1 /* 2 * Copyright (c) 2020-2021 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #ifndef __HUKS_ADAPTER_H__ 17 #define __HUKS_ADAPTER_H__ 18 19 #include "base.h" 20 #include "hichain.h" 21 22 #define safe_free(T) \ 23 do { \ 24 if ((T) != NULL) { \ 25 FREE(T); \ 26 } \ 27 } while (0) 28 29 #define array_size(arr) ((sizeof(arr)) / (sizeof((arr)[0]))) 30 31 enum huks_adapter_error_code { 32 ERROR_CODE_NO_PEER_PUBLIC_KEY = -10, 33 ERROR_CODE_FAILED = -1, 34 ERROR_CODE_INIT_PARAM_SET = -2, 35 ERROR_CODE_ADD_PARAM = -3, 36 ERROR_CODE_BUILD_PARAM_SET = -4, 37 ERROR_CODE_GENERATE_KEY = -5, 38 ERROR_CODE_FRESH_PARAM_SET = -6, 39 ERROR_CODE_GET_PUB_KEY_FROM_PARAM_SET = -7, 40 ERROR_CODE_GET_PRIV_KEY_FROM_PARAM_SET = -8, 41 ERROR_CODE_NO_SPACE = -9, 42 ERROR_CODE_SUCCESS = 0 43 }; 44 45 enum huks_key_alias_type { 46 KEY_ALIAS_ACCESSOR_PK = HC_USER_TYPE_ACCESSORY, 47 KEY_ALIAS_CONTROLLER_PK = HC_USER_TYPE_CONTROLLER, 48 KEY_ALIAS_LT_KEY_PAIR, 49 KEY_ALIAS_KEK, 50 KEY_ALIAS_DEK, 51 KEY_ALIAS_TMP, 52 }; 53 54 enum hc_pair_type { 55 HC_PAIR_TYPE_BIND, 56 HC_PAIR_TYPE_AUTH, 57 }; 58 59 struct huks_key_type { 60 uint8_t user_type; 61 uint8_t pair_type; 62 uint8_t reserved1; 63 uint8_t reserved2; 64 }; 65 66 enum huks_derived_type { 67 HUKS_DERIVED_TYPE_KEK = KEY_ALIAS_KEK, 68 HUKS_DERIVED_TYPE_DEK = KEY_ALIAS_DEK, 69 }; 70 71 struct service_id generate_service_id(const struct session_identity *identity); 72 73 /* 74 * generate key alias by service id and auth id 75 * 76 * @param service_id: service id 77 * @param hc_auth_id: auth id 78 * @param key_type: ACCESSOR_PK:0 CONTROLLER_PK:1 LT_KEY_PAIR:2 KEK:3 DEK:4 79 * @return key alias 80 */ 81 struct hc_key_alias generate_key_alias(const struct service_id *service_id, 82 const struct hc_auth_id *auth_id, enum huks_key_alias_type key_type); 83 84 /* 85 * Generate temporary key pair X25519 86 * 87 * @param keyPair: the public&private key struct 88 * @param keyPairType: the key pair type, support X25519 and ED25519 89 * @return 0 -- success, others -- failed 90 */ 91 int32_t generate_st_key_pair(struct st_key_pair *out_key_pair); 92 93 /* 94 * Generate a long-lived key pair ED25519. 95 * 96 * @param key_alias: key alias 97 * @return 0 -- success, others -- failed 98 */ 99 int32_t generate_lt_key_pair(struct hc_key_alias *key_alias, const struct hc_auth_id *auth_id); 100 101 /* 102 * Export long-acting public key 103 * 104 * @param key_alias: the public key alias 105 * @return 0 -- success, others -- failed 106 */ 107 int32_t export_lt_public_key(struct hc_key_alias *key_alias, struct ltpk *out_public_key); 108 109 /* 110 * Delete stored public key 111 * 112 * @param key_alias: the public key alias 113 * @return 0 -- success, others -- failed 114 */ 115 int32_t delete_lt_public_key(struct hc_key_alias *key_alias); 116 117 /* 118 * Import public key 119 * 120 * @param key_alias: the public key alias 121 * @param peer_public_key: the peer public key to be store 122 * @return 0 -- success, others -- failed 123 */ 124 int32_t import_lt_public_key(struct hc_key_alias *key_alias, struct ltpk *peer_public_key, 125 const int32_t user_type, const int32_t pair_type, struct hc_auth_id *auth_id); 126 127 /* 128 * Check if the public key exists according to alias 129 * 130 * @param key_alias: the public key alias 131 * @return 0 -- exist, others -- not exist 132 */ 133 int32_t check_lt_public_key_exist(struct hc_key_alias *key_alias); 134 135 /* 136 * Check if the public key exists according to alias 137 * 138 * @param key_alias: the public key alias 139 * @return 0 -- is owner, others -- not 140 */ 141 int32_t check_key_alias_is_owner(struct hc_key_alias *key_alias); 142 143 /* 144 * Check if the public key exists according to alias 145 * 146 * @param key_alias: key alias 147 * @param out_key_type: output param, with key type info 148 * @param out_auth_id: output param, with auth id 149 * @return 0 -- work, others -- failed 150 */ 151 int32_t get_lt_key_info(struct hc_key_alias *alias, struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id); 152 153 /* 154 * Query the list of imported and stored ed25519 public keys 155 * 156 * @param owner_auth_id: input null, output binding list;input owner, output auth list;other ,output null 157 * @param trust_user_type: the public key alias 158 * @return 0 -- exist, others -- not exist 159 */ 160 int32_t get_lt_public_key_list(const struct hc_auth_id *owner_auth_id, int32_t trust_user_type, 161 struct hc_auth_id *out_auth_list, uint32_t *out_count); 162 163 /* 164 * compute shared secret by X25519. 165 * 166 * @param self_private_key: the private key 167 * @param peer_public_key: the peer public key 168 * @param out_shared_key: out shared key 169 * @return 0 -- success, others -- failed 170 */ 171 int32_t compute_sts_shared_secret(struct stsk *self_private_key, 172 struct stpk *peer_public_key, struct sts_shared_secret *out_shared_key); 173 174 /* 175 * sign by ED25519. 176 * 177 * @param key_alias: the key alias 178 * @param message: the message to sign 179 * @param out_sig: sign result 180 * @return 0 -- success, others -- failed 181 */ 182 int32_t sign(struct hc_key_alias *key_alias, const struct uint8_buff *message, struct signature *out_signature); 183 184 /* 185 * verify by ED25519. 186 * 187 * @param service_id: the service ID 188 * @param hc_auth_id: the auth ID 189 * @param user_type: accessor:0 controller:1 190 * @param message: the message to verify 191 * @param signature: signature to compare 192 * @return 0 -- success, others -- failed 193 */ 194 int32_t verify(struct hc_key_alias *key_alias, const int32_t user_type, const struct uint8_buff *message, 195 struct signature *signature); 196 197 /* 198 * verify by ED25519, pass public_key. 199 * 200 * @param service_id: the service ID 201 * @param hc_auth_id: the auth ID 202 * @param user_type: accessor:0 controller:1 203 * @param message: the message to verify 204 * @param public_key: the public key 205 * @param signature: signature to compare 206 * @return 0 -- success, others -- failed 207 */ 208 int32_t verify_with_public_key(const int32_t user_type, const struct uint8_buff *message, 209 struct var_buffer *public_key, struct signature *signature); 210 211 /* 212 * Check public key's legality 213 * @param key: public key 214 * @param bigNumLen: big num len 384 or 256 215 * @return true -- legal, false -- illegal 216 */ 217 int32_t CheckDlSpekePublicKey(const struct var_buffer *key, uint32_t bigNumLen); 218 219 /* 220 * Calculate BigNum Exponent 221 * @param base 32 byte 222 * @param exp 32 byte 223 * @param big_num_len: big num len 384 or 256 224 * @param out_result 225 * @return others -- failed, 0 -- success 226 */ 227 int32_t cal_bignum_exp(struct var_buffer *base, struct var_buffer *exp, 228 const uint32_t big_num_len, struct big_num *out_result); 229 230 /* 231 * generate random string 232 * 233 * @param length : length of required random byte array 234 * @return generated random uint8_t array 235 */ 236 struct random_value generate_random(uint32_t length); 237 238 /* 239 * HMAC method 240 * 241 * @param key HMAC key 242 * @param message message to be digested 243 * @return others -- failed, 0 -- success 244 */ 245 int32_t compute_hmac(struct var_buffer *key, const struct uint8_buff *message, struct hmac *out_hmac); 246 247 /* 248 * key derivation of HKDF, salt and info are offered 249 * 250 * @param sharedSecret the seed of the key derivation 251 * @param salt salt used in HKDF 252 * @param [out] out_hkadf,the derived key, out_hkadf.length must be specified 253 * @return 0 = success, -1 = failed 254 */ 255 int32_t compute_hkdf(struct var_buffer *shared_secret, struct hc_salt *salt, char *key_info, 256 uint32_t hkdf_len, struct var_buffer *out_hkdf); 257 258 /* 259 * aes gcm encrypt. 260 * 261 * @param key: encrypt key 262 * @param plain: data to be encrypted 263 * @param aad: aad for encrypt 264 * @param out_cipher: encrypted data 265 * @return 0 -- success, others -- failed 266 */ 267 int32_t aes_gcm_encrypt(struct var_buffer *key, const struct uint8_buff *plain, 268 struct aes_aad *aad, struct uint8_buff *out_cipher); 269 270 /* 271 * aes gcm decrypt. 272 * 273 * @param key: encrypt key 274 * @param cipher: data to be decrypted 275 * @param aad: aad for encrypt 276 * @param out_plain: edecrypted data 277 * @return 0 -- success, others -- failed 278 */ 279 int32_t aes_gcm_decrypt(struct var_buffer *key, const struct uint8_buff *cipher, 280 struct aes_aad *aad, struct uint8_buff *out_plain); 281 282 #if (defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_)) 283 int32_t generate_lt_X25519_key_pair(struct hc_key_alias *key_alias, const struct hc_auth_id *auth_id); 284 285 int32_t aes_ccm_decrypt(struct var_buffer *key, const struct uint8_buff *cipher, 286 struct aes_aad *aad, struct uint8_buff *out_plain); 287 288 int32_t get_cert_chain(const struct uint8_buff *challenge, struct hc_key_alias *sk_alias, 289 struct uint8_buff *out_cert_chain); 290 291 int32_t asset_unwrap(struct uint8_buff *sec_data, struct hc_key_alias *dec_alias, 292 struct hc_key_alias *target_alias); 293 294 int32_t get_key_attestation(const struct uint8_buff *challenge, struct hc_key_alias *sk_alias, 295 struct uint8_buff *out_cert_chain); 296 297 #endif 298 299 /* 300 * load file hks keystore to buffer 301 * 302 * @return 0 -- success, others -- failed 303 */ 304 int32_t key_info_init(void); 305 306 #endif 307