commit db2b8db7150183e15169636027f87c4145e5645c
author Darryl Green <darryl.green@arm.com> Fri Jun 15 13:06:04 2018 +0100
committer Darryl Green <darryl.green@arm.com> Tue Nov 20 15:21:22 2018 +0000
tree 1fa9bc1fe13b1c7be90282e256d8e1f60ffbfdf1
parent d9eee3b417c2e8f63dd10d835ab9a9472242c2ed

psa: Add storage implementation for files

Add new functions, psa_load_persistent_key(),
psa_free_persistent_key_data(), and psa_save_persistent_key(), for
managing persistent keys. These functions load to or save from our
internal representation of key slots. Serialization is a concern of the
storage backend implementation and doesn't abstraction-leak into the
lifetime management code.

An initial implementation for files is provided. Additional storage
backends can implement this interface for other storage types.

library/psa_crypto_storage.c

diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
new file mode 100644
index 0000000..5285826
--- /dev/null
+++ b/library/psa_crypto_storage.c
@@ -0,0 +1,195 @@
+/*
+ *  PSA persistent key storage
+ */
+/*  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc   calloc
+#define mbedtls_free     free
+#endif
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+typedef struct {
+    uint8_t version[4];
+    uint8_t type[sizeof( psa_key_type_t )];
+    uint8_t policy[sizeof( psa_key_policy_t )];
+    uint8_t data_len[4];
+    uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage( const uint8_t *data,
+                                      const size_t data_length,
+                                      const psa_key_type_t type,
+                                      const psa_key_policy_t *policy,
+                                      uint8_t *storage_data )
+{
+    psa_persistent_key_storage_format *storage_format =
+        (psa_persistent_key_storage_format *) storage_data;
+
+    PUT_UINT32_LE(0, storage_format->version, 0);
+    PUT_UINT32_LE(type, storage_format->type, 0);
+    PUT_UINT32_LE(policy->usage, storage_format->policy, 0);
+    PUT_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+    PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+    memcpy( storage_format->key_data, data, data_length );
+}
+
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+                                              size_t storage_data_length,
+                                              uint8_t **key_data,
+                                              size_t *key_data_length,
+                                              psa_key_type_t *type,
+                                              psa_key_policy_t *policy )
+{
+    const psa_persistent_key_storage_format *storage_format =
+        (const psa_persistent_key_storage_format *)storage_data;
+    uint32_t version;
+
+    GET_UINT32_LE(version, storage_format->version, 0);
+    if( version != 0 )
+        return( PSA_ERROR_STORAGE_FAILURE );
+
+    GET_UINT32_LE(*key_data_length, storage_format->data_len, 0);
+    if( *key_data_length > ( storage_data_length - sizeof(*storage_format) ) ||
+        *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+        return( PSA_ERROR_STORAGE_FAILURE );
+
+    *key_data = mbedtls_calloc( 1, *key_data_length );
+    if( *key_data == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+    GET_UINT32_LE(*type, storage_format->type, 0);
+    GET_UINT32_LE(policy->usage, storage_format->policy, 0);
+    GET_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+
+    memcpy( *key_data, storage_format->key_data, *key_data_length );
+
+    return( PSA_SUCCESS );
+}
+
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+                                      const psa_key_type_t type,
+                                      const psa_key_policy_t *policy,
+                                      const uint8_t *data,
+                                      const size_t data_length )
+{
+    size_t storage_data_length;
+    uint8_t *storage_data;
+    psa_status_t status;
+
+    if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+        return PSA_ERROR_INSUFFICIENT_STORAGE;
+    storage_data_length = data_length + sizeof( psa_persistent_key_storage_format );
+
+    storage_data = mbedtls_calloc( 1, storage_data_length );
+    if( storage_data == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+    psa_format_key_data_for_storage( data, data_length, type, policy,
+                                     storage_data );
+
+    status = psa_crypto_storage_store( key,
+                                       storage_data, storage_data_length );
+
+    mbedtls_free( storage_data );
+
+    return( status );
+}
+
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length )
+{
+    if( key_data != NULL )
+    {
+        mbedtls_platform_zeroize( key_data, key_data_length );
+    }
+    mbedtls_free( key_data );
+}
+
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+                                      psa_key_type_t *type,
+                                      psa_key_policy_t *policy,
+                                      uint8_t **data,
+                                      size_t *data_length )
+{
+    psa_status_t status = PSA_SUCCESS;
+    uint8_t *loaded_data;
+    size_t storage_data_length = 0;
+
+    status = psa_crypto_storage_get_data_length( key, &storage_data_length );
+    if( status != PSA_SUCCESS )
+        return( status );
+
+    loaded_data = mbedtls_calloc( 1, storage_data_length );
+
+    if( loaded_data == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+    status = psa_crypto_storage_load( key, loaded_data, storage_data_length );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    status = psa_parse_key_data_from_storage( loaded_data, storage_data_length,
+                                              data, data_length, type, policy );
+
+exit:
+    mbedtls_free( loaded_data );
+    return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */