If the public key is exported with mbedtls_pk_write_pubkey_der()
it should be re-imported with mbedtls_pk_parse_public_key().
Alternative options (when PK_WRITE is not defined), i.e.
mbedtls_ecp_point_write_binary() and mbedtls_rsa_write_pubkey(),
export the key in a different format which cannot be parsed by
pk_parse module so mbedtls_ecp_point_read_binary() and
mbedtls_rsa_parse_pubkey() should be used respectively in this
case.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Use mbedtls_test_key_consistency_psa_pk() to verify that the
generated PK contexts match with the original PSA keys instead
of doing sign/verify and encrypt/decrypt.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This bug was not found until now because:
- !PK_[WRITE|PARSE]_C is only tested in component_full_no_pkparse_pkwrite()
- the test only case concerning RSA key had MBEDTLS_PK_WRITE_C as dependency
so it was not executed in that component.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The behavior of the functions is kept intact. Changes concern:
- generate the initial PK context using PSA parameters only; this
allows to remove 1 input parameter for the test function.
- add/fix comments.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Try to perform verify_ext() using the opaque context when the
key type is MBEDTLS_PK_RSASSA_PSS. This currently leads to a
crash while running the test suite and this will be fixed by
the next commit.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Test the behavior of mbedtls_pk_get_psa_attributes() and
mbedtls_pk_import_into_psa() with respect to lifetime. In particular, test
that they work with persistent keys as documented.
Test cases generated by the following script:
```
for old in [('transparent', '0:0:1'),
('opaque volatile [export]', '1:0:1'),
('opaque volatile [copy]', '1:0:0'),
('opaque persistent [export]', '1:1:1'),
('opaque persistent [copy]', '1:1:0')]:
for to_public in [('pair', '0'),
('public', '1')]:
for to_persistent in [('volatile', '0'),
('persistent', '1')]:
depends = ('\ndepends_on:MBEDTLS_USE_PSA_CRYPTO'
if old[0].startswith('opaque')
else '')
print(f"""\
PSA import into PSA: {old[0]} -> {to_persistent[0]} {to_public[0]}{depends}
pk_import_into_psa_lifetime:{old[1]}:{to_public[1]}:{to_persistent[1]}
""")
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix mbedtls_pk_copy_from_psa() and mbedtls_pk_copy_public_from_psa() to
still work when the algorithm in the key policy is not an RSA
algorithm (typically PSA_ALG_NONE). Add a dedicated test case and adjust the
test code. Fixes the test case "Copy from PSA: non-exportable -> public, RSA"
when MBEDTLS_PKCS1_V15 is disabled.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Document and implement mbedtls_pk_copy_public_from_psa() to export the
public key of a PSA key into PK.
Unit-test it alongside mbedtls_pk_copy_from_psa().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This helps fixing a disparity between the legacy and the USE_PSA
case for rsa_sign_wrap() in pk_wrap.c.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- removed redundant info from data file (i.e. informations that
can be extrapolated somehow)
- removed unecessary parameters in functions
- added some extra check on the generated PK contexts
- etc...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This bugfix was due in PR #8826, but we didn't catch that.
This commit also add proper testing in test_suite_pk that was not implemented
in #8826.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is possible because after #8740 RSA_C no longer depends on
PK to parse and write private/public keys.
This commit also solves related issues that arose after this change
in "pk.c" and "test_suite_pk". In particular now we can use
rsa's module functions for parsing and writing keys without need
to rely on pk_parse and pk_write functions.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit also fixes pk_psa_wrap_sign_ext() setting the RSA padding
mode so that mbedtls_pk_get_psa_attributes() correctly guesses
the PSA alg to be used.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is replaced with: mbedtls_pk_get_psa_attributes() +
mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque().
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
We were testing the internal consistency of the resulting key, and that the
resulting key had the right metadata, but we were not testing that the PSA
key had the expected key material. Comparing the public keys fixes that.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This was only tested with opaque keys. Since the code paths are different
depending on the PK type, we also need to test RSA and ECKEY.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
