Support encoding an owner in key file IDs
Differentiate between _key identifiers_, which are always `uint32_t`,
and _key file identifiers_, which are platform-dependent. Normally,
the two are the same.
In `psa/crypto_platform.h`, define `psa_app_key_id_t` (which is always
32 bits, the standard key identifier type) and
`psa_key_file_id_t` (which will be different in some service builds).
A subsequent commit will introduce a platform where the two are different.
It would make sense for the function declarations in `psa/crypto.h` to
use `psa_key_file_id_t`. However, this file is currently part of the
PSA Crypto API specification, so it must stick to the standard type
`psa_key_id_t`. Hence, as long as the specification and Mbed Crypto
are not separate, use the implementation-specific file
`psa/crypto_platform.h` to define `psa_key_id_t` as `psa_key_file_id_t`.
In the library, systematically use `psa_key_file_id_t`.
perl -i -pe 's/psa_key_id_t/psa_key_file_id_t/g' library/*.[hc]
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 50ca546..0f3ede8 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -49,4 +49,27 @@
/* Integral type representing a key handle. */
typedef uint16_t psa_key_handle_t;
+/* This implementation distinguishes *application key identifiers*, which
+ * are the key identifiers specified by the application, from
+ * *key file identifiers*, which are the key identifiers that the library
+ * sees internally. The two types can be different if there is a remote
+ * call layer between the application and the library which supports
+ * multiple client applications that do not have access to each others'
+ * keys. The point of having different types is that the key file
+ * identifier may encode not only the key identifier specified by the
+ * application, but also the the identity of the application.
+ *
+ * Note that this is an internal concept of the library and the remote
+ * call layer. The application itself never sees anything other than
+ * #psa_app_key_id_t with its standard definition.
+ */
+
+/* The application key identifier is always what the application sees as
+ * #psa_key_id_t. */
+typedef uint32_t psa_app_key_id_t;
+
+/* By default, a key file identifier is just the application key identifier. */
+typedef psa_app_key_id_t psa_key_file_id_t;
+#define PSA_KEY_FILE_GET_KEY_ID( id ) ( id )
+
#endif /* PSA_CRYPTO_PLATFORM_H */
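Review bot: The new comment block has a doubled word, `the the identity of the application`, in the sentence explaining what a key file identifier may encode. `PSA_KEY_FILE_GET_KEY_ID` also carries no comment saying what it does or who must redefine it; since `psa_is_key_id_valid` in library/psa_crypto_slot_management.c now depends on it, a platform that defines a different `psa_key_file_id_t` presumably has to supply a matching definition, and that contract belongs next to the macro: `/* Extract the application key identifier from a key file identifier. A platform that defines a different psa_key_file_id_t must define this macro accordingly. */`.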
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index c289681..0f75624 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -41,7 +41,7 @@
psa_key_type_t type;
psa_key_policy_t policy;
psa_key_lifetime_t lifetime;
- psa_key_id_t persistent_storage_id;
+ psa_key_file_id_t persistent_storage_id;
unsigned allocated : 1;
union
{
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index a9458b0..227fb5f 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -189,12 +189,13 @@
* past released version must remain valid, unless a migration path
* is provided.
*
- * \param key_id The key identifier to check.
+ * \param file_id The key identifier to check.
*
- * \return 1 if \p key_id is acceptable, otherwise 0.
+ * \return 1 if \p file_id is acceptable, otherwise 0.
*/
-static int psa_is_key_id_valid( psa_key_id_t key_id )
+static int psa_is_key_id_valid( psa_key_file_id_t file_id )
{
+ psa_app_key_id_t key_id = PSA_KEY_FILE_GET_KEY_ID( file_id );
/* Reject id=0 because by general library conventions, 0 is an invalid
* value wherever possible. */
if( key_id == 0 )
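Review bot: `psa_is_key_id_valid` now checks only `PSA_KEY_FILE_GET_KEY_ID( file_id )`, so whatever a platform encodes in the remaining bits of `file_id` (the owner, per the commit message) is never validated by this function; in the default build that is moot because the macro is the identity, but on a platform with a distinct file id type a malformed or zero owner field would seem to pass unchallenged. Either validate the owner part here as well or state in the function comment that the caller or the remote call layer is responsible, e.g. `Only the application key identifier part of \p file_id is checked; the owner part is the caller's responsibility.` The `\param` line should also read `The key file identifier to check.` since the parameter is no longer a plain key identifier. The body of the function continues past the end of the hunk.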
@@ -226,7 +227,7 @@
* \retval #PSA_ERROR_STORAGE_FAILURE
*/
static psa_status_t psa_internal_make_key_persistent( psa_key_handle_t handle,
- psa_key_id_t id )
+ psa_key_file_id_t id )
{
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
psa_key_slot_t *slot;
@@ -253,7 +254,7 @@
}
static psa_status_t persistent_key_setup( psa_key_lifetime_t lifetime,
- psa_key_id_t id,
+ psa_key_file_id_t id,
psa_key_handle_t *handle,
psa_status_t wanted_load_status )
{
@@ -278,14 +279,14 @@
}
psa_status_t psa_open_key( psa_key_lifetime_t lifetime,
- psa_key_id_t id,
+ psa_key_file_id_t id,
psa_key_handle_t *handle )
{
return( persistent_key_setup( lifetime, id, handle, PSA_SUCCESS ) );
}
psa_status_t psa_create_key( psa_key_lifetime_t lifetime,
- psa_key_id_t id,
+ psa_key_file_id_t id,
psa_key_handle_t *handle )
{
psa_status_t status;
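Review bot: `psa_open_key` and `psa_create_key` are public API functions whose prototypes in `psa/crypto.h` use `psa_key_id_t`, so these definitions with `psa_key_file_id_t` only compile if the two names resolve to the same type; the commit message says `psa/crypto_platform.h` defines `psa_key_id_t` as `psa_key_file_id_t`, but no such typedef appears in the crypto_platform.h hunk of this patch, so it presumably lives elsewhere in that header. A comment above these two definitions would make the dependency explicit to the next reader: `/* psa_key_file_id_t must be the same type as psa_key_id_t here; see psa/crypto_platform.h. */`. `psa_create_key`'s body continues past the end of the hunk.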
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index b4e4076..42bd938 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -148,7 +148,7 @@
return( PSA_SUCCESS );
}
-psa_status_t psa_save_persistent_key( const psa_key_id_t key,
+psa_status_t psa_save_persistent_key( const psa_key_file_id_t key,
const psa_key_type_t type,
const psa_key_policy_t *policy,
const uint8_t *data,
@@ -186,7 +186,7 @@
mbedtls_free( key_data );
}
-psa_status_t psa_load_persistent_key( psa_key_id_t key,
+psa_status_t psa_load_persistent_key( psa_key_file_id_t key,
psa_key_type_t *type,
psa_key_policy_t *policy,
uint8_t **data,
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
index 74f9e23..7e5aae9 100644
--- a/library/psa_crypto_storage.h
+++ b/library/psa_crypto_storage.h
@@ -86,7 +86,7 @@
* \retval PSA_ERROR_STORAGE_FAILURE
* \retval PSA_ERROR_ALREADY_EXISTS
*/
-psa_status_t psa_save_persistent_key( const psa_key_id_t key,
+psa_status_t psa_save_persistent_key( const psa_key_file_id_t key,
const psa_key_type_t type,
const psa_key_policy_t *policy,
const uint8_t *data,
@@ -117,7 +117,7 @@
* \retval PSA_ERROR_STORAGE_FAILURE
* \retval PSA_ERROR_DOES_NOT_EXIST
*/
-psa_status_t psa_load_persistent_key( psa_key_id_t key,
+psa_status_t psa_load_persistent_key( psa_key_file_id_t key,
psa_key_type_t *type,
psa_key_policy_t *policy,
uint8_t **data,
@@ -134,7 +134,7 @@
* or the key did not exist.
* \retval PSA_ERROR_STORAGE_FAILURE
*/
-psa_status_t psa_destroy_persistent_key( const psa_key_id_t key );
+psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key );
/**
* \brief Free the temporary buffer allocated by psa_load_persistent_key().
diff --git a/library/psa_crypto_storage_backend.h b/library/psa_crypto_storage_backend.h
index 83bd2f3..dd534d2 100644
--- a/library/psa_crypto_storage_backend.h
+++ b/library/psa_crypto_storage_backend.h
@@ -56,7 +56,7 @@
* \retval PSA_ERROR_STORAGE_FAILURE
* \retval PSA_ERROR_DOES_NOT_EXIST
*/
-psa_status_t psa_crypto_storage_load( const psa_key_id_t key, uint8_t *data,
+psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, uint8_t *data,
size_t data_size );
/**
@@ -75,7 +75,7 @@
* \retval PSA_ERROR_STORAGE_FAILURE
* \retval PSA_ERROR_ALREADY_EXISTS
*/
-psa_status_t psa_crypto_storage_store( const psa_key_id_t key,
+psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key,
const uint8_t *data,
size_t data_length );
@@ -92,7 +92,7 @@
* \retval 1
* Persistent data present for slot number
*/
-int psa_is_key_present_in_storage( const psa_key_id_t key );
+int psa_is_key_present_in_storage( const psa_key_file_id_t key );
/**
* \brief Get data length for given key slot number.
@@ -104,7 +104,7 @@
* \retval PSA_SUCCESS
* \retval PSA_ERROR_STORAGE_FAILURE
*/
-psa_status_t psa_crypto_storage_get_data_length( const psa_key_id_t key,
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_file_id_t key,
size_t *data_length );
diff --git a/library/psa_crypto_storage_file.c b/library/psa_crypto_storage_file.c
index c7ff1be..c4a534f 100644
--- a/library/psa_crypto_storage_file.c
+++ b/library/psa_crypto_storage_file.c
@@ -49,7 +49,7 @@
enum { MAX_LOCATION_LEN = sizeof(CRYPTO_STORAGE_FILE_LOCATION) + 40 };
-static void key_id_to_location( const psa_key_id_t key,
+static void key_id_to_location( const psa_key_file_id_t key,
char *location,
size_t location_size )
{
@@ -58,7 +58,7 @@
(unsigned long) key );
}
-psa_status_t psa_crypto_storage_load( const psa_key_id_t key, uint8_t *data,
+psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, uint8_t *data,
size_t data_size )
{
psa_status_t status = PSA_SUCCESS;
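Review bot: The context line `(unsigned long) key );` at the top of this hunk shows `key_id_to_location` formatting the file id through an `unsigned long` cast; if a platform later defines `psa_key_file_id_t` wider than `unsigned long` (for instance a 64-bit owner-plus-id value on a 32-bit target), the high bits are silently dropped and two different owners' keys would map to the same file. Consider formatting the full width, e.g. casting to `unsigned long long` with a matching `%llu` conversion, or adding a compile-time check that `sizeof( psa_key_file_id_t ) <= sizeof( unsigned long )` so the assumption fails loudly. `key_id_to_location` begins in the previous hunk and its format string is not visible here.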
@@ -83,7 +83,7 @@
return( status );
}
-int psa_is_key_present_in_storage( const psa_key_id_t key )
+int psa_is_key_present_in_storage( const psa_key_file_id_t key )
{
char slot_location[MAX_LOCATION_LEN];
FILE *file;
@@ -101,7 +101,7 @@
return( 1 );
}
-psa_status_t psa_crypto_storage_store( const psa_key_id_t key,
+psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key,
const uint8_t *data,
size_t data_length )
{
@@ -156,7 +156,7 @@
return( status );
}
-psa_status_t psa_destroy_persistent_key( const psa_key_id_t key )
+psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key )
{
FILE *file;
char slot_location[MAX_LOCATION_LEN];
@@ -175,7 +175,7 @@
return( PSA_SUCCESS );
}
-psa_status_t psa_crypto_storage_get_data_length( const psa_key_id_t key,
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_file_id_t key,
size_t *data_length )
{
psa_status_t status = PSA_SUCCESS;
diff --git a/library/psa_crypto_storage_its.c b/library/psa_crypto_storage_its.c
index bb0d0cd..a60a8f3 100644
--- a/library/psa_crypto_storage_its.c
+++ b/library/psa_crypto_storage_its.c
@@ -36,12 +36,12 @@
#include "mbedtls/platform.h"
#endif
-static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_id_t key )
+static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t key )
{
return( key );
}
-psa_status_t psa_crypto_storage_load( const psa_key_id_t key, uint8_t *data,
+psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, uint8_t *data,
size_t data_size )
{
psa_status_t status;
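Review bot: `psa_its_identifier_of_slot` returns `key` with an implicit conversion to `psa_storage_uid_t`; this is harmless while the file id is a 32-bit value, but once a platform widens `psa_key_file_id_t` to carry an owner, any width mismatch with `psa_storage_uid_t` would truncate silently and could make keys of different owners share an ITS identifier. A one-line comment stating the assumption, `/* Assumes psa_storage_uid_t is at least as wide as psa_key_file_id_t. */`, or a compile-time size check on the two types, would make the requirement explicit. The width of `psa_storage_uid_t` is not visible in this patch.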
@@ -57,7 +57,7 @@
return( status );
}
-int psa_is_key_present_in_storage( const psa_key_id_t key )
+int psa_is_key_present_in_storage( const psa_key_file_id_t key )
{
psa_status_t ret;
psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key );
@@ -70,7 +70,7 @@
return( 1 );
}
-psa_status_t psa_crypto_storage_store( const psa_key_id_t key,
+psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key,
const uint8_t *data,
size_t data_length )
{
@@ -105,7 +105,7 @@
return( status );
}
-psa_status_t psa_destroy_persistent_key( const psa_key_id_t key )
+psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key )
{
psa_status_t ret;
psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key );
@@ -125,7 +125,7 @@
return( PSA_SUCCESS );
}
-psa_status_t psa_crypto_storage_get_data_length( const psa_key_id_t key,
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_file_id_t key,
size_t *data_length )
{
psa_status_t status;