Mistake on this page?
Report an issue in GitHub or email us
Functions
Key management

Functions

psa_status_t psa_purge_key (mbedtls_svc_key_id_t key)
 Remove non-essential copies of key material from memory. More...
 
psa_status_t psa_copy_key (mbedtls_svc_key_id_t source_key, const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *target_key)
 Make a copy of a key. More...
 
psa_status_t psa_destroy_key (mbedtls_svc_key_id_t key)
 Destroy a key. More...
 
psa_status_t psa_open_key (psa_key_id_t id, psa_key_handle_t *handle)
 Open a handle to an existing persistent key. More...
 
psa_status_t psa_close_key (psa_key_handle_t handle)
 Close a key handle. More...
 

Detailed Description

Function Documentation

psa_status_t psa_close_key ( psa_key_handle_t  handle)

Close a key handle.

If the handle designates a volatile key, this will destroy the key material and free all associated resources, just like psa_destroy_key().

If this is the last open handle to a persistent key, then closing the handle will free all resources associated with the key in volatile memory. The key data in persistent storage is not affected and can be opened again later with a call to psa_open_key().

Closing the key handle makes the handle invalid, and the key handle must not be used again by the application.

Note
If the key handle was used to set up an active :ref:`multipart operation <multipart-operations>`, then closing the key handle can cause the multipart operation to fail. Applications should maintain the key handle until after the multipart operation has finished.
Parameters
handleThe key handle to close. If this is 0, do nothing and return PSA_SUCCESS.
Return values
PSA_SUCCESShandle was a valid handle or 0. It is now closed.
PSA_ERROR_INVALID_HANDLEhandle is not a valid handle nor 0.
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_copy_key ( mbedtls_svc_key_id_t  source_key,
const psa_key_attributes_t attributes,
mbedtls_svc_key_id_t *  target_key 
)

Make a copy of a key.

Copy key material from one location to another.

This function is primarily useful to copy a key from one location to another, since it populates a key using the material from another key which may have a different lifetime.

This function may be used to share a key with a different party, subject to implementation-defined restrictions on key sharing.

The policy on the source key must have the usage flag PSA_KEY_USAGE_COPY set. This flag is sufficient to permit the copy if the key has the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT. Some secure elements do not provide a way to copy a key without making it extractable from the secure element. If a key is located in such a secure element, then the key must have both usage flags PSA_KEY_USAGE_COPY and PSA_KEY_USAGE_EXPORT in order to make a copy of the key outside the secure element.

The resulting key may only be used in a way that conforms to both the policy of the original key and the policy specified in the attributes parameter:

  • The usage flags on the resulting key are the bitwise-and of the usage flags on the source policy and the usage flags in attributes.
  • If both allow the same algorithm or wildcard-based algorithm policy, the resulting key has the same algorithm policy.
  • If either of the policies allows an algorithm and the other policy allows a wildcard-based algorithm policy that includes this algorithm, the resulting key allows the same algorithm.
  • If the policies do not allow any algorithm in common, this function fails with the status PSA_ERROR_INVALID_ARGUMENT.

The effect of this function on implementation-defined attributes is implementation-defined.

Parameters
source_keyThe key to copy. It must allow the usage PSA_KEY_USAGE_COPY. If a private or secret key is being copied outside of a secure element it must also allow PSA_KEY_USAGE_EXPORT.
[in]attributesThe attributes for the new key. They are used as follows:
  • The key type and size may be 0. If either is nonzero, it must match the corresponding attribute of the source key.
  • The key location (the lifetime and, for persistent keys, the key identifier) is used directly.
  • The policy constraints (usage flags and algorithm policy) are combined from the source key and attributes so that both sets of restrictions apply, as described in the documentation of this function.
[out]target_keyOn success, an identifier for the newly created key. For persistent keys, this is the key identifier defined in attributes. 0 on failure.
Return values
PSA_SUCCESS
PSA_ERROR_INVALID_HANDLEsource_key is invalid.
PSA_ERROR_ALREADY_EXISTSThis is an attempt to create a persistent key, and there is already a persistent key with the given identifier.
PSA_ERROR_INVALID_ARGUMENTThe lifetime or identifier in attributes are invalid.
PSA_ERROR_INVALID_ARGUMENTThe policy constraints on the source and specified in attributes are incompatible.
PSA_ERROR_INVALID_ARGUMENTattributes specifies a key type or key size which does not match the attributes of the source key.
PSA_ERROR_NOT_PERMITTEDThe source key does not have the PSA_KEY_USAGE_COPY usage flag.
PSA_ERROR_NOT_PERMITTEDThe source key is not exportable and its lifetime does not allow copying it to the target's lifetime.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_INSUFFICIENT_STORAGE
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.

Copy key material from one location to another.

This function is primarily useful to copy a key from one location to another, since it populates a key using the material from another key which may have a different lifetime.

This function may be used to share a key with a different party, subject to implementation-defined restrictions on key sharing.

The policy on the source key must have the usage flag PSA_KEY_USAGE_COPY set. This flag is sufficient to permit the copy if the key has the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT. Some secure elements do not provide a way to copy a key without making it extractable from the secure element. If a key is located in such a secure element, then the key must have both usage flags PSA_KEY_USAGE_COPY and PSA_KEY_USAGE_EXPORT in order to make a copy of the key outside the secure element.

The resulting key may only be used in a way that conforms to both the policy of the original key and the policy specified in the attributes parameter:

  • The usage flags on the resulting key are the bitwise-and of the usage flags on the source policy and the usage flags in attributes.
  • If both allow the same algorithm or wildcard-based algorithm policy, the resulting key has the same algorithm policy.
  • If either of the policies allows an algorithm and the other policy allows a wildcard-based algorithm policy that includes this algorithm, the resulting key allows the same algorithm.
  • If the policies do not allow any algorithm in common, this function fails with the status PSA_ERROR_INVALID_ARGUMENT.

The effect of this function on implementation-defined attributes is implementation-defined.

Parameters
source_keyThe key to copy. It must allow the usage PSA_KEY_USAGE_COPY. If a private or secret key is being copied outside of a secure element it must also allow PSA_KEY_USAGE_EXPORT.
[in]attributesThe attributes for the new key. They are used as follows:
  • The key type and size may be 0. If either is nonzero, it must match the corresponding attribute of the source key.
  • The key location (the lifetime and, for persistent keys, the key identifier) is used directly.
  • The policy constraints (usage flags and algorithm policy) are combined from the source key and attributes so that both sets of restrictions apply, as described in the documentation of this function.
[out]target_keyOn success, an identifier for the newly created key. For persistent keys, this is the key identifier defined in attributes. 0 on failure.
Return values
PSA_SUCCESS
PSA_ERROR_INVALID_HANDLEsource_key is invalid.
PSA_ERROR_ALREADY_EXISTSThis is an attempt to create a persistent key, and there is already a persistent key with the given identifier.
PSA_ERROR_INVALID_ARGUMENTThe lifetime or identifier in attributes are invalid.
PSA_ERROR_INVALID_ARGUMENTThe policy constraints on the source and specified in attributes are incompatible.
PSA_ERROR_INVALID_ARGUMENTattributes specifies a key type or key size which does not match the attributes of the source key.
PSA_ERROR_NOT_PERMITTEDThe source key does not have the PSA_KEY_USAGE_COPY usage flag.
PSA_ERROR_NOT_PERMITTEDThe source key is not exportable and its lifetime does not allow copying it to the target's lifetime.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_INSUFFICIENT_STORAGE
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_DATA_INVALID
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.

Copy key material from one location to another.

This function is primarily useful to copy a key from one location to another, since it populates a key using the material from another key which may have a different lifetime.

This function may be used to share a key with a different party, subject to implementation-defined restrictions on key sharing.

The policy on the source key must have the usage flag PSA_KEY_USAGE_COPY set. This flag is sufficient to permit the copy if the key has the lifetime PSA_KEY_LIFETIME_VOLATILE or PSA_KEY_LIFETIME_PERSISTENT. Some secure elements do not provide a way to copy a key without making it extractable from the secure element. If a key is located in such a secure element, then the key must have both usage flags PSA_KEY_USAGE_COPY and PSA_KEY_USAGE_EXPORT in order to make a copy of the key outside the secure element.

The resulting key may only be used in a way that conforms to both the policy of the original key and the policy specified in the attributes parameter:

  • The usage flags on the resulting key are the bitwise-and of the usage flags on the source policy and the usage flags in attributes.
  • If both allow the same algorithm or wildcard-based algorithm policy, the resulting key has the same algorithm policy.
  • If either of the policies allows an algorithm and the other policy allows a wildcard-based algorithm policy that includes this algorithm, the resulting key allows the same algorithm.
  • If the policies do not allow any algorithm in common, this function fails with the status PSA_ERROR_INVALID_ARGUMENT.

The effect of this function on implementation-defined attributes is implementation-defined.

Parameters
source_handleThe key to copy. It must be a valid key handle.
[in]attributesThe attributes for the new key. They are used as follows:
  • The key type and size may be 0. If either is nonzero, it must match the corresponding attribute of the source key.
  • The key location (the lifetime and, for persistent keys, the key identifier) is used directly.
  • The policy constraints (usage flags and algorithm policy) are combined from the source key and attributes so that both sets of restrictions apply, as described in the documentation of this function.
[out]target_handleOn success, a handle to the newly created key. 0 on failure.
Return values
PSA_SUCCESS
PSA_ERROR_INVALID_HANDLEsource_handle is invalid.
PSA_ERROR_ALREADY_EXISTSThis is an attempt to create a persistent key, and there is already a persistent key with the given identifier.
PSA_ERROR_INVALID_ARGUMENTThe lifetime or identifier in attributes are invalid.
PSA_ERROR_INVALID_ARGUMENTThe policy constraints on the source and specified in attributes are incompatible.
PSA_ERROR_INVALID_ARGUMENTattributes specifies a key type or key size which does not match the attributes of the source key.
PSA_ERROR_NOT_PERMITTEDThe source key does not have the PSA_KEY_USAGE_COPY usage flag.
PSA_ERROR_NOT_PERMITTEDThe source key is not exportable and its lifetime does not allow copying it to the target's lifetime.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_INSUFFICIENT_STORAGE
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_destroy_key ( mbedtls_svc_key_id_t  key)

Destroy a key.

This function destroys a key from both volatile memory and, if applicable, non-volatile storage. Implementations shall make a best effort to ensure that that the key material cannot be recovered.

This function also erases any metadata such as policies and frees resources associated with the key.

If a key is currently in use in a multipart operation, then destroying the key will cause the multipart operation to fail.

Parameters
keyIdentifier of the key to erase. If this is 0, do nothing and return PSA_SUCCESS.
Return values
PSA_SUCCESSkey was a valid identifier and the key material that it referred to has been erased. Alternatively, key is 0.
PSA_ERROR_NOT_PERMITTEDThe key cannot be erased because it is read-only, either due to a policy or due to physical restrictions.
PSA_ERROR_INVALID_HANDLEkey is not a valid identifier nor 0.
PSA_ERROR_COMMUNICATION_FAILUREThere was an failure in communication with the cryptoprocessor. The key material may still be present in the cryptoprocessor.
PSA_ERROR_STORAGE_FAILUREThe storage is corrupted. Implementations shall make a best effort to erase key material even in this stage, however applications should be aware that it may be impossible to guarantee that the key material is not recoverable in such cases.
PSA_ERROR_CORRUPTION_DETECTEDAn unexpected condition which is not a storage corruption or a communication failure occurred. The cryptoprocessor may have been compromised.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.

This function destroys a key from both volatile memory and, if applicable, non-volatile storage. Implementations shall make a best effort to ensure that that the key material cannot be recovered.

This function also erases any metadata such as policies and frees resources associated with the key.

If a key is currently in use in a multipart operation, then destroying the key will cause the multipart operation to fail.

Parameters
keyIdentifier of the key to erase. If this is 0, do nothing and return PSA_SUCCESS.
Return values
PSA_SUCCESSkey was a valid identifier and the key material that it referred to has been erased. Alternatively, key is 0.
PSA_ERROR_NOT_PERMITTEDThe key cannot be erased because it is read-only, either due to a policy or due to physical restrictions.
PSA_ERROR_INVALID_HANDLEkey is not a valid identifier nor 0.
PSA_ERROR_COMMUNICATION_FAILUREThere was an failure in communication with the cryptoprocessor. The key material may still be present in the cryptoprocessor.
PSA_ERROR_DATA_INVALIDThis error is typically a result of either storage corruption on a cleartext storage backend, or an attempt to read data that was written by an incompatible version of the library.
PSA_ERROR_STORAGE_FAILUREThe storage is corrupted. Implementations shall make a best effort to erase key material even in this stage, however applications should be aware that it may be impossible to guarantee that the key material is not recoverable in such cases.
PSA_ERROR_CORRUPTION_DETECTEDAn unexpected condition which is not a storage corruption or a communication failure occurred. The cryptoprocessor may have been compromised.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.

This function destroys a key from both volatile memory and, if applicable, non-volatile storage. Implementations shall make a best effort to ensure that that the key material cannot be recovered.

This function also erases any metadata such as policies and frees resources associated with the key. To free all resources associated with the key, all handles to the key must be closed or destroyed.

Destroying the key makes the handle invalid, and the key handle must not be used again by the application. Using other open handles to the destroyed key in a cryptographic operation will result in an error.

If a key is currently in use in a multipart operation, then destroying the key will cause the multipart operation to fail.

Parameters
handleHandle to the key to erase. If this is 0, do nothing and return PSA_SUCCESS.
Return values
PSA_SUCCESShandle was a valid handle and the key material that it referred to has been erased. Alternatively, handle is 0.
PSA_ERROR_NOT_PERMITTEDThe key cannot be erased because it is read-only, either due to a policy or due to physical restrictions.
PSA_ERROR_INVALID_HANDLEhandle is not a valid handle nor 0.
PSA_ERROR_COMMUNICATION_FAILUREThere was an failure in communication with the cryptoprocessor. The key material may still be present in the cryptoprocessor.
PSA_ERROR_STORAGE_FAILUREThe storage is corrupted. Implementations shall make a best effort to erase key material even in this stage, however applications should be aware that it may be impossible to guarantee that the key material is not recoverable in such cases.
PSA_ERROR_CORRUPTION_DETECTEDAn unexpected condition which is not a storage corruption or a communication failure occurred. The cryptoprocessor may have been compromised.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_open_key ( psa_key_id_t  id,
psa_key_handle_t *  handle 
)

Open a handle to an existing persistent key.

Open a handle to a persistent key. A key is persistent if it was created with a lifetime other than PSA_KEY_LIFETIME_VOLATILE. A persistent key always has a nonzero key identifier, set with psa_set_key_id() when creating the key. Implementations may provide additional pre-provisioned keys that can be opened with psa_open_key(). Such keys have a key identifier in the vendor range, as documented in the description of psa_key_id_t.

The application must eventually close the handle with psa_close_key() or psa_destroy_key() to release associated resources. If the application dies without calling one of these functions, the implementation should perform the equivalent of a call to psa_close_key().

Some implementations permit an application to open the same key multiple times. If this is successful, each call to psa_open_key() will return a different key handle.

Note
Applications that rely on opening a key multiple times will not be portable to implementations that only permit a single key handle to be opened. See also :ref:`key-handles`.
Parameters
idThe persistent identifier of the key.
[out]handleOn success, a handle to the key.
Return values
PSA_SUCCESSSuccess. The application can now use the value of *handle to access the key.
PSA_ERROR_INSUFFICIENT_MEMORYThe implementation does not have sufficient resources to open the key. This can be due to reaching an implementation limit on the number of open keys, the number of open key handles, or available memory.
PSA_ERROR_DOES_NOT_EXISTThere is no persistent key with key identifier id.
PSA_ERROR_INVALID_ARGUMENTid is not a valid persistent key identifier.
PSA_ERROR_NOT_PERMITTEDThe specified key exists, but the application does not have the permission to access it. Note that this specification does not define any way to create such a key, but it may be possible through implementation-specific means.
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
psa_status_t psa_purge_key ( mbedtls_svc_key_id_t  key)

Remove non-essential copies of key material from memory.

If the key identifier designates a volatile key, this functions does not do anything and returns successfully.

If the key identifier designates a persistent key, then this function will free all resources associated with the key in volatile memory. The key data in persistent storage is not affected and the key can still be used.

Parameters
keyIdentifier of the key to purge.
Return values
PSA_SUCCESSThe key material will have been removed from memory if it is not currently required.
PSA_ERROR_INVALID_ARGUMENTkey is not a valid key identifier.
PSA_ERROR_BAD_STATEThe library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
Important Information for this Arm website

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.