Merge remote-tracking branch 'psa/pr/14' into feature-psa

Conflict resolution: * `tests/suites/test_suite_psa_crypto.data`: in the new tests from PR #14, rename `PSA_ALG_RSA_PKCS1V15_RAW` to `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` as was done in PR #15 in the other branch.
2025-12-24 17:41:01 +03:00 · 2018-04-30 16:59:40 +02:00
parent 8d2abd6f72 38a622b68b
commit c63b6ba754
4 changed files with 222 additions and 4 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -96,6 +96,7 @@ static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )

 typedef struct {
    psa_key_type_t type;
+    psa_key_policy_t policy;
    union {
        struct raw_data {
            uint8_t *data;
@@ -468,6 +469,9 @@ psa_status_t psa_export_key(psa_key_slot_t key,
    if( slot->type == PSA_KEY_TYPE_NONE )
        return( PSA_ERROR_EMPTY_SLOT );

+    if( !( slot->policy.usage & PSA_KEY_USAGE_EXPORT ) )
+        return( PSA_ERROR_NOT_PERMITTED );
+
    if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
    {
        if( slot->data.raw.bytes > data_size )
@@ -982,6 +986,12 @@ psa_status_t psa_mac_start( psa_mac_operation_t *operation,
        return( status );
    slot = &global_data.key_slots[key];

+    if ( ( slot->policy.usage & PSA_KEY_USAGE_SIGN ) != 0 )
+        operation->key_usage_sign = 1;
+
+    if ( ( slot->policy.usage & PSA_KEY_USAGE_VERIFY ) != 0 )
+        operation->key_usage_verify = 1;
+
    if( ! PSA_ALG_IS_HMAC( alg ) )
    {
        cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits );
@@ -1080,7 +1090,7 @@ psa_status_t psa_mac_update( psa_mac_operation_t *operation,
    return( mbedtls_to_psa_error( ret ) );
 }

-psa_status_t psa_mac_finish( psa_mac_operation_t *operation,
+static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
                             uint8_t *mac,
                             size_t mac_size,
                             size_t *mac_length )
@@ -1132,6 +1142,17 @@ psa_status_t psa_mac_finish( psa_mac_operation_t *operation,
    }
 }

+psa_status_t psa_mac_finish( psa_mac_operation_t *operation,
+                             uint8_t *mac,
+                             size_t mac_size,
+                             size_t *mac_length )
+{
+    if( !( operation->key_usage_sign ) )
+        return( PSA_ERROR_NOT_PERMITTED );
+
+    return( psa_mac_finish_internal(operation, mac, mac_size, mac_length ) );
+}
+
 #define MBEDTLS_PSA_MAC_MAX_SIZE                       \
    ( MBEDTLS_MD_MAX_SIZE > MBEDTLS_MAX_BLOCK_LENGTH ? \
      MBEDTLS_MD_MAX_SIZE :                            \
@@ -1142,9 +1163,14 @@ psa_status_t psa_mac_verify( psa_mac_operation_t *operation,
 {
    uint8_t actual_mac[MBEDTLS_PSA_MAC_MAX_SIZE];
    size_t actual_mac_length;
-    psa_status_t status = psa_mac_finish( operation,
-                                          actual_mac, sizeof( actual_mac ),
-                                          &actual_mac_length );
+    psa_status_t status;
+
+    if( !( operation->key_usage_verify ) )
+        return( PSA_ERROR_NOT_PERMITTED );
+
+    status = psa_mac_finish_internal( operation,
+                                      actual_mac, sizeof( actual_mac ),
+                                      &actual_mac_length );
    if( status != PSA_SUCCESS )
        return( status );
    if( actual_mac_length != mac_length )
@@ -1184,6 +1210,8 @@ psa_status_t psa_asymmetric_sign(psa_key_slot_t key,
        return( PSA_ERROR_EMPTY_SLOT );
    if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
        return( PSA_ERROR_INVALID_ARGUMENT );
+    if( !( slot->policy.usage & PSA_KEY_USAGE_SIGN ) )
+        return( PSA_ERROR_NOT_PERMITTED );

 #if defined(MBEDTLS_RSA_C)
    if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
@@ -1260,6 +1288,69 @@ psa_status_t psa_asymmetric_sign(psa_key_slot_t key,
 }


+/****************************************************************/
+/* Key Policy */
+/****************************************************************/
+
+void psa_key_policy_init(psa_key_policy_t *policy)
+{
+    memset( policy, 0, sizeof( psa_key_policy_t ) );
+}
+
+void psa_key_policy_set_usage(psa_key_policy_t *policy,
+                              psa_key_usage_t usage,
+                              psa_algorithm_t alg)
+{
+    policy->usage = usage;
+    policy->alg = alg;
+}
+
+psa_key_usage_t psa_key_policy_get_usage(psa_key_policy_t *policy)
+{
+    return( policy->usage );
+}
+
+psa_algorithm_t psa_key_policy_get_algorithm(psa_key_policy_t *policy)
+{
+    return( policy->alg );
+}
+
+psa_status_t psa_set_key_policy(psa_key_slot_t key,
+                                const psa_key_policy_t *policy)
+{
+    key_slot_t *slot;
+
+    if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT || policy == NULL )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    
+    slot = &global_data.key_slots[key];
+    if( slot->type != PSA_KEY_TYPE_NONE )
+        return( PSA_ERROR_OCCUPIED_SLOT );
+
+    if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT 
+                        | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN 
+                        | PSA_KEY_USAGE_VERIFY ) ) != 0 )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
+    slot->policy = *policy;
+
+    return( PSA_SUCCESS );
+}
+
+psa_status_t psa_get_key_policy(psa_key_slot_t key,
+                                psa_key_policy_t *policy)
+{
+    key_slot_t *slot;
+
+    if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT || policy == NULL )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
+    slot = &global_data.key_slots[key];
+    
+    *policy = slot->policy;
+
+    return( PSA_SUCCESS );
+}

 /****************************************************************/
 /* Module setup */