Fix policy validity check on key creation.
Add a non-regression test.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f1ddb14..258caad 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1469,10 +1469,6 @@
return( status );
}
- status = psa_check_key_slot_policy( slot );
- if( status != PSA_SUCCESS )
- return( status );
-
/* Refuse to create overly large keys.
* Note that this doesn't trigger on import if the attributes don't
* explicitly specify a size (so psa_get_key_bits returns 0), so
@@ -1487,6 +1483,10 @@
slot->attr = attributes->core;
+ status = psa_check_key_slot_policy( slot );
+ if( status != PSA_SUCCESS )
+ return( status );
+
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/* For a key in a secure element, we need to do three things:
* create the key file in internal storage, create the
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 9bf2290..e04fdf8 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -52,6 +52,9 @@
PSA invalid handle (largest plausible handle)
invalid_handle:-1
+PSA import: bad usage flag
+import_with_policy:PSA_KEY_TYPE_RAW_DATA:0x40000000:0:PSA_ERROR_INVALID_ARGUMENT
+
PSA import: invalid type (0)
import_with_policy:PSA_KEY_TYPE_NONE:0:0:PSA_ERROR_NOT_SUPPORTED