From 5ae6c62247343d4c60618b374101cba42a645a1a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 27 Nov 2025 14:38:22 +0100 Subject: [PATCH 1/4] tests: x509parse: transition tests based on secp192 curves to secp256 After some analysis it was determined that the previous test data does not seem to belong to the "framework/data_files" certificate files. Therefore new test data has been generated from scratch. The improvement compared to the previous situation is that comments have been added on top of each test in order to explain how to recreate new test data. Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509parse.data | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 14e7afa740..e90f6b96fb 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -2391,13 +2391,25 @@ X509 CRT ASN1 (ECDSA signature, RSA key) depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_SOME_ECDSA x509parse_crt:"3081e630819e020103300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3133303731303039343631385a170d3233303730383039343631385a300f310d300b0603550403130454657374304c300d06092a864886f70d0101010500033b003038023100e8f546061d3b49bc2f6b7524b7ea4d73a8d5293ee8c64d9407b70b5d16baebc32b8205591eab4e1eb57e9241883701250203010001300906072a8648ce3d0401033800303502186e18209afbed14a0d9a796efcad68891e3ccd5f75815c833021900e92b4fd460b1994693243b9ffad54729de865381bda41d25":"cert. version \: 1\nserial number \: 03\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 09\:46\:18\nexpires on \: 2023-07-08 09\:46\:18\nsigned using \: ECDSA with SHA1\nRSA key size \: 384 bits\n":0 +# This was generated as follows: +# 1. generate EC key -> openssl ecparam -name secp256r1 -genkey -noout -out secp256.key +# 2. generate CSR -> openssl req -new -key secp256.key -out secp256.csr -subj "/CN=Test/" +# 3. generate CRT -> openssl x509 -req -in secp256.csr -sha1 -signkey secp256.key -days 3650 -set_serial 0xf41534662ec7e912 -out secp256.crt -outform DER +# 4. get generated DER content -> xxd -ps secp256.crt X509 CRT ASN1 (ECDSA signature, EC key) -depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1 -x509parse_crt:"3081eb3081a3020900f41534662ec7e912300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3133303731303039343031395a170d3233303730383039343031395a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d030101033200042137969fabd4e370624a0e1a33e379cab950cce00ef8c3c3e2adaeb7271c8f07659d65d3d777dcf21614363ae4b6e617300906072a8648ce3d04010338003035021858cc0f957946fe6a303d92885a456aa74c743c7b708cbd37021900fe293cac21af352d16b82eb8ea54e9410b3abaadd9f05dd6":"cert. 
version \: 1\nserial number \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 09\:40\:19\nexpires on \: 2023-07-08 09\:40\:19\nsigned using \: ECDSA with SHA1\nEC key size \: 192 bits\n":0 +depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1 +x509parse_crt:"3082010b3081b3020900f41534662ec7e912300906072a8648ce3d0401300f310d300b06035504030c0454657374301e170d3235313132373132313634305a170d3335313132353132313634305a300f310d300b06035504030c04546573743059301306072a8648ce3d020106082a8648ce3d0301070342000478553e5f2e2a8575809988ccff53367a2b239599cb062d1c3047dd3dc60f839c7c6e81b7ee69b84d75628e5ec2e36318c55f0ac92abd9e365b26f70467750f42300906072a8648ce3d0401034800304502202ca181fa577a3e0250587b756a68b9e63ff7fcb59d72ed1941d5c732444346c8022100ad7d2effe0488257e6bd0a408ebd1e81a0627ccbf7f87b9fe14358bba69603d7":"cert. version \: 1\nserial number \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2025-11-27 12\:16\:40\nexpires on \: 2035-11-25 12\:16\:40\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0 +# This was generated as follows: +# 1. generate EC key -> openssl ecparam -name secp256r1 -genkey -noout -out secp256.key +# 2. generate CSR -> openssl req -new -key secp256.key -out secp256.csr -subj "/CN=Test/" +# 3. generate RSA key -> openssl genrsa -out rsa_1024.key 1024 +# 4. generate RSA CA cert -> openssl req -new -x509 -key rsa_1024.key -sha1 -days 3650 -subj="/CN=Test/" -out ca_rsa_1024.crt +# 5. generate final CRT -> openssl x509 -req -in secp256.csr -CA ca_rsa_1024.crt -CAkey rsa_1024.key -days 3650 -sha1 -set_serial 4 -out secp256-rsa.crt -outform DER +# 4. 
get generated DER content -> xxd -ps secp256-rsa.crt X509 CRT ASN1 (RSA signature, EC key) -depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C -x509parse_crt:"3081e430819f020104300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3133303731303135303233375a170d3233303730383135303233375a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d03010103320004e962551a325b21b50cf6b990e33d4318fd16677130726357a196e3efe7107bcb6bdc6d9db2a4df7c964acfe81798433d300d06092a864886f70d01010505000331001a6c18cd1e457474b2d3912743f44b571341a7859a0122774a8e19a671680878936949f904c9255bdd6fffdb33a7e6d8":"cert. version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 15\:02\:37\nexpires on \: 2023-07-08 15\:02\:37\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n":0 +depends_on:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C +x509parse_crt:"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":"cert. version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2025-11-27 13\:32\:52\nexpires on \: 2035-11-25 13\:32\:52\nsigned using \: RSA with SHA1\nEC key size \: 256 bits\n":0 X509 CRT ASN1 (Unsupported critical extension) depends_on:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256 From 725e3f1daa5d2d494fe553761dabbeeb0b9ee64e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 28 Nov 2025 09:50:20 +0100 Subject: [PATCH 2/4] tests: x509parse: replace certificates using secp192 with those using secp256 This replacement is either: - "server5-rsa-signed.crt": if a generic secp256r1 EC key is enough, i.e. any EC key is fine as it's not secp192 since this support is being removed from TF-PSA-Crypto. - "server11-rsa-signed.crt": if an EC key which does not belong to "suite-b" is required. For this case "secp256r1" wouldn't be good, so we use a "secp256k1" key. 
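Review bot: In the second regeneration comment (above "RSA signature, EC key") the final step is numbered `# 4.` again after step 5; it should read `# 6. get generated DER content -> xxd -ps secp256-rsa.crt`. Step 4 of that comment writes `-subj="/CN=Test/"` while step 2 uses `-subj "/CN=Test/"`; using the space form in both keeps the recipe consistent. Both recipes would also benefit from one more line saying that regenerating yields a new key, signature and validity period, so the expected `issued on`/`expires on` strings must be updated together with the hex. The same line can record that `-sha1` and the 1024-bit RSA key are deliberate parser-test inputs, e.g. `# Note: SHA-1 and RSA-1024 are intentional test inputs; update the expected dates after regenerating.`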
Signed-off-by: Valerio Setti --- tests/suites/test_suite_x509parse.data | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index e90f6b96fb..0ca27a9d68 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -179,8 +179,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_S x509_cert_info:"../framework/data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information EC signed by RSA -depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C -x509_cert_info:"../framework/data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" +depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C +x509_cert_info:"../framework/data_files/parse_input/server5-rsa-signed.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2025-12-01 10\:15\:30\nexpires on \: 2035-12-01 10\:15\:30\nsigned using \: RSA with SHA-256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_WANT_ALG_SHA_1 
@@ -752,8 +752,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V1 x509_verify:"../framework/data_files/cert_example_multi_nocn.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #32 (Valid, EC cert, RSA CA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_192:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 -x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1:PSA_WANT_ALG_SHA_256 +x509_verify:"../framework/data_files/server5-rsa-signed.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #33 (Valid, RSA cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ECC_SECP_R1_384 
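Review bot: The rewritten `depends_on` line for verification #32 still lists `MBEDTLS_RSA_C` twice; since the line is being touched anyway, the duplicate can be dropped. The line now requires both `PSA_WANT_ALG_SHA_1` and `PSA_WANT_ALG_SHA_256`. Presumably SHA-256 covers the signature on `server5-rsa-signed.crt` and SHA-1 covers `crl.pem` or `test-ca.crt`, but neither file is visible in this patch. A short comment above the test naming which file needs which hash (for example `# SHA-256: server5-rsa-signed.crt signature; SHA-1: crl.pem`, to be confirmed against the files) would keep a later dependency cleanup from silently skipping or breaking the test.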
@@ -1000,8 +1000,8 @@ depends_on:MBEDTLS_PEM_PARSE_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ALG_SHA_256:PS x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_192:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 -x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_K1_256:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_1 +x509_verify:"../framework/data_files/server11-rsa-signed.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL" X509 CRT verification #94 (Suite B invalid, RSA cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PKCS1_V15:PSA_WANT_ECC_SECP_R1_384 
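Review bot: Verification #93 keeps `MBEDTLS_X509_BADCERT_BAD_MD` in the expected flags, which presumably only holds if `server11-rsa-signed.crt` is signed with a hash the Suite B profile rejects. The certificate is not part of this patch, so this cannot be checked here; it is worth confirming, given that the sibling `server5-rsa-signed.crt` is reported as `RSA with SHA-256` in the first hunk of this patch. The same applies to verify chain #12 in the last hunk, whose `depends_on` lists both `PSA_WANT_ALG_SHA_256` and `PSA_WANT_ALG_SHA_1`. The reason for choosing a secp256k1 key is stated only in the commit message; I would record it above both tests, e.g. `# server11-rsa-signed.crt: secp256k1 key, because secp256r1 is accepted by the Suite B profile`.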
@@ -2674,8 +2674,8 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_2 mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert92.crt":"../framework/data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0 X509 CRT verify chain #12 (suiteb profile, RSA root) -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ALG_SHA_1 -mbedtls_x509_crt_verify_chain:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_K1_256:PSA_WANT_ALG_SHA_1 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server11-rsa-signed.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 X509 CRT verify chain #13 (RSA only profile, EC root) depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_WANT_ECC_SECP_R1_384 From 35d90d15c79f7a83676e6780cd3c0e918afdc4c9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 28 Nov 2025 11:03:57 +0100 Subject: [PATCH 3/4] framework: update reference Signed-off-by: Valerio Setti --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 6c9076eef1..f58263d00f 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 6c9076eef1aaba371550ebc1145aed7227154b99 +Subproject commit f58263d00f287993d7ba4aeaef825385459fd02d From d36ed4a84d5c627d2781af4a52a22c9de687c04b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 1 Dec 2025 18:01:46 +0100 Subject: [PATCH 4/4] tf-psa-crypto: update reference 
Signed-off-by: Valerio Setti --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 0a7317cc51..cb9d0ed648 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 0a7317cc517bcb8a2505e43f52da6cbc40b7134b +Subproject commit cb9d0ed64831da3e7b85ea8741a57fdc27c010e6