To use the Intel® EPID APIs, you need to use the following items that are created by the issuer:
If you want to use the Intel Key Generation Facility (iKGF) as the issuer, contact info@digital-cp.com to get started.
If you choose to use iKGF as the issuer, you can take advantage of tools included in the SDK that are designed to make it easier for you to interact with iKGF by creating requests to update revocation lists and by extracting member private keys and group public keys from iKGF files.
The Intel® EPID SDK includes tools to help you request additions to revocation lists managed by iKGF if you are using iKGF as the issuer.
These tools are designed to create a revocation request in the format required by iKGF. In order to update a revocation list, the requests generated by these tools must be submitted to the issuer.
To access the tools, go to _install/epid-sdk/tools in the SDK directory.
You need to build the SDK before you can use these tools. For more information, refer to Building from Source.
The following tools are available:
| Tool | Purpose |
|---|---|
| revokegrp | Create group revocation request |
| revokekey | Create member private key revocation request |
| revokesig | Create signature revocation request |
The revokegrp tool adds a group to the revocation request file.
```
Usage: revokegrp [OPTION]...
Revoke Intel(R) EPID group
Options:
--gpubkey=FILE
    load group public key from FILE (default: pubkey.bin)
--capubkey=FILE
    load IoT Issuing CA public key from FILE
--reason=NUM
    revocation reason (default: 0)
--req=FILE
    append group revocation request to FILE (default: grprlreq.dat)
-h, --help
    display this help and exit
-v, --verbose
    print status messages to stdout
```
The revokekey tool adds a member private key to the revocation request file.
```
Usage: revokekey [OPTION]
Revoke Intel(R) EPID private key
Options:
--mprivkey=FILE
    load private key to revoke from FILE (default: mprivkey.dat)
--req=FILE
    append private key revocation request to FILE (default: privreq.dat)
-h, --help
    display this help and exit
-v,--verbose
    print status messages to stdout
The following options are only needed for compressed keys:
--gpubkey=FILE
    load group public key from FILE (default: pubkey.bin)
--capubkey=FILE
    load IoT Issuing CA public key from FILE
```
The revokesig tool creates a request to add a signature to the revocation request file.
revokesig only accepts valid signatures for addition to the revocation request.
```
Usage: revokesig [OPTION]...
Revoke Intel(R) EPID signature
Options:
--sig=FILE
    load signature to revoke from FILE (default: sig.dat)
--msg=MESSAGE
    MESSAGE used to generate signature to revoke
--msgfile=FILE
    FILE containing message used to generate signature to revoke
--gpubkey=FILE
    load group public key from FILE (default: pubkey.bin)
--capubkey=FILE
    load IoT Issuing CA public key from FILE
--req=FILE
    append signature revocation request to FILE (default: sigrlreq.dat)
-h, --help
    display this help and exit
-v, --verbose
    print status messages to stdout
```
The Intel® EPID SDK includes tools to help you extract individual keys from files provided by the Intel Key Generation Facility (iKGF) if you are using iKGF as the issuer.
To access the tools, go to _install/epid-sdk/tools in the SDK directory.
You need to build the SDK before you can use these tools. For more information, refer to Building from Source.
The following tools are available:
| Tool | Purpose |
|---|---|
| extractgrps | Extracts group public keys |
| extractkeys | Extracts member private keys |
The extractgrps tool extracts group public keys from the input file to the current directory.
```
Usage: extractgrps [OPTION]... [FILE] [NUM]
Extract the first NUM group certs from FILE to current directory
Options:
-h, --help
    display this help and exit
-v, --verbose
    print status messages to stdout
```
The extractkeys tool extracts member private keys from the input file to the current directory.
```
Usage: extractkeys [OPTION]... [FILE] [NUM]
Extract the first NUM private keys from FILE to current directory.
Options:
-c, --compressed
    extract compressed keys
-h, --help
    display this help and exit
-v, --verbose
    print status messages to stdout
```
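Because extractkeys writes member private keys into the current directory, it is worth running it from a directory that only the invoking user can read. The wrapper below is an added example, not part of the SDK: it runs the tool inside a dedicated directory under `umask 077`, then reports any file that still grants group or other access. The `EXTRACTKEYS` override variable and both function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: run extractkeys in a private directory and audit the result.
# EXTRACTKEYS (tool path override) and the function names are assumptions;
# only the "[FILE] [NUM]" arguments come from the usage text above.

# extract_keys_private OUTDIR FILE NUM
# Runs the tool with OUTDIR as the current directory and umask 077, so every
# file it creates has no group/other permission bits.
extract_keys_private() {
    outdir=$1 keyfile=$2 num=$3
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }
    case $num in ''|*[!0-9]*) echo "NUM must be a number" >&2; return 2 ;; esac
    # The tool runs after a cd, so a relative FILE path must be made absolute.
    case $keyfile in /*) ;; *) keyfile=$(pwd)/$keyfile ;; esac
    (
        umask 077
        mkdir -p "$outdir" && chmod 700 "$outdir" && cd "$outdir" || exit 3
        "${EXTRACTKEYS:-extractkeys}" "$keyfile" "$num"
    )
}

# audit_key_dir DIR
# Prints every regular file under DIR that grants any group/other permission
# bit; returns 1 if at least one such file exists, 0 otherwise.
audit_key_dir() {
    loose=$(find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$loose" ] && return 0
    printf '%s\n' "$loose"
    return 1
}
```

Run `audit_key_dir` again after copying keys to a provisioning host, since copy tools do not always preserve the restrictive mode.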