10.6. Key derivation
10.6.1. Key derivation algorithms
PSA_ALG_HKDF
(macro)
Macro to build an HKDF algorithm.
#define PSA_ALG_HKDF(hash_alg) /* specificationdefined value */
Parameters

hash_alg
A hash algorithm (
PSA_ALG_XXX
value such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true).
Returns
The corresponding HKDF algorithm. For example, PSA_ALG_HKDF
(
PSA_ALG_SHA_256
)
is HKDF using HMACSHA256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
This is the HMACbased ExtractandExpand Key Derivation Function (HKDF) specified by HMACbased ExtractandExpand Key Derivation Function (HKDF) [RFC5869].
This key derivation algorithm uses the following inputs:
PSA_KEY_DERIVATION_INPUT_SALT
is the salt used in the “extract” step. It is optional; if omitted, the derivation uses an empty salt.PSA_KEY_DERIVATION_INPUT_SECRET
is the secret key used in the “extract” step.PSA_KEY_DERIVATION_INPUT_INFO
is the info string used in the “expand” step.
If PSA_KEY_DERIVATION_INPUT_SALT
is provided, it must be before PSA_KEY_DERIVATION_INPUT_SECRET
. PSA_KEY_DERIVATION_INPUT_INFO
can be provided at any time after setup and before starting to generate output.
Each input may only be passed once.
PSA_ALG_TLS12_PRF
(macro)
Macro to build a TLS1.2 PRF algorithm.
#define PSA_ALG_TLS12_PRF(hash_alg) /* specificationdefined value */
Parameters

hash_alg
A hash algorithm (
PSA_ALG_XXX
value such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true).
Returns
The corresponding TLS1.2 PRF algorithm. For example, PSA_ALG_TLS12_PRF
(
PSA_ALG_SHA_256
)
represents the TLS 1.2 PRF using HMACSHA256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule, specified in The Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246] §5. It is based on HMAC and can be used with either SHA256 or SHA384.
This key derivation algorithm uses the following inputs, which must be passed in the order given here:
PSA_KEY_DERIVATION_INPUT_SEED
is the seed.PSA_KEY_DERIVATION_INPUT_SECRET
is the secret key.PSA_KEY_DERIVATION_INPUT_LABEL
is the label.
Each input may only be passed once.
For the application to TLS1.2 key expansion:
The seed is the concatenation of
ServerHello.Random + ClientHello.Random
.The label is
"key expansion"
.
PSA_ALG_TLS12_PSK_TO_MS
(macro)
Macro to build a TLS1.2 PSKtoMasterSecret algorithm.
#define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) /* specificationdefined value */
Parameters

hash_alg
A hash algorithm (
PSA_ALG_XXX
value such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true).
Returns
The corresponding TLS1.2 PSK to MS algorithm. For example, PSA_ALG_TLS12_PSK_TO_MS
(
PSA_ALG_SHA_256
)
represents the TLS1.2 PSK to MasterSecret derivation PRF using HMACSHA256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
In a purePSK handshake in TLS 1.2, the master secret (MS) is derived from the preshared key (PSK) through the application of padding (PreShared Key Ciphersuites for Transport Layer Security (TLS) [RFC4279] §2) and the TLS1.2 PRF (The Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246] §5). The latter is based on HMAC and can be used with either SHA256 or SHA384.
This key derivation algorithm uses the following inputs, which must be passed in the order given here:
PSA_KEY_DERIVATION_INPUT_SEED
is the seed.PSA_KEY_DERIVATION_INPUT_SECRET
is the PSK. The PSK must not be larger thanPSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE
.PSA_KEY_DERIVATION_INPUT_LABEL
is the label.
Each input may only be passed once.
For the application to TLS1.2:
The seed, which is forwarded to the TLS1.2 PRF, is the concatenation of the
ClientHello.Random + ServerHello.Random
.The label is
"master secret"
or"extended master secret"
.
10.6.2. Input step types
psa_key_derivation_step_t
(type)
Encoding of the step of a key derivation.
typedef uint16_t psa_key_derivation_step_t;
PSA_KEY_DERIVATION_INPUT_SECRET
(macro)
A secret input for key derivation.
#define PSA_KEY_DERIVATION_INPUT_SECRET /* implementationdefined value */
This is typically a key of type PSA_KEY_TYPE_DERIVE
passed to psa_key_derivation_input_key()
, or the shared secret resulting from a key agreement obtained via psa_key_derivation_key_agreement()
.
The secret can also be a direct input passed to psa_key_derivation_input_bytes()
. In this case, the derivation operation cannot be used to derive keys: the operation will only allow psa_key_derivation_output_bytes()
, not psa_key_derivation_output_key()
.
PSA_KEY_DERIVATION_INPUT_LABEL
(macro)
A label for key derivation.
#define PSA_KEY_DERIVATION_INPUT_LABEL /* implementationdefined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_CONTEXT
(macro)
A context for key derivation.
#define PSA_KEY_DERIVATION_INPUT_CONTEXT /* implementationdefined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_SALT
(macro)
A salt for key derivation.
#define PSA_KEY_DERIVATION_INPUT_SALT /* implementationdefined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_INFO
(macro)
An information string for key derivation.
#define PSA_KEY_DERIVATION_INPUT_INFO /* implementationdefined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_SEED
(macro)
A seed for key derivation.
#define PSA_KEY_DERIVATION_INPUT_SEED /* implementationdefined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
10.6.3. Key derivation functions
psa_key_derivation_operation_t
(type)
The type of the state object for key derivation operations.
typedef /* implementationdefined type */ psa_key_derivation_operation_t;
Before calling any function on a key derivation operation object, the application must initialize it by any of the following means:
Set the object to allbitszero, for example:
psa_key_derivation_operation_t operation; memset(&operation, 0, sizeof(operation));
Initialize the object to logical zero values by declaring the object as static or global without an explicit initializer, for example:
static psa_key_derivation_operation_t operation;
Initialize the object to the initializer
PSA_KEY_DERIVATION_OPERATION_INIT
, for example:psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Assign the result of the function
psa_key_derivation_operation_init()
to the object, for example:psa_key_derivation_operation_t operation; operation = psa_key_derivation_operation_init();
This is an implementationdefined type. Applications that make assumptions about the content of this object will result in in implementationspecific behavior, and are nonportable.
PSA_KEY_DERIVATION_OPERATION_INIT
(macro)
This macro returns a suitable initializer for a key derivation operation object of type psa_key_derivation_operation_t
.
#define PSA_KEY_DERIVATION_OPERATION_INIT /* implementationdefined value */
psa_key_derivation_operation_init
(function)
Return an initial value for a key derivation operation object.
psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
Returns: psa_key_derivation_operation_t
psa_key_derivation_setup
(function)
Set up a key derivation operation.
psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t * operation, psa_algorithm_t alg);
Parameters

operation
The key derivation operation object to set up. It must have been initialized but not set up yet.

alg
The key derivation algorithm to compute (
PSA_ALG_XXX
value such thatPSA_ALG_IS_KEY_DERIVATION
(
alg
)
is true).
Returns: psa_status_t

PSA_SUCCESS
Success.

PSA_ERROR_INVALID_ARGUMENT
alg
is not a key derivation algorithm.
PSA_ERROR_NOT_SUPPORTED
alg
is not supported or is not a key derivation algorithm.
PSA_ERROR_INSUFFICIENT_MEMORY

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_STORAGE_FAILURE

PSA_ERROR_DATA_CORRUPT

PSA_ERROR_DATA_INVALID

PSA_ERROR_BAD_STATE
The operation state is not valid: it must be inactive.

PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
A key derivation algorithm takes some inputs and uses them to generate a byte stream in a deterministic way. This byte stream can be used to produce keys and other cryptographic material.
To derive a key:
Start with an initialized object of type
psa_key_derivation_operation_t
.Call
psa_key_derivation_setup()
to select the algorithm.Provide the inputs for the key derivation by calling
psa_key_derivation_input_bytes()
orpsa_key_derivation_input_key()
as appropriate. Which inputs are needed, in what order, whether keys are permitted, and what type of keys depends on the algorithm.Optionally set the operation’s maximum capacity with
psa_key_derivation_set_capacity()
. This can be done before, in the middle of, or after providing inputs. For some algorithms, this step is mandatory because the output depends on the maximum capacity.To derive a key, call
psa_key_derivation_output_key()
. To derive a byte string for a different purpose, callpsa_key_derivation_output_bytes()
. Successive calls to these functions use successive output bytes calculated by the key derivation algorithm.Clean up the key derivation operation object with
psa_key_derivation_abort()
.
If this function returns an error, the key derivation operation object is not changed.
If an error occurs at any step after a call to psa_key_derivation_setup()
, the operation will need to be reset by a call to psa_key_derivation_abort()
.
Implementations must reject an attempt to derive a key of size 0
.
psa_key_derivation_get_capacity
(function)
Retrieve the current capacity of a key derivation operation.
psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t * operation, size_t * capacity);
Parameters

operation
The operation to query.

capacity
On success, the capacity of the operation.
Returns: psa_status_t

PSA_SUCCESS

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_BAD_STATE
The operation state is not valid: it must be active.

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
The capacity of a key derivation is the maximum number of bytes that it can return. Reading N bytes of output from a key derivation operation reduces its capacity by at least N. The capacity can be reduced by more than N in the following situations:
Calling
psa_key_derivation_output_key()
can reduce the capacity by more than the key size, depending on the type of key being generated. Seepsa_key_derivation_output_key()
for details of the key derivation process.When the
psa_key_derivation_operation_t
object is operating as a deterministic random bit generator (DBRG), which reduces capacity in whole blocks, even when less than a block is read.
psa_key_derivation_set_capacity
(function)
Set the maximum capacity of a key derivation operation.
psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t * operation, size_t capacity);
Parameters

operation
The key derivation operation object to modify.

capacity
The new capacity of the operation. It must be less or equal to the operation’s current capacity.
Returns: psa_status_t

PSA_SUCCESS

PSA_ERROR_INVALID_ARGUMENT
capacity
is larger than the operation’s current capacity. In this case, the operation object remains valid and its capacity remains unchanged.
PSA_ERROR_BAD_STATE
The operation state is not valid: it must be active.

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
The capacity of a key derivation operation is the maximum number of bytes that the key derivation operation can return from this point onwards.
psa_key_derivation_input_bytes
(function)
Provide an input for key derivation or key agreement.
psa_status_t psa_key_derivation_input_bytes(psa_key_derivation_operation_t * operation, psa_key_derivation_step_t step, const uint8_t * data, size_t data_length);
Parameters

operation
The key derivation operation object to use. It must have been set up with
psa_key_derivation_setup()
and must not have produced any output yet.
step
Which step the input data is for.

data
Input data to use.

data_length
Size of the
data
buffer in bytes.
Returns: psa_status_t

PSA_SUCCESS
Success.

PSA_ERROR_INVALID_ARGUMENT
step
is not compatible with the operation’s algorithm.
PSA_ERROR_INVALID_ARGUMENT
step
does not allow direct inputs.
PSA_ERROR_INSUFFICIENT_MEMORY

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_STORAGE_FAILURE

PSA_ERROR_DATA_CORRUPT

PSA_ERROR_DATA_INVALID

PSA_ERROR_BAD_STATE
The operation state is not valid for this input
step
. This can happen if the application provides a step out of order or repeats a step that may not be repeated.
PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function passes direct inputs, which is usually correct for nonsecret inputs. To pass a secret input, which is normally in a key object, call psa_key_derivation_input_key()
instead of this function. Refer to the documentation of individual step types (PSA_KEY_DERIVATION_INPUT_xxx
values of type psa_key_derivation_step_t
) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_input_key
(function)
Provide an input for key derivation in the form of a key.
psa_status_t psa_key_derivation_input_key(psa_key_derivation_operation_t * operation, psa_key_derivation_step_t step, psa_key_id_t key);
Parameters

operation
The key derivation operation object to use. It must have been set up with
psa_key_derivation_setup()
and must not have produced any output yet.
step
Which step the input data is for.

key
Identifier of the key. It must have an appropriate type for
step
and must allow the usagePSA_KEY_USAGE_DERIVE
.
Returns: psa_status_t

PSA_SUCCESS
Success.

PSA_ERROR_INVALID_HANDLE

PSA_ERROR_NOT_PERMITTED
The key does not have the
PSA_KEY_USAGE_DERIVE
flag.
PSA_ERROR_INVALID_ARGUMENT
step
is not compatible with the operation’s algorithm.
PSA_ERROR_INVALID_ARGUMENT
step
does not allow key inputs of the given type or does not allow key inputs at all.
PSA_ERROR_INSUFFICIENT_MEMORY

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_STORAGE_FAILURE

PSA_ERROR_DATA_CORRUPT

PSA_ERROR_DATA_INVALID

PSA_ERROR_BAD_STATE
The operation state is not valid for this input
step
. This can happen if the application provides a step out of order or repeats a step that may not be repeated.
PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function obtains input from a key object, which is usually correct for secret inputs or for nonsecret personalization strings kept in the key store. To pass a nonsecret parameter which is not in the key store, call psa_key_derivation_input_bytes()
instead of this function. Refer to the documentation of individual step types (PSA_KEY_DERIVATION_INPUT_xxx
values of type psa_key_derivation_step_t
) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_output_bytes
(function)
Read some data from a key derivation operation.
psa_status_t psa_key_derivation_output_bytes(psa_key_derivation_operation_t * operation, uint8_t * output, size_t output_length);
Parameters

operation
The key derivation operation object to read from.

output
Buffer where the output will be written.

output_length
Number of bytes to output.
Returns: psa_status_t

PSA_SUCCESS

PSA_ERROR_INSUFFICIENT_DATA
The operation’s capacity was less than
output_length
bytes. Note that in this case, no output is written to the output buffer. The operation’s capacity is set to0
, thus subsequent calls to this function will not succeed, even with a smaller output buffer.
PSA_ERROR_BAD_STATE
The operation state is not valid: it must be active and completed all required input steps.

PSA_ERROR_INSUFFICIENT_MEMORY

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_STORAGE_FAILURE

PSA_ERROR_DATA_CORRUPT

PSA_ERROR_DATA_INVALID

PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
This function calculates output bytes from a key derivation algorithm and returns those bytes. If the key derivation’s output is viewed as a stream of bytes, this function consumes the requested number of bytes from the stream and returns them to the caller. The operation’s capacity decreases by the number of bytes read.
If this function returns an error status other than PSA_ERROR_INSUFFICIENT_DATA
, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_output_key
(function)
Derive a key from an ongoing key derivation operation.
psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t * attributes, psa_key_derivation_operation_t * operation, psa_key_id_t * key);
Parameters

attributes
The attributes for the new key. This function uses the attributes as follows:
The key type is required. It cannot be an asymmetric public key.
The key size is required. It must be a valid size for the key type.
The key permittedalgorithm policy is required for keys that will be used for a cryptographic operation, see Permitted algorithms.
The key usage flags define what operations are permitted with the key, see Key usage flags.
The key lifetime and identifier are required for a persistent key.
Note
This is an input parameter: it is not updated with the final key attributes. The final attributes of the new key can be queried by calling
psa_get_key_attributes()
with the key’s identifier.
operation
The key derivation operation object to read from.

key
On success, an identifier for the newly created key.
PSA_KEY_ID_NULL
on failure.
Returns: psa_status_t

PSA_SUCCESS
Success. If the key is persistent, the key material and the key’s metadata have been saved to persistent storage.

PSA_ERROR_ALREADY_EXISTS
This is an attempt to create a persistent key, and there is already a persistent key with the given identifier.

PSA_ERROR_INSUFFICIENT_DATA
There was not enough data to create the desired key. Note that in this case, no output is written to the output buffer. The operation’s capacity is set to
0
, thus subsequent calls to this function will not succeed, even with a smaller output buffer.
PSA_ERROR_NOT_SUPPORTED
The key type or key size is not supported, either by the implementation in general or in this particular location.

PSA_ERROR_INVALID_ARGUMENT
The key attributes, as a whole, are invalid.

PSA_ERROR_INVALID_ARGUMENT
The key type is an asymmetric public key type.

PSA_ERROR_INVALID_ARGUMENT
The key size is not a valid size for the key type.

PSA_ERROR_NOT_PERMITTED
The
PSA_KEY_DERIVATION_INPUT_SECRET
input was neither provided through a key nor the result of a key agreement.
PSA_ERROR_BAD_STATE
The operation state is not valid: it must be active and completed all required input steps.

PSA_ERROR_INSUFFICIENT_MEMORY

PSA_ERROR_INSUFFICIENT_STORAGE

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_STORAGE_FAILURE

PSA_ERROR_DATA_CORRUPT

PSA_ERROR_DATA_INVALID

PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
This function calculates output bytes from a key derivation algorithm and uses those bytes to generate a key deterministically. The key’s location, policy, type and size are taken from attributes
.
If the key derivation’s output is viewed as a stream of bytes, this function consumes the required number of bytes from the stream. The operation’s capacity decreases by the number of bytes used to derive the key.
If this function returns an error status other than PSA_ERROR_INSUFFICIENT_DATA
, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
How much output is produced and consumed from the operation, and how the key is derived, depends on the key type. Table 5 describes the required key derivation procedures for standard key derivation algorithms. Implementations can use other methods for implementationspecific algorithms.
In all cases, the data that is read is discarded from the operation. The operation’s capacity is decreased by the number of bytes read.
Key type 
Key type details and derivation procedure 

AES ARC4 CAMELLIA ChaCha20 SM4 Secrets for derivation HMAC 
For key types for which the key is an arbitrary sequence of bytes of a given size, this function is functionally equivalent to calling 
DES 
This function generates a key using the following process:

2key 3DES 3key 3DES 
The two or three keys are generated by repeated application of the process used to generate a DES key. For example, for 3key 3DES, if the first 8 bytes specify a weak key and the next 8 bytes do not, discard the first 8 bytes, use the next 8 bytes as the first key, and continue reading output from the operation to derive the other two keys. 
Finitefield DiffieHellman keys ECC keys on a Weierstrass elliptic curve 
These key types require the generation of a private key which is an integer in the range [1, N  1], where N is the boundary of the private key domain: N is the prime p for DiffieHellman, or the order of the curve’s base point for ECC. Let
This method allows compliance to NIST standards, specifically the methods titled KeyPair Generation by Testing Candidates in the following publications:

ECC keys on a Montgomery elliptic curve 
This function always draws a byte string whose length is determined by the curve, and sets the mandatory bits accordingly. That is:

Other key types 
This includes The way in which the operation output is consumed is implementationdefined. 
For algorithms that take an input step PSA_KEY_DERIVATION_INPUT_SECRET
, the input to that step must be provided with psa_key_derivation_input_key()
. Future versions of this specification might include additional restrictions on the derived key based on the attributes and strength of the secret key.
psa_key_derivation_abort
(function)
Abort a key derivation operation.
psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t * operation);
Parameters

operation
The operation to abort.
Returns: psa_status_t

PSA_SUCCESS

PSA_ERROR_COMMUNICATION_FAILURE

PSA_ERROR_HARDWARE_FAILURE

PSA_ERROR_CORRUPTION_DETECTED

PSA_ERROR_BAD_STATE
The library has not been previously initialized by
psa_crypto_init()
. It is implementationdependent whether a failure to initialize results in this error code.
Description
Aborting an operation frees all associated resources except for the operation
object itself. Once aborted, the operation object can be reused for another operation by calling psa_key_derivation_setup()
again.
This function can be called at any time after the operation object has been initialized as described in psa_key_derivation_operation_t
.
In particular, it is valid to call psa_key_derivation_abort()
twice, or to call psa_key_derivation_abort()
on an operation that has not been set up.
10.6.4. Support macros
PSA_ALG_IS_HKDF
(macro)
Whether the specified algorithm is an HKDF algorithm.
#define PSA_ALG_IS_HKDF(alg) /* specificationdefined value */
Parameters

alg
An algorithm identifier (value of type
psa_algorithm_t
).
Returns
1
if alg
is an HKDF algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
Description
HKDF is a family of key derivation algorithms that are based on a hash function and the HMAC construction.
PSA_ALG_IS_TLS12_PRF
(macro)
Whether the specified algorithm is a TLS1.2 PRF algorithm.
#define PSA_ALG_IS_TLS12_PRF(alg) /* specificationdefined value */
Parameters

alg
An algorithm identifier (value of type
psa_algorithm_t
).
Returns
1
if alg
is a TLS1.2 PRF algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_ALG_IS_TLS12_PSK_TO_MS
(macro)
Whether the specified algorithm is a TLS1.2 PSK to MS algorithm.
#define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) /* specificationdefined value */
Parameters

alg
An algorithm identifier (value of type
psa_algorithm_t
).
Returns
1
if alg
is a TLS1.2 PSK to MS algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_KEY_DERIVATION_UNLIMITED_CAPACITY
(macro)
Use the maximum possible capacity for a key derivation operation.
#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY \ /* implementationdefined value */
Use this value as the capacity argument when setting up a key derivation to specify that the operation will use the maximum possible capacity. The value of the maximum possible capacity depends on the key derivation algorithm.
PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE
(macro)
This macro returns the maximum supported length of the PSK for the TLS1.2 PSKtoMS key derivation.
#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE /* implementationdefined value */
This implementationdefined value specifies the maximum length for the PSK input used with a PSA_ALG_TLS12_PSK_TO_MS()
key agreement algorithm.
Quoting PreShared Key Ciphersuites for Transport Layer Security (TLS) [RFC4279] §5.3:
TLS implementations supporting these cipher suites MUST support arbitrary PSK identities up to 128 octets in length, and arbitrary PSKs up to 64 octets in length. Supporting longer identities and keys is RECOMMENDED.
Therefore, it is recommended that implementations define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE
with a value greater than or equal to 64
.