diff options
authorKrzysztof Jackiewicz <>2019-02-19 12:39:17 +0100
committerKrzysztof Jackiewicz <>2019-02-19 12:52:44 +0100
commitee2c14eb1eafd0ecbdb660a8deb8568090230e33 (patch)
parent2cb35737891323de4b0fea29e060958375f25c26 (diff)
Refactor PKEK2 related functions
PKEK2 is used to derive both DB DEK and APP DEK. Currently, variable names and comments are a bit misleading. This commit refactors the variable names and comments to better describe the actual purpose of this key. Change-Id: If8ee266ec2da63c929f498f1ed009df5d79c134f
2 files changed, 12 insertions, 11 deletions
diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp
index 1891153..e89af16 100644
--- a/src/manager/service/key-provider.cpp
+++ b/src/manager/service/key-provider.cpp
@@ -146,12 +146,12 @@ KeyData makePKEK1(const KeyComponentsInfo& keyInfo, const Password &password)
return key;
-// derives a key used for DB DEK encryption (aka PKEK2) from DomainKEK and user id
-KeyData makePKEK2(const uint8_t *domainKEK, const std::string &user)
+// derives a key (PKEK2) from DomainKEK and custom client string (may be a client id or uid)
+KeyData makePKEK2(const uint8_t *domainKEK, const std::string &client)
KeyData key;
- if (!PKCS5_PBKDF2_HMAC_SHA1(user.c_str(),
- user.size(),
+ if (!PKCS5_PBKDF2_HMAC_SHA1(client.c_str(),
+ client.size(),
@@ -413,7 +413,7 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm)
(kmcDEK.getKeyAndInfo().key) + kmcDEK.getKeyAndInfo().keyInfo.keyLength);
-RawBuffer KeyProvider::generateDEK(const ClientId &client)
+RawBuffer KeyProvider::generateDEK(const std::string &client)
if (!m_isInitialized)
ThrowErr(Exc::InternalError, "Object not initialized!");
diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h
index 23523fa..668786e 100644
--- a/src/manager/service/key-provider.h
+++ b/src/manager/service/key-provider.h
@@ -136,14 +136,15 @@ public:
// This api should be used only on Tizen 2.2.1
RawBuffer getWrappedDomainKEK(const Password &password);
- // EncryptedKey key extracted from database. Used to encrypt application data.
- // This key will be used to decrypt/encrypt data in ROW
+ // Unwraps (decrypts) a DEK using a key derived from DomainKEK and data stored in wrapped key
+ // info. It returns the DEK in unencrypted form.
RawBuffer getPureDEK(const RawBuffer &DEKInWrapForm);
- // Returns WRAPPED DEK. This will be written to database.
- // This key will be used to encrypt all application information.
- // All application are identified by client id.
- RawBuffer generateDEK(const ClientId &client);
+ // Generates a random DEK and encrypts it using a key derived from DomainKEK and custom client
+ // string (not to be confused with ClientId). The function returns the DEK in wrapped
+ // (encrypted) form. The function is used to produce a key for database encryption as well as
+ // application keys.
+ RawBuffer generateDEK(const std::string &client);
// used by change user password. On error -> exception
static RawBuffer reencrypt(