psa: se: Create key context in SE key slots

In key slots containing the description of a key of a
dynamically registered Secure Element (SE), store the
key slot number in a key context as defined in the
PSA driver interface for opaque drivers.

That way, transparent key data and SE slot numbers are
both stored, in a key slot, in a dynamically allocated
buffer. The `data` union in structures of type
psa_key_slot_t, which distinguished between the storage of
transparent key data and slot numbers, is consequently
no longer necessary and is thus removed.

This alignment of part of the code dedicated to
dynamically registered SEs with the PSA driver interface
specification is done to ease the support of both
dynamically registered and statically defined secure
elements.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Ronald Cron 2020-11-25 17:52:23 +01:00
parent 0dbbf1e27f
commit ea0f8a6d1a
4 changed files with 153 additions and 152 deletions


@ -749,8 +749,8 @@ exit:
} }
/* On success, store the allocated export-formatted key. */ /* On success, store the allocated export-formatted key. */
slot->data.key.data = output; slot->key.data = output;
slot->data.key.bytes = data_length; slot->key.bytes = data_length;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
@ -983,8 +983,8 @@ exit:
} }
/* On success, store the allocated export-formatted key. */ /* On success, store the allocated export-formatted key. */
slot->data.key.data = output; slot->key.data = output;
slot->data.key.bytes = data_length; slot->key.bytes = data_length;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
@ -1017,14 +1017,14 @@ static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot )
static psa_status_t psa_allocate_buffer_to_slot( psa_key_slot_t *slot, static psa_status_t psa_allocate_buffer_to_slot( psa_key_slot_t *slot,
size_t buffer_length ) size_t buffer_length )
{ {
if( slot->data.key.data != NULL ) if( slot->key.data != NULL )
return( PSA_ERROR_ALREADY_EXISTS ); return( PSA_ERROR_ALREADY_EXISTS );
slot->data.key.data = mbedtls_calloc( 1, buffer_length ); slot->key.data = mbedtls_calloc( 1, buffer_length );
if( slot->data.key.data == NULL ) if( slot->key.data == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
slot->data.key.bytes = buffer_length; slot->key.bytes = buffer_length;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
@ -1037,7 +1037,7 @@ psa_status_t psa_copy_key_material_into_slot( psa_key_slot_t *slot,
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
memcpy( slot->data.key.data, data, data_length ); memcpy( slot->key.data, data, data_length );
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
@ -1342,23 +1342,14 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
/** Wipe key data from a slot. Preserve metadata such as the policy. */ /** Wipe key data from a slot. Preserve metadata such as the policy. */
static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot ) static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
{ {
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) /* Data pointer will always be either a valid pointer or NULL in an
if( psa_get_se_driver( slot->attr.lifetime, NULL, NULL ) && * initialized slot, so we can just free it. */
psa_key_slot_is_external( slot ) ) if( slot->key.data != NULL )
{ mbedtls_platform_zeroize( slot->key.data, slot->key.bytes);
/* No key material to clean. */
} mbedtls_free( slot->key.data );
else slot->key.data = NULL;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ slot->key.bytes = 0;
{
/* Data pointer will always be either a valid pointer or NULL in an
* initialized slot, so we can just free it. */
if( slot->data.key.data != NULL )
mbedtls_platform_zeroize( slot->data.key.data, slot->data.key.bytes);
mbedtls_free( slot->data.key.data );
slot->data.key.data = NULL;
slot->data.key.bytes = 0;
}
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
@ -1443,7 +1434,7 @@ psa_status_t psa_destroy_key( mbedtls_svc_key_id_t key )
* three actions. */ * three actions. */
psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_DESTROY_KEY ); psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_DESTROY_KEY );
psa_crypto_transaction.key.lifetime = slot->attr.lifetime; psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
psa_crypto_transaction.key.slot = slot->data.se.slot_number; psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number( slot );
psa_crypto_transaction.key.id = slot->attr.id; psa_crypto_transaction.key.id = slot->attr.id;
status = psa_crypto_save_transaction( ); status = psa_crypto_save_transaction( );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
@ -1460,7 +1451,8 @@ psa_status_t psa_destroy_key( mbedtls_svc_key_id_t key )
goto exit; goto exit;
} }
status = psa_destroy_se_key( driver, slot->data.se.slot_number ); status = psa_destroy_se_key( driver,
psa_key_slot_get_slot_number( slot ) );
if( overall_status == PSA_SUCCESS ) if( overall_status == PSA_SUCCESS )
overall_status = status; overall_status = status;
} }
@ -1616,7 +1608,8 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key,
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_key_slot_is_external( slot ) ) if( psa_key_slot_is_external( slot ) )
psa_set_key_slot_number( attributes, slot->data.se.slot_number ); psa_set_key_slot_number( attributes,
psa_key_slot_get_slot_number( slot ) );
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
switch( slot->attr.type ) switch( slot->attr.type )
@ -1637,8 +1630,8 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key,
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
status = psa_load_rsa_representation( slot->attr.type, status = psa_load_rsa_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
break; break;
@ -1684,12 +1677,12 @@ static psa_status_t psa_internal_export_key_buffer( const psa_key_slot_t *slot,
size_t data_size, size_t data_size,
size_t *data_length ) size_t *data_length )
{ {
if( slot->data.key.bytes > data_size ) if( slot->key.bytes > data_size )
return( PSA_ERROR_BUFFER_TOO_SMALL ); return( PSA_ERROR_BUFFER_TOO_SMALL );
memcpy( data, slot->data.key.data, slot->data.key.bytes ); memcpy( data, slot->key.data, slot->key.bytes );
memset( data + slot->data.key.bytes, 0, memset( data + slot->key.bytes, 0,
data_size - slot->data.key.bytes ); data_size - slot->key.bytes );
*data_length = slot->data.key.bytes; *data_length = slot->key.bytes;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
@ -1727,7 +1720,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
if( method == NULL ) if( method == NULL )
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
return( method( drv_context, return( method( drv_context,
slot->data.se.slot_number, psa_key_slot_get_slot_number( slot ),
data, data_size, data_length ) ); data, data_size, data_length ) );
} }
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
@ -1768,8 +1761,8 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
status = psa_load_rsa_representation( status = psa_load_rsa_representation(
slot->attr.type, slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -1797,8 +1790,8 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
mbedtls_ecp_keypair *ecp = NULL; mbedtls_ecp_keypair *ecp = NULL;
status = psa_load_ecp_representation( status = psa_load_ecp_representation(
slot->attr.type, slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&ecp ); &ecp );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -2071,8 +2064,9 @@ static psa_status_t psa_start_key_creation(
* we can roll back to a state where the key doesn't exist. */ * we can roll back to a state where the key doesn't exist. */
if( *p_drv != NULL ) if( *p_drv != NULL )
{ {
psa_key_slot_number_t slot_number;
status = psa_find_se_slot_for_key( attributes, method, *p_drv, status = psa_find_se_slot_for_key( attributes, method, *p_drv,
&slot->data.se.slot_number ); &slot_number );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -2080,7 +2074,7 @@ static psa_status_t psa_start_key_creation(
{ {
psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_CREATE_KEY ); psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_CREATE_KEY );
psa_crypto_transaction.key.lifetime = slot->attr.lifetime; psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
psa_crypto_transaction.key.slot = slot->data.se.slot_number; psa_crypto_transaction.key.slot = slot_number;
psa_crypto_transaction.key.id = slot->attr.id; psa_crypto_transaction.key.id = slot->attr.id;
status = psa_crypto_save_transaction( ); status = psa_crypto_save_transaction( );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
@ -2089,6 +2083,9 @@ static psa_status_t psa_start_key_creation(
return( status ); return( status );
} }
} }
status = psa_copy_key_material_into_slot(
slot, (uint8_t *)( &slot_number ), sizeof( slot_number ) );
} }
if( *p_drv == NULL && method == PSA_KEY_CREATION_REGISTER ) if( *p_drv == NULL && method == PSA_KEY_CREATION_REGISTER )
@ -2140,13 +2137,15 @@ static psa_status_t psa_finish_key_creation(
if( driver != NULL ) if( driver != NULL )
{ {
psa_se_key_data_storage_t data; psa_se_key_data_storage_t data;
psa_key_slot_number_t slot_number =
psa_key_slot_get_slot_number( slot ) ;
#if defined(static_assert) #if defined(static_assert)
static_assert( sizeof( slot->data.se.slot_number ) == static_assert( sizeof( slot_number ) ==
sizeof( data.slot_number ), sizeof( data.slot_number ),
"Slot number size does not match psa_se_key_data_storage_t" ); "Slot number size does not match psa_se_key_data_storage_t" );
#endif #endif
memcpy( &data.slot_number, &slot->data.se.slot_number, memcpy( &data.slot_number, &slot_number, sizeof( slot_number ) );
sizeof( slot->data.se.slot_number ) );
status = psa_save_persistent_key( &slot->attr, status = psa_save_persistent_key( &slot->attr,
(uint8_t*) &data, (uint8_t*) &data,
sizeof( data ) ); sizeof( data ) );
@ -2157,8 +2156,8 @@ static psa_status_t psa_finish_key_creation(
/* Key material is saved in export representation in the slot, so /* Key material is saved in export representation in the slot, so
* just pass the slot buffer for storage. */ * just pass the slot buffer for storage. */
status = psa_save_persistent_key( &slot->attr, status = psa_save_persistent_key( &slot->attr,
slot->data.key.data, slot->key.data,
slot->data.key.bytes ); slot->key.bytes );
} }
} }
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
@ -2264,8 +2263,8 @@ static psa_status_t psa_validate_optional_attributes(
psa_status_t status = psa_load_rsa_representation( psa_status_t status = psa_load_rsa_representation(
slot->attr.type, slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -2345,8 +2344,8 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
} }
status = drv->key_management->p_import( status = drv->key_management->p_import(
psa_get_se_driver_context( driver ), psa_get_se_driver_context( driver ),
slot->data.se.slot_number, attributes, data, data_length, psa_key_slot_get_slot_number( slot ),
&bits ); attributes, data, data_length, &bits );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
if( bits > PSA_MAX_KEY_BITS ) if( bits > PSA_MAX_KEY_BITS )
@ -2423,8 +2422,8 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
psa_key_slot_t *target ) psa_key_slot_t *target )
{ {
psa_status_t status = psa_copy_key_material_into_slot( target, psa_status_t status = psa_copy_key_material_into_slot( target,
source->data.key.data, source->key.data,
source->data.key.bytes ); source->key.bytes );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -3236,7 +3235,7 @@ static int psa_cmac_setup( psa_mac_operation_t *operation,
return( ret ); return( ret );
ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac, ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
slot->data.key.data, slot->key.data,
key_bits ); key_bits );
return( ret ); return( ret );
} }
@ -3382,8 +3381,8 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
} }
status = psa_hmac_setup_internal( &operation->ctx.hmac, status = psa_hmac_setup_internal( &operation->ctx.hmac,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
hash_alg ); hash_alg );
} }
else else
@ -3969,8 +3968,8 @@ psa_status_t psa_sign_hash( mbedtls_svc_key_id_t key,
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
status = psa_load_rsa_representation( slot->attr.type, status = psa_load_rsa_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
@ -4001,8 +4000,8 @@ psa_status_t psa_sign_hash( mbedtls_svc_key_id_t key,
{ {
mbedtls_ecp_keypair *ecp = NULL; mbedtls_ecp_keypair *ecp = NULL;
status = psa_load_ecp_representation( slot->attr.type, status = psa_load_ecp_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&ecp ); &ecp );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
@ -4079,8 +4078,8 @@ psa_status_t psa_verify_hash( mbedtls_svc_key_id_t key,
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
status = psa_load_rsa_representation( slot->attr.type, status = psa_load_rsa_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
@ -4104,8 +4103,8 @@ psa_status_t psa_verify_hash( mbedtls_svc_key_id_t key,
{ {
mbedtls_ecp_keypair *ecp = NULL; mbedtls_ecp_keypair *ecp = NULL;
status = psa_load_ecp_representation( slot->attr.type, status = psa_load_ecp_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&ecp ); &ecp );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
@ -4188,8 +4187,8 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key,
{ {
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
status = psa_load_rsa_representation( slot->attr.type, status = psa_load_rsa_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto rsa_exit; goto rsa_exit;
@ -4294,8 +4293,8 @@ psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key,
{ {
mbedtls_rsa_context *rsa = NULL; mbedtls_rsa_context *rsa = NULL;
status = psa_load_rsa_representation( slot->attr.type, status = psa_load_rsa_representation( slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&rsa ); &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
@ -4455,8 +4454,8 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
{ {
/* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
uint8_t keys[24]; uint8_t keys[24];
memcpy( keys, slot->data.key.data, 16 ); memcpy( keys, slot->key.data, 16 );
memcpy( keys + 16, slot->data.key.data, 8 ); memcpy( keys + 16, slot->key.data, 8 );
ret = mbedtls_cipher_setkey( &operation->ctx.cipher, ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
keys, keys,
192, cipher_operation ); 192, cipher_operation );
@ -4465,7 +4464,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
#endif #endif
{ {
ret = mbedtls_cipher_setkey( &operation->ctx.cipher, ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
slot->data.key.data, slot->key.data,
(int) key_bits, cipher_operation ); (int) key_bits, cipher_operation );
} }
if( ret != 0 ) if( ret != 0 )
@ -4964,7 +4963,7 @@ static psa_status_t psa_aead_setup( aead_operation_t *operation,
mbedtls_ccm_init( &operation->ctx.ccm ); mbedtls_ccm_init( &operation->ctx.ccm );
status = mbedtls_to_psa_error( status = mbedtls_to_psa_error(
mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id, mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
operation->slot->data.key.data, operation->slot->key.data,
(unsigned int) key_bits ) ); (unsigned int) key_bits ) );
if( status != 0 ) if( status != 0 )
goto cleanup; goto cleanup;
@ -4986,7 +4985,7 @@ static psa_status_t psa_aead_setup( aead_operation_t *operation,
mbedtls_gcm_init( &operation->ctx.gcm ); mbedtls_gcm_init( &operation->ctx.gcm );
status = mbedtls_to_psa_error( status = mbedtls_to_psa_error(
mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id, mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
operation->slot->data.key.data, operation->slot->key.data,
(unsigned int) key_bits ) ); (unsigned int) key_bits ) );
if( status != 0 ) if( status != 0 )
goto cleanup; goto cleanup;
@ -5006,7 +5005,7 @@ static psa_status_t psa_aead_setup( aead_operation_t *operation,
mbedtls_chachapoly_init( &operation->ctx.chachapoly ); mbedtls_chachapoly_init( &operation->ctx.chachapoly );
status = mbedtls_to_psa_error( status = mbedtls_to_psa_error(
mbedtls_chachapoly_setkey( &operation->ctx.chachapoly, mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
operation->slot->data.key.data ) ); operation->slot->key.data ) );
if( status != 0 ) if( status != 0 )
goto cleanup; goto cleanup;
break; break;
@ -6129,8 +6128,8 @@ psa_status_t psa_key_derivation_input_key(
status = psa_key_derivation_input_internal( operation, status = psa_key_derivation_input_internal( operation,
step, slot->attr.type, step, slot->attr.type,
slot->data.key.data, slot->key.data,
slot->data.key.bytes ); slot->key.bytes );
unlock_status = psa_unlock_key_slot( slot ); unlock_status = psa_unlock_key_slot( slot );
@ -6215,8 +6214,8 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
mbedtls_ecp_keypair *ecp = NULL; mbedtls_ecp_keypair *ecp = NULL;
psa_status_t status = psa_load_ecp_representation( psa_status_t status = psa_load_ecp_representation(
private_key->attr.type, private_key->attr.type,
private_key->data.key.data, private_key->key.data,
private_key->data.key.bytes, private_key->key.bytes,
&ecp ); &ecp );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -6558,16 +6557,16 @@ static psa_status_t psa_generate_key_internal(
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
status = psa_generate_random( slot->data.key.data, status = psa_generate_random( slot->key.data,
slot->data.key.bytes ); slot->key.bytes );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
slot->attr.bits = (psa_key_bits_t) bits; slot->attr.bits = (psa_key_bits_t) bits;
#if defined(MBEDTLS_DES_C) #if defined(MBEDTLS_DES_C)
if( type == PSA_KEY_TYPE_DES ) if( type == PSA_KEY_TYPE_DES )
psa_des_set_key_parity( slot->data.key.data, psa_des_set_key_parity( slot->key.data,
slot->data.key.bytes ); slot->key.bytes );
#endif /* MBEDTLS_DES_C */ #endif /* MBEDTLS_DES_C */
} }
else else
@ -6611,9 +6610,9 @@ static psa_status_t psa_generate_key_internal(
status = psa_export_rsa_key( type, status = psa_export_rsa_key( type,
&rsa, &rsa,
slot->data.key.data, slot->key.data,
bytes, bytes,
&slot->data.key.bytes ); &slot->key.bytes );
mbedtls_rsa_free( &rsa ); mbedtls_rsa_free( &rsa );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
psa_remove_key_data_from_memory( slot ); psa_remove_key_data_from_memory( slot );
@ -6657,11 +6656,11 @@ static psa_status_t psa_generate_key_internal(
} }
status = mbedtls_to_psa_error( status = mbedtls_to_psa_error(
mbedtls_ecp_write_key( &ecp, slot->data.key.data, bytes ) ); mbedtls_ecp_write_key( &ecp, slot->key.data, bytes ) );
mbedtls_ecp_keypair_free( &ecp ); mbedtls_ecp_keypair_free( &ecp );
if( status != PSA_SUCCESS ) { if( status != PSA_SUCCESS ) {
memset( slot->data.key.data, 0, bytes ); memset( slot->key.data, 0, bytes );
psa_remove_key_data_from_memory( slot ); psa_remove_key_data_from_memory( slot );
} }
return( status ); return( status );
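Review bot: In the psa_start_key_creation hunk the status of `psa_copy_key_material_into_slot( slot, (uint8_t *)( &slot_number ), sizeof( slot_number ) )` is assigned but never checked before the hunk ends, and the next visible statement does not use it. If the function's tail (outside the hunk) returns PSA_SUCCESS unconditionally, an allocation failure would leave `slot->key.data` NULL after the create-key transaction has already been saved, and every later `psa_key_slot_get_slot_number( slot )` call (psa_finish_key_creation, psa_destroy_key, the driver wrappers) would dereference a null pointer. Add `if( status != PSA_SUCCESS ) return( status );` directly after the copy so the caller can roll the creation back through its existing failure path. psa_start_key_creation starts and ends outside the hunk.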


@ -62,23 +62,13 @@ typedef struct
*/ */
size_t lock_count; size_t lock_count;
union /* Dynamically allocated key data buffer.
* Format as specified in psa_export_key(). */
struct key_data
{ {
/* Dynamically allocated key data buffer. uint8_t *data;
* Format as specified in psa_export_key(). */ size_t bytes;
struct key_data } key;
{
uint8_t *data;
size_t bytes;
} key;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/* Any key type in a secure element */
struct se
{
psa_key_slot_number_t slot_number;
} se;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
} data;
} psa_key_slot_t; } psa_key_slot_t;
/* A mask of key attribute flags used only internally. /* A mask of key attribute flags used only internally.
@ -163,6 +153,20 @@ static inline void psa_key_slot_clear_bits( psa_key_slot_t *slot,
slot->attr.flags &= ~mask; slot->attr.flags &= ~mask;
} }
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/** Get the SE slot number of a key from the key slot storing its description.
*
* \param[in] slot The key slot to query. This must be a key slot storing
* the description of a key of a dynamically registered
* secure element, otherwise the behaviour is undefined.
*/
static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
const psa_key_slot_t *slot )
{
return( *( (psa_key_slot_number_t *)( slot->key.data ) ) );
}
#endif
/** Completely wipe a slot in memory, including its policy. /** Completely wipe a slot in memory, including its policy.
* *
* Persistent storage is not affected. * Persistent storage is not affected.
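Review bot: `psa_key_slot_get_slot_number` reinterprets `slot->key.data` through a `psa_key_slot_number_t *` cast, which assumes the heap buffer is large enough and suitably aligned, and it dereferences without any NULL check even though the buffer is only populated by the psa_copy_key_material_into_slot calls in psa_start_key_creation and psa_load_persistent_key_into_slot. Reading it as `psa_key_slot_number_t n; memcpy( &n, slot->key.data, sizeof( n ) ); return( n );` drops the aliasing and alignment assumption and mirrors how the value is written (this needs <string.h> in scope in this header, which I cannot see from here); a debug-only check that `slot->key.bytes >= sizeof( n )` would catch a slot that was never populated. The trailing `#endif` closing the new block should also carry the `/* MBEDTLS_PSA_CRYPTO_SE_C */` comment used on the other guards in this file.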


@ -80,7 +80,7 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
return( drv->asymmetric->p_sign( drv_context, return( drv->asymmetric->p_sign( drv_context,
slot->data.se.slot_number, psa_key_slot_get_slot_number( slot ),
alg, alg,
hash, hash_length, hash, hash_length,
signature, signature_size, signature, signature_size,
@ -103,8 +103,8 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
* cycle through all known transparent accelerators */ * cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_signature_sign_hash( &attributes, status = test_transparent_signature_sign_hash( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
hash, hash,
hash_length, hash_length,
@ -121,8 +121,8 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME: case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
return( test_opaque_signature_sign_hash( &attributes, return( test_opaque_signature_sign_hash( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
hash, hash,
hash_length, hash_length,
@ -172,7 +172,7 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
return( drv->asymmetric->p_verify( drv_context, return( drv->asymmetric->p_verify( drv_context,
slot->data.se.slot_number, psa_key_slot_get_slot_number( slot ),
alg, alg,
hash, hash_length, hash, hash_length,
signature, signature_length ) ); signature, signature_length ) );
@ -194,8 +194,8 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
* cycle through all known transparent accelerators */ * cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_signature_verify_hash( &attributes, status = test_transparent_signature_verify_hash( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
hash, hash,
hash_length, hash_length,
@ -211,8 +211,8 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME: case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
return( test_opaque_signature_verify_hash( &attributes, return( test_opaque_signature_verify_hash( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
hash, hash,
hash_length, hash_length,
@ -330,9 +330,8 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
return( drv->key_management->p_generate( return( drv->key_management->p_generate(
drv_context, drv_context, psa_key_slot_get_slot_number( slot ),
slot->data.se.slot_number, attributes, attributes, NULL, 0, &pubkey_length ) );
NULL, 0, &pubkey_length ) );
} }
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
@ -346,10 +345,10 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
slot->data.key.data = mbedtls_calloc(1, export_size); slot->key.data = mbedtls_calloc(1, export_size);
if( slot->data.key.data == NULL ) if( slot->key.data == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
slot->data.key.bytes = export_size; slot->key.bytes = export_size;
switch( location ) switch( location )
{ {
@ -365,9 +364,9 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
} }
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_generate_key( attributes, status = test_transparent_generate_key( attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&slot->data.key.bytes ); &slot->key.bytes );
/* Declared with fallback == true */ /* Declared with fallback == true */
if( status != PSA_ERROR_NOT_SUPPORTED ) if( status != PSA_ERROR_NOT_SUPPORTED )
break; break;
@ -379,9 +378,9 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME: case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
status = test_opaque_generate_key( attributes, status = test_opaque_generate_key( attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
&slot->data.key.bytes ); &slot->key.bytes );
break; break;
#endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_DRIVER_TEST */
default: default:
@ -393,9 +392,9 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
/* free allocated buffer */ /* free allocated buffer */
mbedtls_free( slot->data.key.data ); mbedtls_free( slot->key.data );
slot->data.key.data = NULL; slot->key.data = NULL;
slot->data.key.bytes = 0; slot->key.bytes = 0;
} }
return( status ); return( status );
@ -457,8 +456,8 @@ psa_status_t psa_driver_wrapper_export_public_key( const psa_key_slot_t *slot,
* cycle through all known transparent accelerators */ * cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_export_public_key( &attributes, status = test_transparent_export_public_key( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
data, data,
data_size, data_size,
data_length ); data_length );
@ -472,8 +471,8 @@ psa_status_t psa_driver_wrapper_export_public_key( const psa_key_slot_t *slot,
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME: case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
return( test_opaque_export_public_key( &attributes, return( test_opaque_export_public_key( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
data, data,
data_size, data_size,
data_length ) ); data_length ) );
@ -517,8 +516,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
* cycle through all known transparent accelerators */ * cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_cipher_encrypt( &attributes, status = test_transparent_cipher_encrypt( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
input, input,
input_length, input_length,
@ -535,8 +534,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME: case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
return( test_opaque_cipher_encrypt( &attributes, return( test_opaque_cipher_encrypt( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
input, input,
input_length, input_length,
@ -584,8 +583,8 @@ psa_status_t psa_driver_wrapper_cipher_decrypt(
* cycle through all known transparent accelerators */ * cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
status = test_transparent_cipher_decrypt( &attributes, status = test_transparent_cipher_decrypt( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
input, input,
input_length, input_length,
@ -602,8 +601,8 @@ psa_status_t psa_driver_wrapper_cipher_decrypt(
#if defined(PSA_CRYPTO_DRIVER_TEST) #if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME: case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
return( test_opaque_cipher_decrypt( &attributes, return( test_opaque_cipher_decrypt( &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg, alg,
input, input,
input_length, input_length,
@ -652,8 +651,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
status = test_transparent_cipher_encrypt_setup( operation->ctx, status = test_transparent_cipher_encrypt_setup( operation->ctx,
&attributes, &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg ); alg );
/* Declared with fallback == true */ /* Declared with fallback == true */
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
@ -680,8 +679,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
status = test_opaque_cipher_encrypt_setup( operation->ctx, status = test_opaque_cipher_encrypt_setup( operation->ctx,
&attributes, &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg ); alg );
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID; operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID;
@ -733,8 +732,8 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
status = test_transparent_cipher_decrypt_setup( operation->ctx, status = test_transparent_cipher_decrypt_setup( operation->ctx,
&attributes, &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg ); alg );
/* Declared with fallback == true */ /* Declared with fallback == true */
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
@ -761,8 +760,8 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
status = test_opaque_cipher_decrypt_setup( operation->ctx, status = test_opaque_cipher_decrypt_setup( operation->ctx,
&attributes, &attributes,
slot->data.key.data, slot->key.data,
slot->data.key.bytes, slot->key.bytes,
alg ); alg );
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID; operation->id = PSA_CRYPTO_OPAQUE_TEST_DRIVER_ID;
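Review bot: In the psa_driver_wrapper_generate_key hunk the error path frees `slot->key.data` without zeroizing it, while a driver such as test_transparent_generate_key may already have written key material into that buffer before returning a failure; psa_remove_key_data_from_memory in psa_crypto.c wipes before freeing, and this cleanup should do the same. Add `mbedtls_platform_zeroize( slot->key.data, export_size );` before `mbedtls_free( slot->key.data );`, using `export_size` rather than `slot->key.bytes` because the driver receives `&slot->key.bytes` and may have shrunk it. This is pre-existing behaviour the rename touched rather than something the commit introduced; the enclosing function starts outside the hunk.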


@ -255,16 +255,15 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot )
if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
{ {
psa_se_key_data_storage_t *data; psa_se_key_data_storage_t *data;
if( key_data_length != sizeof( *data ) ) if( key_data_length != sizeof( *data ) )
{ {
status = PSA_ERROR_STORAGE_FAILURE; status = PSA_ERROR_STORAGE_FAILURE;
goto exit; goto exit;
} }
data = (psa_se_key_data_storage_t *) key_data; data = (psa_se_key_data_storage_t *) key_data;
memcpy( &slot->data.se.slot_number, &data->slot_number, status = psa_copy_key_material_into_slot(
sizeof( slot->data.se.slot_number ) ); slot, data->slot_number, sizeof( data->slot_number ) );
status = PSA_SUCCESS;
goto exit; goto exit;
} }
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
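Review bot: The load path copies `sizeof( data->slot_number )` bytes into the slot, but psa_key_slot_get_slot_number reads `sizeof( psa_key_slot_number_t )` bytes back out of `slot->key.data`, and the only thing tying the two sizes together is the `static_assert` in psa_finish_key_creation, which is compiled only when `static_assert` is defined. If the sizes ever diverged the helper would read past the end of the heap buffer. Either repeat the size assertion here or have the helper validate `slot->key.bytes` before dereferencing; a comment such as `/* The SE slot number is the key's opaque context; it lives in the slot's key buffer, see psa_key_slot_get_slot_number(). */` above the call would also explain why "key material" is copied for a key that has no local material. psa_load_persistent_key_into_slot begins and ends outside the hunk.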