diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index be89f289f8..381abf9605 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -392,15 +392,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime(
 return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) );
 }
-static inline void psa_set_key_usage_flags( psa_key_attributes_t *attributes,
- psa_key_usage_t usage_flags )
+static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags )
 {
- if( usage_flags & PSA_KEY_USAGE_SIGN_HASH )
- usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
+ if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH )
+ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
- if( usage_flags & PSA_KEY_USAGE_VERIFY_HASH )
- usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH )
+ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+}
+static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
+ psa_key_usage_t usage_flags)
+{
+ psa_extend_key_usage_flags( &usage_flags );
 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags;
 }
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 925d68428c..bab2a1aa78 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -391,6 +391,10 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
 if( status == PSA_ERROR_DOES_NOT_EXIST )
 status = PSA_ERROR_INVALID_HANDLE;
 }
+ else
+ /* Do the key usage policy extension. */
+ psa_extend_key_usage_flags( &(*p_slot)->attr.policy.usage );
+
 return( status );
 #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
 return( PSA_ERROR_INVALID_HANDLE );
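Review bot: In `include/psa/crypto_struct.h`, the new `psa_extend_key_usage_flags()` has no comment although it widens a key usage policy in place through its pointer argument, and its `psa_` prefix in a header under `include/` makes it look like an application-facing function. A comment above it would state the contract, for example `/* Add the usage flags implied by those already set (SIGN_HASH -> SIGN_MESSAGE, VERIFY_HASH -> VERIFY_MESSAGE); modifies *usage_flags. */`, and if it is meant for library use only the comment should say so. The rewritten signature `psa_set_key_usage_flags(psa_key_attributes_t *attributes,` also drops the `( ... )` spacing used by the lines around it.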
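Review bot: In `library/psa_crypto_slot_management.c`, the new `else` in `psa_get_and_lock_key_slot()` is unbraced and has a comment between it and its only statement, so a line added later would silently fall outside the branch and run on the failure path as well; `else { psa_extend_key_usage_flags( &(*p_slot)->attr.policy.usage ); }` keeps the branch explicit. The call rewrites the slot's in-memory usage policy, so attributes read back afterwards presumably carry flags that were not in the policy as loaded, and the comment `Do the key usage policy extension.` does not say why; something like `/* Add the usage flags implied by the loaded policy (SIGN_HASH -> SIGN_MESSAGE, VERIFY_HASH -> VERIFY_MESSAGE). */` would help. The `if` that this `else` belongs to starts outside the hunk, so whether `*p_slot` is always valid on this path cannot be confirmed from these lines.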