From b19ad853b536ec655c95bea2bf9101526eea7850 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 15:39:44 +0200 Subject: [PATCH 1/4] Clarify psa_get_and_lock_transparent_key_slot_with_policy() purpose Clarify the purpose of psa_get_and_lock_transparent_key_slot_with_policy() and define it even when MBEDTLS_PSA_CRYPTO_SE_C is disabled for the purpose of static drivers. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 95aa0d5316..5974145148 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -944,16 +944,16 @@ error: /** Get a key slot containing a transparent key and lock it. * * A transparent key is a key for which the key material is directly - * available, as opposed to a key in a secure element. + * available, as opposed to a key in a secure element and/or to be used + * by a secure element. * - * This is a temporary function to use instead of - * psa_get_and_lock_key_slot_with_policy() until secure element support is - * fully implemented. + * This is a temporary function that may be used instead of + * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support + * for a cryptographic operation. * * On success, the returned key slot is locked. It is the responsibility of the * caller to unlock the key slot when it does not access it anymore. */ -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, @@ -965,7 +965,7 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( if( status != PSA_SUCCESS ) return( status ); - if( psa_key_slot_is_external( *p_slot ) ) + if( psa_key_lifetime_is_external( (*p_slot)->attr.lifetime ) ) { psa_unlock_key_slot( *p_slot ); *p_slot = NULL; @@ -974,11 +974,6 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( return( PSA_SUCCESS ); } -#else /* MBEDTLS_PSA_CRYPTO_SE_C */ -/* With no secure element support, all keys are transparent. */ -#define psa_get_and_lock_transparent_key_slot_with_policy( key, p_slot, usage, alg ) \ - psa_get_and_lock_key_slot_with_policy( key, p_slot, usage, alg ) -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot ) { From 3f97e9c947638c6eb9fef52ee4d470c093520ce3 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 15:50:05 +0200 Subject: [PATCH 2/4] psa: Fix slot number key attribute Slot number key attribute is specific of dynamically registered drivers and should thus not be computed/ returned in case of keys associated to drivers implementing the new unified driver interface. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5974145148..fc66128db4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1201,7 +1201,7 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key, MBEDTLS_PSA_KA_MASK_DUAL_USE ); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) - if( psa_key_slot_is_external( slot ) ) + if( psa_get_se_driver_entry( slot->attr.lifetime ) != NULL ) psa_set_key_slot_number( attributes, psa_key_slot_get_slot_number( slot ) ); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ From 7a82a39eda88b7e694887e73f724c9bb69783844 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 16:00:51 +0200 Subject: [PATCH 3/4] psa: Remove buggy report of RSA public exponent for opaque keys The report of RSA public exponent for opaque keys is not supported. Do not attempt to compute the RSA public exponent of an RSA opaque key associated to a driver implementing the new driver interface when MBEDTLS_PSA_CRYPTO_SE_C is disabled. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fc66128db4..7328151eef 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1212,14 +1212,11 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key, defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) /* TODO: reporting the public exponent for opaque keys * is not yet implemented. * https://github.com/ARMmbed/mbed-crypto/issues/216 */ - if( psa_key_slot_is_external( slot ) ) - break; -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + if( ! psa_key_lifetime_is_external( slot->attr.lifetime ) ) { mbedtls_rsa_context *rsa = NULL; From 6f2924031458688a09459d8efaac6fef85d4fa4f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 18:05:41 +0200 Subject: [PATCH 4/4] psa: Remove psa_key_slot_is_external() Remove psa_key_slot_is_external() that is not used anymore. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 7328151eef..3a6c5e21f9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -322,13 +322,6 @@ psa_status_t mbedtls_to_psa_error( int ret ) /* Key management */ /****************************************************************/ -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) -static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) -{ - return( psa_key_lifetime_is_external( slot->attr.lifetime ) ); -} -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - /* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the * current test driver in key_management.c is using this function * when accelerators are used for ECC key pair and public key.