Commit graph

332 commits

Author SHA1 Message Date
Gilles Peskine 3135184cfc Merge remote-tracking branch 'upstream-crypto/development' into psa-api-beta2-merge-development
Merge the Mbed Crypto development branch a little after
mbedcrypto-1.0.0 into the PSA Crypto API 1.0 beta branch a little
after beta 2.

Summary of merge conflicts:

* Some features (psa_copy_key, public key format without
  SubjectPublicKeyInfo wrapping) went into both sides, but with a few
  improvements on the implementation side. For those, take the
  implementation side.
* The key derivation API changed considerably on the API side. This
  merge commit generally goes with the updated API except in the tests
  where it keeps some aspects of the implementation.

Due to the divergence between the two branches on key derivation and
key agreement, test_suite_psa_crypto does not compile. This will be
resolved in subsequent commits.
2019-04-09 12:00:00 +02:00
Jaeden Amero bf61ca7a04
Merge pull request #58 from Patater/disallow-invalid-context
Disallow use of invalid contexts
2019-02-21 17:37:04 +00:00
Jaeden Amero 11aa7ee189 psa: Extend hash bad order test
Extend hash bad order test in line with the new bad order tests for MAC
and cipher, covering more cases and making comments and test layout
consistent.

Ensure that when doing hash operations out of order, PSA_ERROR_BAD_STATE
is returned as documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero ab43997f44 psa: Disallow use of invalid cipher contexts
Ensure that when doing cipher operations out of order,
PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA
Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero 252ef28dac psa: Disallow use of invalid MAC contexts
Ensure that when doing MAC operations out of order, PSA_ERROR_BAD_STATE
is returned as documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Gilles Peskine e086652aef Test the length of cipher_update output
In multipart cipher tests, test that each step of psa_cipher_update
produces output of the expected length. The length is hard-coded in
the test data since it depends on the mode.

The length of the output of psa_cipher_finish is effectively tested
because it's the total output length minus the length produced by the
update steps.
2019-02-19 19:45:55 +01:00
Gilles Peskine a04ba4ec52 Add some CTR multipart tests
Test data obtained with Python+PyCrypto:
AES.new(key, mode=AES.MODE_CTR, counter=Crypto.Util.Counter.new(128, initial_value=0x2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a)).encrypt(plaintext.decode('hex')).encode('hex')
2019-02-19 19:26:06 +01:00
Gilles Peskine 3215de4cf5 Add CBC multipart tests with 2 blocks
Test data obtained with Python+PyCrypto:
AES.new(key, AES.MODE_CBC, iv).encrypt(plaintext.decode('hex')).encode('hex')
2019-02-19 19:26:02 +01:00
Jaeden Amero 2a0f48ae1f
Merge pull request #43 from Patater/update-2.16-dev
Update to a development version of Mbed TLS 2.16.0
2019-02-08 08:13:41 +00:00
Jaeden Amero c979f6ab38 psa: Test empty PKCS#1 v1.5 decryption
The tests use a ciphertext for PKCS#1 v1.5 encryption of a zero-length
buffer that was created with a call to psa_asymmetric_encrypt().
2019-02-07 12:19:59 +00:00
Jaeden Amero f8daab78ff psa: Enable testing RSA decryption with output sizes
For must-fail asymmetric decryption tests, add an output size parameter
so that tests can directly control what output buffer size they allocate
and use independently from the key size used. This enables better
testing of behavior with various output buffer sizes.
2019-02-07 12:19:59 +00:00
Gilles Peskine e84d5d2f1c psa_copy_key: Add test cases to specifically check non-exportability
Test that copying a non-exportable key doesn't make it exportable.
This complements similar tests that exercise a different usage flag.
2019-02-06 16:42:05 +01:00
Gilles Peskine 8c1247fec9 Add psa_copy_key tests with policy constraints
Test a few cases. The logic to combine the constraint is similar to
the logic to combine the source and target, so it's ok to have less
parameter domain coverage for constraints.
2019-01-28 14:55:16 +01:00
Gilles Peskine 57ab721d8a Test psa_copy_key
Split the testing into tests that exercise policies in
test_suite_psa_crypto and tests that exercise slot content (slot
states, key material) in test_suite_psa_crypto_slot_management.

Test various cases of source and target policies with and without
wildcards. Missing: testing of the policy constraint on psa_copy_key
itself.

Test several key types (raw data, AES, RSA). Test with the
source or target being persistent.

Add failure tests (incompatible policies, source slot empty, target
slot occupied).
2019-01-28 14:55:06 +01:00
Jaeden Amero 43bafcca94
Merge pull request #15 from gilles-peskine-arm/psa-signature_policy_wildcard
Support wildcard hash in signature policies
2019-01-28 13:31:14 +00:00
Jaeden Amero 4d69cf1a84
Merge pull request #13 from Patater/pubkey-format
Simplify RSA and EC public key formats
2019-01-25 10:09:40 +00:00
Gilles Peskine eb2d4b9037 Test that HASH_ANY is not meaningful for OAEP
PSA_ALG_HASH_ANY is specified as meaningful only for signature.
2019-01-24 13:05:36 +01:00
Jaeden Amero ccdce90adb psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-23 17:39:46 +00:00
Jaeden Amero 25384a236e psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-23 17:31:50 +00:00
Gilles Peskine 870f5dc656 Add missing test dependency 2019-01-23 10:42:23 +01:00
Gilles Peskine b37af92eb9 Merge branch 'psa-hash_clone' into psa-api-1.0-beta
Add psa_hash_clone.
2019-01-19 12:07:27 +01:00
Gilles Peskine ebb2c3e419 New function psa_hash_clone
Clone a hash operation.

Test good cases as part as multipart tests. Add new test functions for
the state machine.
2019-01-19 12:03:41 +01:00
Gilles Peskine 9dcc80e628 Merge branch 'psa-derive_input_steps-agreement_as_one_step' into psa-api-1.0-beta
Change the key derivation API to take inputs in multiple steps,
instead of a single one-site-fits-poorly function.

Conflicts:
* include/psa/crypto.h: merge independent changes in the documentation
  of psa_key_agreement (public_key from the work on public key formats
  vs general description and other parameters in the work on key derivation).
* tests/suites/test_suite_psa_crypto.data: update the key agreement
  tests from the work on key derivation to the format from the work on
  public key formats.
* tests/suites/test_suite_psa_crypto_metadata.function: reconcile the
  addition of unrelated ALG_IS_xxx macros
2019-01-18 18:54:15 +01:00
Gilles Peskine 6843c29713 Simplify the encoding of key agreement algorithms
Get rid of "key selection" algorithms (of which there was only one:
raw key selection).

Encode key agreement by combining a raw key agreement with a KDF,
rather than passing the KDF as an argument of a key agreement macro.
2019-01-18 18:38:08 +01:00
Gilles Peskine 1f9e58a1bb Merge branch 'psa-signature_policy_wildcard' into psa-api-1.0-beta
For hash-and-sign algorithms, allow a policy to specify a wildcard
instead of a specific hash algorithm.
2019-01-18 17:52:17 +01:00
Jaeden Amero 0ae445f8fd psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-15 11:29:18 +00:00
Gilles Peskine 30f77cdfc1 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-14 19:38:56 +01:00
Jaeden Amero 6b19600fba psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-11 18:08:53 +00:00
Jaeden Amero d94d671f14 psa: Test that generator initializers work 2019-01-08 14:28:04 +00:00
Jaeden Amero 5bae227da0 psa: Add initializers for cipher operation objects
Add new initializers for cipher operation objects and use them in our
tests and library code. Prefer using the macro initializers due to their
straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero 769ce27f12 psa: Add initializers for MAC operation objects
Add new initializers for MAC operation objects and use them in our tests
and library code. Prefer using the macro initializers due to their
straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero 6a25b41ac3 psa: Add initializers for hash operation objects
Add new initializers for hash operation objects and use them in our
tests and library code. Prefer using the macro initializers due to their
straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero 70261c513a psa: Add initializers for key policies
Add new initializers for key policies and use them in our docs, example
programs, tests, and library code. Prefer using the macro initializers
due to their straightforwardness.
2019-01-08 14:28:04 +00:00
Gilles Peskine c5487a8892 Drop support for psa_key_slot_t in psa_crypto.c
This commit finishes the removal of support for direct access to key
slots in psa_crypto.c.

This marks the end of the necessary phase of the transition to key
handles. The code should subsequently be refactored to move key slot
management from psa_crypto.c to psa_crypto_slot_management.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine bdf309ccdb Convert the PSA crypto cryptography tests to the new handle API
Switch from the direct use of slot numbers to handles allocated by
psa_allocate_key.

This commit does not affect persistent key tests except for the one
test function in test_suite_psa_crypto that uses persistent keys
(persistent_key_load_key_from_storage).

The general principle for each function is:
* Change `psa_key_slot_t slot` to `psa_key_handle_t handle`.
* Call psa_allocate_key() before setting the policy of the slot,
  or before creating key material in functions that don't set a policy.
* Some PSA_ERROR_EMPTY_SLOT errors become PSA_ERROR_INVALID_HANDLE
  because there is now a distinction between not having a valid
  handle, and having a valid handle to a slot that doesn't contain key
  material.
* In tests that use symmetric keys, calculate the max_bits parameters
  of psa_allocate_key() from the key data size. In tests where the key
  may be asymmetric, call an auxiliary macro KEY_BITS_FROM_DATA which
  returns an overapproximation. There's no good way to find a good
  value for max_bits with the API, I think the API should be tweaked.
2018-12-11 16:48:13 +01:00
Gilles Peskine a8860b2990 Remove lifetime test functions
With the handle-based slot management interface, psa_set_key_lifetime
will no longer exist, so remove the corresponding unit tests.
2018-12-11 16:48:13 +01:00
Gilles Peskine dc911fd594 Remove redundant slot-based test
fill_slots is superseded by many_transient_handles.
2018-12-11 16:48:13 +01:00
Gilles Peskine a426168cbf Test that failure of import_key preserves metadata 2018-12-11 16:48:13 +01:00
Gilles Peskine 961849f6d1 Implement slot allocation
Implement psa_allocate_key, psa_open_key, psa_create_key,
psa_close_key.

Add support for keys designated to handles to psa_get_key_slot, and
thereby to the whole API.

Allocated and non-allocated keys can coexist. This is a temporary
stage in order to transition from the use of direct slot numbers to
allocated handles only. Once all the tests and sample programs have
been migrated to use handles, the implementation will be simplified
and made more robust with support for handles only.
2018-12-11 16:48:13 +01:00
Gilles Peskine 9edc146237
Merge pull request #209 from ARMmbed/psa-init_tests
Test psa_crypto_init and make it more robust
2018-11-30 13:28:47 +01:00
Gilles Peskine b0b189f31f Add missing compilation guards for GCM and CCM
Add missing compilation guards that broke the build if either GCM or
CCM was not defined.

Add missing guards on test cases that require GCM or CBC.

The build and tests now pass for any subset of {MBEDTLS_CCM_C,
MBEDTLS_GCM_C}. There are still unused variables warnings if neither
is defined.
2018-11-28 17:30:58 +01:00
Gilles Peskine b309eec4a5 Move library initialization tests to a new test suite 2018-11-22 13:41:38 +01:00
Darryl Green 0c6575a84d psa: Extend psa_generate_key to support persistent lifetimes 2018-11-20 15:40:32 +00:00
Darryl Green d49a499d03 psa: Implement persistent keys
Allow use of persistent keys, including configuring them, importing and
exporting them, and destroying them.

When getting a slot using psa_get_key_slot, there are 3 scenarios that
can occur if the keys lifetime is persistent:

1. Key type is PSA_KEY_TYPE_NONE, no persistent storage entry:
   -  The key slot is treated as a standard empty key slot
2. Key type is PSA_KEY_TYPE_NONE, persistent storage entry exists:
   -  Attempt to load the key from persistent storage
3. Key type is not PSA_KEY_TYPE_NONE:
   -  As checking persistent storage on every use of the key could
      be expensive, the persistent key is assumed to be saved in
      persistent storage, the in-memory key is continued to be used.
2018-11-20 15:40:25 +00:00
Hanno Becker 6b123fbc39 Add test for overly long PSK in TLS-1.2 PSK-to-MS KDF 2018-11-19 11:24:26 +00:00
Hanno Becker f074938aae Add SHA-384 tests for TLS 1.2 PSK-to-MS key derivation 2018-11-19 11:24:26 +00:00
Hanno Becker a198f06feb Add tests for TLS-1.2 PSK-to-MS derivation 2018-11-19 11:24:25 +00:00
Gilles Peskine a1b87e5afe Add missing dependency in an ECDH test case
curves.pl passes.
2018-11-16 16:43:04 +01:00
Gilles Peskine 1dfb1ba684 Add a test case for key agreement with a following KDF
There was no test case of ECDH with anything other than
PSA_ALG_SELECT_RAW. Exercise the code path from ECDH through a
"proper" KDF.

ECDH shared secret copied from an existing test, HKDF output
calculated with Cryptodome.
2018-11-16 16:09:27 +01:00
Hanno Becker 24658c4ba1 Add test vectors for TLS 1.2 PRF
Taken from https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
2018-11-16 11:24:59 +00:00
Gilles Peskine 88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine 714e16b37a Add import/export test of EC public key 2018-11-14 21:17:16 +01:00
Gilles Peskine 3ec8ed8b51 Add multipart key agreement tests
Add test cases that do key agreement with raw selection in pieces, to
validate that selection works even when the application doesn't read
everything in one chunk.
2018-11-14 21:15:37 +01:00
Gilles Peskine b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine 01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine e8f0e3dc3c New algorithm category: key selection
A key selection algorithm is similar to a key derivation algorithm in
that it takes a secret input and produces a secret output stream.
However, unlike key derivation algorithms, there is no expectation
that the input cannot be reconstructed from the output. Key selection
algorithms are exclusively meant to be used on the output of a key
agreement algorithm to select chunks of the shared secret.
2018-11-14 21:15:37 +01:00
Gilles Peskine 86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine 728944718a Fix a test case with incorrect dependency
Simplify the test case "PSA export a slot after a failed import of an
EC keypair": use an invalid private value for the specified curve. Now
the dependencies match the test data, so this fixes curves.pl.
2018-11-08 10:00:08 +01:00
Moran Peker ce50007f90 Add tests of using cipher in bad state cases
- cipher setup after import key failure.
- cipher setup after set key policy but no key material
creation.
2018-11-07 16:20:07 +02:00
Moran Peker 3455009116 Add tests that check export failures after illegal behavior
- export a key after import key failure.
- export a key after the key was destroyed.
- export a key after set key policy but no key material
creation.
2018-11-07 16:19:34 +02:00
Moran Peker 28a38e6e38 Add tests that checks key management corner cases
- import a key into a non empty key slot.
- export a key from invalid slot number.
2018-11-07 16:18:24 +02:00
Gilles Peskine 8739da830e Fix test data in an old format
Update some test data from the asymmetric_apis_coverage branch that
wasn't updated to the new format from the
psa-asymmetric-format-raw_private_key branch.
2018-11-06 15:15:05 +01:00
Jaeden Amero c0a0855793
Merge pull request #171 from ARMmbed/asymmetric_apis_coverage
Increase asymmetric APIs coverage
2018-11-06 13:00:35 +00:00
Mohammad AboMokh 2d65cf0b16 Fix sign test dependencies and used algorithm 2018-11-06 11:56:45 +02:00
Jaeden Amero fe9f771e88
Merge pull request #170 from ARMmbed/increase_psa_key_derivation_code_coverage
add tests that increase key derivation code coverage slightly
2018-11-06 09:17:19 +00:00
Jaeden Amero 40f1cb104f
Merge pull request #182 from ARMmbed/psa-asymmetric-format-raw_private_key
Asymmetric import/export format: raw private EC keys
2018-11-06 09:02:25 +00:00
Mohammad AboMokh 392952df93 Fix test dependencies lists 2018-11-06 08:11:10 +02:00
itayzafrir 27e6945f43 Refactor and rename test hash_verify_bad_paths to hash_verify_bad_args
1. Updated test scenarios.
2. Renamed test and updated test description.
3. Some documentation updates.
4. Test dependency moved to .function file.
2018-11-05 18:36:05 +02:00
itayzafrir b2dd5ed1e6 Rename test hash_finish_bad_paths to hash_finish_bad_args
Test dependency moved to .function file.
2018-11-05 18:36:05 +02:00
itayzafrir f86548d674 Add test hash_bad_order
1. New test for testing bad order of hash function calls.
2. Removed test hash_update_bad_paths since it's test scenario
   was moved to the new test.
3. Moved some scenarios from test hash_verify_bad_paths to
   the new test.
2018-11-05 18:36:05 +02:00
itayzafrir 58028321b9 Split test hash_bad_paths into 3 different tests
1. Rename hash_bad_paths to hash_verify_bad_paths
2. Add test hash_update_bad_paths
3. Add test hash_finish_bad_paths

The different scenarios tested as part of hash_bad_paths are
moved to the relevant test.
2018-11-05 18:36:05 +02:00
itayzafrir 69290f0e71 Update hash tests documentation 2018-11-05 18:36:05 +02:00
itayzafrir 02d6295e53 Move positive hash tests into a new test suite
Move hash_finish, hash_verify and hash_multi_part to a
new test suite test_suite_psa_crypto_hash.
2018-11-05 18:36:05 +02:00
itayzafrir 9b3b31dc52 Delete redundant hash test vectors
Due to migration of test vectors from mbedTLS
2018-11-05 18:34:16 +02:00
itayzafrir a00f1d8b00 Add additional test vectors for hash single part
Test vectors migrated from mbedTLS
2018-11-05 18:34:16 +02:00
itayzafrir f5b3eb85b5 Add hash test for multipart operation
Test vectors migrated from mbedTLS
2018-11-05 18:34:16 +02:00
itayzafrir ec93d30b45 Add hash bad paths test
Increase code coverage
2018-11-05 18:34:16 +02:00
itayzafrir 18b1a227ac Add missing algorithms to existing hash tests 2018-11-05 18:34:16 +02:00
Nir Sonnenschein dd69d8b7ff Streamline test function API by removing parameter
streamline the API for the test test_derive_invalid_generator_state: by removing
the key_data parameter.
This parameter is not important for test flow and can be hard-coded.
2018-11-01 12:24:23 +02:00
Gilles Peskine 2257649ce4 Private EC key import: boundary test cases
Add boundary test cases for private key validity for a short
Weierstrass curve (0 < d < n).

Remove obsolete test cases "valid key but wrong curve". With the new
format, the private key representation does not contain an encoding of
the curve.
2018-10-31 14:10:06 +01:00
Nir Sonnenschein 4eda37bb9e streamline test function API by removing parameter
streamline the API for the test test_derive_invalid_generator_state by removing
the key type paramter (it is assumed to always be PSA_KEY_TYPE_DERIVE)
2018-10-31 12:15:58 +02:00
Mohammad AboMokh 991aee67cf improve test description 2018-10-31 10:36:48 +02:00
Gilles Peskine e783d34543 Private EC key format: change test data to raw private keys
In preparation for the import/export format change for private
elliptic curve keys from RFC 5915 to the raw secret value, transform the
test data to the new format.

Tests will not pass until the implementation has been changed to the
new format and some test cases and test functions have been adjusted.

I used the script below to look for lines containing a
PSA_KEY_TYPE_ECC_KEYPAIR and change the first hex string in the
line with an ASN.1 header that looks like the beginning of an RFC 5915
ECPrivateKey. This always happens to be a private key input.

perl -a -F: -i -pe 'sub pad { local ($_) = @_; s/^00// if length == $digits + 2; die if length > $digits; sprintf("\"%0${digits}s\"", $_) } if ($F[0] !~ /\W/ && /:PSA_KEY_TYPE_ECC_KEYPAIR\( *PSA_ECC_CURVE_[A-Z_]+([0-9]+)/) {$digits = int(($1+7)/8)*2; s/"30(?:[0-7].|81..|82....)02010104(..)([0-9a-f]+)"/pad(substr($2, 0, hex($1)*2))/ie}' tests/suites/test_suite_psa_crypto.data
2018-10-29 19:16:53 +01:00
Gilles Peskine 1010628a99 Add some key pair and public key export tests
Add buffer-too-small tests for export_public_key.

Add some good cases of export and export-public with EC keys.
2018-10-29 15:55:17 +01:00
Gilles Peskine 49c2591916 Improve export_public_key test function
In the test function for export_public_key, don't just check the
length of the result. Compare the actual result to the expected
result.

Take an extra argument that allows using an export buffer that's
larger or smaller than needed. Zero is the size given by
PSA_KEY_EXPORT_MAX_SIZE.

Don't check the output of psa_get_key_information. That's useful in
import_export because it tests both import and export, but not in
import_export_public_key whose goal is only to test public key export.

This commit adjusts the existing test data but does not add new test
cases.
2018-10-29 15:15:31 +01:00
Nir Sonnenschein b46e7ca16b add additional generator tests and generalize key derivation test
Key derivation test now uses an indirect way to test generator validity
as the direct way previously used isn't compatible with the PSA IPC
implementation. Additional bad path test for the generator added
to check basic bad-path scenarios.
2018-10-25 14:46:09 +03:00
Mohammad AboMokh 87576c5c5a Improve line coverage for asymmetric verify function by adding new bad scenarios 2018-10-25 13:49:59 +03:00
Mohammad AboMokh 8ffded300d Improve line coverage for asymmetric sign function by adding new bad scenarios 2018-10-25 13:49:38 +03:00
Nir Sonnenschein e5204c94a1 add tests that increase key derivation code coverage slightly
added tests that increase code coverage for the key derivation functions slightly
by reaching error cases not covered before.
2018-10-22 17:24:55 +03:00
Gilles Peskine c26eae1a9d Clarify the description of a CCM truncated tag test 2018-10-17 13:54:48 +02:00
Gilles Peskine 85ea2b397c Add some negative tests of CCM and GCM with invalid tag lengths 2018-10-17 13:54:48 +02:00
Gilles Peskine 28dfea6bb9 Add test cases for truncated MAC with a too short/long length 2018-10-17 13:54:47 +02:00
Gilles Peskine e1f2d7d1ac Document and check the consistency of truncated MAC encodings
Add comments noting that the maximum length of a MAC must fit in
PSA_ALG_MAC_TRUNCATION_MASK. Add a unit test that verifies that the
maximum MAC size fits.
2018-10-17 13:54:47 +02:00
Gilles Peskine be00a71c90 Add tests for shorter-tag AEAD (CCM, GCM) 2018-10-08 14:45:35 +02:00
Gilles Peskine 7da96b0d91 Reorder parameters of AEAD unit tests to be more logical
Pass the nonce first, then the AD, then the input. This is the order
in which the data is processed and it's the order of the parameters to
the API functions.
2018-10-08 14:42:11 +02:00
Gilles Peskine d911eb7915 Add support for truncated MAC algorithms 2018-10-08 14:42:11 +02:00
Gilles Peskine a7aa442c7c Add tests for mac_sign 2018-10-08 14:42:11 +02:00
Gilles Peskine f18c146d6b Remove a redundant test case 2018-10-08 14:42:11 +02:00
Gilles Peskine 79722b0672 Fix incorrect test dependencies for MBEDTLS_PKCS1_V21 2018-09-27 13:57:45 +02:00
Jaeden Amero 3bfe5f0388
Merge pull request #150 from ARMmbed/psa-rsa-verify-error
Don't return INVALID_PADDING on an invalid RSA signature
2018-09-21 16:15:10 +01:00
Jaeden Amero 40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00
Gilles Peskine daea26f70f Correct and simplify block-based cipher modes
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
2018-09-20 11:58:22 +02:00
Gilles Peskine 821adfe51c Add exercise tests for RSA public keys and for PSS 2018-09-17 14:33:43 +02:00
Gilles Peskine 81ba4abb02 Fix bad algorithm and key type values in some tests 2018-09-17 11:20:27 +02:00
itayzafrir 90d8c7a728 Ensure the module is initialized in key based functions 2018-09-16 12:15:47 +03:00
itayzafrir 0adf0fc31c Ensure the module is initialized in psa_generate_random 2018-09-16 12:15:46 +03:00
Gilles Peskine 8a1a8f31e3 Add test cases for PEM import
This is not a standard PSA feature, it's an extension provided by the
current implementation.
2018-09-14 10:02:29 +01:00
Jaeden Amero df3b74f168 Merge pull request #125 from ARMmbed/key_slot_index-fix
Fix off-by-one errors in key slot index limits
2018-09-14 10:02:29 +01:00
Gilles Peskine 996deb18cc Fix buffer overflow in the slot array
Slots are numbered from 1, but the slot array is a C array so it's
numbered from 0.

Add a non-regression test.
2018-09-14 10:02:29 +01:00
Darryl Green 10ccc641ac Add missing dependencies on MBEDTLS_ECDSA_C 2018-09-14 10:02:28 +01:00
Darryl Green efb52d53bf Add missing dependency on MBEDTLS_PKCS1_V15 2018-09-14 10:02:28 +01:00
Darryl Green 77b33b2926 Add missing dependencies on MBEDTLS_SHA256_C 2018-09-14 10:02:28 +01:00
Jaeden Amero 22e232ec04 Merge pull request #109 from ARMmbed/IAR-feature-psa
Ensure release testing job passes IAR tests
2018-09-12 16:50:07 +03:00
Gilles Peskine 9f900a8b25 Merge pull request #105 from ARMmbed/psa-derive_hkdf
PSA key derivation: simple-ish interface, HKDF
2018-09-12 16:50:07 +03:00
Gilles Peskine 08542d8037 Fix psa_generator_import_key for DES
In psa_generator_import_key, if generating a DES or 3DES key, set the
parity bits.

Add tests for deriving a DES key. Also test deriving an AES key while
I'm at it.
2018-09-12 16:50:07 +03:00
Gilles Peskine d54931c7c4 HKDF: be more robust if we reach the maximum ouptut length
In psa_generator_hkdf_read, return BAD_STATE if we're trying to
construct more output than the algorithm allows. This can't happen
through the API due to the capacity limit, but it could potentially
happen in an internal call.

Also add a test case that verifies that we can set up HKDF with its
maximum capacity and read up to the maximum capacity.
2018-09-12 16:50:05 +03:00
Gilles Peskine 0386fbaa70 Key derivation: test deriving a key from the KDF output 2018-09-12 16:48:24 +03:00
Gilles Peskine f24af9602f Key derivation with HKDF: add a few negative tests 2018-09-12 16:45:46 +03:00
Gilles Peskine 96ee5c70b9 HKDF: positive tests 2018-09-12 16:45:45 +03:00
Gilles Peskine ea0fb4975c Add framework for simple key derivation
New key type PSA_KEY_TYPE_DERIVE. New usage flag PSA_KEY_USAGE_DERIVE.
New function psa_key_derivation.

No key derivation algorithm is implemented yet. The code may not
compile with -Wunused.

Write some unit test code for psa_key_derivation. Most of it cannot be
used yet due to the lack of a key derivation algorithm.
2018-09-12 16:44:04 +03:00
Moran Peker f2ffdb87f6 Fix generate_key and hash_setup tests vectors
-Add depends_on MBEDTLS_CIPHER_MODE_CTR for CTR test_suite_psa_crypto
-Change bad type/hash alg parameter to *_CATEGORY_*
2018-09-12 16:41:12 +03:00
Gilles Peskine 731606c580 Add OAEP tests with non-empty labels 2018-09-12 16:41:12 +03:00
Gilles Peskine b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine 6842812188 Asymmetric encryption tests: allow label argument
Add a label argument to all asymmetric encryption test functions
(currently empty in all tests, but that will change soon).

In asymmetric_encrypt and asymmetric_decrypt, with an empty label,
test with both a null pointer and a non-null pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine 072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine 71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine f64ee8a7f1 Fix "unknown MAC algorithm" to actually use a MAC algorithm 2018-09-12 16:41:12 +03:00
Gilles Peskine f969b3ac74 Change a generate_key test to exercise with PSS
This required tweaking exercise_signature_key to use a payload size
for the signature based on the algorithm, since our implementation of
PSS requires that the input size matches the hash size. This would
also be the case for PKCS#1 v1.5 with a specified hash.
2018-09-12 16:41:11 +03:00
Gilles Peskine 1c211b3e01 Fix some test dependencies
* No test depends on MBEDTLS_PK_C except via MBEDTLS_PK_PARSE_C, so
  remove MBEDTLS_PK_C and keep only MBEDTLS_PK_PARSE_C.
* Add MBEDTLS_PK_WRITE_C for pk export tests.
* Add MBEDTLS_GENPRIME for RSA key generation tests.
* Add dependencies to AEAD tests.
* Add missing dependencies to many RSA tests.
2018-09-12 16:41:11 +03:00
Gilles Peskine 66763a008a asymmetric_decrypt test: remove redundant argument
The expected output size is the size of the expected output, it
doesn't need to be passed separately.
2018-09-12 16:41:11 +03:00
Gilles Peskine d00444cf33 Improve test coverage of PKCS#1 v1.5 encrypt/decrypt
* Add a test for decryption with invalid padding.
* Add a test for encryption with input too large.
* In negative tests, pass input whose length matches the key length,
  unless that's what the test is about.
2018-09-12 16:41:11 +03:00
Gilles Peskine 365b984e38 Add asymmetric_verify tests with public keys
Change most asymmetric_verify to use public keys (they were all using
key pairs before). Keep one test with an RSA key pair and one with an
EC key pair.
2018-09-12 16:41:11 +03:00
Gilles Peskine ab4152b3d4 Diversify export tests without the export usage flag
Test both with a symmetric key and with a key pair.
2018-09-12 16:41:11 +03:00
Gilles Peskine 656896e4c3 Add positive asymmetric encryption tests
Revise the test function asymmetric_encrypt_fail into
asymmetric_encrypt and use it for positive tests as well. Get the
expected output length from PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE. Check
the actual output length against test data.

Add positive test cases for encryption: one with an RSA public
key (this is the only test for encryption with a public key rather
than a key pair) and one with a key pair.
2018-09-12 16:41:11 +03:00
Gilles Peskine 76f5c7b6a8 Tests: cover policy checks for all operations
Add tests of key policy checks for MAC, cipher, AEAD, asymmetric
encryption and asymmetric signature. For each category, test
with/without the requisite usage flag in each direction, and test
algorithm mismatch.
2018-09-12 16:41:11 +03:00
Gilles Peskine 6b530867e4 Test importing a key pair as a public key and vice versa 2018-09-12 16:41:11 +03:00
Gilles Peskine 9911b02f32 Add sign_verify test and use it to smoke-test PSS 2018-09-12 16:41:11 +03:00
Gilles Peskine 0b352bcf95 Test that creating RSA keys larger than the maximum fails
Test keypair import, public key import and key generation.
2018-09-12 16:41:11 +03:00
Gilles Peskine eae6eee24c Change ECDSA signature representation to r||s
Change the representation of an ECDSA signature from the ASN.1 DER
encoding used in TLS and X.509, to the concatenation of r and s
in big-endian order with a fixed size. A fixed size helps memory and
buffer management and this representation is generally easier to use
for anything that doesn't require the ASN.1 representation. This is
the same representation as PKCS#11 (Cryptoki) except that PKCS#11
allows r and s to be truncated (both to the same length), which
complicates the implementation and negates the advantage of a
fixed-size representation.
2018-09-12 16:41:11 +03:00
Gilles Peskine a680c7a9fc Add import-and-exercise tests for some signature algorithms 2018-09-12 16:41:10 +03:00
Gilles Peskine a81d85b732 Sort out ECDSA mechanisms
* Distinguish randomized ECDSA from deterministic ECDSA.
* Deterministic ECDSA needs to be parametrized by a hash.
* Randomized ECDSA only uses the hash for the initial hash step,
  but add ECDSA(hash) algorithms anyway so that all the signature
  algorithms encode the initial hashing step.
* Add brief documentation for the ECDSA signature mechanisms.
* Also define DSA signature mechanisms while I'm at it. There were
  already key types for DSA.
2018-09-12 16:24:51 +03:00
Gilles Peskine 55bf3d1171 Sort out RSA mechanisms
* PSS needs to be parametrized by a hash.
* Don't use `_MGF1` in the names of macros for OAEP and PSS. No one
  ever uses anything else.
* Add brief documentation for the RSA signature mechanisms.
2018-09-12 16:24:51 +03:00
Gilles Peskine 559d2f6d3e Add bad-type import tests with coinciding key sizes
Add a negative test for import where the expected key is an EC key
with the correct key size, but the wrong curve. Change the test that
tries to import an RSA key when an EC key is expected to have the
expected key size.
2018-09-12 16:24:50 +03:00
Gilles Peskine a9a3c23ccd Fix a config dependency in a test case 2018-09-12 16:24:50 +03:00
Gilles Peskine 202d0793a2 Add import test cases with a key pair of the wrong type 2018-09-12 16:24:50 +03:00
Jaeden Amero e7edf7bb20 psa: Expect zero-length exported-public symmetric keys
Because exporting-public a symmetric key fails, we have no reasonable
expectation that the exported key length has any value at all other than
something obviously incorrect or "empty", like a key with a length of 0.
Our current implementation explicitly sets the exported key length to 0
on errors, so test for this. Fix the "PSA import/export-public: cannot
export-public a symmetric key" test to expect a key length of 0 instead
of 162.
2018-09-12 16:24:50 +03:00
Gilles Peskine a50d7396f3 test of generate_random: focus on testing the output buffer size
In the test generate_random, focus on testing that psa_generate_random
is writing all the bytes of the output buffer and no more. Add a check
that it is writing to each byte of the output buffer. Do not try to
look for repeating output as the structure of a unit test isn't likely
to catch that sort of problem anyway.
2018-09-12 16:24:50 +03:00
Gilles Peskine 9ad29e2bee Add what little was missing to fully support DES
Also add what was missing in the test suite to support block ciphers
with a block size that isn't 16.

Fix some buggy test data that passed only due to problems with DES
support in the product.
2018-09-12 16:24:50 +03:00
Gilles Peskine 9a94480685 Convert ERR_ASN1 error codes to PSA
This fixes the error code when psa_export_key on an asymmetric key
reports that the output buffer is too small.
2018-09-12 16:24:50 +03:00
Gilles Peskine 775b8e97b1 export asymmetric key: more larger buffer cases
Test not only a buffer that's one byte larger than the minimum, but
also larger sizes that currently trigger a different code path.
2018-09-12 16:24:50 +03:00