com.intel.crypto
Class DataMigration
- java.lang.Object
-
- com.intel.crypto.DataMigration
-
public abstract class DataMigration extends java.lang.Object
This class provides the ability to apply the previous PBIND key to retrieve data which was encrypted\hmaced using PBIND key.When CSME FW Secure Version Number (SVN) is incremented (via FW update) the applet PBIND key will change. Therefore any data which was encrypted\hmaced with the PBIND key will no longer be usable. The CSME FW SVN increment can be detected using
In case the CSME FW SVN was never incremented on the platformPlatformInfo.getSecurityEngineSVN()
The following classes support PBIND operations:NotSupportedException
will be thrown.
NOTE: only a single migration step is supported, i.e. if the user will perform SVN FW update from SVN X to SVN Y (where Y > X) and do another SVN FW update to SVN Z (Where Z > Y) without preforming data migration after the transition to SVN Y and before the transition to SVN Z all the encrypted/signed data created in SVN X will be lost.
-
-
Field Summary
Fields Modifier and Type Field and Description static short
DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
AES deccryption with 128 bit Platform Binding key in CBC mode.static short
DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
AES cryption with 256 bit Platform Binding key in CBC mode.static short
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
HMAC SHA1 with Platform Binding key algorithm.static short
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
HMAC SHA256 with Platform Binding key algorithm.
-
Method Summary
Methods Modifier and Type Method and Description static DataMigration
create(short algType)
Factory method for creating a concrete instance.abstract short
decryptComplete(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
Decrypts the provided input data using the previous PBIND key stored by the instance.abstract short
decryptUpdate(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
Decrypts the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation.abstract void
setIV(byte[] ivArray, short ivIndex, short ivLength)
Sets the IV to be used by this instance for encrypt/decrypt operations.abstract boolean
verifyComplete(byte[] input, short inputIndex, short inputLength, byte[] signature, short signatureIndex, short signatureLength)
Verifies the signature on the provided input data using the previous PBIND key stored by the instance.abstract void
verifyUpdate(byte[] data, short dataIndex, short dataLength)
Verifies the signature on the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation.
-
-
-
Field Detail
-
DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
public static final short DECRYPT_ALG_TYPE_PBIND_AES_128_CBC
AES deccryption with 128 bit Platform Binding key in CBC mode.- See Also:
- Constant Field Values
-
DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
public static final short DECRYPT_ALG_TYPE_PBIND_AES_256_CBC
AES cryption with 256 bit Platform Binding key in CBC mode.- See Also:
- Constant Field Values
-
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
public static final short SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA1
HMAC SHA1 with Platform Binding key algorithm.- See Also:
- Constant Field Values
-
SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
public static final short SIGNATURE_ALG_TYPE_PBIND_HMAC_SHA256
HMAC SHA256 with Platform Binding key algorithm.- See Also:
- Constant Field Values
-
-
Method Detail
-
setIV
public abstract void setIV(byte[] ivArray, short ivIndex, short ivLength) throws CryptoException
Sets the IV to be used by this instance for encrypt/decrypt operations. Note that once set the new IV value is used for all future encrypt/decrypt operations until the IV is reset to a new value (by calling thesetIV
method again). In addition, calling this method resets any sequence of operations that has already started. This method is required only for algorithm types that implement CBC or CTR mode.- Parameters:
ivArray
- the IV dataivIndex
- index in the IV arrayivLength
- IV length in bytes- Throws:
NotSupportedException
- when called for an instance that does not support IV (for example, ECB cipher)IllegalParameterException
- when the provided IV size is illegal or not supportedNotInitializedException
- when using DataMigaration without properly initializetionCryptoException
-
decryptUpdate
public abstract short decryptUpdate(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex) throws CryptoException
Decrypts the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation. ThedecryptComplete
method must be called to complete the decryption operations sequence and clear the internal state maintained by the instance.- Parameters:
input
- the input data to decryptinputIndex
- index in the input arrayinputLength
- input data lengthoutput
- an array to hold the decrypted data (if any number of complete blocks was decrypted)outputIndex
- index in the output array- Returns:
- The number of bytes returned in output array.
- Throws:
NotInitializedException
- if a required decryption parameter is not configured (for example, key for non-Platform Binding algorithms, IV for CBC ciphers, etc.) or using DataMigaration without properly initializetionjava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsIllegalUseException
- when provide ilegal inputCryptoException
- if an internal error occurred
-
decryptComplete
public abstract short decryptComplete(byte[] input, short inputIndex, short inputLength, byte[] output, short outputIndex)
Decrypts the provided input data using the previous PBIND key stored by the instance.- Parameters:
input
- the input data to decryptinputIndex
- index in the input arrayinputLength
- input data lengthoutput
- an array to hold the decrypted dataoutputIndex
- index in the output array- Returns:
- The number of bytes returned in output array.
- Throws:
NotInitializedException
- if a required decryption parameter is not configured (for example, the key to be used for decryption) or using DataMigaration without properly initializetionIllegalParameterException
- when one or more of the input parameters are illegaljava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsIllegalUseException
- when provide ilegal inputCryptoException
- if an internal error occurred
-
verifyUpdate
public abstract void verifyUpdate(byte[] data, short dataIndex, short dataLength) throws CryptoException
Verifies the signature on the provided input data, using the key currently stored by the instance, and maintains the instance state for the next operation. TheverifyComplete
method must be called to complete the verify operations sequence and receive the verification result.- Parameters:
data
- the input data that was signeddataIndex
- index in the input arraydataLength
- input data length- Throws:
NotInitializedException
- if this instance is not configured correctly in order to verify the signature. For example, the key the data was signed with is not set or using DataMigaration without properly initializetionIllegalParameterException
- if the data provided for verification is illegaljava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsCryptoException
- if some unexpected error has occurred
-
verifyComplete
public abstract boolean verifyComplete(byte[] input, short inputIndex, short inputLength, byte[] signature, short signatureIndex, short signatureLength)
Verifies the signature on the provided input data using the previous PBIND key stored by the instance.- Parameters:
input
- the input data that was signedinputIndex
- index in the input arrayinputLength
- input data lengthsignature
- the signature to verifysignatureIndex
- index in the signature arraysignatureLength
- signature length- Returns:
true
if the signature verified successfully,false
otherwise.- Throws:
NotInitializedException
- if this instance is not configured correctly in order to verify the signature. For example, the key required for verifying the signature is not set or using DataMigaration without properly initializetionIllegalParameterException
- if the data provided for verification is illegaljava.lang.ArrayIndexOutOfBoundsException
- when inputIndes or outputIndex are out of boundsCryptoException
- if some unexpected error has occurred
-
create
public static final DataMigration create(short algType)
Factory method for creating a concrete instance.- Parameters:
algType
- the requested algorithm, see SIGNATURE_ALG_TYPE.. or DECRYPT_ALG_TYPE definitions above for the possible values- Returns:
DataMigration
instance of the requested type.- Throws:
NotSupportedException
- if the requested algorithm type is not supported or data migration is not supported.
-
-