com.intel.crypto
Class DataMigration
- java.lang.Object
-
- com.intel.crypto.DataMigration
-
public abstract class DataMigration extends java.lang.Object
This class provides the ability to apply the previous PBIND key to retrieve data that was encrypted\HMAC'd using the PBIND key.When the Intel CSME Firmware Secure Version Number (SVN) is incremented (via firmware update), the applet PBIND key changes. Therefore any data that was encrypted\HMAC'd with the PBIND key will no longer be usable. The Intel CSME Firmware SVN increment can be detected using
If the Intel CSME Firmware SVN was never incremented on the platform,PlatformInfo.getSecurityEngineSVN()
The following classes support PBIND operations:NotSupportedException
will be thrown.
NOTE: Only a single migration step is supported. I.e., if the user performs an SVN firmware update from SVN X to SVN Y (where Y > X) and then performs another SVN firmware update to SVN Z (where Z > Y) without performing data migration after the transition to SVN Y and before the transition to SVN Z, all the encrypted/signed data created in SVN X is lost.
-
-
Field Summary
Fields Modifier and Type Field and Description static short
DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
AES decryption with 128-bit Platform Binding key in CBC mode.static short
DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
AES decryption with 256-bit Platform Binding key in CBC mode.static short
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
HMAC SHA1 with Platform Binding key algorithm.static short
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
HMAC SHA256 with Platform Binding key algorithm.
-
Method Summary
Methods Modifier and Type Method and Description static DataMigration
create(short algType)
Factory method for creating a concrete instance.abstract short
decryptComplete(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
Decrypts the provided input data using the previous PBIND key stored by the instance.abstract short
decryptUpdate(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
Decrypts the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation.abstract void
setIV(byte[] ivArray, short ivIndex, short ivLength)
Sets the initialization vector (IV) to be used by this instance for encrypt/decrypt operations.abstract boolean
verifyComplete(byte[] input, short inputIndex, short inputLength, byte[] signature, short signatureIndex, short signatureLength)
Verifies the signature on the provided input data using the previous PBIND key stored by the instance.abstract void
verifyUpdate(byte[] data, short dataIndex, short dataLength)
Verifies the signature on the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation.
-
-
-
Field Detail
-
DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
public static final short DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
AES deccryption with 128 bit Platform Binding key in CBC mode.- See Also:
- Constant Field Values
-
DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
public static final short DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
AES cryption with 256 bit Platform Binding key in CBC mode.- See Also:
- Constant Field Values
-
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
public static final short SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
HMAC SHA1 with Platform Binding key algorithm.- See Also:
- Constant Field Values
-
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
public static final short SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
HMAC SHA256 with Platform Binding key algorithm.- See Also:
- Constant Field Values
-
-
Method Detail
-
setIV
public abstract void setIV(byte[] ivArray, short ivIndex, short ivLength) throws CryptoException
Sets the IV to be used by this instance for encrypt/decrypt operations. Note that once set, the new IV value is used for all future encrypt/decrypt operations until the IV is reset to a new value (by calling thesetIV
method again). In addition, calling this method resets any sequence of operations that has already started. This method is required only for algorithm types that implement CBC or CTR mode.- Parameters:
ivArray
- the IV dataivIndex
- index in the IV arrayivLength
- IV length in bytes- Throws:
NotSupportedException
- when called for an instance that does not support IV (for example, ECB cipher)IllegalParameterException
- when the provided IV size is illegal or not supportedNotInitializedException
- when using DataMigration without proper initializationCryptoException
- if an internal error occurred
-
decryptUpdate
public abstract short decryptUpdate(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex) throws CryptoException
Decrypts the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation. ThedecryptComplete
method must be called to complete the decryption. operations sequence and clear the internal state maintained by the instance.- Parameters:
input
- the input data to decryptinputIndex
- index in the input arrayinputLength
- input data lengthoutput
- an array to hold the decrypted data (if any number of complete blocks was decrypted)outputIndex
- index in the output array- Returns:
- The number of bytes returned in output array.
- Throws:
NotInitializedException
- if a required decryption parameter is not configured (for example, key for non-Platform Binding algorithms, IV for CBC ciphers, etc.) or using DataMigration without proper initializationjava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsIllegalUseException
- when illegal input was provided/dd>CryptoException
- if an internal error occurred
-
decryptComplete
public abstract short decryptComplete(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
Decrypts the provided input data using the previous PBIND key stored by the instance.- Parameters:
input
- the input data to decryptinputIndex
- index in the input arrayinputLength
- input data lengthoutput
- an array to hold the decrypted dataoutputIndex
- index in the output array- Returns:
- The number of bytes returned in output array.
- Throws:
NotInitializedException
- if a required decryption parameter is not configured (for example, the key to be used for decryption) or using DataMigration without proper initializationIllegalParameterException
- when one or more of the input parameters are illegaljava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsIllegalUseException
- when illegal input was providedCryptoException
- if an internal error occurred
-
verifyUpdate
public abstract void verifyUpdate(byte[] data, short dataIndex, short dataLength) throws CryptoException
Verifies the signature on the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation. TheverifyComplete
method must be called to complete the verify operations sequence and receive the verification result.- Parameters:
data
- the input data that was signeddataIndex
- index in the input arraydataLength
- input data length- Throws:
NotInitializedException
- if this instance is not configured correctly in order to verify the signature. For example, the key with which the data was signed is not set or using DataMigration without properly initializationIllegalParameterException
- if the data provided for verification is illegaljava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsCryptoException
- if some unexpected error has occurred
-
verifyComplete
public abstract boolean verifyComplete(byte[] input, short inputIndex, short inputLength, byte[] signature, short signatureIndex, short signatureLength)
Verifies the signature on the provided input data using the previous PBIND key stored by the instance.- Parameters:
input
- the input data that was signedinputIndex
- index in the input arrayinputLength
- input data lengthsignature
- the signature to verifysignatureIndex
- index in the signature arraysignatureLength
- signature length- Returns:
true
if the signature verified successfully,false
otherwise.- Throws:
NotInitializedException
- if this instance is not configured correctly in order to verify the signature. For example, the key required for verifying the signature is not set or using DataMigration without proper initializationIllegalParameterException
- if the data provided for verification is illegaljava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsCryptoException
- if some unexpected error has occurred
-
create
public static final DataMigration create(short algType)
Factory method for creating a concrete instance.- Parameters:
algType
- the requested algorithm, see SIGNATURE_ALG_TYPE.. or DECRYPT_ALG_TYPE definitions above for the possible values- Returns:
DataMigration
instance of the requested type.- Throws:
NotSupportedException
- if the requested algorithm type is not supported or data migration is not supported.NotInitializedException
- if the previous seed does not exist.
-
-