diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index fb604271d..c141704b5 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -157,6 +157,7 @@ add_test_suite(psa_crypto_persistent_key) add_test_suite(psa_crypto_se_driver_hal) add_test_suite(psa_crypto_se_driver_hal_mocks) add_test_suite(psa_crypto_slot_management) +add_test_suite(psa_crypto_storage_format psa_crypto_storage_format.misc) add_test_suite(psa_its) add_test_suite(random) add_test_suite(rsa) diff --git a/tests/suites/test_suite_psa_crypto_storage_format.function b/tests/suites/test_suite_psa_crypto_storage_format.function new file mode 100644 index 000000000..662ad9466 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_storage_format.function @@ -0,0 +1,223 @@ +/* BEGIN_HEADER */ + +#include + +#include +#include + +#include + +/** Write a key with the given attributes and key material to storage. + * Test that it has the expected representation. + * + * On error, including if the key representation in storage differs, + * mark the test case as failed and return 0. On success, return 1. + */ +static int test_written_key( const psa_key_attributes_t *attributes, + const data_t *material, + psa_storage_uid_t uid, + const data_t *expected_representation ) +{ + mbedtls_svc_key_id_t created_key_id = MBEDTLS_SVC_KEY_ID_INIT; + uint8_t *actual_representation = NULL; + size_t length; + struct psa_storage_info_t storage_info; + int ok = 0; + + /* Create a key with the given parameters. */ + PSA_ASSERT( psa_import_key( attributes, material->x, material->len, + &created_key_id ) ); + TEST_ASSERT( mbedtls_svc_key_id_equal( psa_get_key_id( attributes ), + created_key_id ) ); + + /* Check that the key is represented as expected. */ + PSA_ASSERT( psa_its_get_info( uid, &storage_info ) ); + TEST_EQUAL( storage_info.size, expected_representation->len ); + ASSERT_ALLOC( actual_representation, storage_info.size ); + PSA_ASSERT( psa_its_get( uid, 0, storage_info.size, + actual_representation, &length ) ); + ASSERT_COMPARE( expected_representation->x, expected_representation->len, + actual_representation, length ); + + ok = 1; + +exit: + mbedtls_free( actual_representation ); + return( ok ); +} + +/** Check if a key is exportable. */ +static int can_export( const psa_key_attributes_t *attributes ) +{ + if( psa_get_key_usage_flags( attributes ) & PSA_KEY_USAGE_EXPORT ) + return( 1 ); + else if( PSA_KEY_TYPE_IS_PUBLIC_KEY( psa_get_key_type( attributes ) ) ) + return( 1 ); + else + return( 0 ); +} + +/** Write a key with the given representation to storage, then check + * that it has the given attributes and (if exportable) key material. + * + * On error, including if the key representation in storage differs, + * mark the test case as failed and return 0. On success, return 1. + */ +static int test_read_key( const psa_key_attributes_t *expected_attributes, + const data_t *expected_material, + psa_storage_uid_t uid, + const data_t *representation, + int exercise ) +{ + psa_key_attributes_t actual_attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t key_id = psa_get_key_id( expected_attributes ); + struct psa_storage_info_t storage_info; + int ok = 0; + uint8_t *exported_material = NULL; + size_t length; + + /* Prime the storage with a key file. */ + PSA_ASSERT( psa_its_set( uid, representation->len, representation->x, 0 ) ); + + /* Check that the injected key exists and looks as expected. */ + PSA_ASSERT( psa_get_key_attributes( key_id, &actual_attributes ) ); + TEST_ASSERT( mbedtls_svc_key_id_equal( key_id, + psa_get_key_id( &actual_attributes ) ) ); + TEST_EQUAL( psa_get_key_lifetime( expected_attributes ), + psa_get_key_lifetime( &actual_attributes ) ); + TEST_EQUAL( psa_get_key_type( expected_attributes ), + psa_get_key_type( &actual_attributes ) ); + TEST_EQUAL( psa_get_key_bits( expected_attributes ), + psa_get_key_bits( &actual_attributes ) ); + TEST_EQUAL( psa_get_key_usage_flags( expected_attributes ), + psa_get_key_usage_flags( &actual_attributes ) ); + TEST_EQUAL( psa_get_key_algorithm( expected_attributes ), + psa_get_key_algorithm( &actual_attributes ) ); + TEST_EQUAL( psa_get_key_enrollment_algorithm( expected_attributes ), + psa_get_key_enrollment_algorithm( &actual_attributes ) ); + if( can_export( expected_attributes ) ) + { + ASSERT_ALLOC( exported_material, expected_material->len ); + PSA_ASSERT( psa_export_key( key_id, + exported_material, expected_material->len, + &length ) ); + ASSERT_COMPARE( expected_material->x, expected_material->len, + exported_material, length ); + } + + if( exercise ) + { + TEST_ASSERT( mbedtls_test_psa_exercise_key( + key_id, + psa_get_key_usage_flags( expected_attributes ), + psa_get_key_algorithm( expected_attributes ) ) ); + } + + /* Destroy the key. Confirm through direct access to the storage. */ + PSA_ASSERT( psa_destroy_key( key_id ) ); + TEST_EQUAL( PSA_ERROR_DOES_NOT_EXIST, + psa_its_get_info( uid, &storage_info ) ); + + ok = 1; + +exit: + psa_reset_key_attributes( &actual_attributes ); + psa_its_remove( uid ); + mbedtls_free( exported_material ); + return( ok ); +} + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_STORAGE_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void key_storage_save( int lifetime_arg, int type_arg, int bits_arg, + int usage_arg, int alg_arg, int alg2_arg, + data_t *material, + data_t *representation ) +{ + /* Forward compatibility: save a key in the current format and + * check that it has the expected format so that future versions + * will still be able to read it. */ + + psa_key_lifetime_t lifetime = lifetime_arg; + psa_key_type_t type = type_arg; + size_t bits = bits_arg; + psa_key_usage_t usage = usage_arg; + psa_algorithm_t alg = alg_arg; + psa_algorithm_t alg2 = alg2_arg; + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 0, 1 ); + psa_storage_uid_t uid = 1; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_INIT( ); + TEST_USES_KEY_ID( key_id ); + + psa_set_key_lifetime( &attributes, lifetime ); + psa_set_key_id( &attributes, key_id ); + psa_set_key_type( &attributes, type ); + psa_set_key_bits( &attributes, bits ); + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_enrollment_algorithm( &attributes, alg2 ); + + /* This is the current storage format. Test that we know exactly how + * the key is stored. The stability of the test data in future + * versions of the Mbed TLS will guarantee that future versions + * can read back what this version wrote. */ + TEST_ASSERT( test_written_key( &attributes, material, + uid, representation ) ); + +exit: + psa_reset_key_attributes( &attributes ); + psa_destroy_key( key_id ); + PSA_DONE( ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void key_storage_read( int lifetime_arg, int type_arg, int bits_arg, + int usage_arg, int alg_arg, int alg2_arg, + data_t *material, + data_t *representation, int exercise ) +{ + /* Backward compatibility: read a key in the format of a past version + * and check that this version can use it. */ + + psa_key_lifetime_t lifetime = lifetime_arg; + psa_key_type_t type = type_arg; + size_t bits = bits_arg; + psa_key_usage_t usage = usage_arg; + psa_algorithm_t alg = alg_arg; + psa_algorithm_t alg2 = alg2_arg; + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 0, 1 ); + psa_storage_uid_t uid = 1; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_INIT( ); + TEST_USES_KEY_ID( key_id ); + + psa_set_key_lifetime( &attributes, lifetime ); + psa_set_key_id( &attributes, key_id ); + psa_set_key_type( &attributes, type ); + psa_set_key_bits( &attributes, bits ); + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_enrollment_algorithm( &attributes, alg2 ); + + /* Test that we can use a key with the given representation. This + * guarantees backward compatibility with keys that were stored by + * past versionf of Mbed TLS. */ + TEST_ASSERT( test_read_key( &attributes, material, + uid, representation, exercise ) ); + +exit: + psa_reset_key_attributes( &attributes ); + psa_destroy_key( key_id ); + PSA_DONE( ); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto_storage_format.misc.data b/tests/suites/test_suite_psa_crypto_storage_format.misc.data new file mode 100644 index 000000000..114c402a2 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_storage_format.misc.data @@ -0,0 +1,13 @@ +# The following two manually crafted test cases are redundant with +# systematically generated test cases, but useful to have as an anchor when +# debugging changes to the test code or to the test case generation. + +PSA storage read: AES-GCM+CTR +#depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:PSA_WANT_ALG_CTR +depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_CTR_C +key_storage_read:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_GCM:PSA_ALG_CTR:"404142434445464748494a4b4c4d4e4f":"505341004b45590000000000010000000024800001010000000250050010c00410000000404142434445464748494a4b4c4d4e4f":1 + +PSA storage save: AES-GCM+CTR +#depends_on:PSA_WANT_KEY_TYPE_AES +depends_on:MBEDTLS_AES_C +key_storage_save:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_GCM:PSA_ALG_CTR:"404142434445464748494a4b4c4d4e4f":"505341004b45590000000000010000000024800001010000000250050010c00410000000404142434445464748494a4b4c4d4e4f"