Data structures
These structures are used in the API of the current libica version.
For the definitions of older functions, see previous versions of this book. The older functions are no longer recommended for use, but they are supported.
typedef struct {
unsigned int key_length;
unsigned char* modulus;
unsigned char* exponent;
} ica_rsa_key_mod_expo_t;typedef struct {
unsigned int key_length;
unsigned char* p;
unsigned char* q;
unsigned char* dp;
unsigned char* dq;
unsigned char* qInverse;
} ica_rsa_key_crt_t;typedef struct {
unsigned int mech_mode_id;
unsigned int flags;
unsigned int property;
} libica_func_list_element;
typedef struct {
unsigned char vendor_id[16];
unsigned char machine_type[16];
} libica_hw_info;
typedef struct kma_ctx_t kma_ctx; * mech_mode_id: Unique mechanism ID for each mechanism implemented in libica, as follows:
#define SHA1 1
#define SHA224 2
#define SHA256 3
#define SHA384 4
#define SHA512 5
#define SHA3_224 6
#define SHA3_256 7
#define SHA3_384 8
#define SHA3_512 9
#define G_HASH 10
#define SHAKE_128 11
#define SHAKE_256 12
#define DES_ECB 20
#define DES_CBC 21
#define DES_CBC_CS 22
#define DES_OFB 23
#define DES_CFB 24
#define DES_CTR 25
#define DES_CTRLST 26
#define DES_CBC_MAC 27
#define DES_CMAC 28
#define DES3_ECB 41
#define DES3_CBC 42
#define DES3_CBC_CS 43
#define DES3_OFB 44
#define DES3_CFB 45
#define DES3_CTR 46
#define DES3_CTRLST 47
#define DES3_CBC_MAC 48
#define DES3_CMAC 49
#define AES_ECB 60
#define AES_CBC 61
#define AES_CBC_CS 62
#define AES_OFB 63
#define AES_CFB 64
#define AES_CTR 65
#define AES_CTRLST 66
#define AES_CBC_MAC 67
#define AES_CMAC 68
#define AES_CCM 69
#define AES_GCM 70
#define AES_XTS 71
#define AES_GCM_KMA 72
#define P_RNG 80
#define EC_DH 85
#define EC_DSA_SIGN 86
#define EC_DSA_VERIFY 87
#define EC_KGEN 88
#define RSA_ME 90
#define RSA_CRT 91
#define RSA_KEY_GEN_ME 92
#define RSA_KEY_GEN_CRT 93
#define SHA512_DRNG 94
#define SHA512_224 95
#define SHA512_256 96
#define ED25519_KEYGEN 100
#define ED25519_SIGN 101
#define ED25519_VERIFY 102
#define ED448_KEYGEN 103
#define ED448_SIGN 104
#define ED448_VERIFY 105
#define X25519_KEYGEN 106
#define X25519_DERIVE 107
#define X448_KEYGEN 108
#define X448_DERIVE 109
For more details regarding these mechanisms, refer to openCryptoki - An Open Source Implementation of PKCS #11.
- * flags
- This flag represents the type of hardware/software support for each mechanism.
- #define ICA_FLAG_SHW 4
- Static hardware support (operations on CPACF). Hardware support will be available unless a hardware error occurs.
- #define ICA_FLAG_DHW 2
- Dynamic hardware support (operations on crypto cards). Hardware support will be available unless the hardware is reconfigured.
- #define ICA_FLAG_SW 1
- Software support. If both static and dynamic hardware support as well as software support are available, then software support is used as fall back if hardware support fails.
- * property
- This property field is optional depending on the mechanism. It is used to declare mechanism
specific parameters, such as key sizes for RSA and AES.
For RSA mechanisms:
- - bit 0
- 512 bit key size support
- - bit 1
- 1024 bit key size support
- - bit 2
- 2048 bit key size support
- - bit 3
- 4096 bit key size support
For ECC mechanisms:
- - bit 0
- support for Brainpool curves
- - bit 1
- support for NIST curves
- - bit 2
- support for Edwards curves
For AES mechanisms:
- - bit 0
- 128 bit key size support
- - bit 1
- 192 bit key size support
- - bit 2
- 256 bit key size support
For all non-RSA/AES/ECC mechanisms this field is empty.
Take note of these considerations:
- The buffers pointed to by members of type unsigned char * must be manually allocated and deallocated by the user.
- Key parts must always be right-aligned in their fields.
- All buffers pointed to by members modulus and exponent in struct ica_rsa_key_mod_expo_t must be of length key_length.
- All buffers pointed to by members p, q, dp, dq, and qInverse in struct ica_rsa_key_crt_t must be of size key_length / 2 or larger.
- In the struct ica_rsa_key_crt_t, the buffers p, dp, and qInverse must contain 8 bytes of zero padding in front of the actual values.
- If an exponent is set in struct ica_rsa_key_mod_expo_t as part of a public key for key generation, be aware that due to a restriction in OpenSSL, the public exponent cannot be larger than a size of unsigned long. Therefore, you must have zeros left-padded in the buffer pointed to by exponent in the struct ica_rsa_key_mod_expo_t struct. Be aware that this buffer also must be of size key_length.
- This key_length value should be calculated from the length of the
modulus in bits, according to this calculation:
key_length = (modulus_bits + 7) / 8
typedef struct {
uint64_t runningLength;
unsigned char shaHash[LENGTH_SHA_HASH];
} sha_context_t; typedef struct {
uint64_t runningLength;
unsigned char sha256Hash[LENGTH_SHA256_HASH];
} sha256_context_t;
typedef struct {
uint64_t runningLengthHigh;
uint64_t runningLengthLow;
unsigned char sha512Hash[LENGTH_SHA512_HASH];
} sha512_context_t;
typedef struct {
uint64_t runningLength;
unsigned char sha3_224Hash[SHA3_224_HASH_LENGTH];
} sha3_224_context_t;
typedef struct {
uint64_t runningLength;
unsigned char sha3_256Hash[SHA3_256_HASH_LENGTH];
} sha3_256_context_t;
typedef struct {
uint64_t runningLengthHigh;
uint64_t runningLengthLow;
unsigned char sha3_384Hash[SHA3_384_HASH_LENGTH];
} sha3_384_context_t;
typedef struct {
uint64_t runningLengthHigh;
uint64_t runningLengthLow;
unsigned char sha3_512Hash[SHA3_512_HASH_LENGTH];
} sha3_512_context_t;
typedef struct {
uint64_t runningLengthHigh;
uint64_t runningLengthLow;
unsigned int output_length;
unsigned char shake_128Hash[200];
} shake_128_context_t;
typedef struct {
uint64_t runningLengthHigh;
uint64_t runningLengthLow;
unsigned int output_length;
unsigned char shake_256Hash[200];
} shake_256_context_t;
typedef struct {
unsigned int major_version;
unsigned int minor_version;
unsigned int fixpack_version;
} libica_version_info;