fuchsia.kms

PROTOCOLS

KeyManager

Defined in fuchsia.kms/key_manager.fidl

SealData

Seal data to an encrypted form.

Seal data to an encrypted form. The sealed data can only be unsealed by the same KMS instance by using UnsealData. plain_text needs to be less than MAX_DATA_SIZE bytes.

Request

NameType
plain_text fuchsia.mem/Buffer

Response

NameType
result KeyManager_SealData_Result

UnsealData

Unseal sealed data.

Unseal data previously sealed by this KMS instance.

Request

NameType
cipher_text fuchsia.mem/Buffer

Response

NameType
result KeyManager_UnsealData_Result

GenerateAsymmetricKey

Generate an asymmetric key.

Generate an asymmetric key using key_name as the unique name. key is the generated asymmetric key interface request. If the key_name is not unique, you would get KEY_ALREADY_EXISTS. The generated key can be used to sign data. The algorithm used for generating asymmetric key is ECDSA_SHA512_P521.

Request

NameType
key_name string[32]
key request<AsymmetricPrivateKey>

Response

NameType
result KeyManager_GenerateAsymmetricKey_Result

GenerateAsymmetricKeyWithAlgorithm

Generate an asymmetric key with a specific algorithm.

Generate an asymmetric key using key_name as the unique name and key_algorithm as algorithm. key is the generated asymmetric key interface request. If the key_name is not unique, you would get KEY_ALREADY_EXISTS.

Request

NameType
key_name string[32]
key_algorithm AsymmetricKeyAlgorithm
key request<AsymmetricPrivateKey>

Response

NameType
result KeyManager_GenerateAsymmetricKeyWithAlgorithm_Result

ImportAsymmetricPrivateKey

Import an asymmetric private key with a specific algorithm.

Import an asymmetric private key using key_name as the unique name, key_algorithm as algorithm and data as key data. key is imported asymmetric key interface request. Key data should be in asn.1 encoded DER format. If the key_name is not unique, you would get KEY_ALREADY_EXISTS.

Request

NameType
data vector<uint8>
key_name string[32]
key_algorithm AsymmetricKeyAlgorithm
key request<AsymmetricPrivateKey>

Response

NameType
result KeyManager_ImportAsymmetricPrivateKey_Result

GetAsymmetricPrivateKey

Get an asymmetric private key handle.

Get an asymmetric private key handle using the key_name. If such key is not found, would return KEY_NOT_FOUND.

Request

NameType
key_name string[32]
key request<AsymmetricPrivateKey>

Response

NameType
result KeyManager_GetAsymmetricPrivateKey_Result

DeleteKey

Delete a key.

Delete a key for key_name. For all the current handle to the deleted key, they would become invalid and all following requests on those handles would return KEY_NOT_FOUND, user should close the invalid handles once get KEY_NOT_FOUND error.

Request

NameType
key_name string[32]

Response

NameType
result KeyManager_DeleteKey_Result

Key

Defined in fuchsia.kms/key_manager.fidl

GetKeyOrigin

Get the key origin (generated/imported).

Request

NameType

Response

NameType
result Key_GetKeyOrigin_Result

GetKeyProvider

Get the name for the crypto provider backing up the key.

Request

NameType

Response

NameType
result Key_GetKeyProvider_Result

AsymmetricPrivateKey

Defined in fuchsia.kms/key_manager.fidl

GetKeyOrigin

Get the key origin (generated/imported).

Request

NameType

Response

NameType
result Key_GetKeyOrigin_Result

GetKeyProvider

Get the name for the crypto provider backing up the key.

Request

NameType

Response

NameType
result Key_GetKeyProvider_Result

Sign

Sign data using the current key. data needs to be less than MAX_DATA_SIZE bytes.

Request

NameType
data fuchsia.mem/Buffer

Response

NameType
result AsymmetricPrivateKey_Sign_Result

GetPublicKey

Get the DER format public key for the current private key.

Request

NameType

Response

NameType
result AsymmetricPrivateKey_GetPublicKey_Result

GetKeyAlgorithm

Get the key algorithm.

Request

NameType

Response

NameType
result AsymmetricPrivateKey_GetKeyAlgorithm_Result

StatelessKeyManager

Defined in fuchsia.kms/key_manager_stateless.fidl

GetHardwareDerivedKey

Get a hardware key derived key.

Get a key derived from hardware root key using | key_info | as info and the trusted app ID as salt. This call is deterministic and always returns the same result if given the same | key_info | on the same device and would be different across different devices if they have different hardware keys.

Request

NameType
key_info vector<uint8>[32]

Response

NameType
result StatelessKeyManager_GetHardwareDerivedKey_Result

STRUCTS

KeyManager_SealData_Response

generated

NameTypeDescriptionDefault
cipher_text fuchsia.mem/Buffer No default

KeyManager_UnsealData_Response

generated

NameTypeDescriptionDefault
plain_text fuchsia.mem/Buffer No default

KeyManager_GenerateAsymmetricKey_Response

generated

NameTypeDescriptionDefault

KeyManager_GenerateAsymmetricKeyWithAlgorithm_Response

generated

NameTypeDescriptionDefault

KeyManager_ImportAsymmetricPrivateKey_Response

generated

NameTypeDescriptionDefault

KeyManager_GetAsymmetricPrivateKey_Response

generated

NameTypeDescriptionDefault

KeyManager_DeleteKey_Response

generated

NameTypeDescriptionDefault

Key_GetKeyOrigin_Response

generated

NameTypeDescriptionDefault
key_origin KeyOrigin No default

Key_GetKeyProvider_Response

generated

NameTypeDescriptionDefault
key_provider KeyProvider No default

AsymmetricPrivateKey_Sign_Response

generated

NameTypeDescriptionDefault
signature Signature No default

AsymmetricPrivateKey_GetPublicKey_Response

generated

NameTypeDescriptionDefault
public_key PublicKey No default

AsymmetricPrivateKey_GetKeyAlgorithm_Response

generated

NameTypeDescriptionDefault
key_algorithm AsymmetricKeyAlgorithm No default

Signature

Defined in fuchsia.kms/key_manager.fidl

NameTypeDescriptionDefault
bytes vector<uint8>[512] No default

PublicKey

Defined in fuchsia.kms/key_manager.fidl

NameTypeDescriptionDefault
bytes vector<uint8>[256] No default

StatelessKeyManager_GetHardwareDerivedKey_Response

generated

NameTypeDescriptionDefault
derived_key vector<uint8>[32] No default

ENUMS

Error

Type: uint32

Defined in fuchsia.kms/key_manager.fidl

NameValueDescription
INTERNAL_ERROR 1

Internal unexpected error.

KEY_ALREADY_EXISTS 2

When trying to create/import a new key but a key with the same name already exists.

KEY_NOT_FOUND 3

When the key you are trying to use is not found.

PARSE_KEY_ERROR 4

When the key material could not be parsed.

INPUT_TOO_LARGE 5

When the size for input data is larger than MAX_DATA_SIZE.

AsymmetricKeyAlgorithm

Type: uint32

Defined in fuchsia.kms/key_manager.fidl

NameValueDescription
RSA_SSA_PSS_SHA256_2048 1
RSA_SSA_PSS_SHA256_3072 2
RSA_SSA_PSS_SHA512_4096 3
RSA_SSA_PKCS1_SHA256_2048 4
RSA_SSA_PKCS1_SHA256_3072 5
RSA_SSA_PKCS1_SHA512_4096 6
ECDSA_SHA256_P256 7
ECDSA_SHA512_P384 8
ECDSA_SHA512_P521 9

KeyOrigin

Type: uint32

Defined in fuchsia.kms/key_manager.fidl

NameValueDescription
GENERATED 1

The key was generated in this KMS instance.

IMPORTED 2

The key was imported.

KeyProvider

Type: uint32

Defined in fuchsia.kms/key_manager.fidl

NameValueDescription
MOCK_PROVIDER 1

A mock provider only used for unit testing.

SOFTWARE_PROVIDER 2

A software provider that uses rust AesGcm trait for symmetric key operation and mundane for asymmetric key operation.

SOFTWARE_ASYMMETRIC_ONLY_PROVIDER 3

A software provider that only supports mundane-based asymmetric key operation.

OPTEE_PROVIDER 4

A crypto provider based on Keysafe Trusted App in OPTEE.

UNIONS

KeyManager_SealData_Result

generated

NameTypeDescription
response KeyManager_SealData_Response
err Error

KeyManager_UnsealData_Result

generated

NameTypeDescription
response KeyManager_UnsealData_Response
err Error

KeyManager_GenerateAsymmetricKey_Result

generated

NameTypeDescription
response KeyManager_GenerateAsymmetricKey_Response
err Error

KeyManager_GenerateAsymmetricKeyWithAlgorithm_Result

generated

NameTypeDescription
response KeyManager_GenerateAsymmetricKeyWithAlgorithm_Response
err Error

KeyManager_ImportAsymmetricPrivateKey_Result

generated

NameTypeDescription
response KeyManager_ImportAsymmetricPrivateKey_Response
err Error

KeyManager_GetAsymmetricPrivateKey_Result

generated

NameTypeDescription
response KeyManager_GetAsymmetricPrivateKey_Response
err Error

KeyManager_DeleteKey_Result

generated

NameTypeDescription
response KeyManager_DeleteKey_Response
err Error

Key_GetKeyOrigin_Result

generated

NameTypeDescription
response Key_GetKeyOrigin_Response
err Error

Key_GetKeyProvider_Result

generated

NameTypeDescription
response Key_GetKeyProvider_Response
err Error

AsymmetricPrivateKey_Sign_Result

generated

NameTypeDescription
response AsymmetricPrivateKey_Sign_Response
err Error

AsymmetricPrivateKey_GetPublicKey_Result

generated

NameTypeDescription
response AsymmetricPrivateKey_GetPublicKey_Response
err Error

AsymmetricPrivateKey_GetKeyAlgorithm_Result

generated

NameTypeDescription
response AsymmetricPrivateKey_GetKeyAlgorithm_Response
err Error

StatelessKeyManager_GetHardwareDerivedKey_Result

generated

NameTypeDescription
response StatelessKeyManager_GetHardwareDerivedKey_Response
err Error

CONSTANTS

NameValueTypeDescription
MAX_KEY_NAME_SIZE 32 uint8
MAX_DATA_SIZE 65536 uint32
MAX_HARDWARE_DERIVE_KEY_INFO_SIZE 32 uint8
MAX_HARDWARE_DERIVED_KEY_SIZE 32 uint8