secure-enclave-unlocker (#24)

Co-authored-by: clawbot <clawbot@eeqj.de>
Reviewed-on: #24
Reviewed-by: clawbot <clawbot@noreply.example.org>
Co-authored-by: sneak <sneak@sneak.berlin>
Co-committed-by: sneak <sneak@sneak.berlin>

internal/macse/secure_enclave.h

@@ -0,0 +1,57 @@
+#ifndef SECURE_ENCLAVE_H
+#define SECURE_ENCLAVE_H
+
+#include <stdint.h>
+
+// se_create_key creates a new P-256 key in the Secure Enclave via sc_auth.
+// label: unique identifier for the CTK identity (UTF-8 C string)
+// pub_key_out: output buffer for the uncompressed public key (65 bytes for P-256)
+// pub_key_len: on input, size of pub_key_out; on output, actual size written
+// hash_out: output buffer for the identity hash (for deletion)
+// hash_out_len: size of hash_out buffer
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_create_key(const char *label,
+                  uint8_t *pub_key_out, int *pub_key_len,
+                  char *hash_out, int hash_out_len,
+                  char *error_out, int error_out_len);
+
+// se_encrypt encrypts data using the SE-backed public key (ECIES).
+// label: label of the CTK identity whose public key to use
+// plaintext: data to encrypt
+// plaintext_len: length of plaintext
+// ciphertext_out: output buffer for the ECIES ciphertext
+// ciphertext_len: on input, size of buffer; on output, actual size written
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_encrypt(const char *label,
+               const uint8_t *plaintext, int plaintext_len,
+               uint8_t *ciphertext_out, int *ciphertext_len,
+               char *error_out, int error_out_len);
+
+// se_decrypt decrypts ECIES ciphertext using the SE-backed private key.
+// The ECDH portion of decryption is performed inside the Secure Enclave.
+// label: label of the CTK identity whose private key to use
+// ciphertext: ECIES ciphertext produced by se_encrypt
+// ciphertext_len: length of ciphertext
+// plaintext_out: output buffer for decrypted data
+// plaintext_len: on input, size of buffer; on output, actual size written
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_decrypt(const char *label,
+               const uint8_t *ciphertext, int ciphertext_len,
+               uint8_t *plaintext_out, int *plaintext_len,
+               char *error_out, int error_out_len);
+
+// se_delete_key removes a CTK identity from the Secure Enclave via sc_auth.
+// hash: the identity hash returned by se_create_key
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_delete_key(const char *hash,
+                  char *error_out, int error_out_len);
+
+#endif // SECURE_ENCLAVE_H