@@ -596,49 +596,98 @@ Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_256), COPY_FROM_PSA, SIGALG_RSA
596596depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
597597pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_SHA256:0:0
598598
599+ # Ideally this is a negative test. When PK creates a context by copying it from PSA it assigns
600+ # PKCS v1.5 signature algorithm to it (no matter if the copied PSA key had PKCS v1.5 or PSS),
601+ # but here we're trying to do PSS so it's expected to fail.
602+ # It works only because the PK context is also given PSS algorithm as enrollment algorithm.
603+ Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PSS + MD_SHA256, OK
604+ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
605+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA256:0:0
606+
607+ # This is similar to the above, but in this case we're testing with SHA-384 instead of SHA-256. On top
608+ # of what has been explained above this works because the key in PK context is given an ANY_HASH policy.
609+ Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PSS + MD_SHA384, OK
610+ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
611+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA384:0:0
612+
613+ Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PKCS1V15 + MD_NONE, No MD
614+ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
615+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_NONE:PSA_ERROR_INVALID_ARGUMENT:0
616+
617+ # This is a positive testing. The fact that verification fails is expected because the feature
618+ # is not implemented for wrapped RSA keys.
599619Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_256), WRAP_PSA, SIGALG_RSA_PKCS1V15 + MD_SHA256, OK
600620depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
601621pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_SHA256:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
602622
623+ Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_256), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA256, Wrong sigalg
624+ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
625+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA256:PSA_ERROR_INVALID_ARGUMENT:0
626+
627+ # This works because the copied PK context is given a PKCS v1.5 algorithm
628+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PKCS1V15 + MD_SHA256, OK
629+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
630+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_SHA256:0:0
631+
632+ # Ideally this is a negative test. When PK creates a context by copying it from PSA it assigns
633+ # PKCS v1.5 signature algorithm to it (no matter if the copied PSA key had PKCS v1.5 or PSS),
634+ # but here we're trying to do PSS so it's expected to fail.
635+ # It works only because the PK context is also given PSS algorithm as enrollment algorithm.
603636Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PSS + MD_SHA256, OK
604637depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
605638pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA256:0:0
606639
640+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PSS + MD_SHA384, OK
641+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
642+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA384:0:0
643+
644+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PSS + MD_NONE, No MD
645+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
646+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_NONE:MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:0
647+
648+ # This is a positive testing. The fact that verification fails is expected because the feature
649+ # is not implemented for wrapped RSA keys.
607650Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA256, OK
608651depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
609652pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA256:0:MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
610653
611- Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_384), COPY_FROM_PSA, SIGALG_RSA_PKCS1V15 + MD_SHA384, OK
612- depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
613- pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_SHA384:0:0
654+ # This works only because by passing MBEDTLS_PK_SIGALG_RSA_PKCS1V15 to pk_sign_ext(), we're actually
655+ # falling back to pk_sign() and in that case we use the same algorithm which is associated to the
656+ # key in PK context. So this should ideally be a negative test, but turns out to be OK.
657+ #
658+ # Note: The fact that verification fails is expected because the feature
659+ # is not implemented for wrapped RSA keys.
660+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256), WRAP_PSA, SIGALG_RSA_PKCS1V15 + MD_SHA256, OK
661+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
662+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_SHA256:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
614663
615- Sign_ext/verify_ext: RSA2048 + PKCS1V15_SIGN(SHA_384 ), WRAP_PSA, SIGALG_RSA_PKCS1V15 + MD_SHA384, OK
616- depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_384 :PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
617- pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384 ):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PKCS1V15:MBEDTLS_MD_SHA384:0:MBEDTLS_ERR_PK_TYPE_MISMATCH
664+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256 ), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA256, No MD
665+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256 :PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
666+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256 ):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_NONE:PSA_ERROR_INVALID_ARGUMENT:0
618667
619- Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_384 ), COPY_FROM_PSA , SIGALG_RSA_PSS + MD_SHA384, OK
620- depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384 :PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
621- pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_384):TEST_PK_COPY_FROM_PSA :MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA384:0 :0
668+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_256 ), WRAP_PSA , SIGALG_RSA_PSS + MD_SHA384, Wrong MD
669+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256 :PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
670+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA :MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA384:PSA_ERROR_INVALID_ARGUMENT :0
622671
623- Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_384), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA384, OK
624- depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384 :PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
672+ Sign_ext/verify_ext: RSA2048 + PSS_ANY_SALT(SHA_384), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA384, Wrong MD
673+ depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256 :PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
625674pk_sign_ext_verify_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_384):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA384:0:MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
626675
627676Sign_ext/verify_ext: SECP256R1 + ECDSA(SHA_256), COPY_FROM_PSA, SIGALG_ECDSA + MD_SHA256, OK
628677depends_on:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
629678pk_sign_ext_verify_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_ECDSA:MBEDTLS_MD_SHA256:0:0
630679
680+ Sign_ext/verify_ext: SECP256R1 + ECDSA(SHA_256), COPY_FROM_PSA, SIGALG_RSA_PSS + MD_SHA256, OK
681+ depends_on:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
682+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_ERR_PK_TYPE_MISMATCH:0
683+
631684Sign_ext/verify_ext: SECP256R1 + ECDSA(SHA_256), WRAP_PSA, SIGALG_ECDSA + MD_SHA256, OK
632685depends_on:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
633686pk_sign_ext_verify_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_ECDSA:MBEDTLS_MD_SHA256:0:0
634687
635- Sign_ext/verify_ext: SECP384R1 + ECDSA(SHA_384), COPY_FROM_PSA, SIGALG_ECDSA + MD_SHA384, OK
636- depends_on:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_384
637- pk_sign_ext_verify_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384):TEST_PK_COPY_FROM_PSA:MBEDTLS_PK_SIGALG_ECDSA:MBEDTLS_MD_SHA384:0:0
638-
639- Sign_ext/verify_ext: SECP384R1 + ECDSA(SHA_384), WRAP_PSA, SIGALG_ECDSA + MD_SHA384, OK
640- depends_on:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_384
641- pk_sign_ext_verify_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_384):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_ECDSA:MBEDTLS_MD_SHA384:0:0
688+ Sign_ext/verify_ext: SECP256R1 + ECDSA(SHA_256), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA256, OK
689+ depends_on:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
690+ pk_sign_ext_verify_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:MBEDTLS_PK_ALG_ECDSA(PSA_ALG_SHA_256):TEST_PK_WRAP_PSA:MBEDTLS_PK_SIGALG_RSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_ERR_PK_TYPE_MISMATCH:0
642691
643692PSA attributes for pk: NONE (bad)
644693pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_BAD_INPUT_DATA
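Review bot: The case retitled `RSA2048 + PSS_ANY_SALT(SHA_384), WRAP_PSA, SIGALG_RSA_PSS + MD_SHA384, Wrong MD` no longer agrees with its own data line. The unchanged `pk_sign_ext_verify_ext` line still creates the key with `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_384)`, signs with `MBEDTLS_MD_SHA384` and expects sign to return `0`, so the hash matches the key policy, yet the new `depends_on` replaces `PSA_WANT_ALG_SHA_384` with `PSA_WANT_ALG_SHA_256`. Either keep `depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC` with the `OK` title, or change the data line so that it really exercises a mismatched hash. The two `COPY_FROM_PSA ... SIGALG_RSA_PSS + MD_SHA384` cases presumably need `PSA_WANT_ALG_SHA_384` in their dependencies as well. Several titles also contradict the expected results: both `SECP256R1 ... SIGALG_RSA_PSS + MD_SHA256, OK` cases expect `MBEDTLS_ERR_PK_TYPE_MISMATCH` from sign, and the `WRAP_PSA, SIGALG_RSA_PSS + MD_SHA256, No MD` case passes `MBEDTLS_MD_NONE`. Because these cases pin which scheme and hash combinations a key policy accepts, a mislabelled one can hide a policy regression.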