1/* BEGIN_HEADER */ 2#include <stdint.h> 3 4#include "psa_crypto_slot_management.h" 5#include "psa_crypto_storage.h" 6 7typedef enum 8{ 9 /**< Close key(s) */ 10 INVALIDATE_BY_CLOSING, 11 12 /**< Destroy key(s) */ 13 INVALIDATE_BY_DESTROYING, 14 15 /**< Purge key(s) */ 16 INVALIDATE_BY_PURGING, 17 18 /**< Terminate and reinitialize without closing/destroying keys */ 19 INVALIDATE_BY_SHUTDOWN, 20 21 /**< Close key(s) then terminate and re-initialize */ 22 INVALIDATE_BY_CLOSING_WITH_SHUTDOWN, 23 24 /**< Destroy key(s) then terminate and re-initialize */ 25 INVALIDATE_BY_DESTROYING_WITH_SHUTDOWN, 26 27 /**< Purge key(s) then terminate and re-initialize */ 28 INVALIDATE_BY_PURGING_WITH_SHUTDOWN, 29} invalidate_method_t; 30 31typedef enum 32{ 33 KEEP_OPEN, 34 CLOSE_BEFORE, 35 CLOSE_AFTER, 36} reopen_policy_t; 37 38typedef enum 39{ 40 INVALID_HANDLE_0, 41 INVALID_HANDLE_UNOPENED, 42 INVALID_HANDLE_CLOSED, 43 INVALID_HANDLE_HUGE, 44} invalid_handle_construction_t; 45 46/** Apply \p invalidate_method to invalidate the specified key: 47 * close it, destroy it, or do nothing; 48 */ 49static int invalidate_key( invalidate_method_t invalidate_method, 50 mbedtls_svc_key_id_t key ) 51{ 52 switch( invalidate_method ) 53 { 54 /* Closing the key invalidate only volatile keys, not persistent ones. */ 55 case INVALIDATE_BY_CLOSING: 56 case INVALIDATE_BY_CLOSING_WITH_SHUTDOWN: 57 PSA_ASSERT( psa_close_key( key ) ); 58 break; 59 case INVALIDATE_BY_DESTROYING: 60 case INVALIDATE_BY_DESTROYING_WITH_SHUTDOWN: 61 PSA_ASSERT( psa_destroy_key( key ) ); 62 break; 63 /* Purging the key just purges RAM data of persistent keys. */ 64 case INVALIDATE_BY_PURGING: 65 case INVALIDATE_BY_PURGING_WITH_SHUTDOWN: 66 PSA_ASSERT( psa_purge_key( key ) ); 67 break; 68 case INVALIDATE_BY_SHUTDOWN: 69 break; 70 } 71 return( 1 ); 72exit: 73 return( 0 ); 74} 75 76/** Restart the PSA subsystem if \p invalidate_method says so. */ 77static int invalidate_psa( invalidate_method_t invalidate_method ) 78{ 79 switch( invalidate_method ) 80 { 81 case INVALIDATE_BY_CLOSING: 82 case INVALIDATE_BY_DESTROYING: 83 case INVALIDATE_BY_PURGING: 84 return( 1 ); 85 case INVALIDATE_BY_CLOSING_WITH_SHUTDOWN: 86 case INVALIDATE_BY_DESTROYING_WITH_SHUTDOWN: 87 case INVALIDATE_BY_PURGING_WITH_SHUTDOWN: 88 /* All keys must have been closed. */ 89 PSA_SESSION_DONE( ); 90 break; 91 case INVALIDATE_BY_SHUTDOWN: 92 /* Some keys may remain behind, and we're testing that this 93 * properly closes them. */ 94 mbedtls_psa_crypto_free( ); 95 break; 96 } 97 98 PSA_ASSERT( psa_crypto_init( ) ); 99 ASSERT_PSA_PRISTINE( ); 100 return( 1 ); 101 102exit: 103 return( 0 ); 104} 105 106/* END_HEADER */ 107 108/* BEGIN_DEPENDENCIES 109 * depends_on:MBEDTLS_PSA_CRYPTO_C 110 * END_DEPENDENCIES 111 */ 112 113/* BEGIN_CASE */ 114void transient_slot_lifecycle( int owner_id_arg, 115 int usage_arg, int alg_arg, 116 int type_arg, data_t *key_data, 117 int invalidate_method_arg ) 118{ 119 psa_algorithm_t alg = alg_arg; 120 psa_key_usage_t usage_flags = usage_arg; 121 psa_key_type_t type = type_arg; 122 invalidate_method_t invalidate_method = invalidate_method_arg; 123 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 124 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 125 126 mbedtls_test_set_step( 1 ); 127 PSA_ASSERT( psa_crypto_init( ) ); 128 129 /* Import a key. */ 130#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 131 mbedtls_key_owner_id_t owner_id = owner_id_arg; 132 133 mbedtls_set_key_owner_id( &attributes, owner_id ); 134#else 135 (void)owner_id_arg; 136#endif 137 138 psa_set_key_usage_flags( &attributes, usage_flags ); 139 psa_set_key_algorithm( &attributes, alg ); 140 psa_set_key_type( &attributes, type ); 141 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 142 &key ) ); 143 TEST_ASSERT( ! mbedtls_svc_key_id_is_null( key ) ); 144 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 145 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 146 psa_reset_key_attributes( &attributes ); 147 148#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 149 { 150 psa_key_handle_t handle; 151 mbedtls_svc_key_id_t key_with_invalid_owner = 152 mbedtls_svc_key_id_make( owner_id + 1, 153 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ) ); 154 155 TEST_ASSERT( mbedtls_key_owner_id_equal( 156 owner_id, 157 MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( key ) ) ); 158 TEST_EQUAL( psa_open_key( key_with_invalid_owner, &handle ), 159 PSA_ERROR_DOES_NOT_EXIST ); 160 } 161#endif 162 163 /* 164 * Purge the key and make sure that it is still valid, as purging a 165 * volatile key shouldn't invalidate/destroy it. 166 */ 167 PSA_ASSERT( psa_purge_key( key ) ); 168 PSA_ASSERT( psa_get_key_attributes( key, &attributes ) ); 169 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 170 psa_reset_key_attributes( &attributes ); 171 172 /* Do something that invalidates the key. */ 173 mbedtls_test_set_step( 2 ); 174 if( ! invalidate_key( invalidate_method, key ) ) 175 goto exit; 176 if( ! invalidate_psa( invalidate_method ) ) 177 goto exit; 178 179 /* Test that the key is now invalid. */ 180 TEST_EQUAL( psa_get_key_attributes( key, &attributes ), 181 PSA_ERROR_INVALID_HANDLE ); 182 TEST_EQUAL( psa_close_key( key ), PSA_ERROR_INVALID_HANDLE ); 183 184exit: 185 /* 186 * Key attributes may have been returned by psa_get_key_attributes() 187 * thus reset them as required. 188 */ 189 psa_reset_key_attributes( &attributes ); 190 191 PSA_DONE( ); 192} 193/* END_CASE */ 194 195/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 196void persistent_slot_lifecycle( int lifetime_arg, int owner_id_arg, int id_arg, 197 int usage_arg, int alg_arg, int alg2_arg, 198 int type_arg, data_t *key_data, 199 int invalidate_method_arg ) 200{ 201 psa_key_lifetime_t lifetime = lifetime_arg; 202 mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg ); 203 psa_algorithm_t alg = alg_arg; 204 psa_algorithm_t alg2 = alg2_arg; 205 psa_key_usage_t usage_flags = usage_arg; 206 psa_key_type_t type = type_arg; 207 invalidate_method_t invalidate_method = invalidate_method_arg; 208 mbedtls_svc_key_id_t returned_id = MBEDTLS_SVC_KEY_ID_INIT; 209 psa_key_handle_t handle = PSA_KEY_HANDLE_INIT; 210 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 211 psa_key_attributes_t read_attributes = PSA_KEY_ATTRIBUTES_INIT; 212 uint8_t *reexported = NULL; 213 size_t reexported_length = -1; 214 215#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 216 mbedtls_svc_key_id_t wrong_owner_id = 217 mbedtls_svc_key_id_make( owner_id_arg + 1, id_arg ); 218 mbedtls_svc_key_id_t invalid_svc_key_id = MBEDTLS_SVC_KEY_ID_INIT; 219#endif 220 221 TEST_USES_KEY_ID( id ); 222 223 mbedtls_test_set_step( 1 ); 224 PSA_ASSERT( psa_crypto_init( ) ); 225 226 psa_set_key_id( &attributes, id ); 227 psa_set_key_lifetime( &attributes, lifetime ); 228 psa_set_key_type( &attributes, type ); 229 psa_set_key_usage_flags( &attributes, usage_flags ); 230 psa_set_key_algorithm( &attributes, alg ); 231 psa_set_key_enrollment_algorithm( &attributes, alg2 ); 232 PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, 233 &returned_id ) ); 234 TEST_ASSERT( mbedtls_svc_key_id_equal( id, returned_id ) ); 235 236#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 237 TEST_EQUAL( psa_open_key( wrong_owner_id, &invalid_svc_key_id ), 238 PSA_ERROR_DOES_NOT_EXIST ); 239#endif 240 241 PSA_ASSERT( psa_get_key_attributes( id, &attributes ) ); 242 TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); 243 TEST_ASSERT( mbedtls_svc_key_id_equal( 244 psa_get_key_id( &attributes ), id ) ); 245 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 246 mbedtls_test_update_key_usage_flags( usage_flags ) ); 247 TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); 248 TEST_EQUAL( psa_get_key_enrollment_algorithm( &attributes ), alg2 ); 249 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 250 251 /* Close the key and then open it. */ 252 PSA_ASSERT( psa_close_key( id ) ); 253 254#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 255 TEST_EQUAL( psa_open_key( wrong_owner_id, &invalid_svc_key_id ), 256 PSA_ERROR_DOES_NOT_EXIST ); 257#endif 258 259 PSA_ASSERT( psa_open_key( id, &handle ) ); 260 TEST_ASSERT( ! psa_key_handle_is_null( handle ) ); 261 PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) ); 262 TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); 263 TEST_ASSERT( mbedtls_svc_key_id_equal( 264 psa_get_key_id( &attributes ), id ) ); 265 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 266 mbedtls_test_update_key_usage_flags( usage_flags ) ); 267 TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); 268 TEST_EQUAL( psa_get_key_enrollment_algorithm( &attributes ), alg2 ); 269 TEST_EQUAL( psa_get_key_type( &attributes ), type ); 270 271 /* 272 * Do something that wipes key data in volatile memory or destroy the 273 * key. 274 */ 275 mbedtls_test_set_step( 2 ); 276 if( ! invalidate_key( invalidate_method, id ) ) 277 goto exit; 278 if( ! invalidate_psa( invalidate_method ) ) 279 goto exit; 280 281 /* Try to reaccess the key. If we destroyed it, check that it doesn't 282 * exist. Otherwise check that it still exists and has the expected 283 * content. */ 284 switch( invalidate_method ) 285 { 286 case INVALIDATE_BY_CLOSING: 287 case INVALIDATE_BY_CLOSING_WITH_SHUTDOWN: 288 case INVALIDATE_BY_PURGING: 289 case INVALIDATE_BY_PURGING_WITH_SHUTDOWN: 290 case INVALIDATE_BY_SHUTDOWN: 291 PSA_ASSERT( psa_open_key( id, &handle ) ); 292 PSA_ASSERT( psa_get_key_attributes( id, &read_attributes ) ); 293 TEST_EQUAL( psa_get_key_lifetime( &attributes ), 294 psa_get_key_lifetime( &read_attributes ) ); 295 TEST_ASSERT( mbedtls_svc_key_id_equal( 296 psa_get_key_id( &attributes ), 297 psa_get_key_id( &read_attributes ) ) ); 298 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 299 mbedtls_test_update_key_usage_flags( usage_flags ) ); 300 TEST_EQUAL( psa_get_key_algorithm( &attributes ), 301 psa_get_key_algorithm( &read_attributes ) ); 302 TEST_EQUAL( psa_get_key_enrollment_algorithm( &attributes ), 303 psa_get_key_enrollment_algorithm( &read_attributes ) ); 304 TEST_EQUAL( psa_get_key_type( &attributes ), 305 psa_get_key_type( &read_attributes ) ); 306 TEST_EQUAL( psa_get_key_bits( &attributes ), 307 psa_get_key_bits( &read_attributes ) ); 308 ASSERT_ALLOC( reexported, key_data->len ); 309 if( usage_flags & PSA_KEY_USAGE_EXPORT ) 310 { 311 PSA_ASSERT( psa_export_key( id, reexported, key_data->len, 312 &reexported_length ) ); 313 ASSERT_COMPARE( key_data->x, key_data->len, 314 reexported, reexported_length ); 315 } 316 else 317 { 318 TEST_EQUAL( psa_export_key( id, reexported, 319 key_data->len, &reexported_length ), 320 PSA_ERROR_NOT_PERMITTED ); 321 } 322 PSA_ASSERT( psa_close_key( handle ) ); 323 break; 324 325 case INVALIDATE_BY_DESTROYING: 326 case INVALIDATE_BY_DESTROYING_WITH_SHUTDOWN: 327 /* 328 * Test that the key handle and identifier are now not refering to an 329 * existing key. 330 */ 331 TEST_EQUAL( psa_get_key_attributes( handle, &read_attributes ), 332 PSA_ERROR_INVALID_HANDLE ); 333 TEST_EQUAL( psa_close_key( handle ), PSA_ERROR_INVALID_HANDLE ); 334 TEST_EQUAL( psa_get_key_attributes( id, &read_attributes ), 335 PSA_ERROR_INVALID_HANDLE ); 336 break; 337 } 338 339exit: 340 /* 341 * Key attributes may have been returned by psa_get_key_attributes() 342 * thus reset them as required. 343 */ 344 psa_reset_key_attributes( &attributes ); 345 psa_reset_key_attributes( &read_attributes ); 346 347 PSA_DONE( ); 348 mbedtls_free( reexported ); 349} 350/* END_CASE */ 351 352/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 353void create_existent( int lifetime_arg, int owner_id_arg, int id_arg, 354 int reopen_policy_arg ) 355{ 356 psa_key_lifetime_t lifetime = lifetime_arg; 357 mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg ); 358 mbedtls_svc_key_id_t returned_id = MBEDTLS_SVC_KEY_ID_INIT; 359 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 360 psa_key_type_t type1 = PSA_KEY_TYPE_RAW_DATA; 361 const uint8_t material1[5] = "a key"; 362 const uint8_t material2[5] = "b key"; 363 size_t bits1 = PSA_BYTES_TO_BITS( sizeof( material1 ) ); 364 uint8_t reexported[sizeof( material1 )]; 365 size_t reexported_length; 366 reopen_policy_t reopen_policy = reopen_policy_arg; 367 368 TEST_USES_KEY_ID( id ); 369 370 PSA_ASSERT( psa_crypto_init( ) ); 371 372 /* Create a key. */ 373 psa_set_key_id( &attributes, id ); 374 psa_set_key_lifetime( &attributes, lifetime ); 375 psa_set_key_type( &attributes, type1 ); 376 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 377 psa_set_key_algorithm( &attributes, 0 ); 378 PSA_ASSERT( psa_import_key( &attributes, material1, sizeof( material1 ), 379 &returned_id ) ); 380 TEST_ASSERT( mbedtls_svc_key_id_equal( id, returned_id ) ); 381 382 if( reopen_policy == CLOSE_BEFORE ) 383 PSA_ASSERT( psa_close_key( id ) ); 384 385 /* Attempt to create a new key in the same slot. */ 386 TEST_EQUAL( psa_import_key( &attributes, material2, sizeof( material2 ), 387 &returned_id ), 388 PSA_ERROR_ALREADY_EXISTS ); 389 TEST_ASSERT( mbedtls_svc_key_id_is_null( returned_id ) ); 390 391 if( reopen_policy == CLOSE_AFTER ) 392 PSA_ASSERT( psa_close_key( id ) ); 393 394 /* Check that the original key hasn't changed. */ 395 psa_reset_key_attributes( &attributes ); 396 PSA_ASSERT( psa_get_key_attributes( id, &attributes ) ); 397 TEST_ASSERT( mbedtls_svc_key_id_equal( 398 psa_get_key_id( &attributes ), id ) ); 399 TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); 400 TEST_EQUAL( psa_get_key_type( &attributes ), type1 ); 401 TEST_EQUAL( psa_get_key_bits( &attributes ), bits1 ); 402 TEST_EQUAL( psa_get_key_usage_flags( &attributes ), PSA_KEY_USAGE_EXPORT ); 403 TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); 404 405 PSA_ASSERT( psa_export_key( id, 406 reexported, sizeof( reexported ), 407 &reexported_length ) ); 408 ASSERT_COMPARE( material1, sizeof( material1 ), 409 reexported, reexported_length ); 410 411 PSA_ASSERT( psa_close_key( id ) ); 412 413exit: 414 /* 415 * Key attributes may have been returned by psa_get_key_attributes() 416 * thus reset them as required. 417 */ 418 psa_reset_key_attributes( &attributes ); 419 420 PSA_DONE( ); 421} 422/* END_CASE */ 423 424/* BEGIN_CASE */ 425void open_fail( int id_arg, 426 int expected_status_arg ) 427{ 428 mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); 429 psa_status_t expected_status = expected_status_arg; 430 psa_key_handle_t handle = mbedtls_svc_key_id_make( 0xdead, 0xdead ); 431 432 PSA_ASSERT( psa_crypto_init( ) ); 433 434 TEST_EQUAL( psa_open_key( id, &handle ), expected_status ); 435 TEST_ASSERT( psa_key_handle_is_null( handle ) ); 436 437exit: 438 PSA_DONE( ); 439} 440/* END_CASE */ 441 442/* BEGIN_CASE */ 443void create_fail( int lifetime_arg, int id_arg, 444 int expected_status_arg ) 445{ 446 psa_key_lifetime_t lifetime = lifetime_arg; 447 mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( 1, id_arg ); 448 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 449 psa_status_t expected_status = expected_status_arg; 450 mbedtls_svc_key_id_t returned_id = 451 mbedtls_svc_key_id_make( 0xdead, 0xdead ); 452 uint8_t material[1] = {'k'}; 453 454 TEST_USES_KEY_ID( id ); 455 456 PSA_ASSERT( psa_crypto_init( ) ); 457 458 psa_set_key_lifetime( &attributes, lifetime ); 459 if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) 460 { 461 /* 462 * Not possible to set a key identifier different from 0 through 463 * PSA key attributes APIs thus accessing to the attributes 464 * directly. 465 */ 466 attributes.core.id = id; 467 } 468 else 469 psa_set_key_id( &attributes, id ); 470 471 psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); 472 TEST_EQUAL( psa_import_key( &attributes, material, sizeof( material ), 473 &returned_id ), 474 expected_status ); 475 TEST_ASSERT( mbedtls_svc_key_id_is_null( returned_id ) ); 476 477exit: 478 PSA_DONE( ); 479} 480/* END_CASE */ 481 482/* BEGIN_CASE */ 483void copy_across_lifetimes( int source_lifetime_arg, int source_owner_id_arg, 484 int source_id_arg, int source_usage_arg, 485 int source_alg_arg, int source_alg2_arg, 486 int type_arg, data_t *material, 487 int target_lifetime_arg, int target_owner_id_arg, 488 int target_id_arg, int target_usage_arg, 489 int target_alg_arg, int target_alg2_arg, 490 int expected_usage_arg, 491 int expected_alg_arg, int expected_alg2_arg ) 492{ 493 psa_key_lifetime_t source_lifetime = source_lifetime_arg; 494 mbedtls_svc_key_id_t source_id = 495 mbedtls_svc_key_id_make( source_owner_id_arg, source_id_arg ); 496 psa_key_usage_t source_usage = source_usage_arg; 497 psa_algorithm_t source_alg = source_alg_arg; 498 psa_key_attributes_t source_attributes = PSA_KEY_ATTRIBUTES_INIT; 499 psa_key_type_t source_type = type_arg; 500 mbedtls_svc_key_id_t returned_source_id = MBEDTLS_SVC_KEY_ID_INIT; 501 psa_key_lifetime_t target_lifetime = target_lifetime_arg; 502 mbedtls_svc_key_id_t target_id = 503 mbedtls_svc_key_id_make( target_owner_id_arg, target_id_arg ); 504 psa_key_usage_t target_usage = target_usage_arg; 505 psa_algorithm_t target_alg = target_alg_arg; 506 psa_key_attributes_t target_attributes = PSA_KEY_ATTRIBUTES_INIT; 507 mbedtls_svc_key_id_t returned_target_id = MBEDTLS_SVC_KEY_ID_INIT; 508 psa_key_handle_t target_handle = PSA_KEY_HANDLE_INIT; 509 psa_key_usage_t expected_usage = expected_usage_arg; 510 psa_algorithm_t expected_alg = expected_alg_arg; 511 psa_algorithm_t expected_alg2 = expected_alg2_arg; 512 uint8_t *export_buffer = NULL; 513 514 TEST_USES_KEY_ID( source_id ); 515 TEST_USES_KEY_ID( target_id ); 516 517 PSA_ASSERT( psa_crypto_init( ) ); 518 519 /* Populate the source slot. */ 520 psa_set_key_id( &source_attributes, source_id ); 521 psa_set_key_lifetime( &source_attributes, source_lifetime ); 522 523 psa_set_key_type( &source_attributes, source_type ); 524 psa_set_key_usage_flags( &source_attributes, source_usage ); 525 psa_set_key_algorithm( &source_attributes, source_alg ); 526 psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg ); 527 PSA_ASSERT( psa_import_key( &source_attributes, 528 material->x, material->len, 529 &returned_source_id ) ); 530 /* Update the attributes with the bit size. */ 531 PSA_ASSERT( psa_get_key_attributes( returned_source_id, 532 &source_attributes ) ); 533 534 /* Prepare the target slot. */ 535 psa_set_key_id( &target_attributes, target_id ); 536 psa_set_key_lifetime( &target_attributes, target_lifetime ); 537 538 psa_set_key_usage_flags( &target_attributes, target_usage ); 539 psa_set_key_algorithm( &target_attributes, target_alg ); 540 psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg ); 541 542 /* Copy the key. */ 543 PSA_ASSERT( psa_copy_key( returned_source_id, 544 &target_attributes, &returned_target_id ) ); 545 546 /* Destroy the source to ensure that this doesn't affect the target. */ 547 PSA_ASSERT( psa_destroy_key( returned_source_id ) ); 548 549 /* If the target key is persistent, restart the system to make 550 * sure that the material is still alive. */ 551 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( target_lifetime ) ) 552 { 553 mbedtls_psa_crypto_free( ); 554 PSA_ASSERT( psa_crypto_init( ) ); 555 PSA_ASSERT( psa_open_key( target_id, &target_handle ) ); 556 } 557 558 /* Test that the target slot has the expected content. */ 559 psa_reset_key_attributes( &target_attributes ); 560 PSA_ASSERT( psa_get_key_attributes( returned_target_id, 561 &target_attributes ) ); 562 563 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( target_lifetime ) ) 564 { 565 TEST_ASSERT( mbedtls_svc_key_id_equal( 566 target_id, psa_get_key_id( &target_attributes ) ) ); 567 } 568 else 569 { 570#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 571 TEST_EQUAL( MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( returned_target_id ), 572 target_owner_id_arg ); 573#endif 574 } 575 576 TEST_EQUAL( target_lifetime, psa_get_key_lifetime( &target_attributes ) ); 577 TEST_EQUAL( source_type, psa_get_key_type( &target_attributes ) ); 578 TEST_EQUAL( psa_get_key_bits( &source_attributes ), 579 psa_get_key_bits( &target_attributes ) ); 580 TEST_EQUAL( expected_usage, psa_get_key_usage_flags( &target_attributes ) ); 581 TEST_EQUAL( expected_alg, psa_get_key_algorithm( &target_attributes ) ); 582 TEST_EQUAL( expected_alg2, 583 psa_get_key_enrollment_algorithm( &target_attributes ) ); 584 if( expected_usage & PSA_KEY_USAGE_EXPORT ) 585 { 586 size_t length; 587 ASSERT_ALLOC( export_buffer, material->len ); 588 PSA_ASSERT( psa_export_key( returned_target_id, export_buffer, 589 material->len, &length ) ); 590 ASSERT_COMPARE( material->x, material->len, 591 export_buffer, length ); 592 } 593 else 594 { 595 size_t length; 596 /* Check that the key is actually non-exportable. */ 597 TEST_EQUAL( psa_export_key( returned_target_id, export_buffer, 598 material->len, &length ), 599 PSA_ERROR_NOT_PERMITTED ); 600 } 601 602 PSA_ASSERT( psa_destroy_key( returned_target_id ) ); 603 604exit: 605 /* 606 * Source and target key attributes may have been returned by 607 * psa_get_key_attributes() thus reset them as required. 608 */ 609 psa_reset_key_attributes( &source_attributes ); 610 psa_reset_key_attributes( &target_attributes ); 611 612 PSA_DONE( ); 613 mbedtls_free( export_buffer ); 614} 615/* END_CASE */ 616 617/* BEGIN_CASE */ 618void copy_to_occupied( int source_lifetime_arg, int source_id_arg, 619 int source_usage_arg, int source_alg_arg, 620 int source_type_arg, data_t *source_material, 621 int target_lifetime_arg, int target_id_arg, 622 int target_usage_arg, int target_alg_arg, 623 int target_type_arg, data_t *target_material ) 624{ 625 psa_key_lifetime_t source_lifetime = source_lifetime_arg; 626 mbedtls_svc_key_id_t source_id = 627 mbedtls_svc_key_id_make( 1, source_id_arg ); 628 psa_key_usage_t source_usage = source_usage_arg; 629 psa_algorithm_t source_alg = source_alg_arg; 630 psa_key_type_t source_type = source_type_arg; 631 mbedtls_svc_key_id_t returned_source_id = MBEDTLS_SVC_KEY_ID_INIT; 632 psa_key_lifetime_t target_lifetime = target_lifetime_arg; 633 mbedtls_svc_key_id_t target_id = 634 mbedtls_svc_key_id_make( 1, target_id_arg ); 635 psa_key_usage_t target_usage = target_usage_arg; 636 psa_algorithm_t target_alg = target_alg_arg; 637 psa_key_type_t target_type = target_type_arg; 638 mbedtls_svc_key_id_t returned_target_id = MBEDTLS_SVC_KEY_ID_INIT; 639 mbedtls_svc_key_id_t new_key = MBEDTLS_SVC_KEY_ID_INIT; 640 uint8_t *export_buffer = NULL; 641 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 642 psa_key_attributes_t attributes1 = PSA_KEY_ATTRIBUTES_INIT; 643 psa_key_attributes_t attributes2 = PSA_KEY_ATTRIBUTES_INIT; 644 645 TEST_USES_KEY_ID( source_id ); 646 TEST_USES_KEY_ID( target_id ); 647 648 PSA_ASSERT( psa_crypto_init( ) ); 649 650 /* Populate the source slot. */ 651 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( source_lifetime ) ) 652 { 653 psa_set_key_id( &attributes, source_id ); 654 psa_set_key_lifetime( &attributes, source_lifetime ); 655 } 656 psa_set_key_type( &attributes, source_type ); 657 psa_set_key_usage_flags( &attributes, source_usage ); 658 psa_set_key_algorithm( &attributes, source_alg ); 659 PSA_ASSERT( psa_import_key( &attributes, 660 source_material->x, source_material->len, 661 &returned_source_id ) ); 662 663 /* Populate the target slot. */ 664 if( mbedtls_svc_key_id_equal( target_id, source_id ) ) 665 { 666 returned_target_id = returned_source_id; 667 } 668 else 669 { 670 psa_set_key_id( &attributes1, target_id ); 671 psa_set_key_lifetime( &attributes1, target_lifetime ); 672 psa_set_key_type( &attributes1, target_type ); 673 psa_set_key_usage_flags( &attributes1, target_usage ); 674 psa_set_key_algorithm( &attributes1, target_alg ); 675 PSA_ASSERT( psa_import_key( &attributes1, 676 target_material->x, target_material->len, 677 &returned_target_id ) ); 678 } 679 680 PSA_ASSERT( psa_get_key_attributes( returned_target_id, &attributes1 ) ); 681 682 /* Make a copy attempt. */ 683 psa_set_key_id( &attributes, target_id ); 684 psa_set_key_lifetime( &attributes, target_lifetime ); 685 TEST_EQUAL( psa_copy_key( returned_source_id, 686 &attributes, &new_key ), 687 PSA_ERROR_ALREADY_EXISTS ); 688 TEST_ASSERT( mbedtls_svc_key_id_is_null( new_key ) ); 689 690 /* Test that the target slot is unaffected. */ 691 PSA_ASSERT( psa_get_key_attributes( returned_target_id, &attributes2 ) ); 692 TEST_ASSERT( mbedtls_svc_key_id_equal( 693 psa_get_key_id( &attributes1 ), 694 psa_get_key_id( &attributes2 ) ) ); 695 TEST_EQUAL( psa_get_key_lifetime( &attributes1 ), 696 psa_get_key_lifetime( &attributes2 ) ); 697 TEST_EQUAL( psa_get_key_type( &attributes1 ), 698 psa_get_key_type( &attributes2 ) ); 699 TEST_EQUAL( psa_get_key_bits( &attributes1 ), 700 psa_get_key_bits( &attributes2 ) ); 701 TEST_EQUAL( psa_get_key_usage_flags( &attributes1 ), 702 psa_get_key_usage_flags( &attributes2 ) ); 703 TEST_EQUAL( psa_get_key_algorithm( &attributes1 ), 704 psa_get_key_algorithm( &attributes2 ) ); 705 if( target_usage & PSA_KEY_USAGE_EXPORT ) 706 { 707 size_t length; 708 ASSERT_ALLOC( export_buffer, target_material->len ); 709 PSA_ASSERT( psa_export_key( returned_target_id, export_buffer, 710 target_material->len, &length ) ); 711 ASSERT_COMPARE( target_material->x, target_material->len, 712 export_buffer, length ); 713 } 714 715 PSA_ASSERT( psa_destroy_key( returned_source_id ) ); 716 if( ! mbedtls_svc_key_id_equal( target_id, source_id ) ) 717 PSA_ASSERT( psa_destroy_key( returned_target_id ) ); 718 719exit: 720 /* 721 * Key attributes may have been returned by psa_get_key_attributes() 722 * thus reset them as required. 723 */ 724 psa_reset_key_attributes( &attributes1 ); 725 psa_reset_key_attributes( &attributes2 ); 726 727 PSA_DONE( ); 728 mbedtls_free( export_buffer ); 729} 730/* END_CASE */ 731 732/* BEGIN_CASE */ 733void invalid_handle( int handle_construction, 734 int close_status_arg ) 735{ 736 psa_key_handle_t valid_handle = PSA_KEY_HANDLE_INIT; 737 psa_key_handle_t invalid_handle = PSA_KEY_HANDLE_INIT; 738 psa_key_id_t key_id; 739 psa_status_t close_status = close_status_arg; 740 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 741 uint8_t material[1] = "a"; 742 743 PSA_ASSERT( psa_crypto_init( ) ); 744 745 /* Allocate a handle and store a key in it. */ 746 psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); 747 psa_set_key_usage_flags( &attributes, 0 ); 748 psa_set_key_algorithm( &attributes, 0 ); 749 PSA_ASSERT( psa_import_key( &attributes, 750 material, sizeof( material ), 751 &valid_handle ) ); 752 TEST_ASSERT( ! psa_key_handle_is_null( valid_handle ) ); 753 754 /* Construct an invalid handle as specified in the test case data. */ 755 switch( handle_construction ) 756 { 757 case INVALID_HANDLE_0: 758 invalid_handle = PSA_KEY_HANDLE_INIT; 759 break; 760 case INVALID_HANDLE_UNOPENED: 761 762 /* 763 * MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) is a volatile 764 * key identifier as the imported key is a volatile key. Volatile 765 * key identifiers are in the range from PSA_KEY_ID_VOLATILE_MIN 766 * to PSA_KEY_ID_VOLATILE_MAX included. Thus pick a key identifier 767 * in the range from PSA_KEY_ID_VOLATILE_MIN to 768 * PSA_KEY_ID_VOLATILE_MAX different from 769 * MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) to build an 770 * unopened and thus invalid identifier. 771 */ 772 773 if( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) == 774 PSA_KEY_ID_VOLATILE_MIN ) 775 key_id = PSA_KEY_ID_VOLATILE_MIN + 1; 776 else 777 key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) - 1; 778 779 invalid_handle = 780 mbedtls_svc_key_id_make( 0, key_id ); 781 break; 782 case INVALID_HANDLE_CLOSED: 783 PSA_ASSERT( psa_import_key( &attributes, 784 material, sizeof( material ), 785 &invalid_handle ) ); 786 PSA_ASSERT( psa_destroy_key( invalid_handle ) ); 787 break; 788 case INVALID_HANDLE_HUGE: 789 invalid_handle = 790 mbedtls_svc_key_id_make( 0, PSA_KEY_ID_VENDOR_MAX + 1 ); 791 break; 792 default: 793 TEST_ASSERT( ! "unknown handle construction" ); 794 } 795 796 /* Attempt to use the invalid handle. */ 797 TEST_EQUAL( psa_get_key_attributes( invalid_handle, &attributes ), 798 PSA_ERROR_INVALID_HANDLE ); 799 TEST_EQUAL( psa_close_key( invalid_handle ), close_status ); 800 TEST_EQUAL( psa_destroy_key( invalid_handle ), close_status ); 801 802 /* After all this, check that the original handle is intact. */ 803 PSA_ASSERT( psa_get_key_attributes( valid_handle, &attributes ) ); 804 TEST_EQUAL( psa_get_key_type( &attributes ), PSA_KEY_TYPE_RAW_DATA ); 805 TEST_EQUAL( psa_get_key_bits( &attributes ), 806 PSA_BYTES_TO_BITS( sizeof( material ) ) ); 807 PSA_ASSERT( psa_close_key( valid_handle ) ); 808 809exit: 810 /* 811 * Key attributes may have been returned by psa_get_key_attributes() 812 * thus reset them as required. 813 */ 814 psa_reset_key_attributes( &attributes ); 815 816 PSA_DONE( ); 817} 818/* END_CASE */ 819 820/* BEGIN_CASE */ 821void many_transient_keys( int max_keys_arg ) 822{ 823 mbedtls_svc_key_id_t *keys = NULL; 824 size_t max_keys = max_keys_arg; 825 size_t i, j; 826 psa_status_t status; 827 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 828 uint8_t exported[sizeof( size_t )]; 829 size_t exported_length; 830 831 ASSERT_ALLOC( keys, max_keys ); 832 PSA_ASSERT( psa_crypto_init( ) ); 833 834 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 835 psa_set_key_algorithm( &attributes, 0 ); 836 psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); 837 838 for( i = 0; i < max_keys; i++ ) 839 { 840 status = psa_import_key( &attributes, 841 (uint8_t *) &i, sizeof( i ), 842 &keys[i] ); 843 if( status == PSA_ERROR_INSUFFICIENT_MEMORY ) 844 break; 845 PSA_ASSERT( status ); 846 TEST_ASSERT( ! mbedtls_svc_key_id_is_null( keys[i] ) ); 847 for( j = 0; j < i; j++ ) 848 TEST_ASSERT( ! mbedtls_svc_key_id_equal( keys[i], keys[j] ) ); 849 } 850 max_keys = i; 851 852 for( i = 1; i < max_keys; i++ ) 853 { 854 PSA_ASSERT( psa_close_key( keys[i - 1] ) ); 855 PSA_ASSERT( psa_export_key( keys[i], 856 exported, sizeof( exported ), 857 &exported_length ) ); 858 ASSERT_COMPARE( exported, exported_length, 859 (uint8_t *) &i, sizeof( i ) ); 860 } 861 PSA_ASSERT( psa_close_key( keys[i - 1] ) ); 862 863exit: 864 PSA_DONE( ); 865 mbedtls_free( keys ); 866} 867/* END_CASE */ 868 869/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 870void key_slot_eviction_to_import_new_key( int lifetime_arg ) 871{ 872 psa_key_lifetime_t lifetime = (psa_key_lifetime_t)lifetime_arg; 873 size_t i; 874 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 875 uint8_t exported[sizeof( size_t )]; 876 size_t exported_length; 877 mbedtls_svc_key_id_t key, returned_key_id; 878 879 PSA_ASSERT( psa_crypto_init( ) ); 880 881 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT ); 882 psa_set_key_algorithm( &attributes, 0 ); 883 psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); 884 885 /* 886 * Create MBEDTLS_PSA_KEY_SLOT_COUNT persistent keys. 887 */ 888 for( i = 0; i < MBEDTLS_PSA_KEY_SLOT_COUNT; i++ ) 889 { 890 key = mbedtls_svc_key_id_make( i, i + 1 ); 891 psa_set_key_id( &attributes, key ); 892 PSA_ASSERT( psa_import_key( &attributes, 893 (uint8_t *) &i, sizeof( i ), 894 &returned_key_id ) ); 895 TEST_ASSERT( mbedtls_svc_key_id_equal( returned_key_id, key ) ); 896 } 897 898 /* 899 * Create a new persistent or volatile key. When creating the key, 900 * one of the descriptions of the previously created persistent keys 901 * is removed from the RAM key slots. This makes room to store its 902 * description in RAM. 903 */ 904 i = MBEDTLS_PSA_KEY_SLOT_COUNT; 905 key = mbedtls_svc_key_id_make( i, i + 1 ); 906 psa_set_key_id( &attributes, key ); 907 psa_set_key_lifetime( &attributes, lifetime ); 908 909 PSA_ASSERT( psa_import_key( &attributes, 910 (uint8_t *) &i, sizeof( i ), 911 &returned_key_id ) ); 912 if( lifetime != PSA_KEY_LIFETIME_VOLATILE ) 913 TEST_ASSERT( mbedtls_svc_key_id_equal( returned_key_id, key ) ); 914 else 915 TEST_ASSERT( psa_key_id_is_volatile( 916 MBEDTLS_SVC_KEY_ID_GET_KEY_ID( returned_key_id ) ) ); 917 918 /* 919 * Check that we can export all ( MBEDTLS_PSA_KEY_SLOT_COUNT + 1 ) keys, 920 * that they have the expected value and destroy them. In that process, 921 * the description of the persistent key that was evicted from the RAM 922 * slots when creating the last key is restored in a RAM slot to export 923 * its value. 924 */ 925 for( i = 0; i <= MBEDTLS_PSA_KEY_SLOT_COUNT; i++ ) 926 { 927 if( i < MBEDTLS_PSA_KEY_SLOT_COUNT ) 928 key = mbedtls_svc_key_id_make( i, i + 1 ); 929 else 930 key = returned_key_id; 931 932 PSA_ASSERT( psa_export_key( key, 933 exported, sizeof( exported ), 934 &exported_length ) ); 935 ASSERT_COMPARE( exported, exported_length, 936 (uint8_t *) &i, sizeof( i ) ); 937 PSA_ASSERT( psa_destroy_key( key ) ); 938 } 939 940exit: 941 PSA_DONE( ); 942} 943/* END_CASE */ 944 945/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ 946void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation( ) 947{ 948 psa_status_t status; 949 size_t i; 950 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 951 uint8_t exported[sizeof( size_t )]; 952 size_t exported_length; 953 mbedtls_svc_key_id_t persistent_key = MBEDTLS_SVC_KEY_ID_INIT; 954 mbedtls_svc_key_id_t persistent_key2 = MBEDTLS_SVC_KEY_ID_INIT; 955 mbedtls_svc_key_id_t returned_key_id = MBEDTLS_SVC_KEY_ID_INIT; 956 mbedtls_svc_key_id_t *keys = NULL; 957 958 TEST_ASSERT( MBEDTLS_PSA_KEY_SLOT_COUNT >= 1 ); 959 960 ASSERT_ALLOC( keys, MBEDTLS_PSA_KEY_SLOT_COUNT ); 961 PSA_ASSERT( psa_crypto_init( ) ); 962 963 psa_set_key_usage_flags( &attributes, 964 PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY ); 965 psa_set_key_algorithm( &attributes, 0 ); 966 psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); 967 968 /* 969 * Create a persistent key 970 */ 971 persistent_key = mbedtls_svc_key_id_make( 0x100, 0x205 ); 972 psa_set_key_id( &attributes, persistent_key ); 973 PSA_ASSERT( psa_import_key( &attributes, 974 (uint8_t *) &persistent_key, 975 sizeof( persistent_key ), 976 &returned_key_id ) ); 977 TEST_ASSERT( mbedtls_svc_key_id_equal( returned_key_id, persistent_key ) ); 978 979 /* 980 * Create MBEDTLS_PSA_KEY_SLOT_COUNT volatile keys 981 */ 982 psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE ); 983 for( i = 0; i < MBEDTLS_PSA_KEY_SLOT_COUNT; i++ ) 984 { 985 PSA_ASSERT( psa_import_key( &attributes, 986 (uint8_t *) &i, sizeof( i ), 987 &keys[i]) ); 988 } 989 psa_reset_key_attributes( &attributes ); 990 991 /* 992 * Check that we cannot access the persistent key as all slots are 993 * occupied by volatile keys and the implementation needs to load the 994 * persistent key description in a slot to be able to access it. 995 */ 996 status = psa_get_key_attributes( persistent_key, &attributes ); 997 TEST_EQUAL( status, PSA_ERROR_INSUFFICIENT_MEMORY ); 998 999 /* 1000 * Check we can export the volatile key created last and that it has the 1001 * expected value. Then, destroy it. 1002 */ 1003 PSA_ASSERT( psa_export_key( keys[MBEDTLS_PSA_KEY_SLOT_COUNT - 1], 1004 exported, sizeof( exported ), 1005 &exported_length ) ); 1006 i = MBEDTLS_PSA_KEY_SLOT_COUNT - 1; 1007 ASSERT_COMPARE( exported, exported_length, (uint8_t *) &i, sizeof( i ) ); 1008 PSA_ASSERT( psa_destroy_key( keys[MBEDTLS_PSA_KEY_SLOT_COUNT - 1] ) ); 1009 1010 /* 1011 * Check that we can now access the persistent key again. 1012 */ 1013 PSA_ASSERT( psa_get_key_attributes( persistent_key, &attributes ) ); 1014 TEST_ASSERT( mbedtls_svc_key_id_equal( attributes.core.id, 1015 persistent_key ) ); 1016 1017 /* 1018 * Check that we cannot copy the persistent key as all slots are occupied 1019 * by the persistent key and the volatile keys and the slot containing the 1020 * persistent key cannot be reclaimed as it contains the key to copy. 1021 */ 1022 persistent_key2 = mbedtls_svc_key_id_make( 0x100, 0x204 ); 1023 psa_set_key_id( &attributes, persistent_key2 ); 1024 status = psa_copy_key( persistent_key, &attributes, &returned_key_id ); 1025 TEST_EQUAL( status, PSA_ERROR_INSUFFICIENT_MEMORY ); 1026 1027 /* 1028 * Check we can export the remaining volatile keys and that they have the 1029 * expected values. 1030 */ 1031 for( i = 0; i < ( MBEDTLS_PSA_KEY_SLOT_COUNT - 1 ); i++ ) 1032 { 1033 PSA_ASSERT( psa_export_key( keys[i], 1034 exported, sizeof( exported ), 1035 &exported_length ) ); 1036 ASSERT_COMPARE( exported, exported_length, 1037 (uint8_t *) &i, sizeof( i ) ); 1038 PSA_ASSERT( psa_destroy_key( keys[i] ) ); 1039 } 1040 1041 /* 1042 * Check we can export the persistent key and that it have the expected 1043 * value. 1044 */ 1045 1046 PSA_ASSERT( psa_export_key( persistent_key, exported, sizeof( exported ), 1047 &exported_length ) ); 1048 ASSERT_COMPARE( exported, exported_length, 1049 (uint8_t *) &persistent_key, sizeof( persistent_key ) ); 1050exit: 1051 /* 1052 * Key attributes may have been returned by psa_get_key_attributes() 1053 * thus reset them as required. 1054 */ 1055 psa_reset_key_attributes( &attributes ); 1056 1057 psa_destroy_key( persistent_key ); 1058 PSA_DONE( ); 1059 mbedtls_free( keys ); 1060} 1061/* END_CASE */ 1062