psa_generate_key should return INVALID_ARGUMENT for a public key type #4551

Closed
hug-dev opened this issue May 24, 2021 · 3 comments · Fixed by #5037

hug-dev commented May 24, 2021

In the PSA Crypto documentation it is written for psa_generate_key returned errors:

PSA_ERROR_INVALID_ARGUMENT
The key type is an asymmetric public key type.

However the following snippet:

#include <stdio.h>
#include <psa/crypto.h>

int main(void)
{
    psa_status_t status;
    psa_key_handle_t key_pair_handle;

    status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
            printf("Init failed (status = %d)\n", status);
            return 1;
    }

    /* The attributes request a persistent ECC *public* key, not a key pair. */
    psa_key_attributes_t key_pair_attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_set_key_id(&key_pair_attributes, 1);
    psa_set_key_lifetime(&key_pair_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_usage_flags(&key_pair_attributes, PSA_KEY_USAGE_VERIFY_HASH);
    psa_set_key_algorithm(&key_pair_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
    psa_set_key_type(&key_pair_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP_R1));
    psa_set_key_bits(&key_pair_attributes, 256U);

    /* Call under test: generating a key of a public key type. */
    status = psa_generate_key(&key_pair_attributes, &key_pair_handle);
    if (status != PSA_SUCCESS) {
            printf("Key generation failed (status = %d)\n", status);
            return 1;
    }

    return 0;
}

prints

Key generation failed (status = -134)

which is PSA_ERROR_NOT_SUPPORTED (instead of -135).

Maybe I am wrong and PSA_ERROR_NOT_SUPPORTED is also a valid return value here!

This was tested with mbedtls-2.25.0.

@gilles-peskine-arm

PSA_ERROR_NOT_SUPPORTED is a valid return value for psa_generate_key, but it's meant for cases like requesting an RSA private key when the implementation is built without RSA support. If you attempt to generate a public key, PSA_ERROR_INVALID_ARGUMENT makes more sense.
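
The distinction drawn in the comment above, as an added example (not Mbed TLS code and not the change made in #5037): a request for a public key type is rejected as a caller error before build support is considered. The `ex_`/`EX_` names, the `ex_build` structure and the check function are hypothetical, and the key type encodings are assumed to follow the PSA Crypto API 1.0 layout.

```c
#include <stdint.h>
#include <stdio.h>
/* Local stand-ins so this builds without Mbed TLS (assumption: key type
 * encodings follow the PSA Crypto API 1.0 layout; check your own headers).
 * The two error values are the ones quoted in the issue. */
typedef int32_t ex_status_t;
typedef uint16_t ex_key_type_t;

#define EX_SUCCESS                0
#define EX_ERROR_NOT_SUPPORTED    (-134)
#define EX_ERROR_INVALID_ARGUMENT (-135)
#define EX_CATEGORY_MASK          0x7000
#define EX_CATEGORY_PUBLIC_KEY    0x4000
#define EX_TYPE_RSA_PUBLIC_KEY    0x4001
#define EX_TYPE_RSA_KEY_PAIR      0x7001
#define EX_TYPE_ECC_R1_PUBLIC_KEY 0x4112  /* ECC public key, SECP R1 family */
#define EX_TYPE_ECC_R1_KEY_PAIR   0x7112

/* Hypothetical build configuration: which key families are compiled in. */
struct ex_build { int has_rsa; int has_ecc; };

/* Hypothetical pre-check for a key generation entry point. */
ex_status_t ex_check_generate_type(ex_key_type_t type, const struct ex_build *b)
{
    /* Caller error first: a public key is derived from a key pair, never
     * generated, whatever the build supports. */
    if ((type & EX_CATEGORY_MASK) == EX_CATEGORY_PUBLIC_KEY)
        return EX_ERROR_INVALID_ARGUMENT;

    /* Only a well-formed request can be "not supported" by this build. */
    switch (type) {
    case EX_TYPE_RSA_KEY_PAIR:
        return b->has_rsa ? EX_SUCCESS : EX_ERROR_NOT_SUPPORTED;
    case EX_TYPE_ECC_R1_KEY_PAIR:
        return b->has_ecc ? EX_SUCCESS : EX_ERROR_NOT_SUPPORTED;
    default:
        return EX_ERROR_NOT_SUPPORTED;
    }
}

int main(void)
{
    const struct ex_build no_rsa = { 0, 1 };  /* constructed: built without RSA */
    printf("ECC public key: %d\n", (int)ex_check_generate_type(EX_TYPE_ECC_R1_PUBLIC_KEY, &no_rsa));
    printf("RSA public key: %d\n", (int)ex_check_generate_type(EX_TYPE_RSA_PUBLIC_KEY, &no_rsa));
    printf("RSA key pair:   %d\n", (int)ex_check_generate_type(EX_TYPE_RSA_KEY_PAIR, &no_rsa));
    printf("ECC key pair:   %d\n", (int)ex_check_generate_type(EX_TYPE_ECC_R1_KEY_PAIR, &no_rsa));
    return 0;
}
```

With RSA compiled out, the RSA public key type still yields -135 while the RSA key pair type yields -134, which is the split between the two codes that the comment describes.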

@gilles-peskine-arm gilles-peskine-arm changed the title psa_generate_key maybe returns wrong error psa_generate_key should return INVALID_ARGUMENT for a public key type May 25, 2021
@gilles-peskine-arm gilles-peskine-arm added bug component-psa PSA keystore/dispatch layer (storage, drivers, …) good-first-issue Good for newcomers Product Backlog labels May 25, 2021
@gilles-peskine-arm gilles-peskine-arm added the help-wanted This issue is not being actively worked on, but PRs welcome. label May 25, 2021
mprse commented Oct 6, 2021

@gilles-peskine-arm I reproduced this locally. Can I investigate this one?

@gilles-peskine-arm

@mprse Yes, please!

@mprse mprse self-assigned this Oct 6, 2021
bensze01 added a commit to bensze01/psa-arch-tests that referenced this issue Nov 8, 2021
Test psa_generate_key with RSA 2048 Public key

Changed the error code from PSA_ERROR_NOT_SUPPORTED to
PSA_ERROR_INVALID_ARGUMENT as in the documentation of
psa_generate_key() returned values:
"PSA_ERROR_INVALID_ARGUMENT The key type is an asymmetric public key type."

See:
Mbed-TLS/mbedtls#4551
Mbed-TLS/mbedtls#5037
Mbed-TLS/mbedtls#5038

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
bensze01 added a commit to bensze01/psa-arch-tests that referenced this issue Nov 10, 2021
bensze01 added a commit to bensze01/psa-arch-tests that referenced this issue Jan 12, 2022