From 225010fdf77debcdcd8697c330d62038dac20a4e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 6 May 2019 18:44:55 +0200 Subject: [PATCH] Remove lifetime parameter from psa_open_key Change the scope of key identifiers to be global, rather than per lifetime. As a result, you now need to specify the lifetime of a key only when creating it. --- include/psa/crypto.h | 14 ++++---------- include/psa/crypto_types.h | 13 +++++++++++++ library/psa_crypto_slot_management.c | 7 +++---- tests/suites/test_suite_psa_crypto.function | 5 ++--- ...test_suite_psa_crypto_persistent_key.function | 12 ++++-------- .../test_suite_psa_crypto_slot_management.data | 14 ++++---------- ...est_suite_psa_crypto_slot_management.function | 16 +++++++--------- 7 files changed, 37 insertions(+), 44 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 2e680b101..424c16e31 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -512,9 +512,6 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes); * * Open a handle to a key which was previously created with psa_create_key(). * - * \param lifetime The lifetime of the key. This designates a storage - * area where the key material is stored. This must not - * be #PSA_KEY_LIFETIME_VOLATILE. * \param id The persistent identifier of the key. * \param[out] handle On success, a handle to a key slot which contains * the data and metadata loaded from the specified @@ -526,19 +523,16 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes); * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_DOES_NOT_EXIST * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p lifetime is invalid, for example #PSA_KEY_LIFETIME_VOLATILE. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p id is invalid for the specified lifetime. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \p lifetime is not supported. + * \p id is invalid. * \retval #PSA_ERROR_NOT_PERMITTED * The specified key exists, but the application does not have the * permission to access it. Note that this specification does not * define any way to create such a key, but it may be possible * through implementation-specific means. + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_STORAGE_FAILURE */ -psa_status_t psa_open_key(psa_key_lifetime_t lifetime, - psa_key_id_t id, +psa_status_t psa_open_key(psa_key_id_t id, psa_key_handle_t *handle); /** Close a key handle. diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 7054de72e..da6e6b9c5 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -85,6 +85,19 @@ typedef uint32_t psa_algorithm_t; */ /** Encoding of key lifetimes. + * + * The lifetime of a key indicates where it is stored and what system actions + * may create and destroy it. + * + * Keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE are automatically + * destroyed when the application terminates or on a power reset. + * + * Keys with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE are said + * to be _persistent_. + * Persistent keys are preserved if the application or the system restarts. + * Persistent keys have a key identifier of type #psa_key_id_t. + * The application can call psa_open_key() to open a persistent key that + * it created previously. */ typedef uint32_t psa_key_lifetime_t; diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 8ee561512..30cc05bd3 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -278,11 +278,10 @@ static psa_status_t persistent_key_setup( psa_key_lifetime_t lifetime, #endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ } -psa_status_t psa_open_key( psa_key_lifetime_t lifetime, - psa_key_file_id_t id, - psa_key_handle_t *handle ) +psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle ) { - return( persistent_key_setup( lifetime, id, handle, PSA_SUCCESS ) ); + return( persistent_key_setup( PSA_KEY_LIFETIME_PERSISTENT, + id, handle, PSA_SUCCESS ) ); } psa_status_t psa_create_key( psa_key_lifetime_t lifetime, diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 67c2c77f9..85ac4ebba 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4911,8 +4911,7 @@ void persistent_key_load_key_from_storage( data_t *data, PSA_ASSERT( psa_crypto_init() ); /* Check key slot still contains key data */ - PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, - &handle ) ); + PSA_ASSERT( psa_open_key( key_id, &handle ) ); PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); TEST_EQUAL( psa_get_key_id( &attributes ), key_id ); TEST_EQUAL( psa_get_key_lifetime( &attributes ), @@ -4947,7 +4946,7 @@ exit: /* In case there was a test failure after creating the persistent key * but while it was not open, try to re-open the persistent key * to delete it. */ - psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, &handle ); + psa_open_key( key_id, &handle ); } psa_destroy_key( handle ); mbedtls_psa_crypto_free(); diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function index a2f4f779b..827a7d8e4 100644 --- a/tests/suites/test_suite_psa_crypto_persistent_key.function +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -134,8 +134,7 @@ void persistent_key_destroy( int key_id_arg, int restart, psa_close_key( handle ); mbedtls_psa_crypto_free(); PSA_ASSERT( psa_crypto_init() ); - PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, - &handle ) ); + PSA_ASSERT( psa_open_key( key_id, &handle ) ); } TEST_EQUAL( psa_is_key_present_in_storage( key_id ), 1 ); @@ -144,8 +143,7 @@ void persistent_key_destroy( int key_id_arg, int restart, /* Check key slot storage is removed */ TEST_EQUAL( psa_is_key_present_in_storage( key_id ), 0 ); - TEST_EQUAL( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, &handle ), - PSA_ERROR_DOES_NOT_EXIST ); + TEST_EQUAL( psa_open_key( key_id, &handle ), PSA_ERROR_DOES_NOT_EXIST ); TEST_EQUAL( handle, 0 ); /* Shutdown and restart */ @@ -191,8 +189,7 @@ void persistent_key_import( int key_id_arg, int type_arg, data_t *data, psa_close_key( handle ); mbedtls_psa_crypto_free(); PSA_ASSERT( psa_crypto_init() ); - PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, - &handle ) ); + PSA_ASSERT( psa_open_key( key_id, &handle ) ); } psa_reset_key_attributes( &attributes ); @@ -242,8 +239,7 @@ void import_export_persistent_key( data_t *data, int type_arg, psa_close_key( handle ); mbedtls_psa_crypto_free(); PSA_ASSERT( psa_crypto_init() ); - PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, - &handle ) ); + PSA_ASSERT( psa_open_key( key_id, &handle ) ); } /* Test the key information */ diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data index 5dc2b6787..c5afdfa95 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.data +++ b/tests/suites/test_suite_psa_crypto_slot_management.data @@ -27,21 +27,15 @@ create_existent:PSA_KEY_LIFETIME_PERSISTENT:1:KEEP_OPEN Open failure: invalid identifier (0) depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C -open_fail:PSA_KEY_LIFETIME_PERSISTENT:0:PSA_ERROR_INVALID_ARGUMENT +open_fail:0:PSA_ERROR_INVALID_ARGUMENT Open failure: invalid identifier (random seed UID) depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C -open_fail:PSA_KEY_LIFETIME_PERSISTENT:PSA_CRYPTO_ITS_RANDOM_SEED_UID:PSA_ERROR_INVALID_ARGUMENT +open_fail:PSA_CRYPTO_ITS_RANDOM_SEED_UID:PSA_ERROR_INVALID_ARGUMENT Open failure: non-existent identifier depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C -open_fail:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_ERROR_DOES_NOT_EXIST - -Open failure: volatile lifetime -open_fail:PSA_KEY_LIFETIME_VOLATILE:1:PSA_ERROR_INVALID_ARGUMENT - -Open failure: invalid lifetime -open_fail:0x7fffffff:0:PSA_ERROR_INVALID_ARGUMENT +open_fail:1:PSA_ERROR_DOES_NOT_EXIST Create failure: invalid lifetime create_fail:0x7fffffff:0:PSA_ERROR_INVALID_ARGUMENT @@ -56,7 +50,7 @@ create_fail:PSA_KEY_LIFETIME_PERSISTENT:PSA_CRYPTO_ITS_RANDOM_SEED_UID:PSA_ERROR Open not supported depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C -open_fail:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_ERROR_NOT_SUPPORTED +open_fail:1:PSA_ERROR_NOT_SUPPORTED Create not supported depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function index 267353e5b..d06d3d749 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.function +++ b/tests/suites/test_suite_psa_crypto_slot_management.function @@ -155,7 +155,7 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, /* Close the key and reopen it. */ PSA_ASSERT( psa_close_key( handle ) ); - PSA_ASSERT( psa_open_key( lifetime, id, &handle ) ); + PSA_ASSERT( psa_open_key( id, &handle ) ); PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) ); TEST_EQUAL( read_type, type ); @@ -184,12 +184,12 @@ void persistent_slot_lifecycle( int lifetime_arg, int id_arg, { case CLOSE_BY_CLOSE: case CLOSE_BY_SHUTDOWN: - PSA_ASSERT( psa_open_key( lifetime, id, &handle ) ); + PSA_ASSERT( psa_open_key( id, &handle ) ); PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) ); TEST_EQUAL( read_type, type ); break; case CLOSE_BY_DESTROY: - TEST_EQUAL( psa_open_key( lifetime, id, &handle ), + TEST_EQUAL( psa_open_key( id, &handle ), PSA_ERROR_DOES_NOT_EXIST ); break; } @@ -241,7 +241,7 @@ void create_existent( int lifetime_arg, int id_arg, if( reopen_policy == CLOSE_AFTER ) PSA_ASSERT( psa_close_key( handle1 ) ); if( reopen_policy == CLOSE_BEFORE || reopen_policy == CLOSE_AFTER ) - PSA_ASSERT( psa_open_key( lifetime, id, &handle1 ) ); + PSA_ASSERT( psa_open_key( id, &handle1 ) ); /* Check that the original key hasn't changed. */ psa_reset_key_attributes( &attributes ); @@ -266,17 +266,16 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void open_fail( int lifetime_arg, int id_arg, +void open_fail( int id_arg, int expected_status_arg ) { - psa_key_lifetime_t lifetime = lifetime_arg; psa_key_id_t id = id_arg; psa_status_t expected_status = expected_status_arg; psa_key_handle_t handle = 0xdead; PSA_ASSERT( psa_crypto_init( ) ); - TEST_EQUAL( psa_open_key( lifetime, id, &handle ), expected_status ); + TEST_EQUAL( psa_open_key( id, &handle ), expected_status ); TEST_EQUAL( handle, 0 ); exit: @@ -376,8 +375,7 @@ void copy_across_lifetimes( int source_lifetime_arg, int source_id_arg, { mbedtls_psa_crypto_free( ); PSA_ASSERT( psa_crypto_init( ) ); - PSA_ASSERT( psa_open_key( target_lifetime, target_id, - &target_handle ) ); + PSA_ASSERT( psa_open_key( target_id, &target_handle ) ); } /* Test that the target slot has the expected content. */