From cbce4d8889d5507fd88c1fcea692c1d98dcccf55 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 13 May 2019 14:24:15 +0200
Subject: [PATCH] Persistent key reload: test more metadata

In the tests for opening a persistent key after closing it, also read back and check the key data if permitted by policy, and the key policy.
---
 ...test_suite_psa_crypto_slot_management.data | 8 +++++
 ..._suite_psa_crypto_slot_management.function | 34 +++++++++++++++++--
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data
index e937465a13..e520d345d6 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.data
+++ b/tests/suites/test_suite_psa_crypto_slot_management.data
@@ -16,6 +16,14 @@ persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:0:0:PSA_KEY_TYPE_RAW_DAT
 Persistent slot, check after restart
 persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
+Persistent slot: ECP keypair (ECDSA, exportable); close
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE
+
+Persistent slot: ECP keypair (ECDSA, exportable); restart
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_SHUTDOWN
+
 Attempt to overwrite: close before
 create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:CLOSE_BEFORE
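Review bot: Both added cases use a policy that includes `PSA_KEY_USAGE_EXPORT`, so the export-denied check after reload is reached only by cases whose usage is `0`, such as the existing ones visible in this hunk. A case with a non-zero but non-exportable policy would verify that a reloaded private key keeps its usage bits without gaining export. For example, the same ECC key with `PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY` could be added, once with `CLOSE_BY_CLOSE` and once with `CLOSE_BY_SHUTDOWN`.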
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index 92c9d6589f..d983c0ee05 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -123,10 +123,15 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
 psa_algorithm_t alg = alg_arg;
 psa_key_usage_t usage_flags = usage_arg;
 psa_key_type_t type = type_arg;
+ size_t bits;
 close_method_t close_method = close_method_arg;
 psa_key_type_t read_type;
+ size_t read_bits;
 psa_key_handle_t handle = 0;
 psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+ psa_key_policy_t read_policy = PSA_KEY_POLICY_INIT;
+ uint8_t *reexported = NULL;
+ size_t reexported_length = -1;
 TEST_MAX_KEY_ID( id );
@@ -138,7 +143,7 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
 psa_key_policy_set_usage( &policy, usage_flags, alg );
 PSA_ASSERT( psa_set_key_policy( handle, &policy ) );
 PSA_ASSERT( psa_import_key( handle, type, key_data->x, key_data->len ) );
- PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) );
+ PSA_ASSERT( psa_get_key_information( handle, &read_type, &bits ) );
 TEST_EQUAL( read_type, type );
 /* Close the key and reopen it. */
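Review bot: In the declarations hunk, `size_t reexported_length = -1;` relies on the implicit conversion of a negative constant to an unsigned type to produce a sentinel. Writing it as `size_t reexported_length = (size_t) -1;` makes that intent explicit. A short comment such as `/* poison value: must be overwritten by a successful export */` would say why it is not zero. The function's signature and the rest of its body lie outside this hunk.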
@@ -167,14 +172,36 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
 TEST_EQUAL( psa_close_key( handle ), PSA_ERROR_INVALID_HANDLE );
 /* Try to reopen the key. If we destroyed it, check that it doesn't
- * exist, otherwise check that it still exists. */
+ * exist. Otherwise check that it still exists and has the expected
+ * content. */
 switch( close_method )
 {
 case CLOSE_BY_CLOSE:
 case CLOSE_BY_SHUTDOWN:
 PSA_ASSERT( psa_open_key( lifetime, id, &handle ) );
- PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) );
+ PSA_ASSERT( psa_get_key_policy( handle, &read_policy ) );
+ PSA_ASSERT( psa_get_key_information( handle,
+ &read_type, &read_bits ) );
 TEST_EQUAL( read_type, type );
+ TEST_EQUAL( read_bits, bits );
+ TEST_EQUAL( psa_key_policy_get_usage( &read_policy ), usage_flags );
+ TEST_EQUAL( psa_key_policy_get_algorithm( &read_policy ), alg );
+ if( policy.usage & PSA_KEY_USAGE_EXPORT )
+ {
+ ASSERT_ALLOC( reexported, key_data->len );
+ PSA_ASSERT( psa_export_key( handle,
+ reexported, key_data->len,
+ &reexported_length ) );
+ ASSERT_COMPARE( key_data->x, key_data->len,
+ reexported, reexported_length );
+ }
+ else
+ {
+ TEST_EQUAL( psa_export_key( handle,
+ reexported, sizeof( reexported ),
+ &reexported_length ),
+ PSA_ERROR_NOT_PERMITTED );
+ }
 break;
 case CLOSE_BY_DESTROY:
 TEST_EQUAL( psa_open_key( lifetime, id, &handle ),
@@ -185,6 +212,7 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
 exit:
 mbedtls_psa_crypto_free( );
 psa_purge_key_storage( );
+ mbedtls_free( reexported );
 }
 /* END_CASE */
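Review bot: In the `else` branch of the reopen check, `psa_export_key` is passed `reexported` while it is still NULL, together with `sizeof( reexported )`, which is the size of the pointer and not of any buffer. If a regression wrongly permitted the export, which is what this branch exists to catch, the library would be handed a null buffer with a non-zero length. The test could then crash or report a buffer-size error instead of failing cleanly on the policy check. Moving `ASSERT_ALLOC( reexported, key_data->len );` above the `if` and passing `reexported, key_data->len,` in the `else` call gives both branches a real buffer. The condition could also test `usage_flags & PSA_KEY_USAGE_EXPORT` instead of reading `policy.usage` directly; the function body starts before this hunk.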