2 * @file tlcTeeKeymaster_if.h
3 * @brief Contains TEE Keymaster trustlet connector interface definitions
5 * Copyright Giesecke & Devrient GmbH 2012
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote
16 * products derived from this software without specific prior
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
20 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
21 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
23 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
25 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
27 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
28 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
29 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 #ifndef __TLCTEEKEYMASTERIF_H__
33 #define __TLCTEEKEYMASTERIF_H__
46 #define TEE_RSA_KEY_SIZE_512 512
47 #define TEE_RSA_KEY_SIZE_1024 1024
48 #define TEE_RSA_KEY_SIZE_2048 2048
56 TEE_ERR_INVALID_BUFFER
= 2,
57 TEE_ERR_BUFFER_TOO_SMALL
= 3,
58 TEE_ERR_NOT_IMPLEMENTED
= 4,
60 TEE_ERR_MC_DEVICE
= 6,
61 TEE_ERR_NOTIFICATION
= 7,
64 /* more can be added as required */
68 /* RSA key pair types */
70 TEE_KEYPAIR_RSA
= 1, /**< RSA public and RSA private key. */
71 TEE_KEYPAIR_RSACRT
= 2 /**< RSA public and RSA CRT private key. */
72 } teeRsaKeyPairType_t
;
75 /* Supported RSA signature algorithms */
/* NOTE(review): values 1, 2, 3 and 5 are documented as SHA-1 based. SHA-1 is
 * no longer considered collision resistant, so new signatures should prefer
 * TEE_RSA_SHA256_PSS where the trustlet supports it. */
79 TEE_RSA_SHA_ISO9796
= 1, /**< 20-byte SHA-1 digest, padded according to the ISO 9796-2 scheme as specified in EMV '96 and EMV 2000, encrypted using RSA. */
80 TEE_RSA_SHA_ISO9796_MR
= 2, /**< 20-byte SHA-1 digest, padded according to the ISO9796-2 specification and encrypted using RSA. */
81 TEE_RSA_SHA_PKCS1
= 3, /**< 20-byte SHA-1 digest, padded according to the PKCS#1 (v1.5) scheme, and encrypted using RSA. */
82 TEE_RSA_SHA256_PSS
= 4, /**< SHA-256 digest and PSS padding */
83 TEE_RSA_SHA1_PSS
= 5, /**< SHA-1 digest (per the enumerator name) and PSS padding */
84 TEE_RSA_NODIGEST_NOPADDING
= 6, /**< No digest and no padding (raw RSA on the caller's input).
          NOTE(review): presumably the caller must pass an already hashed and
          padded block, since unpadded RSA signatures offer no forgery
          resistance on their own; confirm against the trustlet. */
97 * RSA private key metadata (Private modulus and exponent lengths)
100 uint32_t lenprimod
; /**< Private key modulus length */
101 uint32_t lenpriexp
; /**< Private key exponent length */
102 } teeRsaPrivKeyMeta_t
;
106 * RSA CRT private key metadata (private modulus, prime factor and CRT parameter lengths)
109 uint32_t lenprimod
; /**< Private key modulus length */
110 uint32_t lenp
; /**< Prime p length */
111 uint32_t lenq
; /**< Prime q length */
112 uint32_t lendp
; /**< DP length */
113 uint32_t lendq
; /**< DQ length */
114 uint32_t lenqinv
; /**< Qinv length (presumably the CRT coefficient; the original comment called it QP) */
115 } teeRsaCrtPrivKeyMeta_t
;
119 * Key metadata (public key hash, key size, modulus/exponent lengths, etc.)
122 uint32_t keytype
; /**< Key type, e.g. RSA */
123 uint32_t keysize
; /**< Key size, e.g. 1024, 2048 */
124 uint32_t lenpubmod
; /**< Public key modulus length */
125 uint32_t lenpubexp
; /**< Public key exponent length */
127 teeRsaPrivKeyMeta_t rsapriv
; /**< RSA private key */
128 teeRsaCrtPrivKeyMeta_t rsacrtpriv
; /**< RSA CRT private key */
130 uint32_t rfu
; /**< Reserved for future use */
131 uint32_t rfulen
; /**< Reserved for future use */
135 * TEE_RSAGenerateKeyPair
137 * Generates RSA key pair and returns key pair data as wrapped object
139 * @param keyType [in] Key pair type. RSA or RSACRT
140 * @param keyData [in] Pointer to the key data buffer
141 * @param keyDataLength [in] Key data buffer length
142 * @param keySize [in] Key size
143 * @param exponent [in] Exponent number
144 * @param soLen [out] Key data secure object length
146 teeResult_t
TEE_RSAGenerateKeyPair(
147 teeRsaKeyPairType_t keyType
,
149 uint32_t keyDataLength
,
158 * Signs given plain data and returns signature data
160 * @param keyData [in] Pointer to key data buffer
161 * @param keyDataLength [in] Key data buffer length
162 * @param plainData [in] Pointer to plain data to be signed
163 * @param plainDataLength [in] Plain data length
164 * @param signatureData [out] Pointer to signature data
165 * @param signatureDataLength [out] Signature data length
166 * @param algorithm [in] RSA signature algorithm
168 teeResult_t
TEE_RSASign(
169 const uint8_t* keyData
,
170 const uint32_t keyDataLength
,
171 const uint8_t* plainData
,
172 const uint32_t plainDataLength
,
173 uint8_t* signatureData
,
174 uint32_t* signatureDataLength
,
175 teeRsaSigAlg_t algorithm
);
181 * Verifies the signature of the given data with the RSA public key and returns the status
183 * @param keyData [in] Pointer to key data buffer
184 * @param keyDataLength [in] Key data buffer length
185 * @param plainData [in] Pointer to plain data whose signature is verified
186 * @param plainDataLength [in] Plain data length
187 * @param signatureData [in] Pointer to signature data
188 * @param signatureDataLength [in] Signature data length
189 * @param algorithm [in] RSA signature algorithm
190 * @param validity [out] Signature validity
192 teeResult_t
TEE_RSAVerify(
193 const uint8_t* keyData
,
194 const uint32_t keyDataLength
,
195 const uint8_t* plainData
,
196 const uint32_t plainDataLength
,
197 const uint8_t* signatureData
,
198 const uint32_t signatureDataLength
,
199 teeRsaSigAlg_t algorithm
,
204 * TEE_HMACKeyGenerate
206 * Generates random key for HMAC calculation and returns key data as wrapped object
209 * @param keyData [out] Pointer to key data
210 * @param keyDataLength [in] Key data buffer length
211 * @param soLen [out] Key data secure object length
213 teeResult_t
TEE_HMACKeyGenerate(
215 uint32_t keyDataLength
,
222 * Signs given plain data and returns HMAC signature data
224 * @param keyData [in] Pointer to key data buffer
225 * @param keyDataLength [in] Key data buffer length
226 * @param plainData [in] Pointer to plain data to be signed
227 * @param plainDataLength [in] Plain data length
228 * @param signatureData [out] Pointer to signature data
229 * @param signatureDataLength [out] Signature data length
230 * @param digest [in] Digest type
232 teeResult_t
TEE_HMACSign(
233 const uint8_t* keyData
,
234 const uint32_t keyDataLength
,
235 const uint8_t* plainData
,
236 const uint32_t plainDataLength
,
237 uint8_t* signatureData
,
238 uint32_t* signatureDataLength
,
245 * Verifies the HMAC signature of the given data with the HMAC key data and returns the status
247 * @param keyData [in] Pointer to key data buffer
248 * @param keyDataLength [in] Key data buffer length
249 * @param plainData [in] Pointer to plain data whose signature is verified
250 * @param plainDataLength [in] Plain data length
251 * @param signatureData [in] Pointer to signature data
252 * @param signatureDataLength [in] Signature data length
253 * @param digest [in] Digest type
254 * @param validity [out] Signature validity
256 teeResult_t
TEE_HMACVerify(
257 const uint8_t* keyData
,
258 const uint32_t keyDataLength
,
259 const uint8_t* plainData
,
260 const uint32_t plainDataLength
,
261 const uint8_t* signatureData
,
262 const uint32_t signatureDataLength
,
270 * Imports key data and returns key data as secure object
272 * Key data needs to be in the following format
275 * |--key metadata--|--public modulus--|--public exponent--|--private exponent--|
278 * |--key metadata--|--public modulus--|--public exponent--|--P--|--Q--|--DP--|--DQ--|--Qinv--|
281 * P: secret prime factor
282 * Q: secret prime factor
287 * @param keyData [in] Pointer to key data
288 * @param keyDataLength [in] Key data length
289 * @param soData [out] Pointer to wrapped key data
290 * @param soDataLength [out] Wrapped key data length
292 teeResult_t
TEE_KeyImport(
293 const uint8_t* keyData
,
294 const uint32_t keyDataLength
,
296 uint32_t* soDataLength
);
302 * Retrieves public key data (modulus and exponent) from wrapped key data
304 * @param keyData [in] Pointer to key data
305 * @param keyDataLength [in] Key data length
306 * @param modulus [out] Pointer to public key modulus data
307 * @param modulusLength [out] Modulus data length
308 * @param exponent [out] Pointer to public key exponent data
309 * @param exponentLength [out] Exponent data length
311 teeResult_t
TEE_GetPubKey(
312 const uint8_t* keyData
,
313 const uint32_t keyDataLength
,
315 uint32_t* modulusLength
,
317 uint32_t* exponentLength
);
324 #endif // __TLCTEEKEYMASTERIF_H__