SE key registration: call p_validate_slot_number

When registering a key in a secure element, if the driver has a p_validate_slot_number method, call it.
2025-11-04 04:32:24 -05:00 · 2019-08-05 16:46:18 +02:00 · 2019-08-05 16:46:18 +02:00 · a5f8749812
commit a5f8749812
parent d772958ffc
2 changed files with 36 additions and 1 deletions
--- a/include/psa/crypto_se_driver.h
+++ b/include/psa/crypto_se_driver.h
@ -818,7 +818,27 @@ typedef enum
    PSA_KEY_CREATION_GENERATE, /**< During psa_generate_key() */
    PSA_KEY_CREATION_DERIVE, /**< During psa_key_derivation_output_key() */
    PSA_KEY_CREATION_COPY, /**< During psa_copy_key() */
-    PSA_KEY_CREATION_REGISTER, /*TEMPORARY*/
+
+#ifndef __DOXYGEN_ONLY__
+    /** A key is being registered with mbedtls_psa_register_se_key().
+     *
+     * The core only passes this value to
+     * psa_drv_se_key_management_t::p_validate_slot_number, not to
+     * psa_drv_se_key_management_t::p_allocate. The call to
+     * `p_validate_slot_number` is not followed by any other call to the
+     * driver: the key is considered successfully registered if the call to
+     * `p_validate_slot_number` succeeds, or if `p_validate_slot_number` is
+     * null.
+     *
+     * With this creation method, the driver must return #PSA_SUCCESS if
+     * the given attributes are compatible with the existing key in the slot,
+     * and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
+     * is no key with the specified slot number.
+     *
+     * This is an Mbed Crypto extension.
+     */
+    PSA_KEY_CREATION_REGISTER,
+#endif
 } psa_key_creation_method_t;

 /** \brief A function that allocates a slot for a key.
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -1902,6 +1902,21 @@ psa_status_t mbedtls_psa_register_se_key(
        goto exit;
    }

+    /* If the driver has a slot number validation method, call it.
+     * If it doesn't, it means the secure element is unable to validate
+     * anything and so we have to trust the application. */
+    if( drv->key_management != NULL &&
+        drv->key_management->p_validate_slot_number != NULL )
+    {
+        status = drv->key_management->p_validate_slot_number(
+            psa_get_se_driver_context( driver ),
+            attributes,
+            PSA_KEY_CREATION_REGISTER,
+            slot->data.se.slot_number );
+        if( status != PSA_SUCCESS )
+            goto exit;
+    }
+
    status = psa_finish_key_creation( slot, driver );

 exit: