Implement PersistICDKey API

maciejbaczmanski · Sep 4, 2024 · 32d4cda · 32d4cda
1 parent bd79546
commit 32d4cda
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 2 deletions.
diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
@@ -67,6 +67,7 @@ source_set("public_headers") {
 
   public_deps = [
     ":crypto_buildconfig",
+    "${chip_root}/src/app/icd/server:icd-server-config",
     "${chip_root}/src/lib/asn1",
     "${chip_root}/src/lib/core",
     "${chip_root}/src/lib/core:types",

diff --git a/src/crypto/PSASessionKeystore.cpp b/src/crypto/PSASessionKeystore.cpp
@@ -84,7 +84,7 @@ class HkdfKeyAttributes : public KeyAttributesBase
 CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128KeyHandle & key)
 {
     // Destroy the old key if already allocated
-    psa_destroy_key(key.As<psa_key_id_t>());
+    DestroyKey(key);
 
     AesKeyAttributes attrs;
     psa_status_t status =
@@ -98,7 +98,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
 CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128KeyHandle & key)
 {
     // Destroy the old key if already allocated
-    psa_destroy_key(key.As<psa_key_id_t>());
+    DestroyKey(key);
 
     HmacKeyAttributes attrs;
     psa_status_t status =
@@ -189,5 +189,72 @@ void PSASessionKeystore::DestroyKey(HkdfKeyHandle & key)
     keyId = PSA_KEY_ID_NULL;
 }
 
+#if CHIP_CONFIG_ENABLE_ICD_CIP
+CHIP_ERROR PSASessionKeystore::PersistICDKey(Aes128KeyHandle & key)
+{
+    CHIP_ERROR err;
+    AesKeyAttributes attrs;
+    psa_key_id_t previousKeyId = key.As<psa_key_id_t>();
+    psa_key_attributes_t previousKeyAttrs;
+
+    psa_get_key_attributes(previousKeyId, &previousKeyAttrs);
+    // Exit early if key is already persistent
+    if (psa_get_key_lifetime(&previousKeyAttrs) == PSA_KEY_LIFETIME_PERSISTENT)
+    {
+        ExitNow(err = CHIP_NO_ERROR);
+    }
+
+    SuccessOrExit(err = Crypto::FindFreeKeySlotInRange(key.AsMutable<psa_key_id_t>(),
+                                                       to_underlying(KeyIdBase::ICDAesKeyRangeStart), kMaxICDClientKeys));
+
+    SuccessOrExit(err = attrs.SetKeyPersistence(key.As<psa_key_id_t>()));
+    VerifyOrExit(psa_copy_key(previousKeyId, &attrs.Get(), &key.AsMutable<psa_key_id_t>()) == PSA_SUCCESS,
+                 err = CHIP_ERROR_INTERNAL);
+
+    psa_destroy_key(previousKeyId);
+
+exit:
+    if (err != CHIP_NO_ERROR)
+    {
+        psa_destroy_key(previousKeyId);
+        psa_destroy_key(key.As<psa_key_id_t>());
+    }
+
+    return err;
+}
+
+CHIP_ERROR PSASessionKeystore::PersistICDKey(Hmac128KeyHandle & key)
+{
+    CHIP_ERROR err;
+    HmacKeyAttributes attrs;
+    psa_key_id_t previousKeyId = key.As<psa_key_id_t>();
+    psa_key_attributes_t previousKeyAttrs;
+
+    psa_get_key_attributes(previousKeyId, &previousKeyAttrs);
+    // Exit early if key is already persistent
+    if (psa_get_key_lifetime(&previousKeyAttrs) == PSA_KEY_LIFETIME_PERSISTENT)
+    {
+        ExitNow(err = CHIP_NO_ERROR);
+    }
+
+    SuccessOrExit(err = Crypto::FindFreeKeySlotInRange(key.AsMutable<psa_key_id_t>(),
+                                                       to_underlying(KeyIdBase::ICDHmacKeyRangeStart), kMaxICDClientKeys));
+    SuccessOrExit(err = attrs.SetKeyPersistence(key.As<psa_key_id_t>()));
+    VerifyOrExit(psa_copy_key(previousKeyId, &attrs.Get(), &key.AsMutable<psa_key_id_t>()) == PSA_SUCCESS,
+                 err = CHIP_ERROR_INTERNAL);
+
+    psa_destroy_key(previousKeyId);
+
+exit:
+    if (err != CHIP_NO_ERROR)
+    {
+        psa_destroy_key(previousKeyId);
+        psa_destroy_key(key.As<psa_key_id_t>());
+    }
+
+    return err;
+}
+#endif
+
 } // namespace Crypto
 } // namespace chip
diff --git a/src/crypto/PSASessionKeystore.h b/src/crypto/PSASessionKeystore.h
@@ -17,6 +17,7 @@
 
 #pragma once
 
+#include <app/icd/server/ICDServerConfig.h>
 #include <crypto/CHIPCryptoPALPSA.h>
 #include <crypto/SessionKeystore.h>
 
@@ -38,6 +39,10 @@ class PSASessionKeystore : public SessionKeystore
                                  AttestationChallenge & attestationChallenge) override;
     void DestroyKey(Symmetric128BitsKeyHandle & key) override;
     void DestroyKey(HkdfKeyHandle & key) override;
+#if CHIP_CONFIG_ENABLE_ICD_CIP
+    CHIP_ERROR PersistICDKey(Aes128KeyHandle & key) override;
+    CHIP_ERROR PersistICDKey(Hmac128KeyHandle & key) override;
+#endif
 
 private:
     CHIP_ERROR DeriveSessionKeys(PsaKdf & kdf, Aes128KeyHandle & i2rKey, Aes128KeyHandle & r2iKey,

diff --git a/src/crypto/SessionKeystore.h b/src/crypto/SessionKeystore.h
@@ -140,6 +140,22 @@ class SessionKeystore
     virtual CHIP_ERROR DeriveSessionKeys(const HkdfKeyHandle & secretKey, const ByteSpan & salt, const ByteSpan & info,
                                          Aes128KeyHandle & i2rKey, Aes128KeyHandle & r2iKey,
                                          AttestationChallenge & attestationChallenge) = 0;
+
+    /**
+     * @brief Store key in persistent PSA storage and return a key handle for an ICD Aes key.
+     *
+     * If the method returns no error, the application is responsible for destroying the handle
+     * using the DestroyKey() method when the key is no longer needed.
+     */
+    virtual CHIP_ERROR PersistICDKey(Aes128KeyHandle & key) { return CHIP_NO_ERROR; }
+
+    /**
+     * @brief Store key in persistent PSA storage and return a key handle for an ICD Hmac key.
+     *
+     * If the method returns no error, the application is responsible for destroying the handle
+     * using the DestroyKey() method when the key is no longer needed.
+     */
+    virtual CHIP_ERROR PersistICDKey(Hmac128KeyHandle & key) { return CHIP_NO_ERROR; }
 };
 
 /**