mbedtls/library/psa_crypto_slot_management.h

/*
 *  PSA crypto layer on top of Mbed TLS crypto
 */
/*  Copyright (C) 2018, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

#ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
#define PSA_CRYPTO_SLOT_MANAGEMENT_H

/* Number of key slots (plus one because 0 is not used).
 * The value is a compile-time constant for now, for simplicity. */
#define PSA_KEY_SLOT_COUNT 32

/** Access a key slot at the given handle.
 *
 * \param handle        Key handle to query.
 * \param[out] p_slot   On success, `*p_slot` contains a pointer to the
 *                      key slot in memory designated by \p handle.
 *
 * \retval PSA_SUCCESS
 *         Success: \p handle is a handle to `*p_slot`. Note that `*p_slot`
 *         may be empty or occupied.
 * \retval PSA_ERROR_INVALID_HANDLE
 *         \p handle is out of range or is not in use.
 * \retval PSA_ERROR_BAD_STATE
 *         The library has not been initialized.
 */
psa_status_t psa_get_key_slot( psa_key_handle_t handle,
                               psa_key_slot_t **p_slot );

/** Initialize the key slot structures.
 *
 * \retval PSA_SUCCESS
 *         Currently this function always succeeds.
 */
psa_status_t psa_initialize_key_slots( void );

/** Delete all data from key slots in memory.
 *
 * This does not affect persistent storage. */
void psa_wipe_all_key_slots( void );

/** Find a free key slot and mark it as in use.
 *
 * \param[out] handle   On success, a slot number that is not in use. This
 *                      value can be used as a handle to the slot.
 * \param[out] p_slot   On success, a pointer to the slot.
 *
 * \retval #PSA_SUCCESS
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
 * \retval #PSA_ERROR_BAD_STATE
 */
psa_status_t psa_internal_allocate_key_slot( psa_key_handle_t *handle,
                                             psa_key_slot_t **p_slot );

/** Test whether the given parameters are acceptable for a persistent key.
 *
 * This function does not access the storage in any way. It only tests
 * whether the parameters are meaningful and permitted by general policy.
 * It does not test whether the a file by the given id exists or could be
 * created.
 *
 * \param lifetime      The lifetime to test.
 * \param id            The key id to test.
 * \param creating      0 if attempting to open an existing key.
 *                      Nonzero if attempting to create a key.
 *
 * \retval PSA_SUCCESS
 *         The given parameters are valid.
 * \retval PSA_ERROR_INVALID_ARGUMENT
 *         \p lifetime is volatile or is invalid.
 * \retval PSA_ERROR_INVALID_ARGUMENT
 *         \p id is invalid.
 */
psa_status_t psa_validate_persistent_key_parameters(
    psa_key_lifetime_t lifetime,
    psa_key_file_id_t id,
    int creating );


#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only. 2018-11-30 17:54:54 +00:00			`/*`
			`* PSA crypto layer on top of Mbed TLS crypto`
			`*/`
			`/* Copyright (C) 2018, ARM Limited, All Rights Reserved`
			`* SPDX-License-Identifier: Apache-2.0`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`* not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*`
			`* This file is part of mbed TLS (https://tls.mbed.org)`
			`*/`

			`#ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H`
			`#define PSA_CRYPTO_SLOT_MANAGEMENT_H`

			`/* Number of key slots (plus one because 0 is not used).`
			`* The value is a compile-time constant for now, for simplicity. */`
			`#define PSA_KEY_SLOT_COUNT 32`

Document some functions in internal headers 2018-12-10 16:00:38 +00:00			`/** Access a key slot at the given handle.`
			`*`
			`* \param handle Key handle to query.`
			* \param[out] p_slot On success, `*p_slot` contains a pointer to the
			`* key slot in memory designated by \p handle.`
			`*`
			`* \retval PSA_SUCCESS`
			* Success: \p handle is a handle to `p_slot`. Note that `p_slot`
			`* may be empty or occupied.`
			`* \retval PSA_ERROR_INVALID_HANDLE`
			`* \p handle is out of range or is not in use.`
			`* \retval PSA_ERROR_BAD_STATE`
			`* The library has not been initialized.`
			`*/`
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module. 2018-12-10 15:29:04 +00:00			`psa_status_t psa_get_key_slot( psa_key_handle_t handle,`
			`psa_key_slot_t **p_slot );`

Document some functions in internal headers 2018-12-10 16:00:38 +00:00			`/** Initialize the key slot structures.`
			`*`
			`* \retval PSA_SUCCESS`
			`* Currently this function always succeeds.`
			`*/`
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module. 2018-12-10 15:29:04 +00:00			`psa_status_t psa_initialize_key_slots( void );`

Document some functions in internal headers 2018-12-10 16:00:38 +00:00			`/** Delete all data from key slots in memory.`
			`*`
			`* This does not affect persistent storage. */`
Move the key slot array to the slot management module Move the key slot array and its initialization and wiping to the slot management module. Also move the lowest-level key slot access function psa_get_key_slot and the auxiliary function for slot allocation psa_internal_allocate_key_slot to the slot management module. 2018-12-10 15:29:04 +00:00			`void psa_wipe_all_key_slots( void );`

Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller. 2019-05-27 17:01:54 +00:00			`/** Find a free key slot and mark it as in use.`
Remove obsolete key creation functions Remove the key creation functions from before the attribute-based API, i.e. the key creation functions that worked by allocating a slot, then setting metadata through the handle and finally creating key material. 2019-05-27 12:53:10 +00:00			`*`
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller. 2019-05-27 17:01:54 +00:00			`* \param[out] handle On success, a slot number that is not in use. This`
			`* value can be used as a handle to the slot.`
			`* \param[out] p_slot On success, a pointer to the slot.`
Remove obsolete key creation functions Remove the key creation functions from before the attribute-based API, i.e. the key creation functions that worked by allocating a slot, then setting metadata through the handle and finally creating key material. 2019-05-27 12:53:10 +00:00			`*`
			`* \retval #PSA_SUCCESS`
			`* \retval #PSA_ERROR_INSUFFICIENT_MEMORY`
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller. 2019-05-27 17:01:54 +00:00			`* \retval #PSA_ERROR_BAD_STATE`
Remove obsolete key creation functions Remove the key creation functions from before the attribute-based API, i.e. the key creation functions that worked by allocating a slot, then setting metadata through the handle and finally creating key material. 2019-05-27 12:53:10 +00:00			`*/`
Simplify key slot allocation Now that psa_allocate_key() is no longer a public function, expose psa_internal_allocate_key_slot() instead, which provides a pointer to the slot to its caller. 2019-05-27 17:01:54 +00:00			`psa_status_t psa_internal_allocate_key_slot( psa_key_handle_t *handle,`
			`psa_key_slot_t **p_slot );`
Remove obsolete key creation functions Remove the key creation functions from before the attribute-based API, i.e. the key creation functions that worked by allocating a slot, then setting metadata through the handle and finally creating key material. 2019-05-27 12:53:10 +00:00
Reject invalid key ids/lifetimes in attribute-based creation 2019-04-19 16:19:40 +00:00			`/** Test whether the given parameters are acceptable for a persistent key.`
			`*`
			`* This function does not access the storage in any way. It only tests`
			`* whether the parameters are meaningful and permitted by general policy.`
			`* It does not test whether the a file by the given id exists or could be`
			`* created.`
			`*`
			`* \param lifetime The lifetime to test.`
			`* \param id The key id to test.`
Implement and test the new key identifier range Only allow creating keys in the application (user) range. Allow opening keys in the implementation (vendor) range as well. Compared with what the implementation allowed, which was undocumented: 0 is now allowed; values from 0x40000000 to 0xfffeffff are now forbidden. 2019-05-06 16:56:30 +00:00			`* \param creating 0 if attempting to open an existing key.`
			`* Nonzero if attempting to create a key.`
Reject invalid key ids/lifetimes in attribute-based creation 2019-04-19 16:19:40 +00:00			`*`
			`* \retval PSA_SUCCESS`
			`* The given parameters are valid.`
			`* \retval PSA_ERROR_INVALID_ARGUMENT`
			`* \p lifetime is volatile or is invalid.`
			`* \retval PSA_ERROR_INVALID_ARGUMENT`
			`* \p id is invalid.`
			`*/`
			`psa_status_t psa_validate_persistent_key_parameters(`
			`psa_key_lifetime_t lifetime,`
Implement and test the new key identifier range Only allow creating keys in the application (user) range. Allow opening keys in the implementation (vendor) range as well. Compared with what the implementation allowed, which was undocumented: 0 is now allowed; values from 0x40000000 to 0xfffeffff are now forbidden. 2019-05-06 16:56:30 +00:00			`psa_key_file_id_t id,`
			`int creating );`
Reject invalid key ids/lifetimes in attribute-based creation 2019-04-19 16:19:40 +00:00

Implement slot allocation Implement psa_allocate_key, psa_open_key, psa_create_key, psa_close_key. Add support for keys designated to handles to psa_get_key_slot, and thereby to the whole API. Allocated and non-allocated keys can coexist. This is a temporary stage in order to transition from the use of direct slot numbers to allocated handles only. Once all the tests and sample programs have been migrated to use handles, the implementation will be simplified and made more robust with support for handles only. 2018-11-30 17:54:54 +00:00			`#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */`