Remove ad hoc is_valid_for_signature method

Use the new generic is_public method. Impact on generated cases: there are new HMAC test cases for SIGN_HASH. It was a bug that these test cases were previously not generated. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-04 15:39:53 +00:00 · 2022-03-17 12:52:24 +01:00 · 2022-03-17 12:52:24 +01:00 · fa70ced195
commit fa70ced195
parent 09dc05b880
2 changed files with 6 additions and 19 deletions
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@ -20,7 +20,7 @@ This module is entirely based on the PSA API.

 import enum
 import re
-from typing import Dict, Iterable, Optional, Pattern, Tuple
+from typing import Iterable, Optional, Tuple

 from mbedtls_dev.asymmetric_key_data import ASYMMETRIC_KEY_DATA

@ -178,21 +178,6 @@ class KeyType:
        return b''.join([self.DATA_BLOCK] * (length // len(self.DATA_BLOCK)) +
                        [self.DATA_BLOCK[:length % len(self.DATA_BLOCK)]])

-    KEY_TYPE_FOR_SIGNATURE = {
-        'PSA_KEY_USAGE_SIGN_HASH': re.compile('.*KEY_PAIR'),
-        'PSA_KEY_USAGE_VERIFY_HASH': re.compile('.*KEY.*')
-    } #type: Dict[str, Pattern]
-    """Use a regexp to determine key types for which signature is possible
-       when using the actual usage flag.
-    """
-    def is_valid_for_signature(self, usage: str) -> bool:
-        """Determine if the key type is compatible with the specified
-           signitute type.
-
-        """
-        # This is just temporaly solution for the implicit usage flags.
-        return re.match(self.KEY_TYPE_FOR_SIGNATURE[usage], self.name) is not None
-
    def can_do(self, alg: 'Algorithm') -> bool:
        """Whether this key type can be used for operations with the given algorithm.

--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@ -206,7 +206,7 @@ class NotSupported:
                continue
                # For public key we expect that key generation fails with
                # INVALID_ARGUMENT. It is handled by KeyGenerate class.
-            if not kt.name.endswith('_PUBLIC_KEY'):
+            if not kt.is_public():
                yield test_case_for_key_type_not_supported(
                    'generate', kt.expression, bits,
                    finish_family_dependencies(generate_dependencies, bits),
@ -822,8 +822,10 @@ class StorageFormatV0(StorageFormat):
                for key_type in sorted(alg_with_keys[alg]):
                    # The key types must be filtered to fit the specific usage flag.
                    kt = crypto_knowledge.KeyType(key_type)
-                    if kt.is_valid_for_signature(usage):
-                        yield self.keys_for_implicit_usage(usage, alg, kt)
+                    if kt.is_public() and '_SIGN_' in usage:
+                        # Can't sign with a public key
+                        continue
+                    yield self.keys_for_implicit_usage(usage, alg, kt)

    def generate_all_keys(self) -> Iterator[StorageTestData]:
        yield from super().generate_all_keys()