yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
mbedtls/library/psa_crypto_slot_management.c

309 lines
9.1 KiB
C
Raw Normal View History

Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
/*
* PSA crypto layer on top of Mbed TLS crypto
*/
Add Apache-2.0 headers to all source files Also normalize the first line of the copyright headers. This commit was generated using the following script: # ======================== #!/bin/sh # Find scripts find -path './.git' -prune -o '(' -name '*.c' -o -name '*.cpp' -o -name '*.fmt' -o -name '*.h' ')' -print | xargs sed -i ' # Normalize the first line of the copyright headers (no text on the first line of a block comment) /^\/\*.*Copyright.*Arm/I { i\ /* s/^\// / } /Copyright.*Arm/I { # Print copyright declaration p # Read the two lines immediately following the copyright declaration N N # Insert Apache header if it is missing /SPDX/! i\ * SPDX-License-Identifier: Apache-2.0\ *\ * Licensed under the Apache License, Version 2.0 (the "License"); you may\ * not use this file except in compliance with the License.\ * You may obtain a copy of the License at\ *\ * http://www.apache.org/licenses/LICENSE-2.0\ *\ * Unless required by applicable law or agreed to in writing, software\ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\ * See the License for the specific language governing permissions and\ * limitations under the License. # Clear copyright declaration from buffer D } ' # ======================== Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 11:59:37 +02:00
/*
Update copyright notices to use Linux Foundation guidance As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. Also remove the now-redundant lines declaring that the files are part of MbedTLS. This commit was generated using the following script: # ======================== #!/bin/sh # Find files find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi ' # Replace copyright attribution line s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I # Remove redundant declaration and the preceding line $!N /This file is part of Mbed TLS/Id P D ' # ======================== Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-07 13:07:28 +02:00
* Copyright The Mbed TLS Contributors
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Include common.h instead of config.h in library source files In library source files, include "common.h", which takes care of including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE) and other things that are used throughout the library. FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-03 01:43:33 +02:00
#include "common.h"
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
#if defined(MBEDTLS_PSA_CRYPTO_C)
Add common header for crypto service integration
2019-02-14 09:28:02 +01:00
#include "psa_crypto_service_integration.h"
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
#include "psa/crypto.h"
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
#include "psa_crypto_core.h"
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
#include "psa_crypto_slot_management.h"
#include "psa_crypto_storage.h"
Store the key size in the slot in memory There is now a field for the key size in the key slot in memory. Use it. This makes psa_get_key_attributes() marginally faster at the expense of memory that is available anyway in the current memory layout (16 bits for the size, 16 bits for flags). That's not the goal, though: the goal is to simplify the code, in particular to make it more uniform between transparent keys (whose size can be recomputed) and keys in secure elements (whose size cannot be recomputed). For keys in a secure element, the bit size is now saved by serializing the type psa_key_bits_t (which is an alias for uint16_t) rather than size_t.
2019-07-30 21:32:04 +02:00
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
#include "psa_crypto_se.h"
#endif
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
#include <stdlib.h>
#include <string.h>
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#define mbedtls_calloc calloc
#define mbedtls_free free
#endif
#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
typedef struct
{
psa_key_slot_t key_slots[PSA_KEY_SLOT_COUNT];
unsigned key_slots_initialized : 1;
} psa_global_data_t;
Add missing static on file-scope variable
2018-12-12 14:05:08 +01:00
static psa_global_data_t global_data;
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
/* Access a key slot at the given handle. The handle of a key slot is
* the index of the slot in the global slot array, plus one so that handles
* start at 1 and not 0. */
psa_status_t psa_get_key_slot( psa_key_handle_t handle,
psa_key_slot_t **p_slot )
{
psa_key_slot_t *slot = NULL;
if( ! global_data.key_slots_initialized )
return( PSA_ERROR_BAD_STATE );
/* 0 is not a valid handle under any circumstance. This
* implementation provides slots number 1 to N where N is the
* number of available slots. */
if( handle == 0 || handle > ARRAY_LENGTH( global_data.key_slots ) )
return( PSA_ERROR_INVALID_HANDLE );
slot = &global_data.key_slots[handle - 1];
Remove "allocated" flag from key slots The flag to mark key slots as allocated was introduced to mark slots that are claimed and in use, but do not have key material yet, at a time when creating a key used several API functions: allocate a slot, then progressively set its metadata, and finally create the key material. Now that all of these steps are combined into a single API function call, the notion of allocated-but-not-filled slot is no longer relevant. So remove the corresponding flag. A slot is occupied iff there is a key in it. (For a key in a secure element, the key material is not present, but the slot contains the key metadata.) This key must have a type which is nonzero, so use this as an indicator that a slot is in use.
2019-07-31 15:01:55 +02:00
/* If the slot isn't occupied, the handle is invalid. */
if( ! psa_is_key_slot_occupied( slot ) )
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
return( PSA_ERROR_INVALID_HANDLE );
*p_slot = slot;
return( PSA_SUCCESS );
}
psa_status_t psa_initialize_key_slots( void )
{
/* Nothing to do: program startup and psa_wipe_all_key_slots() both
* guarantee that the key slots are initialized to all-zero, which
* means that all the key slots are in a valid, empty state. */
global_data.key_slots_initialized = 1;
return( PSA_SUCCESS );
}
void psa_wipe_all_key_slots( void )
{
psa_key_handle_t key;
for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ )
{
psa_key_slot_t *slot = &global_data.key_slots[key - 1];
(void) psa_wipe_key_slot( slot );
}
global_data.key_slots_initialized = 0;
}
Rename psa_internal_allocate_key_slot to psa_get_empty_key_slot This function no longer modifies anything, so it doesn't actually allocate the slot. Now, it just returns the empty key slot, and it's up to the caller to cause the slot to be in use (or not).
2019-08-07 18:19:59 +02:00
psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
psa_key_slot_t **p_slot )
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
{
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
if( ! global_data.key_slots_initialized )
return( PSA_ERROR_BAD_STATE );
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
for( *handle = PSA_KEY_SLOT_COUNT; *handle != 0; --( *handle ) )
{
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
*p_slot = &global_data.key_slots[*handle - 1];
Remove "allocated" flag from key slots The flag to mark key slots as allocated was introduced to mark slots that are claimed and in use, but do not have key material yet, at a time when creating a key used several API functions: allocate a slot, then progressively set its metadata, and finally create the key material. Now that all of these steps are combined into a single API function call, the notion of allocated-but-not-filled slot is no longer relevant. So remove the corresponding flag. A slot is occupied iff there is a key in it. (For a key in a secure element, the key material is not present, but the slot contains the key metadata.) This key must have a type which is nonzero, so use this as an indicator that a slot is in use.
2019-07-31 15:01:55 +02:00
if( ! psa_is_key_slot_occupied( *p_slot ) )
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
return( PSA_SUCCESS );
}
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
*p_slot = NULL;
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module.
2018-12-10 16:29:04 +01:00
return( PSA_ERROR_INSUFFICIENT_MEMORY );
}
Move more slot management functions to the proper module Move psa_load_persistent_key_into_slot, psa_internal_make_key_persistent and psa_internal_release_key_slot to the slot management module. Expose psa_import_key_into_slot from the core. After this commit, there are no longer any functions declared in psa_crypto_slot_management.h and defined in psa_crypto.c. There are still function calls in both directions between psa_crypto.c and psa_crypto_slot_management.c.
2018-12-10 16:48:53 +01:00
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
Take advantage of psa_core_key_attributes_t internally: key loading
2019-07-30 20:30:51 +02:00
static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot )
Move more slot management functions to the proper module Move psa_load_persistent_key_into_slot, psa_internal_make_key_persistent and psa_internal_release_key_slot to the slot management module. Expose psa_import_key_into_slot from the core. After this commit, there are no longer any functions declared in psa_crypto_slot_management.h and defined in psa_crypto.c. There are still function calls in both directions between psa_crypto.c and psa_crypto_slot_management.c.
2018-12-10 16:48:53 +01:00
{
psa_status_t status = PSA_SUCCESS;
uint8_t *key_data = NULL;
size_t key_data_length = 0;
Take advantage of psa_core_key_attributes_t internally: key loading
2019-07-30 20:30:51 +02:00
status = psa_load_persistent_key( &slot->attr,
Use a key attribute structure in the internal storage interface Pass information via a key attribute structure rather than as separate parameters to psa_crypto_storage functions. This makes it easier to maintain the code when the metadata of a key evolves. This has negligible impact on code size (+4B with "gcc -Os" on x86_64).
2019-07-23 11:58:03 +02:00
&key_data, &key_data_length );
Move more slot management functions to the proper module Move psa_load_persistent_key_into_slot, psa_internal_make_key_persistent and psa_internal_release_key_slot to the slot management module. Expose psa_import_key_into_slot from the core. After this commit, there are no longer any functions declared in psa_crypto_slot_management.h and defined in psa_crypto.c. There are still function calls in both directions between psa_crypto.c and psa_crypto_slot_management.c.
2018-12-10 16:48:53 +01:00
if( status != PSA_SUCCESS )
goto exit;
SE keys: implement persistent storage For a key in a secure element, persist the key slot. This is implemented in the nominal case. Failures may not be handled properly.
2019-07-23 16:13:14 +02:00
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Take advantage of psa_core_key_attributes_t internally: key loading
2019-07-30 20:30:51 +02:00
if( psa_key_lifetime_is_external( slot->attr.lifetime ) )
SE keys: implement persistent storage For a key in a secure element, persist the key slot. This is implemented in the nominal case. Failures may not be handled properly.
2019-07-23 16:13:14 +02:00
{
Store the key size in the slot in memory There is now a field for the key size in the key slot in memory. Use it. This makes psa_get_key_attributes() marginally faster at the expense of memory that is available anyway in the current memory layout (16 bits for the size, 16 bits for flags). That's not the goal, though: the goal is to simplify the code, in particular to make it more uniform between transparent keys (whose size can be recomputed) and keys in secure elements (whose size cannot be recomputed). For keys in a secure element, the bit size is now saved by serializing the type psa_key_bits_t (which is an alias for uint16_t) rather than size_t.
2019-07-30 21:32:04 +02:00
psa_se_key_data_storage_t *data;
if( key_data_length != sizeof( *data ) )
SE keys: implement persistent storage For a key in a secure element, persist the key slot. This is implemented in the nominal case. Failures may not be handled properly.
2019-07-23 16:13:14 +02:00
{
status = PSA_ERROR_STORAGE_FAILURE;
goto exit;
}
Store the key size in the slot in memory There is now a field for the key size in the key slot in memory. Use it. This makes psa_get_key_attributes() marginally faster at the expense of memory that is available anyway in the current memory layout (16 bits for the size, 16 bits for flags). That's not the goal, though: the goal is to simplify the code, in particular to make it more uniform between transparent keys (whose size can be recomputed) and keys in secure elements (whose size cannot be recomputed). For keys in a secure element, the bit size is now saved by serializing the type psa_key_bits_t (which is an alias for uint16_t) rather than size_t.
2019-07-30 21:32:04 +02:00
data = (psa_se_key_data_storage_t *) key_data;
memcpy( &slot->data.se.slot_number, &data->slot_number,
sizeof( slot->data.se.slot_number ) );
memcpy( &slot->attr.bits, &data->bits,
sizeof( slot->attr.bits ) );
SE keys: implement persistent storage For a key in a secure element, persist the key slot. This is implemented in the nominal case. Failures may not be handled properly.
2019-07-23 16:13:14 +02:00
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
Take advantage of psa_core_key_attributes_t internally: key loading
2019-07-30 20:30:51 +02:00
status = psa_import_key_into_slot( slot, key_data, key_data_length );
SE keys: implement persistent storage For a key in a secure element, persist the key slot. This is implemented in the nominal case. Failures may not be handled properly.
2019-07-23 16:13:14 +02:00
}
Move more slot management functions to the proper module Move psa_load_persistent_key_into_slot, psa_internal_make_key_persistent and psa_internal_release_key_slot to the slot management module. Expose psa_import_key_into_slot from the core. After this commit, there are no longer any functions declared in psa_crypto_slot_management.h and defined in psa_crypto.c. There are still function calls in both directions between psa_crypto.c and psa_crypto_slot_management.c.
2018-12-10 16:48:53 +01:00
exit:
psa_free_persistent_key_data( key_data, key_data_length );
return( status );
}
Move key id validity check into its own function
2019-02-19 13:04:02 +01:00
/** Check whether a key identifier is acceptable.
*
* For backward compatibility, key identifiers that were valid in a
* past released version must remain valid, unless a migration path
* is provided.
*
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
* \param key The key identifier to check.
* \param vendor_ok Nonzero to allow key ids in the vendor range.
* 0 to allow only key ids in the application range.
Move key id validity check into its own function
2019-02-19 13:04:02 +01:00
*
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
* \return 1 if \p key is acceptable, otherwise 0.
Move key id validity check into its own function
2019-02-19 13:04:02 +01:00
*/
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
static int psa_is_key_id_valid( mbedtls_svc_key_id_t key, int vendor_ok )
Move key id validity check into its own function
2019-02-19 13:04:02 +01:00
{
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
Declare key id 0 as invalid In keeping with other integral types, declare 0 to be an invalid key identifier. Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
if( PSA_KEY_ID_USER_MIN <= key_id && key_id <= PSA_KEY_ID_USER_MAX )
return( 1 );
else if( vendor_ok &&
PSA_KEY_ID_VENDOR_MIN <= key_id &&
key_id <= PSA_KEY_ID_VENDOR_MAX )
return( 1 );
else
Move key id validity check into its own function
2019-02-19 13:04:02 +01:00
return( 0 );
}
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
Move more slot management functions to the proper module Move psa_load_persistent_key_into_slot, psa_internal_make_key_persistent and psa_internal_release_key_slot to the slot management module. Expose psa_import_key_into_slot from the core. After this commit, there are no longer any functions declared in psa_crypto_slot_management.h and defined in psa_crypto.c. There are still function calls in both directions between psa_crypto.c and psa_crypto_slot_management.c.
2018-12-10 16:48:53 +01:00
Documentation and new function signature update Inline with review comments. Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-17 14:52:05 +02:00
psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
psa_se_drv_table_entry_t **p_drv )
Reject invalid key ids/lifetimes in attribute-based creation
2019-04-19 18:19:40 +02:00
{
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
if ( psa_key_lifetime_is_external( lifetime ) )
Look up the SE driver when creating a key When creating a key with a lifetime that places it in a secure element, retrieve the appropriate driver table entry. This commit doesn't yet achieve behavior: so far the code only retrieves the driver, it doesn't call the driver.
2019-06-26 18:34:38 +02:00
{
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Minor edit to comply with pointer naming standard Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:54:23 +02:00
psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry( lifetime );
if( driver == NULL )
Look up the SE driver when creating a key When creating a key with a lifetime that places it in a secure element, retrieve the appropriate driver table entry. This commit doesn't yet achieve behavior: so far the code only retrieves the driver, it doesn't call the driver.
2019-06-26 18:34:38 +02:00
return( PSA_ERROR_INVALID_ARGUMENT );
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
else
{
if (p_drv != NULL)
Minor edit to comply with pointer naming standard Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:54:23 +02:00
*p_drv = driver;
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
return( PSA_SUCCESS );
}
#else
(void) p_drv;
return( PSA_ERROR_INVALID_ARGUMENT );
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Look up the SE driver when creating a key When creating a key with a lifetime that places it in a secure element, retrieve the appropriate driver table entry. This commit doesn't yet achieve behavior: so far the code only retrieves the driver, it doesn't call the driver.
2019-06-26 18:34:38 +02:00
}
else
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
/* Local/internal keys are always valid */
return( PSA_SUCCESS );
}
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
Documentation and new function signature update Inline with review comments. Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-17 14:52:05 +02:00
psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
mbedtls_svc_key_id_t key )
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
{
if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
{
/* Volatile keys are always supported */
return( PSA_SUCCESS );
}
else
{
/* Persistent keys require storage support */
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
psa: Use psa_key_file_id_t as the key id type The purpose of this commit and the following is for psa_key_id_t to always be as defined by the PSA Cryptography API specification. Currently psa_key_id_t departs from its specification definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration flag is set. In that configuration, it is set to be equal to psa_key_file_id_t which in that configuration encodes an owner identifier along the key identifier. Type psa_key_file_id_t was meant to be the key identifier type used throughout the library code. If MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it includes both a key and owner identifier, otherwise it is equal to psa_key_id_t. It has not been the key identifier type throughout the library so far because when the PSA Cryptography specification was developped the library Doxygen documentation was used to generate the PSA Cryptography API specification thus the need to use psa_key_id_t and not psa_key_file_id_t. As this constraint does not hold anymore, move to psa_key_file_id_t as the key identifier type throughout the library code. By the way, this commit updates the key identifier initialization in the tests to be compatible with a composit key identifier. A psa_key_id_make() inline function is introduced to initialize key identifiers (composit ot not) at runtime. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-23 12:30:41 +02:00
if( psa_is_key_id_valid( key,
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
psa_key_lifetime_is_external( lifetime ) ) )
return( PSA_SUCCESS );
else
return( PSA_ERROR_INVALID_ARGUMENT );
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
psa: Use psa_key_file_id_t as the key id type The purpose of this commit and the following is for psa_key_id_t to always be as defined by the PSA Cryptography API specification. Currently psa_key_id_t departs from its specification definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration flag is set. In that configuration, it is set to be equal to psa_key_file_id_t which in that configuration encodes an owner identifier along the key identifier. Type psa_key_file_id_t was meant to be the key identifier type used throughout the library code. If MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it includes both a key and owner identifier, otherwise it is equal to psa_key_id_t. It has not been the key identifier type throughout the library so far because when the PSA Cryptography specification was developped the library Doxygen documentation was used to generate the PSA Cryptography API specification thus the need to use psa_key_id_t and not psa_key_file_id_t. As this constraint does not hold anymore, move to psa_key_file_id_t as the key identifier type throughout the library code. By the way, this commit updates the key identifier initialization in the tests to be compatible with a composit key identifier. A psa_key_id_make() inline function is introduced to initialize key identifiers (composit ot not) at runtime. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-23 12:30:41 +02:00
(void) key;
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
return( PSA_ERROR_NOT_SUPPORTED );
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
}
Reject invalid key ids/lifetimes in attribute-based creation
2019-04-19 18:19:40 +02:00
}
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
{
Simplify psa_open_key Simplify psa_open_key now that the old method for key creation (returning a handle to a slot with no key material) no longer exists.
2019-05-27 19:04:07 +02:00
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
psa_status_t status;
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
psa_key_slot_t *slot;
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
*handle = 0;
psa: Use psa_key_file_id_t as the key id type The purpose of this commit and the following is for psa_key_id_t to always be as defined by the PSA Cryptography API specification. Currently psa_key_id_t departs from its specification definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration flag is set. In that configuration, it is set to be equal to psa_key_file_id_t which in that configuration encodes an owner identifier along the key identifier. Type psa_key_file_id_t was meant to be the key identifier type used throughout the library code. If MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it includes both a key and owner identifier, otherwise it is equal to psa_key_id_t. It has not been the key identifier type throughout the library so far because when the PSA Cryptography specification was developped the library Doxygen documentation was used to generate the PSA Cryptography API specification thus the need to use psa_key_id_t and not psa_key_file_id_t. As this constraint does not hold anymore, move to psa_key_file_id_t as the key identifier type throughout the library code. By the way, this commit updates the key identifier initialization in the tests to be compatible with a composit key identifier. A psa_key_id_make() inline function is introduced to initialize key identifiers (composit ot not) at runtime. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-23 12:30:41 +02:00
if( ! psa_is_key_id_valid( key, 1 ) )
Split 'validate persistent key parameters' into independent validation Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:37:19 +02:00
return( PSA_ERROR_INVALID_ARGUMENT );
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
Rename psa_internal_allocate_key_slot to psa_get_empty_key_slot This function no longer modifies anything, so it doesn't actually allocate the slot. Now, it just returns the empty key slot, and it's up to the caller to cause the slot to be in use (or not).
2019-08-07 18:19:59 +02:00
status = psa_get_empty_key_slot( handle, &slot );
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
if( status != PSA_SUCCESS )
return( status );
Use psa_core_key_attributes_t in key slots in memory Change the type of key slots in memory to use psa_core_key_attributes_t rather than separate fields. The goal is to simplify some parts of the code. This commit only does the mechanical replacement, not the substitution. The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED` in the `flags` field. Write accessor functions for flags. Key slots now contain a bit size field which is currently unused. Subsequent commits will make use of it.
2019-07-30 20:06:31 +02:00
slot->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
psa: Use psa_key_file_id_t as the key id type The purpose of this commit and the following is for psa_key_id_t to always be as defined by the PSA Cryptography API specification. Currently psa_key_id_t departs from its specification definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration flag is set. In that configuration, it is set to be equal to psa_key_file_id_t which in that configuration encodes an owner identifier along the key identifier. Type psa_key_file_id_t was meant to be the key identifier type used throughout the library code. If MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it includes both a key and owner identifier, otherwise it is equal to psa_key_id_t. It has not been the key identifier type throughout the library so far because when the PSA Cryptography specification was developped the library Doxygen documentation was used to generate the PSA Cryptography API specification thus the need to use psa_key_id_t and not psa_key_file_id_t. As this constraint does not hold anymore, move to psa_key_file_id_t as the key identifier type throughout the library code. By the way, this commit updates the key identifier initialization in the tests to be compatible with a composit key identifier. A psa_key_id_make() inline function is introduced to initialize key identifiers (composit ot not) at runtime. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-23 12:30:41 +02:00
slot->attr.id = key;
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
status = psa_load_persistent_key_into_slot( slot );
Simplify psa_open_key Simplify psa_open_key now that the old method for key creation (returning a handle to a slot with no key material) no longer exists.
2019-05-27 19:04:07 +02:00
if( status != PSA_SUCCESS )
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
{
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
psa_wipe_key_slot( slot );
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
*handle = 0;
}
return( status );
Simplify psa_open_key Simplify psa_open_key now that the old method for key creation (returning a handle to a slot with no key material) no longer exists.
2019-05-27 19:04:07 +02:00
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
#else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
psa: Use psa_key_file_id_t as the key id type The purpose of this commit and the following is for psa_key_id_t to always be as defined by the PSA Cryptography API specification. Currently psa_key_id_t departs from its specification definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER configuration flag is set. In that configuration, it is set to be equal to psa_key_file_id_t which in that configuration encodes an owner identifier along the key identifier. Type psa_key_file_id_t was meant to be the key identifier type used throughout the library code. If MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it includes both a key and owner identifier, otherwise it is equal to psa_key_id_t. It has not been the key identifier type throughout the library so far because when the PSA Cryptography specification was developped the library Doxygen documentation was used to generate the PSA Cryptography API specification thus the need to use psa_key_id_t and not psa_key_file_id_t. As this constraint does not hold anymore, move to psa_key_file_id_t as the key identifier type throughout the library code. By the way, this commit updates the key identifier initialization in the tests to be compatible with a composit key identifier. A psa_key_id_make() inline function is introduced to initialize key identifiers (composit ot not) at runtime. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-23 12:30:41 +02:00
(void) key;
Simplify psa_open_key Simplify psa_open_key now that the old method for key creation (returning a handle to a slot with no key material) no longer exists.
2019-05-27 19:04:07 +02:00
*handle = 0;
Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled
2019-04-25 13:47:40 +02:00
return( PSA_ERROR_NOT_SUPPORTED );
#endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
}
psa_status_t psa_close_key( psa_key_handle_t handle )
{
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
psa_status_t status;
psa_key_slot_t *slot;
Make psa_close_key(0) and psa_destroy_key(0) succeed
2019-10-08 15:48:25 +02:00
if( handle == 0 )
return( PSA_SUCCESS );
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller.
2019-05-27 19:01:54 +02:00
status = psa_get_key_slot( handle, &slot );
if( status != PSA_SUCCESS )
return( status );
return( psa_wipe_key_slot( slot ) );
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
}
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats )
{
psa_key_handle_t key;
memset( stats, 0, sizeof( *stats ) );
for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ )
{
Remove "allocated" flag from key slots The flag to mark key slots as allocated was introduced to mark slots that are claimed and in use, but do not have key material yet, at a time when creating a key used several API functions: allocate a slot, then progressively set its metadata, and finally create the key material. Now that all of these steps are combined into a single API function call, the notion of allocated-but-not-filled slot is no longer relevant. So remove the corresponding flag. A slot is occupied iff there is a key in it. (For a key in a secure element, the key material is not present, but the slot contains the key metadata.) This key must have a type which is nonzero, so use this as an indicator that a slot is in use.
2019-07-31 15:01:55 +02:00
const psa_key_slot_t *slot = &global_data.key_slots[key - 1];
if( ! psa_is_key_slot_occupied( slot ) )
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
{
Remove "allocated" flag from key slots The flag to mark key slots as allocated was introduced to mark slots that are claimed and in use, but do not have key material yet, at a time when creating a key used several API functions: allocate a slot, then progressively set its metadata, and finally create the key material. Now that all of these steps are combined into a single API function call, the notion of allocated-but-not-filled slot is no longer relevant. So remove the corresponding flag. A slot is occupied iff there is a key in it. (For a key in a secure element, the key material is not present, but the slot contains the key metadata.) This key must have a type which is nonzero, so use this as an indicator that a slot is in use.
2019-07-31 15:01:55 +02:00
++stats->empty_slots;
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
continue;
}
Use psa_core_key_attributes_t in key slots in memory Change the type of key slots in memory to use psa_core_key_attributes_t rather than separate fields. The goal is to simplify some parts of the code. This commit only does the mechanical replacement, not the substitution. The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED` in the `flags` field. Write accessor functions for flags. Key slots now contain a bit size field which is currently unused. Subsequent commits will make use of it.
2019-07-30 20:06:31 +02:00
if( slot->attr.lifetime == PSA_KEY_LIFETIME_VOLATILE )
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
++stats->volatile_slots;
Use psa_core_key_attributes_t in key slots in memory Change the type of key slots in memory to use psa_core_key_attributes_t rather than separate fields. The goal is to simplify some parts of the code. This commit only does the mechanical replacement, not the substitution. The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED` in the `flags` field. Write accessor functions for flags. Key slots now contain a bit size field which is currently unused. Subsequent commits will make use of it.
2019-07-30 20:06:31 +02:00
else if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
{
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id );
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
++stats->persistent_slots;
psa: Use application key ID where necessary Avoid compiler errors when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set by using the application ID type. [Error] psa_crypto_slot_management.c@175,9: used type 'psa_key_id_t' (aka 'psa_key_file_id_t') where arithmetic or pointer type is required
2019-08-20 18:43:48 +02:00
if( id > stats->max_open_internal_key_id )
stats->max_open_internal_key_id = id;
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
}
else
{
psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t With PSA crypto v1.0.0, a volatile key identifier may contain a owner identifier but no file is associated to it. Thus rename the type psa_key_file_id_t to mbedtls_svc_key_id_t to avoid a direct link with a file when a key identifier involves an owner identifier. The new type name is prefixed by mbedtls to highlight that the type is specific to Mbed TLS implementation and not defined in the PSA Cryptography API specification. The svc in the type name stands for service as this is the key identifier type from the point of view of the service providing the Cryptography services. The service can be completely provided by the present library or partially in case of a multi-client service. As a consequence rename as well: . MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER . PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT . PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID . psa_key_file_id_make to mbedtls_svc_key_id_make Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-08-28 19:01:50 +02:00
psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id );
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
++stats->external_slots;
psa: Use application key ID where necessary Avoid compiler errors when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set by using the application ID type. [Error] psa_crypto_slot_management.c@175,9: used type 'psa_key_id_t' (aka 'psa_key_file_id_t') where arithmetic or pointer type is required
2019-08-20 18:43:48 +02:00
if( id > stats->max_open_external_key_id )
stats->max_open_external_key_id = id;
New function to get key slot statistics New function mbedtls_psa_get_stats to obtain some data about how many key slots are in use. This is intended for debugging and testing purposes.
2019-05-23 20:32:30 +02:00
}
}
}
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only.
2018-11-30 18:54:54 +01:00
#endif /* MBEDTLS_PSA_CRYPTO_C */
Reference in a new issue Copy permalink