Fix edge case with half-supported ECDSA: automatic test cases
ECDSA has two variants: deterministic (PSA_ALG_DETERMINISTIC_ECDSA) and
randomized (PSA_ALG_ECDSA). The two variants are different for signature but
identical for verification. Mbed TLS accepts either variant as the algorithm
parameter for verification even when only the other variant is supported,
so we need to handle this as a special case when generating not-supported
test cases.

In this commit, suppress generated test cases for operation failures due to
unsupported ECDSA when exactly one of the two ECDSA variants is supported.
This edge case will only be tested manually (done in mbedtls or
TF-PSA-Crypto in the commit
"Fix edge case with half-supported ECDSA (manual test cases)").

Changes to the generated output: in
`test_suite_psa_crypto_op_fail.generated.data`, wherever one of
`!PSA_WANT_ALG_DETERMINISTIC_ECDSA` or `!PSA_WANT_ALG_ECDSA` appears as a
dependency, add the other one.

Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm committed Dec 16, 2024
1 parent 9ea044b commit a8ec932
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions scripts/generate_psa_tests.py
Expand Up @@ -266,6 +266,21 @@ def make_test_case(
if reason == self.Reason.NOT_SUPPORTED:
assert not_supported is not None
tc.assumes_not_supported(not_supported)
# Special case: if one of deterministic/randomized
# ECDSA is supported but not the other, then the one
# that is not supported in the signature direction is
# still supported in the verification direction,
# because the two verification algorithms are
# identical. This property is how Mbed TLS chooses to
# behave, the specification would also allow it to
# reject the algorithm. In the generated test cases,
# we avoid this difficulty by not running the
# not-supported test case when exactly one of the
# two variants is supported.
if not_supported == 'PSA_WANT_ALG_ECDSA':
tc.add_dependencies(['!PSA_WANT_ALG_DETERMINISTIC_ECDSA'])
if not_supported == 'PSA_WANT_ALG_DETERMINISTIC_ECDSA':
tc.add_dependencies(['!PSA_WANT_ALG_ECDSA'])
tc.set_arguments(arguments)
return tc
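
Review bot: The two `if not_supported == ...` checks at the end of the added block attach the extra negative dependency to every not-supported case for either ECDSA variant, while the comment above them only justifies the special case for the verification direction. As written, the signature-direction not-supported case is also skipped in a configuration where exactly one variant is enabled, even though signing with the missing variant should still be rejected there. If the operation category is available in `make_test_case`, consider restricting the added dependency to verification cases; otherwise say in the comment that the signature direction is deliberately dropped too and is covered by the manual test cases named in the commit message. Two smaller points: the conditions are mutually exclusive, so the second can be `elif` (or both can become a small mapping from each symbol to its counterpart), and "how Mbed TLS chooses to behave, the specification would also allow" in the comment reads better split into two sentences.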
