Implement and test the new key identifier range

Only allow creating keys in the application (user) range. Allow opening keys in the implementation (vendor) range as well. Compared with what the implementation allowed, which was undocumented: 0 is now allowed; values from 0x40000000 to 0xfffeffff are now forbidden.
2025-07-30 22:43:08 +03:00 · 2019-05-06 18:56:30 +02:00
parent 4a231b8d3b
commit f9666595e1
5 changed files with 54 additions and 29 deletions
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@ -176,20 +176,23 @@ exit:
 * is provided.
 *
 * \param file_id       The key identifier to check.
+ * \param vendor_ok     Nonzero to allow key ids in the vendor range.
+ *                      0 to allow only key ids in the application range.
 *
 * \return              1 if \p file_id is acceptable, otherwise 0.
 */
-static int psa_is_key_id_valid( psa_key_file_id_t file_id )
+static int psa_is_key_id_valid( psa_key_file_id_t file_id,
+                                int vendor_ok )
 {
    psa_app_key_id_t key_id = PSA_KEY_FILE_GET_KEY_ID( file_id );
-    /* Reject id=0 because by general library conventions, 0 is an invalid
-     * value wherever possible. */
-    if( key_id == 0 )
-        return( 0 );
    /* Reject high values because the file names are reserved for the
     * library's internal use. */
    if( key_id > PSA_MAX_PERSISTENT_KEY_IDENTIFIER )
        return( 0 );
+    /* Applications may only create keys in the range
+     * 0..PSA_KEY_ID_USER_MAX. */
+    if( ! vendor_ok && key_id > PSA_KEY_ID_USER_MAX )
+        return( 0 );
    return( 1 );
 }

@ -231,13 +234,14 @@ static psa_status_t psa_internal_make_key_persistent( psa_key_handle_t handle,

 psa_status_t psa_validate_persistent_key_parameters(
    psa_key_lifetime_t lifetime,
-    psa_key_file_id_t id )
+    psa_key_file_id_t id,
+    int creating )
 {
    if( lifetime != PSA_KEY_LIFETIME_PERSISTENT )
        return( PSA_ERROR_INVALID_ARGUMENT );

 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-    if( ! psa_is_key_id_valid( id ) )
+    if( ! psa_is_key_id_valid( id, ! creating ) )
        return( PSA_ERROR_INVALID_ARGUMENT );
    return( PSA_SUCCESS );

@ -250,13 +254,15 @@ psa_status_t psa_validate_persistent_key_parameters(
 static psa_status_t persistent_key_setup( psa_key_lifetime_t lifetime,
                                          psa_key_file_id_t id,
                                          psa_key_handle_t *handle,
-                                          psa_status_t wanted_load_status )
+                                          int creating )
 {
    psa_status_t status;
+    psa_status_t wanted_load_status =
+        ( creating ? PSA_ERROR_DOES_NOT_EXIST : PSA_SUCCESS );

    *handle = 0;

-    status = psa_validate_persistent_key_parameters( lifetime, id );
+    status = psa_validate_persistent_key_parameters( lifetime, id, creating );
    if( status != PSA_SUCCESS )
        return( status );

@ -281,7 +287,7 @@ static psa_status_t persistent_key_setup( psa_key_lifetime_t lifetime,
 psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
 {
    return( persistent_key_setup( PSA_KEY_LIFETIME_PERSISTENT,
-                                  id, handle, PSA_SUCCESS ) );
+                                  id, handle, 0 ) );
 }

 psa_status_t psa_create_key( psa_key_lifetime_t lifetime,
@ -290,8 +296,7 @@ psa_status_t psa_create_key( psa_key_lifetime_t lifetime,
 {
    psa_status_t status;

-    status = persistent_key_setup( lifetime, id, handle,
-                                   PSA_ERROR_DOES_NOT_EXIST );
+    status = persistent_key_setup( lifetime, id, handle, 1 );
    switch( status )
    {
        case PSA_SUCCESS: return( PSA_ERROR_ALREADY_EXISTS );