 |
PSoC64 Secure Boot Utilities Middleware Library 1.0
|
|
PSoC64 Secure Boot Utilities Middleware Library 1.0
|
Macros | |
| #define | CY_P64_PSA_KEY_DERIVATION_OPERATION_INIT {0} |
| This only zeroes out the first byte in the union, the rest is unspecified. More... | |
| #define | CY_P64_PSA_KEY_DERIVATION_INPUT_SECRET ((cy_p64_psa_key_derivation_step_t)0x0101) |
| A secret input for key derivation. More... | |
| #define | CY_P64_PSA_KEY_DERIVATION_INPUT_LABEL ((cy_p64_psa_key_derivation_step_t)0x0201) |
| A label for key derivation. More... | |
| #define | CY_P64_PSA_KEY_DERIVATION_INPUT_SALT ((cy_p64_psa_key_derivation_step_t)0x0202) |
| A salt for key derivation. More... | |
| #define | CY_P64_PSA_KEY_DERIVATION_INPUT_INFO ((cy_p64_psa_key_derivation_step_t)0x0203) |
| An information string for key derivation. More... | |
| #define | CY_P64_PSA_KEY_DERIVATION_INPUT_SEED ((cy_p64_psa_key_derivation_step_t)0x0204) |
| A seed for key derivation. More... | |
Typedefs | |
| typedef struct cy_p64_psa_key_derivation_s | cy_p64_psa_key_derivation_operation_t |
| The type of the state data structure for key derivation operations. More... | |
| typedef uint16_t | cy_p64_psa_key_derivation_step_t |
| Encoding of the step of a key derivation. More... | |
| #define CY_P64_PSA_KEY_DERIVATION_OPERATION_INIT {0} |
This only zeroes out the first byte in the union, the rest is unspecified.
| #define CY_P64_PSA_KEY_DERIVATION_INPUT_SECRET ((cy_p64_psa_key_derivation_step_t)0x0101) |
A secret input for key derivation.
This should be a key of type CY_P64_PSA_KEY_TYPE_DERIVE (passed to psa_key_derivation_input_key()) or the shared secret resulting from a key agreement (obtained via psa_key_derivation_key_agreement()).
The secret can also be a direct input (passed to key_derivation_input_bytes()). In this case, the derivation operation may not be used to derive keys: the operation will only allow psa_key_derivation_output_bytes(), not psa_key_derivation_output_key().
| #define CY_P64_PSA_KEY_DERIVATION_INPUT_LABEL ((cy_p64_psa_key_derivation_step_t)0x0201) |
A label for key derivation.
This should be a direct input. It can also be a key of type CY_P64_PSA_KEY_TYPE_RAW_DATA.
| #define CY_P64_PSA_KEY_DERIVATION_INPUT_SALT ((cy_p64_psa_key_derivation_step_t)0x0202) |
A salt for key derivation.
This should be a direct input. It can also be a key of type CY_P64_PSA_KEY_TYPE_RAW_DATA.
| #define CY_P64_PSA_KEY_DERIVATION_INPUT_INFO ((cy_p64_psa_key_derivation_step_t)0x0203) |
An information string for key derivation.
This should be a direct input. It can also be a key of type CY_P64_PSA_KEY_TYPE_RAW_DATA.
| #define CY_P64_PSA_KEY_DERIVATION_INPUT_SEED ((cy_p64_psa_key_derivation_step_t)0x0204) |
A seed for key derivation.
This should be a direct input. It can also be a key of type CY_P64_PSA_KEY_TYPE_RAW_DATA.
| typedef struct cy_p64_psa_key_derivation_s cy_p64_psa_key_derivation_operation_t |
The type of the state data structure for key derivation operations.
Before calling any function on a key derivation operation object, the application must initialize it by any of the following means:
This is an implementation-defined struct. Applications should not make any assumptions about the content of this structure except as directed by the documentation of a specific implementation.
| typedef uint16_t cy_p64_psa_key_derivation_step_t |
Encoding of the step of a key derivation.
| cy_p64_psa_status_t cy_p64_psa_key_derivation_abort | ( | cy_p64_psa_key_derivation_operation_t * | operation | ) |
Aborts a key derivation operation.
Aborting an operation frees all associated resources except for the operation structure itself. Once aborted, the operation object can be reused for another operation by calling cy_p64_psa_key_derivation_setup() again.
This function may be called at any time after the operation object has been initialized as described in cy_p64_psa_key_derivation_operation_t.
In particular, it is valid to call cy_p64_psa_key_derivation_abort() twice, or to call cy_p64_psa_key_derivation_abort() on an operation that has not been set up.
| [in,out] | operation | The operation to abort. |
| CY_P64_PSA_SUCCESS | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_BAD_STATE | It is implementation-dependent whether initialize results fails in this error code |
| cy_p64_psa_status_t cy_p64_psa_key_derivation_setup | ( | cy_p64_psa_key_derivation_operation_t * | operation, |
| cy_p64_psa_algorithm_t | alg | ||
| ) |
Sets up a key derivation operation.
A key derivation algorithm takes some inputs and uses them to generate a byte stream in a deterministic way. This byte stream can be used to produce keys and other cryptographic material.
To derive a key:
If this function returns an error, the key derivation operation object is not changed.
If an error occurs at any step after a call to cy_p64_psa_key_derivation_setup(), the operation will need to be reset by a call to cy_p64_psa_key_derivation_abort().
Implementations must reject an attempt to derive a key of size 0.
| [in,out] | operation | The key derivation operation object to set up. It must have been initialized but not set up yet. |
| alg | The key derivation algorithm to compute (CY_P64_PSA_ALG_XXX value such that CY_P64_PSA_ALG_IS_KEY_DERIVATION(alg) is true). |
| CY_P64_PSA_SUCCESS | Success. |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | alg is not a key derivation algorithm. |
| CY_P64_PSA_ERROR_NOT_SUPPORTED | alg is not supported or is not a key derivation algorithm. |
| CY_P64_PSA_ERROR_INSUFFICIENT_MEMORY | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_STORAGE_FAILURE | |
| CY_P64_PSA_ERROR_BAD_STATE | The operation state is not valid (it must be inactive). |
| cy_p64_psa_status_t cy_p64_psa_key_derivation_inp_key | ( | cy_p64_psa_key_derivation_operation_t * | operation, |
| cy_p64_psa_key_derivation_step_t | step, | ||
| cy_p64_psa_key_handle_t | handle | ||
| ) |
Provides an input for key derivation in the form of a key.
Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function obtains input from a key object, which is usually correct for secret inputs or for non-secret personalization strings kept in the key store. To pass a non-secret parameter which is not in the key store, call CY_P64_PSA_key_derivation_inp_bytes() instead of this function. Refer to the documentation of individual step types (PSA_KEY_DERIVATION_INPUT_xxx values of type cy_p64_psa_key_derivation_step_t) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling cy_p64_psa_key_derivation_abort().
| [in,out] | operation | The key derivation operation object to use. It must have been set up with cy_p64_psa_key_derivation_setup() and must not have produced any output yet. |
| step | Which step the input data is for. | |
| handle | Handle to the key. It must have an appropriate type for step and must allow the usage CY_P64_PSA_KEY_USAGE_DERIVE. |
| CY_P64_PSA_SUCCESS | Success. |
| CY_P64_PSA_ERROR_INVALID_HANDLE | |
| CY_P64_PSA_ERROR_NOT_PERMITTED | |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | step is not compatible with the operation's algorithm. |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | step does not allow key inputs of the given type or does not allow key inputs at all. |
| CY_P64_PSA_ERROR_INSUFFICIENT_MEMORY | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_STORAGE_FAILURE | |
| CY_P64_PSA_ERROR_BAD_STATE | The operation state is not valid for this input step. |
| cy_p64_psa_status_t cy_p64_psa_key_derivation_inp_bytes | ( | cy_p64_psa_key_derivation_operation_t * | operation, |
| cy_p64_psa_key_derivation_step_t | step, | ||
| const uint8_t * | data, | ||
| size_t | data_length | ||
| ) |
Provides an input for key derivation or key agreement.
Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function passes direct inputs, which is usually correct for non-secret inputs. To pass a secret input, which should be in a key object, call cy_p64_psa_key_derivation_input_key() instead of this function. Refer to the documentation of individual step types (CY_P64_PSA_KEY_DERIVATION_INPUT_xxx values of type cy_p64_psa_key_derivation_step_t) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling cy_p64_psa_key_derivation_abort().
| [in,out] | operation | The key derivation operation object to use. It must have been set up with cy_p64_psa_key_derivation_setup() and must not have produced any output yet. |
| step | Which step the input data is for. | |
| [in] | data | Input data to use. |
| data_length | Size of the data buffer in bytes. |
| CY_P64_PSA_SUCCESS | Success. |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | step is not compatible with the operation's algorithm. |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | step does not allow direct inputs. |
| CY_P64_PSA_ERROR_INSUFFICIENT_MEMORY | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_STORAGE_FAILURE | |
| CY_P64_PSA_ERROR_BAD_STATE | The operation state is not valid for this input step. |
| cy_p64_psa_status_t cy_p64_psa_key_derivation_key_agreement | ( | cy_p64_psa_key_derivation_operation_t * | operation, |
| cy_p64_psa_key_derivation_step_t | step, | ||
| cy_p64_psa_key_handle_t | private_key, | ||
| const uint8_t * | peer_key, | ||
| size_t | peer_key_length | ||
| ) |
Performs a key agreement and use the shared secret as input to a key derivation.
A key agreement algorithm takes two inputs: a private key private_key a public key peer_key. The result of this function is passed as input to a key derivation. The output of this key derivation can be extracted by reading from the resulting operation to produce keys and other cryptographic material.
If this function returns an error status, the operation enters an error state and must be aborted by calling cy_p64_psa_key_derivation_abort().
| [in,out] | operation | The key derivation operation object to use. It must have been set up with cy_p64_psa_key_derivation_setup() with a key agreement and derivation algorithm alg (CY_P64_PSA_ALG_XXX value such that CY_P64_PSA_ALG_IS_KEY_AGREEMENT(alg) is true and CY_P64_PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) is false). The operation must be ready for an input of the type given by step. |
| step | Which step the input data is for. | |
| private_key | Handle to the private key to use. | |
| [in] | peer_key | The public key of the peer. The peer key must be in the same format that cy_p64_psa_import_key() accepts for the public key type corresponding to the type of private_key. That is, this function performs the equivalent of cy_p64_psa_import_key(..., peer_key, peer_key_length) where with key attributes indicating the public key type corresponding to the type of private_key. For example, for EC keys, this means that peer_key is interpreted as a point on the curve that the private key is on. The standard formats for public keys are documented in the documentation of cy_p64_psa_export_public_key(). |
| peer_key_length | Size of peer_key in bytes. |
| CY_P64_PSA_SUCCESS | Success. |
| CY_P64_PSA_ERROR_BAD_STATE | The operation state is not valid for this key agreement step. |
| CY_P64_PSA_ERROR_INVALID_HANDLE | |
| CY_P64_PSA_ERROR_NOT_PERMITTED | |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | private_key is not compatible with alg, or peer_key is not valid for alg or not compatible with private_key. |
| CY_P64_PSA_ERROR_NOT_SUPPORTED | alg is not supported or is not a key derivation algorithm. |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | step does not allow an input resulting from a key agreement. |
| CY_P64_PSA_ERROR_INSUFFICIENT_MEMORY | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_STORAGE_FAILURE |
| cy_p64_psa_status_t cy_p64_psa_key_derivation_out_bytes | ( | cy_p64_psa_key_derivation_operation_t * | operation, |
| uint8_t * | output, | ||
| size_t | output_length | ||
| ) |
Reads some data from a key derivation operation.
This function calculates output bytes from a key derivation algorithm and return those bytes. If you view the key derivation's output as a stream of bytes, this function destructively reads the requested number of bytes from the stream. The operation's capacity decreases by the number of bytes read.
If this function returns an error status other than CY_P64_PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error state and must be aborted by calling cy_p64_psa_key_derivation_abort().
| [in,out] | operation | The key derivation operation object to read from. |
| [out] | output | Buffer where the output will be written. |
| output_length | Number of bytes to output. |
| CY_P64_PSA_SUCCESS | |
| CY_P64_PSA_ERROR_INSUFFICIENT_DATA | The operation's capacity was less than output_length bytes. Note that in this case, no output is written to the output buffer. The operation's capacity is set to 0, thus subsequent calls to this function will not succeed, even with a smaller output buffer. |
| CY_P64_PSA_ERROR_BAD_STATE | The operation state is not valid (it must be active and completed all required input steps). |
| CY_P64_PSA_ERROR_INSUFFICIENT_MEMORY | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_STORAGE_FAILURE |
| cy_p64_psa_status_t cy_p64_psa_key_derivation_out_key | ( | const cy_p64_psa_key_attributes_t * | attributes, |
| cy_p64_psa_key_derivation_operation_t * | operation, | ||
| cy_p64_psa_key_handle_t * | handle | ||
| ) |
Derives a key from an ongoing key derivation operation.
This function calculates output bytes from a key derivation algorithm and uses those bytes to generate a key deterministically. The key's location, usage policy, type and size are taken from attributes.
If you view the key derivation's output as a stream of bytes, this function destructively reads as many bytes as required from the stream. The operation's capacity decreases by the number of bytes read.
If this function returns an error status other than CY_P64_PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error state and must be aborted by calling cy_p64_psa_key_derivation_abort().
How much output is produced and consumed from the operation, and how the key is derived, depends on the key type:
bits / 8) bytes from the operation. The following key types defined in this specification follow this scheme:
curve) where curve designates a Montgomery curve), this function always draws a byte string whose length is determined by the curve, and sets the mandatory bits accordingly. That is:bits bits with constraints as to which bit sequences are acceptable, this function draws a byte string of length (bits / 8) bytes rounded up to the nearest whole number of bytes. If the resulting byte string is acceptable, it becomes the key, otherwise the drawn bytes are discarded. This process is repeated until an acceptable byte string is drawn. The byte string drawn from the operation is interpreted as specified for the output produced by cy_p64_psa_export_key(). The following key types defined in this specification follow this scheme:group) where group designates any Diffie-Hellman group) and ECC keys on a Weierstrass elliptic curve (CY_P64_PSA_KEY_TYPE_ECC_KEY_PAIR(curve) where curve designates a Weierstrass curve). For these key types, interpret the byte string as integer in big-endian order. Discard it if it is not in the range [0, N - 2] where N is the boundary of the private key domain (the prime p for Diffie-Hellman, the subprime q for DSA, or the order of the curve's base point for ECC). Add 1 to the resulting integer and use this as the private key x. This method allows compliance to NIST standards, specifically the methods titled "key-pair generation by testing candidates" in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman, in FIPS 186-4 §B.1.2 for DSA, and in NIST SP 800-56A §5.6.1.2.2 or FIPS 186-4 §B.4.2 for elliptic curve keys.In all cases, the data that is read is discarded from the operation. The operation's capacity is decreased by the number of bytes read.
For algorithms that take an input step CY_P64_PSA_KEY_DERIVATION_INPUT_SECRET, the input to that step must be provided with cy_p64_psa_key_derivation_input_key(). Future versions of this specification may include additional restrictions on the derived key based on the attributes and strength of the secret key.
| [in] | attributes | The attributes for the new key. |
| [in,out] | operation | The key derivation operation object to read from. |
| [out] | handle | On success, a handle to the newly created key. 0 on failure. |
| CY_P64_PSA_SUCCESS | Success. If the key is persistent, the key material and the key's metadata have been saved to persistent storage. |
| CY_P64_PSA_ERROR_ALREADY_EXISTS | This is an attempt to create a persistent key, and there is already a persistent key with the given identifier. |
| CY_P64_PSA_ERROR_INSUFFICIENT_DATA | There was not enough data to create the desired key. Note that in this case, no output is written to the output buffer. The operation's capacity is set to 0, thus subsequent calls to this function will not succeed, even with a smaller output buffer. |
| CY_P64_PSA_ERROR_NOT_SUPPORTED | The key type or key size is not supported, either by the implementation in general or in this particular location. |
| CY_P64_PSA_ERROR_INVALID_ARGUMENT | The provided key attributes are not valid for the operation. |
| CY_P64_PSA_ERROR_NOT_PERMITTED | The CY_P64_PSA_KEY_DERIVATION_INPUT_SECRET input was not provided through a key. |
| CY_P64_PSA_ERROR_BAD_STATE | The operation state is not valid (it must be active and completed all required input steps). |
| CY_P64_PSA_ERROR_INSUFFICIENT_MEMORY | |
| CY_P64_PSA_ERROR_INSUFFICIENT_STORAGE | |
| CY_P64_PSA_ERROR_COMMUNICATION_FAILURE | |
| CY_P64_PSA_ERROR_HARDWARE_FAILURE | |
| CY_P64_PSA_ERROR_CORRUPTION_DETECTED | |
| CY_P64_PSA_ERROR_STORAGE_FAILURE |