[crypto] Log PSA crypto error codes in more places

Log PSA crypto error codes in more places to make it easier
to catch and analyze crypto misconfiguration, such as too
low number of available key slots.

Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>

Author: Damian-Nordic

src/crypto/CHIPCryptoPALPSA.cpp

@@ -48,14 +48,6 @@ namespace Crypto {
 
 namespace {
 
-void logPsaError(psa_status_t status)
-{
-    if (status != 0)
-    {
-        ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
-    }
-}
-
 bool isBufferNonEmpty(const uint8_t * data, size_t data_length)
 {
     return data != nullptr && data_length > 0;
@@ -281,6 +273,7 @@ CHIP_ERROR PsaKdf::Init(const ByteSpan & secret, const ByteSpan & salt, const By
     psa_set_key_usage_flags(&attrs, PSA_KEY_USAGE_DERIVE);
 
     status = psa_import_key(&attrs, secret.data(), secret.size(), &mSecretKeyId);
+    LogPsaError(status);
     psa_reset_key_attributes(&attrs);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
@@ -312,6 +305,14 @@ CHIP_ERROR PsaKdf::InitOperation(psa_key_id_t hkdfKey, const ByteSpan & salt, co
     return CHIP_NO_ERROR;
 }
 
+void LogPsaError(psa_status_t status)
+{
+    if (status != 0)
+    {
+        ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
+    }
+}
+
 CHIP_ERROR PsaKdf::DeriveBytes(const MutableByteSpan & output)
 {
     psa_status_t status = psa_key_derivation_output_bytes(&mOperation, output.data(), output.size());
@@ -367,6 +368,7 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u
     VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INTERNAL);
 
 exit:
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attrs);
 
@@ -476,6 +478,7 @@ CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * pass, size_t pass_length
     }
 
 exit:
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attrs);
 
@@ -519,7 +522,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len
     error = out_signature.SetLength(outputLen);
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     return error;
 }
 
@@ -544,7 +547,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_msg_signature(const uint8_t * msg, cons
     VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attributes);
 
@@ -573,7 +576,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, co
     VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attributes);
 
@@ -596,7 +599,7 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k
     SuccessOrExit(error = out_secret.SetLength(outputLength));
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
 
     return error;
 }
@@ -671,7 +674,7 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
     mInitialized = true;
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     psa_reset_key_attributes(&attributes);
 
     return error;
@@ -697,7 +700,7 @@ CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const
     error = output.SetLength(bbuf.Needed());
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
 
     return error;
 }
@@ -728,7 +731,7 @@ CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input)
     mInitialized = true;
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
 
     return error;
 }

src/crypto/CHIPCryptoPALPSA.h

@@ -150,5 +150,10 @@ class PsaKdf
     psa_key_derivation_operation_t mOperation = PSA_KEY_DERIVATION_OPERATION_INIT;
 };
 
+/**
+ * @brief Log PSA status code if it indicates an error.
+ */
+void LogPsaError(psa_status_t status);
+
 } // namespace Crypto
 } // namespace chip

src/crypto/PSAOperationalKeystore.cpp

@@ -160,6 +160,7 @@ CHIP_ERROR PSAOperationalKeystore::PersistentP256Keypair::Deserialize(P256Serial
     memcpy(mPublicKey.Bytes(), input.ConstBytes(), mPublicKey.Length());
 
 exit:
+    LogPsaError(status);
     psa_reset_key_attributes(&attributes);
 
     return error;

src/crypto/PSASessionKeystore.cpp

@@ -90,8 +90,8 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
     psa_destroy_key(key.As<psa_key_id_t>());
 
     AesKeyAttributes attrs;
-    psa_status_t status =
-        psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
+    psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial, sizeof(keyMaterial), &key.AsMutable<psa_key_id_t>());
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;
@@ -103,9 +103,8 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
     psa_destroy_key(key.As<psa_key_id_t>());
 
     HmacKeyAttributes attrs;
-    psa_status_t status =
-        psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
-
+    psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial, sizeof(keyMaterial), &key.AsMutable<psa_key_id_t>());
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;
@@ -118,7 +117,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const ByteSpan & keyMaterial, HkdfKeyHa
 
     HkdfKeyAttributes attrs;
     psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial.data(), keyMaterial.size(), &key.AsMutable<psa_key_id_t>());
-
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;