1 /* Copyright (c) 2024 Nordic Semiconductor
2 * SPDX-License-Identifier: Apache-2.0
3 */
4 #include <zephyr/ztest.h>
5 #include <zephyr/psa/key_ids.h>
6 #include <zephyr/sys/util.h>
7 #include <psa/crypto.h>
8 #include <psa/internal_trusted_storage.h>
9 #include <psa/protected_storage.h>
10
/*
 * Register the test suite. Every hook argument is NULL, so no predicate and no
 * setup/before/after/teardown function is installed: persistent entries created
 * under ID are only removed by the tests themselves, and a test that fails
 * part-way may leave them behind in storage.
 */
ZTEST_SUITE(secure_storage_psa_crypto, NULL, NULL, NULL, NULL, NULL);

/*
 * One identifier is deliberately reused as ITS UID, PS UID and persistent key
 * ID throughout this file. It is the first ID of the application key ID range.
 */
#define ID ZEPHYR_PSA_APPLICATION_KEY_ID_RANGE_BEGIN
/* Key description shared by all tests: a 256-bit AES key used in CBC mode without padding. */
#define KEY_TYPE PSA_KEY_TYPE_AES
#define ALG PSA_ALG_CBC_NO_PADDING
#define KEY_BITS 256
17
/**
 * Populate @p key_attributes with the key description used by every test in
 * this file: a persistent key stored under ID, of type KEY_TYPE and KEY_BITS
 * bits, whose policy allows encryption and decryption with ALG only.
 *
 * @param key_attributes Attribute set to overwrite; any previous content is
 *                       replaced by a freshly initialized value first.
 */
static void fill_key_attributes(psa_key_attributes_t *key_attributes)
{
	const psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;

	/* Start from the initial state so no field carries over from an earlier use. */
	*key_attributes = psa_key_attributes_init();

	/* Placement: persistent lifetime first, then the fixed test identifier. */
	psa_set_key_lifetime(key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
	psa_set_key_id(key_attributes, ID);

	/* Policy: the key may only encrypt/decrypt, and only with ALG. */
	psa_set_key_usage_flags(key_attributes, usage);
	psa_set_key_algorithm(key_attributes, ALG);

	/* Shape of the key material. */
	psa_set_key_type(key_attributes, KEY_TYPE);
	psa_set_key_bits(key_attributes, KEY_BITS);
}
28
/**
 * Assert that two attribute sets describe the same key.
 *
 * Compares, in this order: lifetime, usage flags, key ID, key type, permitted
 * algorithm and key size in bits. Each comparison is a ztest assertion, so the
 * first mismatch fails the running test.
 *
 * @param l First attribute set.
 * @param r Second attribute set.
 */
static void compare_key_attributes(const psa_key_attributes_t *l, const psa_key_attributes_t *r)
{
	/* Placement and policy: a stored key must come back with the same lifetime and usage. */
	zassert_equal(psa_get_key_lifetime(l), psa_get_key_lifetime(r));
	zassert_equal(psa_get_key_usage_flags(l), psa_get_key_usage_flags(r));
	zassert_equal(psa_get_key_id(l), psa_get_key_id(r));
	/* Key shape and the single algorithm the policy permits. */
	zassert_equal(psa_get_key_type(l), psa_get_key_type(r));
	zassert_equal(psa_get_key_algorithm(l), psa_get_key_algorithm(r));
	zassert_equal(psa_get_key_bits(l), psa_get_key_bits(r));
}
38
/**
 * Fill a buffer with bytes from the PSA random generator.
 *
 * The running test fails if psa_generate_random() does not return PSA_SUCCESS.
 *
 * @param data Buffer to fill.
 * @param size Number of bytes to write to @p data.
 */
static void fill_data(uint8_t *data, size_t size)
{
	const psa_status_t status = psa_generate_random(data, size);

	zassert_equal(status, PSA_SUCCESS);
}
43
/**
 * Check that an ITS entry, a PS entry and a persistent PSA Crypto key can all
 * live under the same numeric identifier without affecting one another.
 *
 * Distinct random payloads are written to ITS and PS under ID, then a key is
 * generated under ID as well. Each store must afterwards return exactly what
 * was put into it, and removing the ITS and PS entries must leave the key
 * intact. If the three shared one namespace, an application write to a UID
 * could overwrite stored key material, or a read could return it.
 *
 * NOTE(review): the test name suggests the key store is itself a caller of
 * ITS; that layering is not visible in this file - confirm against the
 * secure storage implementation.
 */
ZTEST(secure_storage_psa_crypto, test_its_caller_isolation)
{
	psa_status_t status;
	psa_key_attributes_t wanted_attributes;
	psa_key_attributes_t stored_attributes;
	psa_key_id_t generated_id;
	uint8_t readback[32];
	size_t readback_length;
	uint8_t its_data[sizeof(readback)];
	uint8_t ps_data[sizeof(readback)];

	/*
	 * The two payloads have to differ, otherwise reading one store's entry
	 * back through the other API would go unnoticed.
	 */
	fill_data(its_data, sizeof(its_data));
	fill_data(ps_data, sizeof(ps_data));
	zassert_true(memcmp(its_data, ps_data, sizeof(readback)));

	/* Same UID in both storage APIs. */
	status = psa_its_set(ID, sizeof(its_data), its_data, PSA_STORAGE_FLAG_NONE);
	zassert_equal(status, PSA_SUCCESS);
	status = psa_ps_set(ID, sizeof(ps_data), ps_data, PSA_STORAGE_FLAG_NONE);
	zassert_equal(status, PSA_SUCCESS);

	/* And the same number again as a persistent key identifier. */
	fill_key_attributes(&wanted_attributes);
	status = psa_generate_key(&wanted_attributes, &generated_id);
	zassert_equal(status, PSA_SUCCESS);
	zassert_equal(generated_id, ID);
	/*
	 * Ask the implementation to drop cached copies of the key from memory,
	 * so the attribute lookup further down is not served from a cache only.
	 */
	status = psa_purge_key(ID);
	zassert_equal(status, PSA_SUCCESS);

	/* ITS still holds its own payload, untouched by the PS write and the key. */
	status = psa_its_get(ID, 0, sizeof(readback), readback, &readback_length);
	zassert_equal(status, PSA_SUCCESS);
	zassert_equal(readback_length, sizeof(readback));
	zassert_mem_equal(readback, its_data, sizeof(readback));
	status = psa_its_remove(ID);
	zassert_equal(status, PSA_SUCCESS);
	/* A second removal must report that the entry is really gone. */
	status = psa_its_remove(ID);
	zassert_equal(status, PSA_ERROR_DOES_NOT_EXIST);

	/* PS still holds its own payload, even after the ITS entry was removed. */
	status = psa_ps_get(ID, 0, sizeof(readback), readback, &readback_length);
	zassert_equal(status, PSA_SUCCESS);
	zassert_equal(readback_length, sizeof(readback));
	zassert_mem_equal(readback, ps_data, sizeof(readback));
	status = psa_ps_remove(ID);
	zassert_equal(status, PSA_SUCCESS);
	status = psa_ps_remove(ID);
	zassert_equal(status, PSA_ERROR_DOES_NOT_EXIST);

	/* The key survived both removals and kept the attributes it was created with. */
	status = psa_get_key_attributes(ID, &stored_attributes);
	zassert_equal(status, PSA_SUCCESS);
	compare_key_attributes(&stored_attributes, &wanted_attributes);
	status = psa_destroy_key(ID);
	zassert_equal(status, PSA_SUCCESS);
	/* Once destroyed, the identifier must no longer resolve to a key. */
	status = psa_get_key_attributes(ID, &stored_attributes);
	zassert_equal(status, PSA_ERROR_INVALID_HANDLE);
}
96
/**
 * Check that an imported persistent key stays usable by ID for encryption and
 * decryption, including after psa_purge_key() has been called on it.
 *
 * Random key material is imported under ID, 1024 random bytes are encrypted
 * and decrypted with it, and the result must match the input. The key is
 * purged after the import and after each cipher operation, and destroyed at
 * the end; a second destroy must fail with PSA_ERROR_INVALID_HANDLE.
 */
ZTEST(secure_storage_psa_crypto, test_persistent_key_usage)
{
	/*
	 * The three 1 KiB-class buffers are static rather than automatic,
	 * presumably to keep them off the test thread's stack.
	 */
	static uint8_t plaintext[1024];
	static uint8_t ciphertext[PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(KEY_TYPE, ALG, sizeof(plaintext))];
	static uint8_t decrypted_text[sizeof(plaintext)];
	psa_status_t status;
	psa_key_attributes_t wanted_attributes;
	psa_key_id_t imported_id;
	/*
	 * Raw key bytes. They stay in this stack buffer after the import and are
	 * not wiped; tolerable for a throwaway random test key only.
	 */
	uint8_t key_material[KEY_BITS / BITS_PER_BYTE];
	size_t ciphertext_length;
	size_t decrypted_length;

	fill_key_attributes(&wanted_attributes);
	fill_data(key_material, sizeof(key_material));
	status = psa_import_key(&wanted_attributes, key_material, sizeof(key_material),
				&imported_id);
	zassert_equal(status, PSA_SUCCESS);
	zassert_equal(imported_id, ID);
	/*
	 * Drop cached copies of the key from memory, so the cipher operation
	 * below cannot rely on the copy left over from the import.
	 */
	status = psa_purge_key(ID);
	zassert_equal(status, PSA_SUCCESS);

	/*
	 * ALG is CBC without padding, so the input length has to be a whole
	 * number of cipher blocks; 1024 bytes satisfies that for AES.
	 */
	fill_data(plaintext, sizeof(plaintext));
	status = psa_cipher_encrypt(ID, ALG, plaintext, sizeof(plaintext),
				    ciphertext, sizeof(ciphertext), &ciphertext_length);
	zassert_equal(status, PSA_SUCCESS);
	/* The output must fill the buffer sized by PSA_CIPHER_ENCRYPT_OUTPUT_SIZE exactly. */
	zassert_equal(ciphertext_length, sizeof(ciphertext));
	status = psa_purge_key(ID);
	zassert_equal(status, PSA_SUCCESS);

	/* Decrypt with the key referenced by ID again after the purge. */
	status = psa_cipher_decrypt(ID, ALG, ciphertext, ciphertext_length,
				    decrypted_text, sizeof(decrypted_text), &decrypted_length);
	zassert_equal(status, PSA_SUCCESS);
	zassert_equal(decrypted_length, sizeof(plaintext));
	/* Round trip: only the key that was imported can reproduce the plaintext. */
	zassert_mem_equal(plaintext, decrypted_text, sizeof(plaintext));
	status = psa_purge_key(ID);
	zassert_equal(status, PSA_SUCCESS);

	/* Clean up, and confirm the identifier no longer resolves to a key afterwards. */
	status = psa_destroy_key(ID);
	zassert_equal(status, PSA_SUCCESS);
	status = psa_destroy_key(ID);
	zassert_equal(status, PSA_ERROR_INVALID_HANDLE);
}
138