diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index fa1d3cf07..097361ade 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1156,6 +1156,21 @@
 */
 //#define MBEDTLS_PSA_HAS_ITS_IO
+/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+ *
+ * In PSA key storage, encode the owner of the key.
+ *
+ * This is only meaningful when building the library as part of a
+ * multi-client service. When you activate this option, you must provide
+ * an implementation of the type psa_key_owner_id_t and a translation
+ * from psa_key_file_id_t to file name in all the storage backends that
+ * you wish to support.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+
 /**
 * \def MBEDTLS_MEMORY_DEBUG
 *
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 0f3ede891..fa5322f22 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
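Review bot: The option comment in config.h tells the integrator to provide `psa_key_owner_id_t` but not where it must be declared. The crypto_platform.h hunk of this commit uses that type inside a struct with no declaration or include visible in the hunk, so enabling the option on its own would presumably stop at an undeclared-type error. I would add a line to the comment such as ` * The type psa_key_owner_id_t must be declared before psa/crypto_platform.h is included.`, or name the header that is expected to supply it.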
@@ -68,8 +68,28 @@ typedef uint16_t psa_key_handle_t;
 * #psa_key_id_t. */
 typedef uint32_t psa_app_key_id_t;
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
+
+typedef struct
+{
+ uint32_t key_id;
+ psa_key_owner_id_t owner;
+} psa_key_file_id_t;
+#define PSA_KEY_FILE_GET_KEY_ID( file_id ) ( ( file_id ).key_id )
+
+/* Since crypto.h is used as part of the PSA Cryptography API specification,
+ * it must use standard types for things like the argument of psa_open_key().
+ * If it wasn't for that constraint, psa_open_key() would take a
+ * `psa_key_file_id_t` argument. As a workaround, make `psa_key_id_t` an
+ * alias for `psa_key_file_id_t` when building for a multi-client service. */
+typedef psa_key_file_id_t psa_key_id_t;
+
+#else /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+
 /* By default, a key file identifier is just the application key identifier. */
 typedef psa_app_key_id_t psa_key_file_id_t;
 #define PSA_KEY_FILE_GET_KEY_ID( id ) ( id )
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+
 #endif /* PSA_CRYPTO_PLATFORM_H */
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index 29c985303..923b94ad4 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -90,7 +90,14 @@ typedef uint32_t psa_key_lifetime_t;
 /** Encoding of identifiers of persistent keys. */
+/* Implementation-specific quirk: The Mbed Crypto library can be built as
+ * part of a multi-client service that exposes the PSA Crypto API in each
+ * client and encodes the client identity in the key id argument of functions
+ * such as psa_open_key(). In this build configuration, we define
+ * psa_key_id_t in crypto_platform.h instead of here. */
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
 typedef uint32_t psa_key_id_t;
+#endif
 /**@}*/
diff --git a/library/version_features.c b/library/version_features.c
index ad3f93792..2bfecf09b 100644
--- a/library/version_features.c
+++ b/library/version_features.c
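Review bot: In the owner-encoding branch of crypto_platform.h, `PSA_KEY_FILE_GET_KEY_ID( file_id )` returns only `key_id` and drops `owner`, and no accessor for the owner is defined beside it. A storage backend that builds its file name from this macro alone would map two clients' keys with the same `key_id` to the same file, which defeats the per-client separation the option exists for. A comment on the macro would make the contract explicit, e.g. `/* Returns the application key id only; storage backends must also encode ( file_id ).owner, otherwise keys of different clients collide. */`. Because `psa_key_id_t` becomes a struct in this build, library code outside this hunk that compares or range-checks key ids with integer operators would need adapting; that cannot be confirmed from the lines shown.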
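Review bot: In crypto_types.h the Doxygen block `/** Encoding of identifiers of persistent keys. */` is now separated from `typedef uint32_t psa_key_id_t;` by a plain comment and an `#if`, and in the owner-encoding build no declaration follows it before `/**@}*/`. The generated documentation may therefore lose the description or attach it elsewhere. Placing the new explanatory comment ahead of the Doxygen block would keep the `/** … */` directly in front of the typedef it documents. The added `#endif` also lacks the trailing marker used by the other hunks of this commit; `#endif /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */` would match them.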
@@ -411,6 +411,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_PSA_HAS_ITS_IO)
 "MBEDTLS_PSA_HAS_ITS_IO",
 #endif /* MBEDTLS_PSA_HAS_ITS_IO */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
+ "MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER",
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
 #if defined(MBEDTLS_MEMORY_DEBUG)
 "MBEDTLS_MEMORY_DEBUG",
 #endif /* MBEDTLS_MEMORY_DEBUG */
diff --git a/scripts/config.pl b/scripts/config.pl
index 55f4b6e1c..e141b4171 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -100,6 +100,7 @@ MBEDTLS_NO_UDBL_DIVISION
 MBEDTLS_NO_64BIT_MULTIPLICATION
 MBEDTLS_PSA_CRYPTO_SPM
 MBEDTLS_PSA_HAS_ITS_IO
+MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
 MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
 MBEDTLS_USE_PSA_CRYPTO
 _ALT\s*$