Split 'validate persistent key parameters' into independent validatio…

…n of location and persistence Signed-off-by: Steven Cooreman <[email protected]>
Mbed-TLS · Jun 8, 2020 · 62ec1d4 · 62ec1d4
1 parent 5cbe193
commit 62ec1d4
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 64 deletions.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -1498,16 +1498,15 @@ static psa_status_t psa_validate_key_attributes(
     const psa_key_attributes_t *attributes,
     psa_se_drv_table_entry_t **p_drv )
 {
-    psa_status_t status;
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
 
-    if( ! PSA_KEY_LIFETIME_IS_VOLATILE( attributes->core.lifetime ) )
-    {
-        status = psa_validate_persistent_key_parameters(
-            attributes->core.lifetime, attributes->core.id,
-            p_drv, 1 );
-        if( status != PSA_SUCCESS )
-            return( status );
-    }
+    status = psa_validate_key_location( attributes, p_drv );
+    if( status != PSA_SUCCESS )
+        return( status );
+
+    status = psa_validate_key_persistence( attributes );
+    if( status != PSA_SUCCESS )
+        return( status );
 
     status = psa_validate_key_policy( &attributes->core.policy );
     if( status != PSA_SUCCESS )

diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
@@ -183,39 +183,54 @@ static int psa_is_key_id_valid( psa_key_file_id_t file_id,
 }
 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
 
-psa_status_t psa_validate_persistent_key_parameters(
-    psa_key_lifetime_t lifetime,
-    psa_key_file_id_t id,
-    psa_se_drv_table_entry_t **p_drv,
-    int creating )
+psa_status_t psa_validate_key_location( const psa_key_attributes_t *attributes,
+                                        psa_se_drv_table_entry_t **p_drv )
 {
-    if( p_drv != NULL )
-        *p_drv = NULL;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    if( psa_key_lifetime_is_external( lifetime ) )
+    psa_key_lifetime_t lifetime = psa_get_key_lifetime( attributes );
+    if ( psa_key_lifetime_is_external( lifetime ) )
     {
-        *p_drv = psa_get_se_driver_entry( lifetime );
-        if( *p_drv == NULL )
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+        psa_se_drv_table_entry_t *p_drv_e = psa_get_se_driver_entry( lifetime );
+        if( p_drv_e == NULL )
             return( PSA_ERROR_INVALID_ARGUMENT );
+        else
+        {
+            if (p_drv != NULL)
+                *p_drv = p_drv_e;
+            return( PSA_SUCCESS );
+        }
+#else
+        (void) p_drv;
+        return( PSA_ERROR_INVALID_ARGUMENT );
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
     }
     else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-    if( ( PSA_KEY_LIFETIME_GET_LOCATION( lifetime )
-            != PSA_KEY_LOCATION_LOCAL_STORAGE ) ||
-        ( PSA_KEY_LIFETIME_GET_PERSISTENCE( lifetime )
-            != PSA_KEY_PERSISTENCE_DEFAULT ) )
-        return( PSA_ERROR_INVALID_ARGUMENT );
+        /* Local/internal keys are always valid */
+        return( PSA_SUCCESS );
+}
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-    if( ! psa_is_key_id_valid( id, ! creating ) )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-    return( PSA_SUCCESS );
+psa_status_t psa_validate_key_persistence( const psa_key_attributes_t *attributes )
+{
+    psa_key_lifetime_t lifetime = psa_get_key_lifetime( attributes );
 
+    if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
+    {
+        /* Volatile keys are always supported */
+        return( PSA_SUCCESS );
+    }
+    else
+    {
+        /* Persistent keys require storage support */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+        if( psa_is_key_id_valid( psa_get_key_id( attributes ),
+                                 psa_key_lifetime_is_external( lifetime ) ) )
+            return( PSA_SUCCESS );
+        else
+            return( PSA_ERROR_INVALID_ARGUMENT );
 #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
-    (void) id;
-    (void) creating;
-    return( PSA_ERROR_NOT_SUPPORTED );
+        return( PSA_ERROR_NOT_SUPPORTED );
 #endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
+    }
 }
 
 psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
@@ -226,10 +241,8 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
 
     *handle = 0;
 
-    status = psa_validate_persistent_key_parameters(
-        PSA_KEY_LIFETIME_PERSISTENT, id, NULL, 0 );
-    if( status != PSA_SUCCESS )
-        return( status );
+    if( ! psa_is_key_id_valid( id, 1 ) )
+        return( PSA_ERROR_INVALID_ARGUMENT );
 
     status = psa_get_empty_key_slot( handle, &slot );
     if( status != PSA_SUCCESS )

diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
@@ -92,38 +92,33 @@ static inline int psa_key_lifetime_is_external( psa_key_lifetime_t lifetime )
                 != PSA_KEY_LOCATION_LOCAL_STORAGE );
 }
 
-/** Test whether the given parameters are acceptable for a persistent key.
+/** Validate that a key's attributes point to a known location.
  *
- * This function does not access the storage in any way. It only tests
- * whether the parameters are meaningful and permitted by general policy.
- * It does not test whether the a file by the given id exists or could be
- * created.
+ * This function checks whether the key's attributes point to a location that
+ * is known to the PSA Core, and returns the driver function table if the key
+ * is to be found in an external location.
  *
- * If the key is in external storage, this function returns the corresponding
- * driver.
+ * \param[in] attributes    The key attributes.
+ * \param[out] p_drv        On success, when a key is located in external
+ *                          storage, returns a pointer to the driver table
+ *                          associated with the key's storage location.
  *
- * \param lifetime      The lifetime to test.
- * \param id            The key id to test.
- * \param[out] p_drv    On output, if \p lifetime designates a key
- *                      in an external processor, \c *p_drv is a pointer
- *                      to the driver table entry fot this lifetime.
- *                      If \p lifetime designates a transparent key,
- *                      \c *p_drv is \c NULL.
- * \param creating      0 if attempting to open an existing key.
- *                      Nonzero if attempting to create a key.
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_validate_key_location( const psa_key_attributes_t *attributes,
+                                        psa_se_drv_table_entry_t **p_drv );
+
+/** Validate that a key's persistence is consistent.
  *
- * \retval PSA_SUCCESS
- *         The given parameters are valid.
- * \retval PSA_ERROR_INVALID_ARGUMENT
- *         \p lifetime is volatile or is invalid.
- * \retval PSA_ERROR_INVALID_ARGUMENT
- *         \p id is invalid.
+ * This function checks whether a key's persistence attribute is consistent.
+ *
+ * \param[in] attributes    The key attributes.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
  */
-psa_status_t psa_validate_persistent_key_parameters(
-    psa_key_lifetime_t lifetime,
-    psa_key_file_id_t id,
-    psa_se_drv_table_entry_t **p_drv,
-    int creating );
+psa_status_t psa_validate_key_persistence( const psa_key_attributes_t *attributes );
 
 
 #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */