psa: Add storage implementation for files
Add new functions, psa_load_persistent_key(),
psa_free_persistent_key_data(), and psa_save_persistent_key(), for
managing persistent keys. These functions load to or save from our
internal representation of key slots. Serialization is a concern of the
storage backend implementation and doesn't abstraction-leak into the
lifetime management code.
An initial implementation for files is provided. Additional storage
backends can implement this interface for other storage types.
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 0c2ac88..04e404c 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -54,6 +54,8 @@
platform_util.c
poly1305.c
psa_crypto.c
+ psa_crypto_storage.c
+ psa_crypto_storage_file.c
ripemd160.c
rsa.c
rsa_internal.c
diff --git a/library/Makefile b/library/Makefile
index cf6750d..83afa66 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -82,6 +82,8 @@
pkcs5.o pkparse.o pkwrite.o \
platform.o platform_util.o poly1305.o \
psa_crypto.o \
+ psa_crypto_storage.o \
+ psa_crypto_storage_file.o \
ripemd160.o rsa_internal.o rsa.o \
sha1.o sha256.o sha512.o \
threading.o timing.o version.o \
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
new file mode 100644
index 0000000..5285826
--- /dev/null
+++ b/library/psa_crypto_storage.c
@@ -0,0 +1,195 @@
+/*
+ * PSA persistent key storage
+ */
+/* Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc calloc
+#define mbedtls_free free
+#endif
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i) \
+{ \
+ (n) = ( (uint32_t) (b)[(i) ] ) \
+ | ( (uint32_t) (b)[(i) + 1] << 8 ) \
+ | ( (uint32_t) (b)[(i) + 2] << 16 ) \
+ | ( (uint32_t) (b)[(i) + 3] << 24 ); \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i) \
+{ \
+ (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
+ (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
+ (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
+ (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
+}
+#endif
+
+typedef struct {
+ uint8_t version[4];
+ uint8_t type[sizeof( psa_key_type_t )];
+ uint8_t policy[sizeof( psa_key_policy_t )];
+ uint8_t data_len[4];
+ uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage( const uint8_t *data,
+ const size_t data_length,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ uint8_t *storage_data )
+{
+ psa_persistent_key_storage_format *storage_format =
+ (psa_persistent_key_storage_format *) storage_data;
+
+ PUT_UINT32_LE(0, storage_format->version, 0);
+ PUT_UINT32_LE(type, storage_format->type, 0);
+ PUT_UINT32_LE(policy->usage, storage_format->policy, 0);
+ PUT_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+ PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+ memcpy( storage_format->key_data, data, data_length );
+}
+
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy )
+{
+ const psa_persistent_key_storage_format *storage_format =
+ (const psa_persistent_key_storage_format *)storage_data;
+ uint32_t version;
+
+ GET_UINT32_LE(version, storage_format->version, 0);
+ if( version != 0 )
+ return( PSA_ERROR_STORAGE_FAILURE );
+
+ GET_UINT32_LE(*key_data_length, storage_format->data_len, 0);
+ if( *key_data_length > ( storage_data_length - sizeof(*storage_format) ) ||
+ *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+ return( PSA_ERROR_STORAGE_FAILURE );
+
+ *key_data = mbedtls_calloc( 1, *key_data_length );
+ if( *key_data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ GET_UINT32_LE(*type, storage_format->type, 0);
+ GET_UINT32_LE(policy->usage, storage_format->policy, 0);
+ GET_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+
+ memcpy( *key_data, storage_format->key_data, *key_data_length );
+
+ return( PSA_SUCCESS );
+}
+
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ const uint8_t *data,
+ const size_t data_length )
+{
+ size_t storage_data_length;
+ uint8_t *storage_data;
+ psa_status_t status;
+
+ if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+ return PSA_ERROR_INSUFFICIENT_STORAGE;
+ storage_data_length = data_length + sizeof( psa_persistent_key_storage_format );
+
+ storage_data = mbedtls_calloc( 1, storage_data_length );
+ if( storage_data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ psa_format_key_data_for_storage( data, data_length, type, policy,
+ storage_data );
+
+ status = psa_crypto_storage_store( key,
+ storage_data, storage_data_length );
+
+ mbedtls_free( storage_data );
+
+ return( status );
+}
+
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length )
+{
+ if( key_data != NULL )
+ {
+ mbedtls_platform_zeroize( key_data, key_data_length );
+ }
+ mbedtls_free( key_data );
+}
+
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy,
+ uint8_t **data,
+ size_t *data_length )
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *loaded_data;
+ size_t storage_data_length = 0;
+
+ status = psa_crypto_storage_get_data_length( key, &storage_data_length );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ loaded_data = mbedtls_calloc( 1, storage_data_length );
+
+ if( loaded_data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+ status = psa_crypto_storage_load( key, loaded_data, storage_data_length );
+ if( status != PSA_SUCCESS )
+ goto exit;
+
+ status = psa_parse_key_data_from_storage( loaded_data, storage_data_length,
+ data, data_length, type, policy );
+
+exit:
+ mbedtls_free( loaded_data );
+ return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
new file mode 100644
index 0000000..167b0db
--- /dev/null
+++ b/library/psa_crypto_storage.h
@@ -0,0 +1,177 @@
+/**
+ * \file psa_crypto_storage.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage
+ */
+/*
+ * Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_H
+#define PSA_CRYPTO_STORAGE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+ * in each of its header files. */
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include <stdint.h>
+
+/* Limit the maximum key size to 30kB (just in case someone tries to
+ * inadvertently store an obscene amount of data) */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE ( 30 * 1024 )
+
+/**
+ * \brief Format key data and metadata and save to a location for given key
+ * slot.
+ *
+ * This function formats the key data and metadata and saves it to a
+ * persistent storage backend. The storage location corresponding to the
+ * key slot must be empty, otherwise this function will fail. This function
+ * should be called after psa_import_key_into_slot() to ensure the
+ * persistent key is not saved into a storage location corresponding to an
+ * already occupied non-persistent key, as well as validating the key data.
+ *
+ *
+ * \param key Slot number of the key to be stored. This must be a
+ * valid slot for a key of the chosen type. This should be
+ * an occupied key slot with an unoccupied corresponding
+ * storage location.
+ * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[in] policy The key policy to save.
+ * \param[in] data Buffer containing the key data.
+ * \param data_length The number of bytes that make up the key data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ const uint8_t *data,
+ const size_t data_length );
+
+/**
+ * \brief Parses key data and metadata and load persistent key for given
+ * key slot number.
+ *
+ * This function reads from a storage backend, parses the key data and
+ * metadata and writes them to the appropriate output parameters.
+ *
+ * Note: This function allocates a buffer and returns a pointer to it through
+ * the data parameter. psa_free_persistent_key_data() must be called after
+ * this function to zeroize and free this buffer, regardless of whether this
+ * function succeeds or fails.
+ *
+ * \param key Slot number whose content is to be loaded. This
+ * must be an unoccupied key slot with an occupied
+ * corresponding storage location. The key slot
+ * lifetime must be set to persistent.
+ * \param[out] type On success, the key type (a \c PSA_KEY_TYPE_XXX
+ * value).
+ * \param[out] policy On success, the key's policy.
+ * \param[out] data Pointer to an allocated key data buffer on return.
+ * \param[out] data_length The number of bytes that make up the key data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy,
+ uint8_t **data,
+ size_t *data_length );
+
+/**
+ * \brief Remove persistent data for the given key slot number.
+ *
+ * \param key Slot number whose content is to be removed
+ * from persistent storage.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key );
+
+/**
+ * \brief Zeroizes and frees the given buffer.
+ *
+ * This function must be called at some point after psa_load_persistent_key()
+ * to zeroize and free the memory allocated to the buffer in that function.
+ *
+ * \param key_data Buffer for the key data.
+ * \param key_data_length Size of the key data buffer.
+ *
+ */
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length );
+
+/**
+ * \brief Formats key data and metadata for persistent storage
+ *
+ * \param[in] data Buffer for the key data.
+ * \param data_length Length of the key data buffer.
+ * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param policy The key policy.
+ * \param[out] storage_data Output buffer for the formatted data.
+ *
+ */
+void psa_format_key_data_for_storage( const uint8_t *data,
+ const size_t data_length,
+ const psa_key_type_t type,
+ const psa_key_policy_t *policy,
+ uint8_t *storage_data );
+
+/**
+ * \brief Parses persistent storage data into key data and metadata
+ *
+ * \param[in] storage_data Buffer for the storage data.
+ * \param storage_data_length Length of the storage data buffer
+ * \param[out] key_data On output, pointer to a newly allocated buffer
+ * containing the key data. This must be freed
+ * using psa_free_persistent_key_data()
+ * \param[out] key_data_length Length of the key data buffer
+ * \param[out] type Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[out] policy The key policy.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_type_t *type,
+ psa_key_policy_t *policy );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_crypto_storage_backend.h b/library/psa_crypto_storage_backend.h
new file mode 100644
index 0000000..3ca9a1d
--- /dev/null
+++ b/library/psa_crypto_storage_backend.h
@@ -0,0 +1,112 @@
+/**
+ * \file psa_crypto_storage_backend.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage backend
+ */
+/*
+ * Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_BACKEND_H
+#define PSA_CRYPTO_STORAGE_BACKEND_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+ * in each of its header files. */
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include <stdint.h>
+
+/**
+ * \brief Load persistent data for the given key slot number.
+ *
+ * This function reads data from a storage backend and returns the data in a
+ * buffer.
+ *
+ * \param key Slot number whose content is to be loaded. This must
+ * be a key slot whose lifetime is set to persistent.
+ * \param[out] data Buffer where the data is to be written.
+ * \param data_size Size of the \c data buffer in bytes.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data,
+ size_t data_size );
+
+/**
+ * \brief Store persistent data for the given key slot number.
+ *
+ * This function stores the given data buffer to a persistent storage.
+ *
+ * \param key Slot number whose content is to be stored.
+ * \param[in] data Buffer containing the data to be stored.
+ * \param data_length The number of bytes
+ * that make up the data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_store( const psa_key_slot_t key,
+ const uint8_t *data,
+ size_t data_length );
+
+/**
+ * \brief Checks if persistent data is stored for the given key slot number
+ *
+ * This function checks if any key data or metadata exists for the key slot in
+ * the persistent storage.
+ *
+ * \param key Slot number whose content is to be checked.
+ *
+ * \retval 0
+ * No persistent data present for slot number
+ * \retval 1
+ * Persistent data present for slot number
+ */
+int psa_is_key_present_in_storage( const psa_key_slot_t key );
+
+/**
+ * \brief Get data length for given key slot number.
+ *
+ * \param key Slot number whose stored data length is to be obtained.
+ * \param[out] data_length The number of bytes
+ * that make up the data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key,
+ size_t *data_length );
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_crypto_storage_file.c b/library/psa_crypto_storage_file.c
new file mode 100644
index 0000000..03c711a
--- /dev/null
+++ b/library/psa_crypto_storage_file.c
@@ -0,0 +1,218 @@
+/*
+ * PSA file storage backend for persistent keys
+ */
+/* Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
+
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+/* This option sets where files are to be stored. If this is left unset,
+ * the files by default will be stored in the same location as the program,
+ * which may not be desired or possible. */
+#if !defined(CRYPTO_STORAGE_FILE_LOCATION)
+#define CRYPTO_STORAGE_FILE_LOCATION ""
+#endif
+
+enum { MAX_LOCATION_LEN = sizeof(CRYPTO_STORAGE_FILE_LOCATION) + 40 };
+
+static void key_slot_to_location( const psa_key_slot_t key,
+ char *location,
+ size_t location_size )
+{
+ mbedtls_snprintf( location, location_size,
+ CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_%d", key );
+}
+
+psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data,
+ size_t data_size )
+{
+ psa_status_t status = PSA_SUCCESS;
+ FILE *file;
+ size_t num_read;
+ char slot_location[MAX_LOCATION_LEN];
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+ file = fopen( slot_location, "rb" );
+ if( file == NULL )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+ num_read = fread( data, 1, data_size, file );
+ if( num_read != data_size )
+ status = PSA_ERROR_STORAGE_FAILURE;
+
+exit:
+ if( file != NULL )
+ fclose( file );
+ return( status );
+}
+
+int psa_is_key_present_in_storage( const psa_key_slot_t key )
+{
+ char slot_location[MAX_LOCATION_LEN];
+ FILE *file;
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ file = fopen( slot_location, "r" );
+ if( file == NULL )
+ {
+ /* File doesn't exist */
+ return( 0 );
+ }
+
+ fclose( file );
+ return( 1 );
+}
+
+psa_status_t psa_crypto_storage_store( const psa_key_slot_t key,
+ const uint8_t *data,
+ size_t data_length )
+{
+ psa_status_t status = PSA_SUCCESS;
+ int ret;
+ size_t num_written;
+ char slot_location[MAX_LOCATION_LEN];
+ FILE *file;
+ /* The storage location corresponding to "key slot 0" is used as a
+ * temporary location in order to make the apparition of the actual slot
+ * file atomic. 0 is not a valid key slot number, so this should not
+ * affect actual keys. */
+ const char *temp_location = CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_0";
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ if( psa_is_key_present_in_storage( key ) == 1 )
+ return( PSA_ERROR_OCCUPIED_SLOT );
+
+ file = fopen( temp_location, "wb" );
+ if( file == NULL )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ num_written = fwrite( data, 1, data_length, file );
+ if( num_written != data_length )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ ret = fclose( file );
+ file = NULL;
+ if( ret != 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ if( rename( temp_location, slot_location ) != 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+exit:
+ if( file != NULL )
+ fclose( file );
+ remove( temp_location );
+ return( status );
+}
+
+psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key )
+{
+ FILE *file;
+ char slot_location[MAX_LOCATION_LEN];
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ /* Only try remove the file if it exists */
+ file = fopen( slot_location, "rb" );
+ if( file != NULL )
+ {
+ fclose( file );
+
+ if( remove( slot_location ) != 0 )
+ return( PSA_ERROR_STORAGE_FAILURE );
+ }
+ return( PSA_SUCCESS );
+}
+
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key,
+ size_t *data_length )
+{
+ psa_status_t status = PSA_SUCCESS;
+ FILE *file;
+ long file_size;
+ char slot_location[MAX_LOCATION_LEN];
+
+ key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+ file = fopen( slot_location, "rb" );
+ if( file == NULL )
+ return( PSA_ERROR_EMPTY_SLOT );
+
+ if( fseek( file, 0, SEEK_END ) != 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+ file_size = ftell( file );
+
+ if( file_size < 0 )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+
+#if LONG_MAX > SIZE_MAX
+ if( (unsigned long) file_size > SIZE_MAX )
+ {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ goto exit;
+ }
+#endif
+ *data_length = (size_t) file_size;
+
+exit:
+ fclose( file );
+ return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
diff --git a/library/version_features.c b/library/version_features.c
index ffad82f..7ef8997 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -687,6 +687,12 @@
#if defined(MBEDTLS_PSA_CRYPTO_C)
"MBEDTLS_PSA_CRYPTO_C",
#endif /* MBEDTLS_PSA_CRYPTO_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ "MBEDTLS_PSA_CRYPTO_STORAGE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
+ "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
#if defined(MBEDTLS_RIPEMD160_C)
"MBEDTLS_RIPEMD160_C",
#endif /* MBEDTLS_RIPEMD160_C */