diff --git a/en/application-dev/security/huks-overview.md b/en/application-dev/security/huks-overview.md index 18a1a076bf7d33aa9f5178b9f9edded37cfc862b..b51c57abae53c09f8b4cf61b536d6b6f97bda45d 100644 --- a/en/application-dev/security/huks-overview.md +++ b/en/application-dev/security/huks-overview.md @@ -23,29 +23,29 @@ Before using the HUKS for development, you are advised to understand the followi - HUKS Core - HUKS Core is a core component that implements functions, including cryptographic calculation of keys, encryption and decryption of plaintext keys, and key access control. Generally, it runs in a secure environment (such as the TEE or security chip) of the device to ensure that the keys in plaintext are always in the HUKS Core. + HUKS Core is a core component that implements functions, including cryptographic calculation of keys, encryption and decryption of plaintext keys, and key access control. Generally, it runs in a secure environment such as a Trusted Execution Environment (TEE) or a secure chipset of the device to ensure that the keys in plaintext are always in the HUKS Core. - Key session - A key session holds information about the key operation date, key information, and access control attributes when a key is used. You need to pass in a key alias to create a session for the key. The HUKS generates a globally unique handle for each session. A general key operation involves creating a session, passing in data and parameters, and finalizing the session (or aborting the session). + A key session holds the key information, including the key operation data, key properties, and access control attributes, when a key is used. You need to pass in a key alias to create a session for the key. The HUKS generates a globally unique handle for each session. A general key operation involves creating a session, passing in data and parameters, and finishing the session (or aborting the session). ## Working Principles The security design of the HUKS includes the following: -- Always keep keys in a secure environment. +- Keys in a secure environment in lifecycle In the lifecycle of a key, the plaintext will never be exposed outside the HUKS Core. For the devices with a Trusted Execution Environment (TEE) or secure chipset, the HUKS Core runs in the TEE or secure chipset. This prevents the key plaintext from being disclosed even if the Rich Execution Environment (REE) is cracked. -- Encrypt keys for storage. +- Encrypted keys for storage The service keys are encrypted based on the device root key. Some keys can be protected by passwords if the devices support this feature. -- Apply strict access control over keys. +- Strict access control over keys Only authorized services can access keys. For security-sensitive services, user identity authentication can be enabled for key access. -- Provide key attestation. +- Key attestation - The HUKS provides attestation for hardware-backed key storage. It proves that the key has not been tampered with, is stored in the hardware-backed HUKS Core, and has correct key attributes. + The HUKS provides attestation for hardware-backed key storage. It proves that the key has not been tampered with, is stored in the hardware-backed HUKS Core, and has correct key properties. A key session is the basis for key operations in the HUKS. It initializes key information and caches the service data. Cryptographic operations on data and encryption and decryption are performed in the HUKS Core for security purposes. diff --git a/en/device-dev/subsystems/figures/HUKS-architecture.png b/en/device-dev/subsystems/figures/HUKS-architecture.png new file mode 100644 index 0000000000000000000000000000000000000000..3cb0916925b1737af0c69cb082ec91ad20fb66c1 Binary files /dev/null and b/en/device-dev/subsystems/figures/HUKS-architecture.png differ diff --git a/en/device-dev/subsystems/subsys-security-huks-guide.md b/en/device-dev/subsystems/subsys-security-huks-guide.md index 3f315b54ce4e2b57b03b89c1a4b9828ba2b0932a..d9cd48403f47fda888f4c27ab43cc96a36ad87e6 100644 --- a/en/device-dev/subsystems/subsys-security-huks-guide.md +++ b/en/device-dev/subsystems/subsys-security-huks-guide.md @@ -1,159 +1,213 @@ -# Development on HUKS +# HUKS Development ## Overview -### Introduction +### HUKS -OpenHarmony Universal KeyStore (HUKS) provides system-level key management capabilities, ensuring secure management and use of keys throughout their lifecycle (generation, storage, use, and destruction). The environment where a key is stored and used is of the most importance to key security. For example, the key in plaintext must be used in a secure environment, such as a Trusted Execution Environment (TEE) or security chip. This document describes how to configure a secure environment based on the HUKS architecture and how to verify the configuration. +OpenHarmony Universal KeyStore (HUKS) provides lifecycle key management from key generation, storage, use to destruction and attestation for the keys stored in the HUKS. In the HUKS hierarchical architecture, the HUKS core layer (HUKS Core) at the bottom implements key management functions and runs in a secure hardware environment, such as a Trusted Execution Environment (TEE) or secure chipset. The implementation of the HUKS core layer varies depending on the secure hardware environment of the vendor. To ensure consistency of the architecture and interfaces between the service layer and application layer, the HUKS core layer defines a set of Hardware Device Interface (HDI) APIs. -HUKS supports key lifecycle management, which covers the following: +This document describes how to develop the HUKS core layer functions using the HUKS HDI APIs. -- Key generation and import +The HUKS core layer is supposed to support the following functions: -- Key storage +- Generation of keys. -- Key use (including encryption and decryption, signing and verification, key derivation and agreement, hash, and key access control) +- Import of keys. -- Key destruction +- Key operations, including encryption and decryption, signing and signature verification, key derivation, key agreement, and generation of message authentication codes (MACs). -### Basic Concepts +- Key access control. + +- Key attestation. -- HUKS Service +- Export of the public key from a chipset. - An independent OpenHarmony service that supports key management. It belongs to the huks_service process. Instead of handling key calculation, the HUKS Service depends on the HUKS Core to provide services for the upper layer. +### Basic Concepts - HUKS Core + + HUKS Core is a core component that implements functions, including cryptographic calculation of keys, encryption and decryption, and key access control. Generally, it runs in a secure environment (such as a TEE or secure chipset) of a device to ensure that the keys in plaintext are never exposed outside the HUKS Core. + +- Key session + + A key session holds the key information, including the key operation data, key properties, and access control attributes, when a key is used. You need to pass in a key alias to create a session for the key. The HUKS generates a globally unique handle for each session. A general key operation involves creating a session, passing in data and parameters, and finishing the session (or aborting the session). - A functional module that provides the key management service. This module must run in a secure environment, and the keys in plaintext must be kept inside the HUKS Core module throughout the lifecycle. - TEE - A secure area created by isolating software and hardware resources to protect the applications and data in the secure area from unauthorized access. This isolation mechanism yields two execution environments: TEE and Rich Execution Environment (REE). Each execution environment has independent internal data path and memory, protecting the data inside the TEEs from being disclosed. The applications in an REE cannot access resources in a TEE. The applications in a TEE cannot access resources in another TEE without authorization. + A TEE is a secure area created by isolating software and hardware resources to protect the applications and data in the secure area from unauthorized access. This isolation mechanism yields two execution environments: TEE and Rich Execution Environment (REE). Each execution environment has independent internal data path and memory, protecting the data inside the TEE from being disclosed. The applications in an REE cannot access resources in a TEE. The applications in a TEE cannot access resources in another TEE without authorization. + + +## Working Principles + +The HUKS is divided into the following layers: + +- Application layer: provides APIs for applications. +- Service layer: processes key management requests from applications and performs key ciphertext management, identity verification, and key session management. +- Core layer: implements core functions, such as key generation, key operations, key access control, and key attestation. + +**Figure 1** HUKS architecture -- Init-Update-Finish +![huks_architect](./figures/HUKS-architecture.png) - **Init**: initializes data for a key operation. +## Constraints - **Update**: operates data by segment and returns the result, or appends data. + - Keys in a secure environment in lifecycle - **Finish**: finalizes the **Update** operation, and returns the result. + In the lifecycle of a key, the plaintext will never be exposed outside the HUKS Core. For the devices with a TEE or secure chipset, the HUKS Core runs in the TEE or secure chipset. This prevents the key plaintext from being disclosed even if the REE is cracked. That is why the key materials used in all HUKS passthrough HDI APIs are in ciphertext. -### Working Principles +- Encrypted keys for storage -The following uses the key generation process as an example to describe the communication between the HUKS Service and HUKS Core. Other key operations are similar. -The upper-layer application invokes the HUKS Service through the key management SDK. The HUKS Service invokes the HUKS Core, which invokes the key management module to generate a key. The HUKS Core uses a work key derived from the root key to encrypt the generated key and sends the encrypted key to the HUKS Service. The HUKS Service stores the encrypted key in a file. + The service keys are encrypted based on the device root key. If supported by the device, certain keys can be further protected by a password. -![](figures/HUKS-GenerateKey1.png) +- Strict access control over keys -### Constraints + Only authorized services can access keys. For security-critical services, user identity authentication can be enabled for key access. + +- Key attestation -* HUKS must be implemented in a TEE for security purposes. + The HUKS provides attestation for hardware-backed key storage. It proves that the key has not been tampered with, is stored in the hardware-backed HUKS Core, and has correct key properties. -* The certificate chain returned by **HuksHdiAttestKey** must be in the sequence of the application certificate, device certificate, CA certificate, and root certificate, with the certificate length added before each certificate. The certificate chain and its length are assembled in the binary large object (BLOB) format. If you want to define the certificate format, the format must be the same as that parsed by the server. +- Key material format + + When a key (key pair, public key, or private key) is imported or exported, the key material format must meet HUKS requirements. For details, see [Key Material Formats](../../application-dev/security/huks-appendix.md#key-material-formats). -![CertChain format](figures/HUKS-CertChain.png) +- Certificate chain format -* The key returned by the API must be assembled into a **KeyBlob** based on the key storage status. For details about the APIs that must comply with this constraint, see [Available APIs](#available-apis). + The certificate chain returned by **AttestKey()** must be assembled in the sequence of the application certificate, device certificate, CA certificate, and root certificate, with the certificate length added before each certificate. The certificate chain and its length are in the binary large object (BLOB) format. If you want to define the certificate format, the format must be the same as that parsed by the server. - The **KeyBlob** stores both the key and its attributes. The figure below shows the **KeyBlob** structure. For details about how to construct a **KeyBlob**, see [hks_keyblob.c/HksBuildKeyBlob](https://gitee.com/openharmony/security_huks/blob/master/services/huks_standard/huks_engine/main/core/src/hks_keyblob.c). + ![CertChain format](figures/HUKS-CertChain.png) -![KeyBlob format](figures/HUKS-KeyBlob.png) +- KeyBlob + -## Development Guidelines +The key returned by the APIs must be assembled into a **KeyBlob** based on the key storage status. For details about the APIs that must comply with this constraint, see [Available APIs](#available-apis). + + ![KeyBlob format](figures/HUKS-KeyBlob.png) + +## How to Develop ### When to Use -The HUKS Core provides KeyStore (KS) capabilities for applications, including key management and key cryptography operations. If you want to replace the HUKS Core with your own implementation, you need to implement the following APIs: +The HUKS Core provides KeyStore capabilities for applications, including key management and cryptographic operations. If you want to replace the HUKS Core with your own implementation, you need to implement the following APIs. ### Available APIs **Table 1** Available APIs -| API | Description | Constraints | Corresponding JS API | +| API | Description | Constraints | JS API | | ------------------------------------------------------------ | ---------------------------------------- | ----------------------------- | ------------------------------------------------------------ | -| [HuksHdiModuleInit()](#hukshdimoduleinit) | Initializes the HUKS Core. | – | –| -| [HuksHdiRefresh()](#hukshdirefresh) | Refreshes the root key. | – | –| -| [HuksHdiGenerateKey()](#hukshdigeneratekey) | Generates a key. | The key generated must be in the **KeyBlob** format. |generateKey(keyAlias: string, options: HuksOptions)| -| [HuksHdiImportKey()](#hukshdiimportkey) | Imports a key in plaintext. | The output parameter must be in the **KeyBlob** format. | importKey(keyAlias: string, options: HuksOptions)| -| [HuksHdiImportWrappedKey()](#hukshdiimportwrappedkey) |Imports an encrypted key. | The output parameter must be in the **KeyBlob** format. | importWrappedKey(keyAlias: string, wrappingKeyAlias: string, options: HuksOptions)| -| [HuksHdiExportPublicKey()](#hukshdiexportpublickey) | Exports a public key. |– | exportKey(keyAlias: string, options: HuksOptions) | -| [HuksHdiInit()](#hukshdiinit) | Initializes data for a key operation. This API is of the Init-Update-Final model. |– | init(keyAlias: string, options: HuksOptions) | -| [HuksHdiUpdate()](#hukshdiupdate) | Operates data by segment or appends data for the key operation. This API is of the Init-Update-Final model. |The input parameter for signing and signature verification must be the raw data. | update(handle: number, token?: Uint8Array, options: HuksOptions) | -| [HuksHdiFinish()](#hukshdifinish) | Finalizes the key operation. This API is of the Init-Update-Final model. |The input parameter for signing and signature verification must be the signed data. | finish(handle: number, options: HuksOptions) | -| [HuksHdiAbort()](#hukshdiabort) | Aborts Init-Update-Finish. |– | abort(handle: number, options: HuksOptions) | -| [HuksHdiGetKeyProperties()](#hukshdigetkeyproperties) | Obtains key properties. |– | getKeyProperties(keyAlias: string, options: HuksOptions)| -| [HuksHdiAttestKey()](#hukshdiattestkey) | Obtains the key certificate. |The output parameter must be in the **certChain** format. | attestKey(keyAlias: string, options: HuksOptions)| -| [HuksHdiExportChipsetPlatformPublicKey()](#hukshdiexportchipsetplatformpublickey) | Exports the public key of a chipset key pair. | The output parameters are the raw data of ECC P-256 x-axis and y-axis values, each of which are of 32 bytes. | –| -| [HuksHdiUpgradeKey()](#hukshdiupgradekey) | Updates the key file. | – | –| +| [ModuleInit()](#moduleinit) | Initializes the HUKS Core. | N/A | N/A| +| [ModuleDestroy()](#moduledestroy) | Destroys the HUKS Core. | N/A | N/A| +| [GenerateKey()](#generatekey) | Generates a key based on the cryptographic algorithm parameters. | The key output must be in the **KeyBlob** format. |generateKey(keyAlias: string, options: HuksOptions)| +| [ImportKey()](#importkey) | Imports a key in plaintext. | The key output must be in the **KeyBlob** format. | importKey(keyAlias: string, options: HuksOptions)| +| [ImportWrappedKey()](#importwrappedkey) |Imports a wrapped (encrypted) key. | The key output must be in the **KeyBlob** format. | importWrappedKey(keyAlias: string, wrappingKeyAlias: string, options: HuksOptions)| +| [ExportPublicKey()](#exportpublickey) | Exports the public key of a key pair. |N/A | exportKey(keyAlias: string, options: HuksOptions) | +| [Init()](#init) | Initializes a key session. This API returns a key session handle and an authentication token (optional). |N/A | init(keyAlias: string, options: HuksOptions) | +| [Update()](#update) | Updates key operation data. |The input parameters for signature verification must be the raw data. | update(handle: number, token?: Uint8Array, options: HuksOptions) | +| [Finish()](#finish) | Finishes a key session. |The input parameter for signature verification must be the signed data. | finish(handle: number, options: HuksOptions) | +| [Abort()](#abort) | Aborts a key session. |N/A | abort(handle: number, options: HuksOptions) | +| [CheckKeyValidity()](#checkkeyvalidity) | Checks the key material (ciphertext) validity. |N/A | N/A| +| [AttestKey()](#attestkey) | Attests a key. |The output parameter must be in the certificate chain format. | attestKey(keyAlias: string, options: HuksOptions)| +| [ExportChipsetPlatformPublicKey()](#exportchipsetplatformpublickey) | Exports the public key of a chipset key pair. | The output parameters are the raw data of ECC P-256 x-axis and y-axis values, each of which are of 32 bytes. | N/A| +| [UpgradeKey()](#upgradekey) | Updates the key file. | N/A | N/A| +| [GenerateRandom()](#generaterandom) | Generates a random number. | N/A | N/A| +| [Encrypt()](#encrypt) | Encrypts data. | N/A | N/A| +| [Decrypt()](#decrypt) | Decrypts data. | N/A | N/A| +| [Sign()](#sign) | Signs data. | N/A | N/A| +| [Verify()](#verify) | Verifies a signature. | N/A | N/A| +| [AgreeKey()](#agreekey) | Performs key agreement. | N/A | N/A| +| [DeriveKey()](#derivekey) | Derives a key. | N/A | N/A| +| [Mac()](#mac) | Generates a MAC. | N/A | N/A| - - - -#### HuksHdiModuleInit +#### ModuleInit **API Description** -Initializes the HUKS Core, including the lock, encryption algorithm library, authtoken key, and root key. +Initializes the HUKS Core. You can use this API to initialize global variables, such as the global thread locks, algorithm library, and the AuthToken key and root key used for access control. **Prototype** -
int32_t HuksHdiModuleInit();
+int32_t ModuleInit(struct IHuks *self);
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
int32_t HuksHdiRefresh();
+int32_t ModuleDestroy(struct IHuks *self);
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
int32_t HuksHdiGenerateKey(const struct HksBlob *keyAlias, const struct HksParamSet *paramSet, const struct HksBlob *keyIn, struct HksBlob *keyOut);
+int32_t GenerateKey(struct IHuks *self, const struct HuksBlob *keyAlias, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *keyIn, struct HuksBlob *encKeyOut);
- const struct HksBlob *keyAlias + struct IHuks *self + Pointer to the HUKS HDI struct. +
+ const struct HuksBlob *keyAlias Pointer to the alias of the key to generate. The value must meet the following requirements: 1. keyAlias != null 2. keyAlias -> data != null - 3. keyAlias -> size != 0 + 3. keyAlias -> dataLen != 0
- const struct HksParamSet *paramSet + const struct HuksParamSet *paramSet Pointer to the parameters for generating the key.
- const struct HksBlob *keyIn - This parameter is used in key agreement. + const struct HuksBlob *keyIn + Pointer to the original key material to be passed in if the key is generated through key agreement or key derivation. This parameter is optional.
- struct HksBlob *keyOut - Pointer to the output parameter, which holds **paramSet** and the key generated. + struct HuksBlob *encKeyOut + Pointer to the key generated in ciphertext. It holds the **paramSet** and the key ciphertext in the KeyBlob format.
int32_t HuksHdiImportKey(const struct HksBlob *keyAlias, const struct HksBlob *key, const struct HksParamSet *paramSet, struct HksBlob *keyOut);
+int32_t ImportKey(struct IHuks *self, const struct HuksBlob *keyAlias, const struct HuksBlob *key,
+ const struct HuksParamSet *paramSet, struct HuksBlob *encKeyOut);
- const struct HksBlob *msg - Pointer to the alias of the key to import. The value must meet the following requirements: + struct IHuks *self + Pointer to the HUKS HDI struct. +
+ const struct HuksBlob *keyAlias + Pointer to the alias of the key to import. The alias must meet the following requirements: 1. keyAlias != null 2. keyAlias -> data != null - 3. keyAlias -> size != 0 + 3. keyAlias -> dataLen != 0
- const struct HksBlob *key - Pointer to the key to import. The value must meet the following requirements: + const struct HuksBlob *key + Pointer to the plaintext key material to import. For details about the key material format, see Key Material Formats. The value must meet the following requirements: 1. key != null 2. key -> data != null - 3. key -> size != 0 -
- const struct HksParamSet *paramSet - Pointer to the parameters for importing the key. + 3. key -> dataLen != 0
- struct HksBlob *keyOut - Pointer to the output parameter, which holds **paramSet** and the key imported. + const struct HuksParamSet *paramSet + Pointer to the parameters of the key to import.
+ struct HuksBlob *encKeyOut + Pointer to the imported key in ciphertext. It holds the **paramSet** and the imported key ciphertext in the KeyBlob format.
int32_t HuksHdiImportWrappedKey(const struct HksBlob *keyAlias, const struct HksBlob *wrappingUsedkey, const struct HksBlob *wrappedKeyData, const struct HksParamSet *paramSet, struct HksBlob *keyOut);
+int32_t ImportWrappedKey(struct IHuks *self, const struct HuksBlob *wrappingKeyAlias,
+ const struct HuksBlob *wrappingEncKey, const struct HuksBlob *wrappedKeyData, const struct HuksParamSet *paramSet,
+ struct HuksBlob *encKeyOut);
- const struct HksBlob *KeyAlias - Pointer to the alias of the key to import. The value must meet the following requirements: - 1. keyAlias != null - 2. keyAlias -> data != null - 3. keyAlias -> size != 0 + struct IHuks *self + Pointer to the HUKS HDI struct. +
+ const struct HuksBlob *wrappingKeyAlias + Pointer to the alias of the key used to encrypt the key to import (it is not the alias of the key to import). The value must meet the following requirements: + 1. wrappingKeyAlias != null + 2. wrappingKeyAlias -> data != null + 3. wrappingKeyAlias -> dataLen != 0
- const struct HksBlob *key + const struct HuksBlob *wrappingEncKey Pointer to the key used to encrypt the key to import. The value must meet the following requirements: - 1. wrappingUsedkey != null - 2. wrappingUsedkey -> data != null - 3. wrappingUsedkey -> size != 0 + 1. wrappingEncKey != null + 2. wrappingEncKey -> data != null + 3. wrappingEncKey -> dataLen != 0
- const struct HksBlob *wrappedKeyData - Pointer to the encrypted data of the key to import. The value must meet the following requirements: + const struct HuksBlob *wrappedKeyData + Pointer to the key material of the key to import. For details abut the key material format, see Importing a Key Securely. The value must meet the following requirements: 1. wrappedKeyData != null 2. wrappedKeyData -> data != null - 3. wrappedKeyData -> size != 0 + 3. wrappedKeyData -> dataLen != 0
- const struct HksParamSet *paramSet - Pointer to the parameters for importing the key. + const struct HuksParamSet *paramSet + Pointer to the properties of the key to import.
- struct HksBlob *keyOut - Pointer to the output parameter, which holds **paramSet** and the key imported. + struct HuksBlob *encKeyOut + Pointer to the imported key material (ciphertext) in the KeyBlob format.
int32_t HuksHdiExportPublicKey(const struct HksBlob *key, const struct HksParamSet *paramSet, struct HksBlob *keyOut);
+int32_t ExportPublicKey(struct IHuks *self, const struct HuksBlob *encKey,
+ const struct HuksParamSet *paramSet, struct HuksBlob *keyOut);
- const struct HksBlob *key - Pointer to the private key corresponding to the public key to export. The value must meet the following requirements: - 1. key != null - 2. key -> data != null - 3. key -> size != 0 + struct IHuks *self + Pointer to the HUKS HDI struct. +
+ const struct HuksBlob *encKey + Pointer to the key pair material. The value must meet the following requirements: + 1. encKey != null + 2. encKey -> data != null + 3. encKey -> dataLen != 0
- const struct HksParamSet *paramSet - Pointer to the parameter set, which is empty. + const struct HuksParamSet *paramSet + Pointer to the parameters for exporting the public key. By default, this parameter is left blank.
- struct HksBlob *keyOut - Pointer to the output parameter, which holds the public key exported. + struct HuksBlob *keyOut + Pointer to the public key exported.
int32_t HuksHdiInit(const struct HksBlob *key, const struct HksParamSet *paramSet, struct HksBlob *handle, struct HksBlob *token);
+int32_t Init(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ struct HuksBlob *handle, struct HuksBlob *token);
- const struct HksBlob *key - Pointer to the key, on which the **Init** operation is to perform. The value must meet the following requirements: - 1. key != null - 2. key -> data != null - 3. key -> size != 0 + struct IHuks *self + Pointer to the HUKS HDI struct.
- const struct HksParamSet *paramSet - Pointer to the parameters of the **Init** operation. + const struct HuksBlob *encKey + Pointer to the ciphertext material of the key to be operated. The value must meet the following requirements: + 1. encKey != null + 2. encKey -> data != null + 3. encKey -> dataLen != 0
- struct HksBlob *handle - Pointer to the handle of Init-Update-Finish. + const struct HuksParamSet *paramSet + Pointer to the parameters for initializing the key session.
- struct HksBlob *token - Pointer to the challenge used for secure access control. + struct HuksBlob *handle + Pointer to the key session handle generated, which identifies the key session in Update(), Finish(), and Abort(). +
+ struct HuksBlob *token + Pointer to the authentication token generated for key access control (if required).
int32_t HuksHdiUpdate(const struct HksBlob *handle, const struct HksParamSet *paramSet, const struct HksBlob *inData, struct HksBlob *outData);
+int32_t Update(struct IHuks *self, const struct HuksBlob *handle, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *inData, struct HuksBlob *outData);
- const struct HksBlob *handle - Pointer to the handle of Init-Update-Finish. + struct IHuks *self + Pointer to the HUKS HDI struct.
- const struct HksParamSet *paramSet - Pointer to the parameters of the **Update** operation. + const struct HuksBlob *handle + Pointer to the handle of the key session.
- const struct HksBlob *inData - Pointer to the input of the **Update** operation. + const struct HuksParamSet *paramSet + Pointer to the parameters for the update operation.
- struct HksBlob *outData - Pointer to the result of the **Update** operation. + const struct HuksBlob *inData + Pointer to the data to be passed in. +
+ struct HuksBlob *outData + Pointer to the result of the update operation.
int32_t HuksHdiFinish(const struct HksBlob *handle, const struct HksParamSet *paramSet, const struct HksBlob *inData, struct HksBlob *outData);
+int32_t Finish(struct IHuks *self, const struct HuksBlob *handle, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *inData, struct HuksBlob *outData);
- const struct HksBlob *handle - Pointer to the handle of Init-Update-Finish. + struct IHuks *self + Pointer to the HUKS HDI struct.
- const struct HksParamSet *paramSet - Pointer to the parameters of the **Finish** operation. + const struct HuksBlob *handle + Pointer to the handle of the key session.
- const struct HksBlob *inData - Pointer to the input of the **Finish** operation. + const struct HuksParamSet *paramSet + Pointer to the parameters for the last operation.
- struct HksBlob *outData - Pointer to the result of the **Finish** operation. + const struct HuksBlob *inData + Pointer to the last data to be passed in. +
+ struct HuksBlob *outData + Pointer to the result of the key operation.
int32_t HuksHdiAbort(const struct HksBlob *handle, const struct HksParamSet *paramSet);
-
+int32_t Abort(struct IHuks *self, const struct HuksBlob *handle, const struct HuksParamSet *paramSet);
- const struct HksBlob *handle - Pointer to the handle of Init-Update-Finish. + struct IHuks *self + Pointer to the HUKS HDI struct.
- const struct HksParamSet *paramSet - Pointer to the parameters of the **Abort** operation. + const struct HuksBlob *handle + Pointer to the handle of the key session. +
+ const struct HuksParamSet *paramSet + Pointer to the parameters of the Abort() operation.
int32_t HuksHdiGetKeyProperties(const struct HksParamSet *paramSet, const struct HksBlob *key);
+int32_t CheckKeyValidity(struct IHuks *self, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *encKey);
- const struct HksParamSet *paramSet - Pointer to the parameter set, which is empty. + struct IHuks *self + Pointer to the HUKS HDI struct. +
+ const struct HuksParamSet *paramSet + Pointer to the parameters for checking the key integrity. By default, this parameter is left empty.
- const struct HksBlob *key - Pointer to the target key. + const struct HuksBlob *encKey + Pointer to the key material (ciphertext) to be checked.
int32_t (*HuksHdiAttestKey)(const struct HksBlob *key, const struct HksParamSet *paramSet, struct HksBlob *certChain);
+int32_t AttestKey(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ struct HuksBlob *certChain);
- const struct HksBlob *key - Pointer to the target key. + struct IHuks *self + Pointer to the HUKS HDI struct.
- const struct HksParamSet *paramSet - Pointer to the parameters for the operation. + const struct HuksBlob *encKey + Pointer to the key pair material in ciphertext.
- struct HksBlob *certChain - Pointer to the output parameter, which holds the certificate obtained. + const struct HuksParamSet *paramSet + Pointer to the parameters (such as the challenge) for obtaining the key certificate chain. +
+ struct HuksBlob *certChain + Pointer to the certificate chain obtained.
int32_t (*HuksHdiExportChipsetPlatformPublicKey)(const struct HksBlob *salt, enum HksChipsetPlatformDecryptScene scene, struct HksBlob *publicKey);
+int32_t ExportChipsetPlatformPublicKey(struct IHuks *self, const struct HuksBlob *salt,
+ enum HuksChipsetPlatformDecryptScene scene, struct HuksBlob *publicKey);
- const struct HksBlob *salt - Factor used to derive the chipset key pair. + struct IHuks *self + Pointer to the HUKS HDI struct.
- enum HksChipsetPlatformDecryptScene scene - Expected chipset platform decryption scenario. + const struct HuksBlob *salt + Pointer to the factor used to derive the chipset key pair.
- struct HksBlob *publicKey - The output parameters are the raw data of ECC P-256 x-axis and y-axis values, each of which are of 32 bytes. + enum HuksChipsetPlatformDecryptScene scene + Expected chipset decryption scenario. +
+ struct HuksBlob *publicKey + Pointer to the raw data of ECC P-256 x-axis and y-axis values, each of which are of 32 bytes.
int32_t (*HuksHdiUpgradeKey)(const struct HksBlob *oldKey, const struct HksParamSet *paramSet, struct HksBlob *newKey);
+int32_t UpgradeKey(struct IHuks *self, const struct HuksBlob *encOldKey, const struct HuksParamSet *paramSet,
+ struct HuksBlob *encNewKey);
- const struct HksBlob *oldKey - Key file data to update. + struct IHuks *self + Pointer to the HUKS HDI struct.
- const struct HksParamSet *paramSet - Parameters for updating the key file data. + const struct HuksBlob *encOldKey + Pointer to the key file data to update.
- struct HksBlob *newKey - New key file data. + const struct HuksParamSet *paramSet + Pointer to the parameters for updating the key file data. +
+ struct HuksBlob *newKey + Pointer to the new key file data.
int32_t GenerateRandom(struct IHuks *self, const struct HuksParamSet *paramSet, struct HuksBlob *random);
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksParamSet *paramSet + Pointer to the parameters of the random number to generate, such as the length. +
+ struct HuksBlob *random + Pointer to the random number generated. +
int32_t Sign(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *srcData, struct HuksBlob *signature);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksBlob *encKey + Pointer to the key pair material (ciphertext) used for signing. +
+ const struct HuksParamSet *paramSet + Pointer to the parameters used for signing, such as the digest mode. +
+ const struct HuksBlob *srcData + Pointer to the data to be signed. +
+ struct HuksBlob *signature + Pointer to the signature generated. +
int32_t Verify(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *srcData, const struct HuksBlob *signature);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksBlob *encKey + Pointer to the key pair material (ciphertext) used for signature verification. +
+ const struct HuksParamSet *paramSet + Pointer to the parameters for signature verification, such as the digest mode. +
+ const struct HuksBlob *srcData + Pointer to the data with the signature to be verified. +
+ const struct HuksBlob *signature + Pointer to the signature to verify. +
int32_t Encrypt(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *plainText, struct HuksBlob *cipherText);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksBlob *encKey + Pointer to the key material (ciphertext) used for encryption. +
+ const struct HuksParamSet *paramSet + Pointer to the key parameters for encryption, such as the key working mode and padding mode. +
+ const struct HuksBlob *plainText + Pointer to the plaintext data to encrypt. +
+ const struct HuksBlob *cipherText + Pointer to the encrypted data (data in ciphertext). +
int32_t Decrypt(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *cipherText, struct HuksBlob *plainText);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksBlob *encKey + Pointer to the key material (ciphertext) used for decryption. +
+ const struct HuksParamSet *paramSet + Pointer to the key parameters for decryption, such as the key working mode and padding mode. +
+ const struct HuksBlob *cipherText + Pointer to the data to decrypt. +
+ const struct HuksBlob *plainText + Pointer to the encrypted data in plaintext. +
int32_t AgreeKey(struct IHuks *self, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *encPrivateKey, const struct HuksBlob *peerPublicKey, struct HuksBlob *agreedKey);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksParamSet *paramSet + Pointer to the parameters for key agreement, such as the length of the agreed key. +
+ const struct HuksBlob *encPrivateKey + Pointer to the private key material (ciphertext) used for key agreement. +
+ const struct HuksBlob *peerPublicKey + Pointer to the public key (plaintext) used for key agreement. +
+ struct HuksBlob *agreedKey + Pointer to the agreed key in plaintext. +
int32_t DeriveKey(struct IHuks *self, const struct HuksParamSet *paramSet, const struct HuksBlob *encKdfKey,
+ struct HuksBlob *derivedKey);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksParamSet *paramSet + Pointer to the parameters for key derivation, such as the length of the derived key. +
+ const struct HuksBlob *encKdfKey + Pointer to the key material (ciphertext) used for deriving a key. +
+ struct HuksBlob *derivedKey + Pointer to the derived key in plaintext. +
int32_t Mac(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
+ const struct HuksBlob *srcData, struct HuksBlob *mac);
+
++ struct IHuks *self + Pointer to the HUKS HDI struct. ++
+ const struct HuksBlob *encKey + Pointer to the key material (ciphertext) used to generate the MAC. +
+ const struct HuksParamSet *paramSet + Pointer to the parameters for generating the MAC. +
+ const struct HuksBlob *srcData + Pointre to the source data for which the MAC is to be generated. +
+ struct HuksBlob *mac + Pointer to the MAC generated. +