On 08/01/2024 18:10, S Krishnan, Archanaa via mbed-tls wrote:
Hello,
In psa_validate_key_attributes(), when the key ID is invalid for persistent keys the function returns PSA_ERROR_INVALID_ARGUMENT. See https://github.com/Mbed-TLS/mbedtls/blob/development/library/psa_crypto.c#L1....
The comments for PSA_ERROR_INVALID_ARGUMENT explicitly state that this error should not be returned when the key identifier is invalid; instead PSA_ERROR_INVALID_HANDLE should be returned.
For the above psa_validate_key_attributes() use case, which is the correct return code - PSA_ERROR_INVALID_ARGUMENT or PSA_ERROR_INVALID_HANDLE?
PSA_ERROR_INVALID_HANDLE means that the caller attempted to consume a key that doesn't exist. That error condition does not apply to psa_validate_key_attributes: this function is called when creating a key. For this function, a non-existent key identifier is a success condition. This function returns PSA_ERROR_INVALID_ARGUMENT when it is not permitted to create a key with the given identifier.
This is admittedly not explicit in the generic description of the error code in the PSA specification (https://arm-software.github.io/psa-api/crypto/1.1/api/library/status.html#co...), but it is clear in the descriptions of individual functions. Contrast for example psa_import_key https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html#c.psa_import_key (“PSA_ERROR_INVALID_ARGUMENT: (…) The key identifier is not valid for the key lifetime.”; no error condition with PSA_ERROR_INVALID_HANDLE) and psa_mac_compute https://arm-software.github.io/psa-api/crypto/1.1/api/ops/macs.html#c.psa_mac_compute (“PSA_ERROR_INVALID_HANDLE: key is not a valid key identifier”; no error condition with PSA_ERROR_INVALID_ARGUMENT). Or check psa_copy_key https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html#c.psa_copy_key: INVALID_HANDLE if the source parameter doesn't refer to an existing key, INVALID_ARGUMENT if the desired target identifier is not acceptable.
Best regards,
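As an added illustration of the distinction drawn in the reply above (this is a constructed model, not Mbed TLS or PSA library code): the creation path judges whether an identifier is permitted for the lifetime, while the consumption path judges whether a key exists behind it. Status codes and identifier ranges are the values from psa/crypto_values.h; the key store and the rule that a volatile key carries PSA_KEY_ID_NULL are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Status codes and identifier ranges as defined in psa/crypto_values.h. */
typedef int32_t psa_status_t;
#define PSA_SUCCESS                 ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT  ((psa_status_t)-135)
#define PSA_ERROR_INVALID_HANDLE    ((psa_status_t)-136)
#define PSA_ERROR_ALREADY_EXISTS    ((psa_status_t)-139)
#define PSA_KEY_LIFETIME_VOLATILE   0u
#define PSA_KEY_LIFETIME_PERSISTENT 1u
#define PSA_KEY_ID_NULL             0u
#define PSA_KEY_ID_USER_MIN         0x00000001u
#define PSA_KEY_ID_USER_MAX         0x3fffffffu

/* Constructed toy key store: the identifiers that currently "exist". */
static const uint32_t stored_ids[] = { 0x00000001u, 0x00001000u };

static bool key_exists(uint32_t id) {
    for (size_t i = 0; i < sizeof stored_ids / sizeof stored_ids[0]; i++)
        if (stored_ids[i] == id) return true;
    return false;
}

/* Creation path (models what psa_validate_key_attributes decides):
 * a persistent id that does not exist yet is the normal success case;
 * an id outside the user range, or a non-null id on a volatile key
 * (assumption: Mbed TLS behaviour), is PSA_ERROR_INVALID_ARGUMENT. */
psa_status_t validate_for_creation(uint32_t lifetime, uint32_t id) {
    if (lifetime == PSA_KEY_LIFETIME_VOLATILE)
        return id == PSA_KEY_ID_NULL ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
    if (id < PSA_KEY_ID_USER_MIN || id > PSA_KEY_ID_USER_MAX)
        return PSA_ERROR_INVALID_ARGUMENT;
    return key_exists(id) ? PSA_ERROR_ALREADY_EXISTS : PSA_SUCCESS;
}

/* Consumption path (models psa_mac_compute and similar operations):
 * the only question is whether a key exists; a missing one is INVALID_HANDLE. */
psa_status_t validate_for_use(uint32_t id) {
    return key_exists(id) ? PSA_SUCCESS : PSA_ERROR_INVALID_HANDLE;
}
```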