On 30/10/2023 04:10, Jiamei Xie wrote:
Hi Gilles,
Thanks for your reply.
On 2023/10/27 00:36, Gilles Peskine wrote:
Hello,
The function in your driver that implements a function that operates on a key, e.g. the "asymmetric_encrypt", has the following prototype:

    psa_status_t my_driver_asymmetric_encrypt(const psa_key_attributes_t *attributes,
                                              const uint8_t *key_buffer,
                                              size_t key_buffer_size,
                                              ...);

(See https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.5.0/docs/proposed/psa-dri...)
Your driver can identify the key using the content of key_buffer. For an opaque driver, this can be either the key material in wrapped form (if your secure element doesn't have persistent storage) or an identifier chosen when the key is created (if your secure element keeps the key in its own storage, and you access the key externally through some name or identifier).
If I understand correctly, your secure element (the RSS) happens to implement the PSA API, so you access the key via a persistent key identifier. Then you should use this key identifier as the content of key_buffer.
Yes. This is exactly my scenario.
If I understand it correctly, the current code https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.5.0/library/psa_crypto.c#... doesn't consider the situation where the key buffer is a key identifier. 'key_id' is 32-bit and 'key_buffer' is 8-bit. To replace key identifier as the content of key_buffer:
When calling
    status = psa_driver_wrapper_asymmetric_encrypt(
        &attributes, slot->key.data, slot->key.bytes,
        alg, input, input_length, salt, salt_length,
        output, output_size, output_length);
It should
- convert key (a struct with a 32-bit member and optional owner member) to key_buffer (uint8_t * 4) and make the key_buffer the input of psa_driver_wrapper_asymmetric_encrypt.
- convert key_buffer (uint8_t * 4) into key_id (32-bit).
Yes. You can use memcpy for that (not a cast, because key_buffer might not be aligned for a uint32_t). That will work unless you want to have persistent keys and read them back on machines with a different endianness.
Best regards,
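
Added example, not part of the original thread and not Mbed TLS code: the memcpy conversion discussed above, with a size check on the driver side, and (going beyond the thread) a fixed little-endian encoding for the persistent-key case where endianness may differ. The ex_* names and status values are hypothetical; ex_key_id_t stands in for a 32-bit key identifier.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumption: ex_key_id_t stands in for a 32-bit PSA key identifier; all
 * ex_* names and status values are hypothetical, not Mbed TLS definitions. */
typedef uint32_t ex_key_id_t;
enum { EX_OK = 0, EX_ERR_INVALID = -1 };

/* Core side: place the identifier in key_buffer in native byte order. */
int ex_key_id_to_buffer(ex_key_id_t id, uint8_t *buf, size_t size)
{
    if (buf == NULL || size < sizeof(id))
        return EX_ERR_INVALID;
    memcpy(buf, &id, sizeof(id));
    return EX_OK;
}

/* Driver side: key_buffer may be unaligned, so copy instead of casting,
 * and reject any buffer that is not exactly one identifier long. */
int ex_key_id_from_buffer(const uint8_t *buf, size_t size, ex_key_id_t *id)
{
    if (buf == NULL || id == NULL || size != sizeof(*id))
        return EX_ERR_INVALID;
    memcpy(id, buf, sizeof(*id));
    return EX_OK;
}

/* Fixed little-endian form: same bytes on any host, for stored keys. */
void ex_key_id_to_le(ex_key_id_t id, uint8_t out[4])
{
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(id >> (8 * i));
}
ex_key_id_t ex_key_id_from_le(const uint8_t in[4])
{
    ex_key_id_t id = 0;
    for (int i = 0; i < 4; i++) id |= (ex_key_id_t)in[i] << (8 * i);
    return id;
}

/* Round trip through a deliberately misaligned buffer; 0 on failure. */
ex_key_id_t ex_round_trip_unaligned(ex_key_id_t id)
{
    uint8_t storage[1 + sizeof(ex_key_id_t)];
    ex_key_id_t out = 0;
    if (ex_key_id_to_buffer(id, storage + 1, sizeof(id)) != EX_OK ||
        ex_key_id_from_buffer(storage + 1, sizeof(id), &out) != EX_OK)
        return 0;
    return out;
}
```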