diff --git a/framework b/framework index 77f707a557..ee399cc257 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 77f707a5576c5bdd1ff9463c7b25d2488497f57e +Subproject commit ee399cc257e84c2c5328d866335053d05b3b169c diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 8b6a1daee5..130c427c4f 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -315,6 +315,16 @@ mbedtls_x509_san_list; */ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); + +/** + * \brief Return the key's type as a string. + * + * \param[in] pk A mbedtls_pk_context struct containing the pk_key_type to + convert + * \return Returns a string describing the key type. + */ +const char *mbedtls_x509_pk_type_as_string(const mbedtls_pk_context *pk); + /** * \brief Convert the certificate DN string \p name into * a linked list of mbedtls_x509_name (equivalent to diff --git a/library/x509.c b/library/x509.c index 1adff8fafc..d7bc5d2dfb 100644 --- a/library/x509.c +++ b/library/x509.c @@ -122,6 +122,23 @@ int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end, return 0; } +/* + * Convert the key type to a string + */ +const char *mbedtls_x509_pk_type_as_string(const mbedtls_pk_context *pk) +{ + psa_key_type_t key_type; + + key_type = mbedtls_pk_get_key_type(pk); + if (PSA_KEY_TYPE_IS_RSA(key_type)) { + return "RSA"; + } else if (PSA_KEY_TYPE_IS_ECC(key_type)) { + return "EC"; + } else { + return "NONE"; + } +} + /* * Convert md type to string */ diff --git a/library/x509_crt.c b/library/x509_crt.c index 61dca746a3..59c3204467 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1806,7 +1806,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, /* Key size */ if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON, - mbedtls_pk_get_name(&crt->pk))) != 0) { + mbedtls_x509_pk_type_as_string(&crt->pk))) != 0) { return ret; } diff --git a/library/x509_csr.c b/library/x509_csr.c index 32a3bb2e78..3e8e407b26 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -551,7 +551,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, MBEDTLS_X509_SAFE_SNPRINTF; if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON, - mbedtls_pk_get_name(&csr->pk))) != 0) { + mbedtls_x509_pk_type_as_string(&csr->pk))) != 0) { return ret; } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index b099fded5a..a7ef41aa15 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1770,7 +1770,7 @@ usage: mbedtls_printf(" ok (key type: %s)\n", strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ? - mbedtls_pk_get_name(&pkey) : "none"); + mbedtls_x509_pk_type_as_string(&pkey) : "none"); #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ /* diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 64fd45952f..805b4ef1c8 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2723,8 +2723,8 @@ usage: } mbedtls_printf(" ok (key types: %s, %s)\n", - key_cert_init ? mbedtls_pk_get_name(&pkey) : "none", - key_cert_init2 ? mbedtls_pk_get_name(&pkey2) : "none"); + key_cert_init ? mbedtls_x509_pk_type_as_string(&pkey) : "none", + key_cert_init2 ? mbedtls_x509_pk_type_as_string(&pkey2) : "none"); #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(SNI_OPTION) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 22377b8d04..ab727e6a48 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2266,7 +2266,7 @@ run_test "Opaque key for client authentication: ECDHE-ECDSA" \ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \ 0 \ - -c "key type: Opaque" \ + -c "key type: EC" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ -s "Verifying peer X.509 certificate... ok" \ -s "Ciphersuite is TLS-ECDHE-ECDSA" \ @@ -2284,7 +2284,7 @@ run_test "Opaque key for client authentication: ECDHE-RSA" \ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ - -c "key type: Opaque" \ + -c "key type: RSA" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ -s "Verifying peer X.509 certificate... ok" \ -s "Ciphersuite is TLS-ECDHE-RSA" \ @@ -2302,7 +2302,7 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ - -s "key types: Opaque, none" \ + -s "key types: EC, none" \ -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ -C "error" @@ -2315,7 +2315,7 @@ run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with debug_level=1" \ "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \ 1 \ - -s "key types: Opaque, none" \ + -s "key types: EC, none" \ -s "got ciphersuites in common, but none of them usable" \ -s "error" \ -c "error" @@ -2334,7 +2334,7 @@ run_test "Opaque keys for server authentication: EC keys with different algs, -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ -c "CN=Polarssl Test EC CA" \ - -s "key types: Opaque, Opaque" \ + -s "key types: EC, EC" \ -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ -C "error" @@ -2352,7 +2352,7 @@ run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ -c "CN=Polarssl Test EC CA" \ - -s "key types: Opaque, Opaque" \ + -s "key types: EC, RSA" \ -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ -C "error" @@ -2365,8 +2365,8 @@ run_test "TLS 1.3 opaque key: no suitable algorithm found" \ "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \ 1 \ - -c "key type: Opaque" \ - -s "key types: Opaque, Opaque" \ + -c "key type: RSA" \ + -s "key types: RSA, EC" \ -c "error" \ -s "no suitable signature algorithm" @@ -2378,8 +2378,8 @@ run_test "TLS 1.3 opaque key: suitable algorithm found" \ "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \ "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \ 0 \ - -c "key type: Opaque" \ - -s "key types: Opaque, Opaque" \ + -c "key type: RSA" \ + -s "key types: RSA, EC" \ -C "error" \ -S "error" @@ -2391,7 +2391,7 @@ run_test "TLS 1.3 opaque key: first client sig alg not suitable" \ "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pss-sha512,none" \ "$P_CLI debug_level=4 sig_algs=rsa_pss_rsae_sha256,rsa_pss_rsae_sha512" \ 0 \ - -s "key types: Opaque, Opaque" \ + -s "key types: RSA, EC" \ -s "CertificateVerify signature failed with rsa_pss_rsae_sha256" \ -s "CertificateVerify signature with rsa_pss_rsae_sha512" \ -C "error" \ @@ -2405,8 +2405,8 @@ run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \ "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs2=ecdsa-sign,none key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \ "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,rsa-sign-pss" \ 0 \ - -c "key type: Opaque" \ - -s "key types: Opaque, Opaque" \ + -c "key type: RSA" \ + -s "key types: RSA, EC" \ -C "error" \ -S "error" \ @@ -2422,7 +2422,7 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ - -s "key types: Opaque, none" \ + -s "key types: RSA, none" \ -s "Ciphersuite is TLS-ECDHE-RSA" \ -S "error" \ -C "error" @@ -2437,7 +2437,7 @@ run_test "Opaque key for server authentication: ECDHE-RSA, PSS instead of PKC "$P_CLI crt_file=$DATA_FILES_PATH/server2-sha256.crt \ key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \ 1 \ - -s "key types: Opaque, none" \ + -s "key types: RSA, none" \ -s "got ciphersuites in common, but none of them usable" \ -s "error" \ -c "error" @@ -2457,7 +2457,7 @@ run_test "Opaque keys for server authentication: RSA keys with different algs -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ -c "CN=Polarssl Test EC CA" \ - -s "key types: Opaque, Opaque" \ + -s "key types: RSA, RSA" \ -s "Ciphersuite is TLS-ECDHE-RSA" \ -S "error" \ -C "error" @@ -2477,7 +2477,7 @@ run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-RSA" \ -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ -c "CN=Polarssl Test EC CA" \ - -s "key types: Opaque, Opaque" \ + -s "key types: EC, RSA" \ -s "Ciphersuite is TLS-ECDHE-RSA" \ -S "error" \ -C "error" @@ -2492,10 +2492,10 @@ run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \ "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \ 0 \ - -c "key type: Opaque" \ + -c "key type: EC" \ -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ - -s "key types: Opaque, none" \ + -s "key types: EC, none" \ -s "Verifying peer X.509 certificate... ok" \ -s "Ciphersuite is TLS-ECDHE-ECDSA" \ -S "error" \ @@ -2512,10 +2512,10 @@ run_test "Opaque key for client/server authentication: ECDHE-RSA" \ "$P_CLI force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ - -c "key type: Opaque" \ + -c "key type: RSA" \ -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ - -s "key types: Opaque, none" \ + -s "key types: RSA, none" \ -s "Verifying peer X.509 certificate... ok" \ -s "Ciphersuite is TLS-ECDHE-RSA" \ -S "error" \ diff --git a/tf-psa-crypto b/tf-psa-crypto index 2025c77606..f7ad6b6931 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 2025c776064a418406cb83d66fff06624d0e3734 +Subproject commit f7ad6b6931e179c2e40b3d04f3e6d207a7e3c36e