diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 68e92b7121..c23d73045f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -203,7 +203,7 @@ int main( void )
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
 #define USAGE_KEY_OPAQUE \
- " key_opaque=%%d Handle your private key as if it were opaque\n" \
+ " key_opaque=%%d Handle your private keys as if they were opaque\n" \
 " default: 0 (disabled)\n"
 #else
 #define USAGE_KEY_OPAQUE ""
@@ -1325,8 +1325,9 @@ int main( int argc, char *argv[] )
 mbedtls_pk_context pkey;
 mbedtls_x509_crt srvcert2;
 mbedtls_pk_context pkey2;
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
 psa_key_id_t key_slot = 0; /* invalid key slot */
+ psa_key_id_t key_slot2 = 0; /* invalid key slot */
 #endif
 int key_cert_init = 0, key_cert_init2 = 0;
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@@ -2491,23 +2492,38 @@ int main( int argc, char *argv[] ) (unsigned int) -ret ); goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.key_opaque != 0 ) - { - if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot, - PSA_ALG_SHA_256 ) ) != 0 ) - { - mbedtls_printf( " failed\n ! " "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); - goto exit; - } - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ key_cert_init2 = 2; #endif /* MBEDTLS_ECDSA_C */ } - mbedtls_printf( " ok (key type: %s)\n", mbedtls_pk_get_name( &pkey2 ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( opt.key_opaque != 0 ) + { + if ( mbedtls_pk_get_type( &pkey ) == MBEDTLS_PK_ECKEY ) + { + if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey, &key_slot, + PSA_ALG_SHA_256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! " + "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + } + + if ( mbedtls_pk_get_type( &pkey2 ) == MBEDTLS_PK_ECKEY ) + { + if( ( ret = mbedtls_pk_wrap_as_opaque( &pkey2, &key_slot2, + PSA_ALG_SHA_256 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! " + "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n", (unsigned int) -ret ); + goto exit; + } + } + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
@@ -3953,6 +3969,10 @@ exit:
 mbedtls_pk_free( &pkey );
 mbedtls_x509_crt_free( &srvcert2 );
 mbedtls_pk_free( &pkey2 );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key( key_slot );
+ psa_destroy_key( key_slot2 );
+#endif
 #endif
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
 for( i = 0; (size_t) i < ssl_async_keys.slots_used; i++ )
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 7d0b31381f..628fad9560 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
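Review bot: With `key_opaque=1`, a key whose `mbedtls_pk_get_type()` is not `MBEDTLS_PK_ECKEY` is silently left transparent: the two new `if ( mbedtls_pk_get_type( ... ) == MBEDTLS_PK_ECKEY )` guards skip the wrap without any output, so an operator who asked for opaque handling of an RSA key only learns that it did not happen from the final `key types:` line. Consider printing a one-line notice in the non-EC case, e.g. `mbedtls_printf( " ! key_opaque requested but key is not an EC key, using it as a transparent key\n" );`, and state the EC-only restriction in the `USAGE_KEY_OPAQUE` text changed in the first hunk of this file. Also, the guards are written `if (` while the surrounding code (and the `if( opt.key_opaque != 0 )` line just above them) uses `if(`, and the new `mbedtls_printf( " ok (key types: %s - %s)\n", ... )` line runs well past 80 columns and should be wrapped like the `mbedtls_pk_wrap_as_opaque` error messages next to it. The enclosing `main()` continues on both sides of the hunk.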
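Review bot: The status returned by the two new `psa_destroy_key()` calls is discarded, so a key that could not be destroyed (and therefore stays in the PSA key store) goes unreported, while every other failure in this program prints a message. Check the result and report it, e.g. `if( psa_destroy_key( key_slot ) != PSA_SUCCESS ) mbedtls_printf( " ! psa_destroy_key failed for key_slot\n" );` and likewise for `key_slot2`. The calls are also made when a slot was never filled (it keeps the `0` initializer from the declaration hunk); that relies on PSA treating a null key id as a no-op, which deserves a comment such as `/* slots still 0 were never wrapped; psa_destroy_key() is a no-op for them */`. The `exit:` cleanup continues outside the hunk.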
@@ -1455,7 +1455,7 @@ run_test "Opaque key for server authentication" \
 key_file=data_files/server5.key" \
 0 \
 -c "Verifying peer X.509 certificate... ok" \
- -s "key type: Opaque" \
+ -s "key types: RSA - Opaque" \
 -S "error" \
 -C "error"
@@ -1471,7 +1471,7 @@ run_test "Opaque key for client/server authentication" \
 0 \
 -c "key type: Opaque" \
 -c "Verifying peer X.509 certificate... ok" \
- -s "key type: Opaque" \
+ -s "key types: RSA - Opaque" \
 -s "Verifying peer X.509 certificate... ok" \
 -S "error" \
 -C "error"
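Review bot: The updated expectation `-s "key types: RSA - Opaque"` pins both the print order (first key, then second) and that the server's first key is RSA, which depends on the server arguments outside the hunk; a comment in the test stating why the first key is expected to stay transparent (only EC keys are wrapped when `key_opaque=1`) would keep the next reader from "fixing" it to `Opaque - Opaque`. The same applies to the second hunk, `Opaque key for client/server authentication`. Nothing in this change exercises `key_opaque=1` with a server whose EC key is the first one, or with no EC key at all, so the silent skip of non-EC keys is only covered indirectly through this string.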