diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fccb80077..c35b2a644 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -1104,27 +1104,40 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, else if( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) ) { /* Try validation through accelerators first. */ - bit_size = slot->attr.bits; psa_key_attributes_t attributes = { .core = slot->attr }; - status = psa_driver_wrapper_validate_key( &attributes, - data, - data_length, - &bit_size ); + + status = psa_allocate_buffer_to_slot( slot, data_length ); + if( status != PSA_SUCCESS ) + return( status ); + + bit_size = slot->attr.bits; + status = psa_driver_wrapper_import_key( &attributes, + data, data_length, + slot->key.data, + slot->key.bytes, + &slot->key.bytes, + &bit_size ); if( status == PSA_SUCCESS ) { - /* Key has been validated successfully by an accelerator. - * Copy key material into slot. */ - status = psa_copy_key_material_into_slot( slot, data, data_length ); - if( status != PSA_SUCCESS ) - return( status ); + if( slot->attr.bits == 0 ) + slot->attr.bits = (psa_key_bits_t) bit_size; + else if( bit_size != slot->attr.bits ) + return( PSA_ERROR_INVALID_ARGUMENT ); - slot->attr.bits = (psa_key_bits_t) bit_size; return( PSA_SUCCESS ); } - else if( status != PSA_ERROR_NOT_SUPPORTED ) - return( status ); + else + { + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); + } + + mbedtls_platform_zeroize( slot->key.data, data_length ); + mbedtls_free( slot->key.data ); + slot->key.data = NULL; + slot->key.bytes = 0; /* Key format is not supported by any accelerator, try software fallback * if present. */ diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 2d433830d..0562756e2 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c 
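Review bot: In the success branch after `psa_driver_wrapper_import_key`, the length the driver wrote through `&slot->key.bytes` becomes the slot's key size without being compared against the `data_length` bytes reserved by `psa_allocate_buffer_to_slot`, so a driver reporting a larger length would leave later users of the slot reading past the allocation. A guard at the top of that branch, `if( slot->key.bytes > data_length ) return( PSA_ERROR_CORRUPTION_DETECTED );`, would catch this. In the same branch `(psa_key_bits_t) bit_size` silently narrows a `size_t` when `slot->attr.bits == 0`, so checking `bit_size > PSA_MAX_KEY_BITS` first would avoid storing a truncated key size. The early returns (driver error, bit-size mismatch) also leave the freshly allocated buffer in the slot, which is only safe if the caller wipes the slot on failure. That caller is not visible here, and the body of psa_import_key_into_slot starts and ends outside this hunk.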
@@ -409,19 +409,23 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib #endif /* PSA_CRYPTO_DRIVER_PRESENT */ } -psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attributes, - const uint8_t *data, - size_t data_length, - size_t *bits ) +psa_status_t psa_driver_wrapper_import_key( + const psa_key_attributes_t *attributes, + const uint8_t *data, + size_t data_length, + uint8_t *key_buffer, + size_t key_buffer_size, + size_t *key_buffer_length, + size_t *bits ) { #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; /* Try accelerators in turn */ #if defined(PSA_CRYPTO_DRIVER_TEST) - status = test_transparent_validate_key( attributes, - data, - data_length, - bits ); + status = test_transparent_import_key( attributes, + data, data_length, + key_buffer, key_buffer_size, + key_buffer_length, bits ); /* Declared with fallback == true */ if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); @@ -432,6 +436,9 @@ psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attrib (void) attributes; (void) data; (void) data_length; + (void) key_buffer; + (void) key_buffer_size; + (void) key_buffer_length; (void) bits; return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_DRIVER_PRESENT */ diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 6b5143781..4c6cce95b 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h 
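Review bot: `psa_driver_wrapper_import_key` now writes key material into a caller-owned buffer but has no comment stating the buffer contract, and the prototype in psa_crypto_driver_wrappers.h has none either. I would add above the definition something like `/* key_buffer receives the imported key; on any status other than PSA_SUCCESS its contents and *key_buffer_length are unspecified and the caller must wipe the buffer. */`. That is what the caller in psa_crypto.c appears to rely on when it zeroizes and frees the buffer after `PSA_ERROR_NOT_SUPPORTED`. The function body continues past the end of this hunk.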
@@ -50,10 +50,11 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, psa_key_slot_t *slot ); -psa_status_t psa_driver_wrapper_validate_key( const psa_key_attributes_t *attributes, - const uint8_t *data, - size_t data_length, - size_t *bits ); +psa_status_t psa_driver_wrapper_import_key( + const psa_key_attributes_t *attributes, + const uint8_t *data, size_t data_length, + uint8_t *key_buffer, size_t key_buffer_size, + size_t *key_buffer_length, size_t *bits ); psa_status_t psa_driver_wrapper_export_public_key( const psa_key_slot_t *slot, uint8_t *data, diff --git a/tests/include/test/drivers/key_management.h b/tests/include/test/drivers/key_management.h index 90f8c587c..7811fb439 100644 --- a/tests/include/test/drivers/key_management.h +++ b/tests/include/test/drivers/key_management.h @@ -58,12 +58,6 @@ psa_status_t test_opaque_generate_key( const psa_key_attributes_t *attributes, uint8_t *key, size_t key_size, size_t *key_length ); -psa_status_t test_transparent_validate_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, - size_t data_length, - size_t *bits); - psa_status_t test_transparent_export_public_key( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, @@ -74,5 +68,14 @@ psa_status_t test_opaque_export_public_key( const uint8_t *key, size_t key_length, uint8_t *data, size_t data_size, size_t *data_length ); +psa_status_t test_transparent_import_key( + const psa_key_attributes_t *attributes, + const uint8_t *data, + size_t data_length, + uint8_t *key_buffer, + size_t key_buffer_size, + size_t *key_buffer_length, + size_t *bits); + #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H */ diff --git a/tests/src/drivers/key_management.c b/tests/src/drivers/key_management.c index 00d2b4519..ab3210b71 100644 --- a/tests/src/drivers/key_management.c 
+++ b/tests/src/drivers/key_management.c @@ -137,11 +137,14 @@ psa_status_t test_opaque_generate_key( return( PSA_ERROR_NOT_SUPPORTED ); } -psa_status_t test_transparent_validate_key( +psa_status_t test_transparent_import_key( const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, - size_t *bits ) + uint8_t *key_buffer, + size_t key_buffer_size, + size_t *key_buffer_length, + size_t *bits) { ++test_driver_key_management_hooks.hits;