test_suite_pk: add failing check for sign_ext() in pk_psa_wrap_sign_ext()

If the wrapped key has a PKCS1 v1.5 signature algorithm, then try to call sign_ext() to perform PSA RSS. Of course this will fail because it's not supported by the wrapped key. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-03 01:13:37 +00:00 · 2024-03-21 16:26:11 +01:00 · 2024-03-21 16:26:11 +01:00 · f0d4c9a7e2
commit f0d4c9a7e2
parent afa6d51442
1 changed files with 13 additions and 0 deletions
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@ -2082,6 +2082,19 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg
    memset(hash, 0x2a, sizeof(hash));
    memset(sig, 0, sizeof(sig));

+#if defined(MBEDTLS_PKCS1_V21)
+    /* Check that trying to use the wrong pk_type in sign_ext() results in a failure.
+     * The PSA key was setup to use PKCS1 v1.5 signature algorithm, but here we try
+     * to use it for PSS (PKCS1 v2.1) and it should fail. */
+    if (key_pk_type == MBEDTLS_PK_RSA) {
+        TEST_EQUAL(mbedtls_pk_sign_ext(MBEDTLS_PK_RSASSA_PSS, &pk, md_alg, hash, hash_len,
+                                       sig, sizeof(sig), &sig_len,
+                                       mbedtls_test_rnd_std_rand, NULL),
+                   MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
+    }
+#endif /* MBEDTLS_PKCS1_V21 */
+
+    /* Perform sign_ext() with the correct pk_type. */
    TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
                                   sig, sizeof(sig), &sig_len,
                                   mbedtls_test_rnd_std_rand, NULL), 0);