From 804cd71bf8b5d01c1caaea1a482a7b50cf035104 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Tue, 20 Mar 2018 22:44:08 +0200 Subject: [PATCH 01/10] initial key lifetime implementation and tests --- include/psa/crypto.h | 41 +++++++++++-- library/psa_crypto.c | 49 ++++++++++++++++ tests/suites/test_suite_psa_crypto.data | 21 +++++++ tests/suites/test_suite_psa_crypto.function | 65 +++++++++++++++++++++ 4 files changed, 172 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 04e6b4796..6caa62abf 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -89,6 +89,10 @@ typedef enum { PSA_ERROR_INVALID_SIGNATURE, /** The decrypted padding is incorrect. */ PSA_ERROR_INVALID_PADDING, + /** The key lifetime value is incorrect. */ + PSA_ERROR_INVALID_LIFETIME, + /** The key lifetime can not be changed. */ + PSA_ERROR_KEY_LIFETIME_CHANGE, /** An error occurred that does not correspond to any defined failure cause. */ PSA_ERROR_UNKNOWN_ERROR, 
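Review bot: The two new enumerators are inserted ahead of `PSA_ERROR_UNKNOWN_ERROR` in the `psa_status_t` enum, so every status value from that point on is renumbered; any caller or test comparing against numeric status values, or any binary built against the previous header, now disagrees with the library. If the codes are kept, appending them at the end of the enum avoids the shift, and it is worth asking whether they are needed at all rather than reusing existing codes such as `PSA_ERROR_INVALID_ARGUMENT` for an unrecognised value and `PSA_ERROR_NOT_SUPPORTED` for a value the implementation cannot apply. The comment on the second code should read `/** The key lifetime cannot be changed. */`.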
@@ -596,18 +600,47 @@ typedef uint32_t psa_key_lifetime_t; /** \brief Retrieve the lifetime of a key slot. * * The assignment of lifetimes to slots is implementation-dependent. + * + * \param key Slot whose content is to be exported. This must + * be an occupied key slot. + * \param lifetime On success, the lifetime value. + * + * \retval PSA_SUCCESS + * Success. + * \retval PSA_ERROR_INVALID_ARGUMENT + * The key slot is invalid, + * or the key data is not correctly formatted. + * \retval PSA_ERROR_EMPTY_SLOT + * The key slot is not occupied. */ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); /** \brief Change the lifetime of a key slot. + * + * \note In case a key slot has PSA_KEY_LIFETIME_WRITE_ONCE lifetime, + * it can not be changed and trying to set new value will return + * an error * - * Whether the lifetime of a key slot can be changed at all, and if so - * whether the lifetime of an occupied key slot can be changed, is - * implementation-dependent. + * \param key Slot whose content is to be exported. This must + * be an occupied key slot. + * \param lifetime The lifetime value to be set for the given key. + * + * \retval PSA_SUCCESS + * Success. + * \retval PSA_ERROR_INVALID_ARGUMENT + * The key slot is invalid, + * or the key data is not correctly formatted. + * \retval PSA_ERROR_EMPTY_SLOT + * The key slot is not occupied. + * \retval PSA_ERROR_INVALID_LIFETIME + * The lifetime value is not valid. + * \retval PSA_ERROR_KEY_LIFETIME_CHANGE + * The key slot already has PSA_KEY_LIFETIME_WRITE_ONCE value, + * and can not be changed. */ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, - const psa_key_lifetime_t *lifetime); + const psa_key_lifetime_t lifetime); /**@}*/ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c93da95b9..5ba60e1ae 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
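Review bot: The `\param key` text added to both functions, `Slot whose content is to be exported. This must be an occupied key slot.`, is copied from the export function and does not describe a lifetime query or update; the same applies to the `PSA_ERROR_INVALID_ARGUMENT` text `or the key data is not correctly formatted`, which cannot occur here. The prototype change from `const psa_key_lifetime_t *lifetime` to `const psa_key_lifetime_t lifetime` is a source-incompatible API change and should be called out in the commit message; the top-level `const` on a by-value parameter has no effect in a declaration and is normally omitted from headers. The `\note` sentence is also missing its terminating period and should use `cannot`.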
@@ -96,6 +96,7 @@ static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n ) typedef struct { psa_key_type_t type; + psa_key_lifetime_t lifetime; union { struct raw_data { uint8_t *data; @@ -362,6 +363,7 @@ psa_status_t psa_import_key(psa_key_slot_t key, } slot->type = type; + slot->lifetime = 0; return( PSA_SUCCESS ); } @@ -1260,6 +1262,53 @@ psa_status_t psa_asymmetric_sign(psa_key_slot_t key, } +/****************************************************************/ +/* Key Lifetime */ +/****************************************************************/ + +psa_status_t psa_get_key_lifetime(psa_key_slot_t key, + psa_key_lifetime_t *lifetime) +{ + key_slot_t *slot; + + if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + slot = &global_data.key_slots[key]; + + if( slot->type == PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_EMPTY_SLOT ); + + *lifetime = slot->lifetime; + + return( PSA_SUCCESS ); +} + +psa_status_t psa_set_key_lifetime(psa_key_slot_t key, + const psa_key_lifetime_t lifetime) +{ + key_slot_t *slot; + + if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + slot = &global_data.key_slots[key]; + if( slot->type == PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_EMPTY_SLOT ); + + if( lifetime != PSA_KEY_LIFETIME_VOLATILE && + lifetime != PSA_KEY_LIFETIME_PERSISTENT && + lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) + return( PSA_ERROR_INVALID_LIFETIME ); + + if ( slot->lifetime == PSA_KEY_LIFETIME_WRITE_ONCE ) + return( PSA_ERROR_KEY_LIFETIME_CHANGE ); + + slot->lifetime = liftime; + + return( PSA_SUCCESS ); +} + /****************************************************************/ /* Module setup */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 4f4bef14c..9611c3248 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
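Review bot: `slot->lifetime = 0;` in `psa_import_key` hard-codes the numeric value instead of naming it; `slot->lifetime = PSA_KEY_LIFETIME_VOLATILE;` says what is meant and survives a renumbering of the constants. Because the reset runs unconditionally on every import, any lifetime previously set on the slot is silently discarded, which makes the `PSA_KEY_LIFETIME_WRITE_ONCE` protection in the new `psa_set_key_lifetime` only apply to the lifetime field itself and not to the key material; whether `psa_destroy_key` consults the lifetime is not visible in this patch and should be confirmed.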
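Review bot: `slot->lifetime = liftime;` in `psa_set_key_lifetime` misspells the parameter and will not compile, so this commit does not build on its own. `psa_get_key_lifetime` writes through `lifetime` without checking it, so a null pointer from the caller is dereferenced rather than reported; `if( lifetime == NULL ) return( PSA_ERROR_INVALID_ARGUMENT );` before the slot lookup matches the style of the other argument checks. `if ( slot->lifetime == ...` also uses a different spacing from the surrounding `if(` checks.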
@@ -83,3 +83,24 @@ sign_fail:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5 PSA sign RSA PKCS#1 v1.5 SHA-256, output buffer too small sign_fail:PSA_KEY_TYPE_RSA_KEYPAIR:"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":PSA_ALG_RSA_PKCS1V15(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":127:PSA_ERROR_BUFFER_TOO_SMALL + +PSA Key Lifetime set and get volatile +key_lifetime:PSA_KEY_LIFETIME_VOLATILE + +PSA Key Lifetime set and get persistent +key_lifetime:PSA_KEY_LIFETIME_PERSISTENT + +PSA Key Lifetime set and get write_once +key_lifetime:PSA_KEY_LIFETIME_WRITE_ONCE + +PSA Key Lifetime set fail, invalid key slot +key_lifetime_set_fail:0:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_INVALID_ARGUMENT + +PSA Key Lifetime set fail, unoccupied key slot +key_lifetime_set_fail:2:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_EMPTY_SLOT + +PSA Key Lifetime set fail, can not change write_once lifetime +key_lifetime_set_fail:1:PSA_KEY_LIFETIME_WRITE_ONCE:PSA_ERROR_KEY_LIFETIME_CHANGE + +PSA Key Lifetime set fail, invalid key lifetime value +key_lifetime_set_fail:1:PSA_KEY_LIFETIME_PERSISTENT+1:PSA_ERROR_INVALID_LIFETIME diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 93817948c..d8dddff2c 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
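Review bot: The "invalid key lifetime value" case derives its invalid input as `PSA_KEY_LIFETIME_PERSISTENT+1`, so it is only invalid as long as no defined lifetime happens to be the next value; the `PSA_KEY_LIFETIME_WRITE_ONCE` definition is not in this patch, so confirm it is not adjacent, or use an explicit out-of-range literal so the intent is clear. The "can not change write_once lifetime" case depends on the test function calling `psa_set_key_lifetime` twice to provoke the rejection, which is not apparent from this data line and deserves a comment in the test function.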
@@ -360,3 +360,68 @@ exit: mbedtls_psa_crypto_free( ); } /* END_CASE */ + +/* BEGIN_CASE */ +void key_lifetime( int lifetime_arg ) +{ + int key_slot = 1; + psa_key_type_t key_type = PSA_ALG_CBC_BASE; + unsigned char key[32] = {0}; + psa_key_lifetime_t lifetime_set = (psa_key_lifetime_t) lifetime_arg; + psa_key_lifetime_t lifetime_get; + + TEST_ASSERT( key != NULL ); + + memset( key, 0x2a, sizeof( key ) ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( key_slot, key_type, + key, sizeof( key ) ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_set_key_lifetime( key_slot, lifetime_set )); + + TEST_ASSERT( psa_get_key_lifetime( key_slot, &lifetime_get )); + + TEST_ASSERT( lifetime_get == lifetime_set ); + +exit: + mbedtls_free( key ); + psa_destroy_key( key_slot ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ + + +/* BEGIN_CASE */ +void key_lifetime_set_fail( int key_slot_arg, int lifetime_arg, int expected_status_arg ) +{ + int key_slot = 1; + psa_key_type_t key_type = PSA_ALG_CBC_BASE; + unsigned char key[32] = {0}; + psa_key_lifetime_t lifetime_set = (psa_key_lifetime_t) lifetime_arg; + psa_status_t actual_status; + psa_status_t expected_status = expected_status_arg; + + TEST_ASSERT( key != NULL ); + + memset( key, 0x2a, sizeof( key ) ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( key_slot, key_type, + key, sizeof( key ) ) == PSA_SUCCESS ); + + actual_status = psa_set_key_lifetime( key_slot_arg, lifetime_set ); + + if( actual_status == PSA_SUCCESS ) + actual_status = psa_set_key_lifetime( key_slot_arg, lifetime_set ); + + TEST_ASSERT( expected_status == actual_status ); + +exit: + mbedtls_free( key ); + psa_destroy_key( key_slot ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ From 060ad8ac345b62c2b733345a575df22ccac3eb0e Mon Sep 17 00:00:00 2001 
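Review bot: `psa_key_type_t key_type = PSA_ALG_CBC_BASE;` in both new test functions assigns an algorithm identifier to a key-type variable, so the import exercises whatever key type that number happens to alias; a `PSA_KEY_TYPE_*` constant should be used instead. `mbedtls_free( key )` in both `exit:` labels frees an automatic array (`unsigned char key[32]`), which is undefined behaviour, and `TEST_ASSERT( key != NULL )` on that array is always true. `TEST_ASSERT( psa_set_key_lifetime( key_slot, lifetime_set ))` and the matching get assertion check that the returned status is nonzero, i.e. that the call did not return `PSA_SUCCESS`, the opposite of what the test intends; compare against `PSA_SUCCESS` explicitly. The repeated call in `key_lifetime_set_fail` after a successful first call is presumably there to reach the write-once rejection and should say so in a comment.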
From: mohammad1603 Date: Tue, 20 Mar 2018 14:28:38 -0700 Subject: [PATCH 02/10] Compilation and tests fixes --- library/psa_crypto.c | 2 +- tests/suites/test_suite_psa_crypto.function | 12 ++++-------- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5ba60e1ae..329ee3dc5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1304,7 +1304,7 @@ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, if ( slot->lifetime == PSA_KEY_LIFETIME_WRITE_ONCE ) return( PSA_ERROR_KEY_LIFETIME_CHANGE ); - slot->lifetime = liftime; + slot->lifetime = lifetime; return( PSA_SUCCESS ); } diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index d8dddff2c..b4bf66060 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -370,8 +370,6 @@ void key_lifetime( int lifetime_arg ) psa_key_lifetime_t lifetime_set = (psa_key_lifetime_t) lifetime_arg; psa_key_lifetime_t lifetime_get; - TEST_ASSERT( key != NULL ); - memset( key, 0x2a, sizeof( key ) ); TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); @@ -379,14 +377,15 @@ void key_lifetime( int lifetime_arg ) TEST_ASSERT( psa_import_key( key_slot, key_type, key, sizeof( key ) ) == PSA_SUCCESS ); - TEST_ASSERT( psa_set_key_lifetime( key_slot, lifetime_set )); + TEST_ASSERT( psa_set_key_lifetime( key_slot, + lifetime_set ) == PSA_SUCCESS ); - TEST_ASSERT( psa_get_key_lifetime( key_slot, &lifetime_get )); + TEST_ASSERT( psa_get_key_lifetime( key_slot, + &lifetime_get ) == PSA_SUCCESS ); TEST_ASSERT( lifetime_get == lifetime_set ); exit: - mbedtls_free( key ); psa_destroy_key( key_slot ); mbedtls_psa_crypto_free( ); } 
@@ -403,8 +402,6 @@ void key_lifetime_set_fail( int key_slot_arg, int lifetime_arg, int expected_sta psa_status_t actual_status; psa_status_t expected_status = expected_status_arg; - TEST_ASSERT( key != NULL ); - memset( key, 0x2a, sizeof( key ) ); TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); @@ -420,7 +417,6 @@ void key_lifetime_set_fail( int key_slot_arg, int lifetime_arg, int expected_sta TEST_ASSERT( expected_status == actual_status ); exit: - mbedtls_free( key ); psa_destroy_key( key_slot ); mbedtls_psa_crypto_free( ); } From ba178511f4e82ee066b66f7a4a63d862f308dc27 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Wed, 21 Mar 2018 04:35:20 -0700 Subject: [PATCH 03/10] Remove unused and duplicated erros, fix documentation and tests Remove unused and duplicated erros, fix documentation and tests --- include/psa/crypto.h | 24 ++++++++------------- library/psa_crypto.c | 15 ++++++------- tests/suites/test_suite_psa_crypto.data | 10 ++------- tests/suites/test_suite_psa_crypto.function | 4 ++-- 4 files changed, 20 insertions(+), 33 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 6caa62abf..6675ba45f 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -89,10 +89,6 @@ typedef enum { PSA_ERROR_INVALID_SIGNATURE, /** The decrypted padding is incorrect. */ PSA_ERROR_INVALID_PADDING, - /** The key lifetime value is incorrect. */ - PSA_ERROR_INVALID_LIFETIME, - /** The key lifetime can not be changed. */ - PSA_ERROR_KEY_LIFETIME_CHANGE, /** An error occurred that does not correspond to any defined failure cause. */ PSA_ERROR_UNKNOWN_ERROR, 
@@ -582,15 +578,19 @@ psa_status_t psa_get_key_policy(psa_key_slot_t key, */ typedef uint32_t psa_key_lifetime_t; +/** An invalid key lifetime value. + */ +#define PSA_KEY_LIFETIME_NONE ((psa_key_lifetime_t)0x00000000) + /** A volatile key slot retains its content as long as the application is * running. It is guaranteed to be erased on a power reset. */ -#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000) +#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000001) /** A persistent key slot retains its content as long as it is not explicitly * destroyed. */ -#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) +#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000002) /** A write-once key slot may not be modified once a key has been set. * It will retain its content as long as the device remains operational. @@ -617,11 +617,10 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); /** \brief Change the lifetime of a key slot. + * Whether the lifetime of a key slot can be changed at all, and if so + * whether the lifetime of an occupied key slot can be changed, is + * implementation-dependent. * - * \note In case a key slot has PSA_KEY_LIFETIME_WRITE_ONCE lifetime, - * it can not be changed and trying to set new value will return - * an error - * * \param key Slot whose content is to be exported. This must * be an occupied key slot. * \param lifetime The lifetime value to be set for the given key. @@ -633,11 +632,6 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * or the key data is not correctly formatted. * \retval PSA_ERROR_EMPTY_SLOT * The key slot is not occupied. - * \retval PSA_ERROR_INVALID_LIFETIME - * The lifetime value is not valid. - * \retval PSA_ERROR_KEY_LIFETIME_CHANGE - * The key slot already has PSA_KEY_LIFETIME_WRITE_ONCE value, - * and can not be changed. */ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, const psa_key_lifetime_t lifetime); 
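Review bot: Introducing `PSA_KEY_LIFETIME_NONE` as `0` means that a slot in zero-initialized storage reports a lifetime the header itself describes as "invalid" until `psa_set_key_lifetime` has been called on it, and renumbering `PSA_KEY_LIFETIME_VOLATILE` and `PSA_KEY_LIFETIME_PERSISTENT` changes the numeric meaning of values callers may already hold. If the sentinel is kept, the `psa_set_key_lifetime` documentation in the third hunk should state that `PSA_KEY_LIFETIME_NONE` is rejected, and the `psa_get_key_lifetime` documentation should state when it can be returned. Alternatively keep `PSA_KEY_LIFETIME_VOLATILE` at zero so the default state of a slot is a valid lifetime.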
diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 329ee3dc5..bdb47d249 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -363,7 +363,6 @@ psa_status_t psa_import_key(psa_key_slot_t key, } slot->type = type; - slot->lifetime = 0; return( PSA_SUCCESS ); } @@ -1292,17 +1291,17 @@ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT ) return( PSA_ERROR_INVALID_ARGUMENT ); + if( lifetime != PSA_KEY_LIFETIME_VOLATILE && + lifetime != PSA_KEY_LIFETIME_PERSISTENT && + lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) + return( PSA_ERROR_INVALID_ARGUMENT ); + slot = &global_data.key_slots[key]; if( slot->type == PSA_KEY_TYPE_NONE ) return( PSA_ERROR_EMPTY_SLOT ); - if( lifetime != PSA_KEY_LIFETIME_VOLATILE && - lifetime != PSA_KEY_LIFETIME_PERSISTENT && - lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) - return( PSA_ERROR_INVALID_LIFETIME ); - - if ( slot->lifetime == PSA_KEY_LIFETIME_WRITE_ONCE ) - return( PSA_ERROR_KEY_LIFETIME_CHANGE ); + if ( lifetime != PSA_KEY_LIFETIME_VOLATILE ) + return( PSA_ERROR_NOT_SUPPORTED ); slot->lifetime = lifetime; diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 9611c3248..be31c39bd 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -87,12 +87,6 @@ sign_fail:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5 PSA Key Lifetime set and get volatile key_lifetime:PSA_KEY_LIFETIME_VOLATILE -PSA Key Lifetime set and get persistent -key_lifetime:PSA_KEY_LIFETIME_PERSISTENT - -PSA Key Lifetime set and get write_once -key_lifetime:PSA_KEY_LIFETIME_WRITE_ONCE - PSA Key Lifetime set fail, invalid key slot key_lifetime_set_fail:0:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_INVALID_ARGUMENT 
@@ -100,7 +94,7 @@ PSA Key Lifetime set fail, unoccupied key slot key_lifetime_set_fail:2:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_EMPTY_SLOT PSA Key Lifetime set fail, can not change write_once lifetime -key_lifetime_set_fail:1:PSA_KEY_LIFETIME_WRITE_ONCE:PSA_ERROR_KEY_LIFETIME_CHANGE +key_lifetime_set_fail:1:PSA_KEY_LIFETIME_WRITE_ONCE:PSA_ERROR_NOT_SUPPORTED PSA Key Lifetime set fail, invalid key lifetime value -key_lifetime_set_fail:1:PSA_KEY_LIFETIME_PERSISTENT+1:PSA_ERROR_INVALID_LIFETIME +key_lifetime_set_fail:1:PSA_KEY_LIFETIME_PERSISTENT+1:PSA_ERROR_INVALID_ARGUMENT diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index b4bf66060..7cb38d986 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -378,10 +378,10 @@ void key_lifetime( int lifetime_arg ) key, sizeof( key ) ) == PSA_SUCCESS ); TEST_ASSERT( psa_set_key_lifetime( key_slot, - lifetime_set ) == PSA_SUCCESS ); + lifetime_set ) == PSA_SUCCESS ); TEST_ASSERT( psa_get_key_lifetime( key_slot, - &lifetime_get ) == PSA_SUCCESS ); + &lifetime_get ) == PSA_SUCCESS ); TEST_ASSERT( lifetime_get == lifetime_set ); From 5d7ec2033dc7c35e669bda2a54520788e2c034ad Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Wed, 28 Mar 2018 01:29:41 +0300 Subject: [PATCH 04/10] fix key lifetime set implementation , tests accordingly --- library/psa_crypto.c | 4 ++-- tests/suites/test_suite_psa_crypto.data | 3 --- tests/suites/test_suite_psa_crypto.function | 13 +++---------- 3 files changed, 5 insertions(+), 15 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bdb47d249..152fb17bf 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -1297,8 +1297,8 @@ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, return( PSA_ERROR_INVALID_ARGUMENT ); slot = &global_data.key_slots[key]; - if( slot->type == PSA_KEY_TYPE_NONE ) - return( PSA_ERROR_EMPTY_SLOT ); + if( slot->type != PSA_KEY_TYPE_NONE ) + return( PSA_ERROR_OCCUPIED_SLOT ); if ( lifetime != PSA_KEY_LIFETIME_VOLATILE ) return( PSA_ERROR_NOT_SUPPORTED ); diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index be31c39bd..6fd66ee2a 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -90,9 +90,6 @@ key_lifetime:PSA_KEY_LIFETIME_VOLATILE PSA Key Lifetime set fail, invalid key slot key_lifetime_set_fail:0:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_INVALID_ARGUMENT -PSA Key Lifetime set fail, unoccupied key slot -key_lifetime_set_fail:2:PSA_KEY_LIFETIME_VOLATILE:PSA_ERROR_EMPTY_SLOT - PSA Key Lifetime set fail, can not change write_once lifetime key_lifetime_set_fail:1:PSA_KEY_LIFETIME_WRITE_ONCE:PSA_ERROR_NOT_SUPPORTED diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 7cb38d986..c1bbe17ee 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -374,11 +374,11 @@ void key_lifetime( int lifetime_arg ) TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - TEST_ASSERT( psa_import_key( key_slot, key_type, - key, sizeof( key ) ) == PSA_SUCCESS ); - TEST_ASSERT( psa_set_key_lifetime( key_slot, lifetime_set ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_import_key( key_slot, key_type, + key, sizeof( key ) ) == PSA_SUCCESS ); TEST_ASSERT( psa_get_key_lifetime( key_slot, &lifetime_get ) == PSA_SUCCESS ); 
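Review bot: The new `PSA_ERROR_OCCUPIED_SLOT` return in `psa_set_key_lifetime` has no test: the data hunk in this commit removes the "unoccupied key slot" case and adds none that imports a key and then calls `psa_set_key_lifetime` on that slot. The remaining data line described as "can not change write_once lifetime" now runs against an empty slot and exercises the `PSA_ERROR_NOT_SUPPORTED` branch, so its description no longer matches what it checks. Since the occupied check runs before the value check, a caller passing an unsupported lifetime for an occupied slot sees `PSA_ERROR_OCCUPIED_SLOT` rather than `PSA_ERROR_NOT_SUPPORTED`; that precedence is worth a comment in the header.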
@@ -396,19 +396,12 @@ exit: void key_lifetime_set_fail( int key_slot_arg, int lifetime_arg, int expected_status_arg ) { int key_slot = 1; - psa_key_type_t key_type = PSA_ALG_CBC_BASE; - unsigned char key[32] = {0}; psa_key_lifetime_t lifetime_set = (psa_key_lifetime_t) lifetime_arg; psa_status_t actual_status; psa_status_t expected_status = expected_status_arg; - memset( key, 0x2a, sizeof( key ) ); - TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - TEST_ASSERT( psa_import_key( key_slot, key_type, - key, sizeof( key ) ) == PSA_SUCCESS ); - actual_status = psa_set_key_lifetime( key_slot_arg, lifetime_set ); if( actual_status == PSA_SUCCESS ) From 1c34545cfe66610a062b377e68290fb406131fbb Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Mon, 16 Apr 2018 06:49:13 -0700 Subject: [PATCH 05/10] Remove usage of PSA_KEY_LIFETIME_NONE Remove usage of PSA_KEY_LIFETIME_NONE, initiate all key slot to PSA_KEY_LIFETIME_VOLATILE ini psa_crypto_init() --- include/psa/crypto.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 6675ba45f..ac763f973 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -102,6 +102,10 @@ typedef enum { * * Applications may call this function more than once. Once a call * succeeds, subsequent calls are guaranteed to succeed. + * + * \note Initial lifetime value for each key slot is initiated + * to PSA_KEY_LIFETIME_VOLATILE, user should change this value + * before calling psa_import_key() if needed. * * \retval PSA_SUCCESS * \retval PSA_ERROR_INSUFFICIENT_MEMORY 
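Review bot: The `\note` added to `psa_crypto_init` states that every key slot's lifetime is initialized to `PSA_KEY_LIFETIME_VOLATILE`, but this commit changes only the header (the diffstat lists one file), so the claim holds only because the next hunk redefines `PSA_KEY_LIFETIME_VOLATILE` as `0` and the slot storage is presumably zero-initialized — confirm that against `psa_crypto_init`. Either add the explicit initialization to the library or phrase the note as a property of the value, e.g. `\note A key slot's lifetime defaults to PSA_KEY_LIFETIME_VOLATILE; change it with psa_set_key_lifetime() before calling psa_import_key() on the slot.` "initiated" should read "initialized".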
@@ -578,19 +582,15 @@ psa_status_t psa_get_key_policy(psa_key_slot_t key, */ typedef uint32_t psa_key_lifetime_t; -/** An invalid key lifetime value. - */ -#define PSA_KEY_LIFETIME_NONE ((psa_key_lifetime_t)0x00000000) - /** A volatile key slot retains its content as long as the application is * running. It is guaranteed to be erased on a power reset. */ -#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000001) +#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000) /** A persistent key slot retains its content as long as it is not explicitly * destroyed. */ -#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000002) +#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) /** A write-once key slot may not be modified once a key has been set. * It will retain its content as long as the device remains operational. From ea0500936eafd2db80c990c6fa770218a3f2c4fc Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Tue, 17 Apr 2018 00:31:34 -0700 Subject: [PATCH 06/10] Change behavior of psa_get_key_lifetime() psa_get_key_lifetime() behavior changed regarding empty slots, now it return the lifetime of and empty slots. Documentation in header file updated accordingly. --- include/psa/crypto.h | 12 ++---------- library/psa_crypto.c | 3 --- 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index ac763f973..07c1da1f9 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -103,10 +103,6 @@ typedef enum { * Applications may call this function more than once. Once a call * succeeds, subsequent calls are guaranteed to succeed. * - * \note Initial lifetime value for each key slot is initiated - * to PSA_KEY_LIFETIME_VOLATILE, user should change this value - * before calling psa_import_key() if needed. - * * \retval PSA_SUCCESS * \retval PSA_ERROR_INSUFFICIENT_MEMORY * \retval PSA_ERROR_COMMUNICATION_FAILURE 
@@ -609,9 +605,7 @@ typedef uint32_t psa_key_lifetime_t; * Success. * \retval PSA_ERROR_INVALID_ARGUMENT * The key slot is invalid, - * or the key data is not correctly formatted. - * \retval PSA_ERROR_EMPTY_SLOT - * The key slot is not occupied. + * or the key data is not correctly formatted. */ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); @@ -630,11 +624,9 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * \retval PSA_ERROR_INVALID_ARGUMENT * The key slot is invalid, * or the key data is not correctly formatted. - * \retval PSA_ERROR_EMPTY_SLOT - * The key slot is not occupied. */ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, - const psa_key_lifetime_t lifetime); + psa_key_lifetime_t lifetime); /**@}*/ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 152fb17bf..fef053919 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1274,9 +1274,6 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, return( PSA_ERROR_INVALID_ARGUMENT ); slot = &global_data.key_slots[key]; - - if( slot->type == PSA_KEY_TYPE_NONE ) - return( PSA_ERROR_EMPTY_SLOT ); *lifetime = slot->lifetime; From a7d245a4a220f7581ce9bf4497ab130a502d0730 Mon Sep 17 00:00:00 2001 From: mohammad1603 Date: Tue, 17 Apr 2018 00:40:08 -0700 Subject: [PATCH 07/10] Fix return error values description Fix return PSA_ERROR_INVALID_ARGUMENT description for psa_set_key_lifetime() and psa_get_key_lifetime() --- include/psa/crypto.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 07c1da1f9..658403232 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h 
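Review bot: `psa_get_key_lifetime` still stores through `lifetime` with no check, so a null output pointer is dereferenced instead of being reported; `if( lifetime == NULL ) return( PSA_ERROR_INVALID_ARGUMENT );` before the slot lookup would match the existing argument check. The header hunks drop the `PSA_ERROR_EMPTY_SLOT` entries but do not say what an empty slot now yields; a sentence such as `The slot need not be occupied; the lifetime currently assigned to the slot is returned.` on `psa_get_key_lifetime` would record the new behaviour. The removal also leaves a stray blank line after the `slot =` assignment.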
@@ -604,8 +604,7 @@ typedef uint32_t psa_key_lifetime_t; * \retval PSA_SUCCESS * Success. * \retval PSA_ERROR_INVALID_ARGUMENT - * The key slot is invalid, - * or the key data is not correctly formatted. + * The key slot is invalid. */ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); @@ -623,7 +622,7 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * Success. * \retval PSA_ERROR_INVALID_ARGUMENT * The key slot is invalid, - * or the key data is not correctly formatted. + * or the lifetime value is invalid. */ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t lifetime); From 8ca560293bae188211be21c96000c57b2bbcd409 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Apr 2018 14:07:59 +0200 Subject: [PATCH 08/10] Whitespace fixes --- include/psa/crypto.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 658403232..b18e22053 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -102,7 +102,7 @@ typedef enum { * * Applications may call this function more than once. Once a call * succeeds, subsequent calls are guaranteed to succeed. - * + * * \retval PSA_SUCCESS * \retval PSA_ERROR_INSUFFICIENT_MEMORY * \retval PSA_ERROR_COMMUNICATION_FAILURE @@ -596,11 +596,11 @@ typedef uint32_t psa_key_lifetime_t; /** \brief Retrieve the lifetime of a key slot. * * The assignment of lifetimes to slots is implementation-dependent. - * * \param key Slot whose content is to be exported. This must * be an occupied key slot. + * * \param lifetime On success, the lifetime value. - * + * * \retval PSA_SUCCESS * Success. * \retval PSA_ERROR_INVALID_ARGUMENT 
@@ -610,14 +610,15 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); /** \brief Change the lifetime of a key slot. + * * Whether the lifetime of a key slot can be changed at all, and if so * whether the lifetime of an occupied key slot can be changed, is * implementation-dependent. - * + * * \param key Slot whose content is to be exported. This must * be an occupied key slot. * \param lifetime The lifetime value to be set for the given key. - * + * * \retval PSA_SUCCESS * Success. * \retval PSA_ERROR_INVALID_ARGUMENT From 9bb53d7affd6aabd83ecb2bf45e058ebfdd0b0d8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Apr 2018 14:09:24 +0200 Subject: [PATCH 09/10] Fix copypasta in lifetime function descriptions --- include/psa/crypto.h | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index b18e22053..83e941f7e 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -596,9 +596,8 @@ typedef uint32_t psa_key_lifetime_t; /** \brief Retrieve the lifetime of a key slot. * * The assignment of lifetimes to slots is implementation-dependent. - * \param key Slot whose content is to be exported. This must - * be an occupied key slot. * + * \param key Slot to query. * \param lifetime On success, the lifetime value. * * \retval PSA_SUCCESS @@ -615,9 +614,8 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * whether the lifetime of an occupied key slot can be changed, is * implementation-dependent. * - * \param key Slot whose content is to be exported. This must - * be an occupied key slot. - * \param lifetime The lifetime value to be set for the given key. + * \param key Slot whose lifetime is to be changed. + * \param lifetime The lifetime value to set for the given key slot. * * \retval PSA_SUCCESS * Success. From f0c9dd37d2b16a3d6e1e612d8a7ccf9ff208ae1a Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Tue, 17 Apr 2018 14:11:07 +0200 Subject: [PATCH 10/10] Added possible error codes for lifetime functions --- include/psa/crypto.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/psa/crypto.h b/include/psa/crypto.h index 83e941f7e..07a120c42 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -604,6 +604,9 @@ typedef uint32_t psa_key_lifetime_t; * Success. * \retval PSA_ERROR_INVALID_ARGUMENT * The key slot is invalid. + * \retval PSA_ERROR_COMMUNICATION_FAILURE + * \retval PSA_ERROR_HARDWARE_FAILURE + * \retval PSA_ERROR_TAMPERING_DETECTED */ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t *lifetime); @@ -622,6 +625,15 @@ psa_status_t psa_get_key_lifetime(psa_key_slot_t key, * \retval PSA_ERROR_INVALID_ARGUMENT * The key slot is invalid, * or the lifetime value is invalid. + * \retval PSA_ERROR_NOT_SUPPORTED + * The implementation does not support the specified lifetime value, + * at least for the specified key slot. + * \retval PSA_ERROR_OCCUPIED_SLOT + * The slot contains a key, and the implementation does not support + * changing the lifetime of an occupied slot. + * \retval PSA_ERROR_COMMUNICATION_FAILURE + * \retval PSA_ERROR_HARDWARE_FAILURE + * \retval PSA_ERROR_TAMPERING_DETECTED */ psa_status_t psa_set_key_lifetime(psa_key_slot_t key, psa_key_lifetime_t lifetime);
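Review bot: The `PSA_ERROR_INVALID_ARGUMENT` text for `psa_set_key_lifetime`, `or the lifetime value is invalid`, does not distinguish the case from the newly documented `PSA_ERROR_NOT_SUPPORTED`, although the implementation returns the former for values that are not a defined lifetime and the latter for defined values it cannot apply. Phrasing it as `or \p lifetime is not a defined lifetime value.` makes the two cases separable for callers. The `PSA_ERROR_OCCUPIED_SLOT` entry is a good match for the current implementation, which refuses to change an occupied slot at all.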