psa: Change psa_import_key_into_slot() signature

Change psa_import_key_into_slot() signature to the signature
of an import_key driver entry point.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Ronald Cron 2020-11-28 15:54:54 +01:00
parent dd04d423b5
commit 2ebfdcce0e


@ -583,49 +583,48 @@ psa_status_t psa_copy_key_material_into_slot( psa_key_slot_t *slot,
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
/** Import key data into a slot. /** Import a key in binary format.
* *
* `slot->type` must have been set previously. * \note The signature of this function is that of a PSA driver
* This function assumes that the slot does not contain any key material yet. * import_key entry point. This function behaves as an import_key
* On failure, the slot content is unchanged. * entry point as defined in the PSA driver interface specification for
* transparent drivers.
* *
* Persistent storage is not affected. * \param[in] attributes The attributes for the key to import.
* * \param[in] data The buffer containing the key data in import
* \param[in,out] slot The key slot to import data into. * format.
* Its `type` field must have previously been set to * \param[in] data_length Size of the \p data buffer in bytes.
* the desired key type. * \param[out] key_buffer The buffer containing the key data in output
* It must not contain any key material yet. * format.
* \param[in] data Buffer containing the key material to parse and * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
* import. * size is greater or equal to \p data_length.
* \param data_length Size of \p data in bytes.
* \param[out] key_buffer The buffer containing the export representation.
* \param[in] key_buffer_size The size of \p key_buffer in bytes. The size
* is greater or equal to \p data_length.
* \param[out] key_buffer_length The length of the data written in \p * \param[out] key_buffer_length The length of the data written in \p
* key_buffer in bytes. * key_buffer in bytes.
* \param[out] bits The key size in number of bits.
* *
* \retval #PSA_SUCCESS * \retval #PSA_SUCCESS The key was imported successfully.
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* The key data is not correctly formatted.
* \retval #PSA_ERROR_NOT_SUPPORTED * \retval #PSA_ERROR_NOT_SUPPORTED
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_CORRUPTION_DETECTED
*/ */
static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, static psa_status_t psa_import_key_into_slot(
const uint8_t *data, const psa_key_attributes_t *attributes,
size_t data_length, const uint8_t *data, size_t data_length,
uint8_t *key_buffer, uint8_t *key_buffer, size_t key_buffer_size,
size_t key_buffer_size, size_t *key_buffer_length, size_t *bits )
size_t *key_buffer_length )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t bit_size; psa_key_type_t type = attributes->core.type;
/* zero-length keys are never supported. */ /* zero-length keys are never supported. */
if( data_length == 0 ) if( data_length == 0 )
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
if( key_type_is_raw_bytes( slot->attr.type ) ) if( key_type_is_raw_bytes( type ) )
{ {
bit_size = PSA_BYTES_TO_BITS( data_length ); *bits = PSA_BYTES_TO_BITS( data_length );
/* Ensure that the bytes-to-bits conversion hasn't overflown. */ /* Ensure that the bytes-to-bits conversion hasn't overflown. */
if( data_length > SIZE_MAX / 8 ) if( data_length > SIZE_MAX / 8 )
@ -633,10 +632,10 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
/* Enforce a size limit, and in particular ensure that the bit /* Enforce a size limit, and in particular ensure that the bit
* size fits in its representation type. */ * size fits in its representation type. */
if( bit_size > PSA_MAX_KEY_BITS ) if( ( *bits ) > PSA_MAX_KEY_BITS )
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
status = validate_unstructured_key_bit_size( slot->attr.type, bit_size ); status = validate_unstructured_key_bit_size( type, *bits );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -645,41 +644,18 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
*key_buffer_length = data_length; *key_buffer_length = data_length;
(void)key_buffer_size; (void)key_buffer_size;
/* Write the actual key size to the slot.
* psa_start_key_creation() wrote the size declared by the
* caller, which may be 0 (meaning unspecified) or wrong. */
slot->attr.bits = (psa_key_bits_t) bit_size;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
else if( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) ) else if( PSA_KEY_TYPE_IS_ASYMMETRIC( type ) )
{ {
/* Try validation through accelerators first. */ status = psa_driver_wrapper_import_key( attributes,
psa_key_attributes_t attributes = {
.core = slot->attr
};
bit_size = slot->attr.bits;
status = psa_driver_wrapper_import_key( &attributes,
data, data_length, data, data_length,
key_buffer, key_buffer,
key_buffer_size, key_buffer_size,
key_buffer_length, key_buffer_length,
&bit_size ); bits );
if( status == PSA_SUCCESS ) if( status != PSA_ERROR_NOT_SUPPORTED )
{ return( status );
if( slot->attr.bits == 0 )
slot->attr.bits = (psa_key_bits_t) bit_size;
else if( bit_size != slot->attr.bits )
return( PSA_ERROR_INVALID_ARGUMENT );
return( PSA_SUCCESS );
}
else
{
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
}
mbedtls_platform_zeroize( key_buffer, key_buffer_size ); mbedtls_platform_zeroize( key_buffer, key_buffer_size );
@ -687,41 +663,31 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
* if present. */ * if present. */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) if( PSA_KEY_TYPE_IS_ECC( type ) )
{ {
status = mbedtls_psa_ecp_import_key( &attributes, return( mbedtls_psa_ecp_import_key( attributes,
data, data_length, data, data_length,
key_buffer, key_buffer_size, key_buffer, key_buffer_size,
key_buffer_length, key_buffer_length,
&bit_size ); bits ) );
slot->attr.bits = (psa_key_bits_t) bit_size;
return( status );
} }
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) if( PSA_KEY_TYPE_IS_RSA( type ) )
{ {
status = mbedtls_psa_rsa_import_key( &attributes, return( mbedtls_psa_rsa_import_key( attributes,
data, data_length, data, data_length,
key_buffer, key_buffer_size, key_buffer, key_buffer_size,
key_buffer_length, key_buffer_length,
&bit_size ); bits ) );
slot->attr.bits = (psa_key_bits_t) bit_size;
return( status );
} }
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
}
/* Fell through the fallback as well, so have nothing else to try. */ return( PSA_ERROR_NOT_SUPPORTED );
return( PSA_ERROR_NOT_SUPPORTED );
}
else
{
/* Unknown key type */
return( PSA_ERROR_NOT_SUPPORTED );
}
} }
/** Calculate the intersection of two algorithm usage policies. /** Calculate the intersection of two algorithm usage policies.
@ -1929,13 +1895,24 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
status = psa_import_key_into_slot( slot, data, data_length, size_t bits = slot->attr.bits;
status = psa_import_key_into_slot( attributes,
data, data_length,
slot->key.data, slot->key.data,
slot->key.bytes, slot->key.bytes,
&slot->key.bytes ); &slot->key.bytes, &bits );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
if( slot->attr.bits == 0 )
slot->attr.bits = (psa_key_bits_t) bits;
else if( bits != slot->attr.bits )
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
} }
status = psa_validate_optional_attributes( slot, attributes ); status = psa_validate_optional_attributes( slot, attributes );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
@ -5240,9 +5217,16 @@ static psa_status_t psa_generate_derived_key_internal(
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
status = psa_import_key_into_slot( slot, data, bytes, psa_key_attributes_t attributes = {
.core = slot->attr
};
status = psa_import_key_into_slot( &attributes,
data, bytes,
slot->key.data, slot->key.bytes, slot->key.data, slot->key.bytes,
&slot->key.bytes ); &slot->key.bytes,
&bits );
slot->attr.bits = (psa_key_bits_t) bits;
exit: exit:
mbedtls_free( data ); mbedtls_free( data );
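Review bot: In the raw-bytes branch of psa_import_key_into_slot() (first file hunk, around `*key_buffer_length = data_length;`), `(void)key_buffer_size;` still only silences the unused-parameter warning, while the new docblock turns "key_buffer_size is greater or equal to data_length" into a caller guarantee that nothing in the function checks. Since the function is now documented as behaving like a PSA driver import_key entry point, that bound should be enforced before the key bytes are written into key_buffer rather than assumed: `if( key_buffer_size < data_length ) return( PSA_ERROR_BUFFER_TOO_SMALL );`. The copy into key_buffer itself presumably sits in the lines elided between the second and third hunks and is not visible here, so the exact placement should be confirmed against the full function body. The same branch also stores into `*bits` before the SIZE_MAX / 8 overflow check and the PSA_MAX_KEY_BITS check, so the caller's out-parameter is modified on the PSA_ERROR_NOT_SUPPORTED path; computing into a local and assigning `*bits` only after validation passes would keep the out-parameter untouched on failure, which matters now that psa_import_key() and psa_generate_derived_key_internal() read `bits` back after the call.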