Commit Graph

582 Commits

Author SHA1 Message Date
k-stachowiak
012dcc4b87 Remove PSA_PRE_1_0_KEY_DERIVATION and the corresponding code 2019-08-13 18:42:40 +02:00
k-stachowiak
0b74cf85ea Remove psa_key_derivation() and associated static functions 2019-08-13 18:42:27 +02:00
Gilles Peskine
b4e73e9747 Add some design notes about multipart operation structures 2019-08-13 15:00:57 +02:00
Gilles Peskine
f3801fff77 Update import_key and generate_key SE methods to the current API
The methods to import and generate a key in a secure element drivers
were written for an earlier version of the application-side interface.
Now that there is a psa_key_attributes_t structure that combines all
key metadata including its lifetime (location), type, size, policy and
extra type-specific data (domain parameters), pass that to drivers
instead of separate arguments for each piece of metadata. This makes
the interface less cluttered.

Update parameter names and descriptions to follow general conventions.

Document the public-key output on key generation more precisely.
Explain that it is optional in a driver, and when a driver would
implement it. Declare that it is optional in the core, too (which
means that a crypto core might not support drivers for secure elements
that do need this feature).

Update the implementation and the tests accordingly.
2019-08-09 16:43:35 +02:00
Gilles Peskine
a5f8749812 SE key registration: call p_validate_slot_number
When registering a key in a secure element, if the driver has a
p_validate_slot_number method, call it.
2019-08-09 15:05:32 +02:00
Gilles Peskine
d772958ffc New function mbedtls_psa_register_se_key
Register an existing key in a secure element.

Minimal implementation that doesn't call any driver method and just
lets the application declare whatever it wants.
2019-08-09 15:05:21 +02:00
Gilles Peskine
e88c2c1338 Pass the key creation method to drivers
Pass the key creation method (import/generate/derive/copy) to the
driver methods to allocate or validate a slot number. This allows
drivers to enforce policies such as "this key slot can only be used
for keys generated inside the secure element".
2019-08-09 14:59:31 +02:00
Gilles Peskine
9d75202efb Clarify and expand the documentation of the allocate/create sequence 2019-08-09 11:33:48 +02:00
Gilles Peskine
ae9964d3ef Add validate_slot_number method to SE drivers
Pave the way for allowing the application to choose the slot number in
a secure element, rather than always letting the driver choose.
2019-08-08 11:02:30 +02:00
Gilles Peskine
0a23322431 Improve documentation of the allocate method 2019-08-08 11:02:30 +02:00
Gilles Peskine
5fe5e27591 Test slot_number attribute
Test the behavior of the getter/setter functions.

Test that psa_get_key_slot_number() reports a slot number for a key in
a secure element, and doesn't report a slot number for a key that is
not in a secure element.

Test that psa_get_key_slot_number() reports the correct slot number
for a key in a secure element.
2019-08-08 10:58:09 +02:00
Gilles Peskine
c8000c005a Add slot_number attribute
Add a slot_number field to psa_key_attributes_t and getter/setter
functions. Since slot numbers can have the value 0, indicate the
presence of the field via a separate flag.

In psa_get_key_attributes(), report the slot number if the key is in a
secure element.

When creating a key, for now, applications cannot choose a slot
number. A subsequent commit will add this capability in the secure
element HAL.
2019-08-08 10:58:09 +02:00
Gilles Peskine
91e8c33f48 Add infrastructure for key attribute flags
Add infrastructure for internal, external and dual-use flags, with a
compile-time check (if static_assert is available) to ensure that the
same numerical value doesn't get declared for two different purposes
in crypto_struct.h (external or dual-use) and
psa_crypto_core.h (internal).
2019-08-08 10:58:09 +02:00
Gilles Peskine
0c77b0e2f9
Merge pull request #198 from gilles-peskine-arm/psa-api-1.0-beta-merge_development_20190801
Merge mbed-crypto/development into psa-api-1.0-beta
2019-08-08 10:24:53 +02:00
Gilles Peskine
72c8c5b352 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`:
  Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch.
  Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from
  the development branch.
* `tests/scripts/all.sh`:
  Multiple instances of factoring a sequence of `config.pl` calls into
  a mere `config.pl baremetal` in the development branch, and a change in
  the composition of `baremetal` in the API branch. In each case, take the
  version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`:
  A function became non-static in development and disappeared in the API
  branch. Keep the version from the API branch. Functions need to be
  non-static if they're defined but unused in some configurations,
  which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`:
  Consecutive changes in the two branches, reconciled.
2019-07-31 17:47:49 +02:00
Gilles Peskine
68cc433b5b Store key sizes in 16 bits in attributes
This is larger than the maximum key size introduced in the previous
commit, by design.

Make some room for flags (not used yet).
2019-07-30 21:08:38 +02:00
Gilles Peskine
c744d99386 Limit keys to 65528 bits
65528 bits is more than any reasonable key until we start supporting
post-quantum cryptography.

This limit is chosen to allow bit-sizes to be stored in 16 bits, with
65535 left to indicate an invalid value. It's a whole number of bytes,
which facilitates some calculations, in particular allowing a key of
exactly PSA_CRYPTO_MAX_STORAGE_SIZE to be created but not one bit
more.

As a resource usage limit, this is arguably too large, but that's out
of scope of the current commit.

Test that key import, generation and derivation reject overly large
sizes.
2019-07-30 20:58:33 +02:00
Gilles Peskine
7e0cff90b9 Move attribute fields to a substructure
Move the "core attributes" to a substructure of psa_key_attribute_t.
The motivation is to be able to use the new structure
psa_core_key_attributes_t internally.
2019-07-30 20:58:27 +02:00
Gilles Peskine
1801740a7c SE driver: report the bit size on key import
Add a parameter to the key import method of a secure element driver to
make it report the key size in bits. This is necessary (otherwise the
core has no idea what the bit-size is), and making import report it is
easier than adding a separate method (for other key creation methods,
this information is an input, not an output).
2019-07-29 18:07:09 +02:00
Gilles Peskine
adb1c52149
Merge pull request #157 from gilles-peskine-arm/psa-se_driver-create_key
Secure element key creation foundation
2019-07-26 14:39:55 +02:00
Gilles Peskine
0c3ae1f0b4 Improve documentation of SE driver persistent state
Explain what it can be used for and when it is saved to storage.
2019-07-25 14:04:38 +02:00
Gilles Peskine
6a3dd89a64 Improve alignment in comments 2019-07-25 10:56:39 +02:00
Gilles Peskine
105f67f0fa Move the definition of psa_key_attributes_t to crypto_types.h
psa_key_attributes_t is used in the SE driver HAL, so it must be
defined in a common header, not in the API-only header crypto.h.
2019-07-23 18:43:28 +02:00
Gilles Peskine
9dd125d8bb Fix overly complex Doxygen markup 2019-07-23 18:43:28 +02:00
Gilles Peskine
6032673b39 Fix Doxygen reference
Pass doxygen.sh
2019-07-22 20:10:36 +02:00
Gilles Peskine
c11c4dcf95 Favor stdint.h types in internal types
Use uint8_t for PSA buffers. Keep unsigned char for generic libc
buffers and for mbedtls buffers.
2019-07-15 11:17:53 +02:00
Gilles Peskine
7228da25f9 Favor stdint.h types in implementation-specific API 2019-07-15 11:16:18 +02:00
Gilles Peskine
f82088a5f4 Favor stdint.h types in example code 2019-07-15 11:16:18 +02:00
Andrew Thoelke
d16bdac9b5 Use stdint.h types in multipart AEAD functions
No implementation yet.
2019-07-15 11:14:56 +02:00
Andrew Thoelke
47629d076e Use stdint.h types
Follow MISRA C 2012 rules by using exact width types from stdint.h.
2019-07-15 11:14:56 +02:00
Gilles Peskine
94cc42c28f Pass a writable pointer to the persistent data when needed
Most driver methods are not allowed to modify the persistent data, so
the driver context structure contains a const pointer to it. Pass a
non-const pointer to the persstent data to the driver methods that
need it: init, allocate, destroy.
2019-07-12 23:34:20 +02:00
Gilles Peskine
f2223c868d New driver method: allocate
Add a driver method to allocate a key slot for a key that is about to
be created.
2019-07-12 23:33:02 +02:00
Gilles Peskine
8597bc13e7 Pass the driver context to most driver methods
Pass the driver context to all driver methods except the ones that
operate on an already-setup operation context.

Rename `p_context` arguments to `op_context` to avoid confusion
between contexts.
2019-07-12 23:32:27 +02:00
Gilles Peskine
7a86da1d42 Define a driver context structure type
Define a structure that is to be instantiated once per driver
instance.

Define a driver initialization method and pass it the driver context.
2019-07-12 23:25:59 +02:00
Gilles Peskine
f03143a4d1 Change driver key slot numbers to 64 bits
This slightly increases storage requirements, but works in more use
cases. In particular, it allows drivers to treat choose slot numbers
with a monotonic counter that is incremented each time a key is
created, without worrying about overflow in practice.
2019-07-12 23:18:29 +02:00
Gilles Peskine
6e59c42d1d Split the secure element driver method table memory layout
Instead of having one giant table containing all possible methods,
represent a driver's method table as a structure containing pointers
to substructures. This way a driver that doesn't implement a certain
class of operations can use NULL for this class as a whole instead of
storing NULL for each method.
2019-07-12 11:47:50 +02:00
Gilles Peskine
e62b74e68f Add public-key export method 2019-07-12 11:47:50 +02:00
Adrian L. Shaw
2282cfa660 Remove GMAC algorithm (for now)
It can't be implemented with the current version of the API
2019-07-11 15:51:45 +01:00
Adrian L. Shaw
fd2aed4d76 Document cipher modes 2019-07-11 15:47:40 +01:00
Jaeden Amero
c19dcebbdd
Merge pull request #154 from yanesca/iotcrypt-789-update-tls-prf-to-multipart
Update TLS 1.2 PRF to multipart API
2019-07-04 11:53:04 +01:00
Gilles Peskine
c93a43bed6 Improve documentation 2019-06-26 11:21:41 +02:00
Janos Follath
844eb0e5fa Add tls12_prf_read for the new API
Technically we could have reused the old one for the new API, but then
we had to set an extra field during setup. The new version works when
all the fields that haven't been set explicitely are zero-initialised.
2019-06-26 09:15:08 +01:00
Janos Follath
adbec81cc4 Remove the deprecated PSA_ALG_SELECT_RAW option
This change affects the psa_key_derivation_s structure. With the buffer
removed from the union, it is empty if MBEDTLS_MD_C is not defined.

We can avoid undefined behaviour by adding a new dummy field that is
always present or make the whole union conditional on MBEDTLS_MD_C.

In this latter case the initialiser macro has to depend on MBEDTLS_MD_C
as well. Furthermore the first structure would be either
psa_hkdf_key_derivation_t or psa_tls12_prf_key_derivation_t both of
which are very deep and would make the initialisation macro difficult
to maintain, therefore we go with the first option.
2019-06-26 09:15:08 +01:00
Janos Follath
999f648437 Add new psa_tls12_prf_key_derivation_t
As part of adapting TLS 1.2 key derivation to the PSA 1.0 API we need to
change the context structure.
2019-06-26 09:15:08 +01:00
Janos Follath
e3e8166cdd Move PSA_PRE_1_0_KEY_DERIVATION to crypto_struct.h
We want to make the PRF context structure depend on this flag, but
crypto_extra.h is included after crypto_struct.h and having the
option at its original place would not affect crypto_struct.h.
2019-06-26 09:15:08 +01:00
Janos Follath
71a4c9125b Add flag for removing deprecated API
Add the compile time option PSA_PRE_1_0_KEY_DERIVATION. If this is not
turned on, then the function `psa_key_derivation()` is removed.

Most of the tests regarding key derivation haven't been adapted to the
new API yet and some of them have only been adapted partially. When this
new option is turned off, the tests using the old API and test cases
using the old API of partially adapted tests are skipped.

The sole purpose of this option is to make the transition to the new API
smoother. Once the transition is complete it can and should be removed
along with the old API and its implementation.
2019-06-26 09:15:08 +01:00
Gilles Peskine
ed87d31d7d Specify the order of inputs for TLS-1.2 KDFs
From the implementation point of view does not make much difference to
constrain the input order.

We constrain it because, this way the code is easier to review, the data
flow easier to understand and the implementations in general are easier
to validate.
2019-06-25 12:02:31 +01:00
Gilles Peskine
45a8ca373c Fix typos in function argument names 2019-06-24 19:55:49 +02:00
Gilles Peskine
d910e928e8 Declare a function to register a secure element driver 2019-06-24 14:10:24 +02:00
Gilles Peskine
b6cadea6a5 Secure element driver structure
Define a structure type containing all the methods of a secure element
driver.
2019-06-24 14:10:24 +02:00
Jaeden Amero
d58a00d5b7 psa: Avoid use of relative include paths
Relative include paths should be avoided. The build system will
determine where to pull in includes from. Specifically, `#include
"../mbedtls/config.h"` shouldn't be used. Use `#include
"mbedtls/config.h` instead, so that the submodule-building makefiles can
change which directory to use to get mbedtls include files from.

Fixes #141
2019-06-07 11:49:59 +01:00
Gilles Peskine
4bac9a4c4b New function to get key slot statistics
New function mbedtls_psa_get_stats to obtain some data about how many
key slots are in use. This is intended for debugging and testing
purposes.
2019-06-05 16:38:42 +02:00
Gilles Peskine
f46f81ceb5 Remove obsolete key creation functions
Remove the key creation functions from before the attribute-based API,
i.e. the key creation functions that worked by allocating a slot, then
setting metadata through the handle and finally creating key material.
2019-06-05 11:34:54 +02:00
Gilles Peskine
f25c9ec02e Minor documentation improvements 2019-05-27 14:08:27 +02:00
Gilles Peskine
96f0b3b1d3 Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-27 14:08:27 +02:00
Gilles Peskine
549ea8676a Minor documentation improvements 2019-05-22 11:45:59 +02:00
Gilles Peskine
a9b9cf7d1e Document macros that are referenced
Without documentation, Doxygen does not generate hyperlinks when the
macro is referenced and prints out #PSA_xxx instead.
2019-05-21 19:18:33 +02:00
Gilles Peskine
6a21123619 Remove obsolete mentions of PSA_ERROR_EMPTY_SLOT
There are no more "empty slots", so finish removing the corresponding
error.
2019-05-21 19:11:07 +02:00
Gilles Peskine
a741d39893 State that all error codes are negative 2019-05-21 18:43:27 +02:00
Gilles Peskine
737c6bef6a Fix grammar 2019-05-21 18:43:24 +02:00
Gilles Peskine
56e2dc8010 Use "sufficient buffer size" in buffer size macros
Don't use "safe buffer size", because this it's somewhat misleading to
make it about safety: a buffer size that's too small will lead to a
runtime error, not to undefined behavior.
2019-05-21 18:43:19 +02:00
Gilles Peskine
2cb9e39b50 Convert TLS1.2 KDF descriptions to multistep key derivation
Convert the description of PSA_ALG_TLS12_PRF and
PSA_ALG_TLS12_PSK_TO_MS to the key derivation API that takes one input
at a time rather than the old {secret,salt,label} interface.

Define a new input category "seed".
2019-05-21 18:43:19 +02:00
Gilles Peskine
6c6195d7ba Remove implementation comment from API specification 2019-05-21 18:43:19 +02:00
Gilles Peskine
4754cdeef8 Improve description of psa_open_key()
Remove obsolete reference to psa_make_key_persistent().
2019-05-21 18:43:18 +02:00
Gilles Peskine
536e20571a New macro to get the bit size of an elliptic curve 2019-05-21 17:06:03 +02:00
Gilles Peskine
d6f371b1ba Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-21 17:06:03 +02:00
Gilles Peskine
d7d43b9791 Convert code samples to the new attribute-based key creation API 2019-05-21 15:56:03 +02:00
Gilles Peskine
a0c0655c91 Add missing declarations to the API document
PSA_KEY_ATTRIBUTES_INIT and psa_key_attributes_init weren't declared
in the API document, only defined in our implementation, but they are
referenced in the API document.
2019-05-21 15:54:54 +02:00
Jaeden Amero
fba7539ad7
Merge pull request #269 from ARMmbed/psa-slots_to_handles
Update API documentation to refer to handles and key ids, not slots
2019-05-17 10:18:34 +01:00
Gilles Peskine
eff4942202
Merge pull request #268 from ARMmbed/psa-error_tampering_detected
Rename PSA_ERROR_TAMPERING_DETECTED to PSA_ERROR_CORRUPTION_DETECTED
2019-05-17 11:06:09 +02:00
Gilles Peskine
35ef36b62f Rename psa_generate_random_key back to psa_generate_key
generate_key is a more classical name. The longer name was only
introduced to avoid confusion with getting a key from a generator,
which is key derivation, but we no longer use the generator
terminology so this reason no longer applies.

perl -i -pe 's/psa_generate_random_key/psa_generate_key/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
c93b80c350 Rename *KEYPAIR* to *KEY_PAIR*
Be consistent with PUBLIC_KEY.

perl -i -pe 's/KEYPAIR/KEY_PAIR/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Adrian L. Shaw
0a695bd13e Simplify description of psa_copy_key 2019-05-16 22:11:18 +02:00
Adrian L. Shaw
52d83dabd6 Mention psa_close_key in the description of psa_open_key 2019-05-16 22:11:17 +02:00
Adrian L. Shaw
d56456cbe8 Improve descriptions that mention handles and fix incorrect mention of psa_create_key 2019-05-16 22:10:51 +02:00
Adrian L. Shaw
67e1c7ac80 Remove remaining mentions of slots 2019-05-16 22:10:49 +02:00
Gilles Peskine
4b3eb69271 Rename PSA_ERROR_TAMPERING_DETECTED to ..._CORRUPTION_DETECTED
“Tampering detected” was misleading because in the real world it can
also arise due to a software bug. “Corruption detected” is neutral and
more precisely reflects what can trigger the error.

perl -i -pe 's/PSA_ERROR_TAMPERING_DETECTED/PSA_ERROR_CORRUPTION_DETECTED/gi' $(git ls-files)
2019-05-16 21:35:18 +02:00
Gilles Peskine
27a983d93c Grammar fix 2019-05-16 19:51:11 +02:00
Gilles Peskine
20a77aeac7 RSA key generation: require e=65537 2019-05-16 19:51:10 +02:00
Gilles Peskine
a130219ac0 Move remaining text about DSA out of the specification 2019-05-16 19:51:10 +02:00
Gilles Peskine
e38ab1ac4f Move DSA definitions out of the specification
Move DSA-related key types and algorithms to the
implementation-specific header file. Not that we actually implement
DSA, but with domain parameters, we should be able to.
2019-05-16 19:51:10 +02:00
Gilles Peskine
dcaefae849 Parametrize Diffie-Hellman keys by a group identifier
Parametrize finite-field Diffie-Hellman key types with a DH group
identifier, in the same way elliptic curve keys are parametrized with
an EC curve identifier.

Define the DH groups from the TLS registry (these are the groups from
RFC 7919).

Replicate the macro definitions and the metadata tests from elliptic
curve identifiers to DH group identifiers.

Define PSA_DH_GROUP_CUSTOM as an implementation-specific extension for
which domain parameters are used to specify the group.
2019-05-16 19:51:10 +02:00
Gilles Peskine
24f10f85e2 Remove domain parameters from the official API
Move psa_get_key_domain_parameters() and
psa_set_key_domain_parameters() out of the official API and declare
them to be implementation-specific extensions.

Expand the documentation of psa_set_key_domain_parameters() a bit to
explain how domain parameters are used.

Remove all mentions of domain parameters from the documentation of API
functions. This leaves DH and DSA effectively unusable.
2019-05-16 19:27:05 +02:00
Gilles Peskine
58fe9e8afe Correct the description of psa_raw_key_agreement
There was some copypasta from the KA+KDF function's description.
2019-05-16 18:55:25 +02:00
Gilles Peskine
be697d8324 Shorten the name of psa_key_agreement_raw_shared_secret
There is less of a risk of confusion with the KA+KDF function now.
2019-05-16 18:55:25 +02:00
Gilles Peskine
1cb9a08d6a Reorder key derivation functions in the header file
Present key derivation functions in a more logical order,
corresponding roughly to the order in which an application would call
them.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cf7292e257 Wrap and reindent some lines
After renaming several identifiers, re-wrap and re-indent some lines
to make the code prettier.
2019-05-16 18:55:25 +02:00
Gilles Peskine
35675b6b26 Terminology: say "key derivation operation", not "generator"
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology.

This commit updates the function descriptions.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cbe6650394 Rename generator-related internal identifiers
perl -pe 's/crypto_generator/key_derivation/gi' $(git ls-files)
    perl -pe 's/_generator/_key_derivation/gi' $(git ls-files)
2019-05-16 18:55:25 +02:00
Gilles Peskine
03410b5c5f Rename PSA_KDF_STEP_xxx -> PSA_KEY_DERIVATION_INPUT_xxx
More consistent with the new function names.
2019-05-16 18:55:25 +02:00
Gilles Peskine
a99d3fbd05 Rename generator functions to psa_key_derivation_xxx
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology. Call a generator a key
derivation operation structure, since it behaves like other multipart
operation structures. Furthermore, the function names are not fully
consistent.

In this commit, I rename the functions to consistently have the prefix
"psa_key_derivation_". I used the following command:

    perl -i -pe '%t = (
        psa_crypto_generator_t => "psa_key_derivation_operation_t",
        psa_crypto_generator_init => "psa_key_derivation_init",
        psa_key_derivation_setup => "psa_key_derivation_setup",
        psa_key_derivation_input_key => "psa_key_derivation_input_key",
        psa_key_derivation_input_bytes => "psa_key_derivation_input_bytes",
        psa_key_agreement => "psa_key_derivation_key_agreement",
        psa_set_generator_capacity => "psa_key_derivation_set_capacity",
        psa_get_generator_capacity => "psa_key_derivation_get_capacity",
        psa_generator_read => "psa_key_derivation_output_bytes",
        psa_generate_derived_key => "psa_key_derivation_output_key",
        psa_generator_abort => "psa_key_derivation_abort",
        PSA_CRYPTO_GENERATOR_INIT => "PSA_KEY_DERIVATION_OPERATION_INIT",
        PSA_GENERATOR_UNBRIDLED_CAPACITY => "PSA_KEY_DERIVATION_UNLIMITED_CAPACITY",
        ); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files)
2019-05-16 18:55:21 +02:00
Jaeden Amero
d35249e66f
Merge pull request #109 from gilles-peskine-arm/psa-key_attributes-set_persistent
Individual setters for persistent key attributes
2019-05-16 17:28:53 +01:00
Jaeden Amero
99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Gilles Peskine
f1b7694768 Minor documentation improvements 2019-05-16 16:10:59 +02:00
Gilles Peskine
280948a32b Fix copypasta in the documentation of PSA_KEY_ID_xxx_{MIN,MAX} 2019-05-16 15:27:14 +02:00
Jaeden Amero
16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero
76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero
826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Gilles Peskine
6c9514427b New macro to get the bit size of an elliptic curve 2019-05-16 00:16:46 +02:00
Gilles Peskine
73676cbc50 Put handle parameter last: psa_import_key
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
806051f17e Update an obsolete use of psa_import_key in documentation
psa_import_key now takes an attribute structure, not a type.
2019-05-15 23:15:49 +02:00
Gilles Peskine
98dd779eb5 Put handle parameter last: psa_generate_derived_key
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
9de5eb0a2f Remove psa_make_key_persistent 2019-05-15 19:14:05 +02:00
Gilles Peskine
dc8219a10d Replace psa_make_key_persistent by id/lifetime setters
Use individual setters for the id and lifetime fields of an attribute
structure, like the other attributes.

This commit updates the specification and adds an implementation of
the new setters.
2019-05-15 19:14:05 +02:00
Gilles Peskine
80b39ae753 Remove obsolete use of key policy structure in API text 2019-05-15 19:14:05 +02:00
Gilles Peskine
f9fbc38e66 Declare key id 0 as invalid
In keeping with other integral types, declare 0 to be an invalid key
identifier.

Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
Gilles Peskine
d6a8f5f1b5 Improve description of PSA_KEY_USAGE_COPY
Be more clear about when EXPORT is also required.
2019-05-14 16:25:50 +02:00
Gilles Peskine
ac99e32b79 Documentation improvements 2019-05-14 16:11:07 +02:00
Gilles Peskine
36d477de44 Fix copypasta in PSA_AEAD_DECRYPT_OUTPUT_SIZE 2019-05-14 16:11:07 +02:00
Gilles Peskine
248010caa0 Fix calculation in PSA_AEAD_UPDATE_OUTPUT_SIZE 2019-05-14 16:11:07 +02:00
Gilles Peskine
8e0206aa26 New usage flag PSA_KEY_USAGE_COPY
Document the new flag and allow its use.
2019-05-14 14:24:28 +02:00
Gilles Peskine
4318dfc8ec psa_export_key, psa_export_public_key: document the EXPORT flag 2019-05-14 14:23:32 +02:00
Jaeden Amero
1fe90fab30
Merge pull request #101 from gilles-peskine-arm/psa-key_attributes-verify_attributes
Check unused attributes in import and copy
2019-05-13 11:48:40 +01:00
Gilles Peskine
4a231b8d3b Break up key identifiers into user, vendor and reserved ranges
Define a range of key identifiers for use by the application
(0..2^30-1), a range for use by implementations (2^30..2^31), and a
range that is reserved for future use (2^31..2^32-1).
2019-05-06 18:56:14 +02:00
Gilles Peskine
225010fdf7 Remove lifetime parameter from psa_open_key
Change the scope of key identifiers to be global, rather than
per lifetime. As a result, you now need to specify the lifetime of a
key only when creating it.
2019-05-06 18:52:22 +02:00
Gilles Peskine
f02aec90dc Allow AEAD update output to be delayed
Do not require finish() to have empty output for any algorithm. Some
hardware does not support immediate stream processing.
2019-05-06 15:59:44 +02:00
Gilles Peskine
3e79c8ecfd Declare ChaCha20 cipher and AEAD
Declare algorithms for ChaCha20 and ChaCha20-Poly1305, and a
corresponding (common) key type.

Don't declare Poly1305 as a separate algorithm because it's a one-time
authenticator, not a MAC, so the API isn't suitable for it (no way to
use a nonce).
2019-05-06 15:59:44 +02:00
Gilles Peskine
49dd8d8cec Add size macros for multipart AEAD
New macros PSA_AEAD_UPDATE_OUTPUT_SIZE, PSA_AEAD_FINISH_OUTPUT_SIZE
and PSA_AEAD_VERIFY_OUTPUT_SIZE to determine the output buffer sizes
for psa_aead_update(), psa_aead_finish() and psa_aead_verify().
2019-05-06 15:59:16 +02:00
Gilles Peskine
5211efb317 Add output parameter for psa_aead_verify
Like psa_aead_finish(), psa_aead_verify() needs to produce output from
the last partial block of input if psa_aead_update() cannot produce
output byte by byte.
2019-05-06 15:56:05 +02:00
Gilles Peskine
bdc27860c2 Reorder macros for clarity
Group PSA_AEAD_DECRYPT_OUTPUT_SIZE with PSA_AEAD_ENCRYPT_OUTPUT_SIZE.
2019-05-06 15:45:16 +02:00
Gilles Peskine
679693ee49 Algorithm encoding: add flag bit PSA_ALG_AEAD_FROM_BLOCK_FLAG
Make it easy to distinguish generic constructions on top of block
ciphers, such as CCM or GCM, from specialized algorithms such as
Chacha20-Poly1305.
2019-05-06 15:10:16 +02:00
Gilles Peskine
4ce2a9dcbf Check unused attributes in import and copy
In psa_import_key and psa_copy_key, some information comes from the
key data (input buffer or source key) rather than from the attributes:
key size for import, key size and type and domain parameters for copy.
If an unused attribute is nonzero in the attribute structure, check
that it matches the correct value. This protects against application
errors.
2019-05-03 16:57:15 +02:00
Adrian L. Shaw
5a5a79ae2a Rename psa_generate_key() and psa_generator_import_key() 2019-05-03 15:44:28 +01:00
Gilles Peskine
1ea5e44c93 Minor documentation improvement 2019-05-02 20:31:10 +02:00
Gilles Peskine
aa02c17dfa Add buffer size macro for psa_get_key_domain_parameters 2019-04-28 11:48:29 +02:00
Gilles Peskine
9c640f91d4 Improve documentation of key attributes 2019-04-28 11:48:26 +02:00
Gilles Peskine
06af0cd4a3 Always require reset after psa_get_key_attributes
There was a guarantee that psa_get_key_attributes() does not require a
subsequent psa_reset_key_attributes() to free resources as long as the
key was created with attributes having this property. This requirement
was hard to pin down because if a key is created with default
parameters, there are cases where it is difficult to ensure that the
domain parameters will be reported without allocating memory. So
remove this guarantee. Now the only case psa_reset_key_attributes() is
not required is if the attribute structure has only been modified with
certain specific setters.
2019-04-28 11:46:10 +02:00
Gilles Peskine
e56e878207 Remove extra parameter from psa_generate_key
Read extra data from the domain parameters in the attribute structure
instead of taking an argument on the function call.

Implement this for RSA key generation, where the public exponent can
be set as a domain parameter.

Add tests that generate RSA keys with various public exponents.
2019-04-26 17:37:50 +02:00
Gilles Peskine
b699f07af0 Switch psa_{get,set}_domain_parameters to attributes
Change psa_get_domain_parameters() and psa_set_domain_parameters() to
access a psa_key_attributes_t structure rather than a key handle.

In psa_get_key_attributes(), treat the RSA public exponent as a domain
parameter and read it out. This is in preparation for removing the
`extra` parameter of psa_generate_key() and setting the RSA public
exponent for key generation via domain parameters.

In this commit, the default public exponent 65537 is not treated
specially, which allows us to verify that test code that should be
calling psa_reset_key_attributes() after retrieving the attributes of
an RSA key is doing so properly (if it wasn't, there would be a memory
leak), even if the test data happens to use an RSA key with the
default public exponent.
2019-04-26 17:37:08 +02:00
Gilles Peskine
3a4f1f8e46 Set the key size as an attribute
Instead of passing a separate parameter for the key size to
psa_generate_key and psa_generator_import_key, set it through the
attributes, like the key type and other metadata.
2019-04-26 13:49:28 +02:00
Gilles Peskine
a3dd737be4 Move legacy definitions to crypto_extra.h
Types and functions that are not used in the attribute-based key
creation API are now implementation-specific extensions, kept around
until we finish transitioning to the new API.
2019-04-24 15:47:30 +02:00
Gilles Peskine
2062859496 Document the new functions related to key attributes
Also update the documentation of key creation functions that have been
modified to use key attributes.
2019-04-24 15:47:30 +02:00
Gilles Peskine
8c8f2ab66b Implement psa_get_key_attributes
Implement attribute querying.

Test attribute getters and setters. Use psa_get_key_attributes instead
of the deprecated functions psa_get_key_policy or
psa_get_key_information in most tests.
2019-04-24 15:46:04 +02:00
Gilles Peskine
db4b3abab1 Implement missing attributes setters and getters 2019-04-24 15:46:03 +02:00
Gilles Peskine
4747d19d18 Implement atomic-creation psa_import_key
Implement the new, attribute-based psa_import_key and some basic
functions to access psa_key_attributes_t. Replace
psa_import_key_to_handle by psa_import_key in a few test functions.

This commit does not handle persistence attributes yet.
2019-04-24 15:45:50 +02:00
Gilles Peskine
87a5e565f4 Rename functions that inject key material to an allocated handle
This commit starts a migration to a new interface for key creation.
Today, the application allocates a handle, then fills its metadata,
and finally injects key material. The new interface fills metadata
into a temporary structure, and a handle is allocated at the same time
it gets filled with both metadata and key material.

This commit was obtained by moving the declaration of the old-style
functions to crypto_extra.h and renaming them with the to_handle
suffix, adding declarations for the new-style functions in crypto.h
under their new name, and running

    perl -i -pe 's/\bpsa_(import|copy|generator_import|generate)_key\b/$&_to_handle/g' library/*.c tests/suites/*.function programs/psa/*.c
    perl -i -pe 's/\bpsa_get_key_lifetime\b/$&_from_handle/g' library/*.c tests/suites/*.function programs/psa/*.c

Many functions that are specific to the old interface, and which will
not remain under the same name with the new interface, are still in
crypto.h for now.

All functional tests should still pass. The documentation may have
some broken links.
2019-04-24 15:24:45 +02:00
Gilles Peskine
22c51517fb Use unsigned int for bitfields
uintN_t is not a standard type for a bitfield, as armcc points out.
2019-04-18 09:42:21 +02:00
Gilles Peskine
a52460c3ed Algorithm encoding: move two bits from derivation to agreement
This gives a little more room to encode key agreement algorithms,
while keeping enough space for key derivation algorithms.

This doesn't affect any of the already-defined algorithms.
2019-04-18 09:42:21 +02:00
Gilles Peskine
3135184cfc Merge remote-tracking branch 'upstream-crypto/development' into psa-api-beta2-merge-development
Merge the Mbed Crypto development branch a little after
mbedcrypto-1.0.0 into the PSA Crypto API 1.0 beta branch a little
after beta 2.

Summary of merge conflicts:

* Some features (psa_copy_key, public key format without
  SubjectPublicKeyInfo wrapping) went into both sides, but with a few
  improvements on the implementation side. For those, take the
  implementation side.
* The key derivation API changed considerably on the API side. This
  merge commit generally goes with the updated API except in the tests
  where it keeps some aspects of the implementation.

Due to the divergence between the two branches on key derivation and
key agreement, test_suite_psa_crypto does not compile. This will be
resolved in subsequent commits.
2019-04-09 12:00:00 +02:00
Gilles Peskine
e3dbdd8d90 Gate entropy injection through a dedicated configuration option
Entropy injection has specific testing requirements. Therefore it
should depend on a specific option.
2019-03-15 11:15:21 +01:00
Gilles Peskine
6bf4baef95 Remove compilation option MBEDTLS_PSA_HAS_ITS_IO
MBEDTLS_PSA_HAS_ITS_IO is not really useful since it doesn't actually
enable anything except the entropy seed file support, which only
requires the ITS interface and not a native implemetation. Remove it.
2019-03-15 11:15:13 +01:00
Gilles Peskine
ee67dd61bc Fix Doxygen warnings 2019-03-12 13:23:17 +01:00
Gilles Peskine
5579971cb1 psa_generator_import_key (ECC): minor corrections 2019-03-12 11:55:43 +01:00
Gilles Peskine
2de2c0d9ce Clarify deterministic generation by re-drawing
For DH, ECC (Weierstrass curves) and DSA, specify that the re-drawing
method is the one defined by NIST as
"key-pair generation by testing candidates", and describe it
unambiguously.

Also specify DES explicitly.
2019-03-11 18:10:07 +01:00
Gilles Peskine
fa4486d7ec Specify psa_generator_import_key for each key type
psa_generator_import_key() was only specified for "symmetric keys",
and there were some mistakes in the specification. Rewrite the
specification and extend it to other key types.

* For most private key types, specify that the function draws a byte
  string repeatedly until the byte string is suitable.
* For DES, despite being a symmetric key type, re-drawing is
  necessary.
* For Montgomery curves, despite being asymmetric, no re-drawing is
  necessary.
* Specify the behavior for every standard key type other than RSA.
  An implementation doesn't have to support all key types, but if it
  does, it's better to have a standard.
2019-03-11 17:30:31 +01:00
Gilles Peskine
3be6b7f553 Fix some copypasta in references to parameter names
Validated by

perl -ne 'if (/^\/\*\*/) {%param=(); @p=()} if (/\\param.*? (\w+)/) {$param{$1}=1} while (/\\p \*?(\w+)/g) {push @p,[$1,ARGV->input_line_number()]} if (/^\ \*\//) {foreach (@p) {if (!$param{$_->[0]}) {printf "%s:%d: bad \\p %s\n", $ARGV, $_->[1], $_->[0]}}} close ARGV if eof' include/psa/*.h
2019-03-11 15:11:31 +01:00
Gilles Peskine
ae2e5e0806 Remove copypasta'ed error reason in psa_aead_finish 2019-03-11 15:11:31 +01:00
Gilles Peskine
2e37c0dc5d Fix leftover occurrences of "key selection algorithm" 2019-03-11 15:11:31 +01:00
Jaeden Amero
03a60301d7
Merge pull request #248 from ARMmbed/dreemkiller_rename_driver
Various Changes for the PSA Driver Model
2019-03-06 18:59:46 +00:00
Gilles Peskine
32668ce268 Pacify check-names.sh 2019-03-06 18:29:57 +01:00