Skip to content

Don't require a type and size when creating a key slot #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 22, 2019
Merged

Don't require a type and size when creating a key slot #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 10 additions & 35 deletions include/psa/crypto.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,14 +124,6 @@ psa_status_t psa_get_key_lifetime(psa_key_handle_t handle,
* application calls psa_close_key() or psa_destroy_key() or until the
* application terminates.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can we detect that the application has terminated and we can free the allocated key slot?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That depends on the integration. For a library integration, when the application terminates, this frees all the runtime resources held by the crypto library. For a service integration, the access control layer in the service knows who each handle belongs to and should close a handle if it loses contact with the owner of that handle.

*
* This function takes a key type and maximum size as arguments so that
* the implementation can reserve a corresponding amount of memory.
* Implementations are not required to enforce this limit: if the application
* later tries to create a larger key or a key of a different type, it
* is implementation-defined whether this may succeed.
*
* \param type The type of key that the slot will contain.
* \param max_bits The maximum key size that the slot will contain.
* \param[out] handle On success, a handle to a volatile key slot.
*
* \retval #PSA_SUCCESS
Expand All @@ -140,13 +132,8 @@ psa_status_t psa_get_key_lifetime(psa_key_handle_t handle,
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* There was not enough memory, or the maximum number of key slots
* has been reached.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* This implementation does not support this key type.
*/

psa_status_t psa_allocate_key(psa_key_type_t type,
size_t max_bits,
psa_key_handle_t *handle);
psa_status_t psa_allocate_key(psa_key_handle_t *handle);

/** Open a handle to an existing persistent key.
*
Expand Down Expand Up @@ -192,8 +179,6 @@ psa_status_t psa_open_key(psa_key_lifetime_t lifetime,
* area where the key material is stored. This must not
* be #PSA_KEY_LIFETIME_VOLATILE.
* \param id The persistent identifier of the key.
* \param type The type of key that the slot will contain.
* \param max_bits The maximum key size that the slot will contain.
* \param[out] handle On success, a handle to the newly created key slot.
* When key material is later created in this key slot,
* it will be saved to the specified persistent location.
Expand All @@ -218,8 +203,6 @@ psa_status_t psa_open_key(psa_key_lifetime_t lifetime,
*/
psa_status_t psa_create_key(psa_key_lifetime_t lifetime,
psa_key_id_t id,
psa_key_type_t type,
size_t max_bits,
psa_key_handle_t *handle);

/** Close a key handle.
Expand Down Expand Up @@ -261,11 +244,9 @@ psa_status_t psa_close_key(psa_key_handle_t handle);
* according to a different format.
*
* \param handle Handle to the slot where the key will be stored.
* This must be a valid slot for a key of the chosen
* type: it must have been obtained by calling
* psa_allocate_key() or psa_create_key() with the
* correct \p type and with a maximum size that is
* compatible with \p data.
* It must have been obtained by calling
* psa_allocate_key() or psa_create_key() and must
* not contain key material yet.
* \param type Key type (a \c PSA_KEY_TYPE_XXX value). On a successful
* import, the key slot will contain a key of this type.
* \param[in] data Buffer containing the key data. The content of this
Expand Down Expand Up @@ -2005,12 +1986,9 @@ psa_status_t psa_generator_read(psa_crypto_generator_t *generator,
* the key material is not exposed outside the isolation boundary.
*
* \param handle Handle to the slot where the key will be stored.
* This must be a valid slot for a key of the chosen
* type: it must have been obtained by calling
* psa_allocate_key() or psa_create_key() with the
* correct \p type and with a maximum size that is
* compatible with \p bits.
* It must not contain any key material yet.
* It must have been obtained by calling
* psa_allocate_key() or psa_create_key() and must
* not contain key material yet.
* \param type Key type (a \c PSA_KEY_TYPE_XXX value).
* This must be a symmetric key type.
* \param bits Key size in bits.
Expand Down Expand Up @@ -2232,12 +2210,9 @@ typedef struct {
* \brief Generate a key or key pair.
*
* \param handle Handle to the slot where the key will be stored.
* This must be a valid slot for a key of the chosen
* type: it must have been obtained by calling
* psa_allocate_key() or psa_create_key() with the
* correct \p type and with a maximum size that is
* compatible with \p bits.
* It must not contain any key material yet.
* It must have been obtained by calling
* psa_allocate_key() or psa_create_key() and must
* not contain key material yet.
* \param type Key type (a \c PSA_KEY_TYPE_XXX value).
* \param bits Key size in bits.
* \param[in] extra Extra parameters for key generation. The
Expand Down
13 changes: 1 addition & 12 deletions library/psa_crypto_slot_management.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,13 +142,8 @@ static psa_status_t psa_internal_release_key_slot( psa_key_handle_t handle )
return( psa_wipe_key_slot( slot ) );
}

psa_status_t psa_allocate_key( psa_key_type_t type,
size_t max_bits,
psa_key_handle_t *handle )
psa_status_t psa_allocate_key( psa_key_handle_t *handle )
{
/* This implementation doesn't reserve memory for the keys. */
(void) type;
(void) max_bits;
*handle = 0;
return( psa_internal_allocate_key_slot( handle ) );
}
Expand Down Expand Up @@ -259,16 +254,10 @@ psa_status_t psa_open_key( psa_key_lifetime_t lifetime,

psa_status_t psa_create_key( psa_key_lifetime_t lifetime,
psa_key_id_t id,
psa_key_type_t type,
size_t max_bits,
psa_key_handle_t *handle )
{
psa_status_t status;

/* This implementation doesn't reserve memory for the keys. */
(void) type;
(void) max_bits;

status = persistent_key_setup( lifetime, id, handle,
PSA_ERROR_EMPTY_SLOT );
switch( status )
Expand Down
6 changes: 3 additions & 3 deletions programs/psa/crypto_examples.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,7 @@ cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( void )
status = psa_generate_random( input, sizeof( input ) );
ASSERT_STATUS( status, PSA_SUCCESS );

status = psa_allocate_key( PSA_KEY_TYPE_AES, key_bits, &key_handle );
status = psa_allocate_key( &key_handle );
ASSERT_STATUS( status, PSA_SUCCESS );

status = set_key_policy( key_handle,
Expand Down Expand Up @@ -226,7 +226,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( void )
status = psa_generate_random( input, sizeof( input ) );
ASSERT_STATUS( status, PSA_SUCCESS );

status = psa_allocate_key( PSA_KEY_TYPE_AES, key_bits, &key_handle );
status = psa_allocate_key( &key_handle );
ASSERT_STATUS( status, PSA_SUCCESS );

status = set_key_policy( key_handle,
Expand Down Expand Up @@ -275,7 +275,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi( void )
status = psa_generate_random( input, sizeof( input ) );
ASSERT_STATUS( status, PSA_SUCCESS );

status = psa_allocate_key( PSA_KEY_TYPE_AES, key_bits, &key_handle );
status = psa_allocate_key( &key_handle );
ASSERT_STATUS( status, PSA_SUCCESS );
status = set_key_policy( key_handle,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT,
Expand Down
15 changes: 4 additions & 11 deletions programs/psa/key_ladder_demo.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -211,9 +211,7 @@ static psa_status_t generate( const char *key_file_name )
psa_key_handle_t key_handle = 0;
psa_key_policy_t policy = PSA_KEY_POLICY_INIT;

PSA_CHECK( psa_allocate_key( PSA_KEY_TYPE_DERIVE,
PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ),
&key_handle ) );
PSA_CHECK( psa_allocate_key( &key_handle ) );
psa_key_policy_set_usage( &policy,
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT,
KDF_ALG );
Expand Down Expand Up @@ -263,9 +261,7 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage,
SYS_CHECK( fclose( key_file ) == 0 );
key_file = NULL;

PSA_CHECK( psa_allocate_key( PSA_KEY_TYPE_DERIVE,
PSA_BYTES_TO_BITS( key_size ),
master_key_handle ) );
PSA_CHECK( psa_allocate_key( master_key_handle ) );
psa_key_policy_set_usage( &policy, usage, alg );
PSA_CHECK( psa_set_key_policy( *master_key_handle, &policy ) );
PSA_CHECK( psa_import_key( *master_key_handle,
Expand Down Expand Up @@ -318,9 +314,7 @@ static psa_status_t derive_key_ladder( const char *ladder[],
* since it is no longer needed. */
PSA_CHECK( psa_close_key( *key_handle ) );
*key_handle = 0;
PSA_CHECK( psa_allocate_key( PSA_KEY_TYPE_DERIVE,
PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ),
key_handle ) );
PSA_CHECK( psa_allocate_key( key_handle ) );
PSA_CHECK( psa_set_key_policy( *key_handle, &policy ) );
/* Use the generator obtained from the parent key to create
* the next intermediate key. */
Expand Down Expand Up @@ -352,8 +346,7 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;

*wrapping_key_handle = 0;
PSA_CHECK( psa_allocate_key( PSA_KEY_TYPE_AES, WRAPPING_KEY_BITS,
wrapping_key_handle ) );
PSA_CHECK( psa_allocate_key( wrapping_key_handle ) );
psa_key_policy_set_usage( &policy, usage, WRAPPING_ALG );
PSA_CHECK( psa_set_key_policy( *wrapping_key_handle, &policy ) );

Expand Down
Loading