For DH, ECC (Weierstrass curves) and DSA, specify that the re-drawing
method is the one defined by NIST as
"key-pair generation by testing candidates", and describe it
unambiguously.
Also specify DES explicitly.
psa_generator_import_key() was only specified for "symmetric keys",
and there were some mistakes in the specification. Rewrite the
specification and extend it to other key types.
* For most private key types, specify that the function draws a byte
string repeatedly until the byte string is suitable.
* For DES, despite being a symmetric key type, re-drawing is
necessary.
* For Montgomery curves, despite being asymmetric, no re-drawing is
necessary.
* Specify the behavior for every standard key type other than RSA.
An implementation doesn't have to support all key types, but if it
does, it's better to have a standard.
New function psa_copy_key().
Conflicts:
* library/psa_crypto.c: trivial conflicts due to consecutive changes.
* tests/suites/test_suite_psa_crypto.data: the same code
was added on both sides, but with a conflict resolution on one side.
* tests/suites/test_suite_psa_crypto_metadata.function: the same code
was added on both sides, but with a conflict resolution on one side.
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.
Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
Test for a subclass of public-key algorithm: those that perform
full-domain hashing, i.e. algorithms that can be broken down as
sign(key, hash(message)).
Remove the type and bits arguments to psa_allocate_key() and
psa_create_key(). They can be useful if the implementation wants to
know exactly how much space to allocate for the slot, but many
implementations (including ours) don't care, and it's possible to work
around their lack by deferring size-dependent actions to the time when
the key material is created. They are a burden to applications and
make the API more complex, and the benefits aren't worth it.
Change the API and adapt the implementation, the units test and the
sample code accordingly.
Change the key derivation API to take inputs in multiple steps,
instead of a single one-site-fits-poorly function.
Conflicts:
* include/psa/crypto.h: merge independent changes in the documentation
of psa_key_agreement (public_key from the work on public key formats
vs general description and other parameters in the work on key derivation).
* tests/suites/test_suite_psa_crypto.data: update the key agreement
tests from the work on key derivation to the format from the work on
public key formats.
* tests/suites/test_suite_psa_crypto_metadata.function: reconcile the
addition of unrelated ALG_IS_xxx macros
Get rid of "key selection" algorithms (of which there was only one:
raw key selection).
Encode key agreement by combining a raw key agreement with a KDF,
rather than passing the KDF as an argument of a key agreement macro.
The normal way is to pass the shared secret to a key derivation.
Having an ad hoc function will allow us to simplify the possible
behaviors of key agreement and get rid of "key selection" algorithms
which are a hard-to-understand invention of this API.
It isn't a good fit. It's overly complex for what the API can do now,
which is Diffie-Hellman. Consider it again later for more complex use
cases such as authenticated key exchanges.
Use separate step types for a KDF secret and for the private key in a
key agreement.
Determine which key type is allowed from the step type, independently
of the KDF.
Forbid raw inputs for certain steps. They definitely should be
forbidden for asymmetric keys, which are structured. Also forbid them
for KDF secrets: the secrets are supposed to be keys, even if they're
unstructured.
Add the ability to specify Diffie-Hellman key exchange keys. Specify the
import/export format as well, even though importing and exporting isn't
implemented yet.
Remove front matter and DSS parameters from our DSA key formats, both
keypair and public key, to make it just a representation of the integer
private key, `x`, or the public key, `y`, respectively.
DSA and static DH need extra domain parameters. Instead of passing these
in with the keys themselves, add get and set functions to set and
retrieve this information about keys.
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.
As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.
Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
Finish changing "start" to "set up".
Correct the way to set an IV for decryption: it's set_iv(), not
update().
When decrypting, the IV is given, not random.
Test for a subclass of public-key algorithm: those that perform
full-domain hashing, i.e. algorithms that can be broken down as
sign(key, hash(message)).
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
Copy the nice and clear documentation from psa_export_key() as to what
implementations are allowed to do regarding key export formats, as the
same applies to public keys.
We've added documentation for how context objects for multi-part
operations must be initialized consistently for key policy, hash,
cipher, and MAC. Update the generator documentation to be consistent
with how we've documented the other operations.
