Intel

Developer Zone

DataMigration

com.intel.crypto

Class DataMigration

  • java.lang.Object
    • com.intel.crypto.DataMigration


  • public abstract class DataMigration
    extends java.lang.Object
    This class provides the ability to apply the previous PBIND key to retrieve data that was encrypted\HMAC'd using the PBIND key.

    When the Intel CSME Firmware Secure Version Number (SVN) is incremented (via firmware update), the applet PBIND key changes. Therefore any data that was encrypted\HMAC'd with the PBIND key will no longer be usable. The Intel CSME Firmware SVN increment can be detected using PlatformInfo.getSecurityEngineSVN() The following classes support PBIND operations:

    If the Intel CSME Firmware SVN was never incremented on the platform, NotSupportedException will be thrown.
    NOTE: Only a single migration step is supported. I.e., if the user performs an SVN firmware update from SVN X to SVN Y (where Y > X) and then performs another SVN firmware update to SVN Z (where Z > Y) without performing data migration after the transition to SVN Y and before the transition to SVN Z, all the encrypted/signed data created in SVN X is lost.

    • Method Summary

      Methods
      Modifier and Type Method and Description
      static DataMigration create(short algType)
      Factory method for creating a concrete instance.
      abstract short decryptComplete(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
      Decrypts the provided input data using the previous PBIND key stored by the instance.
      abstract short decryptUpdate(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
      Decrypts the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation.
      abstract void setIV(byte[] ivArray, short ivIndex, short ivLength)
      Sets the initialization vector (IV) to be used by this instance for encrypt/decrypt operations.
      abstract boolean verifyComplete(byte[] input, short inputIndex, short inputLength, byte[] signature, short signatureIndex, short signatureLength)
      Verifies the signature on the provided input data using the previous PBIND key stored by the instance.
      abstract void verifyUpdate(byte[] data, short dataIndex, short dataLength)
      Verifies the signature on the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation.
      • Methods inherited from class java.lang.Object

        equals, getClass, hashCode, toString
    • Field Detail

      • DECRYPT_ALG_TYPE_PBIND_AES_128_CBC

        public static final short DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
        AES deccryption with 128 bit Platform Binding key in CBC mode.
        See Also:
        Constant Field Values
      • DECRYPT_ALG_TYPE_PBIND_AES_256_CBC

        public static final short DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
        AES cryption with 256 bit Platform Binding key in CBC mode.
        See Also:
        Constant Field Values
      • SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1

        public static final short SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
        HMAC SHA1 with Platform Binding key algorithm.
        See Also:
        Constant Field Values
      • SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256

        public static final short SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
        HMAC SHA256 with Platform Binding key algorithm.
        See Also:
        Constant Field Values
    • Method Detail

      • setIV

        public abstract void setIV(byte[] ivArray,
                 short ivIndex,
                 short ivLength)
                            throws CryptoException
        Sets the IV to be used by this instance for encrypt/decrypt operations. Note that once set, the new IV value is used for all future encrypt/decrypt operations until the IV is reset to a new value (by calling the setIV method again). In addition, calling this method resets any sequence of operations that has already started. This method is required only for algorithm types that implement CBC or CTR mode.
        Parameters:
        ivArray - the IV data
        ivIndex - index in the IV array
        ivLength - IV length in bytes
        Throws:
        NotSupportedException - when called for an instance that does not support IV (for example, ECB cipher)
        IllegalParameterException - when the provided IV size is illegal or not supported
        NotInitializedException - when using DataMigration without proper initialization
        CryptoException - if an internal error occurred
      • decryptUpdate

        public abstract short decryptUpdate(byte[] input,
                          short inputIndex,
                          short inputLength,
                          byte[] output,
                          short outputIndex)
                                     throws CryptoException
        Decrypts the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation. The decryptComplete method must be called to complete the decryption. operations sequence and clear the internal state maintained by the instance.
        Parameters:
        input - the input data to decrypt
        inputIndex - index in the input array
        inputLength - input data length
        output - an array to hold the decrypted data (if any number of complete blocks was decrypted)
        outputIndex - index in the output array
        Returns:
        The number of bytes returned in output array.
        Throws:
        NotInitializedException - if a required decryption parameter is not configured (for example, key for non-Platform Binding algorithms, IV for CBC ciphers, etc.) or using DataMigration without proper initialization
        java.lang.ArrayIndexOutOfBoundsException - when inputIndes or outputIndex are out of bounds
        IllegalUseException - when illegal input was provided/dd>
        CryptoException - if an internal error occurred
      • decryptComplete

        public abstract short decryptComplete(byte[] input,
                            short inputIndex,
                            short inputLength,
                            byte[] output,
                            short outputIndex)
        Decrypts the provided input data using the previous PBIND key stored by the instance.
        Parameters:
        input - the input data to decrypt
        inputIndex - index in the input array
        inputLength - input data length
        output - an array to hold the decrypted data
        outputIndex - index in the output array
        Returns:
        The number of bytes returned in output array.
        Throws:
        NotInitializedException - if a required decryption parameter is not configured (for example, the key to be used for decryption) or using DataMigration without proper initialization
        IllegalParameterException - when one or more of the input parameters are illegal
        java.lang.ArrayIndexOutOfBoundsException - when inputIndes or outputIndex are out of bounds
        IllegalUseException - when illegal input was provided
        CryptoException - if an internal error occurred
      • verifyUpdate

        public abstract void verifyUpdate(byte[] data,
                        short dataIndex,
                        short dataLength)
                                   throws CryptoException
        Verifies the signature on the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation. The verifyComplete method must be called to complete the verify operations sequence and receive the verification result.
        Parameters:
        data - the input data that was signed
        dataIndex - index in the input array
        dataLength - input data length
        Throws:
        NotInitializedException - if this instance is not configured correctly in order to verify the signature. For example, the key with which the data was signed is not set or using DataMigration without properly initialization
        IllegalParameterException - if the data provided for verification is illegal
        java.lang.ArrayIndexOutOfBoundsException - when inputIndes or outputIndex are out of bounds
        CryptoException - if some unexpected error has occurred
      • verifyComplete

        public abstract boolean verifyComplete(byte[] input,
                             short inputIndex,
                             short inputLength,
                             byte[] signature,
                             short signatureIndex,
                             short signatureLength)
        Verifies the signature on the provided input data using the previous PBIND key stored by the instance.
        Parameters:
        input - the input data that was signed
        inputIndex - index in the input array
        inputLength - input data length
        signature - the signature to verify
        signatureIndex - index in the signature array
        signatureLength - signature length
        Returns:
        true if the signature verified successfully, false otherwise.
        Throws:
        NotInitializedException - if this instance is not configured correctly in order to verify the signature. For example, the key required for verifying the signature is not set or using DataMigration without proper initialization
        IllegalParameterException - if the data provided for verification is illegal
        java.lang.ArrayIndexOutOfBoundsException - when inputIndes or outputIndex are out of bounds
        CryptoException - if some unexpected error has occurred
      • create

        public static final DataMigration create(short algType)
        Factory method for creating a concrete instance.
        Parameters:
        algType - the requested algorithm, see SIGNATURE_ALG_TYPE.. or DECRYPT_ALG_TYPE definitions above for the possible values
        Returns:
        DataMigration instance of the requested type.
        Throws:
        NotSupportedException - if the requested algorithm type is not supported or data migration is not supported.
        NotInitializedException - if the previous seed does not exist.