1 /** 2 * @file tlcTeeKeymaster_if.h 3 * @brief Contains TEE Keymaster trustlet connector interface definitions 4 * 5 * Copyright Giesecke & Devrient GmbH 2012 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote 16 * products derived from this software without specific prior 17 * written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS 20 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 21 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 23 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 25 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 27 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 28 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 29 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #ifndef __TLCTEEKEYMASTERIF_H__ 33 #define __TLCTEEKEYMASTERIF_H__ 34 35 #ifdef __cplusplus 36 extern "C" { 37 #endif 38 39 #include <stdint.h> 40 #include <stdbool.h> 41 42 43 /** 44 * Key sizes 45 */ 46 #define TEE_RSA_KEY_SIZE_512 512 47 #define TEE_RSA_KEY_SIZE_1024 1024 48 #define TEE_RSA_KEY_SIZE_2048 2048 49 50 51 /* error codes */ 52 typedef enum 53 { 54 TEE_ERR_NONE = 0, 55 TEE_ERR_FAIL = 1, 56 TEE_ERR_INVALID_BUFFER = 2, 57 TEE_ERR_BUFFER_TOO_SMALL = 3, 58 TEE_ERR_NOT_IMPLEMENTED = 4, 59 TEE_ERR_SESSION = 5, 60 TEE_ERR_MC_DEVICE = 6, 61 TEE_ERR_NOTIFICATION = 7, 62 TEE_ERR_MEMORY = 8, 63 TEE_ERR_MAP = 9 64 /* more can be added as required */ 65 } teeResult_t; 66 67 68 /* RSA key pair types */ 69 typedef enum { 70 TEE_KEYPAIR_RSA = 1, /**< RSA public and RSA private key. */ 71 TEE_KEYPAIR_RSACRT = 2 /**< RSA public and RSA CRT private key. */ 72 } teeRsaKeyPairType_t; 73 74 75 /* Supported RSA signature algorithms */ 76 typedef enum 77 { 78 /* RSA */ 79 TEE_RSA_SHA_ISO9796 = 1, /**< 20-byte SHA-1 digest, padded according to the ISO 9796-2 scheme as specified in EMV '96 and EMV 2000, encrypted using RSA. */ 80 TEE_RSA_SHA_ISO9796_MR = 2, /**< 20-byte SHA-1 digest, padded according to the ISO9796-2 specification and encrypted using RSA. */ 81 TEE_RSA_SHA_PKCS1 = 3, /**< 20-byte SHA-1 digest, padded according to the PKCS#1 (v1.5) scheme, and encrypted using RSA. */ 82 TEE_RSA_SHA256_PSS = 4, /**< SHA-256 digest and PSS padding */ 83 TEE_RSA_SHA1_PSS = 5, /**< SHA-256 digest and PSS padding */ 84 TEE_RSA_NODIGEST_NOPADDING = 6, /**< No digest and padding */ 85 } teeRsaSigAlg_t; 86 87 88 /* Digest types */ 89 typedef enum 90 { 91 TEE_DIGEST_SHA1, 92 TEE_DIGEST_SHA256 93 } teeDigest_t; 94 95 96 /** 97 * RSA private key metadata (Private modulus and exponent lengths) 98 */ 99 typedef struct { 100 uint32_t lenprimod; /**< Private key modulus length */ 101 uint32_t lenpriexp; /**< Private key exponent length */ 102 } teeRsaPrivKeyMeta_t; 103 104 105 /** 106 * RSA CRT private key metadata (Private modulus and exponent lengths) 107 */ 108 typedef struct { 109 uint32_t lenprimod; /**< Private key modulus length */ 110 uint32_t lenp; /**< Prime p length */ 111 uint32_t lenq; /**< Prime q length */ 112 uint32_t lendp; /**< DP length */ 113 uint32_t lendq; /**< DQ length */ 114 uint32_t lenqinv; /**< QP length */ 115 } teeRsaCrtPrivKeyMeta_t; 116 117 118 /** 119 * Key metadata (public key hash, key size, modulus/exponent lengths, etc..) 120 */ 121 typedef struct { 122 uint32_t keytype; /**< Key type, e.g. RSA */ 123 uint32_t keysize; /**< Key size, e.g. 1024, 2048 */ 124 uint32_t lenpubmod; /**< Public key modulus length */ 125 uint32_t lenpubexp; /**< Public key exponent length */ 126 union { 127 teeRsaPrivKeyMeta_t rsapriv; /**< RSA private key */ 128 teeRsaCrtPrivKeyMeta_t rsacrtpriv; /**< RSA CRT private key */ 129 }; 130 uint32_t rfu; /**< Reserved for future use */ 131 uint32_t rfulen; /**< Reserved for future use */ 132 } teeRsaKeyMeta_t; 133 134 /** 135 * TEE_RSAGenerateKeyPair 136 * 137 * Generates RSA key pair and returns key pair data as wrapped object 138 * 139 * @param keyType [in] Key pair type. RSA or RSACRT 140 * @param keyData [in] Pointer to the key data buffer 141 * @param keyDataLength [in] Key data buffer length 142 * @param keySize [in] Key size 143 * @param exponent [in] Exponent number 144 * @param soLen [out] Key data secure object length 145 */ 146 teeResult_t TEE_RSAGenerateKeyPair( 147 teeRsaKeyPairType_t keyType, 148 uint8_t* keyData, 149 uint32_t keyDataLength, 150 uint32_t keySize, 151 uint32_t exponent, 152 uint32_t* soLen); 153 154 155 /** 156 * TEE_RSASign 157 * 158 * Signs given plain data and returns signature data 159 * 160 * @param keyData [in] Pointer to key data buffer 161 * @param keyDataLength [in] Key data buffer length 162 * @param plainData [in] Pointer to plain data to be signed 163 * @param plainDataLength [in] Plain data length 164 * @param signatureData [out] Pointer to signature data 165 * @param signatureDataLength [out] Signature data length 166 * @param algorithm [in] RSA signature algorithm 167 */ 168 teeResult_t TEE_RSASign( 169 const uint8_t* keyData, 170 const uint32_t keyDataLength, 171 const uint8_t* plainData, 172 const uint32_t plainDataLength, 173 uint8_t* signatureData, 174 uint32_t* signatureDataLength, 175 teeRsaSigAlg_t algorithm); 176 177 178 /** 179 * TEE_RSAVerify 180 * 181 * Verifies given data with RSA public key and return status 182 * 183 * @param keyData [in] Pointer to key data buffer 184 * @param keyDataLength [in] Key data buffer length 185 * @param plainData [in] Pointer to plain data to be signed 186 * @param plainDataLength [in] Plain data length 187 * @param signatureData [in] Pointer to signed data 188 * @param signatureData [in] Plain data length 189 * @param algorithm [in] RSA signature algorithm 190 * @param validity [out] Signature validity 191 */ 192 teeResult_t TEE_RSAVerify( 193 const uint8_t* keyData, 194 const uint32_t keyDataLength, 195 const uint8_t* plainData, 196 const uint32_t plainDataLength, 197 const uint8_t* signatureData, 198 const uint32_t signatureDataLength, 199 teeRsaSigAlg_t algorithm, 200 bool *validity); 201 202 203 /** 204 * TEE_HMACKeyGenerate 205 * 206 * Generates random key for HMAC calculation and returns key data as wrapped object 207 * (key is encrypted) 208 * 209 * @param keyData [out] Pointer to key data 210 * @param keyDataLength [in] Key data buffer length 211 * @param soLen [out] Key data secure object length 212 */ 213 teeResult_t TEE_HMACKeyGenerate( 214 uint8_t* keyData, 215 uint32_t keyDataLength, 216 uint32_t* soLen); 217 218 219 /** 220 * TEE_HMACSign 221 * 222 * Signs given plain data and returns HMAC signature data 223 * 224 * @param keyData [in] Pointer to key data buffer 225 * @param keyDataLength [in] Key data buffer length 226 * @param plainData [in] Pointer to plain data to be signed 227 * @param plainDataLength [in] Plain data length 228 * @param signatureData [out] Pointer to signature data 229 * @param signatureDataLength [out] Signature data length 230 * @param digest [in] Digest type 231 */ 232 teeResult_t TEE_HMACSign( 233 const uint8_t* keyData, 234 const uint32_t keyDataLength, 235 const uint8_t* plainData, 236 const uint32_t plainDataLength, 237 uint8_t* signatureData, 238 uint32_t* signatureDataLength, 239 teeDigest_t digest); 240 241 242 /** 243 * TEE_HMACVerify 244 * 245 * Verifies given data HMAC key data and return status 246 * 247 * @param keyData [in] Pointer to key data buffer 248 * @param keyDataLength [in] Key data buffer length 249 * @param plainData [in] Pointer to plain data to be signed 250 * @param plainDataLength [in] Plain data length 251 * @param signatureData [in] Pointer to signed data 252 * @param signatureData [in] Plain data length 253 * @param digest [in] Digest type 254 * @param validity [out] Signature validity 255 */ 256 teeResult_t TEE_HMACVerify( 257 const uint8_t* keyData, 258 const uint32_t keyDataLength, 259 const uint8_t* plainData, 260 const uint32_t plainDataLength, 261 const uint8_t* signatureData, 262 const uint32_t signatureDataLength, 263 teeDigest_t digest, 264 bool *validity); 265 266 267 /** 268 * TEE_KeyImport 269 * 270 * Imports key data and returns key data as secure object 271 * 272 * Key data needs to be in the following format 273 * 274 * RSA key data: 275 * |--key metadata--|--public modulus--|--public exponent--|--private exponent--| 276 * 277 * RSA CRT key data: 278 * |--key metadata--|--public modulus--|--public exponent--|--P--|--Q--|--DP--|--DQ--|--Qinv--| 279 * 280 * Where: 281 * P: secret prime factor 282 * Q: secret prime factor 283 * DP: d mod (p-1) 284 * DQ: d mod (q-1) 285 * Qinv: q^-1 mod p 286 * 287 * @param keyData [in] Pointer to key data 288 * @param keyDataLength [in] Key data length 289 * @param soData [out] Pointer to wrapped key data 290 * @param soDataLength [out] Wrapped key data length 291 */ 292 teeResult_t TEE_KeyImport( 293 const uint8_t* keyData, 294 const uint32_t keyDataLength, 295 uint8_t* soData, 296 uint32_t* soDataLength); 297 298 299 /** 300 * TEE_GetPubKey 301 * 302 * Retrieves public key daya (modulus and exponent) from wrapped key data 303 * 304 * @param keyData [in] Pointer to key data 305 * @param keyDataLength [in] Key data length 306 * @param modulus [out] Pointer to public key modulus data 307 * @param modulusLength [out] Modulus data length 308 * @param exponent [out] Pointer to public key exponent data 309 * @param exponentLength [out] Exponent data length 310 */ 311 teeResult_t TEE_GetPubKey( 312 const uint8_t* keyData, 313 const uint32_t keyDataLength, 314 uint8_t* modulus, 315 uint32_t* modulusLength, 316 uint8_t* exponent, 317 uint32_t* exponentLength); 318 319 320 #ifdef __cplusplus 321 } 322 #endif 323 324 #endif // __TLCTEEKEYMASTERIF_H__ 325
