Refuse to destroy read-only keys

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-24 20:41:05 +00:00 · 2021-04-21 22:32:05 +02:00 · 2021-04-21 22:32:05 +02:00 · 251c774b91
parent 86c6123950
commit 251c774b91
2 changed files with 17 additions and 4 deletions
--- a/ChangeLog.d/psa-read-only-keys.txt
+++ b/ChangeLog.d/psa-read-only-keys.txt
@ -1,4 +1,5 @@
-Features
-   * The PSA API no longer allows the creation of keys with a read-only lifetime.
-     The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
-     as intended, for keys that cannot be modified through normal use of the API.
+Bugfix
+   * The PSA API no longer allows the creation or destruction of keys with a
+     read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+     can now only be used as intended, for keys that cannot be modified through
+     normal use of the API.
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -1133,6 +1133,18 @@ psa_status_t psa_destroy_key( mbedtls_svc_key_id_t key )
       return( PSA_ERROR_GENERIC_ERROR );
    }

+    if( PSA_KEY_LIFETIME_IS_READ_ONLY( slot->attr.lifetime ) )
+    {
+        /* Refuse the destruction of a read-only key (which may or may not work
+         * if we attempt it, depending on whether the key is merely read-only
+         * by policy or actually physically read-only).
+         * Just do the best we can, which is to wipe the copy in memory. */
+        status = psa_wipe_key_slot( slot );
+        if( status != PSA_SUCCESS )
+            return( status );
+        return( PSA_ERROR_NOT_PERMITTED );
+    }
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
    driver = psa_get_se_driver_entry( slot->attr.lifetime );
    if( driver != NULL )