Allow loading wrapped keys even when SE support is compiled in

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2025-10-30 11:11:12 -04:00 · 2021-01-08 19:19:40 +01:00 · 2021-01-08 19:19:40 +01:00 · 98435ddf84
commit 98435ddf84
parent a51e1dbe76
3 changed files with 81 additions and 36 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -2325,6 +2325,8 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
    if( status != PSA_SUCCESS )
        goto exit;

+    if( psa_key_lifetime_is_external( psa_get_key_lifetime( attributes ) ) )
+    {
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
        if( driver != NULL )
        {
@ -2353,6 +2355,15 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
        }
        else
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+        {
+            /* Importing a key with external lifetime through the driver wrapper
+             * interface is not yet supported. Return as if this was an invalid
+             * lifetime. */
+            status = PSA_ERROR_INVALID_ARGUMENT;
+            goto exit;
+        }
+    }
+    else
    {
        status = psa_import_key_into_slot( slot, data, data_length );
        if( status != PSA_SUCCESS )
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@ -247,8 +247,12 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot )
    if( status != PSA_SUCCESS )
        goto exit;

-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
    if( psa_key_lifetime_is_external( slot->attr.lifetime ) )
+    {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+        const psa_drv_se_t *drv;
+        psa_drv_se_context_t *drv_context;
+        if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
        {
            psa_se_key_data_storage_t *data;
            if( key_data_length != sizeof( *data ) )
@ -263,11 +267,24 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot )
        else
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
        {
-        status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
-        if( status != PSA_SUCCESS )
+            /* A key that is successfully loaded from storage with an
+             * external lifetime, but doesn't belong to an SE driver,
+             * must be a PSA driver-associated key which we can just
+             * load like an internal key. */
+            if ( key_data == NULL )
+            {
+                status = PSA_ERROR_STORAGE_FAILURE;
                goto exit;
            }

+            status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
+        }
+    }
+    else
+    {
+        status = psa_copy_key_material_into_slot( slot, key_data, key_data_length );
+    }
+
 exit:
    psa_free_persistent_key_data( key_data, key_data_length );
    return( status );
@ -345,7 +362,14 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
        psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry( lifetime );
        if( driver == NULL )
+        {
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+            /* Key location for external keys gets checked by the wrapper */
+            return( PSA_SUCCESS );
+#else
            return( PSA_ERROR_INVALID_ARGUMENT );
+#endif
+        }
        else
        {
            if (p_drv != NULL)
@ -354,7 +378,12 @@ psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
        }
 #else
        (void) p_drv;
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+        /* Key location for external keys gets checked by the wrapper */
+        return( PSA_SUCCESS );
+#else
        return( PSA_ERROR_INVALID_ARGUMENT );
+#endif
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
    }
    else
--- a/tests/suites/test_suite_psa_crypto_slot_management.data
+++ b/tests/suites/test_suite_psa_crypto_slot_management.data
@ -107,10 +107,15 @@ Open failure: non-existent identifier
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
 open_fail:1:PSA_ERROR_DOES_NOT_EXIST

-Create failure: invalid lifetime
-create_fail:0x7fffffff:0:PSA_ERROR_INVALID_ARGUMENT
+Create failure: invalid lifetime for a persistent key
+depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
+create_fail:0x7fffffff:1:PSA_ERROR_INVALID_ARGUMENT

-Create failure: invalid key id (0)
+Create failure: invalid lifetime for a volatile key
+depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
+create_fail:0x7fffff00:0:PSA_ERROR_INVALID_ARGUMENT
+
+Create failure: invalid key id (0) for a persistent key
 depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
 create_fail:PSA_KEY_LIFETIME_PERSISTENT:0:PSA_ERROR_INVALID_HANDLE