From 48f045a21cb7ff87cc5cc21f56b4c5cdda628e03 Mon Sep 17 00:00:00 2001
From: Pascal Nasahl
Date: Wed, 5 Nov 2025 16:06:25 +0100
Subject: [PATCH 1/2] [cryptotest] Remove leading 0 in modulo
The wycheproof testvector seem to have a leading 0. This means that a 512-byte modulo for RSA-4096 is actually 513-byte. Currently, the test framework fails because it expects a 512-byte value. Remove this leading 0.
Signed-off-by: Pascal Nasahl
(cherry picked from commit e134cd047ece7d9f147a40ab1f7bf584e85c42bb)
---
 sw/host/tests/crypto/rsa_kat/src/main.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sw/host/tests/crypto/rsa_kat/src/main.rs b/sw/host/tests/crypto/rsa_kat/src/main.rs
index 9a98c77fdef77..103db6c3abd6b 100644
--- a/sw/host/tests/crypto/rsa_kat/src/main.rs
+++ b/sw/host/tests/crypto/rsa_kat/src/main.rs
@@ -87,7 +87,13 @@ fn run_rsa_testcase(
 };
 // Convert the inputs into the expected format for the CL.
- let n: Vec<_> = test_case.n.iter().copied().rev().collect();
+ let mut n: Vec<_> = test_case.n.iter().copied().rev().collect();
+ // n in the wycheproof vectors seem to start with a leading 0.
+ if n.len() * u8::BITS as usize != test_case.security_level {
+ // Remove it.
+ assert_eq!(n.pop(), Some(0));
+ }
+ assert_eq!(n.len() * u8::BITS as usize, test_case.security_level);
 CryptotestCommand::Rsa.send(spi_console)?;
 let _operation = &match test_case.operation.as_str() {
From 3b947761aed223d3790cffa2c25c5e9bd0de86b4 Mon Sep 17 00:00:00 2001
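Review bot: The new length fix-up in `run_rsa_testcase` performs its mutation inside an assertion (`assert_eq!(n.pop(), Some(0))`) and runs for any length mismatch, so a modulus that is too short or more than one byte too long panics with a message about the popped byte rather than about the length. Stripping only in the exact case reads more clearly: `if n.last() == Some(&0) && (n.len() - 1) * u8::BITS as usize == test_case.security_level { n.pop(); }`, followed by the existing final length check with a message such as `"modulus length does not match security_level"`. The comment could state the cause instead of the observation, e.g. `// Wycheproof encodes big integers as two's-complement big-endian hex, so a modulus with the top bit set carries a 0x00 sign byte; after the reversal above it is the last element.` Since the function already propagates errors with `?`, returning an error here instead of panicking would presumably let the harness report the failing vector and continue, but the signature and the callers lie outside the hunk.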
From: Pascal Nasahl
Date: Wed, 5 Nov 2025 16:08:06 +0100
Subject: [PATCH 2/2] [cryptotest] Allow longer RSA signatures
Some tests in the wycheproof test vector set are error tests. In one of these error tests, a larger signature (514 instead of 512-bytes) is sent to the DUT. However, we currently limit the signature payload to 512- bytes, letting the test fail. The solution to this is simple, increase the max. number of signature bytes to 512-bytes. The CL now gets this 514-byte signature and internally fails, as expected by the test.
Signed-off-by: Pascal Nasahl
(cherry picked from commit 9ab271154d6052cd9dbe42168d60ebd57e855ea2)
---
 sw/device/tests/crypto/cryptotest/json/rsa_commands.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sw/device/tests/crypto/cryptotest/json/rsa_commands.h b/sw/device/tests/crypto/cryptotest/json/rsa_commands.h
index 9329782449fa1..2ce20e8fe1a20 100644
--- a/sw/device/tests/crypto/cryptotest/json/rsa_commands.h
+++ b/sw/device/tests/crypto/cryptotest/json/rsa_commands.h
@@ -13,7 +13,10 @@ extern "C" {
 #define RSA_CMD_MAX_MESSAGE_BYTES 512
 #define RSA_CMD_MAX_N_BYTES 512
-#define RSA_CMD_MAX_SIGNATURE_BYTES 512
+// There are some error test cases that send larger signatures than 512 bytes.
+// The cryptolib should detect this and abort with an error.
+// Accomodate for these additional bytes.
+#define RSA_CMD_MAX_SIGNATURE_BYTES 514
 // clang-format off
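Review bot: `RSA_CMD_MAX_SIGNATURE_BYTES` is now larger than `RSA_CMD_MAX_N_BYTES`, and the new comment relies on the cryptolib to reject the oversize input, so every device-side buffer or copy sized from the received signature length should be checked against the new bound; those handlers are not visible in this hunk. The literal 514 is tied to one specific negative vector, and a longer malformed signature would presumably still be rejected by the command framing rather than by the code under test. I would derive the constant and record where it comes from, e.g. `#define RSA_CMD_MAX_SIGNATURE_BYTES (RSA_CMD_MAX_N_BYTES + 2)` (if the macro's consumers accept a constant expression) with the comment `// The largest signature in the negative test vectors is two bytes longer than the modulus; the device must reject it by length.` The added comment also misspells "Accommodate" as "Accomodate".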