Fix edge case with half-supported ECDSA

ECDSA has two variants: deterministic (PSA_ALG_DETERMINISTIC_ECDSA) and
randomized (PSA_ALG_ECDSA). The two variants are different for signature but
identical for verification. Mbed TLS accepts either variant as the algorithm
parameter for verification even when only the other variant is supported,
so we need to handle this as a special case when generating not-supported
test cases.

In this commit:

* Automatically generated not-supported test cases for ECDSA now require
  both variants to be disabled.
* Add manually written not-supported test cases for the signature
  operation when exactly one variant is supported.
* Add manually written positive test cases for the verification
  operation when exactly one variant is supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

scripts/mbedtls_dev/psa_information.py

@@ -174,9 +174,16 @@ class TestCase(test_case.TestCase):
         """Set test case arguments and automatically infer dependencies."""
         super().set_arguments(arguments)
         dependencies = automatic_dependencies(*arguments)
-        for i in range(len(dependencies)): #pylint: disable=consider-using-enumerate
+        # In test cases for not-supported features, the dependencies for
-            if dependencies[i] in self.negated_dependencies:
+        # the not-supported feature(s) must be negated. We make sure that
-                dependencies[i] = '!' + dependencies[i]
+        # all negated dependencies are present in the result, even in edge
+        # cases where they would not be detected automatically (for example,
+        # to restrict ECDSA-not-supported test cases to configurations
+        # where neither deterministic ECDSA nor randomized ECDSA are supported,
+        # to avoid the edge case that both ECDSA verifications are the same).
+        dependencies = ([dep for dep in dependencies
+                         if dep not in self.negated_dependencies] +
+                        ['!' + dep for dep in self.negated_dependencies])
         if self.key_bits is not None:
             dependencies = finish_family_dependencies(dependencies, self.key_bits)
         self.dependencies += sorted(dependencies)

tests/scripts/generate_psa_tests.py

@@ -236,7 +236,8 @@ class OpFail:
             tc.set_key_bits(bits)
         arguments.append(alg.expression)
         if category.is_asymmetric():
-            arguments.append('1' if reason == self.Reason.PUBLIC else '0')
+            private_only = (reason == self.Reason.PUBLIC)
+            arguments.append('1' if private_only else '0')
         error = ('NOT_SUPPORTED' if reason == self.Reason.NOT_SUPPORTED else
                  'INVALID_ARGUMENT')
         arguments.append('PSA_ERROR_' + error)
@@ -272,9 +273,25 @@ class OpFail:
             if key_is_compatible and alg.can_do(category):
                 # Compatible key and operation, unsupported algorithm
                 for dep in psa_information.automatic_dependencies(alg.base_expression):
+                    deps = [dep]
+                    # Special case: if one of deterministic/randomized
+                    # ECDSA is supported but not the other, then the one
+                    # that is not supported in the signature direction is
+                    # still supported in the verification direction,
+                    # because the two verification algorithms are
+                    # identical. This property is how Mbed TLS chooses to
+                    # behave, the specification would also allow it to
+                    # reject the algorithm. In the generated test cases,
+                    # we avoid this difficulty by not running the
+                    # not-supported test case when exactly one of the
+                    # two variants is supported.
+                    if dep == 'PSA_WANT_ALG_DETERMINISTIC_ECDSA':
+                        deps.append('PSA_WANT_ALG_ECDSA')
+                    elif dep == 'PSA_WANT_ALG_ECDSA':
+                        deps.append('PSA_WANT_ALG_DETERMINISTIC_ECDSA')
                     yield self.make_test_case(alg, category,
                                               self.Reason.NOT_SUPPORTED,
-                                              kt=kt, not_deps=frozenset([dep]))
+                                              kt=kt, not_deps=frozenset(deps))
                 # Public key for a private-key operation
                 if category.is_asymmetric() and kt.is_public():
                     yield self.make_test_case(alg, category,

tests/suites/test_suite_psa_crypto.data

@@ -2752,6 +2752,29 @@ PSA verify hash with keypair: ECDSA SECP256R1, good
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
 
+# The next 4 test cases check what happens if only one of the two ECDSA
+# variants is supported. The ECDSA variants (deterministic and randomized)
+# are different signature algorithms that can be enabled independently,
+# but they have the same verification. Mbed TLS accepts either variant
+# as the algorithm requested for verification even if that variant is not
+# supported. Test that this works. It would also be acceptable if the
+# library returned NOT_SUPPORTED in this case.
+PSA verify hash: ECDSA SECP256R1, only deterministic supported
+depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash with keypair: ECDSA SECP256R1, only deterministic supported
+depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash: deterministic ECDSA SECP256R1, only randomized supported
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
+PSA verify hash with keypair: determinitic ECDSA SECP256R1, only randomized supported
+depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
+verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+
 PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
 verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE

tests/suites/test_suite_psa_crypto_op_fail.function

@@ -232,8 +232,8 @@ void sign_fail(int key_type_arg, data_t *key_data,
                               input, sizeof(input),
                               output, sizeof(output), &length));
     if (!private_only) {
-        /* Determine a plausible signature size to avoid an INVALID_SIGNATURE
+        /* Construct a signature candidate of a plausible size to avoid an
-         * error based on this. */
+         * INVALID_SIGNATURE error based on an early size verification. */
         PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
         size_t key_bits = psa_get_key_bits(&attributes);
         size_t output_length = sizeof(output);

tests/suites/test_suite_psa_crypto_op_fail.misc.data

@@ -43,3 +43,24 @@ sign_fail:PSA_KEY_TYPE_AES:"48657265006973206b6579a064617461":PSA_ALG_RSA_PSS(PS
 PSA sign RSA_PSS(SHA_256): RSA_PSS not enabled, key pair
 depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
 sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_ERROR_NOT_SUPPORTED
+
+# There is a special case with ECDSA: deterministic and randomized ECDSA are
+# different signature algorithms that can be enabled independently, but
+# the verification algorithms are the same. Mbed TLS supports verification
+# of either variant when either variant is enabled. (It would also be correct
+# to reject the not-supported algorithm, but it would require a few more lines
+# of code.) In the automatically generated test cases, we avoid this difficulty
+# by making the not-supported test cases require neither variant to be
+# enabled. Here, test the signature operation when one variant is supported
+# but not the other. Testing the positive cases for the verification
+# operation is the job of test_suite_psa_crypto.
+#
+# We only test with one curve and one hash, because we know from a gray-box
+# approach that the curve and hash don't matter here.
+PSA sign DETERMINISTIC_ECDSA(SHA_256): !DETERMINISTIC_ECDSA but ECDSA with ECC_KEY_PAIR(SECP_R1)
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
+
+PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED