diff options
author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2017-11-29 16:32:28 +0100 |
---|---|---|
committer | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2017-11-29 17:22:12 +0100 |
commit | 4376dc1d73f2be35a52bc3a4039aa1c24de53fb3 (patch) | |
tree | a9885838e6405e77b3cdace313fc0f5691e5b7fd | |
parent | b69ec951ea341627a7670d202a1873553ca266ec (diff) | |
download | key-manager-4376dc1d73f2be35a52bc3a4039aa1c24de53fb3.tar.gz key-manager-4376dc1d73f2be35a52bc3a4039aa1c24de53fb3.tar.bz2 key-manager-4376dc1d73f2be35a52bc3a4039aa1c24de53fb3.zip |
Add backend field in policysubmit/tizen/20180312.095815submit/tizen/20171204.124944accepted/tizen/unified/20171205.155557
New field will allow user to force usage of software/hardwere backend
during runtime.
Change-Id: I6f3c575fa979807f456a32a70b278942cdb28b04
-rw-r--r-- | src/include/ckm/ckm-type.h | 14 | ||||
-rw-r--r-- | src/manager/common/protocols.h | 4 | ||||
-rw-r--r-- | src/manager/crypto/platform/decider.cpp | 19 | ||||
-rw-r--r-- | src/manager/crypto/platform/decider.h | 2 | ||||
-rw-r--r-- | src/manager/service/ckm-logic.cpp | 14 | ||||
-rw-r--r-- | tests/test_crypto-logic.cpp | 4 |
6 files changed, 42 insertions, 15 deletions
diff --git a/src/include/ckm/ckm-type.h b/src/include/ckm/ckm-type.h index e534384c..5a07a3de 100644 --- a/src/include/ckm/ckm-type.h +++ b/src/include/ckm/ckm-type.h @@ -70,12 +70,22 @@ enum class CertificateFieldId : int { SUBJECT }; +enum class PolicyBackend : int { + DEFAULT = 0, + FORCE_SOFTWARE = 1, + FORCE_HARDWARE = 2, +}; + struct Policy { - Policy(const Password &pass = Password(), bool extract = true) : - password(pass), extractable(extract) {} + Policy(const Password &pass = Password(), bool extract = true, PolicyBackend policyBackend = PolicyBackend::DEFAULT) + : password(pass) + , extractable(extract) + , backend(policyBackend) + {} virtual ~Policy() {} Password password; // byte array used to encrypt data inside CKM bool extractable; // if true key may be extracted from storage + PolicyBackend backend; }; enum class HashAlgorithm : int { diff --git a/src/manager/common/protocols.h b/src/manager/common/protocols.h index 6141a840..e8be62bf 100644 --- a/src/manager/common/protocols.h +++ b/src/manager/common/protocols.h @@ -89,14 +89,18 @@ struct COMMON_API PolicySerializable : public Policy, ISerializable { explicit PolicySerializable(IStream &stream) { + int policyBackend; Deserialization::Deserialize(stream, password); Deserialization::Deserialize(stream, extractable); + Deserialization::Deserialize(stream, policyBackend); + backend = static_cast<PolicyBackend>(policyBackend); } void Serialize(IStream &stream) const { Serialization::Serialize(stream, password); Serialization::Serialize(stream, extractable); + Serialization::Serialize(stream, static_cast<int>(backend)); } }; diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp index 98bd69f8..d5a55063 100644 --- a/src/manager/crypto/platform/decider.cpp +++ b/src/manager/crypto/platform/decider.cpp @@ -66,9 +66,18 @@ std::string convertTeecUUIDToString(TEEC_UUID uuid) return uuidStr; } -CryptoBackend chooseCryptoBackend(DataType data, bool exportable, - bool encrypted) +CryptoBackend chooseCryptoBackend(DataType data, + const Policy &policy, + bool encrypted) { + // user directly point proper backend - we will not discuss with it + if (policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE) + return CryptoBackend::OpenSSL; + + // user directly point proper backend - we will not discuss with it + if (policy.backend == CKM::PolicyBackend::FORCE_HARDWARE) + return CryptoBackend::TrustZone; + // For now only software backend supports device encyption key // TODO tz-backend could support the master key, but it would require // hardcoding a known key ID and querying TA whether the key is @@ -77,7 +86,7 @@ CryptoBackend chooseCryptoBackend(DataType data, bool exportable, return CryptoBackend::OpenSSL; // Only software backend allows for key export - if (exportable) + if (policy.extractable) return CryptoBackend::OpenSSL; // Use TrustZone only with symmetric keys until asymmetric @@ -127,9 +136,9 @@ GStore &Decider::getStore(CryptoBackend cryptoBackend) const "Backend not available. BackendId: ", (int)cryptoBackend); } -GStore &Decider::getStore(DataType data, bool exportable, bool encrypted) const +GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) const { - return getStore(chooseCryptoBackend(data, exportable, encrypted)); + return getStore(chooseCryptoBackend(data, policy, encrypted)); } } // namespace Crypto diff --git a/src/manager/crypto/platform/decider.h b/src/manager/crypto/platform/decider.h index 184f698a..ef0522c0 100644 --- a/src/manager/crypto/platform/decider.h +++ b/src/manager/crypto/platform/decider.h @@ -36,7 +36,7 @@ class Decider { public: Decider(); GStore &getStore(const Token &token) const; - GStore &getStore(DataType data, bool exportable, bool encrypted = false) const; + GStore &getStore(DataType data, const Policy &policy, bool encrypted = false) const; virtual ~Decider() {} diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index 2da20703..7d976a9f 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -401,7 +401,7 @@ DB::Row CKMLogic::createEncryptedRow( const Crypto::Data &data, const Policy &policy) const { - Crypto::GStore &store = m_decider.getStore(data.type, policy.extractable); + Crypto::GStore &store = m_decider.getStore(data.type, policy); // do not encrypt data with password during cc_mode on Token token = store.import(data, @@ -1176,8 +1176,7 @@ int CKMLogic::importInitialData( if (retCode != CKM_API_SUCCESS) return retCode; - Crypto::GStore &store = - m_decider.getStore(data.type, policy.extractable, !enc.encryptedKey.empty()); + Crypto::GStore &store = m_decider.getStore(data.type, policy, !enc.encryptedKey.empty()); Token token; @@ -1313,7 +1312,7 @@ int CKMLogic::createKeyAESHelper( keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN); keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size); Token key = m_decider.getStore(DataType::KEY_AES, - policy.extractable).generateSKey(keyGenAlgorithm, policy.password); + policy).generateSKey(keyGenAlgorithm, policy.password); // save the data DB::Row row(std::move(key), name, ownerLabel, @@ -1349,6 +1348,9 @@ int CKMLogic::createKeyPairHelper( if (!dt.isKey()) ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value."); + if (policyPrivate.backend != policyPublic.backend) + ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend."); + // use client label if not explicitly provided const Label &ownerLabelPrv = labelPrivate.empty() ? cred.smackLabel : labelPrivate; @@ -1365,7 +1367,9 @@ int CKMLogic::createKeyPairHelper( return CKM_API_ERROR_INPUT_PARAM; bool exportable = policyPrivate.extractable || policyPublic.extractable; - TokenPair keys = m_decider.getStore(dt, exportable).generateAKey(keyGenParams, + Policy lessRestricted(Password(), exportable, policyPrivate.backend); + + TokenPair keys = m_decider.getStore(dt, lessRestricted).generateAKey(keyGenParams, policyPrivate.password, policyPublic.password); diff --git a/tests/test_crypto-logic.cpp b/tests/test_crypto-logic.cpp index ffe67ff3..6bb84cd0 100644 --- a/tests/test_crypto-logic.cpp +++ b/tests/test_crypto-logic.cpp @@ -90,7 +90,7 @@ BOOST_AUTO_TEST_CASE(row_encryption) Policy policy(Password(), true); Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10)); Crypto::Decider decider; - Crypto::GStore &store = decider.getStore(data.type, true); + Crypto::GStore &store = decider.getStore(data.type, policy); Token token = store.import(data, policy.password); Name name = "test_data"; @@ -112,7 +112,7 @@ BOOST_AUTO_TEST_CASE(row_encryption_negatives) Policy policy(Password(), true); Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10)); Crypto::Decider decider; - Crypto::GStore &store = decider.getStore(data.type, true); + Crypto::GStore &store = decider.getStore(data.type, policy); Token token = store.import(data, policy.password); Name name = "test_data"; |