From ac9851f8d3b323033f99dbb100ad83dfb0bebc02 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 21 Apr 2021 21:23:40 +0200
Subject: [PATCH] Forbid creating a read-only key

The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used as intended, for keys that cannot be modified through normal use of the API.

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/psa-read-only-keys.txt | 4 ++++
 library/psa_crypto_slot_management.c | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/psa-read-only-keys.txt

diff --git a/ChangeLog.d/psa-read-only-keys.txt b/ChangeLog.d/psa-read-only-keys.txt
new file mode 100644
index 000000000..9e3081030
--- /dev/null
+++ b/ChangeLog.d/psa-read-only-keys.txt
@@ -0,0 +1,4 @@
+Features
+   * The PSA API no longer allows the creation of keys with a read-only lifetime.
+     The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
+     as intended, for keys that cannot be modified through normal use of the API.
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 9bab7e415..f90b0e333 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -466,7 +466,10 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime )
 {
     /* Persistent keys require storage support */
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-    return( PSA_SUCCESS );
+    if( PSA_KEY_LIFETIME_IS_READ_ONLY( lifetime ) )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    else
+        return( PSA_SUCCESS );
 #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
     return( PSA_ERROR_NOT_SUPPORTED );
 #endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
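Review bot: The new read-only check sits inside `#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)`, so the same read-only lifetime is rejected with PSA_ERROR_INVALID_ARGUMENT when storage is compiled in but with PSA_ERROR_NOT_SUPPORTED when it is not, making the error code for one invalid argument depend on build configuration. Hoisting the check above the `#if` keeps the rejection unconditional and uniform: `if( PSA_KEY_LIFETIME_IS_READ_ONLY( lifetime ) ) return( PSA_ERROR_INVALID_ARGUMENT );` placed before the `#if`, with the storage branch reverting to a bare `return( PSA_SUCCESS );`, which also drops the `else` after a `return`. The existing `/* Persistent keys require storage support */` comment no longer describes the added branch; a comment such as `/* Read-only keys cannot be created through normal use of the API. */` above the check would record the intent stated in the commit message. The closing brace of psa_validate_key_persistence lies past the end of the hunk.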