1/* BEGIN_HEADER */ 2#include "mbedtls/pk.h" 3#include "pk_internal.h" 4 5/* For error codes */ 6#include "mbedtls/asn1.h" 7#include "mbedtls/base64.h" 8#include "mbedtls/ecp.h" 9#include "mbedtls/rsa.h" 10#include "pk_internal.h" 11 12#include <limits.h> 13#include <stdint.h> 14 15/* Needed only for test case data under #if defined(MBEDTLS_USE_PSA_CRYPTO), 16 * but the test code generator requires test case data to be valid C code 17 * unconditionally (https://github.com/Mbed-TLS/mbedtls/issues/2023). */ 18#include "psa/crypto.h" 19#include "md_psa.h" 20 21/* Used for properly sizing the key buffer in pk_genkey_ec() */ 22#include "psa_util_internal.h" 23 24#define RSA_KEY_SIZE MBEDTLS_RSA_GEN_KEY_MIN_BITS 25#define RSA_KEY_LEN (MBEDTLS_RSA_GEN_KEY_MIN_BITS/8) 26 27#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 28static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) 29{ 30 psa_status_t status; 31 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; 32 size_t curve_bits; 33 psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp_id, &curve_bits); 34 int ret; 35 36 if (curve == 0) { 37 return MBEDTLS_ERR_PK_BAD_INPUT_DATA; 38 } 39 40 psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); 41 psa_set_key_bits(&key_attr, curve_bits); 42 psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT | 43 PSA_KEY_USAGE_SIGN_HASH | 44 PSA_KEY_USAGE_SIGN_MESSAGE); 45#if defined(MBEDTLS_ECDSA_DETERMINISTIC) 46 psa_set_key_algorithm(&key_attr, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); 47#else 48 psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); 49#endif 50 51 status = psa_generate_key(&key_attr, &pk->priv_id); 52 if (status != PSA_SUCCESS) { 53 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 54 } 55 56 status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), 57 &pk->pub_raw_len); 58 if (status != PSA_SUCCESS) { 59 ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; 60 goto exit; 61 } 62 63 pk->ec_family = curve; 64 pk->ec_bits = curve_bits; 65 66 return 0; 67 68exit: 69 status = psa_destroy_key(pk->priv_id); 70 return (ret != 0) ? ret : psa_pk_status_to_mbedtls(status); 71} 72#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ 73 74/** Generate a key of the desired type. 75 * 76 * \param pk The PK object to fill. It must have been initialized 77 * with mbedtls_pk_setup(). 78 * \param parameter - For RSA keys, the key size in bits. 79 * - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx). 80 * 81 * \return The status from the underlying type-specific key 82 * generation function. 83 * \return -1 if the key type is not recognized. 84 */ 85static int pk_genkey(mbedtls_pk_context *pk, int parameter) 86{ 87 ((void) pk); 88 (void) parameter; 89 90#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) 91 if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) { 92 return mbedtls_rsa_gen_key(mbedtls_pk_rsa(*pk), 93 mbedtls_test_rnd_std_rand, NULL, 94 parameter, 3); 95 } 96#endif 97#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 98 if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY || 99 mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH || 100 mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) { 101 int ret; 102 103#if defined(MBEDTLS_ECP_C) 104 ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, parameter); 105 if (ret != 0) { 106 return ret; 107 } 108 return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec_rw(*pk)->grp, 109 &mbedtls_pk_ec_rw(*pk)->d, 110 &mbedtls_pk_ec_rw(*pk)->Q, 111 mbedtls_test_rnd_std_rand, NULL); 112#endif /* MBEDTLS_ECP_C */ 113 114#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 115 ret = pk_genkey_ec(pk, parameter); 116 if (ret != 0) { 117 return ret; 118 } 119 120 return 0; 121#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ 122 123 } 124#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 125 return -1; 126} 127 128#if defined(MBEDTLS_RSA_C) 129int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, 130 const unsigned char *input, unsigned char *output, 131 size_t output_max_len) 132{ 133 return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, 134 mbedtls_test_rnd_std_rand, NULL, 135 olen, input, output, output_max_len); 136} 137int mbedtls_rsa_sign_func(void *ctx, 138 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 139 mbedtls_md_type_t md_alg, unsigned int hashlen, 140 const unsigned char *hash, unsigned char *sig) 141{ 142 ((void) f_rng); 143 ((void) p_rng); 144 return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx, 145 mbedtls_test_rnd_std_rand, NULL, 146 md_alg, hashlen, hash, sig); 147} 148size_t mbedtls_rsa_key_len_func(void *ctx) 149{ 150 return ((const mbedtls_rsa_context *) ctx)->len; 151} 152#endif /* MBEDTLS_RSA_C */ 153 154#if defined(MBEDTLS_USE_PSA_CRYPTO) 155 156/* 157 * Generate an ECC key using PSA and return the key identifier of that key, 158 * or 0 if the key generation failed. 159 * The key uses NIST P-256 and is usable for signing with SHA-256. 160 */ 161mbedtls_svc_key_id_t pk_psa_genkey_ecc(void) 162{ 163 mbedtls_svc_key_id_t key; 164 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 165 const psa_key_type_t type = 166 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); 167 const size_t bits = 256; 168 169 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 170 psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); 171 psa_set_key_type(&attributes, type); 172 psa_set_key_bits(&attributes, bits); 173 PSA_ASSERT(psa_generate_key(&attributes, &key)); 174 175exit: 176 return key; 177} 178 179/* 180 * Generate an RSA key using PSA and return the key identifier of that key, 181 * or 0 if the key generation failed. 182 */ 183mbedtls_svc_key_id_t pk_psa_genkey_rsa(void) 184{ 185 mbedtls_svc_key_id_t key; 186 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 187 const psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR; 188 const size_t bits = 1024; 189 190 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 191 psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_SIGN_RAW); 192 psa_set_key_type(&attributes, type); 193 psa_set_key_bits(&attributes, bits); 194 PSA_ASSERT(psa_generate_key(&attributes, &key)); 195 196exit: 197 return key; 198} 199#endif /* MBEDTLS_USE_PSA_CRYPTO */ 200/* END_HEADER */ 201 202/* BEGIN_DEPENDENCIES 203 * depends_on:MBEDTLS_PK_C 204 * END_DEPENDENCIES 205 */ 206 207/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ 208void pk_psa_utils(int key_is_rsa) 209{ 210 mbedtls_pk_context pk, pk2; 211 mbedtls_svc_key_id_t key; 212 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 213 214 const char * const name = "Opaque"; 215 size_t bitlen; 216 217 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 218 unsigned char b1[1], b2[1]; 219 size_t len; 220 mbedtls_pk_debug_item dbg; 221 222 mbedtls_pk_init(&pk); 223 mbedtls_pk_init(&pk2); 224 USE_PSA_INIT(); 225 226 TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, MBEDTLS_SVC_KEY_ID_INIT) == 227 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 228 229 mbedtls_pk_free(&pk); 230 mbedtls_pk_init(&pk); 231 232 if (key_is_rsa) { 233 bitlen = 1024; /* hardcoded in genkey() */ 234 key = pk_psa_genkey_rsa(); 235 } else { 236 bitlen = 256; /* hardcoded in genkey() */ 237 key = pk_psa_genkey_ecc(); 238 } 239 if (mbedtls_svc_key_id_is_null(key)) { 240 goto exit; 241 } 242 243 TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, key) == 0); 244 245 TEST_ASSERT(mbedtls_pk_get_type(&pk) == MBEDTLS_PK_OPAQUE); 246 TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0); 247 248 TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == bitlen); 249 TEST_ASSERT(mbedtls_pk_get_len(&pk) == bitlen / 8); 250 251 if (key_is_rsa) { 252 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 0); 253 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA) == 0); 254 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA) == 1); 255 } else { 256 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 1); 257 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA) == 1); 258 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA) == 0); 259 } 260 261 /* unsupported operations: verify, decrypt, encrypt */ 262 if (key_is_rsa == 1) { 263 TEST_ASSERT(mbedtls_pk_verify(&pk, md_alg, 264 b1, sizeof(b1), b2, sizeof(b2)) 265 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 266 } else { 267 TEST_ASSERT(mbedtls_pk_decrypt(&pk, b1, sizeof(b1), 268 b2, &len, sizeof(b2), 269 NULL, NULL) 270 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 271 } 272 TEST_ASSERT(mbedtls_pk_encrypt(&pk, b1, sizeof(b1), 273 b2, &len, sizeof(b2), 274 NULL, NULL) 275 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 276 277 /* unsupported functions: check_pair, debug */ 278 if (key_is_rsa) { 279 TEST_ASSERT(mbedtls_pk_setup(&pk2, 280 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 281 } else { 282 TEST_ASSERT(mbedtls_pk_setup(&pk2, 283 mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); 284 } 285 TEST_ASSERT(mbedtls_pk_check_pair(&pk, &pk2, 286 mbedtls_test_rnd_std_rand, NULL) 287 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 288 TEST_ASSERT(mbedtls_pk_debug(&pk, &dbg) 289 == MBEDTLS_ERR_PK_TYPE_MISMATCH); 290 291 /* test that freeing the context does not destroy the key */ 292 mbedtls_pk_free(&pk); 293 TEST_ASSERT(PSA_SUCCESS == psa_get_key_attributes(key, &attributes)); 294 TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key)); 295 296exit: 297 /* 298 * Key attributes may have been returned by psa_get_key_attributes() 299 * thus reset them as required. 300 */ 301 psa_reset_key_attributes(&attributes); 302 303 mbedtls_pk_free(&pk); /* redundant except upon error */ 304 mbedtls_pk_free(&pk2); 305 USE_PSA_DONE(); 306} 307/* END_CASE */ 308 309/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */ 310void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg, 311 int key_alg2, int parameter, int alg_check, int usage_check, 312 int result) 313{ 314 mbedtls_pk_context pk; 315 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 316 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 317 318 mbedtls_pk_init(&pk); 319 USE_PSA_INIT(); 320 321 if (opaque_key == 1) { 322 psa_set_key_usage_flags(&attributes, key_usage); 323 psa_set_key_algorithm(&attributes, key_alg); 324 if (key_alg2 != 0) { 325 psa_set_key_enrollment_algorithm(&attributes, key_alg2); 326 } 327 psa_set_key_type(&attributes, key_type); 328 psa_set_key_bits(&attributes, parameter); 329 330 PSA_ASSERT(psa_generate_key(&attributes, &key)); 331 332 if (mbedtls_svc_key_id_is_null(key)) { 333 goto exit; 334 } 335 336 TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key), 0); 337 338 TEST_EQUAL(mbedtls_pk_get_type(&pk), MBEDTLS_PK_OPAQUE); 339 } else { 340 TEST_EQUAL(mbedtls_pk_setup(&pk, 341 mbedtls_pk_info_from_type(key_type)), 0); 342 TEST_EQUAL(pk_genkey(&pk, parameter), 0); 343 TEST_EQUAL(mbedtls_pk_get_type(&pk), key_type); 344 } 345 346 TEST_EQUAL(mbedtls_pk_can_do_ext(&pk, alg_check, usage_check), result); 347 348exit: 349 psa_reset_key_attributes(&attributes); 350 PSA_ASSERT(psa_destroy_key(key)); 351 mbedtls_pk_free(&pk); 352 USE_PSA_DONE(); 353} 354/* END_CASE */ 355 356/* BEGIN_CASE */ 357void pk_invalid_param() 358{ 359 mbedtls_pk_context ctx; 360 mbedtls_pk_type_t pk_type = 0; 361 unsigned char buf[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; 362 size_t buf_size = sizeof(buf); 363 364 mbedtls_pk_init(&ctx); 365 USE_PSA_INIT(); 366 367 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 368 mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_NONE, 369 NULL, buf_size, 370 buf, buf_size, 371 NULL)); 372 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 373 mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_SHA256, 374 NULL, 0, 375 buf, buf_size, 376 NULL)); 377 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 378 mbedtls_pk_verify_ext(pk_type, NULL, 379 &ctx, MBEDTLS_MD_NONE, 380 NULL, buf_size, 381 buf, buf_size)); 382 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 383 mbedtls_pk_verify_ext(pk_type, NULL, 384 &ctx, MBEDTLS_MD_SHA256, 385 NULL, 0, 386 buf, buf_size)); 387 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 388 mbedtls_pk_sign_restartable(&ctx, MBEDTLS_MD_NONE, 389 NULL, buf_size, 390 buf, buf_size, &buf_size, 391 NULL, NULL, 392 NULL)); 393 TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA, 394 mbedtls_pk_sign_restartable(&ctx, MBEDTLS_MD_SHA256, 395 NULL, 0, 396 buf, buf_size, &buf_size, 397 NULL, NULL, 398 NULL)); 399exit: 400 mbedtls_pk_free(&ctx); 401 USE_PSA_DONE(); 402} 403/* END_CASE */ 404 405/* BEGIN_CASE */ 406void valid_parameters() 407{ 408 mbedtls_pk_context pk; 409 unsigned char buf[1]; 410 size_t len; 411 void *options = NULL; 412 413 mbedtls_pk_init(&pk); 414 USE_PSA_INIT(); 415 416 TEST_ASSERT(mbedtls_pk_setup(&pk, NULL) == 417 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 418 419 /* In informational functions, we accept NULL where a context pointer 420 * is expected because that's what the library has done forever. 421 * We do not document that NULL is accepted, so we may wish to change 422 * the behavior in a future version. */ 423 TEST_ASSERT(mbedtls_pk_get_bitlen(NULL) == 0); 424 TEST_ASSERT(mbedtls_pk_get_len(NULL) == 0); 425 TEST_ASSERT(mbedtls_pk_can_do(NULL, MBEDTLS_PK_NONE) == 0); 426 427 TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, 428 MBEDTLS_MD_NONE, 429 NULL, 0, 430 buf, sizeof(buf), &len, 431 mbedtls_test_rnd_std_rand, NULL, 432 NULL) == 433 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 434 435 TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, 436 MBEDTLS_MD_NONE, 437 NULL, 0, 438 buf, sizeof(buf), &len, 439 mbedtls_test_rnd_std_rand, NULL, 440 NULL) == 441 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 442 443 TEST_ASSERT(mbedtls_pk_sign(&pk, 444 MBEDTLS_MD_NONE, 445 NULL, 0, 446 buf, sizeof(buf), &len, 447 mbedtls_test_rnd_std_rand, NULL) == 448 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 449 450 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, 451 MBEDTLS_MD_NONE, 452 NULL, 0, 453 buf, sizeof(buf), 454 NULL) == 455 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 456 457 TEST_ASSERT(mbedtls_pk_verify(&pk, 458 MBEDTLS_MD_NONE, 459 NULL, 0, 460 buf, sizeof(buf)) == 461 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 462 463 TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_NONE, options, 464 &pk, 465 MBEDTLS_MD_NONE, 466 NULL, 0, 467 buf, sizeof(buf)) == 468 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 469 470 TEST_ASSERT(mbedtls_pk_encrypt(&pk, 471 NULL, 0, 472 NULL, &len, 0, 473 mbedtls_test_rnd_std_rand, NULL) == 474 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 475 476 TEST_ASSERT(mbedtls_pk_decrypt(&pk, 477 NULL, 0, 478 NULL, &len, 0, 479 mbedtls_test_rnd_std_rand, NULL) == 480 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 481 482#if defined(MBEDTLS_PK_PARSE_C) 483 TEST_ASSERT(mbedtls_pk_parse_key(&pk, NULL, 0, NULL, 1, 484 mbedtls_test_rnd_std_rand, NULL) == 485 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT); 486 487 TEST_ASSERT(mbedtls_pk_parse_public_key(&pk, NULL, 0) == 488 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT); 489#endif /* MBEDTLS_PK_PARSE_C */ 490 USE_PSA_DONE(); 491} 492/* END_CASE */ 493 494/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C */ 495void valid_parameters_pkwrite(data_t *key_data) 496{ 497 mbedtls_pk_context pk; 498 499 /* For the write tests to be effective, we need a valid key pair. */ 500 mbedtls_pk_init(&pk); 501 USE_PSA_INIT(); 502 503 TEST_ASSERT(mbedtls_pk_parse_key(&pk, 504 key_data->x, key_data->len, NULL, 0, 505 mbedtls_test_rnd_std_rand, NULL) == 0); 506 507 TEST_ASSERT(mbedtls_pk_write_key_der(&pk, NULL, 0) == 508 MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 509 510 TEST_ASSERT(mbedtls_pk_write_pubkey_der(&pk, NULL, 0) == 511 MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 512 513#if defined(MBEDTLS_PEM_WRITE_C) 514 TEST_ASSERT(mbedtls_pk_write_key_pem(&pk, NULL, 0) == 515 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL); 516 517 TEST_ASSERT(mbedtls_pk_write_pubkey_pem(&pk, NULL, 0) == 518 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL); 519#endif /* MBEDTLS_PEM_WRITE_C */ 520 521exit: 522 mbedtls_pk_free(&pk); 523 USE_PSA_DONE(); 524} 525/* END_CASE */ 526 527/* BEGIN_CASE */ 528void pk_utils(int type, int parameter, int bitlen, int len, char *name) 529{ 530 mbedtls_pk_context pk; 531 532 mbedtls_pk_init(&pk); 533 USE_PSA_INIT(); 534 535 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 536 TEST_ASSERT(pk_genkey(&pk, parameter) == 0); 537 538 TEST_ASSERT((int) mbedtls_pk_get_type(&pk) == type); 539 TEST_ASSERT(mbedtls_pk_can_do(&pk, type)); 540 TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == (unsigned) bitlen); 541 TEST_ASSERT(mbedtls_pk_get_len(&pk) == (unsigned) len); 542 TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0); 543 544exit: 545 mbedtls_pk_free(&pk); 546 USE_PSA_DONE(); 547} 548/* END_CASE */ 549 550/* BEGIN_CASE depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_FS_IO */ 551void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) 552{ 553 mbedtls_pk_context pub, prv, alt; 554#if defined(MBEDTLS_USE_PSA_CRYPTO) 555 mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; 556#endif /* MBEDTLS_USE_PSA_CRYPTO */ 557 558 mbedtls_pk_init(&pub); 559 mbedtls_pk_init(&prv); 560 mbedtls_pk_init(&alt); 561 USE_PSA_INIT(); 562 563#if defined(MBEDTLS_USE_PSA_CRYPTO) 564 /* mbedtls_pk_check_pair() returns either PK or ECP error codes depending 565 on MBEDTLS_USE_PSA_CRYPTO so here we dynamically translate between the 566 two */ 567 if (ret == MBEDTLS_ERR_ECP_BAD_INPUT_DATA) { 568 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; 569 } 570#endif /* MBEDTLS_USE_PSA_CRYPTO */ 571 572 TEST_ASSERT(mbedtls_pk_parse_public_keyfile(&pub, pub_file) == 0); 573 TEST_ASSERT(mbedtls_pk_parse_keyfile(&prv, prv_file, NULL, 574 mbedtls_test_rnd_std_rand, NULL) 575 == 0); 576 577 TEST_ASSERT(mbedtls_pk_check_pair(&pub, &prv, 578 mbedtls_test_rnd_std_rand, NULL) 579 == ret); 580 581#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 582 if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_RSA) { 583 TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&alt, mbedtls_pk_rsa(prv), 584 mbedtls_rsa_decrypt_func, mbedtls_rsa_sign_func, 585 mbedtls_rsa_key_len_func) == 0); 586 TEST_ASSERT(mbedtls_pk_check_pair(&pub, &alt, 587 mbedtls_test_rnd_std_rand, NULL) 588 == ret); 589 } 590#endif 591#if defined(MBEDTLS_USE_PSA_CRYPTO) 592 if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) { 593 TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id, 594 PSA_ALG_ANY_HASH, 595 PSA_KEY_USAGE_EXPORT, 0), 0); 596 TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, 597 NULL), ret); 598 } 599#endif 600 601exit: 602#if defined(MBEDTLS_USE_PSA_CRYPTO) 603 psa_destroy_key(opaque_key_id); 604#endif /* MBEDTLS_USE_PSA_CRYPTO */ 605 mbedtls_pk_free(&pub); 606 mbedtls_pk_free(&prv); 607 mbedtls_pk_free(&alt); 608 USE_PSA_DONE(); 609} 610/* END_CASE */ 611 612/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 613void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod, 614 char *input_N, char *input_E, 615 data_t *result_str, int result) 616{ 617 mbedtls_rsa_context *rsa; 618 mbedtls_pk_context pk; 619 mbedtls_pk_restart_ctx *rs_ctx = NULL; 620#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 621 mbedtls_pk_restart_ctx ctx; 622 623 rs_ctx = &ctx; 624 mbedtls_pk_restart_init(rs_ctx); 625 // this setting would ensure restart would happen if ECC was used 626 mbedtls_ecp_set_max_ops(1); 627#endif 628 629 mbedtls_pk_init(&pk); 630 USE_PSA_INIT(); 631 632 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 633 rsa = mbedtls_pk_rsa(pk); 634 635 rsa->len = mod / 8; 636 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); 637 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); 638 639 TEST_ASSERT(mbedtls_pk_verify(&pk, digest, message_str->x, 0, 640 result_str->x, mbedtls_pk_get_len(&pk)) == result); 641 642 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0, 643 result_str->x, mbedtls_pk_get_len( 644 &pk), rs_ctx) == result); 645 646exit: 647#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 648 mbedtls_pk_restart_free(rs_ctx); 649#endif 650 mbedtls_pk_free(&pk); 651 USE_PSA_DONE(); 652} 653/* END_CASE */ 654 655/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 656void pk_rsa_verify_ext_test_vec(data_t *message_str, int digest, 657 int mod, char *input_N, 658 char *input_E, data_t *result_str, 659 int pk_type, int mgf1_hash_id, 660 int salt_len, int sig_len, 661 int result) 662{ 663 mbedtls_rsa_context *rsa; 664 mbedtls_pk_context pk; 665 mbedtls_pk_rsassa_pss_options pss_opts; 666 void *options; 667 int ret; 668 669 mbedtls_pk_init(&pk); 670 MD_OR_USE_PSA_INIT(); 671 672 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 673 rsa = mbedtls_pk_rsa(pk); 674 675 rsa->len = mod / 8; 676 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); 677 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); 678 679 680 if (mgf1_hash_id < 0) { 681 options = NULL; 682 } else { 683 options = &pss_opts; 684 685 pss_opts.mgf1_hash_id = mgf1_hash_id; 686 pss_opts.expected_salt_len = salt_len; 687 } 688 689 ret = mbedtls_pk_verify_ext(pk_type, options, &pk, 690 digest, message_str->x, message_str->len, 691 result_str->x, sig_len); 692 693#if defined(MBEDTLS_USE_PSA_CRYPTO) 694 if (result == MBEDTLS_ERR_RSA_INVALID_PADDING) { 695 /* Mbed TLS distinguishes "invalid padding" from "valid padding but 696 * the rest of the signature is invalid". This has little use in 697 * practice and PSA doesn't report this distinction. 698 * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated 699 * to MBEDTLS_ERR_RSA_VERIFY_FAILED. 700 * However, currently `mbedtls_pk_verify_ext()` may use either the 701 * PSA or the Mbed TLS API, depending on the PSS options used. 702 * So, it may return either INVALID_PADDING or INVALID_SIGNATURE. 703 */ 704 TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED); 705 } else 706#endif 707 { 708 TEST_EQUAL(ret, result); 709 } 710 711exit: 712 mbedtls_pk_free(&pk); 713 MD_OR_USE_PSA_DONE(); 714} 715/* END_CASE */ 716 717/* BEGIN_CASE depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY */ 718void pk_ec_test_vec(int type, int id, data_t *key, data_t *hash, 719 data_t *sig, int ret) 720{ 721 mbedtls_pk_context pk; 722 723 mbedtls_pk_init(&pk); 724 USE_PSA_INIT(); 725 726 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 727 728 TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA)); 729#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) 730 TEST_ASSERT(key->len <= MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN); 731 memcpy(pk.pub_raw, key->x, key->len); 732 pk.ec_family = mbedtls_ecc_group_to_psa(id, &(pk.ec_bits)); 733 pk.pub_raw_len = key->len; 734#else 735 mbedtls_ecp_keypair *eckey = (mbedtls_ecp_keypair *) mbedtls_pk_ec(pk); 736 737 TEST_ASSERT(mbedtls_ecp_group_load(&eckey->grp, id) == 0); 738 TEST_ASSERT(mbedtls_ecp_point_read_binary(&eckey->grp, &eckey->Q, 739 key->x, key->len) == 0); 740#endif 741 742 // MBEDTLS_MD_NONE is used since it will be ignored. 743 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, 744 hash->x, hash->len, sig->x, sig->len) == ret); 745 746exit: 747 mbedtls_pk_free(&pk); 748 USE_PSA_DONE(); 749} 750/* END_CASE */ 751 752/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC */ 753void pk_sign_verify_restart(int pk_type, int grp_id, char *d_str, 754 char *QX_str, char *QY_str, 755 int md_alg, data_t *hash, data_t *sig_check, 756 int max_ops, int min_restart, int max_restart) 757{ 758 int ret, cnt_restart; 759 mbedtls_pk_restart_ctx rs_ctx; 760 mbedtls_pk_context prv, pub; 761 unsigned char sig[MBEDTLS_ECDSA_MAX_LEN]; 762 size_t slen; 763 764 mbedtls_pk_restart_init(&rs_ctx); 765 mbedtls_pk_init(&prv); 766 mbedtls_pk_init(&pub); 767 USE_PSA_INIT(); 768 769 memset(sig, 0, sizeof(sig)); 770 771 TEST_ASSERT(mbedtls_pk_setup(&prv, mbedtls_pk_info_from_type(pk_type)) == 0); 772 TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(prv)->grp, grp_id) == 0); 773 TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec_rw(prv)->d, d_str) == 0); 774 775 TEST_ASSERT(mbedtls_pk_setup(&pub, mbedtls_pk_info_from_type(pk_type)) == 0); 776 TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(pub)->grp, grp_id) == 0); 777 TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec_rw(pub)->Q, 16, QX_str, QY_str) == 0); 778 779 mbedtls_ecp_set_max_ops(max_ops); 780 781 slen = sizeof(sig); 782 cnt_restart = 0; 783 do { 784 ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len, 785 sig, sizeof(sig), &slen, 786 mbedtls_test_rnd_std_rand, NULL, 787 &rs_ctx); 788 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 789 790 TEST_ASSERT(ret == 0); 791 TEST_ASSERT(slen == sig_check->len); 792 TEST_ASSERT(memcmp(sig, sig_check->x, slen) == 0); 793 794 TEST_ASSERT(cnt_restart >= min_restart); 795 TEST_ASSERT(cnt_restart <= max_restart); 796 797 cnt_restart = 0; 798 do { 799 ret = mbedtls_pk_verify_restartable(&pub, md_alg, 800 hash->x, hash->len, sig, slen, &rs_ctx); 801 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart); 802 803 TEST_ASSERT(ret == 0); 804 TEST_ASSERT(cnt_restart >= min_restart); 805 TEST_ASSERT(cnt_restart <= max_restart); 806 807 sig[0]++; 808 do { 809 ret = mbedtls_pk_verify_restartable(&pub, md_alg, 810 hash->x, hash->len, sig, slen, &rs_ctx); 811 } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 812 TEST_ASSERT(ret != 0); 813 sig[0]--; 814 815 /* Do we leak memory when aborting? try verify then sign 816 * This test only makes sense when we actually restart */ 817 if (min_restart > 0) { 818 ret = mbedtls_pk_verify_restartable(&pub, md_alg, 819 hash->x, hash->len, sig, slen, &rs_ctx); 820 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 821 mbedtls_pk_restart_free(&rs_ctx); 822 823 slen = sizeof(sig); 824 ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len, 825 sig, sizeof(sig), &slen, 826 mbedtls_test_rnd_std_rand, NULL, 827 &rs_ctx); 828 TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS); 829 } 830 831exit: 832 mbedtls_pk_restart_free(&rs_ctx); 833 mbedtls_pk_free(&prv); 834 mbedtls_pk_free(&pub); 835 USE_PSA_DONE(); 836} 837/* END_CASE */ 838 839/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */ 840void pk_sign_verify(int type, int parameter, int sign_ret, int verify_ret) 841{ 842 mbedtls_pk_context pk; 843 size_t sig_len; 844 unsigned char hash[32]; // Hard-coded for SHA256 845 size_t hash_len = sizeof(hash); 846 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 847 void *rs_ctx = NULL; 848#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 849 mbedtls_pk_restart_ctx ctx; 850 851 rs_ctx = &ctx; 852 mbedtls_pk_restart_init(rs_ctx); 853 /* This value is large enough that the operation will complete in one run. 854 * See comments at the top of ecp_test_vect_restart in 855 * test_suite_ecp.function for estimates of operation counts. */ 856 mbedtls_ecp_set_max_ops(42000); 857#endif 858 859 mbedtls_pk_init(&pk); 860 MD_OR_USE_PSA_INIT(); 861 862 memset(hash, 0x2a, sizeof(hash)); 863 memset(sig, 0, sizeof(sig)); 864 865 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 866 TEST_ASSERT(pk_genkey(&pk, parameter) == 0); 867 868 TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256, 869 hash, hash_len, 870 sig, sizeof(sig), &sig_len, 871 mbedtls_test_rnd_std_rand, NULL, 872 rs_ctx) == sign_ret); 873 if (sign_ret == 0) { 874 TEST_ASSERT(sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE); 875 } else { 876 sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE; 877 } 878 879 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 880 hash, hash_len, sig, sig_len) == verify_ret); 881 882 if (verify_ret == 0) { 883 hash[0]++; 884 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 885 hash, hash_len, sig, sig_len) != 0); 886 hash[0]--; 887 888 sig[0]++; 889 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 890 hash, hash_len, sig, sig_len) != 0); 891 sig[0]--; 892 } 893 894 TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, hash_len, 895 sig, sizeof(sig), &sig_len, 896 mbedtls_test_rnd_std_rand, 897 NULL) == sign_ret); 898 if (sign_ret == 0) { 899 TEST_ASSERT(sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE); 900 } else { 901 sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE; 902 } 903 904 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256, 905 hash, hash_len, sig, sig_len, rs_ctx) == verify_ret); 906 907 if (verify_ret == 0) { 908 hash[0]++; 909 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256, 910 hash, sizeof(hash), sig, sig_len, rs_ctx) != 0); 911 hash[0]--; 912 913 sig[0]++; 914 TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256, 915 hash, sizeof(hash), sig, sig_len, rs_ctx) != 0); 916 sig[0]--; 917 } 918 919exit: 920#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 921 mbedtls_pk_restart_free(rs_ctx); 922#endif 923 mbedtls_pk_free(&pk); 924 MD_OR_USE_PSA_DONE(); 925} 926/* END_CASE */ 927 928/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 929void pk_rsa_encrypt_decrypt_test(data_t *message, int mod, 930 char *input_P, char *input_Q, 931 char *input_N, char *input_E, 932 int ret) 933{ 934 unsigned char output[300], result[300]; 935 mbedtls_test_rnd_pseudo_info rnd_info; 936 mbedtls_mpi N, P, Q, E; 937 mbedtls_rsa_context *rsa; 938 mbedtls_pk_context pk; 939 size_t olen, rlen; 940 941 mbedtls_pk_init(&pk); 942 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 943 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 944 USE_PSA_INIT(); 945 946 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 947 memset(output, 0, sizeof(output)); 948 949 /* encryption test */ 950 951 /* init pk-rsa context */ 952 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 953 rsa = mbedtls_pk_rsa(pk); 954 955 /* load public key */ 956 rsa->len = mod / 8; 957 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0); 958 TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0); 959 960 TEST_ASSERT(mbedtls_pk_encrypt(&pk, message->x, message->len, 961 output, &olen, sizeof(output), 962 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 963 964 /* decryption test */ 965 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 966 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 967 968 /* init pk-rsa context */ 969 mbedtls_pk_free(&pk); 970 TEST_ASSERT(mbedtls_pk_setup(&pk, 971 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 972 rsa = mbedtls_pk_rsa(pk); 973 974 /* load public key */ 975 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); 976 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); 977 978 /* load private key */ 979 TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0); 980 TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0); 981 TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0); 982 TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8)); 983 TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0); 984 985 memset(result, 0, sizeof(result)); 986 rlen = 0; 987 TEST_ASSERT(mbedtls_pk_decrypt(&pk, output, olen, 988 result, &rlen, sizeof(result), 989 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 990 if (ret == 0) { 991 TEST_ASSERT(rlen == message->len); 992 TEST_ASSERT(memcmp(result, message->x, rlen) == 0); 993 } 994 995exit: 996 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); 997 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); 998 mbedtls_pk_free(&pk); 999 USE_PSA_DONE(); 1000} 1001/* END_CASE */ 1002 1003/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1004void pk_rsa_decrypt_test_vec(data_t *cipher, int mod, 1005 char *input_P, char *input_Q, 1006 char *input_N, char *input_E, 1007 data_t *clear, int ret) 1008{ 1009 unsigned char output[256]; 1010 mbedtls_test_rnd_pseudo_info rnd_info; 1011 mbedtls_mpi N, P, Q, E; 1012 mbedtls_rsa_context *rsa; 1013 mbedtls_pk_context pk; 1014 size_t olen; 1015 1016 mbedtls_pk_init(&pk); 1017 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 1018 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 1019 USE_PSA_INIT(); 1020 1021 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1022 1023 /* init pk-rsa context */ 1024 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1025 rsa = mbedtls_pk_rsa(pk); 1026 1027 /* load public key */ 1028 TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0); 1029 TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0); 1030 1031 /* load private key */ 1032 TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0); 1033 TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0); 1034 TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0); 1035 TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8)); 1036 TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0); 1037 1038 /* decryption test */ 1039 memset(output, 0, sizeof(output)); 1040 olen = 0; 1041 TEST_ASSERT(mbedtls_pk_decrypt(&pk, cipher->x, cipher->len, 1042 output, &olen, sizeof(output), 1043 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1044 if (ret == 0) { 1045 TEST_ASSERT(olen == clear->len); 1046 TEST_ASSERT(memcmp(output, clear->x, olen) == 0); 1047 } 1048 1049exit: 1050 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); 1051 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); 1052 mbedtls_pk_free(&pk); 1053 USE_PSA_DONE(); 1054} 1055/* END_CASE */ 1056 1057/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_USE_PSA_CRYPTO */ 1058void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod, 1059 char *input_P, char *input_Q, 1060 char *input_N, char *input_E, 1061 data_t *clear, int ret) 1062{ 1063 unsigned char output[256]; 1064 mbedtls_test_rnd_pseudo_info rnd_info; 1065 mbedtls_mpi N, P, Q, E; 1066 mbedtls_rsa_context *rsa; 1067 mbedtls_pk_context pk; 1068 mbedtls_svc_key_id_t key_id; 1069 size_t olen; 1070 1071 mbedtls_pk_init(&pk); 1072 mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); 1073 mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E); 1074 USE_PSA_INIT(); 1075 1076 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1077 1078 /* init pk-rsa context */ 1079 TEST_EQUAL(mbedtls_pk_setup(&pk, 1080 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0); 1081 rsa = mbedtls_pk_rsa(pk); 1082 1083 /* load public key */ 1084 TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0); 1085 TEST_EQUAL(mbedtls_test_read_mpi(&E, input_E), 0); 1086 1087 /* load private key */ 1088 TEST_EQUAL(mbedtls_test_read_mpi(&P, input_P), 0); 1089 TEST_EQUAL(mbedtls_test_read_mpi(&Q, input_Q), 0); 1090 TEST_EQUAL(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E), 0); 1091 TEST_EQUAL(mbedtls_rsa_get_len(rsa), (size_t) (mod / 8)); 1092 TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); 1093 1094 /* Turn PK context into an opaque one. */ 1095 TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, 1096 PSA_ALG_RSA_PKCS1V15_CRYPT, 1097 PSA_KEY_USAGE_DECRYPT, 1098 PSA_ALG_NONE), 0); 1099 1100 /* decryption test */ 1101 memset(output, 0, sizeof(output)); 1102 olen = 0; 1103 TEST_EQUAL(mbedtls_pk_decrypt(&pk, cipher->x, cipher->len, 1104 output, &olen, sizeof(output), 1105 mbedtls_test_rnd_pseudo_rand, &rnd_info), ret); 1106 if (ret == 0) { 1107 TEST_EQUAL(olen, clear->len); 1108 TEST_EQUAL(memcmp(output, clear->x, olen), 0); 1109 } 1110 1111 TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id)); 1112 1113exit: 1114 mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); 1115 mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E); 1116 mbedtls_pk_free(&pk); 1117 USE_PSA_DONE(); 1118} 1119/* END_CASE */ 1120 1121/* BEGIN_CASE */ 1122void pk_ec_nocrypt(int type) 1123{ 1124 mbedtls_pk_context pk; 1125 unsigned char output[100]; 1126 unsigned char input[100]; 1127 mbedtls_test_rnd_pseudo_info rnd_info; 1128 size_t olen = 0; 1129 int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; 1130 1131 mbedtls_pk_init(&pk); 1132 USE_PSA_INIT(); 1133 1134 memset(&rnd_info, 0, sizeof(mbedtls_test_rnd_pseudo_info)); 1135 memset(output, 0, sizeof(output)); 1136 memset(input, 0, sizeof(input)); 1137 1138 TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); 1139 1140 TEST_ASSERT(mbedtls_pk_encrypt(&pk, input, sizeof(input), 1141 output, &olen, sizeof(output), 1142 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1143 1144 TEST_ASSERT(mbedtls_pk_decrypt(&pk, input, sizeof(input), 1145 output, &olen, sizeof(output), 1146 mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret); 1147 1148exit: 1149 mbedtls_pk_free(&pk); 1150 USE_PSA_DONE(); 1151} 1152/* END_CASE */ 1153 1154/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ 1155void pk_rsa_overflow() 1156{ 1157 mbedtls_pk_context pk; 1158 size_t hash_len = UINT_MAX + 1, sig_len = UINT_MAX + 1; 1159 unsigned char hash[50], sig[100]; 1160 1161 mbedtls_pk_init(&pk); 1162 USE_PSA_INIT(); 1163 1164 memset(hash, 0x2a, sizeof(hash)); 1165 memset(sig, 0, sizeof(sig)); 1166 1167 TEST_ASSERT(mbedtls_pk_setup(&pk, 1168 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1169 1170#if defined(MBEDTLS_PKCS1_V21) 1171 TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk, 1172 MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len) == 1173 MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1174#endif /* MBEDTLS_PKCS1_V21 */ 1175 1176 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len, 1177 sig, sig_len) == MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1178 1179 TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len, 1180 sig, sizeof(sig), &sig_len, 1181 mbedtls_test_rnd_std_rand, NULL) 1182 == MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1183 1184exit: 1185 mbedtls_pk_free(&pk); 1186 USE_PSA_DONE(); 1187} 1188/* END_CASE */ 1189 1190/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_PK_RSA_ALT_SUPPORT */ 1191void pk_rsa_alt() 1192{ 1193 /* 1194 * An rsa_alt context can only do private operations (decrypt, sign). 1195 * Test it against the public operations (encrypt, verify) of a 1196 * corresponding rsa context. 1197 */ 1198 mbedtls_rsa_context raw; 1199 mbedtls_pk_context rsa, alt; 1200 mbedtls_pk_debug_item dbg_items[10]; 1201 unsigned char hash[50], sig[RSA_KEY_LEN]; 1202 unsigned char msg[50], ciph[RSA_KEY_LEN], test[50]; 1203 size_t sig_len, ciph_len, test_len; 1204 int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; 1205 1206 mbedtls_rsa_init(&raw); 1207 mbedtls_pk_init(&rsa); 1208 mbedtls_pk_init(&alt); 1209 USE_PSA_INIT(); 1210 1211 memset(hash, 0x2a, sizeof(hash)); 1212 memset(sig, 0, sizeof(sig)); 1213 memset(msg, 0x2a, sizeof(msg)); 1214 memset(ciph, 0, sizeof(ciph)); 1215 memset(test, 0, sizeof(test)); 1216 1217 /* Initialize PK RSA context with random key */ 1218 TEST_ASSERT(mbedtls_pk_setup(&rsa, 1219 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1220 TEST_ASSERT(pk_genkey(&rsa, RSA_KEY_SIZE) == 0); 1221 1222 /* Extract key to the raw rsa context */ 1223 TEST_ASSERT(mbedtls_rsa_copy(&raw, mbedtls_pk_rsa(rsa)) == 0); 1224 1225 /* Initialize PK RSA_ALT context */ 1226 TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&alt, (void *) &raw, 1227 mbedtls_rsa_decrypt_func, mbedtls_rsa_sign_func, 1228 mbedtls_rsa_key_len_func) == 0); 1229 1230 /* Test administrative functions */ 1231 TEST_ASSERT(mbedtls_pk_can_do(&alt, MBEDTLS_PK_RSA)); 1232 TEST_ASSERT(mbedtls_pk_get_bitlen(&alt) == RSA_KEY_SIZE); 1233 TEST_ASSERT(mbedtls_pk_get_len(&alt) == RSA_KEY_LEN); 1234 TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT); 1235 TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0); 1236 1237 /* Test signature */ 1238#if SIZE_MAX > UINT_MAX 1239 TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX, 1240 sig, sizeof(sig), &sig_len, 1241 mbedtls_test_rnd_std_rand, NULL) 1242 == MBEDTLS_ERR_PK_BAD_INPUT_DATA); 1243#endif /* SIZE_MAX > UINT_MAX */ 1244 TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, sizeof(hash), 1245 sig, sizeof(sig), &sig_len, 1246 mbedtls_test_rnd_std_rand, NULL) 1247 == 0); 1248 TEST_ASSERT(sig_len == RSA_KEY_LEN); 1249 TEST_ASSERT(mbedtls_pk_verify(&rsa, MBEDTLS_MD_NONE, 1250 hash, sizeof(hash), sig, sig_len) == 0); 1251 1252 /* Test decrypt */ 1253 TEST_ASSERT(mbedtls_pk_encrypt(&rsa, msg, sizeof(msg), 1254 ciph, &ciph_len, sizeof(ciph), 1255 mbedtls_test_rnd_std_rand, NULL) == 0); 1256 TEST_ASSERT(mbedtls_pk_decrypt(&alt, ciph, ciph_len, 1257 test, &test_len, sizeof(test), 1258 mbedtls_test_rnd_std_rand, NULL) == 0); 1259 TEST_ASSERT(test_len == sizeof(msg)); 1260 TEST_ASSERT(memcmp(test, msg, test_len) == 0); 1261 1262 /* Test forbidden operations */ 1263 TEST_ASSERT(mbedtls_pk_encrypt(&alt, msg, sizeof(msg), 1264 ciph, &ciph_len, sizeof(ciph), 1265 mbedtls_test_rnd_std_rand, NULL) == ret); 1266 TEST_ASSERT(mbedtls_pk_verify(&alt, MBEDTLS_MD_NONE, 1267 hash, sizeof(hash), sig, sig_len) == ret); 1268 TEST_ASSERT(mbedtls_pk_debug(&alt, dbg_items) == ret); 1269 1270exit: 1271 mbedtls_rsa_free(&raw); 1272 mbedtls_pk_free(&rsa); mbedtls_pk_free(&alt); 1273 USE_PSA_DONE(); 1274} 1275/* END_CASE */ 1276 1277/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO */ 1278void pk_psa_sign(int parameter_arg, 1279 int psa_type_arg, int expected_bits_arg) 1280{ 1281 mbedtls_pk_context pk; 1282 unsigned char hash[32]; 1283 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 1284 unsigned char pkey_legacy[200]; 1285 unsigned char pkey_psa[200]; 1286 unsigned char *pkey_legacy_start, *pkey_psa_start; 1287 psa_algorithm_t alg_psa; 1288 size_t sig_len, klen_legacy, klen_psa; 1289 int ret; 1290 mbedtls_svc_key_id_t key_id; 1291 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1292 psa_key_type_t expected_type = psa_type_arg; 1293 size_t expected_bits = expected_bits_arg; 1294 1295 /* 1296 * This tests making signatures with a wrapped PSA key: 1297 * - generate a fresh ECP/RSA legacy PK context 1298 * - wrap it in a PK context and make a signature this way 1299 * - extract the public key 1300 * - parse it to a PK context and verify the signature this way 1301 */ 1302 1303 mbedtls_pk_init(&pk); 1304 USE_PSA_INIT(); 1305 1306#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) 1307 if (PSA_KEY_TYPE_IS_RSA(psa_type_arg)) { 1308 /* Create legacy RSA public/private key in PK context. */ 1309 TEST_ASSERT(mbedtls_pk_setup(&pk, 1310 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); 1311 TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), 1312 mbedtls_test_rnd_std_rand, NULL, 1313 parameter_arg, 3) == 0); 1314 alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256); 1315 } else 1316#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ 1317#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) 1318 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) { 1319 mbedtls_ecp_group_id grpid = parameter_arg; 1320 1321 /* Create legacy EC public/private key in PK context. */ 1322 TEST_ASSERT(mbedtls_pk_setup(&pk, 1323 mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); 1324 TEST_ASSERT(pk_genkey(&pk, grpid) == 0); 1325 1326 alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256); 1327 } else 1328#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ 1329 { 1330 (void) parameter_arg; 1331 TEST_ASSUME(!"Opaque PK key not supported in this configuration"); 1332 } 1333 1334 /* Export underlying public key for re-importing in a legacy context. */ 1335#if defined(MBEDTLS_PK_WRITE_C) 1336 ret = mbedtls_pk_write_pubkey_der(&pk, pkey_legacy, 1337 sizeof(pkey_legacy)); 1338 TEST_ASSERT(ret >= 0); 1339 klen_legacy = (size_t) ret; 1340 /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ 1341 pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy; 1342#else 1343 ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(pk)->grp), 1344 &(mbedtls_pk_ec_ro(pk)->Q), 1345 MBEDTLS_ECP_PF_UNCOMPRESSED, 1346 &klen_legacy, pkey_legacy, 1347 sizeof(pkey_legacy)); 1348 TEST_EQUAL(ret, 0); 1349 pkey_legacy_start = pkey_legacy; 1350#endif /* MBEDTLS_PK_WRITE_C */ 1351 1352 /* Turn PK context into an opaque one. */ 1353 TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa, 1354 PSA_KEY_USAGE_SIGN_HASH, 1355 PSA_ALG_NONE) == 0); 1356 1357 PSA_ASSERT(psa_get_key_attributes(key_id, &attributes)); 1358 TEST_EQUAL(psa_get_key_type(&attributes), expected_type); 1359 TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits); 1360 TEST_EQUAL(psa_get_key_lifetime(&attributes), 1361 PSA_KEY_LIFETIME_VOLATILE); 1362 1363 memset(hash, 0x2a, sizeof(hash)); 1364 memset(sig, 0, sizeof(sig)); 1365 1366 TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, 1367 hash, sizeof(hash), sig, sizeof(sig), &sig_len, 1368 NULL, NULL) == 0); 1369 /* Only opaque EC keys support verification. */ 1370 if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) { 1371 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1372 hash, sizeof(hash), sig, sig_len) == 0); 1373 } 1374 1375 /* Export underlying public key for re-importing in a psa context. */ 1376#if defined(MBEDTLS_PK_WRITE_C) 1377 ret = mbedtls_pk_write_pubkey_der(&pk, pkey_psa, 1378 sizeof(pkey_psa)); 1379 TEST_ASSERT(ret >= 0); 1380 klen_psa = (size_t) ret; 1381 /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ 1382 pkey_psa_start = pkey_psa + sizeof(pkey_psa) - klen_psa; 1383#else 1384 psa_status_t status; 1385 1386 status = psa_export_public_key(key_id, pkey_psa, sizeof(pkey_psa), 1387 &klen_psa); 1388 TEST_EQUAL(status, PSA_SUCCESS); 1389 pkey_psa_start = pkey_psa; 1390#endif /* MBEDTLS_PK_WRITE_C */ 1391 1392 TEST_ASSERT(klen_psa == klen_legacy); 1393 TEST_ASSERT(memcmp(pkey_psa_start, pkey_legacy_start, klen_psa) == 0); 1394 1395 mbedtls_pk_free(&pk); 1396 TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key_id)); 1397 1398 mbedtls_pk_init(&pk); 1399 1400 /* If we used "pk_write" previously, then we go for a "pk_parse" here; 1401 * otherwise if we went for "ecp_point_write_binary" then we'll go 1402 * for a "ecp_point_read_binary" here. This allows to drop dependencies 1403 * on "PK_WRITE" and "PK_PARSE" if required */ 1404#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_PARSE_C) 1405 TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start, 1406 klen_legacy), 0); 1407#else 1408 TEST_EQUAL(mbedtls_pk_setup(&pk, 1409 mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0); 1410 TEST_EQUAL(mbedtls_ecp_group_load( 1411 &(mbedtls_pk_ec_rw(pk)->grp), 1412 (mbedtls_ecp_group_id) parameter_arg), 0); 1413 TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp), 1414 &(mbedtls_pk_ec_rw(pk)->Q), 1415 pkey_legacy_start, klen_legacy), 0); 1416#endif 1417 TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, 1418 hash, sizeof(hash), sig, sig_len) == 0); 1419 1420exit: 1421 /* 1422 * Key attributes may have been returned by psa_get_key_attributes() 1423 * thus reset them as required. 1424 */ 1425 psa_reset_key_attributes(&attributes); 1426 1427 mbedtls_pk_free(&pk); 1428 USE_PSA_DONE(); 1429} 1430/* END_CASE */ 1431 1432/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_GENPRIME */ 1433void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg) 1434{ 1435 /* See the description of pk_genkey() for the description of the `parameter` argument. */ 1436 mbedtls_pk_context pk; 1437 size_t sig_len; 1438 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 1439 unsigned char hash[PSA_HASH_MAX_SIZE]; 1440 size_t hash_len = mbedtls_md_get_size_from_type(md_alg); 1441 void const *options = NULL; 1442 mbedtls_pk_rsassa_pss_options rsassa_pss_options; 1443 memset(hash, 0x2a, sizeof(hash)); 1444 memset(sig, 0, sizeof(sig)); 1445 1446 mbedtls_pk_init(&pk); 1447 PSA_INIT(); 1448 1449 TEST_ASSERT(mbedtls_pk_setup(&pk, 1450 mbedtls_pk_info_from_type(pk_type)) == 0); 1451 1452 TEST_ASSERT(pk_genkey(&pk, parameter) == 0); 1453 1454 TEST_ASSERT(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len, 1455 sig, sizeof(sig), &sig_len, 1456 mbedtls_test_rnd_std_rand, NULL) == 0); 1457 1458 if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 1459 rsassa_pss_options.mgf1_hash_id = md_alg; 1460 TEST_ASSERT(hash_len != 0); 1461 rsassa_pss_options.expected_salt_len = hash_len; 1462 options = (const void *) &rsassa_pss_options; 1463 } 1464 TEST_ASSERT(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg, 1465 hash, hash_len, sig, sig_len) == 0); 1466exit: 1467 mbedtls_pk_free(&pk); 1468 PSA_DONE(); 1469} 1470/* END_CASE */ 1471 1472/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_USE_PSA_CRYPTO */ 1473void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg) 1474{ 1475 /* See the description of mbedtls_rsa_gen_key() for the description of the `parameter` argument. */ 1476 mbedtls_pk_context pk; 1477 size_t sig_len, pkey_len; 1478 mbedtls_svc_key_id_t key_id; 1479 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; 1480 unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; 1481 unsigned char *pkey_start; 1482 unsigned char hash[PSA_HASH_MAX_SIZE]; 1483 psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg); 1484 psa_algorithm_t psa_alg; 1485 size_t hash_len = PSA_HASH_LENGTH(psa_md_alg); 1486 void const *options = NULL; 1487 mbedtls_pk_rsassa_pss_options rsassa_pss_options; 1488 int ret; 1489 1490 mbedtls_pk_init(&pk); 1491 PSA_INIT(); 1492 1493 /* Create legacy RSA public/private key in PK context. */ 1494 mbedtls_pk_init(&pk); 1495 TEST_EQUAL(mbedtls_pk_setup(&pk, 1496 mbedtls_pk_info_from_type(pk_type)), 0); 1497 TEST_EQUAL(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), 1498 mbedtls_test_rnd_std_rand, NULL, 1499 parameter, 3), 0); 1500 1501 /* Export underlying public key for re-importing in a legacy context. */ 1502 ret = mbedtls_pk_write_pubkey_der(&pk, pkey, sizeof(pkey)); 1503 TEST_ASSERT(ret >= 0); 1504 1505 pkey_len = (size_t) ret; 1506 /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ 1507 pkey_start = pkey + sizeof(pkey) - pkey_len; 1508 1509 if (key_pk_type == MBEDTLS_PK_RSA) { 1510 psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg); 1511 } else if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 1512 psa_alg = PSA_ALG_RSA_PSS(psa_md_alg); 1513 } else { 1514 TEST_ASSUME(!"PK key type not supported in this configuration"); 1515 } 1516 1517 /* Turn PK context into an opaque one. */ 1518 TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg, 1519 PSA_KEY_USAGE_SIGN_HASH, 1520 PSA_ALG_NONE), 0); 1521 1522 memset(hash, 0x2a, sizeof(hash)); 1523 memset(sig, 0, sizeof(sig)); 1524 1525 TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len, 1526 sig, sizeof(sig), &sig_len, 1527 mbedtls_test_rnd_std_rand, NULL), 0); 1528 1529 mbedtls_pk_free(&pk); 1530 TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id)); 1531 1532 mbedtls_pk_init(&pk); 1533 TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_start, pkey_len), 0); 1534 1535 if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { 1536 rsassa_pss_options.mgf1_hash_id = md_alg; 1537 TEST_ASSERT(hash_len != 0); 1538 rsassa_pss_options.expected_salt_len = hash_len; 1539 options = (const void *) &rsassa_pss_options; 1540 } 1541 TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg, 1542 hash, hash_len, sig, sig_len), 0); 1543 1544exit: 1545 mbedtls_pk_free(&pk); 1546 PSA_DONE(); 1547} 1548/* END_CASE */ 1549