- fix inaccuracy about PSA hash implementation
- add note about context-less operations
- provide summary
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Data gathered with:
for c in server9*.crt; do echo $c; openssl x509 -noout -text -in $c |
grep '^ Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
for c in crl-rsa-pss-*; do echo $c; openssl crl -noout -text -in $c |
grep '^ Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
for c in server9.req.*; do echo $c; openssl req -noout -text -in $c |
grep '^ Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
Unfortunately there is no record of how these files have been generated.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Work in progress, some tasks have very explicit definitions and details
on how to execute, others much less so; some may need splitting.
These documents are temporary anyway, to give a rough idea of the work
remaining to reach those goals (both of which we started, but only for
some use case so far). Ultimately the result will be actionable and
estimated tasks on github.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Note: removed `mbedtls_x509write_crt_set_subject_key()` from the list of
things that should be tested, as it's taking public key rather than a
keypair.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is an updated version of the study that was done a few years ago.
The script `syms` was used to list symbols form libmbedtls.a /
libmbedx509.a that are defined externally. It was run with config.py
full minus MBEDTLS_USE_PSA_CRYPTO minus
MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Existing example programs in this directory are already incompatible
with that option, so this is probably acceptable here too.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Add a positive test case where both the client and the server require
authentication and both use a non-CA self-signed certificate.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
psa_aead_encrypt_setup() and psa_aead_decrypt_setup() were returning
PSA_ERROR_INVALID_ARGUMENT, while the same failed checks were producing
PSA_ERROR_NOT_SUPPORTED if they happened in psa_aead_encrypt() or
psa_aead_decrypt().
The PSA Crypto API 1.1 spec will specify PSA_ERROR_INVALID_ARGUMENT
in the case that the supplied algorithm is not an AEAD one.
Also move these shared checks to a helper function, to reduce code
duplication and ensure that the functions remain in sync.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
This is meant to highlight similarities and differences in the
multi-part HMAC APIs.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Update the fork of the compliance test suite, and remove the multipart
AEAD tests from the expected failures list.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
