@@ -593,27 +593,24 @@ class P256Keypair : public P256KeypairBase
593
593
bool mInitialized = false ;
594
594
};
595
595
596
- using Symmetric128BitsKeyByteArray = uint8_t [CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES];
597
-
598
596
/* *
599
- * @brief Platform-specific Symmetric key handle
597
+ * @brief Platform-specific symmetric key handle
600
598
*
601
599
* The class represents a key used by the Matter stack either in the form of raw key material or key
602
600
* reference, depending on the platform. To achieve that, it contains an opaque context that can be
603
- * cast to a concrete representation used by the given platform. Note that currently Matter uses
604
- * 128-bit symmetric keys only.
601
+ * cast to a concrete representation used by the given platform.
605
602
*
606
- * @note Symmetric128BitsKeyHandle is an abstract class to force child classes for each key handle type.
607
- * Symmetric128BitsKeyHandle class implements all the necessary components for handles.
608
- * Child classes only need to implement a constructor and delete all the copy operators.
603
+ * @note SymmetricKeyHandle is an abstract class to force child classes for each key handle type.
604
+ * SymmetricKeyHandle class implements all the necessary components for handles.
609
605
*/
610
- class Symmetric128BitsKeyHandle
606
+ template <size_t ContextSize>
607
+ class SymmetricKeyHandle
611
608
{
612
609
public:
613
- Symmetric128BitsKeyHandle (const Symmetric128BitsKeyHandle &) = delete ;
614
- Symmetric128BitsKeyHandle (Symmetric128BitsKeyHandle &&) = delete ;
615
- void operator =(const Symmetric128BitsKeyHandle &) = delete ;
616
- void operator =(Symmetric128BitsKeyHandle &&) = delete ;
610
+ SymmetricKeyHandle (const SymmetricKeyHandle &) = delete ;
611
+ SymmetricKeyHandle (SymmetricKeyHandle &&) = delete ;
612
+ void operator =(const SymmetricKeyHandle &) = delete ;
613
+ void operator =(SymmetricKeyHandle &&) = delete ;
617
614
618
615
/* *
619
616
* @brief Get internal context cast to the desired key representation
@@ -634,44 +631,44 @@ class Symmetric128BitsKeyHandle
634
631
}
635
632
636
633
protected:
637
- Symmetric128BitsKeyHandle () = default ;
638
- ~Symmetric128BitsKeyHandle () { ClearSecretData (mContext .mOpaque ); }
634
+ SymmetricKeyHandle () = default ;
635
+ ~SymmetricKeyHandle () { ClearSecretData (mContext .mOpaque ); }
639
636
640
637
private:
641
- static constexpr size_t kContextSize = CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES;
642
-
643
638
struct alignas (uintptr_t ) OpaqueContext
644
639
{
645
- uint8_t mOpaque [kContextSize ] = {};
640
+ uint8_t mOpaque [ContextSize ] = {};
646
641
} mContext ;
647
642
};
648
643
644
+ using Symmetric128BitsKeyByteArray = uint8_t [CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES];
645
+
649
646
/* *
650
- * @brief Platform-specific AES key handle
647
+ * @brief Platform-specific 128-bit symmetric key handle
651
648
*/
652
- class Aes128KeyHandle final : public Symmetric128BitsKeyHandle
649
+ class Symmetric128BitsKeyHandle : public SymmetricKeyHandle <CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES>
653
650
{
654
- public:
655
- Aes128KeyHandle () = default ;
651
+ };
656
652
657
- Aes128KeyHandle (const Aes128KeyHandle &) = delete ;
658
- Aes128KeyHandle (Aes128KeyHandle &&) = delete ;
659
- void operator =(const Aes128KeyHandle &) = delete ;
660
- void operator =(Aes128KeyHandle &&) = delete ;
653
+ /* *
654
+ * @brief Platform-specific 128-bit AES key handle
655
+ */
656
+ class Aes128KeyHandle final : public Symmetric128BitsKeyHandle
657
+ {
661
658
};
662
659
663
660
/* *
664
- * @brief Platform-specific HMAC key handle
661
+ * @brief Platform-specific 128-bit HMAC key handle
665
662
*/
666
663
class Hmac128KeyHandle final : public Symmetric128BitsKeyHandle
667
664
{
668
- public:
669
- Hmac128KeyHandle () = default ;
665
+ };
670
666
671
- Hmac128KeyHandle (const Hmac128KeyHandle &) = delete ;
672
- Hmac128KeyHandle (Hmac128KeyHandle &&) = delete ;
673
- void operator =(const Hmac128KeyHandle &) = delete ;
674
- void operator =(Hmac128KeyHandle &&) = delete ;
667
+ /* *
668
+ * @brief Platform-specific HKDF key handle
669
+ */
670
+ class HkdfKeyHandle final : public SymmetricKeyHandle<CHIP_CONFIG_HKDF_KEY_HANDLE_CONTEXT_SIZE>
671
+ {
675
672
};
676
673
677
674
/* *
@@ -1090,6 +1087,9 @@ class PBKDF2_sha256
1090
1087
unsigned int iteration_count, uint32_t key_length, uint8_t * output);
1091
1088
};
1092
1089
1090
+ // TODO: Extract Spake2p to a separate header and replace the forward declaration with #include SessionKeystore.h
1091
+ class SessionKeystore ;
1092
+
1093
1093
/* *
1094
1094
* The below class implements the draft 01 version of the Spake2+ protocol as
1095
1095
* defined in https://www.ietf.org/id/draft-bar-cfrg-spake2plus-01.html.
@@ -1205,14 +1205,17 @@ class Spake2p
1205
1205
virtual CHIP_ERROR KeyConfirm (const uint8_t * in, size_t in_len);
1206
1206
1207
1207
/* *
1208
- * @brief Return the shared secret.
1208
+ * @brief Return the shared HKDF key.
1209
+ *
1210
+ * Returns the shared key established during the Spake2+ process, which can be used
1211
+ * to derive application-specific keys using HKDF.
1209
1212
*
1210
- * @param out The output secret .
1211
- * @param out_len The output secret length .
1213
+ * @param keystore The session keystore for managing the HKDF key lifetime .
1214
+ * @param key The output HKDF key .
1212
1215
*
1213
1216
* @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise
1214
1217
**/
1215
- CHIP_ERROR GetKeys (uint8_t * out, size_t * out_len) ;
1218
+ CHIP_ERROR GetKeys (SessionKeystore & keystore, HkdfKeyHandle & key) const ;
1216
1219
1217
1220
CHIP_ERROR InternalHash (const uint8_t * in, size_t in_len);
1218
1221
CHIP_ERROR WriteMN ();
0 commit comments