Remove lifetime parameter from psa_open_key
Change the scope of key identifiers to be global, rather than
per lifetime. As a result, you now need to specify the lifetime of a
key only when creating it.
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2e680b1..424c16e 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -512,9 +512,6 @@
*
* Open a handle to a key which was previously created with psa_create_key().
*
- * \param lifetime The lifetime of the key. This designates a storage
- * area where the key material is stored. This must not
- * be #PSA_KEY_LIFETIME_VOLATILE.
* \param id The persistent identifier of the key.
* \param[out] handle On success, a handle to a key slot which contains
* the data and metadata loaded from the specified
@@ -526,19 +523,16 @@
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_DOES_NOT_EXIST
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p lifetime is invalid, for example #PSA_KEY_LIFETIME_VOLATILE.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p id is invalid for the specified lifetime.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \p lifetime is not supported.
+ * \p id is invalid.
* \retval #PSA_ERROR_NOT_PERMITTED
* The specified key exists, but the application does not have the
* permission to access it. Note that this specification does not
* define any way to create such a key, but it may be possible
* through implementation-specific means.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_STORAGE_FAILURE
*/
-psa_status_t psa_open_key(psa_key_lifetime_t lifetime,
- psa_key_id_t id,
+psa_status_t psa_open_key(psa_key_id_t id,
psa_key_handle_t *handle);
/** Close a key handle.
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index 7054de7..da6e6b9 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -85,6 +85,19 @@
*/
/** Encoding of key lifetimes.
+ *
+ * The lifetime of a key indicates where it is stored and what system actions
+ * may create and destroy it.
+ *
+ * Keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE are automatically
+ * destroyed when the application terminates or on a power reset.
+ *
+ * Keys with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE are said
+ * to be _persistent_.
+ * Persistent keys are preserved if the application or the system restarts.
+ * Persistent keys have a key identifier of type #psa_key_id_t.
+ * The application can call psa_open_key() to open a persistent key that
+ * it created previously.
*/
typedef uint32_t psa_key_lifetime_t;
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 8ee5615..30cc05b 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -278,11 +278,10 @@
#endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
}
-psa_status_t psa_open_key( psa_key_lifetime_t lifetime,
- psa_key_file_id_t id,
- psa_key_handle_t *handle )
+psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
{
- return( persistent_key_setup( lifetime, id, handle, PSA_SUCCESS ) );
+ return( persistent_key_setup( PSA_KEY_LIFETIME_PERSISTENT,
+ id, handle, PSA_SUCCESS ) );
}
psa_status_t psa_create_key( psa_key_lifetime_t lifetime,
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 67c2c77..85ac4eb 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -4911,8 +4911,7 @@
PSA_ASSERT( psa_crypto_init() );
/* Check key slot still contains key data */
- PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id,
- &handle ) );
+ PSA_ASSERT( psa_open_key( key_id, &handle ) );
PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) );
TEST_EQUAL( psa_get_key_id( &attributes ), key_id );
TEST_EQUAL( psa_get_key_lifetime( &attributes ),
@@ -4947,7 +4946,7 @@
/* In case there was a test failure after creating the persistent key
* but while it was not open, try to re-open the persistent key
* to delete it. */
- psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, &handle );
+ psa_open_key( key_id, &handle );
}
psa_destroy_key( handle );
mbedtls_psa_crypto_free();
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function
index a2f4f77..827a7d8 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.function
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.function
@@ -134,8 +134,7 @@
psa_close_key( handle );
mbedtls_psa_crypto_free();
PSA_ASSERT( psa_crypto_init() );
- PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id,
- &handle ) );
+ PSA_ASSERT( psa_open_key( key_id, &handle ) );
}
TEST_EQUAL( psa_is_key_present_in_storage( key_id ), 1 );
@@ -144,8 +143,7 @@
/* Check key slot storage is removed */
TEST_EQUAL( psa_is_key_present_in_storage( key_id ), 0 );
- TEST_EQUAL( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id, &handle ),
- PSA_ERROR_DOES_NOT_EXIST );
+ TEST_EQUAL( psa_open_key( key_id, &handle ), PSA_ERROR_DOES_NOT_EXIST );
TEST_EQUAL( handle, 0 );
/* Shutdown and restart */
@@ -191,8 +189,7 @@
psa_close_key( handle );
mbedtls_psa_crypto_free();
PSA_ASSERT( psa_crypto_init() );
- PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id,
- &handle ) );
+ PSA_ASSERT( psa_open_key( key_id, &handle ) );
}
psa_reset_key_attributes( &attributes );
@@ -242,8 +239,7 @@
psa_close_key( handle );
mbedtls_psa_crypto_free();
PSA_ASSERT( psa_crypto_init() );
- PSA_ASSERT( psa_open_key( PSA_KEY_LIFETIME_PERSISTENT, key_id,
- &handle ) );
+ PSA_ASSERT( psa_open_key( key_id, &handle ) );
}
/* Test the key information */
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data
index 5dc2b67..c5afdfa 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.data
+++ b/tests/suites/test_suite_psa_crypto_slot_management.data
@@ -27,21 +27,15 @@
Open failure: invalid identifier (0)
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-open_fail:PSA_KEY_LIFETIME_PERSISTENT:0:PSA_ERROR_INVALID_ARGUMENT
+open_fail:0:PSA_ERROR_INVALID_ARGUMENT
Open failure: invalid identifier (random seed UID)
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-open_fail:PSA_KEY_LIFETIME_PERSISTENT:PSA_CRYPTO_ITS_RANDOM_SEED_UID:PSA_ERROR_INVALID_ARGUMENT
+open_fail:PSA_CRYPTO_ITS_RANDOM_SEED_UID:PSA_ERROR_INVALID_ARGUMENT
Open failure: non-existent identifier
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-open_fail:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_ERROR_DOES_NOT_EXIST
-
-Open failure: volatile lifetime
-open_fail:PSA_KEY_LIFETIME_VOLATILE:1:PSA_ERROR_INVALID_ARGUMENT
-
-Open failure: invalid lifetime
-open_fail:0x7fffffff:0:PSA_ERROR_INVALID_ARGUMENT
+open_fail:1:PSA_ERROR_DOES_NOT_EXIST
Create failure: invalid lifetime
create_fail:0x7fffffff:0:PSA_ERROR_INVALID_ARGUMENT
@@ -56,7 +50,7 @@
Open not supported
depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C
-open_fail:PSA_KEY_LIFETIME_PERSISTENT:1:PSA_ERROR_NOT_SUPPORTED
+open_fail:1:PSA_ERROR_NOT_SUPPORTED
Create not supported
depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index 267353e..d06d3d7 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -155,7 +155,7 @@
/* Close the key and reopen it. */
PSA_ASSERT( psa_close_key( handle ) );
- PSA_ASSERT( psa_open_key( lifetime, id, &handle ) );
+ PSA_ASSERT( psa_open_key( id, &handle ) );
PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) );
TEST_EQUAL( read_type, type );
@@ -184,12 +184,12 @@
{
case CLOSE_BY_CLOSE:
case CLOSE_BY_SHUTDOWN:
- PSA_ASSERT( psa_open_key( lifetime, id, &handle ) );
+ PSA_ASSERT( psa_open_key( id, &handle ) );
PSA_ASSERT( psa_get_key_information( handle, &read_type, NULL ) );
TEST_EQUAL( read_type, type );
break;
case CLOSE_BY_DESTROY:
- TEST_EQUAL( psa_open_key( lifetime, id, &handle ),
+ TEST_EQUAL( psa_open_key( id, &handle ),
PSA_ERROR_DOES_NOT_EXIST );
break;
}
@@ -241,7 +241,7 @@
if( reopen_policy == CLOSE_AFTER )
PSA_ASSERT( psa_close_key( handle1 ) );
if( reopen_policy == CLOSE_BEFORE || reopen_policy == CLOSE_AFTER )
- PSA_ASSERT( psa_open_key( lifetime, id, &handle1 ) );
+ PSA_ASSERT( psa_open_key( id, &handle1 ) );
/* Check that the original key hasn't changed. */
psa_reset_key_attributes( &attributes );
@@ -266,17 +266,16 @@
/* END_CASE */
/* BEGIN_CASE */
-void open_fail( int lifetime_arg, int id_arg,
+void open_fail( int id_arg,
int expected_status_arg )
{
- psa_key_lifetime_t lifetime = lifetime_arg;
psa_key_id_t id = id_arg;
psa_status_t expected_status = expected_status_arg;
psa_key_handle_t handle = 0xdead;
PSA_ASSERT( psa_crypto_init( ) );
- TEST_EQUAL( psa_open_key( lifetime, id, &handle ), expected_status );
+ TEST_EQUAL( psa_open_key( id, &handle ), expected_status );
TEST_EQUAL( handle, 0 );
exit:
@@ -376,8 +375,7 @@
{
mbedtls_psa_crypto_free( );
PSA_ASSERT( psa_crypto_init( ) );
- PSA_ASSERT( psa_open_key( target_lifetime, target_id,
- &target_handle ) );
+ PSA_ASSERT( psa_open_key( target_id, &target_handle ) );
}
/* Test that the target slot has the expected content. */