add key policy enforcement implementation
add checks that keys have been set for the correct usage for asymmetric
functions.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ba688bc..dce8e09 100755
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1345,6 +1345,8 @@
slot = &global_data.key_slots[key];
if( slot->type == PSA_KEY_TYPE_NONE )
return( PSA_ERROR_EMPTY_SLOT );
+ if (!(slot->policy.usage & PSA_KEY_USAGE_VERIFY))
+ return(PSA_ERROR_NOT_PERMITTED);
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
@@ -1431,6 +1433,8 @@
return( PSA_ERROR_EMPTY_SLOT );
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
+ if (!(slot->policy.usage & PSA_KEY_USAGE_ENCRYPT))
+ return(PSA_ERROR_NOT_PERMITTED);
#if defined(MBEDTLS_RSA_C)
@@ -1505,6 +1509,8 @@
return( PSA_ERROR_EMPTY_SLOT );
if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
+ if (!(slot->policy.usage & PSA_KEY_USAGE_DECRYPT))
+ return(PSA_ERROR_NOT_PERMITTED);
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index caa0abd..690b22c 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -595,6 +595,7 @@
size_t signature_size;
psa_status_t actual_status;
psa_status_t expected_status = expected_status_arg;
+ psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@@ -605,6 +606,12 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_VERIFY, alg_arg );
+
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@@ -643,6 +650,7 @@
unsigned char *output2 = NULL;
size_t output2_size = 0;
size_t output2_length = 0;
+ psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@@ -657,6 +665,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@@ -710,6 +722,7 @@
size_t output_length = 0;
psa_status_t actual_status;
psa_status_t expected_status = expected_status_arg;
+ psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@@ -721,6 +734,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@@ -774,6 +791,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );
@@ -818,6 +839,7 @@
size_t output_length = 0;
psa_status_t actual_status;
psa_status_t expected_status = expected_status_arg;
+ psa_key_policy_t policy = {0};
key_data = unhexify_alloc( key_hex, &key_size );
TEST_ASSERT( key_data != NULL );
@@ -829,6 +851,10 @@
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
TEST_ASSERT( psa_import_key( slot, key_type,
key_data, key_size ) == PSA_SUCCESS );