From dfea0a25103f70c9497b6348a77884d167956b4c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Apr 2019 13:39:40 +0200 Subject: [PATCH] Use the attribute-based key creation interface in sample programs --- programs/psa/crypto_examples.c | 52 ++++++++++++-------------------- programs/psa/key_ladder_demo.c | 54 +++++++++++++++------------------- 2 files changed, 42 insertions(+), 64 deletions(-) diff --git a/programs/psa/crypto_examples.c b/programs/psa/crypto_examples.c index 90cc0006a..07d1fd25d 100644 --- a/programs/psa/crypto_examples.c +++ b/programs/psa/crypto_examples.c @@ -39,20 +39,6 @@ int main( void ) } #else -static psa_status_t set_key_policy( psa_key_handle_t key_handle, - psa_key_usage_t key_usage, - psa_algorithm_t alg ) -{ - psa_status_t status; - psa_key_policy_t policy = PSA_KEY_POLICY_INIT; - - psa_key_policy_set_usage( &policy, key_usage, alg ); - status = psa_set_key_policy( key_handle, &policy ); - ASSERT_STATUS( status, PSA_SUCCESS ); -exit: - return( status ); -} - static psa_status_t cipher_operation( psa_cipher_operation_t *operation, const uint8_t * input, size_t input_size, @@ -161,6 +147,7 @@ cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( void ) const psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING; psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_handle_t key_handle = 0; size_t output_len = 0; uint8_t iv[block_size]; 
@@ -171,15 +158,12 @@ cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( void ) status = psa_generate_random( input, sizeof( input ) ); ASSERT_STATUS( status, PSA_SUCCESS ); - status = psa_allocate_key( &key_handle ); - ASSERT_STATUS( status, PSA_SUCCESS ); + psa_set_key_usage_flags( &attributes, + PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); - status = set_key_policy( key_handle, - PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, - alg ); - ASSERT_STATUS( status, PSA_SUCCESS ); - - status = psa_generate_key_to_handle( key_handle, PSA_KEY_TYPE_AES, key_bits, + status = psa_generate_key( &attributes, &key_handle, key_bits, NULL, 0 ); ASSERT_STATUS( status, PSA_SUCCESS ); @@ -213,6 +197,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( void ) const psa_algorithm_t alg = PSA_ALG_CBC_PKCS7; psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_handle_t key_handle = 0; size_t output_len = 0; uint8_t iv[block_size], input[input_size], @@ -224,12 +209,12 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( void ) status = psa_allocate_key( &key_handle ); ASSERT_STATUS( status, PSA_SUCCESS ); - status = set_key_policy( key_handle, - PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, - alg ); - ASSERT_STATUS( status, PSA_SUCCESS ); + psa_set_key_usage_flags( &attributes, + PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); - status = psa_generate_key_to_handle( key_handle, PSA_KEY_TYPE_AES, key_bits, + status = psa_generate_key( &attributes, &key_handle, key_bits, NULL, 0 ); ASSERT_STATUS( status, PSA_SUCCESS ); 
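Review bot: In cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi (hunk `@@ -224,12 +209,12 @@`) the context lines still call `status = psa_allocate_key( &key_handle );` ahead of the new `psa_generate_key( &attributes, &key_handle, ... )`, whereas the cbc_nopad and ctr hunks delete that call. If psa_generate_key hands back its own handle through the pointer, as the other two conversions suggest, the slot obtained from psa_allocate_key is overwritten without being closed and the example leaks a key slot. Dropping the leftover `status = psa_allocate_key( &key_handle );` and its `ASSERT_STATUS( status, PSA_SUCCESS );` would bring this function in line with the other two. The function body starts and ends outside the hunk, so its cleanup path was not reviewed.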
@@ -262,6 +247,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi( void ) const psa_algorithm_t alg = PSA_ALG_CTR; psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_handle_t key_handle = 0; size_t output_len = 0; uint8_t iv[block_size], input[input_size], encrypt[input_size], @@ -270,14 +256,12 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi( void ) status = psa_generate_random( input, sizeof( input ) ); ASSERT_STATUS( status, PSA_SUCCESS ); - status = psa_allocate_key( &key_handle ); - ASSERT_STATUS( status, PSA_SUCCESS ); - status = set_key_policy( key_handle, - PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, - alg ); - ASSERT_STATUS( status, PSA_SUCCESS ); + psa_set_key_usage_flags( &attributes, + PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); - status = psa_generate_key_to_handle( key_handle, PSA_KEY_TYPE_AES, key_bits, + status = psa_generate_key( &attributes, &key_handle, key_bits, NULL, 0 ); ASSERT_STATUS( status, PSA_SUCCESS ); diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index 1c3d92195..b84e7fd6b 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c 
@@ -200,16 +200,14 @@ static psa_status_t generate( const char *key_file_name ) { psa_status_t status = PSA_SUCCESS; psa_key_handle_t key_handle = 0; - psa_key_policy_t policy = PSA_KEY_POLICY_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - PSA_CHECK( psa_allocate_key( &key_handle ) ); - psa_key_policy_set_usage( &policy, - PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT, - KDF_ALG ); - PSA_CHECK( psa_set_key_policy( key_handle, &policy ) ); + psa_set_key_usage_flags( &attributes, + PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT ); + psa_set_key_algorithm( &attributes, KDF_ALG ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); - PSA_CHECK( psa_generate_key_to_handle( key_handle, - PSA_KEY_TYPE_DERIVE, + PSA_CHECK( psa_generate_key( &attributes, &key_handle, PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ), NULL, 0 ) ); @@ -231,7 +229,7 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage, psa_key_handle_t *master_key_handle ) { psa_status_t status = PSA_SUCCESS; - psa_key_policy_t policy = PSA_KEY_POLICY_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; uint8_t key_data[KEY_SIZE_BYTES]; size_t key_size; FILE *key_file = NULL; @@ -252,11 +250,10 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage, SYS_CHECK( fclose( key_file ) == 0 ); key_file = NULL; - PSA_CHECK( psa_allocate_key( master_key_handle ) ); - psa_key_policy_set_usage( &policy, usage, alg ); - PSA_CHECK( psa_set_key_policy( *master_key_handle, &policy ) ); - PSA_CHECK( psa_import_key_to_handle( *master_key_handle, - PSA_KEY_TYPE_DERIVE, + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); + PSA_CHECK( psa_import_key( &attributes, master_key_handle, key_data, key_size ) ); exit: if( key_file != NULL ) 
@@ -282,12 +279,14 @@ static psa_status_t derive_key_ladder( const char *ladder[], psa_key_handle_t *key_handle ) { psa_status_t status = PSA_SUCCESS; - psa_key_policy_t policy = PSA_KEY_POLICY_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; size_t i; - psa_key_policy_set_usage( &policy, - PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT, - KDF_ALG ); + + psa_set_key_usage_flags( &attributes, + PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT ); + psa_set_key_algorithm( &attributes, KDF_ALG ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); /* For each label in turn, ... */ for( i = 0; i < ladder_depth; i++ ) @@ -305,13 +304,10 @@ static psa_status_t derive_key_ladder( const char *ladder[], * since it is no longer needed. */ PSA_CHECK( psa_close_key( *key_handle ) ); *key_handle = 0; - PSA_CHECK( psa_allocate_key( key_handle ) ); - PSA_CHECK( psa_set_key_policy( *key_handle, &policy ) ); /* Use the generator obtained from the parent key to create * the next intermediate key. */ - PSA_CHECK( psa_generator_import_key_to_handle( - *key_handle, - PSA_KEY_TYPE_DERIVE, + PSA_CHECK( psa_generator_import_key( + &attributes, key_handle, PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ), &generator ) ); PSA_CHECK( psa_generator_abort( &generator ) ); 
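Review bot: The attributes built before the loop in derive_key_ladder (hunk `@@ -282,12 +279,14 @@`) give every intermediate ladder key PSA_KEY_USAGE_EXPORT as well as PSA_KEY_USAGE_DERIVE, and nothing visible in this hunk or in the loop hunk after it exports those keys. The flag is carried over from the old policy call rather than introduced here. If no caller exports an intermediate key, least privilege would be `psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE );`. Because one attributes structure now serves every iteration, a short comment above the setters such as `/* The same attributes are reused for every key in the ladder. */` would make that reuse explicit. The function body continues outside both hunks.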
@@ -333,13 +329,13 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage, psa_key_handle_t *wrapping_key_handle ) { psa_status_t status = PSA_SUCCESS; - psa_key_policy_t policy = PSA_KEY_POLICY_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; *wrapping_key_handle = 0; - PSA_CHECK( psa_allocate_key( wrapping_key_handle ) ); - psa_key_policy_set_usage( &policy, usage, WRAPPING_ALG ); - PSA_CHECK( psa_set_key_policy( *wrapping_key_handle, &policy ) ); + psa_set_key_usage_flags( &attributes, usage ); + psa_set_key_algorithm( &attributes, WRAPPING_ALG ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); PSA_CHECK( psa_key_derivation( &generator, @@ -348,9 +344,7 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage, WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH, NULL, 0, PSA_BITS_TO_BYTES( WRAPPING_KEY_BITS ) ) ); - PSA_CHECK( psa_generator_import_key_to_handle( - *wrapping_key_handle, - PSA_KEY_TYPE_AES, + PSA_CHECK( psa_generator_import_key( &attributes, wrapping_key_handle, WRAPPING_KEY_BITS, &generator ) );