PSA_IMPORT_KEY introduction. #399
Conversation
…d e2e-tests. Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
hug-dev
added
the
platforms
A new function was added to simplify importing ECC keys. Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
…DER encoded format. Few tests adaptations. Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
There was a problem hiding this comment.
Thanks a lot, really great to see the test also working on the Mbed Crypto provider that will help us a lot 👌
Just added one more request and then I am fine on my side.
I will let @ionut-arm give his review also, so that you don't have to push too many time!
| if !client.is_operation_supported(Opcode::PsaImportKey) { | ||
| return Ok(()); | ||
| } | ||
|
|
||
| client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())?; | ||
| let status = client | ||
| .import_ecc_public_secp_r1_ecdsa_sha256_key(key_name, KEY_PAIR_ECC.to_vec()) | ||
| .import_ecc_public_secp_r1_ecdsa_sha256_key(key_name, ECC_KEY_PAIR.to_vec()) |
There was a problem hiding this comment.
I guess it makes no difference here as we check if the key already exists (so that the code does not go as far as parsing it), but I think it should be ECC_PUBLIC_KEY.
| // Things do never get better... | ||
| // Things never get better... |
| @@ -406,5 +416,5 @@ fn import_ecc_private_key() { | |||
| return; | |||
There was a problem hiding this comment.
Can you also execute this test on the Mbed Crypto provider 😄? That way we will be sure that both the formats for the public key and key pair are correct 👌
There was a problem hiding this comment.
Done. And it looks like Mbed Crypto uses just the raw private key octet string from the whole structure.
Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
RobertDrazkowskiGL
force-pushed
the
calib-psa-import-key
branch
from
aa15896
to
19b22ee
Compare
| socket_path = "/tmp/parsec.sock" | ||
|
|
||
| [authenticator] | ||
| auth_type = "Direct" |
There was a problem hiding this comment.
Are these files supposed to be used for manual testing/playing around with the service locally, or do you intend to present them to admins as a starting place for configuring the service with an ATECC device? If it's the former then you can disregard this comment, but otherwise I'd say auth_type = "UnixPeerCredentials" is a better choice.
There was a problem hiding this comment.
So far, we do not have such far-reaching plans. These files are here to make our life easier when we run tests.
And the e2e-tests depend on auth_type = "Direct", therefore I recommend to leave it that way.
| @@ -238,6 +320,7 @@ fn check_format_import3() -> Result<()> { | |||
| Ok(()) | |||
| } | |||
|
|
|||
| #[cfg(not(feature = "cryptoauthlib-provider"))] | |||
| #[test] | |||
| fn failed_imported_key_should_be_removed() -> Result<()> { | |||
There was a problem hiding this comment.
Instead of skipping the test completely, any chance you could make public_key and attributes conditional and have it try to import an ECC key for CALib? Or even just modifying the last import call to succeed in the CAL provider
Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
The next operation, with dedicated tests. The largest changes are in tests, the implementation is pretty straightforward.
Signed-off-by: Robert Drazkowski Robert.Drazkowski@globallogic.com