diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index b3ec54fb2a..56e0536042 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -247,248 +247,6 @@ psa_status_t psa_key_derivation(psa_key_derivation_operation_t *operation,
 /* FIXME Deprecated. Remove this as soon as all the tests are updated. */
 #define PSA_ALG_SELECT_RAW ((psa_algorithm_t)0x31000001)
-/** \defgroup policy Key policies
- * @{
- *
- * The functions in this section are legacy interfaces where the properties
- * of a key object are set after allocating a handle, in constrast with the
- * preferred interface where key objects are created atomically from
- * a structure that represents the properties.
- */
-
-/** \def PSA_KEY_POLICY_INIT
- *
- * This macro returns a suitable initializer for a key policy object of type
- * #psa_key_policy_t.
- */
-#ifdef __DOXYGEN_ONLY__
-/* This is an example definition for documentation purposes.
- * Implementations should define a suitable value in `crypto_struct.h`.
- */
-#define PSA_KEY_POLICY_INIT {0}
-#endif
-
-/** Return an initial value for a key policy that forbids all usage of the key.
- */
-static psa_key_policy_t psa_key_policy_init(void);
-
-/** \brief Set the standard fields of a policy structure.
- *
- * Note that this function does not make any consistency check of the
- * parameters. The values are only checked when applying the policy to
- * a key with psa_set_key_policy().
- *
- * \param[in,out] policy The key policy to modify. It must have been
- * initialized as per the documentation for
- * #psa_key_policy_t.
- * \param usage The permitted uses for the key.
- * \param alg The algorithm that the key may be used for.
- */
-void psa_key_policy_set_usage(psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg);
-
-/** \brief Retrieve the usage field of a policy structure.
- *
- * \param[in] policy The policy object to query.
- *
- * \return The permitted uses for a key with this policy.
- */
-psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy);
-
-/** \brief Retrieve the algorithm field of a policy structure.
- *
- * \param[in] policy The policy object to query.
- *
- * \return The permitted algorithm for a key with this policy.
- */
-psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy);
-
-/** \brief Set the usage policy for a key.
- *
- * This function must be called on a key handle before importing,
- * generating or creating a key. Changing the policy of an
- * existing key is not permitted.
- *
- * Implementations may set restrictions on supported key policies
- * depending on the key type.
- *
- * \param handle Handle to the key whose policy is to be changed.
- * \param[in] policy The policy object to query.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * If the key is persistent, it is implementation-defined whether
- * the policy has been saved to persistent storage. Implementations
- * may defer saving the policy until the key material is created.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_set_key_policy(psa_key_handle_t handle,
- const psa_key_policy_t *policy);
-
-/** \brief Get the usage policy for a key.
- *
- * \param handle Handle to the key whose policy is being queried.
- * \param[out] policy On success, the key's policy.
- *
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_get_key_policy(psa_key_handle_t handle,
- psa_key_policy_t *policy);
-
-/**@}*/
-
-/** \defgroup to_handle Key creation to allocated handle
- * @{
- *
- * The functions in this section are legacy interfaces where the properties
- * of a key object are set after allocating a handle, in constrast with the
- * preferred interface where key objects are created atomically from
- * a structure that represents the properties.
- */
-
-/** Create a new persistent key.
- *
- * Create a new persistent key and return a handle to it. The handle
- * remains valid until the application calls psa_close_key() or terminates.
- * The application can open the key again with psa_open_key() until it
- * removes the key by calling psa_destroy_key().
- *
- * \param lifetime The lifetime of the key. This designates a storage
- * area where the key material is stored. This must not
- * be #PSA_KEY_LIFETIME_VOLATILE.
- * \param id The persistent identifier of the key.
- * \param[out] handle On success, a handle to the newly created key.
- * When key material is later created in this key,
- * it will be saved to the specified persistent location.
- *
- * \retval #PSA_SUCCESS
- * Success. The application can now use the value of `*handle`
- * for key operations.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * There is already a key with the identifier \p id in the storage
- * area designated by \p lifetime.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p lifetime is invalid, for example #PSA_KEY_LIFETIME_VOLATILE.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p id is invalid for the specified lifetime.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p lifetime is not supported.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * \p lifetime is valid, but the application does not have the
- * permission to create a key there.
- */
-psa_status_t psa_create_key(psa_key_lifetime_t lifetime,
- psa_key_id_t id,
- psa_key_handle_t *handle);
-
-/** Allocate space for a transient key, i.e. a key which is only stored
- * in volatile memory.
- *
- * The allocated key and its handle remain valid until the
- * application calls psa_close_key() or psa_destroy_key() or until the
- * application terminates.
- *
- * \param[out] handle On success, a handle to a volatile key.
- *
- * \retval #PSA_SUCCESS
- * Success. The application can now use the value of `*handle`
- * to refer to the key.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * There was not enough memory, or the maximum number of transient keys
- * has been reached.
- */
-psa_status_t psa_allocate_key(psa_key_handle_t *handle);
-
-/**
- * \brief Get basic metadata about a key.
- *
- * \param handle Handle to the key to query.
- * \param[out] type On success, the key type (a \c PSA_KEY_TYPE_XXX value).
- * This may be a null pointer, in which case the key type
- * is not written.
- * \param[out] bits On success, the key size in bits.
- * This may be a null pointer, in which case the key size
- * is not written.
- *
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * The handle does not contain a key.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_get_key_information(psa_key_handle_t handle,
- psa_key_type_t *type,
- size_t *bits);
-
-/** \brief Retrieve the lifetime of an open key.
- *
- * \param handle Handle to query.
- * \param[out] lifetime On success, the lifetime value.
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_get_key_lifetime_from_handle(psa_key_handle_t handle,
- psa_key_lifetime_t *lifetime);
-
-psa_status_t psa_import_key_to_handle(psa_key_handle_t handle,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length);
-
-psa_status_t psa_copy_key_to_handle(psa_key_handle_t source_handle,
- psa_key_handle_t target_handle,
- const psa_key_policy_t *constraint);
-
-psa_status_t psa_generate_derived_key_to_handle(psa_key_handle_t handle,
- psa_key_type_t type,
- size_t bits,
- psa_key_derivation_operation_t *operation);
-
-psa_status_t psa_generate_key_to_handle(psa_key_handle_t handle,
- psa_key_type_t type,
- size_t bits,
- const void *extra,
- size_t extra_size);
-
-/**@}*/
-
-
 /** \addtogroup crypto_types
 * @{
 */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 768410c99e..f4eb3a11f0 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -739,27 +739,6 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
 return( status );
 }
-/* Retrieve an empty key slot (slot with no key data, but possibly
- * with some metadata such as a policy or domain parameters). */
-static psa_status_t psa_get_empty_key_slot( psa_key_handle_t handle,
- psa_key_slot_t **p_slot )
-{
- psa_status_t status;
- psa_key_slot_t *slot = NULL;
-
- *p_slot = NULL;
-
- status = psa_get_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- if( slot->type != PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_ALREADY_EXISTS );
-
- *p_slot = slot;
- return( status );
-}
-
 /** Calculate the intersection of two algorithm usage policies.
 *
 * Return 0 (which allows no operation) on incompatibility.
@@ -938,45 +917,6 @@ psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot )
 return( status );
 }
-psa_status_t psa_import_key_to_handle( psa_key_handle_t handle,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length )
-{
- psa_key_slot_t *slot;
- psa_status_t status;
-
- status = psa_get_empty_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- slot->type = type;
-
- status = psa_import_key_into_slot( slot, data, data_length );
- if( status != PSA_SUCCESS )
- {
- slot->type = PSA_KEY_TYPE_NONE;
- return( status );
- }
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
- if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
- {
- /* Store in file location */
- status = psa_save_persistent_key( slot->persistent_storage_id,
- slot->type, &slot->policy, data,
- data_length );
- if( status != PSA_SUCCESS )
- {
- (void) psa_remove_key_data_from_memory( slot );
- slot->type = PSA_KEY_TYPE_NONE;
- }
- }
-#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-
- return( status );
-}
-
 psa_status_t psa_destroy_key( psa_key_handle_t handle )
 {
 psa_key_slot_t *slot;
@@ -1143,30 +1083,6 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
 return( status );
 }
-psa_status_t psa_get_key_information( psa_key_handle_t handle,
- psa_key_type_t *type,
- size_t *bits )
-{
- psa_key_slot_t *slot;
- psa_status_t status;
-
- if( type != NULL )
- *type = 0;
- if( bits != NULL )
- *bits = 0;
- status = psa_get_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_DOES_NOT_EXIST );
- if( type != NULL )
- *type = slot->type;
- if( bits != NULL )
- *bits = psa_get_key_slot_bits( slot );
- return( PSA_SUCCESS );
-}
-
 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
 static int pk_write_pubkey_simple( mbedtls_pk_context *key,
 unsigned char *buf, size_t size )
@@ -1341,39 +1257,6 @@ psa_status_t psa_export_public_key( psa_key_handle_t handle,
 data_length, 1 ) );
 }
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-static psa_status_t psa_save_generated_persistent_key( psa_key_slot_t *slot,
- size_t bits )
-{
- psa_status_t status;
- uint8_t *data;
- size_t key_length;
- size_t data_size = PSA_KEY_EXPORT_MAX_SIZE( slot->type, bits );
- data = mbedtls_calloc( 1, data_size );
- if( data == NULL )
- return( PSA_ERROR_INSUFFICIENT_MEMORY );
- /* Get key data in export format */
- status = psa_internal_export_key( slot, data, data_size, &key_length, 0 );
- if( status != PSA_SUCCESS )
- {
- slot->type = PSA_KEY_TYPE_NONE;
- goto exit;
- }
- /* Store in file location */
- status = psa_save_persistent_key( slot->persistent_storage_id,
- slot->type, &slot->policy,
- data, key_length );
- if( status != PSA_SUCCESS )
- {
- slot->type = PSA_KEY_TYPE_NONE;
- }
-exit:
- mbedtls_platform_zeroize( data, key_length );
- mbedtls_free( data );
- return( status );
-}
-#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-
 static psa_status_t psa_set_key_policy_internal( psa_key_slot_t *slot,
 const psa_key_policy_t *policy )
@@ -1623,41 +1506,6 @@ exit:
 return( status );
 }
-psa_status_t psa_copy_key_to_handle(psa_key_handle_t source_handle,
- psa_key_handle_t target_handle,
- const psa_key_policy_t *constraint)
-{
- psa_key_slot_t *source_slot = NULL;
- psa_key_slot_t *target_slot = NULL;
- psa_key_policy_t new_policy;
- psa_status_t status;
- status = psa_get_key_from_slot( source_handle, &source_slot,
- PSA_KEY_USAGE_COPY, 0 );
- if( status != PSA_SUCCESS )
- return( status );
- status = psa_get_empty_key_slot( target_handle, &target_slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- new_policy = target_slot->policy;
- status = psa_restrict_key_policy( &new_policy, &source_slot->policy );
- if( status != PSA_SUCCESS )
- return( status );
- if( constraint != NULL )
- {
- status = psa_restrict_key_policy( &new_policy, constraint );
- if( status != PSA_SUCCESS )
- return( status );
- }
-
- status = psa_copy_key_material( source_slot, target_slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- target_slot->policy = new_policy;
- return( PSA_SUCCESS );
-}
-
 psa_status_t psa_copy_key( psa_key_handle_t source_handle,
 const psa_key_attributes_t *specified_attributes,
 psa_key_handle_t *target_handle )
@@ -3644,86 +3492,6 @@ psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation )
-/****************************************************************/
-/* Key Policy */
-/****************************************************************/
-
-#if !defined(MBEDTLS_PSA_CRYPTO_SPM)
-void psa_key_policy_set_usage( psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg )
-{
- policy->usage = usage;
- policy->alg = alg;
-}
-
-psa_key_usage_t psa_key_policy_get_usage( const psa_key_policy_t *policy )
-{
- return( policy->usage );
-}
-
-psa_algorithm_t psa_key_policy_get_algorithm( const psa_key_policy_t *policy )
-{
- return( policy->alg );
-}
-#endif /* !defined(MBEDTLS_PSA_CRYPTO_SPM) */
-
-psa_status_t psa_set_key_policy( psa_key_handle_t handle,
- const psa_key_policy_t *policy )
-{
- psa_key_slot_t *slot;
- psa_status_t status;
-
- if( policy == NULL )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
- status = psa_get_empty_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- return( psa_set_key_policy_internal( slot, policy ) );
-}
-
-psa_status_t psa_get_key_policy( psa_key_handle_t handle,
- psa_key_policy_t *policy )
-{
- psa_key_slot_t *slot;
- psa_status_t status;
-
- if( policy == NULL )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
- status = psa_get_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- *policy = slot->policy;
-
- return( PSA_SUCCESS );
-}
-
-
-
-/****************************************************************/
-/* Key Lifetime */
-/****************************************************************/
-
-psa_status_t psa_get_key_lifetime_from_handle( psa_key_handle_t handle,
- psa_key_lifetime_t *lifetime )
-{
- psa_key_slot_t *slot;
- psa_status_t status;
-
- status = psa_get_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- *lifetime = slot->lifetime;
-
- return( PSA_SUCCESS );
-}
-
-
 /****************************************************************/
 /* AEAD */
@@ -4539,37 +4307,6 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut
 return( status );
 }
-psa_status_t psa_generate_derived_key_to_handle( psa_key_handle_t handle,
- psa_key_type_t type,
- size_t bits,
- psa_key_derivation_operation_t *operation )
-{
- uint8_t *data = NULL;
- size_t bytes = PSA_BITS_TO_BYTES( bits );
- psa_status_t status;
-
- if( ! key_type_is_raw_bytes( type ) )
- return( PSA_ERROR_INVALID_ARGUMENT );
- if( bits % 8 != 0 )
- return( PSA_ERROR_INVALID_ARGUMENT );
- data = mbedtls_calloc( 1, bytes );
- if( data == NULL )
- return( PSA_ERROR_INSUFFICIENT_MEMORY );
-
- status = psa_key_derivation_output_bytes( operation, data, bytes );
- if( status != PSA_SUCCESS )
- goto exit;
-#if defined(MBEDTLS_DES_C)
- if( type == PSA_KEY_TYPE_DES )
- psa_des_set_key_parity( data, bytes );
-#endif /* MBEDTLS_DES_C */
- status = psa_import_key_to_handle( handle, type, data, bytes );
-
-exit:
- mbedtls_free( data );
- return( status );
-}
-
 /****************************************************************/
@@ -5426,40 +5163,6 @@ static psa_status_t psa_generate_key_internal(
 return( PSA_SUCCESS );
 }
-psa_status_t psa_generate_key_to_handle( psa_key_handle_t handle,
- psa_key_type_t type,
- size_t bits,
- const void *extra,
- size_t extra_size )
-{
- psa_key_slot_t *slot;
- psa_status_t status;
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
- /* The old public exponent encoding is no longer supported. */
- if( extra_size != 0 )
- return( PSA_ERROR_NOT_SUPPORTED );
-#endif
-
- status = psa_get_empty_key_slot( handle, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- slot->type = type;
- status = psa_generate_key_internal( slot, bits, extra, extra_size );
- if( status != PSA_SUCCESS )
- slot->type = 0;
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
- if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
- {
- return( psa_save_generated_persistent_key( slot, bits ) );
- }
-#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-
- return( status );
-}
-
 psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
 psa_key_handle_t *handle )
 {
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 3876f4b234..5251c19df8 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -290,21 +290,6 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
 id, handle, 0 ) );
 }
-psa_status_t psa_create_key( psa_key_lifetime_t lifetime,
- psa_key_file_id_t id,
- psa_key_handle_t *handle )
-{
- psa_status_t status;
-
- status = persistent_key_setup( lifetime, id, handle, 1 );
- switch( status )
- {
- case PSA_SUCCESS: return( PSA_ERROR_ALREADY_EXISTS );
- case PSA_ERROR_DOES_NOT_EXIST: return( PSA_SUCCESS );
- default: return( status );
- }
-}
-
 psa_status_t psa_close_key( psa_key_handle_t handle )
 {
 return( psa_internal_release_key_slot( handle ) );
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index 2e459d1a74..d31067c53a 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -55,6 +55,16 @@ psa_status_t psa_initialize_key_slots( void );
 * This does not affect persistent storage.
 */
 void psa_wipe_all_key_slots( void );
+/** Allocate a key slot.
+ *
+ * \param[out] handle On success, a handle to a newly allocated key slot.
+ * 0 if an error occurs.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t psa_allocate_key( psa_key_handle_t *handle );
+
 /** Test whether the given parameters are acceptable for a persistent key.
 *
 * This function does not access the storage in any way. It only tests
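Review bot: The new doc comment on `psa_allocate_key` in psa_crypto_slot_management.h drops the ownership and exhaustion details that the removed public declaration in crypto_extra.h carried: it no longer says how long the allocated slot stays valid, nor that #PSA_ERROR_INSUFFICIENT_MEMORY also covers running out of key slots rather than only heap memory. Since the function now lives in an internal header, the library's own callers are the ones who need that contract when deciding who releases the slot on an error path. I would keep the two sentences from the old text, e.g. `* The allocated slot and its handle remain valid until psa_close_key() or psa_destroy_key() is called on the handle.` and `* \retval #PSA_ERROR_INSUFFICIENT_MEMORY There was not enough memory, or the maximum number of transient keys has been reached.`. It is also worth saying in the comment that this declaration is internal: the definition is not in this diff and presumably keeps external linkage, so the symbol is still reachable by anything that declares it, and this header comment is the only place that records it is no longer part of the public API.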