PSA Key derivation does not allow key output if using key agreement for input secret step

[sbailey-arm]

Description

• Type: Bug
• Priority: Minor

mbed TLS build:
Version: latest commit ID: 0ca6d38

Expected behavior
psa_key_derivation_output_key should be allowed if PSA_KEY_DERIVATION_INPUT_SECRET has been provided using psa_key_derivation_key_agreement.

Actual behavior
psa_key_derivation_output_key fails with PSA_ERROR_NOT_PERMITTED. can_output_key is only set if PSA_KEY_DERIVATION_INPUT_SECRET is provided with a key.

Steps to reproduce
Follow the steps for key derivation as specified in the PSA spec, using psa_key_derivation_key_agreement as the input for step PSA_KEY_DERIVATION_INPUT_SECRET (this was done using psa-crypo as part of this PR).

[gilles-peskine-arm]

The documentation of the PSA_ERROR_NOT_PERMITTED case of psa_key_derivation_output_key is incomplete and inconsistent with the documentation of PSA_KEY_DERIVATION_INPUT_SECRET, which is correct. You can use it after a key agreement. This patch will be in version 1.0.1 of the PSA specification:

-        The `PSA_KEY_DERIVATION_INPUT_SECRET` input was not provided through a key.
+        The `PSA_KEY_DERIVATION_INPUT_SECRET` input was neither provided through a key nor the result of a key agreement.

[gilles-peskine-arm]

This was fixed in #3743.