Key attributes#
Functions#
Declare the enrollment algorithm for a key.
Retrieve the enrollment algorithm policy from key attributes.
Set domain parameters for a key.
Get domain parameters for a key.
Return an initial value for a key attributes structure.
Declare a key as persistent and set its key identifier.
Set the location of a persistent key.
Retrieve the key identifier from key attributes.
Retrieve the lifetime from key attributes.
Declare usage flags for a key.
Retrieve the usage flags from key attributes.
Declare the permitted algorithm policy for a key.
Retrieve the algorithm policy from key attributes.
Declare the type of a key.
Declare the size of a key.
Retrieve the key type from key attributes.
Retrieve the key size from key attributes.
Retrieve the attributes of a key.
Reset a key attribute structure to a freshly initialized state.
Macros#
Custom Diffie-Hellman group.
Safe output buffer size for psa_get_key_domain_parameters().
Custom Diffie-Hellman group.
Safe output buffer size for psa_get_key_domain_parameters().
Function Documentation#
psa_set_key_enrollment_algorithm#
static void psa_set_key_enrollment_algorithm (psa_key_attributes_t *attributes, psa_algorithm_t alg2)
Declare the enrollment algorithm for a key.
| [out] | attributes | The attribute structure to write to. |
| N/A | alg2 | A second algorithm that the key may be used for, in addition to the algorithm set with psa_set_key_algorithm(). |
An operation on a key may indifferently use the algorithm set with psa_set_key_algorithm() or with this function.
Warnings
Setting an enrollment algorithm is not recommended, because using the same key with different algorithms can allow some attacks based on arithmetic relations between different computations made with the same key, or can escalate harmless side channels into exploitable ones. Use this function only if it is necessary to support a protocol for which it has been verified that the usage of the key with multiple algorithms is safe.
79 of file util/third_party/mbedtls/include/psa/crypto_extra.hpsa_get_key_enrollment_algorithm#
static psa_algorithm_t psa_get_key_enrollment_algorithm (const psa_key_attributes_t *attributes)
Retrieve the enrollment algorithm policy from key attributes.
| [in] | attributes | The key attribute structure to query. |
Returns
The enrollment algorithm stored in the attribute structure.
92 of file util/third_party/mbedtls/include/psa/crypto_extra.hpsa_set_key_domain_parameters#
psa_status_t psa_set_key_domain_parameters (psa_key_attributes_t *attributes, psa_key_type_t type, const uint8_t *data, size_t data_length)
Set domain parameters for a key.
| [inout] | attributes | Attribute structure where the specified domain parameters will be stored. If this function fails, the content of |
| N/A | type | Key type (a |
| [in] | data | Buffer containing the key domain parameters. The content of this buffer is interpreted according to |
| N/A | data_length | Size of the |
Some key types require additional domain parameters in addition to the key type identifier and the key size. Use this function instead of psa_set_key_type() when you need to specify domain parameters.
The format for the required domain parameters varies based on the key type.
For RSA keys (PSA_KEY_TYPE_RSA_PUBLIC_KEY or PSA_KEY_TYPE_RSA_KEY_PAIR), the domain parameter data consists of the public exponent, represented as a big-endian integer with no leading zeros. This information is used when generating an RSA key pair. When importing a key, the public exponent is read from the imported key data and the exponent recorded in the attribute structure is ignored. As an exception, the public exponent 65537 is represented by an empty byte string.
For DSA keys (PSA_KEY_TYPE_DSA_PUBLIC_KEY or PSA_KEY_TYPE_DSA_KEY_PAIR), the
Dss-Paramsformat as defined by RFC 3279 §2.3.2.Dss-Params ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER }For Diffie-Hellman key exchange keys (PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM)), the
DomainParametersformat as defined by RFC 3279 §2.3.3.DomainParameters ::= SEQUENCE { p INTEGER, -- odd prime, p=jq +1 g INTEGER, -- generator, g q INTEGER, -- factor of p-1 j INTEGER OPTIONAL, -- subgroup factor validationParams ValidationParams OPTIONAL } ValidationParams ::= SEQUENCE { seed BIT STRING, pgenCounter INTEGER }
Note
This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.
This is an experimental extension to the interface. It may change in future versions of the library.
Some key types require additional domain parameters in addition to the key type identifier and the key size. Use this function instead of psa_set_key_type() when you need to specify domain parameters.
The format for the required domain parameters varies based on the key type.
For RSA keys (PSA_KEY_TYPE_RSA_PUBLIC_KEY or PSA_KEY_TYPE_RSA_KEY_PAIR), the domain parameter data consists of the public exponent, represented as a big-endian integer with no leading zeros. This information is used when generating an RSA key pair. When importing a key, the public exponent is read from the imported key data and the exponent recorded in the attribute structure is ignored. As an exception, the public exponent 65537 is represented by an empty byte string.
For DSA keys (PSA_KEY_TYPE_DSA_PUBLIC_KEY or PSA_KEY_TYPE_DSA_KEY_PAIR), the
Dss-Parmsformat as defined by RFC 3279 §2.3.2.Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER }For Diffie-Hellman key exchange keys (PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM)), the
DomainParametersformat as defined by RFC 3279 §2.3.3.DomainParameters ::= SEQUENCE { p INTEGER, -- odd prime, p=jq +1 g INTEGER, -- generator, g q INTEGER, -- factor of p-1 j INTEGER OPTIONAL, -- subgroup factor validationParms ValidationParms OPTIONAL } ValidationParms ::= SEQUENCE { seed BIT STRING, pgenCounter INTEGER }
Note
This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.
This is an experimental extension to the interface. It may change in future versions of the library.
506 of file util/third_party/mbedtls/include/psa/crypto_extra.hpsa_get_key_domain_parameters#
psa_status_t psa_get_key_domain_parameters (const psa_key_attributes_t *attributes, uint8_t *data, size_t data_size, size_t *data_length)
Get domain parameters for a key.
| [in] | attributes | The key attribute structure to query. |
| [out] | data | On success, the key domain parameters. |
| N/A | data_size | Size of the |
| [out] | data_length | On success, the number of bytes that make up the key domain parameters data. |
Get the domain parameters for a key with this function, if any. The format of the domain parameters written to data is specified in the documentation for psa_set_key_domain_parameters().
Note
This is an experimental extension to the interface. It may change in future versions of the library.
534 of file util/third_party/mbedtls/include/psa/crypto_extra.hpsa_key_attributes_init#
static psa_key_attributes_t psa_key_attributes_init (void)
Return an initial value for a key attributes structure.
| N/A |
107 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_set_key_id#
static void psa_set_key_id (psa_key_attributes_t *attributes, psa_key_id_t key)
Declare a key as persistent and set its key identifier.
| [out] | attributes | The attribute structure to write to. |
| N/A | key | The persistent identifier for the key. |
If the attribute structure currently declares the key as volatile (which is the default content of an attribute structure), this function sets the lifetime attribute to PSA_KEY_LIFETIME_PERSISTENT.
This function does not access storage, it merely stores the given value in the structure. The persistent key will be written to storage when the attribute structure is passed to a key creation function such as psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key().
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.
129 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_set_key_lifetime#
static void psa_set_key_lifetime (psa_key_attributes_t *attributes, psa_key_lifetime_t lifetime)
Set the location of a persistent key.
| [out] | attributes | The attribute structure to write to. |
| N/A | lifetime | The lifetime for the key. If this is PSA_KEY_LIFETIME_VOLATILE, the key will be volatile, and the key identifier attribute is reset to 0. |
To make a key persistent, you must give it a persistent key identifier with psa_set_key_id(). By default, a key that has a persistent identifier is stored in the default storage area identifier by PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage area, or to explicitly declare the key as volatile.
This function does not access storage, it merely stores the given value in the structure. The persistent key will be written to storage when the attribute structure is passed to a key creation function such as psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key().
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.
157 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_id#
static psa_key_id_t psa_get_key_id (const psa_key_attributes_t *attributes)
Retrieve the key identifier from key attributes.
| [in] | attributes | The key attribute structure to query. |
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.
Returns
The persistent identifier stored in the attribute structure. This value is unspecified if the attribute structure declares the key as volatile.
172 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_lifetime#
static psa_key_lifetime_t psa_get_key_lifetime (const psa_key_attributes_t *attributes)
Retrieve the lifetime from key attributes.
| [in] | attributes | The key attribute structure to query. |
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.
Returns
The lifetime value stored in the attribute structure.
184 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_set_key_usage_flags#
static void psa_set_key_usage_flags (psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
Declare usage flags for a key.
| [out] | attributes | The attribute structure to write to. |
| N/A | usage_flags | The usage flags to write. |
Usage flags are part of a key's usage policy. They encode what kind of operations are permitted on the key. For more details, refer to the documentation of the type psa_key_usage_t.
This function overwrites any usage flags previously set in attributes.
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.
203 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_usage_flags#
static psa_key_usage_t psa_get_key_usage_flags (const psa_key_attributes_t *attributes)
Retrieve the usage flags from key attributes.
| [in] | attributes | The key attribute structure to query. |
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.
Returns
The usage flags stored in the attribute structure.
216 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_set_key_algorithm#
static void psa_set_key_algorithm (psa_key_attributes_t *attributes, psa_algorithm_t alg)
Declare the permitted algorithm policy for a key.
| [out] | attributes | The attribute structure to write to. |
| N/A | alg | The permitted algorithm policy to write. |
The permitted algorithm policy of a key encodes which algorithm or algorithms are permitted to be used with this key. The following algorithm policies are supported:
0 does not allow any cryptographic operation with the key. The key may be used for non-cryptographic actions such as exporting (if permitted by the usage flags).
An algorithm value permits this particular algorithm.
An algorithm wildcard built from PSA_ALG_ANY_HASH allows the specified signature scheme with any hash algorithm.
An algorithm built from PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows any MAC algorithm from the same base class (e.g. CMAC) which generates/verifies a MAC length greater than or equal to the length encoded in the wildcard algorithm.
An algorithm built from PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG allows any AEAD algorithm from the same base class (e.g. CCM) which generates/verifies a tag length greater than or equal to the length encoded in the wildcard algorithm.
This function overwrites any algorithm policy previously set in attributes.
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.
249 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_algorithm#
static psa_algorithm_t psa_get_key_algorithm (const psa_key_attributes_t *attributes)
Retrieve the algorithm policy from key attributes.
| [in] | attributes | The key attribute structure to query. |
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.
Returns
The algorithm stored in the attribute structure.
263 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_set_key_type#
static void psa_set_key_type (psa_key_attributes_t *attributes, psa_key_type_t type)
Declare the type of a key.
| [out] | attributes | The attribute structure to write to. |
| N/A | type | The key type to write. If this is 0, the key type in |
This function overwrites any key type previously set in attributes.
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.
280 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_set_key_bits#
static void psa_set_key_bits (psa_key_attributes_t *attributes, size_t bits)
Declare the size of a key.
| [out] | attributes | The attribute structure to write to. |
| N/A | bits | The key size in bits. If this is 0, the key size in |
This function overwrites any key size previously set in attributes.
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.
298 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_type#
static psa_key_type_t psa_get_key_type (const psa_key_attributes_t *attributes)
Retrieve the key type from key attributes.
| [in] | attributes | The key attribute structure to query. |
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.
Returns
The key type stored in the attribute structure.
311 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_bits#
static size_t psa_get_key_bits (const psa_key_attributes_t *attributes)
Retrieve the key size from key attributes.
| [in] | attributes | The key attribute structure to query. |
This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.
Returns
The key size stored in the attribute structure, in bits.
323 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_get_key_attributes#
psa_status_t psa_get_key_attributes (psa_key_id_t key, psa_key_attributes_t *attributes)
Retrieve the attributes of a key.
| [in] | key | Identifier of the key to query. |
| [inout] | attributes | On success, the attributes of the key. On failure, equivalent to a freshly-initialized structure. |
This function first resets the attribute structure as with psa_reset_key_attributes(). It then copies the attributes of the given key into the given attribute structure.
Note
This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.
353 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hpsa_reset_key_attributes#
void psa_reset_key_attributes (psa_key_attributes_t *attributes)
Reset a key attribute structure to a freshly initialized state.
| [inout] | attributes | The attribute structure to reset. |
You must initialize the attribute structure as described in the documentation of the type #psa_key_attributes_t before calling this function. Once the structure has been initialized, you may call this function at any time.
This function frees any auxiliary resources that the structure may contain.
368 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto.hMacro Definition Documentation#
PSA_DH_FAMILY_CUSTOM#
#define PSA_DH_FAMILY_CUSTOMValue:
((psa_dh_family_t) 0x7e)
Custom Diffie-Hellman group.
For keys of type PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM), the group data comes from domain parameters set by psa_set_key_domain_parameters().
437 of file util/third_party/mbedtls/include/psa/crypto_extra.hPSA_KEY_DOMAIN_PARAMETERS_SIZE#
#define PSA_KEY_DOMAIN_PARAMETERS_SIZEValue:
Safe output buffer size for psa_get_key_domain_parameters().
This macro returns a compile-time constant if its arguments are compile-time constants.
Warnings
This function may call its arguments multiple times or zero times, so you should not pass arguments that contain side effects.
Note
This is an experimental extension to the interface. It may change in future versions of the library.
Returns
If the parameters are valid and supported, return a buffer size in bytes that guarantees that psa_get_key_domain_parameters() will not fail with PSA_ERROR_BUFFER_TOO_SMALL. If the parameters are a valid combination that is not supported by the implementation, this macro shall return either a sensible size or 0. If the parameters are not valid, the return value is unspecified.
565 of file util/third_party/mbedtls/include/psa/crypto_extra.hPSA_DH_KEY_DOMAIN_PARAMETERS_SIZE#
#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZEValue:
(key_bits)
570 of file util/third_party/mbedtls/include/psa/crypto_extra.hPSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE#
#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZEValue:
(key_bits)
572 of file util/third_party/mbedtls/include/psa/crypto_extra.hPSA_DH_FAMILY_CUSTOM#
#define PSA_DH_FAMILY_CUSTOMValue:
((psa_dh_family_t) 0x7e)
Custom Diffie-Hellman group.
For keys of type PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM), the group data comes from domain parameters set by psa_set_key_domain_parameters().
228 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_extra.hPSA_KEY_DOMAIN_PARAMETERS_SIZE#
#define PSA_KEY_DOMAIN_PARAMETERS_SIZEValue:
Safe output buffer size for psa_get_key_domain_parameters().
This macro returns a compile-time constant if its arguments are compile-time constants.
Warnings
This function may call its arguments multiple times or zero times, so you should not pass arguments that contain side effects.
Note
This is an experimental extension to the interface. It may change in future versions of the library.
Returns
If the parameters are valid and supported, return a buffer size in bytes that guarantees that psa_get_key_domain_parameters() will not fail with PSA_ERROR_BUFFER_TOO_SMALL. If the parameters are a valid combination that is not supported by the implementation, this macro shall return either a sensible size or 0. If the parameters are not valid, the return value is unspecified.
356 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_extra.hPSA_DH_KEY_DOMAIN_PARAMETERS_SIZE#
#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZEValue:
(key_bits)
361 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_extra.hPSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE#
#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZEValue:
(key_bits)
363 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_extra.h