mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00

Fix edge case with half-supported ECDSA (manual test cases)

ECDSA has two variants: deterministic (PSA_ALG_DETERMINISTIC_ECDSA) and
randomized (PSA_ALG_ECDSA). The two variants are different for signature but
identical for verification. Mbed TLS accepts either variant as the algorithm
parameter for verification even when only the other variant is supported,
so we need to handle this as a special case when generating not-supported
test cases.

In this commit:

* Add manually written not-supported test cases for the signature
  operation when exactly one variant is supported.
* Add manually written positive test cases for the verification
  operation when exactly one variant is supported.
* Register that !ECDSA but DETERMINISTIC_ECDSA is not tested yet
  (https://github.com/Mbed-TLS/mbedtls/issues/9592).

A commit in the framework will take care of automatically generated test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Gilles Peskine
2024-04-19 19:08:34 +02:00
parent 85bc82c280
commit 8729b10f26
5 changed files with 67 additions and 10 deletions


@ -206,6 +206,11 @@ class CoverageTask(outcome_analysis.CoverageTask):
'PBES2 Encrypt, pad=6 (PKCS7 padding disabled)',
'PBES2 Encrypt, pad=8 (PKCS7 padding disabled)',
],
'test_suite_psa_crypto': [
# We don't test this unusual, but sensible configuration.
# https://github.com/Mbed-TLS/mbedtls/issues/9592
re.compile(r'.*ECDSA.*only deterministic supported'),
],
'test_suite_psa_crypto_generate_key.generated': [
# Ignore mechanisms that are not implemented, except
# for public keys for which we always test that
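Review bot: The comment on the new 'test_suite_psa_crypto' entry does not say which configuration it means. "We don't test this unusual, but sensible configuration" should name it (ECDSA disabled, DETERMINISTIC_ECDSA enabled) so the reader does not have to open issue 9592 to understand the ignore. The pattern r'.*ECDSA.*only deterministic supported' also keys on free-form wording in test descriptions: it covers every description with that phrase after "ECDSA", signature and verification alike. Please confirm that both are meant to be excluded from coverage and that the manually written cases use exactly this phrase.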
@ -258,6 +263,9 @@ class CoverageTask(outcome_analysis.CoverageTask):
# "PSA test case generation: dependency inference class: operation fail"
# from https://github.com/Mbed-TLS/mbedtls/pull/9025 .
re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'),
# We don't test this unusual, but sensible configuration.
# https://github.com/Mbed-TLS/mbedtls/issues/9592
re.compile(r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*'),
# PBKDF2_HMAC is not in the default configuration, so we don't
# enable it in depends.py where we remove hashes.
# https://github.com/Mbed-TLS/mbedtls/issues/9576
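Review bot: The new pattern r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*' is open at both ends, so it ignores every case with this dependency description whatever the operation and algorithm before the colon and whatever follows "ECC_". The neighbouring entry spells out (?:KEY_PAIR|PUBLIC_KEY); doing the same here, and restricting the prefix if only some operations are affected, would keep an unrelated missing case from being hidden by this entry. Since the ignore exists only because of issue 9592, the comment should also say that it is to be removed when that issue is resolved.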
@ -272,6 +280,11 @@ class CoverageTask(outcome_analysis.CoverageTask):
# https://github.com/Mbed-TLS/mbedtls/issues/9578
re.compile(r'PSA sign RSA_PSS_ANY_SALT.*!(?:MD|RIPEMD|SHA).*'),
],
'test_suite_psa_crypto_op_fail.misc': [
# We don't test this unusual, but sensible configuration.
# https://github.com/Mbed-TLS/mbedtls/issues/9592
'PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)', #pylint: disable=line-too-long
],
'test_suite_psa_crypto_storage_format.current': [
PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
],
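Review bot: The entry added to 'test_suite_psa_crypto_op_fail.misc' is an exact description string, so it is tied to the wording of one manually written case (SHA_256, SECP_R1) and goes stale if that description is ever edited. The regex added earlier in this change, r'.*: !ECDSA but DETERMINISTIC_ECDSA with ECC_.*', already matches this string. Defining it once as a named constant, in the way PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE is used just below, and using it here would remove the need for "#pylint: disable=line-too-long" and for repeating the same two comment lines three times.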