From a170d927ddb07fdc682c30907f5b731fd1c52c70 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 12 Sep 2019 16:59:37 +0200 Subject: [PATCH 1/9] Clarify how key creation functions use attributes and what 0 means Clarify how key creation functions use attributes. Explain the meaning of attribute values, espcially what 0 means in each field where it has a special meaning. Explain what an algorithm usage policy can be (an algorithm, a wildcard with ANY_HASH, or 0). --- include/psa/crypto.h | 19 ++++++++++++++++--- include/psa/crypto_types.h | 11 ++++++----- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 71bad3b7a..c21809ce1 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -226,7 +226,14 @@ static psa_key_usage_t psa_get_key_usage_flags( /** Declare the permitted algorithm policy for a key. * * The permitted algorithm policy of a key encodes which algorithm or - * algorithms are permitted to be used with this key. + * algorithms are permitted to be used with this key. The following + * algorithm policies are supported: + * - 0 does not allow any cryptographic operation with the key. The key + * may be used for non-cryptographic actions such as exporting (if + * permitted by the usage flags). + * - An algorithm value permits this particular algorithm. + * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified + * signature scheme with any hash algorithm. * * This function overwrites any algorithm policy * previously set in \p attributes. @@ -266,6 +273,8 @@ static psa_algorithm_t psa_get_key_algorithm( * * \param[out] attributes The attribute structure to write to. * \param type The key type to write. + * If this is 0, the key type in \p attributes + * becomes unspecified. */ static void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type); 
@@ -281,6 +290,8 @@ static void psa_set_key_type(psa_key_attributes_t *attributes, * * \param[out] attributes The attribute structure to write to. * \param bits The key size in bits. + * If this is 0, the key size in \p attributes + * becomes unspecified. */ static void psa_set_key_bits(psa_key_attributes_t *attributes, size_t bits); @@ -464,7 +475,6 @@ psa_status_t psa_close_key(psa_key_handle_t handle); * minimize the risk that an invalid input is accidentally interpreted * according to a different format. * - * \param[in] attributes The attributes for the new key. * The key size is always determined from the * \p data buffer. @@ -3365,6 +3375,9 @@ psa_status_t psa_key_derivation_output_bytes( * * This function calculates output bytes from a key derivation algorithm * and uses those bytes to generate a key deterministically. + * The key's location, usage policy, type and size are taken from + * \p attributes. + * * If you view the key derivation's output as a stream of bytes, this * function destructively reads as many bytes as required from the * stream. @@ -3607,7 +3620,7 @@ psa_status_t psa_generate_random(uint8_t *output, * \brief Generate a key or key pair. * * The key is generated randomly. - * Its location, policy, type and size are taken from \p attributes. + * Its location, usage policy, type and size are taken from \p attributes. * * The following type-specific considerations apply: * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index b79c3b523..b6b61984b 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h 
@@ -206,11 +206,12 @@ typedef uint32_t psa_key_usage_t; * values: * * - lifetime: #PSA_KEY_LIFETIME_VOLATILE. - * - key identifier: unspecified. - * - type: \c 0. - * - key size: \c 0. - * - usage flags: \c 0. - * - algorithm: \c 0. + * - key identifier: 0 (which is not a valid key identifier). + * - type: \c 0 (meaning that the type is unspecified). + * - key size: \c 0 (meaning that the size is unspecified). + * - usage flags: \c 0 (which allows no usage except exporting a public key). + * - algorithm: \c 0 (which allows no cryptographic usage, but allows + * exporting). * * A typical sequence to create a key is as follows: * -# Create and initialize an attribute structure. From 05c900b576f83038f137a11723e322b81eb22e82 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 12 Sep 2019 18:29:43 +0200 Subject: [PATCH 2/9] Forbid keys of size 0 Keys of size 0 generally don't make sense: a key is supposed to be secret. There is one edge case which is "raw data" keys, which are useful to store non-key objects in the same storage location as keys. However those are also problematic because they involve a zero-length buffer. Manipulating zero-length buffers in C requires special cases with functions like malloc() and memcpy(). Additionally, 0 as a key size already has a meaning "unspecified", which does not always overlap seamlessly with the meaning "0". Therefore, forbid keys of size 0. No implementation may accept them. --- include/psa/crypto.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index c21809ce1..7c88bd680 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
@@ -291,7 +291,8 @@ static void psa_set_key_type(psa_key_attributes_t *attributes, * \param[out] attributes The attribute structure to write to. * \param bits The key size in bits. * If this is 0, the key size in \p attributes - * becomes unspecified. + * becomes unspecified. Keys of size 0 are + * not supported. */ static void psa_set_key_bits(psa_key_attributes_t *attributes, size_t bits); @@ -468,6 +469,13 @@ psa_status_t psa_close_key(psa_key_handle_t handle); * and to the documentation of psa_export_key() for the format for * other key types. * + * The key data determines the key size. The attributes may optionally + * specify a key size; in this case it must match the size determined + * from the key data. A key size of 0 in \p attributes indicates that + * the key size is solely determined by the key data. + * + * Implementations must reject an attempt to import a key of size 0. + * * This specification supports a single format for each key type. * Implementations may support other formats as long as the standard * format is supported. Implementations that support other formats @@ -3092,6 +3100,8 @@ static psa_key_derivation_operation_t psa_key_derivation_operation_init(void); * - Clean up the key derivation operation object with * psa_key_derivation_abort(). * + * Implementations must reject an attempt to derive a key of size 0. + * * \param[in,out] operation The key derivation operation object * to set up. It must * have been initialized but not set up yet. @@ -3622,6 +3632,8 @@ psa_status_t psa_generate_random(uint8_t *output, * The key is generated randomly. * Its location, usage policy, type and size are taken from \p attributes. * + * Implementations must reject an attempt to generate a key of size 0. + * * The following type-specific considerations apply: * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR), * the public exponent is 65537. From 491181bd9d6e4d8745b644aaf5e969961c872c0d Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Thu, 12 Sep 2019 18:47:14 +0200 Subject: [PATCH 3/9] Remove test cases that use zero-length keys If there isn't already a test with a raw data key of the now-minimal length (1 byte), change the test case to a 1-byte key. --- tests/suites/test_suite_psa_crypto.data | 14 ++++---------- .../test_suite_psa_crypto_persistent_key.data | 6 ------ 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 8eee9893d..80b34c14a 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -22,9 +22,6 @@ persistence_attributes:0x1234:3:0x1235:0x1235:3 PSA key attributes: slot number slot_number_attribute: -PSA import/export raw: 0 bytes -import_export:"":PSA_KEY_TYPE_RAW_DATA:PSA_KEY_USAGE_EXPORT:0:0:0:PSA_SUCCESS:1 - PSA import/export raw: 1 bytes import_export:"2a":PSA_KEY_TYPE_RAW_DATA:PSA_KEY_USAGE_EXPORT:0:8:0:PSA_SUCCESS:1 @@ -568,8 +565,8 @@ PSA key policy algorithm2: ECDH, ECDSA depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDH_C:MBEDTLS_ECDSA_C key_policy_alg2:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDH:PSA_ALG_ECDSA_ANY -Copy key: raw, 0 bytes -copy_success:PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"":1:-1:-1:0:PSA_KEY_USAGE_COPY:0:0 +Copy key: raw, 1 byte +copy_success:PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"2a":1:-1:-1:0:PSA_KEY_USAGE_COPY:0:0 Copy key: AES, copy attributes depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR 
@@ -2254,9 +2251,6 @@ generate_key:PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_NOT PSA generate key: bad type (RSA public key) generate_key:PSA_KEY_TYPE_RSA_PUBLIC_KEY:512:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_NOT_SUPPORTED -PSA generate key: raw data, 0 bits -generate_key:PSA_KEY_TYPE_RAW_DATA:128:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS - PSA generate key: raw data, 7 bits: invalid argument generate_key:PSA_KEY_TYPE_RAW_DATA:7:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT @@ -2358,9 +2352,9 @@ generate_key_rsa:512:"01":PSA_ERROR_INVALID_ARGUMENT PSA generate key: RSA, e=2 generate_key_rsa:512:"01":PSA_ERROR_INVALID_ARGUMENT -PSA import persistent key: raw data, 0 bits +PSA import persistent key: raw data, 8 bits depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_STORAGE_C -persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_RAW_DATA:0:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY +persistent_key_load_key_from_storage:"2a":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY PSA import persistent key: AES, 128 bits, exportable depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_STORAGE_C diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.data b/tests/suites/test_suite_psa_crypto_persistent_key.data index 3f40d35c7..f228b266d 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.data +++ b/tests/suites/test_suite_psa_crypto_persistent_key.data @@ -44,9 +44,6 @@ Persistent key import garbage data, should fail depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C persistent_key_import:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"11111111":0:PSA_ERROR_INVALID_ARGUMENT -import/export persistent raw key: 0 byte -import_export_persistent_key:"":PSA_KEY_TYPE_RAW_DATA:0:0:0 - import/export persistent raw key: 1 byte import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:0:0 
@@ -73,9 +70,6 @@ PSA import/export-persistent symmetric key: 16 bytes depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C import_export_persistent_key:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:0:0 -import/export persistent raw key with restart: 0 byte -import_export_persistent_key:"":PSA_KEY_TYPE_RAW_DATA:0:1:0 - import/export persistent raw key with restart: 1 byte import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:1:0 From a782b95806a1589395089f7c3633ce9eb9777763 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 12 Sep 2019 18:59:22 +0200 Subject: [PATCH 4/9] Add test cases for zero-length keys Check that zero-length keys cannot be imported, generated or derived. --- tests/suites/test_suite_psa_crypto.data | 26 +++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 80b34c14a..1a78ac6e1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -263,6 +263,18 @@ PSA import/export RSA keypair: import PEM depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_RSA_C import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:1024:0:PSA_SUCCESS:0 +PSA import: reject raw data key of length 0 +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +import_with_data:"":PSA_KEY_TYPE_RAW_DATA:0:PSA_ERROR_INVALID_ARGUMENT + +PSA import: reject raw data key of length 0 and declared size 1 bit +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +import_with_data:"":PSA_KEY_TYPE_RAW_DATA:1:PSA_ERROR_INVALID_ARGUMENT + +PSA import: reject raw data key of length 0 and declared size 8 bits +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED 
+import_with_data:"":PSA_KEY_TYPE_RAW_DATA:8:PSA_ERROR_INVALID_ARGUMENT + PSA import EC keypair: DER format depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED import_with_data:"3077020101042049c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eeea00a06082a8648ce3d030107a144034200047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):0:PSA_ERROR_INVALID_ARGUMENT @@ -2124,6 +2136,11 @@ PSA key derivation: invalid type (PSA_KEY_TYPE_CATEGORY_MASK) depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: invalid length (0) +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:0:PSA_ERROR_INVALID_ARGUMENT + # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes # and not expected to be raised any time soon) is less than the maximum # output from HKDF-SHA512 (255*64 = 16320 bytes). @@ -2251,6 +2268,10 @@ generate_key:PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_NOT PSA generate key: bad type (RSA public key) generate_key:PSA_KEY_TYPE_RSA_PUBLIC_KEY:512:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_NOT_SUPPORTED +PSA generate key: raw data, 0 bits: invalid argument +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +generate_key:PSA_KEY_TYPE_RAW_DATA:0:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT + PSA generate key: raw data, 7 bits: invalid argument generate_key:PSA_KEY_TYPE_RAW_DATA:7:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT 
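Review bot: The three import cases added in the `@@ -263,6 +263,18 @@` hunk all use PSA_KEY_TYPE_RAW_DATA, so among the cases visible here nothing exercises rejection of an empty buffer for a structured or fixed-size key type. One extra case with an empty buffer and a non-raw type would pin that behaviour down, for example `import_with_data:"":PSA_KEY_TYPE_AES:0:PSA_ERROR_INVALID_ARGUMENT` with a `depends_on:MBEDTLS_AES_C` line. Without it, a later refactor could move the zero-length check into the raw-data branch and these tests would still pass.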
@@ -2314,6 +2335,11 @@ PSA generate key: RSA, 1024 bits, good, encrypt (OAEP SHA-256) depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):PSA_SUCCESS +PSA generate key: RSA, 0 bits: invalid +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED +generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_INVALID_ARGUMENT + PSA generate key: RSA, 1022 bits: not supported depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1022:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED From 0f84d6245b9b9940084ed75570b4e377d502501d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 12 Sep 2019 19:03:13 +0200 Subject: [PATCH 5/9] Reject keys of size 0 Implement the prohibition on keys of size 0. --- library/psa_crypto.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a80f13de3..f0fbcdcde 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1826,6 +1826,12 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes, psa_key_slot_t *slot = NULL; psa_se_drv_table_entry_t *driver = NULL; + /* Reject zero-length symmetric keys (including raw data key objects). + * This also rejects any key which might be encoded as an empty string, + * which is never valid. */ + if( data_length == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes, handle, &slot, &driver ); if( status != PSA_SUCCESS ) 
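Review bot: The new `data_length == 0` return in psa_import_key leaves before psa_start_key_creation() is called, so nothing on this path writes `*handle`. If the function's normal failure path (outside this hunk) resets the handle, this early return should do the same, e.g. `*handle = 0;` before `return( PSA_ERROR_INVALID_ARGUMENT );`, so that a caller that mishandles the status never acts on a stale handle value. The same applies to the `psa_get_key_bits( attributes ) == 0` returns added to psa_key_derivation_output_key and psa_generate_key in the next two hunks of this patch. All three function bodies continue past their hunks, so the exit handling needs checking there.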
@@ -4778,6 +4784,12 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut psa_status_t status; psa_key_slot_t *slot = NULL; psa_se_drv_table_entry_t *driver = NULL; + + /* Reject any attempt to create a zero-length key so that we don't + * risk tripping up later, e.g. on a malloc(0) that returns NULL. */ + if( psa_get_key_bits( attributes ) == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE, attributes, handle, &slot, &driver ); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -5512,6 +5524,11 @@ psa_status_t psa_generate_key( const psa_key_attributes_t *attributes, psa_key_slot_t *slot = NULL; psa_se_drv_table_entry_t *driver = NULL; + /* Reject any attempt to create a zero-length key so that we don't + * risk tripping up later, e.g. on a malloc(0) that returns NULL. */ + if( psa_get_key_bits( attributes ) == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + status = psa_start_key_creation( PSA_KEY_CREATION_GENERATE, attributes, handle, &slot, &driver ); if( status != PSA_SUCCESS ) From 043b28171410805f32378658e647fdb2917db361 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 12 Sep 2019 19:03:41 +0200 Subject: [PATCH 6/9] Add a few test cases for non-byte-aligned raw data keys Add tests for derivation. Test both 7 bits and 9 bits, in case the implementation truncated the bit size down and 7 was rejected as 0 rather than because it isn't a multiple of 8. There is no corresponding test for import because import determines the key size from the key data, which is always a whole number of bytes. --- tests/suites/test_suite_psa_crypto.data | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 1a78ac6e1..16edd382a 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -2141,6 +2141,18 @@ depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C # The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:0:PSA_ERROR_INVALID_ARGUMENT +PSA key derivation: invalid length (7 bits) +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:7:PSA_ERROR_INVALID_ARGUMENT + +PSA key derivation: raw data, 8 bits +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:8:PSA_SUCCESS + +PSA key derivation: invalid length (9 bits) +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C +derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:9:PSA_ERROR_INVALID_ARGUMENT + # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes # and not expected to be raised any time soon) is less than the maximum # output from HKDF-SHA512 (255*64 = 16320 bytes). @@ -2278,6 +2290,9 @@ generate_key:PSA_KEY_TYPE_RAW_DATA:7:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_AR PSA generate key: raw data, 8 bits generate_key:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS +PSA generate key: raw data, 9 bits: invalid argument +generate_key:PSA_KEY_TYPE_RAW_DATA:9:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT + PSA generate key: raw data, (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits generate_key:PSA_KEY_TYPE_RAW_DATA:(MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS From f916894ef3c9ba5f3f8d995ee715945491dbda46 Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Thu, 12 Sep 2019 19:20:29 +0200 Subject: [PATCH 7/9] Remove special handling for zero-length keys Zero-length keys are rejected at creation time, so we don't need any special handling internally. When exporting a key, we do need to take care of the case where the output buffer is empty, but this is easy: an empty output buffer is never valid. --- library/psa_crypto.c | 37 ++++++++++++++----------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f0fbcdcde..ac2eae667 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -451,13 +451,6 @@ static psa_status_t prepare_raw_data_slot( psa_key_type_t type, switch( type ) { case PSA_KEY_TYPE_RAW_DATA: - if( bits == 0 ) - { - raw->bytes = 0; - raw->data = NULL; - return( PSA_SUCCESS ); - } - break; #if defined(MBEDTLS_MD_C) case PSA_KEY_TYPE_HMAC: #endif @@ -1281,6 +1274,12 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); + /* Reject a zero-length output buffer now, since this can never be a + * valid key representation. This way we know that data must be a valid + * pointer and we can do things like memset(data, ..., data_size). */ + if( data_size == 0 ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + #if defined(MBEDTLS_PSA_CRYPTO_SE_C) if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) { 
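Review bot: With the `bits == 0` branch removed from prepare_raw_data_slot, a zero-length PSA_KEY_TYPE_RAW_DATA request now shares whatever code follows the stacked `case` labels, and the helper itself no longer enforces the "no empty key" invariant. The public creation functions reject size 0, but this helper may also be reached when key material is loaded from persistent storage written before this series (that path is not visible here). An explicit guard at the top, such as `if( bits == 0 ) return( PSA_ERROR_INVALID_ARGUMENT );`, would keep the outcome independent of what the allocator returns for a zero-byte request. The now unconditional `memcpy( data, slot->data.raw.data, slot->data.raw.bytes )` in the raw-data export branch (hunk `@@ -1302,12 +1301,9 @@`) relies on the same invariant. The function body continues outside the hunk.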
@@ -1302,12 +1301,9 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, { if( slot->data.raw.bytes > data_size ) return( PSA_ERROR_BUFFER_TOO_SMALL ); - if( data_size != 0 ) - { - memcpy( data, slot->data.raw.data, slot->data.raw.bytes ); - memset( data + slot->data.raw.bytes, 0, - data_size - slot->data.raw.bytes ); - } + memcpy( data, slot->data.raw.data, slot->data.raw.bytes ); + memset( data + slot->data.raw.bytes, 0, + data_size - slot->data.raw.bytes ); *data_length = slot->data.raw.bytes; return( PSA_SUCCESS ); } @@ -1366,10 +1362,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, } if( ret < 0 ) { - /* If data_size is 0 then data may be NULL and then the - * call to memset would have undefined behavior. */ - if( data_size != 0 ) - memset( data, 0, data_size ); + memset( data, 0, data_size ); return( mbedtls_to_psa_error( ret ) ); } /* The mbedtls_pk_xxx functions write to the end of the buffer. @@ -1676,7 +1669,7 @@ static psa_status_t psa_finish_key_creation( slot->attr.bits ); uint8_t *buffer = mbedtls_calloc( 1, buffer_size ); size_t length = 0; - if( buffer == NULL && buffer_size != 0 ) + if( buffer == NULL ) return( PSA_ERROR_INSUFFICIENT_MEMORY ); status = psa_internal_export_key( slot, buffer, buffer_size, &length, @@ -1685,8 +1678,7 @@ static psa_status_t psa_finish_key_creation( status = psa_save_persistent_key( &slot->attr, buffer, length ); - if( buffer_size != 0 ) - mbedtls_platform_zeroize( buffer, buffer_size ); + mbedtls_platform_zeroize( buffer, buffer_size ); mbedtls_free( buffer ); } } 
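Review bot: In psa_finish_key_creation (hunk `@@ -1676,7 +1669,7 @@`) the allocation check is now `if( buffer == NULL )` alone, which is only unambiguous if `buffer_size` can never be 0. The size comes from a macro applied to the slot's type and bits (the call starts above the hunk). If that macro can evaluate to 0 for some key type, the status depends on whether `mbedtls_calloc( 1, 0 )` returns NULL: PSA_ERROR_INSUFFICIENT_MEMORY on one platform, a failure from the export call on another. A deterministic guard before the allocation, e.g. `if( buffer_size == 0 ) return( PSA_ERROR_INVALID_ARGUMENT );` (or whichever status the project prefers), would remove that platform dependence. The same pattern appears in psa_copy_key_material in hunk `@@ -1963,7 +1955,7 @@`.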
@@ -1963,7 +1955,7 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source, buffer_size = PSA_KEY_EXPORT_MAX_SIZE( source->attr.type, psa_get_key_slot_bits( source ) ); buffer = mbedtls_calloc( 1, buffer_size ); - if( buffer == NULL && buffer_size != 0 ) + if( buffer == NULL ) return( PSA_ERROR_INSUFFICIENT_MEMORY ); status = psa_internal_export_key( source, buffer, buffer_size, &length, 0 ); if( status != PSA_SUCCESS ) @@ -1972,8 +1964,7 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source, status = psa_import_key_into_slot( target, buffer, length ); exit: - if( buffer_size != 0 ) - mbedtls_platform_zeroize( buffer, buffer_size ); + mbedtls_platform_zeroize( buffer, buffer_size ); mbedtls_free( buffer ); return( status ); } From 4019f0e914416ca6c80bfad51509404265b5bf45 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 12 Sep 2019 22:05:59 +0200 Subject: [PATCH 8/9] Immediately reject 0-size signature buffer when signing In psa_asymmetric_sign, immediately reject an empty signature buffer. This can never be right. Add test cases (one RSA and one ECDSA). Change the SE HAL mock tests not to use an empty signature buffer. --- library/psa_crypto.c | 8 +++++++- tests/suites/test_suite_psa_crypto.data | 8 ++++++++ ...st_suite_psa_crypto_se_driver_hal_mocks.function | 13 +++++++++++-- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ac2eae667..c53d15b01 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -3347,6 +3347,12 @@ psa_status_t psa_asymmetric_sign( psa_key_handle_t handle, #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ *signature_length = signature_size; + /* Immediately reject a zero-length signature buffer. This guarantees + * that signature must be a valid pointer. (On the other hand, the hash + * buffer can in principle be empty since it doesn't actually have + * to be a hash.) */ + if( signature_size == 0 ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_SIGN, alg ); if( status != PSA_SUCCESS ) @@ -3422,7 +3428,7 @@ exit: if( status == PSA_SUCCESS ) memset( signature + *signature_length, '!', signature_size - *signature_length ); - else if( signature_size != 0 ) + else memset( signature, '!', signature_size ); /* If signature_size is 0 then we have nothing to do. We must not call * memset because signature may be NULL in this case. */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 16edd382a..9df4b43be 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
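Review bot: The context comment kept after the changed `else` in the exit block of psa_asymmetric_sign (hunk `@@ -3422,7 +3428,7 @@`) still reads "If signature_size is 0 then we have nothing to do. We must not call memset because signature may be NULL in this case." It now contradicts the code, because `memset( signature, '!', signature_size )` runs unconditionally on failure. Replace it with something like `/* signature_size is nonzero here: the empty-buffer case returns before any goto exit. */`. That invariant holds only while every jump to `exit` stays below the new `signature_size == 0` check, and the code above the check, including the secure-element section, lies outside these hunks, so it should be confirmed there.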
@@ -1561,6 +1561,14 @@ PSA sign: deterministic ECDSA SECP256R1 SHA-256, output buffer too small depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_ERROR_BUFFER_TOO_SMALL +PSA sign: RSA PKCS#1 v1.5 SHA-256, empty output buffer +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":0:PSA_ERROR_BUFF
ER_TOO_SMALL + +PSA sign: deterministic ECDSA SECP256R1 SHA-256, empty output buffer +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C +sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_ERROR_BUFFER_TOO_SMALL + PSA sign: deterministic ECDSA SECP256R1, invalid hash algorithm (0) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDSA_DETERMINISTIC sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function index e3641789f..e6b3f7b1f 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function @@ -396,6 +396,7 @@ void mock_generate( int mock_alloc_return_value, psa_set_key_lifetime( &attributes, lifetime ); psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); + psa_set_key_bits( &attributes, 8 ); TEST_ASSERT( psa_generate_key( &attributes, &handle ) == expected_result ); TEST_ASSERT( mock_allocate_data.called == 1 ); TEST_ASSERT( mock_generate_data.called == 
@@ -482,6 +483,8 @@ void mock_sign( int mock_sign_return_value, int expected_result ) psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; psa_algorithm_t algorithm = PSA_ALG_ECDSA(PSA_ALG_SHA_256); + const uint8_t hash[1] = {'H'}; + uint8_t signature[1] = {'S'}; size_t signature_length; mock_sign_data.return_value = mock_sign_return_value; @@ -512,7 +515,9 @@ void mock_sign( int mock_sign_return_value, int expected_result ) key_material, sizeof( key_material ), &handle ) ); - TEST_ASSERT( psa_asymmetric_sign( handle, algorithm, NULL, 0, NULL, 0, + TEST_ASSERT( psa_asymmetric_sign( handle, algorithm, + hash, sizeof( hash ), + signature, sizeof( signature ), &signature_length) == expected_result ); TEST_ASSERT( mock_sign_data.called == 1 ); @@ -538,6 +543,8 @@ void mock_verify( int mock_verify_return_value, int expected_result ) psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; psa_algorithm_t algorithm = PSA_ALG_ECDSA(PSA_ALG_SHA_256); + const uint8_t hash[1] = {'H'}; + const uint8_t signature[1] = {'S'}; mock_verify_data.return_value = mock_verify_return_value; memset( &driver, 0, sizeof( driver ) ); @@ -567,7 +574,9 @@ void mock_verify( int mock_verify_return_value, int expected_result ) key_material, sizeof( key_material ), &handle ) ); - TEST_ASSERT( psa_asymmetric_verify( handle, algorithm, NULL, 0, NULL, 0) + TEST_ASSERT( psa_asymmetric_verify( handle, algorithm, + hash, sizeof( hash ), + signature, sizeof( signature ) ) == expected_result ); TEST_ASSERT( mock_verify_data.called == 1 ); From 89cc74f44728ed929ee7388767070fdd02d514d4 Mon Sep 17 00:00:00 2001 
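Review bot: The one-byte `hash` and `signature` dummies that replace `NULL, 0` in `mock_sign` are not explained, and the same applies to the pair added in `mock_verify`. A reader cannot tell whether the size of 1 matters or is simply the smallest non-empty buffer. I would add a comment above the declarations, for example `/* Arbitrary non-empty buffers: empty ones are presumably rejected before the driver is reached, and the mock is not expected to inspect the contents. */`, adjusted to whatever the real reason is. Both functions begin and end outside these hunks, so I cannot see whether `signature_length` is checked after the call.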
From: Gilles Peskine Date: Thu, 12 Sep 2019 22:08:23 +0200 Subject: [PATCH 9/9] Fix signature size checks in psa_asymmetric_verify for RSA The signature must have exactly the same length as the key, it can't be longer. Fix #258 If the signature doesn't have the correct size, that's an invalid signature, not a problem with an output buffer size. Fix the error code. Add test cases. --- library/psa_crypto.c | 4 +-- tests/suites/test_suite_psa_crypto.data | 36 +++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c53d15b01..09254b249 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3191,8 +3191,8 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, if( status != PSA_SUCCESS ) return( status ); - if( signature_length < mbedtls_rsa_get_len( rsa ) ) - return( PSA_ERROR_BUFFER_TOO_SMALL ); + if( signature_length != mbedtls_rsa_get_len( rsa ) ) + return( PSA_ERROR_INVALID_SIGNATURE ); #if defined(MBEDTLS_PKCS1_V15) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 9df4b43be..a8e97e090 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
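Review bot: The exact-length check added in `psa_rsa_verify` carries no comment saying why a longer signature has to be rejected, and that reasoning is easy to lose in a later refactor. I would put `/* An RSA signature is exactly as long as the modulus: reject any other length so that extra bytes are never silently ignored. */` directly above the `if`. The check sits before the `PSA_ALG_IS_RSA_PKCS1V15_SIGN` branch, so it presumably governs the PSS path as well, but the rest of the function is outside the hunk. Callers that special-cased `PSA_ERROR_BUFFER_TOO_SMALL` from verification will now see `PSA_ERROR_INVALID_SIGNATURE`, which is worth noting wherever API behaviour changes are recorded.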
@@ -1621,14 +1621,30 @@ PSA verify with keypair: RSA PKCS#1 v1.5 SHA-256, good signature depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C asymmetric_verify:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" -PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong hash +PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong hash length depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C 
asymmetric_verify_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_1):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_INVALID_ARGUMENT -PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong signature +PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong signature (same size) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C asymmetric_verify_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"111164d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_INVALID_SIGNATURE +PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong signature (empty) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C 
+asymmetric_verify_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"":PSA_ERROR_INVALID_SIGNATURE + +PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong signature (truncated) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +asymmetric_verify_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc73":PSA_ERROR_INVALID_SIGNATURE + +PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong signature (trailing junk) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C 
+asymmetric_verify_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc731121":PSA_ERROR_INVALID_SIGNATURE + +PSA verify: RSA PKCS#1 v1.5 SHA-256, wrong signature (leading junk) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +asymmetric_verify_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"21a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_INVALID_SIGNATURE + PSA verify: RSA PSS SHA-256, good signature, 0 bytes depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C 
asymmetric_verify:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"34c011b625c32d992f4ab8fcfa52b616ea66270b5b75a4fc71af712f9b8806bcdd374ce50eafcbb489562b93347885f93c2de1d404c45cacccefceb112ff6ffdfe4264f91d66320bbbe09304b851b8ad6280bbccc571eebcd49c7db5dfa399a6289e1978407904598751613d9870770cdd8507e3dc7b46851dbf05ae1df2988d" 
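Review bot: All four new length cases (empty, truncated, trailing junk, leading junk) use `PSA_ALG_RSA_PKCS1V15_SIGN`, and this hunk adds no RSA PSS counterpart. The length check in `psa_rsa_verify` appears to run before the padding scheme is selected, so matching cases titled like `PSA verify: RSA PSS SHA-256, wrong signature (trailing junk)` expecting `PSA_ERROR_INVALID_SIGNATURE` would pin the same behaviour for `PSA_ALG_RSA_PSS(PSA_ALG_SHA_256)`, unless they already exist outside this hunk. Separately, the renamed case `RSA PKCS#1 v1.5 SHA-256, wrong hash length` still says SHA-256 in its title while its algorithm is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_1)`. A title such as `PSA verify: RSA PKCS#1 v1.5 SHA-1, wrong hash length` would match what is being tested.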
@@ -1657,6 +1673,22 @@ PSA verify: ECDSA SECP256R1, wrong signature of correct size depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDSA_C asymmetric_verify_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP256R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_ERROR_INVALID_SIGNATURE +PSA verify: ECDSA SECP256R1, wrong signature (empty) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C +asymmetric_verify_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP256R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE + +PSA verify: ECDSA SECP256R1, wrong signature (truncated) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C +asymmetric_verify_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP256R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE + +PSA verify: ECDSA SECP256R1, wrong signature (trailing junk) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C 
+asymmetric_verify_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP256R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE + +PSA verify: ECDSA SECP256R1, wrong signature (leading junk) +depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C +asymmetric_verify_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP256R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE + PSA verify: invalid algorithm for ECC key depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 asymmetric_verify_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT
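Review bot: The four added ECDSA cases list `MBEDTLS_SHA256_C` in `depends_on` although they verify with `PSA_ALG_ECDSA_ANY`. The neighbouring `wrong signature of correct size` case uses the same key and algorithm without that dependency. The extra dependency means these negative tests are skipped in builds without SHA-256, where the length handling is just as relevant. I would use `depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDSA_C` for all four.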