diff --git a/CMakeLists.txt b/CMakeLists.txt index 99bf31f1f..11efd87e4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -168,6 +168,7 @@ else() endif() include_directories(include/) +include_directories(library/) if(ENABLE_ZLIB_SUPPORT) find_package(ZLIB) diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 870e335d1..27e9ef1d6 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h @@ -1522,6 +1522,31 @@ */ #define MBEDTLS_PSA_CRYPTO_C +/** + * \def MBEDTLS_PSA_CRYPTO_STORAGE_C + * + * Enable the Platform Security Architecture persistent key storage. + * + * Module: library/psa_crypto_storage.c + * + * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + * + */ +#define MBEDTLS_PSA_CRYPTO_STORAGE_C + +/** + * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + * + * Enable persistent key storage over files for the + * Platform Security Architecture cryptography API. + * + * Module: library/psa_crypto_storage_file.c + * + * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO + * + */ +#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + /** * \def MBEDTLS_RIPEMD160_C * diff --git a/crypto/library/Makefile b/crypto/library/Makefile index 9151662a7..5b963c5ea 100644 --- a/crypto/library/Makefile +++ b/crypto/library/Makefile @@ -45,6 +45,8 @@ OBJS_CRYPTO := \ platform.o \ platform_util.o \ psa_crypto.o \ + psa_crypto_storage.o \ + psa_crypto_storage_file.o \ ripemd160.o \ rsa_internal.o \ rsa.o \ diff --git a/crypto/tests/Makefile b/crypto/tests/Makefile index f76c1c0f8..cc4355bed 100644 --- a/crypto/tests/Makefile +++ b/crypto/tests/Makefile @@ -1,4 +1,4 @@ -CFLAGS ?= -O2 -I../include +CFLAGS ?= -O2 -I../include -I../library WARNING_CFLAGS ?= \ -Werror -Wall -Wextra \ -Wno-unused-function \ @@ -16,11 +16,15 @@ PYTHON ?= python APPS := \ test_suite_psa_crypto \ test_suite_psa_crypto_metadata \ + test_suite_psa_crypto_persistent_key \ + test_suite_psa_crypto_storage_file \ # Don't delete this line. # Look up for associated function files func.test_suite_psa_crypto := test_suite_psa_crypto func.test_suite_psa_crypto_metadata := test_suite_psa_crypto_metadata +func.test_suite_psa_crypto_persistent_key := test_suite_psa_crypto_persistent_key +func.test_suite_psa_crypto_storage_file := test_suite_psa_crypto_storage_file .SILENT: @@ -56,6 +60,8 @@ clean: test: $(APPS) ./test_suite_psa_crypto_metadata ./test_suite_psa_crypto + ./test_suite_psa_crypto_persistent_key + ./test_suite_psa_crypto_storage_file # Create separate targets for generating embedded tests. EMBEDDED_TESTS := $(addprefix embedded_,$(APPS)) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 6eec2ada9..f78e61bf1 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -506,6 +506,18 @@ #error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites" #endif +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \ + !( defined(MBEDTLS_PSA_CRYPTO_C) && \ + defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) ) +#error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) && \ + !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \ + defined(MBEDTLS_FS_IO) ) +#error "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ !defined(MBEDTLS_OID_C) ) #error "MBEDTLS_RSA_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index cd256c31c..2190ac519 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2616,6 +2616,31 @@ */ #define MBEDTLS_PSA_CRYPTO_C +/** + * \def MBEDTLS_PSA_CRYPTO_STORAGE_C + * + * Enable the Platform Security Architecture persistent key storage. + * + * Module: library/psa_crypto_storage.c + * + * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + * + */ +#define MBEDTLS_PSA_CRYPTO_STORAGE_C + +/** + * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + * + * Enable persistent key storage over files for the + * Platform Security Architecture cryptography API. + * + * Module: library/psa_crypto_storage_file.c + * + * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO + * + */ +#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + /** * \def MBEDTLS_RIPEMD160_C * diff --git a/include/psa/crypto.h b/include/psa/crypto.h index d1a3f0f3b..1ca64922e 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -1441,6 +1441,7 @@ typedef uint32_t psa_algorithm_t; * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_INSUFFICIENT_STORAGE * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_TAMPERING_DETECTED * \retval #PSA_ERROR_BAD_STATE @@ -1922,6 +1923,16 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * whether the lifetime of an occupied key slot can be changed, is * implementation-dependent. * + * When creating a persistent key, you must call this function before creating + * the key material with psa_import_key(), psa_generate_key() or + * psa_generator_import_key(). To open an existing persistent key, you must + * call this function with the correct lifetime value before using the slot + * for a cryptographic operation. Once a slot's lifetime has been set, + * the lifetime remains associated with the slot until a subsequent call to + * psa_set_key_lifetime(), until the key is wiped with psa_destroy_key or + * until the application terminates (or disconnects from the cryptography + * service, if the implementation offers such a possibility). + * * \param key Slot whose lifetime is to be changed. * \param lifetime The lifetime value to set for the given key slot. * diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 0c2ac888b..04e404c29 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -54,6 +54,8 @@ set(src_crypto platform_util.c poly1305.c psa_crypto.c + psa_crypto_storage.c + psa_crypto_storage_file.c ripemd160.c rsa.c rsa_internal.c diff --git a/library/Makefile b/library/Makefile index cf6750d05..83afa661e 100644 --- a/library/Makefile +++ b/library/Makefile @@ -82,6 +82,8 @@ OBJS_CRYPTO= aes.o aesni.o arc4.o \ pkcs5.o pkparse.o pkwrite.o \ platform.o platform_util.o poly1305.o \ psa_crypto.o \ + psa_crypto_storage.o \ + psa_crypto_storage_file.o \ ripemd160.o rsa_internal.o rsa.o \ sha1.o sha256.o sha512.o \ threading.o timing.o version.o \ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 010c338c0..58cb73830 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -43,6 +43,10 @@ #include "psa/crypto.h" +/* Include internal declarations that are useful for implementing persistently + * stored keys. */ +#include "psa_crypto_storage.h" + #include #include #if defined(MBEDTLS_PLATFORM_C) @@ -361,76 +365,6 @@ static psa_status_t mbedtls_to_psa_error( int ret ) } } -/* Retrieve a key slot, occupied or not. */ -static psa_status_t psa_get_key_slot( psa_key_slot_t key, - key_slot_t **p_slot ) -{ - GUARD_MODULE_INITIALIZED; - - /* 0 is not a valid slot number under any circumstance. This - * implementation provides slots number 1 to N where N is the - * number of available slots. */ - if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); - - *p_slot = &global_data.key_slots[key - 1]; - return( PSA_SUCCESS ); -} - -/* Retrieve an empty key slot (slot with no key data, but possibly - * with some metadata such as a policy). */ -static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key, - key_slot_t **p_slot ) -{ - psa_status_t status; - key_slot_t *slot = NULL; - - *p_slot = NULL; - - status = psa_get_key_slot( key, &slot ); - if( status != PSA_SUCCESS ) - return( status ); - - if( slot->type != PSA_KEY_TYPE_NONE ) - return( PSA_ERROR_OCCUPIED_SLOT ); - - *p_slot = slot; - return( status ); -} - -/** Retrieve a slot which must contain a key. The key must have allow all the - * usage flags set in \p usage. If \p alg is nonzero, the key must allow - * operations with this algorithm. */ -static psa_status_t psa_get_key_from_slot( psa_key_slot_t key, - key_slot_t **p_slot, - psa_key_usage_t usage, - psa_algorithm_t alg ) -{ - psa_status_t status; - key_slot_t *slot = NULL; - - *p_slot = NULL; - - status = psa_get_key_slot( key, &slot ); - if( status != PSA_SUCCESS ) - return( status ); - if( slot->type == PSA_KEY_TYPE_NONE ) - return( PSA_ERROR_EMPTY_SLOT ); - - /* Enforce that usage policy for the key slot contains all the flags - * required by the usage parameter. There is one exception: public - * keys can always be exported, so we treat public key objects as - * if they had the export flag. */ - if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) ) - usage &= ~PSA_KEY_USAGE_EXPORT; - if( ( slot->policy.usage & usage ) != usage ) - return( PSA_ERROR_NOT_PERMITTED ); - if( alg != 0 && ( alg != slot->policy.alg ) ) - return( PSA_ERROR_NOT_PERMITTED ); - - *p_slot = slot; - return( PSA_SUCCESS ); -} @@ -691,23 +625,18 @@ exit: } #endif /* defined(MBEDTLS_ECP_C) */ -psa_status_t psa_import_key( psa_key_slot_t key, - psa_key_type_t type, - const uint8_t *data, - size_t data_length ) +static psa_status_t psa_import_key_into_slot( key_slot_t *slot, + const uint8_t *data, + size_t data_length ) { - key_slot_t *slot; psa_status_t status = PSA_SUCCESS; - status = psa_get_empty_key_slot( key, &slot ); - if( status != PSA_SUCCESS ) - return( status ); - if( key_type_is_raw_bytes( type ) ) + if( key_type_is_raw_bytes( slot->type ) ) { /* Ensure that a bytes-to-bit conversion won't overflow. */ if( data_length > SIZE_MAX / 8 ) return( PSA_ERROR_NOT_SUPPORTED ); - status = prepare_raw_data_slot( type, + status = prepare_raw_data_slot( slot->type, PSA_BYTES_TO_BITS( data_length ), &slot->data.raw ); if( status != PSA_SUCCESS ) @@ -717,9 +646,9 @@ psa_status_t psa_import_key( psa_key_slot_t key, } else #if defined(MBEDTLS_ECP_C) - if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( type ) ) + if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( slot->type ) ) { - status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( type ), + status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( slot->type ), data, data_length, &slot->data.ecp ); if( status != PSA_SUCCESS ) @@ -728,14 +657,15 @@ psa_status_t psa_import_key( psa_key_slot_t key, else #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_PK_PARSE_C) - if( PSA_KEY_TYPE_IS_RSA( type ) || PSA_KEY_TYPE_IS_ECC( type ) ) + if( PSA_KEY_TYPE_IS_RSA( slot->type ) || + PSA_KEY_TYPE_IS_ECC( slot->type ) ) { int ret; mbedtls_pk_context pk; mbedtls_pk_init( &pk ); /* Parse the data. */ - if( PSA_KEY_TYPE_IS_KEYPAIR( type ) ) + if( PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) ) ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 ); else ret = mbedtls_pk_parse_public_key( &pk, data, data_length ); @@ -746,13 +676,13 @@ psa_status_t psa_import_key( psa_key_slot_t key, * If it has the expected type and passes any type-specific * checks, store it. */ #if defined(MBEDTLS_RSA_C) - if( PSA_KEY_TYPE_IS_RSA( type ) ) + if( PSA_KEY_TYPE_IS_RSA( slot->type ) ) status = psa_import_rsa_key( &pk, &slot->data.rsa ); else #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_ECP_C) - if( PSA_KEY_TYPE_IS_ECC( type ) ) - status = psa_import_ecp_key( PSA_KEY_TYPE_GET_CURVE( type ), + if( PSA_KEY_TYPE_IS_ECC( slot->type ) ) + status = psa_import_ecp_key( PSA_KEY_TYPE_GET_CURVE( slot->type ), &pk, &slot->data.ecp ); else #endif /* MBEDTLS_ECP_C */ @@ -773,24 +703,123 @@ psa_status_t psa_import_key( psa_key_slot_t key, { return( PSA_ERROR_NOT_SUPPORTED ); } - - slot->type = type; return( PSA_SUCCESS ); } -psa_status_t psa_destroy_key( psa_key_slot_t key ) +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) +static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t key, + key_slot_t *p_slot ) +{ + psa_status_t status = PSA_SUCCESS; + uint8_t *key_data = NULL; + size_t key_data_length = 0; + + status = psa_load_persistent_key( key, &( p_slot )->type, + &( p_slot )->policy, &key_data, + &key_data_length ); + if( status != PSA_SUCCESS ) + goto exit; + status = psa_import_key_into_slot( p_slot, + key_data, key_data_length ); +exit: + psa_free_persistent_key_data( key_data, key_data_length ); + return( status ); +} +#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ + +/* Retrieve a key slot, occupied or not. */ +static psa_status_t psa_get_key_slot( psa_key_slot_t key, + key_slot_t **p_slot ) +{ + GUARD_MODULE_INITIALIZED; + + /* 0 is not a valid slot number under any circumstance. This + * implementation provides slots number 1 to N where N is the + * number of available slots. */ + if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + *p_slot = &global_data.key_slots[key - 1]; + +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + if( ( *p_slot )->lifetime == PSA_KEY_LIFETIME_PERSISTENT ) + { + /* There are two circumstances this can occur: the key material has + * not yet been created, or the key exists in storage but has not yet + * been loaded into memory. */ + if( ( *p_slot )->type == PSA_KEY_TYPE_NONE ) + { + psa_status_t status = PSA_SUCCESS; + status = psa_load_persistent_key_into_slot( key, *p_slot ); + if( status != PSA_ERROR_EMPTY_SLOT ) + return( status ); + } + } +#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ + + return( PSA_SUCCESS ); +} + +/* Retrieve an empty key slot (slot with no key data, but possibly + * with some metadata such as a policy). */ +static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key, + key_slot_t **p_slot ) { - key_slot_t *slot; psa_status_t status; + key_slot_t *slot = NULL; + + *p_slot = NULL; status = psa_get_key_slot( key, &slot ); if( status != PSA_SUCCESS ) return( status ); + if( slot->type != PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_OCCUPIED_SLOT ); + + *p_slot = slot; + return( status ); +} + +/** Retrieve a slot which must contain a key. The key must have allow all the + * usage flags set in \p usage. If \p alg is nonzero, the key must allow + * operations with this algorithm. */ +static psa_status_t psa_get_key_from_slot( psa_key_slot_t key, + key_slot_t **p_slot, + psa_key_usage_t usage, + psa_algorithm_t alg ) +{ + psa_status_t status; + key_slot_t *slot = NULL; + + *p_slot = NULL; + + status = psa_get_key_slot( key, &slot ); + if( status != PSA_SUCCESS ) + return( status ); + if( slot->type == PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_EMPTY_SLOT ); + + /* Enforce that usage policy for the key slot contains all the flags + * required by the usage parameter. There is one exception: public + * keys can always be exported, so we treat public key objects as + * if they had the export flag. */ + if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) ) + usage &= ~PSA_KEY_USAGE_EXPORT; + if( ( slot->policy.usage & usage ) != usage ) + return( PSA_ERROR_NOT_PERMITTED ); + if( alg != 0 && ( alg != slot->policy.alg ) ) + return( PSA_ERROR_NOT_PERMITTED ); + + *p_slot = slot; + return( PSA_SUCCESS ); +} + +static psa_status_t psa_remove_key_data_from_memory( key_slot_t *slot ) +{ if( slot->type == PSA_KEY_TYPE_NONE ) { - /* No key material to clean, but do zeroize the slot below to wipe - * metadata such as policies. */ + /* No key material to clean. */ } else if( key_type_is_raw_bytes( slot->type ) ) { @@ -819,10 +848,70 @@ psa_status_t psa_destroy_key( psa_key_slot_t key ) return( PSA_ERROR_TAMPERING_DETECTED ); } - mbedtls_zeroize( slot, sizeof( *slot ) ); return( PSA_SUCCESS ); } +psa_status_t psa_import_key( psa_key_slot_t key, + psa_key_type_t type, + const uint8_t *data, + size_t data_length ) +{ + key_slot_t *slot; + psa_status_t status; + + status = psa_get_empty_key_slot( key, &slot ); + if( status != PSA_SUCCESS ) + return( status ); + + slot->type = type; + + status = psa_import_key_into_slot( slot, data, data_length ); + if( status != PSA_SUCCESS ) + { + slot->type = PSA_KEY_TYPE_NONE; + return( status ); + } + +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT ) + { + /* Store in file location */ + status = psa_save_persistent_key( key, slot->type, &slot->policy, data, + data_length ); + if( status != PSA_SUCCESS ) + { + (void) psa_remove_key_data_from_memory( slot ); + slot->type = PSA_KEY_TYPE_NONE; + } + } +#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ + + return( status ); +} + +psa_status_t psa_destroy_key( psa_key_slot_t key ) +{ + key_slot_t *slot; + psa_status_t status = PSA_SUCCESS; + psa_status_t storage_status = PSA_SUCCESS; + + status = psa_get_key_slot( key, &slot ); + if( status != PSA_SUCCESS ) + return( status ); +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT ) + { + storage_status = psa_destroy_persistent_key( key ); + } +#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ + status = psa_remove_key_data_from_memory( slot ); + /* Zeroize the slot to wipe metadata such as policies. */ + mbedtls_zeroize( slot, sizeof( *slot ) ); + if( status != PSA_SUCCESS ) + return( status ); + return( storage_status ); +} + /* Return the size of the key in the given slot, in bits. */ static size_t psa_get_key_bits( const key_slot_t *slot ) { @@ -864,30 +953,14 @@ psa_status_t psa_get_key_information( psa_key_slot_t key, return( PSA_SUCCESS ); } -static psa_status_t psa_internal_export_key( psa_key_slot_t key, +static psa_status_t psa_internal_export_key( key_slot_t *slot, uint8_t *data, size_t data_size, size_t *data_length, int export_public_key ) { - key_slot_t *slot; - psa_status_t status; - /* Exporting a public key doesn't require a usage flag. If we're - * called by psa_export_public_key(), don't require the EXPORT flag. - * If we're called by psa_export_key(), do require the EXPORT flag; - * if the key turns out to be public key object, psa_get_key_from_slot() - * will ignore this flag. */ - psa_key_usage_t usage = export_public_key ? 0 : PSA_KEY_USAGE_EXPORT; - - /* Set the key to empty now, so that even when there are errors, we always - * set data_length to a value between 0 and data_size. On error, setting - * the key to empty is a good choice because an empty key representation is - * unlikely to be accepted anywhere. */ *data_length = 0; - status = psa_get_key_from_slot( key, &slot, usage, 0 ); - if( status != PSA_SUCCESS ) - return( status ); if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -907,6 +980,8 @@ static psa_status_t psa_internal_export_key( psa_key_slot_t key, #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( slot->type ) && !export_public_key ) { + psa_status_t status; + size_t bytes = PSA_BITS_TO_BYTES( psa_get_key_bits( slot ) ); if( bytes > data_size ) return( PSA_ERROR_BUFFER_TOO_SMALL ); @@ -991,7 +1066,22 @@ psa_status_t psa_export_key( psa_key_slot_t key, size_t data_size, size_t *data_length ) { - return( psa_internal_export_key( key, data, data_size, + key_slot_t *slot; + psa_status_t status; + + /* Set the key to empty now, so that even when there are errors, we always + * set data_length to a value between 0 and data_size. On error, setting + * the key to empty is a good choice because an empty key representation is + * unlikely to be accepted anywhere. */ + *data_length = 0; + + /* Export requires the EXPORT flag. There is an exception for public keys, + * which don't require any flag, but psa_get_key_from_slot takes + * care of this. */ + status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_EXPORT, 0 ); + if( status != PSA_SUCCESS ) + return( status ); + return( psa_internal_export_key( slot, data, data_size, data_length, 0 ) ); } @@ -1000,10 +1090,54 @@ psa_status_t psa_export_public_key( psa_key_slot_t key, size_t data_size, size_t *data_length ) { - return( psa_internal_export_key( key, data, data_size, + key_slot_t *slot; + psa_status_t status; + + /* Set the key to empty now, so that even when there are errors, we always + * set data_length to a value between 0 and data_size. On error, setting + * the key to empty is a good choice because an empty key representation is + * unlikely to be accepted anywhere. */ + *data_length = 0; + + /* Exporting a public key doesn't require a usage flag. */ + status = psa_get_key_from_slot( key, &slot, 0, 0 ); + if( status != PSA_SUCCESS ) + return( status ); + return( psa_internal_export_key( slot, data, data_size, data_length, 1 ) ); } +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) +static psa_status_t psa_save_generated_persistent_key( psa_key_slot_t key, + key_slot_t *slot, + size_t bits ) +{ + psa_status_t status; + uint8_t *data; + size_t key_length; + size_t data_size = PSA_KEY_EXPORT_MAX_SIZE( slot->type, bits ); + data = mbedtls_calloc( 1, data_size ); + /* Get key data in export format */ + status = psa_internal_export_key( slot, data, data_size, &key_length, 0 ); + if( status != PSA_SUCCESS ) + { + slot->type = PSA_KEY_TYPE_NONE; + goto exit; + } + /* Store in file location */ + status = psa_save_persistent_key( key, slot->type, &slot->policy, + data, key_length ); + if( status != PSA_SUCCESS ) + { + slot->type = PSA_KEY_TYPE_NONE; + } +exit: + mbedtls_zeroize( data, key_length ); + mbedtls_free( data ); + return( status ); +} +#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ + /****************************************************************/ @@ -2953,16 +3087,21 @@ psa_status_t psa_set_key_lifetime( psa_key_slot_t key, if( lifetime != PSA_KEY_LIFETIME_VOLATILE && lifetime != PSA_KEY_LIFETIME_PERSISTENT && - lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) + lifetime != PSA_KEY_LIFETIME_WRITE_ONCE ) return( PSA_ERROR_INVALID_ARGUMENT ); status = psa_get_empty_key_slot( key, &slot ); if( status != PSA_SUCCESS ) return( status ); - if( lifetime != PSA_KEY_LIFETIME_VOLATILE ) + if( lifetime == PSA_KEY_LIFETIME_WRITE_ONCE ) return( PSA_ERROR_NOT_SUPPORTED ); +#if !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + if( lifetime == PSA_KEY_LIFETIME_PERSISTENT ) + return( PSA_ERROR_NOT_SUPPORTED ); +#endif + slot->lifetime = lifetime; return( PSA_SUCCESS ); @@ -4201,7 +4340,15 @@ psa_status_t psa_generate_key( psa_key_slot_t key, return( PSA_ERROR_NOT_SUPPORTED ); slot->type = type; - return( PSA_SUCCESS ); + +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT ) + { + return( psa_save_generated_persistent_key( key, slot, bits ) ); + } +#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ + + return( status ); } @@ -4212,8 +4359,18 @@ psa_status_t psa_generate_key( psa_key_slot_t key, void mbedtls_psa_crypto_free( void ) { psa_key_slot_t key; + key_slot_t *slot; + psa_status_t status; + for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ ) - psa_destroy_key( key ); + { + status = psa_get_key_slot( key, &slot ); + if( status != PSA_SUCCESS ) + continue; + psa_remove_key_data_from_memory( slot ); + /* Zeroize the slot to wipe metadata such as policies. */ + mbedtls_zeroize( slot, sizeof( *slot ) ); + } mbedtls_ctr_drbg_free( &global_data.ctr_drbg ); mbedtls_entropy_free( &global_data.entropy ); mbedtls_zeroize( &global_data, sizeof( global_data ) ); diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c new file mode 100644 index 000000000..0a5805b62 --- /dev/null +++ b/library/psa_crypto_storage.c @@ -0,0 +1,219 @@ +/* + * PSA persistent key storage + */ +/* Copyright (C) 2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#if defined(MBEDTLS_CONFIG_FILE) +#include MBEDTLS_CONFIG_FILE +#else +#include "mbedtls/config.h" +#endif + +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + +#include +#include + +#include "psa/crypto.h" +#include "psa_crypto_storage.h" +#include "psa_crypto_storage_backend.h" +#include "mbedtls/platform_util.h" + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#define mbedtls_calloc calloc +#define mbedtls_free free +#endif + +/* + * 32-bit integer manipulation macros (little endian) + */ +#ifndef GET_UINT32_LE +#define GET_UINT32_LE(n,b,i) \ +{ \ + (n) = ( (uint32_t) (b)[(i) ] ) \ + | ( (uint32_t) (b)[(i) + 1] << 8 ) \ + | ( (uint32_t) (b)[(i) + 2] << 16 ) \ + | ( (uint32_t) (b)[(i) + 3] << 24 ); \ +} +#endif + +#ifndef PUT_UINT32_LE +#define PUT_UINT32_LE(n,b,i) \ +{ \ + (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ + (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ + (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ + (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ +} +#endif + +/** + * Persistent key storage magic header. + */ +#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY" +#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ( sizeof( PSA_KEY_STORAGE_MAGIC_HEADER ) ) + +typedef struct { + uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH]; + uint8_t version[4]; + uint8_t type[sizeof( psa_key_type_t )]; + uint8_t policy[sizeof( psa_key_policy_t )]; + uint8_t data_len[4]; + uint8_t key_data[]; +} psa_persistent_key_storage_format; + +void psa_format_key_data_for_storage( const uint8_t *data, + const size_t data_length, + const psa_key_type_t type, + const psa_key_policy_t *policy, + uint8_t *storage_data ) +{ + psa_persistent_key_storage_format *storage_format = + (psa_persistent_key_storage_format *) storage_data; + + memcpy( storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER, PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ); + PUT_UINT32_LE(0, storage_format->version, 0); + PUT_UINT32_LE(type, storage_format->type, 0); + PUT_UINT32_LE(policy->usage, storage_format->policy, 0); + PUT_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t )); + PUT_UINT32_LE(data_length, storage_format->data_len, 0); + memcpy( storage_format->key_data, data, data_length ); +} + +static psa_status_t check_magic_header( const uint8_t *data ) +{ + if( memcmp( data, PSA_KEY_STORAGE_MAGIC_HEADER, + PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ) != 0 ) + return( PSA_ERROR_STORAGE_FAILURE ); + return( PSA_SUCCESS ); +} + +psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data, + size_t storage_data_length, + uint8_t **key_data, + size_t *key_data_length, + psa_key_type_t *type, + psa_key_policy_t *policy ) +{ + psa_status_t status; + const psa_persistent_key_storage_format *storage_format = + (const psa_persistent_key_storage_format *)storage_data; + uint32_t version; + + if( storage_data_length < sizeof(*storage_format) ) + return( PSA_ERROR_STORAGE_FAILURE ); + + status = check_magic_header( storage_data ); + if( status != PSA_SUCCESS ) + return( status ); + + GET_UINT32_LE(version, storage_format->version, 0); + if( version != 0 ) + return( PSA_ERROR_STORAGE_FAILURE ); + + GET_UINT32_LE(*key_data_length, storage_format->data_len, 0); + if( *key_data_length > ( storage_data_length - sizeof(*storage_format) ) || + *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE ) + return( PSA_ERROR_STORAGE_FAILURE ); + + *key_data = mbedtls_calloc( 1, *key_data_length ); + if( *key_data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + GET_UINT32_LE(*type, storage_format->type, 0); + GET_UINT32_LE(policy->usage, storage_format->policy, 0); + GET_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t )); + + memcpy( *key_data, storage_format->key_data, *key_data_length ); + + return( PSA_SUCCESS ); +} + +psa_status_t psa_save_persistent_key( const psa_key_slot_t key, + const psa_key_type_t type, + const psa_key_policy_t *policy, + const uint8_t *data, + const size_t data_length ) +{ + size_t storage_data_length; + uint8_t *storage_data; + psa_status_t status; + + if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE ) + return PSA_ERROR_INSUFFICIENT_STORAGE; + storage_data_length = data_length + sizeof( psa_persistent_key_storage_format ); + + storage_data = mbedtls_calloc( 1, storage_data_length ); + if( storage_data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + psa_format_key_data_for_storage( data, data_length, type, policy, + storage_data ); + + status = psa_crypto_storage_store( key, + storage_data, storage_data_length ); + + mbedtls_free( storage_data ); + + return( status ); +} + +void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length ) +{ + if( key_data != NULL ) + { + mbedtls_platform_zeroize( key_data, key_data_length ); + } + mbedtls_free( key_data ); +} + +psa_status_t psa_load_persistent_key( psa_key_slot_t key, + psa_key_type_t *type, + psa_key_policy_t *policy, + uint8_t **data, + size_t *data_length ) +{ + psa_status_t status = PSA_SUCCESS; + uint8_t *loaded_data; + size_t storage_data_length = 0; + + status = psa_crypto_storage_get_data_length( key, &storage_data_length ); + if( status != PSA_SUCCESS ) + return( status ); + + loaded_data = mbedtls_calloc( 1, storage_data_length ); + + if( loaded_data == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + + status = psa_crypto_storage_load( key, loaded_data, storage_data_length ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_parse_key_data_from_storage( loaded_data, storage_data_length, + data, data_length, type, policy ); + +exit: + mbedtls_free( loaded_data ); + return( status ); +} + +#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h new file mode 100644 index 000000000..167b0db05 --- /dev/null +++ b/library/psa_crypto_storage.h @@ -0,0 +1,177 @@ +/** + * \file psa_crypto_storage.h + * + * \brief PSA cryptography module: Mbed TLS key storage + */ +/* + * Copyright (C) 2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef PSA_CRYPTO_STORAGE_H +#define PSA_CRYPTO_STORAGE_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* Include the Mbed TLS configuration file, the way Mbed TLS does it + * in each of its header files. */ +#if defined(MBEDTLS_CONFIG_FILE) +#include MBEDTLS_CONFIG_FILE +#else +#include "mbedtls/config.h" +#endif + +#include "psa/crypto.h" +#include + +/* Limit the maximum key size to 30kB (just in case someone tries to + * inadvertently store an obscene amount of data) */ +#define PSA_CRYPTO_MAX_STORAGE_SIZE ( 30 * 1024 ) + +/** + * \brief Format key data and metadata and save to a location for given key + * slot. + * + * This function formats the key data and metadata and saves it to a + * persistent storage backend. The storage location corresponding to the + * key slot must be empty, otherwise this function will fail. This function + * should be called after psa_import_key_into_slot() to ensure the + * persistent key is not saved into a storage location corresponding to an + * already occupied non-persistent key, as well as validating the key data. + * + * + * \param key Slot number of the key to be stored. This must be a + * valid slot for a key of the chosen type. This should be + * an occupied key slot with an unoccupied corresponding + * storage location. + * \param type Key type (a \c PSA_KEY_TYPE_XXX value). + * \param[in] policy The key policy to save. + * \param[in] data Buffer containing the key data. + * \param data_length The number of bytes that make up the key data. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_INSUFFICIENT_STORAGE + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_save_persistent_key( const psa_key_slot_t key, + const psa_key_type_t type, + const psa_key_policy_t *policy, + const uint8_t *data, + const size_t data_length ); + +/** + * \brief Parses key data and metadata and load persistent key for given + * key slot number. + * + * This function reads from a storage backend, parses the key data and + * metadata and writes them to the appropriate output parameters. + * + * Note: This function allocates a buffer and returns a pointer to it through + * the data parameter. psa_free_persistent_key_data() must be called after + * this function to zeroize and free this buffer, regardless of whether this + * function succeeds or fails. + * + * \param key Slot number whose content is to be loaded. This + * must be an unoccupied key slot with an occupied + * corresponding storage location. The key slot + * lifetime must be set to persistent. + * \param[out] type On success, the key type (a \c PSA_KEY_TYPE_XXX + * value). + * \param[out] policy On success, the key's policy. + * \param[out] data Pointer to an allocated key data buffer on return. + * \param[out] data_length The number of bytes that make up the key data. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_INSUFFICIENT_MEMORY + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_load_persistent_key( psa_key_slot_t key, + psa_key_type_t *type, + psa_key_policy_t *policy, + uint8_t **data, + size_t *data_length ); + +/** + * \brief Remove persistent data for the given key slot number. + * + * \param key Slot number whose content is to be removed + * from persistent storage. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key ); + +/** + * \brief Zeroizes and frees the given buffer. + * + * This function must be called at some point after psa_load_persistent_key() + * to zeroize and free the memory allocated to the buffer in that function. + * + * \param key_data Buffer for the key data. + * \param key_data_length Size of the key data buffer. + * + */ +void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length ); + +/** + * \brief Formats key data and metadata for persistent storage + * + * \param[in] data Buffer for the key data. + * \param data_length Length of the key data buffer. + * \param type Key type (a \c PSA_KEY_TYPE_XXX value). + * \param policy The key policy. + * \param[out] storage_data Output buffer for the formatted data. + * + */ +void psa_format_key_data_for_storage( const uint8_t *data, + const size_t data_length, + const psa_key_type_t type, + const psa_key_policy_t *policy, + uint8_t *storage_data ); + +/** + * \brief Parses persistent storage data into key data and metadata + * + * \param[in] storage_data Buffer for the storage data. + * \param storage_data_length Length of the storage data buffer + * \param[out] key_data On output, pointer to a newly allocated buffer + * containing the key data. This must be freed + * using psa_free_persistent_key_data() + * \param[out] key_data_length Length of the key data buffer + * \param[out] type Key type (a \c PSA_KEY_TYPE_XXX value). + * \param[out] policy The key policy. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_INSUFFICIENT_STORAGE + * \retval PSA_ERROR_INSUFFICIENT_MEMORY + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data, + size_t storage_data_length, + uint8_t **key_data, + size_t *key_data_length, + psa_key_type_t *type, + psa_key_policy_t *policy ); + +#ifdef __cplusplus +} +#endif + +#endif /* PSA_CRYPTO_STORAGE_H */ diff --git a/library/psa_crypto_storage_backend.h b/library/psa_crypto_storage_backend.h new file mode 100644 index 000000000..3ca9a1d74 --- /dev/null +++ b/library/psa_crypto_storage_backend.h @@ -0,0 +1,112 @@ +/** + * \file psa_crypto_storage_backend.h + * + * \brief PSA cryptography module: Mbed TLS key storage backend + */ +/* + * Copyright (C) 2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef PSA_CRYPTO_STORAGE_BACKEND_H +#define PSA_CRYPTO_STORAGE_BACKEND_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* Include the Mbed TLS configuration file, the way Mbed TLS does it + * in each of its header files. */ +#if defined(MBEDTLS_CONFIG_FILE) +#include MBEDTLS_CONFIG_FILE +#else +#include "mbedtls/config.h" +#endif + +#include "psa/crypto.h" +#include "psa_crypto_storage.h" +#include + +/** + * \brief Load persistent data for the given key slot number. + * + * This function reads data from a storage backend and returns the data in a + * buffer. + * + * \param key Slot number whose content is to be loaded. This must + * be a key slot whose lifetime is set to persistent. + * \param[out] data Buffer where the data is to be written. + * \param data_size Size of the \c data buffer in bytes. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data, + size_t data_size ); + +/** + * \brief Store persistent data for the given key slot number. + * + * This function stores the given data buffer to a persistent storage. + * + * \param key Slot number whose content is to be stored. + * \param[in] data Buffer containing the data to be stored. + * \param data_length The number of bytes + * that make up the data. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_INSUFFICIENT_STORAGE + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_crypto_storage_store( const psa_key_slot_t key, + const uint8_t *data, + size_t data_length ); + +/** + * \brief Checks if persistent data is stored for the given key slot number + * + * This function checks if any key data or metadata exists for the key slot in + * the persistent storage. + * + * \param key Slot number whose content is to be checked. + * + * \retval 0 + * No persistent data present for slot number + * \retval 1 + * Persistent data present for slot number + */ +int psa_is_key_present_in_storage( const psa_key_slot_t key ); + +/** + * \brief Get data length for given key slot number. + * + * \param key Slot number whose stored data length is to be obtained. + * \param[out] data_length The number of bytes + * that make up the data. + * + * \retval PSA_SUCCESS + * \retval PSA_ERROR_STORAGE_FAILURE + */ +psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key, + size_t *data_length ); + + +#ifdef __cplusplus +} +#endif + +#endif /* PSA_CRYPTO_STORAGE_H */ diff --git a/library/psa_crypto_storage_file.c b/library/psa_crypto_storage_file.c new file mode 100644 index 000000000..03c711af3 --- /dev/null +++ b/library/psa_crypto_storage_file.c @@ -0,0 +1,218 @@ +/* + * PSA file storage backend for persistent keys + */ +/* Copyright (C) 2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#if defined(MBEDTLS_CONFIG_FILE) +#include MBEDTLS_CONFIG_FILE +#else +#include "mbedtls/config.h" +#endif + +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) + +#include + +#include "psa/crypto.h" +#include "psa_crypto_storage_backend.h" +#include "mbedtls/platform_util.h" + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#define mbedtls_snprintf snprintf +#endif + +/* This option sets where files are to be stored. If this is left unset, + * the files by default will be stored in the same location as the program, + * which may not be desired or possible. */ +#if !defined(CRYPTO_STORAGE_FILE_LOCATION) +#define CRYPTO_STORAGE_FILE_LOCATION "" +#endif + +enum { MAX_LOCATION_LEN = sizeof(CRYPTO_STORAGE_FILE_LOCATION) + 40 }; + +static void key_slot_to_location( const psa_key_slot_t key, + char *location, + size_t location_size ) +{ + mbedtls_snprintf( location, location_size, + CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_%d", key ); +} + +psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data, + size_t data_size ) +{ + psa_status_t status = PSA_SUCCESS; + FILE *file; + size_t num_read; + char slot_location[MAX_LOCATION_LEN]; + + key_slot_to_location( key, slot_location, MAX_LOCATION_LEN ); + file = fopen( slot_location, "rb" ); + if( file == NULL ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + num_read = fread( data, 1, data_size, file ); + if( num_read != data_size ) + status = PSA_ERROR_STORAGE_FAILURE; + +exit: + if( file != NULL ) + fclose( file ); + return( status ); +} + +int psa_is_key_present_in_storage( const psa_key_slot_t key ) +{ + char slot_location[MAX_LOCATION_LEN]; + FILE *file; + + key_slot_to_location( key, slot_location, MAX_LOCATION_LEN ); + + file = fopen( slot_location, "r" ); + if( file == NULL ) + { + /* File doesn't exist */ + return( 0 ); + } + + fclose( file ); + return( 1 ); +} + +psa_status_t psa_crypto_storage_store( const psa_key_slot_t key, + const uint8_t *data, + size_t data_length ) +{ + psa_status_t status = PSA_SUCCESS; + int ret; + size_t num_written; + char slot_location[MAX_LOCATION_LEN]; + FILE *file; + /* The storage location corresponding to "key slot 0" is used as a + * temporary location in order to make the apparition of the actual slot + * file atomic. 0 is not a valid key slot number, so this should not + * affect actual keys. */ + const char *temp_location = CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_0"; + + key_slot_to_location( key, slot_location, MAX_LOCATION_LEN ); + + if( psa_is_key_present_in_storage( key ) == 1 ) + return( PSA_ERROR_OCCUPIED_SLOT ); + + file = fopen( temp_location, "wb" ); + if( file == NULL ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + + num_written = fwrite( data, 1, data_length, file ); + if( num_written != data_length ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + + ret = fclose( file ); + file = NULL; + if( ret != 0 ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + + if( rename( temp_location, slot_location ) != 0 ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + +exit: + if( file != NULL ) + fclose( file ); + remove( temp_location ); + return( status ); +} + +psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key ) +{ + FILE *file; + char slot_location[MAX_LOCATION_LEN]; + + key_slot_to_location( key, slot_location, MAX_LOCATION_LEN ); + + /* Only try remove the file if it exists */ + file = fopen( slot_location, "rb" ); + if( file != NULL ) + { + fclose( file ); + + if( remove( slot_location ) != 0 ) + return( PSA_ERROR_STORAGE_FAILURE ); + } + return( PSA_SUCCESS ); +} + +psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key, + size_t *data_length ) +{ + psa_status_t status = PSA_SUCCESS; + FILE *file; + long file_size; + char slot_location[MAX_LOCATION_LEN]; + + key_slot_to_location( key, slot_location, MAX_LOCATION_LEN ); + + file = fopen( slot_location, "rb" ); + if( file == NULL ) + return( PSA_ERROR_EMPTY_SLOT ); + + if( fseek( file, 0, SEEK_END ) != 0 ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + + file_size = ftell( file ); + + if( file_size < 0 ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + +#if LONG_MAX > SIZE_MAX + if( (unsigned long) file_size > SIZE_MAX ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } +#endif + *data_length = (size_t) file_size; + +exit: + fclose( file ); + return( status ); +} + +#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */ diff --git a/library/version_features.c b/library/version_features.c index ffad82fa4..7ef899717 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -687,6 +687,12 @@ static const char *features[] = { #if defined(MBEDTLS_PSA_CRYPTO_C) "MBEDTLS_PSA_CRYPTO_C", #endif /* MBEDTLS_PSA_CRYPTO_C */ +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) + "MBEDTLS_PSA_CRYPTO_STORAGE_C", +#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) + "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C", +#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */ #if defined(MBEDTLS_RIPEMD160_C) "MBEDTLS_RIPEMD160_C", #endif /* MBEDTLS_RIPEMD160_C */ diff --git a/scripts/config.pl b/scripts/config.pl index 2e4ac3bb6..69c6d5fce 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -116,6 +116,8 @@ MBEDTLS_MEMORY_BACKTRACE MBEDTLS_MEMORY_BUFFER_ALLOC_C MBEDTLS_PLATFORM_TIME_ALT MBEDTLS_PLATFORM_FPRINTF_ALT +MBEDTLS_PSA_CRYPTO_STORAGE_C +MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C ); # Things that should be enabled in "full" even if they match @excluded diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl index 488a5beb6..d8825eed5 100755 --- a/scripts/generate_visualc_files.pl +++ b/scripts/generate_visualc_files.pl @@ -133,10 +133,11 @@ sub gen_entry_list { } sub gen_main_file { - my ($mbedtls_headers, $psa_headers, $sources, $hdr_tpl, $src_tpl, $main_tpl, $main_out) = @_; + my ($mbedtls_headers, $psa_headers, $source_headers, $sources, $hdr_tpl, $src_tpl, $main_tpl, $main_out) = @_; my $header_entries = gen_entry_list( $hdr_tpl, @$mbedtls_headers ); $header_entries .= gen_entry_list( $hdr_tpl, @$psa_headers ); + $header_entries .= gen_entry_list( $hdr_tpl, @$source_headers ); my $source_entries = gen_entry_list( $src_tpl, @$sources ); my $out = slurp_file( $main_tpl ); @@ -192,6 +193,7 @@ sub main { my @app_list = get_app_list(); my @mbedtls_headers = <$mbedtls_header_dir/*.h>; my @psa_headers = <$psa_header_dir/*.h>; + my @source_headers = <$source_dir/*.h>; my @sources = <$source_dir/*.c>; map { s!/!\\!g } @mbedtls_headers; map { s!/!\\!g } @psa_headers; @@ -199,8 +201,8 @@ sub main { gen_app_files( @app_list ); - gen_main_file( \@mbedtls_headers, \@psa_headers, \@sources, - $vsx_hdr_tpl, $vsx_src_tpl, + gen_main_file( \@mbedtls_headers, \@psa_headers, \@source_headers, + \@sources, $vsx_hdr_tpl, $vsx_src_tpl, $vsx_main_tpl_file, $vsx_main_file ); gen_vsx_solution( @app_list ); diff --git a/scripts/mbed_crypto.make b/scripts/mbed_crypto.make index e5e6ded6d..f51f5f8f3 100644 --- a/scripts/mbed_crypto.make +++ b/scripts/mbed_crypto.make @@ -70,6 +70,10 @@ LIB_FILES := \ platform.c \ platform_util.c \ psa_crypto.c \ + psa_crypto_storage.h \ + psa_crypto_storage.c \ + psa_crypto_storage_backend.h \ + psa_crypto_storage_file.c \ ripemd160.c \ rsa_internal.c \ rsa.c \ @@ -154,6 +158,10 @@ TEST_FILES := \ tests/suites/test_suite_psa_crypto_hash.function \ tests/suites/test_suite_psa_crypto_metadata.data \ tests/suites/test_suite_psa_crypto_metadata.function \ + tests/suites/test_suite_psa_crypto_persistent_key.data \ + tests/suites/test_suite_psa_crypto_persistent_key.function \ + tests/suites/test_suite_psa_crypto_storage_file.data \ + tests/suites/test_suite_psa_crypto_storage_file.function \ # Don't delete this line. OTHER_FILES := \ diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 89be6feb7..34658c8e1 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -113,6 +113,8 @@ add_test_suite(poly1305) add_test_suite(psa_crypto) add_test_suite(psa_crypto_hash) add_test_suite(psa_crypto_metadata) +add_test_suite(psa_crypto_persistent_key) +add_test_suite(psa_crypto_storage_file) add_test_suite(shax) add_test_suite(ssl) add_test_suite(timing) diff --git a/tests/Makefile b/tests/Makefile index 889d2a7da..f5cafe585 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -6,7 +6,7 @@ CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -Wno-unused-function -Wno-unused-value LDFLAGS ?= -LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 +LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -I../library -D_FILE_OFFSET_BITS=64 LOCAL_LDFLAGS = -L../library \ -lmbedtls$(SHARED_SUFFIX) \ -lmbedx509$(SHARED_SUFFIX) \ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5b04d84a1..73152cf05 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -644,6 +644,8 @@ scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.pl unset MBEDTLS_FS_IO +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, # to re-enable platform integration features otherwise disabled in C99 builds make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs @@ -859,6 +861,8 @@ scripts/config.pl unset MBEDTLS_THREADING_PTHREAD scripts/config.pl unset MBEDTLS_THREADING_C scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s @@ -877,6 +881,8 @@ scripts/config.pl unset MBEDTLS_THREADING_C scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib echo "Checking that software 64-bit division is not required" if_build_succeeded not grep __aeabi_uldiv library/*.o @@ -897,6 +903,8 @@ scripts/config.pl unset MBEDTLS_THREADING_C scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -O1 -march=armv6-m -mthumb' lib echo "Checking that software 64-bit multiplication is not required" if_build_succeeded not grep __aeabi_lmul library/*.o @@ -920,6 +928,8 @@ scripts/config.pl unset MBEDTLS_THREADING_C scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO +scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C if [ $RUN_ARMCC -ne 0 ]; then make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib diff --git a/tests/scripts/list-identifiers.sh b/tests/scripts/list-identifiers.sh index 89daa68c7..ccd488c2e 100755 --- a/tests/scripts/list-identifiers.sh +++ b/tests/scripts/list-identifiers.sh @@ -7,7 +7,7 @@ if [ -d include/mbedtls ]; then :; else exit 1 fi -HEADERS=$( ls include/mbedtls/*.h include/psa/*.h | egrep -v 'compat-1\.3\.h|bn_mul' ) +HEADERS=$( ls include/mbedtls/*.h include/psa/*.h library/*.h | egrep -v 'compat-1\.3\.h|bn_mul' ) rm -f identifiers diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index ea214d25a..e1c1b0545 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1834,3 +1834,35 @@ validate_module_init_generate_random: PSA validate module initialization: key based validate_module_init_key_based: + +persistent key can be accessed after in-memory deletion: AES, 128 bits, CTR +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:IMPORT_KEY:PSA_SUCCESS + +PSA generate persistent key: raw data, 8 bits +depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:GENERATE_KEY:PSA_SUCCESS + +PSA generate persistent key: AES, 128 bits, CTR +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:GENERATE_KEY:PSA_SUCCESS + +PSA generate persistent key: DES, 64 bits, CBC-nopad +depends_on:MBEDTLS_DES_C:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:GENERATE_KEY:PSA_SUCCESS + +PSA generate persistent key: RSA, 1024 bits, good, sign (PSS SHA-256) +depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_RSA_KEYPAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):GENERATE_KEY:PSA_SUCCESS + +PSA generate persistent key: ECC, SECP256R1, good +depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDSA_C:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDSA_ANY:GENERATE_KEY:PSA_SUCCESS + +PSA derive persistent key: HKDF SHA-256 +depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY:PSA_SUCCESS + +PSA generate persistent key: AES, 128 bits, CTR +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_PSA_CRYPTO_STORAGE_C +persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:GENERATE_KEY:PSA_ERROR_NOT_PERMITTED diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 674a6e9fe..53295befa 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -844,6 +844,13 @@ static psa_key_usage_t usage_to_exercise( psa_key_type_t type, } } + +typedef enum { + IMPORT_KEY = 0, + GENERATE_KEY = 1, + DERIVE_KEY = 2 +} generate_method; + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -4030,3 +4037,133 @@ void validate_module_init_key_based( ) TEST_ASSERT( status == PSA_ERROR_BAD_STATE ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ +void persistent_key_load_key_from_storage( data_t *data, int type_arg, + int bits, int usage_arg, + int alg_arg, int generation_method, + int export_status ) +{ + psa_key_slot_t slot = 1; + psa_key_slot_t base_key = 2; + psa_key_type_t type = (psa_key_type_t) type_arg; + psa_key_type_t type_get; + size_t bits_get; + psa_key_policy_t policy_set; + psa_key_policy_t policy_get; + psa_key_usage_t policy_usage = (psa_key_usage_t) usage_arg; + psa_algorithm_t policy_alg = (psa_algorithm_t) alg_arg; + psa_key_policy_t base_policy_set; + psa_algorithm_t base_policy_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256); + psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; + unsigned char *first_export = NULL; + unsigned char *second_export = NULL; + size_t export_size = PSA_KEY_EXPORT_MAX_SIZE( type, bits ); + size_t first_exported_length; + size_t second_exported_length; + + ASSERT_ALLOC( first_export, export_size ); + ASSERT_ALLOC( second_export, export_size ); + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy_set ); + + psa_key_policy_set_usage( &policy_set, policy_usage, + policy_alg ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy_set ) == PSA_SUCCESS ); + switch( generation_method ) + { + case IMPORT_KEY: + /* Import the key */ + TEST_ASSERT( psa_import_key( slot, type, + data->x, data->len ) == PSA_SUCCESS ); + break; + + case GENERATE_KEY: + /* Generate a key */ + TEST_ASSERT( psa_generate_key( slot, type, bits, + NULL, 0 ) == PSA_SUCCESS ); + break; + + case DERIVE_KEY: + /* Create base key */ + psa_key_policy_init( &base_policy_set ); + + psa_key_policy_set_usage( &base_policy_set, PSA_KEY_USAGE_DERIVE, + base_policy_alg ); + TEST_ASSERT( psa_set_key_policy( + base_key, &base_policy_set ) == PSA_SUCCESS ); + TEST_ASSERT( psa_import_key( base_key, PSA_KEY_TYPE_DERIVE, + data->x, data->len ) == PSA_SUCCESS ); + /* Derive a key. */ + TEST_ASSERT( psa_key_derivation( &generator, base_key, + base_policy_alg, + NULL, 0, NULL, 0, + export_size ) == PSA_SUCCESS ); + TEST_ASSERT( psa_generator_import_key( + slot, PSA_KEY_TYPE_RAW_DATA, + bits, &generator ) == PSA_SUCCESS ); + break; + } + + /* Export the key */ + TEST_ASSERT( psa_export_key( slot, first_export, export_size, + &first_exported_length ) == export_status ); + + /* Shutdown and restart */ + mbedtls_psa_crypto_free(); + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + /* Mark slot as persistent again */ + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + /* Check key slot still contains key data */ + TEST_ASSERT( psa_get_key_information( + slot, &type_get, &bits_get ) == PSA_SUCCESS ); + TEST_ASSERT( type_get == type ); + TEST_ASSERT( bits_get == (size_t) bits ); + + TEST_ASSERT( psa_get_key_policy( slot, &policy_get ) == PSA_SUCCESS ); + TEST_ASSERT( psa_key_policy_get_usage( + &policy_get ) == policy_usage ); + TEST_ASSERT( psa_key_policy_get_algorithm( + &policy_get ) == policy_alg ); + + /* Export the key again */ + TEST_ASSERT( psa_export_key( slot, second_export, export_size, + &second_exported_length ) == export_status ); + + if( export_status == PSA_SUCCESS ) + { + ASSERT_COMPARE( first_export, first_exported_length, + second_export, second_exported_length ); + + switch( generation_method ) + { + case IMPORT_KEY: + ASSERT_COMPARE( data->x, data->len, + first_export, first_exported_length ); + break; + default: + break; + } + } + + /* Do something with the key according to its type and permitted usage. */ + if( ! exercise_key( slot, policy_usage, policy_alg ) ) + goto exit; + +exit: + mbedtls_free( first_export ); + mbedtls_free( second_export ); + psa_destroy_key( slot ); + mbedtls_psa_crypto_free(); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.data b/tests/suites/test_suite_psa_crypto_persistent_key.data new file mode 100644 index 000000000..46e547c93 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_persistent_key.data @@ -0,0 +1,78 @@ +PSA Storage format data for storage +format_storage_data_check:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"505341004b45590000000000000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION + +PSA Storage parse stored data +parse_storage_data_check:"505341004b45590000000000000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_SUCCESS + +PSA Storage parse stored data wrong version, should fail +parse_storage_data_check:"505341004b455900ffffffff000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE + +PSA Storage parse too big data, should fail +parse_storage_data_check:"505341004b45590000000000000001700100000000000012ffffffff3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE + +PSA Storage parse bad magic, should fail +parse_storage_data_check:"645341004b45590000000000000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE + +PSA Storage parse not enough magic, should fail +parse_storage_data_check:"505341004b4559":"":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE + +# Not specific to files, but only run this test in an environment where the maximum size could be reached. +Save maximum size persistent raw key +depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C +save_large_persistent_key:0:PSA_SUCCESS + +Save larger than maximum size persistent raw key, should fail +save_large_persistent_key:1:PSA_ERROR_INSUFFICIENT_STORAGE + +Persistent key is configurable +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +persistent_key_is_configurable:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24" + +Persistent key destroy +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +persistent_key_destroy:1:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RAW_DATA:"deadbeef" + +Persistent key destroy missing key +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +persistent_key_destroy:1:0:PSA_KEY_TYPE_RSA_KEYPAIR:"":PSA_KEY_TYPE_RAW_DATA:"deadbeef" + +Key lifetime defaults to volatile +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +default_volatile_lifetime:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24" + +Persistent key import +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +persistent_key_import:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_SUCCESS + +Persistent key import garbage data, should fail +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +persistent_key_import:1:PSA_KEY_TYPE_RSA_KEYPAIR:"11111111":PSA_ERROR_INVALID_ARGUMENT + +import/export persistent raw key: 0 byte +import_export_persistent_key:"":PSA_KEY_TYPE_RAW_DATA:0:0 + +import/export persistent raw key: 1 byte +import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:0 + +import/export persistent key RSA public key: good, 1024-bit +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +import_export_persistent_key:"30819f300d06092a864886f70d010101050003818d0030818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:0 + +import/export persistent key RSA keypair: good, 1024-bit +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +import_export_persistent_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:1024:0 + +import/export persistent raw key file not exist: 1 byte +import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:1 + +import/export persistent key RSA public key file not exist: 1024-bit +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +import_export_persistent_key:"30819f300d06092a864886f70d010101050003818d0030818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:1 + +import/export persistent key RSA keypair file not exist: 1024-bit +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +import_export_persistent_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:1024:1 + +PSA import/export-persistent symmetric key: 16 bytes +depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C +import_export_persistent_key:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:0 diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function new file mode 100644 index 000000000..0ede6e6c8 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_persistent_key.function @@ -0,0 +1,342 @@ +/* BEGIN_HEADER */ +#include +#include "psa/crypto.h" +#include "psa_crypto_storage.h" +#include "psa_crypto_storage_backend.h" +#include "mbedtls/md.h" + +#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY" +#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ( sizeof( PSA_KEY_STORAGE_MAGIC_HEADER ) ) + +typedef struct { + uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH]; + uint8_t version[4]; + uint8_t type[sizeof( psa_key_type_t )]; + uint8_t policy[sizeof( psa_key_policy_t )]; + uint8_t data_len[4]; + uint8_t key_data[]; +} psa_persistent_key_storage_format; + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_STORAGE_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void format_storage_data_check( data_t *key_data, + data_t *expected_file_data, + int key_type, int key_usage, int key_alg ) +{ + uint8_t *file_data; + size_t file_data_length; + psa_key_policy_t key_policy; + + key_policy.usage = (psa_key_usage_t) key_usage; + key_policy.alg = (psa_algorithm_t) key_alg; + + file_data_length = key_data->len + sizeof( psa_persistent_key_storage_format ); + file_data = mbedtls_calloc( 1, file_data_length ); + psa_format_key_data_for_storage( key_data->x, key_data->len, + (psa_key_type_t) key_type, &key_policy, + file_data ); + + ASSERT_COMPARE( expected_file_data->x, expected_file_data->len, + file_data, file_data_length ); + mbedtls_free( file_data ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void parse_storage_data_check( data_t *file_data, + data_t *expected_key_data, + int expected_key_type, + int expected_key_usage, + int expected_key_alg, + int expected_status ) +{ + uint8_t *key_data = NULL; + size_t key_data_length = 0; + psa_key_type_t key_type = 0; + psa_key_policy_t key_policy; + psa_status_t status; + + status = psa_parse_key_data_from_storage( file_data->x, file_data->len, + &key_data, &key_data_length, + &key_type, &key_policy ); + + TEST_ASSERT( status == expected_status ); + if( status != PSA_SUCCESS ) + goto exit; + + TEST_ASSERT( key_type == (psa_key_type_t) expected_key_type ); + TEST_ASSERT( key_policy.usage == (uint32_t) expected_key_usage ); + TEST_ASSERT( key_policy.alg == (uint32_t) expected_key_alg ); + ASSERT_COMPARE( expected_key_data->x, expected_key_data->len, + key_data, key_data_length ); + +exit: + mbedtls_free( key_data ); +} +/* END_CASE */ + + +/* BEGIN_CASE */ +void save_large_persistent_key( int data_too_large, int expected_status ) +{ + psa_key_slot_t slot = 1; + uint8_t *data = NULL; + size_t data_length = PSA_CRYPTO_MAX_STORAGE_SIZE; + + if( data_too_large ) + data_length += 1; + + ASSERT_ALLOC( data, data_length ); + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( slot, PSA_KEY_TYPE_RAW_DATA, + data, data_length ) == expected_status ); + +exit: + mbedtls_free( data ); + psa_destroy_persistent_key( slot ); + mbedtls_psa_crypto_free(); +} +/* END_CASE */ + + +/* BEGIN_CASE */ +void persistent_key_is_configurable( int slot_arg, int type_arg, + data_t *data ) +{ + psa_key_policy_t policy; + psa_key_lifetime_t lifetime; + psa_key_slot_t slot = (psa_key_slot_t) slot_arg; + psa_key_type_t type = (psa_key_type_t) type_arg; + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( slot, type, + data->x, data->len ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_get_key_lifetime( slot, &lifetime ) == PSA_SUCCESS ); + + TEST_ASSERT( lifetime == PSA_KEY_LIFETIME_PERSISTENT ); + +exit: + psa_destroy_persistent_key( slot ); + mbedtls_psa_crypto_free(); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void persistent_key_destroy( int slot_arg, int should_store, + int first_type_arg, data_t *first_data, + int second_type_arg, data_t *second_data ) +{ + psa_key_policy_t policy; + psa_key_slot_t slot = (psa_key_slot_t) slot_arg; + psa_key_type_t first_type = (psa_key_type_t) first_type_arg; + psa_key_type_t second_type = (psa_key_type_t) second_type_arg; + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + if( should_store == 1 ) + { + TEST_ASSERT( psa_import_key( + slot, first_type, + first_data->x, first_data->len ) == PSA_SUCCESS ); + } + + /* Destroy the key */ + TEST_ASSERT( psa_destroy_key( slot ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_get_key_information( + slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT ); + + /* Check key slot storage is removed */ + TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 0 ); + + /* Check destroying the key again doesn't report failure */ + TEST_ASSERT( psa_destroy_key( slot ) == PSA_SUCCESS ); + TEST_ASSERT( psa_get_key_information( + slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT ); + + /* Shutdown and restart */ + mbedtls_psa_crypto_free(); + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + /* Mark slot as persistent again */ + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + /* Check key slot is empty */ + TEST_ASSERT( psa_get_key_information( + slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT ); + + /* Import different key data to ensure slot really was empty */ + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_EXPORT, + PSA_ALG_VENDOR_FLAG ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( + slot, second_type, + second_data->x, second_data->len ) == PSA_SUCCESS ); + +exit: + psa_destroy_persistent_key( slot ); + mbedtls_psa_crypto_free(); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void default_volatile_lifetime( int slot_arg, int type_arg, data_t *data ) +{ + psa_key_policy_t policy; + psa_key_slot_t slot = (psa_key_slot_t) slot_arg; + psa_key_type_t type = (psa_key_type_t) type_arg; + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + TEST_ASSERT( psa_import_key( slot, type, + data->x, data->len ) == PSA_SUCCESS ); + + /* Shutdown and restart */ + mbedtls_psa_crypto_free(); + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + /* Check key slot is empty */ + TEST_ASSERT( psa_get_key_information( + slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT ); + +exit: + psa_destroy_persistent_key( slot ); + mbedtls_psa_crypto_free(); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void persistent_key_import( int slot_arg, int type_arg, data_t *data, + int expected_status ) +{ + psa_key_policy_t policy; + psa_key_lifetime_t lifetime; + psa_key_slot_t slot = (psa_key_slot_t) slot_arg; + psa_key_type_t type = (psa_key_type_t) type_arg; + + TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + TEST_ASSERT( psa_import_key( slot, type, + data->x, data->len ) == expected_status ); + + if( expected_status != PSA_SUCCESS ) + { + TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 0 ); + goto exit; + } + + TEST_ASSERT( psa_get_key_lifetime( slot, &lifetime ) == PSA_SUCCESS ); + + TEST_ASSERT( lifetime == PSA_KEY_LIFETIME_PERSISTENT ); + +exit: + psa_destroy_persistent_key( slot ); + mbedtls_psa_crypto_free(); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void import_export_persistent_key( data_t *data, int type_arg, + int expected_bits, int key_not_exist ) +{ + psa_key_slot_t slot = 1; + psa_key_type_t type = (psa_key_type_t) type_arg; + unsigned char *exported = NULL; + size_t export_size = data->len; + size_t exported_length; + psa_key_type_t got_type; + size_t got_bits; + psa_key_policy_t policy; + psa_key_lifetime_t lifetime_get; + + ASSERT_ALLOC( exported, export_size ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( + slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS ); + + psa_key_policy_init( &policy ); + + psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_EXPORT, + PSA_ALG_VENDOR_FLAG ); + + TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS ); + + /* Import the key */ + TEST_ASSERT( psa_import_key( slot, type, + data->x, data->len ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_get_key_lifetime( + slot, &lifetime_get ) == PSA_SUCCESS ); + TEST_ASSERT( lifetime_get == PSA_KEY_LIFETIME_PERSISTENT ); + + /* Test the key information */ + TEST_ASSERT( psa_get_key_information( + slot, &got_type, &got_bits ) == PSA_SUCCESS ); + TEST_ASSERT( got_type == type ); + TEST_ASSERT( got_bits == (size_t) expected_bits ); + + TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 1 ); + + if( key_not_exist ) + { + psa_destroy_persistent_key( slot ); + } + /* Export the key */ + TEST_ASSERT( psa_export_key( slot, exported, export_size, + &exported_length ) == PSA_SUCCESS ); + + ASSERT_COMPARE( data->x, data->len, exported, exported_length ); + + /* Destroy the key */ + TEST_ASSERT( psa_destroy_key( slot ) == PSA_SUCCESS ); + TEST_ASSERT( psa_get_key_information( + slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT ); + TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 0 ); + +exit: + mbedtls_free( exported ); + psa_destroy_persistent_key( slot ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto_storage_file.data b/tests/suites/test_suite_psa_crypto_storage_file.data new file mode 100644 index 000000000..730e0925c --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_storage_file.data @@ -0,0 +1,43 @@ +PSA Storage Load verify loaded file +depends_on:MBEDTLS_FS_IO +load_data_from_file:1:"deadbeef":1:4:PSA_SUCCESS + +PSA Storage Load check slots dont share state +depends_on:MBEDTLS_FS_IO +load_data_from_file:2:"deadbeef":1:4:PSA_ERROR_STORAGE_FAILURE + +PSA Storage Load zero length file +depends_on:MBEDTLS_FS_IO +load_data_from_file:1:"":1:1:PSA_SUCCESS + +PSA Storage Load less than capacity of data buffer +depends_on:MBEDTLS_FS_IO +load_data_from_file:1:"deadbeef":1:5:PSA_SUCCESS + +PSA Storage Load nonexistent file location, should fail +depends_on:MBEDTLS_FS_IO +load_data_from_file:1:"deadbeef":0:4:PSA_ERROR_STORAGE_FAILURE + +PSA Storage Store verify stored file +depends_on:MBEDTLS_FS_IO +write_data_to_file:"deadbeef":PSA_SUCCESS + +PSA Storage Store into preexisting location, should fail +depends_on:MBEDTLS_FS_IO +write_data_to_prexisting_file:"psa_key_slot_1":"deadbeef":PSA_ERROR_OCCUPIED_SLOT + +PSA Storage Store, preexisting temp_location file, should succeed +depends_on:MBEDTLS_FS_IO +write_data_to_prexisting_file:"psa_key_slot_0":"deadbeef":PSA_SUCCESS + +PSA Storage Get data size verify data size +depends_on:MBEDTLS_FS_IO +get_file_size:"deadbeef":4:PSA_SUCCESS:1 + +PSA Storage Get data size verify data size zero length file +depends_on:MBEDTLS_FS_IO +get_file_size:"":0:PSA_SUCCESS:1 + +PSA Storage Get data size nonexistent file location, should fail +depends_on:MBEDTLS_FS_IO +get_file_size:"deadbeef":4:PSA_ERROR_EMPTY_SLOT:0 diff --git a/tests/suites/test_suite_psa_crypto_storage_file.function b/tests/suites/test_suite_psa_crypto_storage_file.function new file mode 100644 index 000000000..b6dcad777 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_storage_file.function @@ -0,0 +1,159 @@ +/* BEGIN_HEADER */ +#include +#include "psa/crypto.h" +#include "psa_crypto_storage_backend.h" + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void load_data_from_file( int slot_to_load, data_t *data, int should_make_file, + int capacity_arg, int expected_status ) +{ + char slot_location[] = "psa_key_slot_1"; + psa_status_t status; + int ret; + size_t file_size = 0; + uint8_t *loaded_data = NULL; + size_t capacity = (size_t) capacity_arg; + + if( should_make_file == 1 ) + { + /* Create a file with data contents, with mask permissions. */ + FILE *file; + file = fopen( slot_location, "wb+" ); + TEST_ASSERT( file != NULL ); + file_size = fwrite( data->x, 1, data->len, file ); + TEST_ASSERT( file_size == data->len ); + ret = fclose( file ); + TEST_ASSERT( ret == 0 ); + } + + /* Read from the file with psa_crypto_storage_load. */ + loaded_data = mbedtls_calloc( 1, capacity ); + TEST_ASSERT( loaded_data != NULL ); + status = psa_crypto_storage_load( (psa_key_slot_t) slot_to_load, loaded_data, + file_size ); + + /* Check we get the expected status. */ + TEST_ASSERT( status == expected_status ); + if( status != PSA_SUCCESS ) + goto exit; + + /* Check that the file data and data length is what we expect. */ + ASSERT_COMPARE( data->x, data->len, loaded_data, file_size ); + +exit: + mbedtls_free( loaded_data ); + remove( slot_location ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void write_data_to_file( data_t *data, int expected_status ) +{ + char slot_location[] = "psa_key_slot_1"; + psa_status_t status; + int ret; + FILE *file; + size_t file_size; + size_t num_read; + uint8_t *loaded_data = NULL; + + /* Write data to file. */ + status = psa_crypto_storage_store( 1, data->x, data->len ); + + /* Check that we got the expected status. */ + TEST_ASSERT( status == expected_status ); + if( status != PSA_SUCCESS ) + goto exit; + + /* Check that the file length is what we expect */ + file = fopen( slot_location, "rb" ); + TEST_ASSERT( file != NULL ); + fseek( file, 0, SEEK_END ); + file_size = (size_t) ftell( file ); + fseek( file, 0, SEEK_SET ); + TEST_ASSERT( file_size == data->len ); + + /* Check that the file contents are what we expect */ + loaded_data = mbedtls_calloc( 1, data->len ); + TEST_ASSERT( loaded_data != NULL ); + + num_read = fread( loaded_data, 1, file_size, file ); + TEST_ASSERT( num_read == file_size ); + ASSERT_COMPARE( data->x, data->len, loaded_data, file_size ); + ret = fclose( file ); + TEST_ASSERT( ret == 0 ); + +exit: + mbedtls_free( loaded_data ); + remove( slot_location ); +} +/* END_CASE */ + + +/* BEGIN_CASE */ +void get_file_size( data_t *data, int expected_data_length, + int expected_status, int should_make_file ) +{ + char slot_location[] = "psa_key_slot_1"; + psa_status_t status; + int ret; + size_t file_size; + + if( should_make_file ) + { + /* Create a file with data contents, with mask permissions. */ + FILE *file; + file = fopen( slot_location, "wb+" ); + TEST_ASSERT( file != NULL ); + file_size = fwrite( data->x, 1, data->len, file ); + TEST_ASSERT( file_size == data->len ); + ret = fclose( file ); + TEST_ASSERT( ret == 0 ); + } + + /* Check get data size is what we expect */ + status = psa_crypto_storage_get_data_length( 1, &file_size ); + TEST_ASSERT( status == expected_status ); + if( expected_status == PSA_SUCCESS ) + TEST_ASSERT( file_size == (size_t)expected_data_length ); + +exit: + remove( slot_location ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void write_data_to_prexisting_file( char *preexist_file_location, + data_t *data, int expected_status ) +{ + char slot_location[] = "psa_key_slot_1"; + psa_status_t status; + int ret; + FILE *file; + + /* Create file first */ + file = fopen( preexist_file_location, "wb" ); + TEST_ASSERT( file != NULL ); + ret = fclose( file ); + TEST_ASSERT( ret == 0 ); + + /* Write data to file. */ + status = psa_crypto_storage_store( 1, data->x, data->len ); + + /* Check that we got the expected status. */ + TEST_ASSERT( status == expected_status ); + if( status != PSA_SUCCESS ) + goto exit; + +exit: + remove( preexist_file_location ); + remove( slot_location ); +} +/* END_CASE */ diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 301d3333f..91cf2f0fc 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -230,6 +230,8 @@ + + @@ -287,6 +289,8 @@ + +