diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index aee4002e8..94242f897 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -391,15 +391,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime(
 return( attributes->core.lifetime );
 }
+static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags )
+{
+ if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH )
+ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
+
+ if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH )
+ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+}
+
 static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
 {
- if( usage_flags & PSA_KEY_USAGE_SIGN_HASH )
- usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
-
- if( usage_flags & PSA_KEY_USAGE_VERIFY_HASH )
- usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
-
+ psa_extend_key_usage_flags( &usage_flags );
 attributes->core.policy.usage = usage_flags;
 }
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index f90b0e333..3d10353cc 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -392,6 +392,10 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
 if( status == PSA_ERROR_DOES_NOT_EXIST )
 status = PSA_ERROR_INVALID_HANDLE;
 }
+ else
+ /* Do the key usage policy extension. */
+ psa_extend_key_usage_flags( &(*p_slot)->attr.policy.usage );
+
 return( status );
 #else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
 return( PSA_ERROR_INVALID_HANDLE );
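Review bot: The new `psa_extend_key_usage_flags` in include/psa/crypto_struct.h is a `psa_`-prefixed static inline with no comment stating its contract, even though it is the single place where a key usage policy gets widened. I would document it above the definition, for example `/* Extend a usage policy in place: SIGN_HASH implies SIGN_MESSAGE, VERIFY_HASH implies VERIFY_MESSAGE. Only adds flags; usage_flags must be non-NULL. */`. If the helper is meant for library-internal callers only, the comment should say so, because this file sits under include/psa/ and is presumably visible to applications that include it.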
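Review bot: In library/psa_crypto_slot_management.c the added `else` branch of `psa_get_and_lock_key_slot` rewrites the slot's `attr.policy.usage` in place, so the policy enforced for a key can be wider than the one it was stored with, and the comment `/* Do the key usage policy extension. */` does not say why. I would replace it with something like `/* A key whose policy has *_HASH usage must also permit *_MESSAGE: extend the slot's policy here. */` so a later reader does not mistake the widening for a policy bypass. The branch also hangs unbraced off a braced `if` with a comment between `else` and its statement; `else { psa_extend_key_usage_flags( &(*p_slot)->attr.policy.usage ); }` is safer against a later second statement. The `if` this `else` pairs with and any earlier return paths lie outside the hunk, so it is worth confirming that every path that hands back a slot applies the same extension.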