Change key types to a 16-bit encoding

All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.

Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.

Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.

Reorder psa_core_key_attributes_t to avoid padding.

Author: gilles-peskine-arm

include/psa/crypto_extra.h

@@ -329,7 +329,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
  * string. The length of the byte string is the length of the base prime `p`
  * in bytes.
  */
-#define PSA_KEY_TYPE_DSA_PUBLIC_KEY             ((psa_key_type_t)0x60040000)
+#define PSA_KEY_TYPE_DSA_PUBLIC_KEY                 ((psa_key_type_t)0x6004)
 
 /** DSA key pair (private and public key).
  *
@@ -347,7 +347,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
  * Add 1 to the resulting integer and use this as the private key *x*.
  *
  */
-#define PSA_KEY_TYPE_DSA_KEY_PAIR                ((psa_key_type_t)0x70040000)
+#define PSA_KEY_TYPE_DSA_KEY_PAIR                    ((psa_key_type_t)0x7004)
 
 /** Whether a key type is an DSA key (pair or public-only). */
 #define PSA_KEY_TYPE_IS_DSA(type)                                       \
@@ -418,9 +418,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
  * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_GROUP_CUSTOM), the group data comes
  * from domain parameters set by psa_set_key_domain_parameters().
  */
-/* This value is a deprecated value meaning an explicit curve in the IANA
- * registry. */
-#define PSA_DH_GROUP_CUSTOM             ((psa_dh_group_t) 0xff01)
+#define PSA_DH_GROUP_CUSTOM             ((psa_dh_group_t) 0x80)
 
 
 /**

include/psa/crypto_struct.h

@@ -330,14 +330,14 @@ typedef uint16_t psa_key_attributes_flag_t;
 typedef struct
 {
     psa_key_type_t type;
+    psa_key_bits_t bits;
     psa_key_lifetime_t lifetime;
     psa_key_id_t id;
     psa_key_policy_t policy;
-    psa_key_bits_t bits;
     psa_key_attributes_flag_t flags;
 } psa_core_key_attributes_t;
 
-#define PSA_CORE_KEY_ATTRIBUTES_INIT {0, 0, PSA_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0, 0}
+#define PSA_CORE_KEY_ATTRIBUTES_INIT {PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, PSA_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0}
 
 struct psa_key_attributes_s
 {

include/psa/crypto_types.h

@@ -63,23 +63,23 @@ typedef int32_t psa_status_t;
 
 /** \brief Encoding of a key type.
  */
-typedef uint32_t psa_key_type_t;
+typedef uint16_t psa_key_type_t;
 
 /** The type of PSA elliptic curve family identifiers.
  *
  * The curve identifier is required to create an ECC key using the
  * PSA_KEY_TYPE_ECC_KEY_PAIR() or PSA_KEY_TYPE_ECC_PUBLIC_KEY()
  * macros.
  */
-typedef uint32_t psa_ecc_curve_t;
+typedef uint8_t psa_ecc_curve_t;
 
 /** The type of PSA Diffie-Hellman group family identifiers.
  *
  * The group identifier is required to create an Diffie-Hellman key using the
  * PSA_KEY_TYPE_DH_KEY_PAIR() or PSA_KEY_TYPE_DH_PUBLIC_KEY()
  * macros.
  */
-typedef uint32_t psa_dh_group_t;
+typedef uint8_t psa_dh_group_t;
 
 /** \brief Encoding of a cryptographic algorithm.
  *

include/psa/crypto_values.h

@@ -282,7 +282,7 @@
  *
  * Zero is not the encoding of any key type.
  */
-#define PSA_KEY_TYPE_NONE                       ((psa_key_type_t)0x00000000)
+#define PSA_KEY_TYPE_NONE                           ((psa_key_type_t)0x0000)
 
 /** Vendor-defined key type flag.
  *
@@ -291,15 +291,15 @@
  * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should
  * respect the bitwise structure used by standard encodings whenever practical.
  */
-#define PSA_KEY_TYPE_VENDOR_FLAG                ((psa_key_type_t)0x80000000)
+#define PSA_KEY_TYPE_VENDOR_FLAG                    ((psa_key_type_t)0x8000)
 
-#define PSA_KEY_TYPE_CATEGORY_MASK              ((psa_key_type_t)0x70000000)
-#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC         ((psa_key_type_t)0x40000000)
-#define PSA_KEY_TYPE_CATEGORY_RAW               ((psa_key_type_t)0x50000000)
-#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY        ((psa_key_type_t)0x60000000)
-#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR          ((psa_key_type_t)0x70000000)
+#define PSA_KEY_TYPE_CATEGORY_MASK                  ((psa_key_type_t)0x7000)
+#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC             ((psa_key_type_t)0x4000)
+#define PSA_KEY_TYPE_CATEGORY_RAW                   ((psa_key_type_t)0x5000)
+#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY            ((psa_key_type_t)0x6000)
+#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR              ((psa_key_type_t)0x7000)
 
-#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR         ((psa_key_type_t)0x10000000)
+#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR             ((psa_key_type_t)0x1000)
 
 /** Whether a key type is vendor-defined.
  *
@@ -313,7 +313,7 @@
  * This encompasses both symmetric keys and non-key data.
  */
 #define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
-    (((type) & PSA_KEY_TYPE_CATEGORY_MASK & ~(psa_key_type_t)0x10000000) == \
+    (((type) & PSA_KEY_TYPE_CATEGORY_MASK & ~(psa_key_type_t)0x1000) == \
      PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
 
 /** Whether a key type is asymmetric: either a key pair or a public key. */
@@ -357,7 +357,7 @@
  *
  * A "key" of this type cannot be used for any cryptographic operation.
  * Applications may use this type to store arbitrary data in the keystore. */
-#define PSA_KEY_TYPE_RAW_DATA                   ((psa_key_type_t)0x50010000)
+#define PSA_KEY_TYPE_RAW_DATA                       ((psa_key_type_t)0x5001)
 
 /** HMAC key.
  *
@@ -367,21 +367,21 @@
  * HMAC keys should generally have the same size as the underlying hash.
  * This size can be calculated with #PSA_HASH_SIZE(\c alg) where
  * \c alg is the HMAC algorithm or the underlying hash algorithm. */
-#define PSA_KEY_TYPE_HMAC                       ((psa_key_type_t)0x51000000)
+#define PSA_KEY_TYPE_HMAC                           ((psa_key_type_t)0x5100)
 
 /** A secret for key derivation.
  *
  * The key policy determines which key derivation algorithm the key
  * can be used for.
  */
-#define PSA_KEY_TYPE_DERIVE                     ((psa_key_type_t)0x52000000)
+#define PSA_KEY_TYPE_DERIVE                         ((psa_key_type_t)0x5200)
 
 /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
  *
  * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
  * 32 bytes (AES-256).
  */
-#define PSA_KEY_TYPE_AES                        ((psa_key_type_t)0x44020000)
+#define PSA_KEY_TYPE_AES                            ((psa_key_type_t)0x4402)
 
 /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
  *
@@ -392,17 +392,17 @@
  * deprecated and should only be used to decrypt legacy data. 3-key 3DES
  * is weak and deprecated and should only be used in legacy protocols.
  */
-#define PSA_KEY_TYPE_DES                        ((psa_key_type_t)0x43020000)
+#define PSA_KEY_TYPE_DES                            ((psa_key_type_t)0x4302)
 
 /** Key for a cipher, AEAD or MAC algorithm based on the
  * Camellia block cipher. */
-#define PSA_KEY_TYPE_CAMELLIA                   ((psa_key_type_t)0x44040000)
+#define PSA_KEY_TYPE_CAMELLIA                       ((psa_key_type_t)0x4404)
 
 /** Key for the RC4 stream cipher.
  *
  * Note that RC4 is weak and deprecated and should only be used in
  * legacy protocols. */
-#define PSA_KEY_TYPE_ARC4                       ((psa_key_type_t)0x40020000)
+#define PSA_KEY_TYPE_ARC4                           ((psa_key_type_t)0x4002)
 
 /** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
  *
@@ -411,19 +411,19 @@
  * Implementations must support 12-byte nonces, may support 8-byte nonces,
  * and should reject other sizes.
  */
-#define PSA_KEY_TYPE_CHACHA20                   ((psa_key_type_t)0x40040000)
+#define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t)0x4004)
 
 /** RSA public key. */
-#define PSA_KEY_TYPE_RSA_PUBLIC_KEY             ((psa_key_type_t)0x60020000)
+#define PSA_KEY_TYPE_RSA_PUBLIC_KEY                 ((psa_key_type_t)0x6002)
 /** RSA key pair (private and public key). */
-#define PSA_KEY_TYPE_RSA_KEY_PAIR                ((psa_key_type_t)0x70020000)
+#define PSA_KEY_TYPE_RSA_KEY_PAIR                   ((psa_key_type_t)0x7002)
 /** Whether a key type is an RSA key (pair or public-only). */
 #define PSA_KEY_TYPE_IS_RSA(type)                                       \
     (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
 
-#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE        ((psa_key_type_t)0x61000000)
-#define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE           ((psa_key_type_t)0x71000000)
-#define PSA_KEY_TYPE_ECC_CURVE_MASK             ((psa_key_type_t)0x00ffffff)
+#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE            ((psa_key_type_t)0x6100)
+#define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE              ((psa_key_type_t)0x7100)
+#define PSA_KEY_TYPE_ECC_CURVE_MASK                 ((psa_key_type_t)0x00ff)
 /** Elliptic curve key pair.
  *
  * \param curve     A value of type ::psa_ecc_curve_t that identifies the
@@ -466,7 +466,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECP_K1         ((psa_ecc_curve_t) 0x160000)
+#define PSA_ECC_CURVE_SECP_K1           ((psa_ecc_curve_t) 0x16)
 
 /** SEC random curves over prime fields.
  *
@@ -476,9 +476,9 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECP_R1         ((psa_ecc_curve_t) 0x120000)
+#define PSA_ECC_CURVE_SECP_R1           ((psa_ecc_curve_t) 0x12)
 /* SECP160R2 (SEC2 v1, obsolete) */
-#define PSA_ECC_CURVE_SECP_R2         ((psa_ecc_curve_t) 0x1a0000)
+#define PSA_ECC_CURVE_SECP_R2           ((psa_ecc_curve_t) 0x1a)
 
 /** SEC Koblitz curves over binary fields.
  *
@@ -488,7 +488,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECT_K1         ((psa_ecc_curve_t) 0x260000)
+#define PSA_ECC_CURVE_SECT_K1           ((psa_ecc_curve_t) 0x26)
 
 /** SEC random curves over binary fields.
  *
@@ -498,7 +498,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECT_R1         ((psa_ecc_curve_t) 0x220000)
+#define PSA_ECC_CURVE_SECT_R1           ((psa_ecc_curve_t) 0x22)
 
 /** SEC additional random curves over binary fields.
  *
@@ -508,7 +508,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECT_R2         ((psa_ecc_curve_t) 0x2a0000)
+#define PSA_ECC_CURVE_SECT_R2           ((psa_ecc_curve_t) 0x2a)
 
 /** Brainpool P random curves.
  *
@@ -517,7 +517,7 @@
  * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
  * It is defined in RFC 5639.
  */
-#define PSA_ECC_CURVE_BRAINPOOL_P_R1  ((psa_ecc_curve_t) 0x300000)
+#define PSA_ECC_CURVE_BRAINPOOL_P_R1    ((psa_ecc_curve_t) 0x30)
 
 /** Curve25519 and Curve448.
  *
@@ -529,11 +529,11 @@
  *   _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
  *   The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
  */
-#define PSA_ECC_CURVE_XED             ((psa_ecc_curve_t) 0x400000)
+#define PSA_ECC_CURVE_XED               ((psa_ecc_curve_t) 0x40)
 
-#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE         ((psa_key_type_t)0x62000000)
-#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE            ((psa_key_type_t)0x72000000)
-#define PSA_KEY_TYPE_DH_GROUP_MASK              ((psa_key_type_t)0x00ffffff)
+#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE             ((psa_key_type_t)0x6200)
+#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE               ((psa_key_type_t)0x7200)
+#define PSA_KEY_TYPE_DH_GROUP_MASK                  ((psa_key_type_t)0x00ff)
 /** Diffie-Hellman key pair.
  *
  * \param group     A value of type ::psa_dh_group_t that identifies the
@@ -577,7 +577,7 @@
 #define PSA_DH_GROUP_RFC7919            ((psa_dh_group_t) 0x02)
 
 #define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type)      \
-    (((type) >> 24) & 7)
+    (((type) >> 8) & 7)
 /** The block size of a block cipher.
  *
  * \param type  A cipher key type (value of type #psa_key_type_t).

library/pkwrite.c

@@ -282,7 +282,7 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si
         bits = psa_get_key_bits( &attributes );
         psa_reset_key_attributes( &attributes );
 
-        curve = PSA_KEY_TYPE_GET_CURVE( key_type ) & 0xff0000;
+        curve = PSA_KEY_TYPE_GET_CURVE( key_type );
         if( curve == 0 )
             return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
 

library/psa_crypto.c

@@ -427,11 +427,6 @@ psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
 mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve,
                                                size_t byte_length )
 {
-    if( ( curve & 0xffff ) != 0 )
-    {
-        if( PSA_BITS_TO_BYTES( curve & 0xffff ) != byte_length )
-            return( MBEDTLS_ECP_DP_NONE );
-    }
     switch( curve )
     {
         case PSA_ECC_CURVE_SECP_R1:

library/psa_crypto_storage.c

@@ -259,7 +259,9 @@ typedef struct {
     uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
     uint8_t version[4];
     uint8_t lifetime[sizeof( psa_key_lifetime_t )];
-    uint8_t type[sizeof( psa_key_type_t )];
+    uint8_t type[4]; /* Size=4 for a 2-byte type to keep the structure more
+                      * regular and aligned and to make potential future
+                      * extensibility easier. */
     uint8_t policy[sizeof( psa_key_policy_t )];
     uint8_t data_len[4];
     uint8_t key_data[];
@@ -276,7 +278,7 @@ void psa_format_key_data_for_storage( const uint8_t *data,
     memcpy( storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER, PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH );
     PUT_UINT32_LE( 0, storage_format->version, 0 );
     PUT_UINT32_LE( attr->lifetime, storage_format->lifetime, 0 );
-    PUT_UINT32_LE( attr->type, storage_format->type, 0 );
+    PUT_UINT32_LE( (uint32_t) attr->type, storage_format->type, 0 );
     PUT_UINT32_LE( attr->policy.usage, storage_format->policy, 0 );
     PUT_UINT32_LE( attr->policy.alg, storage_format->policy, sizeof( uint32_t ) );
     PUT_UINT32_LE( attr->policy.alg2, storage_format->policy, 2 * sizeof( uint32_t ) );
@@ -302,6 +304,7 @@ psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
     const psa_persistent_key_storage_format *storage_format =
         (const psa_persistent_key_storage_format *)storage_data;
     uint32_t version;
+    uint32_t type;
 
     if( storage_data_length < sizeof(*storage_format) )
         return( PSA_ERROR_STORAGE_FAILURE );
@@ -332,7 +335,11 @@ psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
     }
 
     GET_UINT32_LE( attr->lifetime, storage_format->lifetime, 0 );
-    GET_UINT32_LE( attr->type, storage_format->type, 0 );
+    GET_UINT32_LE( type, storage_format->type, 0 );
+    if( type <= (psa_key_type_t) -1 )
+        attr->type = (psa_key_type_t) type;
+    else
+        return( PSA_ERROR_STORAGE_FAILURE );
     GET_UINT32_LE( attr->policy.usage, storage_format->policy, 0 );
     GET_UINT32_LE( attr->policy.alg, storage_format->policy, sizeof( uint32_t ) );
     GET_UINT32_LE( attr->policy.alg2, storage_format->policy, 2 * sizeof( uint32_t ) );

programs/psa/psa_constant_names.c

@@ -80,7 +80,7 @@ static void append_with_curve(char **buffer, size_t buffer_size,
                curve_name, strlen(curve_name));
     } else {
         append_integer(buffer, buffer_size, required_size,
-                       "0x%04x", curve);
+                       "0x%02x", curve);
     }
     append(buffer, buffer_size, required_size, ")", 1);
 }
@@ -98,7 +98,7 @@ static void append_with_group(char **buffer, size_t buffer_size,
                group_name, strlen(group_name));
     } else {
         append_integer(buffer, buffer_size, required_size,
-                       "0x%04x", group);
+                       "0x%02x", group);
     }
     append(buffer, buffer_size, required_size, ")", 1);
 }
@@ -144,7 +144,7 @@ static int psa_snprint_ecc_curve(char *buffer, size_t buffer_size,
 {
     const char *name = psa_ecc_curve_name(curve);
     if (name == NULL) {
-        return snprintf(buffer, buffer_size, "0x%04x", (unsigned) curve);
+        return snprintf(buffer, buffer_size, "0x%02x", (unsigned) curve);
     } else {
         size_t length = strlen(name);
         if (length < buffer_size) {
@@ -161,7 +161,7 @@ static int psa_snprint_dh_group(char *buffer, size_t buffer_size,
 {
     const char *name = psa_dh_group_name(group);
     if (name == NULL) {
-        return snprintf(buffer, buffer_size, "0x%04x", (unsigned) group);
+        return snprintf(buffer, buffer_size, "0x%02x", (unsigned) group);
     } else {
         size_t length = strlen(name);
         if (length < buffer_size) {

scripts/generate_psa_constants.py

@@ -61,7 +61,7 @@
     default:
         %(key_type_code)s{
             return snprintf(buffer, buffer_size,
-                            "0x%%08lx", (unsigned long) type);
+                            "0x%%04x", (unsigned) type);
         }
         break;
     }

tests/scripts/test_psa_constant_names.py

@@ -75,9 +75,9 @@ def __init__(self):
         # Sets of names per type
         self.statuses = set(['PSA_SUCCESS'])
         self.algorithms = set(['0xffffffff'])
-        self.ecc_curves = set(['0xffff'])
-        self.dh_groups = set(['0xffff'])
-        self.key_types = set(['0xffffffff'])
+        self.ecc_curves = set(['0xff'])
+        self.dh_groups = set(['0xff'])
+        self.key_types = set(['0xffff'])
         self.key_usage_flags = set(['0x80000000'])
         # Hard-coded value for unknown algorithms
         self.hash_algorithms = set(['0x010000fe'])