Fix policy validity check on key creation.

Add a non-regression test.
2025-01-11 11:05:39 +00:00 · 2019-07-31 15:54:33 +02:00 · 2019-07-31 15:54:33 +02:00 · 3825e14e65
parent 6edfa293c2
commit 3825e14e65
2 changed files with 7 additions and 4 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -1469,10 +1469,6 @@ static psa_status_t psa_start_key_creation(
            return( status );
    }

-    status = psa_check_key_slot_policy( slot );
-    if( status != PSA_SUCCESS )
-        return( status );
-
    /* Refuse to create overly large keys.
     * Note that this doesn't trigger on import if the attributes don't
     * explicitly specify a size (so psa_get_key_bits returns 0), so
@ -1487,6 +1483,10 @@ static psa_status_t psa_start_key_creation(

    slot->attr = attributes->core;

+    status = psa_check_key_slot_policy( slot );
+    if( status != PSA_SUCCESS )
+        return( status );
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
    /* For a key in a secure element, we need to do three things:
     * create the key file in internal storage, create the
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@ -52,6 +52,9 @@ invalid_handle:1
 PSA invalid handle (largest plausible handle)
 invalid_handle:-1

+PSA import: bad usage flag
+import_with_policy:PSA_KEY_TYPE_RAW_DATA:0x40000000:0:PSA_ERROR_INVALID_ARGUMENT
+
 PSA import: invalid type (0)
 import_with_policy:PSA_KEY_TYPE_NONE:0:0:PSA_ERROR_NOT_SUPPORTED