ep11cmds

package
v0.0.0-...-a4b61b0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 9, 2021 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const CEX6P_PUBLIC_KEY_LENGTH = 133

* Length of the public key in the OA certificate for a CEX6P crypto module

View Source 
const ECC_BRAINPOOL = 0x01
View Source 
const ECC_PRIME = 0x00
View Source 
const OA_ECC = 2
View Source 
const OA_NEW_CERT = 1
View Source 
const OA_RSA = 0
View Source 
const XCP_ADMINT_MODE = 4

* Domain operational mode

View Source 
const XCP_ADMINT_PERMITS = 3

* Domain permissions

View Source 
const XCP_ADMINT_REVOKE_THR = 2

* Domain revocation signature threshold

View Source 
const XCP_ADMINT_SIGN_THR = 1

* Domain signature threshold

View Source 
const XCP_ADMINT_STD = 5

* Domain security standards compliance

View Source 
const XCP_IMPRKEY_EC_P521 = 3 //@T390301CLH

Request to generate P521 EC importer key

View Source 
const XCP_IMPRKEY_RSA_2048 = 0 //@T390301CLH

Request to generate 2048-bit RSA importer key

Variables

View Source 
var A0_TAG byte = 0xA0
View Source 
var A1_TAG byte = 0xA1
View Source 
var ASN1_NULL = []byte{
	0x05, 0x00,
}

* ASN.1 representation of NULL

View Source 
var CK_IBM_XCPQ_DOMAIN = []byte{0x00, 0x00, 0x00, 0x03}

* get_xcp_info subtype to retrieve domain information

View Source 
var CK_IBM_XCPQ_MODULE = []byte{0x00, 0x00, 0x00, 0x01}

* get_xcp_info subtype to retrieve module information

View Source 
var CMK_STATUS_VALID int = 1
View Source 
var FNID_ADMIN = []byte{0x00, 0x01, 0x00, 0x29}

* Function ID for m_admin

View Source 
var FNID_GET_XCP_INFO = []byte{0x00, 0x01, 0x00, 0x26}

* Function ID for get_xcp_info

View Source 
var MK_STATUS_EMPTY int = 0
View Source 
var NMK_STATUS_FULL_COMMITTED int = 3
View Source 
var NMK_STATUS_FULL_UNCOMMITTED int = 2
View Source 
var OID_aes256_wrap = []byte{
	0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2D,
}

* Object identifier for aes256-wrap ( 2 16 840 1 101 3 4 1 45 )

View Source 
var OID_ecPublicKey = []byte{
	0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
}

* Object identifier for ecPublicKey ( 1 2 840 10045 2 1 )

View Source 
var OID_ecdsaWithSHA512 = []byte{
	0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04,
}

* Object identifier for signature algorithm: ecdsaWithSHA512

View Source 
var OID_rsaEncryption = []byte{
	0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
}

* Object identifier for signature algorithm: rsaEncryption

View Source 
var OID_sha256 = []byte{
	0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
}

* Object identifier for digest algorithm: SHA-256

View Source 
var OID_sha512 = []byte{
	0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
}

#B@T372621CLH * Object identifier for digest algorithm: SHA-512

View Source 
var OID_stdDH_sha256kdf = []byte{
	0x06, 0x06, 0x2B, 0x81, 0x04, 0x01, 0x0B, 0x01,
}

* Object identifier for stdDH-sha156kdf ( 1 3 132 1 11 1 )

View Source 
var RSAEncryption = []uint{1, 2, 840, 113549, 1, 1, 1} // 1.2.840.113549.1.1.1
View Source 
var SHA256WithRSAEncryption = []uint{1, 2, 840, 113549, 1, 1, 11} // 1.2.840.113549.1.1.11
View Source 
var VERSION_3 = []byte{
	0x02, 0x01, 0x03,
}

* ASN.1 representation of the integer 3 (to designate version = 3)

View Source 
var XCP_ADMQ_ADMIN = []byte{0x00, 0x01, 0x00, 0x01}

* Query administrative SKI/certificate

View Source 
var XCP_ADMQ_ATTRS = []byte{0x00, 0x01, 0x00, 0x09}

* Query card attributes

View Source 
var XCP_ADMQ_AUDIT_STATE = []byte{0x00, 0x01, 0x00, 0x10}

* Query cloning state

View Source 
var XCP_ADMQ_CTRLPOINTS = []byte{0x00, 0x01, 0x00, 0x05}

* Query card control points or profile

View Source 
var XCP_ADMQ_DEVICE_CERT = []byte{0x00, 0x01, 0x00, 0x03}

* Query module CA (OA) certificate

View Source 
var XCP_ADMQ_DOMADMIN = []byte{0x00, 0x01, 0x00, 0x02}

* Query domain administrative SKI/certificate

View Source 
var XCP_ADMQ_DOM_ATTRS = []byte{0x00, 0x01, 0x00, 0x0A}

* Query domain attributes

View Source 
var XCP_ADMQ_DOM_CTRLPOINTS = []byte{0x00, 0x01, 0x00, 0x06}

* Query domain control points or profile

View Source 
var XCP_ADMQ_FCV = []byte{0x00, 0x01, 0x00, 0x0B}

* Query Function Control Vector

View Source 
var XCP_ADMQ_IMPORTER_CERT = []byte{0x00, 0x01, 0x00, 0x0F}

* Query current WK importer

View Source 
var XCP_ADMQ_INTERNAL_STATE = []byte{0x00, 0x01, 0x00, 0x0E}

* Query cloning state

View Source 
var XCP_ADMQ_NEXT_WK = []byte{0x00, 0x01, 0x00, 0x08}

* Query pending wrapping key

View Source 
var XCP_ADMQ_RKLIST = []byte{0x00, 0x01, 0x00, 0x0D}

* Query retained keys

View Source 
var XCP_ADMQ_WK = []byte{0x00, 0x01, 0x00, 0x07}

* Query current wrapping key

View Source 
var XCP_ADMQ_WK_ORIGINS = []byte{0x00, 0x01, 0x00, 0x0C}

* Query information on original WK

View Source 
var XCP_ADM_ADMIN_LOGIN = []byte{0x00, 0x00, 0x00, 0x01}

* Add administrator certificate

View Source 
var XCP_ADM_ADMIN_LOGOUT = []byte{0x00, 0x00, 0x00, 0x03}

* Revoke administrator certificate

View Source 
var XCP_ADM_ADMIN_REPLACE = []byte{0x00, 0x00, 0x00, 0x05}

* Transition administrator certificate

View Source 
var XCP_ADM_CLEAR_NEXT_WK = []byte{0x00, 0x00, 0x00, 0x1C}

* Erase pending WK

View Source 
var XCP_ADM_CLEAR_WK = []byte{0x00, 0x00, 0x00, 0x1B}

* Erase current WK

View Source 
var XCP_ADM_COMMIT_STATE = []byte{0x00, 0x00, 0x00, 0x20}

* Commit imported state

View Source 
var XCP_ADM_COMMIT_WK = []byte{0x00, 0x00, 0x00, 0x0D}

* Activate pending WK

View Source 
var XCP_ADM_CONTROLPOINT_ADD = []byte{0x00, 0x00, 0x00, 0x17}

* Enable control points -- not currently used

View Source 
var XCP_ADM_CONTROLPOINT_DEL = []byte{0x00, 0x00, 0x00, 0x18}

* Disable control points -- not currently used

View Source 
var XCP_ADM_CONTROLPOINT_SET = []byte{0x00, 0x00, 0x00, 0x16}

* Fix control points -- not currently used

View Source 
var XCP_ADM_DOMAINS_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x24}

* Multi-domain zeroize

View Source 
var XCP_ADM_DOM_ADMIN_LOGIN = []byte{0x00, 0x00, 0x00, 0x02}

* Add domain administrator certificate

View Source 
var XCP_ADM_DOM_ADMIN_LOGOUT = []byte{0x00, 0x00, 0x00, 0x04}

* Revoke domain administrator certificate

View Source 
var XCP_ADM_DOM_ADMIN_REPLACE = []byte{0x00, 0x00, 0x00, 0x06}

* Transition domain administrator certificate

View Source 
var XCP_ADM_DOM_CONTROLPOINT_ADD = []byte{0x00, 0x00, 0x00, 0x12}

* Enable domain control points

View Source 
var XCP_ADM_DOM_CONTROLPOINT_DEL = []byte{0x00, 0x00, 0x00, 0x13}

* Disable domain control points

View Source 
var XCP_ADM_DOM_CONTROLPOINT_SET = []byte{0x00, 0x00, 0x00, 0x11}

* Fix domain control points

View Source 
var XCP_ADM_DOM_SET_ATTR = []byte{0x00, 0x00, 0x00, 0x08}

* Set domain attribute/s

View Source 
var XCP_ADM_DOM_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x10}

* Release CSPs from domain/s

View Source 
var XCP_ADM_EXPORT_NEXT_WK = []byte{0x00, 0x00, 0x00, 0x26} //@T390301CLH

* wrap+output next WK or parts

View Source 
var XCP_ADM_EXPORT_STATE = []byte{0x00, 0x00, 0x00, 0x1E}

* Export state

View Source 
var XCP_ADM_EXPORT_WK = []byte{0x00, 0x00, 0x00, 0x0B}

* Wrap+output WK or parts

View Source 
var XCP_ADM_FINALIZE_WK = []byte{0x00, 0x00, 0x00, 0x0E}

* Remove previous WK's

View Source 
var XCP_ADM_GEN_IMPORTER = []byte{0x00, 0x00, 0x00, 0x09}

* Generate new importer (PK) key

View Source 
var XCP_ADM_GEN_MODULE_IMPORTER = []byte{0x00, 0x00, 0x00, 0x22}

* Generate module imported key

View Source 
var XCP_ADM_GEN_WK = []byte{0x00, 0x00, 0x00, 0x0A}

* Create random domain WK

View Source 
var XCP_ADM_IMPORT_STATE = []byte{0x00, 0x00, 0x00, 0x1F}

* Import state (part)

View Source 
var XCP_ADM_IMPORT_WK = []byte{0x00, 0x00, 0x00, 0x0C}

* Set (set of) WK (parts) to pending

View Source 
var XCP_ADM_REENCRYPT = []byte{0x00, 0x00, 0x00, 0x19}

* Transform blobs to next WK -- not used by TKE

View Source 
var XCP_ADM_REMOVE_STATE = []byte{0x00, 0x00, 0x00, 0x21}

* Remove cloning state

View Source 
var XCP_ADM_RK_REMOVE = []byte{0x00, 0x00, 0x00, 0x1A}

* Remove (semi-) retained key -- not used by TKE

View Source 
var XCP_ADM_SET_ATTR = []byte{0x00, 0x00, 0x00, 0x07}

* Set card attribute/s

View Source 
var XCP_ADM_SET_CLOCK = []byte{0x00, 0x00, 0x00, 0x14}

* Set module-internal UTC time

View Source 
var XCP_ADM_SET_FCV = []byte{0x00, 0x00, 0x00, 0x15}

* Set function-control vector

View Source 
var XCP_ADM_SET_TRUSTED = []byte{0x00, 0x00, 0x00, 0x23}

* Set trusted attribute on blob/SPKI

View Source 
var XCP_ADM_SYSTEM_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x1D}

* Card zeroize, preserving system key, if it is present (i.e. retaining

  • the Support Element administrator)
View Source 
var XCP_ADM_ZEROIZE = []byte{0x00, 0x00, 0x00, 0x0F}

* Release CSPs from entire module

View Source 
var XCP_DOMAIN_0 = []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}

* OCTET STRING representing domain 0 with all zero "instance identifier"

Functions

func AddDomainAdmin 

func AddDomainAdmin(authToken string, urlStart string, de common.DomainEntry,
	cert []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Adds a domain administrator

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain where an administrator is to be added
[]byte -- certificate containing the public key for the administrator
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func AddDomainAdminReq 

func AddDomainAdminReq(authToken string, urlStart string, de common.DomainEntry,
	cert []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for adding a domain administrator

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose current wrapping key register
   is to be exported
[]byte -- certificate containing the public key for the administrator to
   be added
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
string -- the HTPRequest string with the signed CPRB for the command
error -- reports any errors

----------------------------------------------------------------------------

func AddDomainControlPoints 

func AddDomainControlPoints(authToken string, urlStart string, de common.DomainEntry,
	cpsToSet []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Adds domain control points

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose attributes are to be set
[]byte -- bit mask of control points to be enabled.  16 bytes are expected.
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func AddDomainControlPointsReq 

func AddDomainControlPointsReq(authToken string, urlStart string,
	de common.DomainEntry, cpsToSet []byte, sigkeys []string,
	sigkeySkis []string, sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for adding domain control points

----------------------------------------------------------------------------

func BuildAdminDomainIndex 

func BuildAdminDomainIndex(domainIndex int) []byte

---------------------------------------------------------------------------- 

Initializes the administrative domain field of an xcpAdminBlk.

The first four bytes contains the domain index.  The last four bytes
contains the domain instance identifier.  For unsigned commands and
module-level commands, the domain instance identifier can be all zeros.
For signed commands to a domain, the domain instance identifier is filled
in later using data returned by the Query Domain Attributes command.

----------------------------------------------------------------------------

func ClearCurrentWK 

func ClearCurrentWK(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Clears the current wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose current wrapping key register
   is to be cleared
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func ClearCurrentWKReq 

func ClearCurrentWKReq(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for clearing the current wrapping key register

----------------------------------------------------------------------------

func ClearPendingWK 

func ClearPendingWK(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Clears the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be cleared
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func ClearPendingWKReq 

func ClearPendingWKReq(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for clearing the pending wrapping key register

----------------------------------------------------------------------------

func CommitPendingWK 

func CommitPendingWK(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Commits the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be committed
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func CommitPendingWKReq 

func CommitPendingWKReq(authToken string, urlStart string,
	de common.DomainEntry, vp []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for committing the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be committed
[]byte -- the verification pattern of the pending wrapping key register
   to be committed
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
string -- the HTPRequest string with the signed CPRB for the command
error -- reports any errors

----------------------------------------------------------------------------

func Create2048RSASignerInfoFields 

func Create2048RSASignerInfoFields(dataToSign []byte, sigkey string,
	sigkeySki string, sigkeyToken string) ([][]byte, error)

---------------------------------------------------------------------------- 

Creates a set of ASN.1 OCTET STRINGS to be made into an ASN.1 sequence
that forms the SignerInfo for data signed by a 2048-bit RSA signature key.

Inputs:
[]byte dataToSign -- the data to be signed
string sigkey -- identifies the signature key to use
string sigkeySki -- Subject Key Identifier for the signature key
string sigkeyToken -- authentication token for the signature key

Outputs:
[][]byte -- a set of ASN.1 OCTET STRINGS that will form SignerInfo
    containing an RSA signature
error -- reports any error encountered

----------------------------------------------------------------------------

func CreateAdminCertP521EC 

func CreateAdminCertP521EC(ecKey ecdsa.PrivateKey, adminName string) ([]byte, error)

---------------------------------------------------------------------------- 

Creates an administrator certificate containing a P521 EC public key.

Inputs:
ecdsa.PrivateKey ecKey -- the EC private key
string adminName -- the administrator name

Outputs:
[]byte -- the administrator certificate
error -- reports any error

----------------------------------------------------------------------------

func CreateAdminCertUsingSigningService 

func CreateAdminCertUsingSigningService(ssURL string, sigkey string,
	sigkeyToken string, adminName string) ([]byte, error)

---------------------------------------------------------------------------- 

Creates an administrator certificate containing a P521 EC public key
using a signing service.

Inputs:
string -- base URL for the signing service
string -- identifies the signature key to be used
string -- authentication token for the signature key
string -- administrator name to be placed in the certificate

Outputs:
[]byte -- an administrator certificate containing the EC public key
error -- reports any errors

----------------------------------------------------------------------------

func CreateP521ECSignerInfoFields 

func CreateP521ECSignerInfoFields(dataToSign []byte, sigkey string,
	sigkeySki string, sigkeyToken string) ([][]byte, error)

---------------------------------------------------------------------------- 

Creates a set of ASN.1 OCTET STRINGS to be made into an ASN.1 sequence
that forms the SignerInfo for data signed by a P521 EC signature key.

Inputs:
[]byte dataToSign -- the data to be signed
string sigkey -- identifies the signature key to use
string sigkeySki -- Subject Key Identifier for the signature key
string sigkeyToken -- authentication token for the signature key

Outputs:
[][]byte -- a set of ASN.1 OCTET STRINGS that will form SignerInfo
    containing an EC signature
error -- reports any error encountered

----------------------------------------------------------------------------

func CreateQueryHTPRequest 

func CreateQueryHTPRequest(cryptoModuleIndex int, domainIndex int,
	adminBlock AdminBlk) string

---------------------------------------------------------------------------- 

Creates the HTPRequest string for an unsigned query.

For unsigned queries, the administrative domain, the module identifier,
and the transaction counter in the xcpAdminReq do not need to be filled
in.

----------------------------------------------------------------------------

func CreateRandomWK 

func CreateRandomWK(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (error, []byte)

---------------------------------------------------------------------------- 

Loads a random value in one of the wrapping key registers.

If the current wrapping key register is empty, it is loaded with a random
value.

If the current wrapping key register is not empty but the pending wrapping
key register is empty, the pending wrapping key register is loaded with a
random value.

If both the current wrapping key register and pending wrapping key
register are not empty, an error is returned.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain where a random value is to be loaded
   in one of the wrapping key registers
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation
[]byte -- the verification pattern of the generated master key value

----------------------------------------------------------------------------

func CreateRandomWKReq 

func CreateRandomWKReq(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for loading a random value in one of the wrapping
key registers

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain where a random value is to be loaded
   in one of the wrapping key registers
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
string -- the HTPRequest string with the signed CPRB for the command
error -- reports any errors

----------------------------------------------------------------------------

func CreateRecipientInfoP521EC 

func CreateRecipientInfoP521EC(publicKey []byte, ukm []byte, ski []byte,
	encryptedKeyPart []byte) ([]byte, error)

---------------------------------------------------------------------------- 

Creates the RecipientInfo needed to import a master key part when a
P521 EC importer key is used.

Inputs:
[]byte publicKey -- the P521 EC public key (133 bytes)
[]byte ukm -- user key material, (40 random bytes)
[]byte ski -- subject key identifier for the P521 EC public key (32 bytes)
[]byte encryptedKeyPart -- the encrypted key part (40 bytes)

Outputs:
[]byte -- ASN.1 sequence for the RecipientInfo
error -- reports any error encountered

----------------------------------------------------------------------------

func CreateSignedHTPRequest 

func CreateSignedHTPRequest(authToken string, urlStart string, de common.DomainEntry,
	adminBlock AdminBlk, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest string for a signed command.

For a signed command, the administrative domain, the module identifier,
and the transaction counter are determined by issuing a Query Domain
Attributes command.

The number of signature keys provided indicates the number of signatures
that need to be collected for the command.

----------------------------------------------------------------------------

func CreateSignerInfo 

func CreateSignerInfo(dataToSign []byte, sigkeys []string,
	sigkeySkis []string, sigkeyTokens []string) ([]byte, error)

---------------------------------------------------------------------------- 

Signs the input data using a set of signature keys.  A set of concatenated
ASN.1 sequences, one for each signature key, is returned.

Inputs:
[]byte dataToSign -- the data to be signed
[]string sigkeys -- identifies the signature keys to be used
[]string sigkeySkis -- the Subject Key Identifiers for the signature keys
[]string sigkeyTokens -- authentication tokens for the signature keys

Outputs:
[]byte -- a set of concatenated ASN.1 structures, one for each signature
error -- reports any error encountered

----------------------------------------------------------------------------

func ExportPendingWK 

func ExportPendingWK(authToken string, urlStart string, de common.DomainEntry,
	pfile []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) ([]byte, error)

---------------------------------------------------------------------------- 

Exports the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be exported
[]byte -- parameter file with format described in section 5.3 ("Serialized
   module state") of the EP11 wire formats document.  Contains inputs to
   the Export WK command, such as the M policy and KPH certificates to use.
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
[]byte -- raw encrypted key parts
error -- reports any errors for the operation

----------------------------------------------------------------------------

func ExportPendingWKReq 

func ExportPendingWKReq(authToken string, urlStart string, de common.DomainEntry,
	pfile []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for exporting the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be exported
[]byte -- parameter file with format described in section 5.3 ("Serialized
   module state") of the EP11 wire formats document.  Contains inputs to
   the Export WK command, such as the M policy and KPH certificates to use.
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
string -- the HTPRequest string with the signed CPRB for the command
error -- reports any errors

----------------------------------------------------------------------------

func ExportWK 

func ExportWK(authToken string, urlStart string, de common.DomainEntry,
	pfile []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) ([]byte, error)

---------------------------------------------------------------------------- 

Exports the current wrapping key register using a single key part

A more complicated form of this could be written to support multiple key
parts, but for our purposes it isn't necessary.  The more complicated
version would need to have an array of KPH certificates as input, and
specify the M policy (number of key parts needed to reconstruct the key).
The output would be a concatenated set of RecipientInfo structures.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose current wrapping key register
   is to be exported
[]byte -- parameter file with format described in section 5.3 ("Serialized
   module state") of the EP11 wire formats document.  Contains inputs to
   the Export WK command, such as the M policy and KPH certificates to use.
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
[]byte -- single RecipientInfo structure containing the encrypted key part
error -- reports any errors for the operation

----------------------------------------------------------------------------

func ExportWKParameterFile 

func ExportWKParameterFile(kphcert []byte) []byte

---------------------------------------------------------------------------- 

Construct a parameter file for the Export WK request.

Parameter files are described in section 5.3 "Serialized module state" in
the EP11 wire formats document.  A parameter file is an ASN.1 sequence of
octet strings, where the data in each octet string is a two-byte type,
followed by a four-byte index, followed by variable length data.  The data
may be omitted (have zero length).

Input:
[]byte -- KPH certificate to use to encrypt key parts.  Can use the same
   certificate for multiple key parts.

Output:
[]byte -- the parameter file

----------------------------------------------------------------------------

func ExportWKReq 

func ExportWKReq(authToken string, urlStart string, de common.DomainEntry,
	pfile []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for exporting the current wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose current wrapping key register
   is to be exported
[]byte -- parameter file with format described in section 5.3 ("Serialized
   module state") of the EP11 wire formats document.  Contains inputs to
   the Export WK command, such as the M policy and KPH certificates to use.
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
string -- the HTPRequest string with the signed CPRB for the command
error -- reports any errors

----------------------------------------------------------------------------

func FinalizeWK 

func FinalizeWK(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Finalizes the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be finalized
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func FinalizeWKReq 

func FinalizeWKReq(authToken string, urlStart string, de common.DomainEntry,
	vp []byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for finalizing the pending wrapping key register

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose pending wrapping key register
   is to be finalized
[]byte -- the verification pattern of the pending wrapping key register
   to be finalized
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
string -- the HTPRequest string with the signed CPRB for the command
error -- reports any errors

----------------------------------------------------------------------------

func Generate2048RSAImporterKey 

func Generate2048RSAImporterKey(authToken string, urlStart string,
	de common.DomainEntry, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (rsa.PublicKey, []byte, error)

---------------------------------------------------------------------------- 

Generates a 2048-bit RSA importer key.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose attributes are to be set
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
rsa.PublicKey -- the public part of the generated 2048-bit RSA key
[]byte -- the Subject Key Identifier of the RSA public key
error -- reports any errors for the operation

----------------------------------------------------------------------------

func Generate2048RSAImporterKeyResponse 

func Generate2048RSAImporterKeyResponse(htpResponse string, de common.DomainEntry) (rsa.PublicKey, []byte, error)

---------------------------------------------------------------------------- 

Parse a generate importer key response for an RSA 2048 importer key.

Returns the RSA public importer key and its SKI, and any error

----------------------------------------------------------------------------

func GenerateImporterKeyRequest 

func GenerateImporterKeyRequest(authToken string, urlStart string, de common.DomainEntry,
	importerKeyType uint32, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for generating a domain importer key

----------------------------------------------------------------------------

func GenerateP521ECImporterKey 

func GenerateP521ECImporterKey(authToken string, urlStart string,
	de common.DomainEntry, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (ecdsa.PublicKey, []byte, error)

---------------------------------------------------------------------------- 

Generates a P521 EC importer key.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose attributes are to be set
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
ecdsa.PublicKey -- the public part of the generated P521 EC key
[]byte -- the Subject Key Identifier of the EC public key
error -- reports any errors for the operation

----------------------------------------------------------------------------

func GenerateP521ECImporterKeyResponse 

func GenerateP521ECImporterKeyResponse(htpResponse string, de common.DomainEntry) (ecdsa.PublicKey, []byte, error)

---------------------------------------------------------------------------- 

Parse the response from a generate importer key request when a P521 EC
key was requested.

Returns the EC public importer key, its SKI, and any error

----------------------------------------------------------------------------

func GetEP11ErrorMsg 

func GetEP11ErrorMsg(returnCode string, reasonCode string) string

---------------------------------------------------------------------------- 

Returns message text for an error reported by an EP11 crypto module.

On TKE, the message type for these errors is "3".
The EP11 crypto module does not always supply a reason code.
When both a return code and a reason code are supplied, look for the
specific pair first.  If not found, look for just the return code.
If no message is found, returns an empty string.

----------------------------------------------------------------------------

func GetErrorMsg 

func GetErrorMsg(errorType string, returnCode string, reasonCode string) string

func GetRspPayload 

func GetRspPayload(theRsp string) ([]byte, error)

Remove the front part of the HTPResponse (including the CPRB) and just return the payload

func ImportWK 

func ImportWK(authToken string, urlStart string, de common.DomainEntry,
	recipientInfo [][]byte, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Loads the new wrapping key register.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose new wrapping key register is
   to be loaded.
[][]byte -- array of recipient info, one entry per key part
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys
   Only one signature is needed for this command.

Output:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func IncrementTransactionCounter 

func IncrementTransactionCounter(original []byte) []byte

---------------------------------------------------------------------------- 

Increments the transaction counter

----------------------------------------------------------------------------

func KPHCert 

func KPHCert(pubKey ecdsa.PublicKey) []byte

---------------------------------------------------------------------------- 

Construct and return a KPH certificate containing the given P521 EC public
key using the proprietary TKE format.

----------------------------------------------------------------------------

func NewCPRB 

func NewCPRB(domainIndex int, payloadParm []byte) []byte

---------------------------------------------------------------------------- 

Create a CPRB to send to a host system

----------------------------------------------------------------------------

func NewXPNUMRequest 

func NewXPNUMRequest(cryptoModuleIndex int, domainIndex int, sequence []byte) string

---------------------------------------------------------------------------- 

Create a HTPRequest specifying the XPNUM rule

----------------------------------------------------------------------------

func QueryDeviceCertificate 

func QueryDeviceCertificate(authToken string, urlStart string,
	de common.DomainEntry, certificateIndex uint32) ([]byte, error)

---------------------------------------------------------------------------- 

Reads an OA certificate

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the crypto module and domain to be queried
certificateIndex -- index into the certificate chain
   0 = currently active epoch key, 1 = its parent, etc.

Outputs:
[]byte -- the returned OA certificate
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryDeviceCertificateReq 

func QueryDeviceCertificateReq(cryptoModuleIndex int, domainIndex int,
	certificateIndex uint32) string

---------------------------------------------------------------------------- 

Creates the HTPRequest to return a specific OA certificate

Inputs:
cryptoModuleIndex -- identifies the crypto module to be queried
domainIndex -- the domain assigned to the user.  We know this is a control
   domain, and it will get past the domain check when the cloud processes
   the POST /hsms request.
certificateIndex -- index into the certificate chain
   0 = currently active epoch key, 1 = its parent, etc.

Output:
string -- hexadecimal string representing the HTPRequest

----------------------------------------------------------------------------

func QueryDomainAdminName 

func QueryDomainAdminName(authToken string, urlStart string,
	de common.DomainEntry, ski []byte) (string, error)

---------------------------------------------------------------------------- 

Retrieves the name of a domain administrator.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain to be queried
[]byte -- Subject Key Identifier of the domain administrator of interest

Outputs:
string -- name of the domain administrator
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryDomainAdminRsp 

func QueryDomainAdminRsp(theRsp string, de common.DomainEntry) (AdminRspBlk, Certificate)

Process the response to a query domain administrator request. This function will return the admin response block plus a certificate containing information about the domain administrator.

func QueryDomainAdmins 

func QueryDomainAdmins(authToken string, urlStart string,
	de common.DomainEntry) ([][]byte, error)

---------------------------------------------------------------------------- 

Queries the domain administrators.

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain to be queried

Outputs:
[][]byte -- array of Subject Key Identifiers (SKIs), one for each
   administrator installed in the domain
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryDomainAdminsReq 

func QueryDomainAdminsReq(cryptoModuleIndex int, domainIndex int, aSKI []byte) string

* Create a query domain administrators request. The aSKI parameter may contain the SKI for an administrator or be nil.

func QueryDomainAttributes 

func QueryDomainAttributes(authToken string, urlStart string,
	de common.DomainEntry) (DomainAttributes, AdminRspBlk, error)

---------------------------------------------------------------------------- 

Queries the domain attributes

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain to be queried

Outputs:
DomainAttributes -- structure with the domain attributes
AdminRspBlk -- the xcpAdminRspBlk from the query.  The Query Domain
   Attributes command is issued before each signed command to determine
   the administrative domain,  module ID, and transaction counter fields
   that should be used for the signed command.
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryDomainAttributesReq 

func QueryDomainAttributesReq(cryptoModuleIndex int, domainIndex int) string

---------------------------------------------------------------------------- 

Creates the HTPRequest for querying domain attributes

----------------------------------------------------------------------------

func QueryDomainControlPoints 

func QueryDomainControlPoints(authToken string, urlStart string,
	de common.DomainEntry) ([]byte, error)

---------------------------------------------------------------------------- 

Queries the domain control points

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain to be queried

Outputs:
[]byte -- the domain control points (16 bytes long)
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryDomainControlPointsReq 

func QueryDomainControlPointsReq(cryptoModuleIndex int, domainIndex int) string

---------------------------------------------------------------------------- 

Creates the HTPRequest for querying domain control points

----------------------------------------------------------------------------

func QueryDomainInfoRequest 

func QueryDomainInfoRequest(cryptoModuleIndex int, domainIndex int) string

func QueryModuleInfoRequest 

func QueryModuleInfoRequest(cryptoModuleIndex int, domainIndex int) string

---------------------------------------------------------------------------- 

Creates the HTPRequest for get_xcp_info with a request for module
information

Inputs:
cryptoModuleIndex -- identifies the crypto module to be queried
domainIndex -- the domain assigned to the user.  We know this is a control
   domain, and it will get past the domain check when the cloud processes
   the POST /hsms request.

Output:
string -- hexadecimal string representing the HTPRequest

----------------------------------------------------------------------------

func QueryNumberDeviceCertificates 

func QueryNumberDeviceCertificates(authToken string, urlStart string,
	de common.DomainEntry) (uint32, error)

---------------------------------------------------------------------------- 

Returns the number of OA certificates in the OA certificate chain

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the crypto module and domain to be queried

Outputs:
uint32 -- the number of certificates in the OA certificate chain
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryNumberDeviceCertificatesReq 

func QueryNumberDeviceCertificatesReq(cryptoModuleIndex int,
	domainIndex int) string

---------------------------------------------------------------------------- 

Creates the HTPRequest to return the number of OA certificates in the OA
certificate chain

Inputs:
cryptoModuleIndex -- identifies the crypto module to be queried
domainIndex -- the domain assigned to the user.  We know this is a control
   domain, and it will get past the domain check when the cloud processes
   the POST /hsms request.

Output:
string -- hexadecimal string representing the HTPRequest

----------------------------------------------------------------------------

func RemoveDomainAdminReq 

func RemoveDomainAdminReq(authToken string, urlStart string,
	de common.DomainEntry, ski []byte, sigkeys []string,
	sigkeySkis []string, sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for removing a domain administrator

----------------------------------------------------------------------------

func RemoveDomainAdministrator 

func RemoveDomainAdministrator(authToken string, urlStart string,
	de common.DomainEntry, ski string, sigkeys []string,
	sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Removes an administrator

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain with the administrator to be removed
string -- the Subject Key Identifier of the administator to be removed
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func SetDomainAttributes 

func SetDomainAttributes(authToken string, urlStart string,
	de common.DomainEntry, newAttributes DomainAttributes,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Sets the domain attributes

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain whose attributes are to be set
DomainAttributes -- new set of attributes to be loaded in the domain
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func SetDomainAttributesReq 

func SetDomainAttributesReq(authToken string, urlStart string, de common.DomainEntry,
	newAttributes DomainAttributes, sigkeys []string, sigkeySkis []string,
	sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for setting the domain attributes

----------------------------------------------------------------------------

func VerifyCertificate 

func VerifyCertificate(authToken string, urlStart string, de common.DomainEntry,
	certIndex uint32, aCertificate OACertificateX) error

---------------------------------------------------------------------------- 

Verifies an OA certificate returned by a CEX5P.

Adapted from a method of the same name in
com.ibm.tke.model.xcp.XCPCryptoModuleClass

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies a domain assigned to the user.  The OA
   certificate chain for the crypto module containing that domain is to
   be verified.
certIndex -- index of the OA certificate to start with.  0 = currently
   active epoch key, 1 = its parent, etc.  This method calls itself
   recursively to read and verify the entire OA certificate chain.
aCertificate -- the OA certificate to be verified

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func VerifyOA2Certificate 

func VerifyOA2Certificate(authToken string, urlStart string, de common.DomainEntry,
	certIndex uint32, aCertificate OA2CertificateX) error

---------------------------------------------------------------------------- 

Verifies an OA certificate returned by a CEX6P or CEX7P.

Adapted from a method of the same name in
com.ibm.tke.model.xcp.XCPCryptoModuleClass

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies a domain assigned to the user.  The OA
   certificate chain for the crypto module containing that domain is to
   be verified.
certIndex -- index of the OA certificate to start with.  0 = currently
   active epoch key, 1 = its parent, etc.  This method calls itself
   recursively to read and verify the entire OA certificate chain.
aCertificate -- the OA certificate to be verified

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func ZeroizeDomain 

func ZeroizeDomain(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) error

---------------------------------------------------------------------------- 

Zeroizes the domain

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain to be zeroized
[]string -- identifies the signature keys to use to sign the command
[]string -- the Subject Key Identifiers for the signature keys
[]string -- authentication tokens for the signature keys

Outputs:
error -- reports any errors for the operation

----------------------------------------------------------------------------

func ZeroizeDomainReq 

func ZeroizeDomainReq(authToken string, urlStart string, de common.DomainEntry,
	sigkeys []string, sigkeySkis []string, sigkeyTokens []string) (string, error)

---------------------------------------------------------------------------- 

Creates the HTPRequest for zeroizing a domain

----------------------------------------------------------------------------

Types

type AdminBlk 

type AdminBlk struct {
	CmdID              []byte
	DomainID           []byte
	ModuleID           []byte
	TransactionCounter []byte
	CmdInput           []byte
}

* Represents an EP11 xcpAdminBlk

func BigImportWKRequest 

func BigImportWKRequest(domainID []byte, moduleID []byte, transactionCounter []byte,
	keyPartRequests []byte) AdminBlk

---------------------------------------------------------------------------- 

Build an import wrapping key request containing all of the inport wrapping
requests for each individual key part

----------------------------------------------------------------------------

func ImportWKRequest 

func ImportWKRequest(domainID []byte, moduleID []byte, transactionCounter []byte,
	recipientInfo []byte) AdminBlk

---------------------------------------------------------------------------- 

Build an import wrapping key request for a single key part

----------------------------------------------------------------------------

type AdminReq 

type AdminReq struct {
	CmdID      []byte
	DomainID   []byte
	AdminBlock []byte
	SignerInfo []byte
}

* Represents an EP11 xcpAdminReq

type AdminRsp 

type AdminRsp struct {
	CmdID       []byte
	DomainID    []byte
	ReturnCode  []byte
	AdminRspBlk []byte
	SignerInfo  []byte
}

* Represents an EP11 xcpAdminRsp (normal case)

type AdminRspBlk 

type AdminRspBlk struct {
	CmdID              []byte
	DomainID           []byte
	ModuleID           []byte
	TransactionCounter []byte
	ReturnCode         []byte
	CmdOutput          []byte
}

* Represents an EP11 xcpAdminRspBlk

func ImportWKResponse 

func ImportWKResponse(htpResponse string, de common.DomainEntry) (AdminRspBlk, error)

---------------------------------------------------------------------------- 

Parse an import wrapping key response

----------------------------------------------------------------------------

func QueryDomainAdminsListRsp 

func QueryDomainAdminsListRsp(theRsp string, de common.DomainEntry) (AdminRspBlk, [][]byte, error)

* Process the response to a query domain administrators list request. This function will return the admin response block plus an array containing a SKI value for each domain administrator.

func (*AdminRspBlk) GetSerialNumber 

func (resp *AdminRspBlk) GetSerialNumber() string

---------------------------------------------------------------------------- 

Extracts the crypto module serial number from the moduleIdentifier field
of an xcpAdminRspBlk.

----------------------------------------------------------------------------

type AdminRspError 

type AdminRspError struct {
	CmdID      []byte
	DomainID   []byte
	ReturnCode []byte
}

* Represents an EP11 xcpAdminRsp (error case)

type AlgID 

type AlgID struct {
	ObjID  asn1.Oid
	Null   asn1.Null `asn1:"optional"`
	ObjID2 asn1.Oid  `asn1:"optional"`
}

type AlgIDRSA2048 

type AlgIDRSA2048 struct {
	ObjID  asn1.Oid
	Null   asn1.Null // not optional in this case
	ObjID2 asn1.Oid  `asn1:"optional"` // will always be nil for encode, here so we can copy
}

type CPRB 

type CPRB struct {
	// contains filtered or unexported fields
}

* Implements the first 32 bytes of an EP11 CPRB

type CertBody 

type CertBody struct {
	TheVersion    CertVersion `asn1:"tag:0"`
	SerialNumber  int
	Algorithm     AlgID
	TheIssuer     Names
	Validity      TimeRange
	TheSubject    Names
	ThePublicKey  PublicKey
	TheExtensions Extensions `asn1:"tag:3"`
}

type CertBodyRSA2048 

type CertBodyRSA2048 struct {
	TheVersion    CertVersion `asn1:"tag:0"`
	SerialNumber  int
	Algorithm     AlgID
	TheIssuer     Names
	Validity      TimeRange
	TheSubject    Names
	ThePublicKey  PublicKeyRSA2048
	TheExtensions Extensions `asn1:"tag:3"`
}

type CertVersion 

type CertVersion struct {
	Version int
}

type Certificate 

type Certificate struct {
	TheBody   CertBody
	Algorithm AlgID
	Signature []byte `asn1:"universal,tag:3"`
}

func (Certificate) GetAdminName 

func (cert Certificate) GetAdminName() []byte

Get the administrator name out of the certificate

func (Certificate) GetPublicKey 

func (cert Certificate) GetPublicKey() []byte

func (Certificate) GetSKI 

func (cert Certificate) GetSKI() []byte

func (Certificate) IsTKECertificate 

func (cert Certificate) IsTKECertificate() bool

Returns true if the certificate is one associated with TKE operations

type CertificateRSA2048 

type CertificateRSA2048 struct {
	TheBody   CertBodyRSA2048
	Algorithm AlgID
	Signature []byte `asn1:"universal,tag:3"`
}

func (*CertificateRSA2048) Initialize 

func (cert *CertificateRSA2048) Initialize()

---------------------------------------------------------------------------- 

Initialize an administrator certificate that will contain a 2048-bit RSA
public key.

Operates on CertificateRSA2048 (both input and output).

----------------------------------------------------------------------------

func (*CertificateRSA2048) SetAdminName 

func (cert *CertificateRSA2048) SetAdminName(newName []byte)

---------------------------------------------------------------------------- 

Sets the administrator name in an administrator certificate containing a
2048-bit RSA public key.

Operates on CertificateRSA2048 (both input and output).

Inputs:
[]byte newName -- the administrator name to be set in the certificate.
    Can be up to 30 bytes long.

----------------------------------------------------------------------------

func (*CertificateRSA2048) SetPublicKey 

func (cert *CertificateRSA2048) SetPublicKey(publicKey []byte)

---------------------------------------------------------------------------- 

Sets the 2048-bit RSA public key and associated subject key identifier in
an administrator certificate.

Operates on CertificateRSA2048 (both input and output).

Inputs:
[]byte publicKey -- the RSA public key to be set in the certificate.
    Actually, just the modulus.  The public exponent is assumed to be
    65537.  Must be 257 bytes long.

----------------------------------------------------------------------------

func (*CertificateRSA2048) SetSignature 

func (cert *CertificateRSA2048) SetSignature(rsaKey *rsa.PrivateKey)

---------------------------------------------------------------------------- 

Sets the signature field in an administrator certificate containing a
2048-bit RSA public key.

Operates on CertificateRSA2048 (both input and output).

Inputs:
rsa.PrivateKey rsaKey -- the RSA private key to use to create the
    signature.

----------------------------------------------------------------------------

type DomainAttributes 

type DomainAttributes struct {
	SignatureThreshold           uint32
	RevocationSignatureThreshold uint32
	Permissions                  uint32
	OperationalMode              uint32
	StandardsCompliance          uint32
}

type DomainInfoRspInfo 

type DomainInfoRspInfo struct {
	CurrentMKVP     []byte
	NewMKVP         []byte
	CurrentMKStatus int
	NewMKStatus     int
}

func QueryDomainInfo 

func QueryDomainInfo(authToken string, urlStart string,
	de common.DomainEntry) (DomainInfoRspInfo, error)

---------------------------------------------------------------------------- 

Queries the domain master key register status and verification pattern

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the domain to be queried

Outputs:
DomainInfoRspInfo -- contains the status and verification patterns of the
   new and current master key registers
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryDomainInfoRsp 

func QueryDomainInfoRsp(theRsp string) (DomainInfoRspInfo, error)

Process the response from get_xcp_info to retrieve domain information.

type ECSignature 

type ECSignature struct {
	R *big.Int
	S *big.Int
}

* Used to create an ASN.1 sequence representing an EC signature

type Extensions 

type Extensions struct {
	TheSeq1 Seq1
}

type ModAndExp 

type ModAndExp struct {
	Modulus  []byte `asn1:"universal,tag:2"`
	Exponent int
}

type ModuleInfoRspInfo 

type ModuleInfoRspInfo struct {
	APIOrdinalNumber      []byte
	FirmwareIdentifier    []byte
	APIVersionMajor       byte
	APIVersionMinor       byte
	CSPVersionMajor       byte
	CSPVersionMinor       byte
	FirmwareConfiguration []byte
	XCPConfiguration      []byte
	SerialNumber          []byte
	// other fields omitted...see section 5.1.1 in XCP wire formats document
	// for full list
	SerialNumberString string
}

* Output fields from get_xcp_info to retrieve module information

func QueryModuleInfo 

func QueryModuleInfo(authToken string, urlStart string,
	de common.DomainEntry) (ModuleInfoRspInfo, error)

---------------------------------------------------------------------------- 

Issues get_xcp_info to retrieve module information

Inputs:
authToken -- the authority token to use for the request
urlStart -- the base URL to use for the request
DomainEntry -- identifies the crypto module and domain to be queried

Outputs:
ModuleInfoRspInfo -- returned data from the query
error -- reports any errors for the operation

----------------------------------------------------------------------------

func QueryModuleInfoRsp 

func QueryModuleInfoRsp(htpResponseString string) (ModuleInfoRspInfo, error)

---------------------------------------------------------------------------- 

Processes the HTP response from get_xcp_data to retrieve module
information.

Input:
htpResponseString -- HTPResponse string from POST /hsms

ModuleInfoRspInfo -- structure containing output fields from the query
error -- reports any errors for the operation

----------------------------------------------------------------------------

type Name 

type Name struct {
	OID             asn1.Oid
	PrintableString []byte `asn1:"universal,tag:19"`
}

type Name2 

type Name2 struct {
	TheName Name
}

type Names 

type Names struct {
	OrgName    Name2 `asn1:"set"`
	CommonName Name2 `asn1:"set"`
}

type OA2CertificateX 

type OA2CertificateX struct {
	Header     []byte
	Info       []byte
	MetaData   []byte
	AuxData    []byte
	Spki       []byte
	SignerInfo []byte

	HdrMagic           byte
	HdrSpare           []byte
	HdrSectionCount    byte
	HdrByteCount       uint32
	HdrSectionLengths0 uint32
	HdrSectionLengths1 uint32
	HdrSectionLengths2 uint32
	HdrSectionLengths3 uint32
	HdrSectionLengths4 uint32
	HdrPadBytes        []byte

	InfoAlgID    uint32
	InfoPadBytes []byte

	MetaDataDer1         []byte
	MetaDataObjVersion   uint32
	MetaDataDer2         []byte
	MetaDataRootCA       byte
	MetaDataTrustBits    byte
	MetaDataIssuingSeg   byte
	MetaDataSubjectSeg   byte
	MetaDataDer3         []byte
	MetaDataAdapterType  []byte
	MetaDataDer4         []byte
	MetaDataAdapterID    []byte
	MetaDataDer5         []byte
	MetaDataSourceConfig []byte
	MetaDataDer6         []byte
	MetaDataCreationBoot uint32
	MetaDataDer7         []byte
	MetaDataKeyType      uint32
	MetaDataDer8         []byte
	MetaDataSubjectSKI   []byte
	MetaDataDer9         []byte
	MetaDataSignerSKI    []byte
	MetaDataDer10        []byte
	MetaDataSigningTime  []byte
	MetaDataDer11        []byte
	MetaDataOAInfo       []byte
	MetaDataPadBytes     []byte

	AuxDataDer1     []byte
	AuxDataVersion  byte
	AuxDataDer2     []byte
	AuxDataSegHash  []byte
	AuxDataDer3     []byte
	AuxDataOwner2   []byte
	AuxDataDer4     []byte
	AuxDataOwner3   []byte
	AuxDataPadBytes []byte

	SpkiDer1        []byte
	SpkiOID1        []byte
	SpkiDer2        []byte
	SpkiOID2        []byte
	SpkiDer3        []byte
	SpkiCompressed  byte
	SpkiXCoordinate []byte
	SpkiYCoordinate []byte
	SpkiPadBytes    []byte

	SpkiPublicKey []byte

	Body []byte // everything except the SignerInfo

	SignerInfoDer1        []byte
	SignerInfoVersion     byte
	SignerInfoDer2        []byte
	SignerInfoSKI         []byte
	SignerInfoDer3        []byte
	SignerInfoDigestAlgID []byte
	SignerInfoDer4        []byte
	SignerInfoSigAlgID    []byte
	SignerInfoDer5        []byte
	SignerInfoR           []byte
	SignerInfoDer6        []byte
	SignerInfoS           []byte
	SignerInfoPadByte     byte
}

func (*OA2CertificateX) Init 

func (cert *OA2CertificateX) Init(data []byte) error

---------------------------------------------------------------------------- 

Initializes an OA2CertificateX structure using data read from a crypto
module

----------------------------------------------------------------------------

type OACertificateX 

type OACertificateX struct {
	Header      []byte
	Body        []byte
	PublicKey   []byte
	DescriptorA []byte
	DescriptorB []byte
	Signature   []byte

	HeaderIdName      byte
	HeaderIdVersion   byte
	HeaderTData       uint32
	HeaderVDataOffset uint32
	HeaderVDataLen    uint32
	HeaderVSigOffset  uint32
	HeaderVSigLen     uint32
	HeaderTSig        uint32
	HeaderCkoName     []byte
	HeaderCkoType     uint32
	HeaderCkoStatus   uint32
	HeaderParentName  []byte

	BodyIdName              byte
	BodyIdVersion           byte
	BodyTPublic             uint32
	BodyVPublicOffset       uint32
	BodyVPublicLen          uint32
	BodyVDescAOffset        uint32
	BodyVDescALen           uint32
	BodyVDescBOffset        uint32
	BodyVDescBLen           uint32
	BodyDeviceNameIdName    byte
	BodyDeviceNameIdVersion byte
	BodyDeviceNameAdapterId []byte
	BodyCkoName             []byte
	BodyCkoNameNameType     uint16
	BodyCkoNameIndex        uint16
	BodyCkoType             uint32
	BodyParentName          []byte
	BodyParentNameNameType  uint16
	BodyParentNameIndex     uint16

	// fields set when the certificate contains an RSA public key
	PublicKeyType        uint32
	PublicKeyTokenLength uint32
	PublicKeyNBitLength  uint32
	PublicKeyNLength     uint32
	PublicKeyELength     uint32
	PublicKeyNOffset     uint32
	PublicKeyEOffset     uint32
	PublicKeyTokenData   []byte
	PublicKeyN           []byte
	PublicKeyE           []byte

	// fields set when the certificate contains an EC public key
	ECCCurveType     uint32
	ECCCurveSize     uint16
	ECCPublicKeyQLen uint16
	ECCPublicKeyQ    []byte
	ECCPublicKeyX    []byte
	ECCPublicKeyY    []byte

	// fields set when the certificate contains an EC signature
	ECCSignatureR []byte
	ECCSignatureS []byte
}

func (*OACertificateX) Init 

func (cert *OACertificateX) Init(data []byte) error

---------------------------------------------------------------------------- 

Initializes an OACertificateX structure using data read from a crypto
module

----------------------------------------------------------------------------

type PublicKey 

type PublicKey struct {
	Algorithm    AlgID
	ThePublicKey []byte `asn1:"universal,tag:3"`
}

type PublicKeyECP521 

type PublicKeyECP521 struct {
	Algorithm    AlgID
	ThePublicKey []byte `asn1:"universal,tag:3"`
}

#B@T372621CLH

type PublicKeyRSA2048 

type PublicKeyRSA2048 struct {
	Algorithm    AlgIDRSA2048
	ThePublicKey []byte `asn1:"universal,tag:3"`
}

type RecipientInfo2048 

type RecipientInfo2048 struct {
	Version      int
	SKI          []byte `asn1:"tag:0"`
	AlgID        AlgIDRSA2048
	EncryptedKey []byte
}

func (*RecipientInfo2048) Initialize 

func (info *RecipientInfo2048) Initialize(ski []byte, encrKey []byte)

---------------------------------------------------------------------------- 

Initializes an RSA 2048 recipient info structure, including the encrypting
key's SKI and the encrypted key part.

----------------------------------------------------------------------------

type RspInfo 

type RspInfo struct {
	ErrorType     string
	ReturnCode    string
	ReasonCode    string
	ProgramID     string
	ErrorLocation string
	ErrorText     string
}

* Contains error information from the second section of an HTPResponse

func ParseResponse 

func ParseResponse(theRsp string) (RspInfo, string, error)

rsp error type rsp return code rsp reason code ---------------------------------------------------------------------------- 

Extracts the error information and EP11 response CPRB from an HTPResponse.

Only valid for HTPResponses containing an EP11 response CPRB.

The HTPResponse string contains three fields, separated by ";".
1. A length field (ignored here)
2. Error information
3. The EP11 response CPRB

Inputs:
theRsp string -- HTPResponse string from POST /hsms

Outputs:
RspInfo -- structure containing error information from the HTPResponse
string -- the EP11 response CPRB
error -- identifies any errors found parsing the HTPResponse

----------------------------------------------------------------------------

type Seq1 

type Seq1 struct {
	TheSeq2 Seq2
}

type Seq2 

type Seq2 struct {
	ObjID asn1.Oid
	SKI   []byte
}

type SignerInfo 

type SignerInfo struct {
	Version              int
	SubjectKeyID         []byte // 32-byte SKI, without ASN.1 tags or lengths
	DigestAlgorithmID    []byte
	SignatureAlgorithmID []byte
	Signature            []byte // signature, ECC signatures are represented as an ASN.1 sequence of two INTEGERs
	SignatureR           []byte
	SignatureS           []byte
}

* Represents EP11 SignerInfo in xcpAdminRsp with EC OA signature

func DecodeSignerInfo 

func DecodeSignerInfo(signerInfoBytes []byte) (SignerInfo, error)

---------------------------------------------------------------------------- 

Isolates the individual fields of the SignerInfo returned in an
xcpAdminRsp.

SignerInfo is an ASN.1 sequence but the sequence elements are not all
octet strings.  asn1.Decode returns with an error when given SignerInfo
to process.  This function can be called instead of asn1.Decode.

Inputs:
signerInfoBytes -- the ASN.1 SignerInfo sequence to process

Outputs:
SignerInfo -- structure with entries for each of the SignerInfo fields
error -- identifies any errors found parsing the input sequence

----------------------------------------------------------------------------

type TimeRange 

type TimeRange struct {
	NotBefore []byte `asn1:"universal,tag:24"`
	NotAfter  []byte `asn1:"universal,tag:24"`
}

type VerbError 

type VerbError interface {
	error
	ReturnCode() int
	ReasonCode() int
}

func NewVerbError 

func NewVerbError(text string, returnCode int, reasonCode int) VerbError

type VerbErrorStruct 

type VerbErrorStruct struct {
	// contains filtered or unexported fields
}

func (*VerbErrorStruct) Error 

func (ves *VerbErrorStruct) Error() string

func (*VerbErrorStruct) ReasonCode 

func (ves *VerbErrorStruct) ReasonCode() int

func (*VerbErrorStruct) ReturnCode 

func (ves *VerbErrorStruct) ReturnCode() int

type XCPReq 

type XCPReq struct {
	CmdId      []byte
	DomainID   []byte
	CmdSubtype []byte
	Unused     []byte
}

* XCPReq fields for get_xcp_info to retrieve module or domain information

type XCPRsp 

type XCPRsp struct {
	CmdId      []byte
	DomainID   []byte
	ReturnCode []byte
	Payload    []byte
}

* XCPRsp fields for get_xcp_info to retrieve module or domain information

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.