1
0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-10-23 18:18:57 +08:00

Move key type validation to crypto_knowledge

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
This commit is contained in:
gabor-mezei-arm
2021-06-28 20:02:11 +02:00
parent 5ea30377d3
commit 805c735a8b
3 changed files with 24 additions and 19 deletions

View File

@@ -19,7 +19,7 @@ This module is entirely based on the PSA API.
# limitations under the License. # limitations under the License.
import re import re
from typing import Iterable, Optional, Tuple from typing import Iterable, Optional, Tuple, Dict
from mbedtls_dev.asymmetric_key_data import ASYMMETRIC_KEY_DATA from mbedtls_dev.asymmetric_key_data import ASYMMETRIC_KEY_DATA
@@ -136,3 +136,18 @@ class KeyType:
return des3[:length] return des3[:length]
return b''.join([self.DATA_BLOCK] * (length // len(self.DATA_BLOCK)) + return b''.join([self.DATA_BLOCK] * (length // len(self.DATA_BLOCK)) +
[self.DATA_BLOCK[:length % len(self.DATA_BLOCK)]]) [self.DATA_BLOCK[:length % len(self.DATA_BLOCK)]])
KEY_TYPE_FOR_SIGNATURE = {
'PSA_KEY_USAGE_SIGN_HASH': '.*KEY_PAIR',
'PSA_KEY_USAGE_VERIFY_HASH': '.*KEY.*'
} #type: Dict[str, str]
"""Use a regexp to determine key types for which signature is possible
when using the actual usage flag.
"""
def is_valid_for_signature(self, usage: str) -> bool:
"""Determine if the key type is compatible with the specified
signitute type.
"""
# This is just temporaly solution for the implicit usage flags.
return re.match(self.KEY_TYPE_FOR_SIGNATURE[usage], self.name) is not None

View File

@@ -107,14 +107,6 @@ class Key:
} #type: Dict[str, str] } #type: Dict[str, str]
"""Mapping of usage flags to the flags that they imply.""" """Mapping of usage flags to the flags that they imply."""
IMPLICIT_USAGE_FLAGS_KEY_RESTRICTION = {
'PSA_KEY_USAGE_SIGN_HASH': '.*KEY_PAIR',
'PSA_KEY_USAGE_VERIFY_HASH': '.*KEY.*'
} #type: Dict[str, str]
"""Use a regexp to determine key types for which signature is possible
when using the actual usage flag.
"""
def __init__(self, *, def __init__(self, *,
version: Optional[int] = None, version: Optional[int] = None,
id: Optional[int] = None, #pylint: disable=redefined-builtin id: Optional[int] = None, #pylint: disable=redefined-builtin

View File

@@ -488,32 +488,30 @@ class StorageFormatV0(StorageFormat):
self, self,
implyer_usage: str, implyer_usage: str,
alg: str, alg: str,
key_type: str, key_type: crypto_knowledge.KeyType
params: Optional[Iterable[str]] = None
) -> StorageKey: ) -> StorageKey:
# pylint: disable=too-many-locals # pylint: disable=too-many-locals
"""Generate test keys for the specified implicit usage flag, """Generate test keys for the specified implicit usage flag,
algorithm and key type combination. algorithm and key type combination.
""" """
kt = crypto_knowledge.KeyType(key_type, params) bits = key_type.sizes_to_test()[0]
bits = kt.sizes_to_test()[0]
implicit_usage = StorageKey.IMPLICIT_USAGE_FLAGS[implyer_usage] implicit_usage = StorageKey.IMPLICIT_USAGE_FLAGS[implyer_usage]
usage_flags = 'PSA_KEY_USAGE_EXPORT' usage_flags = 'PSA_KEY_USAGE_EXPORT'
material_usage_flags = usage_flags + ' | ' + implyer_usage material_usage_flags = usage_flags + ' | ' + implyer_usage
expected_usage_flags = material_usage_flags + ' | ' + implicit_usage expected_usage_flags = material_usage_flags + ' | ' + implicit_usage
alg2 = 0 alg2 = 0
key_material = kt.key_material(bits) key_material = key_type.key_material(bits)
usage_expression = re.sub(r'PSA_KEY_USAGE_', r'', implyer_usage) usage_expression = re.sub(r'PSA_KEY_USAGE_', r'', implyer_usage)
alg_expression = re.sub(r'PSA_ALG_', r'', alg) alg_expression = re.sub(r'PSA_ALG_', r'', alg)
alg_expression = re.sub(r',', r', ', re.sub(r' +', r'', alg_expression)) alg_expression = re.sub(r',', r', ', re.sub(r' +', r'', alg_expression))
key_type_expression = re.sub(r'\bPSA_(?:KEY_TYPE|ECC_FAMILY)_', key_type_expression = re.sub(r'\bPSA_(?:KEY_TYPE|ECC_FAMILY)_',
r'', r'',
kt.expression) key_type.expression)
description = 'implied by {}: {} {} {}-bit'.format( description = 'implied by {}: {} {} {}-bit'.format(
usage_expression, alg_expression, key_type_expression, bits) usage_expression, alg_expression, key_type_expression, bits)
return StorageKey(version=self.version, return StorageKey(version=self.version,
id=1, lifetime=0x00000001, id=1, lifetime=0x00000001,
type=kt.expression, bits=bits, type=key_type.expression, bits=bits,
usage=material_usage_flags, usage=material_usage_flags,
expected_usage=expected_usage_flags, expected_usage=expected_usage_flags,
alg=alg, alg2=alg2, alg=alg, alg2=alg2,
@@ -575,14 +573,14 @@ class StorageFormatV0(StorageFormat):
# flag to generate a valid key for exercising. The key is generated # flag to generate a valid key for exercising. The key is generated
# without usage extension to check the extension compatiblity. # without usage extension to check the extension compatiblity.
alg_with_keys = self.gather_key_types_for_sign_alg() alg_with_keys = self.gather_key_types_for_sign_alg()
key_filter = StorageKey.IMPLICIT_USAGE_FLAGS_KEY_RESTRICTION
for usage in sorted(StorageKey.IMPLICIT_USAGE_FLAGS, key=str): for usage in sorted(StorageKey.IMPLICIT_USAGE_FLAGS, key=str):
for alg in sorted(alg_with_keys): for alg in sorted(alg_with_keys):
for key_type in sorted(alg_with_keys[alg]): for key_type in sorted(alg_with_keys[alg]):
# The key types must be filtered to fit the specific usage flag. # The key types must be filtered to fit the specific usage flag.
if re.match(key_filter[usage], key_type): kt = crypto_knowledge.KeyType(key_type)
yield self.keys_for_implicit_usage(usage, alg, key_type) if kt.is_valid_for_signature(usage):
yield self.keys_for_implicit_usage(usage, alg, kt)
def generate_all_keys(self) -> List[StorageKey]: def generate_all_keys(self) -> List[StorageKey]:
keys = super().generate_all_keys() keys = super().generate_all_keys()