Modules#
Crypto - Platform#
This module includes the platform abstraction for Crypto.
Enumerations#
This enumeration defines the key types.
This enumeration defines the key algorithms.
This enumeration defines the key usage flags.
This enumeration defines the key storage types.
Typedefs#
This datatype represents the key reference.
This structure represents a SHA-256 hash.
Variables#
Functions#
Initialize the Crypto module.
Import a key into PSA ITS.
Export a key stored in PSA ITS.
Destroy a key stored in PSA ITS.
Check if the key ref passed has an associated key in PSA ITS.
Initialize the HMAC operation.
Uninitialize the HMAC operation.
Start HMAC operation.
Update the HMAC operation with new input.
Complete the HMAC operation.
Initialise the AES operation.
Set the key for AES operation.
Encrypt the given data.
Free the AES context.
Initialise the HKDF context.
Perform HKDF Expand step.
Perform HKDF Extract step.
Uninitialize the HKDF context.
Initialise the SHA-256 operation.
Uninitialize the SHA-256 operation.
Start SHA-256 operation.
Update SHA-256 operation with new input.
Finish SHA-256 operation.
Initialize cryptographically-secure pseudorandom number generator (CSPRNG).
Deinitialize cryptographically-secure pseudorandom number generator (CSPRNG).
Fills a given buffer with cryptographically secure random bytes.
Generate and populate the output buffer with a new ECDSA key-pair.
Get the associated public key from the input context.
Calculate the ECDSA signature for a hashed message using the private key from the input context.
Use the key from the input context to verify the ECDSA signature of a hashed message.
Calculate the ECDSA signature for a hashed message using the Key reference passed.
Get the associated public key from the key reference passed.
Generate and import a new ECDSA key-pair at reference passed.
Use the keyref to verify the ECDSA signature of a hashed message.
Perform PKCS#5 PBKDF2 using CMAC (AES-CMAC-PRF-128).
Macros#
Length of SHA256 hash (in bytes).
Max buffer size (in bytes) for representing the EDCSA key-pair in DER format.
Buffer size (in bytes) for representing the EDCSA public key.
Buffer size (in bytes) for representing the EDCSA signature.
Max PBKDF2 SALT length: salt prefix (6) + extended panid (8) + network name (16)
Enumeration Documentation#
otCryptoKeyType#
otCryptoKeyType
This enumeration defines the key types.
| Enumerator | |
|---|---|
| OT_CRYPTO_KEY_TYPE_RAW | Key Type: Raw Data. |
| OT_CRYPTO_KEY_TYPE_AES | Key Type: AES. |
| OT_CRYPTO_KEY_TYPE_HMAC | Key Type: HMAC. |
| OT_CRYPTO_KEY_TYPE_ECDSA | Key Type: ECDSA. |
otCryptoKeyAlgorithm#
otCryptoKeyAlgorithm
This enumeration defines the key algorithms.
| Enumerator | |
|---|---|
| OT_CRYPTO_KEY_ALG_VENDOR | Key Algorithm: Vendor Defined. |
| OT_CRYPTO_KEY_ALG_AES_ECB | Key Algorithm: AES ECB. |
| OT_CRYPTO_KEY_ALG_HMAC_SHA_256 | Key Algorithm: HMAC SHA-256. |
| OT_CRYPTO_KEY_ALG_ECDSA | Key Algorithm: ECDSA. |
@12#
@12
This enumeration defines the key usage flags.
| Enumerator | |
|---|---|
| OT_CRYPTO_KEY_USAGE_NONE | Key Usage: Key Usage is empty. |
| OT_CRYPTO_KEY_USAGE_EXPORT | Key Usage: Key can be exported. |
| OT_CRYPTO_KEY_USAGE_ENCRYPT | Key Usage: Encryption (vendor defined). |
| OT_CRYPTO_KEY_USAGE_DECRYPT | Key Usage: AES ECB. |
| OT_CRYPTO_KEY_USAGE_SIGN_HASH | Key Usage: Sign Hash. |
| OT_CRYPTO_KEY_USAGE_VERIFY_HASH | Key Usage: Verify Hash. |
otCryptoKeyStorage#
otCryptoKeyStorage
This enumeration defines the key storage types.
| Enumerator | |
|---|---|
| OT_CRYPTO_KEY_STORAGE_VOLATILE | Key Persistence: Key is volatile. |
| OT_CRYPTO_KEY_STORAGE_PERSISTENT | Key Persistence: Key is persistent. |
Typedef Documentation#
otPlatCryptoSha256Hash#
typedef struct otPlatCryptoSha256Hash otPlatCryptoSha256Hash
This structure represents a SHA-256 hash.
Variable Documentation#
Function Documentation#
otPlatCryptoInit#
void otPlatCryptoInit (void )
Initialize the Crypto module.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| void | N/A |
otPlatCryptoImportKey#
otError otPlatCryptoImportKey (otCryptoKeyRef * aKeyRef, otCryptoKeyType aKeyType, otCryptoKeyAlgorithm aKeyAlgorithm, int aKeyUsage, otCryptoKeyStorage aKeyPersistence, const uint8_t * aKey, size_t aKeyLen)
Import a key into PSA ITS.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef * | [inout] | aKeyRef | Pointer to the key ref to be used for crypto operations. |
| otCryptoKeyType | [in] | aKeyType | Key Type encoding for the key. |
| otCryptoKeyAlgorithm | [in] | aKeyAlgorithm | Key algorithm encoding for the key. |
| int | [in] | aKeyUsage | Key Usage encoding for the key (combinations of |
| otCryptoKeyStorage | [in] | aKeyPersistence | Key Persistence for this key |
| const uint8_t * | [in] | aKey | Actual key to be imported. |
| size_t | [in] | aKeyLen | Length of the key to be imported. |
Note
If OT_CRYPTO_KEY_STORAGE_PERSISTENT is passed for aKeyPersistence then
aKeyRefis input and platform should use the given aKeyRef and MUST not change it.
If OT_CRYPTO_KEY_STORAGE_VOLATILE is passed for aKeyPersistence then aKeyRef is output, the initial value does not matter and platform API MUST update it to return the new key ref.
This API is only used by OT core when OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE is enabled.
otPlatCryptoExportKey#
otError otPlatCryptoExportKey (otCryptoKeyRef aKeyRef, uint8_t * aBuffer, size_t aBufferLen, size_t * aKeyLen)
Export a key stored in PSA ITS.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | The key ref to be used for crypto operations. |
| uint8_t * | [out] | aBuffer | Pointer to the buffer where key needs to be exported. |
| size_t | [in] | aBufferLen | Length of the buffer passed to store the exported key. |
| size_t * | [out] | aKeyLen | Pointer to return the length of the exported key. |
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoDestroyKey#
otError otPlatCryptoDestroyKey (otCryptoKeyRef aKeyRef)
Destroy a key stored in PSA ITS.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | The key ref to be destroyed |
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoHasKey#
bool otPlatCryptoHasKey (otCryptoKeyRef aKeyRef)
Check if the key ref passed has an associated key in PSA ITS.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | The Key Ref to check. |
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoHmacSha256Init#
otError otPlatCryptoHmacSha256Init (otCryptoContext * aContext)
Initialize the HMAC operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HMAC operation. |
Note
The platform driver shall point the context to the correct object such as psa_mac_operation_t or mbedtls_md_context_t.
otPlatCryptoHmacSha256Deinit#
otError otPlatCryptoHmacSha256Deinit (otCryptoContext * aContext)
Uninitialize the HMAC operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HMAC operation. |
otPlatCryptoHmacSha256Start#
otError otPlatCryptoHmacSha256Start (otCryptoContext * aContext, const otCryptoKey * aKey)
Start HMAC operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HMAC operation. |
| const otCryptoKey * | [in] | aKey | Key material to be used for HMAC operation. |
otPlatCryptoHmacSha256Update#
otError otPlatCryptoHmacSha256Update (otCryptoContext * aContext, const void * aBuf, uint16_t aBufLength)
Update the HMAC operation with new input.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HMAC operation. |
| const void * | [in] | aBuf | A pointer to the input buffer. |
| uint16_t | [in] | aBufLength | The length of |
otPlatCryptoHmacSha256Finish#
otError otPlatCryptoHmacSha256Finish (otCryptoContext * aContext, uint8_t * aBuf, size_t aBufLength)
Complete the HMAC operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HMAC operation. |
| uint8_t * | [out] | aBuf | A pointer to the output buffer. |
| size_t | [in] | aBufLength | The length of |
otPlatCryptoAesInit#
otError otPlatCryptoAesInit (otCryptoContext * aContext)
Initialise the AES operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for AES operation. |
Note
The platform driver shall point the context to the correct object such as psa_key_id or mbedtls_aes_context_t.
otPlatCryptoAesSetKey#
otError otPlatCryptoAesSetKey (otCryptoContext * aContext, const otCryptoKey * aKey)
Set the key for AES operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for AES operation. |
| const otCryptoKey * | [out] | aKey | Key to use for AES operation. |
otPlatCryptoAesEncrypt#
otError otPlatCryptoAesEncrypt (otCryptoContext * aContext, const uint8_t * aInput, uint8_t * aOutput)
Encrypt the given data.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for AES operation. |
| const uint8_t * | [in] | aInput | Pointer to the input buffer. |
| uint8_t * | [in] | aOutput | Pointer to the output buffer. |
otPlatCryptoAesFree#
otError otPlatCryptoAesFree (otCryptoContext * aContext)
Free the AES context.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for AES operation. |
otPlatCryptoHkdfInit#
otError otPlatCryptoHkdfInit (otCryptoContext * aContext)
Initialise the HKDF context.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HKDF operation. |
Note
The platform driver shall point the context to the correct object such as psa_key_derivation_operation_t or HmacSha256::Hash
otPlatCryptoHkdfExpand#
otError otPlatCryptoHkdfExpand (otCryptoContext * aContext, const uint8_t * aInfo, uint16_t aInfoLength, uint8_t * aOutputKey, uint16_t aOutputKeyLength)
Perform HKDF Expand step.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Operation context for HKDF operation. |
| const uint8_t * | [in] | aInfo | Pointer to the Info sequence. |
| uint16_t | [in] | aInfoLength | Length of the Info sequence. |
| uint8_t * | [out] | aOutputKey | Pointer to the output Key. |
| uint16_t | [in] | aOutputKeyLength | Size of the output key buffer. |
otPlatCryptoHkdfExtract#
otError otPlatCryptoHkdfExtract (otCryptoContext * aContext, const uint8_t * aSalt, uint16_t aSaltLength, const otCryptoKey * aInputKey)
Perform HKDF Extract step.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Operation context for HKDF operation. |
| const uint8_t * | [in] | aSalt | Pointer to the Salt for HKDF. |
| uint16_t | [in] | aSaltLength | Length of Salt. |
| const otCryptoKey * | [in] | aInputKey | Pointer to the input key. |
otPlatCryptoHkdfDeinit#
otError otPlatCryptoHkdfDeinit (otCryptoContext * aContext)
Uninitialize the HKDF context.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for HKDF operation. |
otPlatCryptoSha256Init#
otError otPlatCryptoSha256Init (otCryptoContext * aContext)
Initialise the SHA-256 operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for SHA-256 operation. |
Note
The platform driver shall point the context to the correct object such as psa_hash_operation_t or mbedtls_sha256_context.
otPlatCryptoSha256Deinit#
otError otPlatCryptoSha256Deinit (otCryptoContext * aContext)
Uninitialize the SHA-256 operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for SHA-256 operation. |
otPlatCryptoSha256Start#
otError otPlatCryptoSha256Start (otCryptoContext * aContext)
Start SHA-256 operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for SHA-256 operation. |
otPlatCryptoSha256Update#
otError otPlatCryptoSha256Update (otCryptoContext * aContext, const void * aBuf, uint16_t aBufLength)
Update SHA-256 operation with new input.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for SHA-256 operation. |
| const void * | [in] | aBuf | A pointer to the input buffer. |
| uint16_t | [in] | aBufLength | The length of |
otPlatCryptoSha256Finish#
otError otPlatCryptoSha256Finish (otCryptoContext * aContext, uint8_t * aHash, uint16_t aHashSize)
Finish SHA-256 operation.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoContext * | [in] | aContext | Context for SHA-256 operation. |
| uint8_t * | [in] | aHash | A pointer to the output buffer, where hash needs to be stored. |
| uint16_t | [in] | aHashSize | The length of |
otPlatCryptoRandomInit#
void otPlatCryptoRandomInit (void )
Initialize cryptographically-secure pseudorandom number generator (CSPRNG).
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| void | N/A |
otPlatCryptoRandomDeinit#
void otPlatCryptoRandomDeinit (void )
Deinitialize cryptographically-secure pseudorandom number generator (CSPRNG).
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| void | N/A |
otPlatCryptoRandomGet#
otError otPlatCryptoRandomGet (uint8_t * aBuffer, uint16_t aSize)
Fills a given buffer with cryptographically secure random bytes.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| uint8_t * | [out] | aBuffer | A pointer to a buffer to fill with the random bytes. |
| uint16_t | [in] | aSize | Size of buffer (number of bytes to fill). |
otPlatCryptoEcdsaGenerateKey#
otError otPlatCryptoEcdsaGenerateKey (otPlatCryptoEcdsaKeyPair * aKeyPair)
Generate and populate the output buffer with a new ECDSA key-pair.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otPlatCryptoEcdsaKeyPair * | [out] | aKeyPair | A pointer to an ECDSA key-pair structure to store the generated key-pair. |
otPlatCryptoEcdsaGetPublicKey#
otError otPlatCryptoEcdsaGetPublicKey (const otPlatCryptoEcdsaKeyPair * aKeyPair, otPlatCryptoEcdsaPublicKey * aPublicKey)
Get the associated public key from the input context.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| const otPlatCryptoEcdsaKeyPair * | [in] | aKeyPair | A pointer to an ECDSA key-pair structure where the key-pair is stored. |
| otPlatCryptoEcdsaPublicKey * | [out] | aPublicKey | A pointer to an ECDSA public key structure to store the public key. |
otPlatCryptoEcdsaSign#
otError otPlatCryptoEcdsaSign (const otPlatCryptoEcdsaKeyPair * aKeyPair, const otPlatCryptoSha256Hash * aHash, otPlatCryptoEcdsaSignature * aSignature)
Calculate the ECDSA signature for a hashed message using the private key from the input context.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| const otPlatCryptoEcdsaKeyPair * | [in] | aKeyPair | A pointer to an ECDSA key-pair structure where the key-pair is stored. |
| const otPlatCryptoSha256Hash * | [in] | aHash | A pointer to a SHA-256 hash structure where the hash value for signature calculation is stored. |
| otPlatCryptoEcdsaSignature * | [out] | aSignature | A pointer to an ECDSA signature structure to output the calculated signature. |
This method uses the deterministic digital signature generation procedure from RFC 6979.
otPlatCryptoEcdsaVerify#
otError otPlatCryptoEcdsaVerify (const otPlatCryptoEcdsaPublicKey * aPublicKey, const otPlatCryptoSha256Hash * aHash, const otPlatCryptoEcdsaSignature * aSignature)
Use the key from the input context to verify the ECDSA signature of a hashed message.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| const otPlatCryptoEcdsaPublicKey * | [in] | aPublicKey | A pointer to an ECDSA public key structure where the public key for signature verification is stored. |
| const otPlatCryptoSha256Hash * | [in] | aHash | A pointer to a SHA-256 hash structure where the hash value for signature verification is stored. |
| const otPlatCryptoEcdsaSignature * | [in] | aSignature | A pointer to an ECDSA signature structure where the signature value to be verified is stored. |
otPlatCryptoEcdsaSignUsingKeyRef#
otError otPlatCryptoEcdsaSignUsingKeyRef (otCryptoKeyRef aKeyRef, const otPlatCryptoSha256Hash * aHash, otPlatCryptoEcdsaSignature * aSignature)
Calculate the ECDSA signature for a hashed message using the Key reference passed.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | Key Reference to the slot where the key-pair is stored. |
| const otPlatCryptoSha256Hash * | [in] | aHash | A pointer to a SHA-256 hash structure where the hash value for signature calculation is stored. |
| otPlatCryptoEcdsaSignature * | [out] | aSignature | A pointer to an ECDSA signature structure to output the calculated signature. |
This method uses the deterministic digital signature generation procedure from RFC 6979.
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoEcdsaExportPublicKey#
otError otPlatCryptoEcdsaExportPublicKey (otCryptoKeyRef aKeyRef, otPlatCryptoEcdsaPublicKey * aPublicKey)
Get the associated public key from the key reference passed.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | Key Reference to the slot where the key-pair is stored. |
| otPlatCryptoEcdsaPublicKey * | [out] | aPublicKey | A pointer to an ECDSA public key structure to store the public key. |
The public key is stored differently depending on the crypto backend library being used (OPENTHREAD_CONFIG_CRYPTO_LIB).
This API must make sure to return the public key as a byte sequence representation of an uncompressed curve point (RFC 6605 - sec 4)
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoEcdsaGenerateAndImportKey#
otError otPlatCryptoEcdsaGenerateAndImportKey (otCryptoKeyRef aKeyRef)
Generate and import a new ECDSA key-pair at reference passed.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | Key Reference to the slot where the key-pair is stored. |
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoEcdsaVerifyUsingKeyRef#
otError otPlatCryptoEcdsaVerifyUsingKeyRef (otCryptoKeyRef aKeyRef, const otPlatCryptoSha256Hash * aHash, const otPlatCryptoEcdsaSignature * aSignature)
Use the keyref to verify the ECDSA signature of a hashed message.
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| otCryptoKeyRef | [in] | aKeyRef | Key Reference to the slot where the key-pair is stored. |
| const otPlatCryptoSha256Hash * | [in] | aHash | A pointer to a SHA-256 hash structure where the hash value for signature verification is stored. |
| const otPlatCryptoEcdsaSignature * | [in] | aSignature | A pointer to an ECDSA signature structure where the signature value to be verified is stored. |
Note
This API is only used by OT core when
OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLEis enabled.
otPlatCryptoPbkdf2GenerateKey#
void otPlatCryptoPbkdf2GenerateKey (const uint8_t * aPassword, uint16_t aPasswordLen, const uint8_t * aSalt, uint16_t aSaltLen, uint32_t aIterationCounter, uint16_t aKeyLen, uint8_t * aKey)
Perform PKCS#5 PBKDF2 using CMAC (AES-CMAC-PRF-128).
| Type | Direction | Argument Name | Description |
|---|---|---|---|
| const uint8_t * | [in] | aPassword | Password to use when generating key. |
| uint16_t | [in] | aPasswordLen | Length of password. |
| const uint8_t * | [in] | aSalt | Salt to use when generating key. |
| uint16_t | [in] | aSaltLen | Length of salt. |
| uint32_t | [in] | aIterationCounter | Iteration count. |
| uint16_t | [in] | aKeyLen | Length of generated key in bytes. |
| uint8_t * | [out] | aKey | A pointer to the generated key. |