Add acl test - use other partitions' key - manage key

Author: itayzafrir

TESTS/psa/crypto_access_control/COMPONENT_NSPE/main.cpp

@@ -155,6 +155,80 @@ void test_create_key_same_id_different_partitions(void)
     TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_close_key(key_handle_local));
 }
 
+void test_use_other_partition_key_manage_key(void)
+{
+    static const psa_key_id_t key_id = 999;
+    static const psa_key_type_t key_type = PSA_KEY_TYPE_AES;
+    static const psa_algorithm_t key_alg = PSA_ALG_CBC_NO_PADDING;
+    static const psa_key_usage_t key_usage = PSA_KEY_USAGE_EXPORT;
+    static const size_t key_bits = 128;
+    static const unsigned char key_data[] = {
+        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+    };
+    psa_key_handle_t key_handle = 0;
+    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+    unsigned char output[sizeof(key_data)] = { 0 };
+    size_t len, got_key_bits;
+    psa_key_type_t got_key_type;
+    psa_key_lifetime_t got_lifetime;
+
+    /* via test partition - create a key without generating any key material */
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_create_persistent_key(key_id, &key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+
+    /* try to set the key policy for the key that was created by the test partition */
+    psa_key_policy_set_usage(&policy, key_usage, key_alg);
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_set_key_policy(key_handle, &policy));
+
+    /* via test partition - set key policy */
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_set_key_policy(key_handle, key_usage, key_alg));
+
+    /* try to generate key data for the key that was created by the test partition */
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_generate_key(key_handle, key_type, key_bits, NULL, 0));
+
+    /* via test partition - generate key material and close the key */
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_generate_key(key_handle, key_type, key_bits));
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_close_key(key_handle));
+
+    /* via test partition - reopen the key created by the test partition and keep it open */
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_open_persistent_key(key_id, &key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+
+    /* try to work with the handle created for a key created by the test partition */
+    got_key_type = 0;
+    got_key_bits = 0;
+    got_lifetime = 0;
+    policy = psa_key_policy_init();
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_get_key_policy(key_handle, &policy));
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_get_key_lifetime(key_handle, &got_lifetime));
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_close_key(key_handle));
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_destroy_key(key_handle));
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_get_key_information(key_handle, &got_key_type, &got_key_bits));
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_export_key(key_handle, output, sizeof(output), &len));
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_export_public_key(key_handle, output, sizeof(output), &len));
+
+    /* via test partition - destroy the key created by the test partition */
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_destroy_key(key_handle));
+
+    /* via test partition - create a key, set key policy but no key material */
+    key_handle = 0;
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_create_persistent_key(key_id, &key_handle));
+    TEST_ASSERT_NOT_EQUAL(0, key_handle);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_set_key_policy(key_handle, key_usage, key_alg));
+
+    /* try to import key data into the key that was created by the test partition */
+    TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_import_key(key_handle, key_type,
+                                                               key_data, sizeof(key_data)));
+
+    /* via test partition - import key data for the key created by the test partition */
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_import_key(key_handle, key_type, key_data, sizeof(key_data)));
+
+    /* via test partition - close the key created by the test partition */
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_close_key(key_handle));
+}
+
 utest::v1::status_t case_setup_handler(const Case *const source, const size_t index_of_case)
 {
     psa_status_t status = mbed_psa_reboot_and_request_new_security_state(PSA_LIFECYCLE_ASSEMBLY_AND_TEST);
@@ -192,6 +266,8 @@ Case cases[] = {
          case_setup_handler, test_open_other_partition_key, case_teardown_handler),
     Case("create key with same id different partitions",
          case_setup_handler, test_create_key_same_id_different_partitions, case_teardown_handler),
+    Case("use other partitions' key - key manage",
+         case_setup_handler, test_use_other_partition_key_manage_key, case_teardown_handler),
 };
 
 Specification specification(test_setup, cases);

TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.c

@@ -117,3 +117,16 @@ psa_status_t test_partition_crypto_destroy_key(psa_key_handle_t key_handle)
     psa_status_t status = invoke_ipc_call(CRYPTO_DESTROY_KEY, &in_vec, 1, NULL, 0);
     return (status);
 }
+
+psa_status_t test_partition_crypto_import_key(psa_key_handle_t key_handle, psa_key_type_t key_type,
+                                              const unsigned char *key_data, size_t key_data_size)
+{
+    psa_invec in_vec[4] = {
+        { &key_handle, sizeof(key_handle) },
+        { &key_type, sizeof(key_type) },
+        { &key_data_size, sizeof(key_data_size) },
+        { key_data, key_data_size }
+    };
+    psa_status_t status = invoke_ipc_call(CRYPTO_IMPORT_KEY, in_vec, 4, NULL, 0);
+    return (status);
+}

TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.h

@@ -43,6 +43,9 @@ psa_status_t test_partition_crypto_close_key(psa_key_handle_t key_handle);
 
 psa_status_t test_partition_crypto_destroy_key(psa_key_handle_t key_handle);
 
+psa_status_t test_partition_crypto_import_key(psa_key_handle_t key_handle, psa_key_type_t key_type,
+                                              const unsigned char *key_data, size_t key_data_size);
+
 #ifdef __cplusplus
 }
 #endif

TESTS/psa/crypto_access_control/COMPONENT_SPE/TARGET_MBED_SPM/psa_test_partition_partition.c

@@ -149,6 +149,18 @@ spm_rot_service_t test_partition_rot_services[TEST_PARTITION_ROT_SRV_COUNT] = {
             .tail = NULL
         }
     },
+    {
+        .sid = CRYPTO_IMPORT_KEY,
+        .mask = CRYPTO_IMPORT_KEY_MSK,
+        .partition = NULL,
+        .min_version = 1,
+        .min_version_policy = PSA_MINOR_VERSION_POLICY_RELAXED,
+        .allow_nspe = true,
+        .queue = {
+            .head = NULL,
+            .tail = NULL
+        }
+    },
 };
 
 /* External SIDs used by TEST_PARTITION */

TESTS/psa/crypto_access_control/COMPONENT_SPE/psa_test_partition_partition.h

@@ -28,7 +28,7 @@
 
 #define TEST_PARTITION_ID 128
 
-#define TEST_PARTITION_ROT_SRV_COUNT (8UL)
+#define TEST_PARTITION_ROT_SRV_COUNT (9UL)
 #define TEST_PARTITION_EXT_ROT_SRV_COUNT (1UL)
 
 /* TEST_PARTITION event flags */
@@ -56,6 +56,8 @@
 #define CRYPTO_GET_KEY_INFO_MSK (1UL << CRYPTO_GET_KEY_INFO_MSK_POS)
 #define CRYPTO_GET_KEY_POLICY_MSK_POS (11UL)
 #define CRYPTO_GET_KEY_POLICY_MSK (1UL << CRYPTO_GET_KEY_POLICY_MSK_POS)
+#define CRYPTO_IMPORT_KEY_MSK_POS (12UL)
+#define CRYPTO_IMPORT_KEY_MSK (1UL << CRYPTO_IMPORT_KEY_MSK_POS)
 
 #define TEST_PARTITION_WAIT_ANY_SID_MSK (\
     CRYPTO_CREATE_PERSISTENT_KEY_MSK | \
@@ -65,7 +67,8 @@
     CRYPTO_SET_KEY_POLICY_MSK | \
     CRYPTO_DESTROY_KEY_MSK | \
     CRYPTO_GET_KEY_INFO_MSK | \
-    CRYPTO_GET_KEY_POLICY_MSK)
+    CRYPTO_GET_KEY_POLICY_MSK | \
+    CRYPTO_IMPORT_KEY_MSK)
 
 
 #endif // PSA_TEST_PARTITION_PARTITION_H

TESTS/psa/crypto_access_control/COMPONENT_SPE/test_partition.c

@@ -15,6 +15,7 @@
  * limitations under the License.
  */
 
+#include <stdlib.h>
 #include "psa_test_partition_partition.h"
 #include "psa/service.h"
 #include "psa/client.h"
@@ -147,6 +148,29 @@ static psa_status_t crypto_get_key_policy(psa_msg_t *msg)
     return (status);
 }
 
+static psa_status_t crypto_import_key(psa_msg_t *msg)
+{
+    psa_status_t status;
+    psa_key_handle_t key_handle;
+    psa_key_type_t key_type;
+    size_t key_data_size;
+    unsigned char *key_data = NULL;
+
+    read_input_param_from_message(msg, 0, &key_handle);
+    read_input_param_from_message(msg, 1, &key_type);
+    read_input_param_from_message(msg, 2, &key_data_size);
+
+    key_data = calloc(1, key_data_size);
+    if (key_data == NULL) {
+        return (PSA_ERROR_INSUFFICIENT_MEMORY);
+    }
+
+    read_input_param_from_message(msg, 3, key_data);
+
+    status = psa_import_key(key_handle, key_type, key_data, key_data_size);
+    return (status);
+}
+
 static void message_handler(psa_msg_t *msg, SignalHandler handler)
 {
     psa_status_t status = 0;
@@ -207,5 +231,9 @@ void test_partition_main(void)
             psa_get(CRYPTO_GET_KEY_POLICY_MSK, &msg);
             message_handler(&msg, crypto_get_key_policy);
         }
+        if (signal & CRYPTO_IMPORT_KEY_MSK) {
+            psa_get(CRYPTO_IMPORT_KEY_MSK, &msg);
+            message_handler(&msg, crypto_import_key);
+        }
     }
 }

TESTS/psa/crypto_access_control/crypto_acl_test_partition_psa.json

@@ -70,6 +70,14 @@
         "non_secure_clients": true,
         "minor_version": 1,
         "minor_policy": "RELAXED"
+    },
+    {
+        "name": "CRYPTO_IMPORT_KEY",
+        "identifier": "0x00000208",
+        "signal": "CRYPTO_IMPORT_KEY_MSK",
+        "non_secure_clients": true,
+        "minor_version": 1,
+        "minor_policy": "RELAXED"
     }
   ],
   "extern_sids": [

TESTS/psa/crypto_access_control/psa_test_partition_ifs.h

@@ -34,5 +34,6 @@
 #define CRYPTO_DESTROY_KEY 0x00000205
 #define CRYPTO_GET_KEY_INFO 0x00000206
 #define CRYPTO_GET_KEY_POLICY 0x00000207
+#define CRYPTO_IMPORT_KEY 0x00000208
 
 #endif // PSA_TEST_PARTITION_PARTITION_ROT_SERVICES_H