Skip to content

Key usage policies #233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
billphipps merged 2 commits into from
Nov 7, 2025
Merged

Key usage policies #233

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0f0072a
Add key usage policies and enforcement for cryptographic operations
bigbrett Oct 31, 2025
264d9a8
relax NULL checks in freshen key and helper function to support optional
bigbrett Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions benchmark/bench_modules/wh_bench_mod_aes.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,8 @@ static int _benchAesCtr(whClientContext* client, whBenchOpContext* ctx, int id,
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -204,8 +204,8 @@ static int _benchAesEcb(whClientContext* client, whBenchOpContext* ctx, int id,
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -337,8 +337,8 @@ static int _benchAesCbc(whClientContext* client, whBenchOpContext* ctx, int id,
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -503,8 +503,8 @@ static int _benchAesGcmDma(whClientContext* client, whBenchOpContext* ctx,
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -635,8 +635,8 @@ static int _benchAesGcm(whClientContext* client, whBenchOpContext* ctx, int id,
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down
4 changes: 2 additions & 2 deletions benchmark/bench_modules/wh_bench_mod_cmac.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,8 @@ int _benchCmacAes(whClientContext* client, whBenchOpContext* ctx, int id,
uint8_t* out = NULL;

/* cache the key on the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, sizeof(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
sizeof(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to wh_Client_KeyCache %d\n", ret);
return ret;
Expand Down
10 changes: 6 additions & 4 deletions benchmark/bench_modules/wh_bench_mod_curve25519.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,16 +141,18 @@ int wh_Bench_Mod_Curve25519SharedSecret(whClientContext* client,
char keyLabel[] = "bench-key";

/* Cache Alice's key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
key1_der, sizeof(key1_der), &keyIdAlice);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), key1_der, sizeof(key1_der),
&keyIdAlice);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache Alice's key %d\n", ret);
return ret;
}

/* Cache Bob's key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
key2_der, sizeof(key2_der), &keyIdBob);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), key2_der, sizeof(key2_der),
&keyIdBob);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache Bob's key %d\n", ret);
wh_Client_KeyEvict(client, keyIdAlice);
Expand Down
18 changes: 10 additions & 8 deletions benchmark/bench_modules/wh_bench_mod_ecc.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,8 +86,8 @@ int _benchEccSign(whClientContext* client, whBenchOpContext* ctx, int id,
initialized_rng = 1;

/* Cache key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
goto exit;
Expand Down Expand Up @@ -197,8 +197,8 @@ int _benchEccVerify(whClientContext* client, whBenchOpContext* ctx, int id,
initialized_rng = 1;

/* Cache the key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
goto exit;
Expand Down Expand Up @@ -392,16 +392,18 @@ int _benchEccEcdh(whClientContext* client, whBenchOpContext* ctx, int id,
initialized_rng = 1;

/* Cache Alice's key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)aliceKeyData, aliceKeyLen, &keyIdAlice);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)aliceKeyData,
aliceKeyLen, &keyIdAlice);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache Alice's key %d\n", ret);
goto exit;
}

/* Cache Bob's key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)bobKeyData, bobKeyLen, &keyIdBob);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)bobKeyData, bobKeyLen,
&keyIdBob);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache Bob's key %d\n", ret);
goto exit;
Expand Down
16 changes: 10 additions & 6 deletions benchmark/bench_modules/wh_bench_mod_mldsa.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -664,14 +664,16 @@ static int _benchMlDsaSign(whClientContext* client, whBenchOpContext* ctx,
/* Import key to the HSM */
#if defined(WOLFHSM_CFG_DMA)
if (devId == WH_DEV_ID_DMA) {
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId, 0,
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId,
WH_NVM_FLAGS_USAGE_ANY,
strlen(keyLabel), (uint8_t*)keyLabel);
}
else
#endif /* !(WOLFHSM_CFG_DMA) */
{
ret = wh_Client_MlDsaImportKey(client, &key, &keyId, 0,
strlen(keyLabel), (uint8_t*)keyLabel);
ret = wh_Client_MlDsaImportKey(client, &key, &keyId,
WH_NVM_FLAGS_USAGE_ANY, strlen(keyLabel),
(uint8_t*)keyLabel);
}
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
Expand Down Expand Up @@ -812,14 +814,16 @@ static int _benchMlDsaVerify(whClientContext* client, whBenchOpContext* ctx,
/* Import key to the HSM */
#if defined(WOLFHSM_CFG_DMA)
if (devId == WH_DEV_ID_DMA) {
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId, 0,
ret = wh_Client_MlDsaImportKeyDma(client, &key, &keyId,
WH_NVM_FLAGS_USAGE_ANY,
strlen(keyLabel), (uint8_t*)keyLabel);
}
else
#endif /* !(WOLFHSM_CFG_DMA) */
{
ret = wh_Client_MlDsaImportKey(client, &key, &keyId, 0,
strlen(keyLabel), (uint8_t*)keyLabel);
ret = wh_Client_MlDsaImportKey(client, &key, &keyId,
WH_NVM_FLAGS_USAGE_ANY, strlen(keyLabel),
(uint8_t*)keyLabel);
}
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache key %d\n", ret);
Expand Down
12 changes: 6 additions & 6 deletions benchmark/bench_modules/wh_bench_mod_rsa.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -361,8 +361,8 @@ int _benchRsaCrypt(whClientContext* client, whBenchOpContext* ctx, int id,
initialized_rng = 1;

/* Cache the RSA key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache RSA key %d\n", ret);
goto exit;
Expand Down Expand Up @@ -493,8 +493,8 @@ int _benchRsaVerify(whClientContext* client, whBenchOpContext* ctx, int id,
initialized_rng = 1;

/* Cache the RSA key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache RSA key %d\n", ret);
goto exit;
Expand Down Expand Up @@ -615,8 +615,8 @@ int _benchRsaSign(whClientContext* client, whBenchOpContext* ctx, int id,
initialized_rng = 1;

/* Cache the RSA key in the HSM */
ret = wh_Client_KeyCache(client, 0, (uint8_t*)keyLabel, strlen(keyLabel),
(uint8_t*)key, keyLen, &keyId);
ret = wh_Client_KeyCache(client, WH_NVM_FLAGS_USAGE_ANY, (uint8_t*)keyLabel,
strlen(keyLabel), (uint8_t*)key, keyLen, &keyId);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to cache RSA key %d\n", ret);
goto exit;
Expand Down
73 changes: 44 additions & 29 deletions examples/demo/client/wh_demo_client_crypto.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,8 +170,9 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext)
close(keyFd);

/* cache the key in the HSM, get HSM assigned keyId */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
strlen(keyLabel), keyBuf, keySz, &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT,
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf, keySz, &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -359,8 +360,9 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext)


/* cache the key in the HSM, get HSM assigned keyId */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
strlen(keyLabel), keyBuf, keySz, &keyIdBob);
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE,
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf,
keySz, &keyIdBob);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -394,8 +396,9 @@ int wh_DemoClient_CryptoCurve25519Import(whClientContext* clientContext)
close(keyFd);

/* cache the key in the HSM, get HSM assigned keyId */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
strlen(keyLabel), keyBuf, keySz, &keyIdAlice);
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE,
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf,
keySz, &keyIdAlice);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -649,8 +652,11 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext)
close(keyFd);
/* Cache the key in the HSM, get HSM assigned keyId. From here on out, the
* keys are stored in the HSM and can be referred to by keyId */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
strlen(keyLabel), keyBuf, keySz, &keyIdAlice);
ret = wh_Client_KeyCache(
clientContext,
WH_NVM_FLAGS_USAGE_DERIVE | WH_NVM_FLAGS_USAGE_SIGN |
WH_NVM_FLAGS_USAGE_VERIFY,
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf, keySz, &keyIdAlice);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -694,8 +700,11 @@ int wh_DemoClient_CryptoEccImport(whClientContext* clientContext)
}
close(keyFd);
/* Cache the key in the HSM, get HSM assigned keyId */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
strlen(keyLabel), keyBuf, keySz, &keyIdBob);
ret = wh_Client_KeyCache(
clientContext,
WH_NVM_FLAGS_USAGE_DERIVE | WH_NVM_FLAGS_USAGE_SIGN |
WH_NVM_FLAGS_USAGE_VERIFY,
(uint8_t*)keyLabel, strlen(keyLabel), keyBuf, keySz, &keyIdBob);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -902,8 +911,9 @@ int wh_DemoClient_CryptoAesCbcImport(whClientContext* clientContext)
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
sizeof(keyLabel), key, sizeof(key), &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT,
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -1050,8 +1060,9 @@ int wh_DemoClient_CryptoAesGcmImport(whClientContext* clientContext)
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
sizeof(keyLabel), key, sizeof(key), &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT,
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -1193,8 +1204,9 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext)
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
sizeof(keyLabel), key, sizeof(key), &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -1235,8 +1247,9 @@ int wh_DemoClient_CryptoCmacImport(whClientContext* clientContext)

/* cache the key on the HSM. This is required because the key is evicted
* after the non-DMA CMAC operation is finalized */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
sizeof(keyLabel), key, sizeof(key), &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -1289,8 +1302,9 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext)
}

/* cache the key on the HSM */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
sizeof(keyLabel), key, sizeof(key), &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -1327,8 +1341,9 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext)

/* cache the key on the HSM again, cmac keys are evicted after non-DMA CMAC
* operations are finalized is called */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
sizeof(keyLabel), key, sizeof(key), &keyId);
ret = wh_Client_KeyCache(
clientContext, WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY,
(uint8_t*)keyLabel, sizeof(keyLabel), key, sizeof(key), &keyId);
if (ret != 0) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
goto exit;
Expand Down Expand Up @@ -1419,7 +1434,7 @@ int wh_DemoClient_CryptoHkdfCache(whClientContext* clientContext)
const uint32_t outSz = 32; /* arbitrary output size */

/* Metadata flags/label for the cached key. Adjust to your requirements. */
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE;
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE | WH_NVM_FLAGS_USAGE_DERIVE;
char label[] = "hkdf-derived key";

/* Request the HSM to derive HKDF output and store it in the key cache.
Expand Down Expand Up @@ -1467,9 +1482,9 @@ int wh_DemoClient_CryptoHkdfCacheInputKey(whClientContext* clientContext)
byte okm[32]; /* Output key material */

/* First, cache the input key material in the HSM */
ret = wh_Client_KeyCache(clientContext, 0, (uint8_t*)keyLabel,
(uint32_t)strlen(keyLabel), ikm,
(uint32_t)sizeof(ikm), &keyIdIn);
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE,
(uint8_t*)keyLabel, (uint32_t)strlen(keyLabel),
ikm, (uint32_t)sizeof(ikm), &keyIdIn);
if (ret != WH_ERROR_OK) {
printf("Failed to wh_Client_KeyCache %d\n", ret);
return ret;
Expand Down Expand Up @@ -1565,7 +1580,7 @@ int wh_DemoClient_CryptoCmacKdfCache(whClientContext* clientContext)
{
int ret = 0;
whKeyId keyId = WH_KEYID_ERASED;
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE;
whNvmFlags flags = WH_NVM_FLAGS_NONEXPORTABLE | WH_NVM_FLAGS_USAGE_DERIVE;
const char label[] = "cmac-kdf cache";

ret = wh_Client_CmacKdfMakeCacheKey(
Expand Down Expand Up @@ -1609,7 +1624,7 @@ int wh_DemoClient_CryptoCmacKdfCacheInputs(whClientContext* clientContext)
* as the salt is usually not sensitive information. If it is desired to use
* HSM-only information as salt, then this would likely be provisioned
* as an offline step */
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_NONE, NULL, 0,
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE, NULL, 0,
demoCmacKdfSalt, (uint32_t)sizeof(demoCmacKdfSalt),
&saltKeyId);
if (ret != WH_ERROR_OK) {
Expand All @@ -1619,7 +1634,7 @@ int wh_DemoClient_CryptoCmacKdfCacheInputs(whClientContext* clientContext)

/* Cache the Z input. This would typically be done offline during the HSM
* provisioning step, but is shown here for completeness */
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_NONE, NULL, 0,
ret = wh_Client_KeyCache(clientContext, WH_NVM_FLAGS_USAGE_DERIVE, NULL, 0,
demoCmacKdfZ, (uint32_t)sizeof(demoCmacKdfZ),
&zKeyId);
if (ret != WH_ERROR_OK) {
Expand Down
Loading