Now that key generation has been replaced with parsing predefined
keys, guards for MBEDTLS_PK_PARSE_C need to be added in test
code.
This commits also removes remaining usage of GENPRIME.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit adds "generate_test_keys.py" script to generate
predefined keys used in test_suite_pk. Keys are generated with
"programs/pkey/gen_key" tool and converted to C array using
the python script.
tests/src/test_keys.h is automatically generated using the
above mentioned script.
test_suite_pk is updated in order to use the new format.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Instead of using PK module to import/export the key in a PSA friendly
format:
- for RSA keys we use the DER input data directly;
- for EC keys we extract the private key manually.
This helps avoiding dependencies from PK_WRITE and PK_PARSE.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Add pk_info parameter in order to ease the requirements on the provided
PK context. Now it can simply be initialized, but not setup.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This helps dropping dependency on FS_IO.
This commit also removes DER files that were previusly added and which
are not more needed/used.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
check_pair() is not supported by opaque RSA keys, but we want
to be sure that calling this functions fails nicely instead
for crashing.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
If the wrapped key has a PKCS1 v1.5 signature algorithm, then try
to call sign_ext() to perform PSA RSS. Of course this will fail
because it's not supported by the wrapped key.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
If the public key is exported with mbedtls_pk_write_pubkey_der()
it should be re-imported with mbedtls_pk_parse_public_key().
Alternative options (when PK_WRITE is not defined), i.e.
mbedtls_ecp_point_write_binary() and mbedtls_rsa_write_pubkey(),
export the key in a different format which cannot be parsed by
pk_parse module so mbedtls_ecp_point_read_binary() and
mbedtls_rsa_parse_pubkey() should be used respectively in this
case.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Use mbedtls_test_key_consistency_psa_pk() to verify that the
generated PK contexts match with the original PSA keys instead
of doing sign/verify and encrypt/decrypt.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This bug was not found until now because:
- !PK_[WRITE|PARSE]_C is only tested in component_full_no_pkparse_pkwrite()
- the test only case concerning RSA key had MBEDTLS_PK_WRITE_C as dependency
so it was not executed in that component.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The behavior of the functions is kept intact. Changes concern:
- generate the initial PK context using PSA parameters only; this
allows to remove 1 input parameter for the test function.
- add/fix comments.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Try to perform verify_ext() using the opaque context when the
key type is MBEDTLS_PK_RSASSA_PSS. This currently leads to a
crash while running the test suite and this will be fixed by
the next commit.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Test the behavior of mbedtls_pk_get_psa_attributes() and
mbedtls_pk_import_into_psa() with respect to lifetime. In particular, test
that they work with persistent keys as documented.
Test cases generated by the following script:
```
for old in [('transparent', '0:0:1'),
('opaque volatile [export]', '1:0:1'),
('opaque volatile [copy]', '1:0:0'),
('opaque persistent [export]', '1:1:1'),
('opaque persistent [copy]', '1:1:0')]:
for to_public in [('pair', '0'),
('public', '1')]:
for to_persistent in [('volatile', '0'),
('persistent', '1')]:
depends = ('\ndepends_on:MBEDTLS_USE_PSA_CRYPTO'
if old[0].startswith('opaque')
else '')
print(f"""\
PSA import into PSA: {old[0]} -> {to_persistent[0]} {to_public[0]}{depends}
pk_import_into_psa_lifetime:{old[1]}:{to_public[1]}:{to_persistent[1]}
""")
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
