key_config_manager.h
1 // ----------------------------------------------------------------------------
2 // Copyright 2016-2017 ARM Ltd.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 // ----------------------------------------------------------------------------
16 
17 #ifndef __KEYS_CONFIG_MANAGER_H__
18 #define __KEYS_CONFIG_MANAGER_H__
19 
20 #include <stdlib.h>
21 #include <stdbool.h>
22 #include <inttypes.h>
23 #include "kcm_status.h"
24 #include "kcm_defs.h"
25 
26 #ifdef __cplusplus
27 extern "C" {
28 #endif
29 
35  /* === Initialization and Finalization === */
36 
/**
 * Initializes the key and configuration manager (KCM).
 *
 * NOTE(review): presumably this has to succeed before any other kcm_* call
 * and is paired with kcm_finalize() - confirm against the implementation.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_init(void);
46 
56 
57  /* === Key, certificate, and configuration data storage === */
58 
/**
 * Stores a key, certificate, or configuration item under the given name.
 *
 * @param[in] kcm_item_name       Item name; its length is passed separately.
 * @param[in] kcm_item_name_len   Length of kcm_item_name.
 * @param[in] kcm_item_type       Kind of item being stored (::kcm_item_type_e).
 * @param[in] kcm_item_is_factory Marks the item as a factory item.
 *                                NOTE(review): presumably this decides whether
 *                                the item survives kcm_factory_reset() - confirm.
 * @param[in] kcm_item_data       Item payload to store.
 * @param[in] kcm_item_data_size  Size of kcm_item_data.
 * @param[in] kcm_item_info       Security descriptor for the item (an opaque
 *                                pointer type). NOTE(review): confirm which
 *                                values the implementation accepts.
 *
 * NOTE(review): when the item is a private key, kcm_item_data is secret
 * material. Whether the implementation copies it is not visible here, so the
 * caller should treat its own buffer as sensitive after the call.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_store(
    const uint8_t *kcm_item_name,
    size_t kcm_item_name_len,
    kcm_item_type_e kcm_item_type,
    bool kcm_item_is_factory,
    const uint8_t *kcm_item_data,
    size_t kcm_item_data_size,
    const kcm_security_desc_s kcm_item_info);
97 
98  /* === Key, certificate, and configuration data retrieval === */
99 
/**
 * Reports the data size of a stored item without returning the data itself.
 *
 * @param[in]  kcm_item_name          Item name; its length is passed separately.
 * @param[in]  kcm_item_name_len      Length of kcm_item_name.
 * @param[in]  kcm_item_type          Kind of item to look up (::kcm_item_type_e).
 * @param[out] kcm_item_data_size_out Receives the item data size
 *                                    (presumably in bytes - confirm).
 *
 * @returns
 *     A ::kcm_status_e status code. Check it before using
 *     *kcm_item_data_size_out to size a buffer.
 */
kcm_status_e kcm_item_get_data_size(
    const uint8_t *kcm_item_name,
    size_t kcm_item_name_len,
    kcm_item_type_e kcm_item_type,
    size_t *kcm_item_data_size_out);
122 
/**
 * Copies a stored item's data into a buffer supplied by the caller.
 *
 * @param[in]  kcm_item_name              Item name; its length is passed separately.
 * @param[in]  kcm_item_name_len          Length of kcm_item_name.
 * @param[in]  kcm_item_type              Kind of item to read (::kcm_item_type_e).
 * @param[out] kcm_item_data_out          Caller-owned destination buffer.
 * @param[in]  kcm_item_data_max_size     Capacity of kcm_item_data_out.
 * @param[out] kcm_item_data_act_size_out Receives the actual size of the item data.
 *
 * NOTE(review): what happens when the item is larger than
 * kcm_item_data_max_size is not visible here. Check the returned status
 * before reading kcm_item_data_out or *kcm_item_data_act_size_out.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_get_data(
    const uint8_t *kcm_item_name,
    size_t kcm_item_name_len,
    kcm_item_type_e kcm_item_type,
    uint8_t *kcm_item_data_out,
    size_t kcm_item_data_max_size,
    size_t *kcm_item_data_act_size_out);
150 
/**
 * Retrieves a stored item's data together with its size in a single call.
 *
 * @param[in]  kcm_item_name          Item name; its length is passed separately.
 * @param[in]  kcm_item_name_len      Length of kcm_item_name.
 * @param[in]  kcm_item_type          Kind of item to read (::kcm_item_type_e).
 * @param[out] kcm_item_data_out      Receives a pointer to the item data.
 * @param[out] kcm_item_data_size_out Receives the size of the item data.
 *
 * NOTE(review): the pointer-to-pointer output suggests the buffer is allocated
 * by the callee - confirm who owns it and how it has to be released. If the
 * item can be key material, wipe the buffer before releasing it.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_get_size_and_data(
    const uint8_t *kcm_item_name,
    size_t kcm_item_name_len,
    kcm_item_type_e kcm_item_type,
    uint8_t **kcm_item_data_out,
    size_t *kcm_item_data_size_out);
180 
181 #ifdef MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
182 
183  /* === Key and Configuration Manager with Platform Secure Architecture (PSA) support uses PSA key IDs from 0x1 up to 0x2800 === */
184 
185 
/**
 * Obtains a handle to a stored item instead of a copy of its data.
 *
 * Declared only when MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT is defined.
 *
 * @param[in]  kcm_item_name     Item name; its length is passed separately.
 * @param[in]  kcm_item_name_len Length of kcm_item_name.
 * @param[in]  kcm_item_type     Kind of item to look up (::kcm_item_type_e).
 * @param[out] key_handle_out    Receives the handle (::kcm_key_handle_t).
 *
 * NOTE(review): presumably every handle obtained here has to be released with
 * kcm_item_close_handle() - confirm against the implementation.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_get_handle(
    const uint8_t *kcm_item_name,
    size_t kcm_item_name_len,
    kcm_item_type_e kcm_item_type,
    kcm_key_handle_t *key_handle_out);
207 
/**
 * Closes a handle to a stored item.
 *
 * Declared only when MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT is defined.
 *
 * @param[in,out] key_handle Pointer to the handle to close. NOTE(review): the
 *                           handle is passed by pointer, so the callee can
 *                           overwrite it; whether it is reset to an invalid
 *                           value is not visible here.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_close_handle(kcm_key_handle_t *key_handle);
218 
219 #ifdef MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT
220 
/**
 * Brace initializer for ::kcm_item_extra_info_s that sets its first two
 * members to KCM_LOCATION_PSA.
 *
 * NOTE(review): the member names and meanings are declared in kcm_defs.h and
 * are not visible here.
 */
#define KCM_ITEM_EXTRA_INFO_INIT {KCM_LOCATION_PSA, KCM_LOCATION_PSA}

/**
 * Returns a ::kcm_item_extra_info_s initialized with ::KCM_ITEM_EXTRA_INFO_INIT.
 *
 * Gives callers a value to assign where a brace initializer cannot be used.
 */
static inline kcm_item_extra_info_s kcm_item_extra_info_init(void)
{
    kcm_item_extra_info_s defaults = KCM_ITEM_EXTRA_INFO_INIT;

    return defaults;
}
230 
/**
 * Reports where a stored item is located.
 *
 * Declared only when both MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT and
 * MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT are defined.
 *
 * @param[in]  item_name         Item name; its length is passed separately.
 * @param[in]  item_name_len     Length of item_name.
 * @param[in]  kcm_item_type     Kind of item to look up (::kcm_item_type_e).
 * @param[out] item_location_out Receives the item location (::kcm_item_location_e).
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_get_location(
    const uint8_t *item_name,
    size_t item_name_len,
    kcm_item_type_e kcm_item_type,
    kcm_item_location_e *item_location_out);
252 
253 
/**
 * Reports the secure element slot associated with a named private key.
 *
 * Declared only when both MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT and
 * MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT are defined.
 *
 * @param[in]  prv_key_name     Private key name; its length is passed separately.
 * @param[in]  prv_key_name_len Length of prv_key_name.
 * @param[out] se_prv_key_slot  Receives the slot number.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_se_private_key_get_slot(
    const uint8_t *prv_key_name,
    size_t prv_key_name_len,
    uint64_t *se_prv_key_slot);
269 
270 
271 #endif // #ifdef MBED_CONF_MBED_CLOUD_CLIENT_SECURE_ELEMENT_SUPPORT
272 #endif // #ifdef MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
273 
274  /* === Key, certificate, and configuration delete === */
275 
/**
 * Deletes a stored key, certificate, or configuration item.
 *
 * @param[in] kcm_item_name     Item name; its length is passed separately.
 * @param[in] kcm_item_name_len Length of kcm_item_name.
 * @param[in] kcm_item_type     Kind of item to delete (::kcm_item_type_e).
 *
 * NOTE(review): whether deletion also erases the underlying storage (relevant
 * for private keys) is not visible here - confirm in the storage backend.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_item_delete(
    const uint8_t *kcm_item_name,
    size_t kcm_item_name_len,
    kcm_item_type_e kcm_item_type);
295 
296  /* === Certificate chain APIs === */
297 
/**
 * Creates a new, named certificate chain and returns a handle to it.
 *
 * @param[out] kcm_chain_handle     Receives the handle of the new chain.
 * @param[in]  kcm_chain_name       Chain name; its length is passed separately.
 * @param[in]  kcm_chain_name_len   Length of kcm_chain_name.
 * @param[in]  kcm_chain_len        Length of the chain (presumably the number
 *                                  of certificates it will hold - confirm).
 * @param[in]  kcm_chain_is_factory Marks the chain as a factory item.
 *
 * NOTE(review): presumably certificates are then added with
 * kcm_cert_chain_add_next() and the handle is released with
 * kcm_cert_chain_close() - confirm against the implementation.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_create(
    kcm_cert_chain_handle *kcm_chain_handle,
    const uint8_t *kcm_chain_name,
    size_t kcm_chain_name_len,
    size_t kcm_chain_len,
    bool kcm_chain_is_factory);
317 
/**
 * Opens an existing, named certificate chain for reading.
 *
 * @param[out] kcm_chain_handle   Receives the handle of the opened chain.
 * @param[in]  kcm_chain_name     Chain name; its length is passed separately.
 * @param[in]  kcm_chain_name_len Length of kcm_chain_name.
 * @param[out] kcm_chain_len_out  Receives the length of the chain (presumably
 *                                the number of certificates - confirm).
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_open(
    kcm_cert_chain_handle *kcm_chain_handle,
    const uint8_t *kcm_chain_name,
    size_t kcm_chain_name_len,
    size_t *kcm_chain_len_out);
343 
/**
 * Appends the next certificate to a certificate chain.
 *
 * @param[in] kcm_chain_handle   Handle of the chain to extend.
 * @param[in] kcm_cert_data      Certificate data to add.
 * @param[in] kcm_cert_data_size Size of kcm_cert_data.
 *
 * NOTE(review): whether each added certificate is validated against the
 * previous one in the chain is not visible here - confirm before relying on
 * a stored chain as already verified.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_add_next(
    kcm_cert_chain_handle kcm_chain_handle,
    const uint8_t *kcm_cert_data,
    size_t kcm_cert_data_size);
364 
/**
 * Deletes a named certificate chain.
 *
 * @param[in] kcm_chain_name     Chain name; its length is passed separately.
 * @param[in] kcm_chain_name_len Length of kcm_chain_name.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_delete(
    const uint8_t *kcm_chain_name,
    size_t kcm_chain_name_len);
378 
/**
 * Reports the size of the next certificate in an open chain.
 *
 * @param[in]  kcm_chain_handle   Handle of the chain being read.
 * @param[out] kcm_cert_data_size Receives the size of the next certificate.
 *
 * NOTE(review): presumably used to size the buffer that is then passed to
 * kcm_cert_chain_get_next_data() - confirm the intended call order.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_get_next_size(
    kcm_cert_chain_handle kcm_chain_handle,
    size_t *kcm_cert_data_size);
395 
/**
 * Copies the next certificate of an open chain into a caller-supplied buffer.
 *
 * @param[in]  kcm_chain_handle          Handle of the chain being read.
 * @param[out] kcm_cert_data             Caller-owned destination buffer.
 * @param[in]  kcm_max_cert_data_size    Capacity of kcm_cert_data.
 * @param[out] kcm_actual_cert_data_size Receives the actual certificate size.
 *
 * NOTE(review): what happens when the certificate is larger than
 * kcm_max_cert_data_size is not visible here. Check the returned status
 * before reading kcm_cert_data.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_get_next_data(
    kcm_cert_chain_handle kcm_chain_handle,
    uint8_t *kcm_cert_data,
    size_t kcm_max_cert_data_size,
    size_t *kcm_actual_cert_data_size);
416 
417 
/**
 * Closes a certificate chain handle.
 *
 * @param[in] kcm_chain_handle Handle to close. It is passed by value, so the
 *                             caller's copy is not cleared by this call and
 *                             should not be reused afterwards.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_cert_chain_close(kcm_cert_chain_handle kcm_chain_handle);
431 
432 
433  /* === Factory Reset === */
434 
443 
444 
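/**
 * Generates a key pair and stores it under the given item names.
 *
 * @param[in] key_scheme           Key scheme to generate (::kcm_crypto_key_scheme_e).
 * @param[in] private_key_name     Name under which the private key is stored.
 * @param[in] private_key_name_len Length of private_key_name.
 * @param[in] public_key_name      Name under which the public key is stored.
 *                                 NOTE(review): whether this may be NULL to
 *                                 skip storing the public key is not visible
 *                                 here - confirm.
 * @param[in] public_key_name_len  Length of public_key_name.
 * @param[in] kcm_item_is_factory  Marks the generated items as factory items.
 * @param[in] kcm_item_info        Security descriptor for the items (an opaque
 *                                 pointer type). NOTE(review): confirm which
 *                                 values the implementation accepts.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_key_pair_generate_and_store(
    const kcm_crypto_key_scheme_e key_scheme,
    const uint8_t *private_key_name,
    size_t private_key_name_len,
    const uint8_t *public_key_name,
    size_t public_key_name_len,
    bool kcm_item_is_factory,
    const kcm_security_desc_s kcm_item_info);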
475 
476 
/**
 * Generates a certificate signing request (CSR) using a stored private key.
 *
 * @param[in]  private_key_name     Name of the stored private key.
 * @param[in]  private_key_name_len Length of private_key_name.
 * @param[in]  csr_params           CSR parameters (::kcm_csr_params_s).
 * @param[out] csr_buff_out         Caller-owned buffer that receives the CSR.
 * @param[in]  csr_buff_max_size    Capacity of csr_buff_out.
 * @param[out] csr_buff_act_size    Receives the actual size of the CSR.
 *
 * NOTE(review): the CSR encoding and the behaviour when csr_buff_max_size is
 * too small are not visible here. Check the returned status before using
 * csr_buff_out.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_csr_generate(
    const uint8_t *private_key_name,
    size_t private_key_name_len,
    const kcm_csr_params_s *csr_params,
    uint8_t *csr_buff_out,
    size_t csr_buff_max_size,
    size_t *csr_buff_act_size);
497 
498 
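/**
 * Generates a key pair, stores it, and produces a certificate signing
 * request (CSR) for it in one call.
 *
 * @param[in]  key_scheme            Key scheme to generate (::kcm_crypto_key_scheme_e).
 * @param[in]  private_key_name      Name under which the private key is stored.
 * @param[in]  private_key_name_len  Length of private_key_name.
 * @param[in]  public_key_name       Name under which the public key is stored.
 *                                   NOTE(review): whether this may be NULL is
 *                                   not visible here - confirm.
 * @param[in]  public_key_name_len   Length of public_key_name.
 * @param[in]  kcm_item_is_factory   Marks the generated items as factory items.
 * @param[in]  csr_params            CSR parameters (::kcm_csr_params_s).
 * @param[out] csr_buff_out          Caller-owned buffer that receives the CSR.
 * @param[in]  csr_buff_max_size     Capacity of csr_buff_out.
 * @param[out] csr_buff_act_size_out Receives the actual size of the CSR.
 * @param[in]  kcm_item_info         Security descriptor for the items (an
 *                                   opaque pointer type). NOTE(review): confirm
 *                                   which values the implementation accepts.
 *
 * NOTE(review): whether the generated keys stay in storage when CSR creation
 * fails is not visible here - confirm before retrying with the same names.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_generate_keys_and_csr(
    kcm_crypto_key_scheme_e key_scheme,
    const uint8_t *private_key_name,
    size_t private_key_name_len,
    const uint8_t *public_key_name,
    size_t public_key_name_len,
    bool kcm_item_is_factory,
    const kcm_csr_params_s *csr_params,
    uint8_t *csr_buff_out,
    size_t csr_buff_max_size,
    size_t *csr_buff_act_size_out,
    const kcm_security_desc_s kcm_item_info);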
539 
/**
 * Verifies a certificate against a stored private key.
 *
 * @param[in] kcm_cert_data         Certificate data to check.
 * @param[in] kcm_cert_data_size    Size of kcm_cert_data.
 * @param[in] kcm_priv_key_name     Name of the stored private key.
 * @param[in] kcm_priv_key_name_len Length of kcm_priv_key_name.
 *
 * NOTE(review): presumably this checks that the certificate's public key
 * matches the private key. It should not be read as validating the issuer,
 * the validity period, or the chain unless the implementation confirms that.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_certificate_verify_with_private_key(
    const uint8_t *kcm_cert_data,
    size_t kcm_cert_data_size,
    const uint8_t *kcm_priv_key_name,
    size_t kcm_priv_key_name_len);
562 
563 
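/**
 * Signs a hash digest with a stored private key.
 *
 * @param[in]  private_key_name            Name of the stored private key.
 * @param[in]  private_key_name_len        Length of private_key_name.
 * @param[in]  hash_digest                 Digest to sign; the caller computes
 *                                         it before this call.
 * @param[in]  hash_digest_size            Size of hash_digest.
 * @param[out] signature_data_out          Caller-owned buffer that receives
 *                                         the signature.
 * @param[in]  signature_data_max_size     Capacity of signature_data_out.
 * @param[out] signature_data_act_size_out Receives the actual signature size.
 *
 * NOTE(review): the signature scheme, its output encoding, and the digest
 * length it expects are not visible here - confirm them so that the digest
 * algorithm used by the caller matches what the verifier expects.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_asymmetric_sign(
    const uint8_t *private_key_name,
    size_t private_key_name_len,
    const uint8_t *hash_digest,
    size_t hash_digest_size,
    uint8_t *signature_data_out,
    size_t signature_data_max_size,
    size_t *signature_data_act_size_out);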
594 
595 
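/**
 * Verifies a signature over a hash digest with a stored public key.
 *
 * @param[in] public_key_name     Name of the stored public key.
 * @param[in] public_key_name_len Length of public_key_name.
 * @param[in] hash_digest         Digest the signature is expected to cover;
 *                                the caller computes it before this call.
 * @param[in] hash_digest_size    Size of hash_digest.
 * @param[in] signature           Signature to verify.
 * @param[in] signature_size      Size of signature.
 *
 * The result is reported only through the return value, so every caller has
 * to check it. An ignored status accepts unverified data.
 *
 * NOTE(review): the expected signature encoding is not visible here - confirm.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_asymmetric_verify(
    const uint8_t *public_key_name,
    size_t public_key_name_len,
    const uint8_t *hash_digest,
    size_t hash_digest_size,
    const uint8_t *signature,
    size_t signature_size);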
625 
/**
 * Fills a caller-supplied buffer with random data.
 *
 * @param[out] buffer      Destination buffer.
 * @param[in]  buffer_size Size of buffer.
 *
 * NOTE(review): the entropy source behind this call is not visible here.
 * Confirm that it is seeded on the target before using the output for keys
 * or nonces, and check the returned status before reading the buffer.
 *
 * @returns
 *     A ::kcm_status_e status code.
 */
kcm_status_e kcm_generate_random(uint8_t *buffer, size_t buffer_size);
640 
641 #ifndef MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
/* Derives a shared secret with the elliptic curve Diffie-Hellman (ECDH)
 * algorithm, using a private key fetched from storage and a public key
 * received from a peer.
 *
 * This is the declaration used when MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
 * is not defined.
 *
 * NOTE(review): the output is the raw ECDH result. Callers would normally
 * pass it through a key derivation function before using it as a key, and
 * wipe the buffer afterwards - confirm against the callers.
 *
 * @param[in]  private_key_name          The private key name to fetch from storage.
 * @param[in]  private_key_name_len      The length of the private key name.
 * @param[in]  peer_public_key           The public key from a peer in DER format.
 * @param[in]  peer_public_key_size      The length of the public key from a peer.
 * @param[out] shared_secret             A pointer to the output shared secret buffer.
 * @param[in]  shared_secret_max_size    The size of the shared secret buffer.
 *                                       Must be at least
 *                                       ::KCM_EC_SECP256R1_SHARED_SECRET_SIZE bytes.
 * @param[out] shared_secret_act_size_out Receives the actual size of the shared secret.
 *
 * @returns
 *     KCM_STATUS_SUCCESS on success.
 *     KCM_STATUS_INVALID_PARAMETER if one of the parameters is illegal.
 *     One of the ::kcm_status_e errors otherwise.
 */
kcm_status_e kcm_ecdh_key_agreement(
    const uint8_t *private_key_name,
    size_t private_key_name_len,
    const uint8_t *peer_public_key,
    size_t peer_public_key_size,
    uint8_t *shared_secret,
    size_t shared_secret_max_size,
    size_t *shared_secret_act_size_out);
666 #else //MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
667 
/* Derives a shared secret with the elliptic curve Diffie-Hellman (ECDH)
 * algorithm, using a private key fetched from storage and a public key
 * received from a peer.
 *
 * This is the declaration used when MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
 * is defined.
 *
 * Limitations to consider:
 * (1) If a secure element exists, this function enables use of a single key
 *     only - ALG_ECDSA(ALG_SHA_256).
 * (2) If PSA and secure element do not exist, this function enables use of
 *     multiple keys, except LPC55S69_NS and CY8CKIT_062_WIFI_BT_PSA targets.
 *
 * NOTE(review): the output is the raw ECDH result. Callers would normally
 * pass it through a key derivation function before using it as a key, and
 * wipe the buffer afterwards - confirm against the callers.
 *
 * @param[in]  private_key_name          The private key name to fetch from storage.
 * @param[in]  private_key_name_len      The length of the private key name.
 * @param[in]  peer_public_key           The public key from a peer in DER format.
 * @param[in]  peer_public_key_size      The length of the public key from a peer.
 * @param[out] shared_secret             A pointer to the output shared secret buffer.
 * @param[in]  shared_secret_max_size    The size of the shared secret buffer.
 *                                       Must be at least
 *                                       ::KCM_EC_SECP256R1_SHARED_SECRET_SIZE bytes.
 * @param[out] shared_secret_act_size_out Receives the actual size of the shared secret.
 *
 * @returns
 *     KCM_STATUS_SUCCESS on success.
 *     KCM_STATUS_INVALID_PARAMETER if one of the parameters is illegal.
 *     One of the ::kcm_status_e errors otherwise.
 *
 * \deprecated for PSA configuration, due to `psa_set_key_enrollment_algorithm()` API deprecation in mbed-crypto that is used by `kcm_ecdh_key_agreement`.
 */
kcm_status_e kcm_ecdh_key_agreement(
    const uint8_t *private_key_name,
    size_t private_key_name_len,
    const uint8_t *peer_public_key,
    size_t peer_public_key_size,
    uint8_t *shared_secret,
    size_t shared_secret_max_size,
    size_t *shared_secret_act_size_out);
697 
698 #endif //MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT
699 
700 #ifdef __cplusplus
701 }
702 #endif
703 
704 #endif //__KEYS_CONFIG_MANAGER_H__
kcm_crypto_key_scheme_e
Definition: kcm_defs.h:74
kcm_status_e kcm_cert_chain_close(kcm_cert_chain_handle kcm_chain_handle)
kcm_status_e kcm_asymmetric_sign(const uint8_t *private_key_name, size_t private_key_name_len, const uint8_t *hash_digest, size_t hash_digest_size, uint8_t *signature_data_out, size_t signature_data_max_size, size_t *signature_data_act_size_out)
Key and configuration manager (KCM) status/error codes. This list may grow as needed.
kcm_status_e kcm_csr_generate(const uint8_t *private_key_name, size_t private_key_name_len, const kcm_csr_params_s *csr_params, uint8_t *csr_buff_out, size_t csr_buff_max_size, size_t *csr_buff_act_size)
kcm_status_e kcm_cert_chain_add_next(kcm_cert_chain_handle kcm_chain_handle, const uint8_t *kcm_cert_data, size_t kcm_cert_data_size)
kcm_status_e kcm_cert_chain_open(kcm_cert_chain_handle *kcm_chain_handle, const uint8_t *kcm_chain_name, size_t kcm_chain_name_len, size_t *kcm_chain_len_out)
uintptr_t kcm_key_handle_t
Definition: kcm_defs.h:88
kcm_status_e kcm_item_delete(const uint8_t *kcm_item_name, size_t kcm_item_name_len, kcm_item_type_e kcm_item_type)
kcm_status_e kcm_finalize(void)
kcm_status_e kcm_item_get_size_and_data(const uint8_t *kcm_item_name, size_t kcm_item_name_len, kcm_item_type_e kcm_item_type, uint8_t **kcm_item_data_out, size_t *kcm_item_data_size_out)
void * kcm_security_desc_s
Definition: kcm_defs.h:94
Definition: kcm_defs.h:104
kcm_status_e kcm_generate_random(uint8_t *buffer, size_t buffer_size)
kcm_status_e kcm_item_get_data(const uint8_t *kcm_item_name, size_t kcm_item_name_len, kcm_item_type_e kcm_item_type, uint8_t *kcm_item_data_out, size_t kcm_item_data_max_size, size_t *kcm_item_data_act_size_out)
kcm_status_e kcm_cert_chain_get_next_size(kcm_cert_chain_handle kcm_chain_handle, size_t *kcm_cert_data_size)
kcm_item_type_e
Definition: kcm_defs.h:34
kcm_status_e kcm_factory_reset(void)
kcm_status_e kcm_item_get_data_size(const uint8_t *kcm_item_name, size_t kcm_item_name_len, kcm_item_type_e kcm_item_type, size_t *kcm_item_data_size_out)
Key and configuration manager (KCM) definitions.
kcm_status_e kcm_item_store(const uint8_t *kcm_item_name, size_t kcm_item_name_len, kcm_item_type_e kcm_item_type, bool kcm_item_is_factory, const uint8_t *kcm_item_data, size_t kcm_item_data_size, const kcm_security_desc_s kcm_item_info)
kcm_status_e kcm_asymmetric_verify(const uint8_t *public_key_name, size_t public_key_name_len, const uint8_t *hash_digest, size_t hash_digest_size, const uint8_t *signature, size_t signature_size)
kcm_status_e
Definition: kcm_status.h:30
kcm_status_e kcm_cert_chain_delete(const uint8_t *kcm_chain_name, size_t kcm_chain_name_len)
kcm_status_e kcm_cert_chain_create(kcm_cert_chain_handle *kcm_chain_handle, const uint8_t *kcm_chain_name, size_t kcm_chain_name_len, size_t kcm_chain_len, bool kcm_chain_is_factory)
kcm_status_e kcm_generate_keys_and_csr(kcm_crypto_key_scheme_e key_scheme, const uint8_t *private_key_name, size_t private_key_name_len, const uint8_t *public_key_name, size_t public_key_name_len, bool kcm_item_is_factory, const kcm_csr_params_s *csr_params, uint8_t *csr_buff_out, size_t csr_buff_max_size, size_t *csr_buff_act_size_out, const kcm_security_desc_s kcm_item_info)
kcm_status_e kcm_init(void)
kcm_status_e kcm_cert_chain_get_next_data(kcm_cert_chain_handle kcm_chain_handle, uint8_t *kcm_cert_data, size_t kcm_max_cert_data_size, size_t *kcm_actual_cert_data_size)
kcm_status_e kcm_certificate_verify_with_private_key(const uint8_t *kcm_cert_data, size_t kcm_cert_data_size, const uint8_t *kcm_priv_key_name, size_t kcm_priv_key_name_len)
kcm_status_e kcm_key_pair_generate_and_store(const kcm_crypto_key_scheme_e key_scheme, const uint8_t *private_key_name, size_t private_key_name_len, const uint8_t *public_key_name, size_t public_key_name_len, bool kcm_item_is_factory, const kcm_security_desc_s kcm_item_info)