Key derivation: forbid output_key without input_key

If none of the inputs to a key derivation is a PSA_KEY_DERIVATION_INPUT_SECRET passed with psa_key_derivation_input_key(), forbid psa_key_derivation_output_key(). It usually doesn't make sense to derive a key object if the secret isn't itself a proper key.
2025-07-29 11:41:15 +03:00 · 2019-09-24 18:21:06 +02:00
parent 1a2904c49a
commit 178c9aa966
5 changed files with 53 additions and 6 deletions
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -1622,7 +1622,11 @@
 * (passed to psa_key_derivation_input_key())
 * or the shared secret resulting from a key agreement
 * (obtained via psa_key_derivation_key_agreement()).
- * It can also be a direct input (passed to key_derivation_input_bytes()).
+ *
+ * The secret can also be a direct input (passed to
+ * key_derivation_input_bytes()). In this case, the derivation operation
+ * may not be used to derive keys: the operation will only allow
+ * psa_key_derivation_output_bytes(), not psa_key_derivation_output_key().
 */
 #define PSA_KEY_DERIVATION_INPUT_SECRET     ((psa_key_derivation_step_t)0x0101)