From 8a0466a05200f9f9270297082141eceb52057693 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 15:39:44 +0200 Subject: [PATCH 1/4] Clarify psa_get_and_lock_transparent_key_slot_with_policy() purpose Clarify the purpose of psa_get_and_lock_transparent_key_slot_with_policy() and define it even when MBEDTLS_PSA_CRYPTO_SE_C is disabled for the purpose of static drivers. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3c7598955..b8aaf6a75 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1019,16 +1019,16 @@ error: /** Get a key slot containing a transparent key and lock it. * * A transparent key is a key for which the key material is directly - * available, as opposed to a key in a secure element. + * available, as opposed to a key in a secure element and/or to be used + * by a secure element. * - * This is a temporary function to use instead of - * psa_get_and_lock_key_slot_with_policy() until secure element support is - * fully implemented. + * This is a temporary function that may be used instead of + * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support + * for a cryptographic operation. * * On success, the returned key slot is locked. It is the responsibility of the * caller to unlock the key slot when it does not access it anymore. */ -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, @@ -1040,7 +1040,7 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( if( status != PSA_SUCCESS ) return( status ); - if( psa_key_slot_is_external( *p_slot ) ) + if( psa_key_lifetime_is_external( (*p_slot)->attr.lifetime ) ) { psa_unlock_key_slot( *p_slot ); *p_slot = NULL; @@ -1049,11 +1049,6 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( return( PSA_SUCCESS ); } -#else /* MBEDTLS_PSA_CRYPTO_SE_C */ -/* With no secure element support, all keys are transparent. */ -#define psa_get_and_lock_transparent_key_slot_with_policy( key, p_slot, usage, alg ) \ - psa_get_and_lock_key_slot_with_policy( key, p_slot, usage, alg ) -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot ) { From 0518f61e1a9ed0a8c4b4448b7a22d0fa42dda835 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 15:50:05 +0200 Subject: [PATCH 2/4] psa: Fix slot number key attribute Slot number key attribute is specific of dynamically registered drivers and should thus not be computed/ returned in case of keys associated to drivers implementing the new unified driver interface. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b8aaf6a75..3a49c12a8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1277,7 +1277,7 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key, MBEDTLS_PSA_KA_MASK_DUAL_USE ); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) - if( psa_key_slot_is_external( slot ) ) + if( psa_get_se_driver_entry( slot->attr.lifetime ) != NULL ) psa_set_key_slot_number( attributes, psa_key_slot_get_slot_number( slot ) ); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ From 41e8006fa2e287a8c20520a4e7b739f6a6458d09 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 16:00:51 +0200 Subject: [PATCH 3/4] psa: Remove buggy report of RSA public exponent for opaque keys The report of RSA public exponent for opaque keys is not supported. Do not attempt to compute the RSA public exponent of an RSA opaque key associated to a driver implementing the new driver interface when MBEDTLS_PSA_CRYPTO_SE_C is disabled. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 3a49c12a8..2c562ce2a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1288,14 +1288,11 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key, defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) /* TODO: reporting the public exponent for opaque keys * is not yet implemented. * https://github.com/ARMmbed/mbed-crypto/issues/216 */ - if( psa_key_slot_is_external( slot ) ) - break; -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + if( ! psa_key_lifetime_is_external( slot->attr.lifetime ) ) { mbedtls_rsa_context *rsa = NULL; From f8f425d95d12f39a835e71093267c17bc5be5490 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Aug 2021 18:05:41 +0200 Subject: [PATCH 4/4] psa: Remove psa_key_slot_is_external() Remove psa_key_slot_is_external() that is not used anymore. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2c562ce2a..5aed67181 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -385,13 +385,6 @@ psa_status_t mbedtls_to_psa_error( int ret ) /* Key management */ /****************************************************************/ -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) -static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) -{ - return( psa_key_lifetime_is_external( slot->attr.lifetime ) ); -} -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - /* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the * current test driver in key_management.c is using this function * when accelerators are used for ECC key pair and public key.