Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Design discussion: add new symbol for PSA key enrollment functions #8449

Closed
wants to merge 11 commits into from
Closed

Design discussion: add new symbol for PSA key enrollment functions #8449

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
9219f89
mbedtls_config: add new symbol MBEDTLS_PSA_ENABLE_KEY_ENROLLMENT
valeriosetti Oct 30, 2023
994c090
crypto_extra: add a new guard for set/get key enrollment alg functions
valeriosetti Oct 30, 2023
2ed0678
pk: do not set/get key enrollment alg when not available
valeriosetti Oct 30, 2023
ac46397
tests: fix tests for not using set/get key enrollment functions when …
valeriosetti Oct 30, 2023
8faea37
mbedtls_config: move to negative symbol for PSA key enrollment functions
valeriosetti Nov 3, 2023
c67f425
all.sh: add test component testing full without PSA key enrollment
valeriosetti Nov 3, 2023
cac023f
pk: improve code style in mbedtls_pk_can_do_ext()
valeriosetti Nov 3, 2023
d1eb93c
psa_crypto: remove usage of alg2 when key enrollment is disabled
valeriosetti Nov 3, 2023
04cdede
pk: return error if alg2 is set while DISABLE_KEY_ENROLLMENT is enabled
valeriosetti Nov 7, 2023
e204cfa
test_suite_ssl: skip test trying to set alg2
valeriosetti Nov 7, 2023
ad74536
ssl-opt: skip tests which try to set alg2
valeriosetti Nov 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions include/mbedtls/mbedtls_config.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1352,6 +1352,15 @@
*/
//#define MBEDTLS_PSA_CRYPTO_CLIENT

/**
* \def MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
*
* Disable support for set/get key enrollment functions in PSA.
*
* \warning This is an Mbed TLS extension to the standard PSA interface.
*/
// #define MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT

/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
*
* Make the PSA Crypto module use an external random generator provided
Expand Down
2 changes: 2 additions & 0 deletions include/psa/crypto_extra.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ extern "C" {
* @{
*/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing: removing the alg2 field from the context, and the code in psa_crypto.c that deals with it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, that's something I noticed as well. I didn't modify that part because, as I explained in my comment below, I was mostly focused on having a TLS/DTLS implementation which could work with standard PSA interface.
However I agree that this is something I can improve as well. I will try to fix this ASAP

#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
/** \brief Declare the enrollment algorithm for a key.
*
* An operation on a key may indifferently use the algorithm set with
Expand Down Expand Up @@ -73,6 +74,7 @@ static inline psa_algorithm_t psa_get_key_enrollment_algorithm(
{
return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2);
}
#endif /* !MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT */

#if defined(MBEDTLS_PSA_CRYPTO_SE_C)

Expand Down
6 changes: 6 additions & 0 deletions include/psa/crypto_struct.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,11 +188,17 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
struct psa_key_policy_s {
psa_key_usage_t MBEDTLS_PRIVATE(usage);
psa_algorithm_t MBEDTLS_PRIVATE(alg);
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
psa_algorithm_t MBEDTLS_PRIVATE(alg2);
#endif
};
typedef struct psa_key_policy_s psa_key_policy_t;

#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
#define PSA_KEY_POLICY_INIT { 0, 0, 0 }
#else
#define PSA_KEY_POLICY_INIT { 0, 0 }
#endif
static inline struct psa_key_policy_s psa_key_policy_init(void)
{
const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
Expand Down
27 changes: 26 additions & 1 deletion library/pk.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -311,7 +311,10 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
}

psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t key_alg, key_alg2;
psa_algorithm_t key_alg;
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
psa_algorithm_t key_alg2;
#endif
psa_status_t status;

status = psa_get_key_attributes(ctx->priv_id, &attributes);
Expand All @@ -320,7 +323,9 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
}

key_alg = psa_get_key_algorithm(&attributes);
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
#endif
key_usage = psa_get_key_usage_flags(&attributes);
psa_reset_key_attributes(&attributes);

Expand All @@ -335,9 +340,15 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
* This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
* a fixed hash on key_alg/key_alg2.
*/
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (alg == key_alg || alg == key_alg2) {
return 1;
}
#else
if (alg == key_alg) {
return 1;
}
#endif

/*
* If key_alg or key_alg2 is a hash-and-sign with a wildcard for the hash,
Expand All @@ -352,11 +363,13 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
return 1;
}

#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
(alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
return 1;
}
#endif
}

return 0;
Expand Down Expand Up @@ -905,9 +918,15 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
psa_set_key_bits(&attributes, bits);
psa_set_key_usage_flags(&attributes, usage);
psa_set_key_algorithm(&attributes, alg);
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (alg2 != PSA_ALG_NONE) {
psa_set_key_enrollment_algorithm(&attributes, alg2);
}
#else
if (alg2 != PSA_ALG_NONE) {
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
}
#endif

/* import private key into PSA */
status = psa_import_key(&attributes, d, d_len, key);
Expand Down Expand Up @@ -941,9 +960,15 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
psa_set_key_bits(&attributes, mbedtls_pk_get_bitlen(pk));
psa_set_key_usage_flags(&attributes, usage);
psa_set_key_algorithm(&attributes, alg);
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (alg2 != PSA_ALG_NONE) {
psa_set_key_enrollment_algorithm(&attributes, alg2);
}
#else
if (alg2 != PSA_ALG_NONE) {
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
}
#endif

/* import private key into PSA */
status = psa_import_key(&attributes,
Expand Down
11 changes: 10 additions & 1 deletion library/pk_wrap.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -964,17 +964,26 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
psa_status_t status;
psa_algorithm_t psa_sig_md;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg, alg2;
psa_algorithm_t alg;
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
psa_algorithm_t alg2;
#endif

status = psa_get_key_attributes(key_id, &key_attr);
if (status != PSA_SUCCESS) {
return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
}
alg = psa_get_key_algorithm(&key_attr);
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
alg2 = psa_get_key_enrollment_algorithm(&key_attr);
#endif
psa_reset_key_attributes(&key_attr);

#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) || PSA_ALG_IS_DETERMINISTIC_ECDSA(alg2)) {
#else
if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
#endif
psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
} else {
psa_sig_md = PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
Expand Down
2 changes: 2 additions & 0 deletions library/pkparse.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,8 +113,10 @@ static int pk_ecc_set_key(mbedtls_pk_context *pk,
/* Montgomery allows only ECDH, others ECDSA too */
if (pk->ec_family != PSA_ECC_FAMILY_MONTGOMERY) {
flags |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE;
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
psa_set_key_enrollment_algorithm(&attributes,
MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH));
#endif
}
psa_set_key_usage_flags(&attributes, flags);

Expand Down
16 changes: 15 additions & 1 deletion library/psa_crypto.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -997,10 +997,17 @@ static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
return PSA_ERROR_INVALID_ARGUMENT;
}

#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
return PSA_SUCCESS;
} else {
}
#else
if (psa_key_algorithm_permits(key_type, policy->alg, alg)) {
return PSA_SUCCESS;
}
#endif
else {
return PSA_ERROR_NOT_PERMITTED;
}
}
Expand Down Expand Up @@ -1031,18 +1038,25 @@ static psa_status_t psa_restrict_key_policy(
psa_algorithm_t intersection_alg =
psa_key_policy_algorithm_intersection(key_type, policy->alg,
constraint->alg);

#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
psa_algorithm_t intersection_alg2 =
psa_key_policy_algorithm_intersection(key_type, policy->alg2,
constraint->alg2);
#endif
if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
return PSA_ERROR_INVALID_ARGUMENT;
}
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
return PSA_ERROR_INVALID_ARGUMENT;
}
#endif
policy->usage &= constraint->usage;
policy->alg = intersection_alg;
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
policy->alg2 = intersection_alg2;
#endif
return PSA_SUCCESS;
}

Expand Down
4 changes: 4 additions & 0 deletions library/psa_crypto_storage.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,9 @@ void psa_format_key_data_for_storage(const uint8_t *data,
MBEDTLS_PUT_UINT16_LE((uint16_t) attr->bits, storage_format->bits, 0);
MBEDTLS_PUT_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
MBEDTLS_PUT_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
MBEDTLS_PUT_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
#endif
MBEDTLS_PUT_UINT32_LE(data_length, storage_format->data_len, 0);
memcpy(storage_format->key_data, data, data_length);
}
Expand Down Expand Up @@ -309,7 +311,9 @@ psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
attr->bits = MBEDTLS_GET_UINT16_LE(storage_format->bits, 0);
attr->policy.usage = MBEDTLS_GET_UINT32_LE(storage_format->policy, 0);
attr->policy.alg = MBEDTLS_GET_UINT32_LE(storage_format->policy, sizeof(uint32_t));
#if !defined(MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT)
attr->policy.alg2 = MBEDTLS_GET_UINT32_LE(storage_format->policy, 2 * sizeof(uint32_t));
#endif

return PSA_SUCCESS;
}
Expand Down
10 changes: 10 additions & 0 deletions tests/scripts/all.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2109,6 +2109,16 @@ component_test_full_deprecated_warning () {
tests/scripts/run_demos.py
}

component_test_full_no_psa_key_enrollment () {
msg "build: build full without PSA key enrollment support"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
make CC=gcc CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"

msg "test: test full without PSA key enrollment support"
make test
}

# Check that the specified libraries exist and are empty.
are_empty_libraries () {
nm "$@" >/dev/null 2>/dev/null
Expand Down
8 changes: 8 additions & 0 deletions tests/ssl-opt.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2351,6 +2351,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
run_test "TLS 1.3 opaque key: suitable algorithm found" \
"$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
"$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Expand Down Expand Up @@ -2380,6 +2381,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \
"$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs2=ecdsa-sign,none key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
"$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Expand Down Expand Up @@ -11975,6 +11977,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \
Expand All @@ -11993,6 +11996,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \
Expand All @@ -12010,6 +12014,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \
Expand All @@ -12028,6 +12033,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \
Expand All @@ -12045,6 +12051,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \
Expand All @@ -12063,6 +12070,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_disabled MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \
Expand Down
22 changes: 11 additions & 11 deletions tests/suites/test_suite_pk.data
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,11 +81,11 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: NONE/ECDSA(ANY_HASH), check ECDSA(SHA256)
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: NONE/ECDSA(SHA256), check ECDSA(SHA256)
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_ECDSA(PSA_ALG_SHA_256):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: ECDSA(SHA256)/NONE, invalid check ECDSA(ANY)
Expand Down Expand Up @@ -133,15 +133,15 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: ECDH/ECDSA(ANY), check ECDSA(SHA256)+DERIVE|SIGN
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: ECDH/ECDSA(ANY), check ECDSA(SHA256)+SIGN
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: ECDH/ECDSA(ANY), check ECDSA(SHA256)+DERIVE
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE:1

PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check not allowed COPY usage
Expand Down Expand Up @@ -181,11 +181,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: NONE, RSA_PKCS1V15_SIGN(ANY), check RSA_PKCS1V15_SIGN(SHA256)
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: NONE, RSA_PKCS1V15_SIGN(SHA256), check RSA_PKCS1V15_SIGN(SHA256)
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: RSA_PKCS1V15_SIGN(SHA256)/NONE, invalid check RSA_PKCS1V15_SIGN(ANY)
Expand Down Expand Up @@ -221,11 +221,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: NONE, RSA_PSS(ANY), check RSA_PSS(SHA256)
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: NONE, RSA_PSS(SHA256), check RSA_PSS(SHA256)
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: RSA_PSS(SHA256)/NONE, invalid check RSA_PSS(ANY)
Expand Down Expand Up @@ -273,15 +273,15 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1

PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check RSA_PSS(SHA256)
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_DECRYPT:1

PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check non allowed ENCRYPT usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT:0

PK can do ext: RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PSS(SHA256)
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:!MBEDTLS_PSA_DISABLE_KEY_ENROLLMENT
pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1

PK can do ext: RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PKCS1V15_SIGN(SHA256)
Expand Down
Loading