Define WANT symbols for always-supported key types

PSA_KEY_TYPE_RAW_DATA and PSA_KEY_TYPE_DERIVE are always supported.
Make this explicit by declaring PSA_WANT_KEY_TYPE_RAW_DATA and
PSA_WANT_KEY_TYPE_DERIVE unconditionally. This makes it easier to
infer dependencies in a systematic way.

Don't generate not-supported test cases for those key types. They
would always be skipped, which is noise and would make it impossible
to eventually validate that all test cases pass in at least one
configuration over the whole CI.

Don't remove the exception in set_psa_test_dependencies.py for now, to
get less noise in dependencies. This may be revised later if it is
deemed more important to be systematic.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 4ad390d..73a3ea3 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -533,6 +533,10 @@
 
 #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
 
+/* These features are always enabled. */
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+
 #ifdef __cplusplus
 }
 #endif
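Review bot: The two unconditional `#define`s placed after `#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */` can repeat a definition already made by a user-supplied `crypto_config.h`, assuming that file is processed before this point. A repeat with the identical replacement `1` is accepted silently, but a configuration that spells either symbol with a different value would presumably trigger a macro-redefinition diagnostic here. The comment `/* These features are always enabled. */` should also say that the configuration file cannot turn them off, for example `/* Always enabled, regardless of MBEDTLS_PSA_CRYPTO_CONFIG and the contents of crypto_config.h. */`.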
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index 9453e81..773e171 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -79,6 +79,7 @@
 #define PSA_WANT_ALG_TLS12_PRF                  1
 #define PSA_WANT_ALG_TLS12_PSK_TO_MS            1
 #define PSA_WANT_ALG_XTS                        1
+
 #define PSA_WANT_KEY_TYPE_DERIVE                1
 #define PSA_WANT_KEY_TYPE_HMAC                  1
 #define PSA_WANT_KEY_TYPE_AES                   1
@@ -88,6 +89,7 @@
 #define PSA_WANT_KEY_TYPE_DES                   1
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR          1
 #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY        1
+#define PSA_WANT_KEY_TYPE_RAW_DATA              1
 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR          1
 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY        1
 
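Review bot: `PSA_WANT_KEY_TYPE_RAW_DATA` is added to this list as if it were an optional feature, and `PSA_WANT_KEY_TYPE_DERIVE` already sits a few lines up, yet per this commit include/mbedtls/config_psa.h defines both unconditionally. Someone trimming the configuration to shrink the enabled feature set could comment these lines out and believe raw-data or derivation keys are disabled, when nothing has changed. A short comment on each of the two lines would prevent that, e.g. `/* Always enabled: removing this line has no effect. */`.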
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index 4036ee3..19cb78c 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -119,8 +119,12 @@
         filename = os.path.join(self.test_suite_directory, basename + '.data')
         test_case.write_data_file(filename, test_cases)
 
-    @staticmethod
+    ALWAYS_SUPPORTED = frozenset([
+        'PSA_KEY_TYPE_DERIVE',
+        'PSA_KEY_TYPE_RAW_DATA',
+    ])
     def test_cases_for_key_type_not_supported(
+            self,
             kt: crypto_knowledge.KeyType,
             param: Optional[int] = None,
             param_descr: str = '',
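Review bot: `ALWAYS_SUPPORTED` is a third copy of the same fact, next to the unconditional defines in include/mbedtls/config_psa.h and the exception list in set_psa_test_dependencies.py, and nothing ties the three together. If a key type were listed here without being unconditionally defined, its not-supported cases would silently stop being generated and that negative coverage would be lost. The constant therefore deserves a comment such as `# Key types with an unconditional PSA_WANT_KEY_TYPE_xxx in config_psa.h; keep in sync.` and a blank line before the `def`. Dropping `@staticmethod` also changes how the method may be called; the callers are outside this hunk, so check that none of them invoke it on the class rather than on an instance. The method body continues in the next hunk.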
@@ -131,8 +135,9 @@
         parameter not being supported. If it is absent or None, emit test cases
         conditioned on the base type not being supported.
         """
-        if kt.name == 'PSA_KEY_TYPE_RAW_DATA':
-            # This key type is always supported.
+        if kt.name in self.ALWAYS_SUPPORTED:
+            # Don't generate test cases for key types that are always supported.
+            # They would be skipped in all configurations, which is noise.
             return []
         import_dependencies = [('!' if param is None else '') +
                                psa_want_symbol(kt.name)]
diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py
index e3760c5..7a84cf4 100755
--- a/tests/scripts/set_psa_test_dependencies.py
+++ b/tests/scripts/set_psa_test_dependencies.py
@@ -112,9 +112,9 @@
     'PSA_ALG_ANY_HASH', # only meaningful in policies
     'PSA_ALG_KEY_AGREEMENT', # only a way to combine algorithms
     'PSA_ALG_TRUNCATED_MAC', # only a modifier
-    'PSA_KEY_TYPE_NONE', # always supported
-    'PSA_KEY_TYPE_DERIVE', # always supported
-    'PSA_KEY_TYPE_RAW_DATA', # always supported
+    'PSA_KEY_TYPE_NONE', # not a real key type
+    'PSA_KEY_TYPE_DERIVE', # always supported, don't list it to reduce noise
+    'PSA_KEY_TYPE_RAW_DATA', # always supported, don't list it to reduce noise
 
     # Not implemented yet: cipher-related key types and algorithms.
     # Manually extracted from crypto_values.h.
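Review bot: The new comments on `'PSA_KEY_TYPE_DERIVE'` and `'PSA_KEY_TYPE_RAW_DATA'` say "don't list it" while the symbols are in fact listed in this collection, so the pronoun reads ambiguously. Going by the commit message, the intent is that these types stay out of the dependency lists written into test cases. Wording such as `# always supported, kept out of dependency lists to reduce noise` says that directly. The enclosing collection starts outside the hunk, so its exact role is inferred from the commit message.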
diff --git a/tests/suites/test_suite_psa_crypto_not_supported.generated.data b/tests/suites/test_suite_psa_crypto_not_supported.generated.data
index 614f4a4..02c7df3 100644
--- a/tests/suites/test_suite_psa_crypto_not_supported.generated.data
+++ b/tests/suites/test_suite_psa_crypto_not_supported.generated.data
@@ -80,22 +80,6 @@
 depends_on:!PSA_WANT_KEY_TYPE_CHACHA20
 generate_not_supported:PSA_KEY_TYPE_CHACHA20:256
 
-PSA import DERIVE 120-bit not supported
-depends_on:!PSA_WANT_KEY_TYPE_DERIVE
-import_not_supported:PSA_KEY_TYPE_DERIVE:"48657265006973206b6579a0646174"
-
-PSA generate DERIVE 120-bit not supported
-depends_on:!PSA_WANT_KEY_TYPE_DERIVE
-generate_not_supported:PSA_KEY_TYPE_DERIVE:120
-
-PSA import DERIVE 128-bit not supported
-depends_on:!PSA_WANT_KEY_TYPE_DERIVE
-import_not_supported:PSA_KEY_TYPE_DERIVE:"48657265006973206b6579a064617461"
-
-PSA generate DERIVE 128-bit not supported
-depends_on:!PSA_WANT_KEY_TYPE_DERIVE
-generate_not_supported:PSA_KEY_TYPE_DERIVE:128
-
 PSA import DES 64-bit not supported
 depends_on:!PSA_WANT_KEY_TYPE_DES
 import_not_supported:PSA_KEY_TYPE_DES:"644573206b457901"