diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ba688bccd..dce8e097f 100755
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1345,6 +1345,8 @@ psa_status_t psa_asymmetric_verify(psa_key_slot_t key,
 slot = &global_data.key_slots[key];
 if( slot->type == PSA_KEY_TYPE_NONE )
 return( PSA_ERROR_EMPTY_SLOT );
+ if (!(slot->policy.usage & PSA_KEY_USAGE_VERIFY))
+ return(PSA_ERROR_NOT_PERMITTED);
 #if defined(MBEDTLS_RSA_C)
 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
@@ -1431,6 +1433,8 @@ psa_status_t psa_asymmetric_encrypt(psa_key_slot_t key,
 return( PSA_ERROR_EMPTY_SLOT );
 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
 return( PSA_ERROR_INVALID_ARGUMENT );
+ if (!(slot->policy.usage & PSA_KEY_USAGE_ENCRYPT))
+ return(PSA_ERROR_NOT_PERMITTED);
 #if defined(MBEDTLS_RSA_C)
@@ -1505,6 +1509,8 @@ psa_status_t psa_asymmetric_decrypt(psa_key_slot_t key,
 return( PSA_ERROR_EMPTY_SLOT );
 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
 return( PSA_ERROR_INVALID_ARGUMENT );
+ if (!(slot->policy.usage & PSA_KEY_USAGE_DECRYPT))
+ return(PSA_ERROR_NOT_PERMITTED);
 #if defined(MBEDTLS_RSA_C)
 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index caa0abd0b..690b22c88 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -595,6 +595,7 @@ void asymmetric_verify_fail( int key_type_arg, char *key_hex,
 size_t signature_size;
 psa_status_t actual_status;
 psa_status_t expected_status = expected_status_arg;
+ psa_key_policy_t policy = {0};
 key_data = unhexify_alloc( key_hex, &key_size );
 TEST_ASSERT( key_data != NULL );
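Review bot: The guard added to psa_asymmetric_verify tests only the usage bit; nothing in the visible lines compares the requested algorithm with `slot->policy.alg`, and the same is true of the guards added to psa_asymmetric_encrypt and psa_asymmetric_decrypt. The tests in this commit store an algorithm in the policy through `psa_key_policy_set_usage( &policy, ..., alg_arg )`, so unless that half of the policy is enforced elsewhere in these functions (their bodies start and end outside the hunks), a key permitted for one algorithm can still be used with another. If it is not checked elsewhere, extend the condition, assuming the algorithm parameter is named `alg`: `if( ! ( slot->policy.usage & PSA_KEY_USAGE_VERIFY ) || alg != slot->policy.alg )`. As a style point, the new lines use `if (!(` and `return(X)` while the surrounding code uses `if( ! ... )` and `return( X )`.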
@@ -605,6 +606,12 @@ void asymmetric_verify_fail( int key_type_arg, char *key_hex,
 TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_VERIFY, alg_arg );
+
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
 TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS );
@@ -643,6 +650,7 @@ void asymmetric_encrypt( int key_type_arg, char *key_hex,
 unsigned char *output2 = NULL;
 size_t output2_size = 0;
 size_t output2_length = 0;
+ psa_key_policy_t policy = {0};
 key_data = unhexify_alloc( key_hex, &key_size );
 TEST_ASSERT( key_data != NULL );
@@ -657,6 +665,10 @@ void asymmetric_encrypt( int key_type_arg, char *key_hex,
 TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
 TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS );
@@ -710,6 +722,7 @@ void asymmetric_encrypt_fail( int key_type_arg, char *key_hex,
 size_t output_length = 0;
 psa_status_t actual_status;
 psa_status_t expected_status = expected_status_arg;
+ psa_key_policy_t policy = {0};
 key_data = unhexify_alloc( key_hex, &key_size );
 TEST_ASSERT( key_data != NULL );
@@ -721,6 +734,10 @@ void asymmetric_encrypt_fail( int key_type_arg, char *key_hex,
 TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_ENCRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
 TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS );
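Review bot: No test here can reach the new `PSA_ERROR_NOT_PERMITTED` returns, because every policy set in asymmetric_verify_fail, asymmetric_encrypt and asymmetric_encrypt_fail grants exactly the usage the call under test needs. The usage flag is hard-coded in the `_fail` functions (and in asymmetric_decrypt_fail further down), so no data row can make `expected_status_arg` exercise a denied key. Take the usage as a test argument, for example `psa_key_policy_set_usage( &policy, usage_arg, alg_arg );`, and add cases that import the key under a policy lacking the flag and expect `PSA_ERROR_NOT_PERMITTED`. The `= {0}` initialiser followed immediately by `psa_key_policy_init( &policy )` also looks redundant; one of the two is presumably enough.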
@@ -774,6 +791,10 @@ void asymmetric_decrypt( int key_type_arg, char *key_hex,
 TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
 TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS );
@@ -818,6 +839,7 @@ void asymmetric_decrypt_fail( int key_type_arg, char *key_hex,
 size_t output_length = 0;
 psa_status_t actual_status;
 psa_status_t expected_status = expected_status_arg;
+ psa_key_policy_t policy = {0};
 key_data = unhexify_alloc( key_hex, &key_size );
 TEST_ASSERT( key_data != NULL );
@@ -829,6 +851,10 @@ void asymmetric_decrypt_fail( int key_type_arg, char *key_hex,
 TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
+ psa_key_policy_init( &policy );
+ psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DECRYPT, alg_arg );
+ TEST_ASSERT( psa_set_key_policy( slot, &policy ) == PSA_SUCCESS );
+
 TEST_ASSERT( psa_import_key( slot, key_type, key_data, key_size ) == PSA_SUCCESS );
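Review bot: asymmetric_decrypt uses `policy` in the added lines, but this diff adds no declaration for it in that function, unlike the other four test functions, which each get `psa_key_policy_t policy = {0};`. The hunk offsets (+17 before this hunk, matching the lines added so far) confirm that no other hunk touches asymmetric_decrypt. Unless the variable is already declared in the part of the function outside the hunk, the suite will not compile; add `psa_key_policy_t policy = {0};` to its local declarations.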