
Commit c2f9f13

committed
[crypto] Log PSA crypto error codes in more places
Log PSA crypto error codes in more places to make it easier to catch and analyze crypto misconfiguration, such as too few available key slots. Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>
1 parent 0d67568 commit c2f9f13

4 files changed

+29
-17
lines changed

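--- a/src/crypto/CHIPCryptoPALPSA.cpp
+++ b/src/crypto/CHIPCryptoPALPSA.cpp
@@ -48,14 +48,6 @@ namespace Crypto {
 
 namespace {
 
-void logPsaError(psa_status_t status)
-{
-if (status != 0)
-{
-ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
-}
-}
-
 bool isBufferNonEmpty(const uint8_t * data, size_t data_length)
 {
 return data != nullptr && data_length > 0;
@@ -281,6 +273,7 @@ CHIP_ERROR PsaKdf::Init(const ByteSpan & secret, const ByteSpan & salt, const By
 psa_set_key_usage_flags(&attrs, PSA_KEY_USAGE_DERIVE);
 
 status = psa_import_key(&attrs, secret.data(), secret.size(), &mSecretKeyId);
+LogPsaError(status);
 psa_reset_key_attributes(&attrs);
 VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
@@ -312,9 +305,18 @@ CHIP_ERROR PsaKdf::InitOperation(psa_key_id_t hkdfKey, const ByteSpan & salt, co
 return CHIP_NO_ERROR;
 }
 
+void LogPsaError(psa_status_t status)
+{
+if (status != PSA_SUCCESS)
+{
+ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
+}
+}
+
 CHIP_ERROR PsaKdf::DeriveBytes(const MutableByteSpan & output)
 {
 psa_status_t status = psa_key_derivation_output_bytes(&mOperation, output.data(), output.size());
+LogPsaError(status);
 VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
 return CHIP_NO_ERROR;
@@ -323,6 +325,7 @@ CHIP_ERROR PsaKdf::DeriveBytes(const MutableByteSpan & output)
 CHIP_ERROR PsaKdf::DeriveKey(const psa_key_attributes_t & attributes, psa_key_id_t & keyId)
 {
 psa_status_t status = psa_key_derivation_output_key(&attributes, &mOperation, &keyId);
+LogPsaError(status);
 VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
 return CHIP_NO_ERROR;
@@ -367,6 +370,7 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u
 VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INTERNAL);
 
 exit:
+LogPsaError(status);
 psa_destroy_key(keyId);
 psa_reset_key_attributes(&attrs);
 
@@ -476,6 +480,7 @@ CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * pass, size_t pass_length
 }
 
 exit:
+LogPsaError(status);
 psa_destroy_key(keyId);
 psa_reset_key_attributes(&attrs);
 
@@ -519,7 +524,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len
 error = out_signature.SetLength(outputLen);
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 return error;
 }
 
@@ -544,7 +549,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_msg_signature(const uint8_t * msg, cons
 VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 psa_destroy_key(keyId);
 psa_reset_key_attributes(&attributes);
 
@@ -573,7 +578,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, co
 VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 psa_destroy_key(keyId);
 psa_reset_key_attributes(&attributes);
 
@@ -596,7 +601,7 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k
 SuccessOrExit(error = out_secret.SetLength(outputLength));
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 
 return error;
 }
@@ -671,7 +676,7 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
 mInitialized = true;
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 psa_reset_key_attributes(&attributes);
 
 return error;
@@ -697,7 +702,7 @@ CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const
 error = output.SetLength(bbuf.Needed());
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 
 return error;
 }
@@ -728,7 +733,7 @@ CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input)
 mInitialized = true;
 
 exit:
-logPsaError(status);
+LogPsaError(status);
 
 return error;
 }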
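Review bot: The `LogPsaError(status)` calls added under `exit:` in `HMAC_sha::HMAC_SHA256` and `PBKDF2_sha256::pbkdf2_sha256` (and in `PersistentP256Keypair::Deserialize` in src/crypto/PSAOperationalKeystore.cpp) run on every path that jumps to the label, so they depend on `status` still holding `PSA_SUCCESS` whenever no PSA call has failed. The declarations of `status` lie outside these hunks; if any of them is not written as `psa_status_t status = PSA_SUCCESS;`, an early `VerifyOrExit` on an argument check would log a stale or indeterminate code. Separately, the message `"PSA error: %d"` is now emitted from more than a dozen call sites across three files and does not say which operation failed, which limits its value for diagnosing key-slot exhaustion. A small macro wrapper that also records the caller, for example `ChipLogError(Crypto, "PSA error in %s: %d", __func__, static_cast<int>(status));`, would make each log line attributable.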

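--- a/src/crypto/CHIPCryptoPALPSA.h
+++ b/src/crypto/CHIPCryptoPALPSA.h
@@ -150,5 +150,10 @@ class PsaKdf
 psa_key_derivation_operation_t mOperation = PSA_KEY_DERIVATION_OPERATION_INIT;
 };
 
+/**
+* @brief Log PSA status code if it indicates an error.
+*/
+void LogPsaError(psa_status_t status);
+
 } // namespace Crypto
 } // namespace chip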

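--- a/src/crypto/PSAOperationalKeystore.cpp
+++ b/src/crypto/PSAOperationalKeystore.cpp
@@ -160,6 +160,7 @@ CHIP_ERROR PSAOperationalKeystore::PersistentP256Keypair::Deserialize(P256Serial
 memcpy(mPublicKey.Bytes(), input.ConstBytes(), mPublicKey.Length());
 
 exit:
+LogPsaError(status);
 psa_reset_key_attributes(&attributes);
 
 return error;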

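--- a/src/crypto/PSASessionKeystore.cpp
+++ b/src/crypto/PSASessionKeystore.cpp
@@ -92,6 +92,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
 AesKeyAttributes attrs;
 psa_status_t status =
 psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
+LogPsaError(status);
 VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
 return CHIP_NO_ERROR;
@@ -105,7 +106,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
 HmacKeyAttributes attrs;
 psa_status_t status =
 psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
-
+LogPsaError(status);
 VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
 return CHIP_NO_ERROR;
@@ -118,7 +119,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const ByteSpan & keyMaterial, HkdfKeyHa
 
 HkdfKeyAttributes attrs;
 psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial.data(), keyMaterial.size(), &key.AsMutable<psa_key_id_t>());
-
+LogPsaError(status);
 VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
 return CHIP_NO_ERROR;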
