Merge pull request #257 from valeriosetti/issue598-framework
[framework] tests: pk: add a common function to create a PSA key out of predefined keys
diff --git a/scripts/generate_test_keys.py b/scripts/generate_test_keys.py
index 7541775..7cec7b3 100755
--- a/scripts/generate_test_keys.py
+++ b/scripts/generate_test_keys.py
@@ -15,7 +15,7 @@
BYTES_PER_LINE = 16
def c_byte_array_literal_content(array_name: str, key_data: bytes) -> Iterator[str]:
- yield 'const unsigned char '
+ yield 'static const unsigned char '
yield array_name
yield '[] = {'
for index in range(0, len(key_data), BYTES_PER_LINE):
@@ -89,12 +89,25 @@
def write_output_file(output_file_name: str, arrays: str, look_up_table: str):
+ """Write generated content to the output file"""
with open(output_file_name, 'wt') as output:
output.write("""\
/*********************************************************************************
* This file was automatically generated from framework/scripts/generate_test_keys.py.
* Please do not edit it manually.
*********************************************************************************/
+
+#ifndef TEST_TEST_KEYS_H
+#define TEST_TEST_KEYS_H
+
+#if TF_PSA_CRYPTO_VERSION_MAJOR >= 1
+#include <tf_psa_crypto_common.h>
+#include <mbedtls/private/ecp.h>
+#else
+#include <common.h>
+#include <mbedtls/ecp.h>
+#endif
+
""")
output.write(arrays)
output.write("""
@@ -107,10 +120,12 @@
size_t pub_key_len;
}};
-struct predefined_key_element predefined_keys[] = {{
+MBEDTLS_MAYBE_UNUSED static struct predefined_key_element predefined_keys[] = {{
{}
}};
+#endif /* TEST_TEST_KEYS_H */
+
/* End of generated file */
""".format(look_up_table))
diff --git a/tests/include/test/pk_helpers.h b/tests/include/test/pk_helpers.h
new file mode 100644
index 0000000..e358657
--- /dev/null
+++ b/tests/include/test/pk_helpers.h
@@ -0,0 +1,94 @@
+/*
+ * Helper functions for PK.
+ * This is only for TF-PSA-Crypto 1.0 and above.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PK_HELPERS_H
+#define PK_HELPERS_H
+
+#if defined(MBEDTLS_PK_C)
+
+#include <psa/crypto.h>
+#include <mbedtls/pk.h>
+
+/* 'pk_context_populate_method_t' is only used in 'mbedtls_pk_helpers_populate_context'
+ * which takes a PSA key ID to populate the PK context. The idea is to use that
+ * function after calling 'mbedtls_pk_helpers_make_psa_key_from_predefined' to
+ * retrieve a PSA key ID. Adding support for parsing doesn't fit well with the
+ * current prototype of 'mbedtls_pk_helpers_populate_context'.
+ * What is needed to add parsing in the list below is a new function which acts
+ * as a combination between 'mbedtls_pk_helpers_make_psa_key_from_predefined' and
+ * 'mbedtls_pk_helpers_populate_context', i.e. it takes a key type, key bits and
+ * population method as input and it returns a PK context.
+ */
+typedef enum {
+ TEST_PK_WRAP_PSA,
+ TEST_PK_COPY_FROM_PSA,
+ TEST_PK_COPY_PUBLIC_FROM_PSA,
+} pk_context_populate_method_t;
+
+/**
+ * Get predefined key pair/public key data for the requested key.
+ *
+ * If the specified key type or bit length does not exist in the list of known
+ * predefined keys, an assertion failure will be generated.
+ *
+ * The output format is compatible with PSA API, so they key can be imported
+ * with psa_import_key().
+ *
+ * \param key_type PSA key type for the key being requested.
+ * \param key_bits Bit length for the PSA key being requested.
+ * \param output Pointer which on exit will point to the key material that has
+ * been requested by "key_type" and "key_bits".
+ * \param output_len Length of the key material being pointed to from "output".
+ *
+ * \return 0 on success; MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the required
+ * key is not the in list of known ones.
+ */
+int mbedtls_pk_helpers_get_predefined_key_data(psa_key_type_t key_type, psa_key_bits_t key_bits,
+ const uint8_t **output, size_t *output_len);
+
+/**
+ * Create a PSA key using prefined key data.
+ *
+ * Predefined key data is used to create the key and the choice of predefined
+ * key material is based on the combination of "key_type" and "key_bits".
+ *
+ * \param key_type Type of key to be created. For the time being only RSA and
+ * EC key types are supported.
+ * \param key_bits Length of the key (in bits).
+ * \param alg Algorithm to be associated with the key.
+ * \param alg2 Enrollment alogrithm to be associated with the key.
+ * \param usage_flags Usage flags to be associated with the key.
+ *
+ * \return On success the key ID of the created PSA key.
+ * On failure 0 is returned and the test is marked as failed.
+ */
+mbedtls_svc_key_id_t mbedtls_pk_helpers_make_psa_key_from_predefined(psa_key_type_t key_type,
+ psa_key_bits_t key_bits,
+ psa_algorithm_t alg,
+ psa_algorithm_t alg2,
+ psa_key_usage_t usage_flags);
+
+/**
+ * Populate the given PK context using "key_id" and the desired "method".
+ *
+ * \param pk The PK context to be populated; it must have been initialized.
+ * \param key_id The PSA key ID to be used to populate the PK context.
+ * \param method The desired method for populating the PK context. See
+ * "pk_context_populate_method_t" for available options.
+ *
+ * \return 0 on success.
+ * In case of failure -1 is returned and the test case is marked
+ * as failed.
+ */
+int mbedtls_pk_helpers_populate_context(mbedtls_pk_context *pk, mbedtls_svc_key_id_t key_id,
+ pk_context_populate_method_t method);
+
+#endif /* MBEDTLS_PK_C */
+
+#endif /* PK_HELPERS_H */
diff --git a/tests/src/pk_helpers.c b/tests/src/pk_helpers.c
new file mode 100644
index 0000000..dbdf144
--- /dev/null
+++ b/tests/src/pk_helpers.c
@@ -0,0 +1,136 @@
+/*
+ * Helper functions for PK.
+ * This is only for TF-PSA-Crypto 1.0 and above.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <mbedtls/pk.h>
+#include <test/macros.h>
+#include <test/helpers.h>
+#include <test/pk_helpers.h>
+#include <test/psa_helpers.h>
+#include <test/test_keys.h>
+#include "psa_util_internal.h"
+
+/* Functions like mbedtls_pk_wrap_psa() are only available in tf-psa-crypto and
+ * not in 3.6 LTS branch, so we need a guard for this. */
+#if TF_PSA_CRYPTO_VERSION_MAJOR >= 1
+
+#if defined(MBEDTLS_PK_C)
+
+typedef struct {
+ psa_key_type_t key_type;
+ psa_key_bits_t key_bits;
+ const uint8_t *key;
+ size_t key_len;
+} mbedtls_pk_helpers_predefined_key_t;
+
+#define EC_KEY(family_type, bits, array_base_name) \
+ { PSA_KEY_TYPE_ECC_KEY_PAIR(family_type), bits, \
+ array_base_name ## _priv, sizeof(array_base_name ## _priv) }, \
+ { PSA_KEY_TYPE_ECC_PUBLIC_KEY(family_type), bits, \
+ array_base_name ## _pub, sizeof(array_base_name ## _pub) }
+
+#define RSA_KEY(bits, array_base_name) \
+ { PSA_KEY_TYPE_RSA_KEY_PAIR, bits, \
+ array_base_name ## _priv, sizeof(array_base_name ## _priv) }, \
+ { PSA_KEY_TYPE_RSA_PUBLIC_KEY, bits, \
+ array_base_name ## _pub, sizeof(array_base_name ## _pub) }
+
+static mbedtls_pk_helpers_predefined_key_t predefined_keys_psa[] = {
+ EC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256, test_ec_bp256r1),
+ EC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384, test_ec_bp384r1),
+ EC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512, test_ec_bp512r1),
+
+ EC_KEY(PSA_ECC_FAMILY_MONTGOMERY, 255, test_ec_curve25519),
+ EC_KEY(PSA_ECC_FAMILY_MONTGOMERY, 448, test_ec_curve448),
+
+ EC_KEY(PSA_ECC_FAMILY_SECP_K1, 256, test_ec_secp256k1),
+
+ EC_KEY(PSA_ECC_FAMILY_SECP_R1, 256, test_ec_secp256r1),
+ EC_KEY(PSA_ECC_FAMILY_SECP_R1, 384, test_ec_secp384r1),
+ EC_KEY(PSA_ECC_FAMILY_SECP_R1, 521, test_ec_secp521r1),
+
+ RSA_KEY(1024, test_rsa_1024),
+ RSA_KEY(1026, test_rsa_1026),
+ RSA_KEY(1028, test_rsa_1028),
+ RSA_KEY(1030, test_rsa_1030),
+ RSA_KEY(1536, test_rsa_1536),
+ RSA_KEY(2048, test_rsa_2048),
+ RSA_KEY(4096, test_rsa_4096),
+};
+
+int mbedtls_pk_helpers_get_predefined_key_data(psa_key_type_t key_type, psa_key_bits_t key_bits,
+ const uint8_t **output, size_t *output_len)
+{
+ for (size_t i = 0; i < ARRAY_LENGTH(predefined_keys_psa); i++) {
+ if ((key_type == predefined_keys_psa[i].key_type) &&
+ (key_bits == predefined_keys_psa[i].key_bits)) {
+ *output = predefined_keys_psa[i].key;
+ *output_len = predefined_keys_psa[i].key_len;
+ return 0;
+ }
+ }
+
+ *output = NULL;
+ *output_len = 0;
+ TEST_FAIL("Predefined key not available");
+
+exit:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+}
+
+mbedtls_svc_key_id_t mbedtls_pk_helpers_make_psa_key_from_predefined(psa_key_type_t key_type,
+ psa_key_bits_t key_bits,
+ psa_algorithm_t alg,
+ psa_algorithm_t alg2,
+ psa_key_usage_t usage_flags)
+{
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
+ const uint8_t *key = NULL;
+ size_t key_len = 0;
+
+ mbedtls_pk_helpers_get_predefined_key_data(key_type, key_bits, &key, &key_len);
+
+ psa_set_key_type(&attr, key_type);
+ psa_set_key_usage_flags(&attr, usage_flags);
+ psa_set_key_algorithm(&attr, alg);
+ psa_set_key_enrollment_algorithm(&attr, alg2);
+ PSA_ASSERT(psa_import_key(&attr, key, key_len, &key_id));
+
+exit:
+ return key_id;
+}
+
+int mbedtls_pk_helpers_populate_context(mbedtls_pk_context *pk, mbedtls_svc_key_id_t key_id,
+ pk_context_populate_method_t method)
+{
+ int ret = -1;
+
+ switch (method) {
+ case TEST_PK_WRAP_PSA:
+ TEST_EQUAL(mbedtls_pk_wrap_psa(pk, key_id), 0);
+ break;
+ case TEST_PK_COPY_FROM_PSA:
+ TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, pk), 0);
+ break;
+ case TEST_PK_COPY_PUBLIC_FROM_PSA:
+ TEST_EQUAL(mbedtls_pk_copy_public_from_psa(key_id, pk), 0);
+ break;
+ default:
+ TEST_FAIL("Unknown population method");
+ }
+
+ ret = 0;
+
+exit:
+ return ret;
+}
+
+#endif /* MBEDTLS_PK_C */
+
+#endif /* !TF_PSA_CRYPTO_VERSION_MAJOR */
