Keys may allow a second algorithm

Add a second permitted algorithm to key policies. This commit includes smoke tests that do not cover psa_copy_key.
2025-07-29 11:41:15 +03:00 · 2019-05-10 19:33:38 +02:00
parent 8bf196b303
commit d6f371b1ba
5 changed files with 124 additions and 15 deletions
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@ -492,6 +492,14 @@ PSA key policy: agreement, wrong algorithm
 depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDH_C
 agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH(PSA_ALG_SELECT_RAW):PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_FFDH(PSA_ALG_SELECT_RAW)

+PSA key policy algorithm2: CTR, CBC
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_MODE_CBC_NOPAD
+key_policy_alg2:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING
+
+PSA key policy algorithm2: ECDH, ECDSA
+depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDH_C:MBEDTLS_ECDSA_C
+key_policy_alg2:PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDH(PSA_ALG_SELECT_RAW):PSA_ALG_ECDSA_ANY
+
 Copy key: raw, 0 bytes
 copy_key_policy:0:0:PSA_KEY_TYPE_RAW_DATA:"":0:0:-1:-1:0:0

--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@ -1932,6 +1932,43 @@ exit:
 }
 /* END_CASE */

+/* BEGIN_CASE */
+void key_policy_alg2( int key_type_arg, data_t *key_data,
+                      int usage_arg, int alg_arg, int alg2_arg )
+{
+    psa_key_handle_t handle = 0;
+    psa_key_type_t key_type = key_type_arg;
+    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+    psa_key_policy_t got_policy = PSA_KEY_POLICY_INIT;
+    psa_key_usage_t usage = usage_arg;
+    psa_algorithm_t alg = alg_arg;
+    psa_algorithm_t alg2 = alg2_arg;
+
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    PSA_ASSERT( psa_allocate_key( &handle ) );
+    psa_key_policy_set_usage( &policy, usage, alg );
+    psa_key_policy_set_enrollment_algorithm( &policy, alg2 );
+    PSA_ASSERT( psa_set_key_policy( handle, &policy ) );
+    PSA_ASSERT( psa_import_key( handle, key_type,
+                                key_data->x, key_data->len ) );
+
+    PSA_ASSERT( psa_get_key_policy( handle, &got_policy ) );
+    TEST_EQUAL( psa_key_policy_get_usage( &got_policy ), usage );
+    TEST_EQUAL( psa_key_policy_get_algorithm( &got_policy ), alg );
+    TEST_EQUAL( psa_key_policy_get_enrollment_algorithm( &got_policy ), alg2 );
+
+    if( ! exercise_key( handle, usage, alg ) )
+        goto exit;
+    if( ! exercise_key( handle, usage, alg2 ) )
+        goto exit;
+
+exit:
+    psa_destroy_key( handle );
+    mbedtls_psa_crypto_free( );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void copy_key_policy( int source_usage_arg, int source_alg_arg,
                      int type_arg, data_t *material,