You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: doc/crypto/api/keys/policy.rst
+28-27Lines changed: 28 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -97,11 +97,11 @@ The usage flags are encoded in a bitmask, which has the type `psa_key_usage_t`.
97
97
- `PSA_KEY_USAGE_DERIVE`
98
98
- `PSA_KEY_USAGE_VERIFY_DERIVATION`
99
99
100
-
* The flag `PSA_KEY_USAGE_DERIVE_PUBLIC` it is not checked when calling any of the APIs to carry out a cryptographic operation. However, it is used in the function `psa_check_key_usage` to query if a key is of the correct type for the public role in the specified algorithm, which is may be provided in a buffer and not as a key object. For example PSA_KEY_USAGE_DERIVE_PUBLIC with:
100
+
* The flag `PSA_KEY_USAGE_DERIVE_PUBLIC` it is not checked when calling any of the APIs to carry out a cryptographic operation. However, it is used in the function `psa_check_key_usage()` to query if a key can be used for the public role in the specified algorithm. Note, in some usages the key in the public role is provided in a buffer and not as a key object. For example `PSA_KEY_USAGE_DERIVE_PUBLIC` with:
101
101
102
-
- ``PSA_ALG_ECDH`` checks that the key can be used as the public share in the ECDH key agreement. There are no checks on permssions as this is provided in a buffer.
103
-
- ``PSA_ALG_SPAKE2P_HMAC`` will check that the key can be used in the Verifier role in the SPAKE2+ algorithm. The key must have the `PSA_KEY_USAGE_DERIVE` permission.
104
-
- ``PSA_ALG_HKDF`` is invalid, as there is no such role in single-key derivation algorithms.
102
+
- `PSA_ALG_ECDH` checks that the key can be used as the public share in the ECDH key agreement. There are no checks on permissions as this is provided in a buffer.
103
+
- `PSA_ALG_SPAKE2P_HMAC` will check that the key can be used in the Verifier role in the SPAKE2+ algorithm. The key must have the `PSA_KEY_USAGE_DERIVE` permission.
104
+
- `PSA_ALG_HKDF` is invalid, as there is no such role in single-key derivation algorithms.
105
105
106
106
.. typedef:: uint32_t psa_key_usage_t
107
107
@@ -277,13 +277,13 @@ The usage flags are encoded in a bitmask, which has the type `psa_key_usage_t`.
277
277
:definition: ((psa_key_usage_t)0x00010000)
278
278
279
279
.. summary::
280
-
Used in the `psa_check_key_usage` function to determine if the key can be used in the second key role in PAKE operations.
280
+
Used in the `psa_check_key_usage()` function to determine if the key can be used in the second key role in PAKE operations.
281
281
282
282
.. versionadded:: 1.4
283
283
284
284
This flag is only used with the `psa_check_key_usage` function.
285
285
286
-
As the key in this role is provided in a buffer, this flag is never checked.
286
+
This flag is never checked when performing cryptographic operations.
287
287
288
288
.. function:: psa_set_key_usage_flags
289
289
@@ -324,43 +324,44 @@ The usage flags are encoded in a bitmask, which has the type `psa_key_usage_t`.
324
324
.. function:: psa_check_key_usage
325
325
326
326
.. summary::
327
-
Queries the capabilities of a key.
328
-
329
-
Returns success only if this key object exists and is the correct type for the requested operation and this implementation supports the algorithm and the key has the required permission.
330
-
331
-
That is, if the application were to call the identified operation with this key and with all other parameters correct, the operation should succeed.
332
-
333
-
This function only checks permissions, it does not attempt to perform the operation, so does not use any resources in the cryptographic engine.
334
-
327
+
Query the capability of a key.
335
328
336
329
.. versionadded:: 1.4
337
330
338
331
.. param:: psa_key_id_t key
339
-
a PSA key identifier.
332
+
Identifier of the key to check.
340
333
341
334
.. param:: psa_algorithm_t alg
342
-
a specific algorithm.
335
+
An algorithm identifier: a value of type `psa_algorithm_t`.
343
336
344
337
.. param:: psa_key_usage_t usage
345
-
a single PSA_KEY_USAGE_xxx flag.
338
+
A single PSA_KEY_USAGE_xxx flag.
346
339
347
340
.. return:: psa_status_t
348
341
349
342
.. retval:: PSA_SUCCESS
350
-
``key`` can be used for the requested operation on this implementation. That is the ``alg`` is supported, ``key`` is of the correct type and has the requied permissions for ``useage``.
343
+
``key`` can be used for the requested operation on this implementation.
351
344
352
345
.. retval:: PSA_ERROR_INVALID_ARGUMENT
353
-
Either ``algorithm`` is a wildcard,
354
-
or ``usage`` is an operation that is not algorithm dependent, like COPY or EXPORT.
355
-
or ``key`` is not of the correct type for the operation.
356
-
357
-
.. retval:: PSA_ERROR_NOT_SUPPORTED
358
-
``alg`` and ``useage`` together refer to an operation on an algorithm that is not supported by this implementation.
346
+
* ``alg`` is not a specific cryptographic algorithm. It cannot be a wildcard algorithm.
347
+
* ``usage`` is not a valid role for algorithm ``alg``.
348
+
* ``key`` is not compatible with ``alg`` and ``usage``.
359
349
360
350
.. retval: PSA_ERROR_INVALID_HANDLE:
361
-
``key`` does not exist
351
+
``key`` is not a valid key identifier.
362
352
363
353
.. retval: PSA_ERROR_NOT_PERMITTED
364
-
``key`` does not have the correct permission for the ``useage``
354
+
``key`` does not permit the requested usage.
355
+
356
+
.. retval:: PSA_ERROR_NOT_SUPPORTED
357
+
The implementation does not support using ``key`` with the cryptographic operation associated with ``alg`` and ``usage``.
358
+
359
+
Returns success only if this key object exists, is the correct type for the the operation associated with the algorithm and usage, with the required permission, and this implementation supports this key type for this operation.
360
+
361
+
This function does not attempt to perform the operation, so does not use any resources in the cryptographic engine.
362
+
363
+
The ``alg`` must be a fully specified algorithm, and not a wildcard.
364
+
365
+
The ``useage`` must be a valid role within a cryptographic algorithm. It must not be a non-cryptographiic operation such as `PSA_KEY_USAGE_COPY` or `PSA_KEY_USAGE_EXPORT`.
365
366
366
-
When checking a public key with a usage flag for an operation where the public key is provided as a buffer, for example, the public key in a derive operation, or the counterparty key in a key establishment, then the function indicates that the operation supports this type of key in this role. It ignores permissions, as all public keys can be exported.
367
+
When checking a public key with a usage flag for an operation where the public key is provided as a buffer, the function returns ``PSA_SUCCESS`` if the operation supports this type of key in this role. In these cases, the function does not check THE permissions, as all public keys can be exported. This applies to, for example, using the key as the public key in a key agreement.
0 commit comments