Key attributes

Macros

#define PSA_KEY_ATTRIBUTES_INIT   {PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0}
 
#define PSA_DH_FAMILY_CUSTOM   ((psa_dh_family_t) 0x7e)
 
#define PSA_KEY_DOMAIN_PARAMETERS_SIZE(key_type, key_bits)
 
#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits)    (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 3 /*without optional parts*/)
 
#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits)    (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 2 /*p, g*/ + 34 /*q*/)
 

Typedefs

typedef struct psa_key_attributes_s psa_key_attributes_t
 

Functions

static psa_key_attributes_t psa_key_attributes_init (void)
 
static void psa_set_key_id (psa_key_attributes_t *attributes, psa_key_id_t id)
 
static void psa_set_key_lifetime (psa_key_attributes_t *attributes, psa_key_lifetime_t lifetime)
 
static psa_key_id_t psa_get_key_id (const psa_key_attributes_t *attributes)
 
static psa_key_lifetime_t psa_get_key_lifetime (const psa_key_attributes_t *attributes)
 
static void psa_set_key_usage_flags (psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
 
static psa_key_usage_t psa_get_key_usage_flags (const psa_key_attributes_t *attributes)
 
static void psa_set_key_algorithm (psa_key_attributes_t *attributes, psa_algorithm_t alg)
 
static psa_algorithm_t psa_get_key_algorithm (const psa_key_attributes_t *attributes)
 
static void psa_set_key_type (psa_key_attributes_t *attributes, psa_key_type_t type)
 
static void psa_set_key_bits (psa_key_attributes_t *attributes, size_t bits)
 
static psa_key_type_t psa_get_key_type (const psa_key_attributes_t *attributes)
 
static size_t psa_get_key_bits (const psa_key_attributes_t *attributes)
 
psa_status_t psa_get_key_attributes (psa_key_handle_t handle, psa_key_attributes_t *attributes)
 
void psa_reset_key_attributes (psa_key_attributes_t *attributes)
 
static void psa_set_key_enrollment_algorithm (psa_key_attributes_t *attributes, psa_algorithm_t alg2)
 Declare the enrollment algorithm for a key.
 
static psa_algorithm_t psa_get_key_enrollment_algorithm (const psa_key_attributes_t *attributes)
 
psa_status_t psa_set_key_domain_parameters (psa_key_attributes_t *attributes, psa_key_type_t type, const uint8_t *data, size_t data_length)
 Set domain parameters for a key.
 
psa_status_t psa_get_key_domain_parameters (const psa_key_attributes_t *attributes, uint8_t *data, size_t data_size, size_t *data_length)
 Get domain parameters for a key.
 

Macro Definition Documentation

#define PSA_DH_FAMILY_CUSTOM   ((psa_dh_family_t) 0x7e)

Custom Diffie-Hellman group.

For keys of type PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_CUSTOM) or PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_CUSTOM), the group data comes from domain parameters set by psa_set_key_domain_parameters().

Definition at line 419 of file crypto_extra.h.

#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE (   key_bits)    (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 3 /*without optional parts*/)

Definition at line 552 of file crypto_extra.h.

#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE (   key_bits)    (4 + (PSA_BITS_TO_BYTES(key_bits) + 5) * 2 /*p, g*/ + 34 /*q*/)

Definition at line 554 of file crypto_extra.h.

#define PSA_KEY_ATTRIBUTES_INIT   {PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0}

This macro returns a suitable initializer for a key attribute structure of type psa_key_attributes_t.

Definition at line 426 of file crypto_struct.h.

Referenced by psa_key_attributes_init().

#define PSA_KEY_DOMAIN_PARAMETERS_SIZE (   key_type,
  key_bits 
)
Value:
(PSA_KEY_TYPE_IS_RSA(key_type) ? sizeof(int) : \
0)
#define PSA_DH_KEY_DOMAIN_PARAMETERS_SIZE(key_bits)
Definition: crypto_extra.h:552
#define PSA_DSA_KEY_DOMAIN_PARAMETERS_SIZE(key_bits)
Definition: crypto_extra.h:554
#define PSA_KEY_TYPE_IS_DSA(type)
Definition: crypto_extra.h:351
#define PSA_KEY_TYPE_IS_RSA(type)
Definition: crypto_values.h:419
#define PSA_KEY_TYPE_IS_DH(type)
Definition: crypto_values.h:551

Safe output buffer size for psa_get_key_domain_parameters().

This macro returns a compile-time constant if its arguments are compile-time constants.

Warning
This function may call its arguments multiple times or zero times, so you should not pass arguments that contain side effects.
Note
This is an experimental extension to the interface. It may change in future versions of the library.
Parameters
key_typeA supported key type.
key_bitsThe size of the key in bits.
Returns
If the parameters are valid and supported, return a buffer size in bytes that guarantees that psa_get_key_domain_parameters() will not fail with PSA_ERROR_BUFFER_TOO_SMALL. If the parameters are a valid combination that is not supported by the implementation, this macro shall return either a sensible size or 0. If the parameters are not valid, the return value is unspecified.

Definition at line 547 of file crypto_extra.h.

Typedef Documentation

The type of a structure containing key attributes.

This is an opaque structure that can represent the metadata of a key object. Metadata that can be stored in attributes includes:

  • The location of the key in storage, indicated by its key identifier and its lifetime.
  • The key's policy, comprising usage flags and a specification of the permitted algorithm(s).
  • Information about the key itself: the key type and its size.
  • Implementations may define additional attributes.

The actual key material is not considered an attribute of a key. Key attributes do not contain information that is generally considered highly confidential.

An attribute structure can be a simple data structure where each function psa_set_key_xxx sets a field and the corresponding function psa_get_key_xxx retrieves the value of the corresponding field. However, implementations may report values that are equivalent to the original one, but have a different encoding. For example, an implementation may use a more compact representation for types where many bit-patterns are invalid or not supported, and store all values that it does not support as a special marker value. In such an implementation, after setting an invalid value, the corresponding get function returns an invalid value which may not be the one that was originally stored.

An attribute structure may contain references to auxiliary resources, for example pointers to allocated memory or indirect references to pre-calculated values. In order to free such resources, the application must call psa_reset_key_attributes(). As an exception, calling psa_reset_key_attributes() on an attribute structure is optional if the structure has only been modified by the following functions since it was initialized or last reset with psa_reset_key_attributes():

Before calling any function on a key attribute structure, the application must initialize it by any of the following means:

  • Set the structure to all-bits-zero, for example:
    1 psa_key_attributes_t attributes;
    2 memset(&attributes, 0, sizeof(attributes));
  • Initialize the structure to logical zero values, for example:
    1 psa_key_attributes_t attributes = {0};
  • Initialize the structure to the initializer PSA_KEY_ATTRIBUTES_INIT, for example:
    1 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
  • Assign the result of the function psa_key_attributes_init() to the structure, for example:
    1 psa_key_attributes_t attributes;
    2 attributes = psa_key_attributes_init();

A freshly initialized attribute structure contains the following values:

  • lifetime: PSA_KEY_LIFETIME_VOLATILE.
  • key identifier: 0 (which is not a valid key identifier).
  • type: 0 (meaning that the type is unspecified).
  • key size: 0 (meaning that the size is unspecified).
  • usage flags: 0 (which allows no usage except exporting a public key).
  • algorithm: 0 (which allows no cryptographic usage, but allows exporting).

A typical sequence to create a key is as follows:

  1. Create and initialize an attribute structure.
  2. If the key is persistent, call psa_set_key_id(). Also call psa_set_key_lifetime() to place the key in a non-default location.
  3. Set the key policy with psa_set_key_usage_flags() and psa_set_key_algorithm().
  4. Set the key type with psa_set_key_type(). Skip this step if copying an existing key with psa_copy_key().
  5. When generating a random key with psa_generate_key() or deriving a key with psa_key_derivation_output_key(), set the desired key size with psa_set_key_bits().
  6. Call a key creation function: psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key(). This function reads the attribute structure, creates a key with these attributes, and outputs a handle to the newly created key.
  7. The attribute structure is now no longer necessary. You may call psa_reset_key_attributes(), although this is optional with the workflow presented here because the attributes currently defined in this specification do not require any additional resources beyond the structure itself.

A typical sequence to query a key's attributes is as follows:

  1. Call psa_get_key_attributes().
  2. Call psa_get_key_xxx functions to retrieve the attribute(s) that you are interested in.
  3. Call psa_reset_key_attributes() to free any resources that may be used by the attribute structure.

Once a key has been created, it is impossible to change its attributes.

Definition at line 360 of file crypto_types.h.

Function Documentation

static psa_algorithm_t psa_get_key_algorithm ( const psa_key_attributes_t attributes)
static

Retrieve the algorithm policy from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The algorithm stored in the attribute structure.
psa_status_t psa_get_key_attributes ( psa_key_handle_t  handle,
psa_key_attributes_t attributes 
)

Retrieve the attributes of a key.

This function first resets the attribute structure as with psa_reset_key_attributes(). It then copies the attributes of the given key into the given attribute structure.

Note
This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.
Parameters
[in]handleHandle to the key to query.
[in,out]attributesOn success, the attributes of the key. On failure, equivalent to a freshly-initialized structure.
Return values
PSA_SUCCESS
PSA_ERROR_INVALID_HANDLE
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
static size_t psa_get_key_bits ( const psa_key_attributes_t attributes)
static

Retrieve the key size from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The key size stored in the attribute structure, in bits.
psa_status_t psa_get_key_domain_parameters ( const psa_key_attributes_t attributes,
uint8_t *  data,
size_t  data_size,
size_t *  data_length 
)

Get domain parameters for a key.

Get the domain parameters for a key with this function, if any. The format of the domain parameters written to data is specified in the documentation for psa_set_key_domain_parameters().

Note
This is an experimental extension to the interface. It may change in future versions of the library.
Parameters
[in]attributesThe key attribute structure to query.
[out]dataOn success, the key domain parameters.
data_sizeSize of the data buffer in bytes. The buffer is guaranteed to be large enough if its size in bytes is at least the value given by PSA_KEY_DOMAIN_PARAMETERS_SIZE().
[out]data_lengthOn success, the number of bytes that make up the key domain parameters data.
Return values
PSA_SUCCESS
PSA_ERROR_BUFFER_TOO_SMALL
static psa_algorithm_t psa_get_key_enrollment_algorithm ( const psa_key_attributes_t attributes)
inlinestatic

Retrieve the enrollment algorithm policy from key attributes.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The enrollment algorithm stored in the attribute structure.

Definition at line 79 of file crypto_extra.h.

References psa_key_policy_s::alg2, psa_key_attributes_s::core, and psa_core_key_attributes_t::policy.

static psa_key_id_t psa_get_key_id ( const psa_key_attributes_t attributes)
static

Retrieve the key identifier from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The persistent identifier stored in the attribute structure. This value is unspecified if the attribute structure declares the key as volatile.
static psa_key_lifetime_t psa_get_key_lifetime ( const psa_key_attributes_t attributes)
static

Retrieve the lifetime from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The lifetime value stored in the attribute structure.
static psa_key_type_t psa_get_key_type ( const psa_key_attributes_t attributes)
static

Retrieve the key type from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The key type stored in the attribute structure.
static psa_key_usage_t psa_get_key_usage_flags ( const psa_key_attributes_t attributes)
static

Retrieve the usage flags from key attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate its argument exactly once.

Parameters
[in]attributesThe key attribute structure to query.
Returns
The usage flags stored in the attribute structure.
static psa_key_attributes_t psa_key_attributes_init ( void  )
static

Return an initial value for a key attributes structure.

void psa_reset_key_attributes ( psa_key_attributes_t attributes)

Reset a key attribute structure to a freshly initialized state.

You must initialize the attribute structure as described in the documentation of the type psa_key_attributes_t before calling this function. Once the structure has been initialized, you may call this function at any time.

This function frees any auxiliary resources that the structure may contain.

Parameters
[in,out]attributesThe attribute structure to reset.
static void psa_set_key_algorithm ( psa_key_attributes_t attributes,
psa_algorithm_t  alg 
)
static

Declare the permitted algorithm policy for a key.

The permitted algorithm policy of a key encodes which algorithm or algorithms are permitted to be used with this key. The following algorithm policies are supported:

  • 0 does not allow any cryptographic operation with the key. The key may be used for non-cryptographic actions such as exporting (if permitted by the usage flags).
  • An algorithm value permits this particular algorithm.
  • An algorithm wildcard built from PSA_ALG_ANY_HASH allows the specified signature scheme with any hash algorithm.

This function overwrites any algorithm policy previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]attributesThe attribute structure to write to.
algThe permitted algorithm policy to write.
static void psa_set_key_bits ( psa_key_attributes_t attributes,
size_t  bits 
)
static

Declare the size of a key.

This function overwrites any key size previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]attributesThe attribute structure to write to.
bitsThe key size in bits. If this is 0, the key size in attributes becomes unspecified. Keys of size 0 are not supported.
psa_status_t psa_set_key_domain_parameters ( psa_key_attributes_t attributes,
psa_key_type_t  type,
const uint8_t *  data,
size_t  data_length 
)

Set domain parameters for a key.

Some key types require additional domain parameters in addition to the key type identifier and the key size. Use this function instead of psa_set_key_type() when you need to specify domain parameters.

The format for the required domain parameters varies based on the key type.

  • For RSA keys (PSA_KEY_TYPE_RSA_PUBLIC_KEY or PSA_KEY_TYPE_RSA_KEY_PAIR), the domain parameter data consists of the public exponent, represented as a big-endian integer with no leading zeros. This information is used when generating an RSA key pair. When importing a key, the public exponent is read from the imported key data and the exponent recorded in the attribute structure is ignored. As an exception, the public exponent 65537 is represented by an empty byte string.
  • For DSA keys (PSA_KEY_TYPE_DSA_PUBLIC_KEY or PSA_KEY_TYPE_DSA_KEY_PAIR), the Dss-Parms format as defined by RFC 3279 §2.3.2.

``` Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER }

  • ```
  • ``` DomainParameters ::= SEQUENCE { p INTEGER, – odd prime, p=jq +1 g INTEGER, – generator, g q INTEGER, – factor of p-1 j INTEGER OPTIONAL, – subgroup factor validationParms ValidationParms OPTIONAL } ValidationParms ::= SEQUENCE { seed BIT STRING, pgenCounter INTEGER }
  • ```

    Note
    This function may allocate memory or other resources. Once you have called this function on an attribute structure, you must call psa_reset_key_attributes() to free these resources.
    This is an experimental extension to the interface. It may change in future versions of the library.
    Parameters
    [in,out]attributesAttribute structure where the specified domain parameters will be stored. If this function fails, the content of attributes is not modified.
    typeKey type (a PSA_KEY_TYPE_XXX value).
    [in]dataBuffer containing the key domain parameters. The content of this buffer is interpreted according to type as described above.
    data_lengthSize of the data buffer in bytes.
    Return values
    PSA_SUCCESS
    PSA_ERROR_INVALID_ARGUMENT
    PSA_ERROR_NOT_SUPPORTED
    PSA_ERROR_INSUFFICIENT_MEMORY
static void psa_set_key_enrollment_algorithm ( psa_key_attributes_t attributes,
psa_algorithm_t  alg2 
)
inlinestatic

Declare the enrollment algorithm for a key.

An operation on a key may indifferently use the algorithm set with psa_set_key_algorithm() or with this function.

Parameters
[out]attributesThe attribute structure to write to.
alg2A second algorithm that the key may be used for, in addition to the algorithm set with psa_set_key_algorithm().
Warning
Setting an enrollment algorithm is not recommended, because using the same key with different algorithms can allow some attacks based on arithmetic relations between different computations made with the same key, or can escalate harmless side channels into exploitable ones. Use this function only if it is necessary to support a protocol for which it has been verified that the usage of the key with multiple algorithms is safe.

Definition at line 66 of file crypto_extra.h.

References psa_key_policy_s::alg2, psa_key_attributes_s::core, and psa_core_key_attributes_t::policy.

static void psa_set_key_id ( psa_key_attributes_t attributes,
psa_key_id_t  id 
)
static

Declare a key as persistent and set its key identifier.

If the attribute structure currently declares the key as volatile (which is the default content of an attribute structure), this function sets the lifetime attribute to PSA_KEY_LIFETIME_PERSISTENT.

This function does not access storage, it merely stores the given value in the structure. The persistent key will be written to storage when the attribute structure is passed to a key creation function such as psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key().

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]attributesThe attribute structure to write to.
idThe persistent identifier for the key.
static void psa_set_key_lifetime ( psa_key_attributes_t attributes,
psa_key_lifetime_t  lifetime 
)
static

Set the location of a persistent key.

To make a key persistent, you must give it a persistent key identifier with psa_set_key_id(). By default, a key that has a persistent identifier is stored in the default storage area identifier by PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage area, or to explicitly declare the key as volatile.

This function does not access storage, it merely stores the given value in the structure. The persistent key will be written to storage when the attribute structure is passed to a key creation function such as psa_import_key(), psa_generate_key(), psa_key_derivation_output_key() or psa_copy_key().

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]attributesThe attribute structure to write to.
lifetimeThe lifetime for the key. If this is PSA_KEY_LIFETIME_VOLATILE, the key will be volatile, and the key identifier attribute is reset to 0.
static void psa_set_key_type ( psa_key_attributes_t attributes,
psa_key_type_t  type 
)
static

Declare the type of a key.

This function overwrites any key type previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]attributesThe attribute structure to write to.
typeThe key type to write. If this is 0, the key type in attributes becomes unspecified.
static void psa_set_key_usage_flags ( psa_key_attributes_t attributes,
psa_key_usage_t  usage_flags 
)
static

Declare usage flags for a key.

Usage flags are part of a key's usage policy. They encode what kind of operations are permitted on the key. For more details, refer to the documentation of the type psa_key_usage_t.

This function overwrites any usage flags previously set in attributes.

This function may be declared as static (i.e. without external linkage). This function may be provided as a function-like macro, but in this case it must evaluate each of its arguments exactly once.

Parameters
[out]attributesThe attribute structure to write to.
usage_flagsThe usage flags to write.