1 files changed, 61 insertions, 0 deletions

diff --git a/crypto/src/tls/crypto/TlsSecret.cs b/crypto/src/tls/crypto/TlsSecret.cs
new file mode 100644
index 000000000..9b092fc40
--- /dev/null
+++ b/crypto/src/tls/crypto/TlsSecret.cs
@@ -0,0 +1,61 @@
+using System;
+using System.IO;
+
+namespace Org.BouncyCastle.Tls.Crypto
+{
+    /// <summary>Interface supporting the generation of key material and other SSL/TLS secret values from PRFs.
+    /// </summary>
+    public interface TlsSecret
+    {
+        /// <summary>Return a new secret based on applying a PRF to this one.</summary>
+        /// <param name="prfAlgorithm">PRF algorithm to use.</param>
+        /// <param name="label">the label details.</param>
+        /// <param name="seed">the seed details.</param>
+        /// <param name="length">the size (in bytes) of the secret to generate.</param>
+        /// <returns>the new secret.</returns>
+        TlsSecret DeriveUsingPrf(int prfAlgorithm, string label, byte[] seed, int length);
+
+        /// <summary>Destroy the internal state of the secret.</summary>
+        /// <remarks>
+        /// After this call, any attempt to use the <see cref="TlsSecret"/> will result in an
+        /// <see cref="InvalidOperationException"/> being thrown.
+        /// </remarks>
+        void Destroy();
+
+        /// <summary>Return an encrypted copy of the data this secret is based on.</summary>
+        /// <param name="certificate">the certificate containing the public key to use for protecting the internal
+        /// data.</param>
+        /// <returns>an encrypted copy of this secret's internal data.</returns>
+        /// <exception cref="IOException"/>
+        byte[] Encrypt(TlsCertificate certificate);
+
+        /// <summary>Return the internal data from this secret.</summary>
+        /// <remarks>
+        /// The <see cref="TlsSecret"/> does not keep a copy of the data. After this call, any attempt to use the
+        /// <see cref="TlsSecret"/> will result in an <see cref="InvalidOperationException"/> being thrown.
+        /// </remarks>
+        /// <returns>the secret's internal data.</returns>
+        byte[] Extract();
+
+        /// <summary>RFC 5869 HKDF-Expand function, with this secret's data as the pseudo-random key ('prk').</summary>
+        /// <param name="cryptoHashAlgorithm">the hash algorithm to instantiate HMAC with. See
+        /// <see cref="CryptoHashAlgorithm"/> for values.</param>
+        /// <param name="info">optional context and application specific information (can be zero-length).</param>
+        /// <param name="length">length of output keying material in octets.</param>
+        /// <returns> output keying material (of 'length' octets).</returns>
+        TlsSecret HkdfExpand(int cryptoHashAlgorithm, byte[] info, int length);
+
+        /// <summary>RFC 5869 HKDF-Extract function, with this secret's data as the 'salt'.</summary>
+        /// <remarks>
+        /// The <see cref="TlsSecret"/> does not keep a copy of the data. After this call, any attempt to use
+        /// the <see cref="TlsSecret"/> will result in an <see cref="InvalidOperationException"/> being thrown.
+        /// </remarks>
+        /// <param name="cryptoHashAlgorithm">the hash algorithm to instantiate HMAC with. See
+        /// <see cref="CryptoHashAlgorithm"/> for values.</param>
+        /// <param name="ikm">input keying material.</param>
+        /// <returns>a pseudo-random key (of HashLen octets).</returns>
+        TlsSecret HkdfExtract(int cryptoHashAlgorithm, byte[] ikm);
+
+        bool IsAlive();
+    }
+}