
Commit ccae338

frkvbjarki-andreasen
authored andcommitted
crypto: tests: psa_core_lite: Fix ECDSA/Oberon PSA core unit tests
-Fixes issues with ECDSA and Oberon PSA crypto unit-tests -generalized init of public key attributes to be used both for provisioning keys and invalid KMU tests -Made test_invalid_kmu try to overwrite/destroy keys of the same algorithm as the overlays (was favoring Ed25519, before) -Added some Mbed TLS 3.6.3 related configs for key storage. These are only relevant for Oberon PSA crypto: -CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS to avoid heap-dependency -CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE (to support P-256 key) -Fixed a typo -Fixed some matching criteria for "algorithm and curve" (was _ANY, should have been _ALL) Signed-off-by: Frank Audun Kvamtrø <[email protected]>
1 parent 45fa07c commit ccae338


2 files changed

+77
-36
lines changed


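--- a/tests/subsys/nrf_security/psa_core_lite/prj.conf
+++ b/tests/subsys/nrf_security/psa_core_lite/prj.conf
@@ -18,3 +18,7 @@ CONFIG_LOG=y
 # Enable nordic security backend and PSA APIs
 CONFIG_NRF_SECURITY=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+
+# Only relevant for Oberon PSA Crypto
+CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS=y
+CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE=65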
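Review bot: The value `65` for `CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` is not explained in the file; only the commit message says it is sized for a P-256 key, which matches a 65-byte uncompressed SECP256R1 public key. A comment such as `# 65 bytes: uncompressed P-256 public key (0x04 || X || Y)` above the option would record that bound where the next person adding a key type will see it. With static key slots, a key larger than this buffer presumably fails at import rather than falling back to the heap, so the limit is worth stating next to the number.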

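--- a/tests/subsys/nrf_security/psa_core_lite/src/main.c
+++ b/tests/subsys/nrf_security/psa_core_lite/src/main.c
@@ -253,15 +253,10 @@ static void set_kmu_key_attributes(psa_key_attributes_t *attributes, mbedtls_svc
 psa_set_key_bits(attributes, key_bits);
 }
 
-static void provision_ed25519_public_key(mbedtls_svc_key_id_t key_id,
-psa_key_persistence_t persistence,
-uint8_t key_buffer[ED25519_PUBKEY_SIZE])
+static void init_attributes_ed25519_public_key(mbedtls_svc_key_id_t key_id,
+psa_key_persistence_t persistence,
+psa_key_attributes_t *attributes)
 {
-psa_status_t err;
-uint8_t temp_buffer[ED25519_PUBKEY_SIZE];
-const size_t pubkey_size = ED25519_PUBKEY_SIZE;
-size_t key_length;
-psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 /* KMU currently doesn't support stating Ed25519ph, using Ed25519 for both */
 psa_algorithm_t alg = PSA_ALG_PURE_EDDSA;
 psa_key_type_t key_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS);
@@ -271,7 +266,37 @@ static void provision_ed25519_public_key(mbedtls_svc_key_id_t key_id,
 psa_key_usage_t usage = PSA_KEY_USAGE_VERIFY_MESSAGE;
 size_t key_bits = 255;
 
-set_kmu_key_attributes(&attributes, key_id, alg, lifetime, usage, key_type, key_bits);
+set_kmu_key_attributes(attributes, key_id, alg, lifetime, usage, key_type, key_bits);
+}
+
+static void init_attributes_ecdsa_secp256r1_public_key(mbedtls_svc_key_id_t key_id,
+psa_key_persistence_t persistence,
+psa_key_attributes_t *attributes)
+{
+
+/* KMU currently doesn't support stating Deterministic ECDSA, using ECDSA for both */
+psa_algorithm_t alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+psa_key_type_t key_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
+psa_key_lifetime_t lifetime =
+PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+persistence, PSA_KEY_LOCATION_CRACEN_KMU);
+psa_key_usage_t usage = PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_VERIFY_HASH;
+size_t key_bits = 256;
+
+set_kmu_key_attributes(attributes, key_id, alg, lifetime, usage, key_type, key_bits);
+}
+
+static void provision_ed25519_public_key(mbedtls_svc_key_id_t key_id,
+psa_key_persistence_t persistence,
+uint8_t key_buffer[ED25519_PUBKEY_SIZE])
+{
+psa_status_t err;
+uint8_t temp_buffer[ED25519_PUBKEY_SIZE];
+const size_t pubkey_size = ED25519_PUBKEY_SIZE;
+size_t key_length;
+psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+init_attributes_ed25519_public_key(key_id, persistence, &attributes);
 
 err = psa_import_key(&attributes, key_buffer, pubkey_size, &key_id);
 zassert_equal(err, PSA_SUCCESS, "Failed to import Ed25519 key. slot_id: %d, err: %d",
@@ -300,16 +325,8 @@ static void provision_ecdsa_secp256r1_public_key(mbedtls_svc_key_id_t key_id,
 const size_t pubkey_size = ECDSA_SECP256R1_PUBKEY_SIZE;
 size_t key_length;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-/* KMU currently doesn't support stating Deterministic ECDSA, using ECDSA for both */
-psa_algorithm_t alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
-psa_key_type_t key_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
-psa_key_lifetime_t lifetime =
-PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-persistence, PSA_KEY_LOCATION_CRACEN_KMU);
-psa_key_usage_t usage = PSA_KEY_USAGE_VERIFY_MESSAGE;
-size_t key_bits = 256;
 
-set_kmu_key_attributes(&attributes, key_id, alg, lifetime, usage, key_type, key_bits);
+init_attributes_ecdsa_secp256r1_public_key(key_id, persistence, &attributes);
 
 err = psa_import_key(&attributes, key_buffer, pubkey_size, &key_id);
 zassert_equal(err, PSA_SUCCESS,
@@ -380,7 +397,7 @@ static void provision_keys(void)
 }
 
 /* Ed25519ph public key */
-if (IS_ENABLED_ALL(PSA_WANT_ALG_PURE_EDDSA, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
+if (IS_ENABLED_ALL(PSA_WANT_ALG_ED25519PH, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
 provision_ed25519_public_key(KMU_KEY_ID_PUBKEY_ED25519PH_REVOKABLE,
 CRACEN_KEY_PERSISTENCE_REVOKABLE,
 ed25519ph_pubkey);
@@ -782,13 +799,13 @@ static void test_lock_keys(void)
 {
 bool ran_lock = false;
 
-if (IS_ENABLED_ANY(PSA_WANT_ALG_PURE_EDDSA, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
+if (IS_ENABLED_ALL(PSA_WANT_ALG_PURE_EDDSA, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
 /* Try to lock the read-only Ed25519 key */
 lock_key(KMU_KEY_ID_PUBKEY_ED25519_READ_ONLY);
 ran_lock = true;
 }
 
-if (IS_ENABLED_ANY(PSA_WANT_ALG_ED25519PH, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
+if (IS_ENABLED_ALL(PSA_WANT_ALG_ED25519PH, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
 /* Try to lock the read-only Ed25519ph key */
 lock_key(KMU_KEY_ID_PUBKEY_ED25519PH_READ_ONLY);
 ran_lock = true;
@@ -815,28 +832,48 @@ static void test_lock_keys(void)
 void test_invalid_kmu(void)
 {
 psa_status_t err;
-mbedtls_svc_key_id_t key_id = KMU_KEY_ID_PUBKEY_ED25519_READ_ONLY;
-const size_t pubkey_size = ED25519_PUBKEY_SIZE;
-psa_key_persistence_t persistence = CRACEN_KEY_PERSISTENCE_READ_ONLY;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-/* KMU currently doesn't support stating Ed25519ph, using Ed25519 for both */
-psa_algorithm_t alg = PSA_ALG_PURE_EDDSA;
-psa_key_type_t key_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS);
-psa_key_lifetime_t lifetime =
-PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-persistence, PSA_KEY_LOCATION_CRACEN_KMU);
-psa_key_usage_t usage = PSA_KEY_USAGE_VERIFY_MESSAGE;
-size_t key_bits = 255;
 
-set_kmu_key_attributes(&attributes, key_id, alg, lifetime, usage, key_type, key_bits);
+mbedtls_svc_key_id_t key_id;
+mbedtls_svc_key_id_t imported_key_id;
+uint8_t *pubkey_buffer;
+size_t pubkey_size;
 
-/* Try to import on already existing */
-err = psa_import_key(&attributes, ed25519_pubkey, pubkey_size, &key_id);
+if (IS_ENABLED_ALL(PSA_WANT_ALG_PURE_EDDSA, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
+key_id = KMU_KEY_ID_PUBKEY_ED25519_READ_ONLY;
+pubkey_size = ED25519_PUBKEY_SIZE;
+pubkey_buffer = ed25519_pubkey;
+
+init_attributes_ed25519_public_key(key_id, CRACEN_KEY_PERSISTENCE_READ_ONLY,
+&attributes);
+} else if (IS_ENABLED_ALL(PSA_WANT_ALG_ED25519PH, PSA_WANT_ECC_TWISTED_EDWARDS_255)) {
+key_id = KMU_KEY_ID_PUBKEY_ED25519PH_READ_ONLY;
+pubkey_size = ED25519_PUBKEY_SIZE;
+pubkey_buffer = ed25519ph_pubkey;
+
+init_attributes_ed25519_public_key(key_id, CRACEN_KEY_PERSISTENCE_READ_ONLY,
+&attributes);
+} else if (UTIL_AND(IS_ENABLED_ANY(PSA_WANT_ALG_ECDSA, PSA_WANT_ALG_DETERMINISTIC_ECDSA),
+IS_ENABLED_ALL(PSA_WANT_ALG_SHA_256, PSA_WANT_ECC_SECP_R1_256))) {
+key_id = KMU_KEY_ID_PUBKEY_SECP256R1_READ_ONLY;
+pubkey_size = ECDSA_SECP256R1_PUBKEY_SIZE;
+pubkey_buffer = ecdsa_secp256r1_pubkey;
+
+init_attributes_ecdsa_secp256r1_public_key(key_id, CRACEN_KEY_PERSISTENCE_READ_ONLY,
+&attributes);
+} else {
+zassert_false(true, "No valid public key for invalid KMU test");
+return;
+}
+
+/* Try to import on already existing key */
+err = psa_import_key(&attributes, pubkey_buffer, pubkey_size, &imported_key_id);
 zassert_equal(err, PSA_ERROR_ALREADY_EXISTS,
 "Failed on import on existing (expected PSA_ERROR_ALREADY_EXISTS) slot_id: %d, err: %d",
 KMU_GET_SLOT_ID(key_id), err);
 
-err = psa_destroy_key(KMU_KEY_ID_PUBKEY_ED25519_READ_ONLY);
+/* Try to destroy an existing read-only key */
+err = psa_destroy_key(key_id);
 zassert_equal(err, PSA_ERROR_NOT_PERMITTED,
 "Failed on erase of read-only-key (expected PSA_ERROR_ALREADY_EXISTS) slot_id: %d, err: %d",
 KMU_GET_SLOT_ID(key_id), err);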
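Review bot: The failure text on the `psa_destroy_key(key_id)` assertion at the end of the last hunk still says `expected PSA_ERROR_ALREADY_EXISTS` although the check compares against `PSA_ERROR_NOT_PERMITTED`, so a regression in read-only enforcement would be logged with the wrong expectation; the string should read `"Failed on erase of read-only-key (expected PSA_ERROR_NOT_PERMITTED) slot_id: %d, err: %d"`. In the same function the new `if`/`else if` chain selects only the first enabled key family, so a build that enables both Ed25519 and SECP256R1 never checks that the SECP256R1 read-only slot rejects import and destroy; a comment such as `/* Exercises only the first enabled key family */` above the chain would make that limit explicit. `init_attributes_ecdsa_secp256r1_public_key` also widens the key usage policy to `PSA_KEY_USAGE_VERIFY_HASH`, which the Ed25519 helper does not grant, and deserves a one-line reason next to the `usage` assignment. `test_invalid_kmu` continues past the end of the hunk.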
