Key policies#

Typedefs#

typedef uint32_t

Encoding of permitted usage on a key.

typedef uint32_t

Encoding of permitted usage on a key.

Macros#

#define
PSA_KEY_USAGE_EXPORT ((psa_key_usage_t) 0x00000001)

Whether the key may be exported.

#define
PSA_KEY_USAGE_COPY ((psa_key_usage_t) 0x00000002)

Whether the key may be copied.

#define
PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t) 0x00000100)

Whether the key may be used to encrypt a message.

#define
PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t) 0x00000200)

Whether the key may be used to decrypt a message.

#define
PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t) 0x00000400)

Whether the key may be used to sign a message.

#define
PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t) 0x00000800)

Whether the key may be used to verify a message.

#define
PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t) 0x00001000)

Whether the key may be used to sign a message.

#define
PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t) 0x00002000)

Whether the key may be used to verify a message signature.

#define
PSA_KEY_USAGE_DERIVE ((psa_key_usage_t) 0x00004000)

Whether the key may be used to derive other keys or produce a password hash.

#define
PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t) 0x00008000)

Whether the key may be used to verify the result of a key derivation, including password hashing.

#define
PSA_KEY_USAGE_EXPORT ((psa_key_usage_t) 0x00000001)

Whether the key may be exported.

#define
PSA_KEY_USAGE_COPY ((psa_key_usage_t) 0x00000002)

Whether the key may be copied.

#define
PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t) 0x00000100)

Whether the key may be used to encrypt a message.

#define
PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t) 0x00000200)

Whether the key may be used to decrypt a message.

#define
PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t) 0x00000400)

Whether the key may be used to sign a message.

#define
PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t) 0x00000800)

Whether the key may be used to verify a message.

#define
PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t) 0x00001000)

Whether the key may be used to sign a message.

#define
PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t) 0x00002000)

Whether the key may be used to verify a message signature.

#define
PSA_KEY_USAGE_DERIVE ((psa_key_usage_t) 0x00004000)

Whether the key may be used to derive other keys or produce a password hash.

#define
PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t) 0x00008000)

Whether the key may be used to verify the result of a key derivation, including password hashing.

Typedef Documentation#

psa_key_usage_t#

typedef uint32_t psa_key_usage_t

Encoding of permitted usage on a key.

Values of this type are generally constructed as bitwise-ors of macros called PSA_KEY_USAGE_xxx.

Note

  • Values of this type are encoded in the persistent key store. Any changes to existing values will require bumping the storage format version and providing a translation when reading the old format.


Definition at line 340 of file util/third_party/mbedtls/include/psa/crypto_types.h

psa_key_usage_t#

typedef uint32_t psa_key_usage_t

Encoding of permitted usage on a key.

Values of this type are generally constructed as bitwise-ors of macros called PSA_KEY_USAGE_xxx.

Note

  • Values of this type are encoded in the persistent key store. Any changes to existing values will require bumping the storage format version and providing a translation when reading the old format.


Definition at line 333 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_types.h

Macro Definition Documentation#

PSA_KEY_USAGE_EXPORT#

#define PSA_KEY_USAGE_EXPORT
Value:
((psa_key_usage_t) 0x00000001)

Whether the key may be exported.

A public key or the public part of a key pair may always be exported regardless of the value of this permission flag.

If a key does not have export permission, implementations shall not allow the key to be exported in plain form from the cryptoprocessor, whether through psa_export_key() or through a proprietary interface. The key may however be exportable in a wrapped form, i.e. in a form where it is encrypted by another key.


Definition at line 2546 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_COPY#

#define PSA_KEY_USAGE_COPY
Value:
((psa_key_usage_t) 0x00000002)

Whether the key may be copied.

This flag allows the use of psa_copy_key() to make a copy of the key with the same policy or a more restrictive policy.

For lifetimes for which the key is located in a secure element which enforce the non-exportability of keys, copying a key outside the secure element also requires the usage flag PSA_KEY_USAGE_EXPORT. Copying the key inside the secure element is permitted with just PSA_KEY_USAGE_COPY if the secure element supports it. For keys with the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT, the usage flag PSA_KEY_USAGE_COPY is sufficient to permit the copy.


Definition at line 2562 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_ENCRYPT#

#define PSA_KEY_USAGE_ENCRYPT
Value:
((psa_key_usage_t) 0x00000100)

Whether the key may be used to encrypt a message.

This flag allows the key to be used for a symmetric encryption operation, for an AEAD encryption-and-authentication operation, or for an asymmetric encryption operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the public key.


Definition at line 2573 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_DECRYPT#

#define PSA_KEY_USAGE_DECRYPT
Value:
((psa_key_usage_t) 0x00000200)

Whether the key may be used to decrypt a message.

This flag allows the key to be used for a symmetric decryption operation, for an AEAD decryption-and-verification operation, or for an asymmetric decryption operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the private key.


Definition at line 2584 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_SIGN_MESSAGE#

#define PSA_KEY_USAGE_SIGN_MESSAGE
Value:
((psa_key_usage_t) 0x00000400)

Whether the key may be used to sign a message.

This flag allows the key to be used for a MAC calculation operation or for an asymmetric message signature operation, if otherwise permitted by the key’s type and policy.

For a key pair, this concerns the private key.


Definition at line 2594 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_VERIFY_MESSAGE#

#define PSA_KEY_USAGE_VERIFY_MESSAGE
Value:
((psa_key_usage_t) 0x00000800)

Whether the key may be used to verify a message.

This flag allows the key to be used for a MAC verification operation or for an asymmetric message signature verification operation, if otherwise permitted by the key’s type and policy.

For a key pair, this concerns the public key.


Definition at line 2604 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_SIGN_HASH#

#define PSA_KEY_USAGE_SIGN_HASH
Value:
((psa_key_usage_t) 0x00001000)

Whether the key may be used to sign a message.

This flag allows the key to be used for a MAC calculation operation or for an asymmetric signature operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the private key.


Definition at line 2614 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_VERIFY_HASH#

#define PSA_KEY_USAGE_VERIFY_HASH
Value:
((psa_key_usage_t) 0x00002000)

Whether the key may be used to verify a message signature.

This flag allows the key to be used for a MAC verification operation or for an asymmetric signature verification operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the public key.


Definition at line 2624 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_DERIVE#

#define PSA_KEY_USAGE_DERIVE
Value:
((psa_key_usage_t) 0x00004000)

Whether the key may be used to derive other keys or produce a password hash.

This flag allows the key to be used for a key derivation operation or for a key agreement operation, if otherwise permitted by the key's type and policy.

If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_output_bytes() or psa_key_derivation_output_key() at the end of the operation.


Definition at line 2638 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_VERIFY_DERIVATION#

#define PSA_KEY_USAGE_VERIFY_DERIVATION
Value:
((psa_key_usage_t) 0x00008000)

Whether the key may be used to verify the result of a key derivation, including password hashing.

This flag allows the key to be used:

This flag allows the key to be used in a key derivation operation, if otherwise permitted by the key's type and policy.

If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_verify_bytes() or psa_key_derivation_verify_key() at the end of the operation.


Definition at line 2653 of file util/third_party/mbedtls/include/psa/crypto_values.h

PSA_KEY_USAGE_EXPORT#

#define PSA_KEY_USAGE_EXPORT
Value:
((psa_key_usage_t) 0x00000001)

Whether the key may be exported.

A public key or the public part of a key pair may always be exported regardless of the value of this permission flag.

If a key does not have export permission, implementations shall not allow the key to be exported in plain form from the cryptoprocessor, whether through psa_export_key() or through a proprietary interface. The key may however be exportable in a wrapped form, i.e. in a form where it is encrypted by another key.


Definition at line 2528 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_COPY#

#define PSA_KEY_USAGE_COPY
Value:
((psa_key_usage_t) 0x00000002)

Whether the key may be copied.

This flag allows the use of psa_copy_key() to make a copy of the key with the same policy or a more restrictive policy.

For lifetimes for which the key is located in a secure element which enforce the non-exportability of keys, copying a key outside the secure element also requires the usage flag PSA_KEY_USAGE_EXPORT. Copying the key inside the secure element is permitted with just PSA_KEY_USAGE_COPY if the secure element supports it. For keys with the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT, the usage flag PSA_KEY_USAGE_COPY is sufficient to permit the copy.


Definition at line 2544 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_ENCRYPT#

#define PSA_KEY_USAGE_ENCRYPT
Value:
((psa_key_usage_t) 0x00000100)

Whether the key may be used to encrypt a message.

This flag allows the key to be used for a symmetric encryption operation, for an AEAD encryption-and-authentication operation, or for an asymmetric encryption operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the public key.


Definition at line 2555 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_DECRYPT#

#define PSA_KEY_USAGE_DECRYPT
Value:
((psa_key_usage_t) 0x00000200)

Whether the key may be used to decrypt a message.

This flag allows the key to be used for a symmetric decryption operation, for an AEAD decryption-and-verification operation, or for an asymmetric decryption operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the private key.


Definition at line 2566 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_SIGN_MESSAGE#

#define PSA_KEY_USAGE_SIGN_MESSAGE
Value:
((psa_key_usage_t) 0x00000400)

Whether the key may be used to sign a message.

This flag allows the key to be used for a MAC calculation operation or for an asymmetric message signature operation, if otherwise permitted by the key’s type and policy.

For a key pair, this concerns the private key.


Definition at line 2576 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_VERIFY_MESSAGE#

#define PSA_KEY_USAGE_VERIFY_MESSAGE
Value:
((psa_key_usage_t) 0x00000800)

Whether the key may be used to verify a message.

This flag allows the key to be used for a MAC verification operation or for an asymmetric message signature verification operation, if otherwise permitted by the key’s type and policy.

For a key pair, this concerns the public key.


Definition at line 2586 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_SIGN_HASH#

#define PSA_KEY_USAGE_SIGN_HASH
Value:
((psa_key_usage_t) 0x00001000)

Whether the key may be used to sign a message.

This flag allows the key to be used for a MAC calculation operation or for an asymmetric signature operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the private key.


Definition at line 2596 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_VERIFY_HASH#

#define PSA_KEY_USAGE_VERIFY_HASH
Value:
((psa_key_usage_t) 0x00002000)

Whether the key may be used to verify a message signature.

This flag allows the key to be used for a MAC verification operation or for an asymmetric signature verification operation, if otherwise permitted by the key's type and policy.

For a key pair, this concerns the public key.


Definition at line 2606 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_DERIVE#

#define PSA_KEY_USAGE_DERIVE
Value:
((psa_key_usage_t) 0x00004000)

Whether the key may be used to derive other keys or produce a password hash.

This flag allows the key to be used for a key derivation operation or for a key agreement operation, if otherwise permitted by the key's type and policy.

If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_output_bytes() or psa_key_derivation_output_key() at the end of the operation.


Definition at line 2620 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h

PSA_KEY_USAGE_VERIFY_DERIVATION#

#define PSA_KEY_USAGE_VERIFY_DERIVATION
Value:
((psa_key_usage_t) 0x00008000)

Whether the key may be used to verify the result of a key derivation, including password hashing.

This flag allows the key to be used:

This flag allows the key to be used in a key derivation operation, if otherwise permitted by the key's type and policy.

If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_verify_bytes() or psa_key_derivation_verify_key() at the end of the operation.


Definition at line 2635 of file util/third_party/trusted-firmware-m/interface/include/psa/crypto_values.h