Fix expected error code when importing a persistent key or
registering a key with an invalid key identifier:
PSA_ERROR_INVALID_ARGUMENT instead of PSA_ERROR_INVALID_HANDLE.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Implementers and users would have to refer to the RFC for the detailed
specification of the algorithm anyway.
Keep a mention of the curves and hashes involved for avoidance of doubt.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The coordinates are over $F_{2^{255}-19}$, so by the general
definition of the bit size associated with the curve in the
specification, the value for size attribute of keys is 255.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The size attribute of a key is expressed in bits, so use bits in the
documentation. (The documentation of psa_export_key() describes the
export format, so it counts in bytes.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Call it “SHAKE256-512”, just like SHA3-512 has 512 bits of output.
SHAKE256-64 looks like it's 64 bits of output, but this is 64 bytes.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define algorithms for PureEdDSA and for HashEdDSA, the EdDSA variants
defined by RFC 8032.
The encoding for HashEdDSA needs to encode the hash algorithm so that
the hash can be calculated by passing PSA_ALG_SIGN_GET_HASH(sig_alg)
to psa_hash_compute() or psa_hash_setup(). As a consequence,
Ed25519ph (using SHA-512) and Ed448ph (using SHAKE256) need to have
different algorithm encodings (the key is enough to tell them apart,
but it is not known while hashing). Another consequence is that the
API needs to recognize the Ed448 prehash (64 bytes of SHAKE256 output)
as a hash algorithm.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add an elliptic curve family for the twisted Edwards curves
Edwards25519 and Edwards448 ("Goldilocks"). As with Montgomery curves,
since these are the only two curves in common use, the family has a
generic name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove cipher_generate_iv driver entry point as there
is no known use case to delegate this to a driver.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move members that are of no use to the PSA crypto core
to the Mbed TLS implementation specific operation context.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For cipher multi-part operations, dispatch based on
the driver identifier even in the case of the
Mbed TLS software implementation (viewed as a driver).
Also use the driver identifier to check that an
cipher operation context is active or not.
This aligns the way hash and cipher multi-part
operations are dispatched.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add missing PSA_WANT_CCM/GCM/CMAC. This completes
the set of PSA_WANT config options given the
current support of PSA crypto in Mbed TLS.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When these names were changed, the definition got misaligned with the
rest of the fields. Fix this alignment.
Signed-off-by: David Brown <david.brown@linaro.org>
The hash driver entry points (and consequentially the hash driver core)
are now always compiled on when PSA_CRYPTO_DRIVER_TEST is turned on.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Drivers (both built-in and external) need to declare their context
structures in a way such that they are accessible by the
to-be-autogenerated crypto_driver_contexts.h file. That file lives in
include/psa, which means all builtin driver context structure
declarations also need to live in include/psa.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
psa_aead_generate_nonce() could generate a nonce of up to 13 bytes,
depending on the inputs to psa_aead_set_lengths().
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
An earlier commit fixes the names of the PSA_WANT_ECC_ macros. Update
the crypto_config.h file to match these new names.
Signed-off-by: David Brown <david.brown@linaro.org>
Removes a broken doxygen link to a macro that is now internal and
cannot be seen from the public API anymore.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Apparently there's a goal to make the PSA Crypto core free from
dynamic memory allocations. Therefore, all driver context structures
need to be known at compile time in order for the core to know their
final size.
This change defines & implements for hashing operations how the context
structures get defined.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Fix places where Doxygen documentation uses \p to refer to a parameter
name and where the name used did not match the actual parameter name.
I used the following script to detect problematic cases:
```
perl -w -ne 'if (eof) { $. = 0; } if (m!^/\*\*!) { $in_doc = 1; %param = (); %p = (); } if (m!\*/!) { foreach $name (keys %p) { if (!$param{$name}) { foreach $line (@{$p{$name}}) { print "$ARGV:$line: $name\n" } } } $in_doc = 0; } if ($in_doc) { if (/\\param(?: *\[[^\[\]]*\])? +(\w+)/) { $param{$1} = 1; } foreach (/\\p +\*?(\w+)/) { push @{$p{$1}}, $.; } }' include/psa/*.h
```
This commits fixes all the remaining occurrences under include/psa,
which were just trivial name mismatches.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In Doxygen documentation, use \c rather than \p when discussing
something that isn't a parameter of the current macro or function.
Where needed, explain what the thing is.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
PSA_KEY_TYPE_RAW_DATA and PSA_KEY_TYPE_DERIVE are always supported.
Make this explicit by declaring PSA_WANT_KEY_TYPE_RAW_DATA and
PSA_WANT_KEY_TYPE_DERIVE unconditionally. This makes it easier to
infer dependencies in a systematic way.
Don't generate not-supported test cases for those key types. They
would always be skipped, which is noise and would make it impossible
to eventually validate that all test cases pass in at least one
configuration over the whole CI.
Don't remove the exception in set_psa_test_dependencies.py for now, to
get less noise in dependencies. This may be revised later if it is
deemed more important to be systematic.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Update with CHACHA20_POLY1305, CHACHA20. Add in CTR, which was missing,
and move ALG_XTS to its proper location alphabetically.
Signed-off-by: David Brown <david.brown@linaro.org>
PSA defines CBC with no padding, and CBC with PKCS7 padding. The bare
"ALG_CBC" is not defined, so remove this definition.
Signed-off-by: David Brown <david.brown@linaro.org>
Update the psa/crypto_config.h with the newly defined PSA_WANT_
definitions for symmetric ciphers and block modes.
Signed-off-by: David Brown <david.brown@linaro.org>
This brings them in line with PSA Crypto API 1.0.0
PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH -> PSA_ALG_AEAD_WITH_SHORTENED_TAG
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
when MBEDTLS_PSA_CRYPTO_C is defined and guard
PSA client code only with MBEDTLS_PSA_CRYPTO_CLIENT.
The definition of MBEDTLS_PSA_CRYPTO_CLIENT is done
in crypto_types.h before the definition of
psa_key_attributes_t. That way as PSA crypto client
code is related to key attributes we can be quite
confident that MBEDTLS_PSA_CRYPTO_CLIENT will be
defined when needed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Attempting to create an ECC key with a curve specification that is not
valid can plausibly fail with PSA_ERROR_INVALID_ARGUMENT ("this is not
a curve specification at all") or PSA_ERROR_NOT_SUPPORTED ("this may
be a curve specification, but not one I support"). The choice of error
is somewhat subjective.
Before this commit, due to happenstance in the implementation, an
attempt to use a curve that is declared in the PSA API but not
implemented in Mbed TLS returned PSA_ERROR_INVALID_ARGUMENT, whereas
an attempt to use a curve that Mbed TLS supports but for which support
was disabled at compile-time returned PSA_ERROR_NOT_SUPPORTED. This
inconsistency made it difficult to write negative tests that could
work whether the curve is implemented via Mbed TLS code or via a
driver.
After this commit, any attempt to use parameters that are not
recognized fails with NOT_SUPPORTED, whether a curve with the
specified size might plausibly exist or not, because "might plausibly
exist" is not something Mbed TLS can determine.
To keep returning INVALID_ARGUMENT when importing an ECC key with an
explicit "bits" attribute that is inconsistent with the size of the
key material, this commit changes the way mbedtls_ecc_group_of_psa()
works: it now works on a size in bits rather than bytes, with an extra
flag indicating whether the bit-size must be exact or not.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Rename the enum constants TLS12_PRF_xxx, which are declared in a
public header but not intended for use in application code, to start
with MBEDTLS_PSA_.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some of the material was originally the PSA specification, and
discusses how different implementations might behave. Replace such
statements by a description of how Mbed TLS behaves.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's about who has access to the key material in plaintext, not directly
where the operation is performed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This algorithm replaces the pre-existing stream cipher algorithms.
The underlying stream cipher is determined by the key type.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
The driver interfaces described in crypto_accel_driver.h and
crypto_entropy_driver.h are no longer being worked on. We do not
intend to finish the design of these interfaces or to implement them
in Mbed TLS. They have been superseded by the unified driver
interface (docs/proposed/psa-driver-interface.md), which is being
actively worked on both to finalize the specification and to implement
it in Mbed TLS.
The partially implemented dynamic secure element interface is staying
for now.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Due to a misplaced #endif, the (non-functional) macro definitions were
not properly removed from crypto_compat.h if MBEDTLS_DEPRECATED_REMOVED
was declared.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
The return values of the functions are updated in the documetation.
All possible return values are added including nested functions' return
values. The values which cannot be returned are removed.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
If the file is read correctly, but it contains data that isn't valid,
the crypto storage code returns PSA_ERROR_DATA_INVALID.
The PSA_ERROR_DATA_CORRUPT and PSA_ERROR_STORAGE_FAILURE error codes are
replaced with PSA_ERROR_DATA_INVALID, except in the ITS subsystem.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Note that the implementation here is just a sample, and integrators
are expected to replace it with whatever they need.
But do try to supply a definition that can be somewhat useful (give
room for pointer+size).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define a sample type mbedtls_psa_external_random_context_t in
psa/crypto_platform.h and define the prototype of
mbedtls_psa_external_get_random() in a public header.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Rename functions to get a key slot:
. to make their naming more consistent
. to emphasize that those functions set a lock on the
key slot they return to protect it from being wiped
out and re-used while some part of the library
is accessing it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Moved new check_crypto_config.h file from include/psa to library
directory and the file is now included from *.c instead of the
crypto_config.h file. Fixed guards in PSA crypto library based
on review comments for new PSA crypto config features.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Moved from doing the dependency checks for MBEDTLS_PSA_BUILTIN to
checking the PSA_WANT macros for the dependency checks. This required
moving the file into the include/psa directory and having the file be
included by crypto_config.h instead of config_psa.h.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Add a counter of unaccessed slots and use it
in tests to check that at the end of PSA tests
all key slot are unaccessed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The lifetime of key attributes now encodes whether a key is
volatile/persistent or not AND its location.
Fix PSA code where the fact that the lifetime encodes
the key location was not taken into account properly.
Fix the impacted tests and add two non regression tests.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add the mbedtls_set_key_owner_id API,
API specific to the MbedTLS PSA implementation.
The API allows to define the owner of
volatile keys.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move all the PSA crypto APIs using key handles
to use key identifiers but psa_key_open() and
psa_key_close(). This is done without modifying
any test as key handles and key identifiers are
now the same.
Update the library modules using PSA crypto APIs
to get rid of key handles.
Programs and unit tests are updated to not use
key handles in subsequent commits, not in this
one.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.
The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Updated macros in config_psa.h that used ECC_xxx to use KEY_TYPE_ECC_xxx
per comments from review. Implemented a check_config_psa.h to help with
dependency checking of features enabled in config_psa.h. Added
check_config_psa.h to visual studio project.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
In order to pass existing tests like test_psa_crypto_config_basic
and test_psa_crypto_config_no_driver, all the new features need
to be enabled in the default crypto_config.h file. This change
enables those features by default and updates the other new
tests to compensate for everything being enabled by disabling
some features for some of the tests as needed.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
In the original attempt to add RSA support to PSA crypto config was too
generic. This set of changes adds support for the following RSA features:
PSA_WANT_ALG_RSA_PKCS1V15_CRYPT, PSA_WANT_ALG_RSA_PKCS1V15_SIGN,
PSA_WANT_ALG_RSA_OAEP, PSA_WANT_ALG_RSA_PSS, PSA_WANT_KEY_TYPE_RSA_KEY_PAIR,
and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY.
There were also some updates to ensure the proper inclusion of PSA crypto
library code when certain features are enabled. These updates were made to
address warnings and errors in builds from the new tests for these
features being added for PSA crypto configuration.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously
being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change
moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR
and PUBLIC_KEY as needed. Tests have also been added to validate the new
settings.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
This phase adds in support for the following features being
added to the list of features that can be configured in the
include/psa/crypto_config.h header file using the PSA_WANT_ALG_xxx
macros: ECDH, HMAC, HKDF, and RSA. These changes include changes to
the PSA crypto library to use the appropriate new guards that
will allow the feature to be compiled in or out either using
new PSA_WANT_ALG_xxx or the previous MBEDTLS_xxx macros.
For HKDF and HMAC, most of the PSA library code did not have a
specific matching MBEDTLS_xxx macro for that feature, but was instead
using the generic dependent MBEDTLS_MD_C macro. The ECDH and RSA
features more closely aligned with a direct replacement with a similar
macro.
The new tests for RSA, HMAC, and HKDF would normally unset additional
dependent macros, but when attempting to implement that level of
testing it required removal of too many core features like MD_C, PK_C,
ECP_C and other low level features. This may point to additional phases of
work to complete the transition of these features to the new model.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
When the new PSA crypto configuration mechanism MBEDTLS_PSA_CRYPTO_CONFIG
is disabled, legacy configurations must keep working, even if they don't
include the new header file mbedtls/config_psa.h. Code that uses or
implements PSA crypto interfaces needs some of the symbols defined by the
new header file. Therefore, include the new header file via PSA crypto
headers, which are included everywhere mbedtls/config_psa.h is needed.
Include it early, in psa/crypto_platform.h, just after including
mbedtls/config.h, so that its symbols are available wherever the symbols
from mbedtls/config.h is available.
This fixes the unit tests with configs/config-psa-crypto.h: some unit
tests were failing, revealing that library features controlled with
the new symbols were no longer getting built.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit defines the following new macros added to the PSA Crypto API
between versions 1.0 beta 3 and 1.0.0 final:
PSA_AEAD_NONCE_LENGTH
PSA_AEAD_NONCE_MAX_SIZE
PSA_CIPHER_IV_LENGTH
PSA_CIPHER_IV_MAX_SIZE
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
The psa crypto library was generically using PSA_WANT_ALG_xxx, but
should have been using the correct MBEDTLS_PSA_BUILTIN_ALG_xxx
definition since that code is the builtin version. There were also
a couple of spots that needed to ensure the code block was enabled
for either ECDSA or DETERMINISTIC_ECDSA, not just one of them.
Fixed all the new ALG_ECDSA_DETERMINISTIC names to be
ALG_DETERMINISTIC_ECDSA instead.
Fixed test to use correct definitions.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Need to make sure the new MBEDTLS_PSA_ACCEL_XXX defines are not checked
since they should be defined by the PSA driver. Updated the list-macros.sh
script to modify the instances of those found to match the corresponding
MBEDTLS_PSA_BUILTIN_XXX that are defined in config_psa.h
Fixed definition of MBEDTLS_PSA_BUILTIN_ALG_ECDSA_DETERMINISTIC, name was
incorrect. Also fixed a missing space in the comments of crypto_config.h
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Provided more detailed documentation for crypto_config.h file so it
is clear to users can enable cryptographic mechanisms using
PSA_WANT_XXX. If MBEDTLS_PSA_CRYPTO_CONFIG is not set the settings in
this file are not used.
Ensure that defines used in this file are set to 1 and not simply defined
per the specification. Also removed the __cplusplus guards since they are
not needed for this file.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Originally, MBEDTLS_PSA_CRYPTO_CONFIG was being used to allow
inclusion of mbedlts/config_psa.h, but that needed to be updated
so that mbedtls/config_psa.h is always included and the definitions
specific to PSA configuration are now guarded by
MBEDTLS_PSA_CRYPTO_CONFIG. This will allow for the standard setup
to continue working while new PSA configuration items to also work.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
In order to prepare for PSA cryptographic mechanism for conditional
inclusion of various modules, there needs to be some updates to
the mbedtls configuration to enable that feature to work. This initial
set of changes just lays the ground work and future changes will
implement the functional features.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Move key identifier related macros and functions from
crypto_types.h to crypto_values.h as the latter is
the intended file to put them in.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
* Reworked the cipher context once again to be more robustly defined
* Removed redundant memset
* Unified behaviour on failure between driver and software in cipher_finish
* Cipher test driver setup function now also returns early when its status
is overridden, like the other test driver functions
* Removed redundant test cases
* Added bad-order checking to verify the driver doesn't get called where
the spec says it won't.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Once an operation has been 'accepted' by a driver, the remainder is bound
to the same driver, since driver-specific context structs cannot be shared.
This provides a pretty good gate mechanism for the fallback logic, too.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Fix PSA code and unit tests for the unit tests
to pass with key identifiers encoding owner
identifiers.
The changes in PSA code just make the enablement
of key identifiers encoding owner identifiers
platform independent. Previous to this commit,
such key identifiers were used only in the case
of PSA SPM platforms.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
With PSA crypto v1.0.0, a volatile key identifier may
contain a owner identifier but no file is associated
to it. Thus rename the type psa_key_file_id_t to
mbedtls_svc_key_id_t to avoid a direct link with a
file when a key identifier involves an owner
identifier.
The new type name is prefixed by mbedtls to highlight
that the type is specific to Mbed TLS implementation
and not defined in the PSA Cryptography API
specification.
The svc in the type name stands for service as this
is the key identifier type from the point of view of
the service providing the Cryptography services.
The service can be completely provided by the present
library or partially in case of a multi-client service.
As a consequence rename as well:
. MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to
MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
. PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT
. PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID
. psa_key_file_id_make to mbedtls_svc_key_id_make
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Rename psa_key_owner_id_t to mbedtls_key_owner_id_t to
highlight that this is a Mbed TLS specific type and not
a type defined in the PSA Cryptography API specification.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
As a volatile key identifier may have a non-zero owner
identifier, don't reset the key owner identifier (if any)
when setting a volatile lifetime for a key.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define always psa_key_id_t as defined in the PSA
Cryptography API specification independently of
whether the MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration file is set or not.
As a consequence, get rid of `psa_app_key_id_t` that is
not needed anymore.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The purpose of this commit and the following is for
psa_key_id_t to always be as defined by the PSA
Cryptography API specification.
Currently psa_key_id_t departs from its specification
definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration flag is set. In that configuration, it is set
to be equal to psa_key_file_id_t which in that configuration
encodes an owner identifier along the key identifier.
Type psa_key_file_id_t was meant to be the key identifier type
used throughout the library code. If
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it
includes both a key and owner identifier, otherwise it is
equal to psa_key_id_t.
It has not been the key identifier type throughout the
library so far because when the PSA Cryptography
specification was developped the library Doxygen
documentation was used to generate the PSA Cryptography API
specification thus the need to use psa_key_id_t and not
psa_key_file_id_t.
As this constraint does not hold anymore, move
to psa_key_file_id_t as the key identifier type throughout
the library code.
By the way, this commit updates the key identifier
initialization in the tests to be compatible with a
composit key identifier. A psa_key_id_make()
inline function is introduced to initialize key
identifiers (composit ot not) at runtime.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
`psa_key_file_id_t` was defined in `crypto_platform.h` and
not `crypto_types.h` even if it wasn't platform dependent
because back when the PSA Crypto Specification was put
together `crypto_types.h` was meant to contain only types
that were intended to make it to the specification. There
is not such constraint anymore thus move the definition
of `psa_key_file_id_t` to crypto_types.h.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.
Also remove the now-redundant lines declaring that the files are part of
MbedTLS.
This commit was generated using the following script:
# ========================
#!/bin/sh
# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '
# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I
# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
In the documentation of lifetimes, replace language meant for the PSA
specification by language that is specifically about Mbed TLS. Reduce
the discussion of what could happen in other implementation, and
discuss what can and cannot happen in integrations of Mbed TLS.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
PSA_ALG_ECB_NO_PADDING came in to the PSA Crypto API spec v1.0.0, but
was not implemented yet in the mbed TLS implementation.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Follow the PSA Crypto specification which was updated between 1.0 beta3
and 1.0.0.
Add corresponding test cases.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Rename PSA_DH_GROUP_xxx to PSA_DH_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_GROUP to PSA_KEY_TYPE_DH_GET_FAMILY and rename
psa_dh_group_t to psa_dh_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Rename PSA_ECC_CURVE_xxx to PSA_ECC_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_CURVE to PSA_KEY_TYPE_ECC_GET_FAMILY and rename
psa_ecc_curve_t to psa_ecc_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Now that lifetimes have structures and secure element drivers handle
all the lifetimes with a certain location, update driver registration
to take a location as argument rather than a lifetime.
This commit updates the tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that lifetimes have structures and secure element drivers handle
all the lifetimes with a certain location, update driver registration
to take a location as argument rather than a lifetime.
This commit updates the PSA specification draft.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Applications need this to combine implementation-specific values of
persistence levels and location indicators.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Call persistence "default" because that is genuinely the default that
applications should use if they don't know better. It's slightly
misleading in that the default persistence when you create a key is
volatile, not this: "default" is the default persistence for
persistent keys, not the default persistence for keys in general. But
we haven't found a better name.
Introduce the term "primary local storage" to designate the default
storage location.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Most of the documentation and some of the function names use
"asymmetric", so use "asymmetric" everywhere. Mention "public-key" in
key places to make the relevant functions easy to find if someone is
looking for that.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
On dual world platforms, we want to run the PK module (pk.c) on the NS
side so TLS can use PSA APIs via the PK interface. PK currently has a
hard dependency on mbedtls_ecc_group_to_psa() which is declared in
crypto_extra.h, but only defined in psa_crypto.c, which is only built
for the S side.
Without this change, dual world platforms get error messages like the
following.
[Error] @0,0: L6218E: Undefined symbol mbedtls_ecc_group_to_psa (referred from BUILD/LPC55S69_NS/ARM/mbed-os/features/mbedtls/mbed-crypto/src/pk.o)
Make mbedtls_ecc_group_to_psa() inline within crypto_extra.h so that it
is available to both NS and S world code.
Fixes#3300
Signed-off-by: Darryl Green <darryl.green@arm.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
This patch changes the compatibility API defined in crypto_compat.h
to static inline functions as the previous macro definitions were
causing issues for the C pre-processor when included in projects
which need to redefine the PSA function names. Making it static
inline function solves this problem neatly and also modern compilers
do a good job at inlining the function which makes the need for making
it a macro redundant.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change the encoding of key types, EC curve families and DH group
families to make the low-order bit a parity bit (with even parity).
This ensures that distinct key type values always have a Hamming
distance of at least 2, which makes it easier for implementations to
resist single bit flips.
All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.
Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.
Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.
Reorder psa_core_key_attributes_t to avoid padding.
Remove the values of curve encodings that are based on the TLS registry
and include the curve size, keeping only the new encoding that merely
encodes a curve family in 8 bits.
Keep the old constant names as aliases for the new values and
deprecate the old names.
Define constants for ECC curve families and DH group families. These
constants have 0x0000 in the lower 16 bits of the key type.
Support these constants in the implementation and in the PSA metadata
tests.
Switch the slot management and secure element driver HAL tests to the
new curve encodings. This requires SE driver code to become slightly
more clever when figuring out the bit-size of an imported EC key since
it now needs to take the data size into account.
Switch some documentation to the new encodings.
Remove the macro PSA_ECC_CURVE_BITS which can no longer be implemented.
Change the representation of psa_ecc_curve_t and psa_dh_group_t from
the IETF 16-bit encoding to a custom 24-bit encoding where the upper 8
bits represent a curve family and the lower 16 bits are the key size
in bits. Families are based on naming and mathematical similarity,
with sufficiently precise families that no two curves in a family have
the same bit size (for example SECP-R1 and SECP-R2 are two different
families).
As a consequence, the lower 16 bits of a key type value are always
either the key size or 0.
Key types are now encoded through a category in the upper 4 bits (bits
28-31) and a type-within-category in the next 11 bits (bits 17-27),
with bit 16 unused and bits 0-15 only used for the EC curve or DH
group.
For symmetric keys, bits 20-22 encode the block size (0x0=stream,
0x3=8B, 0x4=16B).
Change the numerical encoding of values for symmetric key types to
have 0000 as the lower 16 bits. Now the lower 16 bits are only used
for key types that have a subtype (EC curve or DH group).
Whether a parameter should be const is an implementation detail of the
function, so don't declare a parameter of psa_hash_compare as
const. (This only applies to parameters themselves, not to objects
that pointer parameters points to.)
Rename some macros and functions related to signature which are
changing as part of the addition of psa_sign_message and
psa_verify_message.
perl -i -pe '%t = (
PSA_KEY_USAGE_SIGN => PSA_KEY_USAGE_SIGN_HASH,
PSA_KEY_USAGE_VERIFY => PSA_KEY_USAGE_VERIFY_HASH,
PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE => PSA_SIGNATURE_MAX_SIZE,
PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE => PSA_SIGN_OUTPUT_SIZE,
psa_asymmetric_sign => psa_sign_hash,
psa_asymmetric_verify => psa_verify_hash,
); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files . ':!:**/crypto_compat.h')
Move backward compatibility aliases to a separate header. Reserve
crypto_extra.h for implementation-specific extensions that we intend
to keep supporting.
This is better documentation for users. New users should simply ignore
backward compatibility aliases, and old users can look at
crypto_compat.h to see what is deprecated without bothering about new
features appearing in crypto_extra.h.
This facilitates maintenance because scripts such as
generate_psa_constants that want to ignore backward compability
aliases can simply exclude crypto_compat.h from their parsing.
PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE was taking the maximum ECDSA key
size as the ECDSA signature size. Fix it to use the actual maximum
size of an ECDSA signature.
Document that passing 0 to a close/destroy function does nothing and
returns PSA_SUCCESS.
Although this was not written explicitly, the specification strongly
suggested that this would return PSA_ERROR_INVALID_HANDLE. While
returning INVALID_HANDLE makes sense, it was awkward for a very common
programming style where applications can store 0 in a handle variable
to indicate that the handle has been closed or has never been open:
applications had to either check if (handle != 0) before calling
psa_close_key(handle) or psa_destroy_key(handle), or ignore errors
from the close/destroy function. Now applications following this style
can just call psa_close_key(handle) or psa_destroy_key(handle).
Add a parameter to the p_validate_slot_number method to allow the
driver to modify the persistent data.
With the current structure of the core, the persistent data is already
updated. All it took was adding a way to modify it.
When registering a key in a secure element, go through the transaction
mechanism. This makes the code simpler, at the expense of a few extra
storage operations. Given that registering a key is typically very
rare over the lifetime of a device, this is an acceptable loss.
Drivers must now have a p_validate_slot_number method, otherwise
registering a key is not possible. This reduces the risk that due to a
mistake during the integration of a device, an application might claim
a slot in a way that is not supported by the driver.
Define a vendor-range within the the private use ranges in the IANA
registry. Provide recommendations for how to support vendor-defined
curves and groups.
If none of the inputs to a key derivation is a
PSA_KEY_DERIVATION_INPUT_SECRET passed with
psa_key_derivation_input_key(), forbid
psa_key_derivation_output_key(). It usually doesn't make sense to
derive a key object if the secret isn't itself a proper key.
Allow a direct input as the SECRET input step in a key derivation, in
addition to allowing DERIVE keys. This makes it easier for
applications to run a key derivation where the "secret" input is
obtained from somewhere else. This makes it possible for the "secret"
input to be empty (keys cannot be empty), which some protocols do (for
example the IV derivation in EAP-TLS).
Conversely, allow a RAW_DATA key as the INFO/LABEL/SALT/SEED input to a key
derivation, in addition to allowing direct inputs. This doesn't
improve security, but removes a step when a personalization parameter
is stored in the key store, and allows this personalization parameter
to remain opaque.
Add test cases that explore step/key-type-and-keyhood combinations.
Keys of size 0 generally don't make sense: a key is supposed to be
secret. There is one edge case which is "raw data" keys, which are
useful to store non-key objects in the same storage location as keys.
However those are also problematic because they involve a zero-length
buffer. Manipulating zero-length buffers in C requires special cases
with functions like malloc() and memcpy(). Additionally, 0 as a key
size already has a meaning "unspecified", which does not always
overlap seamlessly with the meaning "0".
Therefore, forbid keys of size 0. No implementation may accept them.
Clarify how key creation functions use attributes. Explain the meaning
of attribute values, espcially what 0 means in each field where it has
a special meaning. Explain what an algorithm usage policy can be (an
algorithm, a wildcard with ANY_HASH, or 0).
* open output distinct key handles
* each handle must be closed
* destroying a key does not invalidate other handles
* closing a key can/might fail an active operation (but not required)
It may be possible that the implementation runs out of
memory when exporting a key from storage or a secure
element. For example, it may not be possible to directly
move the data from storage to the caller, so the implementation
will have to buffer the material temporarily (an issue if dynamic
memory allocation scheme is used). For a large key
this is more likely to return.
It may be possible that an implementation does not
fetch key material until a command like
this is called and such an error may occur if an
off-chip secure storage dependency may have been wiped.
Note that PSA_ERROR_NOT_PERMITTED is not included
because I can't think of a scenario where you have
a valid key handle but aren't allowed to read the
attributes
If the key doesn't exist by the time this call is made
then the handle is invalid,
which means that PSA_ERROR_INVALID_HANDLE should be
returned rather than "does not exist"
It may be possible that the implementation runs out of
memory when exporting a key from storage or a secure
element. For example, it may not be possible to directly
move the data from storage to the caller, so the implementation
will have to buffer the material temporarily (an issue if dynamic
memory allocation scheme is used). For a large key
this is more likely to return.
It may be possible that an implementation does not
fetch key material until a command like
this is called and such an error may occur if an
off-chip secure storage dependency may have been wiped.
Note that PSA_ERROR_NOT_PERMITTED is not included
because I can't think of a scenario where you have
a valid key handle but aren't allowed to read the
attributes
Avoid compiler errors when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
is set by using the application ID type.
[Error] psa_crypto_slot_management.c@175,9: used type 'psa_key_id_t' (aka 'psa_key_file_id_t') where arithmetic or pointer type is required
A macro useful for initializing psa_key_id_t, whether
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set or not. Without this
macro, it is necessary to know if
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER as with it the key ID is
non-scalar and needs to be initialized with {0, 0}, and 0 otherwise when
key ID is scalar.
Adjust the wording to permit multiple handles to a single key - closing
a handle does not necessarily release volatile memory associated with
the key, that only occurs when the last handle is closed.
- Describe the implementation defined behavior for opening multiple
keys, and provide a reference to the relevant section.
- Describe the use of INSUFFICENT_MEMORY error to indicate additional
implementation resource constaints.
- Clarify the distinction between DOES_NOT_EXIST and INVALID_HANDLE
error conditions.
Avoid an error with differing linkages being expressed for
psa_set_key_domain_parameters() between crypto_extra.h and
crypto_struct.h in C++ builds.
[Error] crypto_extra.h@456,14: conflicting declaration of 'psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t*, psa_key_type_t, const uint8_t *, size_t)' with 'C' linkage
The methods to import and generate a key in a secure element drivers
were written for an earlier version of the application-side interface.
Now that there is a psa_key_attributes_t structure that combines all
key metadata including its lifetime (location), type, size, policy and
extra type-specific data (domain parameters), pass that to drivers
instead of separate arguments for each piece of metadata. This makes
the interface less cluttered.
Update parameter names and descriptions to follow general conventions.
Document the public-key output on key generation more precisely.
Explain that it is optional in a driver, and when a driver would
implement it. Declare that it is optional in the core, too (which
means that a crypto core might not support drivers for secure elements
that do need this feature).
Update the implementation and the tests accordingly.
