From 5ae6c62247343d4c60618b374101cba42a645a1a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 27 Nov 2025 14:38:22 +0100 Subject: [PATCH 1/3] tests: x509parse: transition tests based on secp192 curves to secp256 After some analysis it was determined that the previous test data does not seem to belong to the "framework/data_files" certificate files. Therefore new test data has been generated from scratch. The improvement compared to the previous situation is that comments have been added on top of each test in order to explain how to recreate new test data. Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509parse.data | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 14e7afa740eb..e90f6b96fb50 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -2391,13 +2391,25 @@ X509 CRT ASN1 (ECDSA signature, RSA key) depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_SOME_ECDSA x509parse_crt:"3081e630819e020103300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3133303731303039343631385a170d3233303730383039343631385a300f310d300b0603550403130454657374304c300d06092a864886f70d0101010500033b003038023100e8f546061d3b49bc2f6b7524b7ea4d73a8d5293ee8c64d9407b70b5d16baebc32b8205591eab4e1eb57e9241883701250203010001300906072a8648ce3d0401033800303502186e18209afbed14a0d9a796efcad68891e3ccd5f75815c833021900e92b4fd460b1994693243b9ffad54729de865381bda41d25":"cert. version \: 1\nserial number \: 03\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 09\:46\:18\nexpires on \: 2023-07-08 09\:46\:18\nsigned using \: ECDSA with SHA1\nRSA key size \: 384 bits\n":0 +# This was generated as follows: +# 1. generate EC key -> openssl ecparam -name secp256r1 -genkey -noout -out secp256.key +# 2. generate CSR -> openssl req -new -key secp256.key -out secp256.csr -subj "/CN=Test/" +# 3. generate CRT -> openssl x509 -req -in secp256.csr -sha1 -signkey secp256.key -days 3650 -set_serial 0xf41534662ec7e912 -out secp256.crt -outform DER +# 4. get generated DER content -> xxd -ps secp256.crt X509 CRT ASN1 (ECDSA signature, EC key) -depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1 -x509parse_crt:"3081eb3081a3020900f41534662ec7e912300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3133303731303039343031395a170d3233303730383039343031395a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d030101033200042137969fabd4e370624a0e1a33e379cab950cce00ef8c3c3e2adaeb7271c8f07659d65d3d777dcf21614363ae4b6e617300906072a8648ce3d04010338003035021858cc0f957946fe6a303d92885a456aa74c743c7b708cbd37021900fe293cac21af352d16b82eb8ea54e9410b3abaadd9f05dd6":"cert. 
version \: 1\nserial number \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 09\:40\:19\nexpires on \: 2023-07-08 09\:40\:19\nsigned using \: ECDSA with SHA1\nEC key size \: 192 bits\n":0 - +depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1 +x509parse_crt:"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":"cert. version \: 1\nserial number \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2025-11-27 12\:16\:40\nexpires on \: 2035-11-25 12\:16\:40\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0 + +# This was generated as follows: +# 1. generate EC key -> openssl ecparam -name secp256r1 -genkey -noout -out secp256.key +# 2. generate CSR -> openssl req -new -key secp256.key -out secp256.csr -subj "/CN=Test/" +# 3. generate RSA key -> openssl genrsa -out rsa_1024.key 1024 +# 4. generate RSA CA cert -> openssl req -new -x509 -key rsa_1024.key -sha1 -days 3650 -subj="/CN=Test/" -out ca_rsa_1024.crt +# 5. generate final CRT -> openssl x509 -req -in secp256.csr -CA ca_rsa_1024.crt -CAkey rsa_1024.key -days 3650 -sha1 -set_serial 4 -out secp256-rsa.crt -outform DER +# 4. get generated DER content -> xxd -ps secp256-rsa.crt X509 CRT ASN1 (RSA signature, EC key) -depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C -x509parse_crt:"3081e430819f020104300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3133303731303135303233375a170d3233303730383135303233375a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d03010103320004e962551a325b21b50cf6b990e33d4318fd16677130726357a196e3efe7107bcb6bdc6d9db2a4df7c964acfe81798433d300d06092a864886f70d01010505000331001a6c18cd1e457474b2d3912743f44b571341a7859a0122774a8e19a671680878936949f904c9255bdd6fffdb33a7e6d8":"cert. 
version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 15\:02\:37\nexpires on \: 2023-07-08 15\:02\:37\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n":0 +depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C +x509parse_crt:"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":"cert. version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2025-11-27 13\:32\:52\nexpires on \: 2035-11-25 13\:32\:52\nsigned using \: RSA with SHA1\nEC key size \: 256 bits\n":0 X509 CRT ASN1 (Unsupported critical extension) depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256 From a042b4c3116c04c9dbdf1c2d01a6cce4b13d039e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 28 Nov 2025 09:50:20 +0100 Subject: [PATCH 2/3] tests: x509parse: replace certificates using secp192 with those using secp256 This replacement is either: - "server5-rsa-signed.crt": if a generic secp256r1 EC key is enough, i.e. any EC key is fine as it's not secp192 since this support is being removed from TF-PSA-Crypto. - "server11-rsa-signed.crt": if an EC key which does not belong to "suite-b" is required. For this case "secp256r1" wouldn't be good, so we use a "secp256k1" key. Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509parse.data | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index e90f6b96fb50..353d3e809aa2 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
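Review bot: The regeneration recipe above the "RSA signature, EC key" case is unlikely to run as written. Step 4 passes `-subj="/CN=Test/"`, whereas step 2 uses the space-separated form `-subj "/CN=Test/"` that OpenSSL's option parsing expects. The last step is also numbered `# 4.` a second time instead of `# 6.`. Both comment blocks should say that rerunning the commands yields a new key and new validity dates, so the `issued on` / `expires on` strings in the expected output must be updated together with the DER hex. A closing line such as `# Note: SHA-1 and the 1024-bit RSA CA key are throwaway test-vector parameters; update the expected text whenever the hex is regenerated.` would record that the weak parameters are intentional.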
@@ -179,8 +179,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_S x509_cert_info:"../framework/data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information EC signed by RSA -depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C -x509_cert_info:"../framework/data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" +depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C +x509_cert_info:"../framework/data_files/parse_input/server5-rsa-signed.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1 
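Review bot: The path `../framework/data_files/parse_input/server5-rsa-signed.crt` is introduced here in patch 2/3, while the framework submodule pointer only moves in patch 3/3. If that file, and `server11-rsa-signed.crt` used in the later hunks, first appears in the newer framework commit, this commit fails on its own and breaks bisection. Moving the submodule update ahead of this patch, or squashing the two, would avoid that. The neighbouring test cases continue outside the hunk.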
@@ -752,8 +752,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V1 x509_verify:"../framework/data_files/cert_example_multi_nocn.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #32 (Valid, EC cert, RSA CA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_192:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 -x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 +x509_verify:"../framework/data_files/server5-rsa-signed.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #33 (Valid, RSA cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ECC_SECP_R1_384 
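Review bot: The rewritten `depends_on` line for verification #32 still lists `MBEDTLS_RSA_C` twice. Since the line is being touched anyway, the second occurrence can be dropped so it reads `depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1`. This is tidiness only; the set of required options is unchanged.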
@@ -1000,8 +1000,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ALG_SHA_256:PS x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_192:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 -x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 +x509_verify:"../framework/data_files/server11-rsa-signed.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL" X509 CRT verification #94 (Suite B invalid, RSA cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PKCS1_V15:PSA_WANT_ECC_SECP_R1_384 
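Review bot: The curve named on the new `depends_on` line for verification #93 does not match the certificate it loads. The commit message says `server11-rsa-signed.crt` carries a secp256k1 key, but the line requires `PSA_WANT_ECC_SECP_R1_256`. In a build with secp256r1 enabled and secp256k1 disabled, the case would presumably run and fail while parsing the EC public key instead of being skipped, so the `MBEDTLS_X509_BADCERT_BAD_KEY` expectation for the Suite B profile would never be exercised. The curve term should likely be `PSA_WANT_ECC_SECP_K1_256`. The same applies to the `depends_on` line of verify chain #12 in the `@@ -2674,8` hunk.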
@@ -2674,8 +2674,8 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_2 mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert92.crt":"../framework/data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0 X509 CRT verify chain #12 (suiteb profile, RSA root) -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1 -mbedtls_x509_crt_verify_chain:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server11-rsa-signed.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 X509 CRT verify chain #13 (RSA only profile, EC root) depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_384 From 388bdd56249c4b69618389464fe0347630476972 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 28 Nov 2025 11:03:57 +0100 Subject: [PATCH 3/3] framework: update reference Signed-off-by: Valerio Setti --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 6c9076eef1aa..8338ee053d62 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 6c9076eef1aaba371550ebc1145aed7227154b99 +Subproject commit 8338ee053d628c4b2fb0430b9cf0df265faeb19d