The type of a structure containing key attributes.
This is an opaque structure that can represent the metadata of a key object. Metadata that can be stored in attributes includes:
- The location of the key in storage, indicated by its key identifier and its lifetime.
- The key's policy, comprising usage flags and a specification of the permitted algorithm(s).
- Information about the key itself: the key type and its size.
- Implementations may define additional attributes.
The actual key material is not considered an attribute of a key. Key attributes do not contain information that is generally considered highly confidential.
An attribute structure can be a simple data structure where each function psa_set_key_xxx sets a field and the corresponding function psa_get_key_xxx retrieves the value of the corresponding field. However, implementations may report values that are equivalent to the original one, but have a different encoding. For example, an implementation may use a more compact representation for types where many bit-patterns are invalid or not supported, and store all values that it does not support as a special marker value. In such an implementation, after setting an invalid value, the corresponding get function returns an invalid value which may not be the one that was originally stored.
An attribute structure may contain references to auxiliary resources, for example pointers to allocated memory or indirect references to pre-calculated values. In order to free such resources, the application must call cy_p64_psa_reset_key_attributes(). As an exception, calling cy_p64_psa_reset_key_attributes() on an attribute structure is optional if the structure has only been modified by the following functions since it was initialized or last reset with cy_p64_psa_reset_key_attributes():
Before calling any function on a key attribute structure, the application must initialize it by any of the following means:
- Set the structure to all-bits-zero, for example:
memset(&attributes, 0, sizeof(attributes));
- Initialize the structure to logical zero values, for example:
- Initialize the structure to the initializer CY_P64_PSA_KEY_ATTRIBUTES_INIT, for example:
- Assign the result of the function cy_p64_psa_key_attributes_init() to the structure, for example:
A freshly initialized attribute structure contains the following values:
- lifetime: CY_P64_PSA_KEY_LIFETIME_VOLATILE.
- key identifier: 0 (which is not a valid key identifier).
- type:
0 (meaning that the type is unspecified).
- key size:
0 (meaning that the size is unspecified).
- usage flags:
0 (which allows no usage except exporting a public key).
- algorithm:
0 (which allows no cryptographic usage, but allows exporting).
A typical sequence to create a key is as follows:
- Create and initialize an attribute structure.
- If the key is persistent, call cy_p64_psa_set_key_id(). Also call cy_p64_psa_set_key_lifetime() to place the key in a non-default location.
- Set the key policy with cy_p64_psa_set_key_usage_flags() and cy_p64_psa_set_key_algorithm().
- Set the key type with cy_p64_psa_set_key_type(). Skip this step if copying an existing key with psa_copy_key().
- When generating a random key with cy_p64_psa_generate_key() or deriving a key with cy_p64_psa_key_derivation_output_key(), set the desired key size with cy_p64_psa_set_key_bits().
- Call a key creation function: cy_p64_psa_import_key(), cy_p64_psa_generate_key(), cy_p64_psa_key_derivation_output_key() or psa_copy_key(). This function reads the attribute structure, creates a key with these attributes, and outputs a handle to the newly created key.
- The attribute structure is now no longer necessary. You may call cy_p64_psa_reset_key_attributes(), although this is optional with the workflow presented here because the attributes currently defined in this specification do not require any additional resources beyond the structure itself.
A typical sequence to query a key's attributes is as follows:
- Call cy_p64_psa_get_key_attributes().
- Call
psa_get_key_xxx functions to retrieve the attribute(s) that you are interested in.
- Call cy_p64_cy_p64_psa_reset_key_attributes() to free any resources that may be used by the attribute structure.
Once a key is created, it is impossible to change its attributes.
