
Commit c3177d4

Add usage flags for wrapping keys
1 parent fa0b197 commit c3177d4

2 files changed

+30
-1
lines changed

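--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -1054,8 +1054,10 @@ psa_status_t psa_unwrap_key_to_alternate_lifetime(
 * and authenticity of the key material. In practical terms, the key
 * material is encrypted and authenticated.
 *
-* The policy on the key must have the usage flag
+* The policy on the key to wrap must have the usage flag
 * #PSA_KEY_USAGE_EXPORT_WRAPPED set.
+* The policy on the wrapping key must have the usage flag
+* #PSA_KEY_USAGE_WRAP_OTHER_KEY set.
 *
 * \param wrapping_key Handle to the key to wrap with.
 * \param alg The key wrapping algorithm to compute
@@ -1074,6 +1076,9 @@ psa_status_t psa_unwrap_key_to_alternate_lifetime(
 * handle to a key.
 * \retval #PSA_ERROR_NOT_PERMITTED
 * The key \p handle does not have the #PSA_KEY_USAGE_BACKUP flag.
+* \retval #PSA_ERROR_NOT_PERMITTED
+* The key \p wrapping_key does not have the
+* #PSA_KEY_USAGE_WRAP_OTHER_KEY flag.
 * \retval #PSA_ERROR_INVALID_ARGUMENT
 * \p wrapping_key does not support wrapping key material.
 * \retval #PSA_ERROR_NOT_SUPPORTED
@@ -1105,6 +1110,9 @@ psa_status_t psa_wrap_key_material(psa_key_handle_t wrapping_key,
 /**
 * \brief Import wrapped key material.
 *
+* The policy on the wrapping key must have the usage flag
+* #PSA_KEY_USAGE_UNWRAP_OTHER_KEY set.
+*
 * \param wrapping_key Handle to the key to unwrap with.
 * \param alg The key unwrapping algorithm to compute
 * (\c PSA_ALG_XXX value such that
@@ -1126,6 +1134,9 @@ psa_status_t psa_wrap_key_material(psa_key_handle_t wrapping_key,
 * \retval #PSA_ERROR_ALREADY_EXISTS
 * This is an attempt to create a persistent key, and there is
 * already a persistent key with the given identifier.
+* \retval #PSA_ERROR_NOT_PERMITTED
+* The key \p wrapping_key does not have the
+* #PSA_KEY_USAGE_UNWRAP_OTHER_KEY flag.
 * \retval #PSA_ERROR_INVALID_ARGUMENT
 * The key attributes, as a whole, are invalid.
 * \retval #PSA_ERROR_INVALID_ARGUMENT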
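Review bot: The unchanged `\retval #PSA_ERROR_NOT_PERMITTED` entry in the second hunk still says the key `\p handle` lacks `#PSA_KEY_USAGE_BACKUP`, while the description edited in the first hunk requires `#PSA_KEY_USAGE_EXPORT_WRAPPED` on the key to wrap, so one policy check is documented under two flag names. Only `PSA_KEY_USAGE_BACKUP` is defined in the part of crypto_values.h shown on this page, so the description is presumably the stale side; whichever flag the implementation actually checks, both places should name it, e.g. `* #PSA_KEY_USAGE_BACKUP set.` in the description. The mismatch matters because an integrator reading only one of the two passages may set a usage flag that does not gate export-by-wrapping at all. The doc comments touched here begin and end outside the hunks, so the rest of the parameter and return documentation could not be checked.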

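--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1694,6 +1694,24 @@
 */
 #define PSA_KEY_USAGE_BACKUP ((psa_key_usage_t)0x00000020)
 
+/** Whether the key may be used to wrap another key.
+*
+* This flag allows the key to be used as a wrapping key with
+* psa_wrap_key_material().
+*
+* For a key pair, this concerns the public key.
+*/
+#define PSA_KEY_USAGE_WRAP_OTHER_KEY ((psa_key_usage_t)0x00000040)
+
+/** Whether the key may be used to unwrap another key.
+*
+* This flag allows the key to be used as a wrapping key with
+* psa_unwrap_key_material().
+*
+* For a key pair, this concerns the private key.
+*/
+#define PSA_KEY_USAGE_UNWRAP_OTHER_KEY ((psa_key_usage_t)0x00000080)
+
 /** Whether the key may be used to encrypt a message.
 *
 * This flag allows the key to be used for a symmetric encryption operation,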
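Review bot: The comment on `PSA_KEY_USAGE_UNWRAP_OTHER_KEY` describes the key as "a wrapping key with psa_unwrap_key_material()", which reads as a copy of the wrap flag's text and leaves the direction of the permission unclear. I would word it as `* This flag allows the key to be passed as \c wrapping_key to` / `* psa_unwrap_key_material() in order to unwrap key material.` The name `psa_unwrap_key_material()` does not appear in the crypto.h hunks on this page (the unwrap function's declaration lies outside them), so confirm that the reference resolves. Both comments should also state that neither flag implies the other, so that a key provisioned only for wrapping is not assumed to be able to recover wrapped material.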
