Inconsistency in usage flags for psa mac multi-step/single-step operations
KhaledPakizeh opened this issue · 3 comments
There is consistency in the key usage flags for the keys between the multi-step and single step operations for all the PSA_MAC operations when the key type is PSA_KEY_TYPE_HMAC.
Example:
-
In test_c046 which is psa_mac_compute (single step operation) we see that the usage flag is PSA_KEY_USAGE_SIGN_HASH.
-
In test_c027 we see the key usage flag is set to PSA_KEY_USAGE_SIGN_MESSAGE.
-
It not correct to have two different usage flags since the operation is completing the same task. I believe the correct flag to use for both multi-step and single-step operations for the HMAC algorithm is PSA_KEY_USAGE_SIGN_MESSAGE.
-
This can be verified by looking at the psa_mac definitions
-
All cases in (psa_mac_abort test_c31) are effected.
@Kpakizeh , please refer the PSA_KEY_USAGE_SIGN_HASH in spec,
PSA_KEY_USAGE_SIGN_HASH (macro)
Permission to sign a message hash with the key.
#define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000)
This �ag allows the key to be used to sign a message hash as part of an asymmetric signature operation, if
otherwise permitted by the key’s type and policy. The �ag must be present on keys used when calling
psa_sign_hash().
This �ag automatically sets PSA_KEY_USAGE_SIGN_MESSAGE: if an application sets the �ag
PSA_KEY_USAGE_SIGN_HASH when creating a key, then the key always has the permissions conveyed by
PSA_KEY_USAGE_SIGN_MESSAGE, and the �ag PSA_KEY_USAGE_SIGN_MESSAGE will also be present when the
application queries the usage �ags of the key.
For a key pair, this concerns the private key.
@Kpakizeh , hope you are agreeing on the explanation. if so lets close this ticket. i will wait for your reply.
closing this ticket.