diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 6caa62abf..6675ba45f 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -89,10 +89,6 @@ typedef enum { PSA_ERROR_INVALID_SIGNATURE, /** The decrypted padding is incorrect. */ PSA_ERROR_INVALID_PADDING, - /** The key lifetime value is incorrect. */ - PSA_ERROR_INVALID_LIFETIME, - /** The key lifetime can not be changed. */ - PSA_ERROR_KEY_LIFETIME_CHANGE, /** An error occurred that does not correspond to any defined failure cause. */ PSA_ERROR_UNKNOWN_ERROR, @@ -582,15 +578,19 @@ psa_status_t psa_get_key_policy(psa_key_slot_t key, */ typedef uint32_t psa_key_lifetime_t; +/** An invalid key lifetime value. + */ +#define PSA_KEY_LIFETIME_NONE ((psa_key_lifetime_t)0x00000000) + /** A volatile key slot retains its content as long as the application is * running. It is guaranteed to be erased on a power reset. */ -#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000) +#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000001) /** A persistent key slot retains its content as long as it is not explicitly * destroyed. */ -#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) +#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000002) /** A write-once key slot may not be modified once a key has been set. * It will retain its content as long as the device remains operational. 
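Review bot: In the `@@ -582` hunk of include/psa/crypto.h the value 0 now means `PSA_KEY_LIFETIME_NONE`, while the `@@ -363` hunk of library/psa_crypto.c drops `slot->lifetime = 0;` from psa_import_key, so nothing visible in this commit gives an imported key a valid lifetime. If the slot array is zero-initialised (not visible here), psa_get_key_lifetime would report the invalid value for every key whose lifetime was never set; consider `slot->lifetime = PSA_KEY_LIFETIME_VOLATILE;` in psa_import_key instead of deleting the assignment. The renumbering also reuses 0x00000001, which meant persistent and now means volatile, so a caller built against the old header would silently get a different lifetime than it asked for. A comment on the defines such as `/* Values renumbered: 0 is reserved as invalid, do not mix with older headers. */` would make that explicit. The PSA_KEY_LIFETIME_WRITE_ONCE define lies outside the hunk.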
@@ -617,11 +617,10 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); /** \brief Change the lifetime of a key slot. + * Whether the lifetime of a key slot can be changed at all, and if so + * whether the lifetime of an occupied key slot can be changed, is + * implementation-dependent. * - * \note In case a key slot has PSA_KEY_LIFETIME_WRITE_ONCE lifetime, - * it can not be changed and trying to set new value will return - * an error - * * \param key Slot whose content is to be exported. This must * be an occupied key slot. * \param lifetime The lifetime value to be set for the given key. @@ -633,11 +632,6 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * or the key data is not correctly formatted. * \retval PSA_ERROR_EMPTY_SLOT * The key slot is not occupied. - * \retval PSA_ERROR_INVALID_LIFETIME - * The lifetime value is not valid. - * \retval PSA_ERROR_KEY_LIFETIME_CHANGE - * The key slot already has PSA_KEY_LIFETIME_WRITE_ONCE value, - * and can not be changed. */ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, const psa_key_lifetime_t lifetime); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 329ee3dc5..bdb47d249 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -363,7 +363,6 @@ psa_status_t psa_import_key(psa_key_slot_t key, } slot->type = type; - slot->lifetime = 0; return( PSA_SUCCESS ); } 
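Review bot: The psa_set_key_lifetime documentation changed by the `@@ -617` and `@@ -633` hunks no longer lists every status the function returns: the library/psa_crypto.c change returns PSA_ERROR_NOT_SUPPORTED for any lifetime other than volatile, but no `\retval PSA_ERROR_NOT_SUPPORTED` is added. I would add that entry with text such as `The implementation does not support the requested lifetime.`, and say under PSA_ERROR_INVALID_ARGUMENT (its `\retval` line is presumably just above the hunk) that an invalid lifetime value is reported that way. The three added sentences also follow the `\brief` line without a separating ` *` line, so Doxygen will fold them into the brief description.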
@@ -1292,17 +1291,17 @@ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT ) return( PSA_ERROR_INVALID_ARGUMENT ); + if( lifetime != PSA_KEY_LIFETIME_VOLATILE && + lifetime != PSA_KEY_LIFETIME_PERSISTENT && + lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) + return( PSA_ERROR_INVALID_ARGUMENT ); + slot = &global_data.key_slots[key]; if( slot->type == PSA_KEY_TYPE_NONE ) return( PSA_ERROR_EMPTY_SLOT ); - if( lifetime != PSA_KEY_LIFETIME_VOLATILE && - lifetime != PSA_KEY_LIFETIME_PERSISTENT && - lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) - return( PSA_ERROR_INVALID_LIFETIME ); - - if ( slot->lifetime == PSA_KEY_LIFETIME_WRITE_ONCE ) - return( PSA_ERROR_KEY_LIFETIME_CHANGE ); + if ( lifetime != PSA_KEY_LIFETIME_VOLATILE ) + return( PSA_ERROR_NOT_SUPPORTED ); slot->lifetime = lifetime; diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 9611c3248..be31c39bd 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -87,12 +87,6 @@ sign_fail:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5 PSA Key Lifetime set and get volatile key_lifetime:PSA_KEY_LIFETIME_VOLATILE -PSA Key Lifetime set and get persistent -key_lifetime:PSA_KEY_LIFETIME_PERSISTENT - -PSA Key Lifetime set and get write_once -key_lifetime:PSA_KEY_LIFETIME_WRITE_ONCE - PSA Key Lifetime set fail, invalid key slot key_lifetime_set_fail:0:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_INVALID_ARGUMENT 
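Review bot: In psa_set_key_lifetime the check that refused to change a slot whose current lifetime is PSA_KEY_LIFETIME_WRITE_ONCE is removed outright rather than kept behind the new `PSA_ERROR_NOT_SUPPORTED` return. That is harmless only while this function can store nothing but volatile; once another lifetime becomes settable, write-once slots lose their immutability unless the guard comes back. I would leave a comment at the new check, e.g. `/* Only volatile is implemented; restore the write-once check when other lifetimes are supported. */`. Separately, the unchanged bounds test admits `key == MBEDTLS_PSA_KEY_SLOT_COUNT` before `key_slots[key]` is indexed, which is in range only if the array has one more element than that count; the declaration is outside the hunk. The function starts and ends outside the hunk.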
@@ -100,7 +94,7 @@ PSA Key Lifetime set fail, unoccupied key slot key_lifetime_set_fail:2:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_EMPTY_SLOT PSA Key Lifetime set fail, can not change write_once lifetime -key_lifetime_set_fail:1:PSA_KEY_LIFETIME_WRITE_ONCE:PSA_ERROR_KEY_LIFETIME_CHANGE +key_lifetime_set_fail:1:PSA_KEY_LIFETIME_WRITE_ONCE:PSA_ERROR_NOT_SUPPORTED PSA Key Lifetime set fail, invalid key lifetime value -key_lifetime_set_fail:1:PSA_KEY_LIFETIME_PERSISTENT+1:PSA_ERROR_INVALID_LIFETIME +key_lifetime_set_fail:1:PSA_KEY_LIFETIME_PERSISTENT+1:PSA_ERROR_INVALID_ARGUMENT diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index b4bf66060..7cb38d986 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -378,10 +378,10 @@ void key_lifetime( int lifetime_arg ) key, sizeof( key ) ) == PSA_SUCCESS ); TEST_ASSERT( psa_set_key_lifetime( key_slot, - lifetime_set ) == PSA_SUCCESS ); + lifetime_set ) == PSA_SUCCESS ); TEST_ASSERT( psa_get_key_lifetime( key_slot, - &lifetime_get ) == PSA_SUCCESS ); + &lifetime_get ) == PSA_SUCCESS ); TEST_ASSERT( lifetime_get == lifetime_set );
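Review bot: The case titled `PSA Key Lifetime set fail, can not change write_once lifetime` in tests/suites/test_suite_psa_crypto.data no longer tests what its title says. It now checks that requesting PSA_KEY_LIFETIME_WRITE_ONCE is answered with PSA_ERROR_NOT_SUPPORTED, so the title should become something like `PSA Key Lifetime set fail, write_once not supported`. The new PSA_KEY_LIFETIME_NONE value has no case; `key_lifetime_set_fail:1:PSA_KEY_LIFETIME_NONE:PSA_ERROR_INVALID_ARGUMENT` would pin that it is rejected. The invalid-value case still uses `PSA_KEY_LIFETIME_PERSISTENT+1`, which is now 3 and stays invalid only if PSA_KEY_LIFETIME_WRITE_ONCE (defined outside the visible hunks) is not 3.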