diff options
| author | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2019-02-19 12:39:17 +0100 |
|---|---|---|
| committer | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2019-02-19 12:52:44 +0100 |
| commit | ee2c14eb1eafd0ecbdb660a8deb8568090230e33 (patch) | |
| tree | 43c35f352c1a6c0cbf40c15af3896c36b278fa7b | |
| parent | 2cb35737891323de4b0fea29e060958375f25c26 (diff) | |
| download | key-manager-ee2c14eb1eafd0ecbdb660a8deb8568090230e33.tar.gz key-manager-ee2c14eb1eafd0ecbdb660a8deb8568090230e33.tar.bz2 key-manager-ee2c14eb1eafd0ecbdb660a8deb8568090230e33.zip | |
Refactor PKEK2 related functions
PKEK2 is used to derive both DB DEK and APP DEK. Currently, variable names and
comments are a bit misleading.
This commit refactors the variable names and comments to better describe the
actual purpose of this key.
Change-Id: If8ee266ec2da63c929f498f1ed009df5d79c134f
| -rw-r--r-- | src/manager/service/key-provider.cpp | 10 | ||||
| -rw-r--r-- | src/manager/service/key-provider.h | 13 |
2 files changed, 12 insertions, 11 deletions
diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp index 18911537..e89af167 100644 --- a/src/manager/service/key-provider.cpp +++ b/src/manager/service/key-provider.cpp @@ -146,12 +146,12 @@ KeyData makePKEK1(const KeyComponentsInfo& keyInfo, const Password &password) return key; } -// derives a key used for DB DEK encryption (aka PKEK2) from DomainKEK and user id -KeyData makePKEK2(const uint8_t *domainKEK, const std::string &user) +// derives a key (PKEK2) from DomainKEK and custom client string (may be a client id or uid) +KeyData makePKEK2(const uint8_t *domainKEK, const std::string &client) { KeyData key; - if (!PKCS5_PBKDF2_HMAC_SHA1(user.c_str(), - user.size(), + if (!PKCS5_PBKDF2_HMAC_SHA1(client.c_str(), + client.size(), domainKEK, MAX_SALT_SIZE, PBKDF2_ITERATIONS, @@ -413,7 +413,7 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) (kmcDEK.getKeyAndInfo().key) + kmcDEK.getKeyAndInfo().keyInfo.keyLength); } -RawBuffer KeyProvider::generateDEK(const ClientId &client) +RawBuffer KeyProvider::generateDEK(const std::string &client) { if (!m_isInitialized) ThrowErr(Exc::InternalError, "Object not initialized!"); diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h index 23523fae..668786ee 100644 --- a/src/manager/service/key-provider.h +++ b/src/manager/service/key-provider.h @@ -136,14 +136,15 @@ public: // This api should be used only on Tizen 2.2.1 RawBuffer getWrappedDomainKEK(const Password &password); - // EncryptedKey key extracted from database. Used to encrypt application data. - // This key will be used to decrypt/encrypt data in ROW + // Unwraps (decrypts) a DEK using a key derived from DomainKEK and data stored in wrapped key + // info. It returns the DEK in unencrypted form. RawBuffer getPureDEK(const RawBuffer &DEKInWrapForm); - // Returns WRAPPED DEK. This will be written to database. - // This key will be used to encrypt all application information. - // All application are identified by client id. - RawBuffer generateDEK(const ClientId &client); + // Generates a random DEK and encrypts it using a key derived from DomainKEK and custom client + // string (not to be confused with ClientId). The function returns the DEK in wrapped + // (encrypted) form. The function is used to produce a key for database encryption as well as + // application keys. + RawBuffer generateDEK(const std::string &client); // used by change user password. On error -> exception static RawBuffer reencrypt( |