Fix policy validity check on key creation.

gilles-peskine-arm · gilles-peskine-arm · commit 3825e14e6518 · 2019-07-31T16:54:38.000+02:00
Add a non-regression test.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -1469,10 +1469,6 @@ static psa_status_t psa_start_key_creation(
             return( status );
     }
 
-    status = psa_check_key_slot_policy( slot );
-    if( status != PSA_SUCCESS )
-        return( status );
-
     /* Refuse to create overly large keys.
      * Note that this doesn't trigger on import if the attributes don't
      * explicitly specify a size (so psa_get_key_bits returns 0), so
@@ -1487,6 +1483,10 @@ static psa_status_t psa_start_key_creation(
 
     slot->attr = attributes->core;
 
+    status = psa_check_key_slot_policy( slot );
+    if( status != PSA_SUCCESS )
+        return( status );
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
     /* For a key in a secure element, we need to do three things:
      * create the key file in internal storage, create the
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
@@ -52,6 +52,9 @@ invalid_handle:1
 PSA invalid handle (largest plausible handle)
 invalid_handle:-1
 
+PSA import: bad usage flag
+import_with_policy:PSA_KEY_TYPE_RAW_DATA:0x40000000:0:PSA_ERROR_INVALID_ARGUMENT
+
 PSA import: invalid type (0)
 import_with_policy:PSA_KEY_TYPE_NONE:0:0:PSA_ERROR_NOT_SUPPORTED
 
