sdk/fidl/fuchsia.kms/key_manager.fidl - fuchsia - Git at Google

 // Copyright 2018 The Fuchsia Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 library fuchsia.kms;

 using fuchsia.mem as mem;

 const uint8 MAX_KEY_NAME_SIZE = 32;
 const uint32 MAX_DATA_SIZE = 65536;

 enum Status {
     OK = 0;
     // Internal unexpected error.
     INTERNAL_ERROR = 1;
     // When trying to create/import a new key however another key with the same name already exists.
     KEY_ALREADY_EXISTS = 2;
     // When the key you are trying to use is not found.
     KEY_NOT_FOUND = 3;
     // When the key material could not be parsed.
     PARSE_KEY_ERROR = 4;
     // When the size for input data is larger than MAX_DATA_SIZE.
     INPUT_TOO_LARGE = 5;
 };

 enum AsymmetricKeyAlgorithm {
     RSA_SSA_PSS_SHA256_2048 = 1;
     RSA_SSA_PSS_SHA256_3072 = 2;
     RSA_SSA_PSS_SHA512_4096 = 3;
     RSA_SSA_PKCS1_SHA256_2048 = 4;
     RSA_SSA_PKCS1_SHA256_3072 = 5;
     RSA_SSA_PKCS1_SHA512_4096 = 6;
     ECDSA_SHA256_P256 = 7;
     ECDSA_SHA512_P384 = 8;
     ECDSA_SHA512_P521 = 9;
 };

 enum KeyOrigin {
     // The key was generated in this KMS instance.
     GENERATED = 1;
     // The key was imported.
     IMPORTED = 2;
 };

 struct Signature {
     bytes:512 bytes;
 };

 struct PublicKey {
     bytes:256 bytes;
 };

 [Discoverable]
 protocol KeyManager {
     // Seal data to an encrypted form.
     //
     // Seal data to an encrypted form. The sealed data can only be unsealed by the same KMS instance
     // by using UnsealData. |plain_text| needs to be less than MAX_DATA_SIZE bytes.
     SealData(mem.Buffer plain_text) -> (Status status, mem.Buffer? cipher_text);

     // Unseal sealed data.
     //
     // Unseal data previously sealed by this KMS instance.
     UnsealData(mem.Buffer cipher_text) -> (Status status, mem.Buffer? plain_text);

     // Generate an asymmetric key.
     //
     // Generate an asymmetric key using |key_name| as the unique name. |key| is the generated
     // asymmetric key interface request. If the |key_name| is not unique, you would get
     // KEY_ALREADY_EXISTS. The generated key can be used to sign data. The algorithm used for
     // generating asymmetric key is ECDSA_SHA512_P521.
     GenerateAsymmetricKey(
         string:MAX_KEY_NAME_SIZE key_name,
         request<AsymmetricPrivateKey> key) -> (Status status);

     // Generate an asymmetric key with a specific algorithm.
     //
     // Generate an asymmetric key using |key_name| as the unique name and |key_algorithm| as
     // algorithm. |key| is the generated asymmetric key interface request. If the |key_name| is not
     // unique, you would get KEY_ALREADY_EXISTS.
     GenerateAsymmetricKeyWithAlgorithm(
         string:MAX_KEY_NAME_SIZE key_name,
         AsymmetricKeyAlgorithm key_algorithm,
         request<AsymmetricPrivateKey> key) -> (Status status);

     // Import an asymmetric private key with a specific algorithm.
     //
     // Import an asymmetric private key using |key_name| as the unique name, |key_algorithm| as
     // algorithm and |data| as key data. |key| is imported asymmetric key interface request. Key
     // data should be in asn.1 encoded DER format. If the |key_name| is not unique, you would get
     // KEY_ALREADY_EXISTS.
     ImportAsymmetricPrivateKey(
         bytes data,
         string:MAX_KEY_NAME_SIZE key_name,
         AsymmetricKeyAlgorithm key_algorithm,
         request<AsymmetricPrivateKey> key) -> (Status status);

     // Get an asymmetric private key handle.
     //
     // Get an asymmetric private key handle using the |key_name|. If such key is not found, would
     // return KEY_NOT_FOUND.
     GetAsymmetricPrivateKey(
         string:MAX_KEY_NAME_SIZE key_name,
         request<AsymmetricPrivateKey> key) -> (Status status);

     // Delete a key.
     //
     // Delete a key for |key_name|.  For all the current handle to the deleted key, they would
     // become invalid and all following requests on those handles would return KEY_NOT_FOUND, user
     // should close the invalid handles once get KEY_NOT_FOUND Status.
     DeleteKey(string:MAX_KEY_NAME_SIZE key_name) -> (Status status);
 };

 [FragileBase]
 protocol Key {
     // Get the key origin (generated/imported).
     GetKeyOrigin() -> (Status status, KeyOrigin key_origin);
 };

 protocol AsymmetricPrivateKey {
     compose Key;

     // Sign |data| using the current key. |data| needs to be less than MAX_DATA_SIZE bytes.
     Sign(mem.Buffer data) -> (Status status, Signature? signature);
     // Get the DER format public key for the current private key.
     GetPublicKey() -> (Status status, PublicKey? public_key);
     // Get the key algorithm.
     GetKeyAlgorithm() -> (Status status, AsymmetricKeyAlgorithm key_algorithm);
 };
	// Copyright 2018 The Fuchsia Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	library fuchsia.kms;

	using fuchsia.mem as mem;

	const uint8 MAX_KEY_NAME_SIZE = 32;
	const uint32 MAX_DATA_SIZE = 65536;

	enum Status {
	OK = 0;
	// Internal unexpected error.
	INTERNAL_ERROR = 1;
	// When trying to create/import a new key however another key with the same name already exists.
	KEY_ALREADY_EXISTS = 2;
	// When the key you are trying to use is not found.
	KEY_NOT_FOUND = 3;
	// When the key material could not be parsed.
	PARSE_KEY_ERROR = 4;
	// When the size for input data is larger than MAX_DATA_SIZE.
	INPUT_TOO_LARGE = 5;
	};

	enum AsymmetricKeyAlgorithm {
	RSA_SSA_PSS_SHA256_2048 = 1;
	RSA_SSA_PSS_SHA256_3072 = 2;
	RSA_SSA_PSS_SHA512_4096 = 3;
	RSA_SSA_PKCS1_SHA256_2048 = 4;
	RSA_SSA_PKCS1_SHA256_3072 = 5;
	RSA_SSA_PKCS1_SHA512_4096 = 6;
	ECDSA_SHA256_P256 = 7;
	ECDSA_SHA512_P384 = 8;
	ECDSA_SHA512_P521 = 9;
	};

	enum KeyOrigin {
	// The key was generated in this KMS instance.
	GENERATED = 1;
	// The key was imported.
	IMPORTED = 2;
	};

	struct Signature {
	bytes:512 bytes;
	};

	struct PublicKey {
	bytes:256 bytes;
	};

	[Discoverable]
	protocol KeyManager {
	// Seal data to an encrypted form.
	//
	// Seal data to an encrypted form. The sealed data can only be unsealed by the same KMS instance
	// by using UnsealData. \|plain_text\| needs to be less than MAX_DATA_SIZE bytes.
	SealData(mem.Buffer plain_text) -> (Status status, mem.Buffer? cipher_text);

	// Unseal sealed data.
	//
	// Unseal data previously sealed by this KMS instance.
	UnsealData(mem.Buffer cipher_text) -> (Status status, mem.Buffer? plain_text);

	// Generate an asymmetric key.
	//
	// Generate an asymmetric key using \|key_name\| as the unique name. \|key\| is the generated
	// asymmetric key interface request. If the \|key_name\| is not unique, you would get
	// KEY_ALREADY_EXISTS. The generated key can be used to sign data. The algorithm used for
	// generating asymmetric key is ECDSA_SHA512_P521.
	GenerateAsymmetricKey(
	string:MAX_KEY_NAME_SIZE key_name,
	request<AsymmetricPrivateKey> key) -> (Status status);

	// Generate an asymmetric key with a specific algorithm.
	//
	// Generate an asymmetric key using \|key_name\| as the unique name and \|key_algorithm\| as
	// algorithm. \|key\| is the generated asymmetric key interface request. If the \|key_name\| is not
	// unique, you would get KEY_ALREADY_EXISTS.
	GenerateAsymmetricKeyWithAlgorithm(
	string:MAX_KEY_NAME_SIZE key_name,
	AsymmetricKeyAlgorithm key_algorithm,
	request<AsymmetricPrivateKey> key) -> (Status status);

	// Import an asymmetric private key with a specific algorithm.
	//
	// Import an asymmetric private key using \|key_name\| as the unique name, \|key_algorithm\| as
	// algorithm and \|data\| as key data. \|key\| is imported asymmetric key interface request. Key
	// data should be in asn.1 encoded DER format. If the \|key_name\| is not unique, you would get
	// KEY_ALREADY_EXISTS.
	ImportAsymmetricPrivateKey(
	bytes data,
	string:MAX_KEY_NAME_SIZE key_name,
	AsymmetricKeyAlgorithm key_algorithm,
	request<AsymmetricPrivateKey> key) -> (Status status);

	// Get an asymmetric private key handle.
	//
	// Get an asymmetric private key handle using the \|key_name\|. If such key is not found, would
	// return KEY_NOT_FOUND.
	GetAsymmetricPrivateKey(
	string:MAX_KEY_NAME_SIZE key_name,
	request<AsymmetricPrivateKey> key) -> (Status status);

	// Delete a key.
	//
	// Delete a key for \|key_name\|. For all the current handle to the deleted key, they would
	// become invalid and all following requests on those handles would return KEY_NOT_FOUND, user
	// should close the invalid handles once get KEY_NOT_FOUND Status.
	DeleteKey(string:MAX_KEY_NAME_SIZE key_name) -> (Status status);
	};

	[FragileBase]
	protocol Key {
	// Get the key origin (generated/imported).
	GetKeyOrigin() -> (Status status, KeyOrigin key_origin);
	};

	protocol AsymmetricPrivateKey {
	compose Key;

	// Sign \|data\| using the current key. \|data\| needs to be less than MAX_DATA_SIZE bytes.
	Sign(mem.Buffer data) -> (Status status, Signature? signature);
	// Get the DER format public key for the current private key.
	GetPublicKey() -> (Status status, PublicKey? public_key);
	// Get the key algorithm.
	GetKeyAlgorithm() -> (Status status, AsymmetricKeyAlgorithm key_algorithm);
	};