TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 816886c8f356374b23b476fc1582e6af1bec52ae / . / tests / src / psa_exercise_key.c
blob: e7e68631ade78da9bc665d8e5818f4d8b70b75c5 [file] [log] [blame]
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]1/** Code to exercise a PSA key object, i.e. validate that it seems well-formed
2 * and can do what it is supposed to do.
3 */
4
5/*
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21
22#include <test/helpers.h>
23#include <test/macros.h>
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]24#include <test/psa_exercise_key.h>
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]25
26#if defined(MBEDTLS_PSA_CRYPTO_C)
27
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]28#include <mbedtls/asn1.h>
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]29#include <psa/crypto.h>
30
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]31#include <test/asn1_helpers.h>
32#include <test/psa_crypto_helpers.h>
33
34#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
35static int lifetime_is_dynamic_secure_element( psa_key_lifetime_t lifetime )
36{
37 return( PSA_KEY_LIFETIME_GET_LOCATION( lifetime ) !=
38 PSA_KEY_LOCATION_LOCAL_STORAGE );
39}
40#endif
41
42static int check_key_attributes_sanity( mbedtls_svc_key_id_t key )
43{
44 int ok = 0;
45 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
46 psa_key_lifetime_t lifetime;
47 mbedtls_svc_key_id_t id;
48 psa_key_type_t type;
Gilles Peskine6b362e62021-02-15 12:03:16 +0100[diff] [blame]49 size_t bits;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]50
51 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
52 lifetime = psa_get_key_lifetime( &attributes );
53 id = psa_get_key_id( &attributes );
54 type = psa_get_key_type( &attributes );
55 bits = psa_get_key_bits( &attributes );
56
57 /* Persistence */
58 if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
59 {
60 TEST_ASSERT(
61 ( PSA_KEY_ID_VOLATILE_MIN <=
62 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) &&
63 ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <=
64 PSA_KEY_ID_VOLATILE_MAX ) );
65 }
66 else
67 {
68 TEST_ASSERT(
69 ( PSA_KEY_ID_USER_MIN <= MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) &&
70 ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <= PSA_KEY_ID_USER_MAX ) );
71 }
72#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
73 /* randomly-generated 64-bit constant, should never appear in test data */
74 psa_key_slot_number_t slot_number = 0xec94d4a5058a1a21;
75 psa_status_t status = psa_get_key_slot_number( &attributes, &slot_number );
76 if( lifetime_is_dynamic_secure_element( lifetime ) )
77 {
78 /* Mbed Crypto currently always exposes the slot number to
79 * applications. This is not mandated by the PSA specification
80 * and may change in future versions. */
81 TEST_EQUAL( status, 0 );
82 TEST_ASSERT( slot_number != 0xec94d4a5058a1a21 );
83 }
84 else
85 {
86 TEST_EQUAL( status, PSA_ERROR_INVALID_ARGUMENT );
87 }
88#endif
89
90 /* Type and size */
91 TEST_ASSERT( type != 0 );
92 TEST_ASSERT( bits != 0 );
93 TEST_ASSERT( bits <= PSA_MAX_KEY_BITS );
94 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
95 TEST_ASSERT( bits % 8 == 0 );
96
97 /* MAX macros concerning specific key types */
98 if( PSA_KEY_TYPE_IS_ECC( type ) )
99 TEST_ASSERT( bits <= PSA_VENDOR_ECC_MAX_CURVE_BITS );
100 else if( PSA_KEY_TYPE_IS_RSA( type ) )
101 TEST_ASSERT( bits <= PSA_VENDOR_RSA_MAX_KEY_BITS );
102 TEST_ASSERT( PSA_BLOCK_CIPHER_BLOCK_LENGTH( type ) <= PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE );
103
104 ok = 1;
105
106exit:
107 /*
108 * Key attributes may have been returned by psa_get_key_attributes()
109 * thus reset them as required.
110 */
111 psa_reset_key_attributes( &attributes );
112
113 return( ok );
114}
115
116static int exercise_mac_key( mbedtls_svc_key_id_t key,
117 psa_key_usage_t usage,
118 psa_algorithm_t alg )
119{
120 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
121 const unsigned char input[] = "foo";
122 unsigned char mac[PSA_MAC_MAX_SIZE] = {0};
123 size_t mac_length = sizeof( mac );
124
Steven Cooremanfb9cb922021-02-23 14:37:38 +0100[diff] [blame]125 /* Convert wildcard algorithm to exercisable algorithm */
126 if( alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG )
127 {
128 alg = PSA_ALG_TRUNCATED_MAC( alg, PSA_MAC_TRUNCATED_LENGTH( alg ) );
129 }
130
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]131 if( usage & PSA_KEY_USAGE_SIGN_HASH )
132 {
133 PSA_ASSERT( psa_mac_sign_setup( &operation, key, alg ) );
134 PSA_ASSERT( psa_mac_update( &operation,
135 input, sizeof( input ) ) );
136 PSA_ASSERT( psa_mac_sign_finish( &operation,
137 mac, sizeof( mac ),
138 &mac_length ) );
139 }
140
141 if( usage & PSA_KEY_USAGE_VERIFY_HASH )
142 {
143 psa_status_t verify_status =
144 ( usage & PSA_KEY_USAGE_SIGN_HASH ?
145 PSA_SUCCESS :
146 PSA_ERROR_INVALID_SIGNATURE );
147 PSA_ASSERT( psa_mac_verify_setup( &operation, key, alg ) );
148 PSA_ASSERT( psa_mac_update( &operation,
149 input, sizeof( input ) ) );
150 TEST_EQUAL( psa_mac_verify_finish( &operation, mac, mac_length ),
151 verify_status );
152 }
153
154 return( 1 );
155
156exit:
157 psa_mac_abort( &operation );
158 return( 0 );
159}
160
161static int exercise_cipher_key( mbedtls_svc_key_id_t key,
162 psa_key_usage_t usage,
163 psa_algorithm_t alg )
164{
165 psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
166 unsigned char iv[16] = {0};
167 size_t iv_length = sizeof( iv );
168 const unsigned char plaintext[16] = "Hello, world...";
169 unsigned char ciphertext[32] = "(wabblewebblewibblewobblewubble)";
170 size_t ciphertext_length = sizeof( ciphertext );
171 unsigned char decrypted[sizeof( ciphertext )];
172 size_t part_length;
173
174 if( usage & PSA_KEY_USAGE_ENCRYPT )
175 {
176 PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
177 PSA_ASSERT( psa_cipher_generate_iv( &operation,
178 iv, sizeof( iv ),
179 &iv_length ) );
180 PSA_ASSERT( psa_cipher_update( &operation,
181 plaintext, sizeof( plaintext ),
182 ciphertext, sizeof( ciphertext ),
183 &ciphertext_length ) );
184 PSA_ASSERT( psa_cipher_finish( &operation,
185 ciphertext + ciphertext_length,
186 sizeof( ciphertext ) - ciphertext_length,
187 &part_length ) );
188 ciphertext_length += part_length;
189 }
190
191 if( usage & PSA_KEY_USAGE_DECRYPT )
192 {
193 psa_status_t status;
194 int maybe_invalid_padding = 0;
195 if( ! ( usage & PSA_KEY_USAGE_ENCRYPT ) )
196 {
197 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
198 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
199 /* This should be PSA_CIPHER_GET_IV_SIZE but the API doesn't
200 * have this macro yet. */
201 iv_length = PSA_BLOCK_CIPHER_BLOCK_LENGTH(
202 psa_get_key_type( &attributes ) );
203 maybe_invalid_padding = ! PSA_ALG_IS_STREAM_CIPHER( alg );
204 psa_reset_key_attributes( &attributes );
205 }
206 PSA_ASSERT( psa_cipher_decrypt_setup( &operation, key, alg ) );
207 PSA_ASSERT( psa_cipher_set_iv( &operation,
208 iv, iv_length ) );
209 PSA_ASSERT( psa_cipher_update( &operation,
210 ciphertext, ciphertext_length,
211 decrypted, sizeof( decrypted ),
212 &part_length ) );
213 status = psa_cipher_finish( &operation,
214 decrypted + part_length,
215 sizeof( decrypted ) - part_length,
216 &part_length );
217 /* For a stream cipher, all inputs are valid. For a block cipher,
218 * if the input is some aribtrary data rather than an actual
219 ciphertext, a padding error is likely. */
220 if( maybe_invalid_padding )
221 TEST_ASSERT( status == PSA_SUCCESS ||
222 status == PSA_ERROR_INVALID_PADDING );
223 else
224 PSA_ASSERT( status );
225 }
226
227 return( 1 );
228
229exit:
230 psa_cipher_abort( &operation );
231 return( 0 );
232}
233
234static int exercise_aead_key( mbedtls_svc_key_id_t key,
235 psa_key_usage_t usage,
236 psa_algorithm_t alg )
237{
238 unsigned char nonce[16] = {0};
239 size_t nonce_length = sizeof( nonce );
240 unsigned char plaintext[16] = "Hello, world...";
241 unsigned char ciphertext[48] = "(wabblewebblewibblewobblewubble)";
242 size_t ciphertext_length = sizeof( ciphertext );
243 size_t plaintext_length = sizeof( ciphertext );
244
Steven Cooremanfb9cb922021-02-23 14:37:38 +0100[diff] [blame]245 /* Convert wildcard algorithm to exercisable algorithm */
246 if( alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG )
247 {
248 alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, PSA_ALG_AEAD_GET_TAG_LENGTH( alg ) );
249 }
250
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]251 /* Default IV length for AES-GCM is 12 bytes */
252 if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
253 PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ) )
254 {
255 nonce_length = 12;
256 }
257
Steven Cooremanaaec3412021-02-18 13:30:34 +0100[diff] [blame]258 /* IV length for CCM needs to be between 7 and 13 bytes */
259 if( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ==
260 PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ) )
261 {
262 nonce_length = 12;
263 }
264
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]265 if( usage & PSA_KEY_USAGE_ENCRYPT )
266 {
267 PSA_ASSERT( psa_aead_encrypt( key, alg,
268 nonce, nonce_length,
269 NULL, 0,
270 plaintext, sizeof( plaintext ),
271 ciphertext, sizeof( ciphertext ),
272 &ciphertext_length ) );
273 }
274
275 if( usage & PSA_KEY_USAGE_DECRYPT )
276 {
277 psa_status_t verify_status =
278 ( usage & PSA_KEY_USAGE_ENCRYPT ?
279 PSA_SUCCESS :
280 PSA_ERROR_INVALID_SIGNATURE );
281 TEST_EQUAL( psa_aead_decrypt( key, alg,
282 nonce, nonce_length,
283 NULL, 0,
284 ciphertext, ciphertext_length,
285 plaintext, sizeof( plaintext ),
286 &plaintext_length ),
287 verify_status );
288 }
289
290 return( 1 );
291
292exit:
293 return( 0 );
294}
295
296static int exercise_signature_key( mbedtls_svc_key_id_t key,
297 psa_key_usage_t usage,
298 psa_algorithm_t alg )
299{
300 unsigned char payload[PSA_HASH_MAX_SIZE] = {1};
301 size_t payload_length = 16;
302 unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = {0};
303 size_t signature_length = sizeof( signature );
304 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
305
306 /* If the policy allows signing with any hash, just pick one. */
307 if( PSA_ALG_IS_HASH_AND_SIGN( alg ) && hash_alg == PSA_ALG_ANY_HASH )
308 {
309#if defined(KNOWN_SUPPORTED_HASH_ALG)
310 hash_alg = KNOWN_SUPPORTED_HASH_ALG;
311 alg ^= PSA_ALG_ANY_HASH ^ hash_alg;
312#else
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]313 TEST_ASSERT( ! "No hash algorithm for hash-and-sign testing" );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]314#endif
315 }
316
317 if( usage & PSA_KEY_USAGE_SIGN_HASH )
318 {
319 /* Some algorithms require the payload to have the size of
320 * the hash encoded in the algorithm. Use this input size
321 * even for algorithms that allow other input sizes. */
322 if( hash_alg != 0 )
323 payload_length = PSA_HASH_LENGTH( hash_alg );
324 PSA_ASSERT( psa_sign_hash( key, alg,
325 payload, payload_length,
326 signature, sizeof( signature ),
327 &signature_length ) );
328 }
329
330 if( usage & PSA_KEY_USAGE_VERIFY_HASH )
331 {
332 psa_status_t verify_status =
333 ( usage & PSA_KEY_USAGE_SIGN_HASH ?
334 PSA_SUCCESS :
335 PSA_ERROR_INVALID_SIGNATURE );
336 TEST_EQUAL( psa_verify_hash( key, alg,
337 payload, payload_length,
338 signature, signature_length ),
339 verify_status );
340 }
341
342 return( 1 );
343
344exit:
345 return( 0 );
346}
347
348static int exercise_asymmetric_encryption_key( mbedtls_svc_key_id_t key,
349 psa_key_usage_t usage,
350 psa_algorithm_t alg )
351{
352 unsigned char plaintext[256] = "Hello, world...";
353 unsigned char ciphertext[256] = "(wabblewebblewibblewobblewubble)";
354 size_t ciphertext_length = sizeof( ciphertext );
355 size_t plaintext_length = 16;
356
357 if( usage & PSA_KEY_USAGE_ENCRYPT )
358 {
359 PSA_ASSERT( psa_asymmetric_encrypt( key, alg,
360 plaintext, plaintext_length,
361 NULL, 0,
362 ciphertext, sizeof( ciphertext ),
363 &ciphertext_length ) );
364 }
365
366 if( usage & PSA_KEY_USAGE_DECRYPT )
367 {
368 psa_status_t status =
369 psa_asymmetric_decrypt( key, alg,
370 ciphertext, ciphertext_length,
371 NULL, 0,
372 plaintext, sizeof( plaintext ),
373 &plaintext_length );
374 TEST_ASSERT( status == PSA_SUCCESS ||
375 ( ( usage & PSA_KEY_USAGE_ENCRYPT ) == 0 &&
376 ( status == PSA_ERROR_INVALID_ARGUMENT ||
377 status == PSA_ERROR_INVALID_PADDING ) ) );
378 }
379
380 return( 1 );
381
382exit:
383 return( 0 );
384}
385
386int mbedtls_test_psa_setup_key_derivation_wrap(
387 psa_key_derivation_operation_t* operation,
388 mbedtls_svc_key_id_t key,
389 psa_algorithm_t alg,
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]390 const unsigned char* input1, size_t input1_length,
391 const unsigned char* input2, size_t input2_length,
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]392 size_t capacity )
393{
394 PSA_ASSERT( psa_key_derivation_setup( operation, alg ) );
395 if( PSA_ALG_IS_HKDF( alg ) )
396 {
397 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
398 PSA_KEY_DERIVATION_INPUT_SALT,
399 input1, input1_length ) );
400 PSA_ASSERT( psa_key_derivation_input_key( operation,
401 PSA_KEY_DERIVATION_INPUT_SECRET,
402 key ) );
403 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
404 PSA_KEY_DERIVATION_INPUT_INFO,
405 input2,
406 input2_length ) );
407 }
408 else if( PSA_ALG_IS_TLS12_PRF( alg ) ||
409 PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
410 {
411 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
412 PSA_KEY_DERIVATION_INPUT_SEED,
413 input1, input1_length ) );
414 PSA_ASSERT( psa_key_derivation_input_key( operation,
415 PSA_KEY_DERIVATION_INPUT_SECRET,
416 key ) );
417 PSA_ASSERT( psa_key_derivation_input_bytes( operation,
418 PSA_KEY_DERIVATION_INPUT_LABEL,
419 input2, input2_length ) );
420 }
421 else
422 {
423 TEST_ASSERT( ! "Key derivation algorithm not supported" );
424 }
425
426 if( capacity != SIZE_MAX )
427 PSA_ASSERT( psa_key_derivation_set_capacity( operation, capacity ) );
428
429 return( 1 );
430
431exit:
432 return( 0 );
433}
434
435
436static int exercise_key_derivation_key( mbedtls_svc_key_id_t key,
437 psa_key_usage_t usage,
438 psa_algorithm_t alg )
439{
440 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
441 unsigned char input1[] = "Input 1";
442 size_t input1_length = sizeof( input1 );
443 unsigned char input2[] = "Input 2";
444 size_t input2_length = sizeof( input2 );
445 unsigned char output[1];
446 size_t capacity = sizeof( output );
447
448 if( usage & PSA_KEY_USAGE_DERIVE )
449 {
450 if( !mbedtls_test_psa_setup_key_derivation_wrap( &operation, key, alg,
451 input1, input1_length,
452 input2, input2_length,
453 capacity ) )
454 goto exit;
455
456 PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
457 output,
458 capacity ) );
459 PSA_ASSERT( psa_key_derivation_abort( &operation ) );
460 }
461
462 return( 1 );
463
464exit:
465 return( 0 );
466}
467
468/* We need two keys to exercise key agreement. Exercise the
469 * private key against its own public key. */
470psa_status_t mbedtls_test_psa_key_agreement_with_self(
471 psa_key_derivation_operation_t *operation,
472 mbedtls_svc_key_id_t key )
473{
474 psa_key_type_t private_key_type;
475 psa_key_type_t public_key_type;
476 size_t key_bits;
477 uint8_t *public_key = NULL;
478 size_t public_key_length;
479 /* Return GENERIC_ERROR if something other than the final call to
480 * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
481 * but it's good enough: callers will report it as a failed test anyway. */
482 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
483 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
484
485 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
486 private_key_type = psa_get_key_type( &attributes );
487 key_bits = psa_get_key_bits( &attributes );
488 public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( private_key_type );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]489 public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_key_type, key_bits );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]490 ASSERT_ALLOC( public_key, public_key_length );
491 PSA_ASSERT( psa_export_public_key( key, public_key, public_key_length,
492 &public_key_length ) );
493
494 status = psa_key_derivation_key_agreement(
495 operation, PSA_KEY_DERIVATION_INPUT_SECRET, key,
496 public_key, public_key_length );
497exit:
498 /*
499 * Key attributes may have been returned by psa_get_key_attributes()
500 * thus reset them as required.
501 */
502 psa_reset_key_attributes( &attributes );
503
504 mbedtls_free( public_key );
505 return( status );
506}
507
508/* We need two keys to exercise key agreement. Exercise the
509 * private key against its own public key. */
510psa_status_t mbedtls_test_psa_raw_key_agreement_with_self(
511 psa_algorithm_t alg,
512 mbedtls_svc_key_id_t key )
513{
514 psa_key_type_t private_key_type;
515 psa_key_type_t public_key_type;
516 size_t key_bits;
517 uint8_t *public_key = NULL;
518 size_t public_key_length;
519 uint8_t output[1024];
520 size_t output_length;
521 /* Return GENERIC_ERROR if something other than the final call to
522 * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
523 * but it's good enough: callers will report it as a failed test anyway. */
524 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
525 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
526
527 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
528 private_key_type = psa_get_key_type( &attributes );
529 key_bits = psa_get_key_bits( &attributes );
530 public_key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( private_key_type );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]531 public_key_length = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_key_type, key_bits );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]532 ASSERT_ALLOC( public_key, public_key_length );
533 PSA_ASSERT( psa_export_public_key( key,
534 public_key, public_key_length,
535 &public_key_length ) );
536
537 status = psa_raw_key_agreement( alg, key,
538 public_key, public_key_length,
539 output, sizeof( output ), &output_length );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]540 if ( status == PSA_SUCCESS )
541 {
542 TEST_ASSERT( output_length <=
543 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( private_key_type,
544 key_bits ) );
545 TEST_ASSERT( output_length <=
546 PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE );
547 }
548
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]549exit:
550 /*
551 * Key attributes may have been returned by psa_get_key_attributes()
552 * thus reset them as required.
553 */
554 psa_reset_key_attributes( &attributes );
555
556 mbedtls_free( public_key );
557 return( status );
558}
559
560static int exercise_raw_key_agreement_key( mbedtls_svc_key_id_t key,
561 psa_key_usage_t usage,
562 psa_algorithm_t alg )
563{
564 int ok = 0;
565
566 if( usage & PSA_KEY_USAGE_DERIVE )
567 {
568 /* We need two keys to exercise key agreement. Exercise the
569 * private key against its own public key. */
570 PSA_ASSERT( mbedtls_test_psa_raw_key_agreement_with_self( alg, key ) );
571 }
572 ok = 1;
573
574exit:
575 return( ok );
576}
577
578static int exercise_key_agreement_key( mbedtls_svc_key_id_t key,
579 psa_key_usage_t usage,
580 psa_algorithm_t alg )
581{
582 psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
583 unsigned char output[1];
584 int ok = 0;
585
586 if( usage & PSA_KEY_USAGE_DERIVE )
587 {
588 /* We need two keys to exercise key agreement. Exercise the
589 * private key against its own public key. */
590 PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
591 PSA_ASSERT( mbedtls_test_psa_key_agreement_with_self( &operation, key ) );
592 PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
593 output,
594 sizeof( output ) ) );
595 PSA_ASSERT( psa_key_derivation_abort( &operation ) );
596 }
597 ok = 1;
598
599exit:
600 return( ok );
601}
602
603int mbedtls_test_psa_exported_key_sanity_check(
604 psa_key_type_t type, size_t bits,
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]605 const uint8_t *exported, size_t exported_length )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]606{
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]607 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_OUTPUT_SIZE( type, bits ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]608
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]609 if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
610 TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]611 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]612
613#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
614 if( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
615 {
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]616 uint8_t *p = (uint8_t*) exported;
617 const uint8_t *end = exported + exported_length;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]618 size_t len;
619 /* RSAPrivateKey ::= SEQUENCE {
620 * version INTEGER, -- must be 0
621 * modulus INTEGER, -- n
622 * publicExponent INTEGER, -- e
623 * privateExponent INTEGER, -- d
624 * prime1 INTEGER, -- p
625 * prime2 INTEGER, -- q
626 * exponent1 INTEGER, -- d mod (p-1)
627 * exponent2 INTEGER, -- d mod (q-1)
628 * coefficient INTEGER, -- (inverse of q) mod p
629 * }
630 */
631 TEST_EQUAL( mbedtls_asn1_get_tag( &p, end, &len,
632 MBEDTLS_ASN1_SEQUENCE |
633 MBEDTLS_ASN1_CONSTRUCTED ), 0 );
634 TEST_EQUAL( p + len, end );
635 if( ! mbedtls_test_asn1_skip_integer( &p, end, 0, 0, 0 ) )
636 goto exit;
637 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) )
638 goto exit;
639 if( ! mbedtls_test_asn1_skip_integer( &p, end, 2, bits, 1 ) )
640 goto exit;
641 /* Require d to be at least half the size of n. */
642 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits, 1 ) )
643 goto exit;
644 /* Require p and q to be at most half the size of n, rounded up. */
645 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits / 2 + 1, 1 ) )
646 goto exit;
647 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits / 2, bits / 2 + 1, 1 ) )
648 goto exit;
649 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
650 goto exit;
651 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
652 goto exit;
653 if( ! mbedtls_test_asn1_skip_integer( &p, end, 1, bits / 2 + 1, 0 ) )
654 goto exit;
655 TEST_EQUAL( p, end );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]656
657 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]658 }
659 else
660#endif /* MBEDTLS_RSA_C */
661
662#if defined(MBEDTLS_ECP_C)
663 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
664 {
665 /* Just the secret value */
666 TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]667
668 TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]669 }
670 else
671#endif /* MBEDTLS_ECP_C */
672
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]673#if defined(MBEDTLS_RSA_C)
674 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]675 {
Gilles Peskine5c2665b2021-02-14 01:22:56 +0100[diff] [blame]676 uint8_t *p = (uint8_t*) exported;
677 const uint8_t *end = exported + exported_length;
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]678 size_t len;
679 /* RSAPublicKey ::= SEQUENCE {
680 * modulus INTEGER, -- n
681 * publicExponent INTEGER } -- e
682 */
683 TEST_EQUAL( mbedtls_asn1_get_tag( &p, end, &len,
684 MBEDTLS_ASN1_SEQUENCE |
685 MBEDTLS_ASN1_CONSTRUCTED ),
686 0 );
687 TEST_EQUAL( p + len, end );
688 if( ! mbedtls_test_asn1_skip_integer( &p, end, bits, bits, 1 ) )
689 goto exit;
690 if( ! mbedtls_test_asn1_skip_integer( &p, end, 2, bits, 1 ) )
691 goto exit;
692 TEST_EQUAL( p, end );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]693
694
695 TEST_ASSERT( exported_length <=
696 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( type, bits ) );
697 TEST_ASSERT( exported_length <=
698 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE );
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]699 }
700 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]701#endif /* MBEDTLS_RSA_C */
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]702
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]703#if defined(MBEDTLS_ECP_C)
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]704 if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( type ) )
705 {
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]706
707 TEST_ASSERT( exported_length <=
708 PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( type, bits ) );
709 TEST_ASSERT( exported_length <=
710 PSA_EXPORT_PUBLIC_KEY_MAX_SIZE );
711
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]712 if( PSA_KEY_TYPE_ECC_GET_FAMILY( type ) == PSA_ECC_FAMILY_MONTGOMERY )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]713 {
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]714 /* The representation of an ECC Montgomery public key is
715 * the raw compressed point */
716 TEST_EQUAL( PSA_BITS_TO_BYTES( bits ), exported_length );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]717 }
718 else
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]719 {
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]720 /* The representation of an ECC Weierstrass public key is:
721 * - The byte 0x04;
722 * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
723 * - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
724 * - where m is the bit size associated with the curve.
725 */
726 TEST_EQUAL( 1 + 2 * PSA_BITS_TO_BYTES( bits ), exported_length );
727 TEST_EQUAL( exported[0], 4 );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]728 }
729 }
730 else
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]731#endif /* MBEDTLS_ECP_C */
732
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]733 {
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]734 TEST_ASSERT( ! "Sanity check not implemented for this key type" );
Gilles Peskinead557e52021-02-14 01:19:21 +0100[diff] [blame]735 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]736
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]737#if defined(MBEDTLS_DES_C)
738 if( type == PSA_KEY_TYPE_DES )
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]739 {
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]740 /* Check the parity bits. */
741 unsigned i;
742 for( i = 0; i < bits / 8; i++ )
743 {
744 unsigned bit_count = 0;
745 unsigned m;
746 for( m = 1; m <= 0x100; m <<= 1 )
747 {
748 if( exported[i] & m )
749 ++bit_count;
750 }
751 TEST_ASSERT( bit_count % 2 != 0 );
752 }
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]753 }
Gilles Peskinecc9db302021-02-14 01:29:52 +0100[diff] [blame]754#endif
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]755
756 return( 1 );
757
758exit:
759 return( 0 );
760}
761
762static int exercise_export_key( mbedtls_svc_key_id_t key,
763 psa_key_usage_t usage )
764{
765 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
766 uint8_t *exported = NULL;
767 size_t exported_size = 0;
768 size_t exported_length = 0;
769 int ok = 0;
770
771 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
772
773 exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
774 psa_get_key_type( &attributes ),
775 psa_get_key_bits( &attributes ) );
776 ASSERT_ALLOC( exported, exported_size );
777
778 if( ( usage & PSA_KEY_USAGE_EXPORT ) == 0 &&
779 ! PSA_KEY_TYPE_IS_PUBLIC_KEY( psa_get_key_type( &attributes ) ) )
780 {
781 TEST_EQUAL( psa_export_key( key, exported,
782 exported_size, &exported_length ),
783 PSA_ERROR_NOT_PERMITTED );
784 ok = 1;
785 goto exit;
786 }
787
788 PSA_ASSERT( psa_export_key( key,
789 exported, exported_size,
790 &exported_length ) );
791 ok = mbedtls_test_psa_exported_key_sanity_check(
792 psa_get_key_type( &attributes ), psa_get_key_bits( &attributes ),
793 exported, exported_length );
794
795exit:
796 /*
797 * Key attributes may have been returned by psa_get_key_attributes()
798 * thus reset them as required.
799 */
800 psa_reset_key_attributes( &attributes );
801
802 mbedtls_free( exported );
803 return( ok );
804}
805
806static int exercise_export_public_key( mbedtls_svc_key_id_t key )
807{
808 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
809 psa_key_type_t public_type;
810 uint8_t *exported = NULL;
811 size_t exported_size = 0;
812 size_t exported_length = 0;
813 int ok = 0;
814
815 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
816 if( ! PSA_KEY_TYPE_IS_ASYMMETRIC( psa_get_key_type( &attributes ) ) )
817 {
818 exported_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
819 psa_get_key_type( &attributes ),
820 psa_get_key_bits( &attributes ) );
821 ASSERT_ALLOC( exported, exported_size );
822
823 TEST_EQUAL( psa_export_public_key( key, exported,
824 exported_size, &exported_length ),
825 PSA_ERROR_INVALID_ARGUMENT );
826 ok = 1;
827 goto exit;
828 }
829
830 public_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(
831 psa_get_key_type( &attributes ) );
gabor-mezei-armceface22021-01-21 12:26:17 +0100[diff] [blame]832 exported_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( public_type,
833 psa_get_key_bits( &attributes ) );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]834 ASSERT_ALLOC( exported, exported_size );
835
836 PSA_ASSERT( psa_export_public_key( key,
837 exported, exported_size,
838 &exported_length ) );
839 ok = mbedtls_test_psa_exported_key_sanity_check(
840 public_type, psa_get_key_bits( &attributes ),
841 exported, exported_length );
842
843exit:
844 /*
845 * Key attributes may have been returned by psa_get_key_attributes()
846 * thus reset them as required.
847 */
848 psa_reset_key_attributes( &attributes );
849
850 mbedtls_free( exported );
851 return( ok );
852}
853
854int mbedtls_test_psa_exercise_key( mbedtls_svc_key_id_t key,
855 psa_key_usage_t usage,
856 psa_algorithm_t alg )
857{
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]858 int ok = 0;
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]859
860 if( ! check_key_attributes_sanity( key ) )
861 return( 0 );
862
863 if( alg == 0 )
864 ok = 1; /* If no algorihm, do nothing (used for raw data "keys"). */
865 else if( PSA_ALG_IS_MAC( alg ) )
866 ok = exercise_mac_key( key, usage, alg );
867 else if( PSA_ALG_IS_CIPHER( alg ) )
868 ok = exercise_cipher_key( key, usage, alg );
869 else if( PSA_ALG_IS_AEAD( alg ) )
870 ok = exercise_aead_key( key, usage, alg );
871 else if( PSA_ALG_IS_SIGN( alg ) )
872 ok = exercise_signature_key( key, usage, alg );
873 else if( PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) )
874 ok = exercise_asymmetric_encryption_key( key, usage, alg );
875 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) )
876 ok = exercise_key_derivation_key( key, usage, alg );
877 else if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) )
878 ok = exercise_raw_key_agreement_key( key, usage, alg );
879 else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) )
880 ok = exercise_key_agreement_key( key, usage, alg );
881 else
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]882 TEST_ASSERT( ! "No code to exercise this category of algorithm" );
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]883
884 ok = ok && exercise_export_key( key, usage );
885 ok = ok && exercise_export_public_key( key );
886
Gilles Peskine2385f712021-02-14 01:34:21 +0100[diff] [blame]887exit:
Gilles Peskinee78b0022021-02-13 00:41:11 +0100[diff] [blame]888 return( ok );
889}
890
891psa_key_usage_t mbedtls_test_psa_usage_to_exercise( psa_key_type_t type,
892 psa_algorithm_t alg )
893{
894 if( PSA_ALG_IS_MAC( alg ) || PSA_ALG_IS_SIGN( alg ) )
895 {
896 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
897 PSA_KEY_USAGE_VERIFY_HASH :
898 PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH );
899 }
900 else if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) ||
901 PSA_ALG_IS_ASYMMETRIC_ENCRYPTION( alg ) )
902 {
903 return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ?
904 PSA_KEY_USAGE_ENCRYPT :
905 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
906 }
907 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) ||
908 PSA_ALG_IS_KEY_AGREEMENT( alg ) )
909 {
910 return( PSA_KEY_USAGE_DERIVE );
911 }
912 else
913 {
914 return( 0 );
915 }
916
917}
Gilles Peskine66e7b902021-02-12 23:40:58 +0100[diff] [blame]918
919#endif /* MBEDTLS_PSA_CRYPTO_C */