Value definitions for PSA Crypto. More...

Detailed Description

Value definitions for PSA Crypto.

Author: Lena Boeckmann lena..nosp@m.boec.nosp@m.kmann.nosp@m.@haw.nosp@m.-hamb.nosp@m.urg..nosp@m.de

Note: Some of the macros in this file have already been copied here from the PSA API specification, but are not implemented, yet. They are marked by comments that either say "specification-defined" or "implementation-defined". These macros will be implemented successively in the future.

Definition in file crypto_values.h.

#include "crypto_types.h"

Include dependency graph for crypto_values.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

#define	PSA_ALG_CATEGORY_MASK ((psa_algorithm_t)0x7f000000)
	PSA algorithm category mask.

#define	PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x02000000)
	Category for hash algorithms.

#define	PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x03000000)
	Category for MAC algorithms.

#define	PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t)0x04000000)
	Category for cipher algorithms.

#define	PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x05000000)
	Category for AEAD algorithms.

#define	PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x06000000)
	Category for signature algorithms.

#define	PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000)
	Category for asymmetric encryption algorithms.

#define	PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000)
	Category for key derivation algorithms.

#define	PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000)
	Category for key agreement algorithms.

#define	PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) /* specification-defined value */
	Macro to build an AEAD minimum-tag-length wildcard algorithm.

#define	PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(aead_alg)
	An AEAD algorithm with the default tag length.

#define	PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) ((psa_algorithm_t)(((aead_alg) & ~0x003f0000) \| (((tag_length) & 0x3f) << 16)))
	Macro to build a AEAD algorithm with a shortened tag.

#define	PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff)
	When setting a hash-and-sign algorithm in a key policy, permit any hash algorithm.

#define	PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) /* specification-defined value */
	Macro to build a MAC minimum-MAC-length wildcard algorithm.

#define	PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) ((psa_algorithm_t)(0x06000700 \| ((hash_alg) & 0x000000ff)))
	Deterministic ECDSA signature scheme, with hashing.

#define	PSA_ALG_FULL_LENGTH_MAC(mac_alg) ((psa_algorithm_t)((mac_alg) & ~0x003f0000))
	Macro to construct the MAC algorithm with a full length MAC, from a truncated MAC algorithm.

#define	PSA_ALG_HKDF(hash_alg) ((psa_algorithm_t)(0x08000100 \| ((hash_alg) & 0x000000ff)))
	Macro to build an HKDF algorithm.

#define	PSA_ALG_GET_HASH(alg)
	Get the hash used by a composite algorithm.

#define	PSA_ALG_HMAC_BASE (0x03800000)
	HMAC Base.

#define	PSA_ALG_HMAC(hash_alg) ((psa_algorithm_t)(PSA_ALG_HMAC_BASE \| ((hash_alg) & PSA_ALG_HASH_MASK)))
	Macro to build an HMAC message-authentication-code algorithm from an underlying hash algorithm.

#define	PSA_ALG_IS_CIPHER(alg) (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)
	Whether the specified algorithm is a symmetric cipher algorithm.

#define	PSA_ALG_IS_AEAD(alg) (((alg) & PSA_ALG_CATEGORY_MASK) == 0x05000000)
	Whether the specified algorithm is an authenticated encryption with associated data (AEAD) algorithm.

#define	PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) (((alg) & 0x7f400000) == 0x05400000)
	Whether the specified algorithm is an AEAD mode on a block cipher.

#define	PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg) (((alg) & PSA_ALG_CATEGORY_MASK) == 0x07000000)
	Whether the specified algorithm is an asymmetric encryption algorithm, also known as public-key encryption algorithm.

#define	PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) (((alg) & 0x7fc00000) == 0x03c00000)
	Whether the specified algorithm is a MAC algorithm based on a block cipher.

#define	PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) (((alg) & ~0x000000ff) == 0x06000700)
	Whether the specified algorithm is deterministic ECDSA.

#define	PSA_ALG_IS_ECDH(alg) (((alg) & 0x7fff0000) == 0x09020000)
	Whether the specified algorithm is an elliptic curve Diffie-Hellman algorithm.

#define	PSA_ALG_IS_FFDH(alg) (((alg) & 0x7fff0000) == 0x09010000)
	Whether the specified algorithm is a finite field Diffie-Hellman algorithm.

#define	PSA_ALG_IS_ECDSA(alg) (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)
	Whether the specified algorithm is ECDSA.

#define	PSA_ALG_IS_HASH(alg) (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)
	Whether the specified algorithm is a hash algorithm.

#define	PSA_ALG_HMAC_GET_HASH(hmac_alg) (PSA_ALG_CATEGORY_HASH \| ((hmac_alg) & PSA_ALG_HASH_MASK))
	Get the hash operation of a hmac algorithm.

#define	PSA_ALG_IS_HASH_EDDSA(alg) (((alg) & ~0x000000ff) == 0x06000900)
	Whether the specified algorithm is HashEdDSA.

#define	PSA_ALG_IS_HASH_AND_SIGN(alg)
	Whether the specified algorithm is a hash-and-sign algorithm that signs exactly the hash value.

#define	PSA_ALG_IS_HKDF(alg) (((alg) & ~0x000000ff) == 0x08000100)
	Whether the specified algorithm is an HKDF algorithm.

#define	PSA_ALG_IS_HMAC(alg) (((alg) & 0x7fc0ff00) == 0x03800000)
	Whether the specified algorithm is an HMAC algorithm.

#define	PSA_ALG_IS_KEY_AGREEMENT(alg) (((alg) & 0x7f000000) == 0x09000000)
	Whether the specified algorithm is a key agreement algorithm.

#define	PSA_ALG_IS_KEY_DERIVATION(alg) (((alg) & 0x7f000000) == 0x08000000)
	Whether the specified algorithm is a key derivation algorithm.

#define	PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) (((alg) & 0x7f800000) == 0x08800000)
	Whether the specified algorithm is a key-stretching or password-hashing algorithm.

#define	PSA_ALG_IS_MAC(alg) (((alg) & 0x7f000000) == 0x03000000)
	Whether the specified algorithm is a MAC algorithm.

#define	PSA_ALG_IS_PBKDF2_HMAC(alg) (((alg) & ~0x000000ff) == 0x08800100)
	Whether the specified algorithm is a PBKDF2-HMAC algorithm.

#define	PSA_ALG_IS_RANDOMIZED_ECDSA(alg) (((alg) & ~0x000000ff) == 0x06000600)
	Whether the specified algorithm is randomized ECDSA.

#define	PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) (((alg) & 0x7f00ffff) == 0x09000000)
	Whether the specified algorithm is a raw key agreement algorithm.

#define	PSA_ALG_IS_RSA_OAEP(alg) (((alg) & ~0x000000ff) == 0x07000300)
	Whether the specified algorithm is an RSA OAEP encryption algorithm.

#define	PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) (((alg) & ~0x000000ff) == 0x06000200)
	Whether the specified algorithm is an RSA PKCS#1 v1.5 signature algorithm.

#define	PSA_ALG_IS_RSA_PSS(alg) (((alg) & ~0x000000ff) == 0x06000300)
	Whether the specified algorithm is a RSA PSS signature algorithm.

#define	PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) (((alg) & ~0x000000ff) == 0x06001300)
	Whether the specified algorithm is an RSA PSS signature algorithm that permits any salt length.

#define	PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) (((alg) & ~0x000000ff) == 0x06000300)
	Whether the specified algorithm is an RSA PSS signature algorithm that requires the standard salt length.

#define	PSA_ALG_IS_SIGN(alg) (((alg) & 0x7f000000) == 0x06000000)
	Whether the specified algorithm is an asymmetric signature algorithm, also known as public-key signature algorithm.

#define	PSA_ALG_IS_SIGN_HASH(alg)
	Whether the specified algorithm is a signature algorithm that can be used with psa_sign_hash() and psa_verify_hash().

#define	PSA_ALG_IS_SIGN_MESSAGE(alg) (PSA_ALG_IS_SIGN_HASH(alg) \|\| (alg) == PSA_ALG_PURE_EDDSA)
	Whether the specified algorithm is a signature algorithm that can be used with psa_sign_message() and psa_verify_message().

#define	PSA_ALG_IS_STREAM_CIPHER(alg) (((alg) & 0x7f800000) == 0x04800000)
	Whether the specified algorithm is a stream cipher.

#define	PSA_ALG_IS_TLS12_PRF(alg) (((alg) & ~0x000000ff) == 0x08000200)
	Whether the specified algorithm is a TLS-1.2 PRF algorithm.

#define	PSA_ALG_IS_TLS12_PSK_TO_MS(alg) (((alg) & ~0x000000ff) == 0x08000300)
	Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.

#define	PSA_ALG_IS_WILDCARD(alg) (PSA_ALG_GET_HASH(alg) == PSA_ALG_HASH_ANY)
	Whether the specified algorithm encoding is a wildcard.

#define	PSA_ALG_KEY_AGREEMENT(ka_alg, kdf_alg) ((ka_alg) \| (kdf_alg))
	Macro to build a combined algorithm that chains a key agreement with a key derivation.

#define	PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) ((psa_algorithm_t)((alg) & 0xffff0000))
	Get the raw key agreement algorithm from a full key agreement algorithm.

#define	PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) ((psa_algorithm_t)((alg) & 0xfe00ffff))
	Get the key derivation algorithm used in a full key agreement algorithm.

#define	PSA_ALG_NONE ((psa_algorithm_t)0)
	An invalid algorithm identifier value.

#define	PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
	Hash algorithm mask.

#define	PSA_ALG_MD2 ((psa_algorithm_t)0x02000001)
	The MD2 message-digest algorithm.

#define	PSA_ALG_MD4 ((psa_algorithm_t)0x02000002)
	The MD4 message-digest algorithm.

#define	PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)
	The MD5 message-digest algorithm.

#define	PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x02000004)
	The RIPEMD-160 message-digest algorithm.

#define	PSA_ALG_SHA_1 ((psa_algorithm_t)0x02000005)
	The SHA-1 message-digest algorithm.

#define	PSA_ALG_SHA_224 ((psa_algorithm_t)0x02000008) /** SHA-224 */
	The SHA-224 message-digest algorithm.

#define	PSA_ALG_SHA_256 ((psa_algorithm_t)0x02000009) /** SHA-256 */
	The SHA-256 message-digest algorithm.

#define	PSA_ALG_SHA_384 ((psa_algorithm_t)0x0200000a) /** SHA-384 */
	The SHA-384 message-digest algorithm.

#define	PSA_ALG_SHA_512 ((psa_algorithm_t)0x0200000b) /** SHA-512 */
	The SHA-512 message-digest algorithm.

#define	PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0200000c) /** SHA-512/224 */
	The SHA-512/224 message-digest algorithm.

#define	PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0200000d) /** SHA-512/256 */
	The SHA-512/256 message-digest algorithm.

#define	PSA_ALG_SHA3_224 ((psa_algorithm_t)0x02000010) /** SHA-3-224 */
	The SHA3-224 message-digest algorithm.

#define	PSA_ALG_SHA3_256 ((psa_algorithm_t)0x02000011) /** SHA-3-256 */
	The SHA3-256 message-digest algorithm.

#define	PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012) /** SHA-3-384 */
	The SHA3-384 message-digest algorithm.

#define	PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013) /** SHA-3-512 */
	The SHA3-512 message-digest algorithm.

#define	PSA_ALG_SM3 ((psa_algorithm_t)0x02000014) /** SM3 */
	The SM3 message-digest algorithm.

#define	PSA_ALG_SHAKE256_512 ((psa_algorithm_t)0x02000015)
	The first 512 bits (64 bytes) of the SHAKE256 output.

#define	PSA_ALG_CBC_MAC ((psa_algorithm_t)0x03c00100)
	The CBC-MAC message-authentication-code algorithm, constructed over a block cipher.

#define	PSA_ALG_CMAC ((psa_algorithm_t)0x03c00200)
	The CMAC message-authentication-code algorithm, constructed over a block cipher.

#define	PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04404000)
	The Cipher Block Chaining (CBC) mode of a block cipher, with no padding.

#define	PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04404100)
	The Cipher Block Chaining (CBC) mode of a block cipher, with PKCS#7 padding.

#define	PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t)0x04404400)
	The Electronic Codebook (ECB) mode of a block cipher, with no padding.

#define	PSA_ALG_XTS ((psa_algorithm_t)0x0440ff00)
	The XEX with Ciphertext Stealing (XTS) cipher mode of a block cipher.

#define	PSA_ALG_CTR ((psa_algorithm_t)0x04c01000)
	A stream cipher built using the Counter (CTR) mode of a block cipher.

#define	PSA_ALG_CFB ((psa_algorithm_t)0x04c01100)
	A stream cipher built using the Cipher Feedback (CFB) mode of a block cipher.

#define	PSA_ALG_OFB ((psa_algorithm_t)0x04c01200)
	A stream cipher built using the Output Feedback (OFB) mode of a block cipher.

#define	PSA_ALG_STREAM_CIPHER ((psa_algorithm_t)0x04800100)
	The stream cipher mode of a stream cipher algorithm.

#define	PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500)
	The ChaCha20-Poly1305 AEAD algorithm.

#define	PSA_ALG_CCM ((psa_algorithm_t)0x05500100)
	The Counter with CBC-MAC (CCM) authenticated encryption algorithm.

#define	PSA_ALG_GCM ((psa_algorithm_t)0x05500200)
	The Galois/Counter Mode (GCM) authenticated encryption algorithm.

#define	PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200)
	The PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching algorithm.

#define	PSA_ALG_PBKDF2_HMAC(hash_alg) ((psa_algorithm_t)(0x08800100 \| ((hash_alg) & 0x000000ff)))
	Macro to build a PBKDF2-HMAC password-hashing or key-stretching algorithm.

#define	PSA_ALG_RSA_PKCS1V15_SIGN_RAW ((psa_algorithm_t)0x06000200)
	The raw RSA PKCS#1 v1.5 signature algorithm, without hashing.

#define	PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)
	Base of ECDSA algorithms.

#define	PSA_ALG_PURE_EDDSA ((psa_algorithm_t)0x06000800)
	Edwards-curve digital signature algorithm without prehashing (PureEdDSA), using standard parameters.

#define	PSA_ALG_ECDSA(hash_alg) (PSA_ALG_ECDSA_BASE \| ((hash_alg) & PSA_ALG_HASH_MASK))
	The randomized ECDSA signature scheme, with hashing.

#define	PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE
	The randomized ECDSA signature scheme, without hashing.

#define	PSA_ALG_ED25519PH ((psa_algorithm_t)0x0600090B)
	Edwards-curve digital signature algorithm with prehashing (HashEdDSA), using the Edwards25519 curve.

#define	PSA_ALG_ED448PH ((psa_algorithm_t)0x06000915)
	Edwards-curve digital signature algorithm with prehashing (HashEdDSA), using the Edwards448 curve.

#define	PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x07000200)
	The RSA PKCS#1 v1.5 asymmetric encryption algorithm.

#define	PSA_ALG_FFDH ((psa_algorithm_t)0x09010000)
	The finite-field Diffie-Hellman (DH) key agreement algorithm.

#define	PSA_ALG_ECDH ((psa_algorithm_t)0x09020000)
	The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm.

#define	PSA_ALG_RSA_OAEP(hash_alg) ((psa_algorithm_t)(0x07000300 \| ((hash_alg) & 0x000000ff)))
	The RSA OAEP asymmetric encryption algorithm.

#define	PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) ((psa_algorithm_t)(0x06000200 \| ((hash_alg) & 0x000000ff)))
	The RSA PKCS#1 v1.5 message signature scheme, with hashing.

#define	PSA_ALG_RSA_PSS(hash_alg) ((psa_algorithm_t)(0x06000300 \| ((hash_alg) & 0x000000ff)))
	The RSA PSS message signature scheme, with hashing.

#define	PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) ((psa_algorithm_t)(0x06001300 \| ((hash_alg) & 0x000000ff)))
	The RSA PSS message signature scheme, with hashing.

#define	PSA_ALG_TLS12_PRF(hash_alg) ((psa_algorithm_t)(0x08000200 \| ((hash_alg) & 0x000000ff)))
	Macro to build a TLS-1.2 PRF algorithm.

#define	PSA_ALG_TLS12_PSK_TO_MS(hash_alg) ((psa_algorithm_t)(0x08000300 \| ((hash_alg) & 0x000000ff)))
	Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.

#define	PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) ((psa_algorithm_t)(((mac_alg) & ~0x003f0000) \| (((mac_length) & 0x3f) << 16)))
	Macro to build a truncated MAC algorithm.

#define	PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t)0x03)
	Finite-field Diffie-Hellman groups defined for TLS in RFC 7919.

#define	PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t)0x30)
	Brainpool `P` random curves.

#define	PSA_ECC_FAMILY_FRP ((psa_ecc_family_t)0x33)
	Curve used primarily in France and elsewhere in Europe.

#define	PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t)0x41)
	Montgomery curves.

#define	PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t)0x17)
	SEC Koblitz curves over prime fields.

#define	PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t)0x12)
	SEC random curves over prime fields.

#define	PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t)0x1b)

#define	PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t)0x27)
	SEC Koblitz curves over binary fields.

#define	PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t)0x22)
	SEC random curves over binary fields.

#define	PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t)0x2b)
	SEC additional random curves over binary fields.

#define	PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t)0x42)
	Twisted Edwards curves.

#define	PSA_KEY_DERIVATION_INPUT_CONTEXT /* implementation-defined value */
	A context for key derivation.

#define	PSA_KEY_DERIVATION_INPUT_COST /* implementation-defined value */
	A cost parameter for password hashing or key stretching.

#define	PSA_KEY_DERIVATION_INPUT_INFO /* implementation-defined value */
	An information string for key derivation.

#define	PSA_KEY_DERIVATION_INPUT_LABEL /* implementation-defined value */
	A label for key derivation.

#define	PSA_KEY_DERIVATION_INPUT_PASSWORD /* implementation-defined value */
	A low-entropy secret input for password hashing or key stretching.

#define	PSA_KEY_DERIVATION_INPUT_SALT /* implementation-defined value */
	A salt for key derivation.

#define	PSA_KEY_DERIVATION_INPUT_SECRET /* implementation-defined value */
	A high-entropy secret input for key derivation.

#define	PSA_KEY_DERIVATION_INPUT_SEED /* implementation-defined value */
	A seed for key derivation.

#define	PSA_KEY_DERIVATION_UNLIMITED_CAPACITY /* implementation-defined value */
	Use the maximum possible capacity for a key derivation operation.

#define	PSA_KEY_ID_NULL ((psa_key_id_t)0)
	The null key identifier.

#define	PSA_KEY_ID_USER_MAX ((psa_key_id_t)0x3fffffff)
	The maximum value for a key identifier chosen by the application.

#define	PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)
	The minimum value for a key identifier chosen by the application.

#define	PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff)
	The maximum value for a key identifier chosen by the implementation.

#define	PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t)0x40000000)
	The minimum value for a key identifier chosen by the implementation.

#define	PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence, location) ((location) << 8 \| (persistence))
	Construct a lifetime from a persistence level and a location.

#define	PSA_KEY_LIFETIME_GET_LOCATION(lifetime) ((psa_key_location_t)((lifetime) >> 8))
	Extract the location indicator from a key lifetime.

#define	PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) ((psa_key_persistence_t)((lifetime) & 0x000000ff))
	Extract the persistence level from a key lifetime.

#define	PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == PSA_KEY_PERSISTENCE_VOLATILE)
	Whether a key lifetime indicates that the key is volatile.

#define	PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001)
	The default lifetime for persistent keys.

#define	PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000)
	The default lifetime for volatile keys.

#define	PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t)0x000000)
	The local storage area for persistent keys.

#define	PSA_KEY_LOCATION_PRIMARY_SECURE_ELEMENT ((psa_key_location_t)0x000001)
	The default secure element storage area for persistent keys.

#define	PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)
	Mark vendor defined key locations.

#define	PSA_KEY_LOCATION_SE_MIN (PSA_KEY_LOCATION_VENDOR_FLAG)
	Minimum location value for secure elements.

#define	PSA_KEY_LOCATION_SE_MAX ((psa_key_location_t)0x8000ff)
	Maximum location value for secure elements.

#define	PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t)0x01)
	The default persistence level for persistent keys.

#define	PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t)0xff)
	A persistence level indicating that a key is never destroyed.

#define	PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t)0x00)
	The persistence level of volatile keys.

#define	PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x8000)
	Vendor-defined key type flag.

#define	PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x7000)
	Mask for key type categories.

#define	PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t)0x1000)
	Raw key data type.

#define	PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x2000)
	Symmetric key type.

#define	PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t)0x4000)
	Asymmetric public key type.

#define	PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t)0x7000)
	Asymmetric key pair type.

#define	PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x3000)
	Asymmetric key pair flag.

#define	PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400)
	Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.

#define	PSA_KEY_TYPE_ARC4 ((psa_key_type_t)0x2002)
	Key for the ARC4 stream cipher.

#define	PSA_KEY_TYPE_ARIA ((psa_key_type_t)0x2406)
	Key for a cipher, AEAD or MAC algorithm based on the ARIA block cipher.

#define	PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x2403)
	Key for a cipher, AEAD or MAC algorithm based on the Camellia block cipher.

#define	PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x2004)
	Key for the ChaCha20 stream cipher or the ChaCha20-Poly1305 AEAD algorithm.

#define	PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x1200)
	A secret for key derivation.

#define	PSA_KEY_TYPE_DES ((psa_key_type_t)0x2301)
	Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).

#define	PSA_KEY_TYPE_DH_GET_FAMILY(type) ((psa_dh_family_t)((type) & 0x00ff))
	Extract the group family from a Diffie-Hellman key type.

#define	PSA_KEY_TYPE_DH_KEY_PAIR(group) ((psa_key_type_t)(0x7200 \| (group)))
	Finite-field Diffie-Hellman key pair: both the private key and public key.

#define	PSA_KEY_TYPE_DH_PUBLIC_KEY(group) ((psa_key_type_t)(0x4200 \| (group)))
	Finite-field Diffie-Hellman public key.

#define	PSA_KEY_TYPE_ECC_GET_FAMILY(type) ((psa_ecc_family_t)((type) & 0x00ff))
	Extract the curve family from an elliptic curve key type.

#define	PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x4100)
	Base value for ECC public keys.

#define	PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t)0x7100)
	Base value for ECC key pairs.

#define	PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff)
	Mask for ECC curves.

#define	PSA_KEY_TYPE_ECC_KEY_PAIR(curve) (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE \| (curve))
	Elliptic curve key pair: both the private and public key.

#define	PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE \| (curve))
	Elliptic curve public key.

#define	PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE \| (curve))
	Elliptic curve public key.

#define	PSA_KEY_TYPE_IS_ECC(type) ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & 0xff00) == 0x4100)
	Whether a key type is an elliptic curve key, either a key pair or a public key.

#define	PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type) (((type) & 0xff00) == 0x7100)
	Whether a key type is an elliptic curve key pair.

#define	PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type) (((type) & 0xff00) == 0x4100)
	Whether a key type is an elliptic curve public key.

#define	PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) ((psa_key_type_t)((type) & ~0x3000))
	The public key type corresponding to a key pair type.

#define	PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x1100)
	HMAC key.

#define	PSA_KEY_TYPE_IS_ASYMMETRIC(type) (((type) & 0x4000) == 0x4000)
	Whether a key type is asymmetric: either a key pair or a public key.

#define	PSA_KEY_TYPE_IS_DH(type) ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & 0xff00) == 0x4200)
	Whether a key type is a Diffie-Hellman key, either a key pair or a public key.

#define	PSA_KEY_TYPE_IS_DH_KEY_PAIR(type) (((type) & 0xff00) == 0x7200)
	Whether a key type is a Diffie-Hellman key pair.

#define	PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) (((type) & 0xff00) == 0x4200)
	Whether a key type is a Diffie-Hellman public key.

#define	PSA_KEY_TYPE_IS_KEY_PAIR(type) (((type) & 0x7000) == 0x7000)
	Whether a key type is a key pair containing a private part and a public part.

#define	PSA_KEY_TYPE_IS_PUBLIC_KEY(type) (((type) & 0x7000) == 0x4000)
	Whether a key type is the public part of a key pair.

#define	PSA_KEY_TYPE_IS_RSA(type) (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == 0x4001)
	Whether a key type is an RSA key.

#define	PSA_KEY_TYPE_IS_UNSTRUCTURED(type) (((type) & 0x7000) == 0x1000 \|\| ((type) & 0x7000) == 0x2000)
	Whether a key type is an unstructured array of bytes.

#define	PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type) ((psa_key_type_t)((type) \| 0x3000))
	The key pair type corresponding to a public key type.

#define	PSA_KEY_TYPE_NONE ((psa_key_type_t)0x0000)
	An invalid key type value.

#define	PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1203)
	A low-entropy secret for password hashing or key derivation.

#define	PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t)0x1205)
	A secret value that can be used to verify a password hash.

#define	PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1206)
	A secret value that can be used when computing a password hash.

#define	PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x1001)
	Raw data.

#define	PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t)0x7001)
	RSA key pair: both the private and public key.

#define	PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x4001)
	RSA public key.

#define	PSA_KEY_TYPE_SM4 ((psa_key_type_t)0x2405)
	Key for a cipher, AEAD or MAC algorithm based on the SM4 block cipher.

#define	PSA_KEY_USAGE_CACHE ((psa_key_usage_t)0x00000004)
	Permission for the implementation to cache the key.

#define	PSA_KEY_USAGE_COPY ((psa_key_usage_t)0x00000002)
	Permission to copy the key.

#define	PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t)0x00000200)
	Permission to decrypt a message with the key.

#define	PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)
	Permission to derive other keys or produce a password hash from this key.

#define	PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t)0x00000100)
	Permission to encrypt a message with the key.

#define	PSA_KEY_USAGE_EXPORT ((psa_key_usage_t)0x00000001)
	Permission to export the key.

#define	PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000)
	Permission to sign a message hash with the key.

#define	PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t)0x00000400)
	Permission to sign a message with the key.

#define	PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)
	Permission to verify the result of a key derivation, including password hashing.

#define	PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000)
	Permission to verify a message hash with the key.

#define	PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t)0x00000800)
	Permission to verify a message signature with the key.

#define	PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE /* implementation-defined value */
	Sufficient output buffer size for psa_raw_key_agreement(), for any of the supported key types and key agreement algorithms.

#define	PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits) /* implementation-defined value */
	Sufficient output buffer size for psa_raw_key_agreement().

#define	PSA_SIGNATURE_MAX_SIZE /* implementation-defined value */
	A sufficient signature buffer size for psa_sign_message() and psa_sign_hash(), for any of the supported key types and asymmetric signature algorithms.

#define	PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE /* implementation-defined value */
	This macro returns the maximum supported length of the PSK for the TLS-1.2 PSK-to-MS key derivation.

#define	PSA_SUCCESS ((psa_status_t)0)
	The action was completed successfully.

#define	PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132)
	An error occurred that does not correspond to any defined failure cause.

#define	PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134)
	The requested operation or a parameter is not supported by this implementation.

#define	PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133)
	The requested action is denied by a policy.

#define	PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)
	An output buffer is too small.

#define	PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139)
	Asking for an item that already exists.

#define	PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140)
	Asking for an item that doesn’t exist.

#define	PSA_ERROR_BAD_STATE ((psa_status_t)-137)
	The requested action cannot be performed in the current state.

#define	PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
	The parameters passed to the function are invalid.

#define	PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)
	There is not enough runtime memory.

#define	PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142)
	There is not enough persistent storage.

#define	PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)
	There was a communication failure inside the implementation.

#define	PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146)
	There was a storage failure that might have led to data loss.

#define	PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152)
	Stored data has been corrupted.

#define	PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
	Data read from storage is not valid for the implementation.

#define	PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147)
	A hardware failure was detected.

#define	PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151)
	A tampering attempt was detected.

#define	PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)
	There is not enough entropy to generate random data needed for the requested action.

#define	PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149)
	The signature, MAC or hash is incorrect.

#define	PSA_ERROR_INVALID_PADDING ((psa_status_t)-150)
	The decrypted padding is incorrect.

#define	PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
	Return this error when there’s insufficient data when attempting to read from a resource.

#define	PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
	The key identifier is not valid.

Macro Definition Documentation

◆ PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG

#define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG	(	aead_alg,
		min_tag_length
	)	/* specification-defined value */

Macro to build an AEAD minimum-tag-length wildcard algorithm.

A key with a minimum-tag-length AEAD wildcard algorithm as permitted algorithm policy can be used with all AEAD algorithms sharing the same base algorithm, and where the tag length of the specific algorithm is equal to or larger then the minimum tag length specified by the wildcard algorithm.

Note: When setting the minimum required tag length to less than the smallest tag length allowed by the base algorithm, this effectively becomes an ‘any-tag-length-allowed’ policy for that base algorithm.

The AEAD algorithm with a default length tag can be recovered using PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG().

Parameters

aead_alg	An AEAD algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_AEAD(`aead_alg`) is true.
min_tag_length	Desired minimum length of the authentication tag in bytes. This must be at least 1 and at most the largest allowed tag length of the algorithm.

Returns: The corresponding AEAD wildcard algorithm with the specified minimum tag length Unspecified if aead_alg is not a supported AEAD algorithm or if min_tag_length is less than 1 or too large for the specified AEAD algorithm.

Definition at line 96 of file crypto_values.h.

◆ PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG

#define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG ( aead_alg )

Value:

    ((((aead_alg) & ~0x003f0000) == 0x05400100) ? PSA_ALG_CCM : \
     (((aead_alg) & ~0x003f0000) == 0x05400200) ? PSA_ALG_GCM : \
     (((aead_alg) & ~0x003f0000) == 0x05000500) ? PSA_ALG_CHACHA20_POLY1305 : \
     PSA_ALG_NONE)

An AEAD algorithm with the default tag length.

This macro can be used to construct the AEAD algorithm with default tag length from an AEAD algorithm with a shortened tag. See also PSA_ALG_AEAD_WITH_SHORTENED_TAG().

Compatible key types: The resulting AEAD algorithm is compatible with the same key types as the AEAD algorithm used to construct it.

Definition at line 109 of file crypto_values.h.

◆ PSA_ALG_AEAD_WITH_SHORTENED_TAG

#define PSA_ALG_AEAD_WITH_SHORTENED_TAG	(	aead_alg,
		tag_length
	)	((psa_algorithm_t)(((aead_alg) & ~0x003f0000) \| (((tag_length) & 0x3f) << 16)))

Macro to build a AEAD algorithm with a shortened tag.

An AEAD algorithm with a shortened tag is similar to the corresponding AEAD algorithm, but has an authentication tag that consists of fewer bytes. Depending on the algorithm, the tag length might affect the calculation of the ciphertext.

The AEAD algorithm with a default length tag can be recovered using PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG().

Compatible key types: The resulting AEAD algorithm is compatible with the same key types as the AEAD algorithm used to construct it.

Parameters

aead_alg	An AEAD algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_AEAD(`aead_alg`) is true.
tag_length	Desired length of the authentication tag in bytes.

Returns: The corresponding AEAD algorithm with the specified tag length. Unspecified if aead_alg is not a supported AEAD algorithm or if tag_length is not valid for the specified AEAD algorithm.

Definition at line 137 of file crypto_values.h.

◆ PSA_ALG_ANY_HASH

#define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff)

When setting a hash-and-sign algorithm in a key policy, permit any hash algorithm.

This value can be used to form the permitted algorithm attribute of a key policy for a signature algorithm that is parametrized by a hash. A key with this policy can then be used to perform operations using the same signature algorithm parametrized with any supported hash. A signature algorithm created using this macro is a wildcard algorithm, and PSA_ALG_IS_WILDCARD() will return true.

This value must not be used to build other algorithms that are parametrized over a hash. For any valid use of this macro to build an algorithm alg, PSA_ALG_IS_HASH_AND_SIGN(alg) is true. This value must not be used to build an algorithm specification to perform an operation. It is only valid for setting the permitted algorithm in a key policy.

Usage: For example, suppose that PSA_xxx_SIGNATURE is one of the following macros:

The following sequence of operations shows how PSA_ALG_ANY_HASH can be used in a key policy:

Set the key usage flags using PSA_ALG_ANY_HASH, for example:
@ref psa_set_key_usage_flags(@p &attributes, @ref PSA_KEY_USAGE_SIGN_MESSAGE);

// or VERIFY_MESSAGE

@ref psa_set_key_algorithm(@p &attributes,

PSA_xxx_SIGNATURE(@ref PSA_ALG_ANY_HASH));

psa_set_key_usage_flags
static void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
Declare usage flags for a key.
Definition crypto.h:2022

psa_set_key_algorithm
static void psa_set_key_algorithm(psa_key_attributes_t *attributes, psa_algorithm_t alg)
Declare the permitted algorithm policy for a key.
Definition crypto.h:1867

PSA_KEY_USAGE_SIGN_MESSAGE
#define PSA_KEY_USAGE_SIGN_MESSAGE
Permission to sign a message with the key.
Definition crypto_values.h:3247

PSA_ALG_ANY_HASH
#define PSA_ALG_ANY_HASH
When setting a hash-and-sign algorithm in a key policy, permit any hash algorithm.
Definition crypto_values.h:182
Import or generate key material.
Call psa_sign_message() or psa_verify_message(), passing an algorithm built from PSA_xxx_SIGNATURE and a specific hash. Each call to sign or verify a message can use a different hash algorithm.
@ref psa_sign_message(@p key, PSA_xxx_SIGNATURE(@ref PSA_ALG_SHA_256), ...);

@ref psa_sign_message(@p key, PSA_xxx_SIGNATURE(@ref PSA_ALG_SHA_512), ...);

@ref psa_sign_message(@p key, PSA_xxx_SIGNATURE(@ref PSA_ALG_SHA3_256), ...);

psa_sign_message
psa_status_t psa_sign_message(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *input, size_t input_length, uint8_t *signature, size_t signature_size, size_t *signature_length)
Sign a message with a private key.

PSA_ALG_SHA_256
#define PSA_ALG_SHA_256
The SHA-256 message-digest algorithm.
Definition crypto_values.h:953

PSA_ALG_SHA3_256
#define PSA_ALG_SHA3_256
The SHA3-256 message-digest algorithm.
Definition crypto_values.h:1000

PSA_ALG_SHA_512
#define PSA_ALG_SHA_512
The SHA-512 message-digest algorithm.
Definition crypto_values.h:969

Definition at line 182 of file crypto_values.h.

◆ PSA_ALG_AT_LEAST_THIS_LENGTH_MAC

#define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC	(	mac_alg,
		min_mac_length
	)	/* specification-defined value */

Macro to build a MAC minimum-MAC-length wildcard algorithm.

A key with a minimum-MAC-length MAC wildcard algorithm as permitted algorithm policy can be used with all MAC algorithms sharing the same base algorithm, and where the (potentially truncated) MAC length of the specific algorithm is equal to or larger then the wildcard algorithm’s minimum MAC length.

Note: When setting the minimum required MAC length to less than the smallest MAC length allowed by the base algorithm, this effectively becomes an ‘any-MAC-length-allowed’ policy for that base algorithm.

The untruncated MAC algorithm can be recovered using PSA_ALG_FULL_LENGTH_MAC().

Compatible key types The resulting wildcard MAC algorithm is compatible with the same key types as the MAC algorithm used to construct it.

Parameters

mac_alg	A MAC algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_MAC(alg) is true. This can be a truncated or untruncated MAC algorithm.
min_mac_length	Desired minimum length of the message authentication code in bytes. This must be at most the untruncated length of the MAC and must be at least 1.

Returns: The corresponding MAC wildcard algorithm with the specified minimum MAC length. Unspecified if mac_alg is not a supported MAC algorithm or if min_mac_length is less than 1 or too large for the specified MAC algorithm.

Definition at line 212 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_AEAD

#define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x05000000)

Category for AEAD algorithms.

Definition at line 54 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION

#define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000)

Category for asymmetric encryption algorithms.

Definition at line 62 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_CIPHER

#define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t)0x04000000)

Category for cipher algorithms.

Definition at line 50 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_HASH

#define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x02000000)

Category for hash algorithms.

Definition at line 42 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_KEY_AGREEMENT

#define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000)

Category for key agreement algorithms.

Definition at line 70 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_KEY_DERIVATION

#define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000)

Category for key derivation algorithms.

Definition at line 66 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_MAC

#define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x03000000)

Category for MAC algorithms.

Definition at line 46 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_MASK

#define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t)0x7f000000)

PSA algorithm category mask.

Definition at line 37 of file crypto_values.h.

◆ PSA_ALG_CATEGORY_SIGN

#define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x06000000)

Category for signature algorithms.

Definition at line 58 of file crypto_values.h.

◆ PSA_ALG_CBC_MAC

#define PSA_ALG_CBC_MAC ((psa_algorithm_t)0x03c00100)

The CBC-MAC message-authentication-code algorithm, constructed over a block cipher.

Warning: CBC-MAC is insecure in many cases. A more secure mode, such as PSA_ALG_CMAC, is recommended.

The CBC-MAC algorithm must be used with a key for a block cipher. For example, one of PSA_KEY_TYPE_AES.

CBC-MAC is defined as MAC Algorithm 1 in ISO/IEC 9797-1:2011 Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mechanisms using a block cipher ISO9797.

Compatible key types

Definition at line 1062 of file crypto_values.h.

◆ PSA_ALG_CBC_NO_PADDING

#define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04404000)

The Cipher Block Chaining (CBC) mode of a block cipher, with no padding.

The underlying block cipher is determined by the key type. This symmetric cipher mode can only be used with messages whose lengths are a multiple of the block size of the chosen block cipher.

CBC mode requires an initialization vector (IV) that is the same size as the cipher block length.

Note

The cipher block length can be determined using PSA_BLOCK_CIPHER_BLOCK_LENGTH().

     The CBC block cipher mode is defined in NIST Special Publication 800-38A:
     Recommendation for Block Cipher Modes of Operation: Methods and Techniques
     [SP800-38A](https://doi.org/10.6028/NIST.SP.800-38B).

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_AES
     - @ref PSA_KEY_TYPE_ARIA
     - @ref PSA_KEY_TYPE_DES
     - @ref PSA_KEY_TYPE_CAMELLIA
     - @ref PSA_KEY_TYPE_SM4

Definition at line 1106 of file crypto_values.h.

◆ PSA_ALG_CBC_PKCS7

#define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04404100)

The Cipher Block Chaining (CBC) mode of a block cipher, with PKCS#7 padding.

The underlying block cipher is determined by the key type.

     CBC mode requires an initialization vector (IV) that is the same size as the cipher
     block length.

Note

The cipher block length can be determined using PSA_BLOCK_CIPHER_BLOCK_LENGTH().

     The CBC block cipher mode is defined in NIST Special Publication 800-38A:
     Recommendation for Block Cipher Modes of Operation: Methods and Techniques
     [SP800-38A](https://doi.org/10.6028/NIST.SP.800-38B).
     The padding operation is defined by PKCS #7: Cryptographic Message Syntax Version 1.5
     [RFC2315](https://tools.ietf.org/html/rfc2315.html) §10.3.

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_AES
     - @ref PSA_KEY_TYPE_ARIA
     - @ref PSA_KEY_TYPE_DES
     - @ref PSA_KEY_TYPE_CAMELLIA
     - @ref PSA_KEY_TYPE_SM4

Definition at line 1131 of file crypto_values.h.

◆ PSA_ALG_CCM

#define PSA_ALG_CCM ((psa_algorithm_t)0x05500100)

The Counter with CBC-MAC (CCM) authenticated encryption algorithm.

CCM is defined for block ciphers that have a 128-bit block size. The underlying block cipher is determined by the key type.

To use PSA_ALG_CCM with a multi-part AEAD operation, the application must call psa_aead_set_lengths() before providing the nonce, the additional data and plaintext to the operation.

CCM requires a nonce of between 7 and 13 bytes in length. The length of the nonce affects the m maximum length of the plaintext than can be encrypted or decrypted. If the nonce has length N, then the plaintext length pLen is encoded in L = 15 - N octets, this requires that pLen < 28L.

The value for L that is used with PSA_ALG_CCM depends on the function used to provide the nonce:

A call to psa_aead_encrypt(), psa_aead_decrypt(), or psa_aead_set_nonce() will set L to 15 - nonce_length. If the plaintext length cannot be encoded in L octets, then a PSA_ERROR_INVALID_ARGUMENT error is returned.
A call to psa_aead_generate_nonce() on a multi-part cipher operation will select L as the smallest integer >= 2 where pLen < 28L, with pLen being the plaintext_length provided to psa_aead_set_lengths(). The call to psa_aead_generate_nonce() will generate and return a random nonce of length 15 - L bytes.

CCM supports authentication tag sizes of 4, 6, 8, 10, 12, 14, and 16 bytes. The default tag length is 16. Shortened tag lengths can be requested using PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, tag_length), where tag_length is a valid CCM tag length.

The CCM block cipher mode is defined in Counter with CBC-MAC (CCM) RFC3610.

Compatible key types

Definition at line 1430 of file crypto_values.h.

◆ PSA_ALG_CFB

#define PSA_ALG_CFB ((psa_algorithm_t)0x04c01100)

A stream cipher built using the Cipher Feedback (CFB) mode of a block cipher.

The underlying block cipher is determined by the key type. This is the variant of CFB where each iteration encrypts or decrypts a segment of the input that is the same length as the cipher block size. For example, using PSA_ALG_CFB with a key of type PSA_KEY_TYPE_AES will result in the AES-CFB-128 cipher.

CFB mode requires an initialization vector (IV) that is the same size as the cipher block length.

Note

The cipher block length can be determined using PSA_BLOCK_CIPHER_BLOCK_LENGTH().

     The CFB block cipher mode is defined in NIST Special Publication 800-38A:
     Recommendation for Block Cipher Modes of Operation: Methods and Techniques
     [SP800-38A](https://doi.org/10.6028/NIST.SP.800-38A), using a segment size s equal
     to the block size b. The definition in
     [SP800-38A](https://doi.org/10.6028/NIST.SP.800-38A) is
     extended to allow an incomplete final block of input, in which case the algorithm
     discards the final bytes of the key stream when encrypting or decrypting the final
     partial block.

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_AES
     - @ref PSA_KEY_TYPE_ARIA
     - @ref PSA_KEY_TYPE_DES
     - @ref PSA_KEY_TYPE_CAMELLIA
     - @ref PSA_KEY_TYPE_SM4

Definition at line 1276 of file crypto_values.h.

◆ PSA_ALG_CHACHA20_POLY1305

#define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500)

The ChaCha20-Poly1305 AEAD algorithm.

There are two defined variants of ChaCha20-Poly1305:

An implementation that supports ChaCha20-Poly1305 must support the variant defined by ChaCha20 and Poly1305 for IETF Protocols RFC7539, which has a 96-bit nonce and 32-bit counter.
An implementation can optionally also support the original variant defined by ChaCha, a variant of Salsa20 CHACHA20, which has a 64-bit nonce and 64-bit counter.

The variant used for the AEAD encryption or decryption operation, depends on the nonce provided for an AEAD operation using PSA_ALG_CHACHA20_POLY1305 :

A nonce provided in a call to psa_aead_encrypt(), psa_aead_decrypt() or psa_aead_set_nonce() must be 8 or 12 bytes. The size of nonce will select the appropriate variant of the algorithm.
A nonce generated by a call to psa_aead_generate_nonce() will be 12 bytes, and will use the RFC7539 variant.

Implementations must support 16-byte tags. It is recommended that truncated tag sizes are rejected.

Compatible key types

PSA_KEY_TYPE_CHACHA20

Definition at line 1387 of file crypto_values.h.

◆ PSA_ALG_CMAC

#define PSA_ALG_CMAC ((psa_algorithm_t)0x03c00200)

The CMAC message-authentication-code algorithm, constructed over a block cipher.

The CMAC algorithm must be used with a key for a block cipher. For example, when used with a key with type PSA_KEY_TYPE_AES, the resulting operation is AES-CMAC.

CMAC is defined in NIST Special Publication 800-38B: Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication SP800-38B.

Compatible key types

Definition at line 1081 of file crypto_values.h.

◆ PSA_ALG_CTR

#define PSA_ALG_CTR ((psa_algorithm_t)0x04c01000)

A stream cipher built using the Counter (CTR) mode of a block cipher.

CTR is a stream cipher which is built from a block cipher. The underlying block cipher is determined by the key type. For example, to use AES-128-CTR, use this algorithm with a key of type PSA_KEY_TYPE_AES and a size of 128 bits (16 bytes).

The CTR block cipher mode is defined in NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques [SP800-38A].

CTR mode requires a counter block which is the same size as the cipher block length. The counter block is updated for each block (or a partial final block) that is encrypted or decrypted.

A counter block value must only be used once across all messages encrypted using the same key value. This is typically achieved by splitting the counter block into a nonce, which is unique among all message encrypted with the key, and a counter which is incremented for each block of a message.

For example, when using AES-CTR encryption, which uses a 16-byte block, the application can provide a 12-byte nonce when setting the IV. This leaves 4 bytes for the counter, allowing up to 2^32 blocks (64GB) of message data to be encrypted in each message.

The first counter block is constructed from the initialization vector (IV). The initial counter block is is constructed in the following ways:

A call to psa_cipher_encrypt() will generate a random counter block value. This is the first block of output.
A call to psa_cipher_decrypt() will use first block of the input buffer as the initial counter block value.
A call to psa_cipher_generate_iv() on a multi-part cipher operation will generate and return a random counter block value.
A call to psa_cipher_set_iv() on a multi-part cipher operation requires an IV that is between 1 and n bytes in length, where n is the cipher block length. The counter block is initialized using the IV, and padded with zero bytes up to the block length.

During the counter block update operation, the counter block is treated as a single big-endian encoded integer and the update operation increments this integer by 1.

This scheme meets the recommendations in Appendix B of SP800-38A.

Note

The cipher block length can be determined using PSA_BLOCK_CIPHER_BLOCK_LENGTH().

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_AES
     - @ref PSA_KEY_TYPE_ARIA
     - @ref PSA_KEY_TYPE_DES
     - @ref PSA_KEY_TYPE_CAMELLIA
     - @ref PSA_KEY_TYPE_SM4

Definition at line 1245 of file crypto_values.h.

◆ PSA_ALG_DETERMINISTIC_ECDSA

#define PSA_ALG_DETERMINISTIC_ECDSA ( hash_alg ) ((psa_algorithm_t)(0x06000700 | ((hash_alg) & 0x000000ff)))

Deterministic ECDSA signature scheme, with hashing.

This algorithm can be used with both the message and hash signature functions.

     This is the deterministic ECDSA signature scheme defined by Deterministic Usage of the
     Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm
     (ECDSA) [RFC6979].

     The representation of a signature is the same as with @ref PSA_ALG_ECDSA().

Note: When based on the same hash algorithm, the verification operations for PSA_ALG_ECDSA and PSA_ALG_DETERMINISTIC_ECDSA are identical. A signature created using PSA_ALG_ECDSA can be verified with the same key using either PSA_ALG_ECDSA or PSA_ALG_DETERMINISTIC_ECDSA. Similarly, a signature created using PSA_ALG_DETERMINISTIC_ECDSA can be verified with the same key using either PSA_ALG_ECDSA or PSA_ALG_DETERMINISTIC_ECDSA.

In particular, it is impossible to determine whether a signature was produced with deterministic ECDSA or with randomized ECDSA: it is only possible to verify that a signature was made with ECDSA with the private key corresponding to the public key used for the verification.

Compatible key types

PSA_KEY_TYPE_ECC_KEY_PAIR(family)
PSA_KEY_TYPE_ECC_PUBLIC_KEY(family) (signature verification only)

where family is a Weierstrass Elliptic curve family. That is, one of the following values:

PSA_ECC_FAMILY_SECT_XX
PSA_ECC_FAMILY_SECP_XX
PSA_ECC_FAMILY_FRP
PSA_ECC_FAMILY_BRAINPOOL_P_R1

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true. This includes PSA_ALG_ANY_HASH when specifying the algorithm in a key policy.

Returns: The corresponding deterministic ECDSA signature algorithm. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 256 of file crypto_values.h.

◆ PSA_ALG_ECB_NO_PADDING

#define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t)0x04404400)

The Electronic Codebook (ECB) mode of a block cipher, with no padding.

Warning: ECB mode does not protect the confidentiality of the encrypted data except in extremely narrow circumstances. It is recommended that applications only use ECB if they need to construct an operating mode that the implementation does not provide. Implementations are encouraged to provide the modes that applications need in preference to supporting direct access to ECB.

The underlying block cipher is determined by the key type.

     This symmetric cipher mode can only be used with messages whose lengths are a multiple
     of the block size of the chosen block cipher.

     ECB mode does not accept an initialization vector (IV). When using a multi-part cipher
     operation with this algorithm, @ref psa_cipher_generate_iv() and
     @ref psa_cipher_set_iv() must not be called.

Note

The cipher block length can be determined using PSA_BLOCK_CIPHER_BLOCK_LENGTH().

     The ECB block cipher mode is defined in NIST Special Publication 800-38A:
     Recommendation for Block Cipher Modes of Operation: Methods and Techniques
     [SP800-38A](https://doi.org/10.6028/NIST.SP.800-38A).

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_AES
     - @ref PSA_KEY_TYPE_ARIA
     - @ref PSA_KEY_TYPE_DES
     - @ref PSA_KEY_TYPE_CAMELLIA
     - @ref PSA_KEY_TYPE_SM4

Definition at line 1164 of file crypto_values.h.

◆ PSA_ALG_ECDH

#define PSA_ALG_ECDH ((psa_algorithm_t)0x09020000)

The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm.

This algorithm can be used directly in a call to psa_raw_key_agreement(), or combined with a key derivation operation using PSA_ALG_KEY_AGREEMENT() for use with psa_key_derivation_key_agreement().

When used as a key’s permitted algorithm policy, the following uses are permitted:

In a call to psa_raw_key_agreement(), with algorithm PSA_ALG_ECDH.
In a call to psa_key_derivation_key_agreement(), with any combined key agreement and key derivation algorithm constructed with PSA_ALG_ECDH.

When used as part of a multi-part key derivation operation, this implements a Diffie-Hellman key agreement scheme using a single elliptic curve key-pair for each participant. This includes the Ephemeral unified model, the Static unified model, and the One-pass Diffie-Hellman schemes. The input step PSA_KEY_DERIVATION_INPUT_SECRET is used when providing the secret and peer keys to the operation.

The shared secret produced by key agreement is the x-coordinate of the shared secret point. It is always ceiling(m / 8) bytes long where m is the bit size associated with the curve, i.e. the bit size of the order of the curve’s coordinate field. When m is not a multiple of 8, the byte containing the most significant bit of the shared secret is padded with zero bits. The byte order is either little-endian or big-endian depending on the curve type.

For Montgomery curves (curve family PSA_ECC_FAMILY_MONTGOMERY), the shared secret is the x-coordinate of Z = d_A Q_B = d_B Q_A in little-endian byte order.
- For Curve25519, this is the X25519 function defined in Curve25519: new Diffie-Hellman speed records Curve25519. The bit size m is 255.
- For Curve448, this is the X448 function defined in Ed448-Goldilocks, a new elliptic curve Curve448. The bit size m is 448.
For Weierstrass curves (curve families PSA_ECC_FAMILY_SECP_XX, PSA_ECC_FAMILY_SECT_XX, PSA_ECC_FAMILY_BRAINPOOL_P_R1 and PSA_ECC_FAMILY_FRP) the shared secret is the x-coordinate of Z = h d_A Q_B = h d_B Q_A in big-endian byte order. This is the Elliptic Curve Cryptography Cofactor Diffie-Hellman primitive defined by SEC 1: Elliptic Curve Cryptography SEC1 §3.3.2 as, and also as ECC CDH by NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography SP800-56A §5.7.1.2.
- Over prime fields (curve families PSA_ECC_FAMILY_SECP_XX, PSA_ECC_FAMILY_BRAINPOOL_P_R1 and PSA_ECC_FAMILY_FRP), the bit size is m = ceiling(log_2(p)) for the field F_p.
- Over binary fields (curve families PSA_ECC_FAMILY_SECT_XX), the bit size is m for the field F_{2^m}.

Note: The cofactor Diffie-Hellman primitive is equivalent to the standard elliptic curve Diffie-Hellman calculation Z = d_A Q_B = d_B Q_A (SEC1 §3.3.1) for curves where the cofactor h is 1. This is true for all curves in the PSA_ECC_FAMILY_SECP_XX, PSA_ECC_FAMILY_BRAINPOOL_P_R1, and PSA_ECC_FAMILY_FRP families.

Compatible key types

PSA_KEY_TYPE_ECC_KEY_PAIR(family)

where family is a Weierstrass or Montgomery Elliptic curve family. That is, one of the following values:

PSA_ECC_FAMILY_SECT_XX
PSA_ECC_FAMILY_SECP_XX
PSA_ECC_FAMILY_FRP
PSA_ECC_FAMILY_BRAINPOOL_P_R1
PSA_ECC_FAMILY_MONTGOMERY

Definition at line 1834 of file crypto_values.h.

◆ PSA_ALG_ECDSA

#define PSA_ALG_ECDSA ( hash_alg ) (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))

The randomized ECDSA signature scheme, with hashing.

This algorithm can be used with both the message and hash signature functions.

     This algorithm is randomized: each invocation returns a different, equally valid
     signature.

Note: When based on the same hash algorithm, the verification operations for PSA_ALG_ECDSA and PSA_ALG_DETERMINISTIC_ECDSA are identical. A signature created using PSA_ALG_ECDSA can be verified with the same key using either PSA_ALG_ECDSA or PSA_ALG_DETERMINISTIC_ECDSA. Similarly, a signature created using PSA_ALG_DETERMINISTIC_ECDSA can be verified with the same key using either PSA_ALG_ECDSA or PSA_ALG_DETERMINISTIC_ECDSA.

In particular, it is impossible to determine whether a signature was produced with deterministic ECDSA or with randomized ECDSA: it is only possible to verify that a signature was made with ECDSA with the private key corresponding to the public key used for the verification.

This signature scheme is defined by SEC 1: Elliptic Curve Cryptography SEC1, and also by Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) [X9-62])(https://standards.globalspec.com/std/1955141/ANSI%20X9.62), with a random per-message secret number k.

The representation of the signature as a byte string consists of the concatenation of the signature values r and s. Each of r and s is encoded as an N-octet string, where N is the length of the base point of the curve in octets. Each value is represented in big-endian order, with the most significant octet first.

Compatible key types

PSA_KEY_TYPE_ECC_KEY_PAIR(family)
PSA_KEY_TYPE_ECC_PUBLIC_KEY(family) (signature verification only)

where family is a Weierstrass Elliptic curve family. That is, one of the following values:

PSA_ECC_FAMILY_SECT_XX
PSA_ECC_FAMILY_SECP_XX
PSA_ECC_FAMILY_FRP
PSA_ECC_FAMILY_BRAINPOOL_P_R1

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true. This includes PSA_ALG_ANY_HASH when specifying the algorithm in a key policy.

Returns: The corresponding randomized ECDSA signature algorithm. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 1631 of file crypto_values.h.

◆ PSA_ALG_ECDSA_ANY

#define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE

The randomized ECDSA signature scheme, without hashing.

This algorithm can be only used with the psa_sign_hash() and psa_verify_hash() functions.

This algorithm is randomized: each invocation returns a different, equally valid signature.

This is the same signature scheme as PSA_ALG_ECDSA(), but without specifying a hash algorithm, and skipping the message hashing operation.

This algorithm is only recommended to sign or verify a sequence of bytes that are an already-calculated hash. Note that the input is padded with zeros on the left or truncated on the right as required to fit the curve size.

Compatible key types

PSA_KEY_TYPE_ECC_KEY_PAIR(family)
PSA_KEY_TYPE_ECC_PUBLIC_KEY(family) (signature verification only)

where family is a Weierstrass Elliptic curve family. That is, one of the following values:

PSA_ECC_FAMILY_SECT_XX
PSA_ECC_FAMILY_SECP_XX
PSA_ECC_FAMILY_FRP
PSA_ECC_FAMILY_BRAINPOOL_P_R1

Definition at line 1661 of file crypto_values.h.

◆ PSA_ALG_ECDSA_BASE

#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)

Base of ECDSA algorithms.

Definition at line 1543 of file crypto_values.h.

◆ PSA_ALG_ED25519PH

#define PSA_ALG_ED25519PH ((psa_algorithm_t)0x0600090B)

Edwards-curve digital signature algorithm with prehashing (HashEdDSA), using the Edwards25519 curve.

This algorithm can be used with both the message and hash signature functions.

     This computes the Ed25519ph algorithm as specified in Edwards-Curve Digital Signature
     Algorithm (EdDSA) [RFC8032](https://tools.ietf.org/html/rfc8032.html) §5.1, and
     requires an Edwards25519 curve key. An empty string is used as the context. The prehash
     function is SHA-512.

     @b Usage
     This is a hash-and-sign algorithm. To calculate a signature, use one of the following
     approaches:
     -   Call @ref psa_sign_message() with the message.
     -   Calculate the SHA-512 hash of the message with @ref psa_hash_compute(), or with a
         multi-part hash operation, using the hash algorithm @ref PSA_ALG_SHA_512. Then sign
         the calculated hash with @ref psa_sign_hash().

     Verifying a signature is similar, using @ref psa_verify_message() or
     @ref psa_verify_hash() instead of the signature function.

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_ECC_KEY_PAIR(@ref PSA_ECC_FAMILY_TWISTED_EDWARDS)
     - @ref PSA_KEY_TYPE_ECC_PUBLIC_KEY(@ref PSA_ECC_FAMILY_TWISTED_EDWARDS) (signature
       verification only)

Definition at line 1690 of file crypto_values.h.

◆ PSA_ALG_ED448PH

#define PSA_ALG_ED448PH ((psa_algorithm_t)0x06000915)

Edwards-curve digital signature algorithm with prehashing (HashEdDSA), using the Edwards448 curve.

This algorithm can be used with both the message and hash signature functions.

     This computes the Ed448ph algorithm as specified in Edwards-Curve Digital Signature
     Algorithm (EdDSA) [RFC8032](https://tools.ietf.org/html/rfc8032.html) §5.2, and
     requires an Edwards448 curve key. An empty string is used as the context. The prehash
     function is the first 64 bytes of the output from SHAKE256.

     @b Usage
     This is a hash-and-sign algorithm. To calculate a signature, use one of the following
     approaches:
     -   Call @ref psa_sign_message() with the message.
     -   Calculate the first 64 bytes of the SHAKE256 output of the message with
         @ref psa_hash_compute(), or with a multi-part hash operation, using the hash
         algorithm @ref PSA_ALG_SHAKE256_512. Then sign the calculated hash with
         @ref psa_sign_hash().

     Verifying a signature is similar, using @ref psa_verify_message() or
     @ref psa_verify_hash() instead of the signature function.

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_ECC_KEY_PAIR(@ref PSA_ECC_FAMILY_TWISTED_EDWARDS)
     - @ref PSA_KEY_TYPE_ECC_PUBLIC_KEY(@ref PSA_ECC_FAMILY_TWISTED_EDWARDS) (signature
       verification only)

Definition at line 1720 of file crypto_values.h.

◆ PSA_ALG_FFDH

#define PSA_ALG_FFDH ((psa_algorithm_t)0x09010000)

The finite-field Diffie-Hellman (DH) key agreement algorithm.

This algorithm can be used directly in a call to psa_raw_key_agreement(), or combined with a key derivation operation using PSA_ALG_KEY_AGREEMENT() for use with psa_key_derivation_key_agreement().

When used as a key’s permitted algorithm policy, the following uses are permitted:

In a call to psa_raw_key_agreement(), with algorithm PSA_ALG_FFDH.
In a call to psa_key_derivation_key_agreement(), with any combined key agreement and key derivation algorithm constructed with PSA_ALG_FFDH.

When used as part of a multi-part key derivation operation, this implements a Diffie-Hellman key agreement scheme using a single Diffie-Hellman key-pair for each participant. This includes the dhEphem, dhOneFlow, and dhStatic schemes. The input step PSA_KEY_DERIVATION_INPUT_SECRET is used when providing the secret and peer keys to the operation.

The shared secret produced by this key agreement algorithm is g^{ab} in big-endian format. It is ceiling(m / 8) bytes long where m is the size of the prime p in bits.

This key agreement scheme is defined by NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography SP800-56A §5.7.1.1 under the name FFC DH.

Compatible key types

PSA_KEY_TYPE_DH_KEY_PAIR()

Definition at line 1765 of file crypto_values.h.

◆ PSA_ALG_FULL_LENGTH_MAC

#define PSA_ALG_FULL_LENGTH_MAC ( mac_alg ) ((psa_algorithm_t)((mac_alg) & ~0x003f0000))

Macro to construct the MAC algorithm with a full length MAC, from a truncated MAC algorithm.

Compatible key types The resulting untruncated MAC algorithm is compatible with the same key types as the MAC algorithm used to construct it.

Parameters

mac_alg A MAC algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_MAC(mac_alg) is true. This can be a truncated or untruncated MAC algorithm.

Returns: The corresponding MAC algorithm with a full length MAC. Unspecified if mac_alg is not a supported MAC algorithm. *

Definition at line 274 of file crypto_values.h.

◆ PSA_ALG_GCM

#define PSA_ALG_GCM ((psa_algorithm_t)0x05500200)

The Galois/Counter Mode (GCM) authenticated encryption algorithm.

GCM is defined for block ciphers that have a 128-bit block size. The underlying block cipher is determined by the key type.

GCM requires a nonce of at least 1 byte in length. The maximum supported nonce size is implementation defined. Calling psa_aead_generate_nonce() will generate a random 12-byte nonce.

GCM supports authentication tag sizes of 4, 8, 12, 13, 14, 15, and 16 bytes. The default tag length is 16. Shortened tag lengths can be requested using PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, tag_length), where tag_length is a valid GCM tag length.

The GCM block cipher mode is defined in NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC SP800-38D.

Compatible key types

Definition at line 1457 of file crypto_values.h.

◆ PSA_ALG_GET_HASH

#define PSA_ALG_GET_HASH ( alg )

Value:

(((alg) & PSA_ALG_HASH_MASK) == \

0 ? ((psa_algorithm_t)0) : PSA_ALG_CATEGORY_HASH | ((alg) & PSA_ALG_HASH_MASK))

psa_algorithm_t

uint32_t psa_algorithm_t

Encoding of a cryptographic algorithm.

Definition crypto_types.h:46

PSA_ALG_HASH_MASK

#define PSA_ALG_HASH_MASK

Hash algorithm mask.

Definition crypto_values.h:884

PSA_ALG_CATEGORY_HASH

#define PSA_ALG_CATEGORY_HASH

Category for hash algorithms.

Definition crypto_values.h:42

Get the hash used by a composite algorithm.

     The following composite algorithms require a hash algorithm:
     - @ref PSA_ALG_ECDSA()
     - @ref PSA_ALG_HKDF()
     - @ref PSA_ALG_HMAC()
     - @ref PSA_ALG_RSA_OAEP()
     - @ref PSA_ALG_IS_RSA_PKCS1V15_SIGN()
     - @ref PSA_ALG_RSA_PSS()
     - @ref PSA_ALG_RSA_PSS_ANY_SALT()
     - @ref PSA_ALG_TLS12_PRF()
     - @ref PSA_ALG_TLS12_PSK_TO_MS()
     - @ref PSA_ALG_PBKDF2_HMAC()

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: The underlying hash algorithm if alg is a composite algorithm that uses a hash algorithm PSA_ALG_NONE if alg is not a composite algorithm that uses a hash.

Definition at line 329 of file crypto_values.h.

◆ PSA_ALG_HASH_MASK

#define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)

Hash algorithm mask.

Definition at line 884 of file crypto_values.h.

◆ PSA_ALG_HKDF

#define PSA_ALG_HKDF ( hash_alg ) ((psa_algorithm_t)(0x08000100 | ((hash_alg) & 0x000000ff)))

Macro to build an HKDF algorithm.

This is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) specified by HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [RFC5869].

This key derivation algorithm uses the following inputs:

PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the “extract” step. It is optional; if omitted, the derivation uses an empty salt.
PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the “expand” step.
PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the “extract” step.

If PSA_KEY_DERIVATION_INPUT_SALT is provided, it must be before PSA_KEY_DERIVATION_INPUT_SECRET. PSA_KEY_DERIVATION_INPUT_INFO can be provided at any time after setup and before starting to generate output.

Each input may only be passed once.

Compatible key types

PSA_KEY_TYPE_DERIVE (for the secret key)
PSA_KEY_TYPE_RAW_DATA (for the other inputs)

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true.

Returns: The corresponding HKDF algorithm. For example, PSA_ALG_HKDF(PSA_ALG_SHA_256) is HKDF using HMAC-SHA-256. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 306 of file crypto_values.h.

◆ PSA_ALG_HMAC

#define PSA_ALG_HMAC ( hash_alg ) ((psa_algorithm_t)(PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)))

Macro to build an HMAC message-authentication-code algorithm from an underlying hash algorithm.

For example, PSA_ALG_HMAC(PSA_ALG_SHA_256) is HMAC-SHA-256. The HMAC construction is defined in HMAC: Keyed-Hashing for Message Authentication [RFC2104].

Compatible key types

PSA_KEY_TYPE_HMAC

Parameters

hash_alg A hash algorithm (PSA_ALG_XXX value such that PSA_ALG_IS_HASH(hash_alg) is true).

Returns: The corresponding HMAC algorithm. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 355 of file crypto_values.h.

◆ PSA_ALG_HMAC_BASE

#define PSA_ALG_HMAC_BASE (0x03800000)

HMAC Base.

Definition at line 336 of file crypto_values.h.

◆ PSA_ALG_HMAC_GET_HASH

#define PSA_ALG_HMAC_GET_HASH ( hmac_alg ) (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK))

Get the hash operation of a hmac algorithm.

Parameters

hmac_alg HMAC algorithm

Definition at line 483 of file crypto_values.h.

◆ PSA_ALG_IS_AEAD

#define PSA_ALG_IS_AEAD ( alg ) (((alg) & PSA_ALG_CATEGORY_MASK) == 0x05000000)

Whether the specified algorithm is an authenticated encryption with associated data (AEAD) algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an AEAD algorithm 0 otherwise

Definition at line 378 of file crypto_values.h.

◆ PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER

#define PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER ( alg ) (((alg) & 0x7f400000) == 0x05400000)

Whether the specified algorithm is an AEAD mode on a block cipher.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an AEAD algorithm which is an AEAD mode based on a block cipher 0 otherwise.

Definition at line 389 of file crypto_values.h.

◆ PSA_ALG_IS_ASYMMETRIC_ENCRYPTION

#define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION ( alg ) (((alg) & PSA_ALG_CATEGORY_MASK) == 0x07000000)

Whether the specified algorithm is an asymmetric encryption algorithm, also known as public-key encryption algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an asymmetric encryption algorithm, 0 otherwise.

Definition at line 401 of file crypto_values.h.

◆ PSA_ALG_IS_BLOCK_CIPHER_MAC

#define PSA_ALG_IS_BLOCK_CIPHER_MAC ( alg ) (((alg) & 0x7fc00000) == 0x03c00000)

Whether the specified algorithm is a MAC algorithm based on a block cipher.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a MAC algorithm based on a block cipher 0 otherwise

Definition at line 412 of file crypto_values.h.

◆ PSA_ALG_IS_CIPHER

#define PSA_ALG_IS_CIPHER ( alg ) (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)

Whether the specified algorithm is a symmetric cipher algorithm.

Parameters

alg	An algorithm identifier (value of type psa_algorithm_t).

Returns: 1 if alg is a symmetric cipher algorithm, 0 if algorithm is not recognized or not supported

Definition at line 366 of file crypto_values.h.

◆ PSA_ALG_IS_DETERMINISTIC_ECDSA

#define PSA_ALG_IS_DETERMINISTIC_ECDSA ( alg ) (((alg) & ~0x000000ff) == 0x06000700)

Whether the specified algorithm is deterministic ECDSA.

     See also @ref PSA_ALG_IS_ECDSA() and @ref PSA_ALG_IS_RANDOMIZED_ECDSA().

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a deterministic ECDSA algorithm 0 otherwise

Definition at line 425 of file crypto_values.h.

◆ PSA_ALG_IS_ECDH

#define PSA_ALG_IS_ECDH ( alg ) (((alg) & 0x7fff0000) == 0x09020000)

Whether the specified algorithm is an elliptic curve Diffie-Hellman algorithm.

This includes the raw elliptic curve Diffie-Hellman algorithm as well as elliptic curve Diffie-Hellman followed by any supporter key derivation algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an elliptic curve Diffie-Hellman algorithm 0 otherwise.

Definition at line 439 of file crypto_values.h.

◆ PSA_ALG_IS_ECDSA

#define PSA_ALG_IS_ECDSA ( alg ) (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)

Whether the specified algorithm is ECDSA.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an ECDSA algorithm 0 otherwise

Definition at line 464 of file crypto_values.h.

◆ PSA_ALG_IS_FFDH

#define PSA_ALG_IS_FFDH ( alg ) (((alg) & 0x7fff0000) == 0x09010000)

Whether the specified algorithm is a finite field Diffie-Hellman algorithm.

This includes the raw finite field Diffie-Hellman algorithm as well as finite-field Diffie-Hellman followed by any supported key derivation algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a finite field Diffie-Hellman algorithm 0 otherwise

Definition at line 453 of file crypto_values.h.

◆ PSA_ALG_IS_HASH

#define PSA_ALG_IS_HASH ( alg ) (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)

Whether the specified algorithm is a hash algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a hash algorithm 0 otherwise

Definition at line 475 of file crypto_values.h.

◆ PSA_ALG_IS_HASH_AND_SIGN

#define PSA_ALG_IS_HASH_AND_SIGN ( alg )

Value:

(PSA_ALG_IS_SIGN_HASH(alg) && \

((alg) & PSA_ALG_HASH_MASK) != 0)

PSA_ALG_IS_SIGN_HASH

#define PSA_ALG_IS_SIGN_HASH(alg)

Whether the specified algorithm is a signature algorithm that can be used with psa_sign_hash() and ps...

Definition crypto_values.h:748

Whether the specified algorithm is a hash-and-sign algorithm that signs exactly the hash value.

This macro identifies algorithms that can be used with psa_sign_hash() that use the exact message hash value as an input the signature operation. For example, if PSA_ALG_IS_HASH_AND_SIGN(alg) is true, the following call sequence is equivalent to psa_sign_message(key, alg, msg, msg_len, ...):

@ref psa_hash_operation_t op = {0};
uint8_t hash[@ref PSA_HASH_MAX_SIZE];
size_t hash_len;
@ref psa_hash_setup(&op, @ref PSA_ALG_GET_HASH(alg));
@ref psa_hash_update(&op, msg, msg_len);
@ref psa_hash_finish(&op, hash, sizeof(hash), &hash_len);
@ref psa_sign_hash(key, alg, hash, hash_len, ...);

This excludes hash-and-sign algorithms that require a encoded or modified hash for the signature step in the algorithm, such as PSA_ALG_RSA_PKCS1V15_SIGN_RAW. For such algorithms, PSA_ALG_IS_SIGN_HASH() is true but PSA_ALG_IS_HASH_AND_SIGN() is false.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a hash-and-sign algorithm that signs exactly the hash value 0 otherwise A wildcard signature algorithm policy, using PSA_ALG_ANY_HASH, returns the same value as the signature algorithm parameterised with a valid hash algorithm.

Definition at line 529 of file crypto_values.h.

◆ PSA_ALG_IS_HASH_EDDSA

#define PSA_ALG_IS_HASH_EDDSA ( alg ) (((alg) & ~0x000000ff) == 0x06000900)

Whether the specified algorithm is HashEdDSA.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a HashEdDSA algorithm 0 otherwise

Definition at line 494 of file crypto_values.h.

◆ PSA_ALG_IS_HKDF

#define PSA_ALG_IS_HKDF ( alg ) (((alg) & ~0x000000ff) == 0x08000100)

Whether the specified algorithm is an HKDF algorithm.

HKDF is a family of key derivation algorithms that are based on a hash function and the HMAC construction.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an HKDF algorithm 0 otherwise

Definition at line 544 of file crypto_values.h.

◆ PSA_ALG_IS_HMAC

#define PSA_ALG_IS_HMAC ( alg ) (((alg) & 0x7fc0ff00) == 0x03800000)

Whether the specified algorithm is an HMAC algorithm.

HMAC is a family of MAC algorithms that are based on a hash function.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an HMAC algorithm 0 otherwise

Definition at line 557 of file crypto_values.h.

◆ PSA_ALG_IS_KEY_AGREEMENT

#define PSA_ALG_IS_KEY_AGREEMENT ( alg ) (((alg) & 0x7f000000) == 0x09000000)

Whether the specified algorithm is a key agreement algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a key agreement algorithm 0 otherwise

Definition at line 568 of file crypto_values.h.

◆ PSA_ALG_IS_KEY_DERIVATION

#define PSA_ALG_IS_KEY_DERIVATION ( alg ) (((alg) & 0x7f000000) == 0x08000000)

Whether the specified algorithm is a key derivation algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a key derivation algorithm 0 otherwise

Definition at line 579 of file crypto_values.h.

◆ PSA_ALG_IS_KEY_DERIVATION_STRETCHING

#define PSA_ALG_IS_KEY_DERIVATION_STRETCHING ( alg ) (((alg) & 0x7f800000) == 0x08800000)

Whether the specified algorithm is a key-stretching or password-hashing algorithm.

A key-stretching or password-hashing algorithm is a key derivation algorithm that is suitable for use with a low-entropy secret such as a password. Equivalently, it’s a key derivation algorithm that uses a PSA_KEY_DERIVATION_INPUT_PASSWORD input step.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a key-stretching or password-hashing algorithm 0 otherwise

Definition at line 594 of file crypto_values.h.

◆ PSA_ALG_IS_MAC

#define PSA_ALG_IS_MAC ( alg ) (((alg) & 0x7f000000) == 0x03000000)

Whether the specified algorithm is a MAC algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a MAC algorithm 0 otherwise

Definition at line 605 of file crypto_values.h.

◆ PSA_ALG_IS_PBKDF2_HMAC

#define PSA_ALG_IS_PBKDF2_HMAC ( alg ) (((alg) & ~0x000000ff) == 0x08800100)

Whether the specified algorithm is a PBKDF2-HMAC algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a PBKDF2-HMAC algorithm 0 otherwise

Definition at line 616 of file crypto_values.h.

◆ PSA_ALG_IS_RANDOMIZED_ECDSA

#define PSA_ALG_IS_RANDOMIZED_ECDSA ( alg ) (((alg) & ~0x000000ff) == 0x06000600)

Whether the specified algorithm is randomized ECDSA.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is arandomized ECDSA algorithm 0 otherwise

Definition at line 629 of file crypto_values.h.

◆ PSA_ALG_IS_RAW_KEY_AGREEMENT

#define PSA_ALG_IS_RAW_KEY_AGREEMENT ( alg ) (((alg) & 0x7f00ffff) == 0x09000000)

Whether the specified algorithm is a raw key agreement algorithm.

A raw key agreement algorithm is one that does not specify a key derivation function. Usually, raw key agreement algorithms are constructed directly with a PSA_ALG_xxx macro while non-raw key agreement algorithms are constructed with PSA_ALG_KEY_AGREEMENT().

The raw key agreement algorithm can be extracted from a full key agreement algorithm identifier using PSA_ALG_KEY_AGREEMENT_GET_BASE().

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a raw key agreement algorithm 0 otherwise

Definition at line 648 of file crypto_values.h.

◆ PSA_ALG_IS_RSA_OAEP

#define PSA_ALG_IS_RSA_OAEP ( alg ) (((alg) & ~0x000000ff) == 0x07000300)

Whether the specified algorithm is an RSA OAEP encryption algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a RSA OAEP algorithm 0 otherwise

Definition at line 659 of file crypto_values.h.

◆ PSA_ALG_IS_RSA_PKCS1V15_SIGN

#define PSA_ALG_IS_RSA_PKCS1V15_SIGN ( alg ) (((alg) & ~0x000000ff) == 0x06000200)

Whether the specified algorithm is an RSA PKCS#1 v1.5 signature algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a RSA PKCS#1 v1.5 signature algorithm 0 otherwise

Definition at line 670 of file crypto_values.h.

◆ PSA_ALG_IS_RSA_PSS

#define PSA_ALG_IS_RSA_PSS ( alg ) (((alg) & ~0x000000ff) == 0x06000300)

Whether the specified algorithm is a RSA PSS signature algorithm.

This macro returns 1 for algorithms constructed using either PSA_ALG_RSA_PSS() or PSA_ALG_RSA_PSS_ANY_SALT().

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a RSA PSS signature algorithm 0 otherwise

Definition at line 684 of file crypto_values.h.

◆ PSA_ALG_IS_RSA_PSS_ANY_SALT

#define PSA_ALG_IS_RSA_PSS_ANY_SALT ( alg ) (((alg) & ~0x000000ff) == 0x06001300)

Whether the specified algorithm is an RSA PSS signature algorithm that permits any salt length.

An RSA PSS signature algorithm that permits any salt length is constructed using PSA_ALG_RSA_PSS_ANY_SALT().

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a RSA PSS signature algorithm that permits any salt length 0 otherwise

Definition at line 701 of file crypto_values.h.

◆ PSA_ALG_IS_RSA_PSS_STANDARD_SALT

#define PSA_ALG_IS_RSA_PSS_STANDARD_SALT ( alg ) (((alg) & ~0x000000ff) == 0x06000300)

Whether the specified algorithm is an RSA PSS signature algorithm that requires the standard salt length.

An RSA PSS signature algorithm that requires the standard salt length is constructed using PSA_ALG_RSA_PSS().

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an RSA PSS signature algorithm that requires the standard salt length 0 otherwise

Definition at line 718 of file crypto_values.h.

◆ PSA_ALG_IS_SIGN

#define PSA_ALG_IS_SIGN ( alg ) (((alg) & 0x7f000000) == 0x06000000)

Whether the specified algorithm is an asymmetric signature algorithm, also known as public-key signature algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is an asymmetric signature algorithm algorithm 0 otherwise

Definition at line 730 of file crypto_values.h.

◆ PSA_ALG_IS_SIGN_HASH

#define PSA_ALG_IS_SIGN_HASH ( alg )

Value:

(PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \

PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg))

PSA_ALG_IS_RSA_PKCS1V15_SIGN

#define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)

Whether the specified algorithm is an RSA PKCS#1 v1.5 signature algorithm.

Definition crypto_values.h:670

PSA_ALG_IS_HASH_EDDSA

#define PSA_ALG_IS_HASH_EDDSA(alg)

Whether the specified algorithm is HashEdDSA.

Definition crypto_values.h:494

PSA_ALG_IS_RSA_PSS

#define PSA_ALG_IS_RSA_PSS(alg)

Whether the specified algorithm is a RSA PSS signature algorithm.

Definition crypto_values.h:684

Whether the specified algorithm is a signature algorithm that can be used with psa_sign_hash() and psa_verify_hash().

This includes all algorithms such that PSA_ALG_IS_HASH_AND_SIGN() is true, as well as signature algorithms for which the input to psa_sign_hash() or psa_verify_hash() is not directly a hash, such as PSA_ALG_IS_RSA_PKCS1V15_SIGN.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a signature algorithm that can be used to sign a hash. 0 if alg is a signature algorithm that can only be used to sign a message. 0 if alg is not a signature algorithm

Definition at line 748 of file crypto_values.h.

◆ PSA_ALG_IS_SIGN_MESSAGE

#define PSA_ALG_IS_SIGN_MESSAGE ( alg ) (PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA)

Whether the specified algorithm is a signature algorithm that can be used with psa_sign_message() and psa_verify_message().

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a signature algorithm that can be used to sign a message. 0 if alg is a signature algorithm that can only be used to sign an already-calculated hash. 0 if alg is not a signature algorithm.

Definition at line 763 of file crypto_values.h.

◆ PSA_ALG_IS_STREAM_CIPHER

#define PSA_ALG_IS_STREAM_CIPHER ( alg ) (((alg) & 0x7f800000) == 0x04800000)

Whether the specified algorithm is a stream cipher.

A stream cipher is a symmetric cipher that encrypts or decrypts messages by applying a bitwise-xor with a stream of bytes that is generated from a key.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a stream cipher 0 otherwise

Definition at line 777 of file crypto_values.h.

◆ PSA_ALG_IS_TLS12_PRF

#define PSA_ALG_IS_TLS12_PRF ( alg ) (((alg) & ~0x000000ff) == 0x08000200)

Whether the specified algorithm is a TLS-1.2 PRF algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a TLS-1.2 PRF algorithm 0 otherwise

Definition at line 788 of file crypto_values.h.

◆ PSA_ALG_IS_TLS12_PSK_TO_MS

#define PSA_ALG_IS_TLS12_PSK_TO_MS ( alg ) (((alg) & ~0x000000ff) == 0x08000300)

Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a TLS-1.2 PSK to MS algorithm 0 otherwise

Definition at line 799 of file crypto_values.h.

◆ PSA_ALG_IS_WILDCARD

#define PSA_ALG_IS_WILDCARD ( alg ) (PSA_ALG_GET_HASH(alg) == PSA_ALG_HASH_ANY)

Whether the specified algorithm encoding is a wildcard.

Wildcard algorithm values can only be used to set the permitted algorithm field in a key policy, wildcard values cannot be used to perform an operation.

See PSA_ALG_ANY_HASH for example of how a wildcard algorithm can be used in a key policy.

Parameters

alg	An algorithm identifier: a value of type psa_algorithm_t.

Returns: 1 if alg is a wildcard algorithm encoding. 0 if alg is a non-wildcard algorithm encoding that is suitable for an operation.

Definition at line 816 of file crypto_values.h.

◆ PSA_ALG_KEY_AGREEMENT

#define PSA_ALG_KEY_AGREEMENT	(	ka_alg,
		kdf_alg
	)	((ka_alg) \| (kdf_alg))

Macro to build a combined algorithm that chains a key agreement with a key derivation.

A combined key agreement algorithm is used with a multi-part key derivation operation, using a call to psa_key_derivation_key_agreement().

The component parts of a key agreement algorithm can be extracted using PSA_ALG_KEY_AGREEMENT_GET_BASE() and PSA_ALG_KEY_AGREEMENT_GET_KDF().

Compatible key types The resulting combined key agreement algorithm is compatible with the same key types as the raw key agreement algorithm used to construct it.

Parameters

ka_alg	A key agreement algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_KEY_AGREEMENT(`ka_alg`) is true.
kdf_alg	A key derivation algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_KEY_DERIVATION(`kdf_alg`) is true.

Returns: The corresponding key agreement and derivation algorithm. Unspecified if ka_alg is not a supported key agreement algorithm or kdf_alg is not a supported key derivation algorithm.

Definition at line 841 of file crypto_values.h.

◆ PSA_ALG_KEY_AGREEMENT_GET_BASE

#define PSA_ALG_KEY_AGREEMENT_GET_BASE ( alg ) ((psa_algorithm_t)((alg) & 0xffff0000))

Get the raw key agreement algorithm from a full key agreement algorithm.

Parameters

alg	A key agreement algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_KEY_AGREEMENT(`alg`) is true.

Returns: The underlying raw key agreement algorithm if alg is a key agreement algorithm. Unspecified if alg is not a key agreement algorithm or if it is not supported by the implementation.

Definition at line 856 of file crypto_values.h.

◆ PSA_ALG_KEY_AGREEMENT_GET_KDF

#define PSA_ALG_KEY_AGREEMENT_GET_KDF ( alg ) ((psa_algorithm_t)((alg) & 0xfe00ffff))

Get the key derivation algorithm used in a full key agreement algorithm.

Parameters

alg	A key agreement algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_KEY_AGREEMENT(`alg`) is true.

Returns: The underlying key derivation algorithm if alg is a key agreement algorithm. Unspecified if alg is not a key agreement algorithm or if it is not supported by the implementation.

Definition at line 871 of file crypto_values.h.

◆ PSA_ALG_MD2

#define PSA_ALG_MD2 ((psa_algorithm_t)0x02000001)

The MD2 message-digest algorithm.

Warning: The MD2 hash is weak and deprecated and is only recommended for use in legacy protocols.

MD2 is defined in The MD2 Message-Digest Algorithm RFC1319.

Definition at line 895 of file crypto_values.h.

◆ PSA_ALG_MD4

#define PSA_ALG_MD4 ((psa_algorithm_t)0x02000002)

The MD4 message-digest algorithm.

Warning: The MD4 hash is weak and deprecated and is only recommended for use in legacy protocols.

MD4 is defined in The MD4 Message-Digest Algorithm RFC1320.

Definition at line 906 of file crypto_values.h.

◆ PSA_ALG_MD5

#define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)

The MD5 message-digest algorithm.

Warning: The MD5 hash is weak and deprecated and is only recommended for use in legacy protocols.

MD5 is defined in The MD5 Message-Digest Algorithm RFC1321.

Definition at line 917 of file crypto_values.h.

◆ PSA_ALG_NONE

#define PSA_ALG_NONE ((psa_algorithm_t)0)

An invalid algorithm identifier value.

Zero is not the encoding of any algorithm.

Definition at line 879 of file crypto_values.h.

◆ PSA_ALG_OFB

#define PSA_ALG_OFB ((psa_algorithm_t)0x04c01200)

A stream cipher built using the Output Feedback (OFB) mode of a block cipher.

The underlying block cipher is determined by the key type.

     OFB mode requires an initialization vector (IV) that is the same size as the cipher
     block length. OFB mode requires that the IV is a nonce, and must be unique for each use
     of the mode with the same key.

Note

The cipher block length can be determined using PSA_BLOCK_CIPHER_BLOCK_LENGTH().

     The OFB block cipher mode is defined in NIST Special Publication 800-38A:
     Recommendation for Block Cipher Modes of Operation: Methods and Techniques
     [SP800-38A](https://doi.org/10.6028/NIST.SP.800-38A).

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_AES
     - @ref PSA_KEY_TYPE_ARIA
     - @ref PSA_KEY_TYPE_DES
     - @ref PSA_KEY_TYPE_CAMELLIA
     - @ref PSA_KEY_TYPE_SM4

Definition at line 1300 of file crypto_values.h.

◆ PSA_ALG_PBKDF2_AES_CMAC_PRF_128

#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200)

The PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching algorithm.

PBKDF2 is specified by PKCS #5: Password-Based Cryptography Specification Version 2.1 RFC8018 §5.2. This algorithm specifies the PBKDF2 algorithm using the AES-CMAC-PRF-128 pseudo-random function specified by RFC4615.

This key derivation algorithm uses the same inputs as PSA_ALG_PBKDF2_HMAC() with the same constraints.

Compatible key types

PSA_KEY_TYPE_DERIVE (for password input)
PSA_KEY_TYPE_PASSWORD (for password input)
PSA_KEY_TYPE_PEPPER (for salt input)
PSA_KEY_TYPE_RAW_DATA (for salt input)
PSA_KEY_TYPE_PASSWORD_HASH (for key verification)

Definition at line 1477 of file crypto_values.h.

◆ PSA_ALG_PBKDF2_HMAC

#define PSA_ALG_PBKDF2_HMAC ( hash_alg ) ((psa_algorithm_t)(0x08800100 | ((hash_alg) & 0x000000ff)))

Macro to build a PBKDF2-HMAC password-hashing or key-stretching algorithm.

PBKDF2 is specified by PKCS #5: Password-Based Cryptography Specification Version 2.1 RFC8018 §5.2. This macro constructs a PBKDF2 algorithm that uses a pseudo-random function based on HMAC with the specified hash.

This key derivation algorithm uses the following inputs, which must be provided in the following order:

PSA_KEY_DERIVATION_INPUT_COST is the iteration count. This input step must be used exactly once.
PSA_KEY_DERIVATION_INPUT_SALT is the salt. This input step must be used one or more times; if used several times, the inputs will be concatenated. This can be used to build the final salt from multiple sources, both public and secret (also known as pepper).
PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed. This input step must be used exactly once.

Compatible key types

PSA_KEY_TYPE_DERIVE (for password input)
PSA_KEY_TYPE_PASSWORD (for password input)
PSA_KEY_TYPE_PEPPER (for salt input)
PSA_KEY_TYPE_RAW_DATA (for salt input)
PSA_KEY_TYPE_PASSWORD_HASH (for key verification)

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true.

Returns: The corresponding PBKDF2-HMAC-XXX algorithm. For example, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256) is the algorithm identifier for PBKDF2-HMAC-SHA-256. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 1513 of file crypto_values.h.

◆ PSA_ALG_PURE_EDDSA

#define PSA_ALG_PURE_EDDSA ((psa_algorithm_t)0x06000800)

Edwards-curve digital signature algorithm without prehashing (PureEdDSA), using standard parameters.

This algorithm can be only used with the psa_sign_message() and psa_verify_message() functions.

This is the PureEdDSA digital signature algorithm defined by Edwards-Curve Digital Signature Algorithm (EdDSA) RFC8032, using standard parameters.

PureEdDSA requires an elliptic curve key on a twisted Edwards curve. The following curves are supported:

Edwards25519: the Ed25519 algorithm is computed. The output signature is a 64-byte string: the concatenation of R and S as defined by RFC8032 §5.1.6.
Edwards448: the Ed448 algorithm is computed with an empty string as the context. The output signature is a 114-byte string: the concatenation of R and S as defined by RFC8032 §5.2.6.

Note: Contexts are not supported in the current version of this specification because there is no suitable signature interface that can take the context as a parameter. A future version of this specification may add suitable functions and extend this algorithm to support contexts.; To sign or verify the pre-computed hash of a message using EdDSA, the HashEdDSA algorithms (PSA_ALG_ED25519PH and PSA_ALG_ED448PH) can be used with psa_sign_hash() and psa_verify_hash(). The signature produced by HashEdDSA is distinct from that produced by PureEdDSA.

Compatible key types

PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS)
PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS) (signature verification only)

Definition at line 1580 of file crypto_values.h.

◆ PSA_ALG_RIPEMD160

#define PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x02000004)

The RIPEMD-160 message-digest algorithm.

RIPEMD-160 is defined in RIPEMD-160: A Strengthened Version of RIPEMD, and also in ISO/IEC 10118-3:2018 IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions ISO10118.

Definition at line 926 of file crypto_values.h.

◆ PSA_ALG_RSA_OAEP

#define PSA_ALG_RSA_OAEP ( hash_alg ) ((psa_algorithm_t)(0x07000300 | ((hash_alg) & 0x000000ff)))

The RSA OAEP asymmetric encryption algorithm.

This encryption scheme is defined by RFC8017 §7.1 under the name RSAES-OAEP, with the following options:

The mask generation function MGF1 defined in RFC8017 Appendix B.2.1.
The specified hash algorithm is used to hash the label, and for the mask generation function.

Compatible key types

PSA_KEY_TYPE_RSA_KEY_PAIR
PSA_KEY_TYPE_RSA_PUBLIC_KEY (asymmetric encryption only)

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true. The hash algorithm is used for MGF1.

Returns: The corresponding RSA OAEP encryption algorithm. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 1858 of file crypto_values.h.

◆ PSA_ALG_RSA_PKCS1V15_CRYPT

#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x07000200)

The RSA PKCS#1 v1.5 asymmetric encryption algorithm.

This encryption scheme is defined by PKCS #1: RSA Cryptography Specifications Version 2.2 RFC8017 §7.2 under the name RSAES-PKCS-v1_5.

Compatible key types

PSA_KEY_TYPE_RSA_KEY_PAIR
PSA_KEY_TYPE_RSA_PUBLIC_KEY (asymmetric encryption only)

Definition at line 1733 of file crypto_values.h.

◆ PSA_ALG_RSA_PKCS1V15_SIGN

#define PSA_ALG_RSA_PKCS1V15_SIGN ( hash_alg ) ((psa_algorithm_t)(0x06000200 | ((hash_alg) & 0x000000ff)))

The RSA PKCS#1 v1.5 message signature scheme, with hashing.

This algorithm can be used with both the message and hash signature functions.

     This signature scheme is defined by PKCS #1: RSA Cryptography Specifications Version 2.2
     [RFC8017](https://tools.ietf.org/html/rfc8017.html) §8.2 under the name
     RSASSA-PKCS1-v1_5.

     When used with @ref psa_sign_hash() or @ref psa_verify_hash(), the provided hash
     parameter is used as `H` from step 2 onwards in the message encoding algorithm
     EMSA-PKCS1-V1_5-ENCODE() in [RFC8017](https://tools.ietf.org/html/rfc8017.html) §9.2.
     `H` is usually the message digest, using the @c hash_alg hash algorithm.

     @b Compatible @b key @b types
     - @ref PSA_KEY_TYPE_RSA_KEY_PAIR
     - @ref PSA_KEY_TYPE_RSA_PUBLIC_KEY (signature verification only)

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true. This includes PSA_ALG_ANY_HASH when specifying the algorithm in a key policy.

Returns: The corresponding RSA PKCS#1 v1.5 signature algorithm. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 1886 of file crypto_values.h.

◆ PSA_ALG_RSA_PKCS1V15_SIGN_RAW

#define PSA_ALG_RSA_PKCS1V15_SIGN_RAW ((psa_algorithm_t)0x06000200)

The raw RSA PKCS#1 v1.5 signature algorithm, without hashing.

This algorithm can be only used with the psa_sign_hash() and psa_verify_hash() functions. This signature scheme is defined by PKCS #1: RSA Cryptography Specifications Version 2.2 RFC8017 §8.2 under the name RSASSA-PKCS1-v1_5.

The hash parameter to psa_sign_hash() or psa_verify_hash() is used as T from step 3 onwards in the message encoding algorithm EMSA-PKCS1-V1_5-ENCODE() in RFC8017 §9.2.0 T is the DER encoding of the DigestInfo structure normally produced by step 2 in the message encoding algorithm.

The wildcard key policy PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) also permits a key to be used with the PSA_ALG_RSA_PKCS1V15_SIGN_RAW signature algorithm.

Compatible key types

PSA_KEY_TYPE_RSA_KEY_PAIR
PSA_KEY_TYPE_RSA_PUBLIC_KEY (signature verification only)

Definition at line 1538 of file crypto_values.h.

◆ PSA_ALG_RSA_PSS

#define PSA_ALG_RSA_PSS ( hash_alg ) ((psa_algorithm_t)(0x06000300 | ((hash_alg) & 0x000000ff)))

The RSA PSS message signature scheme, with hashing.

This algorithm can be used with both the message and hash signature functions.

     This algorithm is randomized: each invocation returns a different, equally valid
     signature.

     This is the signature scheme defined by
     [RFC8017](https://tools.ietf.org/html/rfc8017.html) §8.1 under the name RSASSA-PSS,
     with the following options:
     -   The mask generation function is MGF1 defined by
         [RFC8017](https://tools.ietf.org/html/rfc8017.html) Appendix B.
     -   When creating a signature, the salt length is equal to the length of the hash, or
         the largest possible salt length for the algorithm and key size if that is smaller
         than the hash length.
     -   When verifying a signature, the salt length must be equal to the length of the
         hash, or the largest possible salt length for the algorithm and key size if that is
         smaller than the hash length.
     -   The specified hash algorithm is used to hash the input message, to create the
         salted hash, and for the mask generation.

Note: The PSA_ALG_RSA_PSS_ANY_SALT() algorithm is equivalent to PSA_ALG_RSA_PSS() when creating a signature, but permits any salt length when verifying a signature.

Compatible key types

PSA_KEY_TYPE_RSA_KEY_PAIR
PSA_KEY_TYPE_RSA_PUBLIC_KEY (signature verification only)

Definition at line 1918 of file crypto_values.h.

◆ PSA_ALG_RSA_PSS_ANY_SALT

#define PSA_ALG_RSA_PSS_ANY_SALT ( hash_alg ) ((psa_algorithm_t)(0x06001300 | ((hash_alg) & 0x000000ff)))

The RSA PSS message signature scheme, with hashing.

This variant permits any salt length for signature verification.

This algorithm can be used with both the message and hash signature functions.

     This algorithm is randomized: each invocation returns a different, equally valid
     signature.

     This is the signature scheme defined by
     [RFC8017](https://tools.ietf.org/html/rfc8017.html) §8.1 under the name RSASSA-PSS,
     with the following options:
     -   The mask generation function is MGF1 defined by
         [RFC8017](https://tools.ietf.org/html/rfc8017.html) Appendix B.
     -   When creating a signature, the salt length is equal to the length of the hash, or
         the largest possible salt length for the algorithm and key size if that is smaller
         than the hash length.
     -   When verifying a signature, any salt length permitted by the RSASSA-PSS signature
         algorithm is accepted.
     -   The specified hash algorithm is used to hash the input message, to create the
         salted hash, and for the mask generation.

Note: The PSA_ALG_RSA_PSS() algorithm is equivalent to PSA_ALG_RSA_PSS_ANY_SALT() when creating a signature, but is strict about the permitted salt length when verifying a signature.

Compatible key types

PSA_KEY_TYPE_RSA_KEY_PAIR
PSA_KEY_TYPE_RSA_PUBLIC_KEY (signature verification only)

Definition at line 1951 of file crypto_values.h.

◆ PSA_ALG_SHA3_224

#define PSA_ALG_SHA3_224 ((psa_algorithm_t)0x02000010) /** SHA-3-224 */

The SHA3-224 message-digest algorithm.

SHA3-224 is defined in FIPS Publication 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions FIPS202.

Definition at line 993 of file crypto_values.h.

◆ PSA_ALG_SHA3_256

#define PSA_ALG_SHA3_256 ((psa_algorithm_t)0x02000011) /** SHA-3-256 */

The SHA3-256 message-digest algorithm.

SHA3-256 is defined in FIPS202.

Definition at line 1000 of file crypto_values.h.

◆ PSA_ALG_SHA3_384

#define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012) /** SHA-3-384 */

The SHA3-384 message-digest algorithm.

SHA3-384 is defined in FIPS202.

Definition at line 1007 of file crypto_values.h.

◆ PSA_ALG_SHA3_512

#define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013) /** SHA-3-512 */

The SHA3-512 message-digest algorithm.

SHA3-512 is defined in FIPS202.

Definition at line 1014 of file crypto_values.h.

◆ PSA_ALG_SHA_1

#define PSA_ALG_SHA_1 ((psa_algorithm_t)0x02000005)

The SHA-1 message-digest algorithm.

Warning: The SHA-1 hash is weak and deprecated and is only recommended for use in legacy protocols.

SHA-1 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 937 of file crypto_values.h.

◆ PSA_ALG_SHA_224

#define PSA_ALG_SHA_224 ((psa_algorithm_t)0x02000008) /** SHA-224 */

The SHA-224 message-digest algorithm.

SHA-224 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 945 of file crypto_values.h.

◆ PSA_ALG_SHA_256

#define PSA_ALG_SHA_256 ((psa_algorithm_t)0x02000009) /** SHA-256 */

The SHA-256 message-digest algorithm.

SHA-256 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 953 of file crypto_values.h.

◆ PSA_ALG_SHA_384

#define PSA_ALG_SHA_384 ((psa_algorithm_t)0x0200000a) /** SHA-384 */

The SHA-384 message-digest algorithm.

SHA-384 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 961 of file crypto_values.h.

◆ PSA_ALG_SHA_512

#define PSA_ALG_SHA_512 ((psa_algorithm_t)0x0200000b) /** SHA-512 */

The SHA-512 message-digest algorithm.

SHA-512 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 969 of file crypto_values.h.

◆ PSA_ALG_SHA_512_224

#define PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0200000c) /** SHA-512/224 */

The SHA-512/224 message-digest algorithm.

SHA-512-224 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 977 of file crypto_values.h.

◆ PSA_ALG_SHA_512_256

#define PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0200000d) /** SHA-512/256 */

The SHA-512/256 message-digest algorithm.

SHA-512-256 is defined in FIPS Publication 180-4: Secure Hash Standard (SHS) FIPS180-4.

Definition at line 985 of file crypto_values.h.

◆ PSA_ALG_SHAKE256_512

#define PSA_ALG_SHAKE256_512 ((psa_algorithm_t)0x02000015)

The first 512 bits (64 bytes) of the SHAKE256 output.

This is the prehashing for Ed448ph (see PSA_ALG_ED448PH).

     SHAKE256 is defined in [FIPS202](https://doi.org/10.6028/NIST.FIPS.202).

Note: For other scenarios where a hash function based on SHA3 or SHAKE is required, SHA3-512 is recommended. SHA3-512 has the same output size, and a theoretically higher security strength.

Definition at line 1039 of file crypto_values.h.

◆ PSA_ALG_SM3

#define PSA_ALG_SM3 ((psa_algorithm_t)0x02000014) /** SM3 */

The SM3 message-digest algorithm.

SM3 is defined in ISO/IEC 10118-3:2018 IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions ISO10118, and also in GM/T 0004-2012: SM3 cryptographic hash algorithm CSTC0004 (English version CSTC0004/E).

Definition at line 1026 of file crypto_values.h.

◆ PSA_ALG_STREAM_CIPHER

#define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t)0x04800100)

The stream cipher mode of a stream cipher algorithm.

The underlying stream cipher is determined by the key type. The ARC4 and ChaCha20 ciphers use this algorithm identifier.

ARC4 To use ARC4, use a key type of PSA_KEY_TYPE_ARC4 and algorithm id PSA_ALG_STREAM_CIPHER.

Warning: The ARC4 cipher is weak and deprecated and is only recommended for use in legacy protocols.

The ARC4 cipher does not use an initialization vector (IV). When using a multi-part cipher operation with the PSA_ALG_STREAM_CIPHER algorithm and an ARC4 key, psa_cipher_generate_iv() and psa_cipher_set_iv() must not be called.

ChaCha20 To use ChaCha20, use a key type of PSA_KEY_TYPE_CHACHA20 and algorithm id PSA_ALG_STREAM_CIPHER.

Implementations must support the variant that is defined in ChaCha20 and Poly1305 for IETF Protocols RFC7539 §2.4, which has a 96-bit nonce and a 32-bit counter. Implementations can optionally also support the original variant, as defined in ChaCha, a variant of Salsa20 CHACHA20, which has a 64-bit nonce and a 64-bit counter. Except where noted, the RFC7539 variant must be used.

ChaCha20 defines a nonce and an initial counter to be provided to the encryption and decryption operations. When using a ChaCha20 key with the PSA_ALG_STREAM_CIPHER algorithm, these values are provided using the initialization vector (IV) functions in the following ways:

A call to psa_cipher_encrypt() will generate a random 12-byte nonce, and set the counter value to zero. The random nonce is output as a 12-byte IV value in the output.
A call to psa_cipher_decrypt() will use first 12 bytes of the input buffer as the nonce and set the counter value to zero.
A call to psa_cipher_generate_iv() on a multi-part cipher operation will generate and return a random 12-byte nonce and set the counter value to zero.
A call to psa_cipher_set_iv() on a multi-part cipher operation can support the following IV sizes:
- 12 bytes: the provided IV is used as the nonce, and the counter value is set to zero.
  - 16 bytes: the first four bytes of the IV are used as the counter value (encoded as little-endian), and the remaining 12 bytes is used as the nonce.
  - 8 bytes: the cipher operation uses the original CHACHA20 definition of ChaCha20: the provided IV is used as the 64-bit nonce, and the 64-bit counter value is set to zero.
  - It is recommended that implementations do not support other sizes of IV.

Compatible key types

Definition at line 1358 of file crypto_values.h.

◆ PSA_ALG_TLS12_PRF

#define PSA_ALG_TLS12_PRF ( hash_alg ) ((psa_algorithm_t)(0x08000200 | ((hash_alg) & 0x000000ff)))

Macro to build a TLS-1.2 PRF algorithm.

TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule, specified in The Transport Layer Security (TLS) Protocol Version 1.2 RFC5246 §5. It is based on HMAC and can be used with either SHA-256 or SHA-384.

This key derivation algorithm uses the following inputs, which must be passed in the order given here:

PSA_KEY_DERIVATION_INPUT_SEED is the seed.
PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
PSA_KEY_DERIVATION_INPUT_LABEL is the label.

Each input may only be passed once.

For the application to TLS-1.2 key expansion:

The seed is the concatenation of ServerHello.Random + ClientHello.Random.
The label is key expansion.

Compatible key types

PSA_KEY_TYPE_DERIVE (for the secret key)
PSA_KEY_TYPE_RAW_DATA (for the other inputs)

Parameters

hash_alg A hash algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_HASH(hash_alg) is true.

Returns: The corresponding TLS-1.2 PRF algorithm. For example, PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256) represents the TLS 1.2 PRF using HMAC-SHA-256. Unspecified if hash_alg is not a supported hash algorithm.

Definition at line 1986 of file crypto_values.h.

◆ PSA_ALG_TLS12_PSK_TO_MS

#define PSA_ALG_TLS12_PSK_TO_MS ( hash_alg ) ((psa_algorithm_t)(0x08000300 | ((hash_alg) & 0x000000ff)))

Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.

In a pure-PSK handshake in TLS 1.2, the master secret (MS) is derived from the pre-shared key (PSK) through the application of padding (Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) RFC4279 §2) and the TLS-1.2 PRF (The Transport Layer Security (TLS) Protocol Version 1.2 RFC5246 §5). The latter is based on HMAC and can be used with either SHA-256 or SHA-384.

This key derivation algorithm uses the following inputs, which must be passed in the order given here:

PSA_KEY_DERIVATION_INPUT_SEED is the seed.
PSA_KEY_DERIVATION_INPUT_SECRET is the PSK. The PSK must not be larger than PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.
PSA_KEY_DERIVATION_INPUT_LABEL is the label.

Each input may only be passed once.

For the application to TLS-1.2:

The seed, which is forwarded to the TLS-1.2 PRF, is the concatenation of the ClientHello.Random + ServerHello.Random.
The label is "master secret" or "extended master secret".

Compatible key types

PSA_KEY_TYPE_DERIVE (for the PSK)
PSA_KEY_TYPE_RAW_DATA (for the other inputs)

Definition at line 2017 of file crypto_values.h.

◆ PSA_ALG_TRUNCATED_MAC

#define PSA_ALG_TRUNCATED_MAC	(	mac_alg,
		mac_length
	)	((psa_algorithm_t)(((mac_alg) & ~0x003f0000) \| (((mac_length) & 0x3f) << 16)))

Macro to build a truncated MAC algorithm.

A truncated MAC algorithm is identical to the corresponding MAC algorithm except that the MAC value for the truncated algorithm consists of only the first mac_length bytes of the MAC value for the untruncated algorithm.

Note: This macro might allow constructing algorithm identifiers that are not valid, either because the specified length is larger than the untruncated MAC or because the specified length is smaller than permitted by the implementation.; It is implementation-defined whether a truncated MAC that is truncated to the same length as the MAC of the untruncated algorithm is considered identical to the untruncated algorithm for policy comparison purposes.

The untruncated MAC algorithm can be recovered using PSA_ALG_FULL_LENGTH_MAC().

Compatible key types The resulting truncated MAC algorithm is compatible with the same key types as the MAC algorithm used to construct it.

Parameters

mac_alg	A MAC algorithm: a value of type psa_algorithm_t such that PSA_ALG_IS_MAC(`mac_alg`) is true. This can be a truncated or untruncated MAC algorithm.
mac_length	Desired length of the truncated MAC in bytes. This must be at most the untruncated length of the MAC and must be at least an implementation-specified minimum. The implementation-specified minimum must not be zero.

Returns: The corresponding MAC algorithm with the specified length. Unspecified if mac_alg is not a supported MAC algorithm or if mac_length is too small or too large for the specified MAC algorithm.

Definition at line 2053 of file crypto_values.h.

◆ PSA_ALG_XTS

#define PSA_ALG_XTS ((psa_algorithm_t)0x0440ff00)

The XEX with Ciphertext Stealing (XTS) cipher mode of a block cipher.

XTS is a cipher mode which is built from a block cipher, designed for use in disk encryption. It requires at least one full cipher block length of input, but beyond this minimum the input does not need to be a whole number of blocks.

XTS mode uses two keys for the underlying block cipher. These are provided by using a key that is twice the normal key size for the cipher. For example, to use AES-256-XTS the application must create a key with type PSA_KEY_TYPE_AES and bit size 512.

XTS mode requires an initialization vector (IV) that is the same size as the cipher block length. The IV for XTS is typically defined to be the sector number of the disk block being encrypted or decrypted.

The XTS block cipher mode is defined in 1619-2018 — IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices IEEE-XTS.

Compatible key types

Definition at line 1192 of file crypto_values.h.

◆ PSA_DH_FAMILY_RFC7919

#define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t)0x03)

Finite-field Diffie-Hellman groups defined for TLS in RFC 7919.

This family includes groups with the following key sizes (in bits): 2048, 3072, 4096, 6144, 8192. An implementation can support all of these sizes or only a subset.

Keys is this group can only be used with the PSA_ALG_FFDH key agreement algorithm.

These groups are defined by Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) RFC7919 Appendix A.

Definition at line 2068 of file crypto_values.h.

◆ PSA_ECC_FAMILY_BRAINPOOL_P_R1

#define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t)0x30)

Brainpool P random curves.

This family comprises the following curves:

brainpoolP160r1 : key_bits = 160 (Deprecated)
brainpoolP192r1 : key_bits = 192
brainpoolP224r1 : key_bits = 224
brainpoolP256r1 : key_bits = 256
brainpoolP320r1 : key_bits = 320
brainpoolP384r1 : key_bits = 384
brainpoolP512r1 : key_bits = 512

They are defined in Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation RFC5639.

Warning: The 160-bit curve brainpoolP160r1 is weak and deprecated and is only recommended for use in legacy protocols.

Compatible algorithms

Definition at line 2094 of file crypto_values.h.

◆ PSA_ECC_FAMILY_FRP

#define PSA_ECC_FAMILY_FRP ((psa_ecc_family_t)0x33)

Curve used primarily in France and elsewhere in Europe.

This family comprises one 256-bit curve:

FRP256v1 : key_bits = 256

This is defined by Publication d'un paramétrage de courbe elliptique visant des applications de passeport électronique et de l'administration électronique française FRP.

Compatible algorithms

Definition at line 2113 of file crypto_values.h.

◆ PSA_ECC_FAMILY_MONTGOMERY

#define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t)0x41)

Montgomery curves.

This family comprises the following Montgomery curves:

Curve25519 : key_bits = 255
Curve448 : key_bits = 448

Curve25519 is defined in Curve25519: new Diffie-Hellman speed records Curve25519. Curve448 is defined in Ed448-Goldilocks, a new elliptic curve Curve448.

Compatible algorithms

PSA_ALG_ECDH (key pair only)

Definition at line 2130 of file crypto_values.h.

◆ PSA_ECC_FAMILY_SECP_K1

#define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t)0x17)

SEC Koblitz curves over prime fields.

This family comprises the following curves:

secp192k1 : key_bits = 192
secp224k1 : key_bits = 225
secp256k1 : key_bits = 256

They are defined in SEC 2: Recommended Elliptic Curve Domain Parameters SEC2.

Compatible algorithms

Definition at line 2149 of file crypto_values.h.

◆ PSA_ECC_FAMILY_SECP_R1

#define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t)0x12)

SEC random curves over prime fields.

This family comprises the following curves:

secp192r1 : key_bits = 192
secp224r1 : key_bits = 224
secp256r1 : key_bits = 256
secp384r1 : key_bits = 384
secp521r1 : key_bits = 521

They are defined in SEC2.

Compatible algorithms

Definition at line 2169 of file crypto_values.h.

◆ PSA_ECC_FAMILY_SECP_R2

#define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t)0x1b)

Warning: This family of curves is weak and deprecated.

This family comprises the following curves:

secp160r2 : key_bits = 160 (Deprecated)

It is defined in the superseded SEC 2: Recommended Elliptic Curve Domain Parameters, Version 1.0 SEC2v1.

Compatible algorithms

Definition at line 2186 of file crypto_values.h.

◆ PSA_ECC_FAMILY_SECT_K1

#define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t)0x27)

SEC Koblitz curves over binary fields.

This family comprises the following curves:

sect163k1 : key_bits = 163 (Deprecated)
sect233k1 : key_bits = 233
sect239k1 : key_bits = 239
sect283k1 : key_bits = 283
sect409k1 : key_bits = 409
sect571k1 : key_bits = 571

They are defined in SEC2.

Warning: The 163-bit curve sect163k1 is weak and deprecated and is only recommended for use in legacy protocols.

Compatible algorithms

Definition at line 2210 of file crypto_values.h.

◆ PSA_ECC_FAMILY_SECT_R1

#define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t)0x22)

SEC random curves over binary fields.

This family comprises the following curves:

sect163r1 : key_bits = 163 (Deprecated)
sect233r1 : key_bits = 233
sect283r1 : key_bits = 283
sect409r1 : key_bits = 409
sect571r1 : key_bits = 571

They are defined in SEC2.

Warning: The 163-bit curve sect163r1 is weak and deprecated and is only recommended for use in legacy protocols.

Compatible algorithms

Definition at line 2233 of file crypto_values.h.

◆ PSA_ECC_FAMILY_SECT_R2

#define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t)0x2b)

SEC additional random curves over binary fields.

This family comprises the following curves:

sect163r2 : key_bits = 163 (Deprecated)

It is defined in SEC2.

Warning: The 163-bit curve sect163r2 is weak and deprecated and is only recommended for use in legacy protocols.

Compatible algorithms

Definition at line 2252 of file crypto_values.h.

◆ PSA_ECC_FAMILY_TWISTED_EDWARDS

#define PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t)0x42)

Twisted Edwards curves.

This family comprises the following twisted Edwards curves:

Edwards25519 : key_bits = 255. This curve is birationally equivalent to Curve25519.
Edwards448 : key_bits = 448. This curve is birationally equivalent to Curve448.

Edwards25519 is defined in Twisted Edwards curves Ed25519. Edwards448 is defined in Ed448-Goldilocks, a new elliptic curve Curve448.

Compatible algorithms

PSA_ALG_PURE_EDDSA
PSA_ALG_ED25519PH (Edwards25519 only)
PSA_ALG_ED448PH (Edwards448 only)

Definition at line 2271 of file crypto_values.h.

◆ PSA_ERROR_ALREADY_EXISTS

#define PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139)

Asking for an item that already exists.

Definition at line 3385 of file crypto_values.h.

◆ PSA_ERROR_BAD_STATE

#define PSA_ERROR_BAD_STATE ((psa_status_t)-137)

The requested action cannot be performed in the current state.

Definition at line 3395 of file crypto_values.h.

◆ PSA_ERROR_BUFFER_TOO_SMALL

#define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)

An output buffer is too small.

Definition at line 3380 of file crypto_values.h.

◆ PSA_ERROR_COMMUNICATION_FAILURE

#define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)

There was a communication failure inside the implementation.

Definition at line 3415 of file crypto_values.h.

◆ PSA_ERROR_CORRUPTION_DETECTED

#define PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151)

A tampering attempt was detected.

Definition at line 3440 of file crypto_values.h.

◆ PSA_ERROR_DATA_CORRUPT

#define PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152)

Stored data has been corrupted.

Definition at line 3425 of file crypto_values.h.

◆ PSA_ERROR_DATA_INVALID

#define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)

Data read from storage is not valid for the implementation.

Definition at line 3430 of file crypto_values.h.

◆ PSA_ERROR_DOES_NOT_EXIST

#define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140)

Asking for an item that doesn’t exist.

Definition at line 3390 of file crypto_values.h.

◆ PSA_ERROR_GENERIC_ERROR

#define PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132)

An error occurred that does not correspond to any defined failure cause.

Definition at line 3365 of file crypto_values.h.

◆ PSA_ERROR_HARDWARE_FAILURE

#define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147)

A hardware failure was detected.

Definition at line 3435 of file crypto_values.h.

◆ PSA_ERROR_INSUFFICIENT_DATA

#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)

Return this error when there’s insufficient data when attempting to read from a resource.

Definition at line 3462 of file crypto_values.h.

◆ PSA_ERROR_INSUFFICIENT_ENTROPY

#define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)

There is not enough entropy to generate random data needed for the requested action.

Definition at line 3446 of file crypto_values.h.

◆ PSA_ERROR_INSUFFICIENT_MEMORY

#define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)

There is not enough runtime memory.

Definition at line 3405 of file crypto_values.h.

◆ PSA_ERROR_INSUFFICIENT_STORAGE

#define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142)

There is not enough persistent storage.

Definition at line 3410 of file crypto_values.h.

◆ PSA_ERROR_INVALID_ARGUMENT

#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)

The parameters passed to the function are invalid.

Definition at line 3400 of file crypto_values.h.

◆ PSA_ERROR_INVALID_HANDLE

#define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)

The key identifier is not valid.

Definition at line 3467 of file crypto_values.h.

◆ PSA_ERROR_INVALID_PADDING

#define PSA_ERROR_INVALID_PADDING ((psa_status_t)-150)

The decrypted padding is incorrect.

Definition at line 3456 of file crypto_values.h.

◆ PSA_ERROR_INVALID_SIGNATURE

#define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149)

The signature, MAC or hash is incorrect.

Definition at line 3451 of file crypto_values.h.

◆ PSA_ERROR_NOT_PERMITTED

#define PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133)

The requested action is denied by a policy.

Definition at line 3375 of file crypto_values.h.

◆ PSA_ERROR_NOT_SUPPORTED

#define PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134)

The requested operation or a parameter is not supported by this implementation.

Definition at line 3370 of file crypto_values.h.

◆ PSA_ERROR_STORAGE_FAILURE

#define PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146)

There was a storage failure that might have led to data loss.

Definition at line 3420 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_CONTEXT

#define PSA_KEY_DERIVATION_INPUT_CONTEXT /* implementation-defined value */

A context for key derivation.

This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA.

Definition at line 2279 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_COST

#define PSA_KEY_DERIVATION_INPUT_COST /* implementation-defined value */

A cost parameter for password hashing or key stretching.

This must be a direct input, passed to psa_key_derivation_input_integer().

Definition at line 2286 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_INFO

#define PSA_KEY_DERIVATION_INPUT_INFO /* implementation-defined value */

An information string for key derivation.

This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA.

Definition at line 2294 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_LABEL

#define PSA_KEY_DERIVATION_INPUT_LABEL /* implementation-defined value */

A label for key derivation.

This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA.

Definition at line 2302 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_PASSWORD

#define PSA_KEY_DERIVATION_INPUT_PASSWORD /* implementation-defined value */

A low-entropy secret input for password hashing or key stretching.

This is usually a key of type PSA_KEY_TYPE_PASSWORD passed to psa_key_derivation_input_key() or a direct input passed to psa_key_derivation_input_bytes() that is a password or passphrase. It can also be high-entropy secret, for example, a key of type PSA_KEY_TYPE_DERIVE, or the shared secret resulting from a key agreement.

If the secret is a direct input, the derivation operation cannot be used to derive keys: the operation will not allow a call to psa_key_derivation_output_key().

Definition at line 2316 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_SALT

#define PSA_KEY_DERIVATION_INPUT_SALT /* implementation-defined value */

A salt for key derivation.

This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA or PSA_KEY_TYPE_PEPPER.

Definition at line 2324 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_SECRET

#define PSA_KEY_DERIVATION_INPUT_SECRET /* implementation-defined value */

A high-entropy secret input for key derivation.

This is typically a key of type PSA_KEY_TYPE_DERIVE passed to psa_key_derivation_input_key(), or the shared secret resulting from a key agreement obtained via psa_key_derivation_key_agreement().

The secret can also be a direct input passed to psa_key_derivation_input_bytes(). In this case, the derivation operation cannot be used to derive keys: the operation will not allow a call to psa_key_derivation_output_key().

Definition at line 2337 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_INPUT_SEED

#define PSA_KEY_DERIVATION_INPUT_SEED /* implementation-defined value */

A seed for key derivation.

This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA.

Definition at line 2345 of file crypto_values.h.

◆ PSA_KEY_DERIVATION_UNLIMITED_CAPACITY

#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY /* implementation-defined value */

Use the maximum possible capacity for a key derivation operation.

Use this value as the capacity argument when setting up a key derivation to specify that the operation will use the maximum possible capacity. The value of the maximum possible capacity depends on the key derivation algorithm.

Definition at line 2354 of file crypto_values.h.

◆ PSA_KEY_ID_NULL

#define PSA_KEY_ID_NULL ((psa_key_id_t)0)

The null key identifier.

The null key identifier is always invalid, except when used without in a call to psa_destroy_key() which will return PSA_SUCCESS.

Definition at line 2363 of file crypto_values.h.

◆ PSA_KEY_ID_USER_MAX

#define PSA_KEY_ID_USER_MAX ((psa_key_id_t)0x3fffffff)

The maximum value for a key identifier chosen by the application.

Definition at line 2368 of file crypto_values.h.

◆ PSA_KEY_ID_USER_MIN

#define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)

The minimum value for a key identifier chosen by the application.

Definition at line 2373 of file crypto_values.h.

◆ PSA_KEY_ID_VENDOR_MAX

#define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff)

The maximum value for a key identifier chosen by the implementation.

Definition at line 2378 of file crypto_values.h.

◆ PSA_KEY_ID_VENDOR_MIN

#define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t)0x40000000)

The minimum value for a key identifier chosen by the implementation.

Definition at line 2383 of file crypto_values.h.

◆ PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION

#define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION	(	persistence,
		location
	)	((location) << 8 \| (persistence))

Construct a lifetime from a persistence level and a location.

Parameters

persistence	The persistence level: a value of type psa_key_persistence_t.
location	The location indicator: a value of type psa_key_location_t.

Returns: The constructed lifetime value.

Definition at line 2393 of file crypto_values.h.

◆ PSA_KEY_LIFETIME_GET_LOCATION

#define PSA_KEY_LIFETIME_GET_LOCATION ( lifetime ) ((psa_key_location_t)((lifetime) >> 8))

Extract the location indicator from a key lifetime.

Parameters

lifetime The lifetime value to query: a value of type psa_key_lifetime_t.

Definition at line 2401 of file crypto_values.h.

◆ PSA_KEY_LIFETIME_GET_PERSISTENCE

#define PSA_KEY_LIFETIME_GET_PERSISTENCE ( lifetime ) ((psa_key_persistence_t)((lifetime) & 0x000000ff))

Extract the persistence level from a key lifetime.

Parameters

lifetime The lifetime value to query: a value of type psa_key_lifetime_t.

Definition at line 2409 of file crypto_values.h.

◆ PSA_KEY_LIFETIME_IS_VOLATILE

#define PSA_KEY_LIFETIME_IS_VOLATILE ( lifetime ) (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == PSA_KEY_PERSISTENCE_VOLATILE)

Whether a key lifetime indicates that the key is volatile.

     A volatile key is automatically destroyed by the implementation when the application
     instance terminates. In particular, a volatile key is automatically destroyed on a
     power reset of the device.

     A key that is not volatile is persistent. Persistent keys are preserved until the
     application explicitly destroys them or until an implementation-specific device
     management event occurs, for example, a factory reset.

Parameters

lifetime The lifetime value to query: a value of type psa_key_lifetime_t.

Returns: 1 if the key is volatile, otherwise 0.

Definition at line 2427 of file crypto_values.h.

◆ PSA_KEY_LIFETIME_PERSISTENT

#define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001)

The default lifetime for persistent keys.

A persistent key remains in storage until it is explicitly destroyed or until the corresponding storage area is wiped. This specification does not define any mechanism to wipe a storage area. Implementations are permitted to provide their own mechanism, for example, to perform a factory reset, to prepare for device refurbishment, or to uninstall an application.

This lifetime value is the default storage area for the calling application. Implementations can offer other storage areas designated by other lifetime values as implementation-specific extensions.

Definition at line 2443 of file crypto_values.h.

◆ PSA_KEY_LIFETIME_VOLATILE

#define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000)

The default lifetime for volatile keys.

A volatile key only exists as long as its identifier is not destroyed. The key material is guaranteed to be erased on a power reset.

A key with this lifetime is typically stored in the RAM area of the PSA Crypto subsystem. However this is an implementation choice. If an implementation stores data about the key in a non-volatile memory, it must release all the resources associated with the key and erase the key material if the calling application terminates.

Definition at line 2456 of file crypto_values.h.

◆ PSA_KEY_LOCATION_LOCAL_STORAGE

#define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t)0x000000)

The local storage area for persistent keys.

This storage area is available on all systems that can store persistent keys without delegating the storage to a third-party cryptoprocessor.

See psa_key_location_t for more information.

Definition at line 2466 of file crypto_values.h.

◆ PSA_KEY_LOCATION_PRIMARY_SECURE_ELEMENT

#define PSA_KEY_LOCATION_PRIMARY_SECURE_ELEMENT ((psa_key_location_t)0x000001)

The default secure element storage area for persistent keys.

This storage location is available on systems that have one or more secure elements that are able to store keys.

Vendor-defined locations must be provided by the system for storing keys in additional secure elements.

See psa_key_location_t for more information.

Definition at line 2479 of file crypto_values.h.

◆ PSA_KEY_LOCATION_SE_MAX

#define PSA_KEY_LOCATION_SE_MAX ((psa_key_location_t)0x8000ff)

Maximum location value for secure elements.

Definition at line 2494 of file crypto_values.h.

◆ PSA_KEY_LOCATION_SE_MIN

#define PSA_KEY_LOCATION_SE_MIN (PSA_KEY_LOCATION_VENDOR_FLAG)

Minimum location value for secure elements.

Definition at line 2489 of file crypto_values.h.

◆ PSA_KEY_LOCATION_VENDOR_FLAG

#define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)

Mark vendor defined key locations.

Definition at line 2484 of file crypto_values.h.

◆ PSA_KEY_PERSISTENCE_DEFAULT

#define PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t)0x01)

The default persistence level for persistent keys.

See psa_key_persistence_t for more information.

Definition at line 2501 of file crypto_values.h.

◆ PSA_KEY_PERSISTENCE_READ_ONLY

#define PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t)0xff)

A persistence level indicating that a key is never destroyed.

See psa_key_persistence_t for more information.

Definition at line 2508 of file crypto_values.h.

◆ PSA_KEY_PERSISTENCE_VOLATILE

#define PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t)0x00)

The persistence level of volatile keys.

See psa_key_persistence_t for more information.

Definition at line 2515 of file crypto_values.h.

◆ PSA_KEY_TYPE_AES

#define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400)

Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.

The size of the key is related to the AES algorithm variant. For algorithms except the XTS block cipher mode, the following key sizes are used:

AES-128 uses a 16-byte key : key_bits = 128
AES-192 uses a 24-byte key : key_bits = 192
AES-256 uses a 32-byte key : key_bits = 256

For the XTS block cipher mode (PSA_ALG_XTS), the following key sizes are used:

AES-128-XTS uses two 16-byte keys : key_bits = 256
AES-192-XTS uses two 24-byte keys : key_bits = 384
AES-256-XTS uses two 32-byte keys : key_bits = 512

The AES block cipher is defined in FIPS Publication 197: Advanced Encryption Standard (AES) FIPS197.

Compatible algorithms

Definition at line 2587 of file crypto_values.h.

◆ PSA_KEY_TYPE_ARC4

#define PSA_KEY_TYPE_ARC4 ((psa_key_type_t)0x2002)

Key for the ARC4 stream cipher.

Warning: The ARC4 cipher is weak and deprecated and is only recommended for use in legacy protocols.

The ARC4 cipher supports key sizes between 40 and 2048 bits, that are multiples of 8. (5 to 256 bytes)

Use algorithm PSA_ALG_STREAM_CIPHER to use this key with the ARC4 cipher.

Definition at line 2600 of file crypto_values.h.

◆ PSA_KEY_TYPE_ARIA

#define PSA_KEY_TYPE_ARIA ((psa_key_type_t)0x2406)

Key for a cipher, AEAD or MAC algorithm based on the ARIA block cipher.

     The size of the key is related to the ARIA algorithm variant. For algorithms except the
     XTS block cipher mode, the following key sizes are used:
     - ARIA-128 uses a 16-byte key : @c key_bits = 128
     - ARIA-192 uses a 24-byte key : @c key_bits = 192
     - ARIA-256 uses a 32-byte key : @c key_bits = 256

     For the XTS block cipher mode (@ref PSA_ALG_XTS), the following key sizes are used:
     - ARIA-128-XTS uses two 16-byte keys : @c key_bits = 256
     - ARIA-192-XTS uses two 24-byte keys : @c key_bits = 384
     - ARIA-256-XTS uses two 32-byte keys : @c key_bits = 512

     The ARIA block cipher is defined in A Description of the ARIA Encryption Algorithm
     [RFC5794](https://datatracker.ietf.org/doc/html/rfc5794).

     @b Compatible @b algorithms
     - @ref PSA_ALG_CBC_MAC
     - @ref PSA_ALG_CMAC
     - @ref PSA_ALG_CTR
     - @ref PSA_ALG_CFB
     - @ref PSA_ALG_OFB
     - @ref PSA_ALG_XTS
     - @ref PSA_ALG_CBC_NO_PADDING
     - @ref PSA_ALG_CBC_PKCS7
     - @ref PSA_ALG_ECB_NO_PADDING
     - @ref PSA_ALG_CCM
     - @ref PSA_ALG_GCM

Definition at line 2632 of file crypto_values.h.

◆ PSA_KEY_TYPE_CAMELLIA

#define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x2403)

Key for a cipher, AEAD or MAC algorithm based on the Camellia block cipher.

The size of the key is related to the Camellia algorithm variant. For algorithms except the XTS block cipher mode, the following key sizes are used:

Camellia-128 uses a 16-byte key : key_bits = 128
Camellia-192 uses a 24-byte key : key_bits = 192
Camellia-256 uses a 32-byte key : key_bits = 256

For the XTS block cipher mode (PSA_ALG_XTS), the following key sizes are used:

Camellia-128-XTS uses two 16-byte keys : key_bits = 256
Camellia-192-XTS uses two 24-byte keys : key_bits = 384
Camellia-256-XTS uses two 32-byte keys : key_bits = 512

The Camellia block cipher is defined in Specification of Camellia — a 128-bit Block Cipher NTT-CAM and also described in A Description of the Camellia Encryption Algorithm RFC3713.

Compatible algorithms

Definition at line 2666 of file crypto_values.h.

◆ PSA_KEY_TYPE_CATEGORY_FLAG_PAIR

#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x3000)

Asymmetric key pair flag.

Definition at line 2555 of file crypto_values.h.

◆ PSA_KEY_TYPE_CATEGORY_KEY_PAIR

#define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t)0x7000)

Asymmetric key pair type.

Definition at line 2550 of file crypto_values.h.

◆ PSA_KEY_TYPE_CATEGORY_MASK

#define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x7000)

Mask for key type categories.

Definition at line 2530 of file crypto_values.h.

◆ PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY

#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t)0x4000)

Asymmetric public key type.

Definition at line 2545 of file crypto_values.h.

◆ PSA_KEY_TYPE_CATEGORY_RAW

#define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t)0x1000)

Raw key data type.

Definition at line 2535 of file crypto_values.h.

◆ PSA_KEY_TYPE_CATEGORY_SYMMETRIC

#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x2000)

Symmetric key type.

Definition at line 2540 of file crypto_values.h.

◆ PSA_KEY_TYPE_CHACHA20

#define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x2004)

Key for the ChaCha20 stream cipher or the ChaCha20-Poly1305 AEAD algorithm.

The ChaCha20 key size is 256 bits (32 bytes).

Use algorithm PSA_ALG_STREAM_CIPHER to use this key with the ChaCha20 cipher for unauthenticated encryption. See PSA_ALG_STREAM_CIPHER for details of this algorithm.
Use algorithm PSA_ALG_CHACHA20_POLY1305 to use this key with the ChaCha20 cipher and Poly1305 authenticator for AEAD. See PSA_ALG_CHACHA20_POLY1305 for details of this algorithm.

Compatible algorithms

Definition at line 2683 of file crypto_values.h.

◆ PSA_KEY_TYPE_DERIVE

#define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x1200)

A secret for key derivation.

This key type is for high-entropy secrets only. For low-entropy secrets, PSA_KEY_TYPE_PASSWORD should be used instead.

These keys can be used in the PSA_KEY_DERIVATION_INPUT_SECRET or PSA_KEY_DERIVATION_INPUT_PASSWORD input step of key derivation algorithms.

The key policy determines which key derivation algorithm the key can be used for.

The bit size of a secret for key derivation must be a non-zero multiple of 8. The maximum size of a secret for key derivation is implementation defined.

Compatible algorithms

PSA_ALG_HKDF (secret input)
PSA_ALG_TLS12_PRF (secret input)
PSA_ALG_TLS12_PSK_TO_MS (secret input)

Definition at line 2704 of file crypto_values.h.

◆ PSA_KEY_TYPE_DES

#define PSA_KEY_TYPE_DES ((psa_key_type_t)0x2301)

Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).

The size of the key determines which DES algorithm is used:

Single DES uses an 8-byte key : key_bits = 64
2-key 3DES uses a 16-byte key : key_bits = 128
3-key 3DES uses a 24-byte key : key_bits = 192

Warning: Single DES and 2-key 3DES are weak and strongly deprecated and are only recommended for decrypting legacy data. 3-key 3DES is weak and deprecated and is only recommended for use in legacy protocols.

The DES and 3DES block ciphers are defined in NIST Special Publication 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher SP800-67.

Compatible algorithms

Definition at line 2733 of file crypto_values.h.

◆ PSA_KEY_TYPE_DH_GET_FAMILY

#define PSA_KEY_TYPE_DH_GET_FAMILY ( type ) ((psa_dh_family_t)((type) & 0x00ff))

Extract the group family from a Diffie-Hellman key type.

Parameters

type	A Diffie-Hellman key type: a value of type psa_key_type_t such that PSA_KEY_TYPE_IS_DH(`type`) is true.

Returns: The Diffie-Hellman group family id, if type is a supported Diffie-Hellman key. Unspecified if type is not a supported Diffie-Hellman key.

Definition at line 2744 of file crypto_values.h.

◆ PSA_KEY_TYPE_DH_KEY_PAIR

#define PSA_KEY_TYPE_DH_KEY_PAIR ( group ) ((psa_key_type_t)(0x7200 | (group)))

Finite-field Diffie-Hellman key pair: both the private key and public key.

Compatible algorithms

PSA_ALG_FFDH

Parameters

group A value of type psa_dh_family_t that identifies the Diffie-Hellman group family to be used.

Definition at line 2756 of file crypto_values.h.

◆ PSA_KEY_TYPE_DH_PUBLIC_KEY

#define PSA_KEY_TYPE_DH_PUBLIC_KEY ( group ) ((psa_key_type_t)(0x4200 | (group)))

Finite-field Diffie-Hellman public key.

Compatible algorithms None. Finite-field Diffie-Hellman public keys are exported to use in a key agreement algorithm, and the peer key is provided to the PSA_ALG_FFDH key agreement algorithm as a buffer of key data.

Parameters

group A value of type psa_dh_family_t that identifies the Diffie-Hellman group family to be used.

Definition at line 2770 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_CURVE_MASK

#define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff)

Mask for ECC curves.

Definition at line 2798 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_GET_FAMILY

#define PSA_KEY_TYPE_ECC_GET_FAMILY ( type ) ((psa_ecc_family_t)((type) & 0x00ff))

Extract the curve family from an elliptic curve key type.

Parameters

type	An elliptic curve key type: a value of type psa_key_type_t such that PSA_KEY_TYPE_IS_ECC(`type`) is true.

Returns: The elliptic curve family id, if type is a supported elliptic curve key. Unspecified if type is not a supported elliptic curve key.

Definition at line 2782 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_KEY_PAIR

#define PSA_KEY_TYPE_ECC_KEY_PAIR ( curve ) (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))

Elliptic curve key pair: both the private and public key.

The size of an elliptic curve key is the bit size associated with the curve, that is, the bit size of q for a curve over a field Fq. See the documentation of each Elliptic curve family for details.

Compatible algorithms

Elliptic curve key pairs can be used in Asymmetric signature and Key agreement algorithms.
The set of compatible algorithms depends on the Elliptic curve key family. See the Elliptic curve family for details.

Parameters

curve A value of type psa_ecc_family_t that identifies the ECC curve to be used.

Definition at line 2815 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_KEY_PAIR_BASE

#define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t)0x7100)

Base value for ECC key pairs.

Definition at line 2793 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_PUBLIC_KEY [1/2]

#define PSA_KEY_TYPE_ECC_PUBLIC_KEY ( curve ) (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))

Elliptic curve public key.

The size of an elliptic curve public key is the same as the corresponding private key. See PSA_KEY_TYPE_ECC_KEY_PAIR() and the documentation of each Elliptic curve family for details.

Compatible algorithms Elliptic curve public keys can be used for verification in asymmetric signature algorithms. The set of compatible algorithms depends on the elliptic curve key family. See each elliptic curve family for details.

Parameters

curve A value of type psa_ecc_family_t that identifies the ECC curve to be used.

Definition at line 2833 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_PUBLIC_KEY [2/2]

#define PSA_KEY_TYPE_ECC_PUBLIC_KEY ( curve ) (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))

Elliptic curve public key.

The size of an elliptic curve public key is the same as the corresponding private key. See PSA_KEY_TYPE_ECC_KEY_PAIR() and the documentation of each Elliptic curve family for details.

Compatible algorithms Elliptic curve public keys can be used for verification in asymmetric signature algorithms. The set of compatible algorithms depends on the elliptic curve key family. See each elliptic curve family for details.

Parameters

curve A value of type psa_ecc_family_t that identifies the ECC curve to be used.

Definition at line 2833 of file crypto_values.h.

◆ PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE

#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x4100)

Base value for ECC public keys.

Definition at line 2788 of file crypto_values.h.

◆ PSA_KEY_TYPE_HMAC

#define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x1100)

HMAC key.

The key policy determines which underlying hash algorithm the key can be used for.

     The bit size of an HMAC key must be a non-zero multiple of 8. An HMAC key is typically
     the same size as the output of the underlying hash algorithm. An HMAC key that is
     longer than the block size of the underlying hash algorithm will be hashed before use.

     When an HMAC key is created that is longer than the block size, it is implementation
     defined whether the implementation stores the original HMAC key, or the hash of the
     HMAC key. If the hash of the key is stored, the key size reported by
     @ref psa_get_key_attributes() will be the size of the hashed key.

Note: PSA_HASH_LENGTH(alg) provides the output size of hash algorithm alg, in bytes. PSA_HASH_BLOCK_LENGTH(alg) provides the block size of hash algorithm alg, in bytes.

Compatible algorithms

PSA_ALG_HMAC

Definition at line 2900 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_ASYMMETRIC

#define PSA_KEY_TYPE_IS_ASYMMETRIC ( type ) (((type) & 0x4000) == 0x4000)

Whether a key type is asymmetric: either a key pair or a public key.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2907 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_DH

#define PSA_KEY_TYPE_IS_DH ( type ) ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & 0xff00) == 0x4200)

Whether a key type is a Diffie-Hellman key, either a key pair or a public key.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2915 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_DH_KEY_PAIR

#define PSA_KEY_TYPE_IS_DH_KEY_PAIR ( type ) (((type) & 0xff00) == 0x7200)

Whether a key type is a Diffie-Hellman key pair.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2923 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_DH_PUBLIC_KEY

#define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY ( type ) (((type) & 0xff00) == 0x4200)

Whether a key type is a Diffie-Hellman public key.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2931 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_ECC

#define PSA_KEY_TYPE_IS_ECC ( type ) ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & 0xff00) == 0x4100)

Whether a key type is an elliptic curve key, either a key pair or a public key.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2847 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_ECC_KEY_PAIR

#define PSA_KEY_TYPE_IS_ECC_KEY_PAIR ( type ) (((type) & 0xff00) == 0x7100)

Whether a key type is an elliptic curve key pair.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2855 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY

#define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY ( type ) (((type) & 0xff00) == 0x4100)

Whether a key type is an elliptic curve public key.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2863 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_KEY_PAIR

#define PSA_KEY_TYPE_IS_KEY_PAIR ( type ) (((type) & 0x7000) == 0x7000)

Whether a key type is a key pair containing a private part and a public part.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2939 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_PUBLIC_KEY

#define PSA_KEY_TYPE_IS_PUBLIC_KEY ( type ) (((type) & 0x7000) == 0x4000)

Whether a key type is the public part of a key pair.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2948 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_RSA

#define PSA_KEY_TYPE_IS_RSA ( type ) (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == 0x4001)

Whether a key type is an RSA key.

This includes both key pairs and public keys.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2956 of file crypto_values.h.

◆ PSA_KEY_TYPE_IS_UNSTRUCTURED

#define PSA_KEY_TYPE_IS_UNSTRUCTURED ( type ) (((type) & 0x7000) == 0x1000 || ((type) & 0x7000) == 0x2000)

Whether a key type is an unstructured array of bytes.

This encompasses both symmetric keys and non-key data.

Parameters

type	A key type: a value of type psa_key_type_t.

Definition at line 2965 of file crypto_values.h.

◆ PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY

#define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY ( type ) ((psa_key_type_t)((type) | 0x3000))

The key pair type corresponding to a public key type.

If type is a key pair type, it will be left unchanged.

Parameters

type	A public key type or key pair type.

Returns: The corresponding key pair type. If type is not a public key or a key pair, the return value is undefined.

Definition at line 2978 of file crypto_values.h.

◆ PSA_KEY_TYPE_NONE

#define PSA_KEY_TYPE_NONE ((psa_key_type_t)0x0000)

An invalid key type value.

Zero is not the encoding of any key type.

Definition at line 2986 of file crypto_values.h.

◆ PSA_KEY_TYPE_PASSWORD

#define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1203)

A low-entropy secret for password hashing or key derivation.

This key type is suitable for passwords and passphrases which are typically intended to be memorizable by humans, and have a low entropy relative to their size. It can be used for randomly generated or derived keys with maximum or near-maximum entropy, but PSA_KEY_TYPE_DERIVE is more suitable for such keys. It is not suitable for passwords with extremely low entropy, such as numerical PINs.

These keys can be used in the PSA_KEY_DERIVATION_INPUT_PASSWORD input step of key derivation algorithms. Algorithms that accept such an input were designed to accept low-entropy secret and are known as password hashing or key stretching algorithms.

These keys cannot be used in the PSA_KEY_DERIVATION_INPUT_SECRET input step of key derivation algorithms, as the algorithms expect such an input to have high entropy.

The key policy determines which key derivation algorithm the key can be used for, among the permissible subset defined above.

Compatible algorithms

PSA_ALG_PBKDF2_HMAC() (password input)
PSA_ALG_PBKDF2_AES_CMAC_PRF_128 (password input)

Definition at line 3011 of file crypto_values.h.

◆ PSA_KEY_TYPE_PASSWORD_HASH

#define PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t)0x1205)

A secret value that can be used to verify a password hash.

The key policy determines which key derivation algorithm the key can be used for, among the same permissible subset as for PSA_KEY_TYPE_PASSWORD.

Compatible algorithms

PSA_ALG_PBKDF2_HMAC() (key output and verification)
PSA_ALG_PBKDF2_AES_CMAC_PRF_128 (key output and verification)

Definition at line 3023 of file crypto_values.h.

◆ PSA_KEY_TYPE_PEPPER

#define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1206)

A secret value that can be used when computing a password hash.

The key policy determines which key derivation algorithm the key can be used for, among the subset of algorithms that can use pepper.

Compatible algorithms

PSA_ALG_PBKDF2_HMAC() (salt input)
PSA_ALG_PBKDF2_AES_CMAC_PRF_128 (salt input)

Definition at line 3035 of file crypto_values.h.

◆ PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR

#define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR ( type ) ((psa_key_type_t)((type) & ~0x3000))

The public key type corresponding to a key pair type.

You may also pass a key pair type as type, it will be left unchanged.

Parameters

type	A public key type or key pair type.

Returns: The corresponding public key type. If type is not a public key or a key pair, the return value is undefined.

Definition at line 2875 of file crypto_values.h.

◆ PSA_KEY_TYPE_RAW_DATA

#define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x1001)

Raw data.

A “key” of this type cannot be used for any cryptographic operation. Applications can use this type to store arbitrary data in the keystore.

The bit size of a raw key must be a non-zero multiple of 8. The maximum size of a raw key is implementation defined.

Compatible algorithms

PSA_ALG_HKDF (non-secret inputs)
PSA_ALG_TLS12_PRF (non-secret inputs)
PSA_ALG_TLS12_PSK_TO_MS (non-secret inputs)

Definition at line 3051 of file crypto_values.h.

◆ PSA_KEY_TYPE_RSA_KEY_PAIR

#define PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t)0x7001)

RSA key pair: both the private and public key.

The size of an RSA key is the bit size of the modulus.

     @b Compatible @b algorithms
     - @ref PSA_ALG_RSA_OAEP
     - @ref PSA_ALG_RSA_PKCS1V15_CRYPT
     - @ref PSA_ALG_RSA_PKCS1V15_SIGN
     - @ref PSA_ALG_RSA_PKCS1V15_SIGN_RAW
     - @ref PSA_ALG_RSA_PSS
     - @ref PSA_ALG_RSA_PSS_ANY_SALT

Definition at line 3066 of file crypto_values.h.

◆ PSA_KEY_TYPE_RSA_PUBLIC_KEY

#define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x4001)

RSA public key.

The size of an RSA key is the bit size of the modulus.

     @b Compatible @b algorithms
     - @ref PSA_ALG_RSA_OAEP (encryption only)
     - @ref PSA_ALG_RSA_PKCS1V15_CRYPT (encryption only)
     - @ref PSA_ALG_RSA_PKCS1V15_SIGN (signature verification only)
     - @ref PSA_ALG_RSA_PKCS1V15_SIGN_RAW (signature verification only)
     - @ref PSA_ALG_RSA_PSS (signature verification only)
     - @ref PSA_ALG_RSA_PSS_ANY_SALT (signature verification only)

Definition at line 3081 of file crypto_values.h.

◆ PSA_KEY_TYPE_SM4

#define PSA_KEY_TYPE_SM4 ((psa_key_type_t)0x2405)

Key for a cipher, AEAD or MAC algorithm based on the SM4 block cipher.

For algorithms except the XTS block cipher mode, the SM4 key size is 128 bits (16 bytes).

For the XTS block cipher mode (PSA_ALG_XTS), the SM4 key size is 256 bits (two 16-byte keys).

The SM4 block cipher is defined in GM/T 0002-2012: SM4 block cipher algorithm CSTC0002 (English version CSTC0002/E).

Compatible algorithms

Definition at line 3110 of file crypto_values.h.

◆ PSA_KEY_TYPE_VENDOR_FLAG

#define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x8000)

Vendor-defined key type flag.

Key types defined by this standard will never have the PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types must use an encoding with the PSA_KEY_TYPE_VENDOR_FLAG bit set and should respect the bitwise structure used by standard encodings whenever practical.

Definition at line 2525 of file crypto_values.h.

◆ PSA_KEY_USAGE_CACHE

#define PSA_KEY_USAGE_CACHE ((psa_key_usage_t)0x00000004)

Permission for the implementation to cache the key.

This flag allows the implementation to make additional copies of the key material that are not in storage and not for the purpose of an ongoing operation. Applications can use it as a hint to keep the key around for repeated access.

An application can request that cached key material is removed from memory by calling psa_purge_key().

The presence of this usage flag when creating a key is a hint:

An implementation is not required to cache keys that have this usage flag.
An implementation must not report an error if it does not cache keys.

If this usage flag is not present, the implementation must ensure key material is removed from memory as soon as it is not required for an operation or for maintenance of a volatile key.

This flag must be preserved when reading back the attributes for all keys, regardless of key type or implementation behavior.

Definition at line 3133 of file crypto_values.h.

◆ PSA_KEY_USAGE_COPY

#define PSA_KEY_USAGE_COPY ((psa_key_usage_t)0x00000002)

Permission to copy the key.

This flag allows the use of psa_copy_key() to make a copy of the key with the same policy or a more restrictive policy.

For lifetimes for which the key is located in a secure element which enforce the non-exportability of keys, copying a key outside the secure element also requires the usage flag PSA_KEY_USAGE_EXPORT. Copying the key inside the secure element is permitted with just PSA_KEY_USAGE_COPY if the secure element supports it. For keys with the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT, the usage flag PSA_KEY_USAGE_COPY is sufficient to permit the copy.

Definition at line 3148 of file crypto_values.h.

◆ PSA_KEY_USAGE_DECRYPT

#define PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t)0x00000200)

Permission to decrypt a message with the key.

This flag allows the key to be used for a symmetric decryption operation, for an AEAD decryption-and-verification operation, or for an asymmetric decryption operation, if otherwise permitted by the key’s type and policy. The flag must be present on keys used with the following APIs:

For a key pair, this concerns the private key.

Definition at line 3165 of file crypto_values.h.

◆ PSA_KEY_USAGE_DERIVE

#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)

Permission to derive other keys or produce a password hash from this key.

This flag allows the key to be used for a key derivation operation or for a key agreement operation, if otherwise permitted by the key’s type and policy.

This flag must be present on keys used with the following APIs:

If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_output_bytes() or psa_key_derivation_output_key() at the end of the operation.

Definition at line 3182 of file crypto_values.h.

◆ PSA_KEY_USAGE_ENCRYPT

#define PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t)0x00000100)

Permission to encrypt a message with the key.

This flag allows the key to be used for a symmetric encryption operation, for an AEAD encryption-and-authentication operation, or for an asymmetric encryption operation, if otherwise permitted by the key’s type and policy. The flag must be present on keys used with the following APIs:

For a key pair, this concerns the public key.

Definition at line 3199 of file crypto_values.h.

◆ PSA_KEY_USAGE_EXPORT

#define PSA_KEY_USAGE_EXPORT ((psa_key_usage_t)0x00000001)

Permission to export the key.

This flag allows the use of psa_export_key() to export a key from the cryptoprocessor. A public key or the public part of a key pair can always be exported regardless of the value of this permission flag.

This flag can also be required to copy a key using psa_copy_key() outside of a secure element. See also PSA_KEY_USAGE_COPY.

If a key does not have export permission, implementations must not allow the key to be exported in plain form from the cryptoprocessor, whether through psa_export_key() or through a proprietary interface. The key might still be exportable in a wrapped form, i.e. in a form where it is encrypted by another key.

Definition at line 3216 of file crypto_values.h.

◆ PSA_KEY_USAGE_SIGN_HASH

#define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000)

Permission to sign a message hash with the key.

This flag allows the key to be used to sign a message hash as part of an asymmetric signature operation, if otherwise permitted by the key’s type and policy. The flag must be present on keys used when calling psa_sign_hash().

This flag automatically sets PSA_KEY_USAGE_SIGN_MESSAGE : if an application sets the flag PSA_KEY_USAGE_SIGN_HASH when creating a key, then the key always has the permissions conveyed by PSA_KEY_USAGE_SIGN_MESSAGE, and the flag PSA_KEY_USAGE_SIGN_MESSAGE will also be present when the application queries the usage flags of the key.

For a key pair, this concerns the private key.

Definition at line 3233 of file crypto_values.h.

◆ PSA_KEY_USAGE_SIGN_MESSAGE

#define PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t)0x00000400)

Permission to sign a message with the key.

This flag allows the key to be used for a MAC calculation operation or for an asymmetric message signature operation, if otherwise permitted by the key’s type and policy. The flag must be present on keys used with the following APIs:

For a key pair, this concerns the private key.

Definition at line 3247 of file crypto_values.h.

◆ PSA_KEY_USAGE_VERIFY_DERIVATION

#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)

Permission to verify the result of a key derivation, including password hashing.

This flag allows the key to be used in a key derivation operation, if otherwise permitted by the key’s type and policy.

This flag must be present on keys used with psa_key_derivation_verify_key().

If this flag is present on all keys used in calls to psa_key_derivation_input_key() for a key derivation operation, then it permits calling psa_key_derivation_verify_bytes() or psa_key_derivation_verify_key() at the end of the operation.

Definition at line 3262 of file crypto_values.h.

◆ PSA_KEY_USAGE_VERIFY_HASH

#define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000)

Permission to verify a message hash with the key.

This flag allows the key to be used to verify a message hash as part of an asymmetric signature verification operation, if otherwise permitted by the key’s type and policy. The flag must be present on keys used when calling psa_verify_hash().

This flag automatically sets PSA_KEY_USAGE_VERIFY_MESSAGE : if an application sets the flag PSA_KEY_USAGE_VERIFY_HASH when creating a key, then the key always has the permissions conveyed by PSA_KEY_USAGE_VERIFY_MESSAGE, and the flag PSA_KEY_USAGE_VERIFY_MESSAGE will also be present when the application queries the usage flags of the key.

For a key pair, this concerns the public key.

Definition at line 3279 of file crypto_values.h.

◆ PSA_KEY_USAGE_VERIFY_MESSAGE

#define PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t)0x00000800)

Permission to verify a message signature with the key.

This flag allows the key to be used for a MAC verification operation or for an asymmetric message signature verification operation, if otherwise permitted by the key’s type and policy. The flag must be present on keys used with the following APIs:

For a key pair, this concerns the public key.

Definition at line 3293 of file crypto_values.h.

◆ PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE

#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE /* implementation-defined value */

Sufficient output buffer size for psa_raw_key_agreement(), for any of the supported key types and key agreement algorithms.

If the size of the output buffer is at least this large, it is guaranteed that psa_raw_key_agreement() will not fail due to an insufficient buffer size.

Definition at line 3304 of file crypto_values.h.

◆ PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE

#define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE	(	key_type,
		key_bits
	)	/* implementation-defined value */

Sufficient output buffer size for psa_raw_key_agreement().

If the size of the output buffer is at least this large, it is guaranteed that psa_raw_key_agreement() will not fail due to an insufficient buffer size. The actual size of the output might be smaller in any given call.

Parameters

key_type	A supported key type.
key_bits	The size of the key in bits.

Returns: A sufficient output buffer size for the specified key type and size. 0 if key type is not supported. If the parameters are not valid, the return value is unspecified.

Definition at line 3323 of file crypto_values.h.

◆ PSA_SIGNATURE_MAX_SIZE

#define PSA_SIGNATURE_MAX_SIZE /* implementation-defined value */

A sufficient signature buffer size for psa_sign_message() and psa_sign_hash(), for any of the supported key types and asymmetric signature algorithms.

If the size of the signature buffer is at least this large, it is guaranteed that psa_sign_message() and psa_sign_hash() will not fail due to an insufficient buffer size.

◆ PSA_SUCCESS

#define PSA_SUCCESS ((psa_status_t)0)

The action was completed successfully.

Definition at line 3360 of file crypto_values.h.

◆ PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE

#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE /* implementation-defined value */

This macro returns the maximum supported length of the PSK for the TLS-1.2 PSK-to-MS key derivation.

This implementation-defined value specifies the maximum length for the PSK input used with a PSA_ALG_TLS12_PSK_TO_MS() key agreement algorithm.

Quoting Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) RFC4279 §5.3: TLS implementations supporting these cipher suites MUST support arbitrary PSK identities up to 128 octets in length, and arbitrary PSKs up to 64 octets in length. Supporting longer identities and keys is RECOMMENDED.

Therefore, it is recommended that implementations define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE with a value greater than or equal to 64.

Definition at line 3355 of file crypto_values.h.