Persistent key reload: test more metadata

In the tests for opening a persistent key after closing it, also read
back and check the key data if permitted by policy, and the key
policy.
This commit is contained in:
Gilles Peskine 2019-05-13 14:24:15 +02:00
parent 1ecf92c2f8
commit d3bb7bb2f2
2 changed files with 56 additions and 9 deletions

View File

@ -25,6 +25,14 @@ persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX:0:0:PS
Persistent slot, check after restart, id=max Persistent slot, check after restart, id=max
persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
Persistent slot: ECP keypair (ECDSA, exportable); close
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE
Persistent slot: ECP keypair (ECDSA, exportable); restart
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_SHUTDOWN
Attempt to overwrite: close before Attempt to overwrite: close before
create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:CLOSE_BEFORE create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:CLOSE_BEFORE

View File

@ -134,9 +134,11 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
psa_key_usage_t usage_flags = usage_arg; psa_key_usage_t usage_flags = usage_arg;
psa_key_type_t type = type_arg; psa_key_type_t type = type_arg;
close_method_t close_method = close_method_arg; close_method_t close_method = close_method_arg;
psa_key_type_t read_type;
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t read_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint8_t *reexported = NULL;
size_t reexported_length = -1;
TEST_USES_KEY_ID( id ); TEST_USES_KEY_ID( id );
@ -151,14 +153,22 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&handle ) ); &handle ) );
TEST_ASSERT( handle != 0 ); TEST_ASSERT( handle != 0 );
PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) );
TEST_EQUAL( read_type, type ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime );
TEST_EQUAL( psa_get_key_id( &attributes ), id );
TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags );
TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg );
TEST_EQUAL( psa_get_key_type( &attributes ), type );
/* Close the key and reopen it. */ /* Close the key and reopen it. */
PSA_ASSERT( psa_close_key( handle ) ); PSA_ASSERT( psa_close_key( handle ) );
PSA_ASSERT( psa_open_key( id, &handle ) ); PSA_ASSERT( psa_open_key( id, &handle ) );
PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) );
TEST_EQUAL( read_type, type ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime );
TEST_EQUAL( psa_get_key_id( &attributes ), id );
TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags );
TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg );
TEST_EQUAL( psa_get_key_type( &attributes ), type );
/* Do something that invalidates the handle. */ /* Do something that invalidates the handle. */
switch( close_method ) switch( close_method )
@ -175,19 +185,47 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
break; break;
} }
/* Test that the handle is now invalid. */ /* Test that the handle is now invalid. */
TEST_EQUAL( psa_get_key_information( handle, &read_type, NULL ), TEST_EQUAL( psa_get_key_attributes( handle, &read_attributes ),
PSA_ERROR_INVALID_HANDLE ); PSA_ERROR_INVALID_HANDLE );
psa_reset_key_attributes( &read_attributes );
TEST_EQUAL( psa_close_key( handle ), PSA_ERROR_INVALID_HANDLE ); TEST_EQUAL( psa_close_key( handle ), PSA_ERROR_INVALID_HANDLE );
/* Try to reopen the key. If we destroyed it, check that it doesn't /* Try to reopen the key. If we destroyed it, check that it doesn't
* exist, otherwise check that it still exists. */ * exist. Otherwise check that it still exists and has the expected
* content. */
switch( close_method ) switch( close_method )
{ {
case CLOSE_BY_CLOSE: case CLOSE_BY_CLOSE:
case CLOSE_BY_SHUTDOWN: case CLOSE_BY_SHUTDOWN:
PSA_ASSERT( psa_open_key( id, &handle ) ); PSA_ASSERT( psa_open_key( id, &handle ) );
PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) ); PSA_ASSERT( psa_get_key_attributes( handle, &read_attributes ) );
TEST_EQUAL( read_type, type ); TEST_EQUAL( psa_get_key_lifetime( &attributes ),
psa_get_key_lifetime( &read_attributes ) );
TEST_EQUAL( psa_get_key_id( &attributes ),
psa_get_key_id( &read_attributes ) );
TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags );
TEST_EQUAL( psa_get_key_algorithm( &attributes ),
psa_get_key_algorithm( &read_attributes ) );
TEST_EQUAL( psa_get_key_type( &attributes ),
psa_get_key_type( &read_attributes ) );
TEST_EQUAL( psa_get_key_bits( &attributes ),
psa_get_key_bits( &read_attributes ) );
if( usage_flags & PSA_KEY_USAGE_EXPORT )
{
ASSERT_ALLOC( reexported, key_data->len );
PSA_ASSERT( psa_export_key( handle,
reexported, key_data->len,
&reexported_length ) );
ASSERT_COMPARE( key_data->x, key_data->len,
reexported, reexported_length );
}
else
{
TEST_EQUAL( psa_export_key( handle,
reexported, sizeof( reexported ),
&reexported_length ),
PSA_ERROR_NOT_PERMITTED );
}
break; break;
case CLOSE_BY_DESTROY: case CLOSE_BY_DESTROY:
TEST_EQUAL( psa_open_key( id, &handle ), TEST_EQUAL( psa_open_key( id, &handle ),
@ -198,6 +236,7 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
exit: exit:
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
psa_purge_key_storage( ); psa_purge_key_storage( );
mbedtls_free( reexported );
} }
/* END_CASE */ /* END_CASE */