Simplify key checking

Signed-off-by: Steven Cooreman <[email protected]>
Mbed-TLS · Jun 2, 2020 · 68e9556 · 68e9556
1 parent 059c721
commit 68e9556
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 79 deletions.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -1498,16 +1498,46 @@ static psa_status_t psa_validate_key_attributes(
     const psa_key_attributes_t *attributes,
     psa_se_drv_table_entry_t **p_drv )
 {
-    psa_status_t status;
+    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+    psa_key_lifetime_t lifetime = psa_get_key_lifetime( attributes );
 
-    if( ! PSA_KEY_LIFETIME_IS_VOLATILE( attributes->core.lifetime ) )
+    /* Check there is a proper handler for this lifetime */
+    if ( PSA_KEY_LIFETIME_GET_LOCATION( lifetime )
+         != PSA_KEY_LOCATION_LOCAL_STORAGE )
     {
-        status = psa_validate_persistent_key_parameters(
-            attributes->core.lifetime, attributes->core.id,
-            p_drv, 1 );
-        if( status != PSA_SUCCESS )
-            return( status );
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+        psa_se_drv_table_entry_t *p_drv_e = psa_get_se_driver_entry( lifetime );
+        if( p_drv_e == NULL )
+            status = PSA_ERROR_INVALID_ARGUMENT;
+        else
+        {
+            if (p_drv != NULL)
+                *p_drv = p_drv_e;
+            status = PSA_SUCCESS;
+        }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
     }
+    else
+    {
+        if( ! PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) {
+            /* PSA Core needs storage to support persistent local keys */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+            psa_key_id_t key_id = psa_get_key_id( attributes );
+            if( PSA_KEY_ID_USER_MIN <= key_id && key_id <= PSA_KEY_ID_USER_MAX )
+                status = PSA_SUCCESS;
+            else
+                status = PSA_ERROR_INVALID_ARGUMENT;
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+            status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
+        } else {
+            /* PSA Core is always able to store a volatile key internally */
+            status = PSA_SUCCESS;
+        }
+    }
+
+    if( status != PSA_SUCCESS )
+        return( status );
 
     status = psa_validate_key_policy( &attributes->core.policy );
     if( status != PSA_SUCCESS )

diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
@@ -183,41 +183,6 @@ static int psa_is_key_id_valid( psa_key_file_id_t file_id,
 }
 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
 
-psa_status_t psa_validate_persistent_key_parameters(
-    psa_key_lifetime_t lifetime,
-    psa_key_file_id_t id,
-    psa_se_drv_table_entry_t **p_drv,
-    int creating )
-{
-    if( p_drv != NULL )
-        *p_drv = NULL;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    if( psa_key_lifetime_is_external( lifetime ) )
-    {
-        *p_drv = psa_get_se_driver_entry( lifetime );
-        if( *p_drv == NULL )
-            return( PSA_ERROR_INVALID_ARGUMENT );
-    }
-    else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-    if( ( PSA_KEY_LIFETIME_GET_LOCATION( lifetime )
-            != PSA_KEY_LOCATION_LOCAL_STORAGE ) ||
-        ( PSA_KEY_LIFETIME_GET_PERSISTENCE( lifetime )
-            != PSA_KEY_PERSISTENCE_DEFAULT ) )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-    if( ! psa_is_key_id_valid( id, ! creating ) )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-    return( PSA_SUCCESS );
-
-#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
-    (void) id;
-    (void) creating;
-    return( PSA_ERROR_NOT_SUPPORTED );
-#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
-}
-
 psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
 {
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
@@ -226,10 +191,8 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
 
     *handle = 0;
 
-    status = psa_validate_persistent_key_parameters(
-        PSA_KEY_LIFETIME_PERSISTENT, id, NULL, 0 );
-    if( status != PSA_SUCCESS )
-        return( status );
+    if( ! psa_is_key_id_valid( id, 1 ) )
+        return( PSA_ERROR_INVALID_ARGUMENT );
 
     status = psa_get_empty_key_slot( handle, &slot );
     if( status != PSA_SUCCESS )

diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
@@ -92,38 +92,5 @@ static inline int psa_key_lifetime_is_external( psa_key_lifetime_t lifetime )
                 != PSA_KEY_LOCATION_LOCAL_STORAGE );
 }
 
-/** Test whether the given parameters are acceptable for a persistent key.
- *
- * This function does not access the storage in any way. It only tests
- * whether the parameters are meaningful and permitted by general policy.
- * It does not test whether the a file by the given id exists or could be
- * created.
- *
- * If the key is in external storage, this function returns the corresponding
- * driver.
- *
- * \param lifetime      The lifetime to test.
- * \param id            The key id to test.
- * \param[out] p_drv    On output, if \p lifetime designates a key
- *                      in an external processor, \c *p_drv is a pointer
- *                      to the driver table entry fot this lifetime.
- *                      If \p lifetime designates a transparent key,
- *                      \c *p_drv is \c NULL.
- * \param creating      0 if attempting to open an existing key.
- *                      Nonzero if attempting to create a key.
- *
- * \retval PSA_SUCCESS
- *         The given parameters are valid.
- * \retval PSA_ERROR_INVALID_ARGUMENT
- *         \p lifetime is volatile or is invalid.
- * \retval PSA_ERROR_INVALID_ARGUMENT
- *         \p id is invalid.
- */
-psa_status_t psa_validate_persistent_key_parameters(
-    psa_key_lifetime_t lifetime,
-    psa_key_file_id_t id,
-    psa_se_drv_table_entry_t **p_drv,
-    int creating );
-
 
 #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */