verify that mbedtls tests are passing.

h2o · Dec 4, 2023 · ba87767 · ba87767
1 parent a8e5a91
commit ba87767
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 21 deletions.
diff --git a/lib/mbedtls_sign.c b/lib/mbedtls_sign.c
@@ -36,7 +36,6 @@
 #include <psa/crypto.h>
 #include <psa/crypto_struct.h>
 #include <psa/crypto_values.h>
-#include "ptls_mbedtls.h"
 
 typedef struct st_ptls_mbedtls_signature_scheme_t {
     uint16_t scheme_id;
@@ -95,8 +94,6 @@ static int ptls_mbedtls_parse_der_length(const unsigned char* pem_buf, size_t pe
 static int ptls_mbedtls_parse_ecdsa_field(const unsigned char* pem_buf, size_t pem_len, size_t* key_index, size_t* key_length)
 {
     int ret = 0;
-    int param_index_index = -1;
-    int param_length = 0;
     size_t x = 0;
 
     // const unsigned char head = { 0x30, l-2, 0x02, 0x01, 0x01, 0x04 }
@@ -265,7 +262,6 @@ int test_parse_private_key_field(const unsigned char* pem_buf, size_t pem_len,
         /* At that point the oid has been identified.
         * The next parameter is an octet string containing the key info.
         */
-        size_t l = 0;
         if (x + 2 > pem_len ||
             pem_buf[x++]  != 0x04){
             ret = -1;
@@ -672,7 +668,7 @@ int ptls_mbedtls_load_private_key(ptls_context_t* ctx, char const* pem_fname)
     unsigned char* buf;
     mbedtls_pem_context pem = { 0 };
     mbedtls_pk_type_t pk_type = 0;
-    mbedtls_svc_key_id_t key_id = 0;
+    /* mbedtls_svc_key_id_t key_id = 0; */
     size_t key_length = 0;
     size_t key_index = 0;
     ptls_mbedtls_sign_certificate_t* signer = (ptls_mbedtls_sign_certificate_t*)malloc(sizeof(ptls_mbedtls_sign_certificate_t));

diff --git a/t/mbedtls.c b/t/mbedtls.c
@@ -34,6 +34,22 @@
 #include "../deps/picotest/picotest.h"
 #include "test.h"
 
+typedef struct st_ptls_mbedtls_signature_scheme_t {
+    uint16_t scheme_id;
+    psa_algorithm_t hash_algo;
+} ptls_mbedtls_signature_scheme_t;
+
+typedef struct st_ptls_mbedtls_sign_certificate_t {
+    ptls_sign_certificate_t super;
+    mbedtls_svc_key_id_t key_id;
+    psa_key_attributes_t attributes;
+    const ptls_mbedtls_signature_scheme_t * schemes;
+} ptls_mbedtls_sign_certificate_t;
+
+int ptls_mbedtls_sign_certificate(ptls_sign_certificate_t* _self, ptls_t* tls,
+    ptls_async_job_t** async, uint16_t* selected_algorithm,
+    ptls_buffer_t* outbuf, ptls_iovec_t input, const uint16_t* algorithms, size_t num_algorithms);
+
 static int random_trial()
 {
     /* The random test is just trying to check that we call the API properly.
@@ -118,9 +134,9 @@ Output buffer is already partially filled.
 #define ASSET_SECP521R1_KEY "t/assets/secp521r1/key.pem"
 #define ASSET_SECP256R1_PKCS8_KEY "t/assets/secp256r1-pkcs8/key.pem"
 
-void test_load_one_der_key(char const* path)
+int test_load_one_der_key(char const* path)
 {
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    int ret = -1;
     unsigned char hash[32];
     const unsigned char h0[32] = {
         1, 2, 3, 4, 5, 6, 7, 8,
@@ -129,11 +145,11 @@ void test_load_one_der_key(char const* path)
         25, 26, 27, 28, 29, 30, 31, 32
     };
     ptls_context_t ctx = { 0 };
-    psa_status_t status = 0;
 
     ret = ptls_mbedtls_load_private_key(&ctx, path);
     if (ret != 0) {
-        ok(ret == 0, "Cannot create sign_certificate from: %s\n", path);
+        printf("Cannot create sign_certificate from: %s\n", path);
+        ret = -1;
     }
     else if (ctx.sign_certificate == NULL) {
         printf("Sign_certificate not set in ptls context for: %s\n", path);
@@ -145,7 +161,6 @@ void test_load_one_der_key(char const* path)
         ptls_mbedtls_sign_certificate_t* signer = (ptls_mbedtls_sign_certificate_t*)
             (((unsigned char*)ctx.sign_certificate) - offsetof(struct st_ptls_mbedtls_sign_certificate_t, super));
         /* get the key algorithm */
-        psa_algorithm_t algo = psa_get_key_algorithm(&signer->attributes);
         ptls_buffer_t outbuf;
         uint8_t outbuf_smallbuf[256];
         ptls_iovec_t input = { hash, sizeof(hash) };
@@ -154,7 +169,8 @@ void test_load_one_der_key(char const* path)
         uint16_t algorithms[16];
         memcpy(hash, h0, 32);
         while (signer->schemes[num_algorithms].scheme_id != UINT16_MAX && num_algorithms < 16) {
-            algorithms[num_algorithms++] = signer->schemes[num_algorithms].scheme_id;
+            algorithms[num_algorithms] = signer->schemes[num_algorithms].scheme_id;
+            num_algorithms++;
         }
 
         ptls_buffer_init(&outbuf, outbuf_smallbuf, sizeof(outbuf_smallbuf));
@@ -170,28 +186,81 @@ void test_load_one_der_key(char const* path)
         ptls_buffer_dispose(&outbuf);
         ptls_mbedtls_dispose_sign_certificate(&signer->super);
     }
+    return ret;
+}
 
+static void test_load_rsa_key() 
+{
+    int ret = test_load_one_der_key(ASSET_RSA_KEY);
+
     if (ret != 0) {
         ok(!"fail");
         return;
     }
     ok(!!"success");
 }
 
-void test_sign_certificate(void)
+static void test_load_secp256r1_key()
 {
-    int ret = 0;
+    int ret = test_load_one_der_key(ASSET_SECP256R1_KEY);
+    if (ret != 0) {
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
+
+static void test_load_secp384r1_key()
+{   
+    int ret = test_load_one_der_key(ASSET_SECP384R1_KEY);
+    if (ret != 0) {
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
+
 
-    ok(test_load_one_der_key(ASSET_RSA_KEY));
-    ok(test_load_one_der_key(ASSET_SECP256R1_KEY));
-    ok(test_load_one_der_key(ASSET_SECP384R1_KEY));
-    ok(test_load_one_der_key(ASSET_SECP521R1_KEY));
-    ok(test_load_one_der_key(ASSET_SECP256R1_PKCS8_KEY));
-    ok(test_load_one_der_key(ASSET_RSA_PKCS8_KEY));
+static void test_load_secp521r1_key()
+{   
+    int ret = test_load_one_der_key(ASSET_SECP521R1_KEY);
+    if (ret != 0) { 
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
 
-    /* we do not test EDDSA keys, because they are not yet supported */
+static void test_load_secp256r1_pkcs8_key()
+{
+    int ret = test_load_one_der_key(ASSET_SECP256R1_PKCS8_KEY);
+    if (ret != 0) { 
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}   
 
-    return ret;
+static void test_load_rsa_pkcs8_key()
+{
+    int ret = test_load_one_der_key(ASSET_RSA_PKCS8_KEY);
+    if (ret != 0) {
+        ok(!"fail");
+        return;
+    }
+    ok(!!"success");
+}
+
+void test_sign_certificate(void)
+{    
+    subtest("load rsa key", test_load_rsa_key);
+    subtest("load secp256r1 key", test_load_secp256r1_key);
+    subtest("load secp384r1 key", test_load_secp384r1_key);
+    subtest("load secp521r1 key", test_load_secp521r1_key);
+    subtest("load secp521r1-pkcs8 key", test_load_secp256r1_pkcs8_key);
+    subtest("load rsa-pkcs8 key", test_load_rsa_pkcs8_key);
+
+    /* we do not test EDDSA keys, because they are not yet supported */
 }
 
 DEFINE_FFX_AES128_ALGORITHMS(mbedtls);