This bug was not found until now because:
- !PK_[WRITE|PARSE]_C is only tested in component_full_no_pkparse_pkwrite()
- the test only case concerning RSA key had MBEDTLS_PK_WRITE_C as dependency
so it was not executed in that component.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The behavior of the functions is kept intact. Changes concern:
- generate the initial PK context using PSA parameters only; this
allows to remove 1 input parameter for the test function.
- add/fix comments.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Test the behavior of mbedtls_pk_get_psa_attributes() and
mbedtls_pk_import_into_psa() with respect to lifetime. In particular, test
that they work with persistent keys as documented.
Test cases generated by the following script:
```
for old in [('transparent', '0:0:1'),
('opaque volatile [export]', '1:0:1'),
('opaque volatile [copy]', '1:0:0'),
('opaque persistent [export]', '1:1:1'),
('opaque persistent [copy]', '1:1:0')]:
for to_public in [('pair', '0'),
('public', '1')]:
for to_persistent in [('volatile', '0'),
('persistent', '1')]:
depends = ('\ndepends_on:MBEDTLS_USE_PSA_CRYPTO'
if old[0].startswith('opaque')
else '')
print(f"""\
PSA import into PSA: {old[0]} -> {to_persistent[0]} {to_public[0]}{depends}
pk_import_into_psa_lifetime:{old[1]}:{to_public[1]}:{to_persistent[1]}
""")
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix mbedtls_pk_copy_from_psa() and mbedtls_pk_copy_public_from_psa() to
still work when the algorithm in the key policy is not an RSA
algorithm (typically PSA_ALG_NONE). Add a dedicated test case and adjust the
test code. Fixes the test case "Copy from PSA: non-exportable -> public, RSA"
when MBEDTLS_PKCS1_V15 is disabled.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Explain why this kind of test is possible for RSA keys, while
it is not possible for EC ones.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- removed redundant info from data file (i.e. informations that
can be extrapolated somehow)
- removed unecessary parameters in functions
- added some extra check on the generated PK contexts
- etc...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This bugfix was due in PR #8826, but we didn't catch that.
This commit also add proper testing in test_suite_pk that was not implemented
in #8826.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This was only tested with opaque keys. Since the code paths are different
depending on the PK type, we also need to test RSA and ECKEY.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Implement mbedtls_pk_import_into_psa for all PK types except RSA_ALT.
This covers importing a key pair, importing a public key and importing
the public part of a key pair.
Test mbedtls_pk_import_into_psa() with the output of
mbedtls_pk_get_psa_attributes(). Also unit-test mbedtls_pk_import_into_psa()
on its own to get extra coverage, mostly for negative cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add non-regression tests. Update some test functions to not assume that
byte_length == bit_length / 8.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Normally, if an elliptic curve is enabled in the legacy API then it's also
enabled in the PSA API. In particular, if the legacy API has at least one
curve then that curve also works with PSA. There is an exception with
secp224k1 which PSA does not support. In a build with secp224k1 as the only
legacy curve, MBEDTLS_PK_HAVE_ECC_KEYS is enabled (because you can use the
curve through PK) but PSA does not support any elliptic curve, so we can't
run PK-PSA bridge tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the MBEDTLS_PK_OPAQUE, have mbedtls_pk_get_psa_attributes() require the
specified usage to be enabled for the specified key. Otherwise the following
call to mbedtls_pk_import_into_psa() is unlikely to result in a key with a
useful policy, so the call to mbedtls_pk_get_psa_attributes() was probably
an error.
Adjust the existing test cases accordingly and add a few negative test
cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In principle the RSA tests shouldn't depend on RSA key generation: they just
need to operate on RSA keys. However they do need some method of creating an
RSA key, and we're currently doing random generation. So depend on what the
test code needs.
Depend on the legacy RSA interface, since driver-only RSA isn't currently
supported in the PK module.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add code and unit tests for MBEDTLS_PK_ECxxx in
mbedtls_pk_get_psa_attributes().
This commit only supports built-in ECC (MBEDTLS_ECP_C). A subsequent commit
will handle driver-only ECC.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This makes the function always available with its
its implementation depending on MBEDTLS_USE_PSA_CRYPTO.
Related dependencies and tests are updated as well.
Fixes#7583.
Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
Add configuration to enforce minimum size when
generating a RSA key, it's default value is 1024
bits since this the minimum secure value currently
but it can be any value greater than or equal 128
bits. Tests were modifed to accommodate for this
change.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
