Declare a psa_key_file_id_t layout with an owner field

gilles-peskine-arm · gilles-peskine-arm · commit b61309a2e775 · 2019-02-20T10:54:55.000+01:00
Declare the owner as psa_key_owner_id_t, of which an implementation
must be provided separately.

Make this a configuration option
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER, to make the conditional
compilation flow easier to follow. Declare it in config.h to
pacify check_names.sh.

Support for a specific implementation of psa_key_owner_id_t in storage
backends will come in a subsequent commit.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
@@ -1156,6 +1156,21 @@
  */
 //#define MBEDTLS_PSA_HAS_ITS_IO
 
+/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+ *
+ * In PSA key storage, encode the owner of the key.
+ *
+ * This is only meaningful when building the library as part of a
+ * multi-client service. When you activate this option, you must provide
+ * an implementation of the type psa_key_owner_id_t and a translation
+ * from psa_key_file_id_t to file name in all the storage backends that
+ * you wish to support.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+
 /**
  * \def MBEDTLS_MEMORY_DEBUG
  *
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
@@ -68,8 +68,28 @@ typedef uint16_t psa_key_handle_t;
  * #psa_key_id_t. */
 typedef uint32_t psa_app_key_id_t;
 
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
+
+typedef struct
+{
+    uint32_t key_id;
+    psa_key_owner_id_t owner;
+} psa_key_file_id_t;
+#define PSA_KEY_FILE_GET_KEY_ID( file_id ) ( ( file_id ).key_id )
+
+/* Since crypto.h is used as part of the PSA Cryptography API specification,
+ * it must use standard types for things like the argument of psa_open_key().
+ * If it wasn't for that constraint, psa_open_key() would take a
+ * `psa_key_file_id_t` argument. As a workaround, make `psa_key_id_t` an
+ * alias for `psa_key_file_id_t` when building for a multi-client service. */
+typedef psa_key_file_id_t psa_key_id_t;
+
+#else /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+
 /* By default, a key file identifier is just the application key identifier. */
 typedef psa_app_key_id_t psa_key_file_id_t;
 #define PSA_KEY_FILE_GET_KEY_ID( id ) ( id )
 
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+
 #endif /* PSA_CRYPTO_PLATFORM_H */
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
@@ -90,7 +90,14 @@ typedef uint32_t psa_key_lifetime_t;
 
 /** Encoding of identifiers of persistent keys.
  */
+/* Implementation-specific quirk: The Mbed Crypto library can be built as
+ * part of a multi-client service that exposes the PSA Crypto API in each
+ * client and encodes the client identity in the key id argument of functions
+ * such as psa_open_key(). In this build configuration, we define
+ * psa_key_id_t in crypto_platform.h instead of here. */
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
 typedef uint32_t psa_key_id_t;
+#endif
 
 /**@}*/
 
diff --git a/library/version_features.c b/library/version_features.c
@@ -411,6 +411,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_PSA_HAS_ITS_IO)
     "MBEDTLS_PSA_HAS_ITS_IO",
 #endif /* MBEDTLS_PSA_HAS_ITS_IO */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
+    "MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER",
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
 #if defined(MBEDTLS_MEMORY_DEBUG)
     "MBEDTLS_MEMORY_DEBUG",
 #endif /* MBEDTLS_MEMORY_DEBUG */
diff --git a/scripts/config.pl b/scripts/config.pl
@@ -100,6 +100,7 @@
 MBEDTLS_NO_64BIT_MULTIPLICATION
 MBEDTLS_PSA_CRYPTO_SPM
 MBEDTLS_PSA_HAS_ITS_IO
+MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
 MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
 MBEDTLS_USE_PSA_CRYPTO
 _ALT\s*$
