Merge pull request #3527 from ronald-cron-arm/key-extended-id

PSA key identifiers rework

library/psa_crypto_se.h

@@ -45,7 +45,7 @@
 /** The base of the range of ITS file identifiers for secure element
  * driver persistent data.
  *
- * We use a slice of the implemenation reserved range 0xffff0000..0xffffffff,
+ * We use a slice of the implementation reserved range 0xffff0000..0xffffffff,
  * specifically the range 0xfffffe00..0xfffffeff. The length of this range
  * drives the value of #PSA_MAX_SE_LOCATION. The identifier 0xfffffe00 is
  * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE

library/psa_crypto_slot_management.c

@@ -157,16 +157,15 @@ exit:
  * past released version must remain valid, unless a migration path
  * is provided.
  *
- * \param file_id       The key identifier to check.
- * \param vendor_ok     Nonzero to allow key ids in the vendor range.
- *                      0 to allow only key ids in the application range.
+ * \param key        The key identifier to check.
+ * \param vendor_ok  Nonzero to allow key ids in the vendor range.
+ *                   0 to allow only key ids in the application range.
  *
- * \return              1 if \p file_id is acceptable, otherwise 0.
+ * \return           1 if \p key is acceptable, otherwise 0.
  */
-static int psa_is_key_id_valid( psa_key_file_id_t file_id,
-                                int vendor_ok )
+static int psa_is_key_id_valid( mbedtls_svc_key_id_t key, int vendor_ok )
 {
-    psa_app_key_id_t key_id = PSA_KEY_FILE_GET_KEY_ID( file_id );
+    psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
     if( PSA_KEY_ID_USER_MIN <= key_id && key_id <= PSA_KEY_ID_USER_MAX )
         return( 1 );
     else if( vendor_ok &&
@@ -204,7 +203,7 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
 }
 
 psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
-                                           psa_key_id_t key_id )
+                                           mbedtls_svc_key_id_t key )
 {
     if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
     {
@@ -215,19 +214,19 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
     {
         /* Persistent keys require storage support */
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-        if( psa_is_key_id_valid( key_id,
+        if( psa_is_key_id_valid( key,
                                  psa_key_lifetime_is_external( lifetime ) ) )
             return( PSA_SUCCESS );
         else
             return( PSA_ERROR_INVALID_ARGUMENT );
 #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
-        (void) key_id;
+        (void) key;
         return( PSA_ERROR_NOT_SUPPORTED );
 #endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
     }
 }
 
-psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
+psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
 {
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
     psa_status_t status;
@@ -235,7 +234,7 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
 
     *handle = 0;
 
-    if( ! psa_is_key_id_valid( id, 1 ) )
+    if( ! psa_is_key_id_valid( key, 1 ) )
         return( PSA_ERROR_INVALID_ARGUMENT );
 
     status = psa_get_empty_key_slot( handle, &slot );
@@ -243,7 +242,7 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
         return( status );
 
     slot->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
-    slot->attr.id = id;
+    slot->attr.id = key;
 
     status = psa_load_persistent_key_into_slot( slot );
     if( status != PSA_SUCCESS )
@@ -254,7 +253,7 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
     return( status );
 
 #else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
-    (void) id;
+    (void) key;
     *handle = 0;
     return( PSA_ERROR_NOT_SUPPORTED );
 #endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
@@ -291,14 +290,14 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats )
             ++stats->volatile_slots;
         else if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
         {
-            psa_app_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
+            psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id );
             ++stats->persistent_slots;
             if( id > stats->max_open_internal_key_id )
                 stats->max_open_internal_key_id = id;
         }
         else
         {
-            psa_app_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
+            psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id );
             ++stats->external_slots;
             if( id > stats->max_open_external_key_id )
                 stats->max_open_external_key_id = id;

library/psa_crypto_slot_management.h

@@ -113,14 +113,13 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
  * This function checks whether a key's declared persistence level and key ID
  * attributes are valid and known to the PSA Core in its actual configuration.
  *
- * \param[in] lifetime    The key lifetime attribute.
- * \param[in] key_id      The key ID attribute
+ * \param[in] lifetime  The key lifetime attribute.
+ * \param[in] key       The key identifier.
  *
  * \retval #PSA_SUCCESS
  * \retval #PSA_ERROR_INVALID_ARGUMENT
  */
 psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime,
-                                           psa_key_id_t key_id );
-
+                                           mbedtls_svc_key_id_t key );
 
 #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */

library/psa_crypto_storage.c

@@ -55,27 +55,27 @@
 /* Key storage */
 /****************************************************************/
 
-/* Determine a file name (ITS file identifier) for the given key file
- * identifier. The file name must be distinct from any file that is used
- * for a purpose other than storing a key. Currently, the only such file
- * is the random seed file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID
- * and whose value is 0xFFFFFF52. */
-static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id )
+/* Determine a file name (ITS file identifier) for the given key identifier.
+ * The file name must be distinct from any file that is used for a purpose
+ * other than storing a key. Currently, the only such file is the random seed
+ * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is
+ * 0xFFFFFF52. */
+static psa_storage_uid_t psa_its_identifier_of_slot( mbedtls_svc_key_id_t key )
 {
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) && \
-    defined(PSA_CRYPTO_SECURE)
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
     /* Encode the owner in the upper 32 bits. This means that if
      * owner values are nonzero (as they are on a PSA platform),
      * no key file will ever have a value less than 0x100000000, so
      * the whole range 0..0xffffffff is available for non-key files. */
-    uint32_t unsigned_owner = (uint32_t) file_id.owner;
-    return( (uint64_t) unsigned_owner << 32 | file_id.key_id );
+    uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( key );
+    return(  ( (uint64_t) unsigned_owner_id << 32 ) |
+             MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ) );
 #else
     /* Use the key id directly as a file name.
-     * psa_is_key_file_id_valid() in psa_crypto_slot_management.c
+     * psa_is_key_id_valid() in psa_crypto_slot_management.c
      * is responsible for ensuring that key identifiers do not have a
      * value that is reserved for non-key files. */
-    return( file_id );
+    return( key );
 #endif
 }
 
@@ -94,9 +94,8 @@ static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id )
  * \retval PSA_ERROR_STORAGE_FAILURE
  * \retval PSA_ERROR_DOES_NOT_EXIST
  */
-static psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key,
-                                             uint8_t *data,
-                                             size_t data_size )
+static psa_status_t psa_crypto_storage_load(
+    const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size )
 {
     psa_status_t status;
     psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key );
@@ -114,7 +113,7 @@ static psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key,
     return( status );
 }
 
-int psa_is_key_present_in_storage( const psa_key_file_id_t key )
+int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key )
 {
     psa_status_t ret;
     psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key );
@@ -143,7 +142,7 @@ int psa_is_key_present_in_storage( const psa_key_file_id_t key )
  * \retval PSA_ERROR_STORAGE_FAILURE
  * \retval PSA_ERROR_ALREADY_EXISTS
  */
-static psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key,
+static psa_status_t psa_crypto_storage_store( const mbedtls_svc_key_id_t key,
                                               const uint8_t *data,
                                               size_t data_length )
 {
@@ -184,7 +183,7 @@ exit:
     return( status );
 }
 
-psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key )
+psa_status_t psa_destroy_persistent_key( const mbedtls_svc_key_id_t key )
 {
     psa_status_t ret;
     psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key );
@@ -215,7 +214,7 @@ psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key )
  * \retval PSA_ERROR_STORAGE_FAILURE
  */
 static psa_status_t psa_crypto_storage_get_data_length(
-    const psa_key_file_id_t key,
+    const mbedtls_svc_key_id_t key,
     size_t *data_length )
 {
     psa_status_t status;
@@ -394,7 +393,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr,
     psa_status_t status = PSA_SUCCESS;
     uint8_t *loaded_data;
     size_t storage_data_length = 0;
-    psa_key_id_t key = attr->id;
+    mbedtls_svc_key_id_t key = attr->id;
 
     status = psa_crypto_storage_get_data_length( key, &storage_data_length );
     if( status != PSA_SUCCESS )

library/psa_crypto_storage.h

@@ -72,7 +72,7 @@ extern "C" {
  * \retval 1
  *         Persistent data present for slot number
  */
-int psa_is_key_present_in_storage( const psa_key_file_id_t key );
+int psa_is_key_present_in_storage( const mbedtls_svc_key_id_t key );
 
 /**
  * \brief Format key data and metadata and save to a location for given key
@@ -141,7 +141,7 @@ psa_status_t psa_load_persistent_key( psa_core_key_attributes_t *attr,
  *         or the key did not exist.
  * \retval PSA_ERROR_STORAGE_FAILURE
  */
-psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key );
+psa_status_t psa_destroy_persistent_key( const mbedtls_svc_key_id_t key );
 
 /**
  * \brief Free the temporary buffer allocated by psa_load_persistent_key().
@@ -292,7 +292,7 @@ typedef union
         uint16_t unused1;
         psa_key_lifetime_t lifetime;
         psa_key_slot_number_t slot;
-        psa_key_id_t id;
+        mbedtls_svc_key_id_t id;
     } key;
 } psa_crypto_transaction_t;
 

library/version_features.c

@@ -417,9 +417,9 @@ static const char * const features[] = {
 #if defined(MBEDTLS_ENTROPY_NV_SEED)
     "MBEDTLS_ENTROPY_NV_SEED",
 #endif /* MBEDTLS_ENTROPY_NV_SEED */
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
-    "MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER",
-#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER",
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
 #if defined(MBEDTLS_MEMORY_DEBUG)
     "MBEDTLS_MEMORY_DEBUG",
 #endif /* MBEDTLS_MEMORY_DEBUG */