EpidAlgEx

com.intel.crypto

Class EpidAlgEx

This API is supported only on Bay Trail platforms (Intel SEC1.1.x and Intel SEC1.2.x), as of Intel firmware kit SEC 1.1.6.2165.
  • All Implemented Interfaces:
    Signature


    public abstract class EpidAlgEx
    extends EpidAlg
    implements Signature

    This abstract class represents the extended version of the Enhanced Privacy ID (EPID) signing algorithm: EPID1.1. This algorithm extends the EPID support by providing the following mechanisms:

    • Supplying a signature revocation list to provide non-revocation proof to the signature verifier
    • Providing a basename to be signed as part of the signature, if needed by the signature verifier
    • Providing a nonce to thwart replay attacks

    This class is stateful: properties set before signing affect the resulting signature. By default, the signature is a basic signature with no basename (one is chosen at random), no signature revocation list, and a nonce set to all zeros.

    The following inherited methods are not supported by this class and will throw NotSupportedException:
    • verifyComplete
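
The signing flow described above, as an added example that is not part of Intel's documentation: it sets every property explicitly, then queries the signature length, then signs. `EpidSigner`, the null-return convention and the length checks are assumptions of this example, as is the `com.intel.crypto` package for `CryptoException`.

```java
import com.intel.crypto.CryptoException;
import com.intel.crypto.EpidAlgEx;

// Added example; EpidSigner is a hypothetical helper, not part of the Intel API.
// Assumes CryptoException lives in com.intel.crypto alongside EpidAlgEx.
public final class EpidSigner {

    /**
     * Produces an EPID 1.1 signature over data, bound to a verifier-chosen nonce.
     * basename and sigRl may be null (random basename / no revocation list).
     * Returns null if the platform is not provisioned or an input length is
     * rejected before it reaches the firmware.
     */
    public static byte[] sign(byte[] data, byte[] nonce, byte[] basename, byte[] sigRl)
            throws CryptoException {
        EpidAlgEx epid = EpidAlgEx.createAlg();
        if (!epid.isProvisioned()) {
            return null; // provisioning via provisionData() has to happen first
        }
        // Length checks are this example's own policy: exact size for the
        // nonce, upper bounds for the optional fields and for the data.
        if (nonce == null || nonce.length != epid.getNonceLength()
                || data == null || data.length > 32767
                || (basename != null && basename.length > epid.getBasenameLength())
                || (sigRl != null
                    && sigRl.length > epid.getSignatureRevocationListMaxLength())) {
            return null;
        }
        // The class is stateful: set every property on every call, null
        // included, so the result never depends on defaults or earlier state.
        epid.setNonce(nonce, (short) 0, (short) nonce.length);
        epid.setBasename(basename, (short) 0,
                (short) (basename == null ? 0 : basename.length));
        epid.setSignatureRevocationList(sigRl, (short) 0,
                (short) (sigRl == null ? 0 : sigRl.length));

        // Query the length only after all properties are set; it depends on them.
        short expected = epid.getSignatureLength();
        byte[] signature = new byte[expected];
        short written = epid.signComplete(data, (short) 0, (short) data.length,
                signature, (short) 0);
        if (written == expected) {
            return signature;
        }
        byte[] trimmed = new byte[written]; // return exactly the bytes written
        for (short i = 0; i < written; i++) {
            trimmed[i] = signature[i];
        }
        return trimmed;
    }
}
```
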
    • Method Summary

      Methods
      Modifier and Type Method and Description
      static EpidAlgEx createAlg()
      Factory method for creating a concrete instance.
      abstract short getBasenameLength()
      Returns the buffer size for the basename
      abstract short getGroupId(byte[] groupId, short groupIdIndex)
      Returns the EPID Group ID for this platform.
      abstract short getGroupIdLength()
      Returns the length of the EPID Group ID.
      abstract short getNonceLength()
      Returns the buffer size for the nonce
      abstract short getProvisionDataMaxOutputLength()
      Returns the maximum size of output buffer that must be allocated while calling the provisionData() method, if the response size is not known in advance.
      abstract short getSignatureLength()
      Returns the length of the signature generated by this instance.
      abstract short getSignatureRevocationListMaxLength()
      Returns the maximum size allowed for the signature revocation list (SIG-RL) buffer
      abstract boolean isProvisioned()
      Indicates whether the EPID 1.1 provisioning process was already done on this platform.
      abstract short provisionData(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
      A transport tunnel for passing EPID provisioning data from an external source (for example, a host software application) to the firmware.
      abstract void setBasename(byte[] basename, short index, short length)
      Sets the basename that will be signed as part of the signature
      abstract void setNonce(byte[] nonce, short index, short length)
      Sets the nonce that will be signed as part of the signature
      abstract void setSignatureRevocationList(byte[] sigRl, short index, short length)
      Sets the signature revocation list (SIG-RL) that will be signed as part of the signature
      abstract short signComplete(byte[] data, short dataIndex, short dataLength, byte[] signature, short signatureIndex)
      Signs the provided input data using the key currently stored by the instance.
      abstract boolean verifyComplete(byte[] data, short dataIndex, short dataLength, byte[] signature, short signatureIndex, short signatureLength)
      Verifies the signature on the provided input data using the key currently stored by the instance.
      • Methods inherited from class java.lang.Object

        equals, getClass, hashCode, toString
    • Method Detail

      • isProvisioned

        public abstract boolean isProvisioned()
        Indicates whether the EPID 1.1 provisioning process was already done on this platform. If the EPID public key is provisioned, this class can be used to generate EPID signatures.
        Specified by:
        isProvisioned in class EpidAlg
        Returns:
        true if EPID 1.1 is provisioned, false otherwise.
      • provisionData

        public abstract short provisionData(byte[] input,
                          short inputIndex,
                          short inputLength,
                          byte[] output,
                          short outputIndex)
                                     throws CryptoException
        A transport tunnel for passing EPID provisioning data from an external source (for example, a host software application) to the firmware. Note that this method does not perform any parsing on the input/output data, but simply passes the data as a blob to/from the internal firmware module that handles EPID provisioning. The getProvisionDataMaxOutputLength method can be used to retrieve the maximum required size of the output array.
        Specified by:
        provisionData in class EpidAlg
        Parameters:
        input - input data
        inputIndex - index in the input array
        inputLength - input data length
        output - an array to hold the output data
        outputIndex - index in the output array
        Returns:
        The number of bytes returned in output array.
        Throws:
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
      • getProvisionDataMaxOutputLength

        public abstract short getProvisionDataMaxOutputLength()
        Returns the maximum size of output buffer that must be allocated while calling the provisionData() method, if the response size is not known in advance.
        Specified by:
        getProvisionDataMaxOutputLength in class EpidAlg
        Returns:
        The maximum response size (in bytes) for the provisionData method.
      • getGroupId

        public abstract short getGroupId(byte[] groupId,
                       short groupIdIndex)
        Returns the EPID Group ID for this platform. The getGroupIdLength method can be used to retrieve the required size of the output array.
        Specified by:
        getGroupId in class EpidAlg
        Parameters:
        groupId - an array to hold the Group ID
        groupIdIndex - index in the array
        Returns:
        Group ID length.
      • getGroupIdLength

        public abstract short getGroupIdLength()
        Returns the length of the EPID Group ID.
        Specified by:
        getGroupIdLength in class EpidAlg
        Returns:
        EPID Group ID length in bytes.
      • getSignatureRevocationListMaxLength

        public abstract short getSignatureRevocationListMaxLength()
        Returns the maximum size allowed for the signature revocation list (SIG-RL) buffer
        Returns:
        The maximum size allowed for the signature revocation list (SIG-RL) buffer
      • getBasenameLength

        public abstract short getBasenameLength()
        Returns the buffer size for the basename
        Returns:
        The buffer size for the basename
      • getNonceLength

        public abstract short getNonceLength()
        Returns the buffer size for the nonce
        Returns:
        The buffer size for the nonce
      • setSignatureRevocationList

        public abstract void setSignatureRevocationList(byte[] sigRl,
                                      short index,
                                      short length)
                                                 throws CryptoException
        Sets the signature revocation list (SIG-RL) that will be signed as part of the signature
        Parameters:
        sigRl - the buffer for the signature revocation list or null to set no revocation
        index - the offset in the sigRl array
        length - the length of the sigRl array
        Throws:
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
      • setBasename

        public abstract void setBasename(byte[] basename,
                       short index,
                       short length)
                                  throws CryptoException
        Sets the basename that will be signed as part of the signature
        Parameters:
        basename - the buffer for the basename or null for random basename (the default)
        index - the offset in the basename array
        length - the length of the basename array
        Throws:
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
      • setNonce

        public abstract void setNonce(byte[] nonce,
                    short index,
                    short length)
                               throws CryptoException
        Sets the nonce that will be signed as part of the signature
        Parameters:
        nonce - the buffer for the nonce; cannot be null
        index - the offset in the nonce array
        length - the length of the nonce array
        Throws:
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
      • signComplete

        public abstract short signComplete(byte[] data,
                         short dataIndex,
                         short dataLength,
                         byte[] signature,
                         short signatureIndex)
                                    throws CryptoException
        Signs the provided input data using the key currently stored by the instance. Call getSignatureLength() to allocate the signature buffer right before this call, because the length of the signature is subject to change based on the current configuration of the signature. The maximum data size to be signed is limited to 32KB. Note that this method will prepend the following data to the data buffer:
        • Task info type - 4-byte integer, value should be 0
        • Task info length - 4-byte integer, value should be 72
        • Task ID - 4-byte integer, value should be 8
        • Sub-task ID - 4-byte integer, value should be 0
        • Reserved for ME core - 32-byte buffer, value should be all 0
        • Reserved for application - 32-byte buffer. First 16 bytes are the applet ID, the rest are 0
        • Nonce - 32-byte buffer. The value is determined by the setNonce() method
        Specified by:
        signComplete in interface Signature
        Specified by:
        signComplete in class EpidAlg
        Parameters:
        data - the input data to sign
        dataIndex - index in the input array
        dataLength - input data length
        signature - an array to hold the output data
        signatureIndex - index in the output array
        Returns:
        The number of bytes written into the signature array.
        Throws:
        NotInitializedException - if this method is called before EPID1.0 was provisioned
        IllegalUseException - if called before setNonce() was called
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
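
Because signComplete prepends the fields listed above, a verifier has to rebuild the same bytes in front of the data before checking the signature. The following added example (not Intel code) lays out that 112-byte prefix on the verifier side; `SignedMessageBuilder` is a hypothetical name, and the integer byte order is an assumption passed in by the caller because the page does not state it.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;

// Added example; SignedMessageBuilder is a hypothetical verifier-side helper.
public final class SignedMessageBuilder {
    static final int APPLET_ID_LEN = 16;   // first 16 bytes of the application field
    static final int RESERVED_LEN = 32;    // size of each reserved field
    static final int NONCE_LEN = 32;
    static final int PREFIX_LEN = 4 * 4 + 2 * RESERVED_LEN + NONCE_LEN; // 112 bytes

    /**
     * Rebuilds prefix || data, the buffer produced by prepending the listed fields.
     * order is an assumption: the page does not state the integer byte order.
     */
    public static byte[] build(byte[] appletId, byte[] nonce, byte[] data,
                               ByteOrder order) {
        if (appletId.length != APPLET_ID_LEN || nonce.length != NONCE_LEN) {
            throw new IllegalArgumentException("unexpected applet ID or nonce length");
        }
        ByteBuffer buf = ByteBuffer.allocate(PREFIX_LEN + data.length).order(order);
        buf.putInt(0);                     // task info type
        buf.putInt(72);                    // task info length (4 + 4 + 32 + 32)
        buf.putInt(8);                     // task ID
        buf.putInt(0);                     // sub-task ID
        buf.put(new byte[RESERVED_LEN]);   // reserved for ME core, all zero
        buf.put(appletId);                 // reserved for application: applet ID ...
        buf.put(new byte[RESERVED_LEN - APPLET_ID_LEN]); // ... then zero padding
        buf.put(nonce);                    // must be the nonce this verifier issued
        buf.put(data);
        return buf.array();
    }

    public static void main(String[] args) {
        // Constructed sample values, for illustration only.
        byte[] appletId = new byte[APPLET_ID_LEN];
        Arrays.fill(appletId, (byte) 0xA5);
        byte[] nonce = new byte[NONCE_LEN];
        Arrays.fill(nonce, (byte) 0x11);
        byte[] data = {0x01, 0x02, 0x03};
        byte[] message = build(appletId, nonce, data, ByteOrder.LITTLE_ENDIAN);
        System.out.println("signed message length: " + message.length);
    }
}
```

Comparing the applet ID and nonce fields against expected values ties an accepted signature to one applet and one challenge, which is what makes the nonce effective against replay.
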
      • verifyComplete

        public abstract boolean verifyComplete(byte[] data,
                             short dataIndex,
                             short dataLength,
                             byte[] signature,
                             short signatureIndex,
                             short signatureLength)
                                        throws CryptoException
        Verifies the signature on the provided input data using the key currently stored by the instance.
        Specified by:
        verifyComplete in interface Signature
        Specified by:
        verifyComplete in class EpidAlg
        Parameters:
        data - the input data that was signed
        dataIndex - index in the input array
        dataLength - input data length
        signature - the signature to verify
        signatureIndex - index in the signature array
        signatureLength - signature length
        Returns:
        true if the signature verified successfully, false otherwise.
        Throws:
        NotSupportedException - always
        NotInitializedException - if this instance is not configured correctly in order to verify the signature. For example, the key required for verifying the signature is not set.
        IllegalParameterException - if the data provided for verification is illegal
        CryptoException - if some unexpected error has occurred
      • getSignatureLength

        public abstract short getSignatureLength()
                                          throws CryptoException
        Returns the length of the signature generated by this instance. Should be called after setting all the signature properties, as they might affect the signature length.
        Specified by:
        getSignatureLength in interface Signature
        Returns:
        Signature length in bytes.
        Throws:
        NotInitializedException - if this instance is not configured correctly in order to calculate the signature size. For example, a required key is not set.
        CryptoException - if some unexpected error has occurred
      • createAlg

        public static EpidAlgEx createAlg()
        Factory method for creating a concrete instance.
        Returns:
        EpidAlgEx instance.