SE050 fixes and new simulator tests #10196

Closed
LinuxJedi wants to merge 3 commits into wolfSSL:master from LinuxJedi:se050-fixes3

@LinuxJedi
Member

Description

This fixes bugs in the Ed25519 and RSA handling for the SE050 as well as introduces a new simulator so that we have regression testing from now on.

Copilot AI review requested due to automatic review settings April 12, 2026 09:53
Contributor

Copilot AI left a comment

Pull request overview

This PR fixes SE050-related crypto handling issues (RSA verify key binding and Ed25519 verify result handling / test expectations) and adds a GitHub Actions workflow to run wolfCrypt tests against an SE050 software simulator for regression coverage.

Changes:

  • Adjust SE050-specific behavior in wolfCrypt tests (skip/modify vectors and expected error codes where SE050 diverges from host-side validation).
  • Fix SE050 RSA verify to avoid persisting a public-only key binding that would break subsequent sign operations on the same RsaKey.
  • Add a CI workflow that builds and runs wolfCrypt tests against the external SE050 simulator.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| wolfcrypt/test/test.c | Updates RSA/Ed25519 tests to handle SE050 secure-element constraints and differing error codes. |
| wolfcrypt/src/port/nxp/se050_port.c | Fixes RSA verify keyId binding behavior; initializes Ed25519 verify result. |
| wolfcrypt/src/ed25519.c | Resets SE050 key binding on import to avoid using stale SE050 objects after key material changes. |
| .github/workflows/se050-sim.yml | Adds CI job to build/run wolfCrypt tests against the SE050 simulator in Docker. |

Comment thread wolfcrypt/src/port/nxp/se050_port.c
Comment thread wolfcrypt/src/ed25519.c Outdated
Comment thread wolfcrypt/src/ed25519.c Outdated
Comment thread wolfcrypt/src/ed25519.c Outdated
Comment thread .github/workflows/se050-sim.yml
Copilot AI review requested due to automatic review settings April 13, 2026 06:32
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

Comment thread wolfcrypt/src/port/nxp/se050_port.c
Comment thread wolfcrypt/src/port/nxp/se050_port.c
Comment thread wolfcrypt/src/ed25519.c
Comment thread wolfcrypt/src/ed25519.c
Comment thread wolfcrypt/src/ed25519.c
Copilot AI review requested due to automatic review settings April 13, 2026 07:00
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment thread wolfcrypt/src/port/nxp/se050_port.c
Comment thread wolfcrypt/src/port/nxp/se050_port.c
Comment thread .github/workflows/se050-sim.yml
@LinuxJedi LinuxJedi assigned wolfSSL-Bot and unassigned wolfSSL-Bot Apr 13, 2026
- se050_ed25519_verify_msg: initialize *res = 0 at entry so failures don't leak a stale res = 1 from a prior good verify.
- Ed25519 import functions: reset keyIdSet / keyId under WOLFSSL_SE050 in wc_ed25519_import_private_key_ex, wc_ed25519_import_private_only, wc_ed25519_import_public_ex so overwriting host-side key material invalidates any prior SE050 object binding.
- New workflow .github/workflows/se050-sim.yml: builds wolfSSL against the NXP Plug&Trust SDK and runs the wolfCrypt tests against the SE050Sim simulator. Patches the upstream Dockerfile to use the PR's wolfSSL source.
- ed25519_test SE050 adjustments:
  - Cap the RFC 8032 loop at 5 iters — iter 5's 1023 B msg exceeds NXP SDK SE05X_TLV_BUF_SIZE_CMD = 900.
  - rareEd verifies and private-only sign: expect WC_HW_E (SE050 delegates malformed-input rejection to the secure element) instead of BAD_FUNC_ARG / SIG_VERIFY_E.
  - Skip ed25519ctx_test / ed25519ph_test — SE050 port drops the context/prehash params so RFC 8032 ctx/ph vectors can't byte-match.
- se050_rsa_verify: when the function uploads only the public part of the key (keyCreated == 1), erase the transient SE050 object and don't persist keyIdSet = 1. A subsequent sign on the same RsaKey was reusing the public-only SE050 object and failing. Pre-existing bindings (from wc_RsaUseKeyId or a prior sign that uploaded a keypair) are preserved untouched.

- rsa_keygen_test: add WOLFSSL_SE050 to the existing WOLFSSL_CRYPTOCELL guard around the export-then-decode round-trip. SE050-generated keys keep their private components in the secure element, so wc_RsaKeyToDer + wc_RsaPrivateKeyDecode cannot complete. Matching guard on the idx declaration to avoid an unused-variable warning.
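
The stale-result fix described in the first commit message above, as an added illustration that is not wolfSSL source: every `demo_*` name, the error code and the toy 4-byte "signature" are hypothetical. It shows why a caller that reuses its result variable still sees a prior `1` after a failing verify unless the output is cleared at entry.

```c
#include <stddef.h>
#include <string.h>
#define DEMO_HW_E    (-1)  /* hypothetical hardware error code */
#define DEMO_SIG_LEN 4     /* toy "signature" length */

/* Constructed stand-in for the secure element (not wolfSSL code): rejects
 * wrong-length input with an error, else reports match/no match in *ok. */
static int demo_se_verify(const unsigned char *sig, size_t sigLen,
                          const unsigned char *msg, size_t msgLen, int *ok)
{
    if (sigLen != DEMO_SIG_LEN || msgLen < DEMO_SIG_LEN)
        return DEMO_HW_E;            /* early exit, *ok never written */
    *ok = (memcmp(sig, msg, DEMO_SIG_LEN) == 0);
    return 0;
}

/* "Before" shape: *res is written only on the success path. */
static int demo_verify_before(const unsigned char *sig, size_t sigLen,
                              const unsigned char *msg, size_t msgLen, int *res)
{
    int ok = 0;
    int ret = demo_se_verify(sig, sigLen, msg, msgLen, &ok);
    if (ret != 0)
        return ret;                  /* caller's previous *res survives */
    *res = ok;
    return 0;
}

/* "After" shape: fail closed by clearing *res before any other work. */
static int demo_verify_after(const unsigned char *sig, size_t sigLen,
                             const unsigned char *msg, size_t msgLen, int *res)
{
    *res = 0;
    return demo_verify_before(sig, sigLen, msg, msgLen, res);
}

typedef int (*demo_verify_fn)(const unsigned char *, size_t,
                              const unsigned char *, size_t, int *);
/* Caller reusing one result variable: a good verify, then a malformed one.
 * Returns what is left in res after the failing call. */
static int demo_res_after_failure(demo_verify_fn verify)
{
    const unsigned char msg[] = { 'd', 'e', 'm', 'o', '!' };
    const unsigned char sig[] = { 'd', 'e', 'm', 'o' };
    int res = 0;
    (void)verify(sig, sizeof sig, msg, sizeof msg, &res);  /* res = 1 */
    (void)verify(sig, 2, msg, sizeof msg, &res);           /* error path */
    return res;
}
```

A caller that checks only `res` and ignores the return code treats the malformed input as verified in the "before" shape; clearing the output first removes that dependency on caller discipline.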
@LinuxJedi
Member Author

Force push to rebase off master (resolving conflicts)

@ColtonWilley
Contributor

Jenkins retest this please

@LinuxJedi
Member Author

Closing this as Marco is going to incorporate these commits in an upcoming PR.

@LinuxJedi LinuxJedi closed this Apr 14, 2026