Check KBKDF parameters on key-manager side

[platform/core/security/key-manager.git] / src / manager / crypto / tz-backend / internals.cpp

diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp
index b8abe24..2a5d83c 100644 (file)
--- a/src/manager/crypto/tz-backend/internals.cpp
+++ b/src/manager/crypto/tz-backend/internals.cpp
@@ -95,8 +95,10 @@ tz_data_type toTzDataType(const CKM::DataType dataType) {
        case CKM::DataType::KEY_AES:           return TYPE_SKEY;
        case CKM::DataType::KEY_DSA_PRIVATE:   return TYPE_AKEY_PRIVATE_DSA;
        case CKM::DataType::KEY_RSA_PRIVATE:   return TYPE_AKEY_PRIVATE_RSA;
+       case CKM::DataType::KEY_ECDSA_PRIVATE: return TYPE_AKEY_PRIVATE_EC;
        case CKM::DataType::KEY_DSA_PUBLIC:    return TYPE_AKEY_PUBLIC_DSA;
        case CKM::DataType::KEY_RSA_PUBLIC:    return TYPE_AKEY_PUBLIC_RSA;
+       case CKM::DataType::KEY_ECDSA_PUBLIC:  return TYPE_AKEY_PUBLIC_EC;
        default:
                ThrowErr(CKM::Exc::Crypto::DataTypeNotSupported,
                        "Data type could not be imported by tz-backend");
@@ -113,6 +115,37 @@ tz_ec toTzEc(CKM::ElipticCurve ec)
        }
 }
 
+tz_prf toTzPrf(CKM::KdfPrf prf)
+{
+       switch(prf) {
+       case CKM::KdfPrf::HMAC_SHA256: return PRF_HMAC_SHA256;
+       case CKM::KdfPrf::HMAC_SHA384: return PRF_HMAC_SHA384;
+       case CKM::KdfPrf::HMAC_SHA512: return PRF_HMAC_SHA512;
+       default: ThrowErr(CKM::Exc::Crypto::DataTypeNotSupported, "PRF not supported by tz-backend");
+       }
+}
+
+tz_kbkdf_mode toTzKbkdfMode(CKM::KbkdfMode mode)
+{
+       switch(mode) {
+       case CKM::KbkdfMode::COUNTER: return KBKDF_MODE_COUNTER;
+       default:
+               ThrowErr(CKM::Exc::Crypto::DataTypeNotSupported, "KBKDF mode not supported by tz-backend");
+       }
+}
+
+tz_kbkdf_ctr_loc toTzCtrLoc(CKM::KbkdfCounterLocation loc)
+{
+       switch(loc) {
+       case CKM::KbkdfCounterLocation::BEFORE_FIXED: return KBKDF_LOC_BEFORE_FIXED;
+       case CKM::KbkdfCounterLocation::AFTER_FIXED: return KBKDF_LOC_AFTER_FIXED;
+       case CKM::KbkdfCounterLocation::MIDDLE_FIXED: return KBKDF_LOC_MIDDLE_FIXED;
+       default:
+               ThrowErr(CKM::Exc::Crypto::DataTypeNotSupported,
+                       "KBKDF counter location not supported by tz-backend");
+       }
+}
+
 } // namespace
 
 namespace CKM {
@@ -120,6 +153,8 @@ namespace Crypto {
 namespace TZ {
 namespace Internals {
 
+namespace {
+
 tz_algo_type getGenSKeyType(AlgoType type)
 {
        switch (type)
@@ -158,6 +193,46 @@ tz_hash_type getHashType(HashAlgorithm hash)
        }
 }
 
+void decompose(const CryptoAlgorithm &alg,
+                          AlgoType &algo,
+                          uint32_t &ctrLenOrTagSizeBits,
+                          RawBuffer &iv,
+                          RawBuffer &aad)
+{
+       algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+       switch (algo) {
+               case AlgoType::AES_CTR:
+                       iv = unpack<RawBuffer>(alg, ParamName::ED_IV);
+                       ctrLenOrTagSizeBits = Params::DEFAULT_AES_IV_LEN * 8;
+                       alg.getParam(ParamName::ED_CTR_LEN, ctrLenOrTagSizeBits);
+                       // counter length is in bits
+                       if (ctrLenOrTagSizeBits != Params::DEFAULT_AES_IV_LEN * 8) {
+                               LogError("CTR length invalid: " << std::to_string(ctrLenOrTagSizeBits));
+                               ThrowErr(Exc::Crypto::InputParam, "Invalid CTR length");
+                       }
+                       break;
+               case AlgoType::AES_CBC:
+                       iv = unpack<RawBuffer>(alg, ParamName::ED_IV);
+                       break;
+               case AlgoType::AES_CFB:
+                       iv = unpack<RawBuffer>(alg, ParamName::ED_IV);
+                       break;
+               case AlgoType::AES_GCM:
+                       iv = unpack<RawBuffer>(alg, ParamName::ED_IV);
+                       ctrLenOrTagSizeBits = Params::DEFAULT_AES_GCM_TAG_LEN_BITS;
+                       alg.getParam(ParamName::ED_TAG_LEN, ctrLenOrTagSizeBits);
+                       alg.getParam(ParamName::ED_AAD, aad);
+                       break;
+               case AlgoType::RSA_OAEP:
+                       break;
+               default:
+                       ThrowErr(Exc::Crypto::InputParam, "Invalid decryption algorithm");
+                       break;
+       }
+}
+
+} // namespace
+
 RawBuffer generateIV()
 {
        RawBuffer result;
@@ -266,9 +341,9 @@ AlgoType generateAKey(const CryptoAlgorithm &alg,
        return keyType;
 }
 
-void destroyKey(const RawBuffer &key)
+void destroyKey(const RawBuffer &keyId)
 {
-       TrustZoneContext::Instance().executeDestroy(key);
+       TrustZoneContext::Instance().executeDestroy(keyId);
 }
 
 void importData(const Data &data,
@@ -293,12 +368,71 @@ void importData(const Data &data,
                                                                                hash);
 }
 
+void importWrappedKey(const RawBuffer &wrappingKeyId,
+                                         const Pwd &wrappingKeyPwd,
+                                         const CryptoAlgorithm &alg,
+                                         const Data &encryptedKey,
+                                         const Password &encryptedKeyPassword,
+                                         const RawBuffer &encryptedKeyIV,
+                                         RawBuffer &encryptedKeyTag,
+                                         const RawBuffer &encryptedKeyId)
+{
+       RawBuffer encryptedKeyPwdBuf(encryptedKeyPassword.begin(), encryptedKeyPassword.end());
+
+       AlgoType algo;
+       uint32_t ctrLenOrTagSizeBits = 0;
+       RawBuffer iv;
+       RawBuffer aad;
+       decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad);
+
+       // TODO it is awful!
+       TrustZoneContext::Instance().importWrappedKey(wrappingKeyId,
+                                                                                                 wrappingKeyPwd,
+                                                                                                 getAlgType(algo),
+                                                                                                 iv,
+                                                                                                 ctrLenOrTagSizeBits,
+                                                                                                 aad,
+                                                                                                 toTzDataType(encryptedKey.type),
+                                                                                                 encryptedKey.data,
+                                                                                                 encryptedKeyPwdBuf,
+                                                                                                 encryptedKeyIV,
+                                                                                                 encryptedKeyTag,
+                                                                                                 encryptedKeyId);
+}
+
+RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId,
+                                                  const Pwd &wrappingKeyPwd,
+                                                  const CryptoAlgorithm &alg,
+                                                  const RawBuffer &keyToWrapId,
+                                                  const Pwd &keyToWrapPwd,
+                                                  const DataType &keyToWrapType)
+{
+       AlgoType algo;
+       uint32_t ctrLenOrTagSizeBits = 0;
+       RawBuffer iv;
+       RawBuffer aad;
+       decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad);
+
+       // TODO it is awful!
+       return TrustZoneContext::Instance().exportWrappedKey(wrappingKeyId,
+                                                                                                                wrappingKeyPwd,
+                                                                                                                getAlgType(algo),
+                                                                                                                iv,
+                                                                                                                ctrLenOrTagSizeBits,
+                                                                                                                aad,
+                                                                                                                keyToWrapId,
+                                                                                                                keyToWrapPwd,
+                                                                                                                toTzDataType(keyToWrapType));
+}
+
 RawBuffer getData(const RawBuffer &dataId,
-                                 const Pwd &pwd)
+                                 const Pwd &pwd,
+                                 const DataType &type)
 {
        RawBuffer result;
        TrustZoneContext::Instance().getData(dataId,
                                 pwd,
+                                toTzDataType(type),
                                 result);
        return result;
 }
@@ -308,7 +442,7 @@ void destroyData(const RawBuffer &dataId)
        TrustZoneContext::Instance().destroyData(dataId);
 }
 
-BufferPair encryptDataAesGcm(const RawBuffer &key,
+BufferPair encryptDataAesGcm(const RawBuffer &keyId,
                                                        const Pwd &pwd,
                                                        const RawBuffer &iv,
                                                        int tagSize,
@@ -318,26 +452,26 @@ BufferPair encryptDataAesGcm(const RawBuffer &key,
        RawBuffer result;
        RawBuffer tag;
 
-       TrustZoneContext::Instance().executeEncryptAE(key, pwd, iv, tagSize,
+       TrustZoneContext::Instance().executeEncryptAE(keyId, pwd, iv, tagSize,
                                                                                                aad, data, result, tag);
 
        return std::make_pair(result, tag);
 }
 
-RawBuffer encryptDataAesGcmPacked(const RawBuffer &key,
+RawBuffer encryptDataAesGcmPacked(const RawBuffer &keyId,
                                                                const Pwd &pwd,
                                                                const RawBuffer &iv,
                                                                int tagSize,
                                                                const RawBuffer &data,
                                                                const RawBuffer &aad)
 {
-       auto pair = encryptDataAesGcm(key, pwd, iv, tagSize, data, aad);
+       auto pair = encryptDataAesGcm(keyId, pwd, iv, tagSize, data, aad);
        std::copy(pair.second.begin(), pair.second.end(),
                        std::back_inserter(pair.first));
        return pair.first;
 }
 
-RawBuffer decryptDataAesGcm(const RawBuffer &key,
+RawBuffer decryptDataAesGcm(const RawBuffer &keyId,
                                                        const Pwd &pwd,
                                                        const RawBuffer &iv,
                                                        int tagSizeBits,
@@ -347,13 +481,13 @@ RawBuffer decryptDataAesGcm(const RawBuffer &key,
 {
        RawBuffer result;
 
-       TrustZoneContext::Instance().executeDecryptAE(key, pwd, iv, tagSizeBits,
+       TrustZoneContext::Instance().executeDecryptAE(keyId, pwd, iv, tagSizeBits,
                                                                                                tag, aad, data, result);
 
        return result;
 }
 
-RawBuffer decryptDataAesGcmPacked(const RawBuffer &key,
+RawBuffer decryptDataAesGcmPacked(const RawBuffer &keyId,
                                                                const Pwd &pwd,
                                                                const RawBuffer &iv,
                                                                int tagSizeBits,
@@ -365,7 +499,7 @@ RawBuffer decryptDataAesGcmPacked(const RawBuffer &key,
                ThrowErr(Exc::Crypto::InputParam, "Wrong size of tag");
 
        auto tagPos = data.data() + data.size() - tagSizeBytes;
-       return decryptDataAesGcm(key,
+       return decryptDataAesGcm(keyId,
                                                        pwd,
                                                        iv,
                                                        tagSizeBits,
@@ -375,17 +509,17 @@ RawBuffer decryptDataAesGcmPacked(const RawBuffer &key,
 }
 
 
-RawBuffer symmetricEncrypt(const RawBuffer &key,
+RawBuffer symmetricEncrypt(const RawBuffer &keyId,
                                                const Pwd &pwd,
                                                const CryptoAlgorithm &alg,
                                                const RawBuffer &data)
 {
        AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
-       uint64_t ctrLen = 0;
+       uint64_t ctrLen = Params::DEFAULT_AES_IV_LEN * 8;
 
        switch (algo) {
                case AlgoType::AES_CTR: {
-                       ctrLen = unpack<uint64_t>(alg, ParamName::ED_CTR_LEN);
+                       alg.getParam(ParamName::ED_CTR_LEN, ctrLen);
                        // counter length is in bits
                        if (ctrLen != Params::DEFAULT_AES_IV_LEN * 8) {
                                LogError("CTR length invalid: " << std::to_string(ctrLen));
@@ -399,7 +533,7 @@ RawBuffer symmetricEncrypt(const RawBuffer &key,
                        RawBuffer result;
                        TrustZoneContext::Instance().executeCrypt(CMD_ENCRYPT,
                                                                                                        getAlgType(algo),
-                                                                                                       key,
+                                                                                                       keyId,
                                                                                                        pwd,
                                                                                                        unpack<RawBuffer>(alg, ParamName::ED_IV),
                                                                                                        data,
@@ -411,7 +545,7 @@ RawBuffer symmetricEncrypt(const RawBuffer &key,
                        alg.getParam(ParamName::ED_TAG_LEN, tagLenBits);
                        RawBuffer aad;
                        alg.getParam(ParamName::ED_AAD, aad);
-                       return encryptDataAesGcmPacked(key,
+                       return encryptDataAesGcmPacked(keyId,
                                                                                pwd,
                                                                                unpack<RawBuffer>(alg, ParamName::ED_IV),
                                                                                tagLenBits,
@@ -426,17 +560,17 @@ RawBuffer symmetricEncrypt(const RawBuffer &key,
                                "Incorrect algorithm provided for symmetric crypto operation");
 }
 
-RawBuffer symmetricDecrypt(const RawBuffer &key,
+RawBuffer symmetricDecrypt(const RawBuffer &keyId,
                                                const Pwd &pwd,
                                                const CryptoAlgorithm &alg,
                                                const RawBuffer &data)
 {
        AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
-       uint64_t ctrLen = 0;
+       uint64_t ctrLen = Params::DEFAULT_AES_IV_LEN * 8;
 
        switch (algo) {
                case AlgoType::AES_CTR: {
-                       ctrLen = unpack<uint64_t>(alg, ParamName::ED_CTR_LEN);
+                       alg.getParam(ParamName::ED_CTR_LEN, ctrLen);
                        // counter length is in bits
                        if (ctrLen != Params::DEFAULT_AES_IV_LEN * 8) {
                                LogError("CTR length invalid: " << std::to_string(ctrLen));
@@ -450,7 +584,7 @@ RawBuffer symmetricDecrypt(const RawBuffer &key,
                        RawBuffer result;
                        TrustZoneContext::Instance().executeCrypt(CMD_DECRYPT,
                                                                                                        getAlgType(algo),
-                                                                                                       key,
+                                                                                                       keyId,
                                                                                                        pwd,
                                                                                                        unpack<RawBuffer>(alg, ParamName::ED_IV),
                                                                                                        data,
@@ -462,7 +596,7 @@ RawBuffer symmetricDecrypt(const RawBuffer &key,
                        alg.getParam(ParamName::ED_TAG_LEN, tagSizeBits);
                        RawBuffer aad;
                        alg.getParam(ParamName::ED_AAD, aad);
-                       return decryptDataAesGcmPacked(key,
+                       return decryptDataAesGcmPacked(keyId,
                                                                                pwd,
                                                                                unpack<RawBuffer>(alg, ParamName::ED_IV),
                                                                                tagSizeBits,
@@ -477,7 +611,7 @@ RawBuffer symmetricDecrypt(const RawBuffer &key,
                                "Incorrect algorithm provided for symmetric crypto operation");
 }
 
-RawBuffer asymmetricEncrypt(const RawBuffer &key,
+RawBuffer asymmetricEncrypt(const RawBuffer &keyId,
                                                        const Pwd &pwd,
                                                        const CryptoAlgorithm &alg,
                                                        const RawBuffer &data)
@@ -490,7 +624,7 @@ RawBuffer asymmetricEncrypt(const RawBuffer &key,
        case AlgoType::RSA_OAEP: {
                TrustZoneContext::Instance().executeCrypt(CMD_ENCRYPT,
                                                                                                getAlgType(algo),
-                                                                                               key,
+                                                                                               keyId,
                                                                                                pwd,
                                                                                                result, // unused dummy
                                                                                                data,
@@ -505,7 +639,7 @@ RawBuffer asymmetricEncrypt(const RawBuffer &key,
                                "Incorrect algorithm provided for asymmetric crypto operation");
 }
 
-RawBuffer asymmetricDecrypt(const RawBuffer &key,
+RawBuffer asymmetricDecrypt(const RawBuffer &keyId,
                                                        const Pwd &pwd,
                                                        const CryptoAlgorithm &alg,
                                                        const RawBuffer &cipher)
@@ -518,7 +652,7 @@ RawBuffer asymmetricDecrypt(const RawBuffer &key,
        case AlgoType::RSA_OAEP: {
                TrustZoneContext::Instance().executeCrypt(CMD_DECRYPT,
                                                                                                getAlgType(algo),
-                                                                                               key,
+                                                                                               keyId,
                                                                                                pwd,
                                                                                                result, // unused dummy
                                                                                                cipher,
@@ -533,7 +667,63 @@ RawBuffer asymmetricDecrypt(const RawBuffer &key,
                                "Incorrect algorithm provided for asymmetric crypto operation");
 }
 
-RawBuffer sign(const RawBuffer &pkey,
+uint32_t initCipher(const RawBuffer &keyId,
+                                       const Pwd &pwd,
+                                       const CryptoAlgorithm &alg,
+                                       bool encrypt)
+{
+       AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+
+       switch (algo)
+       {
+       case AlgoType::AES_GCM: {
+               int tagSizeBits = Params::DEFAULT_AES_GCM_TAG_LEN_BITS;
+               alg.getParam(ParamName::ED_TAG_LEN, tagSizeBits);
+               RawBuffer aad;
+               alg.getParam(ParamName::ED_AAD, aad);
+               return TrustZoneContext::Instance().initGcmCipher(encrypt ? CIPHER_ENCRYPT : CIPHER_DECRYPT,
+                                                                                                                 keyId,
+                                                                                                                 pwd,
+                                                                                                                 unpack<RawBuffer>(alg, ParamName::ED_IV),
+                                                                                                                 tagSizeBits,
+                                                                                                                 aad);
+       }
+       case AlgoType::AES_CBC:
+       case AlgoType::AES_CTR:
+       case AlgoType::AES_CFB:
+               // TODO optionally implement above modes as well
+       default:
+               break;
+       };
+
+       ThrowErr(Exc::Crypto::OperationNotSupported,
+                        "Incorrect algorithm provided for symmetric crypto operation");
+}
+
+void addAAD(uint32_t opId,
+                       const RawBuffer &aad)
+{
+       TrustZoneContext::Instance().addGcmAAD(opId, aad);
+}
+
+RawBuffer updateCipher(uint32_t opId,
+                                          const RawBuffer &data)
+{
+       return TrustZoneContext::Instance().updateGcmCipher(opId, data);
+}
+
+RawBuffer finalizeCipher(uint32_t opId,
+                                                const RawBuffer &data)
+{
+       return TrustZoneContext::Instance().finalizeGcmCipher(opId, data);
+}
+
+void cleanupCipher(uint32_t opId)
+{
+       return TrustZoneContext::Instance().cleanupCipher(opId);
+}
+
+RawBuffer sign(const RawBuffer &pkeyId,
                        const Pwd &pwd,
                        const CryptoAlgorithm &alg,
                        const RawBuffer &message)
@@ -546,14 +736,14 @@ RawBuffer sign(const RawBuffer &pkey,
        RawBuffer signature;
        TrustZoneContext::Instance().executeSign(getAlgType(algo),
                                                                                        getHashType(hash),
-                                                                                       pkey,
+                                                                                       pkeyId,
                                                                                        pwd,
                                                                                        message,
                                                                                        signature);
        return signature;
 }
 
-int verify(const RawBuffer &pkey,
+int verify(const RawBuffer &pkeyId,
                const Pwd &pwd,
                const CryptoAlgorithm &alg,
                const RawBuffer &message,
@@ -566,13 +756,13 @@ int verify(const RawBuffer &pkey,
 
        return TrustZoneContext::Instance().executeVerify(getAlgType(algo),
                                                                                                        getHashType(hash),
-                                                                                                       pkey,
+                                                                                                       pkeyId,
                                                                                                        pwd,
                                                                                                        message,
                                                                                                        signature);
 }
 
-void deriveECDH(const RawBuffer &prvKey,
+void deriveECDH(const RawBuffer &prvKeyId,
                                const Pwd &prvKeyPwd,
                                const RawBuffer &pubKey,
                                const Password &secretPwd,
@@ -612,8 +802,29 @@ void deriveECDH(const RawBuffer &prvKey,
 
        RawBuffer secretPwdBuf(secretPwd.begin(), secretPwd.end());
 
-       TrustZoneContext::Instance().executeEcdh(prvKey,
+       int pubCurve = EC_GROUP_get_curve_name(ecGroup);
+       tz_ec tzCurve;
+       switch (pubCurve)
+       {
+       case NID_X9_62_prime192v1:
+               tzCurve = EC_NIST_P192;
+               break;
+
+       case NID_X9_62_prime256v1:
+               tzCurve = EC_NIST_P256;
+               break;
+
+       case NID_secp384r1:
+               tzCurve = EC_NIST_P384;
+               break;
+
+       default:
+               ThrowErr(Exc::Crypto::InputParam, "Unsupported public key EC");
+       }
+
+       TrustZoneContext::Instance().executeEcdh(prvKeyId,
                                                                                         prvKeyPwd,
+                                                                                        tzCurve,
                                                                                         xBuf,
                                                                                         yBuf,
                                                                                         secretPwdBuf,
@@ -622,30 +833,61 @@ void deriveECDH(const RawBuffer &prvKey,
                                                                                         secretHash);
 }
 
-void deriveKBKDF(const RawBuffer &secret,
+void deriveKBKDF(const RawBuffer &secretId,
+                                const Pwd &secretPwd,
                                 const CryptoAlgorithm &alg,
                                 const Password &keyPwd,
                                 const RawBuffer &keyPwdIV,
                                 RawBuffer &keyTag,
                                 const RawBuffer &keyHash)
 {
-       auto prf = unpack<KdfPrf>(alg, ParamName::KDF_PRF);
-       auto mode = unpack<KbkdfMode>(alg, ParamName::KBKDF_MODE);
-       auto location = unpack<KbkdfCounterLocation>(alg, ParamName::KBKDF_COUNTER_LOCATION);
+       RawBuffer label, context, fixed;
+       KbkdfCounterLocation counterLocation;
+       KdfPrf prf;
+       KbkdfMode mode;
+       size_t length, rlenBits = 32, llenBits = 32, tmp;
+       bool hasLabel = alg.getParam(ParamName::KBKDF_LABEL, label);
+       bool hasContext = alg.getParam(ParamName::KBKDF_CONTEXT, context);
+       bool hasFixed = alg.getParam(ParamName::KBKDF_FIXED_INPUT, fixed);
+       alg.getParam(ParamName::KBKDF_COUNTER_LOCATION, counterLocation);
+       alg.getParam(ParamName::KBKDF_MODE, mode);
+       alg.getParam(ParamName::KDF_PRF, prf);
+       alg.getParam(ParamName::KDF_LEN, length);
+       alg.getParam(ParamName::KBKDF_RLEN, rlenBits);
+       bool hasLLen = alg.getParam(ParamName::KBKDF_LLEN, llenBits);
+       bool noSeparator = alg.getParam(ParamName::KBKDF_NO_SEPARATOR, tmp);
+
+       RawBuffer key;
+       if (hasFixed) {
+               if (hasLabel || hasContext || noSeparator || hasLLen ||
+                       counterLocation == KbkdfCounterLocation::MIDDLE_FIXED)
+                       ThrowErr(Exc::Crypto::InputParam, "Unexpected parameters for fixed input mode.");
+       } else {
+               if (!hasLabel || !hasContext)
+                       ThrowErr(Exc::Crypto::InputParam, "Missing label and/or context.");
+
+               if (llenBits != 0 && llenBits != 8 && llenBits != 16 && llenBits != 24 && llenBits != 32)
+                       ThrowErr(Exc::Crypto::InputParam, "Invalid llen value");
+       }
+       if (length != 16 && length != 24 && length != 32)
+               ThrowErr(Exc::Crypto::InputParam, "Invalid key length");
 
-       size_t rlen = 32, llen = 32, dummy;
-       alg.getParam(ParamName::KBKDF_RLEN, rlen);
-       alg.getParam(ParamName::KBKDF_LLEN, llen);
-       bool noSeparator = alg.getParam(ParamName::KBKDF_NO_SEPARATOR, dummy);
+       if (rlenBits != 8 && rlenBits != 16 && rlenBits != 24 && rlenBits != 32)
+               ThrowErr(Exc::Crypto::InputParam, "Invalid rlen value");
 
        RawBuffer keyPwdBuf(keyPwd.begin(), keyPwd.end());
 
-       TrustZoneContext::Instance().executeKbkdf(secret,
-                                                                                         prf,
-                                                                                         mode,
-                                                                                         location,
-                                                                                         rlen,
-                                                                                         llen,
+       TrustZoneContext::Instance().executeKbkdf(secretId,
+                                                                                         secretPwd,
+                                                                                         length,
+                                                                                         label,
+                                                                                         context,
+                                                                                         fixed,
+                                                                                         toTzPrf(prf),
+                                                                                         toTzKbkdfMode(mode),
+                                                                                         toTzCtrLoc(counterLocation),
+                                                                                         rlenBits,
+                                                                                         llenBits,
                                                                                          noSeparator,
                                                                                          keyPwdBuf,
                                                                                          keyPwdIV,
@@ -653,6 +895,10 @@ void deriveKBKDF(const RawBuffer &secret,
                                                                                          keyHash);
 }
 
+size_t maxChunkSize()
+{
+       return TrustZoneContext::Instance().getMaxChunkSize();
+}
 
 } // namespace Internals
 } // namespace TZ