Remove domain parameters from psa_key_attributes_t

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2024-02-16 00:49:46 +01:00
parent ae5eb64705
commit 97c0b2f393
4 changed files with 3 additions and 172 deletions

View file

@ -318,20 +318,6 @@ struct psa_key_attributes_s {
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/* Unlike normal buffers, there are three cases for domain_parameters
* and domain_parameters_size:
* - domain_parameters_size == SIZE_MAX && domain_parameters == NULL:
* Access to domain parameters is not supported for this key.
* This is a hack which should not exist, intended for keys managed
* by a driver, because drivers don't support domain parameters.
* - domain_parameters_size == 0 && domain_parameters == NULL:
* The domain parameters are empty.
* - domain_parameters_size > 0 &&
* domain_parameters == valid pointer to domain_parameters_size bytes:
* The domain parameters are non-empty.
*/
void *MBEDTLS_PRIVATE(domain_parameters);
size_t MBEDTLS_PRIVATE(domain_parameters_size);
/* With client/service separation, struct psa_key_attributes_s is /* With client/service separation, struct psa_key_attributes_s is
* marshalled through a transport channel between the client and * marshalled through a transport channel between the client and
* service side implementation of the PSA Crypto APIs, thus having * service side implementation of the PSA Crypto APIs, thus having
@ -342,9 +328,9 @@ struct psa_key_attributes_s {
}; };
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
#define PSA_KEY_ATTRIBUTES_INIT { 0, NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT } #define PSA_KEY_ATTRIBUTES_INIT { 0, PSA_CORE_KEY_ATTRIBUTES_INIT }
#else #else
#define PSA_KEY_ATTRIBUTES_INIT { NULL, 0, PSA_CORE_KEY_ATTRIBUTES_INIT } #define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT }
#endif #endif
static inline struct psa_key_attributes_s psa_key_attributes_init(void) static inline struct psa_key_attributes_s psa_key_attributes_init(void)

View file

@ -1211,58 +1211,12 @@ exit:
return overall_status; return overall_status;
} }
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
static psa_status_t psa_get_rsa_public_exponent(
const mbedtls_rsa_context *rsa,
psa_key_attributes_t *attributes)
{
mbedtls_mpi mpi;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
uint8_t *buffer = NULL;
size_t buflen;
mbedtls_mpi_init(&mpi);
ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &mpi);
if (ret != 0) {
goto exit;
}
if (mbedtls_mpi_cmp_int(&mpi, 65537) == 0) {
/* It's the default value, which is reported as an empty string,
* so there's nothing to do. */
goto exit;
}
buflen = mbedtls_mpi_size(&mpi);
buffer = mbedtls_calloc(1, buflen);
if (buffer == NULL) {
ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
goto exit;
}
ret = mbedtls_mpi_write_binary(&mpi, buffer, buflen);
if (ret != 0) {
goto exit;
}
attributes->domain_parameters = buffer;
attributes->domain_parameters_size = buflen;
exit:
mbedtls_mpi_free(&mpi);
if (ret != 0) {
mbedtls_free(buffer);
}
return mbedtls_to_psa_error(ret);
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
/** Retrieve all the publicly-accessible attributes of a key. /** Retrieve all the publicly-accessible attributes of a key.
*/ */
psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
psa_key_attributes_t *attributes) psa_key_attributes_t *attributes)
{ {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_slot_t *slot; psa_key_slot_t *slot;
psa_reset_key_attributes(attributes); psa_reset_key_attributes(attributes);
@ -1283,55 +1237,7 @@ psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
} }
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
switch (slot->attr.type) { return psa_unregister_read_under_mutex(slot);
#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
case PSA_KEY_TYPE_RSA_KEY_PAIR:
case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
/* TODO: This is a temporary situation where domain parameters are deprecated,
* but we need it for namely generating an RSA key with a non-default exponent.
* This would be improved after https://github.com/Mbed-TLS/mbedtls/issues/6494.
*/
if (!psa_key_lifetime_is_external(slot->attr.lifetime)) {
mbedtls_rsa_context *rsa = NULL;
status = mbedtls_psa_rsa_load_representation(
slot->attr.type,
slot->key.data,
slot->key.bytes,
&rsa);
if (status != PSA_SUCCESS) {
break;
}
status = psa_get_rsa_public_exponent(rsa,
attributes);
mbedtls_rsa_free(rsa);
mbedtls_free(rsa);
}
break;
#else
case PSA_KEY_TYPE_RSA_KEY_PAIR:
case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
attributes->domain_parameters = NULL;
attributes->domain_parameters_size = SIZE_MAX;
break;
#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
default:
/* Nothing else to do. */
break;
}
if (status != PSA_SUCCESS) {
psa_reset_key_attributes(attributes);
}
unlock_status = psa_unregister_read_under_mutex(slot);
return (status == PSA_SUCCESS) ? unlock_status : status;
} }
#if defined(MBEDTLS_PSA_CRYPTO_SE_C) #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@ -1959,57 +1865,6 @@ static psa_status_t psa_validate_optional_attributes(
} }
} }
if (attributes->domain_parameters_size != 0) {
#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
if (PSA_KEY_TYPE_IS_RSA(slot->attr.type)) {
mbedtls_rsa_context *rsa = NULL;
mbedtls_mpi actual, required;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = mbedtls_psa_rsa_load_representation(
slot->attr.type,
slot->key.data,
slot->key.bytes,
&rsa);
if (status != PSA_SUCCESS) {
return status;
}
mbedtls_mpi_init(&actual);
mbedtls_mpi_init(&required);
ret = mbedtls_rsa_export(rsa,
NULL, NULL, NULL, NULL, &actual);
mbedtls_rsa_free(rsa);
mbedtls_free(rsa);
if (ret != 0) {
goto rsa_exit;
}
ret = mbedtls_mpi_read_binary(&required,
attributes->domain_parameters,
attributes->domain_parameters_size);
if (ret != 0) {
goto rsa_exit;
}
if (mbedtls_mpi_cmp_mpi(&actual, &required) != 0) {
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
rsa_exit:
mbedtls_mpi_free(&actual);
mbedtls_mpi_free(&required);
if (ret != 0) {
return mbedtls_to_psa_error(ret);
}
} else
#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
{
return PSA_ERROR_INVALID_ARGUMENT;
}
}
if (attributes->core.bits != 0) { if (attributes->core.bits != 0) {
if (attributes->core.bits != slot->attr.bits) { if (attributes->core.bits != slot->attr.bits) {
return PSA_ERROR_INVALID_ARGUMENT; return PSA_ERROR_INVALID_ARGUMENT;
@ -7551,11 +7406,6 @@ psa_status_t psa_generate_key_internal(
(void) params; (void) params;
(void) params_data_length; (void) params_data_length;
if ((attributes->domain_parameters == NULL) &&
(attributes->domain_parameters_size != 0)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (key_type_is_raw_bytes(type)) { if (key_type_is_raw_bytes(type)) {
status = psa_generate_random(key_buffer, key_buffer_size); status = psa_generate_random(key_buffer, key_buffer_size);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {

View file

@ -16,7 +16,6 @@
void psa_reset_key_attributes(psa_key_attributes_t *attributes) void psa_reset_key_attributes(psa_key_attributes_t *attributes)
{ {
mbedtls_free(attributes->domain_parameters);
memset(attributes, 0, sizeof(*attributes)); memset(attributes, 0, sizeof(*attributes));
} }

View file

@ -345,10 +345,6 @@ psa_status_t mbedtls_psa_ecp_generate_key(
mbedtls_ecp_curve_info_from_grp_id(grp_id); mbedtls_ecp_curve_info_from_grp_id(grp_id);
mbedtls_ecp_keypair ecp; mbedtls_ecp_keypair ecp;
if (attributes->domain_parameters_size != 0) {
return PSA_ERROR_NOT_SUPPORTED;
}
if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) { if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) {
return PSA_ERROR_NOT_SUPPORTED; return PSA_ERROR_NOT_SUPPORTED;
} }