Merge "Add AGREE_KEY operation for EC keys."
diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 3fd2b19..3195ee0 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -384,6 +384,18 @@
return Err(Error::Km(Ec::INCOMPATIBLE_PURPOSE))
.context("In authorize_create: WRAP_KEY purpose is not allowed here.");
}
+ // Allow AGREE_KEY for EC keys only.
+ KeyPurpose::AGREE_KEY => {
+ for kp in key_params.iter() {
+ if kp.get_tag() == Tag::ALGORITHM
+ && *kp.key_parameter_value() != KeyParameterValue::Algorithm(Algorithm::EC)
+ {
+ return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(
+ "In authorize_create: key agreement is only supported for EC keys.",
+ );
+ }
+ }
+ }
KeyPurpose::VERIFY | KeyPurpose::ENCRYPT => {
// We do not support ENCRYPT and VERIFY (the remaining two options of purpose) for
// asymmetric keys.
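Review bot: The new `KeyPurpose::AGREE_KEY` arm fails open when `key_params` carries no `Tag::ALGORITHM` entry: the loop only rejects a present, non-EC algorithm, so a parameter set without that tag passes and key agreement is authorized. Whether such a set can reach `authorize_create` depends on callers outside this hunk, but an enforcement check is safer written as a positive requirement, e.g. `let is_ec = key_params.iter().any(|kp| kp.get_tag() == Tag::ALGORITHM && *kp.key_parameter_value() == KeyParameterValue::Algorithm(Algorithm::EC));` followed by `if !is_ec { return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(...); }`. If the permissive behaviour is intentional, the comment should say so, for instance `// A missing ALGORITHM tag is accepted here; the key is assumed to have been validated at creation.` The enclosing match and function begin and end outside the hunk, so this is based only on the visible arm.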