| // Copyright 2020 The Fuchsia Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| library fuchsia.weave; |
| |
| using fuchsia.mem; |
| |
| /// The maximum size of a signature supported by Weave. |
| /// |
| /// Currently, Weave only supports ECDSA signatures using the P224 curve, |
| /// however, to allow this protocol to support future changes to supported |
| /// Weave signatures the maximum size of the returned signature is set to |
| /// 139 bytes which is the largest amount of space needed to return an |
| /// encoded ECDSA P521 signature. |
| const MAX_SIGNATURE_SIZE uint32 = 139; |
| |
| /// The maximum size for a public key produced when generating a key pair. |
| const MAX_PUBLIC_KEY_SIZE uint32 = 65; |
| |
| /// Bytes representing a wrapped private key. Since the size of the wrapping is |
| /// implementation-defined, the bytes are only bounded by MAX. The bytes should |
| /// be considered opaque, both in structure and in content, as the value is only |
| /// meaningful to operations such as [`Provisioner.GenerateKeyPair`]. |
| alias PrivateKey = bytes:MAX; |
| |
| /// This protocol is used for just-in-time provisioning operations. |
| @discoverable |
| protocol Provisioner { |
| /// Generate key for just-in-time provisioning operations, used when |
| /// working with Weave operational certificates. On success, a wrapped |
| /// private key and public key pair is returned in `result`. The |
| /// `wrapped_private_key` can be passed to [`Signer.SignHashWithPrivateKey`] |
| /// to sign Weave messages. |
| /// |
| /// Currently, Weave only supports ECDSA signatures. This protocol returns |
| /// a key-pair compatible with the Signer protocol (e.g. P256). |
| GenerateKeyPair() -> (struct { |
| wrapped_private_key PrivateKey; |
| public_key bytes:MAX_PUBLIC_KEY_SIZE; |
| }) error ErrorCode; |
| }; |
| |
| /// This protocol is used for signing operations with the factory-provisioned |
| /// Weave key or generated private keys. |
| @discoverable |
| protocol Signer { |
| /// Sign the provided `hash` with the factory provisioned key. On success |
| /// the result is returned in `signature`. The signature must be of a type |
| /// that is supported by Weave, and must take the standard form of an ASN.1 |
| /// DER SEQUENCE. This operation must support SHA1 and SHA256 hash values. |
| SignHash(struct { |
| hash bytes:32; |
| }) -> (struct { |
| signature bytes:MAX_SIGNATURE_SIZE; |
| }) error ErrorCode; |
| |
| /// Sign the provided `hash` with the provided `wrapped_private_key`. On |
| /// success, the result is returned in `signature`. The signature must be |
| /// of a type that is supported by Weave, and must take the standard form |
| /// of an ASN.1 DER SEQUENCE. This operation must support SHA1 and SHA256 |
| /// hash values. |
| @transitional |
| SignHashWithPrivateKey(struct { |
| hash bytes:32; |
| wrapped_private_key PrivateKey; |
| }) -> (struct { |
| signature bytes:MAX_SIGNATURE_SIZE; |
| }) error ErrorCode; |
| }; |
| |
| /// This protocol is used to retrieve factory data that may be encrypted at |
| /// rest. |
| @discoverable |
| protocol FactoryDataManager { |
| /// Return the device `pairing_code` on success. |
| GetPairingCode() -> (struct { |
| pairing_code bytes:16; |
| }) error ErrorCode; |
| |
| /// Returns the factory provisioned Weave certificate in PEM format. |
| GetWeaveCertificate() -> (resource struct { |
| certificate fuchsia.mem.Buffer; |
| }) error ErrorCode; |
| }; |