,4 +1009,49 @@
}
+int mbedtls_test_can_exercise_psa_algorithm(psa_algorithm_t alg)
+{
+ /* Reject algorithms that we know are not supported. Default to
+ * attempting exercise, so that if an algorithm is missing from this
+ * function, the result will be a test failure and not silently
+ * omitting exercise. */
+#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
+ if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_RSA_PSS)
+ if (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT)
+ if (PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_ECDSA)
+ if (PSA_ALG_IS_ECDSA(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+ if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
+ return 0;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_ECDH)
+ if (PSA_ALG_IS_ECDH(alg)) {
+ return 0;
+ }
+#endif
+ (void) alg;
+ return 1;
+}
+
#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index 3227ce9..add225d 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -48,10 +48,14 @@
TEST_EQUAL(mbedtls_pk_get_psa_attributes(ctx, usage_flag, &attributes), 0);
TEST_EQUAL(mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key), 0);
+
psa_algorithm_t exercise_usage = psa_get_key_usage_flags(&attributes);
psa_algorithm_t exercise_alg = psa_get_key_algorithm(&attributes);
- TEST_ASSERT(mbedtls_test_psa_exercise_key(psa_key,
- exercise_usage, exercise_alg));
+ if (mbedtls_test_can_exercise_psa_algorithm(exercise_alg)) {
+ TEST_ASSERT(mbedtls_test_psa_exercise_key(psa_key,
+ exercise_usage,
+ exercise_alg));
+ }
mbedtls_test_set_step((unsigned long) -1);
ok = 1;