Implement, plug in and test validate_key driver entry point

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This commit is contained in:
Steven Cooreman 2020-10-13 17:43:44 +02:00
parent 398aee5742
commit 0452476eac
7 changed files with 208 additions and 4 deletions

View file

@ -977,6 +977,7 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
size_t data_length ) size_t data_length )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
size_t bit_size;
/* zero-length keys are never supported. */ /* zero-length keys are never supported. */
if( data_length == 0 ) if( data_length == 0 )
@ -984,7 +985,7 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
if( key_type_is_raw_bytes( slot->attr.type ) ) if( key_type_is_raw_bytes( slot->attr.type ) )
{ {
size_t bit_size = PSA_BYTES_TO_BITS( data_length ); bit_size = PSA_BYTES_TO_BITS( data_length );
/* Ensure that the bytes-to-bits conversion hasn't overflown. */ /* Ensure that the bytes-to-bits conversion hasn't overflown. */
if( data_length > SIZE_MAX / 8 ) if( data_length > SIZE_MAX / 8 )

View file

@ -410,6 +410,34 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
#endif /* PSA_CRYPTO_DRIVER_PRESENT */ #endif /* PSA_CRYPTO_DRIVER_PRESENT */
} }
psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
size_t *bits )
{
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
/* Try accelerators in turn */
#if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_validate_key( attributes,
data,
data_length,
bits );
/* Declared with fallback == true */
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
return( PSA_ERROR_NOT_SUPPORTED );
#else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
(void) attributes;
(void) data;
(void) data_length;
(void) bits;
return( PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_DRIVER_PRESENT */
}
/* /*
* Cipher functions * Cipher functions
*/ */

View file

@ -43,9 +43,18 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
const uint8_t *signature, const uint8_t *signature,
size_t signature_length ); size_t signature_length );
/*
* Key handling functions
*/
psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes,
psa_key_slot_t *slot ); psa_key_slot_t *slot );
psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
size_t *bits );
/* /*
* Cipher functions * Cipher functions
*/ */

View file

@ -1,5 +1,5 @@
/* /*
* Test driver for generating keys. * Test driver for generating and verifying keys.
*/ */
/* Copyright The Mbed TLS Contributors /* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
@ -57,5 +57,10 @@ psa_status_t test_opaque_generate_key(
const psa_key_attributes_t *attributes, const psa_key_attributes_t *attributes,
uint8_t *key, size_t key_size, size_t *key_length ); uint8_t *key, size_t key_size, size_t *key_length );
psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
size_t *bits);
#endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_TEST_DRIVERS_KEYGEN_H */ #endif /* PSA_CRYPTO_TEST_DRIVERS_KEYGEN_H */

View file

@ -1,6 +1,6 @@
/* /*
* Test driver for generating keys. * Test driver for generating and verifying keys.
* Currently only supports generating ECC keys. * Currently only supports generating and verifying ECC keys.
*/ */
/* Copyright The Mbed TLS Contributors /* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
@ -122,4 +122,112 @@ psa_status_t test_opaque_generate_key(
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
size_t *bits)
{
++test_driver_keygen_hooks.hits;
if( test_driver_keygen_hooks.forced_status != PSA_SUCCESS )
return( test_driver_keygen_hooks.forced_status );
#if defined(MBEDTLS_ECP_C)
psa_key_type_t type = psa_get_key_type( attributes );
if ( PSA_KEY_TYPE_IS_ECC( type ) )
{
// Code mostly copied from psa_load_ecp_representation
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type );
mbedtls_ecp_group_id grp_id;
mbedtls_ecp_keypair ecp;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
if( *bits == 0 )
{
// Attempt auto-detect of curve bit size
size_t curve_size = data_length;
if( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) &&
PSA_KEY_TYPE_ECC_GET_FAMILY( type ) != PSA_ECC_FAMILY_MONTGOMERY )
{
/* A Weierstrass public key is represented as:
* - The byte 0x04;
* - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
* - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
* So its data length is 2m+1 where n is the key size in bits.
*/
if( ( data_length & 1 ) == 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
curve_size = data_length / 2;
/* Montgomery public keys are represented in compressed format, meaning
* their curve_size is equal to the amount of input. */
/* Private keys are represented in uncompressed private random integer
* format, meaning their curve_size is equal to the amount of input. */
}
grp_id = mbedtls_ecc_group_of_psa( curve, curve_size );
}
else
{
grp_id = mbedtls_ecc_group_of_psa( curve,
PSA_BITS_TO_BYTES( psa_get_key_bits( attributes ) ) );
}
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id( grp_id );
if( attributes->domain_parameters_size != 0 )
return( PSA_ERROR_NOT_SUPPORTED );
if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
*bits = curve_info->bit_size;
mbedtls_ecp_keypair_init( &ecp );
status = mbedtls_to_psa_error(
mbedtls_ecp_group_load( &ecp.grp, grp_id ) );
if( status != PSA_SUCCESS )
goto ecp_exit;
/* Load the key material. */
if( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) )
{
/* Load the public value. */
status = mbedtls_to_psa_error(
mbedtls_ecp_point_read_binary( &ecp.grp, &ecp.Q,
data,
data_length ) );
if( status != PSA_SUCCESS )
goto ecp_exit;
/* Check that the point is on the curve. */
status = mbedtls_to_psa_error(
mbedtls_ecp_check_pubkey( &ecp.grp, &ecp.Q ) );
}
else
{
/* Load and validate the secret value. */
status = mbedtls_to_psa_error(
mbedtls_ecp_read_key( ecp.grp.id,
&ecp,
data,
data_length ) );
}
ecp_exit:
mbedtls_ecp_keypair_free( &ecp );
return( status );
}
return( PSA_ERROR_NOT_SUPPORTED );
#else
(void) data;
(void) data_length;
(void) bits;
return( PSA_ERROR_NOT_SUPPORTED );
#endif /* MBEDTLS_ECP_C */
}
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */

View file

@ -40,6 +40,25 @@ generate_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS
generate_key through transparent driver: error generate_key through transparent driver: error
generate_key:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR generate_key:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR
validate key through transparent driver: good private key
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
validate_key:PSA_SUCCESS:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_SUCCESS
validate key through transparent driver: good public key
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
validate_key:PSA_SUCCESS:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_SUCCESS
validate key through transparent driver: fallback private key
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
validate_key:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_SUCCESS
validate key through transparent driver: fallback public key
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
validate_key:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_SUCCESS
validate key through transparent driver: error
validate_key:PSA_ERROR_GENERIC_ERROR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ERROR_GENERIC_ERROR
PSA symmetric encrypt: AES-CTR, 16 bytes, good PSA symmetric encrypt: AES-CTR, 16 bytes, good
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_SUCCESS:PSA_SUCCESS cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_SUCCESS:PSA_SUCCESS

View file

@ -184,6 +184,40 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
void validate_key( int force_status_arg,
int key_type_arg,
data_t *key_input,
int expected_status_arg )
{
psa_status_t force_status = force_status_arg;
psa_status_t expected_status = expected_status_arg;
psa_key_type_t key_type = key_type_arg;
psa_key_handle_t handle = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t actual_status;
test_driver_keygen_hooks = test_driver_keygen_hooks_init();
psa_set_key_type( &attributes,
key_type );
psa_set_key_bits( &attributes, 0 );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
test_driver_keygen_hooks.forced_status = force_status;
PSA_ASSERT( psa_crypto_init( ) );
actual_status = psa_import_key( &attributes, key_input->x, key_input->len, &handle );
TEST_EQUAL( test_driver_keygen_hooks.hits, 1 );
TEST_EQUAL( actual_status, expected_status );
exit:
psa_reset_key_attributes( &attributes );
psa_destroy_key( handle );
PSA_DONE( );
test_driver_keygen_hooks = test_driver_keygen_hooks_init();
}
/* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void cipher_encrypt( int alg_arg, int key_type_arg, void cipher_encrypt( int alg_arg, int key_type_arg,
data_t *key, data_t *iv, data_t *key, data_t *iv,