crypto: Update to Mbed Crypto 1.0.0d1

TESTS/mbed-crypto/sanity/main.cpp

@@ -85,7 +85,7 @@ void test_crypto_random(void)
 void test_crypto_asymmetric_encrypt_decrypt(void)
 {
     psa_status_t status = PSA_SUCCESS;
-    psa_key_slot_t slot = 1;
+    psa_key_handle_t key_handle = 0;
     psa_key_type_t key_type = PSA_KEY_TYPE_RSA_KEYPAIR;
     psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
     size_t key_bits = 512, got_bits = 0, output_length;
@@ -94,21 +94,23 @@ void test_crypto_asymmetric_encrypt_decrypt(void)
     unsigned char encrypted[64];
     unsigned char decrypted[sizeof(input)];
 
-    psa_key_policy_init(&policy);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&key_handle));
+
+    policy = psa_key_policy_init();
     psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(slot, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
 
-    status = psa_generate_key(slot, key_type, key_bits, NULL, 0);
+    status = psa_generate_key(key_handle, key_type, key_bits, NULL, 0);
     TEST_SKIP_UNLESS_MESSAGE(status != PSA_ERROR_NOT_SUPPORTED, "RSA key generation is not supported");
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_get_key_information(slot, NULL, &got_bits));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_get_key_information(key_handle, NULL, &got_bits));
     TEST_ASSERT_EQUAL(key_bits, got_bits);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_encrypt(slot, alg, input, sizeof(input), NULL, 0,
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_encrypt(key_handle, alg, input, sizeof(input), NULL, 0,
                                                           encrypted, sizeof(encrypted), &output_length));
     TEST_ASSERT_EQUAL(sizeof(encrypted), output_length);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_decrypt(slot, alg, encrypted, sizeof(encrypted), NULL, 0,
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_decrypt(key_handle, alg, encrypted, sizeof(encrypted), NULL, 0,
                                                           decrypted, sizeof(decrypted), &output_length));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(slot));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(key_handle));
     TEST_ASSERT_EQUAL(sizeof(input), output_length);
     TEST_ASSERT_EQUAL_UINT8_ARRAY(input, decrypted, output_length);
 }
@@ -124,14 +126,15 @@ void test_crypto_hash_verify(void)
         0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
     };
 
+    operation = psa_hash_operation_init();
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_hash_setup(&operation, alg));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_hash_verify(&operation, hash, sizeof(hash)));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_hash_abort(&operation));
 }
 
 void test_crypto_symmetric_cipher_encrypt_decrypt(void)
 {
-    psa_key_slot_t slot = 1;
+    psa_key_handle_t key_handle = 0;
     psa_key_type_t key_type = PSA_KEY_TYPE_AES;
     psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
     psa_cipher_operation_t operation;
@@ -151,12 +154,16 @@ void test_crypto_symmetric_cipher_encrypt_decrypt(void)
     };
     unsigned char encrypted[sizeof(input)], decrypted[sizeof(input)], iv[16];
 
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&key_handle));
+
     memset(iv, 0x2a, sizeof(iv));
-    psa_key_policy_init(&policy);
+    policy = psa_key_policy_init();
     psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(slot, &policy));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_import_key(slot, key_type, key, sizeof(key)));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_encrypt_setup(&operation, slot, alg));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_import_key(key_handle, key_type, key, sizeof(key)));
+
+    operation = psa_cipher_operation_init();
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_encrypt_setup(&operation, key_handle, alg));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_set_iv(&operation, iv, sizeof(iv)));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_update(&operation, input, sizeof(input),
                                                      encrypted, sizeof(encrypted), &output_len));
@@ -165,20 +172,21 @@ void test_crypto_symmetric_cipher_encrypt_decrypt(void)
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_abort(&operation));
     TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_encryption, encrypted, sizeof(expected_encryption));
 
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_decrypt_setup(&operation, slot, alg));
+    operation = psa_cipher_operation_init();
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_decrypt_setup(&operation, key_handle, alg));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_set_iv(&operation, iv, sizeof(iv)));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_update(&operation, encrypted, sizeof(encrypted),
                                                      decrypted, sizeof(decrypted), &output_len));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_finish(&operation, decrypted + output_len,
                                                      sizeof(decrypted) - output_len, &output_len));
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_cipher_abort(&operation));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(slot));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(key_handle));
     TEST_ASSERT_EQUAL_HEX8_ARRAY(input, decrypted, sizeof(input));
 }
 
 void test_crypto_asymmetric_sign_verify(void)
 {
-    psa_key_slot_t slot = 1;
+    psa_key_handle_t key_handle = 0;
     psa_key_type_t key_type = PSA_KEY_TYPE_RSA_KEYPAIR;
     psa_algorithm_t alg = PSA_ALG_RSA_PKCS1V15_SIGN_RAW;
     psa_key_policy_t policy;
@@ -252,47 +260,98 @@ void test_crypto_asymmetric_sign_verify(void)
     unsigned char signature[sizeof(expected_signature)];
     size_t signature_len;
 
-    psa_key_policy_init(&policy);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&key_handle));
+
+    policy = psa_key_policy_init();
     psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY, alg);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(slot, &policy));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_import_key(slot, key_type, key, sizeof(key)));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_sign(slot, alg, input, sizeof(input),
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_import_key(key_handle, key_type, key, sizeof(key)));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_sign(key_handle, alg, input, sizeof(input),
                                                        signature, sizeof(signature), &signature_len));
     TEST_ASSERT_EQUAL(sizeof(signature), signature_len);
     TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_signature, signature, signature_len);
 
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_verify(slot, alg, input, sizeof(input),
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_asymmetric_verify(key_handle, alg, input, sizeof(input),
                                                          signature, signature_len));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(slot));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(key_handle));
 }
 
 void test_crypto_key_derivation(void)
 {
-    psa_key_slot_t slot = 1, derived_slot = 2;
+    psa_key_handle_t key_handle = 0, derived_key_handle = 0;
     psa_algorithm_t alg = PSA_ALG_HKDF(PSA_ALG_SHA_256), derived_alg = PSA_ALG_CTR;
-    psa_key_type_t derived_key_type = PSA_KEY_TYPE_AES, got_type;
+    psa_key_type_t key_type = PSA_KEY_TYPE_DERIVE, derived_key_type = PSA_KEY_TYPE_AES, got_type;
     psa_key_policy_t policy;
     psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
     size_t key_bits = 512, derived_key_bits = 256, got_bits;
 
-    psa_key_policy_init(&policy);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&key_handle));
+
+    policy = psa_key_policy_init();
     psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_DERIVE, alg);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(slot, &policy));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generate_key(slot, PSA_KEY_TYPE_DERIVE, key_bits, NULL, 0));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_key_derivation(&generator, slot, alg, NULL, 0, NULL, 0,
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generate_key(key_handle, key_type, key_bits, NULL, 0));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_key_derivation(&generator, key_handle, alg, NULL, 0, NULL, 0,
                                                       PSA_BITS_TO_BYTES(derived_key_bits)));
+
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&derived_key_handle));
     psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_ENCRYPT, derived_alg);
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(derived_slot, &policy));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generator_import_key(derived_slot, derived_key_type,
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(derived_key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generator_import_key(derived_key_handle, derived_key_type,
                                                             derived_key_bits, &generator));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_get_key_information(derived_slot, &got_type, &got_bits));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_get_key_information(derived_key_handle, &got_type, &got_bits));
     TEST_ASSERT_EQUAL(derived_key_type, got_type);
     TEST_ASSERT_EQUAL(derived_key_bits, got_bits);
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generator_abort(&generator));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(slot));
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(derived_slot));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(key_handle));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(derived_key_handle));
 }
 
+void test_crypto_key_handles(void)
+{
+    psa_key_id_t id = 999;
+    psa_key_type_t type = PSA_KEY_TYPE_AES;
+    size_t bits = 256;
+    psa_key_usage_t usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
+    psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
+    psa_key_handle_t key_handle;
+    psa_key_policy_t policy;
+
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+    policy = psa_key_policy_init();
+    psa_key_policy_set_usage(&policy, usage, alg);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generate_key(key_handle, type, bits, NULL, 0));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_close_key(key_handle));
+
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_allocate_key(&key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+    policy = psa_key_policy_init();
+    psa_key_policy_set_usage(&policy, usage, alg);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generate_key(key_handle, type, bits, NULL, 0));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(key_handle));
+
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_create_key(PSA_KEY_LIFETIME_PERSISTENT, id, &key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+    policy = psa_key_policy_init();
+    psa_key_policy_set_usage(&policy, usage, alg);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_set_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_generate_key(key_handle, type, bits, NULL, 0));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_close_key(key_handle));
+
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_open_key(PSA_KEY_LIFETIME_PERSISTENT, id, &key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_destroy_key(key_handle));
+
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_ERROR_EMPTY_SLOT, psa_open_key(PSA_KEY_LIFETIME_PERSISTENT, id, &key_handle));
+}
 
 utest::v1::status_t case_setup_handler(const Case *const source, const size_t index_of_case)
 {
@@ -326,6 +385,7 @@ Case cases[] = {
     Case("mbed-crypto symmetric cipher encrypt/decrypt", case_setup_handler, test_crypto_symmetric_cipher_encrypt_decrypt, case_teardown_handler),
     Case("mbed-crypto asymmetric sign/verify", case_setup_handler, test_crypto_asymmetric_sign_verify, case_teardown_handler),
     Case("mbed-crypto key derivation", case_setup_handler, test_crypto_key_derivation, case_teardown_handler),
+    Case("mbed-crypto key handles", case_setup_handler, test_crypto_key_handles, case_teardown_handler),
 };
 
 Specification specification(test_setup, cases);

features/mbedtls/VERSION.txt

@@ -1,2 +1 @@
 mbedtls-2.15.1
-mbedcrypto-0.1.0b2

features/mbedtls/importer/Makefile

@@ -32,34 +32,15 @@ MBED_TLS_REPO_URL ?= [email protected]:ARMmbed/mbedtls-restricted.git
 
 # Translate between mbed TLS namespace and mbed namespace
 TARGET_PREFIX:=../
-TARGET_PREFIX_CRYPTO:=../mbed-crypto/
 TARGET_SRC:=$(TARGET_PREFIX)src
 TARGET_INC:=$(TARGET_PREFIX)inc
 TARGET_TESTS:=$(TARGET_PREFIX)TESTS
 
-# New folder structure is introduced here for targets with Secured-Partition-Environment
-# and Non-Secured-Partition-Environment, below documentation for each folder:
-# COMPONENT_PSA_SRV_IMPL - include secure service business logic implementation
-# code. For example Mbed Crypto or secure time core logic
-TARGET_SRV_IMPL:=$(TARGET_PREFIX_CRYPTO)/platform/TARGET_PSA/COMPONENT_PSA_SRV_IMPL
-# COMPONENT_SPE - include code that compiles ONLY to secure image and never
-# compiles to non-secure image
-TARGET_SPE:=$(TARGET_PREFIX_CRYPTO)/platform/TARGET_PSA/COMPONENT_SPE
-# The folder contain specific target implementation using hardware.
-TARGET_PSA_DRIVERS:=$(TARGET_PREFIX_CRYPTO)/targets
-# COMPONENT_NSPE - include code that compiles ONLY to non-secure image and
-# never compiles to secure image
-TARGET_NSPE:=$(TARGET_SRV_IMPL)/COMPONENT_NSPE
-
 # mbed TLS source directory - hidden from mbed via TARGET_IGNORE
 MBED_TLS_DIR:=TARGET_IGNORE/mbedtls
 MBED_TLS_API:=$(MBED_TLS_DIR)/include/mbedtls
 MBED_TLS_GIT_CFG=$(MBED_TLS_DIR)/.git/config
 
-# Mbed Crypto directory - hidden from mbed via TARGET_IGNORE
-MBED_CRYPTO_DIR:=$(MBED_TLS_DIR)/crypto
-MBED_CRYPTO_API:=$(MBED_CRYPTO_DIR)/include/psa
-
 .PHONY: all deploy deploy-tests rsync mbedtls clean update
 
 all: mbedtls
@@ -81,23 +62,6 @@ rsync:
 	cp $(MBED_TLS_DIR)/LICENSE $(TARGET_PREFIX)
 	cp $(MBED_TLS_DIR)/apache-2.0.txt $(TARGET_PREFIX)
 	#
-	# Create Mbed Crypto target folder
-	mkdir -p $(TARGET_PREFIX_CRYPTO)
-	#
-	# Copying Mbed Crypto into Mbed OS..
-	rm -rf $(TARGET_SRV_IMPL)
-	rm -rf $(TARGET_SPE)
-
-	mkdir -p $(TARGET_SRV_IMPL)
-	mkdir -p $(TARGET_SPE)
-	mkdir -p $(TARGET_NSPE)
-	mkdir -p $(TARGET_PSA_DRIVERS)
-
-	rsync -a --delete --exclude='crypto_struct.h' $(MBED_CRYPTO_API) $(TARGET_INC)
-	rsync -a --delete $(MBED_CRYPTO_API)/crypto_struct.h $(TARGET_NSPE)
-	rsync -a --delete $(MBED_CRYPTO_API)/crypto_struct.h $(TARGET_SPE)/crypto_struct_spe.h
-	rsync -a --delete $(MBED_CRYPTO_DIR)/library/psa_*.c $(TARGET_SRV_IMPL)
-	rsync -a --delete $(MBED_CRYPTO_DIR)/library/psa_*.h $(TARGET_SRV_IMPL)
 
 deploy: rsync
 	#
@@ -128,14 +92,8 @@ update: $(MBED_TLS_GIT_CFG)  $(MBED_TLS_HA_GIT_CFG)
 	# Checking out the required release
 	git -C $(MBED_TLS_DIR) checkout $(MBED_TLS_RELEASE)
 	#
-	# Update and checkout git submodules
-	git -C $(MBED_TLS_DIR) submodule update --init --recursive
-	#
 	# Updating checked out version tag
 	echo $(MBED_TLS_RELEASE) > $(TARGET_PREFIX)VERSION.txt
-	#
-	# Updating Mbed Crypto checked out version tag
-	git -C $(MBED_CRYPTO_DIR) describe --tags --abbrev=12 --dirty --always >> $(TARGET_PREFIX)VERSION.txt
 
 $(MBED_TLS_GIT_CFG):
 	rm -rf $(MBED_TLS_DIR)
@@ -149,5 +107,3 @@ clean:
 	rm -rf $(TARGET_SRC)
 	rm -rf $(TARGET_INC)
 	rm -rf $(MBED_TLS_DIR)
-	rm -rf $(TARGET_SRV_IMPL)
-	rm -rf $(TARGET_SPE)

features/mbedtls/importer/adjust-config.sh

@@ -146,7 +146,7 @@ conf unset MBEDTLS_PLATFORM_TIME_TYPE_MACRO
 # which should fit RSA 4096 bit keys.
 conf set MBEDTLS_MPI_MAX_SIZE     512
 
-# The following configurations are a needed for Mbed Crypto submodule.
+# The following configurations are needed for Mbed Crypto.
 # They are related to the persistent key storage feature.
 conf set MBEDTLS_PSA_CRYPTO_STORAGE_C
 conf set MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C

features/mbedtls/mbed-crypto/LICENSE

@@ -0,0 +1,2 @@
+Unless specifically indicated otherwise in a file, files are licensed
+under the Apache 2.0 license, as can be found in: apache-2.0.txt

features/mbedtls/mbed-crypto/VERSION.txt

@@ -0,0 +1 @@
+mbedcrypto-1.0.0d1