• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1/* BEGIN_HEADER */
2#include "mbedtls/pk.h"
3
4/* For error codes */
5#include "mbedtls/asn1.h"
6#include "mbedtls/base64.h"
7#include "mbedtls/ecp.h"
8#include "mbedtls/rsa.h"
9
10#include "hash_info.h"
11#include "mbedtls/legacy_or_psa.h"
12
13#include <limits.h>
14#include <stdint.h>
15
16/* Needed only for test case data under #if defined(MBEDTLS_USE_PSA_CRYPTO),
17 * but the test code generator requires test case data to be valid C code
18 * unconditionally (https://github.com/Mbed-TLS/mbedtls/issues/2023). */
19#include "psa/crypto.h"
20
21#define RSA_KEY_SIZE 512
22#define RSA_KEY_LEN   64
23
24/** Generate a key of the desired type.
25 *
26 * \param pk        The PK object to fill. It must have been initialized
27 *                  with mbedtls_pk_setup().
28 * \param parameter - For RSA keys, the key size in bits.
29 *                  - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx).
30 *
31 * \return          The status from the underlying type-specific key
32 *                  generation function.
33 * \return          -1 if the key type is not recognized.
34 */
35static int pk_genkey(mbedtls_pk_context *pk, int parameter)
36{
37    ((void) pk);
38    (void) parameter;
39
40#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
41    if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
42        return mbedtls_rsa_gen_key(mbedtls_pk_rsa(*pk),
43                                   mbedtls_test_rnd_std_rand, NULL,
44                                   parameter, 3);
45    }
46#endif
47#if defined(MBEDTLS_ECP_C)
48    if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY ||
49        mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH ||
50        mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) {
51        int ret;
52        if ((ret = mbedtls_ecp_group_load(&mbedtls_pk_ec(*pk)->grp,
53                                          parameter)) != 0) {
54            return ret;
55        }
56
57        return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec(*pk)->grp,
58                                       &mbedtls_pk_ec(*pk)->d,
59                                       &mbedtls_pk_ec(*pk)->Q,
60                                       mbedtls_test_rnd_std_rand, NULL);
61    }
62#endif
63    return -1;
64}
65
66#if defined(MBEDTLS_RSA_C)
67int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
68                             const unsigned char *input, unsigned char *output,
69                             size_t output_max_len)
70{
71    return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx,
72                                     mbedtls_test_rnd_std_rand, NULL,
73                                     olen, input, output, output_max_len);
74}
75int mbedtls_rsa_sign_func(void *ctx,
76                          int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
77                          mbedtls_md_type_t md_alg, unsigned int hashlen,
78                          const unsigned char *hash, unsigned char *sig)
79{
80    ((void) f_rng);
81    ((void) p_rng);
82    return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx,
83                                  mbedtls_test_rnd_std_rand, NULL,
84                                  md_alg, hashlen, hash, sig);
85}
86size_t mbedtls_rsa_key_len_func(void *ctx)
87{
88    return ((const mbedtls_rsa_context *) ctx)->len;
89}
90#endif /* MBEDTLS_RSA_C */
91
92#if defined(MBEDTLS_USE_PSA_CRYPTO)
93
94/*
95 * Generate an ECC key using PSA and return the key identifier of that key,
96 * or 0 if the key generation failed.
97 * The key uses NIST P-256 and is usable for signing with SHA-256.
98 */
99mbedtls_svc_key_id_t pk_psa_genkey_ecc(void)
100{
101    mbedtls_svc_key_id_t key;
102    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
103    const psa_key_type_t type =
104        PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
105    const size_t bits = 256;
106
107    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
108    psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
109    psa_set_key_type(&attributes, type);
110    psa_set_key_bits(&attributes, bits);
111    PSA_ASSERT(psa_generate_key(&attributes, &key));
112
113exit:
114    return key;
115}
116
117/*
118 * Generate an RSA key using PSA and return the key identifier of that key,
119 * or 0 if the key generation failed.
120 */
121mbedtls_svc_key_id_t pk_psa_genkey_rsa(void)
122{
123    mbedtls_svc_key_id_t key;
124    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
125    const psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR;
126    const size_t bits = 1024;
127
128    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
129    psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_SIGN_RAW);
130    psa_set_key_type(&attributes, type);
131    psa_set_key_bits(&attributes, bits);
132    PSA_ASSERT(psa_generate_key(&attributes, &key));
133
134exit:
135    return key;
136}
137#endif /* MBEDTLS_USE_PSA_CRYPTO */
138/* END_HEADER */
139
140/* BEGIN_DEPENDENCIES
141 * depends_on:MBEDTLS_PK_C
142 * END_DEPENDENCIES
143 */
144
145/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
146void pk_psa_utils(int key_is_rsa)
147{
148    mbedtls_pk_context pk, pk2;
149    mbedtls_svc_key_id_t key;
150    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
151
152    const char * const name = "Opaque";
153    size_t bitlen;
154
155    mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
156    unsigned char b1[1], b2[1];
157    size_t len;
158    mbedtls_pk_debug_item dbg;
159
160    PSA_ASSERT(psa_crypto_init());
161
162    mbedtls_pk_init(&pk);
163    mbedtls_pk_init(&pk2);
164
165    TEST_ASSERT(psa_crypto_init() == PSA_SUCCESS);
166
167    TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, MBEDTLS_SVC_KEY_ID_INIT) ==
168                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
169
170    mbedtls_pk_free(&pk);
171    mbedtls_pk_init(&pk);
172
173    if (key_is_rsa) {
174        bitlen = 1024; /* hardcoded in genkey() */
175        key = pk_psa_genkey_rsa();
176    } else {
177        bitlen = 256; /* hardcoded in genkey() */
178        key = pk_psa_genkey_ecc();
179    }
180    if (mbedtls_svc_key_id_is_null(key)) {
181        goto exit;
182    }
183
184    TEST_ASSERT(mbedtls_pk_setup_opaque(&pk, key) == 0);
185
186    TEST_ASSERT(mbedtls_pk_get_type(&pk) == MBEDTLS_PK_OPAQUE);
187    TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0);
188
189    TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == bitlen);
190    TEST_ASSERT(mbedtls_pk_get_len(&pk) == bitlen / 8);
191
192    if (key_is_rsa) {
193        TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 0);
194        TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA) == 0);
195        TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA) == 1);
196    } else {
197        TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECKEY) == 1);
198        TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA) == 1);
199        TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA) == 0);
200    }
201
202    /* unsupported operations: verify, decrypt, encrypt */
203    TEST_ASSERT(mbedtls_pk_verify(&pk, md_alg,
204                                  b1, sizeof(b1), b2, sizeof(b2))
205                == MBEDTLS_ERR_PK_TYPE_MISMATCH);
206    if (key_is_rsa == 0) {
207        TEST_ASSERT(mbedtls_pk_decrypt(&pk, b1, sizeof(b1),
208                                       b2, &len, sizeof(b2),
209                                       NULL, NULL)
210                    == MBEDTLS_ERR_PK_TYPE_MISMATCH);
211    }
212    TEST_ASSERT(mbedtls_pk_encrypt(&pk, b1, sizeof(b1),
213                                   b2, &len, sizeof(b2),
214                                   NULL, NULL)
215                == MBEDTLS_ERR_PK_TYPE_MISMATCH);
216
217    /* unsupported functions: check_pair, debug */
218    if (key_is_rsa) {
219        TEST_ASSERT(mbedtls_pk_setup(&pk2,
220                                     mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
221    } else {
222        TEST_ASSERT(mbedtls_pk_setup(&pk2,
223                                     mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
224    }
225    TEST_ASSERT(mbedtls_pk_check_pair(&pk, &pk2,
226                                      mbedtls_test_rnd_std_rand, NULL)
227                == MBEDTLS_ERR_PK_TYPE_MISMATCH);
228    TEST_ASSERT(mbedtls_pk_debug(&pk, &dbg)
229                == MBEDTLS_ERR_PK_TYPE_MISMATCH);
230
231    /* test that freeing the context does not destroy the key */
232    mbedtls_pk_free(&pk);
233    TEST_ASSERT(PSA_SUCCESS == psa_get_key_attributes(key, &attributes));
234    TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key));
235
236exit:
237    /*
238     * Key attributes may have been returned by psa_get_key_attributes()
239     * thus reset them as required.
240     */
241    psa_reset_key_attributes(&attributes);
242
243    mbedtls_pk_free(&pk);   /* redundant except upon error */
244    mbedtls_pk_free(&pk2);
245    USE_PSA_DONE();
246}
247/* END_CASE */
248
249/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
250void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
251                   int key_alg2, int parameter, int alg_check, int usage_check,
252                   int result)
253{
254    mbedtls_pk_context pk;
255    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
256    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
257
258    PSA_ASSERT(psa_crypto_init());
259
260    mbedtls_pk_init(&pk);
261
262    if (opaque_key == 1) {
263        psa_set_key_usage_flags(&attributes, key_usage);
264        psa_set_key_algorithm(&attributes, key_alg);
265        if (key_alg2 != 0) {
266            psa_set_key_enrollment_algorithm(&attributes, key_alg2);
267        }
268        psa_set_key_type(&attributes, key_type);
269        psa_set_key_bits(&attributes, parameter);
270
271        PSA_ASSERT(psa_generate_key(&attributes, &key));
272
273        if (mbedtls_svc_key_id_is_null(key)) {
274            goto exit;
275        }
276
277        TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key), 0);
278
279        TEST_EQUAL(mbedtls_pk_get_type(&pk), MBEDTLS_PK_OPAQUE);
280    } else {
281        TEST_EQUAL(mbedtls_pk_setup(&pk,
282                                    mbedtls_pk_info_from_type(key_type)), 0);
283        TEST_EQUAL(pk_genkey(&pk, parameter), 0);
284        TEST_EQUAL(mbedtls_pk_get_type(&pk), key_type);
285    }
286
287    TEST_EQUAL(mbedtls_pk_can_do_ext(&pk, alg_check, usage_check), result);
288
289exit:
290    psa_reset_key_attributes(&attributes);
291    PSA_ASSERT(psa_destroy_key(key));
292    mbedtls_pk_free(&pk);
293    USE_PSA_DONE();
294}
295/* END_CASE */
296
297/* BEGIN_CASE */
298void pk_invalid_param()
299{
300    mbedtls_pk_context ctx;
301    mbedtls_pk_type_t pk_type = 0;
302    unsigned char buf[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
303    size_t buf_size = sizeof(buf);
304
305    mbedtls_pk_init(&ctx);
306
307    TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
308               mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_NONE,
309                                             NULL, buf_size,
310                                             buf, buf_size,
311                                             NULL));
312    TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
313               mbedtls_pk_verify_restartable(&ctx, MBEDTLS_MD_SHA256,
314                                             NULL, 0,
315                                             buf, buf_size,
316                                             NULL));
317    TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
318               mbedtls_pk_verify_ext(pk_type, NULL,
319                                     &ctx, MBEDTLS_MD_NONE,
320                                     NULL, buf_size,
321                                     buf, buf_size));
322    TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
323               mbedtls_pk_verify_ext(pk_type, NULL,
324                                     &ctx, MBEDTLS_MD_SHA256,
325                                     NULL, 0,
326                                     buf, buf_size));
327    TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
328               mbedtls_pk_sign_restartable(&ctx, MBEDTLS_MD_NONE,
329                                           NULL, buf_size,
330                                           buf, buf_size, &buf_size,
331                                           NULL, NULL,
332                                           NULL));
333    TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
334               mbedtls_pk_sign_restartable(&ctx, MBEDTLS_MD_SHA256,
335                                           NULL, 0,
336                                           buf, buf_size, &buf_size,
337                                           NULL, NULL,
338                                           NULL));
339exit:
340    mbedtls_pk_free(&ctx);
341}
342/* END_CASE */
343
344/* BEGIN_CASE */
345void valid_parameters()
346{
347    mbedtls_pk_context pk;
348    unsigned char buf[1];
349    size_t len;
350    void *options = NULL;
351
352    mbedtls_pk_init(&pk);
353
354    TEST_ASSERT(mbedtls_pk_setup(&pk, NULL) ==
355                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
356
357    /* In informational functions, we accept NULL where a context pointer
358     * is expected because that's what the library has done forever.
359     * We do not document that NULL is accepted, so we may wish to change
360     * the behavior in a future version. */
361    TEST_ASSERT(mbedtls_pk_get_bitlen(NULL) == 0);
362    TEST_ASSERT(mbedtls_pk_get_len(NULL) == 0);
363    TEST_ASSERT(mbedtls_pk_can_do(NULL, MBEDTLS_PK_NONE) == 0);
364
365    TEST_ASSERT(mbedtls_pk_sign_restartable(&pk,
366                                            MBEDTLS_MD_NONE,
367                                            NULL, 0,
368                                            buf, sizeof(buf), &len,
369                                            mbedtls_test_rnd_std_rand, NULL,
370                                            NULL) ==
371                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
372
373    TEST_ASSERT(mbedtls_pk_sign_restartable(&pk,
374                                            MBEDTLS_MD_NONE,
375                                            NULL, 0,
376                                            buf, sizeof(buf), &len,
377                                            mbedtls_test_rnd_std_rand, NULL,
378                                            NULL) ==
379                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
380
381    TEST_ASSERT(mbedtls_pk_sign(&pk,
382                                MBEDTLS_MD_NONE,
383                                NULL, 0,
384                                buf, sizeof(buf), &len,
385                                mbedtls_test_rnd_std_rand, NULL) ==
386                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
387
388    TEST_ASSERT(mbedtls_pk_verify_restartable(&pk,
389                                              MBEDTLS_MD_NONE,
390                                              NULL, 0,
391                                              buf, sizeof(buf),
392                                              NULL) ==
393                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
394
395    TEST_ASSERT(mbedtls_pk_verify(&pk,
396                                  MBEDTLS_MD_NONE,
397                                  NULL, 0,
398                                  buf, sizeof(buf)) ==
399                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
400
401    TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_NONE, options,
402                                      &pk,
403                                      MBEDTLS_MD_NONE,
404                                      NULL, 0,
405                                      buf, sizeof(buf)) ==
406                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
407
408    TEST_ASSERT(mbedtls_pk_encrypt(&pk,
409                                   NULL, 0,
410                                   NULL, &len, 0,
411                                   mbedtls_test_rnd_std_rand, NULL) ==
412                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
413
414    TEST_ASSERT(mbedtls_pk_decrypt(&pk,
415                                   NULL, 0,
416                                   NULL, &len, 0,
417                                   mbedtls_test_rnd_std_rand, NULL) ==
418                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
419
420#if defined(MBEDTLS_PK_PARSE_C)
421    TEST_ASSERT(mbedtls_pk_parse_key(&pk, NULL, 0, NULL, 1,
422                                     mbedtls_test_rnd_std_rand, NULL) ==
423                MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
424
425    TEST_ASSERT(mbedtls_pk_parse_public_key(&pk, NULL, 0) ==
426                MBEDTLS_ERR_PK_KEY_INVALID_FORMAT);
427#endif /* MBEDTLS_PK_PARSE_C */
428}
429/* END_CASE */
430
431/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C */
432void valid_parameters_pkwrite(data_t *key_data)
433{
434    mbedtls_pk_context pk;
435
436    /* For the write tests to be effective, we need a valid key pair. */
437    mbedtls_pk_init(&pk);
438    TEST_ASSERT(mbedtls_pk_parse_key(&pk,
439                                     key_data->x, key_data->len, NULL, 0,
440                                     mbedtls_test_rnd_std_rand, NULL) == 0);
441
442    TEST_ASSERT(mbedtls_pk_write_key_der(&pk, NULL, 0) ==
443                MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
444
445    TEST_ASSERT(mbedtls_pk_write_pubkey_der(&pk, NULL, 0) ==
446                MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
447
448#if defined(MBEDTLS_PEM_WRITE_C)
449    TEST_ASSERT(mbedtls_pk_write_key_pem(&pk, NULL, 0) ==
450                MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL);
451
452    TEST_ASSERT(mbedtls_pk_write_pubkey_pem(&pk, NULL, 0) ==
453                MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL);
454#endif /* MBEDTLS_PEM_WRITE_C */
455
456exit:
457    mbedtls_pk_free(&pk);
458}
459/* END_CASE */
460
461/* BEGIN_CASE */
462void pk_utils(int type, int parameter, int bitlen, int len, char *name)
463{
464    mbedtls_pk_context pk;
465
466    mbedtls_pk_init(&pk);
467
468    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
469    TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
470
471    TEST_ASSERT((int) mbedtls_pk_get_type(&pk) == type);
472    TEST_ASSERT(mbedtls_pk_can_do(&pk, type));
473    TEST_ASSERT(mbedtls_pk_get_bitlen(&pk) == (unsigned) bitlen);
474    TEST_ASSERT(mbedtls_pk_get_len(&pk) == (unsigned) len);
475    TEST_ASSERT(strcmp(mbedtls_pk_get_name(&pk), name) == 0);
476
477exit:
478    mbedtls_pk_free(&pk);
479}
480/* END_CASE */
481
482/* BEGIN_CASE depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_FS_IO */
483void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
484{
485    mbedtls_pk_context pub, prv, alt;
486
487    USE_PSA_INIT();
488
489    mbedtls_pk_init(&pub);
490    mbedtls_pk_init(&prv);
491    mbedtls_pk_init(&alt);
492
493    TEST_ASSERT(mbedtls_pk_parse_public_keyfile(&pub, pub_file) == 0);
494    TEST_ASSERT(mbedtls_pk_parse_keyfile(&prv, prv_file, NULL,
495                                         mbedtls_test_rnd_std_rand, NULL)
496                == 0);
497
498    TEST_ASSERT(mbedtls_pk_check_pair(&pub, &prv,
499                                      mbedtls_test_rnd_std_rand, NULL)
500                == ret);
501
502#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
503    if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_RSA) {
504        TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&alt, mbedtls_pk_rsa(prv),
505                                             mbedtls_rsa_decrypt_func, mbedtls_rsa_sign_func,
506                                             mbedtls_rsa_key_len_func) == 0);
507        TEST_ASSERT(mbedtls_pk_check_pair(&pub, &alt,
508                                          mbedtls_test_rnd_std_rand, NULL)
509                    == ret);
510    }
511#endif
512
513    mbedtls_pk_free(&pub);
514    mbedtls_pk_free(&prv);
515    mbedtls_pk_free(&alt);
516    USE_PSA_DONE();
517}
518/* END_CASE */
519
520/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
521void pk_rsa_verify_test_vec(data_t *message_str, int digest, int mod,
522                            char *input_N, char *input_E,
523                            data_t *result_str, int result)
524{
525    mbedtls_rsa_context *rsa;
526    mbedtls_pk_context pk;
527    mbedtls_pk_restart_ctx *rs_ctx = NULL;
528#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
529    mbedtls_pk_restart_ctx ctx;
530
531    rs_ctx = &ctx;
532    mbedtls_pk_restart_init(rs_ctx);
533    // this setting would ensure restart would happen if ECC was used
534    mbedtls_ecp_set_max_ops(1);
535#endif
536
537    USE_PSA_INIT();
538
539    mbedtls_pk_init(&pk);
540
541
542    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
543    rsa = mbedtls_pk_rsa(pk);
544
545    rsa->len = mod / 8;
546    TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0);
547    TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0);
548
549    TEST_ASSERT(mbedtls_pk_verify(&pk, digest, message_str->x, 0,
550                                  result_str->x, mbedtls_pk_get_len(&pk)) == result);
551
552    TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, digest, message_str->x, 0,
553                                              result_str->x, mbedtls_pk_get_len(
554                                                  &pk), rs_ctx) == result);
555
556exit:
557#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
558    mbedtls_pk_restart_free(rs_ctx);
559#endif
560    mbedtls_pk_free(&pk);
561    USE_PSA_DONE();
562}
563/* END_CASE */
564
565/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
566void pk_rsa_verify_ext_test_vec(data_t *message_str, int digest,
567                                int mod, char *input_N,
568                                char *input_E, data_t *result_str,
569                                int pk_type, int mgf1_hash_id,
570                                int salt_len, int sig_len,
571                                int result)
572{
573    mbedtls_rsa_context *rsa;
574    mbedtls_pk_context pk;
575    mbedtls_pk_rsassa_pss_options pss_opts;
576    void *options;
577    int ret;
578
579    USE_PSA_INIT();
580    mbedtls_pk_init(&pk);
581
582    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
583    rsa = mbedtls_pk_rsa(pk);
584
585    rsa->len = mod / 8;
586    TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0);
587    TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0);
588
589
590    if (mgf1_hash_id < 0) {
591        options = NULL;
592    } else {
593        options = &pss_opts;
594
595        pss_opts.mgf1_hash_id = mgf1_hash_id;
596        pss_opts.expected_salt_len = salt_len;
597    }
598
599    ret = mbedtls_pk_verify_ext(pk_type, options, &pk,
600                                digest, message_str->x, message_str->len,
601                                result_str->x, sig_len);
602
603#if defined(MBEDTLS_USE_PSA_CRYPTO)
604    if (result == MBEDTLS_ERR_RSA_INVALID_PADDING) {
605        /* Mbed TLS distinguishes "invalid padding" from "valid padding but
606         * the rest of the signature is invalid". This has little use in
607         * practice and PSA doesn't report this distinction.
608         * In this case, PSA returns PSA_ERROR_INVALID_SIGNATURE translated
609         * to MBEDTLS_ERR_RSA_VERIFY_FAILED.
610         * However, currently `mbedtls_pk_verify_ext()` may use either the
611         * PSA or the Mbed TLS API, depending on the PSS options used.
612         * So, it may return either INVALID_PADDING or INVALID_SIGNATURE.
613         */
614        TEST_ASSERT(ret == result || ret == MBEDTLS_ERR_RSA_VERIFY_FAILED);
615    } else
616#endif
617    {
618        TEST_EQUAL(ret, result);
619    }
620
621exit:
622    mbedtls_pk_free(&pk);
623    USE_PSA_DONE();
624}
625/* END_CASE */
626
627/* BEGIN_CASE depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY */
628void pk_ec_test_vec(int type, int id, data_t *key, data_t *hash,
629                    data_t *sig, int ret)
630{
631    mbedtls_pk_context pk;
632    mbedtls_ecp_keypair *eckey;
633
634    mbedtls_pk_init(&pk);
635    USE_PSA_INIT();
636
637    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
638
639    TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA));
640    eckey = mbedtls_pk_ec(pk);
641
642    TEST_ASSERT(mbedtls_ecp_group_load(&eckey->grp, id) == 0);
643    TEST_ASSERT(mbedtls_ecp_point_read_binary(&eckey->grp, &eckey->Q,
644                                              key->x, key->len) == 0);
645
646    // MBEDTLS_MD_NONE is used since it will be ignored.
647    TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE,
648                                  hash->x, hash->len, sig->x, sig->len) == ret);
649
650exit:
651    mbedtls_pk_free(&pk);
652    USE_PSA_DONE();
653}
654/* END_CASE */
655
656/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC */
657void pk_sign_verify_restart(int pk_type, int grp_id, char *d_str,
658                            char *QX_str, char *QY_str,
659                            int md_alg, data_t *hash, data_t *sig_check,
660                            int max_ops, int min_restart, int max_restart)
661{
662    int ret, cnt_restart;
663    mbedtls_pk_restart_ctx rs_ctx;
664    mbedtls_pk_context prv, pub;
665    unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
666    size_t slen;
667
668    USE_PSA_INIT();
669
670    mbedtls_pk_restart_init(&rs_ctx);
671    mbedtls_pk_init(&prv);
672    mbedtls_pk_init(&pub);
673    memset(sig, 0, sizeof(sig));
674
675    TEST_ASSERT(mbedtls_pk_setup(&prv, mbedtls_pk_info_from_type(pk_type)) == 0);
676    TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec(prv)->grp, grp_id) == 0);
677    TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec(prv)->d, d_str) == 0);
678
679    TEST_ASSERT(mbedtls_pk_setup(&pub, mbedtls_pk_info_from_type(pk_type)) == 0);
680    TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec(pub)->grp, grp_id) == 0);
681    TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec(pub)->Q, 16, QX_str, QY_str) == 0);
682
683    mbedtls_ecp_set_max_ops(max_ops);
684
685    slen = sizeof(sig);
686    cnt_restart = 0;
687    do {
688        ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len,
689                                          sig, sizeof(sig), &slen,
690                                          mbedtls_test_rnd_std_rand, NULL,
691                                          &rs_ctx);
692    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart);
693
694    TEST_ASSERT(ret == 0);
695    TEST_ASSERT(slen == sig_check->len);
696    TEST_ASSERT(memcmp(sig, sig_check->x, slen) == 0);
697
698    TEST_ASSERT(cnt_restart >= min_restart);
699    TEST_ASSERT(cnt_restart <= max_restart);
700
701    cnt_restart = 0;
702    do {
703        ret = mbedtls_pk_verify_restartable(&pub, md_alg,
704                                            hash->x, hash->len, sig, slen, &rs_ctx);
705    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart);
706
707    TEST_ASSERT(ret == 0);
708    TEST_ASSERT(cnt_restart >= min_restart);
709    TEST_ASSERT(cnt_restart <= max_restart);
710
711    sig[0]++;
712    do {
713        ret = mbedtls_pk_verify_restartable(&pub, md_alg,
714                                            hash->x, hash->len, sig, slen, &rs_ctx);
715    } while (ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
716    TEST_ASSERT(ret != 0);
717    sig[0]--;
718
719    /* Do we leak memory when aborting? try verify then sign
720     * This test only makes sense when we actually restart */
721    if (min_restart > 0) {
722        ret = mbedtls_pk_verify_restartable(&pub, md_alg,
723                                            hash->x, hash->len, sig, slen, &rs_ctx);
724        TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
725        mbedtls_pk_restart_free(&rs_ctx);
726
727        slen = sizeof(sig);
728        ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len,
729                                          sig, sizeof(sig), &slen,
730                                          mbedtls_test_rnd_std_rand, NULL,
731                                          &rs_ctx);
732        TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
733    }
734
735exit:
736    mbedtls_pk_restart_free(&rs_ctx);
737    mbedtls_pk_free(&prv);
738    mbedtls_pk_free(&pub);
739    USE_PSA_DONE();
740}
741/* END_CASE */
742
743/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
744void pk_sign_verify(int type, int parameter, int sign_ret, int verify_ret)
745{
746    mbedtls_pk_context pk;
747    size_t sig_len;
748    unsigned char hash[32]; // Hard-coded for SHA256
749    size_t hash_len = sizeof(hash);
750    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
751    void *rs_ctx = NULL;
752#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
753    mbedtls_pk_restart_ctx ctx;
754
755    rs_ctx = &ctx;
756    mbedtls_pk_restart_init(rs_ctx);
757    /* This value is large enough that the operation will complete in one run.
758     * See comments at the top of ecp_test_vect_restart in
759     * test_suite_ecp.function for estimates of operation counts. */
760    mbedtls_ecp_set_max_ops(42000);
761#endif
762
763    mbedtls_pk_init(&pk);
764    USE_PSA_INIT();
765
766    memset(hash, 0x2a, sizeof(hash));
767    memset(sig, 0, sizeof(sig));
768
769    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
770    TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
771
772    TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256,
773                                            hash, hash_len,
774                                            sig, sizeof(sig), &sig_len,
775                                            mbedtls_test_rnd_std_rand, NULL,
776                                            rs_ctx) == sign_ret);
777    if (sign_ret == 0) {
778        TEST_ASSERT(sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE);
779    } else {
780        sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE;
781    }
782
783    TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
784                                  hash, hash_len, sig, sig_len) == verify_ret);
785
786    if (verify_ret == 0) {
787        hash[0]++;
788        TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
789                                      hash, hash_len, sig, sig_len) != 0);
790        hash[0]--;
791
792        sig[0]++;
793        TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
794                                      hash, hash_len, sig, sig_len) != 0);
795        sig[0]--;
796    }
797
798    TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, hash_len,
799                                sig, sizeof(sig), &sig_len,
800                                mbedtls_test_rnd_std_rand,
801                                NULL) == sign_ret);
802    if (sign_ret == 0) {
803        TEST_ASSERT(sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE);
804    } else {
805        sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE;
806    }
807
808    TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256,
809                                              hash, hash_len, sig, sig_len, rs_ctx) == verify_ret);
810
811    if (verify_ret == 0) {
812        hash[0]++;
813        TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256,
814                                                  hash, sizeof(hash), sig, sig_len, rs_ctx) != 0);
815        hash[0]--;
816
817        sig[0]++;
818        TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256,
819                                                  hash, sizeof(hash), sig, sig_len, rs_ctx) != 0);
820        sig[0]--;
821    }
822
823exit:
824#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
825    mbedtls_pk_restart_free(rs_ctx);
826#endif
827    mbedtls_pk_free(&pk);
828    USE_PSA_DONE();
829}
830/* END_CASE */
831
832/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
833void pk_rsa_encrypt_decrypt_test(data_t *message, int mod,
834                                 char *input_P, char *input_Q,
835                                 char *input_N, char *input_E,
836                                 int ret)
837{
838    unsigned char output[300], result[300];
839    mbedtls_test_rnd_pseudo_info rnd_info;
840    mbedtls_mpi N, P, Q, E;
841    mbedtls_rsa_context *rsa;
842    mbedtls_pk_context pk;
843    size_t olen, rlen;
844
845    mbedtls_pk_init(&pk);
846    mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
847    mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
848
849    memset(&rnd_info,  0, sizeof(mbedtls_test_rnd_pseudo_info));
850    memset(output,     0, sizeof(output));
851
852    USE_PSA_INIT();
853
854    /* encryption test */
855
856    /* init pk-rsa context */
857    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
858    rsa = mbedtls_pk_rsa(pk);
859
860    /* load public key */
861    rsa->len = mod / 8;
862    TEST_ASSERT(mbedtls_test_read_mpi(&rsa->N, input_N) == 0);
863    TEST_ASSERT(mbedtls_test_read_mpi(&rsa->E, input_E) == 0);
864
865    TEST_ASSERT(mbedtls_pk_encrypt(&pk, message->x, message->len,
866                                   output, &olen, sizeof(output),
867                                   mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);
868
869    /* decryption test */
870    mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
871    mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
872
873    /* init pk-rsa context */
874    mbedtls_pk_free(&pk);
875    TEST_ASSERT(mbedtls_pk_setup(&pk,
876                                 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
877    rsa = mbedtls_pk_rsa(pk);
878
879    /* load public key */
880    TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
881    TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
882
883    /* load private key */
884    TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
885    TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
886    TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0);
887    TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8));
888    TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0);
889
890    memset(result, 0, sizeof(result));
891    rlen = 0;
892    TEST_ASSERT(mbedtls_pk_decrypt(&pk, output, olen,
893                                   result, &rlen, sizeof(result),
894                                   mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);
895    if (ret == 0) {
896        TEST_ASSERT(rlen == message->len);
897        TEST_ASSERT(memcmp(result, message->x, rlen) == 0);
898    }
899
900exit:
901    mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
902    mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
903    mbedtls_pk_free(&pk);
904    USE_PSA_DONE();
905}
906/* END_CASE */
907
908/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
909void pk_rsa_decrypt_test_vec(data_t *cipher, int mod,
910                             char *input_P, char *input_Q,
911                             char *input_N, char *input_E,
912                             data_t *clear, int ret)
913{
914    unsigned char output[256];
915    mbedtls_test_rnd_pseudo_info rnd_info;
916    mbedtls_mpi N, P, Q, E;
917    mbedtls_rsa_context *rsa;
918    mbedtls_pk_context pk;
919    size_t olen;
920
921    USE_PSA_INIT();
922
923    mbedtls_pk_init(&pk);
924    mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
925    mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
926
927    memset(&rnd_info,  0, sizeof(mbedtls_test_rnd_pseudo_info));
928
929
930    /* init pk-rsa context */
931    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
932    rsa = mbedtls_pk_rsa(pk);
933
934    /* load public key */
935    TEST_ASSERT(mbedtls_test_read_mpi(&N, input_N) == 0);
936    TEST_ASSERT(mbedtls_test_read_mpi(&E, input_E) == 0);
937
938    /* load private key */
939    TEST_ASSERT(mbedtls_test_read_mpi(&P, input_P) == 0);
940    TEST_ASSERT(mbedtls_test_read_mpi(&Q, input_Q) == 0);
941    TEST_ASSERT(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E) == 0);
942    TEST_ASSERT(mbedtls_rsa_get_len(rsa) == (size_t) (mod / 8));
943    TEST_ASSERT(mbedtls_rsa_complete(rsa) == 0);
944
945    /* decryption test */
946    memset(output, 0, sizeof(output));
947    olen = 0;
948    TEST_ASSERT(mbedtls_pk_decrypt(&pk, cipher->x, cipher->len,
949                                   output, &olen, sizeof(output),
950                                   mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);
951    if (ret == 0) {
952        TEST_ASSERT(olen == clear->len);
953        TEST_ASSERT(memcmp(output, clear->x, olen) == 0);
954    }
955
956exit:
957    mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
958    mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
959    mbedtls_pk_free(&pk);
960    USE_PSA_DONE();
961}
962/* END_CASE */
963
964/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_USE_PSA_CRYPTO */
965void pk_wrap_rsa_decrypt_test_vec(data_t *cipher, int mod,
966                                  char *input_P, char *input_Q,
967                                  char *input_N, char *input_E,
968                                  data_t *clear, int ret)
969{
970    unsigned char output[256];
971    mbedtls_test_rnd_pseudo_info rnd_info;
972    mbedtls_mpi N, P, Q, E;
973    mbedtls_rsa_context *rsa;
974    mbedtls_pk_context pk;
975    mbedtls_svc_key_id_t key_id;
976    size_t olen;
977
978    USE_PSA_INIT();
979
980    mbedtls_pk_init(&pk);
981    mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
982    mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
983
984    memset(&rnd_info,  0, sizeof(mbedtls_test_rnd_pseudo_info));
985
986    /* init pk-rsa context */
987    TEST_EQUAL(mbedtls_pk_setup(&pk,
988                                mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0);
989    rsa = mbedtls_pk_rsa(pk);
990
991    /* load public key */
992    TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0);
993    TEST_EQUAL(mbedtls_test_read_mpi(&E, input_E), 0);
994
995    /* load private key */
996    TEST_EQUAL(mbedtls_test_read_mpi(&P, input_P), 0);
997    TEST_EQUAL(mbedtls_test_read_mpi(&Q, input_Q), 0);
998    TEST_EQUAL(mbedtls_rsa_import(rsa, &N, &P, &Q, NULL, &E), 0);
999    TEST_EQUAL(mbedtls_rsa_get_len(rsa), (size_t) (mod / 8));
1000    TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
1001
1002    /* Turn PK context into an opaque one. */
1003    TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id,
1004                                         PSA_ALG_RSA_PKCS1V15_CRYPT,
1005                                         PSA_KEY_USAGE_DECRYPT,
1006                                         PSA_ALG_NONE), 0);
1007
1008    /* decryption test */
1009    memset(output, 0, sizeof(output));
1010    olen = 0;
1011    TEST_EQUAL(mbedtls_pk_decrypt(&pk, cipher->x, cipher->len,
1012                                  output, &olen, sizeof(output),
1013                                  mbedtls_test_rnd_pseudo_rand, &rnd_info), ret);
1014    if (ret == 0) {
1015        TEST_EQUAL(olen, clear->len);
1016        TEST_EQUAL(memcmp(output, clear->x, olen), 0);
1017    }
1018
1019    TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id));
1020
1021exit:
1022    mbedtls_mpi_free(&N); mbedtls_mpi_free(&P);
1023    mbedtls_mpi_free(&Q); mbedtls_mpi_free(&E);
1024    mbedtls_pk_free(&pk);
1025    USE_PSA_DONE();
1026}
1027/* END_CASE */
1028
1029/* BEGIN_CASE */
1030void pk_ec_nocrypt(int type)
1031{
1032    mbedtls_pk_context pk;
1033    unsigned char output[100];
1034    unsigned char input[100];
1035    mbedtls_test_rnd_pseudo_info rnd_info;
1036    size_t olen = 0;
1037    int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
1038
1039    mbedtls_pk_init(&pk);
1040
1041    memset(&rnd_info,  0, sizeof(mbedtls_test_rnd_pseudo_info));
1042    memset(output,     0, sizeof(output));
1043    memset(input,      0, sizeof(input));
1044
1045    TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
1046
1047    TEST_ASSERT(mbedtls_pk_encrypt(&pk, input, sizeof(input),
1048                                   output, &olen, sizeof(output),
1049                                   mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);
1050
1051    TEST_ASSERT(mbedtls_pk_decrypt(&pk, input, sizeof(input),
1052                                   output, &olen, sizeof(output),
1053                                   mbedtls_test_rnd_pseudo_rand, &rnd_info) == ret);
1054
1055exit:
1056    mbedtls_pk_free(&pk);
1057}
1058/* END_CASE */
1059
1060/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
1061void pk_rsa_overflow()
1062{
1063    mbedtls_pk_context pk;
1064    size_t hash_len = SIZE_MAX, sig_len = SIZE_MAX;
1065    unsigned char hash[50], sig[100];
1066
1067    memset(hash, 0x2a, sizeof(hash));
1068    memset(sig, 0, sizeof(sig));
1069
1070    mbedtls_pk_init(&pk);
1071
1072    TEST_ASSERT(mbedtls_pk_setup(&pk,
1073                                 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
1074
1075#if defined(MBEDTLS_PKCS1_V21)
1076    TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk,
1077                                      MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len) ==
1078                MBEDTLS_ERR_PK_BAD_INPUT_DATA);
1079#endif /* MBEDTLS_PKCS1_V21 */
1080
1081    TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len,
1082                                  sig, sig_len) == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
1083
1084    TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len,
1085                                sig, sizeof(sig), &sig_len,
1086                                mbedtls_test_rnd_std_rand, NULL)
1087                == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
1088
1089exit:
1090    mbedtls_pk_free(&pk);
1091}
1092/* END_CASE */
1093
1094/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_PK_RSA_ALT_SUPPORT */
1095void pk_rsa_alt()
1096{
1097    /*
1098     * An rsa_alt context can only do private operations (decrypt, sign).
1099     * Test it against the public operations (encrypt, verify) of a
1100     * corresponding rsa context.
1101     */
1102    mbedtls_rsa_context raw;
1103    mbedtls_pk_context rsa, alt;
1104    mbedtls_pk_debug_item dbg_items[10];
1105    unsigned char hash[50], sig[64];
1106    unsigned char msg[50], ciph[64], test[50];
1107    size_t sig_len, ciph_len, test_len;
1108    int ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
1109
1110    USE_PSA_INIT();
1111
1112    mbedtls_rsa_init(&raw);
1113    mbedtls_pk_init(&rsa); mbedtls_pk_init(&alt);
1114
1115    memset(hash, 0x2a, sizeof(hash));
1116    memset(sig, 0, sizeof(sig));
1117    memset(msg, 0x2a, sizeof(msg));
1118    memset(ciph, 0, sizeof(ciph));
1119    memset(test, 0, sizeof(test));
1120
1121    /* Initialize PK RSA context with random key */
1122    TEST_ASSERT(mbedtls_pk_setup(&rsa,
1123                                 mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
1124    TEST_ASSERT(pk_genkey(&rsa, RSA_KEY_SIZE) == 0);
1125
1126    /* Extract key to the raw rsa context */
1127    TEST_ASSERT(mbedtls_rsa_copy(&raw, mbedtls_pk_rsa(rsa)) == 0);
1128
1129    /* Initialize PK RSA_ALT context */
1130    TEST_ASSERT(mbedtls_pk_setup_rsa_alt(&alt, (void *) &raw,
1131                                         mbedtls_rsa_decrypt_func, mbedtls_rsa_sign_func,
1132                                         mbedtls_rsa_key_len_func) == 0);
1133
1134    /* Test administrative functions */
1135    TEST_ASSERT(mbedtls_pk_can_do(&alt, MBEDTLS_PK_RSA));
1136    TEST_ASSERT(mbedtls_pk_get_bitlen(&alt) == RSA_KEY_SIZE);
1137    TEST_ASSERT(mbedtls_pk_get_len(&alt) == RSA_KEY_LEN);
1138    TEST_ASSERT(mbedtls_pk_get_type(&alt) == MBEDTLS_PK_RSA_ALT);
1139    TEST_ASSERT(strcmp(mbedtls_pk_get_name(&alt), "RSA-alt") == 0);
1140
1141    /* Test signature */
1142#if SIZE_MAX > UINT_MAX
1143    TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX,
1144                                sig, sizeof(sig), &sig_len,
1145                                mbedtls_test_rnd_std_rand, NULL)
1146                == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
1147#endif /* SIZE_MAX > UINT_MAX */
1148    TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, sizeof(hash),
1149                                sig, sizeof(sig), &sig_len,
1150                                mbedtls_test_rnd_std_rand, NULL)
1151                == 0);
1152    TEST_ASSERT(sig_len == RSA_KEY_LEN);
1153    TEST_ASSERT(mbedtls_pk_verify(&rsa, MBEDTLS_MD_NONE,
1154                                  hash, sizeof(hash), sig, sig_len) == 0);
1155
1156    /* Test decrypt */
1157    TEST_ASSERT(mbedtls_pk_encrypt(&rsa, msg, sizeof(msg),
1158                                   ciph, &ciph_len, sizeof(ciph),
1159                                   mbedtls_test_rnd_std_rand, NULL) == 0);
1160    TEST_ASSERT(mbedtls_pk_decrypt(&alt, ciph, ciph_len,
1161                                   test, &test_len, sizeof(test),
1162                                   mbedtls_test_rnd_std_rand, NULL) == 0);
1163    TEST_ASSERT(test_len == sizeof(msg));
1164    TEST_ASSERT(memcmp(test, msg, test_len) == 0);
1165
1166    /* Test forbidden operations */
1167    TEST_ASSERT(mbedtls_pk_encrypt(&alt, msg, sizeof(msg),
1168                                   ciph, &ciph_len, sizeof(ciph),
1169                                   mbedtls_test_rnd_std_rand, NULL) == ret);
1170    TEST_ASSERT(mbedtls_pk_verify(&alt, MBEDTLS_MD_NONE,
1171                                  hash, sizeof(hash), sig, sig_len) == ret);
1172    TEST_ASSERT(mbedtls_pk_debug(&alt, dbg_items) == ret);
1173
1174exit:
1175    mbedtls_rsa_free(&raw);
1176    mbedtls_pk_free(&rsa); mbedtls_pk_free(&alt);
1177    USE_PSA_DONE();
1178}
1179/* END_CASE */
1180
1181/* BEGIN_CASE depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO */
1182void pk_psa_sign(int parameter_arg,
1183                 int psa_type_arg, int expected_bits_arg)
1184{
1185    mbedtls_pk_context pk;
1186    unsigned char hash[32];
1187    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
1188    unsigned char pkey_legacy[200];
1189    unsigned char pkey_psa[200];
1190    unsigned char *pkey_legacy_start, *pkey_psa_start;
1191    psa_algorithm_t alg_psa;
1192    size_t sig_len, klen_legacy, klen_psa;
1193    int ret;
1194    mbedtls_svc_key_id_t key_id;
1195    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1196    psa_key_type_t expected_type = psa_type_arg;
1197    size_t expected_bits = expected_bits_arg;
1198
1199    /*
1200     * This tests making signatures with a wrapped PSA key:
1201     * - generate a fresh ECP/RSA legacy PK context
1202     * - wrap it in a PK context and make a signature this way
1203     * - extract the public key
1204     * - parse it to a PK context and verify the signature this way
1205     */
1206
1207    PSA_ASSERT(psa_crypto_init());
1208
1209#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
1210    if (PSA_KEY_TYPE_IS_RSA(psa_type_arg)) {
1211        /* Create legacy RSA public/private key in PK context. */
1212        mbedtls_pk_init(&pk);
1213        TEST_ASSERT(mbedtls_pk_setup(&pk,
1214                                     mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
1215        TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
1216                                        mbedtls_test_rnd_std_rand, NULL,
1217                                        parameter_arg, 3) == 0);
1218        alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
1219    } else
1220#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
1221#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1222    if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) {
1223        mbedtls_ecp_group_id grpid = parameter_arg;
1224
1225        /* Create legacy EC public/private key in PK context. */
1226        mbedtls_pk_init(&pk);
1227        TEST_ASSERT(mbedtls_pk_setup(&pk,
1228                                     mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
1229        TEST_ASSERT(mbedtls_ecp_gen_key(grpid,
1230                                        (mbedtls_ecp_keypair *) pk.pk_ctx,
1231                                        mbedtls_test_rnd_std_rand, NULL) == 0);
1232        alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
1233    } else
1234#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1235    {
1236        (void) parameter_arg;
1237        TEST_ASSUME(!"Opaque PK key not supported in this configuration");
1238    }
1239
1240    /* Export underlying public key for re-importing in a legacy context. */
1241#if defined(MBEDTLS_PK_WRITE_C)
1242    ret = mbedtls_pk_write_pubkey_der(&pk, pkey_legacy,
1243                                      sizeof(pkey_legacy));
1244    TEST_ASSERT(ret >= 0);
1245    klen_legacy = (size_t) ret;
1246    /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
1247    pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy;
1248#else
1249    ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec(pk)->grp),
1250                                         &(mbedtls_pk_ec(pk)->Q),
1251                                         MBEDTLS_ECP_PF_UNCOMPRESSED,
1252                                         &klen_legacy, pkey_legacy,
1253                                         sizeof(pkey_legacy));
1254    TEST_EQUAL(ret, 0);
1255    pkey_legacy_start = pkey_legacy;
1256#endif /* MBEDTLS_PK_WRITE_C */
1257
1258    /* Turn PK context into an opaque one. */
1259    TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa,
1260                                          PSA_KEY_USAGE_SIGN_HASH,
1261                                          PSA_ALG_NONE) == 0);
1262
1263    PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
1264    TEST_EQUAL(psa_get_key_type(&attributes), expected_type);
1265    TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits);
1266    TEST_EQUAL(psa_get_key_lifetime(&attributes),
1267               PSA_KEY_LIFETIME_VOLATILE);
1268
1269    memset(hash, 0x2a, sizeof(hash));
1270    memset(sig, 0, sizeof(sig));
1271
1272    TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256,
1273                                hash, sizeof(hash), sig, sizeof(sig), &sig_len,
1274                                NULL, NULL) == 0);
1275
1276    /* Export underlying public key for re-importing in a psa context. */
1277#if defined(MBEDTLS_PK_WRITE_C)
1278    ret = mbedtls_pk_write_pubkey_der(&pk, pkey_psa,
1279                                      sizeof(pkey_psa));
1280    TEST_ASSERT(ret >= 0);
1281    klen_psa = (size_t) ret;
1282    /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
1283    pkey_psa_start = pkey_psa + sizeof(pkey_psa) - klen_psa;
1284#else
1285    psa_status_t status;
1286
1287    status = psa_export_public_key(key_id, pkey_psa, sizeof(pkey_psa),
1288                                   &klen_psa);
1289    TEST_EQUAL(status, PSA_SUCCESS);
1290    pkey_psa_start = pkey_psa;
1291#endif /* MBEDTLS_PK_WRITE_C */
1292
1293    TEST_ASSERT(klen_psa == klen_legacy);
1294    TEST_ASSERT(memcmp(pkey_psa_start, pkey_legacy_start, klen_psa) == 0);
1295
1296    mbedtls_pk_free(&pk);
1297    TEST_ASSERT(PSA_SUCCESS == psa_destroy_key(key_id));
1298
1299    mbedtls_pk_init(&pk);
1300
1301    /* If we used "pk_write" previously, then we go for a "pk_parse" here;
1302     * otherwise if we went for "ecp_point_write_binary" then we'll go
1303     * for a "ecp_point_read_binary" here. This allows to drop dependencies
1304     * on "PK_WRITE" and "PK_PARSE" if required */
1305#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_PK_PARSE_C)
1306    TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start,
1307                                           klen_legacy), 0);
1308#else
1309    TEST_EQUAL(mbedtls_pk_setup(&pk,
1310                                mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0);
1311    TEST_EQUAL(mbedtls_ecp_group_load(
1312                   &(mbedtls_pk_ec(pk)->grp),
1313                   (mbedtls_ecp_group_id) parameter_arg), 0);
1314    TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec(pk)->grp),
1315                                             &(mbedtls_pk_ec(pk)->Q),
1316                                             pkey_legacy_start, klen_legacy), 0);
1317#endif
1318    TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
1319                                  hash, sizeof(hash), sig, sig_len) == 0);
1320
1321exit:
1322    /*
1323     * Key attributes may have been returned by psa_get_key_attributes()
1324     * thus reset them as required.
1325     */
1326    psa_reset_key_attributes(&attributes);
1327
1328    mbedtls_pk_free(&pk);
1329    USE_PSA_DONE();
1330}
1331/* END_CASE */
1332
1333/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_GENPRIME */
1334void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
1335{
1336    /* See the description of pk_genkey() for the description of the `parameter` argument. */
1337    mbedtls_pk_context pk;
1338    size_t sig_len;
1339    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
1340    unsigned char hash[PSA_HASH_MAX_SIZE];
1341    size_t hash_len = mbedtls_hash_info_get_size(md_alg);
1342    void const *options = NULL;
1343    mbedtls_pk_rsassa_pss_options rsassa_pss_options;
1344    memset(hash, 0x2a, sizeof(hash));
1345    memset(sig, 0, sizeof(sig));
1346
1347    mbedtls_pk_init(&pk);
1348    PSA_INIT();
1349
1350    TEST_ASSERT(mbedtls_pk_setup(&pk,
1351                                 mbedtls_pk_info_from_type(pk_type)) == 0);
1352
1353    TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
1354
1355    TEST_ASSERT(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
1356                                    sig, sizeof(sig), &sig_len,
1357                                    mbedtls_test_rnd_std_rand, NULL) == 0);
1358
1359    if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
1360        rsassa_pss_options.mgf1_hash_id = md_alg;
1361        TEST_ASSERT(hash_len != 0);
1362        rsassa_pss_options.expected_salt_len = hash_len;
1363        options = (const void *) &rsassa_pss_options;
1364    }
1365    TEST_ASSERT(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
1366                                      hash, hash_len, sig, sig_len) == 0);
1367exit:
1368    PSA_DONE();
1369    mbedtls_pk_free(&pk);
1370}
1371/* END_CASE */
1372
1373/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_USE_PSA_CRYPTO */
1374void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
1375{
1376    /* See the description of mbedtls_rsa_gen_key() for the description of the `parameter` argument. */
1377    mbedtls_pk_context pk;
1378    size_t sig_len, pkey_len;
1379    mbedtls_svc_key_id_t key_id;
1380    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
1381    unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
1382    unsigned char *pkey_start;
1383    unsigned char hash[PSA_HASH_MAX_SIZE];
1384    psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
1385    psa_algorithm_t psa_alg;
1386    size_t hash_len = PSA_HASH_LENGTH(psa_md_alg);
1387    void const *options = NULL;
1388    mbedtls_pk_rsassa_pss_options rsassa_pss_options;
1389    int ret;
1390
1391    mbedtls_pk_init(&pk);
1392    PSA_INIT();
1393
1394    /* Create legacy RSA public/private key in PK context. */
1395    mbedtls_pk_init(&pk);
1396    TEST_EQUAL(mbedtls_pk_setup(&pk,
1397                                mbedtls_pk_info_from_type(pk_type)), 0);
1398    TEST_EQUAL(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
1399                                   mbedtls_test_rnd_std_rand, NULL,
1400                                   parameter, 3), 0);
1401
1402    /* Export underlying public key for re-importing in a legacy context. */
1403    ret = mbedtls_pk_write_pubkey_der(&pk, pkey, sizeof(pkey));
1404    TEST_ASSERT(ret >= 0);
1405
1406    pkey_len = (size_t) ret;
1407    /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
1408    pkey_start = pkey + sizeof(pkey) - pkey_len;
1409
1410    if (key_pk_type == MBEDTLS_PK_RSA) {
1411        psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
1412    } else if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
1413        psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
1414    } else {
1415        TEST_ASSUME(!"PK key type not supported in this configuration");
1416    }
1417
1418    /* Turn PK context into an opaque one. */
1419    TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg,
1420                                         PSA_KEY_USAGE_SIGN_HASH,
1421                                         PSA_ALG_NONE), 0);
1422
1423    memset(hash, 0x2a, sizeof(hash));
1424    memset(sig, 0, sizeof(sig));
1425
1426    TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
1427                                   sig, sizeof(sig), &sig_len,
1428                                   mbedtls_test_rnd_std_rand, NULL), 0);
1429
1430    mbedtls_pk_free(&pk);
1431    TEST_EQUAL(PSA_SUCCESS, psa_destroy_key(key_id));
1432
1433    mbedtls_pk_init(&pk);
1434    TEST_EQUAL(mbedtls_pk_parse_public_key(&pk, pkey_start, pkey_len), 0);
1435
1436    if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
1437        rsassa_pss_options.mgf1_hash_id = md_alg;
1438        TEST_ASSERT(hash_len != 0);
1439        rsassa_pss_options.expected_salt_len = hash_len;
1440        options = (const void *) &rsassa_pss_options;
1441    }
1442    TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
1443                                     hash, hash_len, sig, sig_len), 0);
1444
1445exit:
1446    mbedtls_pk_free(&pk);
1447    PSA_DONE();
1448}
1449/* END_CASE */
1450