1 /**
2 * \file psa/crypto_values.h
3 *
4 * \brief PSA cryptography module: macros to build and analyze integer values.
5 *
6 * \note This file may not be included directly. Applications must
7 * include psa/crypto.h. Drivers must include the appropriate driver
8 * header file.
9 *
10 * This file contains portable definitions of macros to build and analyze
11 * values of integral types that encode properties of cryptographic keys,
12 * designations of cryptographic algorithms, and error codes returned by
13 * the library.
14 *
15 * Note that many of the constants defined in this file are embedded in
16 * the persistent key store, as part of key metadata (including usage
17 * policies). As a consequence, they must not be changed (unless the storage
18 * format version changes).
19 *
20 * This header file only defines preprocessor macros.
21 */
22 /*
23 * Copyright The Mbed TLS Contributors
24 * SPDX-License-Identifier: Apache-2.0
25 *
26 * Licensed under the Apache License, Version 2.0 (the "License"); you may
27 * not use this file except in compliance with the License.
28 * You may obtain a copy of the License at
29 *
30 * http://www.apache.org/licenses/LICENSE-2.0
31 *
32 * Unless required by applicable law or agreed to in writing, software
33 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
34 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
35 * See the License for the specific language governing permissions and
36 * limitations under the License.
37 */
38
39 #ifndef PSA_CRYPTO_VALUES_H
40 #define PSA_CRYPTO_VALUES_H
41 #include "mbedtls/private_access.h"
42
43 /** \defgroup error Error codes
44 * @{
45 */
46
47 /* PSA error codes */
48
49 /* Error codes are standardized across PSA domains (framework, crypto, storage,
50 * etc.). Do not change the values in this section or even the expansions
51 * of each macro: it must be possible to `#include` both this header
52 * and some other PSA component's headers in the same C source,
53 * which will lead to duplicate definitions of the `PSA_SUCCESS` and
54 * `PSA_ERROR_xxx` macros, which is ok if and only if the macros expand
55 * to the same sequence of tokens.
56 *
57 * If you must add a new
58 * value, check with the Arm PSA framework group to pick one that other
59 * domains aren't already using. */
60
61 /** The action was completed successfully. */
62 #define PSA_SUCCESS ((psa_status_t)0)
63
64 /** An error occurred that does not correspond to any defined
65 * failure cause.
66 *
67 * Implementations may use this error code if none of the other standard
68 * error codes are applicable. */
69 #define PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132)
70
71 /** The requested operation or a parameter is not supported
72 * by this implementation.
73 *
74 * Implementations should return this error code when an enumeration
75 * parameter such as a key type, algorithm, etc. is not recognized.
76 * If a combination of parameters is recognized and identified as
77 * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */
78 #define PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134)
79
80 /** The requested action is denied by a policy.
81 *
82 * Implementations should return this error code when the parameters
83 * are recognized as valid and supported, and a policy explicitly
84 * denies the requested operation.
85 *
86 * If a subset of the parameters of a function call identify a
87 * forbidden operation, and another subset of the parameters are
88 * not valid or not supported, it is unspecified whether the function
89 * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or
90 * #PSA_ERROR_INVALID_ARGUMENT. */
91 #define PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133)
92
93 /** An output buffer is too small.
94 *
95 * Applications can call the \c PSA_xxx_SIZE macro listed in the function
96 * description to determine a sufficient buffer size.
97 *
98 * Implementations should preferably return this error code only
99 * in cases when performing the operation with a larger output
100 * buffer would succeed. However implementations may return this
101 * error if a function has invalid or unsupported parameters in addition
102 * to the parameters that determine the necessary output buffer size. */
103 #define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)
104
105 /** Asking for an item that already exists
106 *
107 * Implementations should return this error, when attempting
108 * to write an item (like a key) that already exists. */
109 #define PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139)
110
111 /** Asking for an item that doesn't exist
112 *
113 * Implementations should return this error, if a requested item (like
114 * a key) does not exist. */
115 #define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140)
116
117 /** The requested action cannot be performed in the current state.
118 *
119 * Multipart operations return this error when one of the
120 * functions is called out of sequence. Refer to the function
121 * descriptions for permitted sequencing of functions.
122 *
123 * Implementations shall not return this error code to indicate
124 * that a key either exists or not,
125 * but shall instead return #PSA_ERROR_ALREADY_EXISTS or #PSA_ERROR_DOES_NOT_EXIST
126 * as applicable.
127 *
128 * Implementations shall not return this error code to indicate that a
129 * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
130 * instead. */
131 #define PSA_ERROR_BAD_STATE ((psa_status_t)-137)
132
133 /** The parameters passed to the function are invalid.
134 *
135 * Implementations may return this error any time a parameter or
136 * combination of parameters are recognized as invalid.
137 *
138 * Implementations shall not return this error code to indicate that a
139 * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
140 * instead.
141 */
142 #define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
143
144 /** There is not enough runtime memory.
145 *
146 * If the action is carried out across multiple security realms, this
147 * error can refer to available memory in any of the security realms. */
148 #define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)
149
150 /** There is not enough persistent storage.
151 *
152 * Functions that modify the key storage return this error code if
153 * there is insufficient storage space on the host media. In addition,
154 * many functions that do not otherwise access storage may return this
155 * error code if the implementation requires a mandatory log entry for
156 * the requested action and the log storage space is full. */
157 #define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142)
158
159 /** There was a communication failure inside the implementation.
160 *
161 * This can indicate a communication failure between the application
162 * and an external cryptoprocessor or between the cryptoprocessor and
163 * an external volatile or persistent memory. A communication failure
164 * may be transient or permanent depending on the cause.
165 *
166 * \warning If a function returns this error, it is undetermined
167 * whether the requested action has completed or not. Implementations
168 * should return #PSA_SUCCESS on successful completion whenever
169 * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE
170 * if the requested action was completed successfully in an external
171 * cryptoprocessor but there was a breakdown of communication before
172 * the cryptoprocessor could report the status to the application.
173 */
174 #define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)
175
176 /** There was a storage failure that may have led to data loss.
177 *
178 * This error indicates that some persistent storage is corrupted.
179 * It should not be used for a corruption of volatile memory
180 * (use #PSA_ERROR_CORRUPTION_DETECTED), for a communication error
181 * between the cryptoprocessor and its external storage (use
182 * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is
183 * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE).
184 *
185 * Note that a storage failure does not indicate that any data that was
186 * previously read is invalid. However this previously read data may no
187 * longer be readable from storage.
188 *
189 * When a storage failure occurs, it is no longer possible to ensure
190 * the global integrity of the keystore. Depending on the global
191 * integrity guarantees offered by the implementation, access to other
192 * data may or may not fail even if the data is still readable but
193 * its integrity cannot be guaranteed.
194 *
195 * Implementations should only use this error code to report a
196 * permanent storage corruption. However application writers should
197 * keep in mind that transient errors while reading the storage may be
198 * reported using this error code. */
199 #define PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146)
200
201 /** A hardware failure was detected.
202 *
203 * A hardware failure may be transient or permanent depending on the
204 * cause. */
205 #define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147)
206
207 /** A tampering attempt was detected.
208 *
209 * If an application receives this error code, there is no guarantee
210 * that previously accessed or computed data was correct and remains
211 * confidential. Applications should not perform any security function
212 * and should enter a safe failure state.
213 *
214 * Implementations may return this error code if they detect an invalid
215 * state that cannot happen during normal operation and that indicates
216 * that the implementation's security guarantees no longer hold. Depending
217 * on the implementation architecture and on its security and safety goals,
218 * the implementation may forcibly terminate the application.
219 *
220 * This error code is intended as a last resort when a security breach
221 * is detected and it is unsure whether the keystore data is still
222 * protected. Implementations shall only return this error code
223 * to report an alarm from a tampering detector, to indicate that
224 * the confidentiality of stored data can no longer be guaranteed,
225 * or to indicate that the integrity of previously returned data is now
226 * considered compromised. Implementations shall not use this error code
227 * to indicate a hardware failure that merely makes it impossible to
228 * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE,
229 * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE,
230 * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code
231 * instead).
232 *
233 * This error indicates an attack against the application. Implementations
234 * shall not return this error code as a consequence of the behavior of
235 * the application itself. */
236 #define PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151)
237
238 /** There is not enough entropy to generate random data needed
239 * for the requested action.
240 *
241 * This error indicates a failure of a hardware random generator.
242 * Application writers should note that this error can be returned not
243 * only by functions whose purpose is to generate random data, such
244 * as key, IV or nonce generation, but also by functions that execute
245 * an algorithm with a randomized result, as well as functions that
246 * use randomization of intermediate computations as a countermeasure
247 * to certain attacks.
248 *
249 * Implementations should avoid returning this error after psa_crypto_init()
250 * has succeeded. Implementations should generate sufficient
251 * entropy during initialization and subsequently use a cryptographically
252 * secure pseudorandom generator (PRNG). However implementations may return
253 * this error at any time if a policy requires the PRNG to be reseeded
254 * during normal operation. */
255 #define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)
256
257 /** The signature, MAC or hash is incorrect.
258 *
259 * Verification functions return this error if the verification
260 * calculations completed successfully, and the value to be verified
261 * was determined to be incorrect.
262 *
263 * If the value to verify has an invalid size, implementations may return
264 * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */
265 #define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149)
266
267 /** The decrypted padding is incorrect.
268 *
269 * \warning In some protocols, when decrypting data, it is essential that
270 * the behavior of the application does not depend on whether the padding
271 * is correct, down to precise timing. Applications should prefer
272 * protocols that use authenticated encryption rather than plain
273 * encryption. If the application must perform a decryption of
274 * unauthenticated data, the application writer should take care not
275 * to reveal whether the padding is invalid.
276 *
277 * Implementations should strive to make valid and invalid padding
278 * as close as possible to indistinguishable to an external observer.
279 * In particular, the timing of a decryption operation should not
280 * depend on the validity of the padding. */
281 #define PSA_ERROR_INVALID_PADDING ((psa_status_t)-150)
282
283 /** Return this error when there's insufficient data when attempting
284 * to read from a resource. */
285 #define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
286
287 /** The key identifier is not valid. See also :ref:\`key-handles\`.
288 */
289 #define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
290
291 /** Stored data has been corrupted.
292 *
293 * This error indicates that some persistent storage has suffered corruption.
294 * It does not indicate the following situations, which have specific error
295 * codes:
296 *
297 * - A corruption of volatile memory - use #PSA_ERROR_CORRUPTION_DETECTED.
298 * - A communication error between the cryptoprocessor and its external
299 * storage - use #PSA_ERROR_COMMUNICATION_FAILURE.
300 * - When the storage is in a valid state but is full - use
301 * #PSA_ERROR_INSUFFICIENT_STORAGE.
302 * - When the storage fails for other reasons - use
303 * #PSA_ERROR_STORAGE_FAILURE.
304 * - When the stored data is not valid - use #PSA_ERROR_DATA_INVALID.
305 *
306 * \note A storage corruption does not indicate that any data that was
307 * previously read is invalid. However this previously read data might no
308 * longer be readable from storage.
309 *
310 * When a storage failure occurs, it is no longer possible to ensure the
311 * global integrity of the keystore.
312 */
313 #define PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152)
314
315 /** Data read from storage is not valid for the implementation.
316 *
317 * This error indicates that some data read from storage does not have a valid
318 * format. It does not indicate the following situations, which have specific
319 * error codes:
320 *
321 * - When the storage or stored data is corrupted - use #PSA_ERROR_DATA_CORRUPT
322 * - When the storage fails for other reasons - use #PSA_ERROR_STORAGE_FAILURE
323 * - An invalid argument to the API - use #PSA_ERROR_INVALID_ARGUMENT
324 *
325 * This error is typically a result of either storage corruption on a
326 * cleartext storage backend, or an attempt to read data that was
327 * written by an incompatible version of the library.
328 */
329 #define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
330
331 /**@}*/
332
333 /** \defgroup crypto_types Key and algorithm types
334 * @{
335 */
336
337 /* Note that key type values, including ECC family and DH group values, are
338 * embedded in the persistent key store, as part of key metadata. As a
339 * consequence, they must not be changed (unless the storage format version
340 * changes).
341 */
342
343 /** An invalid key type value.
344 *
345 * Zero is not the encoding of any key type.
346 */
347 #define PSA_KEY_TYPE_NONE ((psa_key_type_t)0x0000)
348
349 /** Vendor-defined key type flag.
350 *
351 * Key types defined by this standard will never have the
352 * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types
353 * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should
354 * respect the bitwise structure used by standard encodings whenever practical.
355 */
356 #define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x8000)
357
358 #define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x7000)
359 #define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t)0x1000)
360 #define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x2000)
361 #define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t)0x4000)
362 #define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t)0x7000)
363
364 #define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x3000)
365
366 /** Whether a key type is vendor-defined.
367 *
368 * See also #PSA_KEY_TYPE_VENDOR_FLAG.
369 */
370 #define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \
371 (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0)
372
373 /** Whether a key type is an unstructured array of bytes.
374 *
375 * This encompasses both symmetric keys and non-key data.
376 */
377 #define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
378 (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \
379 ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
380
381 /** Whether a key type is asymmetric: either a key pair or a public key. */
382 #define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \
383 (((type) & PSA_KEY_TYPE_CATEGORY_MASK \
384 & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == \
385 PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
386 /** Whether a key type is the public part of a key pair. */
387 #define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \
388 (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
389 /** Whether a key type is a key pair containing a private part and a public
390 * part. */
391 #define PSA_KEY_TYPE_IS_KEY_PAIR(type) \
392 (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR)
393 /** The key pair type corresponding to a public key type.
394 *
395 * You may also pass a key pair type as \p type, it will be left unchanged.
396 *
397 * \param type A public key type or key pair type.
398 *
399 * \return The corresponding key pair type.
400 * If \p type is not a public key or a key pair,
401 * the return value is undefined.
402 */
403 #define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type) \
404 ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
405 /** The public key type corresponding to a key pair type.
406 *
407 * You may also pass a key pair type as \p type, it will be left unchanged.
408 *
409 * \param type A public key type or key pair type.
410 *
411 * \return The corresponding public key type.
412 * If \p type is not a public key or a key pair,
413 * the return value is undefined.
414 */
415 #define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) \
416 ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
417
418 /** Raw data.
419 *
420 * A "key" of this type cannot be used for any cryptographic operation.
421 * Applications may use this type to store arbitrary data in the keystore. */
422 #define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x1001)
423
424 /** HMAC key.
425 *
426 * The key policy determines which underlying hash algorithm the key can be
427 * used for.
428 *
429 * HMAC keys should generally have the same size as the underlying hash.
430 * This size can be calculated with #PSA_HASH_LENGTH(\c alg) where
431 * \c alg is the HMAC algorithm or the underlying hash algorithm. */
432 #define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x1100)
433
434 /** A secret for key derivation.
435 *
436 * This key type is for high-entropy secrets only. For low-entropy secrets,
437 * #PSA_KEY_TYPE_PASSWORD should be used instead.
438 *
439 * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_SECRET or
440 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input of key derivation algorithms.
441 *
442 * The key policy determines which key derivation algorithm the key
443 * can be used for.
444 */
445 #define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x1200)
446
447 /** A low-entropy secret for password hashing or key derivation.
448 *
449 * This key type is suitable for passwords and passphrases which are typically
450 * intended to be memorizable by humans, and have a low entropy relative to
451 * their size. It can be used for randomly generated or derived keys with
452 * maximum or near-maximum entropy, but #PSA_KEY_TYPE_DERIVE is more suitable
453 * for such keys. It is not suitable for passwords with extremely low entropy,
454 * such as numerical PINs.
455 *
456 * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_PASSWORD input of
457 * key derivation algorithms. Algorithms that accept such an input were
458 * designed to accept low-entropy secret and are known as password hashing or
459 * key stretching algorithms.
460 *
461 * These keys cannot be used as the #PSA_KEY_DERIVATION_INPUT_SECRET input of
462 * key derivation algorithms, as the algorithms that take such an input expect
463 * it to be high-entropy.
464 *
465 * The key policy determines which key derivation algorithm the key can be
466 * used for, among the permissible subset defined above.
467 */
468 #define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1203)
469
470 /** A secret value that can be used to verify a password hash.
471 *
472 * The key policy determines which key derivation algorithm the key
473 * can be used for, among the same permissible subset as for
474 * #PSA_KEY_TYPE_PASSWORD.
475 */
476 #define PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t)0x1205)
477
478 /** A secret value that can be used in when computing a password hash.
479 *
480 * The key policy determines which key derivation algorithm the key
481 * can be used for, among the subset of algorithms that can use pepper.
482 */
483 #define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1206)
484
485 /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
486 *
487 * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
488 * 32 bytes (AES-256).
489 */
490 #define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400)
491
492 /** Key for a cipher, AEAD or MAC algorithm based on the
493 * ARIA block cipher. */
494 #define PSA_KEY_TYPE_ARIA ((psa_key_type_t)0x2406)
495
496 /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
497 *
498 * The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or
499 * 192 bits (3-key 3DES).
500 *
501 * Note that single DES and 2-key 3DES are weak and strongly
502 * deprecated and should only be used to decrypt legacy data. 3-key 3DES
503 * is weak and deprecated and should only be used in legacy protocols.
504 */
505 #define PSA_KEY_TYPE_DES ((psa_key_type_t)0x2301)
506
507 /** Key for a cipher, AEAD or MAC algorithm based on the
508 * Camellia block cipher. */
509 #define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x2403)
510
511 /** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
512 *
513 * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
514 *
515 * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports
516 * 12-byte nonces.
517 *
518 * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt
519 * with the initial counter value 1, you can process and discard a
520 * 64-byte block before the real data.
521 */
522 #define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x2004)
523
524 /** RSA public key.
525 *
526 * The size of an RSA key is the bit size of the modulus.
527 */
528 #define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x4001)
529 /** RSA key pair (private and public key).
530 *
531 * The size of an RSA key is the bit size of the modulus.
532 */
533 #define PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t)0x7001)
534 /** Whether a key type is an RSA key (pair or public-only). */
535 #define PSA_KEY_TYPE_IS_RSA(type) \
536 (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
537
538 #define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x4100)
539 #define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t)0x7100)
540 #define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff)
541 /** Elliptic curve key pair.
542 *
543 * The size of an elliptic curve key is the bit size associated with the curve,
544 * i.e. the bit size of *q* for a curve over a field *F<sub>q</sub>*.
545 * See the documentation of `PSA_ECC_FAMILY_xxx` curve families for details.
546 *
547 * \param curve A value of type ::psa_ecc_family_t that
548 * identifies the ECC curve to be used.
549 */
550 #define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \
551 (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))
552 /** Elliptic curve public key.
553 *
554 * The size of an elliptic curve public key is the same as the corresponding
555 * private key (see #PSA_KEY_TYPE_ECC_KEY_PAIR and the documentation of
556 * `PSA_ECC_FAMILY_xxx` curve families).
557 *
558 * \param curve A value of type ::psa_ecc_family_t that
559 * identifies the ECC curve to be used.
560 */
561 #define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \
562 (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))
563
564 /** Whether a key type is an elliptic curve key (pair or public-only). */
565 #define PSA_KEY_TYPE_IS_ECC(type) \
566 ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
567 ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
568 /** Whether a key type is an elliptic curve key pair. */
569 #define PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type) \
570 (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
571 PSA_KEY_TYPE_ECC_KEY_PAIR_BASE)
572 /** Whether a key type is an elliptic curve public key. */
573 #define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type) \
574 (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
575 PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
576
577 /** Extract the curve from an elliptic curve key type. */
578 #define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \
579 ((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
580 ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \
581 0))
582
583 /** Check if the curve of given family is Weierstrass elliptic curve. */
584 #define PSA_ECC_FAMILY_IS_WEIERSTRASS(family) ((family & 0xc0) == 0)
585
586 /** SEC Koblitz curves over prime fields.
587 *
588 * This family comprises the following curves:
589 * secp192k1, secp224k1, secp256k1.
590 * They are defined in _Standards for Efficient Cryptography_,
591 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
592 * https://www.secg.org/sec2-v2.pdf
593 */
594 #define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
595
596 /** SEC random curves over prime fields.
597 *
598 * This family comprises the following curves:
599 * secp192k1, secp224r1, secp256r1, secp384r1, secp521r1.
600 * They are defined in _Standards for Efficient Cryptography_,
601 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
602 * https://www.secg.org/sec2-v2.pdf
603 */
604 #define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
605 /* SECP160R2 (SEC2 v1, obsolete) */
606 #define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
607
608 /** SEC Koblitz curves over binary fields.
609 *
610 * This family comprises the following curves:
611 * sect163k1, sect233k1, sect239k1, sect283k1, sect409k1, sect571k1.
612 * They are defined in _Standards for Efficient Cryptography_,
613 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
614 * https://www.secg.org/sec2-v2.pdf
615 */
616 #define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
617
618 /** SEC random curves over binary fields.
619 *
620 * This family comprises the following curves:
621 * sect163r1, sect233r1, sect283r1, sect409r1, sect571r1.
622 * They are defined in _Standards for Efficient Cryptography_,
623 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
624 * https://www.secg.org/sec2-v2.pdf
625 */
626 #define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
627
628 /** SEC additional random curves over binary fields.
629 *
630 * This family comprises the following curve:
631 * sect163r2.
632 * It is defined in _Standards for Efficient Cryptography_,
633 * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
634 * https://www.secg.org/sec2-v2.pdf
635 */
636 #define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
637
638 /** Brainpool P random curves.
639 *
640 * This family comprises the following curves:
641 * brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1,
642 * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
643 * It is defined in RFC 5639.
644 */
645 #define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
646
647 /** Curve25519 and Curve448.
648 *
649 * This family comprises the following Montgomery curves:
650 * - 255-bit: Bernstein et al.,
651 * _Curve25519: new Diffie-Hellman speed records_, LNCS 3958, 2006.
652 * The algorithm #PSA_ALG_ECDH performs X25519 when used with this curve.
653 * - 448-bit: Hamburg,
654 * _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
655 * The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
656 */
657 #define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41)
658
659 /** The twisted Edwards curves Ed25519 and Ed448.
660 *
661 * These curves are suitable for EdDSA (#PSA_ALG_PURE_EDDSA for both curves,
662 * #PSA_ALG_ED25519PH for the 255-bit curve,
663 * #PSA_ALG_ED448PH for the 448-bit curve).
664 *
665 * This family comprises the following twisted Edwards curves:
666 * - 255-bit: Edwards25519, the twisted Edwards curve birationally equivalent
667 * to Curve25519.
668 * Bernstein et al., _Twisted Edwards curves_, Africacrypt 2008.
669 * - 448-bit: Edwards448, the twisted Edwards curve birationally equivalent
670 * to Curve448.
671 * Hamburg, _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
672 */
673 #define PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t) 0x42)
674
675 #define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t)0x4200)
676 #define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t)0x7200)
677 #define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t)0x00ff)
678 /** Diffie-Hellman key pair.
679 *
680 * \param group A value of type ::psa_dh_family_t that identifies the
681 * Diffie-Hellman group to be used.
682 */
683 #define PSA_KEY_TYPE_DH_KEY_PAIR(group) \
684 (PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))
685 /** Diffie-Hellman public key.
686 *
687 * \param group A value of type ::psa_dh_family_t that identifies the
688 * Diffie-Hellman group to be used.
689 */
690 #define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \
691 (PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE | (group))
692
693 /** Whether a key type is a Diffie-Hellman key (pair or public-only). */
694 #define PSA_KEY_TYPE_IS_DH(type) \
695 ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
696 ~PSA_KEY_TYPE_DH_GROUP_MASK) == PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
697 /** Whether a key type is a Diffie-Hellman key pair. */
698 #define PSA_KEY_TYPE_IS_DH_KEY_PAIR(type) \
699 (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
700 PSA_KEY_TYPE_DH_KEY_PAIR_BASE)
701 /** Whether a key type is a Diffie-Hellman public key. */
702 #define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) \
703 (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
704 PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
705
706 /** Extract the group from a Diffie-Hellman key type. */
707 #define PSA_KEY_TYPE_DH_GET_FAMILY(type) \
708 ((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \
709 ((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \
710 0))
711
712 /** Diffie-Hellman groups defined in RFC 7919 Appendix A.
713 *
714 * This family includes groups with the following key sizes (in bits):
715 * 2048, 3072, 4096, 6144, 8192. A given implementation may support
716 * all of these sizes or only a subset.
717 */
718 #define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03)
719
720 #define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \
721 (((type) >> 8) & 7)
722 /** The block size of a block cipher.
723 *
724 * \param type A cipher key type (value of type #psa_key_type_t).
725 *
726 * \return The block size for a block cipher, or 1 for a stream cipher.
727 * The return value is undefined if \p type is not a supported
728 * cipher key type.
729 *
730 * \note It is possible to build stream cipher algorithms on top of a block
731 * cipher, for example CTR mode (#PSA_ALG_CTR).
732 * This macro only takes the key type into account, so it cannot be
733 * used to determine the size of the data that #psa_cipher_update()
734 * might buffer for future processing in general.
735 *
736 * \note This macro returns a compile-time constant if its argument is one.
737 *
738 * \warning This macro may evaluate its argument multiple times.
739 */
740 #define PSA_BLOCK_CIPHER_BLOCK_LENGTH(type) \
741 (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
742 1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \
743 0u)
744
745 /* Note that algorithm values are embedded in the persistent key store,
746 * as part of key metadata. As a consequence, they must not be changed
747 * (unless the storage format version changes).
748 */
749
750 /** Vendor-defined algorithm flag.
751 *
752 * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG
753 * bit set. Vendors who define additional algorithms must use an encoding with
754 * the #PSA_ALG_VENDOR_FLAG bit set and should respect the bitwise structure
755 * used by standard encodings whenever practical.
756 */
757 #define PSA_ALG_VENDOR_FLAG ((psa_algorithm_t)0x80000000)
758
759 #define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t)0x7f000000)
760 #define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x02000000)
761 #define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x03000000)
762 #define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t)0x04000000)
763 #define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x05000000)
764 #define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x06000000)
765 #define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000)
766 #define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000)
767 #define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000)
768
769 /** Whether an algorithm is vendor-defined.
770 *
771 * See also #PSA_ALG_VENDOR_FLAG.
772 */
773 #define PSA_ALG_IS_VENDOR_DEFINED(alg) \
774 (((alg) & PSA_ALG_VENDOR_FLAG) != 0)
775
776 /** Whether the specified algorithm is a hash algorithm.
777 *
778 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
779 *
780 * \return 1 if \p alg is a hash algorithm, 0 otherwise.
781 * This macro may return either 0 or 1 if \p alg is not a supported
782 * algorithm identifier.
783 */
784 #define PSA_ALG_IS_HASH(alg) \
785 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)
786
787 /** Whether the specified algorithm is a MAC algorithm.
788 *
789 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
790 *
791 * \return 1 if \p alg is a MAC algorithm, 0 otherwise.
792 * This macro may return either 0 or 1 if \p alg is not a supported
793 * algorithm identifier.
794 */
795 #define PSA_ALG_IS_MAC(alg) \
796 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC)
797
798 /** Whether the specified algorithm is a symmetric cipher algorithm.
799 *
800 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
801 *
802 * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise.
803 * This macro may return either 0 or 1 if \p alg is not a supported
804 * algorithm identifier.
805 */
806 #define PSA_ALG_IS_CIPHER(alg) \
807 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)
808
809 /** Whether the specified algorithm is an authenticated encryption
810 * with associated data (AEAD) algorithm.
811 *
812 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
813 *
814 * \return 1 if \p alg is an AEAD algorithm, 0 otherwise.
815 * This macro may return either 0 or 1 if \p alg is not a supported
816 * algorithm identifier.
817 */
818 #define PSA_ALG_IS_AEAD(alg) \
819 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD)
820
821 /** Whether the specified algorithm is an asymmetric signature algorithm,
822 * also known as public-key signature algorithm.
823 *
824 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
825 *
826 * \return 1 if \p alg is an asymmetric signature algorithm, 0 otherwise.
827 * This macro may return either 0 or 1 if \p alg is not a supported
828 * algorithm identifier.
829 */
830 #define PSA_ALG_IS_SIGN(alg) \
831 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)
832
833 /** Whether the specified algorithm is an asymmetric encryption algorithm,
834 * also known as public-key encryption algorithm.
835 *
836 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
837 *
838 * \return 1 if \p alg is an asymmetric encryption algorithm, 0 otherwise.
839 * This macro may return either 0 or 1 if \p alg is not a supported
840 * algorithm identifier.
841 */
842 #define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg) \
843 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION)
844
845 /** Whether the specified algorithm is a key agreement algorithm.
846 *
847 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
848 *
849 * \return 1 if \p alg is a key agreement algorithm, 0 otherwise.
850 * This macro may return either 0 or 1 if \p alg is not a supported
851 * algorithm identifier.
852 */
853 #define PSA_ALG_IS_KEY_AGREEMENT(alg) \
854 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_AGREEMENT)
855
856 /** Whether the specified algorithm is a key derivation algorithm.
857 *
858 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
859 *
860 * \return 1 if \p alg is a key derivation algorithm, 0 otherwise.
861 * This macro may return either 0 or 1 if \p alg is not a supported
862 * algorithm identifier.
863 */
864 #define PSA_ALG_IS_KEY_DERIVATION(alg) \
865 (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION)
866
867 /** Whether the specified algorithm is a key stretching / password hashing
868 * algorithm.
869 *
870 * A key stretching / password hashing algorithm is a key derivation algorithm
871 * that is suitable for use with a low-entropy secret such as a password.
872 * Equivalently, it's a key derivation algorithm that uses a
873 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input step.
874 *
875 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
876 *
877 * \return 1 if \p alg is a key stretching / password hashing algorithm, 0
878 * otherwise. This macro may return either 0 or 1 if \p alg is not a
879 * supported algorithm identifier.
880 */
881 #define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) \
882 (PSA_ALG_IS_KEY_DERIVATION(alg) && \
883 (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)
884
885 /** An invalid algorithm identifier value. */
886 #define PSA_ALG_NONE ((psa_algorithm_t)0)
887
888 #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
889 /** MD5 */
890 #define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)
891 /** PSA_ALG_RIPEMD160 */
892 #define PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x02000004)
893 /** SHA1 */
894 #define PSA_ALG_SHA_1 ((psa_algorithm_t)0x02000005)
895 /** SHA2-224 */
896 #define PSA_ALG_SHA_224 ((psa_algorithm_t)0x02000008)
897 /** SHA2-256 */
898 #define PSA_ALG_SHA_256 ((psa_algorithm_t)0x02000009)
899 /** SHA2-384 */
900 #define PSA_ALG_SHA_384 ((psa_algorithm_t)0x0200000a)
901 /** SHA2-512 */
902 #define PSA_ALG_SHA_512 ((psa_algorithm_t)0x0200000b)
903 /** SHA2-512/224 */
904 #define PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0200000c)
905 /** SHA2-512/256 */
906 #define PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0200000d)
907 /** SHA3-224 */
908 #define PSA_ALG_SHA3_224 ((psa_algorithm_t)0x02000010)
909 /** SHA3-256 */
910 #define PSA_ALG_SHA3_256 ((psa_algorithm_t)0x02000011)
911 /** SHA3-384 */
912 #define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012)
913 /** SHA3-512 */
914 #define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013)
915 /** The first 512 bits (64 bytes) of the SHAKE256 output.
916 *
917 * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other
918 * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512
919 * has the same output size and a (theoretically) higher security strength.
920 */
921 #define PSA_ALG_SHAKE256_512 ((psa_algorithm_t)0x02000015)
922
923 /** In a hash-and-sign algorithm policy, allow any hash algorithm.
924 *
925 * This value may be used to form the algorithm usage field of a policy
926 * for a signature algorithm that is parametrized by a hash. The key
927 * may then be used to perform operations using the same signature
928 * algorithm parametrized with any supported hash.
929 *
930 * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
931 * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT,
932 * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
933 * Then you may create and use a key as follows:
934 * - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
935 * ```
936 * psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); // or VERIFY
937 * psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));
938 * ```
939 * - Import or generate key material.
940 * - Call psa_sign_hash() or psa_verify_hash(), passing
941 * an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
942 * call to sign or verify a message may use a different hash.
943 * ```
944 * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
945 * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
946 * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
947 * ```
948 *
949 * This value may not be used to build other algorithms that are
950 * parametrized over a hash. For any valid use of this macro to build
951 * an algorithm \c alg, #PSA_ALG_IS_HASH_AND_SIGN(\c alg) is true.
952 *
953 * This value may not be used to build an algorithm specification to
954 * perform an operation. It is only valid to build policies.
955 */
956 #define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff)
957
958 #define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t)0x00c00000)
959 #define PSA_ALG_HMAC_BASE ((psa_algorithm_t)0x03800000)
960 /** Macro to build an HMAC algorithm.
961 *
962 * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256.
963 *
964 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
965 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
966 *
967 * \return The corresponding HMAC algorithm.
968 * \return Unspecified if \p hash_alg is not a supported
969 * hash algorithm.
970 */
971 #define PSA_ALG_HMAC(hash_alg) \
972 (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
973
974 #define PSA_ALG_HMAC_GET_HASH(hmac_alg) \
975 (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK))
976
977 /** Whether the specified algorithm is an HMAC algorithm.
978 *
979 * HMAC is a family of MAC algorithms that are based on a hash function.
980 *
981 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
982 *
983 * \return 1 if \p alg is an HMAC algorithm, 0 otherwise.
984 * This macro may return either 0 or 1 if \p alg is not a supported
985 * algorithm identifier.
986 */
987 #define PSA_ALG_IS_HMAC(alg) \
988 (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
989 PSA_ALG_HMAC_BASE)
990
991 /* In the encoding of a MAC algorithm, the bits corresponding to
992 * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is
993 * truncated. As an exception, the value 0 means the untruncated algorithm,
994 * whatever its length is. The length is encoded in 6 bits, so it can
995 * reach up to 63; the largest MAC is 64 bytes so its trivial truncation
996 * to full length is correctly encoded as 0 and any non-trivial truncation
997 * is correctly encoded as a value between 1 and 63. */
998 #define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t)0x003f0000)
999 #define PSA_MAC_TRUNCATION_OFFSET 16
1000
1001 /* In the encoding of a MAC algorithm, the bit corresponding to
1002 * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
1003 * is a wildcard algorithm. A key with such wildcard algorithm as permitted
1004 * algorithm policy can be used with any algorithm corresponding to the
1005 * same base class and having a (potentially truncated) MAC length greater or
1006 * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */
1007 #define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000)
1008
1009 /** Macro to build a truncated MAC algorithm.
1010 *
1011 * A truncated MAC algorithm is identical to the corresponding MAC
1012 * algorithm except that the MAC value for the truncated algorithm
1013 * consists of only the first \p mac_length bytes of the MAC value
1014 * for the untruncated algorithm.
1015 *
1016 * \note This macro may allow constructing algorithm identifiers that
1017 * are not valid, either because the specified length is larger
1018 * than the untruncated MAC or because the specified length is
1019 * smaller than permitted by the implementation.
1020 *
1021 * \note It is implementation-defined whether a truncated MAC that
1022 * is truncated to the same length as the MAC of the untruncated
1023 * algorithm is considered identical to the untruncated algorithm
1024 * for policy comparison purposes.
1025 *
1026 * \param mac_alg A MAC algorithm identifier (value of type
1027 * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1028 * is true). This may be a truncated or untruncated
1029 * MAC algorithm.
1030 * \param mac_length Desired length of the truncated MAC in bytes.
1031 * This must be at most the full length of the MAC
1032 * and must be at least an implementation-specified
1033 * minimum. The implementation-specified minimum
1034 * shall not be zero.
1035 *
1036 * \return The corresponding MAC algorithm with the specified
1037 * length.
1038 * \return Unspecified if \p mac_alg is not a supported
1039 * MAC algorithm or if \p mac_length is too small or
1040 * too large for the specified MAC algorithm.
1041 */
1042 #define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \
1043 (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
1044 PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \
1045 ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK))
1046
1047 /** Macro to build the base MAC algorithm corresponding to a truncated
1048 * MAC algorithm.
1049 *
1050 * \param mac_alg A MAC algorithm identifier (value of type
1051 * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1052 * is true). This may be a truncated or untruncated
1053 * MAC algorithm.
1054 *
1055 * \return The corresponding base MAC algorithm.
1056 * \return Unspecified if \p mac_alg is not a supported
1057 * MAC algorithm.
1058 */
1059 #define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \
1060 ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
1061 PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG))
1062
1063 /** Length to which a MAC algorithm is truncated.
1064 *
1065 * \param mac_alg A MAC algorithm identifier (value of type
1066 * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1067 * is true).
1068 *
1069 * \return Length of the truncated MAC in bytes.
1070 * \return 0 if \p mac_alg is a non-truncated MAC algorithm.
1071 * \return Unspecified if \p mac_alg is not a supported
1072 * MAC algorithm.
1073 */
1074 #define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \
1075 (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET)
1076
1077 /** Macro to build a MAC minimum-MAC-length wildcard algorithm.
1078 *
1079 * A minimum-MAC-length MAC wildcard algorithm permits all MAC algorithms
1080 * sharing the same base algorithm, and where the (potentially truncated) MAC
1081 * length of the specific algorithm is equal to or larger then the wildcard
1082 * algorithm's minimum MAC length.
1083 *
1084 * \note When setting the minimum required MAC length to less than the
1085 * smallest MAC length allowed by the base algorithm, this effectively
1086 * becomes an 'any-MAC-length-allowed' policy for that base algorithm.
1087 *
1088 * \param mac_alg A MAC algorithm identifier (value of type
1089 * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1090 * is true).
1091 * \param min_mac_length Desired minimum length of the message authentication
1092 * code in bytes. This must be at most the untruncated
1093 * length of the MAC and must be at least 1.
1094 *
1095 * \return The corresponding MAC wildcard algorithm with the
1096 * specified minimum length.
1097 * \return Unspecified if \p mac_alg is not a supported MAC
1098 * algorithm or if \p min_mac_length is less than 1 or
1099 * too large for the specified MAC algorithm.
1100 */
1101 #define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \
1102 ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | \
1103 PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG )
1104
1105 #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000)
1106 /** The CBC-MAC construction over a block cipher
1107 *
1108 * \warning CBC-MAC is insecure in many cases.
1109 * A more secure mode, such as #PSA_ALG_CMAC, is recommended.
1110 */
1111 #define PSA_ALG_CBC_MAC ((psa_algorithm_t)0x03c00100)
1112 /** The CMAC construction over a block cipher */
1113 #define PSA_ALG_CMAC ((psa_algorithm_t)0x03c00200)
1114
1115 /** Whether the specified algorithm is a MAC algorithm based on a block cipher.
1116 *
1117 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1118 *
1119 * \return 1 if \p alg is a MAC algorithm based on a block cipher, 0 otherwise.
1120 * This macro may return either 0 or 1 if \p alg is not a supported
1121 * algorithm identifier.
1122 */
1123 #define PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) \
1124 (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
1125 PSA_ALG_CIPHER_MAC_BASE)
1126
1127 #define PSA_ALG_CIPHER_STREAM_FLAG ((psa_algorithm_t)0x00800000)
1128 #define PSA_ALG_CIPHER_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000)
1129
1130 /** Whether the specified algorithm is a stream cipher.
1131 *
1132 * A stream cipher is a symmetric cipher that encrypts or decrypts messages
1133 * by applying a bitwise-xor with a stream of bytes that is generated
1134 * from a key.
1135 *
1136 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1137 *
1138 * \return 1 if \p alg is a stream cipher algorithm, 0 otherwise.
1139 * This macro may return either 0 or 1 if \p alg is not a supported
1140 * algorithm identifier or if it is not a symmetric cipher algorithm.
1141 */
1142 #define PSA_ALG_IS_STREAM_CIPHER(alg) \
1143 (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \
1144 (PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG))
1145
1146 /** The stream cipher mode of a stream cipher algorithm.
1147 *
1148 * The underlying stream cipher is determined by the key type.
1149 * - To use ChaCha20, use a key type of #PSA_KEY_TYPE_CHACHA20.
1150 */
1151 #define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t)0x04800100)
1152
1153 /** The CTR stream cipher mode.
1154 *
1155 * CTR is a stream cipher which is built from a block cipher.
1156 * The underlying block cipher is determined by the key type.
1157 * For example, to use AES-128-CTR, use this algorithm with
1158 * a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes).
1159 */
1160 #define PSA_ALG_CTR ((psa_algorithm_t)0x04c01000)
1161
1162 /** The CFB stream cipher mode.
1163 *
1164 * The underlying block cipher is determined by the key type.
1165 */
1166 #define PSA_ALG_CFB ((psa_algorithm_t)0x04c01100)
1167
1168 /** The OFB stream cipher mode.
1169 *
1170 * The underlying block cipher is determined by the key type.
1171 */
1172 #define PSA_ALG_OFB ((psa_algorithm_t)0x04c01200)
1173
1174 /** The XTS cipher mode.
1175 *
1176 * XTS is a cipher mode which is built from a block cipher. It requires at
1177 * least one full block of input, but beyond this minimum the input
1178 * does not need to be a whole number of blocks.
1179 */
1180 #define PSA_ALG_XTS ((psa_algorithm_t)0x0440ff00)
1181
1182 /** The Electronic Code Book (ECB) mode of a block cipher, with no padding.
1183 *
1184 * \warning ECB mode does not protect the confidentiality of the encrypted data
1185 * except in extremely narrow circumstances. It is recommended that applications
1186 * only use ECB if they need to construct an operating mode that the
1187 * implementation does not provide. Implementations are encouraged to provide
1188 * the modes that applications need in preference to supporting direct access
1189 * to ECB.
1190 *
1191 * The underlying block cipher is determined by the key type.
1192 *
1193 * This symmetric cipher mode can only be used with messages whose lengths are a
1194 * multiple of the block size of the chosen block cipher.
1195 *
1196 * ECB mode does not accept an initialization vector (IV). When using a
1197 * multi-part cipher operation with this algorithm, psa_cipher_generate_iv()
1198 * and psa_cipher_set_iv() must not be called.
1199 */
1200 #define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t)0x04404400)
1201
1202 /** The CBC block cipher chaining mode, with no padding.
1203 *
1204 * The underlying block cipher is determined by the key type.
1205 *
1206 * This symmetric cipher mode can only be used with messages whose lengths
1207 * are whole number of blocks for the chosen block cipher.
1208 */
1209 #define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04404000)
1210
1211 /** The CBC block cipher chaining mode with PKCS#7 padding.
1212 *
1213 * The underlying block cipher is determined by the key type.
1214 *
1215 * This is the padding method defined by PKCS#7 (RFC 2315) §10.3.
1216 */
1217 #define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04404100)
1218
1219 #define PSA_ALG_AEAD_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000)
1220
1221 /** Whether the specified algorithm is an AEAD mode on a block cipher.
1222 *
1223 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1224 *
1225 * \return 1 if \p alg is an AEAD algorithm which is an AEAD mode based on
1226 * a block cipher, 0 otherwise.
1227 * This macro may return either 0 or 1 if \p alg is not a supported
1228 * algorithm identifier.
1229 */
1230 #define PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) \
1231 (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_AEAD_FROM_BLOCK_FLAG)) == \
1232 (PSA_ALG_CATEGORY_AEAD | PSA_ALG_AEAD_FROM_BLOCK_FLAG))
1233
1234 /** The CCM authenticated encryption algorithm.
1235 *
1236 * The underlying block cipher is determined by the key type.
1237 */
1238 #define PSA_ALG_CCM ((psa_algorithm_t)0x05500100)
1239
1240 /** The CCM* cipher mode without authentication.
1241 *
1242 * This is CCM* as specified in IEEE 802.15.4 §7, with a tag length of 0.
1243 * For CCM* with a nonzero tag length, use the AEAD algorithm #PSA_ALG_CCM.
1244 *
1245 * The underlying block cipher is determined by the key type.
1246 *
1247 * Currently only 13-byte long IV's are supported.
1248 */
1249 #define PSA_ALG_CCM_STAR_NO_TAG ((psa_algorithm_t)0x04c01300)
1250
1251 /** The GCM authenticated encryption algorithm.
1252 *
1253 * The underlying block cipher is determined by the key type.
1254 */
1255 #define PSA_ALG_GCM ((psa_algorithm_t)0x05500200)
1256
1257 /** The Chacha20-Poly1305 AEAD algorithm.
1258 *
1259 * The ChaCha20_Poly1305 construction is defined in RFC 7539.
1260 *
1261 * Implementations must support 12-byte nonces, may support 8-byte nonces,
1262 * and should reject other sizes.
1263 *
1264 * Implementations must support 16-byte tags and should reject other sizes.
1265 */
1266 #define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500)
1267
1268 /* In the encoding of an AEAD algorithm, the bits corresponding to
1269 * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag.
1270 * The constants for default lengths follow this encoding.
1271 */
1272 #define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t)0x003f0000)
1273 #define PSA_AEAD_TAG_LENGTH_OFFSET 16
1274
1275 /* In the encoding of an AEAD algorithm, the bit corresponding to
1276 * #PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
1277 * is a wildcard algorithm. A key with such wildcard algorithm as permitted
1278 * algorithm policy can be used with any algorithm corresponding to the
1279 * same base class and having a tag length greater than or equal to the one
1280 * encoded in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */
1281 #define PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000)
1282
1283 /** Macro to build a shortened AEAD algorithm.
1284 *
1285 * A shortened AEAD algorithm is similar to the corresponding AEAD
1286 * algorithm, but has an authentication tag that consists of fewer bytes.
1287 * Depending on the algorithm, the tag length may affect the calculation
1288 * of the ciphertext.
1289 *
1290 * \param aead_alg An AEAD algorithm identifier (value of type
1291 * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
1292 * is true).
1293 * \param tag_length Desired length of the authentication tag in bytes.
1294 *
1295 * \return The corresponding AEAD algorithm with the specified
1296 * length.
1297 * \return Unspecified if \p aead_alg is not a supported
1298 * AEAD algorithm or if \p tag_length is not valid
1299 * for the specified AEAD algorithm.
1300 */
1301 #define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \
1302 (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | \
1303 PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \
1304 ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \
1305 PSA_ALG_AEAD_TAG_LENGTH_MASK))
1306
1307 /** Retrieve the tag length of a specified AEAD algorithm
1308 *
1309 * \param aead_alg An AEAD algorithm identifier (value of type
1310 * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
1311 * is true).
1312 *
1313 * \return The tag length specified by the input algorithm.
1314 * \return Unspecified if \p aead_alg is not a supported
1315 * AEAD algorithm.
1316 */
1317 #define PSA_ALG_AEAD_GET_TAG_LENGTH(aead_alg) \
1318 (((aead_alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> \
1319 PSA_AEAD_TAG_LENGTH_OFFSET )
1320
1321 /** Calculate the corresponding AEAD algorithm with the default tag length.
1322 *
1323 * \param aead_alg An AEAD algorithm (\c PSA_ALG_XXX value such that
1324 * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
1325 *
1326 * \return The corresponding AEAD algorithm with the default
1327 * tag length for that algorithm.
1328 */
1329 #define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(aead_alg) \
1330 ( \
1331 PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CCM) \
1332 PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_GCM) \
1333 PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \
1334 0)
1335 #define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, ref) \
1336 PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, 0) == \
1337 PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \
1338 ref :
1339
1340 /** Macro to build an AEAD minimum-tag-length wildcard algorithm.
1341 *
1342 * A minimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms
1343 * sharing the same base algorithm, and where the tag length of the specific
1344 * algorithm is equal to or larger then the minimum tag length specified by the
1345 * wildcard algorithm.
1346 *
1347 * \note When setting the minimum required tag length to less than the
1348 * smallest tag length allowed by the base algorithm, this effectively
1349 * becomes an 'any-tag-length-allowed' policy for that base algorithm.
1350 *
1351 * \param aead_alg An AEAD algorithm identifier (value of type
1352 * #psa_algorithm_t such that
1353 * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
1354 * \param min_tag_length Desired minimum length of the authentication tag in
1355 * bytes. This must be at least 1 and at most the largest
1356 * allowed tag length of the algorithm.
1357 *
1358 * \return The corresponding AEAD wildcard algorithm with the
1359 * specified minimum length.
1360 * \return Unspecified if \p aead_alg is not a supported
1361 * AEAD algorithm or if \p min_tag_length is less than 1
1362 * or too large for the specified AEAD algorithm.
1363 */
1364 #define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \
1365 ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | \
1366 PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG )
1367
1368 #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200)
1369 /** RSA PKCS#1 v1.5 signature with hashing.
1370 *
1371 * This is the signature scheme defined by RFC 8017
1372 * (PKCS#1: RSA Cryptography Specifications) under the name
1373 * RSASSA-PKCS1-v1_5.
1374 *
1375 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1376 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1377 * This includes #PSA_ALG_ANY_HASH
1378 * when specifying the algorithm in a usage policy.
1379 *
1380 * \return The corresponding RSA PKCS#1 v1.5 signature algorithm.
1381 * \return Unspecified if \p hash_alg is not a supported
1382 * hash algorithm.
1383 */
1384 #define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) \
1385 (PSA_ALG_RSA_PKCS1V15_SIGN_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1386 /** Raw PKCS#1 v1.5 signature.
1387 *
1388 * The input to this algorithm is the DigestInfo structure used by
1389 * RFC 8017 (PKCS#1: RSA Cryptography Specifications), §9.2
1390 * steps 3–6.
1391 */
1392 #define PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PKCS1V15_SIGN_BASE
1393 #define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) \
1394 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
1395
1396 #define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300)
1397 #define PSA_ALG_RSA_PSS_ANY_SALT_BASE ((psa_algorithm_t)0x06001300)
1398 /** RSA PSS signature with hashing.
1399 *
1400 * This is the signature scheme defined by RFC 8017
1401 * (PKCS#1: RSA Cryptography Specifications) under the name
1402 * RSASSA-PSS, with the message generation function MGF1, and with
1403 * a salt length equal to the length of the hash, or the largest
1404 * possible salt length for the algorithm and key size if that is
1405 * smaller than the hash length. The specified hash algorithm is
1406 * used to hash the input message, to create the salted hash, and
1407 * for the mask generation.
1408 *
1409 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1410 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1411 * This includes #PSA_ALG_ANY_HASH
1412 * when specifying the algorithm in a usage policy.
1413 *
1414 * \return The corresponding RSA PSS signature algorithm.
1415 * \return Unspecified if \p hash_alg is not a supported
1416 * hash algorithm.
1417 */
1418 #define PSA_ALG_RSA_PSS(hash_alg) \
1419 (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1420
1421 /** RSA PSS signature with hashing with relaxed verification.
1422 *
1423 * This algorithm has the same behavior as #PSA_ALG_RSA_PSS when signing,
1424 * but allows an arbitrary salt length (including \c 0) when verifying a
1425 * signature.
1426 *
1427 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1428 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1429 * This includes #PSA_ALG_ANY_HASH
1430 * when specifying the algorithm in a usage policy.
1431 *
1432 * \return The corresponding RSA PSS signature algorithm.
1433 * \return Unspecified if \p hash_alg is not a supported
1434 * hash algorithm.
1435 */
1436 #define PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) \
1437 (PSA_ALG_RSA_PSS_ANY_SALT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1438
1439 /** Whether the specified algorithm is RSA PSS with standard salt.
1440 *
1441 * \param alg An algorithm value or an algorithm policy wildcard.
1442 *
1443 * \return 1 if \p alg is of the form
1444 * #PSA_ALG_RSA_PSS(\c hash_alg),
1445 * where \c hash_alg is a hash algorithm or
1446 * #PSA_ALG_ANY_HASH. 0 otherwise.
1447 * This macro may return either 0 or 1 if \p alg is not
1448 * a supported algorithm identifier or policy.
1449 */
1450 #define PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) \
1451 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
1452
1453 /** Whether the specified algorithm is RSA PSS with any salt.
1454 *
1455 * \param alg An algorithm value or an algorithm policy wildcard.
1456 *
1457 * \return 1 if \p alg is of the form
1458 * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
1459 * where \c hash_alg is a hash algorithm or
1460 * #PSA_ALG_ANY_HASH. 0 otherwise.
1461 * This macro may return either 0 or 1 if \p alg is not
1462 * a supported algorithm identifier or policy.
1463 */
1464 #define PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) \
1465 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_ANY_SALT_BASE)
1466
1467 /** Whether the specified algorithm is RSA PSS.
1468 *
1469 * This includes any of the RSA PSS algorithm variants, regardless of the
1470 * constraints on salt length.
1471 *
1472 * \param alg An algorithm value or an algorithm policy wildcard.
1473 *
1474 * \return 1 if \p alg is of the form
1475 * #PSA_ALG_RSA_PSS(\c hash_alg) or
1476 * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
1477 * where \c hash_alg is a hash algorithm or
1478 * #PSA_ALG_ANY_HASH. 0 otherwise.
1479 * This macro may return either 0 or 1 if \p alg is not
1480 * a supported algorithm identifier or policy.
1481 */
1482 #define PSA_ALG_IS_RSA_PSS(alg) \
1483 (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) || \
1484 PSA_ALG_IS_RSA_PSS_ANY_SALT(alg))
1485
1486 #define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)
1487 /** ECDSA signature with hashing.
1488 *
1489 * This is the ECDSA signature scheme defined by ANSI X9.62,
1490 * with a random per-message secret number (*k*).
1491 *
1492 * The representation of the signature as a byte string consists of
1493 * the concatenation of the signature values *r* and *s*. Each of
1494 * *r* and *s* is encoded as an *N*-octet string, where *N* is the length
1495 * of the base point of the curve in octets. Each value is represented
1496 * in big-endian order (most significant octet first).
1497 *
1498 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1499 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1500 * This includes #PSA_ALG_ANY_HASH
1501 * when specifying the algorithm in a usage policy.
1502 *
1503 * \return The corresponding ECDSA signature algorithm.
1504 * \return Unspecified if \p hash_alg is not a supported
1505 * hash algorithm.
1506 */
1507 #define PSA_ALG_ECDSA(hash_alg) \
1508 (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1509 /** ECDSA signature without hashing.
1510 *
1511 * This is the same signature scheme as #PSA_ALG_ECDSA(), but
1512 * without specifying a hash algorithm. This algorithm may only be
1513 * used to sign or verify a sequence of bytes that should be an
1514 * already-calculated hash. Note that the input is padded with
1515 * zeros on the left or truncated on the left as required to fit
1516 * the curve size.
1517 */
1518 #define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE
1519 #define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t)0x06000700)
1520 /** Deterministic ECDSA signature with hashing.
1521 *
1522 * This is the deterministic ECDSA signature scheme defined by RFC 6979.
1523 *
1524 * The representation of a signature is the same as with #PSA_ALG_ECDSA().
1525 *
1526 * Note that when this algorithm is used for verification, signatures
1527 * made with randomized ECDSA (#PSA_ALG_ECDSA(\p hash_alg)) with the
1528 * same private key are accepted. In other words,
1529 * #PSA_ALG_DETERMINISTIC_ECDSA(\p hash_alg) differs from
1530 * #PSA_ALG_ECDSA(\p hash_alg) only for signature, not for verification.
1531 *
1532 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1533 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1534 * This includes #PSA_ALG_ANY_HASH
1535 * when specifying the algorithm in a usage policy.
1536 *
1537 * \return The corresponding deterministic ECDSA signature
1538 * algorithm.
1539 * \return Unspecified if \p hash_alg is not a supported
1540 * hash algorithm.
1541 */
1542 #define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) \
1543 (PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1544 #define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t)0x00000100)
1545 #define PSA_ALG_IS_ECDSA(alg) \
1546 (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_ECDSA_DETERMINISTIC_FLAG) == \
1547 PSA_ALG_ECDSA_BASE)
1548 #define PSA_ALG_ECDSA_IS_DETERMINISTIC(alg) \
1549 (((alg) & PSA_ALG_ECDSA_DETERMINISTIC_FLAG) != 0)
1550 #define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) \
1551 (PSA_ALG_IS_ECDSA(alg) && PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
1552 #define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) \
1553 (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
1554
1555 /** Edwards-curve digital signature algorithm without prehashing (PureEdDSA),
1556 * using standard parameters.
1557 *
1558 * Contexts are not supported in the current version of this specification
1559 * because there is no suitable signature interface that can take the
1560 * context as a parameter. A future version of this specification may add
1561 * suitable functions and extend this algorithm to support contexts.
1562 *
1563 * PureEdDSA requires an elliptic curve key on a twisted Edwards curve.
1564 * In this specification, the following curves are supported:
1565 * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 255-bit: Ed25519 as specified
1566 * in RFC 8032.
1567 * The curve is Edwards25519.
1568 * The hash function used internally is SHA-512.
1569 * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 448-bit: Ed448 as specified
1570 * in RFC 8032.
1571 * The curve is Edwards448.
1572 * The hash function used internally is the first 114 bytes of the
1573 * SHAKE256 output.
1574 *
1575 * This algorithm can be used with psa_sign_message() and
1576 * psa_verify_message(). Since there is no prehashing, it cannot be used
1577 * with psa_sign_hash() or psa_verify_hash().
1578 *
1579 * The signature format is the concatenation of R and S as defined by
1580 * RFC 8032 §5.1.6 and §5.2.6 (a 64-byte string for Ed25519, a 114-byte
1581 * string for Ed448).
1582 */
1583 #define PSA_ALG_PURE_EDDSA ((psa_algorithm_t)0x06000800)
1584
1585 #define PSA_ALG_HASH_EDDSA_BASE ((psa_algorithm_t)0x06000900)
1586 #define PSA_ALG_IS_HASH_EDDSA(alg) \
1587 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HASH_EDDSA_BASE)
1588
1589 /** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
1590 * using SHA-512 and the Edwards25519 curve.
1591 *
1592 * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
1593 *
1594 * This algorithm is Ed25519 as specified in RFC 8032.
1595 * The curve is Edwards25519.
1596 * The prehash is SHA-512.
1597 * The hash function used internally is SHA-512.
1598 *
1599 * This is a hash-and-sign algorithm: to calculate a signature,
1600 * you can either:
1601 * - call psa_sign_message() on the message;
1602 * - or calculate the SHA-512 hash of the message
1603 * with psa_hash_compute()
1604 * or with a multi-part hash operation started with psa_hash_setup(),
1605 * using the hash algorithm #PSA_ALG_SHA_512,
1606 * then sign the calculated hash with psa_sign_hash().
1607 * Verifying a signature is similar, using psa_verify_message() or
1608 * psa_verify_hash() instead of the signature function.
1609 */
1610 #define PSA_ALG_ED25519PH \
1611 (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHA_512 & PSA_ALG_HASH_MASK))
1612
1613 /** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
1614 * using SHAKE256 and the Edwards448 curve.
1615 *
1616 * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
1617 *
1618 * This algorithm is Ed448 as specified in RFC 8032.
1619 * The curve is Edwards448.
1620 * The prehash is the first 64 bytes of the SHAKE256 output.
1621 * The hash function used internally is the first 114 bytes of the
1622 * SHAKE256 output.
1623 *
1624 * This is a hash-and-sign algorithm: to calculate a signature,
1625 * you can either:
1626 * - call psa_sign_message() on the message;
1627 * - or calculate the first 64 bytes of the SHAKE256 output of the message
1628 * with psa_hash_compute()
1629 * or with a multi-part hash operation started with psa_hash_setup(),
1630 * using the hash algorithm #PSA_ALG_SHAKE256_512,
1631 * then sign the calculated hash with psa_sign_hash().
1632 * Verifying a signature is similar, using psa_verify_message() or
1633 * psa_verify_hash() instead of the signature function.
1634 */
1635 #define PSA_ALG_ED448PH \
1636 (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_512 & PSA_ALG_HASH_MASK))
1637
1638 /* Default definition, to be overridden if the library is extended with
1639 * more hash-and-sign algorithms that we want to keep out of this header
1640 * file. */
1641 #define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0
1642
1643 /** Whether the specified algorithm is a signature algorithm that can be used
1644 * with psa_sign_hash() and psa_verify_hash().
1645 *
1646 * This encompasses all strict hash-and-sign algorithms categorized by
1647 * PSA_ALG_IS_HASH_AND_SIGN(), as well as algorithms that follow the
1648 * paradigm more loosely:
1649 * - #PSA_ALG_RSA_PKCS1V15_SIGN_RAW (expects its input to be an encoded hash)
1650 * - #PSA_ALG_ECDSA_ANY (doesn't specify what kind of hash the input is)
1651 *
1652 * \param alg An algorithm identifier (value of type psa_algorithm_t).
1653 *
1654 * \return 1 if alg is a signature algorithm that can be used to sign a
1655 * hash. 0 if alg is a signature algorithm that can only be used
1656 * to sign a message. 0 if alg is not a signature algorithm.
1657 * This macro can return either 0 or 1 if alg is not a
1658 * supported algorithm identifier.
1659 */
1660 #define PSA_ALG_IS_SIGN_HASH(alg) \
1661 (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
1662 PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \
1663 PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
1664
1665 /** Whether the specified algorithm is a signature algorithm that can be used
1666 * with psa_sign_message() and psa_verify_message().
1667 *
1668 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1669 *
1670 * \return 1 if alg is a signature algorithm that can be used to sign a
1671 * message. 0 if \p alg is a signature algorithm that can only be used
1672 * to sign an already-calculated hash. 0 if \p alg is not a signature
1673 * algorithm. This macro can return either 0 or 1 if \p alg is not a
1674 * supported algorithm identifier.
1675 */
1676 #define PSA_ALG_IS_SIGN_MESSAGE(alg) \
1677 (PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA )
1678
1679 /** Whether the specified algorithm is a hash-and-sign algorithm.
1680 *
1681 * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
1682 * structured in two parts: first the calculation of a hash in a way that
1683 * does not depend on the key, then the calculation of a signature from the
1684 * hash value and the key. Hash-and-sign algorithms encode the hash
1685 * used for the hashing step, and you can call #PSA_ALG_SIGN_GET_HASH
1686 * to extract this algorithm.
1687 *
1688 * Thus, for a hash-and-sign algorithm,
1689 * `psa_sign_message(key, alg, input, ...)` is equivalent to
1690 * ```
1691 * psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), input, ..., hash, ...);
1692 * psa_sign_hash(key, alg, hash, ..., signature, ...);
1693 * ```
1694 * Most usefully, separating the hash from the signature allows the hash
1695 * to be calculated in multiple steps with psa_hash_setup(), psa_hash_update()
1696 * and psa_hash_finish(). Likewise psa_verify_message() is equivalent to
1697 * calculating the hash and then calling psa_verify_hash().
1698 *
1699 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1700 *
1701 * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
1702 * This macro may return either 0 or 1 if \p alg is not a supported
1703 * algorithm identifier.
1704 */
1705 #define PSA_ALG_IS_HASH_AND_SIGN(alg) \
1706 (PSA_ALG_IS_SIGN_HASH(alg) && \
1707 ((alg) & PSA_ALG_HASH_MASK) != 0)
1708
1709 /** Get the hash used by a hash-and-sign signature algorithm.
1710 *
1711 * A hash-and-sign algorithm is a signature algorithm which is
1712 * composed of two phases: first a hashing phase which does not use
1713 * the key and produces a hash of the input message, then a signing
1714 * phase which only uses the hash and the key and not the message
1715 * itself.
1716 *
1717 * \param alg A signature algorithm (\c PSA_ALG_XXX value such that
1718 * #PSA_ALG_IS_SIGN(\p alg) is true).
1719 *
1720 * \return The underlying hash algorithm if \p alg is a hash-and-sign
1721 * algorithm.
1722 * \return 0 if \p alg is a signature algorithm that does not
1723 * follow the hash-and-sign structure.
1724 * \return Unspecified if \p alg is not a signature algorithm or
1725 * if it is not supported by the implementation.
1726 */
1727 #define PSA_ALG_SIGN_GET_HASH(alg) \
1728 (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
1729 ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
1730 0)
1731
1732 /** RSA PKCS#1 v1.5 encryption.
1733 */
1734 #define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x07000200)
1735
1736 #define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t)0x07000300)
1737 /** RSA OAEP encryption.
1738 *
1739 * This is the encryption scheme defined by RFC 8017
1740 * (PKCS#1: RSA Cryptography Specifications) under the name
1741 * RSAES-OAEP, with the message generation function MGF1.
1742 *
1743 * \param hash_alg The hash algorithm (\c PSA_ALG_XXX value such that
1744 * #PSA_ALG_IS_HASH(\p hash_alg) is true) to use
1745 * for MGF1.
1746 *
1747 * \return The corresponding RSA OAEP encryption algorithm.
1748 * \return Unspecified if \p hash_alg is not a supported
1749 * hash algorithm.
1750 */
1751 #define PSA_ALG_RSA_OAEP(hash_alg) \
1752 (PSA_ALG_RSA_OAEP_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1753 #define PSA_ALG_IS_RSA_OAEP(alg) \
1754 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_OAEP_BASE)
1755 #define PSA_ALG_RSA_OAEP_GET_HASH(alg) \
1756 (PSA_ALG_IS_RSA_OAEP(alg) ? \
1757 ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
1758 0)
1759
1760 #define PSA_ALG_HKDF_BASE ((psa_algorithm_t)0x08000100)
1761 /** Macro to build an HKDF algorithm.
1762 *
1763 * For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256.
1764 *
1765 * This key derivation algorithm uses the following inputs:
1766 * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the "extract" step.
1767 * It is optional; if omitted, the derivation uses an empty salt.
1768 * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the "extract" step.
1769 * - #PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the "expand" step.
1770 * You must pass #PSA_KEY_DERIVATION_INPUT_SALT before #PSA_KEY_DERIVATION_INPUT_SECRET.
1771 * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
1772 * starting to generate output.
1773 *
1774 * \warning HKDF processes the salt as follows: first hash it with hash_alg
1775 * if the salt is longer than the block size of the hash algorithm; then
1776 * pad with null bytes up to the block size. As a result, it is possible
1777 * for distinct salt inputs to result in the same outputs. To ensure
1778 * unique outputs, it is recommended to use a fixed length for salt values.
1779 *
1780 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1781 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1782 *
1783 * \return The corresponding HKDF algorithm.
1784 * \return Unspecified if \p hash_alg is not a supported
1785 * hash algorithm.
1786 */
1787 #define PSA_ALG_HKDF(hash_alg) \
1788 (PSA_ALG_HKDF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1789 /** Whether the specified algorithm is an HKDF algorithm.
1790 *
1791 * HKDF is a family of key derivation algorithms that are based on a hash
1792 * function and the HMAC construction.
1793 *
1794 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1795 *
1796 * \return 1 if \c alg is an HKDF algorithm, 0 otherwise.
1797 * This macro may return either 0 or 1 if \c alg is not a supported
1798 * key derivation algorithm identifier.
1799 */
1800 #define PSA_ALG_IS_HKDF(alg) \
1801 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE)
1802 #define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \
1803 (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
1804
1805 #define PSA_ALG_HKDF_EXTRACT_BASE ((psa_algorithm_t)0x08000400)
1806 /** Macro to build an HKDF-Extract algorithm.
1807 *
1808 * For example, `PSA_ALG_HKDF_EXTRACT(PSA_ALG_SHA256)` is
1809 * HKDF-Extract using HMAC-SHA-256.
1810 *
1811 * This key derivation algorithm uses the following inputs:
1812 * - PSA_KEY_DERIVATION_INPUT_SALT is the salt.
1813 * - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the
1814 * "extract" step.
1815 * The inputs are mandatory and must be passed in the order above.
1816 * Each input may only be passed once.
1817 *
1818 * \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
1819 * should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided
1820 * as a separate algorithm for the sake of protocols that use it as a
1821 * building block. It may also be a slight performance optimization
1822 * in applications that use HKDF with the same salt and key but many
1823 * different info strings.
1824 *
1825 * \warning HKDF processes the salt as follows: first hash it with hash_alg
1826 * if the salt is longer than the block size of the hash algorithm; then
1827 * pad with null bytes up to the block size. As a result, it is possible
1828 * for distinct salt inputs to result in the same outputs. To ensure
1829 * unique outputs, it is recommended to use a fixed length for salt values.
1830 *
1831 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1832 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1833 *
1834 * \return The corresponding HKDF-Extract algorithm.
1835 * \return Unspecified if \p hash_alg is not a supported
1836 * hash algorithm.
1837 */
1838 #define PSA_ALG_HKDF_EXTRACT(hash_alg) \
1839 (PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1840 /** Whether the specified algorithm is an HKDF-Extract algorithm.
1841 *
1842 * HKDF-Extract is a family of key derivation algorithms that are based
1843 * on a hash function and the HMAC construction.
1844 *
1845 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1846 *
1847 * \return 1 if \c alg is an HKDF-Extract algorithm, 0 otherwise.
1848 * This macro may return either 0 or 1 if \c alg is not a supported
1849 * key derivation algorithm identifier.
1850 */
1851 #define PSA_ALG_IS_HKDF_EXTRACT(alg) \
1852 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE)
1853
1854 #define PSA_ALG_HKDF_EXPAND_BASE ((psa_algorithm_t)0x08000500)
1855 /** Macro to build an HKDF-Expand algorithm.
1856 *
1857 * For example, `PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA256)` is
1858 * HKDF-Expand using HMAC-SHA-256.
1859 *
1860 * This key derivation algorithm uses the following inputs:
1861 * - PSA_KEY_DERIVATION_INPUT_SECRET is the pseudorandom key (PRK).
1862 * - PSA_KEY_DERIVATION_INPUT_INFO is the info string.
1863 *
1864 * The inputs are mandatory and must be passed in the order above.
1865 * Each input may only be passed once.
1866 *
1867 * \warning HKDF-Expand is not meant to be used on its own. `PSA_ALG_HKDF`
1868 * should be used instead if possible. `PSA_ALG_HKDF_EXPAND` is provided as
1869 * a separate algorithm for the sake of protocols that use it as a building
1870 * block. It may also be a slight performance optimization in applications
1871 * that use HKDF with the same salt and key but many different info strings.
1872 *
1873 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1874 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1875 *
1876 * \return The corresponding HKDF-Expand algorithm.
1877 * \return Unspecified if \p hash_alg is not a supported
1878 * hash algorithm.
1879 */
1880 #define PSA_ALG_HKDF_EXPAND(hash_alg) \
1881 (PSA_ALG_HKDF_EXPAND_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1882 /** Whether the specified algorithm is an HKDF-Expand algorithm.
1883 *
1884 * HKDF-Expand is a family of key derivation algorithms that are based
1885 * on a hash function and the HMAC construction.
1886 *
1887 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1888 *
1889 * \return 1 if \c alg is an HKDF-Expand algorithm, 0 otherwise.
1890 * This macro may return either 0 or 1 if \c alg is not a supported
1891 * key derivation algorithm identifier.
1892 */
1893 #define PSA_ALG_IS_HKDF_EXPAND(alg) \
1894 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
1895
1896 /** Whether the specified algorithm is an HKDF or HKDF-Extract or
1897 * HKDF-Expand algorithm.
1898 *
1899 *
1900 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1901 *
1902 * \return 1 if \c alg is any HKDF type algorithm, 0 otherwise.
1903 * This macro may return either 0 or 1 if \c alg is not a supported
1904 * key derivation algorithm identifier.
1905 */
1906 #define PSA_ALG_IS_ANY_HKDF(alg) \
1907 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE || \
1908 ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXTRACT_BASE || \
1909 ((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_EXPAND_BASE)
1910
1911 #define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t)0x08000200)
1912 /** Macro to build a TLS-1.2 PRF algorithm.
1913 *
1914 * TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule,
1915 * specified in Section 5 of RFC 5246. It is based on HMAC and can be
1916 * used with either SHA-256 or SHA-384.
1917 *
1918 * This key derivation algorithm uses the following inputs, which must be
1919 * passed in the order given here:
1920 * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
1921 * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
1922 * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
1923 *
1924 * For the application to TLS-1.2 key expansion, the seed is the
1925 * concatenation of ServerHello.Random + ClientHello.Random,
1926 * and the label is "key expansion".
1927 *
1928 * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the
1929 * TLS 1.2 PRF using HMAC-SHA-256.
1930 *
1931 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1932 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1933 *
1934 * \return The corresponding TLS-1.2 PRF algorithm.
1935 * \return Unspecified if \p hash_alg is not a supported
1936 * hash algorithm.
1937 */
1938 #define PSA_ALG_TLS12_PRF(hash_alg) \
1939 (PSA_ALG_TLS12_PRF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1940
1941 /** Whether the specified algorithm is a TLS-1.2 PRF algorithm.
1942 *
1943 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1944 *
1945 * \return 1 if \c alg is a TLS-1.2 PRF algorithm, 0 otherwise.
1946 * This macro may return either 0 or 1 if \c alg is not a supported
1947 * key derivation algorithm identifier.
1948 */
1949 #define PSA_ALG_IS_TLS12_PRF(alg) \
1950 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PRF_BASE)
1951 #define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg) \
1952 (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
1953
1954 #define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t)0x08000300)
1955 /** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.
1956 *
1957 * In a pure-PSK handshake in TLS 1.2, the master secret is derived
1958 * from the PreSharedKey (PSK) through the application of padding
1959 * (RFC 4279, Section 2) and the TLS-1.2 PRF (RFC 5246, Section 5).
1960 * The latter is based on HMAC and can be used with either SHA-256
1961 * or SHA-384.
1962 *
1963 * This key derivation algorithm uses the following inputs, which must be
1964 * passed in the order given here:
1965 * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
1966 * - #PSA_KEY_DERIVATION_INPUT_OTHER_SECRET is the other secret for the
1967 * computation of the premaster secret. This input is optional;
1968 * if omitted, it defaults to a string of null bytes with the same length
1969 * as the secret (PSK) input.
1970 * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
1971 * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
1972 *
1973 * For the application to TLS-1.2, the seed (which is
1974 * forwarded to the TLS-1.2 PRF) is the concatenation of the
1975 * ClientHello.Random + ServerHello.Random,
1976 * the label is "master secret" or "extended master secret" and
1977 * the other secret depends on the key exchange specified in the cipher suite:
1978 * - for a plain PSK cipher suite (RFC 4279, Section 2), omit
1979 * PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1980 * - for a DHE-PSK (RFC 4279, Section 3) or ECDHE-PSK cipher suite
1981 * (RFC 5489, Section 2), the other secret should be the output of the
1982 * PSA_ALG_FFDH or PSA_ALG_ECDH key agreement performed with the peer.
1983 * The recommended way to pass this input is to use a key derivation
1984 * algorithm constructed as
1985 * PSA_ALG_KEY_AGREEMENT(ka_alg, PSA_ALG_TLS12_PSK_TO_MS(hash_alg))
1986 * and to call psa_key_derivation_key_agreement(). Alternatively,
1987 * this input may be an output of `psa_raw_key_agreement()` passed with
1988 * psa_key_derivation_input_bytes(), or an equivalent input passed with
1989 * psa_key_derivation_input_bytes() or psa_key_derivation_input_key().
1990 * - for a RSA-PSK cipher suite (RFC 4279, Section 4), the other secret
1991 * should be the 48-byte client challenge (the PreMasterSecret of
1992 * (RFC 5246, Section 7.4.7.1)) concatenation of the TLS version and
1993 * a 46-byte random string chosen by the client. On the server, this is
1994 * typically an output of psa_asymmetric_decrypt() using
1995 * PSA_ALG_RSA_PKCS1V15_CRYPT, passed to the key derivation operation
1996 * with `psa_key_derivation_input_bytes()`.
1997 *
1998 * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the
1999 * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
2000 *
2001 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
2002 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
2003 *
2004 * \return The corresponding TLS-1.2 PSK to MS algorithm.
2005 * \return Unspecified if \p hash_alg is not a supported
2006 * hash algorithm.
2007 */
2008 #define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) \
2009 (PSA_ALG_TLS12_PSK_TO_MS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
2010
2011 /** Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.
2012 *
2013 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2014 *
2015 * \return 1 if \c alg is a TLS-1.2 PSK to MS algorithm, 0 otherwise.
2016 * This macro may return either 0 or 1 if \c alg is not a supported
2017 * key derivation algorithm identifier.
2018 */
2019 #define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) \
2020 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PSK_TO_MS_BASE)
2021 #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
2022 (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
2023
2024 /* The TLS 1.2 ECJPAKE-to-PMS KDF. It takes the shared secret K (an EC point
2025 * in case of EC J-PAKE) and calculates SHA256(K.X) that the rest of TLS 1.2
2026 * will use to derive the session secret, as defined by step 2 of
2027 * https://datatracker.ietf.org/doc/html/draft-cragie-tls-ecjpake-01#section-8.7.
2028 * Uses PSA_ALG_SHA_256.
2029 * This function takes a single input:
2030 * #PSA_KEY_DERIVATION_INPUT_SECRET is the shared secret K from EC J-PAKE.
2031 * The only supported curve is secp256r1 (the 256-bit curve in
2032 * #PSA_ECC_FAMILY_SECP_R1), so the input must be exactly 65 bytes.
2033 * The output has to be read as a single chunk of 32 bytes, defined as
2034 * PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE.
2035 */
2036 #define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t)0x08000609)
2037
2038 /* This flag indicates whether the key derivation algorithm is suitable for
2039 * use on low-entropy secrets such as password - these algorithms are also
2040 * known as key stretching or password hashing schemes. These are also the
2041 * algorithms that accepts inputs of type #PSA_KEY_DERIVATION_INPUT_PASSWORD.
2042 *
2043 * Those algorithms cannot be combined with a key agreement algorithm.
2044 */
2045 #define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t)0x00800000)
2046
2047 #define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08800100)
2048 /** Macro to build a PBKDF2-HMAC password hashing / key stretching algorithm.
2049 *
2050 * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
2051 * This macro specifies the PBKDF2 algorithm constructed using a PRF based on
2052 * HMAC with the specified hash.
2053 * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA256)` specifies PBKDF2
2054 * using the PRF HMAC-SHA-256.
2055 *
2056 * This key derivation algorithm uses the following inputs, which must be
2057 * provided in the following order:
2058 * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count.
2059 * This input step must be used exactly once.
2060 * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt.
2061 * This input step must be used one or more times; if used several times, the
2062 * inputs will be concatenated. This can be used to build the final salt
2063 * from multiple sources, both public and secret (also known as pepper).
2064 * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed.
2065 * This input step must be used exactly once.
2066 *
2067 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
2068 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
2069 *
2070 * \return The corresponding PBKDF2-HMAC-XXX algorithm.
2071 * \return Unspecified if \p hash_alg is not a supported
2072 * hash algorithm.
2073 */
2074 #define PSA_ALG_PBKDF2_HMAC(hash_alg) \
2075 (PSA_ALG_PBKDF2_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
2076
2077 /** Whether the specified algorithm is a PBKDF2-HMAC algorithm.
2078 *
2079 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2080 *
2081 * \return 1 if \c alg is a PBKDF2-HMAC algorithm, 0 otherwise.
2082 * This macro may return either 0 or 1 if \c alg is not a supported
2083 * key derivation algorithm identifier.
2084 */
2085 #define PSA_ALG_IS_PBKDF2_HMAC(alg) \
2086 (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE)
2087
2088 /** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm.
2089 *
2090 * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
2091 * This macro specifies the PBKDF2 algorithm constructed using the
2092 * AES-CMAC-PRF-128 PRF specified by RFC 4615.
2093 *
2094 * This key derivation algorithm uses the same inputs as
2095 * #PSA_ALG_PBKDF2_HMAC() with the same constraints.
2096 */
2097 #define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200)
2098
2099 #define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff)
2100 #define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000)
2101
2102 /** Macro to build a combined algorithm that chains a key agreement with
2103 * a key derivation.
2104 *
2105 * \param ka_alg A key agreement algorithm (\c PSA_ALG_XXX value such
2106 * that #PSA_ALG_IS_KEY_AGREEMENT(\p ka_alg) is true).
2107 * \param kdf_alg A key derivation algorithm (\c PSA_ALG_XXX value such
2108 * that #PSA_ALG_IS_KEY_DERIVATION(\p kdf_alg) is true).
2109 *
2110 * \return The corresponding key agreement and derivation
2111 * algorithm.
2112 * \return Unspecified if \p ka_alg is not a supported
2113 * key agreement algorithm or \p kdf_alg is not a
2114 * supported key derivation algorithm.
2115 */
2116 #define PSA_ALG_KEY_AGREEMENT(ka_alg, kdf_alg) \
2117 ((ka_alg) | (kdf_alg))
2118
2119 #define PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) \
2120 (((alg) & PSA_ALG_KEY_DERIVATION_MASK) | PSA_ALG_CATEGORY_KEY_DERIVATION)
2121
2122 #define PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) \
2123 (((alg) & PSA_ALG_KEY_AGREEMENT_MASK) | PSA_ALG_CATEGORY_KEY_AGREEMENT)
2124
2125 /** Whether the specified algorithm is a raw key agreement algorithm.
2126 *
2127 * A raw key agreement algorithm is one that does not specify
2128 * a key derivation function.
2129 * Usually, raw key agreement algorithms are constructed directly with
2130 * a \c PSA_ALG_xxx macro while non-raw key agreement algorithms are
2131 * constructed with #PSA_ALG_KEY_AGREEMENT().
2132 *
2133 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2134 *
2135 * \return 1 if \p alg is a raw key agreement algorithm, 0 otherwise.
2136 * This macro may return either 0 or 1 if \p alg is not a supported
2137 * algorithm identifier.
2138 */
2139 #define PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) \
2140 (PSA_ALG_IS_KEY_AGREEMENT(alg) && \
2141 PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) == PSA_ALG_CATEGORY_KEY_DERIVATION)
2142
2143 #define PSA_ALG_IS_KEY_DERIVATION_OR_AGREEMENT(alg) \
2144 ((PSA_ALG_IS_KEY_DERIVATION(alg) || PSA_ALG_IS_KEY_AGREEMENT(alg)))
2145
2146 /** The finite-field Diffie-Hellman (DH) key agreement algorithm.
2147 *
2148 * The shared secret produced by key agreement is
2149 * `g^{ab}` in big-endian format.
2150 * It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p`
2151 * in bits.
2152 */
2153 #define PSA_ALG_FFDH ((psa_algorithm_t)0x09010000)
2154
2155 /** Whether the specified algorithm is a finite field Diffie-Hellman algorithm.
2156 *
2157 * This includes the raw finite field Diffie-Hellman algorithm as well as
2158 * finite-field Diffie-Hellman followed by any supporter key derivation
2159 * algorithm.
2160 *
2161 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2162 *
2163 * \return 1 if \c alg is a finite field Diffie-Hellman algorithm, 0 otherwise.
2164 * This macro may return either 0 or 1 if \c alg is not a supported
2165 * key agreement algorithm identifier.
2166 */
2167 #define PSA_ALG_IS_FFDH(alg) \
2168 (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_FFDH)
2169
2170 /** The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm.
2171 *
2172 * The shared secret produced by key agreement is the x-coordinate of
2173 * the shared secret point. It is always `ceiling(m / 8)` bytes long where
2174 * `m` is the bit size associated with the curve, i.e. the bit size of the
2175 * order of the curve's coordinate field. When `m` is not a multiple of 8,
2176 * the byte containing the most significant bit of the shared secret
2177 * is padded with zero bits. The byte order is either little-endian
2178 * or big-endian depending on the curve type.
2179 *
2180 * - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`),
2181 * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
2182 * in little-endian byte order.
2183 * The bit size is 448 for Curve448 and 255 for Curve25519.
2184 * - For Weierstrass curves over prime fields (curve types
2185 * `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`),
2186 * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
2187 * in big-endian byte order.
2188 * The bit size is `m = ceiling(log_2(p))` for the field `F_p`.
2189 * - For Weierstrass curves over binary fields (curve types
2190 * `PSA_ECC_FAMILY_SECTXXX`),
2191 * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
2192 * in big-endian byte order.
2193 * The bit size is `m` for the field `F_{2^m}`.
2194 */
2195 #define PSA_ALG_ECDH ((psa_algorithm_t)0x09020000)
2196
2197 /** Whether the specified algorithm is an elliptic curve Diffie-Hellman
2198 * algorithm.
2199 *
2200 * This includes the raw elliptic curve Diffie-Hellman algorithm as well as
2201 * elliptic curve Diffie-Hellman followed by any supporter key derivation
2202 * algorithm.
2203 *
2204 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2205 *
2206 * \return 1 if \c alg is an elliptic curve Diffie-Hellman algorithm,
2207 * 0 otherwise.
2208 * This macro may return either 0 or 1 if \c alg is not a supported
2209 * key agreement algorithm identifier.
2210 */
2211 #define PSA_ALG_IS_ECDH(alg) \
2212 (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH)
2213
2214 /** Whether the specified algorithm encoding is a wildcard.
2215 *
2216 * Wildcard values may only be used to set the usage algorithm field in
2217 * a policy, not to perform an operation.
2218 *
2219 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2220 *
2221 * \return 1 if \c alg is a wildcard algorithm encoding.
2222 * \return 0 if \c alg is a non-wildcard algorithm encoding (suitable for
2223 * an operation).
2224 * \return This macro may return either 0 or 1 if \c alg is not a supported
2225 * algorithm identifier.
2226 */
2227 #define PSA_ALG_IS_WILDCARD(alg) \
2228 (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
2229 PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \
2230 PSA_ALG_IS_MAC(alg) ? \
2231 (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
2232 PSA_ALG_IS_AEAD(alg) ? \
2233 (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
2234 (alg) == PSA_ALG_ANY_HASH)
2235
2236 /** Get the hash used by a composite algorithm.
2237 *
2238 * \param alg An algorithm identifier (value of type #psa_algorithm_t).
2239 *
2240 * \return The underlying hash algorithm if alg is a composite algorithm that
2241 * uses a hash algorithm.
2242 *
2243 * \return \c 0 if alg is not a composite algorithm that uses a hash.
2244 */
2245 #define PSA_ALG_GET_HASH(alg) \
2246 (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t)0) : 0x02000000 | ((alg) & 0x000000ff))
2247
2248 /**@}*/
2249
2250 /** \defgroup key_lifetimes Key lifetimes
2251 * @{
2252 */
2253
2254 /* Note that location and persistence level values are embedded in the
2255 * persistent key store, as part of key metadata. As a consequence, they
2256 * must not be changed (unless the storage format version changes).
2257 */
2258
2259 /** The default lifetime for volatile keys.
2260 *
2261 * A volatile key only exists as long as the identifier to it is not destroyed.
2262 * The key material is guaranteed to be erased on a power reset.
2263 *
2264 * A key with this lifetime is typically stored in the RAM area of the
2265 * PSA Crypto subsystem. However this is an implementation choice.
2266 * If an implementation stores data about the key in a non-volatile memory,
2267 * it must release all the resources associated with the key and erase the
2268 * key material if the calling application terminates.
2269 */
2270 #define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000)
2271
2272 /** The default lifetime for persistent keys.
2273 *
2274 * A persistent key remains in storage until it is explicitly destroyed or
2275 * until the corresponding storage area is wiped. This specification does
2276 * not define any mechanism to wipe a storage area, but integrations may
2277 * provide their own mechanism (for example to perform a factory reset,
2278 * to prepare for device refurbishment, or to uninstall an application).
2279 *
2280 * This lifetime value is the default storage area for the calling
2281 * application. Integrations of Mbed TLS may support other persistent lifetimes.
2282 * See ::psa_key_lifetime_t for more information.
2283 */
2284 #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001)
2285
2286 /** The persistence level of volatile keys.
2287 *
2288 * See ::psa_key_persistence_t for more information.
2289 */
2290 #define PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t)0x00)
2291
2292 /** The default persistence level for persistent keys.
2293 *
2294 * See ::psa_key_persistence_t for more information.
2295 */
2296 #define PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t)0x01)
2297
2298 /** A persistence level indicating that a key is never destroyed.
2299 *
2300 * See ::psa_key_persistence_t for more information.
2301 */
2302 #define PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t)0xff)
2303
2304 #define PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) \
2305 ((psa_key_persistence_t)((lifetime) & 0x000000ff))
2306
2307 #define PSA_KEY_LIFETIME_GET_LOCATION(lifetime) \
2308 ((psa_key_location_t)((lifetime) >> 8))
2309
2310 /** Whether a key lifetime indicates that the key is volatile.
2311 *
2312 * A volatile key is automatically destroyed by the implementation when
2313 * the application instance terminates. In particular, a volatile key
2314 * is automatically destroyed on a power reset of the device.
2315 *
2316 * A key that is not volatile is persistent. Persistent keys are
2317 * preserved until the application explicitly destroys them or until an
2318 * implementation-specific device management event occurs (for example,
2319 * a factory reset).
2320 *
2321 * \param lifetime The lifetime value to query (value of type
2322 * ::psa_key_lifetime_t).
2323 *
2324 * \return \c 1 if the key is volatile, otherwise \c 0.
2325 */
2326 #define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \
2327 (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
2328 PSA_KEY_PERSISTENCE_VOLATILE)
2329
2330 /** Whether a key lifetime indicates that the key is read-only.
2331 *
2332 * Read-only keys cannot be created or destroyed through the PSA Crypto API.
2333 * They must be created through platform-specific means that bypass the API.
2334 *
2335 * Some platforms may offer ways to destroy read-only keys. For example,
2336 * consider a platform with multiple levels of privilege, where a
2337 * low-privilege application can use a key but is not allowed to destroy
2338 * it, and the platform exposes the key to the application with a read-only
2339 * lifetime. High-privilege code can destroy the key even though the
2340 * application sees the key as read-only.
2341 *
2342 * \param lifetime The lifetime value to query (value of type
2343 * ::psa_key_lifetime_t).
2344 *
2345 * \return \c 1 if the key is read-only, otherwise \c 0.
2346 */
2347 #define PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime) \
2348 (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
2349 PSA_KEY_PERSISTENCE_READ_ONLY)
2350
2351 /** Construct a lifetime from a persistence level and a location.
2352 *
2353 * \param persistence The persistence level
2354 * (value of type ::psa_key_persistence_t).
2355 * \param location The location indicator
2356 * (value of type ::psa_key_location_t).
2357 *
2358 * \return The constructed lifetime value.
2359 */
2360 #define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence, location) \
2361 ((location) << 8 | (persistence))
2362
2363 /** The local storage area for persistent keys.
2364 *
2365 * This storage area is available on all systems that can store persistent
2366 * keys without delegating the storage to a third-party cryptoprocessor.
2367 *
2368 * See ::psa_key_location_t for more information.
2369 */
2370 #define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t)0x000000)
2371
2372 #define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)
2373
2374 /* Note that key identifier values are embedded in the
2375 * persistent key store, as part of key metadata. As a consequence, they
2376 * must not be changed (unless the storage format version changes).
2377 */
2378
2379 /** The null key identifier.
2380 */
2381 #define PSA_KEY_ID_NULL ((psa_key_id_t)0)
2382 /** The minimum value for a key identifier chosen by the application.
2383 */
2384 #define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)
2385 /** The maximum value for a key identifier chosen by the application.
2386 */
2387 #define PSA_KEY_ID_USER_MAX ((psa_key_id_t)0x3fffffff)
2388 /** The minimum value for a key identifier chosen by the implementation.
2389 */
2390 #define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t)0x40000000)
2391 /** The maximum value for a key identifier chosen by the implementation.
2392 */
2393 #define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff)
2394
2395
2396 #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
2397
2398 #define MBEDTLS_SVC_KEY_ID_INIT ( (psa_key_id_t)0 )
2399 #define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( id )
2400 #define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( 0 )
2401
2402 /** Utility to initialize a key identifier at runtime.
2403 *
2404 * \param unused Unused parameter.
2405 * \param key_id Identifier of the key.
2406 */
mbedtls_svc_key_id_make(unsigned int unused,psa_key_id_t key_id)2407 static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
2408 unsigned int unused, psa_key_id_t key_id )
2409 {
2410 (void)unused;
2411
2412 return( key_id );
2413 }
2414
2415 /** Compare two key identifiers.
2416 *
2417 * \param id1 First key identifier.
2418 * \param id2 Second key identifier.
2419 *
2420 * \return Non-zero if the two key identifier are equal, zero otherwise.
2421 */
mbedtls_svc_key_id_equal(mbedtls_svc_key_id_t id1,mbedtls_svc_key_id_t id2)2422 static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1,
2423 mbedtls_svc_key_id_t id2 )
2424 {
2425 return( id1 == id2 );
2426 }
2427
2428 /** Check whether a key identifier is null.
2429 *
2430 * \param key Key identifier.
2431 *
2432 * \return Non-zero if the key identifier is null, zero otherwise.
2433 */
mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)2434 static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
2435 {
2436 return( key == 0 );
2437 }
2438
2439 #else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
2440
2441 #define MBEDTLS_SVC_KEY_ID_INIT ( (mbedtls_svc_key_id_t){ 0, 0 } )
2442 #define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( ( id ).MBEDTLS_PRIVATE(key_id) )
2443 #define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( ( id ).MBEDTLS_PRIVATE(owner) )
2444
2445 /** Utility to initialize a key identifier at runtime.
2446 *
2447 * \param owner_id Identifier of the key owner.
2448 * \param key_id Identifier of the key.
2449 */
mbedtls_svc_key_id_make(mbedtls_key_owner_id_t owner_id,psa_key_id_t key_id)2450 static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make(
2451 mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id )
2452 {
2453 return( (mbedtls_svc_key_id_t){ .MBEDTLS_PRIVATE(key_id) = key_id,
2454 .MBEDTLS_PRIVATE(owner) = owner_id } );
2455 }
2456
2457 /** Compare two key identifiers.
2458 *
2459 * \param id1 First key identifier.
2460 * \param id2 Second key identifier.
2461 *
2462 * \return Non-zero if the two key identifier are equal, zero otherwise.
2463 */
mbedtls_svc_key_id_equal(mbedtls_svc_key_id_t id1,mbedtls_svc_key_id_t id2)2464 static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1,
2465 mbedtls_svc_key_id_t id2 )
2466 {
2467 return( ( id1.MBEDTLS_PRIVATE(key_id) == id2.MBEDTLS_PRIVATE(key_id) ) &&
2468 mbedtls_key_owner_id_equal( id1.MBEDTLS_PRIVATE(owner), id2.MBEDTLS_PRIVATE(owner) ) );
2469 }
2470
2471 /** Check whether a key identifier is null.
2472 *
2473 * \param key Key identifier.
2474 *
2475 * \return Non-zero if the key identifier is null, zero otherwise.
2476 */
mbedtls_svc_key_id_is_null(mbedtls_svc_key_id_t key)2477 static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
2478 {
2479 return( key.MBEDTLS_PRIVATE(key_id) == 0 );
2480 }
2481
2482 #endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
2483
2484 /**@}*/
2485
2486 /** \defgroup policy Key policies
2487 * @{
2488 */
2489
2490 /* Note that key usage flags are embedded in the
2491 * persistent key store, as part of key metadata. As a consequence, they
2492 * must not be changed (unless the storage format version changes).
2493 */
2494
2495 /** Whether the key may be exported.
2496 *
2497 * A public key or the public part of a key pair may always be exported
2498 * regardless of the value of this permission flag.
2499 *
2500 * If a key does not have export permission, implementations shall not
2501 * allow the key to be exported in plain form from the cryptoprocessor,
2502 * whether through psa_export_key() or through a proprietary interface.
2503 * The key may however be exportable in a wrapped form, i.e. in a form
2504 * where it is encrypted by another key.
2505 */
2506 #define PSA_KEY_USAGE_EXPORT ((psa_key_usage_t)0x00000001)
2507
2508 /** Whether the key may be copied.
2509 *
2510 * This flag allows the use of psa_copy_key() to make a copy of the key
2511 * with the same policy or a more restrictive policy.
2512 *
2513 * For lifetimes for which the key is located in a secure element which
2514 * enforce the non-exportability of keys, copying a key outside the secure
2515 * element also requires the usage flag #PSA_KEY_USAGE_EXPORT.
2516 * Copying the key inside the secure element is permitted with just
2517 * #PSA_KEY_USAGE_COPY if the secure element supports it.
2518 * For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or
2519 * #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY
2520 * is sufficient to permit the copy.
2521 */
2522 #define PSA_KEY_USAGE_COPY ((psa_key_usage_t)0x00000002)
2523
2524 /** Whether the key may be used to encrypt a message.
2525 *
2526 * This flag allows the key to be used for a symmetric encryption operation,
2527 * for an AEAD encryption-and-authentication operation,
2528 * or for an asymmetric encryption operation,
2529 * if otherwise permitted by the key's type and policy.
2530 *
2531 * For a key pair, this concerns the public key.
2532 */
2533 #define PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t)0x00000100)
2534
2535 /** Whether the key may be used to decrypt a message.
2536 *
2537 * This flag allows the key to be used for a symmetric decryption operation,
2538 * for an AEAD decryption-and-verification operation,
2539 * or for an asymmetric decryption operation,
2540 * if otherwise permitted by the key's type and policy.
2541 *
2542 * For a key pair, this concerns the private key.
2543 */
2544 #define PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t)0x00000200)
2545
2546 /** Whether the key may be used to sign a message.
2547 *
2548 * This flag allows the key to be used for a MAC calculation operation or for
2549 * an asymmetric message signature operation, if otherwise permitted by the
2550 * key’s type and policy.
2551 *
2552 * For a key pair, this concerns the private key.
2553 */
2554 #define PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t)0x00000400)
2555
2556 /** Whether the key may be used to verify a message.
2557 *
2558 * This flag allows the key to be used for a MAC verification operation or for
2559 * an asymmetric message signature verification operation, if otherwise
2560 * permitted by the key’s type and policy.
2561 *
2562 * For a key pair, this concerns the public key.
2563 */
2564 #define PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t)0x00000800)
2565
2566 /** Whether the key may be used to sign a message.
2567 *
2568 * This flag allows the key to be used for a MAC calculation operation
2569 * or for an asymmetric signature operation,
2570 * if otherwise permitted by the key's type and policy.
2571 *
2572 * For a key pair, this concerns the private key.
2573 */
2574 #define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000)
2575
2576 /** Whether the key may be used to verify a message signature.
2577 *
2578 * This flag allows the key to be used for a MAC verification operation
2579 * or for an asymmetric signature verification operation,
2580 * if otherwise permitted by the key's type and policy.
2581 *
2582 * For a key pair, this concerns the public key.
2583 */
2584 #define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000)
2585
2586 /** Whether the key may be used to derive other keys or produce a password
2587 * hash.
2588 *
2589 * This flag allows the key to be used for a key derivation operation or for
2590 * a key agreement operation, if otherwise permitted by the key's type and
2591 * policy.
2592 *
2593 * If this flag is present on all keys used in calls to
2594 * psa_key_derivation_input_key() for a key derivation operation, then it
2595 * permits calling psa_key_derivation_output_bytes() or
2596 * psa_key_derivation_output_key() at the end of the operation.
2597 */
2598 #define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)
2599
2600 /** Whether the key may be used to verify the result of a key derivation,
2601 * including password hashing.
2602 *
2603 * This flag allows the key to be used:
2604 *
2605 * This flag allows the key to be used in a key derivation operation, if
2606 * otherwise permitted by the key's type and policy.
2607 *
2608 * If this flag is present on all keys used in calls to
2609 * psa_key_derivation_input_key() for a key derivation operation, then it
2610 * permits calling psa_key_derivation_verify_bytes() or
2611 * psa_key_derivation_verify_key() at the end of the operation.
2612 */
2613 #define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)
2614
2615 /**@}*/
2616
2617 /** \defgroup derivation Key derivation
2618 * @{
2619 */
2620
2621 /* Key input steps are not embedded in the persistent storage, so you can
2622 * change them if needed: it's only an ABI change. */
2623
2624 /** A secret input for key derivation.
2625 *
2626 * This should be a key of type #PSA_KEY_TYPE_DERIVE
2627 * (passed to psa_key_derivation_input_key())
2628 * or the shared secret resulting from a key agreement
2629 * (obtained via psa_key_derivation_key_agreement()).
2630 *
2631 * The secret can also be a direct input (passed to
2632 * key_derivation_input_bytes()). In this case, the derivation operation
2633 * may not be used to derive keys: the operation will only allow
2634 * psa_key_derivation_output_bytes(),
2635 * psa_key_derivation_verify_bytes(), or
2636 * psa_key_derivation_verify_key(), but not
2637 * psa_key_derivation_output_key().
2638 */
2639 #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101)
2640
2641 /** A low-entropy secret input for password hashing / key stretching.
2642 *
2643 * This is usually a key of type #PSA_KEY_TYPE_PASSWORD (passed to
2644 * psa_key_derivation_input_key()) or a direct input (passed to
2645 * psa_key_derivation_input_bytes()) that is a password or passphrase. It can
2646 * also be high-entropy secret such as a key of type #PSA_KEY_TYPE_DERIVE or
2647 * the shared secret resulting from a key agreement.
2648 *
2649 * The secret can also be a direct input (passed to
2650 * key_derivation_input_bytes()). In this case, the derivation operation
2651 * may not be used to derive keys: the operation will only allow
2652 * psa_key_derivation_output_bytes(),
2653 * psa_key_derivation_verify_bytes(), or
2654 * psa_key_derivation_verify_key(), but not
2655 * psa_key_derivation_output_key().
2656 */
2657 #define PSA_KEY_DERIVATION_INPUT_PASSWORD ((psa_key_derivation_step_t)0x0102)
2658
2659 /** A high-entropy additional secret input for key derivation.
2660 *
2661 * This is typically the shared secret resulting from a key agreement obtained
2662 * via `psa_key_derivation_key_agreement()`. It may alternatively be a key of
2663 * type `PSA_KEY_TYPE_DERIVE` passed to `psa_key_derivation_input_key()`, or
2664 * a direct input passed to `psa_key_derivation_input_bytes()`.
2665 */
2666 #define PSA_KEY_DERIVATION_INPUT_OTHER_SECRET \
2667 ((psa_key_derivation_step_t)0x0103)
2668
2669 /** A label for key derivation.
2670 *
2671 * This should be a direct input.
2672 * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
2673 */
2674 #define PSA_KEY_DERIVATION_INPUT_LABEL ((psa_key_derivation_step_t)0x0201)
2675
2676 /** A salt for key derivation.
2677 *
2678 * This should be a direct input.
2679 * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA or
2680 * #PSA_KEY_TYPE_PEPPER.
2681 */
2682 #define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t)0x0202)
2683
2684 /** An information string for key derivation.
2685 *
2686 * This should be a direct input.
2687 * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
2688 */
2689 #define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t)0x0203)
2690
2691 /** A seed for key derivation.
2692 *
2693 * This should be a direct input.
2694 * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
2695 */
2696 #define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t)0x0204)
2697
2698 /** A cost parameter for password hashing / key stretching.
2699 *
2700 * This must be a direct input, passed to psa_key_derivation_input_integer().
2701 */
2702 #define PSA_KEY_DERIVATION_INPUT_COST ((psa_key_derivation_step_t)0x0205)
2703
2704 /**@}*/
2705
2706 /** \defgroup helper_macros Helper macros
2707 * @{
2708 */
2709
2710 /* Helper macros */
2711
2712 /** Check if two AEAD algorithm identifiers refer to the same AEAD algorithm
2713 * regardless of the tag length they encode.
2714 *
2715 * \param aead_alg_1 An AEAD algorithm identifier.
2716 * \param aead_alg_2 An AEAD algorithm identifier.
2717 *
2718 * \return 1 if both identifiers refer to the same AEAD algorithm,
2719 * 0 otherwise.
2720 * Unspecified if neither \p aead_alg_1 nor \p aead_alg_2 are
2721 * a supported AEAD algorithm.
2722 */
2723 #define MBEDTLS_PSA_ALG_AEAD_EQUAL(aead_alg_1, aead_alg_2) \
2724 (!(((aead_alg_1) ^ (aead_alg_2)) & \
2725 ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)))
2726
2727 /**@}*/
2728
2729 #endif /* PSA_CRYPTO_VALUES_H */
2730
