// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.

#ifndef DICE_OPS_H_
#define DICE_OPS_H_

#include <dice/config.h>
#include <dice/dice.h>
#include <dice/ops/clear_memory.h>

// These are the set of functions that implement various operations that the
// main DICE functions depend on. They are provided as part of an integration
// and resolved at link time.
//
// Every operation takes an opaque |context| pointer; this header does not
// define what it points to. Every operation reports its outcome only through
// the returned DiceResult, so callers must check it before using any output
// buffer.
//
// Buffer parameters written as arrays (for example
// |output[DICE_HASH_SIZE]|) are ordinary pointers in C: the bound documents
// the required minimum size but the compiler does not enforce it.

#ifdef __cplusplus
extern "C" {
#endif

// Retrieves the DICE key parameters based on the key pair generation
// algorithm set up at compile time or in the |context| parameter at runtime.
DiceResult DiceGetKeyParam(void* context, DicePrincipal principal,
                           DiceKeyParam* key_param);

// An implementation of SHA-512, or an alternative hash. Hashes |input_size|
// bytes of |input| and populates |output| on success. |output| must point to
// a buffer of at least DICE_HASH_SIZE bytes.
DiceResult DiceHash(void* context, const uint8_t* input, size_t input_size,
                    uint8_t output[DICE_HASH_SIZE]);

// An implementation of HKDF-SHA512, or an alternative KDF. Derives |length|
// bytes from |ikm|, |salt|, and |info| and populates |output| on success.
// |output| must point to a buffer of at least |length| bytes.
// NOTE(review): |ikm| and |output| are presumably secret key material in the
// DICE derivations; whether the implementation or the caller wipes them is
// not stated here -- confirm against the integration.
DiceResult DiceKdf(void* context, size_t length, const uint8_t* ikm,
                   size_t ikm_size, const uint8_t* salt, size_t salt_size,
                   const uint8_t* info, size_t info_size, uint8_t* output);

// Deterministically generates a public and private key pair from |seed|.
// Since this is deterministic, |seed| is as sensitive as a private key and can
// be used directly as the private key. The |private_key| may use an
// implementation defined format so may only be passed to DiceSign.
// Both |seed| and |private_key| therefore hold secret material.
// NOTE(review): this header does not say who wipes |private_key| after use;
// presumably the caller, using the operation from <dice/ops/clear_memory.h>
// -- confirm.
DiceResult DiceKeypairFromSeed(
    void* context, DicePrincipal principal,
    const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
    uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
    uint8_t private_key[DICE_PRIVATE_KEY_BUFFER_SIZE]);

// Calculates a signature of |message_size| bytes from |message| using
// |private_key|. |private_key| was generated by DiceKeypairFromSeed to allow
// an implementation to use their own private key format. |signature| points to
// the buffer where the calculated signature is written; it must hold at least
// DICE_SIGNATURE_BUFFER_SIZE bytes.
// The signature length is not returned by this function.
// NOTE(review): presumably the length is fixed by the configured algorithm
// (see DiceGetKeyParam) -- confirm.
DiceResult DiceSign(void* context, const uint8_t* message, size_t message_size,
                    const uint8_t private_key[DICE_PRIVATE_KEY_BUFFER_SIZE],
                    uint8_t signature[DICE_SIGNATURE_BUFFER_SIZE]);

// Verifies, using |public_key|, that |signature| covers |message_size| bytes
// from |message|. There is no separate "valid" output: a failed verification
// is visible only in the returned DiceResult, so ignoring the return value
// accepts every signature.
DiceResult DiceVerify(void* context, const uint8_t* message,
                      size_t message_size,
                      const uint8_t signature[DICE_SIGNATURE_BUFFER_SIZE],
                      const uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE]);

// Generates an X.509 certificate, or an alternative certificate format, from
// the given |subject_private_key_seed| and |input_values|, and signed by
// |authority_private_key_seed|. The subject private key seed is supplied here
// so the implementation can choose between asymmetric mechanisms, for example
// ECDSA vs Ed25519.
//
// Both seeds are as sensitive as private keys (see DiceKeypairFromSeed).
// |certificate| is a caller-provided buffer of |certificate_buffer_size|
// bytes, and |certificate_actual_size| is an output parameter.
// NOTE(review): the behaviour when the buffer is too small is not stated in
// this header; presumably the required size is reported through
// |certificate_actual_size| -- confirm against the implementation before
// relying on it.
DiceResult DiceGenerateCertificate(
    void* context,
    const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
    const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
    const DiceInputValues* input_values, size_t certificate_buffer_size,
    uint8_t* certificate, size_t* certificate_actual_size);

#ifdef __cplusplus
}  // extern "C"
#endif

#endif  // DICE_OPS_H_