diff --git a/modules/llrt_crypto/src/sha_hash.rs b/modules/llrt_crypto/src/sha_hash.rs
index acd1df389e..091c44cf27 100644
--- a/modules/llrt_crypto/src/sha_hash.rs
+++ b/modules/llrt_crypto/src/sha_hash.rs
@@ -2,13 +2,14 @@
 // SPDX-License-Identifier: Apache-2.0
 use llrt_utils::{
     bytes::{bytes_to_typed_array, ObjectBytes},
-    iterable_enum, str_enum,
+    iterable_enum,
+    result::ResultExt,
 };
 use ring::{
     digest::{self, Context as DigestContext},
     hmac::{self, Context as HmacContext},
 };
-use rquickjs::{function::Opt, prelude::This, Class, Ctx, Exception, Result, Value};
+use rquickjs::{function::Opt, prelude::This, Class, Ctx, Result, Value};
 
 use super::encoded_bytes;
 
@@ -23,18 +24,8 @@ pub struct Hmac {
 impl Hmac {
     #[qjs(skip)]
     pub fn new<'js>(ctx: Ctx<'js>, algorithm: String, key_value: ObjectBytes<'js>) -> Result<Self> {
-        let algorithm = match algorithm.to_lowercase().as_str() {
-            "sha1" => hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY,
-            "sha256" => hmac::HMAC_SHA256,
-            "sha384" => hmac::HMAC_SHA384,
-            "sha512" => hmac::HMAC_SHA512,
-            _ => {
-                return Err(Exception::throw_message(
-                    &ctx,
-                    &["Algorithm \"", &algorithm, "\" not supported"].concat(),
-                ))
-            },
-        };
+        let algorithm = ShaAlgorithm::try_from(algorithm.as_str()).or_throw(&ctx)?;
+        let algorithm = *algorithm.hmac_algorithm();
 
         Ok(Self {
             context: HmacContext::with_key(&hmac::Key::new(algorithm, key_value.as_bytes())),
@@ -81,18 +72,8 @@ pub struct Hash {
 impl Hash {
     #[qjs(skip)]
     pub fn new(ctx: Ctx<'_>, algorithm: String) -> Result<Self> {
-        let algorithm = match algorithm.to_lowercase().as_str() {
-            "sha1" => &digest::SHA1_FOR_LEGACY_USE_ONLY,
-            "sha256" => &digest::SHA256,
-            "sha384" => &digest::SHA384,
-            "sha512" => &digest::SHA512,
-            _ => {
-                return Err(Exception::throw_message(
-                    &ctx,
-                    &["Algorithm \"", &algorithm, "\" not supported"].concat(),
-                ))
-            },
-        };
+        let algorithm = ShaAlgorithm::try_from(algorithm.as_str()).or_throw(&ctx)?;
+        let algorithm = algorithm.digest_algorithm();
 
         Ok(Self {
             context: DigestContext::new(algorithm),
@@ -130,7 +111,6 @@ pub enum ShaAlgorithm {
 }
 
 iterable_enum!(ShaAlgorithm, SHA1, SHA256, SHA384, SHA512);
-str_enum!(ShaAlgorithm, SHA1 => "SHA-1", SHA256 => "SHA-256", SHA384 => "SHA-384", SHA512 => "SHA-512");
 
 impl ShaAlgorithm {
     pub fn class_name(&self) -> &'static str {
@@ -158,6 +138,38 @@ impl ShaAlgorithm {
             ShaAlgorithm::SHA512 => &digest::SHA512,
         }
     }
+
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            ShaAlgorithm::SHA1 => "SHA-1",
+            ShaAlgorithm::SHA256 => "SHA-256",
+            ShaAlgorithm::SHA384 => "SHA-384",
+            ShaAlgorithm::SHA512 => "SHA-512",
+        }
+    }
+}
+
+impl TryFrom<&str> for ShaAlgorithm {
+    type Error = String;
+    fn try_from(s: &str) -> std::result::Result<Self, Self::Error> {
+        Ok(match s.to_ascii_uppercase().as_str() {
+            "SHA1" => ShaAlgorithm::SHA1,
+            "SHA-1" => ShaAlgorithm::SHA1,
+            "SHA256" => ShaAlgorithm::SHA256,
+            "SHA-256" => ShaAlgorithm::SHA256,
+            "SHA384" => ShaAlgorithm::SHA384,
+            "SHA-384" => ShaAlgorithm::SHA384,
+            "SHA512" => ShaAlgorithm::SHA512,
+            "SHA-512" => ShaAlgorithm::SHA512,
+            _ => return Err(["'", s, "' not available"].concat()),
+        })
+    }
+}
+
+impl AsRef<str> for ShaAlgorithm {
+    fn as_ref(&self) -> &str {
+        self.as_str()
+    }
 }
 
 #[rquickjs::class]
diff --git a/modules/llrt_crypto/src/subtle/crypto_key.rs b/modules/llrt_crypto/src/subtle/crypto_key.rs
index df2ce738be..21eaf29447 100644
--- a/modules/llrt_crypto/src/subtle/crypto_key.rs
+++ b/modules/llrt_crypto/src/subtle/crypto_key.rs
@@ -80,6 +80,13 @@ impl CryptoKey {
                 return Ok(());
             }
         }
-        Err(["CryptoKey doesn't support '", usage, "'"].concat())
+        Err([
+            "CryptoKey with '",
+            self.name.as_ref(),
+            "', doesn't support '",
+            usage,
+            "'",
+        ]
+        .concat())
     }
 }
diff --git a/modules/llrt_crypto/src/subtle/derive.rs b/modules/llrt_crypto/src/subtle/derive.rs
index 9ae342e87d..551ea0878e 100644
--- a/modules/llrt_crypto/src/subtle/derive.rs
+++ b/modules/llrt_crypto/src/subtle/derive.rs
@@ -10,7 +10,7 @@ use rquickjs::{Array, ArrayBuffer, Class, Ctx, Exception, Result, Value};
 use super::{
     algorithm_not_supported_error,
     derive_algorithm::DeriveAlgorithm,
-    key_algorithm::{classify_and_check_usages, KeyAlgorithm, KeyAlgorithmMode, KeyDerivation},
+    key_algorithm::{KeyAlgorithm, KeyAlgorithmMode, KeyAlgorithmWithUsages, KeyDerivation},
 };
 
 use crate::{
@@ -46,7 +46,7 @@ fn derive_bits(
     length: u32,
 ) -> Result<Vec<u8>> {
     Ok(match algorithm {
-        DeriveAlgorithm::Edch { curve, public } => match curve {
+        DeriveAlgorithm::Ecdh { curve, public } => match curve {
             EllipticCurve::P256 => {
                 let secret_key = p256::SecretKey::from_pkcs8_der(base_key).or_throw(ctx)?;
                 let public_key = p256::SecretKey::from_pkcs8_der(public)
@@ -127,8 +127,18 @@ pub async fn subtle_derive_key<'js>(
     extractable: bool,
     key_usages: Array<'js>,
 ) -> Result<Class<'js, CryptoKey>> {
-    let (derived_key_algorithm, name) =
-        KeyAlgorithm::from_js(&ctx, KeyAlgorithmMode::Derive, derived_key_algorithm)?;
+    let KeyAlgorithmWithUsages {
+        algorithm: derived_key_algorithm,
+        name,
+        public_usages,
+        ..
+    } = KeyAlgorithm::from_js(
+        &ctx,
+        KeyAlgorithmMode::Derive,
+        derived_key_algorithm,
+        key_usages,
+    )?;
+
     let length: u16 = match &derived_key_algorithm {
         KeyAlgorithm::Aes { length } => *length,
         KeyAlgorithm::Hmac { length, .. } => *length,
@@ -138,8 +148,6 @@ pub async fn subtle_derive_key<'js>(
         },
     };
 
-    let (_, public_usages) = classify_and_check_usages(&ctx, &name, &key_usages)?;
-
     let handle = &base_key.borrow().handle;
 
     let bytes = derive_bits(&ctx, &algorithm, handle, length as u32)?;
diff --git a/modules/llrt_crypto/src/subtle/derive_algorithm.rs b/modules/llrt_crypto/src/subtle/derive_algorithm.rs
index 603000ee3b..e6c2c2db3b 100644
--- a/modules/llrt_crypto/src/subtle/derive_algorithm.rs
+++ b/modules/llrt_crypto/src/subtle/derive_algorithm.rs
@@ -10,7 +10,7 @@ use super::{
 
 #[derive(Debug)]
 pub enum DeriveAlgorithm {
-    Edch {
+    Ecdh {
         curve: EllipticCurve,
         public: Rc<[u8]>,
     },
@@ -24,7 +24,7 @@ impl<'js> FromJs<'js> for DeriveAlgorithm {
         let name: String = obj.get_required("name", "algorithm")?;
 
         Ok(match name.as_str() {
-            "ECDH" => {
+            "ECDH" | "X25519" => {
                 let public_key: Class<CryptoKey> = obj.get_required("public", "algorithm")?;
                 let public_key = public_key.borrow();
                 let curve = if let KeyAlgorithm::Ec { curve } = &public_key.algorithm {
@@ -36,7 +36,7 @@ impl<'js> FromJs<'js> for DeriveAlgorithm {
                     ));
                 };
 
-                DeriveAlgorithm::Edch {
+                DeriveAlgorithm::Ecdh {
                     curve,
                     public: public_key.handle.clone(),
                 }
@@ -46,7 +46,7 @@ impl<'js> FromJs<'js> for DeriveAlgorithm {
             _ => {
                 return Err(Exception::throw_message(
                     ctx,
-                    "Algorithm 'name' must be ECDH | HKDF | PBKDF2",
+                    "Algorithm 'name' must be X25519 | ECDH | HKDF | PBKDF2",
                 ))
             },
         })
diff --git a/modules/llrt_crypto/src/subtle/generate_key.rs b/modules/llrt_crypto/src/subtle/generate_key.rs
index c68c7c5247..b55db63f3d 100644
--- a/modules/llrt_crypto/src/subtle/generate_key.rs
+++ b/modules/llrt_crypto/src/subtle/generate_key.rs
@@ -15,7 +15,7 @@ use crate::{sha_hash::ShaAlgorithm, CryptoKey, SYSTEM_RANDOM};
 
 use super::{
     algorithm_not_supported_error,
-    key_algorithm::{classify_and_check_usages, KeyAlgorithm, KeyAlgorithmMode},
+    key_algorithm::{KeyAlgorithm, KeyAlgorithmMode, KeyAlgorithmWithUsages},
 };
 
 pub async fn subtle_generate_key<'js>(
@@ -24,9 +24,13 @@ pub async fn subtle_generate_key<'js>(
     extractable: bool,
     key_usages: Array<'js>,
 ) -> Result<Value<'js>> {
-    let (key_algorithm, name) = KeyAlgorithm::from_js(&ctx, KeyAlgorithmMode::Generate, algorithm)?;
+    let KeyAlgorithmWithUsages {
+        name,
+        algorithm: key_algorithm,
+        private_usages,
+        public_usages,
+    } = KeyAlgorithm::from_js(&ctx, KeyAlgorithmMode::Generate, algorithm, key_usages)?;
 
-    let (private_usages, public_usages) = classify_and_check_usages(&ctx, &name, &key_usages)?;
     let bytes = generate_key(&ctx, &key_algorithm)?;
 
     if matches!(
diff --git a/modules/llrt_crypto/src/subtle/import_key.rs b/modules/llrt_crypto/src/subtle/import_key.rs
index 9d33dde4b1..dc9bc21a12 100644
--- a/modules/llrt_crypto/src/subtle/import_key.rs
+++ b/modules/llrt_crypto/src/subtle/import_key.rs
@@ -5,7 +5,7 @@ use rquickjs::{Array, Class, Ctx, Exception, Result, Value};
 
 use crate::subtle::CryptoKey;
 
-use super::key_algorithm::{classify_and_check_usages, KeyAlgorithm, KeyAlgorithmMode};
+use super::key_algorithm::{KeyAlgorithm, KeyAlgorithmMode, KeyAlgorithmWithUsages};
 
 pub async fn subtle_import_key<'js>(
     ctx: Ctx<'js>,
@@ -37,9 +37,12 @@ pub async fn subtle_import_key<'js>(
         }
     }
 
-    let (key_algorithm, name) = KeyAlgorithm::from_js(&ctx, KeyAlgorithmMode::Import, algorithm)?;
-
-    let (_, public_usages) = classify_and_check_usages(&ctx, &name, &key_usages)?;
+    let KeyAlgorithmWithUsages {
+        name,
+        algorithm: key_algorithm,
+        public_usages,
+        ..
+    } = KeyAlgorithm::from_js(&ctx, KeyAlgorithmMode::Import, algorithm, key_usages)?;
 
     Class::instance(
         ctx,
diff --git a/modules/llrt_crypto/src/subtle/key_algorithm.rs b/modules/llrt_crypto/src/subtle/key_algorithm.rs
index 9d02f482c9..7cda3712a8 100644
--- a/modules/llrt_crypto/src/subtle/key_algorithm.rs
+++ b/modules/llrt_crypto/src/subtle/key_algorithm.rs
@@ -1,7 +1,7 @@
 use llrt_utils::{bytes::ObjectBytes, object::ObjectExt, result::ResultExt};
 use rquickjs::{atom::PredefinedAtom, Array, Ctx, Exception, Object, Result, TypedArray, Value};
 
-use std::{collections::HashSet, rc::Rc};
+use std::rc::Rc;
 
 use crate::sha_hash::ShaAlgorithm;
 
@@ -15,93 +15,17 @@ static RSA_OAEP_USAGES: &[&str] = &["decrypt", "unwrapKey"];
 static ECDH_USAGES: &[&str] = &["deriveKey", "deriveBits"];
 static AES_KW_USAGES: &[&str] = &["wrapKey", "unwrapKey"];
 
-static SUPPORTED_USAGES_ARRAY: &[(&str, &[&str])] = &[
-    ("AES-CBC", SYMMETRIC_USAGES),
-    ("AES-CTR", SYMMETRIC_USAGES),
-    ("AES-GCM", SYMMETRIC_USAGES),
-    ("AES-KW", AES_KW_USAGES),
-    ("ECDH", ECDH_USAGES),
-    ("ECDSA", SIGNATURE_USAGES),
-    ("Ed25519", SIGNATURE_USAGES),
-    ("HMAC", SIGNATURE_USAGES),
-    ("RSA-OAEP", SYMMETRIC_USAGES),
-    ("RSA-PSS", SIGNATURE_USAGES),
-    ("RSASSA-PKCS1-v1_5", SIGNATURE_USAGES),
-    ("PBKDF2", ECDH_USAGES),
-    ("HKDF", ECDH_USAGES),
-];
-
-static MANDATORY_USAGES_ARRAY: &[(&str, &[&str])] = &[
-    ("AES-CBC", EMPTY_USAGES),
-    ("AES-CTR", EMPTY_USAGES),
-    ("AES-GCM", EMPTY_USAGES),
-    ("AES-KW", EMPTY_USAGES),
-    ("ECDH", ECDH_USAGES),
-    ("ECDSA", SIGN_USAGES),
-    ("Ed25519", SIGN_USAGES),
-    ("HMAC", EMPTY_USAGES),
-    ("RSA-OAEP", RSA_OAEP_USAGES),
-    ("RSA-PSS", SIGN_USAGES),
-    ("RSASSA-PKCS1-v1_5", SIGN_USAGES),
-    ("PBKDF2", EMPTY_USAGES),
-    ("HKDF", EMPTY_USAGES),
-];
-
-fn find_usages<'a>(
-    ctx: &Ctx<'_>,
-    table: &'a [(&str, &[&str])],
-    algorithm: &str,
-) -> Result<&'a [&'a str]> {
-    if let Some(res) = table
-        .iter()
-        .find(|(name, _)| *name == algorithm)
-        .map(|(_, usages)| *usages)
-    {
-        return Ok(res);
-    };
-
-    algorithm_not_supported_error(ctx)
-}
+// fn find_usages<'a>(ctx: &Ctx<'_>, algorithm: &str) -> Result<&'a [&'a str]> {
+//     if let Some(res) = table
+//         .iter()
+//         .find(|(name, _)| *name == algorithm)
+//         .map(|(_, usages)| *usages)
+//     {
+//         return Ok(res);
+//     };
 
-pub fn classify_and_check_usages<'js>(
-    ctx: &Ctx<'js>,
-    name: &str,
-    key_usages: &Array<'js>,
-) -> Result<(Vec<String>, Vec<String>)> {
-    let mut key_usages_set = HashSet::with_capacity(8);
-    for value in key_usages.clone().into_iter() {
-        if let Some(string) = value?.as_string() {
-            key_usages_set.insert(string.to_string()?);
-        }
-    }
-
-    let supported_usages = find_usages(ctx, SUPPORTED_USAGES_ARRAY, name)?;
-    let mandatory_usages = find_usages(ctx, MANDATORY_USAGES_ARRAY, name)?;
-    let mut private_usages: Vec<String> = Vec::with_capacity(key_usages_set.len());
-    let mut public_usages: Vec<String> = Vec::with_capacity(key_usages_set.len());
-
-    for usage in key_usages_set {
-        if !supported_usages.contains(&usage.as_str()) {
-            return Err(Exception::throw_range(
-                ctx,
-                &["'", &usage, "' is not supported for ", name].concat(),
-            ));
-        }
-        if mandatory_usages.contains(&usage.as_str()) {
-            private_usages.push(usage);
-        } else {
-            public_usages.push(usage);
-        }
-    }
-    if !mandatory_usages.is_empty() && private_usages.is_empty() {
-        return Err(Exception::throw_range(
-            ctx,
-            &[name, " is missing some mandatory usages"].concat(),
-        ));
-    }
-
-    Ok((private_usages, public_usages))
-}
+//     algorithm_not_supported_error(ctx)
+// }
 
 #[derive(Debug, Clone)]
 pub enum KeyDerivation {
@@ -182,18 +106,76 @@ pub enum KeyAlgorithmMode {
     Derive,
 }
 
+pub struct KeyAlgorithmWithUsages {
+    pub name: String,
+    pub algorithm: KeyAlgorithm,
+    pub public_usages: Vec<String>,
+    pub private_usages: Vec<String>,
+}
+
 impl KeyAlgorithm {
     pub fn from_js<'js>(
         ctx: &Ctx<'js>,
         mode: KeyAlgorithmMode,
         value: Value<'js>,
-    ) -> Result<(Self, String)> {
+        usages: Array<'js>,
+    ) -> Result<KeyAlgorithmWithUsages> {
         let (name, obj) = to_name_and_maybe_object(ctx, value)?;
-
-        let algorithm = match name.as_str() {
-            "Ed25519" => KeyAlgorithm::Ed25519,
-            "X25519" => KeyAlgorithm::X25519,
+        let mut public_usages = vec![];
+        let mut private_usages = vec![];
+        let name_ref = name.as_str();
+        let mut is_symmetric = false;
+        let algorithm = match name_ref {
+            "Ed25519" => {
+                if !matches!(mode, KeyAlgorithmMode::Import) {
+                    Self::classify_and_check_signature_usages(
+                        ctx,
+                        name_ref,
+                        &usages,
+                        is_symmetric,
+                        &mut private_usages,
+                        &mut public_usages,
+                    )?;
+                }
+                KeyAlgorithm::Ed25519
+            },
+            "X25519" => {
+                if !matches!(mode, KeyAlgorithmMode::Import) {
+                    Self::classify_and_check_symmetric_usages(
+                        ctx,
+                        name_ref,
+                        &usages,
+                        is_symmetric,
+                        &mut private_usages,
+                        &mut public_usages,
+                    )?;
+                }
+                KeyAlgorithm::X25519
+            },
             "AES-CBC" | "AES-CTR" | "AES-GCM" | "AES-KW" => {
+                is_symmetric = true;
+                if name_ref == "AES-KW" {
+                    Self::classify_and_check_usages(
+                        ctx,
+                        name_ref,
+                        &usages,
+                        AES_KW_USAGES,
+                        EMPTY_USAGES,
+                        is_symmetric,
+                        &mut private_usages,
+                        &mut public_usages,
+                    )?;
+                } else {
+                    Self::classify_and_check_symmetric_usages(
+                        ctx,
+                        name_ref,
+                        &usages,
+                        is_symmetric,
+                        &mut private_usages,
+                        &mut public_usages,
+                    )?;
+                }
+
                 let length: u16 = obj.or_throw(ctx)?.get_required("length", "algorithm")?;
 
                 if !matches!(length, 128 | 192 | 256) {
@@ -209,18 +191,87 @@ impl KeyAlgorithm {
                 let obj = obj.or_throw(ctx)?;
                 let curive: String = obj.get_required("namedCurve", "algorithm")?;
                 let curve = EllipticCurve::try_from(curive.as_str()).or_throw(ctx)?;
+                if !matches!(mode, KeyAlgorithmMode::Import) {
+                    match name_ref {
+                        "ECDH" => match mode {
+                            KeyAlgorithmMode::Generate => Self::classify_and_check_usages(
+                                ctx,
+                                name_ref,
+                                &usages,
+                                ECDH_USAGES,
+                                EMPTY_USAGES,
+                                is_symmetric,
+                                &mut private_usages,
+                                &mut public_usages,
+                            )?,
+                            KeyAlgorithmMode::Derive => Self::classify_and_check_symmetric_usages(
+                                ctx,
+                                name_ref,
+                                &usages,
+                                is_symmetric,
+                                &mut private_usages,
+                                &mut public_usages,
+                            )?,
+                            _ => unreachable!(),
+                        },
+                        "ECDSA" => Self::classify_and_check_signature_usages(
+                            ctx,
+                            name_ref,
+                            &usages,
+                            is_symmetric,
+                            &mut private_usages,
+                            &mut public_usages,
+                        )?,
+                        _ => unreachable!(),
+                    }
+                }
                 KeyAlgorithm::Ec { curve }
             },
 
             "HMAC" => {
+                is_symmetric = true;
+                Self::classify_and_check_usages(
+                    ctx,
+                    name_ref,
+                    &usages,
+                    SIGNATURE_USAGES,
+                    EMPTY_USAGES,
+                    is_symmetric,
+                    &mut private_usages,
+                    &mut public_usages,
+                )?;
+
                 let obj = obj.or_throw(ctx)?;
                 let hash = extract_sha_hash(ctx, &obj)?;
-
                 let length = obj.get_optional("length")?.unwrap_or_default();
 
                 KeyAlgorithm::Hmac { hash, length }
             },
             "RSA-OAEP" | "RSA-PSS" | "RSASSA-PKCS1-v1_5" => {
+                if !matches!(mode, KeyAlgorithmMode::Import) {
+                    if name == "RSA-PSS" {
+                        Self::classify_and_check_usages(
+                            ctx,
+                            name_ref,
+                            &usages,
+                            SYMMETRIC_USAGES,
+                            RSA_OAEP_USAGES,
+                            is_symmetric,
+                            &mut private_usages,
+                            &mut public_usages,
+                        )?;
+                    } else {
+                        Self::classify_and_check_signature_usages(
+                            ctx,
+                            name_ref,
+                            &usages,
+                            is_symmetric,
+                            &mut private_usages,
+                            &mut public_usages,
+                        )?;
+                    }
+                }
+
                 let obj = obj.or_throw(ctx)?;
                 let hash = extract_sha_hash(ctx, &obj)?;
 
@@ -232,6 +283,7 @@ impl KeyAlgorithm {
                     .ok_or_else(|| Exception::throw_message(ctx, "array buffer has been detached"))?
                     .into();
                 let public_exponent = Rc::new(public_exponent);
+
                 KeyAlgorithm::Rsa {
                     modulus_length,
                     public_exponent,
@@ -241,6 +293,15 @@ impl KeyAlgorithm {
             "HKDF" => match mode {
                 KeyAlgorithmMode::Import => KeyAlgorithm::HkdfImport,
                 KeyAlgorithmMode::Derive => {
+                    Self::classify_and_check_symmetric_usages(
+                        ctx,
+                        name_ref,
+                        &usages,
+                        is_symmetric,
+                        &mut private_usages,
+                        &mut public_usages,
+                    )?;
+
                     let obj = obj.or_throw(ctx)?;
                     KeyAlgorithm::Derive(KeyDerivation::for_hkdf_object(ctx, obj)?)
                 },
@@ -252,6 +313,15 @@ impl KeyAlgorithm {
             "PBKDF2" => match mode {
                 KeyAlgorithmMode::Import => KeyAlgorithm::Pbkdf2Import,
                 KeyAlgorithmMode::Derive => {
+                    Self::classify_and_check_symmetric_usages(
+                        ctx,
+                        name_ref,
+                        &usages,
+                        is_symmetric,
+                        &mut private_usages,
+                        &mut public_usages,
+                    )?;
+
                     let obj = obj.or_throw(ctx)?;
                     KeyAlgorithm::Derive(KeyDerivation::for_pbkf2_object(&ctx, obj)?)
                 },
@@ -261,7 +331,21 @@ impl KeyAlgorithm {
             },
             _ => return algorithm_not_supported_error(ctx),
         };
-        Ok((algorithm, name))
+
+        //some import key algorithms allows for unchecked usages, let's just classify
+        if public_usages.is_empty() && private_usages.is_empty() {
+            for usage in usages.iter() {
+                let usage = usage?;
+                classify_usage(usage, is_symmetric, &mut private_usages, &mut public_usages);
+            }
+        }
+
+        Ok(KeyAlgorithmWithUsages {
+            name,
+            algorithm,
+            public_usages,
+            private_usages,
+        })
     }
 
     pub fn as_object<'js, T: AsRef<str>>(&self, ctx: &Ctx<'js>, name: T) -> Result<Object<'js>> {
@@ -317,6 +401,116 @@ impl KeyAlgorithm {
         };
         Ok(obj)
     }
+
+    fn classify_and_check_signature_usages<'js>(
+        ctx: &Ctx<'js>,
+        name: &str,
+        usages: &Array<'js>,
+        is_symmetric: bool,
+        private_usages: &mut Vec<String>,
+        public_usages: &mut Vec<String>,
+    ) -> Result<()> {
+        Self::classify_and_check_usages(
+            ctx,
+            name,
+            usages,
+            SIGNATURE_USAGES,
+            SIGN_USAGES,
+            is_symmetric,
+            private_usages,
+            public_usages,
+        )
+    }
+
+    fn classify_and_check_symmetric_usages<'js>(
+        ctx: &Ctx<'js>,
+        name: &str,
+        usages: &Array<'js>,
+        is_symmetric: bool,
+        private_usages: &mut Vec<String>,
+        public_usages: &mut Vec<String>,
+    ) -> Result<()> {
+        Self::classify_and_check_usages(
+            ctx,
+            name,
+            usages,
+            SYMMETRIC_USAGES,
+            EMPTY_USAGES,
+            is_symmetric,
+            private_usages,
+            public_usages,
+        )
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    fn classify_and_check_usages<'js>(
+        ctx: &Ctx<'js>,
+        name: &str,
+        key_usages: &Array<'js>,
+        allowed_usages: &[&str],
+        required_usages: &[&str],
+        is_symmetric: bool,
+        private_usages: &mut Vec<String>,
+        public_usages: &mut Vec<String>,
+    ) -> Result<()> {
+        let usages_len = key_usages.len();
+
+        let mut generated_public_usages = Vec::with_capacity(usages_len);
+        let mut generated_private_usages = Vec::with_capacity(usages_len);
+        let mut has_any_required_usages = required_usages.is_empty();
+        for usage in key_usages.iter::<String>() {
+            let value = usage?;
+            if !allowed_usages.contains(&value.as_str()) {
+                return Err(Exception::throw_range(
+                    ctx,
+                    &["'", &value, "' is not supported for ", name].concat(),
+                ));
+            }
+
+            if !has_any_required_usages {
+                has_any_required_usages = required_usages.contains(&value.as_str());
+            }
+
+            classify_usage(
+                value,
+                is_symmetric,
+                &mut generated_private_usages,
+                &mut generated_public_usages,
+            );
+        }
+
+        if !has_any_required_usages {
+            return Err(Exception::throw_range(
+                ctx,
+                &[name, " is missing some required usages"].concat(),
+            ));
+        }
+
+        *public_usages = generated_public_usages;
+        *private_usages = generated_private_usages;
+
+        Ok(())
+    }
+}
+
+fn classify_usage(
+    value: String,
+    is_symmetric: bool,
+    private_usages: &mut Vec<String>,
+    public_usages: &mut Vec<String>,
+) {
+    if is_symmetric {
+        public_usages.push(value);
+        return;
+    }
+    match value.as_str() {
+        "sign" | "decrypt" | "unwrapKey" | "deriveKey" | "deriveBits" => {
+            private_usages.push(value);
+        },
+        _ => {
+            public_usages.push(value);
+        },
+    }
 }
 
 pub fn extract_sha_hash<'js>(ctx: &Ctx<'js>, obj: &Object<'js>) -> Result<ShaAlgorithm> {
diff --git a/modules/llrt_crypto/src/subtle/mod.rs b/modules/llrt_crypto/src/subtle/mod.rs
index 99a38215a1..d1050ada6d 100644
--- a/modules/llrt_crypto/src/subtle/mod.rs
+++ b/modules/llrt_crypto/src/subtle/mod.rs
@@ -180,7 +180,7 @@ impl EllipticCurve {
     }
 }
 
-str_enum!(EllipticCurve,P256 => "P-256",P384 => "P-384");
+str_enum!(EllipticCurve,P256 => "P-256", P384 => "P-384");
 
 pub fn rsa_private_key(
     ctx: &Ctx<'_>,
diff --git a/modules/llrt_crypto/src/subtle/sign_algorithm.rs b/modules/llrt_crypto/src/subtle/sign_algorithm.rs
index 6ef7929199..b98cd899c0 100644
--- a/modules/llrt_crypto/src/subtle/sign_algorithm.rs
+++ b/modules/llrt_crypto/src/subtle/sign_algorithm.rs
@@ -16,16 +16,6 @@ pub enum SigningAlgorithm {
     Hmac,
 }
 
-// impl<T: SignatureScheme> From<&ShaAlgorithm> for T {
-//     fn from(value: &ShaAlgorithm) -> Self {
-//         match value {
-
-//             ShaAlgorithm::Sha256 => T::new_with_prefix(rsa::pkcs1v15::SigningKey::<T>::new_sha256()),
-//             ShaAlgorithm::Sha384 => T::new_with_prefix(rsa::pkcs1v15::SigningKey::<T>::new_sha384()),
-//             ShaAlgorithm::Sha512 => T::new_with_prefix(rsa::pkcs1v15::SigningKey::<T>::new_sha512()),
-//         }
-// }
-
 impl<'js> FromJs<'js> for SigningAlgorithm {
     fn from_js(ctx: &Ctx<'js>, value: Value<'js>) -> Result<Self> {
         let (name, obj) = to_name_and_maybe_object(ctx, value)?;