From 80b95101a95e126009a50f45e6f4aa41c51295f6 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 28 Aug 2020 14:29:16 +0200 Subject: [PATCH 01/17] psa: Move psa_key_file_id_t definition to crypto_types.h `psa_key_file_id_t` was defined in `crypto_platform.h` and not `crypto_types.h` even if it wasn't platform dependent because back when the PSA Crypto Specification was put together `crypto_types.h` was meant to contain only types that were intended to make it to the specification. There is not such constraint anymore thus move the definition of `psa_key_file_id_t` to crypto_types.h. Signed-off-by: Ronald Cron --- include/psa/crypto_platform.h | 23 +---------------------- include/psa/crypto_types.h | 28 +++++++++++++++++++++++++--- 2 files changed, 26 insertions(+), 25 deletions(-) diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 77c0e5b2f0..bd3dc10eaa 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h 
@@ -74,27 +74,6 @@ typedef uint32_t psa_app_key_id_t; typedef int32_t psa_key_owner_id_t; #endif -typedef struct -{ - uint32_t key_id; - psa_key_owner_id_t owner; -} psa_key_file_id_t; -#define PSA_KEY_FILE_GET_KEY_ID( file_id ) ( ( file_id ).key_id ) - -/* Since crypto.h is used as part of the PSA Cryptography API specification, - * it must use standard types for things like the argument of psa_open_key(). - * If it wasn't for that constraint, psa_open_key() would take a - * `psa_key_file_id_t` argument. As a workaround, make `psa_key_id_t` an - * alias for `psa_key_file_id_t` when building for a multi-client service. */ -typedef psa_key_file_id_t psa_key_id_t; -#define PSA_KEY_ID_INIT {0, 0} - -#else /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ - -/* By default, a key file identifier is just the application key identifier. */ -typedef psa_app_key_id_t psa_key_file_id_t; -#define PSA_KEY_FILE_GET_KEY_ID( id ) ( id ) - -#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ +#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ #endif /* PSA_CRYPTO_PLATFORM_H */ diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 17718eb6dc..f8811ad102 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -33,6 +33,8 @@ #ifndef PSA_CRYPTO_TYPES_H #define PSA_CRYPTO_TYPES_H +#include "crypto_platform.h" + #include /** \defgroup error Error codes 
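Review bot: The new `#include "crypto_platform.h"` in crypto_types.h carries no comment saying why a type header now pulls in a platform header; the reason is that the struct form of psa_key_file_id_t moved here uses `psa_key_owner_id_t`, which crypto_platform.h provides under MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER (visible in the hunk above). A one-line comment would make that ordering constraint explicit: `/* Provides psa_key_owner_id_t when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set. */`. If crypto_platform.h in turn includes crypto_types.h (not visible here), the include guards prevent recursion but the typedef order would still need checking.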
@@ -229,12 +231,32 @@ typedef uint32_t psa_key_location_t; /* Implementation-specific quirk: The Mbed Crypto library can be built as * part of a multi-client service that exposes the PSA Crypto API in each * client and encodes the client identity in the key id argument of functions - * such as psa_open_key(). In this build configuration, we define - * psa_key_id_t in crypto_platform.h instead of here. */ + * such as psa_open_key(). */ #if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) typedef uint32_t psa_key_id_t; +typedef psa_key_id_t psa_key_file_id_t; + #define PSA_KEY_ID_INIT 0 -#endif +#define PSA_KEY_FILE_GET_KEY_ID( id ) ( id ) + +#else /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ +typedef struct +{ + uint32_t key_id; + psa_key_owner_id_t owner; +} psa_key_file_id_t; + +/* Since crypto.h is used as part of the PSA Cryptography API specification, + * it must use standard types for things like the argument of psa_open_key(). + * If it wasn't for that constraint, psa_open_key() would take a + * `psa_key_file_id_t` argument. As a workaround, make `psa_key_id_t` an + * alias for `psa_key_file_id_t` when building for a multi-client service. */ +typedef psa_key_file_id_t psa_key_id_t; + +#define PSA_KEY_ID_INIT {0, 0} +#define PSA_KEY_FILE_GET_KEY_ID( file_id ) ( ( file_id ).key_id ) + +#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ /**@}*/ From 27238fcbd8a737993e0713ffeea5be56f4983adf Mon Sep 17 00:00:00 2001 
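Review bot: The conditional comments at the end of the moved block disagree: `#else /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */` names the branch being entered, while `#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */` negates it, so a reader cannot tell which convention the file follows. The removed crypto_platform.h block used the negated form on both lines; pick one, for example `#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */` to match the `#else` above it.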
From: Ronald Cron Date: Thu, 23 Jul 2020 12:30:41 +0200 Subject: [PATCH 02/17] psa: Use psa_key_file_id_t as the key id type The purpose of this commit and the following is for psa_key_id_t to always be as defined by the PSA Cryptography API specification. Currently psa_key_id_t departs from its specification definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration flag is set. In that configuration, it is set to be equal to psa_key_file_id_t which in that configuration encodes an owner identifier alongside the key identifier. Type psa_key_file_id_t was meant to be the key identifier type used throughout the library code. If MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it includes both a key and owner identifier, otherwise it is equal to psa_key_id_t. It has not been the key identifier type throughout the library so far because when the PSA Cryptography specification was developed the library Doxygen documentation was used to generate the PSA Cryptography API specification, hence the need to use psa_key_id_t and not psa_key_file_id_t. As this constraint does not hold anymore, move to psa_key_file_id_t as the key identifier type throughout the library code. By the way, this commit updates the key identifier initialization in the tests to be compatible with a composite key identifier. A psa_key_id_make() inline function is introduced to initialize key identifiers (composite or not) at runtime. 
Signed-off-by: Ronald Cron --- include/psa/crypto.h | 18 ++++----- include/psa/crypto_struct.h | 8 ++-- include/psa/crypto_types.h | 39 +++++++++++++++---- library/psa_crypto_se.h | 4 +- library/psa_crypto_slot_management.c | 14 +++---- library/psa_crypto_slot_management.h | 6 +-- library/psa_crypto_storage.c | 2 +- library/psa_crypto_storage.h | 4 +- tests/suites/test_suite_psa_crypto.function | 12 +++--- ...t_suite_psa_crypto_persistent_key.function | 8 ++-- ...st_suite_psa_crypto_se_driver_hal.function | 18 ++++----- ...te_psa_crypto_se_driver_hal_mocks.function | 16 ++++---- ..._suite_psa_crypto_slot_management.function | 20 +++++----- 13 files changed, 96 insertions(+), 73 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index a3161666d7..c8eb08bd01 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -146,11 +146,11 @@ static psa_key_attributes_t psa_key_attributes_init(void); * linkage). This function may be provided as a function-like macro, * but in this case it must evaluate each of its arguments exactly once. * - * \param[out] attributes The attribute structure to write to. - * \param id The persistent identifier for the key. + * \param[out] attributes The attribute structure to write to. + * \param key The persistent identifier for the key. */ static void psa_set_key_id(psa_key_attributes_t *attributes, - psa_key_id_t id); + psa_key_file_id_t key); /** Set the location of a persistent key. * @@ -192,7 +192,7 @@ static void psa_set_key_lifetime(psa_key_attributes_t *attributes, * This value is unspecified if the attribute structure declares * the key as volatile. */ -static psa_key_id_t psa_get_key_id(const psa_key_attributes_t *attributes); +static psa_key_file_id_t psa_get_key_id(const psa_key_attributes_t *attributes); /** Retrieve the lifetime from key attributes. * 
@@ -392,8 +392,9 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes); * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key * always has a nonzero key identifier, set with psa_set_key_id() when * creating the key. Implementations may provide additional pre-provisioned - * keys that can be opened with psa_open_key(). Such keys have a key identifier - * in the vendor range, as documented in the description of #psa_key_id_t. + * keys that can be opened with psa_open_key(). Such keys have an application + * key identifier in the vendor range, as documented in the description of + * #psa_key_id_t. * * The application must eventually close the handle with psa_close_key() or * psa_destroy_key() to release associated resources. If the application dies @@ -408,7 +409,7 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes); * portable to implementations that only permit a single key handle to be * opened. See also :ref:\`key-handles\`. * - * \param id The persistent identifier of the key. + * \param key The persistent identifier of the key. * \param[out] handle On success, a handle to the key. * * \retval #PSA_SUCCESS @@ -436,8 +437,7 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes); * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_open_key(psa_key_id_t id, - psa_key_handle_t *handle); +psa_status_t psa_open_key(psa_key_file_id_t key, psa_key_handle_t *handle); /** Close a key handle. diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 67c53db928..267b0501ac 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -330,7 +330,7 @@ typedef struct psa_key_type_t type; psa_key_bits_t bits; psa_key_lifetime_t lifetime; - psa_key_id_t id; + psa_key_file_id_t id; psa_key_policy_t policy; psa_key_attributes_flag_t flags; } psa_core_key_attributes_t; 
@@ -360,14 +360,14 @@ static inline struct psa_key_attributes_s psa_key_attributes_init( void ) } static inline void psa_set_key_id(psa_key_attributes_t *attributes, - psa_key_id_t id) + psa_key_file_id_t key) { - attributes->core.id = id; + attributes->core.id = key; if( attributes->core.lifetime == PSA_KEY_LIFETIME_VOLATILE ) attributes->core.lifetime = PSA_KEY_LIFETIME_PERSISTENT; } -static inline psa_key_id_t psa_get_key_id( +static inline psa_key_file_id_t psa_get_key_id( const psa_key_attributes_t *attributes) { return( attributes->core.id ); diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index f8811ad102..4603a1d1a6 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -37,6 +37,11 @@ #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + /** \defgroup error Error codes * @{ */ @@ -125,7 +130,7 @@ typedef uint32_t psa_algorithm_t; * implementation-specific device management event occurs (for example, * a factory reset). * - * Persistent keys have a key identifier of type #psa_key_id_t. + * Persistent keys have a key identifier of type #psa_key_file_id_t. * This identifier remains valid throughout the lifetime of the key, * even if the application instance that created the key terminates. * The application can call psa_open_key() to open a persistent key that @@ -239,6 +244,19 @@ typedef psa_key_id_t psa_key_file_id_t; #define PSA_KEY_ID_INIT 0 #define PSA_KEY_FILE_GET_KEY_ID( id ) ( id ) +/** Utility to initialize a key file identifier at runtime. + * + * \param unused Unused parameter. + * \param key_id Identifier of the key. + */ +static inline psa_key_file_id_t psa_key_file_id_make( + unsigned int unused, psa_key_id_t key_id ) +{ + (void)unused; + + return( key_id ); +} + #else /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ typedef struct { 
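Review bot: The Doxygen block for the non-owner psa_key_file_id_make() documents both parameters but has no `\return`, so the reader has to open the body to learn that the result is just `key_id`; add `\return The key file identifier for \p key_id; the first argument is ignored in this configuration.` The same omission applies to the MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER variant in the next hunk. The two variants also differ in their first parameter type (`unsigned int` here, `psa_key_owner_id_t` there), which is fine for the literal `1` the tests pass but deserves a sentence in the comment so that callers do not expect a negative owner value to be preserved in this build.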
@@ -246,16 +264,21 @@ typedef struct psa_key_owner_id_t owner; } psa_key_file_id_t; -/* Since crypto.h is used as part of the PSA Cryptography API specification, - * it must use standard types for things like the argument of psa_open_key(). - * If it wasn't for that constraint, psa_open_key() would take a - * `psa_key_file_id_t` argument. As a workaround, make `psa_key_id_t` an - * alias for `psa_key_file_id_t` when building for a multi-client service. */ -typedef psa_key_file_id_t psa_key_id_t; - #define PSA_KEY_ID_INIT {0, 0} #define PSA_KEY_FILE_GET_KEY_ID( file_id ) ( ( file_id ).key_id ) +/** Utility to initialize a key file identifier at runtime. + * + * \param owner_id Identifier of the key owner. + * \param key_id Identifier of the key. + */ +static inline psa_key_file_id_t psa_key_file_id_make( + psa_key_owner_id_t owner_id, uint32_t key_id ) +{ + return( (psa_key_file_id_t){ .key_id = key_id, + .owner = owner_id } ); +} + #endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ /**@}*/ diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h index a464232563..258c211af8 100644 --- a/library/psa_crypto_se.h +++ b/library/psa_crypto_se.h @@ -45,13 +45,13 @@ /** The base of the range of ITS file identifiers for secure element * driver persistent data. * - * We use a slice of the implemenation reserved range 0xffff0000..0xffffffff, + * We use a slice of the implementation reserved range 0xffff0000..0xffffffff, * specifically the range 0xfffffe00..0xfffffeff. The length of this range * drives the value of #PSA_MAX_SE_LOCATION. The identifier 0xfffffe00 is * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE * which doesn't have a driver. */ -#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ( (psa_key_id_t) 0xfffffe00 ) +#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ( (psa_app_key_id_t) 0xfffffe00 ) /** The maximum number of registered secure element driver locations. */ #define PSA_MAX_SE_DRIVERS 4 
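Review bot: After the `typedef psa_key_file_id_t psa_key_id_t;` alias is removed, `#define PSA_KEY_ID_INIT {0, 0}` stays in this branch although no psa_key_id_t is defined here any more, so the macro name no longer says what it initializes (a psa_key_file_id_t). Unless a later patch in the series reworks it, either rename it or put `/* Initializer for psa_key_file_id_t; psa_key_id_t is not defined in this configuration. */` above it so the mismatch is deliberate rather than accidental. The new psa_key_file_id_make() in this hunk also lacks a `\return` line in its Doxygen, as its non-owner twin does.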
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index a32a027980..3600e1a376 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -204,7 +204,7 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime, } psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime, - psa_key_id_t key_id ) + psa_key_file_id_t key ) { if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) { @@ -215,19 +215,19 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime, { /* Persistent keys require storage support */ #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) - if( psa_is_key_id_valid( key_id, + if( psa_is_key_id_valid( key, psa_key_lifetime_is_external( lifetime ) ) ) return( PSA_SUCCESS ); else return( PSA_ERROR_INVALID_ARGUMENT ); #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ - (void) key_id; + (void) key; return( PSA_ERROR_NOT_SUPPORTED ); #endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */ } } -psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle ) +psa_status_t psa_open_key( psa_key_file_id_t key, psa_key_handle_t *handle ) { #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) psa_status_t status; @@ -235,7 +235,7 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle ) *handle = 0; - if( ! psa_is_key_id_valid( id, 1 ) ) + if( ! psa_is_key_id_valid( key, 1 ) ) return( PSA_ERROR_INVALID_ARGUMENT ); status = psa_get_empty_key_slot( handle, &slot ); @@ -243,7 +243,7 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle ) return( status ); slot->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT; - slot->attr.id = id; + slot->attr.id = key; status = psa_load_persistent_key_into_slot( slot ); if( status != PSA_SUCCESS ) 
@@ -254,7 +254,7 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle ) return( status ); #else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ - (void) id; + (void) key; *handle = 0; return( PSA_ERROR_NOT_SUPPORTED ); #endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h index 676a77e5a0..58e7f7cb6f 100644 --- a/library/psa_crypto_slot_management.h +++ b/library/psa_crypto_slot_management.h @@ -113,14 +113,14 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime, * This function checks whether a key's declared persistence level and key ID * attributes are valid and known to the PSA Core in its actual configuration. * - * \param[in] lifetime The key lifetime attribute. - * \param[in] key_id The key ID attribute + * \param[in] lifetime The key lifetime attribute. + * \param[in] key The key identifier. * * \retval #PSA_SUCCESS * \retval #PSA_ERROR_INVALID_ARGUMENT */ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime, - psa_key_id_t key_id ); + psa_key_file_id_t key ); #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */ diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index 103c9bbb8e..18889a17e2 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c @@ -394,7 +394,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr, psa_status_t status = PSA_SUCCESS; uint8_t *loaded_data; size_t storage_data_length = 0; - psa_key_id_t key = attr->id; + psa_key_file_id_t key = attr->id; status = psa_crypto_storage_get_data_length( key, &storage_data_length ); if( status != PSA_SUCCESS ) diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h index debc742bd1..6fcae272e1 100644 --- a/library/psa_crypto_storage.h +++ b/library/psa_crypto_storage.h 
@@ -292,7 +292,7 @@ typedef union uint16_t unused1; psa_key_lifetime_t lifetime; psa_key_slot_number_t slot; - psa_key_id_t id; + psa_key_file_id_t id; } key; } psa_crypto_transaction_t; @@ -361,7 +361,7 @@ psa_status_t psa_crypto_stop_transaction( void ); * * 0xffffffNN = special file; 0x74 = 't' for transaction. */ -#define PSA_CRYPTO_ITS_TRANSACTION_UID ( (psa_key_id_t) 0xffffff74 ) +#define PSA_CRYPTO_ITS_TRANSACTION_UID ( (psa_app_key_id_t) 0xffffff74 ) #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */ diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 665580bfe5..af7a22133d 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -233,7 +233,7 @@ int check_key_attributes_sanity( psa_key_handle_t key ) int ok = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_lifetime_t lifetime; - psa_key_id_t id; + psa_key_file_id_t id; psa_key_type_t type; psa_key_type_t bits; @@ -1326,7 +1326,7 @@ void attributes_set_get( int id_arg, int lifetime_arg, int type_arg, int bits_arg ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t id = id_arg; + psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); psa_key_lifetime_t lifetime = lifetime_arg; psa_key_usage_t usage_flags = usage_flags_arg; psa_algorithm_t alg = alg_arg; 
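Review bot: The owner argument to psa_key_file_id_make() is the bare literal `1` in attributes_set_get() here and in every other test-suite hunk of this patch (persistence_attributes, persistent_key_load_key_from_storage, and the persistent_key, se_driver_hal, se_driver_hal_mocks and slot_management suites), with nothing recording which owner the tests are meant to run as. A named constant in shared test code, for example a constructed `#define PSA_TEST_OWNER_ID 1`, would document the choice and let the owner be changed in one place when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is exercised. The `int` test arguments such as `id_arg` are still narrowed to the 32-bit key id implicitly, as they were before the change.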
@@ -1370,10 +1370,10 @@ void persistence_attributes( int id1_arg, int lifetime_arg, int id2_arg, int expected_id_arg, int expected_lifetime_arg ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t id1 = id1_arg; + psa_key_file_id_t id1 = psa_key_file_id_make( 1, id1_arg ); psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_id_t id2 = id2_arg; - psa_key_id_t expected_id = expected_id_arg; + psa_key_file_id_t id2 = psa_key_file_id_make( 1, id2_arg ); + psa_key_file_id_t expected_id = psa_key_file_id_make( 1, expected_id_arg ); psa_key_lifetime_t expected_lifetime = expected_lifetime_arg; if( id1_arg != -1 ) @@ -5584,7 +5584,7 @@ void persistent_key_load_key_from_storage( data_t *data, int usage_flags_arg, int alg_arg, int generation_method ) { - psa_key_id_t key_id = 1; + psa_key_file_id_t key_id = psa_key_file_id_make( 1, 1 ); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_handle_t handle = 0; psa_key_handle_t base_key = 0; diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function index 49ce964fb9..43cc5df5f3 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.function +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -112,7 +112,7 @@ exit: /* BEGIN_CASE */ void save_large_persistent_key( int data_length_arg, int expected_status ) { - psa_key_id_t key_id = 42; + psa_key_file_id_t key_id = psa_key_file_id_make( 1, 42 ); psa_key_handle_t handle = 0; uint8_t *data = NULL; size_t data_length = data_length_arg; 
@@ -143,7 +143,7 @@ void persistent_key_destroy( int key_id_arg, int restart, int first_type_arg, data_t *first_data, int second_type_arg, data_t *second_data ) { - psa_key_id_t key_id = key_id_arg; + psa_key_file_id_t key_id = psa_key_file_id_make( 1, key_id_arg ); psa_key_handle_t handle = 0; psa_key_type_t first_type = (psa_key_type_t) first_type_arg; psa_key_type_t second_type = (psa_key_type_t) second_type_arg; @@ -196,7 +196,7 @@ exit: void persistent_key_import( int key_id_arg, int type_arg, data_t *data, int restart, int expected_status ) { - psa_key_id_t key_id = (psa_key_id_t) key_id_arg; + psa_key_file_id_t key_id = psa_key_file_id_make( 1, key_id_arg ); psa_key_type_t type = (psa_key_type_t) type_arg; psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -245,7 +245,7 @@ void import_export_persistent_key( data_t *data, int type_arg, int expected_bits, int restart, int key_not_exist ) { - psa_key_id_t key_id = 42; + psa_key_file_id_t key_id = psa_key_file_id_make( 1, 42 ); psa_key_type_t type = (psa_key_type_t) type_arg; psa_key_handle_t handle = 0; unsigned char *exported = NULL; diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index c9ce8667b6..e7c26d22ca 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function 
@@ -760,13 +760,13 @@ exit: #define MAX_KEY_ID_FOR_TEST 10 static void psa_purge_storage( void ) { - psa_key_id_t id; + psa_app_key_id_t id; psa_key_location_t location; /* The tests may have potentially created key ids from 1 to * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id * 0, which file-based storage uses as a temporary file. */ for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ ) - psa_destroy_persistent_key( id ); + psa_destroy_persistent_key( psa_key_file_id_make( 1, id ) ); /* Purge the transaction file. */ psa_crypto_stop_transaction( ); /* Purge driver persistent data. */ @@ -853,7 +853,7 @@ void key_creation_import_export( int lifetime_arg, int min_slot, int restart ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = (psa_key_lifetime_t) lifetime_arg; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -985,7 +985,7 @@ void key_creation_in_chosen_slot( int slot_arg, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -1067,7 +1067,7 @@ void import_key_smoke( int type_arg, int alg_arg, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 
@@ -1139,7 +1139,7 @@ void generate_key_not_supported( int type_arg, int bits_arg ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1178,7 +1178,7 @@ void generate_key_smoke( int type_arg, int bits_arg, int alg_arg ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1258,7 +1258,7 @@ void sign_verify( int flow, psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t drv_handle = 0; /* key managed by the driver */ psa_key_handle_t sw_handle = 0; /* transparent key */ psa_key_attributes_t sw_attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1420,7 +1420,7 @@ void register_key_smoke_test( int lifetime_arg, psa_drv_se_t driver; psa_drv_se_key_management_t key_management; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t id = id_arg; + psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); size_t bit_size = 48; psa_key_slot_number_t wanted_slot = 0x123456789; psa_key_handle_t handle = 0; diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function index ef50a68140..618bd15467 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function 
@@ -89,13 +89,13 @@ static struct #define MAX_KEY_ID_FOR_TEST 10 static void psa_purge_storage( void ) { - psa_key_id_t id; + psa_app_key_id_t id; psa_key_location_t location; /* The tests may have potentially created key ids from 1 to * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id * 0, which file-based storage uses as a temporary file. */ for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ ) - psa_destroy_persistent_key( id ); + psa_destroy_persistent_key( psa_key_file_id_make( 1, id ) ); /* Purge the transaction file. */ psa_crypto_stop_transaction( ); /* Purge driver persistent data. */ @@ -330,7 +330,7 @@ void mock_import( int mock_alloc_return_value, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -387,7 +387,7 @@ void mock_export( int mock_export_return_value, int expected_result ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -441,7 +441,7 @@ void mock_generate( int mock_alloc_return_value, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 
@@ -496,7 +496,7 @@ void mock_export_public( int mock_export_public_return_value, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -546,7 +546,7 @@ void mock_sign( int mock_sign_return_value, int expected_result ) psa_drv_se_asymmetric_t asymmetric; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -607,7 +607,7 @@ void mock_verify( int mock_verify_return_value, int expected_result ) psa_drv_se_asymmetric_t asymmetric; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_id_t id = 1; + psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function index 3a14b12114..bd15865cbf 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.function +++ b/tests/suites/test_suite_psa_crypto_slot_management.function 
@@ -34,11 +34,11 @@ typedef enum * code. */ #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) -static psa_key_id_t key_ids_used_in_test[9]; +static psa_key_file_id_t key_ids_used_in_test[9]; static size_t num_key_ids_used; /* Record a key id as potentially used in a test case. */ -static int test_uses_key_id( psa_key_id_t key_id ) +static int test_uses_key_id( psa_key_file_id_t key_id ) { size_t i; if( key_id > PSA_MAX_PERSISTENT_KEY_IDENTIFIER ) @@ -178,7 +178,7 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, int close_method_arg ) { psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_id_t id = id_arg; + psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); psa_algorithm_t alg = alg_arg; psa_algorithm_t alg2 = alg2_arg; psa_key_usage_t usage_flags = usage_arg; @@ -296,7 +296,7 @@ void create_existent( int lifetime_arg, int id_arg, int reopen_policy_arg ) { psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_id_t id = id_arg; + psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); psa_key_handle_t handle1 = 0, handle2 = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t type1 = PSA_KEY_TYPE_RAW_DATA; @@ -363,7 +363,7 @@ exit: void open_fail( int id_arg, int expected_status_arg ) { - psa_key_id_t id = id_arg; + psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); psa_status_t expected_status = expected_status_arg; psa_key_handle_t handle = 0xdead; @@ -382,7 +382,7 @@ void create_fail( int lifetime_arg, int id_arg, int expected_status_arg ) { psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_id_t id = id_arg; + psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t expected_status = expected_status_arg; psa_key_handle_t handle = 0xdead; 
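Review bot: `test_uses_key_id()` now takes a `psa_key_file_id_t`, but the context line `if( key_id > PSA_MAX_PERSISTENT_KEY_IDENTIFIER )` still compares it as an integer; when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER selects the struct form this comparison does not compile. The check should go through the accessor the series keeps, `if( PSA_KEY_FILE_GET_KEY_ID( key_id ) > PSA_MAX_PERSISTENT_KEY_IDENTIFIER )`, and any equality checks against the now struct-typed `key_ids_used_in_test[]` in the rest of the function, which continues outside the hunk, presumably need the same treatment. If this suite is only ever built without that option, a comment saying so next to the array would settle the question.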
@@ -420,14 +420,14 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg, int expected_alg_arg, int expected_alg2_arg ) { psa_key_lifetime_t source_lifetime = source_lifetime_arg; - psa_key_id_t source_id = source_id_arg; + psa_key_file_id_t source_id = psa_key_file_id_make( 1, source_id_arg ); psa_key_usage_t source_usage = source_usage_arg; psa_algorithm_t source_alg = source_alg_arg; psa_key_handle_t source_handle = 0; psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t source_type = type_arg; psa_key_lifetime_t target_lifetime = target_lifetime_arg; - psa_key_id_t target_id = target_id_arg; + psa_key_file_id_t target_id = psa_key_file_id_make( 1, target_id_arg ); psa_key_usage_t target_usage = target_usage_arg; psa_algorithm_t target_alg = target_alg_arg; psa_key_handle_t target_handle = 0; @@ -534,13 +534,13 @@ void copy_to_occupied( int source_lifetime_arg, int source_id_arg, int target_type_arg, data_t *target_material ) { psa_key_lifetime_t source_lifetime = source_lifetime_arg; - psa_key_id_t source_id = source_id_arg; + psa_key_file_id_t source_id = psa_key_file_id_make( 1, source_id_arg ); psa_key_usage_t source_usage = source_usage_arg; psa_algorithm_t source_alg = source_alg_arg; psa_key_handle_t source_handle = 0; psa_key_type_t source_type = source_type_arg; psa_key_lifetime_t target_lifetime = target_lifetime_arg; - psa_key_id_t target_id = target_id_arg; + psa_key_file_id_t target_id = psa_key_file_id_make( 1, target_id_arg ); psa_key_usage_t target_usage = target_usage_arg; psa_algorithm_t target_alg = target_alg_arg; psa_key_handle_t target_handle = 0; From 039a98b5989519722e4709f634061dedcca90f72 Mon Sep 17 00:00:00 2001 
From: Ronald Cron Date: Thu, 23 Jul 2020 16:07:42 +0200 Subject: [PATCH 03/17] Define always psa_key_id_t as defined in PSA crypto spec Always define psa_key_id_t as defined in the PSA Cryptography API specification, independently of whether the MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration option is set or not. As a consequence, get rid of `psa_app_key_id_t`, which is not needed anymore. Signed-off-by: Ronald Cron --- include/psa/crypto_extra.h | 4 ++-- include/psa/crypto_platform.h | 19 ------------------- include/psa/crypto_types.h | 17 +++++++++-------- include/psa/crypto_values.h | 8 ++++---- library/psa_crypto_se.h | 2 +- library/psa_crypto_slot_management.c | 6 +++--- library/psa_crypto_storage.h | 2 +- ...st_suite_psa_crypto_se_driver_hal.function | 2 +- ...te_psa_crypto_se_driver_hal_mocks.function | 2 +- 9 files changed, 22 insertions(+), 40 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index f0c7979a81..71adb9355b 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -232,9 +232,9 @@ typedef struct mbedtls_psa_stats_s /** Number of slots that are not used for anything. */ size_t empty_slots; /** Largest key id value among open keys in internal persistent storage. */ - psa_app_key_id_t max_open_internal_key_id; + psa_key_id_t max_open_internal_key_id; /** Largest key id value among open keys in secure elements. */ - psa_app_key_id_t max_open_external_key_id; + psa_key_id_t max_open_external_key_id; } mbedtls_psa_stats_t; /** \brief Get statistics about diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index bd3dc10eaa..0bebb08b64 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h
@@ -47,25 +47,6 @@ /* Integral type representing a key handle. */ typedef uint16_t psa_key_handle_t; -/* This implementation distinguishes *application key identifiers*, which - * are the key identifiers specified by the application, from - * *key file identifiers*, which are the key identifiers that the library - * sees internally. The two types can be different if there is a remote - * call layer between the application and the library which supports - * multiple client applications that do not have access to each others' - * keys. The point of having different types is that the key file - * identifier may encode not only the key identifier specified by the - * application, but also the the identity of the application. - * - * Note that this is an internal concept of the library and the remote - * call layer. The application itself never sees anything other than - * #psa_app_key_id_t with its standard definition. - */ - -/* The application key identifier is always what the application sees as - * #psa_key_id_t. */ -typedef uint32_t psa_app_key_id_t; - #if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) #if defined(PSA_CRYPTO_SECURE) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 4603a1d1a6..a8becb7b86 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h 
@@ -233,14 +233,10 @@ typedef uint32_t psa_key_location_t;
 * - 0 is reserved as an invalid key identifier.
 * - Key identifiers outside these ranges are reserved for future use.
 */
-/* Implementation-specific quirk: The Mbed Crypto library can be built as
- * part of a multi-client service that exposes the PSA Crypto API in each
- * client and encodes the client identity in the key id argument of functions
- * such as psa_open_key(). */
-#if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
 typedef uint32_t psa_key_id_t;
-typedef psa_key_id_t psa_key_file_id_t;
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
+typedef psa_key_id_t psa_key_file_id_t;
 #define PSA_KEY_ID_INIT 0
 #define PSA_KEY_FILE_GET_KEY_ID( id ) ( id )
@@ -258,9 +254,14 @@ static inline psa_key_file_id_t psa_key_file_id_make(
 }
 #else /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+/* Implementation-specific: The Mbed Crypto library can be built as
+ * part of a multi-client service that exposes the PSA Crypto API in each
+ * client and encodes the client identity in the key id argument of functions
+ * such as psa_open_key().
+ */
 typedef struct
 {
- uint32_t key_id;
+ psa_key_id_t key_id;
 psa_key_owner_id_t owner;
 } psa_key_file_id_t;
@@ -273,7 +274,7 @@ typedef struct
 * \param key_id Identifier of the key.
 */
 static inline psa_key_file_id_t psa_key_file_id_make(
- psa_key_owner_id_t owner_id, uint32_t key_id )
+ psa_key_owner_id_t owner_id, psa_key_id_t key_id )
 {
 return( (psa_key_file_id_t){ .key_id = key_id,
 .owner = owner_id } );
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index a940711803..02e9c00760 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1636,16 +1636,16 @@
 /** The minimum value for a key identifier chosen by the application. */
-#define PSA_KEY_ID_USER_MIN ((psa_app_key_id_t)0x00000001)
+#define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)
 /** The maximum value for a key identifier chosen by the application. */
-#define PSA_KEY_ID_USER_MAX ((psa_app_key_id_t)0x3fffffff)
+#define PSA_KEY_ID_USER_MAX ((psa_key_id_t)0x3fffffff)
 /** The minimum value for a key identifier chosen by the implementation. */
-#define PSA_KEY_ID_VENDOR_MIN ((psa_app_key_id_t)0x40000000)
+#define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t)0x40000000)
 /** The maximum value for a key identifier chosen by the implementation. */
-#define PSA_KEY_ID_VENDOR_MAX ((psa_app_key_id_t)0x7fffffff)
+#define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff)
 /**@}*/
diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h
index 258c211af8..56917383cf 100644
--- a/library/psa_crypto_se.h
+++ b/library/psa_crypto_se.h
@@ -51,7 +51,7 @@
 * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE
 * which doesn't have a driver. */
-#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ( (psa_app_key_id_t) 0xfffffe00 )
+#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ( (psa_key_id_t) 0xfffffe00 )
 /** The maximum number of registered secure element driver locations. */
 #define PSA_MAX_SE_DRIVERS 4
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 3600e1a376..a9b8624798 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -166,7 +166,7 @@ exit:
 static int psa_is_key_id_valid( psa_key_file_id_t file_id,
 int vendor_ok )
 {
- psa_app_key_id_t key_id = PSA_KEY_FILE_GET_KEY_ID( file_id );
+ psa_key_id_t key_id = PSA_KEY_FILE_GET_KEY_ID( file_id );
 if( PSA_KEY_ID_USER_MIN <= key_id && key_id <= PSA_KEY_ID_USER_MAX )
 return( 1 );
 else if( vendor_ok &&
@@ -291,14 +291,14 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats )
 ++stats->volatile_slots;
 else if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
 {
- psa_app_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
+ psa_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
 ++stats->persistent_slots;
 if( id > stats->max_open_internal_key_id )
 stats->max_open_internal_key_id = id;
 }
 else
 {
- psa_app_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
+ psa_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
 ++stats->external_slots;
 if( id > stats->max_open_external_key_id )
 stats->max_open_external_key_id = id;
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
index 6fcae272e1..c9270a913c 100644
--- a/library/psa_crypto_storage.h
+++ b/library/psa_crypto_storage.h
@@ -361,7 +361,7 @@ psa_status_t psa_crypto_stop_transaction( void );
 *
 * 0xffffffNN = special file; 0x74 = 't' for transaction.
 */
-#define PSA_CRYPTO_ITS_TRANSACTION_UID ( (psa_app_key_id_t) 0xffffff74 )
+#define PSA_CRYPTO_ITS_TRANSACTION_UID ( (psa_key_id_t) 0xffffff74 )
 #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index e7c26d22ca..992e5dfd0f 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -760,7 +760,7 @@ exit:
 #define MAX_KEY_ID_FOR_TEST 10
 static void psa_purge_storage( void )
 {
- psa_app_key_id_t id;
+ psa_key_id_t id;
 psa_key_location_t location;
 /* The tests may have potentially created key ids from 1 to
 * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
index 618bd15467..8f1f9689b6 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function @@ -89,7 +89,7 @@ static struct #define MAX_KEY_ID_FOR_TEST 10 static void psa_purge_storage( void ) { - psa_app_key_id_t id; + psa_key_id_t id; psa_key_location_t location; /* The tests may have potentially created key ids from 1 to * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id From fa7d7af55d4870be12c8f542796606d794e908da Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 24 Jul 2020 14:50:11 +0200 Subject: [PATCH 04/17] psa: Don't reset the key owner id in psa_set_key_lifetime As a volatile key identifier may have a non-zero owner identifier, don't reset the key owner identifier (if any) when setting a volatile lifetime for a key. Signed-off-by: Ronald Cron --- include/psa/crypto_struct.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 267b0501ac..4e4e9e5044 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -381,7 +381,6 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, { #ifdef MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER attributes->core.id.key_id = 0; - attributes->core.id.owner = 0; #else attributes->core.id = 0; #endif From 72f65fc6e9013980dda082490ba774fc5924cf63 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 1 Sep 2020 15:50:17 +0200 Subject: [PATCH 05/17] psa: Rename pss_key_owner_id_t to mbedtls_key_owner_id_t Rename psa_key_owner_id_t to mbedtls_key_owner_id_t to highlight that this is a Mbed TLS specific type and not a type defined in the PSA Cryptography API specification. Signed-off-by: Ronald Cron --- configs/config-psa-crypto.h | 2 +- include/mbedtls/config.h | 2 +- include/psa/crypto_platform.h | 2 +- include/psa/crypto_types.h | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 70563ae3c7..447284b939 100644 --- a/configs/config-psa-crypto.h 
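Review bot: Removing `attributes->core.id.owner = 0;` from psa_set_key_lifetime() means that, in the owner-encoding build, a key made volatile no longer has an identifier equal to PSA_KEY_ID_INIT; only `key_id` is cleared and a previously set owner survives. Any code that detects "no identifier" by comparing both fields, or that later re-persists attributes and implicitly reuses the inherited owner, should be checked against that weakened invariant; the commit message gives the motivation but the code does not. A comment on the surviving assignment, `/* Only the key id is cleared: a volatile key may still carry its owner. */`, would keep the next reader from "fixing" it back. The function body continues outside the hunk.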
+++ b/configs/config-psa-crypto.h @@ -1150,7 +1150,7 @@ * * This is only meaningful when building the library as part of a * multi-client service. When you activate this option, you must provide - * an implementation of the type psa_key_owner_id_t and a translation + * an implementation of the type mbedtls_key_owner_id_t and a translation * from psa_key_file_id_t to file name in all the storage backends that * you wish to support. * diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 1e6e052756..1209b83406 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1264,7 +1264,7 @@ * * This is only meaningful when building the library as part of a * multi-client service. When you activate this option, you must provide - * an implementation of the type psa_key_owner_id_t and a translation + * an implementation of the type mbedtls_key_owner_id_t and a translation * from psa_key_file_id_t to file name in all the storage backends that * you wish to support. * diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 0bebb08b64..5e6180e364 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -52,7 +52,7 @@ typedef uint16_t psa_key_handle_t; #if defined(PSA_CRYPTO_SECURE) /* Building for the PSA Crypto service on a PSA platform. */ /* A key owner is a PSA partition identifier. */ -typedef int32_t psa_key_owner_id_t; +typedef int32_t mbedtls_key_owner_id_t; #endif #endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index a8becb7b86..753fd304a1 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -262,7 +262,7 @@ static inline psa_key_file_id_t psa_key_file_id_make( typedef struct { psa_key_id_t key_id; - psa_key_owner_id_t owner; + mbedtls_key_owner_id_t owner; } psa_key_file_id_t; #define PSA_KEY_ID_INIT {0, 0} 
@@ -274,7 +274,7 @@ typedef struct * \param key_id Identifier of the key. */ static inline psa_key_file_id_t psa_key_file_id_make( - psa_key_owner_id_t owner_id, psa_key_id_t key_id ) + mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id ) { return( (psa_key_file_id_t){ .key_id = key_id, .owner = owner_id } ); From 71016a9ea7d9a14688b1e0871e4e8d693742854b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 28 Aug 2020 19:01:50 +0200 Subject: [PATCH 06/17] psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain an owner identifier but no file is associated with it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to the Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in the case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make
Signed-off-by: Ronald Cron --- configs/config-psa-crypto.h | 12 +++--- .../mbed-crypto-storage-specification.md | 10 ++--- include/mbedtls/config.h | 12 +++--- include/psa/crypto.h | 11 ++--- include/psa/crypto_platform.h | 4 +- include/psa/crypto_struct.h | 12 +++--- include/psa/crypto_types.h | 41 ++++++++++--------- library/psa_crypto_slot_management.c | 21 +++++----- library/psa_crypto_slot_management.h | 3 +- library/psa_crypto_storage.c | 37 ++++++++--------- library/psa_crypto_storage.h | 6 +-- library/version_features.c | 6 +-- programs/test/query_config.c | 8 ++-- scripts/config.py | 2 +- tests/suites/test_suite_psa_crypto.function | 13 +++--- ...t_suite_psa_crypto_persistent_key.function | 8 ++-- ...st_suite_psa_crypto_se_driver_hal.function | 16 ++++---- ...te_psa_crypto_se_driver_hal_mocks.function | 14 +++---- ..._suite_psa_crypto_slot_management.function | 24 ++++++----- 19 files changed, 131 insertions(+), 129 deletions(-) diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 447284b939..b98fc9cde1 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h 
@@ -1144,20 +1144,20 @@ */ //#define MBEDTLS_ENTROPY_NV_SEED -/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER +/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER * - * In PSA key storage, encode the owner of the key. + * Enable key identifiers that encode a key owner identifier. * * This is only meaningful when building the library as part of a - * multi-client service. When you activate this option, you must provide - * an implementation of the type mbedtls_key_owner_id_t and a translation - * from psa_key_file_id_t to file name in all the storage backends that + * multi-client service. When you activate this option, you must provide an + * implementation of the type mbedtls_key_owner_id_t and a translation from + * mbedtls_svc_key_id_t to file name in all the storage backends that you * you wish to support. * * Note that this option is meant for internal use only and may be removed * without notice. */ -//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER +//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER /** * \def MBEDTLS_MEMORY_DEBUG diff --git a/docs/architecture/mbed-crypto-storage-specification.md b/docs/architecture/mbed-crypto-storage-specification.md index e7315ebc2a..afeb29f4b4 100644 --- a/docs/architecture/mbed-crypto-storage-specification.md +++ b/docs/architecture/mbed-crypto-storage-specification.md 
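Review bot: The reflowed option comment in configs/config-psa-crypto.h now ends one added line with `mbedtls_svc_key_id_t to file name in all the storage backends that you` directly before the unchanged context line `you wish to support.`, so the sentence reads "that you you wish to support"; the include/mbedtls/config.h hunk below has the identical duplication. Dropping the trailing word from the added line, `* mbedtls_svc_key_id_t to file name in all the storage backends that`, fixes both files. Since both copies of this comment are meant to stay in sync, the fix should be applied to both in the same commit.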
@@ -107,14 +107,12 @@ Backward compatibility commitments: TBD ### Key names for 1.0.0 -Information about each key is stored in a dedicated file designated by a _key file identifier_ (`psa_key_file_id_t`). The key file identifier is constructed from the 32-bit key identifier (`psa_key_id_t`) and, if applicable, an identifier of the owner of the key. In integrations where there is no concept of key owner (in particular, in library integrations), the key file identifier is exactly the key identifier. When the library is integrated into a service, the service determines the semantics of the owner identifier. +Information about each key is stored in a dedicated file designated by the key identifier. In integrations where there is no concept of key owner (in particular, in library integrations), the key identifier is exactly the key identifier as defined in the PSA Cryptography API specification (`psa_key_id_t`). In integrations where there is a concept of key owner (integration into a service for example), the key identifier is made of an owner identifier (its semantics and type are integration specific) and of the key identifier (`psa_key_id_t`) from the key owner point of view. -The way in which the file name is constructed from the key file identifier depends on the storage backend. The content of the file is described [below](#key-file-format-for-1.0.0). +The way in which the file name is constructed from the key identifier depends on the storage backend. The content of the file is described [below](#key-file-format-for-1.0.0). -The valid values for a key identifier are the range from 1 to 0xfffeffff. This limitation on the range is not documented in user-facing documentation: according to the user-facing documentation, arbitrary 32-bit values are valid. - -* Library integration: the key file name is just the key identifer. This is a 32-bit value. 
-* PSA service integration: the key file identifier is `(uint32_t)owner_uid << 32 | key_id` where `key_id` is the key identifier specified by the application and `owner_uid` (of type `int32_t`) is the calling partition identifier provided to the server by the partition manager. This is a 64-bit value. +* Library integration: the key file name is just the key identifier as defined in the PSA crypto specification. This is a 32-bit value. +* PSA service integration: the key file name is `(uint32_t)owner_uid << 32 | key_id` where `key_id` is the key identifier from the owner point of view and `owner_uid` (of type `int32_t`) is the calling partition identifier provided to the server by the partition manager. This is a 64-bit value. ### Key file format for 1.0.0 diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 1209b83406..496ebe968c 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1258,20 +1258,20 @@ */ //#define MBEDTLS_ENTROPY_NV_SEED -/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER +/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER * - * In PSA key storage, encode the owner of the key. + * Enable key identifiers that encode a key owner identifier. * * This is only meaningful when building the library as part of a - * multi-client service. When you activate this option, you must provide - * an implementation of the type mbedtls_key_owner_id_t and a translation - * from psa_key_file_id_t to file name in all the storage backends that + * multi-client service. When you activate this option, you must provide an + * implementation of the type mbedtls_key_owner_id_t and a translation from + * mbedtls_svc_key_id_t to file name in all the storage backends that you * you wish to support. * * Note that this option is meant for internal use only and may be removed * without notice. */ -//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER +//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER /** * \def MBEDTLS_MEMORY_DEBUG 
diff --git a/include/psa/crypto.h b/include/psa/crypto.h index c8eb08bd01..5ba16b987f 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -149,8 +149,8 @@ static psa_key_attributes_t psa_key_attributes_init(void); * \param[out] attributes The attribute structure to write to. * \param key The persistent identifier for the key. */ -static void psa_set_key_id(psa_key_attributes_t *attributes, - psa_key_file_id_t key); +static void psa_set_key_id( psa_key_attributes_t *attributes, + mbedtls_svc_key_id_t key ); /** Set the location of a persistent key. * @@ -192,7 +192,8 @@ static void psa_set_key_lifetime(psa_key_attributes_t *attributes, * This value is unspecified if the attribute structure declares * the key as volatile. */ -static psa_key_file_id_t psa_get_key_id(const psa_key_attributes_t *attributes); +static mbedtls_svc_key_id_t psa_get_key_id( + const psa_key_attributes_t *attributes); /** Retrieve the lifetime from key attributes. * @@ -437,8 +438,8 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes); * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_open_key(psa_key_file_id_t key, psa_key_handle_t *handle); - +psa_status_t psa_open_key( mbedtls_svc_key_id_t key, + psa_key_handle_t *handle ); /** Close a key handle. * diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 5e6180e364..aa55aea478 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -47,7 +47,7 @@ /* Integral type representing a key handle. */ typedef uint16_t psa_key_handle_t; -#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) +#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) #if defined(PSA_CRYPTO_SECURE) /* Building for the PSA Crypto service on a PSA platform. */ 
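Review bot: The psa_open_key() hunk drops the blank line that separated the prototype from the following `/** Close a key handle.` block, so the next function's documentation now abuts the previous declaration; keeping an empty line after `psa_key_handle_t *handle );` preserves the header's one-blank-line-between-declarations layout. The three reworked prototypes in this file also mix styles: `psa_set_key_id( psa_key_attributes_t *attributes,` and `psa_open_key( mbedtls_svc_key_id_t key,` pad the parentheses with spaces while `const psa_key_attributes_t *attributes);` does not, and one form should be used for all of them.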
@@ -55,6 +55,6 @@ typedef uint16_t psa_key_handle_t;
 typedef int32_t mbedtls_key_owner_id_t;
 #endif
-#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
 #endif /* PSA_CRYPTO_PLATFORM_H */
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 4e4e9e5044..065c6b1463 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -330,12 +330,12 @@ typedef struct
 psa_key_type_t type;
 psa_key_bits_t bits;
 psa_key_lifetime_t lifetime;
- psa_key_file_id_t id;
+ mbedtls_svc_key_id_t id;
 psa_key_policy_t policy;
 psa_key_attributes_flag_t flags;
 } psa_core_key_attributes_t;
-#define PSA_CORE_KEY_ATTRIBUTES_INIT {PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, PSA_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0}
+#define PSA_CORE_KEY_ATTRIBUTES_INIT {PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, MBEDTLS_SVC_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0}
 struct psa_key_attributes_s
 {
@@ -359,15 +359,15 @@ static inline struct psa_key_attributes_s psa_key_attributes_init( void )
 return( v );
 }
-static inline void psa_set_key_id(psa_key_attributes_t *attributes,
- psa_key_file_id_t key)
+static inline void psa_set_key_id( psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t key )
 {
 attributes->core.id = key;
 if( attributes->core.lifetime == PSA_KEY_LIFETIME_VOLATILE )
 attributes->core.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
 }
-static inline psa_key_file_id_t psa_get_key_id(
+static inline mbedtls_svc_key_id_t psa_get_key_id(
 const psa_key_attributes_t *attributes)
 {
 return( attributes->core.id );
@@ -379,7 +379,7 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
 attributes->core.lifetime = lifetime;
 if( lifetime == PSA_KEY_LIFETIME_VOLATILE )
 {
-#ifdef MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
 attributes->core.id.key_id = 0;
 #else
 attributes->core.id = 0;
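Review bot: The psa_set_key_lifetime() hunk in crypto_struct.h keeps the option test as `#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER`, while the crypto_platform.h and crypto_types.h hunks of this same commit test it with `#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)`; since the line is rewritten anyway, using the `#if defined(...)` form here keeps the option spelled one way across the public headers. The function body continues outside the hunk.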
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 753fd304a1..fb61e9a8ff 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -130,7 +130,7 @@ typedef uint32_t psa_algorithm_t; * implementation-specific device management event occurs (for example, * a factory reset). * - * Persistent keys have a key identifier of type #psa_key_file_id_t. + * Persistent keys have a key identifier of type #mbedtls_svc_key_id_t. * This identifier remains valid throughout the lifetime of the key, * even if the application instance that created the key terminates. * The application can call psa_open_key() to open a persistent key that @@ -235,17 +235,18 @@ typedef uint32_t psa_key_location_t; */ typedef uint32_t psa_key_id_t; -#if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) -typedef psa_key_id_t psa_key_file_id_t; -#define PSA_KEY_ID_INIT 0 -#define PSA_KEY_FILE_GET_KEY_ID( id ) ( id ) +#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) +typedef psa_key_id_t mbedtls_svc_key_id_t; -/** Utility to initialize a key file identifier at runtime. +#define MBEDTLS_SVC_KEY_ID_INIT ( (psa_key_id_t)0 ) +#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( id ) + +/** Utility to initialize a key identifier at runtime. * * \param unused Unused parameter. * \param key_id Identifier of the key. */ -static inline psa_key_file_id_t psa_key_file_id_make( +static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( unsigned int unused, psa_key_id_t key_id ) { (void)unused; 
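Review bot: In the non-owner branch of crypto_types.h the Doxygen block of mbedtls_svc_key_id_make() documents its first parameter only as `\param unused Unused parameter.`, which leaves a reader wondering why a key-id constructor takes an argument it ignores; the hunk shows the owner-encoding variant takes `mbedtls_key_owner_id_t owner_id` in the same position, so the parameter is presumably there to keep one call shape in both builds. Stating that, e.g. `\param unused Ignored; present so that callers can pass an owner id unconditionally in both builds.`, would make the contract self-explanatory. The function body continues in the next hunk.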
@@ -253,34 +254,34 @@ static inline psa_key_file_id_t psa_key_file_id_make( return( key_id ); } -#else /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ -/* Implementation-specific: The Mbed Crypto library can be built as - * part of a multi-client service that exposes the PSA Crypto API in each - * client and encodes the client identity in the key id argument of functions - * such as psa_open_key(). +#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ +/* Implementation-specific: The Mbed Cryptography library can be built as + * part of a multi-client service that exposes the PSA Cryptograpy API in each + * client and encodes the client identity in the key identifier argument of + * functions such as psa_open_key(). */ typedef struct { psa_key_id_t key_id; mbedtls_key_owner_id_t owner; -} psa_key_file_id_t; +} mbedtls_svc_key_id_t; -#define PSA_KEY_ID_INIT {0, 0} -#define PSA_KEY_FILE_GET_KEY_ID( file_id ) ( ( file_id ).key_id ) +#define MBEDTLS_SVC_KEY_ID_INIT ( (mbedtls_svc_key_id_t){ 0, 0 } ) +#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( ( id ).key_id ) -/** Utility to initialize a key file identifier at runtime. +/** Utility to initialize a key identifier at runtime. * * \param owner_id Identifier of the key owner. * \param key_id Identifier of the key. */ -static inline psa_key_file_id_t psa_key_file_id_make( +static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id ) { - return( (psa_key_file_id_t){ .key_id = key_id, - .owner = owner_id } ); + return( (mbedtls_svc_key_id_t){ .key_id = key_id, + .owner = owner_id } ); } -#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ +#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ /**@}*/ diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index a9b8624798..e5265604c1 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c 
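Review bot: `MBEDTLS_SVC_KEY_ID_INIT` in the owner-encoding branch becomes a compound literal, `( (mbedtls_svc_key_id_t){ 0, 0 } )`, whereas the `{0, 0}` it replaces was a plain brace initializer; a compound literal is not a constant expression in C99/C11, so any object with static storage duration initialized through PSA_CORE_KEY_ATTRIBUTES_INIT, which embeds this macro in the crypto_struct.h hunk above, would be rejected by a strict compiler even though GCC accepts it as an extension. If static initialization with PSA_KEY_ATTRIBUTES_INIT is possible anywhere in the tree, keeping the brace form, `#define MBEDTLS_SVC_KEY_ID_INIT { 0, 0 }`, or providing a separate brace-list macro for initializer contexts avoids the portability hazard; the non-owner branch's `( (psa_key_id_t)0 )` has no such problem. The moved comment also misspells "Cryptography" in `part of a multi-client service that exposes the PSA Cryptograpy API in each`.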
@@ -157,16 +157,15 @@ exit: * past released version must remain valid, unless a migration path * is provided. * - * \param file_id The key identifier to check. - * \param vendor_ok Nonzero to allow key ids in the vendor range. - * 0 to allow only key ids in the application range. + * \param key The key identifier to check. + * \param vendor_ok Nonzero to allow key ids in the vendor range. + * 0 to allow only key ids in the application range. * - * \return 1 if \p file_id is acceptable, otherwise 0. + * \return 1 if \p key is acceptable, otherwise 0. */ -static int psa_is_key_id_valid( psa_key_file_id_t file_id, - int vendor_ok ) +static int psa_is_key_id_valid( mbedtls_svc_key_id_t key, int vendor_ok ) { - psa_key_id_t key_id = PSA_KEY_FILE_GET_KEY_ID( file_id ); + psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ); if( PSA_KEY_ID_USER_MIN <= key_id && key_id <= PSA_KEY_ID_USER_MAX ) return( 1 ); else if( vendor_ok && @@ -204,7 +203,7 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime, } psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime, - psa_key_file_id_t key ) + mbedtls_svc_key_id_t key ) { if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) { @@ -227,7 +226,7 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime, } } -psa_status_t psa_open_key( psa_key_file_id_t key, psa_key_handle_t *handle ) +psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle ) { #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) psa_status_t status; 
@@ -291,14 +290,14 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats )
 ++stats->volatile_slots;
 else if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
 {
- psa_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id );
 ++stats->persistent_slots;
 if( id > stats->max_open_internal_key_id )
 stats->max_open_internal_key_id = id;
 }
 else
 {
- psa_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id );
 ++stats->external_slots;
 if( id > stats->max_open_external_key_id )
 stats->max_open_external_key_id = id;
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index 58e7f7cb6f..c6fecbb7ae 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -120,7 +120,6 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
 * \retval #PSA_ERROR_INVALID_ARGUMENT
 */
 psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
- psa_key_file_id_t key );
-
+ mbedtls_svc_key_id_t key );
 #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index 18889a17e2..b94cfd0f09 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -55,27 +55,27 @@ /* Key storage */ /****************************************************************/ -/* Determine a file name (ITS file identifier) for the given key file - * identifier. The file name must be distinct from any file that is used - * for a purpose other than storing a key. Currently, the only such file - * is the random seed file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID - * and whose value is 0xFFFFFF52. */ -static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id ) +/* Determine a file name (ITS file identifier) for the given key identifier. + * The file name must be distinct from any file that is used for a purpose + * other than storing a key. Currently, the only such file is the random seed + * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is + * 0xFFFFFF52. */ +static psa_storage_uid_t psa_its_identifier_of_slot( mbedtls_svc_key_id_t key ) { -#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) && \ +#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \ defined(PSA_CRYPTO_SECURE) /* Encode the owner in the upper 32 bits. This means that if * owner values are nonzero (as they are on a PSA platform), * no key file will ever have a value less than 0x100000000, so * the whole range 0..0xffffffff is available for non-key files. */ - uint32_t unsigned_owner = (uint32_t) file_id.owner; - return( (uint64_t) unsigned_owner << 32 | file_id.key_id ); + uint32_t unsigned_owner = (uint32_t) key.owner; + return( (uint64_t) unsigned_owner << 32 | key.key_id ); #else /* Use the key id directly as a file name. - * psa_is_key_file_id_valid() in psa_crypto_slot_management.c + * psa_is_key_id_valid() in psa_crypto_slot_management.c * is responsible for ensuring that key identifiers do not have a * value that is reserved for non-key files. */ - return( file_id ); + return( key ); #endif } 
@@ -94,9 +94,8 @@ static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id ) * \retval PSA_ERROR_STORAGE_FAILURE * \retval PSA_ERROR_DOES_NOT_EXIST */ -static psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, - uint8_t *data, - size_t data_size ) +static psa_status_t psa_crypto_storage_load( + const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size ) { psa_status_t status; psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); @@ -114,7 +113,7 @@ static psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, return( status ); } -int psa_is_key_present_in_storage( const psa_key_file_id_t key ) +int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key ) { psa_status_t ret; psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); @@ -143,7 +142,7 @@ int psa_is_key_present_in_storage( const psa_key_file_id_t key ) * \retval PSA_ERROR_STORAGE_FAILURE * \retval PSA_ERROR_ALREADY_EXISTS */ -static psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key, +static psa_status_t psa_crypto_storage_store( const mbedtls_svc_key_id_t key, const uint8_t *data, size_t data_length ) { @@ -184,7 +183,7 @@ exit: return( status ); } -psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key ) +psa_status_t psa_destroy_persistent_key( const mbedtls_svc_key_id_t key ) { psa_status_t ret; psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); @@ -215,7 +214,7 @@ psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key ) * \retval PSA_ERROR_STORAGE_FAILURE */ static psa_status_t psa_crypto_storage_get_data_length( - const psa_key_file_id_t key, + const mbedtls_svc_key_id_t key, size_t *data_length ) { psa_status_t status; 
@@ -394,7 +393,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr, psa_status_t status = PSA_SUCCESS; uint8_t *loaded_data; size_t storage_data_length = 0; - psa_key_file_id_t key = attr->id; + mbedtls_svc_key_id_t key = attr->id; status = psa_crypto_storage_get_data_length( key, &storage_data_length ); if( status != PSA_SUCCESS ) diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h index c9270a913c..de845a7488 100644 --- a/library/psa_crypto_storage.h +++ b/library/psa_crypto_storage.h @@ -72,7 +72,7 @@ extern "C" { * \retval 1 * Persistent data present for slot number */ -int psa_is_key_present_in_storage( const psa_key_file_id_t key ); +int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key ); /** * \brief Format key data and metadata and save to a location for given key @@ -141,7 +141,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr, * or the key did not exist. * \retval PSA_ERROR_STORAGE_FAILURE */ -psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key ); +psa_status_t psa_destroy_persistent_key( const mbedtls_svc_key_id_t key ); /** * \brief Free the temporary buffer allocated by psa_load_persistent_key(). @@ -292,7 +292,7 @@ typedef union uint16_t unused1; psa_key_lifetime_t lifetime; psa_key_slot_number_t slot; - psa_key_file_id_t id; + mbedtls_svc_key_id_t id; } key; } psa_crypto_transaction_t; diff --git a/library/version_features.c b/library/version_features.c index d2840fa3cd..80263f75f4 100644 --- a/library/version_features.c +++ b/library/version_features.c 
@@ -417,9 +417,9 @@ static const char * const features[] = { #if defined(MBEDTLS_ENTROPY_NV_SEED) "MBEDTLS_ENTROPY_NV_SEED", #endif /* MBEDTLS_ENTROPY_NV_SEED */ -#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) - "MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER", -#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ +#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) + "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER", +#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ #if defined(MBEDTLS_MEMORY_DEBUG) "MBEDTLS_MEMORY_DEBUG", #endif /* MBEDTLS_MEMORY_DEBUG */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index f4c14d6cb1..fd3b8265d8 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1168,13 +1168,13 @@ int query_config( const char *config ) } #endif /* MBEDTLS_ENTROPY_NV_SEED */ -#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) - if( strcmp( "MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER", config ) == 0 ) +#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) + if( strcmp( "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER", config ) == 0 ) { - MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER ); + MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER ); return( 0 ); } -#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */ +#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ #if defined(MBEDTLS_MEMORY_DEBUG) if( strcmp( "MBEDTLS_MEMORY_DEBUG", config ) == 0 ) diff --git a/scripts/config.py b/scripts/config.py index 703e6e906c..508dac6e13 100755 --- a/scripts/config.py +++ b/scripts/config.py 
@@ -184,7 +184,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper) 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature - 'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER', # platform dependency (PSA SPM) (at this time) + 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # platform dependency (PSA SPM) (at this time) 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM) 'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions) 'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index af7a22133d..3f34211d68 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -233,7 +233,7 @@ int check_key_attributes_sanity( psa_key_handle_t key ) int ok = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_lifetime_t lifetime; - psa_key_file_id_t id; + mbedtls_svc_key_id_t id; psa_key_type_t type; psa_key_type_t bits; @@ -1326,7 +1326,7 @@ void attributes_set_get( int id_arg, int lifetime_arg, int type_arg, int bits_arg ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); psa_key_lifetime_t lifetime = lifetime_arg; psa_key_usage_t usage_flags = usage_flags_arg; psa_algorithm_t alg = alg_arg; 
@@ -1370,10 +1370,11 @@ void persistence_attributes( int id1_arg, int lifetime_arg, int id2_arg, int expected_id_arg, int expected_lifetime_arg ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_file_id_t id1 = psa_key_file_id_make( 1, id1_arg ); + mbedtls_svc_key_id_t id1 = mbedtls_svc_key_id_make( 1, id1_arg ); psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_file_id_t id2 = psa_key_file_id_make( 1, id2_arg ); - psa_key_file_id_t expected_id = psa_key_file_id_make( 1, expected_id_arg ); + mbedtls_svc_key_id_t id2 = mbedtls_svc_key_id_make( 1, id2_arg ); + mbedtls_svc_key_id_t expected_id = + mbedtls_svc_key_id_make( 1, expected_id_arg ); psa_key_lifetime_t expected_lifetime = expected_lifetime_arg; if( id1_arg != -1 ) @@ -5584,7 +5585,7 @@ void persistent_key_load_key_from_storage( data_t *data, int usage_flags_arg, int alg_arg, int generation_method ) { - psa_key_file_id_t key_id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_handle_t handle = 0; psa_key_handle_t base_key = 0; diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function index 43cc5df5f3..ffb4f461c8 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.function +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -112,7 +112,7 @@ exit: /* BEGIN_CASE */ void save_large_persistent_key( int data_length_arg, int expected_status ) { - psa_key_file_id_t key_id = psa_key_file_id_make( 1, 42 ); + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 42 ); psa_key_handle_t handle = 0; uint8_t *data = NULL; size_t data_length = data_length_arg; 
@@ -143,7 +143,7 @@ void persistent_key_destroy( int key_id_arg, int restart, int first_type_arg, data_t *first_data, int second_type_arg, data_t *second_data ) { - psa_key_file_id_t key_id = psa_key_file_id_make( 1, key_id_arg ); + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, key_id_arg ); psa_key_handle_t handle = 0; psa_key_type_t first_type = (psa_key_type_t) first_type_arg; psa_key_type_t second_type = (psa_key_type_t) second_type_arg; @@ -196,7 +196,7 @@ exit: void persistent_key_import( int key_id_arg, int type_arg, data_t *data, int restart, int expected_status ) { - psa_key_file_id_t key_id = psa_key_file_id_make( 1, key_id_arg ); + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, key_id_arg ); psa_key_type_t type = (psa_key_type_t) type_arg; psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -245,7 +245,7 @@ void import_export_persistent_key( data_t *data, int type_arg, int expected_bits, int restart, int key_not_exist ) { - psa_key_file_id_t key_id = psa_key_file_id_make( 1, 42 ); + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 42 ); psa_key_type_t type = (psa_key_type_t) type_arg; psa_key_handle_t handle = 0; unsigned char *exported = NULL; diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index 992e5dfd0f..d117738b75 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function 
@@ -766,7 +766,7 @@ static void psa_purge_storage( void ) * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id * 0, which file-based storage uses as a temporary file. */ for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ ) - psa_destroy_persistent_key( psa_key_file_id_make( 1, id ) ); + psa_destroy_persistent_key( mbedtls_svc_key_id_make( 1, id ) ); /* Purge the transaction file. */ psa_crypto_stop_transaction( ); /* Purge driver persistent data. */ @@ -853,7 +853,7 @@ void key_creation_import_export( int lifetime_arg, int min_slot, int restart ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = (psa_key_lifetime_t) lifetime_arg; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -985,7 +985,7 @@ void key_creation_in_chosen_slot( int slot_arg, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -1067,7 +1067,7 @@ void import_key_smoke( int type_arg, int alg_arg, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 
@@ -1139,7 +1139,7 @@ void generate_key_not_supported( int type_arg, int bits_arg ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1178,7 +1178,7 @@ void generate_key_smoke( int type_arg, int bits_arg, int alg_arg ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1258,7 +1258,7 @@ void sign_verify( int flow, psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t drv_handle = 0; /* key managed by the driver */ psa_key_handle_t sw_handle = 0; /* transparent key */ psa_key_attributes_t sw_attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1420,7 +1420,7 @@ void register_key_smoke_test( int lifetime_arg, psa_drv_se_t driver; psa_drv_se_key_management_t key_management; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); size_t bit_size = 48; psa_key_slot_number_t wanted_slot = 0x123456789; psa_key_handle_t handle = 0; 
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function index 8f1f9689b6..c4c89cd65c 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function @@ -95,7 +95,7 @@ static void psa_purge_storage( void ) * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id * 0, which file-based storage uses as a temporary file. */ for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ ) - psa_destroy_persistent_key( psa_key_file_id_make( 1, id ) ); + psa_destroy_persistent_key( mbedtls_svc_key_id_make( 1, id ) ); /* Purge the transaction file. */ psa_crypto_stop_transaction( ); /* Purge driver persistent data. */ @@ -330,7 +330,7 @@ void mock_import( int mock_alloc_return_value, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -387,7 +387,7 @@ void mock_export( int mock_export_return_value, int expected_result ) psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; 
@@ -441,7 +441,7 @@ void mock_generate( int mock_alloc_return_value, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -496,7 +496,7 @@ void mock_export_public( int mock_export_public_return_value, psa_drv_se_key_management_t key_management; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -546,7 +546,7 @@ void mock_sign( int mock_sign_return_value, int expected_result ) psa_drv_se_asymmetric_t asymmetric; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; @@ -607,7 +607,7 @@ void mock_verify( int mock_verify_return_value, int expected_result ) psa_drv_se_asymmetric_t asymmetric; psa_key_lifetime_t lifetime = TEST_SE_PERSISTENT_LIFETIME; psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( lifetime ); - psa_key_file_id_t id = psa_key_file_id_make( 1, 1 ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, 1 ); psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const uint8_t key_material[3] = {0xfa, 0xca, 0xde}; 
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function index bd15865cbf..bc6ecdaece 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.function +++ b/tests/suites/test_suite_psa_crypto_slot_management.function @@ -34,11 +34,11 @@ typedef enum * code. */ #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) -static psa_key_file_id_t key_ids_used_in_test[9]; +static mbedtls_svc_key_id_t key_ids_used_in_test[9]; static size_t num_key_ids_used; /* Record a key id as potentially used in a test case. */ -static int test_uses_key_id( psa_key_file_id_t key_id ) +static int test_uses_key_id( mbedtls_svc_key_id_t key_id ) { size_t i; if( key_id > PSA_MAX_PERSISTENT_KEY_IDENTIFIER ) @@ -178,7 +178,7 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, int close_method_arg ) { psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); psa_algorithm_t alg = alg_arg; psa_algorithm_t alg2 = alg2_arg; psa_key_usage_t usage_flags = usage_arg; @@ -296,7 +296,7 @@ void create_existent( int lifetime_arg, int id_arg, int reopen_policy_arg ) { psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); psa_key_handle_t handle1 = 0, handle2 = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t type1 = PSA_KEY_TYPE_RAW_DATA; @@ -363,7 +363,7 @@ exit: void open_fail( int id_arg, int expected_status_arg ) { - psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); psa_status_t expected_status = expected_status_arg; psa_key_handle_t handle = 0xdead; 
@@ -382,7 +382,7 @@ void create_fail( int lifetime_arg, int id_arg, int expected_status_arg ) { psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_file_id_t id = psa_key_file_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_status_t expected_status = expected_status_arg; psa_key_handle_t handle = 0xdead; @@ -420,14 +420,16 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg, int expected_alg_arg, int expected_alg2_arg ) { psa_key_lifetime_t source_lifetime = source_lifetime_arg; - psa_key_file_id_t source_id = psa_key_file_id_make( 1, source_id_arg ); + mbedtls_svc_key_id_t source_id = + mbedtls_svc_key_id_make( 1, source_id_arg ); psa_key_usage_t source_usage = source_usage_arg; psa_algorithm_t source_alg = source_alg_arg; psa_key_handle_t source_handle = 0; psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t source_type = type_arg; psa_key_lifetime_t target_lifetime = target_lifetime_arg; - psa_key_file_id_t target_id = psa_key_file_id_make( 1, target_id_arg ); + mbedtls_svc_key_id_t target_id = + mbedtls_svc_key_id_make( 1, target_id_arg ); psa_key_usage_t target_usage = target_usage_arg; psa_algorithm_t target_alg = target_alg_arg; psa_key_handle_t target_handle = 0; 
@@ -534,13 +536,15 @@ void copy_to_occupied( int source_lifetime_arg, int source_id_arg, int target_type_arg, data_t *target_material ) { psa_key_lifetime_t source_lifetime = source_lifetime_arg; - psa_key_file_id_t source_id = psa_key_file_id_make( 1, source_id_arg ); + mbedtls_svc_key_id_t source_id = + mbedtls_svc_key_id_make( 1, source_id_arg ); psa_key_usage_t source_usage = source_usage_arg; psa_algorithm_t source_alg = source_alg_arg; psa_key_handle_t source_handle = 0; psa_key_type_t source_type = source_type_arg; psa_key_lifetime_t target_lifetime = target_lifetime_arg; - psa_key_file_id_t target_id = psa_key_file_id_make( 1, target_id_arg ); + mbedtls_svc_key_id_t target_id = + mbedtls_svc_key_id_make( 1, target_id_arg ); psa_key_usage_t target_usage = target_usage_arg; psa_algorithm_t target_alg = target_alg_arg; psa_key_handle_t target_handle = 0; From 2647b68dde08e411f2f4e966c47f4cf44bf9c28d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 29 Jul 2020 10:25:02 +0200 Subject: [PATCH 07/17] Set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER in full configuration Enable key identifiers encoding owner identifier in the full configuration. With this change the unit tests on the full configuration are failing. The following commit do the necessary changes to the PSA code and test code for the tests to pass with this configuration option enabled. Signed-off-by: Ronald Cron --- scripts/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config.py b/scripts/config.py index 508dac6e13..47a83558bf 100755 --- a/scripts/config.py +++ b/scripts/config.py 
@@ -184,7 +184,6 @@ EXCLUDE_FROM_FULL = frozenset([
 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
 'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
- 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # platform dependency (PSA SPM) (at this time)
 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
 'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)
 'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature
@@ -248,6 +247,7 @@ EXCLUDE_FROM_BAREMETAL = frozenset([
 'MBEDTLS_PLATFORM_TIME_ALT', # requires a clock and HAVE_TIME
 'MBEDTLS_PSA_CRYPTO_SE_C', # requires a filesystem and PSA_CRYPTO_STORAGE_C
 'MBEDTLS_PSA_CRYPTO_STORAGE_C', # requires a filesystem
+ 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # requires a multi-client service
 'MBEDTLS_PSA_ITS_FILE_C', # requires a filesystem
 'MBEDTLS_THREADING_C', # requires a threading interface
 'MBEDTLS_THREADING_PTHREAD', # requires pthread
From ecfb237f233a11f347cb95497cf31d97ccc7db5a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 23 Jul 2020 17:13:42 +0200 Subject: [PATCH 08/17] Fix PSA code and unit tests Fix PSA code and unit tests for the unit tests to pass with key identifiers encoding owner identifiers. The changes in PSA code just make the enablement of key identifiers encoding owner identifiers platform independent. Previous to this commit, such key identifiers were used only in the case of PSA SPM platforms.
Signed-off-by: Ronald Cron --- include/psa/crypto_platform.h | 20 ++++++- include/psa/crypto_types.h | 29 ++++++++++ library/psa_crypto_storage.c | 3 +- tests/suites/test_suite_psa_crypto.data | 10 ++-- tests/suites/test_suite_psa_crypto.function | 47 ++++++++++----- ...t_suite_psa_crypto_persistent_key.function | 6 +- ...st_suite_psa_crypto_se_driver_hal.function | 6 +- ...te_psa_crypto_se_driver_hal_mocks.function | 34 +++++++++-- ..._suite_psa_crypto_slot_management.function | 57 ++++++++++++------- 9 files changed, 159 insertions(+), 53 deletions(-) diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index aa55aea478..4e2f162ea3 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -44,16 +44,32 @@ /* PSA requires several types which C99 provides in stdint.h. */ #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + /* Integral type representing a key handle. */ typedef uint16_t psa_key_handle_t; #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) -#if defined(PSA_CRYPTO_SECURE) /* Building for the PSA Crypto service on a PSA platform. */ /* A key owner is a PSA partition identifier. */ typedef int32_t mbedtls_key_owner_id_t; -#endif + +/** Compare two key owner identifiers. + * + * \param id1 First key owner identifier. + * \param id2 Second key owner identifier. + * + * \return Non-zero if the two key owner identifiers are equal, zero otherwise. + */ +static inline int mbedtls_key_owner_id_equal( mbedtls_key_owner_id_t id1, + mbedtls_key_owner_id_t id2 ) +{ + return( id1 == id2 ); +} #endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index fb61e9a8ff..864e937889 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h 
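Review bot: With the `PSA_CRYPTO_SECURE` guard removed, `mbedtls_key_owner_id_t` is now defined whenever MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is set, yet the comment kept above it still reads "Building for the PSA Crypto service on a PSA platform. A key owner is a PSA partition identifier", which the commit message itself says is no longer the only case. I would reword it to `/* A key owner identifier. On a PSA platform this is a PSA partition identifier; elsewhere the multi-client service that embeds the library assigns owner values. */` (the second half is my reading of the commit message, please confirm). Separately, the new `#define inline __inline` redefines a keyword for every translation unit that includes this public header on MSVC/ARMCC; if that mirrors what other Mbed TLS headers already do a one-line comment pointing to that precedent would make the intent clear.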
@@ -240,6 +240,7 @@ typedef psa_key_id_t mbedtls_svc_key_id_t; #define MBEDTLS_SVC_KEY_ID_INIT ( (psa_key_id_t)0 ) #define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( id ) +#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( 0 ) /** Utility to initialize a key identifier at runtime. * @@ -254,6 +255,19 @@ static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( return( key_id ); } +/** Compare two key identifiers. + * + * \param id1 First key identifier. + * \param id2 Second key identifier. + * + * \return Non-zero if the two key identifier are equal, zero otherwise. + */ +static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1, + mbedtls_svc_key_id_t id2 ) +{ + return( id1 == id2 ); +} + #else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ /* Implementation-specific: The Mbed Cryptography library can be built as * part of a multi-client service that exposes the PSA Cryptograpy API in each @@ -268,6 +282,7 @@ typedef struct #define MBEDTLS_SVC_KEY_ID_INIT ( (mbedtls_svc_key_id_t){ 0, 0 } ) #define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( ( id ).key_id ) +#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( ( id ).owner ) /** Utility to initialize a key identifier at runtime. * @@ -281,6 +296,20 @@ static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( .owner = owner_id } ); } +/** Compare two key identifiers. + * + * \param id1 First key identifier. + * \param id2 Second key identifier. + * + * \return Non-zero if the two key identifier are equal, zero otherwise. + */ +static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1, + mbedtls_svc_key_id_t id2 ) +{ + return( ( id1.key_id == id2.key_id ) && + mbedtls_key_owner_id_equal( id1.owner, id2.owner ) ); +} + #endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ /**@}*/ diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index b94cfd0f09..e48bc282f8 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c 
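Review bot: In the single-owner branch `MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id )` expands to `( 0 )` without mentioning `id`, so the argument is never evaluated; a caller that computes a key id only to feed it to this macro gets an unused-variable warning in this build but not in the owner-encoding build, and any side effect in the argument silently disappears. Unless the macro is needed in constant-expression contexts, `( ( (void) ( id ) ), 0 )` keeps the argument evaluated in both configurations and the return type consistent with the `( ( id ).owner )` form below it. Both new docstrings also say "the two key identifier are equal"; it should read `\return Non-zero if the two key identifiers are equal, zero otherwise.`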
@@ -62,8 +62,7 @@ * 0xFFFFFF52. */ static psa_storage_uid_t psa_its_identifier_of_slot( mbedtls_svc_key_id_t key ) { -#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \ - defined(PSA_CRYPTO_SECURE) +#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) /* Encode the owner in the upper 32 bits. This means that if * owner values are nonzero (as they are on a PSA platform), * no key file will ever have a value less than 0x100000000, so diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index cd26017962..723eebf0f3 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -5,19 +5,19 @@ PSA key attributes structure attributes_set_get:0x6963:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:128 PSA key attributes: id only -persistence_attributes:0x1234:-1:-1:0x1234:PSA_KEY_LIFETIME_PERSISTENT +persistence_attributes:0x1234:0x5678:-1:-1:0:0x1234:0x5678:PSA_KEY_LIFETIME_PERSISTENT PSA key attributes: lifetime=3 only -persistence_attributes:-1:3:-1:0:3 +persistence_attributes:-1:0:3:-1:0:0:0:3 PSA key attributes: id then back to volatile -persistence_attributes:0x1234:PSA_KEY_LIFETIME_VOLATILE:-1:0:PSA_KEY_LIFETIME_VOLATILE +persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_VOLATILE:-1:0:0:0x5678:PSA_KEY_LIFETIME_VOLATILE PSA key attributes: id then lifetime -persistence_attributes:0x1234:3:-1:0x1234:3 +persistence_attributes:0x1234:0x5678:3:-1:0:0x1234:0x5678:3 PSA key attributes: lifetime then id -persistence_attributes:0x1234:3:0x1235:0x1235:3 +persistence_attributes:0x1234:0x5678:3:0x1235:0x5679:0x1235:0x5679:3 PSA key attributes: slot number slot_number_attribute: diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 3f34211d68..3e3a7a268e 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
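Review bot: Dropping the `PSA_CRYPTO_SECURE` condition makes the owner-encoding branch reachable on non-PSA platforms, but the comment kept above it still justifies the uid layout by "owner values are nonzero (as they are on a PSA platform)"; nothing in this hunk rejects an owner of 0, and the test changes in this series build ids with `mbedtls_svc_key_id_make( 1, ... )` by convention only. With owner 0 the uid collapses to the bare key id, so the claim that the whole 0..0xffffffff range stays free for non-key files (including the random seed uid 0xFFFFFF52) no longer holds on its own; it then rests on `psa_is_key_id_valid()` keeping key ids away from reserved values, as the `#else` branch comment already says. I would update the comment to `/* Encode the owner in the upper 32 bits. With a nonzero owner no key file uid is below 0x100000000; with owner 0 the uid is the bare key id, so, as in the non-owner build, psa_is_key_id_valid() must keep key ids away from uids reserved for non-key files. */`. The body of psa_its_identifier_of_slot continues past the end of the hunk.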
@@ -245,12 +245,12 @@ int check_key_attributes_sanity( psa_key_handle_t key ) /* Persistence */ if( lifetime == PSA_KEY_LIFETIME_VOLATILE ) - TEST_ASSERT( id == 0 ); + TEST_ASSERT( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) == 0 ); else { TEST_ASSERT( - ( PSA_KEY_ID_USER_MIN <= id && id <= PSA_KEY_ID_USER_MAX ) || - ( PSA_KEY_ID_USER_MIN <= id && id <= PSA_KEY_ID_USER_MAX ) ); + ( PSA_KEY_ID_USER_MIN <= MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ) && + ( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) <= PSA_KEY_ID_USER_MAX ) ); } #if defined(MBEDTLS_PSA_CRYPTO_SE_C) /* randomly-generated 64-bit constant, should never appear in test data */ @@ -1178,17 +1178,21 @@ static psa_key_usage_t usage_to_exercise( psa_key_type_t type, static int test_operations_on_invalid_handle( psa_key_handle_t handle ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, 0x6964 ); uint8_t buffer[1]; size_t length; int ok = 0; - psa_set_key_id( &attributes, 0x6964 ); + psa_set_key_id( &attributes, key_id ); psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); psa_set_key_algorithm( &attributes, PSA_ALG_CTR ); psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); TEST_EQUAL( psa_get_key_attributes( handle, &attributes ), PSA_ERROR_INVALID_HANDLE ); - TEST_EQUAL( psa_get_key_id( &attributes ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); 
@@ -1333,7 +1337,10 @@ void attributes_set_get( int id_arg, int lifetime_arg, psa_key_type_t type = type_arg; size_t bits = bits_arg; - TEST_EQUAL( psa_get_key_id( &attributes ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); @@ -1347,7 +1354,8 @@ void attributes_set_get( int id_arg, int lifetime_arg, psa_set_key_type( &attributes, type ); psa_set_key_bits( &attributes, bits ); - TEST_EQUAL( psa_get_key_id( &attributes ), id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), id ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); @@ -1356,7 +1364,10 @@ void attributes_set_get( int id_arg, int lifetime_arg, psa_reset_key_attributes( &attributes ); - TEST_EQUAL( psa_get_key_id( &attributes ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); 
@@ -1366,15 +1377,19 @@ void attributes_set_get( int id_arg, int lifetime_arg, /* END_CASE */ /* BEGIN_CASE */ -void persistence_attributes( int id1_arg, int lifetime_arg, int id2_arg, - int expected_id_arg, int expected_lifetime_arg ) +void persistence_attributes( int id1_arg, int owner_id1_arg, int lifetime_arg, + int id2_arg, int owner_id2_arg, + int expected_id_arg, int expected_owner_id_arg, + int expected_lifetime_arg ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t id1 = mbedtls_svc_key_id_make( 1, id1_arg ); + mbedtls_svc_key_id_t id1 = + mbedtls_svc_key_id_make( owner_id1_arg, id1_arg ); psa_key_lifetime_t lifetime = lifetime_arg; - mbedtls_svc_key_id_t id2 = mbedtls_svc_key_id_make( 1, id2_arg ); + mbedtls_svc_key_id_t id2 = + mbedtls_svc_key_id_make( owner_id2_arg, id2_arg ); mbedtls_svc_key_id_t expected_id = - mbedtls_svc_key_id_make( 1, expected_id_arg ); + mbedtls_svc_key_id_make( expected_owner_id_arg, expected_id_arg ); psa_key_lifetime_t expected_lifetime = expected_lifetime_arg; if( id1_arg != -1 ) @@ -1384,7 +1399,8 @@ void persistence_attributes( int id1_arg, int lifetime_arg, int id2_arg, if( id2_arg != -1 ) psa_set_key_id( &attributes, id2 ); - TEST_EQUAL( psa_get_key_id( &attributes ), expected_id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), expected_id ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), expected_lifetime ); } /* END_CASE */ @@ -5677,7 +5693,8 @@ void persistent_key_load_key_from_storage( data_t *data, /* Check key slot still contains key data */ PSA_ASSERT( psa_open_key( key_id, &handle ) ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); - TEST_EQUAL( psa_get_key_id( &attributes ), key_id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), key_id ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), PSA_KEY_LIFETIME_PERSISTENT ); TEST_EQUAL( psa_get_key_type( &attributes ), type ); 
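Review bot: The `-1` sentinel that makes persistence_attributes skip a `psa_set_key_id()` call (the `if( id1_arg != -1 )` and `if( id2_arg != -1 )` guards) is not documented at the new signature, and with an owner argument now paired with each id it is easy to misread which argument carries the sentinel and what happens to the owner in that case. Add above the definition: `/* id1_arg / id2_arg == -1: skip the corresponding psa_set_key_id() call; the paired owner_id*_arg is then unused. */`. Since the data row "id then back to volatile" pins that the owner survives the reset to PSA_KEY_LIFETIME_VOLATILE while the key id goes to 0, a one-line comment stating that expectation next to `expected_id` would make the test's intent explicit. persistence_attributes spans the 1366 and 1384 hunks, so the guards sit at the hunk edges.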
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function index ffb4f461c8..5087034a43 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.function +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -224,7 +224,8 @@ void persistent_key_import( int key_id_arg, int type_arg, data_t *data, psa_reset_key_attributes( &attributes ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); - TEST_EQUAL( psa_get_key_id( &attributes ), key_id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), key_id ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), PSA_KEY_LIFETIME_PERSISTENT ); TEST_EQUAL( psa_get_key_type( &attributes ), type ); @@ -276,7 +277,8 @@ void import_export_persistent_key( data_t *data, int type_arg, /* Test the key information */ psa_reset_key_attributes( &attributes ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); - TEST_EQUAL( psa_get_key_id( &attributes ), key_id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), key_id ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), PSA_KEY_LIFETIME_PERSISTENT ); TEST_EQUAL( psa_get_key_type( &attributes ), type ); diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index d117738b75..6f7cfa946d 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function 
@@ -532,8 +532,9 @@ static int check_key_attributes( PSA_ASSERT( psa_get_key_attributes( handle, &actual_attributes ) ); - TEST_EQUAL( psa_get_key_id( &actual_attributes ), - psa_get_key_id( reference_attributes ) ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &actual_attributes ), + psa_get_key_id( reference_attributes ) ) ); TEST_EQUAL( psa_get_key_lifetime( &actual_attributes ), psa_get_key_lifetime( reference_attributes ) ); TEST_EQUAL( psa_get_key_type( &actual_attributes ), @@ -762,6 +763,7 @@ static void psa_purge_storage( void ) { psa_key_id_t id; psa_key_location_t location; + /* The tests may have potentially created key ids from 1 to * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id * 0, which file-based storage uses as a temporary file. */ diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function index c4c89cd65c..7d4a59125d 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function @@ -91,11 +91,13 @@ static void psa_purge_storage( void ) { psa_key_id_t id; psa_key_location_t location; + /* The tests may have potentially created key ids from 1 to * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id * 0, which file-based storage uses as a temporary file. */ for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ ) psa_destroy_persistent_key( mbedtls_svc_key_id_make( 1, id ) ); + /* Purge the transaction file. */ psa_crypto_stop_transaction( ); /* Purge driver persistent data. */ 
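Review bot: psa_purge_storage in the mocks suite still destroys the fixed range `0..MAX_KEY_ID_FOR_TEST` with the owner hard-coded to `1` in `mbedtls_svc_key_id_make( 1, id )`, so a key that a test creates under another owner, or with an id outside that range, is left behind in storage between cases. Patch 10 in this series replaces the same loop in test_suite_psa_crypto_se_driver_hal.function with a list of declared ids (test_uses_key_id / TEST_USES_KEY_ID), and this copy would benefit from the same treatment; patch 09 also states that id 0 is no longer created by the library, which makes the "0, which file-based storage uses as a temporary file" comment here stale. Until that is done, a comment `/* Keep in sync with psa_purge_storage() in test_suite_psa_crypto_se_driver_hal.function. */` would at least flag the duplication.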
@@ -360,8 +362,20 @@ void mock_import( int mock_alloc_return_value, TEST_ASSERT( mock_allocate_data.called == 1 ); TEST_ASSERT( mock_import_data.called == ( mock_alloc_return_value == PSA_SUCCESS? 1 : 0 ) ); - TEST_ASSERT( mock_import_data.attributes.core.id == - ( mock_alloc_return_value == PSA_SUCCESS? id : 0 ) ); + + if( mock_alloc_return_value == PSA_SUCCESS ) + { + TEST_ASSERT( mbedtls_svc_key_id_equal( + mock_import_data.attributes.core.id, id ) ); + } + else + { + TEST_ASSERT( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( + mock_import_data.attributes.core.id ) == 0 ); + TEST_ASSERT( MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( + mock_import_data.attributes.core.id ) == 0 ); + } + TEST_ASSERT( mock_import_data.attributes.core.lifetime == ( mock_alloc_return_value == PSA_SUCCESS? lifetime : 0 ) ); TEST_ASSERT( mock_import_data.attributes.core.policy.usage == @@ -467,8 +481,20 @@ void mock_generate( int mock_alloc_return_value, TEST_ASSERT( mock_allocate_data.called == 1 ); TEST_ASSERT( mock_generate_data.called == ( mock_alloc_return_value == PSA_SUCCESS? 1 : 0 ) ); - TEST_ASSERT( mock_generate_data.attributes.core.id == - ( mock_alloc_return_value == PSA_SUCCESS? id : 0 ) ); + + if( mock_alloc_return_value == PSA_SUCCESS ) + { + TEST_ASSERT( mbedtls_svc_key_id_equal( + mock_generate_data.attributes.core.id, id ) ); + } + else + { + TEST_ASSERT( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( + mock_generate_data.attributes.core.id ) == 0 ); + TEST_ASSERT( MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( + mock_generate_data.attributes.core.id ) == 0 ); + } + TEST_ASSERT( mock_generate_data.attributes.core.lifetime == ( mock_alloc_return_value == PSA_SUCCESS? lifetime : 0 ) ); TEST_ASSERT( mock_generate_data.attributes.core.policy.usage == diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function index bc6ecdaece..c9d4404e8f 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.function 
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function @@ -41,14 +41,15 @@ static size_t num_key_ids_used; static int test_uses_key_id( mbedtls_svc_key_id_t key_id ) { size_t i; - if( key_id > PSA_MAX_PERSISTENT_KEY_IDENTIFIER ) + if( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key_id ) > + PSA_MAX_PERSISTENT_KEY_IDENTIFIER ) { /* Don't touch key id values that designate non-key files. */ return( 1 ); } for( i = 0; i < num_key_ids_used ; i++ ) { - if( key_id == key_ids_used_in_test[i] ) + if( mbedtls_svc_key_id_equal( key_id, key_ids_used_in_test[i] ) ) return( 1 ); } if( num_key_ids_used == ARRAY_LENGTH( key_ids_used_in_test ) ) @@ -206,7 +207,8 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, TEST_ASSERT( handle != 0 ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); - TEST_EQUAL( psa_get_key_id( &attributes ), id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), id ) ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); TEST_EQUAL( psa_get_key_enrollment_algorithm( &attributes ), alg2 ); @@ -217,7 +219,8 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, PSA_ASSERT( psa_open_key( id, &handle ) ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); - TEST_EQUAL( psa_get_key_id( &attributes ), id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), id ) ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); TEST_EQUAL( psa_get_key_enrollment_algorithm( &attributes ), alg2 ); 
@@ -247,8 +250,9 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, PSA_ASSERT( psa_get_key_attributes( handle, &read_attributes ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), psa_get_key_lifetime( &read_attributes ) ); - TEST_EQUAL( psa_get_key_id( &attributes ), - psa_get_key_id( &read_attributes ) ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), + psa_get_key_id( &read_attributes ) ) ); TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags ); TEST_EQUAL( psa_get_key_algorithm( &attributes ), psa_get_key_algorithm( &read_attributes ) ); @@ -338,7 +342,8 @@ void create_existent( int lifetime_arg, int id_arg, /* Check that the original key hasn't changed. */ psa_reset_key_attributes( &attributes ); PSA_ASSERT( psa_get_key_attributes( handle1, &attributes ) ); - TEST_EQUAL( psa_get_key_id( &attributes ), id ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), id ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); TEST_EQUAL( psa_get_key_type( &attributes ), type1 ); TEST_EQUAL( psa_get_key_bits( &attributes ), bits1 ); @@ -445,11 +450,9 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg, PSA_ASSERT( psa_crypto_init( ) ); /* Populate the source slot. */ - if( source_lifetime != PSA_KEY_LIFETIME_VOLATILE ) - { - psa_set_key_id( &source_attributes, source_id ); - psa_set_key_lifetime( &source_attributes, source_lifetime ); - } + psa_set_key_id( &source_attributes, source_id ); + psa_set_key_lifetime( &source_attributes, source_lifetime ); + psa_set_key_type( &source_attributes, source_type ); psa_set_key_usage_flags( &source_attributes, source_usage ); psa_set_key_algorithm( &source_attributes, source_alg ); 
@@ -461,11 +464,9 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg,
 PSA_ASSERT( psa_get_key_attributes( source_handle, &source_attributes ) );
 /* Prepare the target slot. */
- if( target_lifetime != PSA_KEY_LIFETIME_VOLATILE )
- {
- psa_set_key_id( &target_attributes, target_id );
- psa_set_key_lifetime( &target_attributes, target_lifetime );
- }
+ psa_set_key_id( &target_attributes, target_id );
+ psa_set_key_lifetime( &target_attributes, target_lifetime );
+
 psa_set_key_usage_flags( &target_attributes, target_usage );
 psa_set_key_algorithm( &target_attributes, target_alg );
 psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg );
@@ -489,7 +490,20 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg,
 /* Test that the target slot has the expected content. */
 psa_reset_key_attributes( &target_attributes );
 PSA_ASSERT( psa_get_key_attributes( target_handle, &target_attributes ) );
- TEST_EQUAL( target_id, psa_get_key_id( &target_attributes ) );
+
+ if( target_lifetime != PSA_KEY_LIFETIME_VOLATILE )
+ {
+ TEST_ASSERT( mbedtls_svc_key_id_equal(
+ target_id, psa_get_key_id( &target_attributes ) ) );
+ }
+ else
+ {
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( target_id ), 1 );
+#endif
+ TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( target_id ), 0 );
+ }
+
 TEST_EQUAL( target_lifetime, psa_get_key_lifetime( &target_attributes ) );
 TEST_EQUAL( source_type, psa_get_key_type( &target_attributes ) );
 TEST_EQUAL( psa_get_key_bits( &source_attributes ),
@@ -574,7 +588,7 @@ void copy_to_occupied( int source_lifetime_arg, int source_id_arg,
 &source_handle ) );
 /* Populate the target slot. */
- if( target_id == source_id )
+ if( mbedtls_svc_key_id_equal( target_id, source_id ) )
 {
 target_handle = source_handle;
 }
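Review bot: In the volatile branch added after `PSA_ASSERT( psa_get_key_attributes( target_handle, &target_attributes ) );` (the 489 hunk of copy_across_lifetimes), the assertions inspect `target_id`, which is the test's own input, rather than the id read back from the slot, so for a volatile target the "Test that the target slot has the expected content" comment is no longer backed by any check on the key id. Check the read-back value instead: `TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &target_attributes ) ), 0 );`, and under `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` compare `MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &target_attributes ) )` with `MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( target_id )` if the owner is expected to survive the volatile lifetime. If the intent was only to sanity-check the test data (owner 1, key id 0 for volatile rows), that check belongs before the copy, and the hard-coded `1` should then be tied by a comment to how target_id is built outside the hunk. The body of copy_across_lifetimes continues outside the hunk.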
@@ -601,8 +615,9 @@ void copy_to_occupied( int source_lifetime_arg, int source_id_arg, /* Test that the target slot is unaffected. */ PSA_ASSERT( psa_get_key_attributes( target_handle, &attributes2 ) ); - TEST_EQUAL( psa_get_key_id( &attributes1 ), - psa_get_key_id( &attributes2 ) ); + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes1 ), + psa_get_key_id( &attributes2 ) ) ); TEST_EQUAL( psa_get_key_lifetime( &attributes1 ), psa_get_key_lifetime( &attributes2 ) ); TEST_EQUAL( psa_get_key_type( &attributes1 ), From 978d57d61e5f6350f6f5e455557747c0a6cfb532 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 26 Aug 2020 15:42:34 +0200 Subject: [PATCH 09/17] tests: psa: Fix storage purge in se_driver_hal tests (1) Remove systematic deletion of key file associated to key identifier 0 as this file is not created under the hood anymore by the library. Signed-off-by: Ronald Cron --- tests/suites/test_suite_psa_crypto_se_driver_hal.function | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index 6f7cfa946d..fc2eb48065 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function @@ -765,10 +765,10 @@ static void psa_purge_storage( void ) psa_key_location_t location; /* The tests may have potentially created key ids from 1 to - * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id - * 0, which file-based storage uses as a temporary file. */ - for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ ) + * MAX_KEY_ID_FOR_TEST. */ + for( id = 1; id <= MAX_KEY_ID_FOR_TEST; id++ ) psa_destroy_persistent_key( mbedtls_svc_key_id_make( 1, id ) ); + /* Purge the transaction file. */ psa_crypto_stop_transaction( ); /* Purge driver persistent data. */ From 5731f6f5d7a3389860d2589939cd18779d3e20fc Mon Sep 17 00:00:00 2001 
From: Ronald Cron Date: Wed, 26 Aug 2020 15:29:11 +0200 Subject: [PATCH 10/17] tests: psa: Fix storage purge in se_driver_hal tests (2) Delete key files based on declaration by test cases and not based on a hardcoded list of identifiers as in test_suite_psa_crypto_slot_management.function. This fixes the fact that in case of error the file associated to the key identifier PSA_KEY_ID_VENDOR_MAX was not purged (register_key_smoke_test test function). Signed-off-by: Ronald Cron --- ...st_suite_psa_crypto_se_driver_hal.function | 50 ++++++++++++++++--- 1 file changed, 44 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index fc2eb48065..cbc5cf788f 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function 
@@ -758,16 +758,40 @@ exit:
 return( ok );
 }
-#define MAX_KEY_ID_FOR_TEST 10
+static mbedtls_svc_key_id_t key_ids_used_in_test[10];
+static size_t num_key_ids_used;
+
+/* Record a key id as potentially used in a test case. */
+static int test_uses_key_id( mbedtls_svc_key_id_t key_id )
+{
+ size_t i;
+
+ for( i = 0; i < num_key_ids_used ; i++ )
+ {
+ if( mbedtls_svc_key_id_equal( key_id, key_ids_used_in_test[i] ) )
+ return( 1 );
+ }
+
+ if( num_key_ids_used >= ARRAY_LENGTH( key_ids_used_in_test ) )
+ return( 0 );
+
+ key_ids_used_in_test[num_key_ids_used] = key_id;
+ ++num_key_ids_used;
+
+ return( 1 );
+}
+
+#define TEST_USES_KEY_ID( key_id ) \
+ TEST_ASSERT( test_uses_key_id( key_id ) )
+
 static void psa_purge_storage( void )
 {
- psa_key_id_t id;
+ size_t i;
 psa_key_location_t location;
- /* The tests may have potentially created key ids from 1 to
- * MAX_KEY_ID_FOR_TEST. */
- for( id = 1; id <= MAX_KEY_ID_FOR_TEST; id++ )
- psa_destroy_persistent_key( mbedtls_svc_key_id_make( 1, id ) );
+ for( i = 0; i < num_key_ids_used; i++ )
+ psa_destroy_persistent_key( key_ids_used_in_test[i] );
+ num_key_ids_used = 0;
 /* Purge the transaction file. */
 psa_crypto_stop_transaction( );
@@ -862,6 +886,8 @@ void key_creation_import_export( int lifetime_arg, int min_slot, int restart )
 uint8_t exported[sizeof( key_material )];
 size_t exported_length;
+ TEST_USES_KEY_ID( id );
+
 memset( &driver, 0, sizeof( driver ) );
 memset( &key_management, 0, sizeof( key_management ) );
 driver.hal_version = PSA_DRV_SE_HAL_VERSION;
@@ -992,6 +1018,8 @@ void key_creation_in_chosen_slot( int slot_arg,
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+ TEST_USES_KEY_ID( id );
+
 memset( &driver, 0, sizeof( driver ) );
 memset( &key_management, 0, sizeof( key_management ) );
 driver.hal_version = PSA_DRV_SE_HAL_VERSION;
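Review bot: The new test_uses_key_id lacks the `MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key_id ) > PSA_MAX_PERSISTENT_KEY_IDENTIFIER` early return that the copy in test_suite_psa_crypto_slot_management.function has, so the "key id out of range" row of register_key_smoke_test (`PSA_KEY_ID_VENDOR_MAX+1`, declared through `TEST_USES_KEY_ID( id )` in the 1428 hunk) is recorded and later passed to psa_destroy_persistent_key() by psa_purge_storage. If identifiers above that bound designate non-key files in this suite as well, add the same guard before the loop, `if( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key_id ) > PSA_MAX_PERSISTENT_KEY_IDENTIFIER ) return( 1 );`; if it is harmless here, a comment saying why would stop the two copies from diverging silently. The header comment could also state the contract: `/* Returns 1 if key_id is now recorded (or already was), 0 if the table is full; psa_purge_storage() destroys every recorded key and empties the table. */`. Having this helper duplicated across two suites is itself worth a follow-up into a shared test header.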
@@ -1073,6 +1101,8 @@ void import_key_smoke( int type_arg, int alg_arg, psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_USES_KEY_ID( id ); + memset( &driver, 0, sizeof( driver ) ); memset( &key_management, 0, sizeof( key_management ) ); driver.hal_version = PSA_DRV_SE_HAL_VERSION; @@ -1145,6 +1175,8 @@ void generate_key_not_supported( int type_arg, int bits_arg ) psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_USES_KEY_ID( id ); + memset( &driver, 0, sizeof( driver ) ); memset( &key_management, 0, sizeof( key_management ) ); driver.hal_version = PSA_DRV_SE_HAL_VERSION; @@ -1184,6 +1216,8 @@ void generate_key_smoke( int type_arg, int bits_arg, int alg_arg ) psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + TEST_USES_KEY_ID( id ); + memset( &driver, 0, sizeof( driver ) ); memset( &key_management, 0, sizeof( key_management ) ); driver.hal_version = PSA_DRV_SE_HAL_VERSION; @@ -1268,6 +1302,8 @@ void sign_verify( int flow, uint8_t signature[PSA_SIGNATURE_MAX_SIZE]; size_t signature_length; + TEST_USES_KEY_ID( id ); + memset( &driver, 0, sizeof( driver ) ); memset( &key_management, 0, sizeof( key_management ) ); memset( &asymmetric, 0, sizeof( asymmetric ) ); @@ -1428,6 +1464,8 @@ void register_key_smoke_test( int lifetime_arg, psa_key_handle_t handle = 0; psa_status_t status; + TEST_USES_KEY_ID( id ); + memset( &driver, 0, sizeof( driver ) ); driver.hal_version = PSA_DRV_SE_HAL_VERSION; memset( &key_management, 0, sizeof( key_management ) ); From 81e005042e82e8c1194126b6c96772c5840629b9 Mon Sep 17 00:00:00 2001 
From: Ronald Cron Date: Tue, 28 Jul 2020 15:06:14 +0200 Subject: [PATCH 11/17] tests: psa: Add owner identifier as test parameter To test the proper handling of owner identifier as of key identifiers, add owner identifier(s) to tests having key identifier(s) as test parameters. Just don't do it for tests related to tests invalid values of key identifiers as there is no owner identifier invalid values. Signed-off-by: Ronald Cron --- tests/suites/test_suite_psa_crypto.data | 2 +- tests/suites/test_suite_psa_crypto.function | 4 +- .../test_suite_psa_crypto_persistent_key.data | 10 ++--- ...t_suite_psa_crypto_persistent_key.function | 12 ++--- .../test_suite_psa_crypto_se_driver_hal.data | 16 +++---- ...st_suite_psa_crypto_se_driver_hal.function | 3 +- ...test_suite_psa_crypto_slot_management.data | 44 +++++++++---------- ..._suite_psa_crypto_slot_management.function | 23 +++++----- 8 files changed, 59 insertions(+), 55 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 723eebf0f3..ae8c081590 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -2,7 +2,7 @@ PSA compile-time sanity checks static_checks: PSA key attributes structure -attributes_set_get:0x6963:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:128 +attributes_set_get:0xffff1234:0x6963:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:128 PSA key attributes: id only persistence_attributes:0x1234:0x5678:-1:-1:0:0x1234:0x5678:PSA_KEY_LIFETIME_PERSISTENT diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 3e3a7a268e..7f199e22e1 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -1325,12 +1325,12 @@ void static_checks( ) /* END_CASE */ /* BEGIN_CASE */ -void attributes_set_get( int id_arg, int lifetime_arg, +void attributes_set_get( int owner_id_arg, int id_arg, int lifetime_arg, int usage_flags_arg, int alg_arg, int type_arg, int bits_arg ) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg ); psa_key_lifetime_t lifetime = lifetime_arg; psa_key_usage_t usage_flags = usage_flags_arg; psa_algorithm_t alg = alg_arg; diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.data b/tests/suites/test_suite_psa_crypto_persistent_key.data index e0fba02c88..f65e57e373 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.data +++ b/tests/suites/test_suite_psa_crypto_persistent_key.data 
@@ -32,23 +32,23 @@ save_large_persistent_key:PSA_CRYPTO_MAX_STORAGE_SIZE + 1:PSA_ERROR_NOT_SUPPORTE Persistent key destroy depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C -persistent_key_destroy:1:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_KEY_TYPE_RAW_DATA:"deadbeef" +persistent_key_destroy:2:1:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_KEY_TYPE_RAW_DATA:"deadbeef" Persistent key destroy after restart depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C -persistent_key_destroy:1:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_KEY_TYPE_RAW_DATA:"deadbeef" +persistent_key_destroy:17:1:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_KEY_TYPE_RAW_DATA:"deadbeef" Persistent key import (RSA) depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C -persistent_key_import:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":0:PSA_SUCCESS +persistent_key_import:256:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":0:PSA_SUCCESS Persistent key import with restart (RSA) depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C -persistent_key_import:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":1:PSA_SUCCESS +persistent_key_import:256:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":1:PSA_SUCCESS Persistent key import garbage data, should fail depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C -persistent_key_import:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"11111111":0:PSA_ERROR_INVALID_ARGUMENT +persistent_key_import:256:1:PSA_KEY_TYPE_RSA_KEY_PAIR:"11111111":0:PSA_ERROR_INVALID_ARGUMENT import/export persistent raw key: 1 byte import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:0:0 
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function index 5087034a43..9e2fbf6d3c 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.function +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -139,11 +139,12 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void persistent_key_destroy( int key_id_arg, int restart, +void persistent_key_destroy( int owner_id_arg, int key_id_arg, int restart, int first_type_arg, data_t *first_data, int second_type_arg, data_t *second_data ) { - mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, key_id_arg ); + mbedtls_svc_key_id_t key_id = + mbedtls_svc_key_id_make( owner_id_arg, key_id_arg ); psa_key_handle_t handle = 0; psa_key_type_t first_type = (psa_key_type_t) first_type_arg; psa_key_type_t second_type = (psa_key_type_t) second_type_arg; @@ -193,10 +194,11 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void persistent_key_import( int key_id_arg, int type_arg, data_t *data, - int restart, int expected_status ) +void persistent_key_import( int owner_id_arg, int key_id_arg, int type_arg, + data_t *data, int restart, int expected_status ) { - mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make( 1, key_id_arg ); + mbedtls_svc_key_id_t key_id = + mbedtls_svc_key_id_make( owner_id_arg, key_id_arg ); psa_key_type_t type = (psa_key_type_t) type_arg; psa_key_handle_t handle = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.data b/tests/suites/test_suite_psa_crypto_se_driver_hal.data index 32e2ecb069..e5eee58d9a 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.data +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.data 
@@ -130,28 +130,28 @@ Key generation smoke test: HMAC-SHA-256 generate_key_smoke:PSA_KEY_TYPE_HMAC:256:PSA_ALG_HMAC( PSA_ALG_SHA_256 ) Key registration: smoke test -register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:1:1:PSA_SUCCESS +register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:1:PSA_SUCCESS Key registration: invalid lifetime (volatile internal storage) -register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:1:1:PSA_ERROR_INVALID_ARGUMENT +register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:7:1:1:PSA_ERROR_INVALID_ARGUMENT Key registration: invalid lifetime (internal storage) -register_key_smoke_test:PSA_KEY_LIFETIME_PERSISTENT:1:1:PSA_ERROR_INVALID_ARGUMENT +register_key_smoke_test:PSA_KEY_LIFETIME_PERSISTENT:7:1:1:PSA_ERROR_INVALID_ARGUMENT Key registration: invalid lifetime (no registered driver) -register_key_smoke_test:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_DEFAULT, TEST_DRIVER_LOCATION + 1 ):1:1:PSA_ERROR_INVALID_ARGUMENT +register_key_smoke_test:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_DEFAULT, TEST_DRIVER_LOCATION + 1 ):7:1:1:PSA_ERROR_INVALID_ARGUMENT Key registration: rejected -register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:1:0:PSA_ERROR_NOT_PERMITTED +register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:0:PSA_ERROR_NOT_PERMITTED Key registration: not supported -register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:1:-1:PSA_ERROR_NOT_SUPPORTED +register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:-1:PSA_ERROR_NOT_SUPPORTED Key registration: key id out of range -register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:PSA_KEY_ID_VENDOR_MAX+1:-1:PSA_ERROR_INVALID_ARGUMENT +register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX+1:-1:PSA_ERROR_INVALID_ARGUMENT Key registration: key id in vendor range -register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:PSA_KEY_ID_VENDOR_MAX:1:PSA_SUCCESS 
+register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX:1:PSA_SUCCESS Import-sign-verify: sign in driver, ECDSA depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index cbc5cf788f..1d213610fe 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function @@ -1448,6 +1448,7 @@ exit: /* BEGIN_CASE */ void register_key_smoke_test( int lifetime_arg, + int owner_id_arg, int id_arg, int validate, int expected_status_arg ) @@ -1458,7 +1459,7 @@ void register_key_smoke_test( int lifetime_arg, psa_drv_se_t driver; psa_drv_se_key_management_t key_management; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg ); size_t bit_size = 48; psa_key_slot_number_t wanted_slot = 0x123456789; psa_key_handle_t handle = 0; diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data index 84caef9169..3031266e61 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.data +++ b/tests/suites/test_suite_psa_crypto_slot_management.data 
@@ -14,61 +14,61 @@ Transient slot, check after restart with live handles
 transient_slot_lifecycle:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
 
 Persistent slot, check after closing, id=min
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_CLOSE
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:124:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_CLOSE
 
 Persistent slot, check after closing and restarting, id=min
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_CLOSE
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:125:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_CLOSE
 
 Persistent slot, check after destroying, id=min
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_DESTROY
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:126:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_DESTROY
 
 Persistent slot, check after destroying and restarting, id=min
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_DESTROY
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:127:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_DESTROY
 
 Persistent slot, check after restart with live handle, id=min
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:128:PSA_KEY_ID_USER_MIN:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
 
 Persistent slot, check after closing, id=max
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_CLOSE
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:129:PSA_KEY_ID_USER_MAX:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_CLOSE
 
 Persistent slot, check after destroying, id=max
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_DESTROY
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:130:PSA_KEY_ID_USER_MAX:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_DESTROY
 
 Persistent slot, check after restart, id=max
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:131:PSA_KEY_ID_USER_MAX:0:0:0:PSA_KEY_TYPE_RAW_DATA:"0123456789abcdef0123456789abcdef":CLOSE_BY_SHUTDOWN
 
 Persistent slot: ECP keypair (ECDSA, exportable), close
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:132:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE
 
 Persistent slot: ECP keypair (ECDSA, exportable), close+restart
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE_WITH_SHUTDOWN
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:133:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE_WITH_SHUTDOWN
 
 Persistent slot: ECP keypair (ECDSA, exportable), restart
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_SHUTDOWN
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:134:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_SHUTDOWN
 
 Persistent slot: ECP keypair (ECDH+ECDSA, exportable), close
 depends_on:MBEDTLS_ECDH_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:135:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE
 
 Persistent slot: ECP keypair (ECDH+ECDSA, exportable), close+restart
 depends_on:MBEDTLS_ECDH_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE_WITH_SHUTDOWN
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:136:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_CLOSE_WITH_SHUTDOWN
 
 Persistent slot: ECP keypair (ECDH+ECDSA, exportable), restart
 depends_on:MBEDTLS_ECDH_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_SHUTDOWN
+persistent_slot_lifecycle:PSA_KEY_LIFETIME_PERSISTENT:137:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ALG_ECDSA_ANY:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":CLOSE_BY_SHUTDOWN
 
 Attempt to overwrite: close before
-create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:CLOSE_BEFORE
+create_existent:PSA_KEY_LIFETIME_PERSISTENT:0x1736:1:CLOSE_BEFORE
 
 Attempt to overwrite: close after
-create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:CLOSE_AFTER
+create_existent:PSA_KEY_LIFETIME_PERSISTENT:0x7361:1:CLOSE_AFTER
 
 Attempt to overwrite: keep open
-create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:KEEP_OPEN
+create_existent:PSA_KEY_LIFETIME_PERSISTENT:0x3617:1:KEEP_OPEN
 
 Open failure: invalid identifier (0)
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
@@ -118,23 +118,23 @@ depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C
 create_fail:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_ERROR_NOT_SUPPORTED
 
 Copy volatile to volatile
-copy_across_lifetimes:PSA_KEY_LIFETIME_VOLATILE:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_VOLATILE:0:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
+copy_across_lifetimes:PSA_KEY_LIFETIME_VOLATILE:0x10:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_VOLATILE:0x10:0:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
 
 Copy volatile to persistent
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-copy_across_lifetimes:PSA_KEY_LIFETIME_VOLATILE:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
+copy_across_lifetimes:PSA_KEY_LIFETIME_VOLATILE:0x100:0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_PERSISTENT:0x100:1:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
 
 Copy persistent to volatile
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_VOLATILE:0:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
+copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:0x1000:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_VOLATILE:0x1000:0:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
 
 Copy persistent to persistent
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_PERSISTENT:2:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
+copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:0x10000:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_PERSISTENT:0x10000:2:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
 
 Copy persistent to persistent with enrollment algorithm
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_MODE_CBC
-copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":PSA_KEY_LIFETIME_PERSISTENT:2:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING
+copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:0x100000:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":PSA_KEY_LIFETIME_PERSISTENT:0x100000:2:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING
 
 Copy volatile to occupied
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index c9d4404e8f..3c5af47245 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -173,13 +173,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
-void persistent_slot_lifecycle( int lifetime_arg, int id_arg,
+void persistent_slot_lifecycle( int lifetime_arg, int owner_id_arg, int id_arg,
                                 int usage_arg, int alg_arg, int alg2_arg,
                                 int type_arg, data_t *key_data,
                                 int close_method_arg )
 {
     psa_key_lifetime_t lifetime = lifetime_arg;
-    mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg );
+    mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg );
     psa_algorithm_t alg = alg_arg;
     psa_algorithm_t alg2 = alg2_arg;
     psa_key_usage_t usage_flags = usage_arg;
@@ -296,11 +296,11 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
-void create_existent( int lifetime_arg, int id_arg,
+void create_existent( int lifetime_arg, int owner_id_arg, int id_arg,
                       int reopen_policy_arg )
 {
     psa_key_lifetime_t lifetime = lifetime_arg;
-    mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg );
+    mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg );
     psa_key_handle_t handle1 = 0, handle2 = 0;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_key_type_t type1 = PSA_KEY_TYPE_RAW_DATA;
@@ -414,19 +414,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg,
-                            int source_usage_arg,
+void copy_across_lifetimes( int source_lifetime_arg, int source_owner_id_arg,
+                            int source_id_arg, int source_usage_arg,
                             int source_alg_arg, int source_alg2_arg,
                             int type_arg, data_t *material,
-                            int target_lifetime_arg, int target_id_arg,
-                            int target_usage_arg,
+                            int target_lifetime_arg, int target_owner_id_arg,
+                            int target_id_arg, int target_usage_arg,
                             int target_alg_arg, int target_alg2_arg,
                             int expected_usage_arg,
                             int expected_alg_arg, int expected_alg2_arg )
 {
     psa_key_lifetime_t source_lifetime = source_lifetime_arg;
     mbedtls_svc_key_id_t source_id =
-        mbedtls_svc_key_id_make( 1, source_id_arg );
+        mbedtls_svc_key_id_make( source_owner_id_arg, source_id_arg );
     psa_key_usage_t source_usage = source_usage_arg;
     psa_algorithm_t source_alg = source_alg_arg;
     psa_key_handle_t source_handle = 0;
@@ -434,7 +434,7 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg,
     psa_key_type_t source_type = type_arg;
     psa_key_lifetime_t target_lifetime = target_lifetime_arg;
     mbedtls_svc_key_id_t target_id =
-        mbedtls_svc_key_id_make( 1, target_id_arg );
+        mbedtls_svc_key_id_make( target_owner_id_arg, target_id_arg );
     psa_key_usage_t target_usage = target_usage_arg;
     psa_algorithm_t target_alg = target_alg_arg;
     psa_key_handle_t target_handle = 0;
@@ -499,7 +499,8 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg,
     else
     {
 #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
-        TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( target_id ), 1 );
+        TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( target_id ),
+                    target_owner_id_arg );
 #endif
         TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( target_id ), 0 );
     }
From f1c9a5594709df7b3297355c1ff1fb64742a5b9e Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 29 Jul 2020 15:24:05 +0200
Subject: [PATCH 12/17] tests: psa: Add checks involving unknown key owner ids

Add checks involving unknown key owner identifiers in tests related to SE and persistent keys.

Signed-off-by: Ronald Cron
---
 ...est_suite_psa_crypto_se_driver_hal.function | 6 ++++++
 .../test_suite_psa_crypto_slot_management.data | 4 ++++
 ...t_suite_psa_crypto_slot_management.function | 18 ++++++++++++++++++
 3 files changed, 28 insertions(+)

diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 1d213610fe..8584e5ed68 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -1503,6 +1503,12 @@ void register_key_smoke_test( int lifetime_arg,
         goto exit;
     PSA_ASSERT( psa_close_key( handle ) );
 
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    mbedtls_svc_key_id_t invalid_id =
+        mbedtls_svc_key_id_make( owner_id_arg + 1, id_arg );
+    TEST_EQUAL( psa_open_key( invalid_id, &handle ), PSA_ERROR_DOES_NOT_EXIST );
+#endif
+
     /* Restart and try again. */
     PSA_DONE( );
     PSA_ASSERT( psa_register_se_driver( location, &driver ) );
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data
index 3031266e61..e16089d657 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.data
+++ b/tests/suites/test_suite_psa_crypto_slot_management.data
@@ -132,6 +132,10 @@ Copy persistent to persistent
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
 copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:0x10000:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_PERSISTENT:0x10000:2:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
 
+Copy persistent to persistent, same id but different owner
+depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C:MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:0x10000:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:0:0:PSA_KEY_TYPE_RAW_DATA:"4142434445":PSA_KEY_LIFETIME_PERSISTENT:0x10001:1:PSA_KEY_USAGE_EXPORT:0:0:PSA_KEY_USAGE_EXPORT:0:0
+
 Copy persistent to persistent with enrollment algorithm
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_MODE_CBC
 copy_across_lifetimes:PSA_KEY_LIFETIME_PERSISTENT:0x100000:1:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":PSA_KEY_LIFETIME_PERSISTENT:0x100000:2:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:PSA_ALG_CBC_NO_PADDING
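Review bot: The wrong-owner probe reuses `handle` as the output of the expected-to-fail psa_open_key() right after that same handle was closed, so the test depends on psa_open_key() resetting its output on failure rather than on state it controls; the sibling check added to persistent_slot_lifecycle uses a dedicated `invalid_handle`, and doing the same here keeps the two tests consistent: `psa_key_handle_t invalid_handle = 0;` followed by `TEST_EQUAL( psa_open_key( invalid_id, &invalid_handle ), PSA_ERROR_DOES_NOT_EXIST );`. The probe also runs only before the `PSA_DONE( )` restart, so whether the owner check still holds once the key is re-read from storage after the restart is not covered here. register_key_smoke_test continues outside the hunk.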
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index 3c5af47245..fa3dd6e3ae 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -191,6 +191,12 @@ void persistent_slot_lifecycle( int lifetime_arg, int owner_id_arg, int id_arg,
     uint8_t *reexported = NULL;
     size_t reexported_length = -1;
 
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    mbedtls_svc_key_id_t wrong_owner_id =
+        mbedtls_svc_key_id_make( owner_id_arg + 1, id_arg );
+    psa_key_handle_t invalid_handle = 0;
+#endif
+
     TEST_USES_KEY_ID( id );
 
     PSA_ASSERT( psa_crypto_init( ) );
@@ -205,6 +211,12 @@ void persistent_slot_lifecycle( int lifetime_arg, int owner_id_arg, int id_arg,
     PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
                                 &handle ) );
     TEST_ASSERT( handle != 0 );
+
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    TEST_EQUAL( psa_open_key( wrong_owner_id, &invalid_handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
+#endif
+
     PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) );
     TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime );
     TEST_ASSERT( mbedtls_svc_key_id_equal(
@@ -216,6 +228,12 @@ void persistent_slot_lifecycle( int lifetime_arg, int owner_id_arg, int id_arg,
 
     /* Close the key and reopen it. */
     PSA_ASSERT( psa_close_key( handle ) );
+
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    TEST_EQUAL( psa_open_key( wrong_owner_id, &invalid_handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
+#endif
+
     PSA_ASSERT( psa_open_key( id, &handle ) );
     PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) );
     TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime );
From 79ca4274e1aa65c76dea14f863c6808712c3fd08 Mon Sep 17 00:00:00 2001
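Review bot: `invalid_handle` is only ever passed to the expected-to-fail psa_open_key() probes and never inspected afterwards; adding `TEST_EQUAL( invalid_handle, 0 );` after each probe would also pin down that a rejected open leaves no usable handle behind, which is the property the owner separation is meant to guarantee. The probes run right after import and right after close, but persistent_slot_lifecycle continues outside the hunk with the restart and destroy paths, where the same wrong-owner open is not exercised. The probe added to register_key_smoke_test in test_suite_psa_crypto_se_driver_hal.function has the same gap.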
From: Ronald Cron
Date: Tue, 25 Aug 2020 09:53:53 +0200
Subject: [PATCH 13/17] psa: storage: Use key id macros to compute ITS file identifier

Use macros instead of accessing directly the key identifier fields for coding consistency and ease maintenance.

Signed-off-by: Ronald Cron
---
 library/psa_crypto_storage.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index e48bc282f8..46d0b65182 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -67,8 +67,9 @@ static psa_storage_uid_t psa_its_identifier_of_slot( mbedtls_svc_key_id_t key )
      * owner values are nonzero (as they are on a PSA platform),
      * no key file will ever have a value less than 0x100000000, so
      * the whole range 0..0xffffffff is available for non-key files. */
-    uint32_t unsigned_owner = (uint32_t) key.owner;
-    return( (uint64_t) unsigned_owner << 32 | key.key_id );
+    uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( key );
+    return( ( (uint64_t) unsigned_owner_id << 32 ) |
+            MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ) );
 #else
     /* Use the key id directly as a file name.
      * psa_is_key_id_valid() in psa_crypto_slot_management.c
From 5eba579c6cd116e6f13aa7b004fb0b7c17fb6d84 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 15 Sep 2020 08:48:15 +0200
Subject: [PATCH 14/17] Remove unnecessary inline definition

Define inline for some compiling environment only in crypto_platform.h.

Signed-off-by: Ronald Cron
---
 include/psa/crypto_types.h | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index 864e937889..ea621c1d36 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -37,11 +37,6 @@
 
 #include
 
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /** \defgroup error Error codes
  * @{
  */
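Review bot: The replacement drops the explicit `(uint32_t)` cast that the removed line had, so `uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( key );` now converts the int32_t owner implicitly; the conversion is well-defined, but the cast was the only place documenting that negative owner ids are deliberately reinterpreted to build the 64-bit file identifier, and an implicit sign conversion is exactly what -Wsign-conversion reports. Suggest `uint32_t unsigned_owner_id = (uint32_t) MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( key );`. The computation still relies on mbedtls_key_owner_id_t being 32 bits wide, which the comment added to crypto_platform.h later in this series only states in prose. psa_its_identifier_of_slot() starts outside the hunk.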
From 9a2511e78fe72180bb954f91bd27aa0fd9c99dc2 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 14 Sep 2020 10:02:56 +0200
Subject: [PATCH 15/17] Fix key owner identifier documentation

Signed-off-by: Ronald Cron
---
 include/mbedtls/config.h | 7 ++-----
 include/psa/crypto_platform.h | 11 +++++++++--
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 496ebe968c..e76c9be0e8 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1262,11 +1262,8 @@
  *
  * Enable key identifiers that encode a key owner identifier.
  *
- * This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide an
- * implementation of the type mbedtls_key_owner_id_t and a translation from
- * mbedtls_svc_key_id_t to file name in all the storage backends that you
- * you wish to support.
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
  *
  * Note that this option is meant for internal use only and may be removed
  * without notice.
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 4e2f162ea3..c64f61d58c 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
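Review bot: The new wording `which is currently hard-coded to be int32_t` tells the reader what the type is but not where it is defined, which in this series is the typedef in psa/crypto_platform.h; naming that file makes the sentence actionable, e.g. ` * which is currently hard-coded to int32_t in psa/crypto_platform.h.`. A comma before `which` would also read better, since the clause is non-restrictive. The option's comment block continues outside the hunk.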
@@ -54,8 +54,15 @@ typedef uint16_t psa_key_handle_t;
 
 #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
 
-/* Building for the PSA Crypto service on a PSA platform. */
-/* A key owner is a PSA partition identifier. */
+/* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA
+ * partition identifier.
+ *
+ * The function psa_its_identifier_of_slot() in psa_crypto_storage.c that
+ * translates a key identifier to a key storage file name assumes that
+ * mbedtls_key_owner_id_t is an 32 bits integer. This function thus needs
+ * reworking if mbedtls_key_owner_id_t is not defined as a 32 bits integer
+ * here anymore.
+ */
 typedef int32_t mbedtls_key_owner_id_t;
 
 /** Compare two key owner identifiers.
From cb54610e9706636cc25ddf1fe7bc8bfe92c0913d Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 14 Sep 2020 13:58:59 +0200
Subject: [PATCH 16/17] Set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER in baremetal configuration

No obvious reason to not enable owner identifier encoding in baremetal as multi-client support is expected to be needed for some embedded platforms. Thus enable it.

Signed-off-by: Ronald Cron
---
 scripts/config.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/config.py b/scripts/config.py
index 47a83558bf..017bba0aa8 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -247,7 +247,6 @@ EXCLUDE_FROM_BAREMETAL = frozenset([
     'MBEDTLS_PLATFORM_TIME_ALT', # requires a clock and HAVE_TIME
     'MBEDTLS_PSA_CRYPTO_SE_C', # requires a filesystem and PSA_CRYPTO_STORAGE_C
     'MBEDTLS_PSA_CRYPTO_STORAGE_C', # requires a filesystem
-    'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # requires a multi-client service
     'MBEDTLS_PSA_ITS_FILE_C', # requires a filesystem
     'MBEDTLS_THREADING_C', # requires a threading interface
     'MBEDTLS_THREADING_PTHREAD', # requires pthread
From 7424f0d99809a5e4da5059c1eb047899027ea6f5 Mon Sep 17 00:00:00 2001
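Review bot: The added comment records a width assumption as prose only: `mbedtls_key_owner_id_t is an 32 bits integer` (which should read `a 32-bit integer`, in both places it occurs) while psa_its_identifier_of_slot() would silently compute wrong file identifiers if the typedef changed. A compile-time check next to the typedef, such as a `sizeof( mbedtls_key_owner_id_t ) == 4` static assertion using whatever facility the library's portability rules permit, would turn the first mismatch into a build error instead of a comment to remember. The `#if` block holding this typedef continues outside the hunk.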
From: Ronald Cron
Date: Mon, 14 Sep 2020 16:17:41 +0200
Subject: [PATCH 17/17] psa: Move key identifier related macros and functions

Move key identifier related macros and functions from crypto_types.h to crypto_values.h as the latter is the intended file to put them in.

Signed-off-by: Ronald Cron
---
 include/psa/crypto_types.h | 60 ---------------------------------
 include/psa/crypto_values.h | 67 +++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 60 deletions(-)

diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index ea621c1d36..923b02b53b 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -233,36 +233,6 @@ typedef uint32_t psa_key_id_t;
 
 #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
 typedef psa_key_id_t mbedtls_svc_key_id_t;
-#define MBEDTLS_SVC_KEY_ID_INIT ( (psa_key_id_t)0 )
-#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( id )
-#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( 0 )
-
-/** Utility to initialize a key identifier at runtime.
- *
- * \param unused Unused parameter.
- * \param key_id Identifier of the key.
- */
-static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
-    unsigned int unused, psa_key_id_t key_id )
-{
-    (void)unused;
-
-    return( key_id );
-}
-
-/** Compare two key identifiers.
- *
- * \param id1 First key identifier.
- * \param id2 Second key identifier.
- *
- * \return Non-zero if the two key identifier are equal, zero otherwise.
- */
-static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1,
-                                            mbedtls_svc_key_id_t id2 )
-{
-    return( id1 == id2 );
-}
-
 #else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
 /* Implementation-specific: The Mbed Cryptography library can be built as
  * part of a multi-client service that exposes the PSA Cryptograpy API in each
@@ -275,36 +245,6 @@ typedef struct
     mbedtls_key_owner_id_t owner;
 } mbedtls_svc_key_id_t;
 
-#define MBEDTLS_SVC_KEY_ID_INIT ( (mbedtls_svc_key_id_t){ 0, 0 } )
-#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( ( id ).key_id )
-#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( ( id ).owner )
-
-/** Utility to initialize a key identifier at runtime.
- *
- * \param owner_id Identifier of the key owner.
- * \param key_id Identifier of the key.
- */
-static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
-    mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id )
-{
-    return( (mbedtls_svc_key_id_t){ .key_id = key_id,
-                                    .owner = owner_id } );
-}
-
-/** Compare two key identifiers.
- *
- * \param id1 First key identifier.
- * \param id2 Second key identifier.
- *
- * \return Non-zero if the two key identifier are equal, zero otherwise.
- */
-static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1,
-                                            mbedtls_svc_key_id_t id2 )
-{
-    return( ( id1.key_id == id2.key_id ) &&
-            mbedtls_key_owner_id_equal( id1.owner, id2.owner ) );
-}
-
 #endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
 
 /**@}*/
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 02e9c00760..199bcac24b 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1647,6 +1647,73 @@
  */
 #define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff)
 
+
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+
+#define MBEDTLS_SVC_KEY_ID_INIT ( (psa_key_id_t)0 )
+#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( id )
+#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( 0 )
+
+/** Utility to initialize a key identifier at runtime.
+ *
+ * \param unused Unused parameter.
+ * \param key_id Identifier of the key.
+ */
+static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
+    unsigned int unused, psa_key_id_t key_id )
+{
+    (void)unused;
+
+    return( key_id );
+}
+
+/** Compare two key identifiers.
+ *
+ * \param id1 First key identifier.
+ * \param id2 Second key identifier.
+ *
+ * \return Non-zero if the two key identifier are equal, zero otherwise.
+ */
+static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1,
+                                            mbedtls_svc_key_id_t id2 )
+{
+    return( id1 == id2 );
+}
+
+#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+
+#define MBEDTLS_SVC_KEY_ID_INIT ( (mbedtls_svc_key_id_t){ 0, 0 } )
+#define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( ( id ).key_id )
+#define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( ( id ).owner )
+
+/** Utility to initialize a key identifier at runtime.
+ *
+ * \param owner_id Identifier of the key owner.
+ * \param key_id Identifier of the key.
+ */
+static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
+    mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id )
+{
+    return( (mbedtls_svc_key_id_t){ .key_id = key_id,
+                                    .owner = owner_id } );
+}
+
+/** Compare two key identifiers.
+ *
+ * \param id1 First key identifier.
+ * \param id2 Second key identifier.
+ *
+ * \return Non-zero if the two key identifier are equal, zero otherwise.
+ */
+static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1,
+                                            mbedtls_svc_key_id_t id2 )
+{
+    return( ( id1.key_id == id2.key_id ) &&
+            mbedtls_key_owner_id_equal( id1.owner, id2.owner ) );
+}
+
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+
 /**@}*/
 
 /** \defgroup policy Key policies
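Review bot: The moved `static inline` helpers make crypto_values.h depend on `mbedtls_svc_key_id_t`, `mbedtls_key_owner_id_t` and mbedtls_key_owner_id_equal(), i.e. on crypto_types.h and crypto_platform.h having been included beforehand; unless crypto_values.h includes crypto_types.h itself (not visible in this hunk), the header stops being self-contained and its include order becomes load-bearing, which is worth a comment at the top of the block or an explicit include. Both `\return` lines carry the typo `the two key identifier are equal`, which should read `the two key identifiers are equal`. The two configurations also give mbedtls_svc_key_id_make() different first-parameter types (`unsigned int unused` versus `mbedtls_key_owner_id_t owner_id`), so an owner argument that is accepted silently in one build may draw a conversion warning in the other; stating on the `unused` parameter that callers should still pass a valid owner id keeps call sites portable between the two.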