Prevent mbedtls_psa_register_se_key with volatile keys

mbedtls_psa_register_se_key() is not usable with volatile keys, since there is no way to return the implementation-chosen key identifier which would be needed to use the key. Document this limitation. Reject an attempt to create such an unusable key. Fixes #9253. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-29 11:41:15 +03:00 · 2024-06-13 16:06:45 +02:00
parent 86c603702e
commit d72ad738bd
5 changed files with 32 additions and 1 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -2149,6 +2149,14 @@ psa_status_t mbedtls_psa_register_se_key(
        return PSA_ERROR_NOT_SUPPORTED;
    }

+    /* Not usable with volatile keys, even with an appropriate location,
+     * due to the API design.
+     * https://github.com/Mbed-TLS/mbedtls/issues/9253
+     */
+    if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+
    status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
                                    &slot, &driver);
    if (status != PSA_SUCCESS) {