Augment DES test cases with AES: pkparse pkcs8

[gilles-peskine-arm]

Most pkparse test cases for PKCS#1 and PKCS#8 encrypted key formats use DES, which is deprecated. The goal of this task is to write equivalent test cases using AES.

The test cases all use files in tests/data_files:

test-ca.key
*.key.enc
ec_prv.*.pw.*
rsa_pkcs1*des.pem
rsa_pkcs8*des.*

The goal of this task is:

• For the test-ca.key, *.key.enc and ec*pw* files: re-encrypt them using AES-128-CBC, keeping the same content (same EC key). Update the dependencies (MBEDTLS_DES_C to MBEDTLS_AES_C) of the corresponding test cases in test_suite_pkparse.data, and in test_suite_x509write.data for test-ca.key.
• For the rsa_pkcs1_* files: nothing to do — there are already AES variants and corresponding test cases.
• For the rsa_pkcs8_* files: create files encrypted with AES-128-CBC, keeping the same content. Add corresponding test cases in test_suite_pkparse.data (copy the DES/3DES test cases, changing the file names to aes and the dependencies to MBEDTLS_AES_C).
• A few encrypted keys are listed in certs.c (which is in tests/src in development, and in library in mbedtls-2.28). Update them.

Most of those files are generated through rules in tests/data_files/Makefile. Add or change rules for the AES files.

[bharsaklemukesh975]

Can I work on this? I would like to do my first open-source contribution.
Thanks!

[ronald-cron-arm]

Yes please. It is labelled as "good-first-issue" thus suitable for a first contribution. If you do not have already done it, please have a look at README.md and CONTRIBUTING.md. Thanks.

[bharsaklemukesh975]

Thanks @ronald-cron-arm

[bharsaklemukesh975]

Please correct me if I am wrong(as it is my first contribution) for the steps needed to fix this as follows.

• Re-encrypt the test-ca.key, .key.enc, and ec_prv..pw.* files using AES-128-CBC
• For the test_suite_pkparse.data and test_suite_x509write.data files, find the test cases that use the DES encryption algorithm, and update the dependencies from MBEDTLS_DES_C to MBEDTLS_AES_C for test-ca.key
• Create new files encrypted with AES-128-CBC for the rsa_pkcs8_* files, In the test_suite_pkparse.data file, add new test cases for the AES-encrypted rsa_pkcs8_* files. Copy the DES/3DES test cases and change the file names to the AES-encrypted file names and update the dependencies from MBEDTLS_DES_C to MBEDTLS_AES_C
• Update the encrypted keys in the certs.c file to use AES-128-CBC encryption instead of DES.

Where can I find this DES key which was used for the encryption of these RSA private keys? I need to decrypt the key first before re-encrypting it?

Thanks!

[ronald-cron-arm]

This looks overall inline with the issue description.

• For the test_suite_pkparse.data and test_suite_x509write.data files, find the test cases that use the DES encryption algorithm, and update the dependencies from MBEDTLS_DES_C to MBEDTLS_AES_C for test-ca.key

I would say rather to find the test cases using test-ca.key/.key.enc/ecpw* and to update their dependencies from MBEDTLS_DES_C to MBEDTLS_AES_C.

Where can I find this DES key which was used for the encryption of these RSA private keys? I need to decrypt the key first before re-encrypting it?

It seems the key is computed from the IV that is at the beginning of the file (DEK-Info ...) and the password PolarSSLTest: see "Parse RSA Key #2 (Correct password)" test case in test_suite_pkparse.data and the processing of mbedtls_pk_parse_keyfile() called by pk_parse_keyfile_rsa() in test_suite_pkparse.function.

Finally to start with I would suggest to just work on test-ca.key, create a PR for that and go through the review process.

[bharsaklemukesh975]

Hello @ronald-cron-arm / @gilles-peskine-arm , can you please review #7416 .