Key policies
Description
Macros |
|
#define | PSA_KEY_USAGE_EXPORT (( psa_key_usage_t )0x00000001) |
Whether the key may be exported.
|
|
#define | PSA_KEY_USAGE_COPY (( psa_key_usage_t )0x00000002) |
Whether the key may be copied.
|
|
#define | PSA_KEY_USAGE_ENCRYPT (( psa_key_usage_t )0x00000100) |
Whether the key may be used to encrypt a message.
|
|
#define | PSA_KEY_USAGE_DECRYPT (( psa_key_usage_t )0x00000200) |
Whether the key may be used to decrypt a message.
|
|
#define | PSA_KEY_USAGE_SIGN_MESSAGE (( psa_key_usage_t )0x00000400) |
Whether the key may be used to sign a message.
|
|
#define | PSA_KEY_USAGE_VERIFY_MESSAGE (( psa_key_usage_t )0x00000800) |
Whether the key may be used to verify a message.
|
|
#define | PSA_KEY_USAGE_SIGN_HASH (( psa_key_usage_t )0x00001000) |
Whether the key may be used to sign a message.
|
|
#define | PSA_KEY_USAGE_VERIFY_HASH (( psa_key_usage_t )0x00002000) |
Whether the key may be used to verify a message signature.
|
|
#define | PSA_KEY_USAGE_DERIVE (( psa_key_usage_t )0x00004000) |
Whether the key may be used to derive other keys or produce a password hash.
|
|
#define | PSA_KEY_USAGE_VERIFY_DERIVATION (( psa_key_usage_t )0x00008000) |
Whether the key may be used to verify the result of a key derivation, including password hashing.
|
|
Typedefs |
|
typedef uint32_t | psa_key_usage_t |
Encoding of permitted usage on a key.
|
|
Macro Definition Documentation
◆ PSA_KEY_USAGE_EXPORT
#define PSA_KEY_USAGE_EXPORT (( psa_key_usage_t )0x00000001) |
Whether the key may be exported.
A public key or the public part of a key pair may always be exported regardless of the value of this permission flag.
If a key does not have export permission, implementations shall not allow the key to be exported in plain form from the cryptoprocessor, whether through psa_export_key() or through a proprietary interface. The key may however be exportable in a wrapped form, i.e. in a form where it is encrypted by another key.
◆ PSA_KEY_USAGE_COPY
#define PSA_KEY_USAGE_COPY (( psa_key_usage_t )0x00000002) |
Whether the key may be copied.
This flag allows the use of psa_copy_key() to make a copy of the key with the same policy or a more restrictive policy.
For lifetimes for which the key is located in a secure element which enforce the non-exportability of keys, copying a key outside the secure element also requires the usage flag PSA_KEY_USAGE_EXPORT . Copying the key inside the secure element is permitted with just PSA_KEY_USAGE_COPY if the secure element supports it. For keys with the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT , the usage flag PSA_KEY_USAGE_COPY is sufficient to permit the copy.
◆ PSA_KEY_USAGE_ENCRYPT
#define PSA_KEY_USAGE_ENCRYPT (( psa_key_usage_t )0x00000100) |
Whether the key may be used to encrypt a message.
This flag allows the key to be used for a symmetric encryption operation, for an AEAD encryption-and-authentication operation, or for an asymmetric encryption operation, if otherwise permitted by the key's type and policy.
For a key pair, this concerns the public key.
◆ PSA_KEY_USAGE_DECRYPT
#define PSA_KEY_USAGE_DECRYPT (( psa_key_usage_t )0x00000200) |
Whether the key may be used to decrypt a message.
This flag allows the key to be used for a symmetric decryption operation, for an AEAD decryption-and-verification operation, or for an asymmetric decryption operation, if otherwise permitted by the key's type and policy.
For a key pair, this concerns the private key.
◆ PSA_KEY_USAGE_SIGN_MESSAGE
#define PSA_KEY_USAGE_SIGN_MESSAGE (( psa_key_usage_t )0x00000400) |
Whether the key may be used to sign a message.
This flag allows the key to be used for a MAC calculation operation or for an asymmetric message signature operation, if otherwise permitted by the key’s type and policy.
For a key pair, this concerns the private key.
◆ PSA_KEY_USAGE_VERIFY_MESSAGE
#define PSA_KEY_USAGE_VERIFY_MESSAGE (( psa_key_usage_t )0x00000800) |
Whether the key may be used to verify a message.
This flag allows the key to be used for a MAC verification operation or for an asymmetric message signature verification operation, if otherwise permitted by the key’s type and policy.
For a key pair, this concerns the public key.
◆ PSA_KEY_USAGE_SIGN_HASH
#define PSA_KEY_USAGE_SIGN_HASH (( psa_key_usage_t )0x00001000) |
Whether the key may be used to sign a message.
This flag allows the key to be used for a MAC calculation operation or for an asymmetric signature operation, if otherwise permitted by the key's type and policy.
For a key pair, this concerns the private key.
◆ PSA_KEY_USAGE_VERIFY_HASH
#define PSA_KEY_USAGE_VERIFY_HASH (( psa_key_usage_t )0x00002000) |
Whether the key may be used to verify a message signature.
This flag allows the key to be used for a MAC verification operation or for an asymmetric signature verification operation, if otherwise permitted by by the key's type and policy.
For a key pair, this concerns the public key.
◆ PSA_KEY_USAGE_DERIVE
#define PSA_KEY_USAGE_DERIVE (( psa_key_usage_t )0x00004000) |
Whether the key may be used to derive other keys or produce a password hash.
This flag allows the key to be used for a key derivation operation or for a key agreement operation, if otherwise permitted by by the key's type and policy.
If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_output_bytes() or psa_key_derivation_output_key() at the end of the operation.
◆ PSA_KEY_USAGE_VERIFY_DERIVATION
#define PSA_KEY_USAGE_VERIFY_DERIVATION (( psa_key_usage_t )0x00008000) |
Whether the key may be used to verify the result of a key derivation, including password hashing.
This flag allows the key to be used:
This flag allows the key to be used in a key derivation operation, if otherwise permitted by by the key's type and policy.
If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_verify_bytes() or psa_key_derivation_verify_key() at the end of the operation.
Typedef Documentation
◆ psa_key_usage_t
typedef uint32_t psa_key_usage_t |
Encoding of permitted usage on a key.
Values of this type are generally constructed as bitwise-ors of macros called
PSA_KEY_USAGE_xxx
.
- Note
- Values of this type are encoded in the persistent key store. Any changes to existing values will require bumping the storage format version and providing a translation when reading the old format.