EpidAlgEx2

com.intel.crypto

Class EpidAlgEx2

  • All Implemented Interfaces:
    Signature


    public abstract class EpidAlgEx2
    extends EpidAlg

    This abstract class represents the extended version of the Intel® Enhanced Privacy ID (Intel® EPID) signing algorithm: Intel® EPID2.0. This algorithm extends the Intel EPID support by providing the following mechanisms:

    • Supplying a signature revocation list to provide non-revocation proof to the signature verifier

    This class is stateful: properties set on the instance before signing affect the resulting signature. By default the signature will be a basic signature with no signature revocation listwill be set to all zeros

    The following inherited methods are not supported by this class and will throw NotSupportedException:
    • signComplete
    • verifyComplete
    • setNonce
    • setBasename
    • getNonceLength
    • getBasenameLength
    • Method Summary

      Methods
      Modifier and Type Method and Description
      static EpidAlgEx2 createAlg()
      Factory method for creating a concrete instance.
      abstract short getBasenameLength()
      Return the buffer size for the basename
      abstract short getCertificateLength()
      Return the size of Intel EPID public certificate
      abstract short getGroupId(byte[] groupId, short groupIdIndex)
      Returns the Intel EPID Group ID for this platform.
      abstract short getGroupIdLength()
      Returns the length of the Intel EPID Group ID.
      abstract short getNonceLength()
      Returns the buffer size for the nonce
      abstract short getProvisionDataMaxOutputLength()
      Returns the maximum size of output buffer that must be allocated while calling the provisionData() method, if the response size is not known in advance.
      abstract short getSignatureLength()
      Returns the length of the signature generated by this instance.
      abstract short getSignatureRevocationListMaxLength()
      Returns the maximum size allowed for the signature revocation list (SIG-RL) buffer
      abstract short getTaskInfoSize()
      Return the size of TaskInfo buffer
      abstract void interactiveSign(byte[] data, short dataIndex, short dataLength, byte[] signature, short signatureIndex, short signatureLength, byte[] certificate, short certificateIndex, short certificateLength, byte[] taskInfo, short taskInfoIndex, short taskInfoLength)
      Signs the provided input data using the key currently stored by the instance.
      abstract boolean isProvisioned()
      Indicates whether the Intel EPID 2.0 provisioning process was already performed on this platform.
      abstract short provisionData(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
      A transport tunnel for passing Intel EPID provisioning data from an external source (for example, a host software application) to the firmware.
      abstract void setBasename(byte[] basename, short index, short length)
      Sets the basename that will be signed as part of the signature
      abstract void setNonce(byte[] nonce, short index, short length)
      Sets the nonce that will be signed as part of the signature
      abstract void setSignatureRevocationList(byte[] sigRl, short index, short length)
      Sets the signature revocation list (SIG-RL) that will be signed as part of the signature
      abstract void setVerifierMessage(byte[] verifierMessag, short index, short length)
      Sets the verifier message that will be signed as part of the signature
      abstract short signComplete(byte[] data, short dataIndex, short dataLength, byte[] signature, short signatureIndex)
      Signs the provided input data using the key currently stored by the instance.
      abstract boolean verifyComplete(byte[] data, short dataIndex, short dataLength, byte[] signature, short signatureIndex, short signatureLength)
      Verifies the signature on the provided input data using the key currently stored by the instance.
      • Methods inherited from class java.lang.Object

        equals, getClass, hashCode, toString
    • Method Detail

      • isProvisioned

        public abstract boolean isProvisioned()
        Indicates whether the Intel EPID 2.0 provisioning process was already performed on this platform. If the Intel EPID public key is provisioned, this class can be used to generate Intel EPID signatures.
        Specified by:
        isProvisioned in class EpidAlg
        Returns:
        true if Intel EPID 1.1 is provisioned, false otherwise.
      • provisionData

        public abstract short provisionData(byte[] input,
                          short inputIndex,
                          short inputLength,
                          byte[] output,
                          short outputIndex)
                                     throws CryptoException
        A transport tunnel for passing Intel EPID provisioning data from an external source (for example, a host software application) to the firmware. Note that this method does not perform any parsing on the input/output data, but simply passes the data as a blob to/from the internal firmware module that handles Intel EPID provisioning. The getProvisionDataMaxOutputLength method can be used to retrieve the maximum required size of the output array.
        Specified by:
        provisionData in class EpidAlg
        Parameters:
        input - input data
        inputIndex - index in the input array
        inputLength - input data length
        output - an array to hold the output data
        outputIndex - index in the output array
        Returns:
        The number of bytes returned in output array.
        Throws:
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
      • getProvisionDataMaxOutputLength

        public abstract short getProvisionDataMaxOutputLength()
        Returns the maximum size of output buffer that must be allocated while calling the provisionData() method, if the response size is not known in advance.
        Specified by:
        getProvisionDataMaxOutputLength in class EpidAlg
        Returns:
        The maximum response size (in bytes) for the provisionData method.
      • getGroupId

        public abstract short getGroupId(byte[] groupId,
                       short groupIdIndex)
        Returns the Intel EPID Group ID for this platform. The getGroupIdLength method can be used to retrieve the required size of the output array.
        Specified by:
        getGroupId in class EpidAlg
        Parameters:
        groupId - an array to hold the Group ID
        groupIdIndex - index in the array
        Returns:
        Group ID length.
      • getGroupIdLength

        public abstract short getGroupIdLength()
        Returns the length of the Intel EPID Group ID.
        Specified by:
        getGroupIdLength in class EpidAlg
        Returns:
        Intel EPID Group ID length in bytes.
      • getSignatureRevocationListMaxLength

        public abstract short getSignatureRevocationListMaxLength()
        Returns the maximum size allowed for the signature revocation list (SIG-RL) buffer
      • getBasenameLength

        public abstract short getBasenameLength()
        Return the buffer size for the basename
        Throws:
        NotSupportedException - always
      • getNonceLength

        public abstract short getNonceLength()
        Returns the buffer size for the nonce
        Throws:
        NotSupportedException - always
      • setSignatureRevocationList

        public abstract void setSignatureRevocationList(byte[] sigRl,
                                      short index,
                                      short length)
                                                 throws CryptoException
        Sets the signature revocation list (SIG-RL) that will be signed as part of the signature
        Parameters:
        sigRl - the buffer for the signature revocation list or null to set no revocation
        index - the offset in the sigRl array
        length - the length of the sigRl array
        Throws:
        IllegalParameterException - if the buffer has an illegal length
        CryptoException - if some other unexpected failure has occurred
      • Note:
        If setSignatureRevocationList is called with invalid data, the exception may not be thrown immediately. In such a case, it may be thrown only after calling getSignatureLength or interactiveSign.
      • setVerifierMessage

        public abstract void setVerifierMessage(byte[] verifierMessag,
                              short index,
                              short length)
        Sets the verifier message that will be signed as part of the signature
        Parameters:
        verifierData - the information the verifier provides to the prover for signature
        index - the index of the data in the buffer
        length - the verifier data size
      • signComplete

        public abstract short signComplete(byte[] data,
                         short dataIndex,
                         short dataLength,
                         byte[] signature,
                         short signatureIndex)
                                    throws CryptoException
        Signs the provided input data using the key currently stored by the instance. Note that getSignatureLength() should be called to allocate the signature buffer right before this call, because the length of the signature is subject to change based on the current configuration of the signature.
        Specified by:
        signComplete in interface Signature
        Specified by:
        signComplete in class EpidAlg
        Parameters:
        data - the input data to sign
        dataIndex - index in the input array
        dataLength - input data length
        signature - an array to hold the output data
        signatureIndex - index in the output array
        Returns:
        The number of bytes written into the signature array.
        Throws:
        NotSupportedException - always
        NotInitializedException - if this instance is not configured correctly in order to generate a signature. For example, the key required for signing the data is not set.
        IllegalParameterException - if the data provided for signing is illegal
        CryptoException - if some unexpected error has occurred
      • verifyComplete

        public abstract boolean verifyComplete(byte[] data,
                             short dataIndex,
                             short dataLength,
                             byte[] signature,
                             short signatureIndex,
                             short signatureLength)
                                        throws CryptoException
        Verifies the signature on the provided input data using the key currently stored by the instance.
        Specified by:
        verifyComplete in interface Signature
        Specified by:
        verifyComplete in class EpidAlg
        Parameters:
        data - the input data that was signed
        dataIndex - index in the input array
        dataLength - input data length
        signature - the signature to verify
        signatureIndex - index in the signature array
        signatureLength - signature length
        Returns:
        true if the signature verified successfully, false otherwise.
        Throws:
        NotSupportedException - always
        NotInitializedException - if this instance is not configured correctly in order to verify the signature. For example, the key required for verifying the signature is not set.
        IllegalParameterException - if the data provided for verification is illegal
        CryptoException - if some unexpected error has occurred
      • getSignatureLength

        public abstract short getSignatureLength()
                                          throws CryptoException
        Returns the length of the signature generated by this instance.
        Returns:
        Signature length in bytes.
        Throws:
        NotInitializedException - if this instance is not configured correctly in order to calculate the signature size. For example, a required key is not set.
        CryptoException - if some unexpected error has occurred
      • getCertificateLength

        public abstract short getCertificateLength()
                                            throws CryptoException
        Return the size of the Intel EPID public certificate
        Returns:
        the size of the Intel EPID public certificate
        Throws:
        CryptoException
      • getTaskInfoSize

        public abstract short getTaskInfoSize()
        Return the size of TaskInfo buffer
        Returns:
        Return the size of TaskInfo buffer
      • interactiveSign

        public abstract void interactiveSign(byte[] data,
                           short dataIndex,
                           short dataLength,
                           byte[] signature,
                           short signatureIndex,
                           short signatureLength,
                           byte[] certificate,
                           short certificateIndex,
                           short certificateLength,
                           byte[] taskInfo,
                           short taskInfoIndex,
                           short taskInfoLength)
                                      throws CryptoException
        Signs the provided input data using the key currently stored by the instance. Note that getSignatureLength() should be called to allocate the signature buffer right before this call, because the length of the signature is subject to change based on the current configuration of the signature. The maximum data size to be signed is limited to 32KB. Note that this method prepends the taskInfo data to the data buffer and signs the result. The taskInfo data is returned in the taskInfo buffer.
        Parameters:
        data - the data to be signed
        dataIndex - the index of the data in the buffer
        dataLength - the data length
        signature - buffer for the signature
        signatureIndex - index in the buffer to start copy to
        signatureLength - size of space in the buffer for the signature
        certificate - buffer for the public EPID certificate
        certificateIndex - index in the buffer to start copy to
        certificateLength - size of space in the buffer for the certificate
        taskInfo - buffer for the TaskInfo metadata that is added to the signature
        taskInfoIndex - index in the buffer to start copy to
        taskInfoLength - size of space in the buffer for the TaskInfo
        Throws:
        CryptoException
        IllegalParameterException - if the buffer has an illegal length
      • createAlg

        public static EpidAlgEx2 createAlg()
        Factory method for creating a concrete instance.
        Returns:
        EpidAlgEx2 instance.
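
The call order implied by the notes above (configure the instance, then size the buffers, then sign), as an added example that is not Intel's code. EpidSignExample, Result and sign are hypothetical names; the example assumes CryptoException is in com.intel.crypto and that it runs inside an applet where EpidAlgEx2 is available.

```java
import com.intel.crypto.CryptoException; // assumption: same package as EpidAlgEx2
import com.intel.crypto.EpidAlgEx2;

/** Hypothetical helper class; not part of the Intel API. */
public final class EpidSignExample {
    private static final int MAX_DATA = 32767; // dataLength is a short; the page caps data at 32KB

    /** Output buffers filled by interactiveSign. */
    public static final class Result {
        public byte[] signature, certificate, taskInfo;
    }

    /** Returns null when a precondition fails; otherwise the filled buffers. */
    public static Result sign(byte[] data, byte[] sigRl, byte[] verifierMessage)
            throws CryptoException {
        final short zero = 0;
        EpidAlgEx2 epid = EpidAlgEx2.createAlg();
        if (!epid.isProvisioned()) {
            return null; // no provisioned key: provisionData() has to run first
        }
        if (data.length > MAX_DATA) {
            return null;
        }
        // The class is stateful, so set the SIG-RL explicitly on every call;
        // null selects a basic signature without a non-revocation proof.
        if (sigRl != null && sigRl.length > epid.getSignatureRevocationListMaxLength()) {
            return null;
        }
        epid.setSignatureRevocationList(sigRl, zero, (short) (sigRl == null ? 0 : sigRl.length));
        epid.setVerifierMessage(verifierMessage, zero, (short) verifierMessage.length);

        // Query sizes only after all setters: the signature length depends on the
        // configuration, and a bad SIG-RL may be rejected here rather than in the setter.
        short sigLen = epid.getSignatureLength();
        short certLen = epid.getCertificateLength();
        short taskLen = epid.getTaskInfoSize();

        Result r = new Result();
        r.signature = new byte[sigLen];
        r.certificate = new byte[certLen];
        r.taskInfo = new byte[taskLen];
        // taskInfo is prepended to data before signing, so the verifier needs it too.
        epid.interactiveSign(data, zero, (short) data.length,
                r.signature, zero, sigLen,
                r.certificate, zero, certLen,
                r.taskInfo, zero, taskLen);
        return r;
    }
}
```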