tests: crypto: Add wrapped key support in PSA crypto tests

Aasimshaik11 · Aasimshaik11 · commit 1192c418ec5a · 2025-09-11T14:57:18.000+05:30
1. Added wrapped key buffers for AES, ChaChaPoly, and ECDSA keys in
   AEAD and Sign test cases.
2. Updated AEAD, Cipher, Key Agreement, and Sign tests to:
   - Import wrapped keys when CONFIG_TEST_WRAPPED_KEYS is enabled.
   - Configure key lifetime using PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION.
   - Print a debug message when wrapper key mode is active.
   - Use normal key import when wrapper keys are disabled.
3. Removed conditional inclusion of sl_si91x_psa_wrap.h and cleaned up
   redundant preprocessor blocks for better readability.

Signed-off-by: Aasim Shaik &lt;Aasim.Shaik@silabs.com&gt;
diff --git a/tests/crypto/psa_crypto/src/aead.c b/tests/crypto/psa_crypto/src/aead.c
@@ -7,12 +7,10 @@
 #include <zephyr/ztest.h>
 #include <psa/crypto.h>
 
-#if defined CONFIG_TEST_WRAPPED_KEYS
-#include "sl_si91x_psa_wrap.h"
-#endif
-
 const uint8_t aes_key_buf[] = {0xea, 0x4f, 0x6f, 0x3c, 0x2f, 0xed, 0x2b, 0x9d,
 			       0xd9, 0x70, 0x8c, 0x2e, 0x72, 0x1a, 0xe0, 0x0f};
+const uint8_t wrapped_aes_key_buf[] = {0x52, 0xb3, 0x41, 0x71, 0xcf, 0xd6,
+				   0xa2, 0x00, 0xe6, 0xe4, 0x75, 0x57, 0xa6, 0xe5, 0x0a, 0x0f};
 const uint8_t aes_nonce_buf[] = {0xf9, 0x75, 0x80, 0x9d, 0xdb, 0x51,
 				 0x72, 0x38, 0x27, 0x45, 0x63, 0x4f};
 const uint8_t aes_ad_buf[] = {0x5c, 0x65, 0xd4, 0xf2, 0x61, 0xd2, 0xc5, 0x4f, 0xfe, 0x6a};
@@ -22,6 +20,10 @@ const uint8_t chachapoly_key_buf[] = {0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86,
 				      0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
 				      0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
 				      0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f};
+const uint8_t wrapped_chachapoly_key_buf[] = {0x19, 0x67, 0x03, 0x6a, 0x20, 0xe6, 0x32,
+					  0xed, 0x21, 0x2a, 0x4a, 0xdc, 0x2c, 0x5f, 0x19,
+					  0x22, 0x77, 0x56, 0x61, 0x92, 0x2c, 0xf3, 0xdc,
+					  0xe8, 0x8e, 0x81, 0x45, 0x4d, 0xd6, 0xc7, 0x86, 0x0b};
 const uint8_t chachapoly_nonce_buf[] = {0x07, 0x00, 0x00, 0x00, 0x40, 0x41,
 					0x42, 0x43, 0x44, 0x45, 0x46, 0x47};
 const uint8_t chachapoly_ad_buf[] = {0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1,
@@ -49,7 +51,6 @@ const uint8_t chachapoly_expect_cipher_tag_buf[] = {
 
 ZTEST(psa_crypto_test, test_aead_aes_ccm)
 {
-
 	const uint8_t expect_cipher_tag_buf[] = {
 		0xe2, 0x2f, 0x37, 0x3b, 0xeb, 0xf6, 0x4a, 0x3e, 0x9b, 0x87, 0x75, 0x2b, 0xf9,
 		0xdb, 0x34, 0xdc, 0x4d, 0x43, 0x3f, 0x00, 0xf5, 0x5c, 0x3f, 0x53, 0x0c, 0x89,
@@ -67,21 +68,21 @@ ZTEST(psa_crypto_test, test_aead_aes_ccm)
 	psa_set_key_algorithm(&attributes, alg);
 
 	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT));
-	#endif
+	printf("Test Wrapper keys enabled\n");
+	psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+						  PSA_KEY_PERSISTENCE_VOLATILE, 1));
+	zassert_equal(psa_import_key(&attributes, wrapped_aes_key_buf, sizeof(wrapped_aes_key_buf), &key_id),
+					      PSA_SUCCESS, "Failed to import key");
+	#else
 	zassert_equal(psa_import_key(&attributes, aes_key_buf, sizeof(aes_key_buf), &key_id),
 		      PSA_SUCCESS, "Failed to import key");
-	
+	#endif
 	zassert_equal(psa_aead_encrypt(key_id, alg, aes_nonce_buf, sizeof(aes_nonce_buf),
 				       aes_ad_buf, sizeof(aes_ad_buf), aes_plaintext,
 				       sizeof(aes_plaintext), cipher_tag_buf,
 				       sizeof(cipher_tag_buf), &out_len),
 		      PSA_SUCCESS, "Failed to perform encrypt");
-	
 	zassert_equal(out_len, sizeof(expect_cipher_tag_buf));
-
 	zassert_mem_equal(cipher_tag_buf, expect_cipher_tag_buf, sizeof(expect_cipher_tag_buf));
 
 	zassert_equal(psa_aead_decrypt(key_id, alg, aes_nonce_buf, sizeof(aes_nonce_buf),
@@ -90,16 +91,12 @@ ZTEST(psa_crypto_test, test_aead_aes_ccm)
 		      PSA_SUCCESS, "Failed to decrypt");
 
 	zassert_equal(out_len, sizeof(aes_plaintext));
-
 	zassert_mem_equal(decrypted, aes_plaintext, sizeof(aes_plaintext));
-
 	zassert_equal(psa_destroy_key(key_id), PSA_SUCCESS, "Failed to destroy key");
-
 }
 
 ZTEST(psa_crypto_test, test_aead_aes_gcm)
 {
-
 	const uint8_t expect_cipher_tag_buf[] = {
 		0x0f, 0x51, 0xf7, 0xa8, 0x3c, 0x5b, 0x5a, 0xa7, 0x96, 0xb9, 0x70, 0x25, 0x9c,
 		0xdd, 0xfe, 0x8f, 0x9a, 0x15, 0xa5, 0xc5, 0xeb, 0x48, 0x5a, 0xf5, 0x78, 0xfb,
@@ -119,17 +116,19 @@ ZTEST(psa_crypto_test, test_aead_aes_gcm)
 	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
 	printf("Test Wrapper keys enabled\n");
 		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT));
-	#endif
+							  PSA_KEY_PERSISTENCE_VOLATILE, 1));
+	zassert_equal(psa_import_key(&attributes, wrapped_aes_key_buf, sizeof(wrapped_aes_key_buf), &key_id),
+		      PSA_SUCCESS, "Failed to import key");
+	#else
 	zassert_equal(psa_import_key(&attributes, aes_key_buf, sizeof(aes_key_buf), &key_id),
 		      PSA_SUCCESS, "Failed to import key");
-
+	#endif
 	zassert_equal(psa_aead_encrypt(key_id, alg, aes_nonce_buf, sizeof(aes_nonce_buf),
 				       aes_ad_buf, sizeof(aes_ad_buf), aes_plaintext,
 				       sizeof(aes_plaintext), cipher_tag_buf,
 				       sizeof(cipher_tag_buf), &out_len),
 		      PSA_SUCCESS, "Failed to perform encrypt");
-	
+
 	zassert_equal(out_len, sizeof(expect_cipher_tag_buf));
 
 	zassert_mem_equal(cipher_tag_buf, expect_cipher_tag_buf, sizeof(expect_cipher_tag_buf));
@@ -140,16 +139,12 @@ ZTEST(psa_crypto_test, test_aead_aes_gcm)
 		      PSA_SUCCESS, "Failed to decrypt");
 
 	zassert_equal(out_len, sizeof(aes_plaintext));
-
 	zassert_mem_equal(decrypted, aes_plaintext, sizeof(aes_plaintext));
-
 	zassert_equal(psa_destroy_key(key_id), PSA_SUCCESS, "Failed to destroy key");
-
 }
 
 ZTEST(psa_crypto_test, test_aead_chacha20_poly1305)
 {
-
 	uint8_t cipher_tag_buf[130]; /* Ciphertext + Tag */
 	uint8_t decrypted[sizeof(chachapoly_plaintext)] = {0};
 	size_t out_len;
@@ -164,34 +159,30 @@ ZTEST(psa_crypto_test, test_aead_chacha20_poly1305)
 
 	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
 	printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT));
-	#endif
+	psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+							  PSA_KEY_PERSISTENCE_VOLATILE, 1));
+	zassert_equal(psa_import_key(&attributes, wrapped_chachapoly_key_buf,
+							  sizeof(wrapped_chachapoly_key_buf), &key_id),
+		    				  PSA_SUCCESS, "Failed to import key");
+	#else
 	zassert_equal(psa_import_key(&attributes, chachapoly_key_buf, sizeof(chachapoly_key_buf), &key_id),
 		      PSA_SUCCESS, "Failed to import key");
-	
+	#endif
 	zassert_equal(psa_aead_encrypt(key_id, alg, chachapoly_nonce_buf,
 				       sizeof(chachapoly_nonce_buf), chachapoly_ad_buf,
 				       sizeof(chachapoly_ad_buf), chachapoly_plaintext,
 				       sizeof(chachapoly_plaintext), cipher_tag_buf,
 				       sizeof(cipher_tag_buf), &out_len),
 		      PSA_SUCCESS, "Failed to perform encrypt");
-	
 	zassert_equal(out_len, sizeof(chachapoly_expect_cipher_tag_buf));
-
 	zassert_mem_equal(cipher_tag_buf, chachapoly_expect_cipher_tag_buf,
 			  sizeof(chachapoly_expect_cipher_tag_buf));
-	
 	zassert_equal(psa_aead_decrypt(key_id, alg, chachapoly_nonce_buf,
 				       sizeof(chachapoly_nonce_buf), chachapoly_ad_buf,
 				       sizeof(chachapoly_ad_buf), cipher_tag_buf, out_len,
 				       decrypted, sizeof(decrypted), &out_len),
 		      PSA_SUCCESS, "Failed to decrypt");
-
 	zassert_equal(out_len, sizeof(chachapoly_plaintext));
-
 	zassert_mem_equal(decrypted, chachapoly_plaintext, sizeof(chachapoly_plaintext));
-
 	zassert_equal(psa_destroy_key(key_id), PSA_SUCCESS, "Failed to destroy key");
-
 }
diff --git a/tests/crypto/psa_crypto/src/cipher.c b/tests/crypto/psa_crypto/src/cipher.c
@@ -7,10 +7,6 @@
 #include <zephyr/ztest.h>
 #include <psa/crypto.h>
 
-#if defined CONFIG_TEST_WRAPPED_KEYS
-#include "sl_si91x_psa_wrap.h"
-#endif
-
 #include "test_vectors.h"
 
 uint8_t key_256[32] = {
@@ -45,16 +41,8 @@ ZTEST(psa_crypto_test, test_cipher_aes_cbc_256_multipart)
 	psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
 	psa_set_key_bits(&attributes, 256);
 
-	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, 0));
-		zassert_equal(psa_generate_key(&attributes, &key_id), PSA_SUCCESS,
-			      "Failed to generate key");
-	#else 
-		zassert_equal(psa_import_key(&attributes, key_256, sizeof(key_256), &key_id),
+	zassert_equal(psa_import_key(&attributes, key_256, sizeof(key_256), &key_id),
 			      PSA_SUCCESS, "Failed to import key");
-	#endif
 	psa_reset_key_attributes(&attributes);
 
 	zassert_equal(psa_cipher_encrypt_setup(&operation, key_id, alg), PSA_SUCCESS,
@@ -110,16 +98,9 @@ ZTEST(psa_crypto_test, test_cipher_aes_cbc_256_single)
 	psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
 	psa_set_key_bits(&attributes, 256);
 
-	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT));
-		zassert_equal(psa_generate_key(&attributes, &key_id), PSA_SUCCESS,
-			      "Failed to generate key");
-	#else
-		zassert_equal(psa_import_key(&attributes, key_256, sizeof(key_256), &key_id),
+	zassert_equal(psa_import_key(&attributes, key_256, sizeof(key_256), &key_id),
 			      PSA_SUCCESS, "Failed to import key");
-	#endif
+
 	psa_reset_key_attributes(&attributes);
 
 	zassert_equal(psa_cipher_encrypt(key_id, alg, plaintext, sizeof(plaintext),
@@ -152,16 +133,8 @@ ZTEST(psa_crypto_test, test_cipher_aes_ecb_128_single)
 	psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
 	psa_set_key_bits(&attributes, 128);
 
-	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT));
-		zassert_equal(psa_generate_key(&attributes, &key_id), PSA_SUCCESS,
-			      "Failed to generate key");
-	#else
-		zassert_equal(psa_import_key(&attributes, key_128, sizeof(key_128), &key_id),
+	zassert_equal(psa_import_key(&attributes, key_128, sizeof(key_128), &key_id),
 			      PSA_SUCCESS, "Failed to import key");
-	#endif
 
 	psa_reset_key_attributes(&attributes);
 
@@ -194,12 +167,6 @@ ZTEST(psa_crypto_test, test_cipher_chacha20_single)
 	psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
 	psa_set_key_algorithm(&attributes, alg);
 
-	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, 0));
-	#endif
-
 	zassert_equal(psa_import_key(&attributes, key_256, sizeof(key_256), &key_id), PSA_SUCCESS,
 		      "Failed to import key");
 
diff --git a/tests/crypto/psa_crypto/src/key_agreement.c b/tests/crypto/psa_crypto/src/key_agreement.c
@@ -7,10 +7,6 @@
 #include <zephyr/ztest.h>
 #include <psa/crypto.h>
 
-#if defined CONFIG_TEST_WRAPPED_KEYS
-#include "sl_si91x_psa_wrap.h"
-#endif
-
 static const uint8_t client_private_key[] = {
 	0xB0, 0x76, 0x51, 0xEA, 0x20, 0xF0, 0x28, 0xA8, 0x16, 0xEE, 0x01,
 	0xB0, 0xD1, 0x06, 0x2A, 0x7C, 0x81, 0x58, 0xE8, 0x84, 0xE9, 0xBC,
@@ -49,11 +45,6 @@ ZTEST(psa_crypto_test, test_key_agreement_ecdh_25519)
 	psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
 	psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
 
-	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, 0));
-	#endif
 	zassert_equal(psa_import_key(&attributes, client_private_key, sizeof(client_private_key),
 				     &key_id),
 		      PSA_SUCCESS, "Failed to import client key");
@@ -71,10 +62,6 @@ ZTEST(psa_crypto_test, test_key_agreement_ecdh_25519)
 	psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY));
 	psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
 	psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
-	if (IS_ENABLED(TEST_WRAPPED_KEYS)) {
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, 0));
-	}
 	zassert_equal(psa_import_key(&attributes, server_private_key, sizeof(server_private_key),
 				     &key_id),
 		      PSA_SUCCESS, "Failed to import server key");
diff --git a/tests/crypto/psa_crypto/src/sign.c b/tests/crypto/psa_crypto/src/sign.c
@@ -6,11 +6,6 @@
 
 #include <zephyr/ztest.h>
 #include <psa/crypto.h>
-
-#if defined CONFIG_TEST_WRAPPED_KEYS
-#include "sl_si91x_psa_wrap.h"
-#endif
-
 #include "test_vectors.h"
 
 uint8_t pubkey[65];
@@ -20,6 +15,10 @@ size_t signature_len;
 static const unsigned char private_key[] = { 0x95, 0xCD, 0x3A, 0x36, 0x25, 0xD6, 0xF6, 0x06, 0xBD, 0xC8, 0x64,
                                              0x77, 0x8D, 0x4A, 0xA6, 0x50, 0xC2, 0xD7, 0x9A, 0x05, 0x94, 0xDD,
                                              0x10, 0xCF, 0x4C, 0x47, 0x4B, 0x83, 0xD2, 0x87, 0x0D, 0x1A };
+static const unsigned char wrapped_private_key[] = { 0xd1, 0xd6, 0x56, 0x96, 0x9a, 0x78, 0x46, 0x36, 0xdd,
+											 0xa8, 0xbc, 0x0c, 0xe2, 0xe5, 0xbb, 0xee, 0x05, 0x33, 0x82,
+											 0x0f, 0x7d, 0xc7, 0x12, 0xf4, 0xd9, 0x34, 0x25, 0x00, 0x72,
+											 0x53, 0x95, 0x7d,};
 #define MESSAGE_SIZE (sizeof(plaintext) / 2)
 
 ZTEST(psa_crypto_test, test_sign_ecdsa_secp256r1)
@@ -50,14 +49,15 @@ ZTEST(psa_crypto_test, test_sign_ecdsa_secp256r1)
 	psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
 
 	#if defined(CONFIG_TEST_WRAPPED_KEYS) && CONFIG_TEST_WRAPPED_KEYS
-		printf("Test Wrapper keys enabled\n");
-		psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							  PSA_KEY_PERSISTENCE_VOLATILE, PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT));
-	#endif
-
+	printf("Test Wrapper keys enabled\n");
+	psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+							  PSA_KEY_PERSISTENCE_VOLATILE, 1));
+	zassert_equal(psa_import_key(&attributes,wrapped_private_key, sizeof(wrapped_private_key),
+							  &key_id), PSA_SUCCESS,"Failed to import private key");
+	#else
 	zassert_equal(psa_import_key(&attributes,private_key, sizeof(private_key), &key_id), PSA_SUCCESS,
 		      "Failed to import private key");
-	
+	#endif
 	zassert_equal(psa_sign_message(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), plaintext,
 				       MESSAGE_SIZE, signature, sizeof(signature), &signature_len),
 		      PSA_SUCCESS, "Failed to hash-and-sign message");
