Merge pull request #92 from ARMmbed/dev/dgreen-arm/import-export-merge
Persistent key import/export
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 99bf31f..11efd87 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -168,6 +168,7 @@
endif()
include_directories(include/)
+include_directories(library/)
if(ENABLE_ZLIB_SUPPORT)
find_package(ZLIB)
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 870e335..27e9ef1 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -1523,6 +1523,31 @@
#define MBEDTLS_PSA_CRYPTO_C
/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ * Enable persistent key storage over files for the
+ * Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto_storage_file.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+
+/**
* \def MBEDTLS_RIPEMD160_C
*
* Enable the RIPEMD-160 hash algorithm.
diff --git a/crypto/library/Makefile b/crypto/library/Makefile
index 9151662..5b963c5 100644
--- a/crypto/library/Makefile
+++ b/crypto/library/Makefile
@@ -45,6 +45,8 @@
platform.o \
platform_util.o \
psa_crypto.o \
+ psa_crypto_storage.o \
+ psa_crypto_storage_file.o \
ripemd160.o \
rsa_internal.o \
rsa.o \
diff --git a/crypto/tests/Makefile b/crypto/tests/Makefile
index f76c1c0..cc4355b 100644
--- a/crypto/tests/Makefile
+++ b/crypto/tests/Makefile
@@ -1,4 +1,4 @@
-CFLAGS ?= -O2 -I../include
+CFLAGS ?= -O2 -I../include -I../library
WARNING_CFLAGS ?= \
-Werror -Wall -Wextra \
-Wno-unused-function \
@@ -16,11 +16,15 @@
APPS := \
test_suite_psa_crypto \
test_suite_psa_crypto_metadata \
+ test_suite_psa_crypto_persistent_key \
+ test_suite_psa_crypto_storage_file \
# Don't delete this line.
# Look up for associated function files
func.test_suite_psa_crypto := test_suite_psa_crypto
func.test_suite_psa_crypto_metadata := test_suite_psa_crypto_metadata
+func.test_suite_psa_crypto_persistent_key := test_suite_psa_crypto_persistent_key
+func.test_suite_psa_crypto_storage_file := test_suite_psa_crypto_storage_file
.SILENT:
@@ -56,6 +60,8 @@
test: $(APPS)
./test_suite_psa_crypto_metadata
./test_suite_psa_crypto
+ ./test_suite_psa_crypto_persistent_key
+ ./test_suite_psa_crypto_storage_file
# Create separate targets for generating embedded tests.
EMBEDDED_TESTS := $(addprefix embedded_,$(APPS))
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 6eec2ad..f78e61b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -506,6 +506,18 @@
#error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
+ !( defined(MBEDTLS_PSA_CRYPTO_C) && \
+ defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) )
+#error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) && \
+ !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
+ defined(MBEDTLS_FS_IO) )
+#error "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C defined, but not all prerequisites"
+#endif
+
#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) )
#error "MBEDTLS_RSA_C defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index cd256c3..2190ac5 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2617,6 +2617,31 @@
#define MBEDTLS_PSA_CRYPTO_C
/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ * Enable persistent key storage over files for the
+ * Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto_storage_file.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+
+/**
* \def MBEDTLS_RIPEMD160_C
*
* Enable the RIPEMD-160 hash algorithm.
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index d1a3f0f..1ca6492 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -1441,6 +1441,7 @@
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_STORAGE_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
* \retval #PSA_ERROR_BAD_STATE
@@ -1922,6 +1923,16 @@
* whether the lifetime of an occupied key slot can be changed, is
* implementation-dependent.
*
+ * When creating a persistent key, you must call this function before creating
+ * the key material with psa_import_key(), psa_generate_key() or
+ * psa_generator_import_key(). To open an existing persistent key, you must
+ * call this function with the correct lifetime value before using the slot
+ * for a cryptographic operation. Once a slot's lifetime has been set,
+ * the lifetime remains associated with the slot until a subsequent call to
+ * psa_set_key_lifetime(), until the key is wiped with psa_destroy_key or
+ * until the application terminates (or disconnects from the cryptography
+ * service, if the implementation offers such a possibility).
+ *
* \param key Slot whose lifetime is to be changed.
* \param lifetime The lifetime value to set for the given key slot.
*
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 0c2ac88..04e404c 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -54,6 +54,8 @@
platform_util.c
poly1305.c
psa_crypto.c
+ psa_crypto_storage.c
+ psa_crypto_storage_file.c
ripemd160.c
rsa.c
rsa_internal.c
diff --git a/library/Makefile b/library/Makefile
index cf6750d..83afa66 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -82,6 +82,8 @@
pkcs5.o pkparse.o pkwrite.o \
platform.o platform_util.o poly1305.o \
psa_crypto.o \
+ psa_crypto_storage.o \
+ psa_crypto_storage_file.o \
ripemd160.o rsa_internal.o rsa.o \
sha1.o sha256.o sha512.o \
threading.o timing.o version.o \
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 010c338..58cb738 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -43,6 +43,10 @@
#include "psa/crypto.h"
+/* Include internal declarations that are useful for implementing persistently
+ * stored keys. */
+#include "psa_crypto_storage.h"
+
#include <stdlib.h>
#include <string.h>
#if defined(MBEDTLS_PLATFORM_C)
@@ -361,76 +365,6 @@
}
}
-/* Retrieve a key slot, occupied or not. */
-static psa_status_t psa_get_key_slot( psa_key_slot_t key,
- key_slot_t **p_slot )
-{
- GUARD_MODULE_INITIALIZED;
-
- /* 0 is not a valid slot number under any circumstance. This
- * implementation provides slots number 1 to N where N is the
- * number of available slots. */
- if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) )
- return( PSA_ERROR_INVALID_ARGUMENT );
-
- *p_slot = &global_data.key_slots[key - 1];
- return( PSA_SUCCESS );
-}
-
-/* Retrieve an empty key slot (slot with no key data, but possibly
- * with some metadata such as a policy). */
-static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key,
- key_slot_t **p_slot )
-{
- psa_status_t status;
- key_slot_t *slot = NULL;
-
- *p_slot = NULL;
-
- status = psa_get_key_slot( key, &slot );
- if( status != PSA_SUCCESS )
- return( status );
-
- if( slot->type != PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_OCCUPIED_SLOT );
-
- *p_slot = slot;
- return( status );
-}
-
-/** Retrieve a slot which must contain a key. The key must have allow all the
- * usage flags set in \p usage. If \p alg is nonzero, the key must allow
- * operations with this algorithm. */
-static psa_status_t psa_get_key_from_slot( psa_key_slot_t key,
- key_slot_t **p_slot,
- psa_key_usage_t usage,
- psa_algorithm_t alg )
-{
- psa_status_t status;
- key_slot_t *slot = NULL;
-
- *p_slot = NULL;
-
- status = psa_get_key_slot( key, &slot );
- if( status != PSA_SUCCESS )
- return( status );
- if( slot->type == PSA_KEY_TYPE_NONE )
- return( PSA_ERROR_EMPTY_SLOT );
-
- /* Enforce that usage policy for the key slot contains all the flags
- * required by the usage parameter. There is one exception: public
- * keys can always be exported, so we treat public key objects as
- * if they had the export flag. */
- if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
- usage &= ~PSA_KEY_USAGE_EXPORT;
- if( ( slot->policy.usage & usage ) != usage )
- return( PSA_ERROR_NOT_PERMITTED );
- if( alg != 0 && ( alg != slot->policy.alg ) )
- return( PSA_ERROR_NOT_PERMITTED );
-
- *p_slot = slot;
- return( PSA_SUCCESS );
-}
@@ -691,23 +625,18 @@
}
#endif /* defined(MBEDTLS_ECP_C) */
-psa_status_t psa_import_key( psa_key_slot_t key,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length )
+static psa_status_t psa_import_key_into_slot( key_slot_t *slot,
+ const uint8_t *data,
+ size_t data_length )
{
- key_slot_t *slot;
psa_status_t status = PSA_SUCCESS;
- status = psa_get_empty_key_slot( key, &slot );
- if( status != PSA_SUCCESS )
- return( status );
- if( key_type_is_raw_bytes( type ) )
+ if( key_type_is_raw_bytes( slot->type ) )
{
/* Ensure that a bytes-to-bit conversion won't overflow. */
if( data_length > SIZE_MAX / 8 )
return( PSA_ERROR_NOT_SUPPORTED );
- status = prepare_raw_data_slot( type,
+ status = prepare_raw_data_slot( slot->type,
PSA_BYTES_TO_BITS( data_length ),
&slot->data.raw );
if( status != PSA_SUCCESS )
@@ -717,9 +646,9 @@
}
else
#if defined(MBEDTLS_ECP_C)
- if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( type ) )
+ if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( slot->type ) )
{
- status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( type ),
+ status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( slot->type ),
data, data_length,
&slot->data.ecp );
if( status != PSA_SUCCESS )
@@ -728,14 +657,15 @@
else
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_PK_PARSE_C)
- if( PSA_KEY_TYPE_IS_RSA( type ) || PSA_KEY_TYPE_IS_ECC( type ) )
+ if( PSA_KEY_TYPE_IS_RSA( slot->type ) ||
+ PSA_KEY_TYPE_IS_ECC( slot->type ) )
{
int ret;
mbedtls_pk_context pk;
mbedtls_pk_init( &pk );
/* Parse the data. */
- if( PSA_KEY_TYPE_IS_KEYPAIR( type ) )
+ if( PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 );
else
ret = mbedtls_pk_parse_public_key( &pk, data, data_length );
@@ -746,13 +676,13 @@
* If it has the expected type and passes any type-specific
* checks, store it. */
#if defined(MBEDTLS_RSA_C)
- if( PSA_KEY_TYPE_IS_RSA( type ) )
+ if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
status = psa_import_rsa_key( &pk, &slot->data.rsa );
else
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_C)
- if( PSA_KEY_TYPE_IS_ECC( type ) )
- status = psa_import_ecp_key( PSA_KEY_TYPE_GET_CURVE( type ),
+ if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
+ status = psa_import_ecp_key( PSA_KEY_TYPE_GET_CURVE( slot->type ),
&pk, &slot->data.ecp );
else
#endif /* MBEDTLS_ECP_C */
@@ -773,24 +703,123 @@
{
return( PSA_ERROR_NOT_SUPPORTED );
}
-
- slot->type = type;
return( PSA_SUCCESS );
}
-psa_status_t psa_destroy_key( psa_key_slot_t key )
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t key,
+ key_slot_t *p_slot )
{
- key_slot_t *slot;
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *key_data = NULL;
+ size_t key_data_length = 0;
+
+ status = psa_load_persistent_key( key, &( p_slot )->type,
+ &( p_slot )->policy, &key_data,
+ &key_data_length );
+ if( status != PSA_SUCCESS )
+ goto exit;
+ status = psa_import_key_into_slot( p_slot,
+ key_data, key_data_length );
+exit:
+ psa_free_persistent_key_data( key_data, key_data_length );
+ return( status );
+}
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+/* Retrieve a key slot, occupied or not. */
+static psa_status_t psa_get_key_slot( psa_key_slot_t key,
+ key_slot_t **p_slot )
+{
+ GUARD_MODULE_INITIALIZED;
+
+ /* 0 is not a valid slot number under any circumstance. This
+ * implementation provides slots number 1 to N where N is the
+ * number of available slots. */
+ if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+
+ *p_slot = &global_data.key_slots[key - 1];
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if( ( *p_slot )->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
+ {
+ /* There are two circumstances this can occur: the key material has
+ * not yet been created, or the key exists in storage but has not yet
+ * been loaded into memory. */
+ if( ( *p_slot )->type == PSA_KEY_TYPE_NONE )
+ {
+ psa_status_t status = PSA_SUCCESS;
+ status = psa_load_persistent_key_into_slot( key, *p_slot );
+ if( status != PSA_ERROR_EMPTY_SLOT )
+ return( status );
+ }
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+ return( PSA_SUCCESS );
+}
+
+/* Retrieve an empty key slot (slot with no key data, but possibly
+ * with some metadata such as a policy). */
+static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key,
+ key_slot_t **p_slot )
+{
psa_status_t status;
+ key_slot_t *slot = NULL;
+
+ *p_slot = NULL;
status = psa_get_key_slot( key, &slot );
if( status != PSA_SUCCESS )
return( status );
+ if( slot->type != PSA_KEY_TYPE_NONE )
+ return( PSA_ERROR_OCCUPIED_SLOT );
+
+ *p_slot = slot;
+ return( status );
+}
+
+/** Retrieve a slot which must contain a key. The key must have allow all the
+ * usage flags set in \p usage. If \p alg is nonzero, the key must allow
+ * operations with this algorithm. */
+static psa_status_t psa_get_key_from_slot( psa_key_slot_t key,
+ key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg )
+{
+ psa_status_t status;
+ key_slot_t *slot = NULL;
+
+ *p_slot = NULL;
+
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+ if( slot->type == PSA_KEY_TYPE_NONE )
+ return( PSA_ERROR_EMPTY_SLOT );
+
+ /* Enforce that usage policy for the key slot contains all the flags
+ * required by the usage parameter. There is one exception: public
+ * keys can always be exported, so we treat public key objects as
+ * if they had the export flag. */
+ if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
+ usage &= ~PSA_KEY_USAGE_EXPORT;
+ if( ( slot->policy.usage & usage ) != usage )
+ return( PSA_ERROR_NOT_PERMITTED );
+ if( alg != 0 && ( alg != slot->policy.alg ) )
+ return( PSA_ERROR_NOT_PERMITTED );
+
+ *p_slot = slot;
+ return( PSA_SUCCESS );
+}
+
+static psa_status_t psa_remove_key_data_from_memory( key_slot_t *slot )
+{
if( slot->type == PSA_KEY_TYPE_NONE )
{
- /* No key material to clean, but do zeroize the slot below to wipe
- * metadata such as policies. */
+ /* No key material to clean. */
}
else if( key_type_is_raw_bytes( slot->type ) )
{
@@ -819,10 +848,70 @@
return( PSA_ERROR_TAMPERING_DETECTED );
}
- mbedtls_zeroize( slot, sizeof( *slot ) );
return( PSA_SUCCESS );
}
+psa_status_t psa_import_key( psa_key_slot_t key,
+ psa_key_type_t type,
+ const uint8_t *data,
+ size_t data_length )
+{
+ key_slot_t *slot;
+ psa_status_t status;
+
+ status = psa_get_empty_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ slot->type = type;
+
+ status = psa_import_key_into_slot( slot, data, data_length );
+ if( status != PSA_SUCCESS )
+ {
+ slot->type = PSA_KEY_TYPE_NONE;
+ return( status );
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
+ {
+ /* Store in file location */
+ status = psa_save_persistent_key( key, slot->type, &slot->policy, data,
+ data_length );
+ if( status != PSA_SUCCESS )
+ {
+ (void) psa_remove_key_data_from_memory( slot );
+ slot->type = PSA_KEY_TYPE_NONE;
+ }
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+ return( status );
+}
+
+psa_status_t psa_destroy_key( psa_key_slot_t key )
+{
+ key_slot_t *slot;
+ psa_status_t status = PSA_SUCCESS;
+ psa_status_t storage_status = PSA_SUCCESS;
+
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
+ {
+ storage_status = psa_destroy_persistent_key( key );
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+ status = psa_remove_key_data_from_memory( slot );
+ /* Zeroize the slot to wipe metadata such as policies. */
+ mbedtls_zeroize( slot, sizeof( *slot ) );
+ if( status != PSA_SUCCESS )
+ return( status );
+ return( storage_status );
+}
+
/* Return the size of the key in the given slot, in bits. */
static size_t psa_get_key_bits( const key_slot_t *slot )
{
@@ -864,30 +953,14 @@
return( PSA_SUCCESS );
}
-static psa_status_t psa_internal_export_key( psa_key_slot_t key,
+static psa_status_t psa_internal_export_key( key_slot_t *slot,
uint8_t *data,
size_t data_size,
size_t *data_length,
int export_public_key )
{
- key_slot_t *slot;
- psa_status_t status;
- /* Exporting a public key doesn't require a usage flag. If we're
- * called by psa_export_public_key(), don't require the EXPORT flag.
- * If we're called by psa_export_key(), do require the EXPORT flag;
- * if the key turns out to be public key object, psa_get_key_from_slot()
- * will ignore this flag. */
- psa_key_usage_t usage = export_public_key ? 0 : PSA_KEY_USAGE_EXPORT;
-
- /* Set the key to empty now, so that even when there are errors, we always
- * set data_length to a value between 0 and data_size. On error, setting
- * the key to empty is a good choice because an empty key representation is
- * unlikely to be accepted anywhere. */
*data_length = 0;
- status = psa_get_key_from_slot( key, &slot, usage, 0 );
- if( status != PSA_SUCCESS )
- return( status );
if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
@@ -907,6 +980,8 @@
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( slot->type ) && !export_public_key )
{
+ psa_status_t status;
+
size_t bytes = PSA_BITS_TO_BYTES( psa_get_key_bits( slot ) );
if( bytes > data_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
@@ -991,7 +1066,22 @@
size_t data_size,
size_t *data_length )
{
- return( psa_internal_export_key( key, data, data_size,
+ key_slot_t *slot;
+ psa_status_t status;
+
+ /* Set the key to empty now, so that even when there are errors, we always
+ * set data_length to a value between 0 and data_size. On error, setting
+ * the key to empty is a good choice because an empty key representation is
+ * unlikely to be accepted anywhere. */
+ *data_length = 0;
+
+ /* Export requires the EXPORT flag. There is an exception for public keys,
+ * which don't require any flag, but psa_get_key_from_slot takes
+ * care of this. */
+ status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_EXPORT, 0 );
+ if( status != PSA_SUCCESS )
+ return( status );
+ return( psa_internal_export_key( slot, data, data_size,
data_length, 0 ) );
}
@@ -1000,10 +1090,54 @@
size_t data_size,
size_t *data_length )
{
- return( psa_internal_export_key( key, data, data_size,
+ key_slot_t *slot;
+ psa_status_t status;
+
+ /* Set the key to empty now, so that even when there are errors, we always
+ * set data_length to a value between 0 and data_size. On error, setting
+ * the key to empty is a good choice because an empty key representation is
+ * unlikely to be accepted anywhere. */
+ *data_length = 0;
+
+ /* Exporting a public key doesn't require a usage flag. */
+ status = psa_get_key_from_slot( key, &slot, 0, 0 );
+ if( status != PSA_SUCCESS )
+ return( status );
+ return( psa_internal_export_key( slot, data, data_size,
data_length, 1 ) );
}
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+static psa_status_t psa_save_generated_persistent_key( psa_key_slot_t key,
+ key_slot_t *slot,
+ size_t bits )
+{
+ psa_status_t status;
+ uint8_t *data;
+ size_t key_length;
+ size_t data_size = PSA_KEY_EXPORT_MAX_SIZE( slot->type, bits );
+ data = mbedtls_calloc( 1, data_size );
+ /* Get key data in export format */
+ status = psa_internal_export_key( slot, data, data_size, &key_length, 0 );
+ if( status != PSA_SUCCESS )
+ {
+ slot->type = PSA_KEY_TYPE_NONE;
+ goto exit;
+ }
+ /* Store in file location */
+ status = psa_save_persistent_key( key, slot->type, &slot->policy,
+ data, key_length );
+ if( status != PSA_SUCCESS )
+ {
+ slot->type = PSA_KEY_TYPE_NONE;
+ }
+exit:
+ mbedtls_zeroize( data, key_length );
+ mbedtls_free( data );
+ return( status );
+}
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
/****************************************************************/
@@ -2953,16 +3087,21 @@
if( lifetime != PSA_KEY_LIFETIME_VOLATILE &&
lifetime != PSA_KEY_LIFETIME_PERSISTENT &&
- lifetime != PSA_KEY_LIFETIME_WRITE_ONCE)
+ lifetime != PSA_KEY_LIFETIME_WRITE_ONCE )
return( PSA_ERROR_INVALID_ARGUMENT );
status = psa_get_empty_key_slot( key, &slot );
if( status != PSA_SUCCESS )
return( status );
- if( lifetime != PSA_KEY_LIFETIME_VOLATILE )
+ if( lifetime == PSA_KEY_LIFETIME_WRITE_ONCE )
return( PSA_ERROR_NOT_SUPPORTED );
+#if !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if( lifetime == PSA_KEY_LIFETIME_PERSISTENT )
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif
+
slot->lifetime = lifetime;
return( PSA_SUCCESS );
@@ -4201,7 +4340,15 @@
return( PSA_ERROR_NOT_SUPPORTED );
slot->type = type;
- return( PSA_SUCCESS );
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
+ {
+ return( psa_save_generated_persistent_key( key, slot, bits ) );
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+ return( status );
}
@@ -4212,8 +4359,18 @@
void mbedtls_psa_crypto_free( void )
{
psa_key_slot_t key;
+ key_slot_t *slot;
+ psa_status_t status;
+
for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ )
- psa_destroy_key( key );
+ {
+ status = psa_get_key_slot( key, &slot );
+ if( status != PSA_SUCCESS )
+ continue;
+ psa_remove_key_data_from_memory( slot );
+ /* Zeroize the slot to wipe metadata such as policies. */
+ mbedtls_zeroize( slot, sizeof( *slot ) );
+ }
mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
mbedtls_entropy_free( &global_data.entropy );
mbedtls_zeroize( &global_data, sizeof( global_data ) );
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
new file mode 100644
index 0000000..0a5805b
--- /dev/null
+++ b/library/psa_crypto_storage.c
@@ -0,0 +1,219 @@
+/*
+ * PSA persistent key storage
+ */
+/* Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc calloc
+#define mbedtls_free free
+#endif
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i) \
+{ \
+ (n) = ( (uint32_t) (b)[(i) ] ) \
+ | ( (uint32_t) (b)[(i) + 1] << 8 ) \
+ | ( (uint32_t) (b)[(i) + 2] << 16 ) \
+ | ( (uint32_t) (b)[(i) + 3] << 24 ); \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i) \
+{ \
+ (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
+ (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
+ (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
+ (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
+}
+#endif
+
+/**
+ * Persistent key storage magic header.
+ */
+#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
+#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ( sizeof( PSA_KEY_STORAGE_MAGIC_HEADER ) )
+
+typedef struct {
+ uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
+ uint8_t version[4];
+ uint8_t type[sizeof( psa_key_type_t )];
+ uint8_t policy[sizeof( psa_key_policy_t )];
+ uint8_t data_len[4];
+ uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage( const uint8_t *data,
+ const size_t data_length,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ uint8_t *storage_data )
+{
+ psa_persistent_key_storage_format *storage_format =
+ (psa_persistent_key_storage_format *) storage_data;
+
+ memcpy( storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER, PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH );
+ PUT_UINT32_LE(0, storage_format->version, 0);
+ PUT_UINT32_LE(type, storage_format->type, 0);
+ PUT_UINT32_LE(policy->usage, storage_format->policy, 0);
+ PUT_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+ PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+ memcpy( storage_format->key_data, data, data_length );
+}
+
+static psa_status_t check_magic_header( const uint8_t *data )
+{
+ if( memcmp( data, PSA_KEY_STORAGE_MAGIC_HEADER,
+ PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ) != 0 )
+ return( PSA_ERROR_STORAGE_FAILURE );
+ return( PSA_SUCCESS );
+}
+
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy )
+{
+ psa_status_t status;
+ const psa_persistent_key_storage_format *storage_format =
+ (const psa_persistent_key_storage_format *)storage_data;
+ uint32_t version;
+
+ if( storage_data_length < sizeof(*storage_format) )
+ return( PSA_ERROR_STORAGE_FAILURE );
+
+ status = check_magic_header( storage_data );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ GET_UINT32_LE(version, storage_format->version, 0);
+ if( version != 0 )
+ return( PSA_ERROR_STORAGE_FAILURE );
+
+ GET_UINT32_LE(*key_data_length, storage_format->data_len, 0);
+ if( *key_data_length > ( storage_data_length - sizeof(*storage_format) ) ||
+ *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+ return( PSA_ERROR_STORAGE_FAILURE );
+
+ *key_data = mbedtls_calloc( 1, *key_data_length );
+ if( *key_data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ GET_UINT32_LE(*type, storage_format->type, 0);
+ GET_UINT32_LE(policy->usage, storage_format->policy, 0);
+ GET_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+
+ memcpy( *key_data, storage_format->key_data, *key_data_length );
+
+ return( PSA_SUCCESS );
+}
+
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ const uint8_t *data,
+ const size_t data_length )
+{
+ size_t storage_data_length;
+ uint8_t *storage_data;
+ psa_status_t status;
+
+ if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+ return PSA_ERROR_INSUFFICIENT_STORAGE;
+ storage_data_length = data_length + sizeof( psa_persistent_key_storage_format );
+
+ storage_data = mbedtls_calloc( 1, storage_data_length );
+ if( storage_data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ psa_format_key_data_for_storage( data, data_length, type, policy,
+ storage_data );
+
+ status = psa_crypto_storage_store( key,
+ storage_data, storage_data_length );
+
+ mbedtls_free( storage_data );
+
+ return( status );
+}
+
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length )
+{
+ if( key_data != NULL )
+ {
+ mbedtls_platform_zeroize( key_data, key_data_length );
+ }
+ mbedtls_free( key_data );
+}
+
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy,
+ uint8_t **data,
+ size_t *data_length )
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *loaded_data;
+ size_t storage_data_length = 0;
+
+ status = psa_crypto_storage_get_data_length( key, &storage_data_length );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ loaded_data = mbedtls_calloc( 1, storage_data_length );
+
+ if( loaded_data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ status = psa_crypto_storage_load( key, loaded_data, storage_data_length );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_parse_key_data_from_storage( loaded_data, storage_data_length,
+ data, data_length, type, policy );
+
+exit:
+ mbedtls_free( loaded_data );
+ return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
new file mode 100644
index 0000000..167b0db
--- /dev/null
+++ b/library/psa_crypto_storage.h
@@ -0,0 +1,177 @@
+/**
+ * \file psa_crypto_storage.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage
+ */
+/*
+ * Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_H
+#define PSA_CRYPTO_STORAGE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+ * in each of its header files. */
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include <stdint.h>
+
+/* Limit the maximum key size to 30kB (just in case someone tries to
+ * inadvertently store an obscene amount of data) */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE ( 30 * 1024 )
+
+/**
+ * \brief Format key data and metadata and save to a location for given key
+ * slot.
+ *
+ * This function formats the key data and metadata and saves it to a
+ * persistent storage backend. The storage location corresponding to the
+ * key slot must be empty, otherwise this function will fail. This function
+ * should be called after psa_import_key_into_slot() to ensure the
+ * persistent key is not saved into a storage location corresponding to an
+ * already occupied non-persistent key, as well as validating the key data.
+ *
+ *
+ * \param key Slot number of the key to be stored. This must be a
+ * valid slot for a key of the chosen type. This should be
+ * an occupied key slot with an unoccupied corresponding
+ * storage location.
+ * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[in] policy The key policy to save.
+ * \param[in] data Buffer containing the key data.
+ * \param data_length The number of bytes that make up the key data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ const uint8_t *data,
+ const size_t data_length );
+
+/**
+ * \brief Parses key data and metadata and load persistent key for given
+ * key slot number.
+ *
+ * This function reads from a storage backend, parses the key data and
+ * metadata and writes them to the appropriate output parameters.
+ *
+ * Note: This function allocates a buffer and returns a pointer to it through
+ * the data parameter. psa_free_persistent_key_data() must be called after
+ * this function to zeroize and free this buffer, regardless of whether this
+ * function succeeds or fails.
+ *
+ * \param key Slot number whose content is to be loaded. This
+ * must be an unoccupied key slot with an occupied
+ * corresponding storage location. The key slot
+ * lifetime must be set to persistent.
+ * \param[out] type On success, the key type (a \c PSA_KEY_TYPE_XXX
+ * value).
+ * \param[out] policy On success, the key's policy.
+ * \param[out] data Pointer to an allocated key data buffer on return.
+ * \param[out] data_length The number of bytes that make up the key data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy,
+ uint8_t **data,
+ size_t *data_length );
+
+/**
+ * \brief Remove persistent data for the given key slot number.
+ *
+ * \param key Slot number whose content is to be removed
+ * from persistent storage.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key );
+
+/**
+ * \brief Zeroizes and frees the given buffer.
+ *
+ * This function must be called at some point after psa_load_persistent_key()
+ * to zeroize and free the memory allocated to the buffer in that function.
+ *
+ * \param key_data Buffer for the key data.
+ * \param key_data_length Size of the key data buffer.
+ *
+ */
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length );
+
+/**
+ * \brief Formats key data and metadata for persistent storage
+ *
+ * \param[in] data Buffer for the key data.
+ * \param data_length Length of the key data buffer.
+ * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param policy The key policy.
+ * \param[out] storage_data Output buffer for the formatted data.
+ *
+ */
+void psa_format_key_data_for_storage( const uint8_t *data,
+ const size_t data_length,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ uint8_t *storage_data );
+
+/**
+ * \brief Parses persistent storage data into key data and metadata
+ *
+ * \param[in] storage_data Buffer for the storage data.
+ * \param storage_data_length Length of the storage data buffer
+ * \param[out] key_data On output, pointer to a newly allocated buffer
+ * containing the key data. This must be freed
+ * using psa_free_persistent_key_data()
+ * \param[out] key_data_length Length of the key data buffer
+ * \param[out] type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[out] policy The key policy.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_crypto_storage_backend.h b/library/psa_crypto_storage_backend.h
new file mode 100644
index 0000000..3ca9a1d
--- /dev/null
+++ b/library/psa_crypto_storage_backend.h
@@ -0,0 +1,112 @@
+/**
+ * \file psa_crypto_storage_backend.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage backend
+ */
+/*
+ * Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_BACKEND_H
+#define PSA_CRYPTO_STORAGE_BACKEND_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+ * in each of its header files. */
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include <stdint.h>
+
+/**
+ * \brief Load persistent data for the given key slot number.
+ *
+ * This function reads data from a storage backend and returns the data in a
+ * buffer.
+ *
+ * \param key Slot number whose content is to be loaded. This must
+ * be a key slot whose lifetime is set to persistent.
+ * \param[out] data Buffer where the data is to be written.
+ * \param data_size Size of the \c data buffer in bytes.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data,
+ size_t data_size );
+
+/**
+ * \brief Store persistent data for the given key slot number.
+ *
+ * This function stores the given data buffer to a persistent storage.
+ *
+ * \param key Slot number whose content is to be stored.
+ * \param[in] data Buffer containing the data to be stored.
+ * \param data_length The number of bytes
+ * that make up the data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_store( const psa_key_slot_t key,
+ const uint8_t *data,
+ size_t data_length );
+
+/**
+ * \brief Checks if persistent data is stored for the given key slot number
+ *
+ * This function checks if any key data or metadata exists for the key slot in
+ * the persistent storage.
+ *
+ * \param key Slot number whose content is to be checked.
+ *
+ * \retval 0
+ * No persistent data present for slot number
+ * \retval 1
+ * Persistent data present for slot number
+ */
+int psa_is_key_present_in_storage( const psa_key_slot_t key );
+
+/**
+ * \brief Get data length for given key slot number.
+ *
+ * \param key Slot number whose stored data length is to be obtained.
+ * \param[out] data_length The number of bytes
+ * that make up the data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key,
+ size_t *data_length );
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_crypto_storage_file.c b/library/psa_crypto_storage_file.c
new file mode 100644
index 0000000..03c711a
--- /dev/null
+++ b/library/psa_crypto_storage_file.c
@@ -0,0 +1,218 @@
+/*
+ * PSA file storage backend for persistent keys
+ */
+/* Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
+
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+/* This option sets where files are to be stored. If this is left unset,
+ * the files by default will be stored in the same location as the program,
+ * which may not be desired or possible. */
+#if !defined(CRYPTO_STORAGE_FILE_LOCATION)
+#define CRYPTO_STORAGE_FILE_LOCATION ""
+#endif
+
+enum { MAX_LOCATION_LEN = sizeof(CRYPTO_STORAGE_FILE_LOCATION) + 40 };
+
+static void key_slot_to_location( const psa_key_slot_t key,
+ char *location,
+ size_t location_size )
+{
+ mbedtls_snprintf( location, location_size,
+ CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_%d", key );
+}
+
+psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data,
+ size_t data_size )
+{
+ psa_status_t status = PSA_SUCCESS;
+ FILE *file;
+ size_t num_read;
+ char slot_location[MAX_LOCATION_LEN];
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+ file = fopen( slot_location, "rb" );
+ if( file == NULL )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+ num_read = fread( data, 1, data_size, file );
+ if( num_read != data_size )
+ status = PSA_ERROR_STORAGE_FAILURE;
+
+exit:
+ if( file != NULL )
+ fclose( file );
+ return( status );
+}
+
+int psa_is_key_present_in_storage( const psa_key_slot_t key )
+{
+ char slot_location[MAX_LOCATION_LEN];
+ FILE *file;
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ file = fopen( slot_location, "r" );
+ if( file == NULL )
+ {
+ /* File doesn't exist */
+ return( 0 );
+ }
+
+ fclose( file );
+ return( 1 );
+}
+
+psa_status_t psa_crypto_storage_store( const psa_key_slot_t key,
+ const uint8_t *data,
+ size_t data_length )
+{
+ psa_status_t status = PSA_SUCCESS;
+ int ret;
+ size_t num_written;
+ char slot_location[MAX_LOCATION_LEN];
+ FILE *file;
+ /* The storage location corresponding to "key slot 0" is used as a
+ * temporary location in order to make the apparition of the actual slot
+ * file atomic. 0 is not a valid key slot number, so this should not
+ * affect actual keys. */
+ const char *temp_location = CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_0";
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ if( psa_is_key_present_in_storage( key ) == 1 )
+ return( PSA_ERROR_OCCUPIED_SLOT );
+
+ file = fopen( temp_location, "wb" );
+ if( file == NULL )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ num_written = fwrite( data, 1, data_length, file );
+ if( num_written != data_length )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ ret = fclose( file );
+ file = NULL;
+ if( ret != 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ if( rename( temp_location, slot_location ) != 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+exit:
+ if( file != NULL )
+ fclose( file );
+ remove( temp_location );
+ return( status );
+}
+
+psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key )
+{
+ FILE *file;
+ char slot_location[MAX_LOCATION_LEN];
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ /* Only try remove the file if it exists */
+ file = fopen( slot_location, "rb" );
+ if( file != NULL )
+ {
+ fclose( file );
+
+ if( remove( slot_location ) != 0 )
+ return( PSA_ERROR_STORAGE_FAILURE );
+ }
+ return( PSA_SUCCESS );
+}
+
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key,
+ size_t *data_length )
+{
+ psa_status_t status = PSA_SUCCESS;
+ FILE *file;
+ long file_size;
+ char slot_location[MAX_LOCATION_LEN];
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ file = fopen( slot_location, "rb" );
+ if( file == NULL )
+ return( PSA_ERROR_EMPTY_SLOT );
+
+ if( fseek( file, 0, SEEK_END ) != 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ file_size = ftell( file );
+
+ if( file_size < 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+#if LONG_MAX > SIZE_MAX
+ if( (unsigned long) file_size > SIZE_MAX )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+#endif
+ *data_length = (size_t) file_size;
+
+exit:
+ fclose( file );
+ return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
diff --git a/library/version_features.c b/library/version_features.c
index ffad82f..7ef8997 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -687,6 +687,12 @@
#if defined(MBEDTLS_PSA_CRYPTO_C)
"MBEDTLS_PSA_CRYPTO_C",
#endif /* MBEDTLS_PSA_CRYPTO_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ "MBEDTLS_PSA_CRYPTO_STORAGE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
+ "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
#if defined(MBEDTLS_RIPEMD160_C)
"MBEDTLS_RIPEMD160_C",
#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/scripts/config.pl b/scripts/config.pl
index 2e4ac3b..69c6d5f 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -116,6 +116,8 @@
MBEDTLS_MEMORY_BUFFER_ALLOC_C
MBEDTLS_PLATFORM_TIME_ALT
MBEDTLS_PLATFORM_FPRINTF_ALT
+MBEDTLS_PSA_CRYPTO_STORAGE_C
+MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
);
# Things that should be enabled in "full" even if they match @excluded
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 488a5be..d8825ee 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -133,10 +133,11 @@
}
sub gen_main_file {
- my ($mbedtls_headers, $psa_headers, $sources, $hdr_tpl, $src_tpl, $main_tpl, $main_out) = @_;
+ my ($mbedtls_headers, $psa_headers, $source_headers, $sources, $hdr_tpl, $src_tpl, $main_tpl, $main_out) = @_;
my $header_entries = gen_entry_list( $hdr_tpl, @$mbedtls_headers );
$header_entries .= gen_entry_list( $hdr_tpl, @$psa_headers );
+ $header_entries .= gen_entry_list( $hdr_tpl, @$source_headers );
my $source_entries = gen_entry_list( $src_tpl, @$sources );
my $out = slurp_file( $main_tpl );
@@ -192,6 +193,7 @@
my @app_list = get_app_list();
my @mbedtls_headers = <$mbedtls_header_dir/*.h>;
my @psa_headers = <$psa_header_dir/*.h>;
+ my @source_headers = <$source_dir/*.h>;
my @sources = <$source_dir/*.c>;
map { s!/!\\!g } @mbedtls_headers;
map { s!/!\\!g } @psa_headers;
@@ -199,8 +201,8 @@
gen_app_files( @app_list );
- gen_main_file( \@mbedtls_headers, \@psa_headers, \@sources,
- $vsx_hdr_tpl, $vsx_src_tpl,
+ gen_main_file( \@mbedtls_headers, \@psa_headers, \@source_headers,
+ \@sources, $vsx_hdr_tpl, $vsx_src_tpl,
$vsx_main_tpl_file, $vsx_main_file );
gen_vsx_solution( @app_list );
diff --git a/scripts/mbed_crypto.make b/scripts/mbed_crypto.make
index e5e6ded..f51f5f8 100644
--- a/scripts/mbed_crypto.make
+++ b/scripts/mbed_crypto.make
@@ -70,6 +70,10 @@
platform.c \
platform_util.c \
psa_crypto.c \
+ psa_crypto_storage.h \
+ psa_crypto_storage.c \
+ psa_crypto_storage_backend.h \
+ psa_crypto_storage_file.c \
ripemd160.c \
rsa_internal.c \
rsa.c \
@@ -154,6 +158,10 @@
tests/suites/test_suite_psa_crypto_hash.function \
tests/suites/test_suite_psa_crypto_metadata.data \
tests/suites/test_suite_psa_crypto_metadata.function \
+ tests/suites/test_suite_psa_crypto_persistent_key.data \
+ tests/suites/test_suite_psa_crypto_persistent_key.function \
+ tests/suites/test_suite_psa_crypto_storage_file.data \
+ tests/suites/test_suite_psa_crypto_storage_file.function \
# Don't delete this line.
OTHER_FILES := \
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 89be6fe..34658c8 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -113,6 +113,8 @@
add_test_suite(psa_crypto)
add_test_suite(psa_crypto_hash)
add_test_suite(psa_crypto_metadata)
+add_test_suite(psa_crypto_persistent_key)
+add_test_suite(psa_crypto_storage_file)
add_test_suite(shax)
add_test_suite(ssl)
add_test_suite(timing)
diff --git a/tests/Makefile b/tests/Makefile
index 889d2a7..f5cafe5 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -6,7 +6,7 @@
WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -Wno-unused-function -Wno-unused-value
LDFLAGS ?=
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -I../library -D_FILE_OFFSET_BITS=64
LOCAL_LDFLAGS = -L../library \
-lmbedtls$(SHARED_SUFFIX) \
-lmbedx509$(SHARED_SUFFIX) \
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 5b04d84..73152cf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -644,6 +644,8 @@
scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.pl unset MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
# to re-enable platform integration features otherwise disabled in C99 builds
make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
@@ -859,6 +861,8 @@
scripts/config.pl unset MBEDTLS_THREADING_C
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
@@ -877,6 +881,8 @@
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
echo "Checking that software 64-bit division is not required"
if_build_succeeded not grep __aeabi_uldiv library/*.o
@@ -897,6 +903,8 @@
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -O1 -march=armv6-m -mthumb' lib
echo "Checking that software 64-bit multiplication is not required"
if_build_succeeded not grep __aeabi_lmul library/*.o
@@ -920,6 +928,8 @@
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
if [ $RUN_ARMCC -ne 0 ]; then
make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
diff --git a/tests/scripts/list-identifiers.sh b/tests/scripts/list-identifiers.sh
index 89daa68..ccd488c 100755
--- a/tests/scripts/list-identifiers.sh
+++ b/tests/scripts/list-identifiers.sh
@@ -7,7 +7,7 @@
exit 1
fi
-HEADERS=$( ls include/mbedtls/*.h include/psa/*.h | egrep -v 'compat-1\.3\.h|bn_mul' )
+HEADERS=$( ls include/mbedtls/*.h include/psa/*.h library/*.h | egrep -v 'compat-1\.3\.h|bn_mul' )
rm -f identifiers
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index ea214d2..e1c1b05 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -1834,3 +1834,35 @@
PSA validate module initialization: key based
validate_module_init_key_based:
+
+persistent key can be accessed after in-memory deletion: AES, 128 bits, CTR
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:IMPORT_KEY:PSA_SUCCESS
+
+PSA generate persistent key: raw data, 8 bits
+depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:GENERATE_KEY:PSA_SUCCESS
+
+PSA generate persistent key: AES, 128 bits, CTR
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:GENERATE_KEY:PSA_SUCCESS
+
+PSA generate persistent key: DES, 64 bits, CBC-nopad
+depends_on:MBEDTLS_DES_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CBC_NO_PADDING:GENERATE_KEY:PSA_SUCCESS
+
+PSA generate persistent key: RSA, 1024 bits, good, sign (PSS SHA-256)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_RSA_KEYPAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):GENERATE_KEY:PSA_SUCCESS
+
+PSA generate persistent key: ECC, SECP256R1, good
+depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDSA_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_SECP256R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_ECDSA_ANY:GENERATE_KEY:PSA_SUCCESS
+
+PSA derive persistent key: HKDF SHA-256
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY:PSA_SUCCESS
+
+PSA generate persistent key: AES, 128 bits, CTR
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_PSA_CRYPTO_STORAGE_C
+persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CTR:GENERATE_KEY:PSA_ERROR_NOT_PERMITTED
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 674a6e9..53295be 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -844,6 +844,13 @@
}
}
+
+typedef enum {
+ IMPORT_KEY = 0,
+ GENERATE_KEY = 1,
+ DERIVE_KEY = 2
+} generate_method;
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -4030,3 +4037,133 @@
TEST_ASSERT( status == PSA_ERROR_BAD_STATE );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
+void persistent_key_load_key_from_storage( data_t *data, int type_arg,
+ int bits, int usage_arg,
+ int alg_arg, int generation_method,
+ int export_status )
+{
+ psa_key_slot_t slot = 1;
+ psa_key_slot_t base_key = 2;
+ psa_key_type_t type = (psa_key_type_t) type_arg;
+ psa_key_type_t type_get;
+ size_t bits_get;
+ psa_key_policy_t policy_set;
+ psa_key_policy_t policy_get;
+ psa_key_usage_t policy_usage = (psa_key_usage_t) usage_arg;
+ psa_algorithm_t policy_alg = (psa_algorithm_t) alg_arg;
+ psa_key_policy_t base_policy_set;
+ psa_algorithm_t base_policy_alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
+ psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
+ unsigned char *first_export = NULL;
+ unsigned char *second_export = NULL;
+ size_t export_size = PSA_KEY_EXPORT_MAX_SIZE( type, bits );
+ size_t first_exported_length;
+ size_t second_exported_length;
+
+ ASSERT_ALLOC( first_export, export_size );
+ ASSERT_ALLOC( second_export, export_size );
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy_set );
+
+ psa_key_policy_set_usage( &policy_set, policy_usage,
+ policy_alg );
+
+ TEST_ASSERT( psa_set_key_policy( slot, &policy_set ) == PSA_SUCCESS );
+ switch( generation_method )
+ {
+ case IMPORT_KEY:
+ /* Import the key */
+ TEST_ASSERT( psa_import_key( slot, type,
+ data->x, data->len ) == PSA_SUCCESS );
+ break;
+
+ case GENERATE_KEY:
+ /* Generate a key */
+ TEST_ASSERT( psa_generate_key( slot, type, bits,
+ NULL, 0 ) == PSA_SUCCESS );
+ break;
+
+ case DERIVE_KEY:
+ /* Create base key */
+ psa_key_policy_init( &base_policy_set );
+
+ psa_key_policy_set_usage( &base_policy_set, PSA_KEY_USAGE_DERIVE,
+ base_policy_alg );
+ TEST_ASSERT( psa_set_key_policy(
+ base_key, &base_policy_set ) == PSA_SUCCESS );
+ TEST_ASSERT( psa_import_key( base_key, PSA_KEY_TYPE_DERIVE,
+ data->x, data->len ) == PSA_SUCCESS );
+ /* Derive a key. */
+ TEST_ASSERT( psa_key_derivation( &generator, base_key,
+ base_policy_alg,
+ NULL, 0, NULL, 0,
+ export_size ) == PSA_SUCCESS );
+ TEST_ASSERT( psa_generator_import_key(
+ slot, PSA_KEY_TYPE_RAW_DATA,
+ bits, &generator ) == PSA_SUCCESS );
+ break;
+ }
+
+ /* Export the key */
+ TEST_ASSERT( psa_export_key( slot, first_export, export_size,
+ &first_exported_length ) == export_status );
+
+ /* Shutdown and restart */
+ mbedtls_psa_crypto_free();
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ /* Mark slot as persistent again */
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ /* Check key slot still contains key data */
+ TEST_ASSERT( psa_get_key_information(
+ slot, &type_get, &bits_get ) == PSA_SUCCESS );
+ TEST_ASSERT( type_get == type );
+ TEST_ASSERT( bits_get == (size_t) bits );
+
+ TEST_ASSERT( psa_get_key_policy( slot, &policy_get ) == PSA_SUCCESS );
+ TEST_ASSERT( psa_key_policy_get_usage(
+ &policy_get ) == policy_usage );
+ TEST_ASSERT( psa_key_policy_get_algorithm(
+ &policy_get ) == policy_alg );
+
+ /* Export the key again */
+ TEST_ASSERT( psa_export_key( slot, second_export, export_size,
+ &second_exported_length ) == export_status );
+
+ if( export_status == PSA_SUCCESS )
+ {
+ ASSERT_COMPARE( first_export, first_exported_length,
+ second_export, second_exported_length );
+
+ switch( generation_method )
+ {
+ case IMPORT_KEY:
+ ASSERT_COMPARE( data->x, data->len,
+ first_export, first_exported_length );
+ break;
+ default:
+ break;
+ }
+ }
+
+ /* Do something with the key according to its type and permitted usage. */
+ if( ! exercise_key( slot, policy_usage, policy_alg ) )
+ goto exit;
+
+exit:
+ mbedtls_free( first_export );
+ mbedtls_free( second_export );
+ psa_destroy_key( slot );
+ mbedtls_psa_crypto_free();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.data b/tests/suites/test_suite_psa_crypto_persistent_key.data
new file mode 100644
index 0000000..46e547c
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.data
@@ -0,0 +1,78 @@
+PSA Storage format data for storage
+format_storage_data_check:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"505341004b45590000000000000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION
+
+PSA Storage parse stored data
+parse_storage_data_check:"505341004b45590000000000000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_SUCCESS
+
+PSA Storage parse stored data wrong version, should fail
+parse_storage_data_check:"505341004b455900ffffffff000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage parse too big data, should fail
+parse_storage_data_check:"505341004b45590000000000000001700100000000000012ffffffff3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage parse bad magic, should fail
+parse_storage_data_check:"645341004b45590000000000000001700100000000000012620200003082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage parse not enough magic, should fail
+parse_storage_data_check:"505341004b4559":"":PSA_KEY_TYPE_RSA_KEYPAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION:PSA_ERROR_STORAGE_FAILURE
+
+# Not specific to files, but only run this test in an environment where the maximum size could be reached.
+Save maximum size persistent raw key
+depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+save_large_persistent_key:0:PSA_SUCCESS
+
+Save larger than maximum size persistent raw key, should fail
+save_large_persistent_key:1:PSA_ERROR_INSUFFICIENT_STORAGE
+
+Persistent key is configurable
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+persistent_key_is_configurable:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24"
+
+Persistent key destroy
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+persistent_key_destroy:1:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RAW_DATA:"deadbeef"
+
+Persistent key destroy missing key
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+persistent_key_destroy:1:0:PSA_KEY_TYPE_RSA_KEYPAIR:"":PSA_KEY_TYPE_RAW_DATA:"deadbeef"
+
+Key lifetime defaults to volatile
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+default_volatile_lifetime:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24"
+
+Persistent key import
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+persistent_key_import:1:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_SUCCESS
+
+Persistent key import garbage data, should fail
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+persistent_key_import:1:PSA_KEY_TYPE_RSA_KEYPAIR:"11111111":PSA_ERROR_INVALID_ARGUMENT
+
+import/export persistent raw key: 0 byte
+import_export_persistent_key:"":PSA_KEY_TYPE_RAW_DATA:0:0
+
+import/export persistent raw key: 1 byte
+import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:0
+
+import/export persistent key RSA public key: good, 1024-bit
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+import_export_persistent_key:"30819f300d06092a864886f70d010101050003818d0030818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:0
+
+import/export persistent key RSA keypair: good, 1024-bit
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+import_export_persistent_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:1024:0
+
+import/export persistent raw key file not exist: 1 byte
+import_export_persistent_key:"2a":PSA_KEY_TYPE_RAW_DATA:8:1
+
+import/export persistent key RSA public key file not exist: 1024-bit
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+import_export_persistent_key:"30819f300d06092a864886f70d010101050003818d0030818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:1
+
+import/export persistent key RSA keypair file not exist: 1024-bit
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+import_export_persistent_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEYPAIR:1024:1
+
+PSA import/export-persistent symmetric key: 16 bytes
+depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C
+import_export_persistent_key:"2b7e151628aed2a6abf7158809cf4f3c":PSA_KEY_TYPE_AES:128:0
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function
new file mode 100644
index 0000000..0ede6e6
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.function
@@ -0,0 +1,342 @@
+/* BEGIN_HEADER */
+#include <stdint.h>
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/md.h"
+
+#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
+#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH ( sizeof( PSA_KEY_STORAGE_MAGIC_HEADER ) )
+
+typedef struct {
+ uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
+ uint8_t version[4];
+ uint8_t type[sizeof( psa_key_type_t )];
+ uint8_t policy[sizeof( psa_key_policy_t )];
+ uint8_t data_len[4];
+ uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void format_storage_data_check( data_t *key_data,
+ data_t *expected_file_data,
+ int key_type, int key_usage, int key_alg )
+{
+ uint8_t *file_data;
+ size_t file_data_length;
+ psa_key_policy_t key_policy;
+
+ key_policy.usage = (psa_key_usage_t) key_usage;
+ key_policy.alg = (psa_algorithm_t) key_alg;
+
+ file_data_length = key_data->len + sizeof( psa_persistent_key_storage_format );
+ file_data = mbedtls_calloc( 1, file_data_length );
+ psa_format_key_data_for_storage( key_data->x, key_data->len,
+ (psa_key_type_t) key_type, &key_policy,
+ file_data );
+
+ ASSERT_COMPARE( expected_file_data->x, expected_file_data->len,
+ file_data, file_data_length );
+ mbedtls_free( file_data );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void parse_storage_data_check( data_t *file_data,
+ data_t *expected_key_data,
+ int expected_key_type,
+ int expected_key_usage,
+ int expected_key_alg,
+ int expected_status )
+{
+ uint8_t *key_data = NULL;
+ size_t key_data_length = 0;
+ psa_key_type_t key_type = 0;
+ psa_key_policy_t key_policy;
+ psa_status_t status;
+
+ status = psa_parse_key_data_from_storage( file_data->x, file_data->len,
+ &key_data, &key_data_length,
+ &key_type, &key_policy );
+
+ TEST_ASSERT( status == expected_status );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ TEST_ASSERT( key_type == (psa_key_type_t) expected_key_type );
+ TEST_ASSERT( key_policy.usage == (uint32_t) expected_key_usage );
+ TEST_ASSERT( key_policy.alg == (uint32_t) expected_key_alg );
+ ASSERT_COMPARE( expected_key_data->x, expected_key_data->len,
+ key_data, key_data_length );
+
+exit:
+ mbedtls_free( key_data );
+}
+/* END_CASE */
+
+
+/* BEGIN_CASE */
+void save_large_persistent_key( int data_too_large, int expected_status )
+{
+ psa_key_slot_t slot = 1;
+ uint8_t *data = NULL;
+ size_t data_length = PSA_CRYPTO_MAX_STORAGE_SIZE;
+
+ if( data_too_large )
+ data_length += 1;
+
+ ASSERT_ALLOC( data, data_length );
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key( slot, PSA_KEY_TYPE_RAW_DATA,
+ data, data_length ) == expected_status );
+
+exit:
+ mbedtls_free( data );
+ psa_destroy_persistent_key( slot );
+ mbedtls_psa_crypto_free();
+}
+/* END_CASE */
+
+
+/* BEGIN_CASE */
+void persistent_key_is_configurable( int slot_arg, int type_arg,
+ data_t *data )
+{
+ psa_key_policy_t policy;
+ psa_key_lifetime_t lifetime;
+ psa_key_slot_t slot = (psa_key_slot_t) slot_arg;
+ psa_key_type_t type = (psa_key_type_t) type_arg;
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key( slot, type,
+ data->x, data->len ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_get_key_lifetime( slot, &lifetime ) == PSA_SUCCESS );
+
+ TEST_ASSERT( lifetime == PSA_KEY_LIFETIME_PERSISTENT );
+
+exit:
+ psa_destroy_persistent_key( slot );
+ mbedtls_psa_crypto_free();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void persistent_key_destroy( int slot_arg, int should_store,
+ int first_type_arg, data_t *first_data,
+ int second_type_arg, data_t *second_data )
+{
+ psa_key_policy_t policy;
+ psa_key_slot_t slot = (psa_key_slot_t) slot_arg;
+ psa_key_type_t first_type = (psa_key_type_t) first_type_arg;
+ psa_key_type_t second_type = (psa_key_type_t) second_type_arg;
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+
+ if( should_store == 1 )
+ {
+ TEST_ASSERT( psa_import_key(
+ slot, first_type,
+ first_data->x, first_data->len ) == PSA_SUCCESS );
+ }
+
+ /* Destroy the key */
+ TEST_ASSERT( psa_destroy_key( slot ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_get_key_information(
+ slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT );
+
+ /* Check key slot storage is removed */
+ TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 0 );
+
+ /* Check destroying the key again doesn't report failure */
+ TEST_ASSERT( psa_destroy_key( slot ) == PSA_SUCCESS );
+ TEST_ASSERT( psa_get_key_information(
+ slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT );
+
+ /* Shutdown and restart */
+ mbedtls_psa_crypto_free();
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ /* Mark slot as persistent again */
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ /* Check key slot is empty */
+ TEST_ASSERT( psa_get_key_information(
+ slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT );
+
+ /* Import different key data to ensure slot really was empty */
+ psa_key_policy_init( &policy );
+
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_VENDOR_FLAG );
+
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_import_key(
+ slot, second_type,
+ second_data->x, second_data->len ) == PSA_SUCCESS );
+
+exit:
+ psa_destroy_persistent_key( slot );
+ mbedtls_psa_crypto_free();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void default_volatile_lifetime( int slot_arg, int type_arg, data_t *data )
+{
+ psa_key_policy_t policy;
+ psa_key_slot_t slot = (psa_key_slot_t) slot_arg;
+ psa_key_type_t type = (psa_key_type_t) type_arg;
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+
+ TEST_ASSERT( psa_import_key( slot, type,
+ data->x, data->len ) == PSA_SUCCESS );
+
+ /* Shutdown and restart */
+ mbedtls_psa_crypto_free();
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ /* Check key slot is empty */
+ TEST_ASSERT( psa_get_key_information(
+ slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT );
+
+exit:
+ psa_destroy_persistent_key( slot );
+ mbedtls_psa_crypto_free();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void persistent_key_import( int slot_arg, int type_arg, data_t *data,
+ int expected_status )
+{
+ psa_key_policy_t policy;
+ psa_key_lifetime_t lifetime;
+ psa_key_slot_t slot = (psa_key_slot_t) slot_arg;
+ psa_key_type_t type = (psa_key_type_t) type_arg;
+
+ TEST_ASSERT( psa_crypto_init() == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+
+ TEST_ASSERT( psa_import_key( slot, type,
+ data->x, data->len ) == expected_status );
+
+ if( expected_status != PSA_SUCCESS )
+ {
+ TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 0 );
+ goto exit;
+ }
+
+ TEST_ASSERT( psa_get_key_lifetime( slot, &lifetime ) == PSA_SUCCESS );
+
+ TEST_ASSERT( lifetime == PSA_KEY_LIFETIME_PERSISTENT );
+
+exit:
+ psa_destroy_persistent_key( slot );
+ mbedtls_psa_crypto_free();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void import_export_persistent_key( data_t *data, int type_arg,
+ int expected_bits, int key_not_exist )
+{
+ psa_key_slot_t slot = 1;
+ psa_key_type_t type = (psa_key_type_t) type_arg;
+ unsigned char *exported = NULL;
+ size_t export_size = data->len;
+ size_t exported_length;
+ psa_key_type_t got_type;
+ size_t got_bits;
+ psa_key_policy_t policy;
+ psa_key_lifetime_t lifetime_get;
+
+ ASSERT_ALLOC( exported, export_size );
+
+ TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_set_key_lifetime(
+ slot, PSA_KEY_LIFETIME_PERSISTENT ) == PSA_SUCCESS );
+
+ psa_key_policy_init( &policy );
+
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_VENDOR_FLAG );
+
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
+ /* Import the key */
+ TEST_ASSERT( psa_import_key( slot, type,
+ data->x, data->len ) == PSA_SUCCESS );
+
+ TEST_ASSERT( psa_get_key_lifetime(
+ slot, &lifetime_get ) == PSA_SUCCESS );
+ TEST_ASSERT( lifetime_get == PSA_KEY_LIFETIME_PERSISTENT );
+
+ /* Test the key information */
+ TEST_ASSERT( psa_get_key_information(
+ slot, &got_type, &got_bits ) == PSA_SUCCESS );
+ TEST_ASSERT( got_type == type );
+ TEST_ASSERT( got_bits == (size_t) expected_bits );
+
+ TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 1 );
+
+ if( key_not_exist )
+ {
+ psa_destroy_persistent_key( slot );
+ }
+ /* Export the key */
+ TEST_ASSERT( psa_export_key( slot, exported, export_size,
+ &exported_length ) == PSA_SUCCESS );
+
+ ASSERT_COMPARE( data->x, data->len, exported, exported_length );
+
+ /* Destroy the key */
+ TEST_ASSERT( psa_destroy_key( slot ) == PSA_SUCCESS );
+ TEST_ASSERT( psa_get_key_information(
+ slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT );
+ TEST_ASSERT( psa_is_key_present_in_storage( slot ) == 0 );
+
+exit:
+ mbedtls_free( exported );
+ psa_destroy_persistent_key( slot );
+ mbedtls_psa_crypto_free( );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_psa_crypto_storage_file.data b/tests/suites/test_suite_psa_crypto_storage_file.data
new file mode 100644
index 0000000..730e092
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_storage_file.data
@@ -0,0 +1,43 @@
+PSA Storage Load verify loaded file
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"deadbeef":1:4:PSA_SUCCESS
+
+PSA Storage Load check slots dont share state
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:2:"deadbeef":1:4:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage Load zero length file
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"":1:1:PSA_SUCCESS
+
+PSA Storage Load less than capacity of data buffer
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"deadbeef":1:5:PSA_SUCCESS
+
+PSA Storage Load nonexistent file location, should fail
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"deadbeef":0:4:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage Store verify stored file
+depends_on:MBEDTLS_FS_IO
+write_data_to_file:"deadbeef":PSA_SUCCESS
+
+PSA Storage Store into preexisting location, should fail
+depends_on:MBEDTLS_FS_IO
+write_data_to_prexisting_file:"psa_key_slot_1":"deadbeef":PSA_ERROR_OCCUPIED_SLOT
+
+PSA Storage Store, preexisting temp_location file, should succeed
+depends_on:MBEDTLS_FS_IO
+write_data_to_prexisting_file:"psa_key_slot_0":"deadbeef":PSA_SUCCESS
+
+PSA Storage Get data size verify data size
+depends_on:MBEDTLS_FS_IO
+get_file_size:"deadbeef":4:PSA_SUCCESS:1
+
+PSA Storage Get data size verify data size zero length file
+depends_on:MBEDTLS_FS_IO
+get_file_size:"":0:PSA_SUCCESS:1
+
+PSA Storage Get data size nonexistent file location, should fail
+depends_on:MBEDTLS_FS_IO
+get_file_size:"deadbeef":4:PSA_ERROR_EMPTY_SLOT:0
diff --git a/tests/suites/test_suite_psa_crypto_storage_file.function b/tests/suites/test_suite_psa_crypto_storage_file.function
new file mode 100644
index 0000000..b6dcad7
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_storage_file.function
@@ -0,0 +1,159 @@
+/* BEGIN_HEADER */
+#include <stdint.h>
+#include "psa/crypto.h"
+#include "psa_crypto_storage_backend.h"
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void load_data_from_file( int slot_to_load, data_t *data, int should_make_file,
+ int capacity_arg, int expected_status )
+{
+ char slot_location[] = "psa_key_slot_1";
+ psa_status_t status;
+ int ret;
+ size_t file_size = 0;
+ uint8_t *loaded_data = NULL;
+ size_t capacity = (size_t) capacity_arg;
+
+ if( should_make_file == 1 )
+ {
+ /* Create a file with data contents, with mask permissions. */
+ FILE *file;
+ file = fopen( slot_location, "wb+" );
+ TEST_ASSERT( file != NULL );
+ file_size = fwrite( data->x, 1, data->len, file );
+ TEST_ASSERT( file_size == data->len );
+ ret = fclose( file );
+ TEST_ASSERT( ret == 0 );
+ }
+
+ /* Read from the file with psa_crypto_storage_load. */
+ loaded_data = mbedtls_calloc( 1, capacity );
+ TEST_ASSERT( loaded_data != NULL );
+ status = psa_crypto_storage_load( (psa_key_slot_t) slot_to_load, loaded_data,
+ file_size );
+
+ /* Check we get the expected status. */
+ TEST_ASSERT( status == expected_status );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ /* Check that the file data and data length is what we expect. */
+ ASSERT_COMPARE( data->x, data->len, loaded_data, file_size );
+
+exit:
+ mbedtls_free( loaded_data );
+ remove( slot_location );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void write_data_to_file( data_t *data, int expected_status )
+{
+ char slot_location[] = "psa_key_slot_1";
+ psa_status_t status;
+ int ret;
+ FILE *file;
+ size_t file_size;
+ size_t num_read;
+ uint8_t *loaded_data = NULL;
+
+ /* Write data to file. */
+ status = psa_crypto_storage_store( 1, data->x, data->len );
+
+ /* Check that we got the expected status. */
+ TEST_ASSERT( status == expected_status );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ /* Check that the file length is what we expect */
+ file = fopen( slot_location, "rb" );
+ TEST_ASSERT( file != NULL );
+ fseek( file, 0, SEEK_END );
+ file_size = (size_t) ftell( file );
+ fseek( file, 0, SEEK_SET );
+ TEST_ASSERT( file_size == data->len );
+
+ /* Check that the file contents are what we expect */
+ loaded_data = mbedtls_calloc( 1, data->len );
+ TEST_ASSERT( loaded_data != NULL );
+
+ num_read = fread( loaded_data, 1, file_size, file );
+ TEST_ASSERT( num_read == file_size );
+ ASSERT_COMPARE( data->x, data->len, loaded_data, file_size );
+ ret = fclose( file );
+ TEST_ASSERT( ret == 0 );
+
+exit:
+ mbedtls_free( loaded_data );
+ remove( slot_location );
+}
+/* END_CASE */
+
+
+/* BEGIN_CASE */
+void get_file_size( data_t *data, int expected_data_length,
+ int expected_status, int should_make_file )
+{
+ char slot_location[] = "psa_key_slot_1";
+ psa_status_t status;
+ int ret;
+ size_t file_size;
+
+ if( should_make_file )
+ {
+ /* Create a file with data contents, with mask permissions. */
+ FILE *file;
+ file = fopen( slot_location, "wb+" );
+ TEST_ASSERT( file != NULL );
+ file_size = fwrite( data->x, 1, data->len, file );
+ TEST_ASSERT( file_size == data->len );
+ ret = fclose( file );
+ TEST_ASSERT( ret == 0 );
+ }
+
+ /* Check get data size is what we expect */
+ status = psa_crypto_storage_get_data_length( 1, &file_size );
+ TEST_ASSERT( status == expected_status );
+ if( expected_status == PSA_SUCCESS )
+ TEST_ASSERT( file_size == (size_t)expected_data_length );
+
+exit:
+ remove( slot_location );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void write_data_to_prexisting_file( char *preexist_file_location,
+ data_t *data, int expected_status )
+{
+ char slot_location[] = "psa_key_slot_1";
+ psa_status_t status;
+ int ret;
+ FILE *file;
+
+ /* Create file first */
+ file = fopen( preexist_file_location, "wb" );
+ TEST_ASSERT( file != NULL );
+ ret = fclose( file );
+ TEST_ASSERT( ret == 0 );
+
+ /* Write data to file. */
+ status = psa_crypto_storage_store( 1, data->x, data->len );
+
+ /* Check that we got the expected status. */
+ TEST_ASSERT( status == expected_status );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+exit:
+ remove( preexist_file_location );
+ remove( slot_location );
+}
+/* END_CASE */
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 301d333..91cf2f0 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -230,6 +230,8 @@
<ClInclude Include="..\..\include\psa\crypto_platform.h" />
<ClInclude Include="..\..\include\psa\crypto_sizes.h" />
<ClInclude Include="..\..\include\psa\crypto_struct.h" />
+ <ClInclude Include="..\..\library/psa_crypto_storage.h" />
+ <ClInclude Include="..\..\library/psa_crypto_storage_backend.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\library\aes.c" />
@@ -287,6 +289,8 @@
<ClCompile Include="..\..\library\platform_util.c" />
<ClCompile Include="..\..\library\poly1305.c" />
<ClCompile Include="..\..\library\psa_crypto.c" />
+ <ClCompile Include="..\..\library\psa_crypto_storage.c" />
+ <ClCompile Include="..\..\library\psa_crypto_storage_file.c" />
<ClCompile Include="..\..\library\ripemd160.c" />
<ClCompile Include="..\..\library\rsa.c" />
<ClCompile Include="..\..\library\rsa_internal.c" />