Add new key type PASSWORD_HASH

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-03-29 22:20:30 +00:00 · 2021-05-03 10:49:54 +02:00 · 2021-05-03 10:49:54 +02:00 · 2171e421c6
commit 2171e421c6
parent 88658becd4
2 changed files with 19 additions and 9 deletions
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@ -3536,7 +3536,8 @@ psa_status_t psa_key_derivation_output_bytes(
 *     - #PSA_KEY_TYPE_ARC4;
 *     - #PSA_KEY_TYPE_CAMELLIA;
 *     - #PSA_KEY_TYPE_DERIVE;
- *     - #PSA_KEY_TYPE_HMAC.
+ *     - #PSA_KEY_TYPE_HMAC;
+ *     - #PSA_KEY_TYPE_PASSWORD_HASH.
 *
 * - For ECC keys on a Montgomery elliptic curve
 *   (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
@ -3722,12 +3723,13 @@ psa_status_t psa_key_derivation_verify_bytes(
 * psa_key_derivation_abort().
 *
 * \param[in,out] operation The key derivation operation object to read from.
- * \param[in] expected      A key of type #PSA_KEY_TYPE_RAW_DATA containing
- *                          the expected output. Its policy must include the
- *                          #PSA_KEY_USAGE_VERIFY_DERIVATION flag and the
- *                          permitted algorithm must match the operation.
- *                          The value of this key was likely computed by a
- *                          previous call to psa_key_derivation_output_key().
+ * \param[in] expected      A key of type #PSA_KEY_TYPE_PASSWORD_HASH
+ *                          containing the expected output. Its policy must
+ *                          include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
+ *                          and the permitted algorithm must match the
+ *                          operation. The value of this key was likely
+ *                          computed by a previous call to
+ *                          psa_key_derivation_output_key().
 *
 * \retval #PSA_SUCCESS
 * \retval #PSA_ERROR_INVALID_SIGNATURE
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -443,12 +443,20 @@
 */
 #define PSA_KEY_TYPE_PASSWORD                       ((psa_key_type_t)0x1203)

+/** A secret value that can be used to verify a password hash.
+ *
+ * The key policy determines which key derivation algorithm the key
+ * can be used for, among the same permissible subset as for
+ * #PSA_KEY_TYPE_PASSWORD.
+ */
+#define PSA_KEY_TYPE_PASSWORD_HASH                  ((psa_key_type_t)0x1205)
+
 /** A secret value that can be used in when computing a password hash.
 *
 * The key policy determines which key derivation algorithm the key
 * can be used for, among the subset of algorithms that can use pepper.
 */
-#define PSA_KEY_TYPE_PEPPER                         ((psa_key_type_t)0x1205)
+#define PSA_KEY_TYPE_PEPPER                         ((psa_key_type_t)0x1206)

 /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
 *
@ -2204,7 +2212,7 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
 *
 * This flag allows the key to be used:
 *
- * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of
+ * - for a key of type #PSA_KEY_TYPE_PASSWORD_HASH, as the \c key argument of
 *   psa_key_derivation_verify_key();
 * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as
 *   the input to psa_key_derivation_input_key() at the step