Snapdragon® Telematics Application Framework (TelAF) Interface Specification
|
Key Store is an access control-based service with access to trusted hardware bound cryptography. It ensures that all cryptographic keys generated are bound to the device cryptographically and all cryptographic operations run in a trusted execution environment.
Key Store service provides APIs to applications for key management, key access control, and cryptographic operations. It has a built-in reliable and secure backend storage to save cryptographic keys created by client applications. It also supports client authentication which means only the key owner has the permission to access or use the key for certain purposes.
The functions of this API are provided by the tafKeyStoreSvc application service.
The following example illustrates how to bind to the Key Store service.
bindings: { clientExe.clientComponent.taf_ks -> tafKeyStoreSvc.taf_ks }
A new key can be created using taf_ks_CreateKey() with the desired key name and key usage passed as input parameters. A key reference output parameter is returned to the client for subsequent operations.
New keys initially have no value and cannot be used for any cryptographic operations. Applications shall call taf_ks_ProvisionXXX() API to provision or import the key value and save the key into backend storage. The following key provision/import APIs are supported.
The following example illustrates how to create and provision an AES GCM key.
Optionally, application can call taf_ks_SetKeyXXX() to set the attribute of key access control before key provisioning. The following key access control APIs are supported.
Call taf_ks_GetKey() to get a key reference by the key name and call taf_ks_GetKeyUsage() to get the key usage by the key reference.
Call taf_ks_ExportKey() to export the x.509 DER format public key.
Call taf_ks_DeleteKey() to delete a key from the backend storage.
The typical use cases are data encryption/decryption and message signing/verification. Each cryptographic operation must be processed within a context. A cryptographic session bound to the context must be created to use a key for certain cryptographic operations.
Call taf_ks_CryptoSessionCreate() to create a session and get the session reference for subsequent operations.
Call taf_ks_CryptoSessionSetAesNonce() to set the NONCE specifically for the AES CBC/CTR/GCM key.
Call taf_ks_CryptoSessionStart() to start the session.
The following example illustrates how to create a cryptographic session and start the session for data encryption.
Call taf_ks_CryptoSessionProcess() to process the input data and get the output data in a running crypto session started with taf_ks_CryptoSessionStart(). It shall be called for multiple times if the input data size is greater than TAF_KS_MAX_PACKET_SIZE, which means the input data shall be split into small pieces with the size of each piece less than TAF_KS_MAX_PACKET_SIZE.
Call taf_ks_CryptoSessionEnd() to normally finish the cryptographic operation in the running session after all input data is processed by taf_ks_CryptoSessionProcess().
The following example illustrates how to process the input plain text and get the encrypted data, the encrypted data will be saved in the byte array of encryptedData with size of totalEncSize.