In order to support a variety of cryptographically capable hardware we maintain loose coupling between our protocols and how a specific building block is invoked in a specific hardware. This is achieved using an abstract Vault trait.
A concrete implementation of the Vault trait is called an Ockam Vault. Over time, and with help from the Ockam open source community, we plan to add vaults for several TEEs, TPMs, HSMs, and Secure Enclaves.
This crate provides the Vault FFI bindings following the “C” calling convention, and generates static and dynamic C linkable libraries.
- Safety macro which ensures a buffer is not null and not empty.
- Error type relating to FFI specific failures.
- Represents the failures that can occur in an Ockam FFI Vault.
- Decrypt a payload using AES-GCM.
- Encrypt a payload using AES-GCM.
- Create and return a default Ockam Vault.
- De-initialize an Ockam Vault.
- Perform an ECDH operation on the supplied Ockam Vault peer_publickey. The result is an Ockam Vault secret of unknown type.
- Perform an HMAC-SHA256 based key derivation function on the supplied salt and input key material.
- Retrieve the attributes for a specified secret.
- Delete an Ockam Vault secret.
- Export a secret key with the specific handle to the
- Generate a secret key with the specific attributes. Returns a handle for the secret.
- Import a secret key with the specific handle and attributes.
- Get the public key, given a secret key, and copy it to the output buffer.
- Compute the SHA-256 hash on input and put the result in digest; digest must be 32 bytes in length.