psa: Move from validate_key to import_key entry point

In the course of the development of the PSA unified
driver interface, the validate_key entry point for
opaque drivers has been removed and replaced by an
import_key entry point. This commit takes into account
this change of specification.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

library/psa_crypto.c

@@ -1104,27 +1104,40 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
     else if( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
     {
         /* Try validation through accelerators first. */
-        bit_size = slot->attr.bits;
         psa_key_attributes_t attributes = {
           .core = slot->attr
         };
-        status = psa_driver_wrapper_validate_key( &attributes,
+
-                                                  data,
+        status = psa_allocate_buffer_to_slot( slot, data_length );
-                                                  data_length,
+        if( status != PSA_SUCCESS )
-                                                  &bit_size );
+            return( status );
+
+        bit_size = slot->attr.bits;
+        status = psa_driver_wrapper_import_key( &attributes,
+                                                data, data_length,
+                                                slot->key.data,
+                                                slot->key.bytes,
+                                                &slot->key.bytes,
+                                                &bit_size );
         if( status == PSA_SUCCESS )
         {
-            /* Key has been validated successfully by an accelerator.
+            if( slot->attr.bits == 0 )
-             * Copy key material into slot. */
+                slot->attr.bits = (psa_key_bits_t) bit_size;
-            status = psa_copy_key_material_into_slot( slot, data, data_length );
+            else if( bit_size != slot->attr.bits )
-            if( status != PSA_SUCCESS )
+                return( PSA_ERROR_INVALID_ARGUMENT );
-                return( status );
 
-            slot->attr.bits = (psa_key_bits_t) bit_size;
             return( PSA_SUCCESS );
         }
-        else if( status != PSA_ERROR_NOT_SUPPORTED )
+        else
-            return( status );
+        {
+            if( status != PSA_ERROR_NOT_SUPPORTED )
+                return( status );
+        }
+
+        mbedtls_platform_zeroize( slot->key.data, data_length );
+        mbedtls_free( slot->key.data );
+        slot->key.data = NULL;
+        slot->key.bytes = 0;
 
         /* Key format is not supported by any accelerator, try software fallback
          * if present. */

library/psa_crypto_driver_wrappers.c

@@ -409,19 +409,23 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib
 #endif /* PSA_CRYPTO_DRIVER_PRESENT */
 }
 
-psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attributes,
+psa_status_t psa_driver_wrapper_import_key(
-                                              const uint8_t *data,
+    const psa_key_attributes_t *attributes,
-                                              size_t data_length,
+    const uint8_t *data,
-                                              size_t *bits )
+    size_t data_length,
+    uint8_t *key_buffer,
+    size_t key_buffer_size,
+    size_t *key_buffer_length,
+    size_t *bits )
 {
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     /* Try accelerators in turn */
 #if defined(PSA_CRYPTO_DRIVER_TEST)
-    status = test_transparent_validate_key( attributes,
+    status = test_transparent_import_key( attributes,
-                                            data,
+                                          data, data_length,
-                                            data_length,
+                                          key_buffer, key_buffer_size,
-                                            bits );
+                                          key_buffer_length, bits );
     /* Declared with fallback == true */
     if( status != PSA_ERROR_NOT_SUPPORTED )
         return( status );
@@ -432,6 +436,9 @@ psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attrib
     (void) attributes;
     (void) data;
     (void) data_length;
+    (void) key_buffer;
+    (void) key_buffer_size;
+    (void) key_buffer_length;
     (void) bits;
     return( PSA_ERROR_NOT_SUPPORTED );
 #endif /* PSA_CRYPTO_DRIVER_PRESENT */

library/psa_crypto_driver_wrappers.h

@@ -50,10 +50,11 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
 psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes,
                                               psa_key_slot_t *slot );
 
-psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attributes,
+psa_status_t psa_driver_wrapper_import_key(
-                                              const uint8_t *data,
+    const psa_key_attributes_t *attributes,
-                                              size_t data_length,
+    const uint8_t *data, size_t data_length,
-                                              size_t *bits );
+    uint8_t *key_buffer, size_t key_buffer_size,
+    size_t *key_buffer_length, size_t *bits );
 
 psa_status_t psa_driver_wrapper_export_public_key( const psa_key_slot_t *slot,
                                                    uint8_t *data,

tests/include/test/drivers/key_management.h

@@ -58,12 +58,6 @@ psa_status_t test_opaque_generate_key(
     const psa_key_attributes_t *attributes,
     uint8_t *key, size_t key_size, size_t *key_length );
 
-psa_status_t test_transparent_validate_key(
-    const psa_key_attributes_t *attributes,
-    const uint8_t *data,
-    size_t data_length,
-    size_t *bits);
-
 psa_status_t test_transparent_export_public_key(
     const psa_key_attributes_t *attributes,
     const uint8_t *key, size_t key_length,
@@ -74,5 +68,14 @@ psa_status_t test_opaque_export_public_key(
     const uint8_t *key, size_t key_length,
     uint8_t *data, size_t data_size, size_t *data_length );
 
+psa_status_t test_transparent_import_key(
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data,
+    size_t data_length,
+    uint8_t *key_buffer,
+    size_t key_buffer_size,
+    size_t *key_buffer_length,
+    size_t *bits);
+
 #endif /* PSA_CRYPTO_DRIVER_TEST */
 #endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H */

tests/src/drivers/key_management.c

@@ -137,11 +137,14 @@ psa_status_t test_opaque_generate_key(
     return( PSA_ERROR_NOT_SUPPORTED );
 }
 
-psa_status_t test_transparent_validate_key(
+psa_status_t test_transparent_import_key(
     const psa_key_attributes_t *attributes,
     const uint8_t *data,
     size_t data_length,
-    size_t *bits )
+    uint8_t *key_buffer,
+    size_t key_buffer_size,
+    size_t *key_buffer_length,
+    size_t *bits)
 {
     ++test_driver_key_management_hooks.hits;