@@ -792,12 +792,12 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
792792 * \retval #PSA_SUCCESS
793793 * \retval #PSA_ERROR_INVALID_HANDLE
794794 * \retval #PSA_ERROR_OCCUPIED_SLOT
795- * \p target already contains key material.
795+ * \p target_handle already contains key material.
796796 * \retval #PSA_ERROR_EMPTY_SLOT
797- * \p source does not contain key material.
797+ * \p source_handle does not contain key material.
798798 * \retval #PSA_ERROR_INVALID_ARGUMENT
799799 * The policy constraints on the source, on the target and
800- * \p constraints are incompatible.
800+ * \p constraint are incompatible.
801801 * \retval #PSA_ERROR_NOT_PERMITTED
802802 * The source key is not exportable and its lifetime does not
803803 * allow copying it to the target's lifetime.
@@ -1152,7 +1152,7 @@ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
11521152 * \retval #PSA_ERROR_EMPTY_SLOT
11531153 * \retval #PSA_ERROR_NOT_PERMITTED
11541154 * \retval #PSA_ERROR_INVALID_ARGUMENT
1155- * \p key is not compatible with \p alg.
1155+ * \p handle is not compatible with \p alg.
11561156 * \retval #PSA_ERROR_NOT_SUPPORTED
11571157 * \p alg is not supported or is not a MAC algorithm.
11581158 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1191,7 +1191,7 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
11911191 * \retval #PSA_ERROR_EMPTY_SLOT
11921192 * \retval #PSA_ERROR_NOT_PERMITTED
11931193 * \retval #PSA_ERROR_INVALID_ARGUMENT
1194- * \p key is not compatible with \p alg.
1194+ * \p handle is not compatible with \p alg.
11951195 * \retval #PSA_ERROR_NOT_SUPPORTED
11961196 * \p alg is not supported or is not a MAC algorithm.
11971197 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1294,7 +1294,7 @@ static psa_mac_operation_t psa_mac_operation_init(void);
12941294 * \retval #PSA_ERROR_EMPTY_SLOT
12951295 * \retval #PSA_ERROR_NOT_PERMITTED
12961296 * \retval #PSA_ERROR_INVALID_ARGUMENT
1297- * \p key is not compatible with \p alg.
1297+ * \p handle is not compatible with \p alg.
12981298 * \retval #PSA_ERROR_NOT_SUPPORTED
12991299 * \p alg is not supported or is not a MAC algorithm.
13001300 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1532,7 +1532,7 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
15321532 * \retval #PSA_ERROR_EMPTY_SLOT
15331533 * \retval #PSA_ERROR_NOT_PERMITTED
15341534 * \retval #PSA_ERROR_INVALID_ARGUMENT
1535- * \p key is not compatible with \p alg.
1535+ * \p handle is not compatible with \p alg.
15361536 * \retval #PSA_ERROR_NOT_SUPPORTED
15371537 * \p alg is not supported or is not a cipher algorithm.
15381538 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
@@ -1574,7 +1574,7 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
15741574 * \retval #PSA_ERROR_EMPTY_SLOT
15751575 * \retval #PSA_ERROR_NOT_PERMITTED
15761576 * \retval #PSA_ERROR_INVALID_ARGUMENT
1577- * \p key is not compatible with \p alg.
1577+ * \p handle is not compatible with \p alg.
15781578 * \retval #PSA_ERROR_NOT_SUPPORTED
15791579 * \p alg is not supported or is not a cipher algorithm.
15801580 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
@@ -1680,7 +1680,7 @@ static psa_cipher_operation_t psa_cipher_operation_init(void);
16801680 * \retval #PSA_ERROR_EMPTY_SLOT
16811681 * \retval #PSA_ERROR_NOT_PERMITTED
16821682 * \retval #PSA_ERROR_INVALID_ARGUMENT
1683- * \p key is not compatible with \p alg.
1683+ * \p handle is not compatible with \p alg.
16841684 * \retval #PSA_ERROR_NOT_SUPPORTED
16851685 * \p alg is not supported or is not a cipher algorithm.
16861686 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1739,7 +1739,7 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
17391739 * \retval #PSA_ERROR_EMPTY_SLOT
17401740 * \retval #PSA_ERROR_NOT_PERMITTED
17411741 * \retval #PSA_ERROR_INVALID_ARGUMENT
1742- * \p key is not compatible with \p alg.
1742+ * \p handle is not compatible with \p alg.
17431743 * \retval #PSA_ERROR_NOT_SUPPORTED
17441744 * \p alg is not supported or is not a cipher algorithm.
17451745 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1967,7 +1967,7 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
19671967 * \retval #PSA_ERROR_EMPTY_SLOT
19681968 * \retval #PSA_ERROR_NOT_PERMITTED
19691969 * \retval #PSA_ERROR_INVALID_ARGUMENT
1970- * \p key is not compatible with \p alg.
1970+ * \p handle is not compatible with \p alg.
19711971 * \retval #PSA_ERROR_NOT_SUPPORTED
19721972 * \p alg is not supported or is not an AEAD algorithm.
19731973 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2025,7 +2025,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
20252025 * The ciphertext is not authentic.
20262026 * \retval #PSA_ERROR_NOT_PERMITTED
20272027 * \retval #PSA_ERROR_INVALID_ARGUMENT
2028- * \p key is not compatible with \p alg.
2028+ * \p handle is not compatible with \p alg.
20292029 * \retval #PSA_ERROR_NOT_SUPPORTED
20302030 * \p alg is not supported or is not an AEAD algorithm.
20312031 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2144,7 +2144,7 @@ static psa_aead_operation_t psa_aead_operation_init(void);
21442144 * \retval #PSA_ERROR_EMPTY_SLOT
21452145 * \retval #PSA_ERROR_NOT_PERMITTED
21462146 * \retval #PSA_ERROR_INVALID_ARGUMENT
2147- * \p key is not compatible with \p alg.
2147+ * \p handle is not compatible with \p alg.
21482148 * \retval #PSA_ERROR_NOT_SUPPORTED
21492149 * \p alg is not supported or is not an AEAD algorithm.
21502150 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2206,7 +2206,7 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
22062206 * \retval #PSA_ERROR_EMPTY_SLOT
22072207 * \retval #PSA_ERROR_NOT_PERMITTED
22082208 * \retval #PSA_ERROR_INVALID_ARGUMENT
2209- * \p key is not compatible with \p alg.
2209+ * \p handle is not compatible with \p alg.
22102210 * \retval #PSA_ERROR_NOT_SUPPORTED
22112211 * \p alg is not supported or is not an AEAD algorithm.
22122212 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2444,7 +2444,7 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
24442444 * psa_aead_update() does not buffer any output and therefore \p ciphertext
24452445 * will not contain any output and can be a 0-sized buffer.
24462446 * - \p tag contains the authentication tag. Its length is always
2447- * #PSA_AEAD_TAG_LENGTH(\p alg) where \p alg is the AEAD algorithm
2447+ * #PSA_AEAD_TAG_LENGTH(\c alg) where \c alg is the AEAD algorithm
24482448 * that the operation performs.
24492449 *
24502450 * When this function returns, the operation becomes inactive.
@@ -2467,7 +2467,7 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
24672467 * The operation state is not valid (not set up, nonce not set,
24682468 * decryption, or already completed).
24692469 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2470- * The size of the \p output buffer is too small.
2470+ * The size of the \p ciphertext or \p tag buffer is too small.
24712471 * \retval #PSA_ERROR_INVALID_ARGUMENT
24722472 * The total length of input to psa_aead_update_ad() so far is
24732473 * less than the additional data length that was previously
@@ -2509,8 +2509,6 @@ psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
25092509 * \retval #PSA_ERROR_BAD_STATE
25102510 * The operation state is not valid (not set up, nonce not set,
25112511 * encryption, or already completed).
2512- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2513- * The size of the \p output buffer is too small.
25142512 * \retval #PSA_ERROR_INVALID_ARGUMENT
25152513 * The total length of input to psa_aead_update_ad() so far is
25162514 * less than the additional data length that was previously
@@ -2576,7 +2574,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
25762574 * \param handle Handle to the key to use for the operation.
25772575 * It must be an asymmetric key pair.
25782576 * \param alg A signature algorithm that is compatible with
2579- * the type of \p key .
2577+ * the type of \p handle .
25802578 * \param[in] hash The hash or message to sign.
25812579 * \param hash_length Size of the \p hash buffer in bytes.
25822580 * \param[out] signature Buffer where the signature is to be written.
@@ -2590,7 +2588,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
25902588 * determine a sufficient buffer size by calling
25912589 * #PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
25922590 * where \c key_type and \c key_bits are the type and bit-size
2593- * respectively of \p key .
2591+ * respectively of \p handle .
25942592 * \retval #PSA_ERROR_NOT_SUPPORTED
25952593 * \retval #PSA_ERROR_INVALID_ARGUMENT
25962594 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2623,7 +2621,7 @@ psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
26232621 * \param handle Handle to the key to use for the operation.
26242622 * It must be a public key or an asymmetric key pair.
26252623 * \param alg A signature algorithm that is compatible with
2626- * the type of \p key .
2624+ * the type of \p handle .
26272625 * \param[in] hash The hash or message whose signature is to be
26282626 * verified.
26292627 * \param hash_length Size of the \p hash buffer in bytes.
@@ -2660,7 +2658,7 @@ psa_status_t psa_asymmetric_verify(psa_key_handle_t handle,
26602658 * It must be a public key or an asymmetric
26612659 * key pair.
26622660 * \param alg An asymmetric encryption algorithm that is
2663- * compatible with the type of \p key .
2661+ * compatible with the type of \p handle .
26642662 * \param[in] input The message to encrypt.
26652663 * \param input_length Size of the \p input buffer in bytes.
26662664 * \param[in] salt A salt or label, if supported by the
@@ -2687,7 +2685,7 @@ psa_status_t psa_asymmetric_verify(psa_key_handle_t handle,
26872685 * determine a sufficient buffer size by calling
26882686 * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
26892687 * where \c key_type and \c key_bits are the type and bit-size
2690- * respectively of \p key .
2688+ * respectively of \p handle .
26912689 * \retval #PSA_ERROR_NOT_SUPPORTED
26922690 * \retval #PSA_ERROR_INVALID_ARGUMENT
26932691 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2716,7 +2714,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
27162714 * \param handle Handle to the key to use for the operation.
27172715 * It must be an asymmetric key pair.
27182716 * \param alg An asymmetric encryption algorithm that is
2719- * compatible with the type of \p key .
2717+ * compatible with the type of \p handle .
27202718 * \param[in] input The message to decrypt.
27212719 * \param input_length Size of the \p input buffer in bytes.
27222720 * \param[in] salt A salt or label, if supported by the
@@ -2743,7 +2741,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
27432741 * determine a sufficient buffer size by calling
27442742 * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
27452743 * where \c key_type and \c key_bits are the type and bit-size
2746- * respectively of \p key .
2744+ * respectively of \p handle .
27472745 * \retval #PSA_ERROR_NOT_SUPPORTED
27482746 * \retval #PSA_ERROR_INVALID_ARGUMENT
27492747 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2880,24 +2878,89 @@ psa_status_t psa_generator_read(psa_crypto_generator_t *generator,
28802878 uint8_t * output ,
28812879 size_t output_length );
28822880
2883- /** Create a symmetric key from data read from a generator.
2884- *
2885- * This function reads a sequence of bytes from a generator and imports
2886- * these bytes as a key.
2887- * The data that is read is discarded from the generator. The generator's
2888- * capacity is decreased by the number of bytes read.
2889- *
2890- * This function is equivalent to calling #psa_generator_read and
2891- * passing the resulting output to #psa_import_key, but
2892- * if the implementation provides an isolation boundary then
2893- * the key material is not exposed outside the isolation boundary.
2881+ /** Generate a key deterministically from data read from a generator.
2882+ *
2883+ * This function uses the output of a generator to derive a key.
2884+ * How much output it consumes and how the key is derived depends on the
2885+ * key type.
2886+ *
2887+ * - For key types for which the key is an arbitrary sequence of bytes
2888+ * of a given size,
2889+ * this function is functionally equivalent to calling #psa_generator_read
2890+ * and passing the resulting output to #psa_import_key.
2891+ * However, this function has a security benefit:
2892+ * if the implementation provides an isolation boundary then
2893+ * the key material is not exposed outside the isolation boundary.
2894+ * As a consequence, for these key types, this function always consumes
2895+ * exactly (\p bits / 8) bytes from the generator.
2896+ * The following key types defined in this specification follow this scheme:
2897+ *
2898+ * - #PSA_KEY_TYPE_AES;
2899+ * - #PSA_KEY_TYPE_ARC4;
2900+ * - #PSA_KEY_TYPE_CAMELLIA;
2901+ * - #PSA_KEY_TYPE_DERIVE;
2902+ * - #PSA_KEY_TYPE_HMAC.
2903+ *
2904+ * - For ECC keys on a Montgomery elliptic curve
2905+ * (#PSA_KEY_TYPE_ECC_KEYPAIR(\c curve) where \c curve designates a
2906+ * Montgomery curve), this function always draws a byte string whose
2907+ * length is determined by the curve, and sets the mandatory bits
2908+ * accordingly. That is:
2909+ *
2910+ * - #PSA_ECC_CURVE_CURVE25519: draw a 32-byte string
2911+ * and process it as specified in RFC 7748 §5.
2912+ * - #PSA_ECC_CURVE_CURVE448: draw a 56-byte string
2913+ * and process it as specified in RFC 7748 §5.
2914+ *
2915+ * - For key types for which the key is represented by a single sequence of
2916+ * \p bits bits with constraints as to which bit sequences are acceptable,
2917+ * this function draws a byte string of length (\p bits / 8) bytes rounded
2918+ * up to the nearest whole number of bytes. If the resulting byte string
2919+ * is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
2920+ * This process is repeated until an acceptable byte string is drawn.
2921+ * The byte string drawn from the generator is interpreted as specified
2922+ * for the output produced by psa_export_key().
2923+ * The following key types defined in this specification follow this scheme:
2924+ *
2925+ * - #PSA_KEY_TYPE_DES.
2926+ * Force-set the parity bits, but discard forbidden weak keys.
2927+ * For 2-key and 3-key triple-DES, the three keys are generated
2928+ * successively (for example, for 3-key triple-DES,
2929+ * if the first 8 bytes specify a weak key and the next 8 bytes do not,
2930+ * discard the first 8 bytes, use the next 8 bytes as the first key,
2931+ * and continue reading output from the generator to derive the other
2932+ * two keys).
2933+ * - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEYPAIR),
2934+ * DSA keys (#PSA_KEY_TYPE_DSA_KEYPAIR), and
2935+ * ECC keys on a Weierstrass elliptic curve
2936+ * (#PSA_KEY_TYPE_ECC_KEYPAIR(\c curve) where \c curve designates a
2937+ * Weierstrass curve).
2938+ * For these key types, interpret the byte string as integer
2939+ * in big-endian order. Discard it if it is not in the range
2940+ * [0, *N* - 2] where *N* is the boundary of the private key domain
2941+ * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
2942+ * or the order of the curve's base point for ECC).
2943+ * Add 1 to the resulting integer and use this as the private key *x*.
2944+ * This method allows compliance to NIST standards, specifically
2945+ * the methods titled "key-pair generation by testing candidates"
2946+ * in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman,
2947+ * in FIPS 186-4 §B.1.2 for DSA, and
2948+ * in NIST SP 800-56A §5.6.1.2.2 or
2949+ * FIPS 186-4 §B.4.2 for elliptic curve keys.
2950+ *
2951+ * - For other key types, including #PSA_KEY_TYPE_RSA_KEYPAIR,
2952+ * the way in which the generator output is consumed is
2953+ * implementation-defined.
2954+ *
2955+ * In all cases, the data that is read is discarded from the generator.
2956+ * The generator's capacity is decreased by the number of bytes read.
28942957 *
28952958 * \param handle Handle to the slot where the key will be stored.
28962959 * It must have been obtained by calling
28972960 * psa_allocate_key() or psa_create_key() and must
28982961 * not contain key material yet.
28992962 * \param type Key type (a \c PSA_KEY_TYPE_XXX value).
2900- * This must be a symmetric key type.
2963+ * This must be a secret key type or a key pair type.
29012964 * \param bits Key size in bits.
29022965 * \param[in,out] generator The generator object to read from.
29032966 *
@@ -2906,12 +2969,10 @@ psa_status_t psa_generator_read(psa_crypto_generator_t *generator,
29062969 * If the key is persistent, the key material and the key's metadata
29072970 * have been saved to persistent storage.
29082971 * \retval #PSA_ERROR_INSUFFICIENT_CAPACITY
2909- * There were fewer than \p output_length bytes
2910- * in the generator. Note that in this case, no
2911- * output is written to the output buffer.
2912- * The generator's capacity is set to 0, thus
2913- * subsequent calls to this function will not
2914- * succeed, even with a smaller output buffer.
2972+ * There was not enough data to create the desired key.
2973+ * Note that in this case, no output is written to the output buffer.
2974+ * The generator's capacity is set to 0, thus subsequent calls to
2975+ * this function will not succeed, even with a smaller output buffer.
29152976 * \retval #PSA_ERROR_NOT_SUPPORTED
29162977 * The key type or key size is not supported, either by the
29172978 * implementation in general or in this particular slot.
@@ -3114,8 +3175,8 @@ psa_status_t psa_key_derivation_input_key(psa_crypto_generator_t *generator,
31143175 * psa_key_derivation_setup() with a
31153176 * key agreement and derivation algorithm
31163177 * \c alg (\c PSA_ALG_XXX value such that
3117- * #PSA_ALG_IS_KEY_AGREEMENT(\p alg) is true
3118- * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
3178+ * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
3179+ * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
31193180 * is false).
31203181 * The generator must be ready for an
31213182 * input of the type given by \p step.
0 commit comments