HMAC key APIs - zpc/hmac_key.h
In file zpc/hmac_key.h, libzpc provides APIs for managing HMAC key objects.
Data structures
zpc_hmac_key is opaque for the
application:struct zpc_hmac_key;Supported key types
The following variants of protected HMAC keys are supported:
- retrieved from ultravisor (UV) retrievable secrets (denoted by the type keyword PVSECRET, where the PV stands for protected virtualization, and therefore sometimes shortly referred to as pvsecrets)
- created from given clear key data
- randomly generated via
sysfsattributesprotkey_hmac_512andprotkey_hmac_1024in /sys/devices/virtual/misc/pkey/protkey. Each new read on one of thesesysfsattributes provides a new key of the related type.
The zpc/hmac_key.h file defines the following constants for the supported key type:
# define ZPC_HMAC_KEY_TYPE_PVSECRET 9
Properties
The following hash functions to be used in the zpc_hmac_key_set_hash_function() API are defined:
typedef enum {
ZPC_HMAC_HASHFUNC_NOT_SET = -2,
ZPC_HMAC_HASHFUNC_INVALID = -1,
ZPC_HMAC_HASHFUNC_SHA_224 = 0,
ZPC_HMAC_HASHFUNC_SHA_256,
ZPC_HMAC_HASHFUNC_SHA_384,
ZPC_HMAC_HASHFUNC_SHA_512,
} zpc_hmac_hashfunc_t;
The remainder of this information unit describes the available APIs for managing HMAC keys.
zpc_hmac_key_alloc
Purpose: Allocate a new HMAC key object with reference count 1.
int zpc_hmac_key_alloc(
struct zpc_hmac_key **key );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC key |
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_set_type
Purpose: Set the HMAC key type.
int zpc_hmac_key_set_type(
struct zpc_hmac_key *key,
int type );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC key. |
| input | type | One type is supported: ZPC_HMAC_KEY_TYPE_PVSECRET. |
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_set_hash_function
Purpose: Set the hash function to be used in the context of an HMAC operation. This hash function is also used if clear key data is imported later and needs to be hashed to form a block-sized key.
int zpc_hmac_key_set_hash_function(
struct zpc_hmac_key *key,
zpc_hmac_hashfunc_t func );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC key. |
| input | func | HMAC hash function: sha-224, sha-256, sha-384, or sha-512. See Data structures for
how to define the desired hash function. The size of the HMAC key (64 bytes or 128 bytes) is given
by the block size of the hash function:
|
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_import
Purpose: Import an HMAC protected key (from origin secure key or retrievable secret ID).
int zpc_hmac_key_import(
struct zpc_hmac_key *key,
const unsigned char *origin,
size_t originlen );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC key. |
| input | origin | Pointer to an HMAC protected key (origin: secure key or retrievable secret). |
| input | originlen | HMAC key origin length in bytes. |
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_import_clear
Purpose: Import an HMAC clear-key. Such keys have no persistent key part (secure key or secret ID) and can therefore not be re-derived in case of a WKVP mismatch.
int zpc_hmac_key_import_clear(
struct zpc_hmac_key *key,
const unsigned char *clrkey,
size_t keylen );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC key. |
| input | clrkey | Pointer to an HMAC clear-key. |
| input | keylen | HMAC clear key length in bytes. According to the HMAC specification, keys shorter than the block size of the underlying hash function of the key are padded with zeroes on the right up to the hash function block size. Keys longer than the hash function block size are first hashed using this hash function and then padded with zeroes up to the block size. |
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_export
Purpose: Export an HMAC protected key (from origin secure key or retrievable secret ID).
int zpc_hmac_key_export(
struct zpc_hmac_key *key,
unsigned char *origin,
size_t originlen );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC key. |
| output | origin | Pointer to an HMAC protected key (from origin secure key or retrievable secret ID). |
| input, output | originlen | Pointer to a field containing the HMAC protected key length in bytes. |
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_generate
Purpose: Generate a random HMAC protected-key.
int zpc_hmac_key_generate(
struct zpc_hmac_key *key );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC protected key. |
Return codes:
0 on success. Otherwise, a non-zero error code is returned.
zpc_hmac_key_free
Purpose: Decrease the reference count of an HMAC key object and free it, if the count reaches 0.
int zpc_hmac_key_free(
struct zpc_hmac_key **key );
Parameters:
| Direction | Name | Description |
|---|---|---|
| input, output | key | Pointer to an HMAC protected key. |