Software APIs
key_transport.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_KEY_TRANSPORT_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_KEY_TRANSPORT_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief Key import/export for the OpenTitan cryptography library.
13  *
14  * These functions allow library users to translate to and from the crypto
15  * library's key representations.
16  */
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif // __cplusplus
21 
22 /**
23  * Generates a new, random symmetric key.
24  *
25  * Use this only for symmetric algorithms (e.g. AES, HMAC, KMAC). Asymmetric
26  * algorithms (e.g. ECDSA, RSA) have their own specialized key-generation
27  * routines. Cannot be used for hardware-backed keys; use
28  * `otcrypto_hw_backed_key` instead to generate these.
29  *
30  * The caller should allocate space for the keyblob and populate the blinded
31  * key struct with the length of the keyblob, the pointer to the keyblob
32  * buffer, and the key configuration. The value in the `checksum` field of
33  * the blinded key struct will be populated by the key generation function.
34  * The keyblob should be twice the length of the unblinded key. This function
35  * will return an error if the keyblob length does not match expectations based
36  * on the key mode and configuration.
37  *
38  * The keyblob should be twice the length of the key. The caller only needs to
39  * allocate the keyblob, not populate it.
40  *
41  * The personalization string may empty, and may be up to 48 bytes long; any
42  * longer will result in an error. It is passed as an extra seed input to the
43  * DRBG, in addition to the hardware TRNG.
44  *
45  * @param perso_string Optional personalization string to be passed to DRBG.
46  * @param[out] key Destination blinded key struct.
47  * @return The result of the operation.
48  */
49 OT_WARN_UNUSED_RESULT
50 otcrypto_status_t otcrypto_symmetric_keygen(
51  otcrypto_const_byte_buf_t perso_string, otcrypto_blinded_key_t *key);
52 
53 /**
54  * Creates a handle for a hardware-backed key.
55  *
56  * This routine may be used for both symmetric and asymmetric algorithms, since
57  * conceptually it only creates some data that the key manager can use to
58  * generate key material at the time of use. However, not all algorithms are
59  * suitable for hardware-backed keys (for example, RSA is not suitable), so
60  * some choices of algorithm may result in errors.
61  *
62  * The caller should partially populate the blinded key struct; they should set
63  * the full key configuration and the keyblob length (always 32 bytes), and
64  * then allocate 32 bytes of space for the keyblob and set the keyblob pointer.
65  *
66  * This function will populate the `checksum` field and copy the salt/version
67  * data into the keyblob buffer in the specific order that the rest of
68  * cryptolib expects.
69  *
70  * @param version Key version.
71  * @param salt Key salt (diversification data for KDF).
72  * @param[out] key Destination blinded key struct.
73  * @return The result of the operation.
74  */
75 OT_WARN_UNUSED_RESULT
76 otcrypto_status_t otcrypto_hw_backed_key(uint32_t version,
77  const uint32_t salt[7],
78  otcrypto_blinded_key_t *key);
79 
80 /**
81  * Returns the length that the blinded key will have once wrapped.
82  *
83  * @param config Key configuration.
84  * @param[out] wrapped_num_words Number of 32b words for the wrapped key.
85  * @return Result of the operation.
86  */
87 OT_WARN_UNUSED_RESULT
88 otcrypto_status_t otcrypto_wrapped_key_len(const otcrypto_key_config_t config,
89  size_t *wrapped_num_words);
90 
91 /**
92  * Wraps (encrypts) a secret key.
93  *
94  * The key wrap function uses AES-KWP (key wrapping with padding), an
95  * authenticated encryption mode designed for encrypting key material.
96  *
97  * The caller should allocate space for the `wrapped_key` buffer according to
98  * `otcrypto_wrapped_key_len`, and set the length of expected output in the
99  * `len` field of `wrapped_key`. If the user-set length and the output length
100  * do not match, an error message will be returned.
101  *
102  * The blinded key struct to wrap must be 32-bit aligned.
103  *
104  * @param key_to_wrap Blinded key that will be encrypted.
105  * @param key_kek AES-KWP key used to encrypt `key_to_wrap`.
106  * @param[out] wrapped_key Encrypted key data.
107  * @return Result of the wrap operation.
108  */
109 OT_WARN_UNUSED_RESULT
110 otcrypto_status_t otcrypto_key_wrap(const otcrypto_blinded_key_t *key_to_wrap,
111  const otcrypto_blinded_key_t *key_kek,
112  otcrypto_word32_buf_t wrapped_key);
113 
114 /**
115  * Unwraps (decrypts) a secret key.
116  *
117  * The key unwrap function uses AES-KWP (key wrapping with padding), an
118  * authenticated encryption mode designed for encrypting key material.
119  *
120  * The caller must allocate space for the keyblob and set the keyblob-length
121  * and keyblob fields in `unwrapped_key` accordingly. If there is not enough
122  * space in the keyblob, this function will return an error. Too much space in
123  * the keyblob is okay; this function will write to the first part of the
124  * keyblob buffer and set the keyblob length field to the correct exact value
125  * for the unwrapped key, at which point it is safe to check the new length and
126  * free the remaining keyblob memory. It is always safe to allocate a keyblob
127  * the same size as the wrapped key; this will always be enough space by
128  * definition.
129  *
130  * The caller does not need to populate the blinded key configuration, since
131  * this information is encrypted along with the key. However, the caller may
132  * want to check that the configuration matches expectations.
133  *
134  * An OK status from this function does NOT necessarily mean that unwrapping
135  * succeeded; the caller must check both the returned status and the `success`
136  * parameter before reading the unwrapped key.
137  *
138  * @param wrapped_key Encrypted key data.
139  * @param key_kek AES-KWP key used to decrypt `wrapped_key`.
140  * @param[out] success Whether the wrapped key was valid.
141  * @param[out] unwrapped_key Decrypted key data.
142  * @return Result of the aes-kwp unwrap operation.
143  */
144 OT_WARN_UNUSED_RESULT
145 otcrypto_status_t otcrypto_key_unwrap(otcrypto_const_word32_buf_t wrapped_key,
146  const otcrypto_blinded_key_t *key_kek,
147  hardened_bool_t *success,
148  otcrypto_blinded_key_t *unwrapped_key);
149 
150 /**
151  * Creates a blinded key struct from masked key material.
152  *
153  * The caller should allocate and partially populate the blinded key struct,
154  * including populating the key configuration and allocating space for the
155  * keyblob. The keyblob should be twice the length of the user key.
156  * Hardware-backed and asymmetric (ECC or RSA) keys cannot be imported this
157  * way. For asymmetric keys, use algorithm-specific key construction methods.
158  *
159  * This function will copy the data from the shares into the keyblob; it is
160  * safe to free `key_share0` and `key_share1` after this call.
161  *
162  * @param key_share0 First share of the user provided key.
163  * @param key_share1 Second share of the user provided key.
164  * @param[out] blinded_key Generated blinded key struct.
165  * @return Result of the blinded key import operation.
166  */
167 OT_WARN_UNUSED_RESULT
168 otcrypto_status_t otcrypto_import_blinded_key(
169  const otcrypto_const_word32_buf_t key_share0,
170  const otcrypto_const_word32_buf_t key_share1,
171  otcrypto_blinded_key_t *blinded_key);
172 
173 /**
174  * Exports a blinded key to the user provided key buffer, in shares.
175  *
176  * This function will copy data from the keyblob into the shares; after the
177  * call, it is safe to free the blinded key and the data pointed to by
178  * `blinded_key.keyblob`.
179  *
180  * Hardware-backed, non-exportable, and asymmetric (ECC or RSA) keys cannot be
181  * exported this way. For asymmetric keys, use an algorithm-specific funtion.
182  *
183  * @param blinded_key Blinded key struct to be exported.
184  * @param[out] key_share0 First share of the blinded key.
185  * @param[out] key_share1 Second share of the blinded key.
186  * @return Result of the blinded key export operation.
187  */
188 OT_WARN_UNUSED_RESULT
189 otcrypto_status_t otcrypto_export_blinded_key(
190  const otcrypto_blinded_key_t blinded_key, otcrypto_word32_buf_t key_share0,
191  otcrypto_word32_buf_t key_share1);
192 
193 #ifdef __cplusplus
194 } // extern "C"
195 #endif // __cplusplus
196 
197 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_KEY_TRANSPORT_H_
Return to OpenTitan Documentation