Change the bitwise encoding of key type categories

There were only 5 categories (now 4). Reduce the category mask from 7
bits to 3.

Combine unformatted, not-necessarily-uniform keys (HMAC, derivation)
with raw data.

Reintroduce a KEY_TYPE_IS_UNSTRUCTURED macro (which used to exist
under the name KEY_TYPE_IS_RAW_DATA) for key types that don't
have any structure, including both should-be-uniform keys (such as
block cipher and stream cipher keys) and not-necessarily-uniform
keys (such as HMAC keys and secrets for key derivation).
Gilles Peskine 2018-08-10 16:03:41 +02:00 committed by Jaeden Amero
parent c32f0304db
commit 78b3bb670d
2 changed files with 56 additions and 30 deletions


@ -360,17 +360,19 @@ typedef uint32_t psa_key_type_t;
*/ */
#define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x80000000) #define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x80000000)
#define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x7e000000) #define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x70000000)
#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x40000000)
#define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t)0x50000000)
#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t)0x60000000)
#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t)0x70000000)
#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x10000000)
/** Raw data. /** Raw data.
* *
* A "key" of this type cannot be used for any cryptographic operation. * A "key" of this type cannot be used for any cryptographic operation.
* Applications may use this type to store arbitrary data in the keystore. */ * Applications may use this type to store arbitrary data in the keystore. */
#define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x02000000) #define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x50000001)
#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x04000000)
#define PSA_KEY_TYPE_CATEGORY_ASYMMETRIC ((psa_key_type_t)0x06000000)
#define PSA_KEY_TYPE_PAIR_FLAG ((psa_key_type_t)0x01000000)
/** HMAC key. /** HMAC key.
* *
@ -380,21 +382,21 @@ typedef uint32_t psa_key_type_t;
* HMAC keys should generally have the same size as the underlying hash. * HMAC keys should generally have the same size as the underlying hash.
* This size can be calculated with #PSA_HASH_SIZE(\c alg) where * This size can be calculated with #PSA_HASH_SIZE(\c alg) where
* \c alg is the HMAC algorithm or the underlying hash algorithm. */ * \c alg is the HMAC algorithm or the underlying hash algorithm. */
#define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x02000001) #define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x51000000)
/** A secret for key derivation. /** A secret for key derivation.
* *
* The key policy determines which key derivation algorithm the key * The key policy determines which key derivation algorithm the key
* can be used for. * can be used for.
*/ */
#define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x02000101) #define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x52000000)
/** Key for an cipher, AEAD or MAC algorithm based on the AES block cipher. /** Key for an cipher, AEAD or MAC algorithm based on the AES block cipher.
* *
* The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
* 32 bytes (AES-256). * 32 bytes (AES-256).
*/ */
#define PSA_KEY_TYPE_AES ((psa_key_type_t)0x04000001) #define PSA_KEY_TYPE_AES ((psa_key_type_t)0x40000001)
/** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES). /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
* *
@ -405,30 +407,30 @@ typedef uint32_t psa_key_type_t;
* deprecated and should only be used to decrypt legacy data. 3-key 3DES * deprecated and should only be used to decrypt legacy data. 3-key 3DES
* is weak and deprecated and should only be used in legacy protocols. * is weak and deprecated and should only be used in legacy protocols.
*/ */
#define PSA_KEY_TYPE_DES ((psa_key_type_t)0x04000002) #define PSA_KEY_TYPE_DES ((psa_key_type_t)0x40000002)
/** Key for an cipher, AEAD or MAC algorithm based on the /** Key for an cipher, AEAD or MAC algorithm based on the
* Camellia block cipher. */ * Camellia block cipher. */
#define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x04000003) #define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x40000003)
/** Key for the RC4 stream cipher. /** Key for the RC4 stream cipher.
* *
* Note that RC4 is weak and deprecated and should only be used in * Note that RC4 is weak and deprecated and should only be used in
* legacy protocols. */ * legacy protocols. */
#define PSA_KEY_TYPE_ARC4 ((psa_key_type_t)0x04000004) #define PSA_KEY_TYPE_ARC4 ((psa_key_type_t)0x40000004)
/** RSA public key. */ /** RSA public key. */
#define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x06010000) #define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x60010000)
/** RSA key pair (private and public key). */ /** RSA key pair (private and public key). */
#define PSA_KEY_TYPE_RSA_KEYPAIR ((psa_key_type_t)0x07010000) #define PSA_KEY_TYPE_RSA_KEYPAIR ((psa_key_type_t)0x70010000)
/** DSA public key. */ /** DSA public key. */
#define PSA_KEY_TYPE_DSA_PUBLIC_KEY ((psa_key_type_t)0x06020000) #define PSA_KEY_TYPE_DSA_PUBLIC_KEY ((psa_key_type_t)0x60020000)
/** DSA key pair (private and public key). */ /** DSA key pair (private and public key). */
#define PSA_KEY_TYPE_DSA_KEYPAIR ((psa_key_type_t)0x07020000) #define PSA_KEY_TYPE_DSA_KEYPAIR ((psa_key_type_t)0x70020000)
#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x06030000) #define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x60030000)
#define PSA_KEY_TYPE_ECC_KEYPAIR_BASE ((psa_key_type_t)0x07030000) #define PSA_KEY_TYPE_ECC_KEYPAIR_BASE ((psa_key_type_t)0x70030000)
#define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x0000ffff) #define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x0000ffff)
/** Elliptic curve key pair. */ /** Elliptic curve key pair. */
#define PSA_KEY_TYPE_ECC_KEYPAIR(curve) \ #define PSA_KEY_TYPE_ECC_KEYPAIR(curve) \
@ -441,24 +443,50 @@ typedef uint32_t psa_key_type_t;
#define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \ #define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \
(((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0) (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0)
/** Whether a key type is an unstructured array of bytes.
*
* This encompasses both symmetric keys and non-key data.
*/
#define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
(((type) & PSA_KEY_TYPE_CATEGORY_MASK & ~(psa_key_type_t)0x10000000) == \
PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
/** Whether a key type is asymmetric: either a key pair or a public key. */ /** Whether a key type is asymmetric: either a key pair or a public key. */
#define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \ #define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \
(((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_ASYMMETRIC) (((type) & PSA_KEY_TYPE_CATEGORY_MASK \
& ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == \
PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
/** Whether a key type is the public part of a key pair. */ /** Whether a key type is the public part of a key pair. */
#define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \ #define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \
(((type) & (PSA_KEY_TYPE_CATEGORY_MASK | PSA_KEY_TYPE_PAIR_FLAG)) == \ (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
PSA_KEY_TYPE_CATEGORY_ASYMMETRIC)
/** Whether a key type is a key pair containing a private part and a public /** Whether a key type is a key pair containing a private part and a public
* part. */ * part. */
#define PSA_KEY_TYPE_IS_KEYPAIR(type) \ #define PSA_KEY_TYPE_IS_KEYPAIR(type) \
(((type) & (PSA_KEY_TYPE_CATEGORY_MASK | PSA_KEY_TYPE_PAIR_FLAG)) == \ (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR)
(PSA_KEY_TYPE_CATEGORY_ASYMMETRIC | PSA_KEY_TYPE_PAIR_FLAG)) /** The key pair type corresponding to a public key type.
/** The key pair type corresponding to a public key type. */ *
* You may also pass a key pair type as \p type, it will be left unchanged.
*
* \param type A public key type or key pair type.
*
* \return The corresponding key pair type.
* If \p type is not a public key or a key pair,
* the return value is undefined.
*/
#define PSA_KEY_TYPE_KEYPAIR_OF_PUBLIC_KEY(type) \ #define PSA_KEY_TYPE_KEYPAIR_OF_PUBLIC_KEY(type) \
((type) | PSA_KEY_TYPE_PAIR_FLAG) ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
/** The public key type corresponding to a key pair type. */ /** The public key type corresponding to a key pair type.
*
* You may also pass a key pair type as \p type, it will be left unchanged.
*
* \param type A public key type or key pair type.
*
* \return The corresponding public key type.
* If \p type is not a public key or a key pair,
* the return value is undefined.
*/
#define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) \ #define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) \
((type) & ~PSA_KEY_TYPE_PAIR_FLAG) ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
/** Whether a key type is an RSA key (pair or public-only). */ /** Whether a key type is an RSA key (pair or public-only). */
#define PSA_KEY_TYPE_IS_RSA(type) \ #define PSA_KEY_TYPE_IS_RSA(type) \
(PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY) (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
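Review bot: PSA_KEY_TYPE_IS_UNSTRUCTURED clears bit 28 with the bare literal `~(psa_key_type_t)0x10000000`, so its result depends on PSA_KEY_TYPE_CATEGORY_RAW being exactly PSA_KEY_TYPE_CATEGORY_SYMMETRIC with that bit set, and nothing in the header states this. The same bit is named PSA_KEY_TYPE_CATEGORY_FLAG_PAIR and means "has a private part" in the asymmetric half, so a later renumbering of either category could make a structured key type test as unstructured without any compile error. I would document the layout next to the category defines, e.g. `/* Bit 28 separates RAW from SYMMETRIC and KEY_PAIR from PUBLIC_KEY; PSA_KEY_TYPE_IS_UNSTRUCTURED and PSA_KEY_TYPE_IS_ASYMMETRIC rely on this. */`, and give the literal its own name. Separately, the new comment on PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR says a key pair type "will be left unchanged"; given `(type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR`, it is a public key type that is left unchanged.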


@ -135,9 +135,7 @@ typedef struct
static int key_type_is_raw_bytes( psa_key_type_t type ) static int key_type_is_raw_bytes( psa_key_type_t type )
{ {
psa_key_type_t category = type & PSA_KEY_TYPE_CATEGORY_MASK; return( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) );
return( category == PSA_KEY_TYPE_RAW_DATA ||
category == PSA_KEY_TYPE_CATEGORY_SYMMETRIC );
} }
typedef struct typedef struct
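Review bot: key_type_is_raw_bytes has no comment, and after this change it accepts whatever PSA_KEY_TYPE_IS_UNSTRUCTURED accepts, which per the header "encompasses both symmetric keys and non-key data", including PSA_KEY_TYPE_RAW_DATA, a type documented as one that "cannot be used for any cryptographic operation". A short comment above the function would keep callers from reading it as "is a usable symmetric key": `/* True if the key material is a plain byte string (cipher key, HMAC key, derivation secret or raw data); says nothing about which operations the type permits. */`. The callers are outside this hunk, so whether any of them relies on it that way is not visible here.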