Add support for key wrapping (v2) #224
Conversation
* psa_wrap_key() and psa_unwrap_key() functions * AES-KW and AES-KWP algorithms
athoelke
added
enhancement
athoelke
requested review from
gilles-peskine-arm,
ndevillard and
MarcusJGStreets
| @@ -375,6 +380,9 @@ typedef struct psa_custom_key_parameters_t { | |||
| /* implementation-defined value */ | |||
| #define PSA_TLS12_ECJPAKE_TO_PMS_OUTPUT_SIZE 32 | |||
| #define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE /* implementation-defined value */ | |||
| #define PSA_WRAP_KEY_OUTPUT_SIZE(wrap_key_type, alg, key_type, key_bits) \ | |||
| /* implementation-defined value */ | |||
| #define PSA_WRAP_KEY_PAIR_MAX_SIZE /* implementation-defined value */ | |||
There was a problem hiding this comment.
I would expect PSA_WRAP_KEY_OUTPUT_MAX_SIZE instead of PSA_WRAP_KEY_PAIR_MAX_SIZE.
There was a problem hiding this comment.
psa_wrap_key() has the same issue as psa_export_key() in relation to a MAX_SIZE macro for the output. There is no really helpful limit on the size of what can be stored in the keystore, for example certificates could be stored as PSA_KEY_TYPE_RAW_DATA. The description for the output buffer size states:
- This API defines no maximum size for wrapped symmetric keys. Arbitrarily large data items can be stored in the key store, for example certificates that correspond to a stored private key or input material for key derivation.
For key export, we have PSA_EXPORT_KEY_PAIR_MAX_SIZE, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE and (new for 1.3) PSA_EXPORT_ASYMMETRIC_KEY_MAX_SIZE (which is just the maximum of the other two). The reason for separate key-pair and public-key sizes is that these can be very different values, and most use cases would know which of these is required, permitting a more efficient choice of buffer size.
For key wrapping, I didn't include a macro for wrapped public keys, or asymmetric keys in general as I expected that there is no real use case for simple wrapping of public keys. If this assumption is wrong, I would be happy to add the additional macros to the API, or we might determine that a single one for wrapped asymmetric key maximum size is sufficient.
There was a problem hiding this comment.
Agreed, there is no general maximum size for export and key_wrap, thanks for the explanation!
This PR replaces #215, simplifying the API to only support key wrapping algorithms, and not wrapped-key formats. Wrapped-key formats will be considered later, along with import and export of formatted key data (see also #50, #149 and #207 for more discussion).
This added the
psa_wrap_key()andpsa_unwrap_key()functions, and support for AES-KW and AES-KWP algorithms.Open issues:
NIST 800-38F describes a generalised AES-KW and AES-KWP to support any 128-bit 'approved block cipher', which exactly matches RFC 3394 and RFC 5649 definitions for the AES block cipher. Is it valuable to define this as the more general algorithm identifier, compatible with any 128-bit block cipher key, or just keep the AES-specific name and AES-only compatibility?
I have allocated a new algorithm category, as key-wrapping algorithms tend to be specialized authenticated encryption. However, AES-SIV can be used as a general AEAD algorithm, as well as a key-wrapping algorithm. Would that be problematic?
I have recycled the 'S' bit in the algorithm identifier to flag whether the algorithm has alignment constraints on the input data (AES-KW does, AES-KWP does not) - similar to block-aligned sizes for some block-mode ciphers. Is this at all useful, or should we just make this bit 0 for key-wrap algorithms?
Partly fixes #50