cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-03 12:11:27 -05:00
Code Issues Packages Projects Releases Wiki Activity

add key policy enforcement implementation

Browse Source 
add checks that keys have been set for the correct usage for asymmetric
functions.
This commit is contained in:
Nir Sonnenschein 2018-06-04 16:45:27 +03:00 committed by itayzafrir
parent ca466c89b0
commit d708260de4
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
library/psa_crypto.c
View File

@ -1345,6 +1345,8 @@ psa_status_t psa_asymmetric_verify(psa_key_slot_t key,
slot = &global_data.key_slots[key];
if( slot->type == PSA_KEY_TYPE_NONE )
return( PSA_ERROR_EMPTY_SLOT );
if (!(slot->policy.usage & PSA_KEY_USAGE_VERIFY))
return(PSA_ERROR_NOT_PERMITTED);
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
@ -1431,6 +1433,8 @@ psa_status_t psa_asymmetric_encrypt(psa_key_slot_t key,
return( PSA_ERROR_EMPTY_SLOT );
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
if (!(slot->policy.usage & PSA_KEY_USAGE_ENCRYPT))
return(PSA_ERROR_NOT_PERMITTED);
#if defined(MBEDTLS_RSA_C)
@ -1505,6 +1509,8 @@ psa_status_t psa_asymmetric_decrypt(psa_key_slot_t key,
return( PSA_ERROR_EMPTY_SLOT );
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
if (!(slot->policy.usage & PSA_KEY_USAGE_DECRYPT))
return(PSA_ERROR_NOT_PERMITTED);
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )

26
tests/suites/test_suite_psa_crypto.function
View File

@ -595,6 +595,7 @@ void asymmetric_verify_fail( int key_type_arg, char *key_hex,
size_t signature_size;
psa_status_t actual_status;
psa_status_t expected_status = expected_status_arg;
psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@ -605,6 +606,12 @@ void asymmetric_verify_fail( int key_type_arg, char *key_hex,
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
psa_key_policy_init( &policy );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_VERIFY, alg_arg );
TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@ -643,6 +650,7 @@ void asymmetric_encrypt( int key_type_arg, char *key_hex,
unsigned char *output2 = NULL;
size_t output2_size = 0;
size_t output2_length = 0;
psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@ -657,6 +665,10 @@ void asymmetric_encrypt( int key_type_arg, char *key_hex,
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
psa_key_policy_init( &policy );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg_arg );
TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@ -710,6 +722,7 @@ void asymmetric_encrypt_fail( int key_type_arg, char *key_hex,
size_t output_length = 0;
psa_status_t actual_status;
psa_status_t expected_status = expected_status_arg;
psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@ -721,6 +734,10 @@ void asymmetric_encrypt_fail( int key_type_arg, char *key_hex,
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
psa_key_policy_init( &policy );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT, alg_arg );
TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@ -774,6 +791,10 @@ void asymmetric_decrypt( int key_type_arg, char *key_hex,
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
psa_key_policy_init( &policy );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg_arg );
TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@ -818,6 +839,7 @@ void asymmetric_decrypt_fail( int key_type_arg, char *key_hex,
size_t output_length = 0;
psa_status_t actual_status;
psa_status_t expected_status = expected_status_arg;
psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@ -829,6 +851,10 @@ void asymmetric_decrypt_fail( int key_type_arg, char *key_hex,
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
psa_key_policy_init( &policy );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg_arg );
TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );