Remove ad hoc is_valid_for_signature method

Use the new generic is_public method. Impact on generated cases: there are new HMAC test cases for SIGN_HASH. It was a bug that these test cases were previously not generated. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-22 16:55:42 +01:00 · 2022-03-17 12:52:24 +01:00 · 2022-03-17 12:52:24 +01:00 · 989c13dece
commit 989c13dece
parent a16d8fcee9
3 changed files with 42 additions and 19 deletions
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@ -20,7 +20,7 @@ This module is entirely based on the PSA API.

 import enum
 import re
-from typing import Dict, Iterable, Optional, Pattern, Tuple
+from typing import Iterable, Optional, Tuple

 from mbedtls_dev.asymmetric_key_data import ASYMMETRIC_KEY_DATA

@ -176,21 +176,6 @@ class KeyType:
        return b''.join([self.DATA_BLOCK] * (length // len(self.DATA_BLOCK)) +
                        [self.DATA_BLOCK[:length % len(self.DATA_BLOCK)]])

-    KEY_TYPE_FOR_SIGNATURE = {
-        'PSA_KEY_USAGE_SIGN_HASH': re.compile('.*KEY_PAIR'),
-        'PSA_KEY_USAGE_VERIFY_HASH': re.compile('.*KEY.*')
-    } #type: Dict[str, Pattern]
-    """Use a regexp to determine key types for which signature is possible
-       when using the actual usage flag.
-    """
-    def is_valid_for_signature(self, usage: str) -> bool:
-        """Determine if the key type is compatible with the specified
-           signitute type.
-
-        """
-        # This is just temporaly solution for the implicit usage flags.
-        return re.match(self.KEY_TYPE_FOR_SIGNATURE[usage], self.name) is not None
-
    def can_do(self, alg: 'Algorithm') -> bool:
        """Whether this key type can be used for operations with the given algorithm.

--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@ -204,7 +204,7 @@ class NotSupported:
                continue
                # For public key we expect that key generation fails with
                # INVALID_ARGUMENT. It is handled by KeyGenerate class.
-            if not kt.name.endswith('_PUBLIC_KEY'):
+            if not kt.is_public():
                yield test_case_for_key_type_not_supported(
                    'generate', kt.expression, bits,
                    finish_family_dependencies(generate_dependencies, bits),
@ -820,8 +820,10 @@ class StorageFormatV0(StorageFormat):
                for key_type in sorted(alg_with_keys[alg]):
                    # The key types must be filtered to fit the specific usage flag.
                    kt = crypto_knowledge.KeyType(key_type)
-                    if kt.is_valid_for_signature(usage):
-                        yield self.keys_for_implicit_usage(usage, alg, kt)
+                    if kt.is_public() and '_SIGN_' in usage:
+                        # Can't sign with a public key
+                        continue
+                    yield self.keys_for_implicit_usage(usage, alg, kt)

    def generate_all_keys(self) -> Iterator[StorageTestData]:
        yield from super().generate_all_keys()
--- a/tests/suites/test_suite_psa_crypto_storage_format.v0.data
+++ b/tests/suites/test_suite_psa_crypto_storage_format.v0.data
@ -2140,6 +2140,42 @@ PSA storage read: implied by SIGN_HASH: ED448PH ECC_KEY_PAIR(TWISTED_EDWARDS) 25
 depends_on:PSA_WANT_ALG_ED448PH:PSA_WANT_ECC_TWISTED_EDWARDS_255:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
 key_storage_read:0x0001:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS):255:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ED448PH:0x0000:"9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60":"505341004b45590000000000010000004271ff00011000001509000600000000200000009d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60":TEST_FLAG_EXERCISE

+PSA storage read: implied by SIGN_HASH: HMAC(MD2) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_MD2:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_MD2):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000001008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(MD4) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_MD4:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_MD4):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000002008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(MD5) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_MD5:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_MD5):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000003008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(RIPEMD160) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_RIPEMD160:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_RIPEMD160):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000004008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(SHA_1) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_1:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_SHA_1):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000005008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(SHA_224) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_224:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_SHA_224):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000008008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(SHA_256) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_SHA_256):0x0000:"48657265006973206b6579a064617461":"505341004b4559000000000001000000001180000110000009008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(SHA_384) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_SHA_384):0x0000:"48657265006973206b6579a064617461":"505341004b455900000000000100000000118000011000000a008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
+PSA storage read: implied by SIGN_HASH: HMAC(SHA_512) HMAC 128-bit
+depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_HMAC
+key_storage_read:0x0001:PSA_KEY_TYPE_HMAC:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_HMAC(PSA_ALG_SHA_512):0x0000:"48657265006973206b6579a064617461":"505341004b455900000000000100000000118000011000000b008003000000001000000048657265006973206b6579a064617461":TEST_FLAG_EXERCISE
+
 PSA storage read: implied by SIGN_HASH: RSA_PKCS1V15_SIGN(SHA_256) RSA_KEY_PAIR 1024-bit
 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
 key_storage_read:0x0001:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0x0000:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"505341004b455900000000000100000001700004011000000902000600000000620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":TEST_FLAG_EXERCISE