Key attributes#

psa_set_key_enrollment_algorithm#

static void psa_set_key_enrollment_algorithm (psa_key_attributes_t * attributes, psa_algorithm_t alg2)

Declare the enrollment algorithm for a key.

An operation on a key may indifferently use the algorithm set with psa_set_key_algorithm() or with this function.

Warnings

• Setting an enrollment algorithm is not recommended, because using the same key with different algorithms can allow some attacks based on arithmetic relations between different computations made with the same key, or can escalate harmless side channels into exploitable ones. Use this function only if it is necessary to support a protocol for which it has been verified that the usage of the key with multiple algorithms is safe.

psa_get_key_enrollment_algorithm#

static psa_algorithm_t psa_get_key_enrollment_algorithm (const psa_key_attributes_t * attributes)

Retrieve the enrollment algorithm policy from key attributes.

Returns

• The enrollment algorithm stored in the attribute structure.

psa_set_key_domain_parameters#

psa_status_t psa_set_key_domain_parameters (psa_key_attributes_t * attributes, psa_key_type_t type, const uint8_t * data, size_t data_length)

Set domain parameters for a key.

Some key types require additional domain parameters in addition to the key type identifier and the key size. Use this function instead of psa_set_key_type() when you need to specify domain parameters.

The format for the required domain parameters varies based on the key type.

• For RSA keys (PSA_KEY_TYPE_RSA_PUBLIC_KEY or PSA_KEY_TYPE_RSA_KEY_PAIR), the domain parameter data consists of the public exponent, represented as a big-endian integer with no leading zeros. This information is used when generating an RSA key pair. When importing a key, the public exponent is read from the imported key data and the exponent recorded in the attribute structure is ignored. As an exception, the public exponent 65537 is represented by an empty byte string.

• For DSA keys (PSA_KEY_TYPE_DSA_PUBLIC_KEY or PSA_KEY_TYPE_DSA_KEY_PAIR), the Dss-Params format as defined by RFC 3279 §2.3.2.

  Dss-Params ::= SEQUENCE  {
     p       INTEGER,
     q       INTEGER,
     g       INTEGER
  }
  

• For Diffie-Hellman key exchange keys (PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM)), the DomainParameters format as defined by RFC 3279 §2.3.3.

  DomainParameters ::= SEQUENCE {
     p               INTEGER,                    -- odd prime, p=jq +1
     g               INTEGER,                    -- generator, g
     q               INTEGER,                    -- factor of p-1
     j               INTEGER OPTIONAL,           -- subgroup factor
     validationParams ValidationParams OPTIONAL
  }
  ValidationParams ::= SEQUENCE {
     seed            BIT STRING,
     pgenCounter     INTEGER
  }
  

Note

• This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.

• This is an experimental extension to the interface. It may change in future versions of the library.

Some key types require additional domain parameters in addition to the key type identifier and the key size. Use this function instead of psa_set_key_type() when you need to specify domain parameters.

The format for the required domain parameters varies based on the key type.

• For RSA keys (PSA_KEY_TYPE_RSA_PUBLIC_KEY or PSA_KEY_TYPE_RSA_KEY_PAIR), the domain parameter data consists of the public exponent, represented as a big-endian integer with no leading zeros. This information is used when generating an RSA key pair. When importing a key, the public exponent is read from the imported key data and the exponent recorded in the attribute structure is ignored. As an exception, the public exponent 65537 is represented by an empty byte string.

• For DSA keys (PSA_KEY_TYPE_DSA_PUBLIC_KEY or PSA_KEY_TYPE_DSA_KEY_PAIR), the Dss-Parms format as defined by RFC 3279 §2.3.2.

  Dss-Parms ::= SEQUENCE  {
     p       INTEGER,
     q       INTEGER,
     g       INTEGER
  }
  

• For Diffie-Hellman key exchange keys (PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM)), the DomainParameters format as defined by RFC 3279 §2.3.3.

  DomainParameters ::= SEQUENCE {
     p               INTEGER,                    -- odd prime, p=jq +1
     g               INTEGER,                    -- generator, g
     q               INTEGER,                    -- factor of p-1
     j               INTEGER OPTIONAL,           -- subgroup factor
     validationParms ValidationParms OPTIONAL
  }
  ValidationParms ::= SEQUENCE {
     seed            BIT STRING,
     pgenCounter     INTEGER
  }
  

Note

• This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.

• This is an experimental extension to the interface. It may change in future versions of the library.

psa_get_key_domain_parameters#

psa_status_t psa_get_key_domain_parameters (const psa_key_attributes_t * attributes, uint8_t * data, size_t data_size, size_t * data_length)

Get domain parameters for a key.

Get the domain parameters for a key with this function, if any. The format of the domain parameters written to data is specified in the documentation for psa_set_key_domain_parameters().

Note

• This is an experimental extension to the interface. It may change in future versions of the library.

psa_key_attributes_init#

static psa_key_attributes_t psa_key_attributes_init (void )

Return an initial value for a key attributes structure.

psa_set_key_id#

static void psa_set_key_id (psa_key_attributes_t * attributes, psa_key_id_t key)

Declare a key as persistent and set its key identifier.

If the attribute structure currently declares the key as volatile (which is the default content of an attribute structure), this function sets the lifetime attribute to PSA_KEY_LIFETIME_PERSISTENT.

This function does not access storage, it merely stores the given value in the structure. The persistent key will be written to storage when the attribute structure is passed to a key creation function such as psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key().

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

psa_set_key_lifetime#

static void psa_set_key_lifetime (psa_key_attributes_t * attributes, psa_key_lifetime_t lifetime)

Set the location of a persistent key.

To make a key persistent, you must give it a persistent key identifier with psa_set_key_id(). By default, a key that has a persistent identifier is stored in the default storage area identifier by PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage area, or to explicitly declare the key as volatile.

This function does not access storage, it merely stores the given value in the structure. The persistent key will be written to storage when the attribute structure is passed to a key creation function such as psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key().

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

psa_get_key_id#

static psa_key_id_t psa_get_key_id (const psa_key_attributes_t * attributes)

Retrieve the key identifier from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Returns

• The persistent identifier stored in the attribute structure. This value is unspecified if the attribute structure declares the key as volatile.

psa_get_key_lifetime#

static psa_key_lifetime_t psa_get_key_lifetime (const psa_key_attributes_t * attributes)

Retrieve the lifetime from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Returns

• The lifetime value stored in the attribute structure.

psa_set_key_usage_flags#

static void psa_set_key_usage_flags (psa_key_attributes_t * attributes, psa_key_usage_t usage_flags)

Declare usage flags for a key.

Usage flags are part of a key's usage policy. They encode what kind of operations are permitted on the key. For more details, refer to the documentation of the type psa_key_usage_t.

This function overwrites any usage flags previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

psa_get_key_usage_flags#

static psa_key_usage_t psa_get_key_usage_flags (const psa_key_attributes_t * attributes)

Retrieve the usage flags from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Returns

• The usage flags stored in the attribute structure.

psa_set_key_algorithm#

static void psa_set_key_algorithm (psa_key_attributes_t * attributes, psa_algorithm_t alg)

Declare the permitted algorithm policy for a key.

The permitted algorithm policy of a key encodes which algorithm or algorithms are permitted to be used with this key. The following algorithm policies are supported:

• 0 does not allow any cryptographic operation with the key. The key may be used for non-cryptographic actions such as exporting (if permitted by the usage flags).

• An algorithm value permits this particular algorithm.

• An algorithm wildcard built from PSA_ALG_ANY_HASH allows the specified signature scheme with any hash algorithm.

• An algorithm built from PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows any MAC algorithm from the same base class (e.g. CMAC) which generates/verifies a MAC length greater than or equal to the length encoded in the wildcard algorithm.

• An algorithm built from PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG allows any AEAD algorithm from the same base class (e.g. CCM) which generates/verifies a tag length greater than or equal to the length encoded in the wildcard algorithm.

This function overwrites any algorithm policy previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

psa_get_key_algorithm#

static psa_algorithm_t psa_get_key_algorithm (const psa_key_attributes_t * attributes)

Retrieve the algorithm policy from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Returns

• The algorithm stored in the attribute structure.

psa_set_key_type#

static void psa_set_key_type (psa_key_attributes_t * attributes, psa_key_type_t type)

Declare the type of a key.

This function overwrites any key type previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

psa_set_key_bits#

static void psa_set_key_bits (psa_key_attributes_t * attributes, size_t bits)

Declare the size of a key.

This function overwrites any key size previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

psa_get_key_type#

static psa_key_type_t psa_get_key_type (const psa_key_attributes_t * attributes)

Retrieve the key type from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Returns

• The key type stored in the attribute structure.

psa_get_key_bits#

static size_t psa_get_key_bits (const psa_key_attributes_t * attributes)

Retrieve the key size from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Returns

• The key size stored in the attribute structure, in bits.

psa_get_key_attributes#

psa_status_t psa_get_key_attributes (psa_key_id_t key, psa_key_attributes_t * attributes)

Retrieve the attributes of a key.

This function first resets the attribute structure as with psa_reset_key_attributes(). It then copies the attributes of the given key into the given attribute structure.

Note

• This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.

psa_reset_key_attributes#

void psa_reset_key_attributes (psa_key_attributes_t * attributes)

Reset a key attribute structure to a freshly initialized state.

You must initialize the attribute structure as described in the documentation of the type #psa_key_attributes_t before calling this function. Once the structure has been initialized, you may call this function at any time.

This function frees any auxiliary resources that the structure may contain.