Allow loading wrapped keys even when SE support is compiled in

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This commit is contained in:
Steven Cooreman 2021-01-08 19:19:40 +01:00
parent a51e1dbe76
commit 98435ddf84
3 changed files with 81 additions and 36 deletions

View file

@ -2325,34 +2325,45 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
if( status != PSA_SUCCESS )
goto exit;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( driver != NULL )
if( psa_key_lifetime_is_external( psa_get_key_lifetime( attributes ) ) )
{
const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
/* The driver should set the number of key bits, however in
* case it doesn't, we initialize bits to an invalid value. */
size_t bits = PSA_MAX_KEY_BITS + 1;
if( drv->key_management == NULL ||
drv->key_management->p_import == NULL )
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( driver != NULL )
{
status = PSA_ERROR_NOT_SUPPORTED;
const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
/* The driver should set the number of key bits, however in
* case it doesn't, we initialize bits to an invalid value. */
size_t bits = PSA_MAX_KEY_BITS + 1;
if( drv->key_management == NULL ||
drv->key_management->p_import == NULL )
{
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
status = drv->key_management->p_import(
psa_get_se_driver_context( driver ),
slot->data.se.slot_number, attributes, data, data_length,
&bits );
if( status != PSA_SUCCESS )
goto exit;
if( bits > PSA_MAX_KEY_BITS )
{
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
slot->attr.bits = (psa_key_bits_t) bits;
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
/* Importing a key with external lifetime through the driver wrapper
* interface is not yet supported. Return as if this was an invalid
* lifetime. */
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = drv->key_management->p_import(
psa_get_se_driver_context( driver ),
slot->data.se.slot_number, attributes, data, data_length,
&bits );
if( status != PSA_SUCCESS )
goto exit;
if( bits > PSA_MAX_KEY_BITS )
{
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
slot->attr.bits = (psa_key_bits_t) bits;
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
status = psa_import_key_into_slot( slot, data, data_length );
if( status != PSA_SUCCESS )

View file

@ -247,25 +247,42 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot )
if( status != PSA_SUCCESS )
goto exit;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_key_lifetime_is_external( slot->attr.lifetime ) )
{
psa_se_key_data_storage_t *data;
if( key_data_length != sizeof( *data ) )
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
{
status = PSA_ERROR_STORAGE_FAILURE;
goto exit;
psa_se_key_data_storage_t *data;
if( key_data_length != sizeof( *data ) )
{
status = PSA_ERROR_STORAGE_FAILURE;
goto exit;
}
data = (psa_se_key_data_storage_t *) key_data;
memcpy( &slot->data.se.slot_number, &data->slot_number,
sizeof( slot->data.se.slot_number ) );
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
/* A key that is successfully loaded from storage with an
* external lifetime, but doesn't belong to an SE driver,
* must be a PSA driver-associated key which we can just
* load like an internal key. */
if ( key_data == NULL )
{
status = PSA_ERROR_STORAGE_FAILURE;
goto exit;
}
status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
}
data = (psa_se_key_data_storage_t *) key_data;
memcpy( &slot->data.se.slot_number, &data->slot_number,
sizeof( slot->data.se.slot_number ) );
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
if( status != PSA_SUCCESS )
goto exit;
}
exit:
@ -345,7 +362,14 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry( lifetime );
if( driver == NULL )
{
#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
/* Key location for external keys gets checked by the wrapper */
return( PSA_SUCCESS );
#else
return( PSA_ERROR_INVALID_ARGUMENT );
#endif
}
else
{
if (p_drv != NULL)
@ -354,7 +378,12 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
}
#else
(void) p_drv;
#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
/* Key location for external keys gets checked by the wrapper */
return( PSA_SUCCESS );
#else
return( PSA_ERROR_INVALID_ARGUMENT );
#endif
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
}
else

View file

@ -107,10 +107,15 @@ Open failure: non-existent identifier
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
open_fail:1:PSA_ERROR_DOES_NOT_EXIST
Create failure: invalid lifetime
create_fail:0x7fffffff:0:PSA_ERROR_INVALID_ARGUMENT
Create failure: invalid lifetime for a persistent key
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
create_fail:0x7fffffff:1:PSA_ERROR_INVALID_ARGUMENT
Create failure: invalid key id (0)
Create failure: invalid lifetime for a volatile key
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
create_fail:0x7fffff00:0:PSA_ERROR_INVALID_ARGUMENT
Create failure: invalid key id (0) for a persistent key
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
create_fail:PSA_KEY_LIFETIME_PERSISTENT:0:PSA_ERROR_INVALID_HANDLE