1 /*
2 * PSA persistent key storage
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
24
25 #include <stdlib.h>
26 #include <string.h>
27
28 #include "psa/crypto.h"
29 #include "psa_crypto_storage.h"
30 #include "mbedtls/platform_util.h"
31
32 #if defined(MBEDTLS_PSA_ITS_FILE_C)
33 #include "psa_crypto_its.h"
34 #else /* Native ITS implementation */
35 #include "psa/error.h"
36 #include "psa/internal_trusted_storage.h"
37 #endif
38
39 #include "mbedtls/platform.h"
40
41
42
43 /****************************************************************/
44 /* Key storage */
45 /****************************************************************/
46
47 /* Determine a file name (ITS file identifier) for the given key identifier.
48 * The file name must be distinct from any file that is used for a purpose
49 * other than storing a key. Currently, the only such file is the random seed
50 * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is
51 * 0xFFFFFF52. */
psa_its_identifier_of_slot(mbedtls_svc_key_id_t key)52 static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key)
53 {
54 #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
55 /* Encode the owner in the upper 32 bits. This means that if
56 * owner values are nonzero (as they are on a PSA platform),
57 * no key file will ever have a value less than 0x100000000, so
58 * the whole range 0..0xffffffff is available for non-key files. */
59 uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key);
60 return ((uint64_t) unsigned_owner_id << 32) |
61 MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
62 #else
63 /* Use the key id directly as a file name.
64 * psa_is_key_id_valid() in psa_crypto_slot_management.c
65 * is responsible for ensuring that key identifiers do not have a
66 * value that is reserved for non-key files. */
67 return key;
68 #endif
69 }
70
71 /**
72 * \brief Load persistent data for the given key slot number.
73 *
74 * This function reads data from a storage backend and returns the data in a
75 * buffer.
76 *
77 * \param key Persistent identifier of the key to be loaded. This
78 * should be an occupied storage location.
79 * \param[out] data Buffer where the data is to be written.
80 * \param data_size Size of the \c data buffer in bytes.
81 *
82 * \retval #PSA_SUCCESS \emptydescription
83 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
84 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
85 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
86 * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
87 */
psa_crypto_storage_load(const mbedtls_svc_key_id_t key,uint8_t * data,size_t data_size)88 static psa_status_t psa_crypto_storage_load(
89 const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size)
90 {
91 psa_status_t status;
92 psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
93 struct psa_storage_info_t data_identifier_info;
94 size_t data_length = 0;
95
96 status = psa_its_get_info(data_identifier, &data_identifier_info);
97 if (status != PSA_SUCCESS) {
98 return status;
99 }
100
101 status = psa_its_get(data_identifier, 0, (uint32_t) data_size, data, &data_length);
102 if (data_size != data_length) {
103 return PSA_ERROR_DATA_INVALID;
104 }
105
106 return status;
107 }
108
psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key)109 int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key)
110 {
111 psa_status_t ret;
112 psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
113 struct psa_storage_info_t data_identifier_info;
114
115 ret = psa_its_get_info(data_identifier, &data_identifier_info);
116
117 if (ret == PSA_ERROR_DOES_NOT_EXIST) {
118 return 0;
119 }
120 return 1;
121 }
122
123 /**
124 * \brief Store persistent data for the given key slot number.
125 *
126 * This function stores the given data buffer to a persistent storage.
127 *
128 * \param key Persistent identifier of the key to be stored. This
129 * should be an unoccupied storage location.
130 * \param[in] data Buffer containing the data to be stored.
131 * \param data_length The number of bytes
132 * that make up the data.
133 *
134 * \retval #PSA_SUCCESS \emptydescription
135 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
136 * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
137 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
138 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
139 */
psa_crypto_storage_store(const mbedtls_svc_key_id_t key,const uint8_t * data,size_t data_length)140 static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
141 const uint8_t *data,
142 size_t data_length)
143 {
144 psa_status_t status;
145 psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
146 struct psa_storage_info_t data_identifier_info;
147
148 if (psa_is_key_present_in_storage(key) == 1) {
149 return PSA_ERROR_ALREADY_EXISTS;
150 }
151
152 status = psa_its_set(data_identifier, (uint32_t) data_length, data, 0);
153 if (status != PSA_SUCCESS) {
154 return PSA_ERROR_DATA_INVALID;
155 }
156
157 status = psa_its_get_info(data_identifier, &data_identifier_info);
158 if (status != PSA_SUCCESS) {
159 goto exit;
160 }
161
162 if (data_identifier_info.size != data_length) {
163 status = PSA_ERROR_DATA_INVALID;
164 goto exit;
165 }
166
167 exit:
168 if (status != PSA_SUCCESS) {
169 /* Remove the file in case we managed to create it but something
170 * went wrong. It's ok if the file doesn't exist. If the file exists
171 * but the removal fails, we're already reporting an error so there's
172 * nothing else we can do. */
173 (void) psa_its_remove(data_identifier);
174 }
175 return status;
176 }
177
psa_destroy_persistent_key(const mbedtls_svc_key_id_t key)178 psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key)
179 {
180 psa_status_t ret;
181 psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
182 struct psa_storage_info_t data_identifier_info;
183
184 ret = psa_its_get_info(data_identifier, &data_identifier_info);
185 if (ret == PSA_ERROR_DOES_NOT_EXIST) {
186 return PSA_SUCCESS;
187 }
188
189 if (psa_its_remove(data_identifier) != PSA_SUCCESS) {
190 return PSA_ERROR_DATA_INVALID;
191 }
192
193 ret = psa_its_get_info(data_identifier, &data_identifier_info);
194 if (ret != PSA_ERROR_DOES_NOT_EXIST) {
195 return PSA_ERROR_DATA_INVALID;
196 }
197
198 return PSA_SUCCESS;
199 }
200
201 /**
202 * \brief Get data length for given key slot number.
203 *
204 * \param key Persistent identifier whose stored data length
205 * is to be obtained.
206 * \param[out] data_length The number of bytes that make up the data.
207 *
208 * \retval #PSA_SUCCESS \emptydescription
209 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
210 * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
211 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
212 */
psa_crypto_storage_get_data_length(const mbedtls_svc_key_id_t key,size_t * data_length)213 static psa_status_t psa_crypto_storage_get_data_length(
214 const mbedtls_svc_key_id_t key,
215 size_t *data_length)
216 {
217 psa_status_t status;
218 psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
219 struct psa_storage_info_t data_identifier_info;
220
221 status = psa_its_get_info(data_identifier, &data_identifier_info);
222 if (status != PSA_SUCCESS) {
223 return status;
224 }
225
226 *data_length = (size_t) data_identifier_info.size;
227
228 return PSA_SUCCESS;
229 }
230
231 /**
232 * Persistent key storage magic header.
233 */
234 #define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
235 #define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH (sizeof(PSA_KEY_STORAGE_MAGIC_HEADER))
236
237 typedef struct {
238 uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
239 uint8_t version[4];
240 uint8_t lifetime[sizeof(psa_key_lifetime_t)];
241 uint8_t type[2];
242 uint8_t bits[2];
243 uint8_t policy[sizeof(psa_key_policy_t)];
244 uint8_t data_len[4];
245 uint8_t key_data[];
246 } psa_persistent_key_storage_format;
247
psa_format_key_data_for_storage(const uint8_t * data,const size_t data_length,const psa_core_key_attributes_t * attr,uint8_t * storage_data)248 void psa_format_key_data_for_storage(const uint8_t *data,
249 const size_t data_length,
250 const psa_core_key_attributes_t *attr,
251 uint8_t *storage_data)
252 {
253 psa_persistent_key_storage_format *storage_format =
254 (psa_persistent_key_storage_format *) storage_data;
255
256 memcpy(storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER,
257 PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH);
258 MBEDTLS_PUT_UINT32_LE(0, storage_format->version, 0);
259 MBEDTLS_PUT_UINT32_LE(attr->lifetime, storage_format->lifetime, 0);
260 MBEDTLS_PUT_UINT16_LE((uint16_t) attr->type, storage_format->type, 0);
261 MBEDTLS_PUT_UINT16_LE((uint16_t) attr->bits, storage_format->bits, 0);
262 MBEDTLS_PUT_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
263 MBEDTLS_PUT_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
264 MBEDTLS_PUT_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
265 MBEDTLS_PUT_UINT32_LE(data_length, storage_format->data_len, 0);
266 memcpy(storage_format->key_data, data, data_length);
267 }
268
check_magic_header(const uint8_t * data)269 static psa_status_t check_magic_header(const uint8_t *data)
270 {
271 if (memcmp(data, PSA_KEY_STORAGE_MAGIC_HEADER,
272 PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH) != 0) {
273 return PSA_ERROR_DATA_INVALID;
274 }
275 return PSA_SUCCESS;
276 }
277
psa_parse_key_data_from_storage(const uint8_t * storage_data,size_t storage_data_length,uint8_t ** key_data,size_t * key_data_length,psa_core_key_attributes_t * attr)278 psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
279 size_t storage_data_length,
280 uint8_t **key_data,
281 size_t *key_data_length,
282 psa_core_key_attributes_t *attr)
283 {
284 psa_status_t status;
285 const psa_persistent_key_storage_format *storage_format =
286 (const psa_persistent_key_storage_format *) storage_data;
287 uint32_t version;
288
289 if (storage_data_length < sizeof(*storage_format)) {
290 return PSA_ERROR_DATA_INVALID;
291 }
292
293 status = check_magic_header(storage_data);
294 if (status != PSA_SUCCESS) {
295 return status;
296 }
297
298 version = MBEDTLS_GET_UINT32_LE(storage_format->version, 0);
299 if (version != 0) {
300 return PSA_ERROR_DATA_INVALID;
301 }
302
303 *key_data_length = MBEDTLS_GET_UINT32_LE(storage_format->data_len, 0);
304 if (*key_data_length > (storage_data_length - sizeof(*storage_format)) ||
305 *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
306 return PSA_ERROR_DATA_INVALID;
307 }
308
309 if (*key_data_length == 0) {
310 *key_data = NULL;
311 } else {
312 *key_data = mbedtls_calloc(1, *key_data_length);
313 if (*key_data == NULL) {
314 return PSA_ERROR_INSUFFICIENT_MEMORY;
315 }
316 memcpy(*key_data, storage_format->key_data, *key_data_length);
317 }
318
319 attr->lifetime = MBEDTLS_GET_UINT32_LE(storage_format->lifetime, 0);
320 attr->type = MBEDTLS_GET_UINT16_LE(storage_format->type, 0);
321 attr->bits = MBEDTLS_GET_UINT16_LE(storage_format->bits, 0);
322 attr->policy.usage = MBEDTLS_GET_UINT32_LE(storage_format->policy, 0);
323 attr->policy.alg = MBEDTLS_GET_UINT32_LE(storage_format->policy, sizeof(uint32_t));
324 attr->policy.alg2 = MBEDTLS_GET_UINT32_LE(storage_format->policy, 2 * sizeof(uint32_t));
325
326 return PSA_SUCCESS;
327 }
328
psa_save_persistent_key(const psa_core_key_attributes_t * attr,const uint8_t * data,const size_t data_length)329 psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
330 const uint8_t *data,
331 const size_t data_length)
332 {
333 size_t storage_data_length;
334 uint8_t *storage_data;
335 psa_status_t status;
336
337 /* All keys saved to persistent storage always have a key context */
338 if (data == NULL || data_length == 0) {
339 return PSA_ERROR_INVALID_ARGUMENT;
340 }
341
342 if (data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
343 return PSA_ERROR_INSUFFICIENT_STORAGE;
344 }
345 storage_data_length = data_length + sizeof(psa_persistent_key_storage_format);
346
347 storage_data = mbedtls_calloc(1, storage_data_length);
348 if (storage_data == NULL) {
349 return PSA_ERROR_INSUFFICIENT_MEMORY;
350 }
351
352 psa_format_key_data_for_storage(data, data_length, attr, storage_data);
353
354 status = psa_crypto_storage_store(attr->id,
355 storage_data, storage_data_length);
356
357 mbedtls_platform_zeroize(storage_data, storage_data_length);
358 mbedtls_free(storage_data);
359
360 return status;
361 }
362
psa_free_persistent_key_data(uint8_t * key_data,size_t key_data_length)363 void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length)
364 {
365 if (key_data != NULL) {
366 mbedtls_platform_zeroize(key_data, key_data_length);
367 }
368 mbedtls_free(key_data);
369 }
370
psa_load_persistent_key(psa_core_key_attributes_t * attr,uint8_t ** data,size_t * data_length)371 psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
372 uint8_t **data,
373 size_t *data_length)
374 {
375 psa_status_t status = PSA_SUCCESS;
376 uint8_t *loaded_data;
377 size_t storage_data_length = 0;
378 mbedtls_svc_key_id_t key = attr->id;
379
380 status = psa_crypto_storage_get_data_length(key, &storage_data_length);
381 if (status != PSA_SUCCESS) {
382 return status;
383 }
384
385 loaded_data = mbedtls_calloc(1, storage_data_length);
386
387 if (loaded_data == NULL) {
388 return PSA_ERROR_INSUFFICIENT_MEMORY;
389 }
390
391 status = psa_crypto_storage_load(key, loaded_data, storage_data_length);
392 if (status != PSA_SUCCESS) {
393 goto exit;
394 }
395
396 status = psa_parse_key_data_from_storage(loaded_data, storage_data_length,
397 data, data_length, attr);
398
399 /* All keys saved to persistent storage always have a key context */
400 if (status == PSA_SUCCESS &&
401 (*data == NULL || *data_length == 0)) {
402 status = PSA_ERROR_STORAGE_FAILURE;
403 }
404
405 exit:
406 mbedtls_platform_zeroize(loaded_data, storage_data_length);
407 mbedtls_free(loaded_data);
408 return status;
409 }
410
411
412
413 /****************************************************************/
414 /* Transactions */
415 /****************************************************************/
416
417 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
418
419 psa_crypto_transaction_t psa_crypto_transaction;
420
psa_crypto_save_transaction(void)421 psa_status_t psa_crypto_save_transaction(void)
422 {
423 struct psa_storage_info_t p_info;
424 psa_status_t status;
425 status = psa_its_get_info(PSA_CRYPTO_ITS_TRANSACTION_UID, &p_info);
426 if (status == PSA_SUCCESS) {
427 /* This shouldn't happen: we're trying to start a transaction while
428 * there is still a transaction that hasn't been replayed. */
429 return PSA_ERROR_CORRUPTION_DETECTED;
430 } else if (status != PSA_ERROR_DOES_NOT_EXIST) {
431 return status;
432 }
433 return psa_its_set(PSA_CRYPTO_ITS_TRANSACTION_UID,
434 sizeof(psa_crypto_transaction),
435 &psa_crypto_transaction,
436 0);
437 }
438
psa_crypto_load_transaction(void)439 psa_status_t psa_crypto_load_transaction(void)
440 {
441 psa_status_t status;
442 size_t length;
443 status = psa_its_get(PSA_CRYPTO_ITS_TRANSACTION_UID, 0,
444 sizeof(psa_crypto_transaction),
445 &psa_crypto_transaction, &length);
446 if (status != PSA_SUCCESS) {
447 return status;
448 }
449 if (length != sizeof(psa_crypto_transaction)) {
450 return PSA_ERROR_DATA_INVALID;
451 }
452 return PSA_SUCCESS;
453 }
454
psa_crypto_stop_transaction(void)455 psa_status_t psa_crypto_stop_transaction(void)
456 {
457 psa_status_t status = psa_its_remove(PSA_CRYPTO_ITS_TRANSACTION_UID);
458 /* Whether or not updating the storage succeeded, the transaction is
459 * finished now. It's too late to go back, so zero out the in-memory
460 * data. */
461 memset(&psa_crypto_transaction, 0, sizeof(psa_crypto_transaction));
462 return status;
463 }
464
465 #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
466
467
468
469 /****************************************************************/
470 /* Random generator state */
471 /****************************************************************/
472
473 #if defined(MBEDTLS_PSA_INJECT_ENTROPY)
mbedtls_psa_storage_inject_entropy(const unsigned char * seed,size_t seed_size)474 psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
475 size_t seed_size)
476 {
477 psa_status_t status;
478 struct psa_storage_info_t p_info;
479
480 status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info);
481
482 if (PSA_ERROR_DOES_NOT_EXIST == status) { /* No seed exists */
483 status = psa_its_set(PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0);
484 } else if (PSA_SUCCESS == status) {
485 /* You should not be here. Seed needs to be injected only once */
486 status = PSA_ERROR_NOT_PERMITTED;
487 }
488 return status;
489 }
490 #endif /* MBEDTLS_PSA_INJECT_ENTROPY */
491
492
493
494 /****************************************************************/
495 /* The end */
496 /****************************************************************/
497
498 #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
499
