GClarkson/BoilerControlUnit_Firmware
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Imported more library files

Browse Source 
Not compiling currently
This commit is contained in:
GClarkson
2025-04-12 23:37:19 +01:00
parent 264a3462e0
commit 9d06f983af
2518 changed files with 1021900 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

619
Libs/util/plugin/security_manager/security_manager.c Normal file
View File

@@ -0,0 +1,619 @@
/***************************************************************************//**
* @file
* @brief This file implements abstracting the PSA CRYPTO interface.
*******************************************************************************
* # License
* <b>Copyright 2022 Silicon Laboratories Inc. www.silabs.com</b>
*******************************************************************************
*
* The licensor of this software is Silicon Laboratories Inc. Your use of this
* software is governed by the terms of Silicon Labs Master Software License
* Agreement (MSLA) available at
* www.silabs.com/about-us/legal/master-software-license-agreement. This
* software is distributed to you in Source Code format and is governed by the
* sections of the MSLA applicable to Source Code.
*
******************************************************************************/
#include "security_manager.h"
#include "em_device.h"
#include "psa/crypto.h"
#include "sl_psa_crypto.h"
#include "sli_psa_crypto.h"
#include "psa/internal_trusted_storage.h"
#include "psa/sli_internal_trusted_storage.h"
#ifdef SL_COMPONENT_CATALOG_PRESENT
#include "sl_component_catalog.h"
#endif // SL_COMPONENT_CATALOG_PRESENT
#if defined(SL_CATALOG_NVM3_PRESENT)
#include "nvm3.h"
#endif
#define SL_SEC_MAN_AES_BLOCK_SIZE 16
#define SL_SEC_MAN_TRANSIENT_KEY_ID 0x200F0
static void sl_sec_man_set_key_attributes(psa_key_id_t * sl_psa_key_id,
psa_key_attributes_t *sl_psa_key_attr,
psa_key_type_t sl_psa_key_type,
psa_algorithm_t sl_psa_key_algorithm,
psa_key_usage_t sl_psa_key_usage,
psa_key_persistence_t sl_psa_key_persistence,
size_t sl_psa_key_len)
{
// By default, prefer to wrap (encrypt) keys in storage
psa_key_location_t sl_psa_key_location = sl_psa_get_most_secure_key_location();
// Dont wrap volatile keys used for HMAC operation, as opaque keys cannot be used for multi-part HMAC.
if (sl_psa_key_type == PSA_KEY_TYPE_HMAC && sl_psa_key_persistence == PSA_KEY_PERSISTENCE_VOLATILE) {
sl_psa_key_location = PSA_KEY_LOCATION_LOCAL_STORAGE;
}
// This next function gives us our preferred location if the chip supports it,
// else, we get PSA_KEY_LOCATION_LOCAL_STORAGE
sl_psa_set_key_lifetime_with_location_preference(sl_psa_key_attr,
sl_psa_key_persistence,
sl_psa_key_location); // preferred location
if (sl_psa_key_persistence == PSA_KEY_PERSISTENCE_DEFAULT) {
psa_set_key_id(sl_psa_key_attr, *sl_psa_key_id);
}
psa_set_key_usage_flags(sl_psa_key_attr, sl_psa_key_usage);
psa_set_key_algorithm(sl_psa_key_attr, sl_psa_key_algorithm);
psa_set_key_type(sl_psa_key_attr, sl_psa_key_type);
// If we are importing a public key, dont set key bits, as it is not needed
if (!PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(sl_psa_key_type)) {
psa_set_key_bits(sl_psa_key_attr, sl_psa_key_len);
}
}
psa_status_t sl_sec_man_import_key(psa_key_id_t * sl_psa_key_id,
psa_key_type_t sl_psa_key_type,
psa_algorithm_t sl_psa_key_algorithm,
psa_key_usage_t sl_psa_key_usage,
psa_key_persistence_t sl_psa_key_persistence,
const uint8_t * sl_psa_key_literal,
size_t sl_key_literal_len)
{
psa_status_t status;
psa_key_attributes_t sl_psa_key_attr = PSA_KEY_ATTRIBUTES_INIT;
if ((sl_psa_key_id == NULL) || (sl_psa_key_literal == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
sl_sec_man_set_key_attributes(sl_psa_key_id, &sl_psa_key_attr, sl_psa_key_type, sl_psa_key_algorithm,
sl_psa_key_usage, sl_psa_key_persistence, (sl_key_literal_len * 8));
/* Import the key */
status = psa_import_key(&sl_psa_key_attr, sl_psa_key_literal, sl_key_literal_len, sl_psa_key_id);
exit:
return status;
}
psa_status_t sl_sec_man_generate_key(psa_key_id_t * sl_psa_key_id,
psa_key_type_t sl_psa_key_type,
psa_algorithm_t sl_psa_key_algorithm,
psa_key_usage_t sl_psa_key_usage,
psa_key_persistence_t sl_psa_key_persistence,
size_t sl_psa_key_len)
{
psa_status_t status;
psa_key_attributes_t sl_psa_key_attr = PSA_KEY_ATTRIBUTES_INIT;
if (sl_psa_key_id == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
sl_sec_man_set_key_attributes(sl_psa_key_id, &sl_psa_key_attr, sl_psa_key_type, sl_psa_key_algorithm,
sl_psa_key_usage, sl_psa_key_persistence, sl_psa_key_len);
/* Import the key */
status = psa_generate_key(&sl_psa_key_attr, sl_psa_key_id);
exit:
return status;
}
psa_status_t sl_sec_man_export_key(psa_key_id_t sl_psa_key_id,
uint8_t * sl_psa_key_buffer,
size_t sl_psa_key_buffer_len,
size_t * sl_psa_key_len)
{
psa_status_t status;
if ((sl_psa_key_buffer == NULL) || (sl_psa_key_len == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_export_key(sl_psa_key_id, sl_psa_key_buffer, sl_psa_key_buffer_len, sl_psa_key_len);
exit:
return status;
}
psa_status_t sl_sec_man_get_key_attributes(psa_key_id_t sl_psa_key_id,
psa_key_attributes_t *sl_psa_key_attributes)
{
psa_status_t status;
if (sl_psa_key_attributes == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_get_key_attributes(sl_psa_key_id, sl_psa_key_attributes);
exit:
return status;
}
psa_status_t sl_sec_man_destroy_key(psa_key_id_t sl_psa_key_id)
{
return psa_destroy_key(sl_psa_key_id);
}
psa_status_t sl_sec_man_copy_key(psa_key_id_t sl_psa_source_key_id,
psa_key_attributes_t *sl_psa_key_attributes,
psa_key_id_t *sl_psa_dest_key_id)
{
psa_status_t status;
bool overwrite_original;
if (sl_psa_key_attributes == NULL || sl_psa_dest_key_id == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
// Do we need to overwrite original key?
overwrite_original = (sl_psa_source_key_id == *sl_psa_dest_key_id);
if (overwrite_original) {
#ifndef SL_TRUSTZONE_NONSECURE
// Set the target key id to a default value.
// Note, this needs to be either in thread or zigbee NVM range.
*sl_psa_dest_key_id = SL_SEC_MAN_TRANSIENT_KEY_ID;
#else
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
#endif
}
// Set the key id for the new key
psa_set_key_id(sl_psa_key_attributes, *sl_psa_dest_key_id);
// Copy the key from source to destnation
status = psa_copy_key(sl_psa_source_key_id, sl_psa_key_attributes, sl_psa_dest_key_id);
if (status != PSA_SUCCESS) {
goto exit;
}
#if !defined(SL_TRUSTZONE_NONSECURE) && defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
if (overwrite_original) {
// After making a copy, if we need to replace the old key,
// first destroy the original key.
psa_destroy_key(sl_psa_source_key_id);
//Set the new key's keyid to match the original keyid
status = sli_psa_its_change_key_id(*sl_psa_dest_key_id, sl_psa_source_key_id);
}
#endif
exit:
return status;
}
psa_status_t sl_sec_man_aes_encrypt(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_psa_aes_alg,
const uint8_t * sl_psa_aes_input,
uint8_t * sl_psa_aes_output)
{
size_t sl_psa_aes_enc_len = 0;
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_aes_input == NULL) || (sl_psa_aes_output == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_cipher_encrypt(sl_psa_key_id, sl_psa_aes_alg, sl_psa_aes_input, SL_SEC_MAN_AES_BLOCK_SIZE, sl_psa_aes_output,
SL_SEC_MAN_AES_BLOCK_SIZE, &sl_psa_aes_enc_len);
exit:
return status;
}
psa_status_t sl_sec_man_aes_decrypt(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_psa_aes_alg,
const uint8_t * sl_psa_aes_input,
uint8_t * sl_psa_aes_output)
{
size_t sl_psa_aes_enc_len = 0;
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_aes_input == NULL) || (sl_psa_aes_output == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_cipher_decrypt(sl_psa_key_id, sl_psa_aes_alg, sl_psa_aes_input, SL_SEC_MAN_AES_BLOCK_SIZE, sl_psa_aes_output,
SL_SEC_MAN_AES_BLOCK_SIZE, &sl_psa_aes_enc_len);
exit:
return status;
}
//Use PSA for AES-CCM* encryption and tagging operations
psa_status_t sl_sec_man_aes_ccm_crypt(psa_key_id_t sl_psa_key_id,
uint8_t* nonce,
bool encrypt,
const uint8_t* input,
uint8_t encryption_start_index,
uint8_t length,
uint8_t mic_length,
uint8_t* output)
{
psa_status_t psa_status;
//contains size of output + MIC
size_t output_length;
size_t NONCE_LENGTH = 13;
//return full output packet (including unencrypted authentication data)
memmove(output, input, encryption_start_index);
psa_algorithm_t aes_ccm_tag_alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, mic_length);
if (encrypt) {
psa_status = psa_aead_encrypt(
sl_psa_key_id,
aes_ccm_tag_alg,
(const uint8_t *) nonce, NONCE_LENGTH,
input, encryption_start_index,
input + encryption_start_index, length - encryption_start_index,
output + encryption_start_index, length - encryption_start_index + mic_length, &output_length);
} else {
psa_status = psa_aead_decrypt(
sl_psa_key_id,
aes_ccm_tag_alg,
(const uint8_t *) nonce, NONCE_LENGTH,
input, encryption_start_index,
input + encryption_start_index, length - encryption_start_index + mic_length,
output + encryption_start_index, length - encryption_start_index, &output_length);
}
if (psa_status == PSA_ERROR_INVALID_SIGNATURE) {
return psa_status;
}
if (psa_status != PSA_SUCCESS || (!encrypt && output_length != (size_t) (length - encryption_start_index))
|| (encrypt && output_length != (size_t) (length + mic_length - encryption_start_index))) {
return PSA_ERROR_INVALID_ARGUMENT;
} else {
return PSA_SUCCESS;
}
}
psa_status_t sl_sec_man_hmac_start(psa_mac_operation_t *sl_psa_hmac_ctx, psa_key_id_t sl_psa_key_id)
{
psa_status_t status = PSA_SUCCESS;
if (sl_psa_hmac_ctx == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_mac_sign_setup(sl_psa_hmac_ctx, sl_psa_key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256));
exit:
return status;
}
psa_status_t sl_sec_man_hmac_update(psa_mac_operation_t *sl_psa_hmac_ctx,
const uint8_t * sl_psa_hmac_buffer,
size_t sl_psa_hmac_buffer_len)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_hmac_ctx == NULL) || (sl_psa_hmac_buffer == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_mac_update(sl_psa_hmac_ctx, sl_psa_hmac_buffer, sl_psa_hmac_buffer_len);
exit:
return status;
}
psa_status_t sl_sec_man_hmac_finish(psa_mac_operation_t *sl_psa_hmac_ctx,
const uint8_t * sl_psa_hmac_buffer,
size_t sl_psa_hmac_buffer_len)
{
psa_status_t status = PSA_SUCCESS;
size_t sl_psa_mac_length = 0;
if ((sl_psa_hmac_ctx == NULL) || (sl_psa_hmac_buffer == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_mac_sign_finish(sl_psa_hmac_ctx, (uint8_t *)sl_psa_hmac_buffer,
sl_psa_hmac_buffer_len, &sl_psa_mac_length);
exit:
return status;
}
psa_status_t sl_sec_man_hmac_deinit(psa_mac_operation_t *sl_psa_hmac_ctx)
{
psa_status_t status = PSA_SUCCESS;
if (sl_psa_hmac_ctx == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_mac_abort(sl_psa_hmac_ctx);
exit:
return status;
}
psa_status_t sl_sec_man_key_derivation_extract(psa_key_derivation_operation_t *sl_psa_key_derivation_ctx,
psa_algorithm_t sl_psa_key_derivation_algorithm,
psa_key_id_t sl_psa_key_id,
const uint8_t * sl_psa_key_derivation_salt,
uint16_t sl_psa_key_derivation_salt_length)
{
psa_status_t status = PSA_SUCCESS;
if (sl_psa_key_derivation_ctx == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
*sl_psa_key_derivation_ctx = psa_key_derivation_operation_init();
// PRK is calculated as HMAC-Hash(aSalt, aInputKey)
status = psa_key_derivation_setup(sl_psa_key_derivation_ctx, PSA_ALG_HKDF(sl_psa_key_derivation_algorithm));
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_key_derivation_input_bytes(sl_psa_key_derivation_ctx, PSA_KEY_DERIVATION_INPUT_SALT,
sl_psa_key_derivation_salt, sl_psa_key_derivation_salt_length);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_key_derivation_input_key(sl_psa_key_derivation_ctx, PSA_KEY_DERIVATION_INPUT_SECRET, sl_psa_key_id);
if (status != PSA_SUCCESS) {
goto exit;
}
exit:
if (status != PSA_SUCCESS) {
psa_key_derivation_abort(sl_psa_key_derivation_ctx);
}
return status;
}
psa_status_t sl_sec_man_key_derivation_expand(psa_key_derivation_operation_t *sl_psa_key_derivation_ctx,
const uint8_t * sl_psa_key_derivation_info,
uint16_t sl_psa_key_derivation_info_length,
uint8_t * sl_psa_key_derivation_output_key,
uint16_t sl_psa_key_derivation_output_key_len)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_key_derivation_ctx == NULL) || (sl_psa_key_derivation_output_key == NULL)
|| (sl_psa_key_derivation_info == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_key_derivation_input_bytes(sl_psa_key_derivation_ctx, PSA_KEY_DERIVATION_INPUT_INFO,
sl_psa_key_derivation_info, sl_psa_key_derivation_info_length);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_key_derivation_output_bytes(sl_psa_key_derivation_ctx, sl_psa_key_derivation_output_key,
sl_psa_key_derivation_output_key_len);
if (status != PSA_SUCCESS) {
goto exit;
}
exit:
if (status != PSA_SUCCESS) {
psa_key_derivation_abort(sl_psa_key_derivation_ctx);
}
return status;
}
psa_hash_operation_t sl_sec_man_hash_init(void)
{
return psa_hash_operation_init();
}
psa_status_t sl_sec_man_hash_deinit(psa_hash_operation_t *sl_psa_hash_ctx)
{
psa_status_t status = PSA_SUCCESS;
if (sl_psa_hash_ctx == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_hash_abort(sl_psa_hash_ctx);
exit:
return status;
}
psa_status_t sl_sec_man_hash_start(psa_hash_operation_t *sl_psa_hash_ctx, psa_algorithm_t sl_psa_hash_alg)
{
psa_status_t status = PSA_SUCCESS;
if (sl_psa_hash_ctx == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_hash_setup(sl_psa_hash_ctx, sl_psa_hash_alg);
exit:
return status;
}
psa_status_t sl_sec_man_hash_update(psa_hash_operation_t *sl_psa_hash_ctx,
uint8_t * sl_psa_hash_buffer,
uint16_t sl_psa_hash_buffer_len)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_hash_ctx == NULL) || (sl_psa_hash_buffer == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_hash_update(sl_psa_hash_ctx, sl_psa_hash_buffer, sl_psa_hash_buffer_len);
exit:
return status;
}
psa_status_t sl_sec_man_hash_finish(psa_hash_operation_t *sl_psa_hash_ctx,
uint8_t * sl_psa_hash,
uint16_t sl_psa_hash_size,
size_t * sl_psa_hash_len)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_hash_ctx == NULL) || (sl_psa_hash == NULL) || (sl_psa_hash_len == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_hash_finish(sl_psa_hash_ctx, sl_psa_hash, sl_psa_hash_size, sl_psa_hash_len);
exit:
return status;
}
psa_status_t sl_sec_man_get_random(uint8_t *sl_psa_output_buffer,
uint16_t sl_psa_output_size)
{
psa_status_t status = PSA_SUCCESS;
if (sl_psa_output_buffer == NULL) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_generate_random(sl_psa_output_buffer, sl_psa_output_size);
exit:
return status;
}
psa_status_t sl_sec_man_export_public_key(psa_key_id_t sl_psa_key_id,
uint8_t *sl_psa_output_buffer,
size_t sl_output_buffer_size,
size_t *sl_psa_key_len)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_psa_output_buffer == NULL) && (sl_psa_key_len == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_export_public_key(sl_psa_key_id, sl_psa_output_buffer, sl_output_buffer_size, sl_psa_key_len);
exit:
return status;
}
psa_status_t sl_sec_man_sign(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_dsa_algorithm,
const uint8_t *sl_dsa_input_buf,
size_t sl_dsa_input_size,
uint8_t *sl_dsa_signature_buf,
size_t sl_dsa_signature_size,
size_t *sl_dsa_signature_len,
bool sl_is_hash)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_dsa_input_buf == NULL) && (sl_dsa_signature_buf == NULL) && (sl_dsa_signature_len == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
if (sl_is_hash) {
status = psa_sign_hash(sl_psa_key_id,
sl_dsa_algorithm,
sl_dsa_input_buf,
sl_dsa_input_size,
sl_dsa_signature_buf,
sl_dsa_signature_size,
sl_dsa_signature_len);
} else {
status = psa_sign_message(sl_psa_key_id,
sl_dsa_algorithm,
sl_dsa_input_buf,
sl_dsa_input_size,
sl_dsa_signature_buf,
sl_dsa_signature_size,
sl_dsa_signature_len);
}
exit:
return status;
}
psa_status_t sl_sec_man_verify(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_dsa_algorithm,
const uint8_t *sl_dsa_input_buf,
size_t sl_dsa_input_size,
const uint8_t *sl_dsa_signature_buf,
size_t sl_dsa_signature_size,
bool sl_is_hash)
{
psa_status_t status = PSA_SUCCESS;
if ((sl_dsa_input_buf == NULL) && (sl_dsa_signature_buf == NULL)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
if (sl_is_hash) {
status = psa_verify_hash(sl_psa_key_id,
sl_dsa_algorithm,
sl_dsa_input_buf,
sl_dsa_input_size,
sl_dsa_signature_buf,
sl_dsa_signature_size);
} else {
status = psa_verify_message(sl_psa_key_id,
sl_dsa_algorithm,
sl_dsa_input_buf,
sl_dsa_input_size,
sl_dsa_signature_buf,
sl_dsa_signature_size);
}
exit:
return status;
}

429
Libs/util/plugin/security_manager/security_manager.h Normal file
View File

@@ -0,0 +1,429 @@
/***************************************************************************//**
* @file
* @brief This file implements abstracting the PSA CRYPTO interface.
*******************************************************************************
* # License
* <b>Copyright 2022 Silicon Laboratories Inc. www.silabs.com</b>
*******************************************************************************
*
* The licensor of this software is Silicon Laboratories Inc. Your use of this
* software is governed by the terms of Silicon Labs Master Software License
* Agreement (MSLA) available at
* www.silabs.com/about-us/legal/master-software-license-agreement. This
* software is distributed to you in Source Code format and is governed by the
* sections of the MSLA applicable to Source Code.
*
******************************************************************************/
#ifndef SECURITY_MANAGER_H_
#define SECURITY_MANAGER_H_
#include <psa/crypto_types.h>
#include <stdbool.h>
#include <string.h>
#include "psa/crypto.h"
#include "psa/crypto_values.h"
/**
* Import a key into PSA ITS.
*
* The caller must Provide a valid key.
*
* Based on the parameters passed, the security manager will choose the storage location.
* For persistent keys, key_id is managed by the application, and for volatiles keys,
* PSA will create a key_id and returns the same to the application. All the keys will be wrapped
* before storage and the key_id is further used for all the security operations.
*
* @param[out] sl_psa_key_id Pointer to Key Id to be used for persistent keys. If the key is stored
* in RAM, PSA will allocate the key ID and pass it to the application. For
* non-volatile keys, key ID provided by application will be assigned as the reference.
* @param[in] sl_psa_key_type Key type encoding for the key.
* @param[in] sl_psa_key_algorithm Key algorithm encoding for the key.
* @param[in] sl_psa_key_usage Key Usage encoding for the key.
* @param[in] sl_psa_key_persistence What persistence level needs to be applied to the key.
* @param[in] sl_psa_key_literal Pointer to the actual key.
* @param[in] sl_key_literal_len Length of the key.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_import_key(psa_key_id_t * sl_psa_key_id,
psa_key_type_t sl_psa_key_type,
psa_algorithm_t sl_psa_key_algorithm,
psa_key_usage_t sl_psa_key_usage,
psa_key_persistence_t sl_psa_key_persistence,
const uint8_t * sl_psa_key_literal,
size_t sl_key_literal_len);
/**
* Generates a key and stores the same in PSA.
*
* Based on the parameters passed, the security manager will choose the storage location.
* For persistent keys, key_id is managed by the application, and for volatiles keys,
* PSA will create a key_id and returns the same to the application. All the keys will be wrapped
* before storage and the key_id is further used for all the security operations.
*
* @param[out] sl_psa_key_id Pointer to Key Id to be used for persistent keys. If the key is stored
* in RAM, PSA will allocate the key ID and pass it to the application. For
* non-volatile keys, key ID provided by application will be assigned as the reference.
* @param[in] sl_psa_key_type Key type encoding for the key.
* @param[in] sl_psa_key_algorithm Key algorithm encoding for the key.
* @param[in] sl_psa_key_usage Key Usage encoding for the key.
* @param[in] sl_psa_key_persistence What persistence level needs to be applied to the key.
* @param[in] sl_psa_key_len Length of the key.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_generate_key(psa_key_id_t * sl_psa_key_id,
psa_key_type_t sl_psa_key_type,
psa_algorithm_t sl_psa_key_algorithm,
psa_key_usage_t sl_psa_key_usage,
psa_key_persistence_t sl_psa_key_persistence,
size_t sl_psa_key_len);
/**
* Export a key from PSA ITS.
*
* This API can be used to export the key stored in the PSA. Only keys marked as exportable can be
* read back from the storage as plaintext.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key. This is either passed to import key,
* for persistent keys, or returned to the application in the key context, for
* volatile keys.
* @param[in] sl_psa_key_buffer Pointer to the buffer to store the key.
* @param[in] sl_psa_key_buffer_len Length of the buffer.
* @param[out] sl_psa_key_len Length of the exported key.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_export_key(psa_key_id_t sl_psa_key_id,
uint8_t * sl_psa_key_buffer,
size_t sl_psa_key_buffer_len,
size_t * sl_psa_key_len);
/**
* Get attributes for a key stored in PSA ITS.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
* @param[out] sl_psa_key_attributes output pointer for key attributes.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_get_key_attributes(psa_key_id_t sl_psa_key_id,
psa_key_attributes_t *sl_psa_key_attributes);
/**
* Destroy a key stored in PSA ITS.
*
* This API can be used to dispose a stored key from PSA.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_destroy_key(psa_key_id_t sl_psa_key_id);
/**
* Make a copy a key stored in the ITS.
*
* This API can be used to make copies of a key in ITS.
* This API can also be used to change the key attributes of a existing key.
*
* If the source and destination key ids are the same, a copy of the original
* key will be made with new additional attributes.
*
* If the source and destination keyids are different, a copy of source key is
* made, and new attributes additional attributes, and the keyId of new key will
* be returned.
*
* @note /ref psa_copy_key() only supports unwrapped source keys.
* This API will fail if the sl_psa_source_key_id is wrapped.
* @note There are restrictions on what attributes can be changed. Refer to /ref psa_copy_key()
*
* @param[in] sl_psa_source_key_id Key ID of the source key.
* @param[in] sl_psa_key_attributes New key attributes to be added.
* @param[inout] sl_psa_dest_key_id KeyId for new key.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_copy_key(psa_key_id_t sl_psa_source_key_id,
psa_key_attributes_t *sl_psa_key_attributes,
psa_key_id_t *sl_psa_dest_key_id);
/**
* API to encrypt or decrypt data using AES ECB.
*
* This API can be used to perform AES ECB on given data. The user will have to
* pass a valid key reference in the form of a key_id to the API.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
* @param[in] sl_psa_aes_alg AES Algorithm to use.
* @param[in] sl_psa_aes_input Pointer to the data to be encrypted or decrypted.
* @param[out] sl_psa_aes_output Pointer to buffer to hold the output data.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_aes_encrypt(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_psa_aes_alg,
const uint8_t* sl_psa_aes_input,
uint8_t* sl_psa_aes_output);
psa_status_t sl_sec_man_aes_decrypt(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_psa_aes_alg,
const uint8_t* sl_psa_aes_input,
uint8_t* sl_psa_aes_output);
/**
* API to encrypt data using AES-CCM*.
*
* This API can be used to perform AES-CCM* operations on given data which is in packet format.
* (Authentication data is followed by the data to be encrypted/decrypted, with a MIC
* located after the encryption data)
* @note returns an error if given invalid psa key id
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
* @param[in] nonce Nonce value to use in the CCM* operation.
* @param[in] encrypt Function mode. False for authenticated decryption,
true otherwise.
* @param[in] input Pointer to the packet to be encrypted.
* @param[in] encryption_start_index Index where the data to be encrypted begins, equal to
* the length of the authenticated data.
* @param[in] length Total combined length of authenticated and encrypted data.
* @param[in] mic_length Length of the MIC to be output after the encrypted data.
* This must be consistent with what the referenced key
* permits for its encryption algorithm.
* @param[out] output Pointer to buffer to hold the output packet.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_aes_ccm_crypt(psa_key_id_t sl_psa_key_id,
uint8_t* nonce,
bool encrypt,
const uint8_t* input,
uint8_t encryption_start_index,
uint8_t length,
uint8_t mic_length,
uint8_t* output);
/**
* Start the HMAC operation.
*
* @param[in] sl_psa_hmac_ctx Operation Context for HMAC operation.
* @param[out] sl_psa_key_id Reference to the key to be used for HMAC operation.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_hmac_start(psa_mac_operation_t *sl_psa_hmac_ctx, psa_key_id_t sl_psa_key_id);
/**
* Update the HMAC operation with new input.
*
* @param[in] sl_psa_hmac_ctx Operation Context for HMAC operation.
* @param[out] sl_psa_hmac_buffer A pointer to the input buffer.
* @param[in] sl_psa_hmac_buffer_len The length of @p sl_psa_hmac_buffer in bytes.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_hmac_update(psa_mac_operation_t *sl_psa_hmac_ctx,
const uint8_t * sl_psa_hmac_buffer,
size_t sl_psa_hmac_buffer_len);
/**
* Complete the HMAC operation.
*
* @param[in] sl_psa_hmac_ctx Operation Context for HMAC operation.
* @param[out] sl_psa_hmac_buffer A pointer to the output buffer.
* @param[in] sl_psa_hmac_buffer_len The length of @p sl_psa_hmac_buffer in bytes.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_hmac_finish(psa_mac_operation_t *sl_psa_hmac_ctx,
const uint8_t * sl_psa_hmac_buffer,
size_t sl_psa_hmac_buffer_len);
/**
* Uninitialize the HMAC operation.
*
* @param[in] sl_psa_hmac_ctx Operation Context for HMAC operation.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_hmac_deinit(psa_mac_operation_t *sl_psa_hmac_ctx);
/**
* Perform HKDF Extract step.
*
* @param[in] sl_psa_key_derivation_ctx Operation context for key derivation operation.
* @param[in] sl_psa_key_derivation_algorithm Algorithm being used for key derivation.
* @param[in] sl_psa_key_id Reference to key stored in PSA ITS.
* @param[in] sl_psa_key_derivation_salt Pointer to the Salt for key derivation.
* @param[in] sl_psa_key_derivation_salt_length Length of Salt.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_key_derivation_extract(psa_key_derivation_operation_t *sl_psa_key_derivation_ctx,
psa_algorithm_t sl_psa_key_derivation_algorithm,
psa_key_id_t sl_psa_key_id,
const uint8_t * sl_psa_key_derivation_salt,
uint16_t sl_psa_key_derivation_salt_length);
/**
* Perform HKDF Expand step.
*
* @param[in] sl_psa_key_derivation_ctx Operation context for HKDF operation.
* @param[in] sl_psa_key_derivation_info Pointer to the Info sequence.
* @param[in] sl_psa_key_derivation_info_length Length of the Info sequence.
* @param[out] sl_psa_key_derivation_output_key Pointer to the output Key.
* @param[in] sl_psa_key_derivation_output_key_len Size of the output key buffer.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_key_derivation_expand(psa_key_derivation_operation_t *sl_psa_key_derivation_ctx,
const uint8_t * sl_psa_key_derivation_info,
uint16_t sl_psa_key_derivation_info_length,
uint8_t * sl_psa_key_derivation_output_key,
uint16_t sl_psa_key_derivation_output_key_len);
/**
* Initialise the hashing operation.
*
* @param[in] sl_psa_hash_ctx Context for hashing operation.
*
* @retval Initial value for a hash operation object.
*/
psa_hash_operation_t sl_sec_man_hash_init(void);
/**
* De-Initialise the hashing operation.
*
* @param[in] sl_psa_hash_ctx Context for hashing operation.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*/
psa_status_t sl_sec_man_hash_deinit(psa_hash_operation_t *sl_psa_hash_ctx);
/**
* Start SHA-256 operation.
*
* @param[in] sl_psa_hash_ctx Context for hashing operation.
* @param[in] sl_psa_hash_alg Hashing algorithm to use.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_hash_start(psa_hash_operation_t *sl_psa_hash_ctx, psa_algorithm_t sl_psa_hash_alg);
/**
* Update hashing operation with new input.
*
* @param[in] sl_psa_hash_ctx Context for hashing operation.
* @param[out] sl_psa_hash_buffer A pointer to the input buffer.
* @param[in] sl_psa_hash_buffer_len The length of @p sl_psa_hash_buffer in bytes.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*/
psa_status_t sl_sec_man_hash_update(psa_hash_operation_t *sl_psa_hash_ctx,
uint8_t * sl_psa_hash_buffer,
uint16_t sl_psa_hash_buffer_len);
/**
* Finish hashing operation.
*
* @param[in] sl_psa_hash_ctx Context for hashing operation.
* @param[in] sl_psa_hash_hash A pointer to the output buffer, where hash needs to be stored.
* @param[in] sl_psa_hash_hash_size The length of @p sl_psa_hash_hash in bytes.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*/
psa_status_t sl_sec_man_hash_finish(psa_hash_operation_t *sl_psa_hash_ctx,
uint8_t * sl_psa_hash,
uint16_t sl_psa_hash_size,
size_t * sl_psa_hash_len);
/**
* Generate Entropy.
*
* @param[in] sl_psa_output_buffer Buffer to store the generated entropy.
* @param[in] sl_psa_output_size Amount of entropy needed in bytes.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_get_random(uint8_t *sl_psa_output_buffer,
uint16_t sl_psa_output_size);
/**
* Export the public key from the key pair.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
* @param[out] sl_psa_output_buffer A pointer to the output buffer to store the public key.
* @param[in] sl_output_buffer_size The length of @p sl_psa_output_buffer in bytes.
* @param[out] sl_public_key_len A pointer to a variable to store length of the exported public key.
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_export_public_key(psa_key_id_t sl_psa_key_id,
uint8_t *sl_psa_output_buffer,
size_t sl_output_buffer_size,
size_t *sl_public_key_len);
/**
* Sign the given input buffer using the algorithm specified.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
* @param[in] sl_dsa_algorithm DSA Algorithm to use to perform ECDSA sign operation.
* @param[in] sl_dsa_input_buf A pointer to the input buffer.
* @param[in] sl_dsa_input_size The length of @p sl_dsa_input_buf in bytes.
* @param[out] sl_dsa_signature_buf A pointer to the output buffer to store the signature.
* @param[in] sl_dsa_signature_size The length of @p sl_dsa_signature_buf in bytes.
* @param[out] sl_dsa_signature_len A pointer to a variable to store length of the generated signature.
* @param[in] sl_is_hash Is the input a message hash?
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*
*/
psa_status_t sl_sec_man_sign(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_dsa_algorithm,
const uint8_t *sl_dsa_input_buf,
size_t sl_dsa_input_size,
uint8_t *sl_dsa_signature_buf,
size_t sl_dsa_signature_size,
size_t *sl_dsa_signature_len,
bool sl_is_hash);
/**
* Verify the given signature using the algorithm specified.
*
* @param[in] sl_psa_key_id Key ID used as a reference to the key.
* @param[in] sl_dsa_algorithm DSA Algorithm to use to perform ECDSA verify operation.
* @param[in] sl_dsa_input_buf A pointer to the input buffer.
* @param[in] sl_dsa_input_size The length of @p sl_dsa_input_buf in bytes.
* @param[in] sl_dsa_signature_buf A pointer to the input buffer to store the signature.
* @param[in] sl_dsa_signature_size The length of @p sl_dsa_signature_buf in bytes.
* @param[in] sl_is_hash Is the input a message hash?
*
* @retval A psa_status_t status code. Refer to /ref psa_status_t.
*/
psa_status_t sl_sec_man_verify(psa_key_id_t sl_psa_key_id,
psa_algorithm_t sl_dsa_algorithm,
const uint8_t *sl_dsa_input_buf,
size_t sl_dsa_input_size,
const uint8_t *sl_dsa_signature_buf,
size_t sl_dsa_signature_size,
bool sl_is_hash);
#endif /* SECURITY_MANAGER_H_ */