diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c90119fe4a..d61e118b54 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1378,9 +1378,9 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: - /* TODO: reporting the public exponent for opaque keys - * is not yet implemented. - * https://github.com/ARMmbed/mbed-crypto/issues/216 + /* TODO: This is a temporary situation where domain parameters are deprecated, + * but we need it for namely generating an RSA key with a non-default exponent. + * This would be improved after https://github.com/Mbed-TLS/mbedtls/issues/6494. */ if (!psa_key_lifetime_is_external(slot->attr.lifetime)) { mbedtls_rsa_context *rsa = NULL; @@ -1400,6 +1400,12 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, mbedtls_free(rsa); } break; +#else + case PSA_KEY_TYPE_RSA_KEY_PAIR: + case PSA_KEY_TYPE_RSA_PUBLIC_KEY: + attributes->domain_parameters = NULL; + attributes->domain_parameters_size = SIZE_MAX; + break; #endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c index 564463fedc..472d3d31a3 100644 --- a/library/psa_crypto_client.c +++ b/library/psa_crypto_client.c @@ -53,6 +53,11 @@ psa_status_t psa_get_key_domain_parameters( const psa_key_attributes_t *attributes, uint8_t *data, size_t data_size, size_t *data_length) { + if (attributes->domain_parameters == NULL && + attributes->domain_parameters_size == SIZE_MAX) { + return PSA_ERROR_NOT_SUPPORTED; + } + if (attributes->domain_parameters_size > data_size) { return PSA_ERROR_BUFFER_TOO_SMALL; } diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b8acfb5eb1..10a76ec182 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3368,77 +3368,75 @@ component_test_psa_ecc_key_pair_no_generate() { build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" } -component_test_psa_crypto_config_accel_rsa_signature () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" +config_psa_crypto_accel_rsa () { + driver_only=$1 - loc_accel_list="ALG_RSA_PKCS1V15_SIGN ALG_RSA_PSS KEY_TYPE_RSA_KEY_PAIR KEY_TYPE_RSA_PUBLIC_KEY" + # Start from crypto_full config (no X.509, no TLS) + helper_libtestdriver1_adjust_config "crypto_full" + + if [ "$driver_only" -eq 1 ]; then + # Remove RSA support and its dependencies + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + + # We need PEM parsing in the test library as well to support the import + # of PEM encoded RSA keys. + scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C + scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C + fi +} + +component_test_psa_crypto_config_accel_rsa_crypto () { + msg "build: crypto_full with accelerated RSA" + + loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ + ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ + KEY_TYPE_RSA_PUBLIC_KEY \ + KEY_TYPE_RSA_KEY_PAIR_BASIC \ + KEY_TYPE_RSA_KEY_PAIR_GENERATE \ + KEY_TYPE_RSA_KEY_PAIR_IMPORT \ + KEY_TYPE_RSA_KEY_PAIR_EXPORT" # Configure # --------- - # Start from default config (no TLS 1.3, no USE_PSA) - helper_libtestdriver1_adjust_config "default" - - # It seems it is not possible to remove only the support for RSA signature - # in the library. Thus we have to remove all RSA support (signature and - # encryption/decryption). AS there is no driver support for asymmetric - # encryption/decryption so far remove RSA encryption/decryption from the - # application algorithm list. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - - # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - - # Make sure both the library and the test library support the SHA hash - # algorithms and only those ones (SHA256 is included by default). That way: - # - the test library can compute the RSA signatures even in the case of a - # composite RSA signature algorithm based on a SHA hash (no other hash - # used in the unit tests). - # - the dependency of RSA signature tests on PSA_WANT_ALG_SHA_xyz is - # fulfilled as the hash SHA algorithm is supported by the library, and - # thus the tests are run, not skipped. - # - when testing a signature key with an algorithm wildcard built from - # PSA_ALG_ANY_HASH as algorithm to test with the key, the chosen hash - # algorithm based on the hashes supported by the library is also - # supported by the test library. - # Disable unwanted hashes here, we'll enable hashes we want in loc_extra_list. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160_C - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - - # We need PEM parsing in the test library as well to support the import - # of PEM encoded RSA keys. - scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C - scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C + config_psa_crypto_accel_rsa 1 # Build # ----- - # These hashes are needed for some RSA-PSS signature tests. + # These hashes are needed for unit tests. loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o - not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o + not grep mbedtls_rsa library/rsa.o # Run the tests # ------------- - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" + msg "test: crypto_full with accelerated RSA" + make test +} + +component_test_psa_crypto_config_reference_rsa_crypto () { + msg "build: crypto_full with non-accelerated RSA" + + # Configure + # --------- + config_psa_crypto_accel_rsa 0 + + # Build + # ----- + make + + # Run the tests + # ------------- + msg "test: crypto_full with non-accelerated RSA" make test } diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index ca349d38e9..d3ea8c0e1a 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -501,6 +501,38 @@ KNOWN_TASKS = { ], } } + }, + 'analyze_driver_vs_reference_rsa': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_config_reference_rsa_crypto', + 'component_driver': 'test_psa_crypto_config_accel_rsa_crypto', + 'ignored_suites': [ + # Modules replaced by drivers. + 'rsa', 'pkcs1_v15', 'pkcs1_v21', + # We temporarily don't care about PK stuff. + 'pk', 'pkwrite', 'pkparse' + ], + 'ignored_tests': { + 'test_suite_platform': [ + # Incompatible with sanitizers (e.g. ASan). If the driver + # component uses a sanitizer but the reference component + # doesn't, we have a PASS vs SKIP mismatch. + 'Check mbedtls_calloc overallocation', + ], + # Following tests depend on RSA_C but are not about + # them really, just need to know some error code is there. + 'test_suite_error': [ + 'Low and high error', + 'Single high error' + ], + # Constant time operations only used for PKCS1_V15 + 'test_suite_constant_time': [ + re.compile(r'mbedtls_ct_zeroize_if .*'), + re.compile(r'mbedtls_ct_memmove_left .*') + ], + } + } } } diff --git a/tests/src/drivers/test_driver_asymmetric_encryption.c b/tests/src/drivers/test_driver_asymmetric_encryption.c index c906a664a3..ff46387d58 100644 --- a/tests/src/drivers/test_driver_asymmetric_encryption.c +++ b/tests/src/drivers/test_driver_asymmetric_encryption.c @@ -46,8 +46,7 @@ psa_status_t mbedtls_test_transparent_asymmetric_encrypt( return mbedtls_test_driver_asymmetric_encryption_hooks.forced_status; } -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) return libtestdriver1_mbedtls_psa_asymmetric_encrypt( (const libtestdriver1_psa_key_attributes_t *) attributes, key_buffer, key_buffer_size, @@ -88,8 +87,7 @@ psa_status_t mbedtls_test_transparent_asymmetric_decrypt( return mbedtls_test_driver_asymmetric_encryption_hooks.forced_status; } -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) return libtestdriver1_mbedtls_psa_asymmetric_decrypt( (const libtestdriver1_psa_key_attributes_t *) attributes, key_buffer, key_buffer_size, diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index e239a44528..1bd8b65002 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -7342,7 +7342,7 @@ PSA generate key: RSA, e=1 generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT PSA generate key: RSA, e=2 -generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"01":PSA_ERROR_INVALID_ARGUMENT +generate_key_rsa:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:"02":PSA_ERROR_INVALID_ARGUMENT PSA generate key: FFDH, 2048 bits, good depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index a510f8e01a..4c08a9017c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -9688,14 +9688,24 @@ void generate_key_rsa(int bits_arg, PSA_ASSERT(psa_get_key_attributes(key, &attributes)); TEST_EQUAL(psa_get_key_type(&attributes), type); TEST_EQUAL(psa_get_key_bits(&attributes), bits); - PSA_ASSERT(psa_get_key_domain_parameters(&attributes, - e_read_buffer, e_read_size, - &e_read_length)); + psa_status_t status = psa_get_key_domain_parameters(&attributes, + e_read_buffer, e_read_size, + &e_read_length); + + +#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if (is_default_public_exponent) { TEST_EQUAL(e_read_length, 0); } else { + TEST_EQUAL(status, PSA_SUCCESS); TEST_MEMORY_COMPARE(e_read_buffer, e_read_length, e_arg->x, e_arg->len); } +#else + (void) is_default_public_exponent; + TEST_EQUAL(status, PSA_ERROR_NOT_SUPPORTED); +#endif /* Do something with the key according to its type and permitted usage. */ if (!mbedtls_test_psa_exercise_key(key, usage, alg)) {