nrf_security: Refactor get_opaque_size function

This refactors the function cracen_get_opaque_size so that it
returns psa_status_t and not a size_t value. With ths previous
implementation it was not possible to distinguish between
a key with invalid arguments or a key which is revoked.
Revocation support will be added soon and this separation is
needed.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>

Author: Vge0rge

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h

@@ -247,7 +247,7 @@ psa_status_t cracen_copy_key(psa_key_attributes_t *attributes, const uint8_t *so
 
 psa_status_t cracen_destroy_key(const psa_key_attributes_t *attributes);
 
-size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes);
+psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size);
 
 psa_status_t cracen_jpake_setup(cracen_jpake_operation_t *operation,
 				const psa_key_attributes_t *attributes, const uint8_t *password,

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c

@@ -806,26 +806,28 @@ psa_status_t cracen_load_keyref(const psa_key_attributes_t *attributes, const ui
 	return PSA_SUCCESS;
 }
 
-size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes)
+psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size)
 {
 	if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
 	    PSA_KEY_LOCATION_CRACEN) {
 		switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes))) {
 		case CRACEN_BUILTIN_IDENTITY_KEY_ID:
 			if (psa_get_key_type(attributes) ==
 			    PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
-				return sizeof(ikg_opaque_key);
+				*key_size = sizeof(ikg_opaque_key);
+				return PSA_SUCCESS;
 			}
 			break;
 		case CRACEN_BUILTIN_MEXT_ID:
 		case CRACEN_BUILTIN_MKEK_ID:
 			if (psa_get_key_type(attributes) == PSA_KEY_TYPE_AES) {
-				return sizeof(ikg_opaque_key);
+				*key_size = sizeof(ikg_opaque_key);
+				return PSA_SUCCESS;
 			}
 			break;
 #ifdef CONFIG_PSA_NEED_CRACEN_PLATFORM_KEYS
 		default:
-			return cracen_platform_keys_get_size(attributes);
+			return cracen_platform_keys_get_size(attributes, key_size);
 #endif
 		}
 	}
@@ -835,15 +837,19 @@ size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes)
 		if (PSA_KEY_TYPE_IS_ECC(psa_get_key_type(attributes))) {
 			if (psa_get_key_type(attributes) ==
 			    PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
-				return PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(
+				*key_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(
 					psa_get_key_type(attributes), psa_get_key_bits(attributes));
+			} else {
+				*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
 			}
-			return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
 		} else if (psa_get_key_type(attributes) == PSA_KEY_TYPE_HMAC) {
-			return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
+			*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
 		} else {
-			return sizeof(kmu_opaque_key_buffer);
+			*key_size = sizeof(kmu_opaque_key_buffer);
 		}
+
+		return PSA_SUCCESS;
 	}
-	return 0;
+
+	return PSA_ERROR_INVALID_ARGUMENT;
 }

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -880,12 +880,18 @@ psa_status_t cracen_import_key(const psa_key_attributes_t *attributes, const uin
 			MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)));
 		psa_key_attributes_t stored_attributes;
 
-		if (key_buffer_size < cracen_get_opaque_size(attributes)) {
-			return PSA_ERROR_BUFFER_TOO_SMALL;
+		size_t opaque_key_size;
+		psa_status_t status = cracen_get_opaque_size(attributes, &opaque_key_size);
+
+		if (status != PSA_SUCCESS) {
+			return status;
 		}
 
-		psa_status_t status = cracen_kmu_provision(attributes, slot_id, data, data_length);
+		if (key_buffer_size < opaque_key_size) {
+			return PSA_ERROR_BUFFER_TOO_SMALL;
+		}
 
+		status = cracen_kmu_provision(attributes, slot_id, data, data_length);
 		if (status != PSA_SUCCESS) {
 			return status;
 		}
@@ -1182,6 +1188,9 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 				    psa_key_attributes_t *attributes, uint8_t *key_buffer,
 				    size_t key_buffer_size, size_t *key_buffer_length)
 {
+	size_t opaque_key_size;
+	psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+
 	/* According to the PSA Crypto Driver specification, the PSA core will set the `id`
 	 * and the `lifetime` field of the attribute struct. We will fill all the other
 	 * attributes, and update the `lifetime` field to be more specific.
@@ -1199,12 +1208,17 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 							    PSA_KEY_USAGE_VERIFY_HASH |
 							    PSA_KEY_USAGE_VERIFY_MESSAGE);
 
+		status = cracen_get_opaque_size(attributes, &opaque_key_size);
+		if (status != PSA_SUCCESS) {
+			return status;
+		}
+
 		/* According to the PSA Crypto Driver interface proposed document the driver
 		 * should fill the attributes even if the buffer of the key is too small. So
 		 * we check the buffer here and not earlier in the function.
 		 */
-		if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
-			*key_buffer_length = cracen_get_opaque_size(attributes);
+		if (key_buffer_size >= opaque_key_size) {
+			*key_buffer_length = opaque_key_size;
 			*((ikg_opaque_key *)key_buffer) =
 				(ikg_opaque_key){.slot_number = slot_number,
 						 .owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
@@ -1226,11 +1240,15 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 		psa_set_key_usage_flags(attributes,
 					PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_VERIFY_DERIVATION);
 
+		status = cracen_get_opaque_size(attributes, &opaque_key_size);
+		if (status != PSA_SUCCESS) {
+			return status;
+		}
 		/* See comment about the placement of this check in the previous switch
 		 * case.
 		 */
-		if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
-			*key_buffer_length = cracen_get_opaque_size(attributes);
+		if (key_buffer_size >= opaque_key_size) {
+			*key_buffer_length = opaque_key_size;
 			*((ikg_opaque_key *)key_buffer) =
 				(ikg_opaque_key){.slot_number = slot_number,
 						 .owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c

@@ -901,6 +901,7 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number,
 {
 	kmu_metadata metadata;
 	psa_status_t status = read_primary_slot_metadata(slot_number, &metadata);
+	size_t opaque_key_size;
 
 	if (status != PSA_SUCCESS) {
 		return status;
@@ -921,8 +922,14 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number,
 		return status;
 	}
 
-	if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
-		*key_buffer_length = cracen_get_opaque_size(attributes);
+
+	status = cracen_get_opaque_size(attributes, &opaque_key_size);
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+
+	if (key_buffer_size >= opaque_key_size) {
+		*key_buffer_length = opaque_key_size;
 		kmu_opaque_key_buffer *key = (kmu_opaque_key_buffer *)key_buffer;
 
 		key->key_usage_scheme = metadata.key_usage_scheme;

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c

@@ -520,26 +520,24 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number,
 	return PSA_ERROR_CORRUPTION_DETECTED;
 }
 
-size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes)
+psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes, size_t *key_size)
 {
 	platform_key key;
 	key_type type = find_key(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)), &key);
 	psa_key_type_t key_type = psa_get_key_type(attributes);
 
-	if (type == INVALID) {
-		return 0;
-	}
-
 	if (type == IKG) {
-		return sizeof(ikg_opaque_key);
+		*key_size = sizeof(ikg_opaque_key);
+		return PSA_SUCCESS;
 	}
 
 	if (key_type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS) ||
 	    key_type == PSA_KEY_TYPE_AES) {
-		return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
+		*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
+		return PSA_SUCCESS;
 	}
 
-	return 0;
+	return PSA_ERROR_INVALID_ARGUMENT;
 }
 
 psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime,

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.h

@@ -13,7 +13,8 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number,
 					     psa_key_attributes_t *attributes, uint8_t *key_buffer,
 					     size_t key_buffer_size, size_t *key_buffer_length);
 
-size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes);
+psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes,
+					   size_t *key_size);
 
 psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime,
 					  psa_drv_slot_number_t *slot_number);

subsys/nrf_security/src/psa_crypto_driver_wrappers.c

@@ -463,8 +463,7 @@ psa_driver_wrapper_get_key_buffer_size_from_key_data(const psa_key_attributes_t
 #if defined(PSA_NEED_CRACEN_KMU_DRIVER)
 	case PSA_KEY_LOCATION_CRACEN_KMU:
 #endif
-		*key_buffer_size = cracen_get_opaque_size(attributes);
-		return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
+		return cracen_get_opaque_size(attributes, key_buffer_size);
 #endif
 	default:
 		(void)key_type;
@@ -503,8 +502,7 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(const psa_key_attributes_t *
 #if defined(PSA_NEED_CRACEN_KMU_DRIVER)
 	case PSA_KEY_LOCATION_CRACEN_KMU:
 #endif
-		*key_buffer_size = cracen_get_opaque_size(attributes);
-		return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED;
+		return cracen_get_opaque_size(attributes, key_buffer_size);
 #endif
 #if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
 	case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: