Software APIs
kdf.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_KDF_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_KDF_H_
7 
8 #include "datatypes.h"
9 #include "mac.h"
10 
11 /**
12  * @file
13  * @brief Key derivation functions for the OpenTitan cryptography library.
14  *
15  * Includes HMAC- and KMAC-based KDFs.
16  */
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif // __cplusplus
21 
22 /**
23  * Performs the key derivation function in counter mode wtih HMAC according to
24  * NIST SP 800-108r1.
25  *
26  * The supported PRF engine for the KDF function is HMAC (since KMAC does not
27  * use the counter mode).
28  *
29  * The caller should allocate and partially populate the `keying_material`
30  * blinded key struct, including populating the key configuration and
31  * allocating space for the keyblob. The caller should indicate the length of
32  * the allocated keyblob; this function will return an error if the keyblob
33  * length does not match expectations. For hardware-backed keys, the keyblob
34  * expectations. If the key is hardware-backed, the caller should pass a fully
35  * populated private key handle such as the kind returned by
36  * `otcrypto_hw_backed_key`. For non-hardware-backed keys, the keyblob should
37  * be twice the length of the key. The value in the `checksum` field of the
38  * blinded key struct will be populated by this function.
39  *
40  * @param key_derivation_key Blinded key derivation key.
41  * @param kdf_label Label string according to SP 800-108r1.
42  * @param kdf_context Context string according to SP 800-108r1.
43  * @param required_byte_len Required length of the derived key in bytes.
44  * @param[out] keying_material Pointer to the blinded keying material to be
45  * populated by this function.
46  * @return Result of the key derivation operation.
47  */
48 otcrypto_status_t otcrypto_kdf_hmac_ctr(
49  const otcrypto_blinded_key_t key_derivation_key,
50  const otcrypto_const_byte_buf_t kdf_label,
51  const otcrypto_const_byte_buf_t kdf_context, size_t required_byte_len,
52  otcrypto_blinded_key_t *keying_material);
53 
54 /**
55  * Performs the key derivation function with single KMAC invocation according to
56  * NIST SP 800-108r1.
57  *
58  * This function initially validates the `key_derivation_key` struct, by
59  * checking for NULL pointers, checking whether key length and its
60  * keyblob_length match each other, verifying its checksum etc. Moreover, its
61  * `hw_backed` field is used to determine whether the derivation key comes from
62  * Keymgr. In that case, this function requests Keymgr to generate the key
63  * according to diversification values passed in keyblob.
64  * (see `keyblob_buffer_to_keymgr_diversification` function in `keyblob.h`).
65  * For non-hardware-backed keys, the keyblob should be twice the length of the
66  * key.
67  *
68  * `kmac_mode` input argument is used to decide whether KMAC128 or KMAC256 is
69  * used and it is also checked against `key_mode` from `key_derivation_key`.
70  *
71  * The produced key is returned in the `keying_material` blinded key struct.
72  * The caller should allocate and partially populate `keying_material`,
73  * including populating the key configuration and allocating space for the
74  * keyblob. The key length is also checked against `required_byte_len`. The
75  * value in the `checksum` field of the blinded key struct will be populated
76  * by this function. The use case where `keying_material` needs to be hw-backed
77  * is not supported by this function, hence `hw_backed` must be set tofalse.
78  * See `otcrypto_hw_backed_key` from `key_transport` for that specific use case.
79  *
80  * Note that it is the responsibility of the user of `keying_material` to
81  * further validate the key configuration. While populating the key, this
82  * function ignores `exportable`, `key_mode`, and `security_level` fields
83  * therefore the users must validate their `keying_material` config before use.
84  *
85  * @param key_derivation_key Blinded key derivation key.
86  * @param kmac_mode Either KMAC128 or KMAC256 as PRF.
87  * @param kdf_label Label string according to SP 800-108r1.
88  * @param kdf_context Context string according to SP 800-108r1.
89  * @param required_byte_len Required length of the derived key in bytes.
90  * @param[out] keying_material Pointer to the blinded keying material to be
91  * populated by this function.
92  * @return Result of the key derivation operation.
93  */
94 otcrypto_status_t otcrypto_kdf_kmac(
95  const otcrypto_blinded_key_t key_derivation_key,
96  otcrypto_kmac_mode_t kmac_mode, const otcrypto_const_byte_buf_t kdf_label,
97  const otcrypto_const_byte_buf_t kdf_context, size_t required_byte_len,
98  otcrypto_blinded_key_t *keying_material);
99 
100 /**
101  * Performs HKDF in one shot, both expand and extract stages.
102  *
103  * HKDF is defined in IETF RFC 5869 and is based on HMAC. The HMAC hash
104  * function is determined by the mode of the key derivation key, e.g. the key
105  * mode `kOtcryptoKeyModeHmacSha256` results in HMAC with SHA-256. The key mode
106  * for the output pseudo-random key (PRK) should match the key mode for the
107  * input key derivation key.
108  *
109  * The caller should allocate and partially populate the `prk` blinded key
110  * struct, including populating the key configuration and allocating space for
111  * the keyblob. The PRK configuration may not indicate a hardware-backed key.
112  * The allocated keyblob length should be twice the length of the hash function
113  * digest length.
114  * The caller should allocate and partially populate the `derived_key` blinded
115  * key struct, including populating the key configuration and allocating space
116  * for the keyblob. The key configuration may not indicate a hardware-backed
117  * key. The allocated keyblob length should be twice the key length indicated
118  * in the key configuration, and this key length must not be longer than
119  * 255*<length of hash digest> as per the RFC.
120  *
121  * @param key_derivation_key Blinded key derivation key.
122  * @param salt Salt value (optional, may be empty).
123  * @param info Context-specific string (optional, may be empty).
124  * @param[out] derived_key Derived keying material.
125  * @return Result of the key derivation operation.
126  */
127 otcrypto_status_t otcrypto_kdf_hkdf(
128  const otcrypto_blinded_key_t key_derivation_key,
129  otcrypto_const_byte_buf_t salt, otcrypto_const_byte_buf_t info,
130  otcrypto_blinded_key_t *derived_key);
131 
132 /**
133  * Performs the "extract" step of HKDF.
134  *
135  * HKDF is defined in IETF RFC 5869 and is based on HMAC. The HMAC hash
136  * function is determined by the mode of the key derivation key, e.g. the key
137  * mode `kOtcryptoKeyModeHmacSha256` results in HMAC with SHA-256. The key mode
138  * for the output pseudo-random key (PRK) should match the key mode for the
139  * input key derivation key.
140  *
141  * The resulting pseudo-random key is then input for the "expand" step of HKDF.
142  * The length of PRK is the same as the digest length for the specified hash
143  * function (e.g. 256 bits for SHA-256).
144  *
145  * The caller should allocate and partially populate the `prk` blinded key
146  * struct, including populating the key configuration and allocating space for
147  * the keyblob. The PRK configuration may not indicate a hardware-backed key.
148  * The allocated keyblob length should be twice the length of the hash function
149  * digest length.
150  *
151  * @param ikm Blinded input key material.
152  * @param salt Salt value (optional, may be empty).
153  * @param[out] prk Extracted pseudo-random key.
154  * @return Result of the key derivation operation.
155  */
156 otcrypto_status_t otcrypto_kdf_hkdf_extract(const otcrypto_blinded_key_t ikm,
157  otcrypto_const_byte_buf_t salt,
158  otcrypto_blinded_key_t *prk);
159 
160 /**
161  * Performs the "expand" step of HKDF.
162  *
163  * HKDF is defined in IETF RFC 5869 and is based on HMAC. The HMAC hash
164  * function is inferred from the key mode of the pseudo-random key (PRK).
165  *
166  * The input pseudo-random key should be generated from the "extract" step of
167  * HKDF. Its length should always be the same as the digest length of the hash
168  * function.
169  *
170  * The caller should allocate and partially populate the `okm` blinded key
171  * struct, including populating the key configuration and allocating space for
172  * the keyblob. The key configuration may not indicate a hardware-backed key.
173  * The allocated keyblob length should be twice the key length indicated in the
174  * key configuration, and this key length must not be longer than 255*<length
175  * of hash digest> as per the RFC.
176  *
177  * @param prk Pseudo-random key from HKDF-extract.
178  * @param info Context-specific string (optional).
179  * @param[out] okm Blinded output key material.
180  * @return Result of the key derivation operation.
181  */
182 otcrypto_status_t otcrypto_kdf_hkdf_expand(const otcrypto_blinded_key_t prk,
183  otcrypto_const_byte_buf_t info,
184  otcrypto_blinded_key_t *okm);
185 
186 #ifdef __cplusplus
187 } // extern "C"
188 #endif // __cplusplus
189 
190 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_KDF_H_
Return to OpenTitan Documentation