[WIP] Support functionality of toranj/wpanctl to leave before join

Without PSA API supported, the default random Network Key is not reset
after factory reset. This PR mimics the same functionality for the
PSA crypto backend.

Author: LuDuda

src/core/thread/key_manager.cpp

@@ -179,17 +179,10 @@ KeyManager::KeyManager(Instance &aInstance)
     otPlatCryptoInit();
 
 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
-    {
-        NetworkKey networkKey;
-
-        mNetworkKeyRef = Crypto::Storage::kInvalidKeyRef;
-        mPskcRef       = Crypto::Storage::kInvalidKeyRef;
-
-        IgnoreError(networkKey.GenerateRandom());
-        StoreNetworkKey(networkKey, /* aOverWriteExisting */ false);
-    }
+    mNetworkKeyRef = Crypto::Storage::kInvalidKeyRef;
+    mPskcRef       = Crypto::Storage::kInvalidKeyRef;
 #else
-    IgnoreError(mNetworkKey.GenerateRandom());
+    mNetworkKey.Clear();
     mPskc.Clear();
 #endif
 
@@ -200,6 +193,22 @@ void KeyManager::Start(void)
 {
     mKeySwitchGuardTimer = 0;
     ResetKeyRotationTimer();
+
+#if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
+    NetworkKey networkKey;
+
+    // Generate random Network Key, if there is none currently.
+    if (mNetworkKeyRef == Crypto::Storage::kInvalidKeyRef)
+    {
+        IgnoreError(networkKey.GenerateRandom());
+        SetNetworkKey(networkKey);
+    }
+#else
+    if (mNetworkKey.IsEmpty())
+    {
+        mNetworkKey.GenerateRandom();
+    }
+#endif
 }
 
 void KeyManager::Stop(void) { mKeyRotationTimer.Stop(); }
@@ -345,6 +354,12 @@ void KeyManager::UpdateKeyMaterial(void)
 {
     HashKeys hashKeys;
 
+#if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
+    VerifyOrExit(Crypto::Storage::IsKeyRefValid(mNetworkKeyRef));
+#else
+    VerifyOrExit(!mNetworkKey.IsEmpty());
+#endif
+
     ComputeKeys(mKeySequence, hashKeys);
 
     mMleKey.SetFrom(hashKeys.GetMleKey());
@@ -375,6 +390,9 @@ void KeyManager::UpdateKeyMaterial(void)
         mTrelKey.SetFrom(key);
     }
 #endif
+
+exit:
+    return;
 }
 
 void KeyManager::SetCurrentKeySequence(uint32_t aKeySequence, KeySeqUpdateFlags aFlags)
@@ -711,7 +729,13 @@ void KeyManager::DestroyTemporaryKeys(void)
     Get<Mac::Mac>().ClearMode2Key();
 }
 
-void KeyManager::DestroyPersistentKeys(void) { Get<Crypto::Storage::KeyRefManager>().DestroyPersistentKeys(); }
+void KeyManager::DestroyPersistentKeys(void)
+{
+    Get<Crypto::Storage::KeyRefManager>().DestroyPersistentKeys();
+
+    mNetworkKeyRef = Crypto::Storage::kInvalidKeyRef;
+    mPskcRef       = Crypto::Storage::kInvalidKeyRef;
+}
 
 #endif // OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
 

src/core/thread/key_manager.hpp

@@ -148,6 +148,25 @@ class NetworkKey : public otNetworkKey, public Equatable<NetworkKey>, public Cle
      * @retval kErrorFailed   Failed to generate random sequence.
      */
     Error GenerateRandom(void) { return Random::Crypto::Fill(*this); }
+
+    /**
+     * Checks if the  Network Key is empty (all bytes are zero).
+     *
+     * @retval true   The key is empty.
+     * @retval false  The key is not empty.
+     */
+    bool IsEmpty(void)
+    {
+        for (uint8_t i = 0; i < kSize; i++)
+        {
+            if (m8[i] != 0)
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
 #endif
 
 } OT_TOOL_PACKED_END;

tests/toranj/ncp/test-002-form.py

@@ -90,13 +90,11 @@
 
 node.set(wpan.WPAN_PANID, '0x1977')
 node.set(wpan.WPAN_XPANID, '1020031510006016', binary_data=True)
-node.set(wpan.WPAN_KEY, '0123456789abcdeffecdba9876543210', binary_data=True)
 
 node.form('mazda', channel=12)
 verify(node.get(wpan.WPAN_STATE) == wpan.STATE_ASSOCIATED)
 verify(node.get(wpan.WPAN_NAME) == '"mazda"')
 verify(node.get(wpan.WPAN_CHANNEL) == '12')
-verify(node.get(wpan.WPAN_KEY) == '[0123456789ABCDEFFECDBA9876543210]')
 verify(node.get(wpan.WPAN_PANID) == '0x1977')
 verify(node.get(wpan.WPAN_XPANID) == '0x1020031510006016')