On 08/01/2024 18:10, S Krishnan, Archanaa via mbed-tls wrote:

Hello,

In psa_validate_key_attributes(), when the key ID is invalid for persistent keys the function returns PSA_ERROR_INVALID_ARGUMENT. See https://github.com/Mbed-TLS/mbedtls/blob/development/library/psa_crypto.c#L1541.

The comments for PSA_ERROR_INVALID_ARGUMENT explicitly state that this error should not be returned when the key identifier is invalid; instead PSA_ERROR_INVALID_HANDLE should be returned.

For the above psa_validate_key_attributes() use case, which is the correct return code: PSA_ERROR_INVALID_ARGUMENT or PSA_ERROR_INVALID_HANDLE?


PSA_ERROR_INVALID_HANDLE means that the caller attempted to consume a key that doesn't exist. That error condition does not apply to psa_validate_key_attributes: this function is called when creating a key. For this function, a non-existent key identifier is a success condition. This function returns PSA_ERROR_INVALID_ARGUMENT when it is not permitted to create a key with the given identifier.

This is admittedly not explicit in the generic description of the error code in the PSA specification (https://arm-software.github.io/psa-api/crypto/1.1/api/library/status.html#common-error-codes), but it is clear in the descriptions of individual functions. Contrast for example psa_import_key (“PSA_ERROR_INVALID_ARGUMENT: (…) The key identifier is not valid for the key lifetime.”; no error condition with PSA_ERROR_INVALID_HANDLE) and psa_mac_compute (“PSA_ERROR_INVALID_HANDLE: key is not a valid key identifier”; no error condition with PSA_ERROR_INVALID_ARGUMENT). Or check psa_copy_key: INVALID_HANDLE if the source parameter doesn't refer to an existing key, INVALID_ARGUMENT if the desired target identifier is not acceptable.

Best regards,

--
Gilles Peskine
PSA Crypto architect and Mbed TLS implementer
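The creation-versus-consumption distinction in the reply above, as an added illustration that is not Mbed TLS code and not part of this thread: a toy model in C with an in-memory store of persistent key identifiers. The status codes, lifetime values and key-id range constants reproduce the values defined in psa/crypto_values.h and psa/crypto_types.h; the `model_*` functions and the store itself are constructed for this example and only mirror the roles of psa_validate_key_attributes(), psa_import_key(), psa_mac_compute() and psa_copy_key(), not their real implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of the PSA Crypto types and values (same numeric values as
 * psa/crypto_types.h and psa/crypto_values.h). */
typedef int32_t  psa_status_t;
typedef uint32_t psa_key_id_t;
typedef uint32_t psa_key_lifetime_t;

#define PSA_SUCCESS                   ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT    ((psa_status_t)-135)
#define PSA_ERROR_INVALID_HANDLE      ((psa_status_t)-136)
#define PSA_ERROR_ALREADY_EXISTS      ((psa_status_t)-139)
#define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)

#define PSA_KEY_LIFETIME_VOLATILE     ((psa_key_lifetime_t)0x00000000)
#define PSA_KEY_LIFETIME_PERSISTENT   ((psa_key_lifetime_t)0x00000001)

#define PSA_KEY_ID_NULL               ((psa_key_id_t)0)
#define PSA_KEY_ID_USER_MIN           ((psa_key_id_t)0x00000001)
#define PSA_KEY_ID_USER_MAX           ((psa_key_id_t)0x3fffffff)

/* Constructed toy store of persistent key identifiers; 0 marks a free slot. */
#define MODEL_MAX_KEYS 4
static psa_key_id_t model_store[MODEL_MAX_KEYS];

void model_reset_store(void)
{
    for (size_t i = 0; i < MODEL_MAX_KEYS; i++)
        model_store[i] = PSA_KEY_ID_NULL;
}

static bool model_key_exists(psa_key_id_t id)
{
    for (size_t i = 0; i < MODEL_MAX_KEYS; i++)
        if (id != PSA_KEY_ID_NULL && model_store[i] == id)
            return true;
    return false;
}

/* Creation-time check, in the role of psa_validate_key_attributes(): nothing
 * is looked up, so an identifier that does not exist yet is a success
 * condition. The only failure is an identifier that may not be used with the
 * requested lifetime, which is PSA_ERROR_INVALID_ARGUMENT, never INVALID_HANDLE. */
psa_status_t model_validate_key_attributes(psa_key_lifetime_t lifetime, psa_key_id_t id)
{
    if (lifetime == PSA_KEY_LIFETIME_VOLATILE) {
        /* A volatile key gets its identifier from the implementation; the
         * caller must leave the id as PSA_KEY_ID_NULL. */
        return (id == PSA_KEY_ID_NULL) ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
    }
    /* Persistent key: the application must choose an id in the user range. */
    if (id < PSA_KEY_ID_USER_MIN || id > PSA_KEY_ID_USER_MAX)
        return PSA_ERROR_INVALID_ARGUMENT;
    return PSA_SUCCESS;
}

/* Key creation for a persistent key, in the role of psa_import_key(). */
psa_status_t model_import_key(psa_key_id_t id)
{
    psa_status_t status = model_validate_key_attributes(PSA_KEY_LIFETIME_PERSISTENT, id);
    if (status != PSA_SUCCESS)
        return status;                       /* id not acceptable: INVALID_ARGUMENT */
    if (model_key_exists(id))
        return PSA_ERROR_ALREADY_EXISTS;     /* existing id is a conflict, not a handle error */
    for (size_t i = 0; i < MODEL_MAX_KEYS; i++) {
        if (model_store[i] == PSA_KEY_ID_NULL) {
            model_store[i] = id;
            return PSA_SUCCESS;
        }
    }
    return PSA_ERROR_INSUFFICIENT_MEMORY;
}

/* Key consumption, in the role of psa_mac_compute(): the key must already
 * exist, so an unknown identifier is PSA_ERROR_INVALID_HANDLE. */
psa_status_t model_use_key(psa_key_id_t id)
{
    return model_key_exists(id) ? PSA_SUCCESS : PSA_ERROR_INVALID_HANDLE;
}

/* psa_copy_key() does both: the source is consumed (INVALID_HANDLE if it does
 * not exist), the target is created (INVALID_ARGUMENT if its id is not acceptable). */
psa_status_t model_copy_key(psa_key_id_t source, psa_key_id_t target)
{
    if (!model_key_exists(source))
        return PSA_ERROR_INVALID_HANDLE;
    return model_import_key(target);
}

int main(void)
{
    model_reset_store();
    printf("validate id 0 for a persistent key: %d\n",
           (int)model_validate_key_attributes(PSA_KEY_LIFETIME_PERSISTENT, PSA_KEY_ID_NULL));
    printf("use key 42 before creation:        %d\n", (int)model_use_key(42));
    printf("import key 42:                     %d\n", (int)model_import_key(42));
    printf("use key 42 after creation:         %d\n", (int)model_use_key(42));
    printf("copy 42 to vendor-range id:        %d\n", (int)model_copy_key(42, 0x40000000u));
    return 0;
}
```

The point the model makes concrete is which question each call is answering: the creation path asks "may this identifier be used?" (argument validation), while the consumption path asks "does this identifier refer to a key?" (handle lookup), and a caller that treats PSA_ERROR_INVALID_HANDLE from psa_import_key() or psa_generate_key() as a possible outcome is checking for a condition those functions never report.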