1 /*############################################################################
2   # Copyright 2016-2017 Intel Corporation
3   #
4   # Licensed under the Apache License, Version 2.0 (the "License");
5   # you may not use this file except in compliance with the License.
6   # You may obtain a copy of the License at
7   #
8   #     http://www.apache.org/licenses/LICENSE-2.0
9   #
10   # Unless required by applicable law or agreed to in writing, software
11   # distributed under the License is distributed on an "AS IS" BASIS,
12   # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   # See the License for the specific language governing permissions and
14   # limitations under the License.
15   ############################################################################*/
16 /// Intel(R) EPID SDK member API.
17 /*! \file */
18 #ifndef EPID_MEMBER_API_H_
19 #define EPID_MEMBER_API_H_
20 
21 #ifdef __cplusplus
22 extern "C" {
23 #endif
24 
25 #include <stddef.h>
26 #include "epid/common/bitsupplier.h"
27 #include "epid/common/epiddefs.h"
28 #include "epid/common/errors.h"
29 #include "epid/common/types.h"
30 
31 /// Internal context of member.
32 typedef struct MemberCtx MemberCtx;
33 
34 /// Implementation specific configuration parameters.
35 typedef struct MemberParams MemberParams;
36 
37 /// Member functionality
38 /*!
39   \defgroup EpidMemberModule member
40 
41   Defines the APIs needed by Intel(R) EPID members. Each member
42   context (::MemberCtx) represents membership in a single group.
43 
44   To use this module, include the header epid/member/api.h.
45 
46   \ingroup EpidModule
47   @{
48 */
49 
50 /// Allocates and initializes a new member context.
51 /*!
52  \param[in] params
53  Implementation specific configuration parameters.
54  \param[out] ctx
55  Newly constructed member context.
56 
57  \warning buffers allocated using this function should not be
58  initialized with ::EpidMemberInit.
59 
60  \deprecated This API has been superseded by ::EpidMemberGetSize
61  and ::EpidMemberInit.
62 
63  \returns ::EpidStatus
64  */
65 EpidStatus EPID_API EpidMemberCreate(MemberParams const* params,
66                                      MemberCtx** ctx);
67 
68 /// Computes the size in bytes required for a member context
69 /*!
70  \param[in] params
71  Implementation specific configuration parameters.
72  \param[out] context_size
73  Number of bytes required for a ::MemberCtx buffer
74 
75  \returns ::EpidStatus
76   \see EpidMemberInit
77  */
78 EpidStatus EPID_API EpidMemberGetSize(MemberParams const* params,
79                                       size_t* context_size);
80 
81 /// Initializes a new member context.
82 /*!
83  \param[in] params
84  Implementation specific configuration parameters.
85  \param[in,out] ctx
86  An existing buffer that will be used as a ::MemberCtx.
87 
88  \warning ctx must be a buffer of at least the size reported by
89  ::EpidMemberGetSize for the same parameters.
90 
91  \returns ::EpidStatus
92  \see EpidMemberGetSize
93  */
94 EpidStatus EPID_API EpidMemberInit(MemberParams const* params, MemberCtx* ctx);
95 
96 /// Creates a request to join a group.
97 /*!
98 The created request is part of the interaction with an issuer needed to join
99 a group. This interaction with the issuer is outside the scope of this API.
100 
101 \param[in,out] ctx
102 The member context.
103 \param[in] pub_key
104 The group certificate of group to join.
105 \param[in] ni
106 The nonce chosen by issuer as part of join protocol.
107 \param[out] join_request
108 The join request.
109 
110 \returns ::EpidStatus
111 */
112 EpidStatus EPID_API EpidCreateJoinRequest(MemberCtx* ctx,
113                                           GroupPubKey const* pub_key,
114                                           IssuerNonce const* ni,
115                                           JoinRequest* join_request);
116 
117 /// Provisions a member context from a membership credential
118 /*!
119 \param[in,out] ctx
120 The member context.
121 \param[in] pub_key
122 The group certificate of group to provision.
123 \param[in] credential
124 membership credential.
125 \param[in] precomp_str
126 Precomputed state (implementation specific optional)
127 
128 \returns ::EpidStatus
129 */
130 EpidStatus EPID_API EpidProvisionCredential(
131     MemberCtx* ctx, GroupPubKey const* pub_key,
132     MembershipCredential const* credential, MemberPrecomp const* precomp_str);
133 
134 /// Provisions a member context from a compressed private key
135 /*!
136 \param[in,out] ctx
137 The member context.
138 \param[in] pub_key
139 The group certificate of group to provision.
140 \param[in] compressed_privkey
141 private key.
142 \param[in] precomp_str
143 Precomputed state (implementation specific optional)
144 
145 \returns ::EpidStatus
146 */
147 EpidStatus EPID_API
148 EpidProvisionCompressed(MemberCtx* ctx, GroupPubKey const* pub_key,
149                         CompressedPrivKey const* compressed_privkey,
150                         MemberPrecomp const* precomp_str);
151 
152 /// Provisions a member context from a private key
153 /*!
154 \param[in,out] ctx
155 The member context.
156 \param[in] pub_key
157 The group certificate of group to provision.
158 \param[in] priv_key
159 private key.
160 \param[in] precomp_str
161 Precomputed state (implementation specific optional)
162 
163 \returns ::EpidStatus
164 */
165 EpidStatus EPID_API EpidProvisionKey(MemberCtx* ctx, GroupPubKey const* pub_key,
166                                      PrivKey const* priv_key,
167                                      MemberPrecomp const* precomp_str);
168 
169 /// Change member from setup state to normal operation
170 /*!
171 \param[in,out] ctx
172 The member context.
173 
174 \returns ::EpidStatus
175 */
176 EpidStatus EPID_API EpidMemberStartup(MemberCtx* ctx);
177 
178 /// De-initializes an existing member context buffer.
179 /*!
180  Must be called to safely release a member context initialized using
181  ::EpidMemberInit.
182 
183  De-initializes the context.
184 
185  \param[in,out] ctx
186  The member context. Can be NULL.
187 
188  \warning This function should not be used on buffers allocated with
189  ::EpidMemberCreate. Those buffers should be released using ::EpidMemberDelete
190 
191  \see EpidMemberInit
192  */
193 void EPID_API EpidMemberDeinit(MemberCtx* ctx);
194 
195 /// Deletes an existing member context.
196 /*!
197  Must be called to safely release a member context created using
198  ::EpidMemberCreate.
199 
200  De-initializes the context, frees memory used by the context, and sets the
201  context pointer to NULL.
202 
203  \param[in,out] ctx
204  The member context. Can be NULL.
205 
206  \deprecated This API has been superseded by ::EpidMemberDeinit.
207 
208  \see EpidMemberCreate
209 
210  \b Example
211 
212  \ref UserManual_GeneratingAnIntelEpidSignature
213  */
214 void EPID_API EpidMemberDelete(MemberCtx** ctx);
215 
216 /// Sets the hash algorithm to be used by a member.
217 /*!
218  \param[in] ctx
219  The member context.
220  \param[in] hash_alg
221  The hash algorithm to use.
222 
223  \returns ::EpidStatus
224 
225  \note
226  If the result is not ::kEpidNoErr, the hash algorithm used by the member is
227  undefined.
228 
229  \see EpidMemberInit
230  \see ::HashAlg
231 
232  \b Example
233 
234  \ref UserManual_GeneratingAnIntelEpidSignature
235  */
236 EpidStatus EPID_API EpidMemberSetHashAlg(MemberCtx* ctx, HashAlg hash_alg);
237 
238 /// Sets the signature based revocation list to be used by a member.
239 /*!
240  The caller is responsible for ensuring the revocation list is authorized,
241  e.g. signed by the issuer. The caller is also responsible checking the version
242  of the revocation list. The call fails if trying to set an older version
243  of the revocation list than was last set.
244 
245  \attention
246  The memory pointed to by sig_rl is accessed directly by the member
247  until a new list is set or the member is destroyed. Do not modify the
248  contents of this memory. The behavior of subsequent operations that rely on
249  the revocation list is undefined if the memory is modified.
250 
251  \attention
252  It is the responsibility of the caller to free the memory pointed to by sig_rl
253  after the member is no longer using it.
254 
255  \param[in] ctx
256  The member context.
257  \param[in] sig_rl
258  The signature based revocation list.
259  \param[in] sig_rl_size
260  The size of the signature based revocation list in bytes.
261 
262  \returns ::EpidStatus
263 
264  \note
265  If the result is not ::kEpidNoErr the signature based revocation list pointed
266  to by the member is not changed.
267 
268  \see EpidMemberInit
269 
270  \b Example
271 
272  \ref UserManual_GeneratingAnIntelEpidSignature
273  */
274 EpidStatus EPID_API EpidMemberSetSigRl(MemberCtx* ctx, SigRl const* sig_rl,
275                                        size_t sig_rl_size);
276 
277 /// Computes the size in bytes required for an Intel(R) EPID signature.
278 /*!
279  \param[in] sig_rl
280  The signature based revocation list that is used. NULL is treated as
281  a zero length list.
282 
283  \returns
284  Size in bytes of an Intel(R) EPID signature including proofs for each entry
285  in the signature based revocation list.
286 
287  \see ::SigRl
288 
289  \b Example
290 
291  \ref UserManual_GeneratingAnIntelEpidSignature
292 */
293 size_t EPID_API EpidGetSigSize(SigRl const* sig_rl);
294 
295 /// Writes an Intel(R) EPID signature.
296 /*!
297  \param[in] ctx
298  The member context.
299  \param[in] msg
300  The message to sign.
301  \param[in] msg_len
302  The length in bytes of message.
303  \param[in] basename
304  Optional basename. If basename is NULL a random basename is used.
305  Signatures generated using random basenames are anonymous. Signatures
306  generated using the same basename are linkable by the verifier. If a
307  basename is provided, it must already be registered, or
308  ::kEpidBadArgErr is returned.
309  \param[in] basename_len
310  The size of basename in bytes. Must be 0 if basename is NULL.
311  \param[out] sig
312  The generated signature
313  \param[in] sig_len
314  The size of signature in bytes. Must be equal to value returned by
315  EpidGetSigSize().
316 
317  \returns ::EpidStatus
318 
319  \note
320  If the result is not ::kEpidNoErr the content of sig is undefined.
321 
322  \see EpidMemberInit
323  \see EpidMemberSetHashAlg
324  \see EpidMemberSetSigRl
325  \see EpidGetSigSize
326 
327  \b Example
328 
329  \ref UserManual_GeneratingAnIntelEpidSignature
330  */
331 EpidStatus EPID_API EpidSign(MemberCtx const* ctx, void const* msg,
332                              size_t msg_len, void const* basename,
333                              size_t basename_len, EpidSignature* sig,
334                              size_t sig_len);
335 
336 /// Registers a basename with a member.
337 /*!
338 
339  To prevent loss of privacy, the member keeps a list of basenames
340  (corresponding to authorized verifiers). The member signs a message
341  with a basename only if the basename is in the member's basename
342  list.
343 
344  \warning
345  The use of a name-based signature creates a platform unique
346  pseudonymous identifier. Because it reduces the member's privacy, the
347  user should be notified when it is used and should have control over
348  its use.
349 
350  \param[in] ctx
351  The member context.
352  \param[in] basename
353  The basename.
354  \param[in] basename_len
355  Length of the basename.
356 
357  \returns ::EpidStatus
358 
359  \retval ::kEpidDuplicateErr
360  The basename was already registered.
361 
362  \note
363  If the result is not ::kEpidNoErr or ::kEpidDuplicateErr it is undefined if the
364  basename is registered.
365 
366  \b Example
367 
368  \ref UserManual_GeneratingAnIntelEpidSignature
369  */
370 EpidStatus EPID_API EpidRegisterBasename(MemberCtx* ctx, void const* basename,
371                                          size_t basename_len);
372 
373 /// Clears registered basenames.
374 /*!
375 
376  Allows clearing registered basenames without recreating member.
377 
378  \param[in,out] ctx
379  The member context.
380 
381  \returns ::EpidStatus
382 
383  \see ::EpidRegisterBasename
384  */
385 EpidStatus EPID_API EpidClearRegisteredBasenames(MemberCtx* ctx);
386 
387 /// Extends the member's pool of pre-computed signatures.
388 /*!
389   Generate new pre-computed signatures and add them to the internal pool.
390 
391  \param[in] ctx
392  The member context.
393  \param[in] number_presigs
394  The number of pre-computed signatures to add to the internal pool.
395 
396  \returns ::EpidStatus
397 
398  \see ::EpidMemberInit
399  */
400 EpidStatus EPID_API EpidAddPreSigs(MemberCtx* ctx, size_t number_presigs);
401 
402 /// Gets the number of pre-computed signatures in the member's pool.
403 /*!
404  \param[in] ctx
405  The member context.
406 
407  \returns
408  Number of remaining pre-computed signatures. Returns 0 if ctx is NULL.
409 
410  \see ::EpidMemberInit
411 */
412 size_t EPID_API EpidGetNumPreSigs(MemberCtx const* ctx);
413 
414 /// Decompresses compressed member private key.
415 /*!
416 
417   Converts a compressed member private key into a member
418   private key for use by other member APIs.
419 
420   \param[in] pub_key
421   The public key of the group.
422   \param[in] compressed_privkey
423   The compressed member private key to be decompressed.
424   \param[out] priv_key
425   The member private key.
426 
427   \returns ::EpidStatus
428 
429   \b Example
430 
431   \ref UserManual_GeneratingAnIntelEpidSignature
432  */
433 EpidStatus EPID_API EpidDecompressPrivKey(
434     GroupPubKey const* pub_key, CompressedPrivKey const* compressed_privkey,
435     PrivKey* priv_key);
436 
437 /*! @} */
438 
439 #ifdef __cplusplus
440 }
441 #endif
442 
443 #endif  // EPID_MEMBER_API_H_
444