Pass the key creation method to drivers

Pass the key creation method (import/generate/derive/copy) to the driver methods to allocate or validate a slot number. This allows drivers to enforce policies such as "this key slot can only be used for keys generated inside the secure element".
2019-08-05 16:44:14 +02:00 · 2019-08-05 16:44:14 +02:00 · e88c2c1338
commit e88c2c1338
parent df17914e01
5 changed files with 47 additions and 24 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -1506,16 +1506,6 @@ static psa_status_t psa_validate_key_attributes(
    return( PSA_SUCCESS );
 }

-/** An enumeration indicating how a key is created.
- */
-typedef enum
-{
-    PSA_KEY_CREATION_IMPORT,
-    PSA_KEY_CREATION_GENERATE,
-    PSA_KEY_CREATION_DERIVE,
-    PSA_KEY_CREATION_COPY,
-} psa_key_creation_method_t;
-
 /** Prepare a key slot to receive key material.
 *
 * This function allocates a key slot and sets its metadata.
@ -1595,7 +1585,7 @@ static psa_status_t psa_start_key_creation(
     * we can roll back to a state where the key doesn't exist. */
    if( *p_drv != NULL )
    {
-        status = psa_find_se_slot_for_key( attributes, *p_drv,
+        status = psa_find_se_slot_for_key( attributes, method, *p_drv,
                                           &slot->data.se.slot_number );
        if( status != PSA_SUCCESS )
            return( status );
--- a/library/psa_crypto_se.c
+++ b/library/psa_crypto_se.c
@ -197,6 +197,7 @@ psa_status_t psa_destroy_se_persistent_data( psa_key_lifetime_t lifetime )

 psa_status_t psa_find_se_slot_for_key(
    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
    psa_se_drv_table_entry_t *driver,
    psa_key_slot_number_t *slot_number )
 {
@ -220,7 +221,8 @@ psa_status_t psa_find_se_slot_for_key(
            driver->methods->key_management->p_validate_slot_number;
        if( p_validate_slot_number == NULL )
            return( PSA_ERROR_NOT_SUPPORTED );
-        status = p_validate_slot_number( &driver->context, attributes,
+        status = p_validate_slot_number( &driver->context,
+                                         attributes, method,
                                         *slot_number );
    }
    else
@ -233,7 +235,7 @@ psa_status_t psa_find_se_slot_for_key(
            return( PSA_ERROR_NOT_SUPPORTED );
        status = p_allocate( &driver->context,
                             driver->internal.persistent_data,
-                             attributes,
+                             attributes, method,
                             slot_number );
    }
    return( status );
--- a/library/psa_crypto_se.h
+++ b/library/psa_crypto_se.h
@ -135,6 +135,7 @@ psa_drv_se_context_t *psa_get_se_driver_context(
 */
 psa_status_t psa_find_se_slot_for_key(
    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
    psa_se_drv_table_entry_t *driver,
    psa_key_slot_number_t *slot_number );