diff options
author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2018-09-28 13:46:21 +0200 |
---|---|---|
committer | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2018-10-04 15:00:19 +0200 |
commit | f0a0b4b6f6f5047df98a75ec999a964ce772b012 (patch) | |
tree | 21f6e26843a4fcd758f5f0410356e053a5db0a2d | |
parent | 78b884add004bc306a81bb79e91aacab44cb98a9 (diff) | |
download | key-manager-f0a0b4b6f6f5047df98a75ec999a964ce772b012.tar.gz key-manager-f0a0b4b6f6f5047df98a75ec999a964ce772b012.tar.bz2 key-manager-f0a0b4b6f6f5047df98a75ec999a964ce772b012.zip |
Support for encrypted initial-values
Add tag attribute in xml schema
Change-Id: Idc058e756ab6053103e1477292cacbacf57a9879
-rw-r--r-- | doc/example.xml | 190 | ||||
-rw-r--r-- | doc/initial_values.xsd | 5 | ||||
-rw-r--r-- | src/manager/crypto/generic-backend/encryption-params.h | 42 | ||||
-rw-r--r-- | src/manager/crypto/generic-backend/gstore.h | 9 | ||||
-rw-r--r-- | src/manager/crypto/sw-backend/store.cpp | 4 | ||||
-rw-r--r-- | src/manager/crypto/sw-backend/store.h | 2 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/internals.cpp | 4 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/internals.h | 2 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/store.cpp | 4 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/store.h | 2 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/tz-context.cpp | 20 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/tz-context.h | 3 | ||||
-rw-r--r-- | src/manager/initial-values/BufferHandler.cpp | 13 | ||||
-rw-r--r-- | src/manager/initial-values/BufferHandler.h | 8 | ||||
-rw-r--r-- | src/manager/initial-values/InitialValueHandler.cpp | 2 | ||||
-rw-r--r-- | src/manager/service/ckm-logic.cpp | 20 | ||||
-rw-r--r-- | src/manager/service/ckm-logic.h | 4 | ||||
-rw-r--r-- | tests/test_crypto-logic.cpp | 4 | ||||
-rw-r--r-- | tests/test_generic-backend.cpp | 5 | ||||
-rw-r--r-- | tests/test_tz-backend.cpp | 3 |
20 files changed, 128 insertions, 218 deletions
diff --git a/doc/example.xml b/doc/example.xml index cccc2142..3c6eb2ac 100644 --- a/doc/example.xml +++ b/doc/example.xml @@ -76,183 +76,19 @@ <Permission accessor="web_app1"/> <Permission accessor="web_app2"/> </Key> - <!-- key below is encrypted using AES-CBC algorithm. - The key used is decrypted <EncryptionKey> provided above. - IV is Base64 encoded. - Encryption: - * encrypt AES CBC: openssl aes-256-cbc -K `xxd -p -c 64 encryption_AES_key` -iv `xxd -p -c 64 encryption_AES_IV` -e -in data -out data.enc - --> - <Key name="test-encryption-prv" type="RSA_PRV"> - <EncryptedDER IV="X1RoaXNJc0lWRm9yQUVTXw=="> - BflJyNgOcGyJSqTegG+y7MJXI1crgsGY3PjFfMpbmMbwJkVexvxoEPdf2yE5Z7da - 6Vp4Qo2WOCUv/hllNTfm/dH7kOJOjcs/vaV1eRIfzEx3hvgKOyP82Hhkm1POynsF - 0GyMm/VwtJFwFHA5DaJzwLln2/AoD//vC731Qhucw0Zvi2hi74d6igPog9EugIj/ - tStvpgiNE6/Hb2ZRMDswgZ8o+tKCn+QHktR/YoZ19HfX7nDVRkMQxsiA8P4zO9Do - +iuiu/mGPVavlZA3df47TLG0kz+sz72jzPeEbfmvQo3gHWSuJ87TUwIcIoXDvaxY - xE8/On5OTqJy8HZ+jGvEThKI/96LQsFqKlEeGGenvzVJ+BVAF9x65uOkRll9yE6v - FIQcqbgipuBkdC6XLLaWTMgs5iiWvMn/lpNYrfZr52/TKqr09mNdei6yGvy+YuG8 - vu/xN7/3An/zE4FOIJadgI5eADj+Dz7exml3tKTuuDpR9fhxiXd7HmZhCCf11C3r - 54S6X9bZb7335L/5UfLxs4jMMfGhYD+1UF1Qb5zVW9IVMZ+owGeC6QQPUiX6HAxy - Rx7kLzd78uSbLNqeuiUeGiprxnuwMY2BgSqLq4WNCDWxY4hGTdkC7yg6DgY+L9Lz - wqVuJ6STmK9Hj9bL9YUe0KrzmVUfmsaq5PL+gfcv+S5lp2YlKw1cIVP9utw1ZuOo - j25EozWU8J+tuEa3l60Mmmh/sKzH9SH7C9EscwTYWOYjYYPwfCM9UIlNE9lnbl9s - bzkqJvaaXpB/HVY/b4wrldr1rK73+y9LOOzfNpV4L+R4spZXXjZ2HIW/iKQj/c14 + + <!-- + Example of trust zone (hardware) encrypted key: + * Data below are encrypted with AES_GCM and encoded with base64. + * The Data in plain form have value (in acscii): "ThisIsATopSecretAESKeyUsedInTest" + * Encyption key = decodeBase64("THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE=") + * IV is base64 encoded. + * tag is base64 encoded. + //--> + + <Key name="very-important-key" type="AES" backend="hardware"> + <EncryptedDER IV="5NQJ2cY7xQHQYs9EOflmvFG3JP7kCA3CCp2duiVcx30=" tag="RcRtXSrBOZyNQGgyT1m/LQ=="> + pawxDIglDfneINm8O7Nv6jxm21G9UEgDXK3yG6VK0fw= </EncryptedDER> </Key> - <Cert name="test-encryption-certificate" exportable="true"> - <!-- Note IV differs between items --> - <EncryptedDER IV="SVZkaWZmZXJzRnJJdGVtcw=="> - pPjY7wULPaBIwPKkgwKyKSZPa6NVJN3312q829KaXcNdQSoNJmsyyPDMqLr1W3Nw - /5DSfstMCh/MiUq4Dc1VCaHbVkRFVZMvitg7nfjDVkI9HGLpSGWzz1dc6kxn/rPv - l1Ox3sVog96Ebss+Givm4cKKYSQihCLTxcQcP6v4RGvTMhXIZmlz8n4Tr3MgyRB7 - XTWdoowosEUWrzPMSD39y18gRJVZ/ZKv68o5mntatSE8FS1L6dgb2TdKEFdydVd2 - /ob9GVwRkMxpBsQeUvPRYXnZS2f1L18IRPrKLKLKsDB+FysyXMAHMaxGWWil29/d - osOwMt34i6Bv21132lGt08t2LebmDJViZRVjzz9edIChBzsoG/E/3hX6v32ruJGU - 2kq5l0bOmpQFs9M0TTNNWnaZKvpFPA8b3ywaDRWeKAPHsNQpnrx0WygCmvbjUChf - TP1E5BVm6YjWxptvFvEINcotCj2+0fvG3zIcq01O/MpSFWbGdu9MLZtFl1rTRt8e - ER8+nOKZNi9JUOfsYJyrZmtwm56LXTPjgNYY+a8yp2EXFtHjO62QKYr8zAi98PxL - oiELHLF2xwFufvBAssSOPwRmDSIhljPbUy4UKUxFCeMJzdxgK0DMZw4FtcyBXGgG - ABP57OQ60HomoZZDwAQ/4B8unuOCp7uERsQH5Z4Ns+PiIM4Tk8j9Qg4YVN43FJtJ - tCsfagBPuQM+Cm5law0Y01asMr0wq/VlILMKX0KXpwgnVmQClRfcYBLHQmDTyCos - kYSWrSYDesvXJnB1j/hn1puCQHfyrmPH5fQTzanD5whyed7DeXBl+F5+f73uj9pC - DrtqG+YEOeJNj0PCAMq9B4Qe6xi06P6D/sG17Phl9wH5DSzfxxlst1xeaPBko9Bo - LM6Sh6echKIh0HddStmaBICXNeVKz958tD0piVYMVipZm5/+cpDxdGSuemUxWXJO - XAuYydZkuLksYjLyXDO5vEaqcVMtu54tjfdFS7vO87a9IF+mI7HHHdnNaDRHaAFi - 4rXdaGQr8zohq91NE3JYgSMbk1DlGfL1m9GN6IEUjqMQlAkGWal1Et9uwO98PpOk - a+r+N4lsYPKJbX2ywUvDHg== - </EncryptedDER> - </Cert> - <Data name="test-ascii-data-encryption"> - <!-- this below decrypts to ASCII: "My secret data" --> - <EncryptedASCII IV="X19hbm90aGVyX0lWXzJfXw==">zuBDjp8ptFthrU69Ua5cfg==</EncryptedASCII> - </Data> - <Data name="test-binary-data-encryption"> - <!-- this below decrypts to small PNG image --> - <EncryptedBinary IV="UE5HSVZQTkdJVlBOR0lWUA=="> - weK/LmGIPHeNA2YipqJa4K1+KPkE/Jl5EtfJjzP5x5ZGhf/OOTYe+fj4p2Wx47AC - Nd/heOAi3MkFrwu5x+swFMIeQMCMzQpRbXeCvTEuTXWnmRMoyMbHlPd7Nnk9xooF - oYfbKhVd5DOcHN3pwc+5DQkrRy/XaD1faj3YR3JEYSfOLq4F6hLlj4U7rYJyyFuf - kSBOTAQOXs0q83cc2L7RaK7OzFJPKYJjDkVYIakpIHXUcvNrb2DrJ13se4pcX6Zk - KARviziVu4x9r7hTRErU8SNEWrO6E63oDfyetWvtymT17MEhRsRKS39zhrVLHzGy - iWx2Igh6eH6t4UNkMIHZvJW4j8hxdmbRwhQstXrVq7Uyne0B1Fl2w7Lpn48jYEq8 - gaNlTZDzd8Pjz2ByrRq3/jln/xWnFwEY9oV/H53j6ctoJ2KUMiVYKej8anan8Fju - yO86HVEIYx++LblhqzuaqBhveVfB/feMYWpP8hi4AeWKcAGdM3L9QOYxbQ9OAOuC - Totu55NULkrzb5b+Rr+exTFpdEyic7sSEpBRV0vi6t/Lz72ebBq1oY3kn0dzZ6Ps - ia6ccITSdHW1MmW7cOkiA4XtyfvXtZtEJgmVnAnRrj4Qh0Oa9gxNOZrY/tlyyJod - v8JLYeBi3HRSlm2TME5hCHpBShVCRpkjLMQQ/nTPHvRNqr/BlPoXZg2FbJwreEzW - NZ2BaiKylRds5gnmmSnqnYUl4QtVSGsJPn8Hx0bNWwUeImjrXO9Nm01P8e5Iy+Ti - udxXTwpxZGyK2pbTs6EVxFY+fRF3SB4xcpup5fB6NHVPjiSrWABN848OReny3iS0 - FXwimWaVzmA5Ppnfqx1HGopmhH++oZyKt8W/f8GbhOffON0Gg3bsewhysW5Rz+Rx - IAGqzV5RR1lOb+UKPBI2OPXqYUWZ9ipicSw1LC39olImBZbDmmxLDEjX5r+rg77h - ss0hG/6847KQybmemJ7zUVE2oxmic2fONpgjn3OLecOZpUY/5n/1cvN8utLBJ2nx - asan7zBT+nW5RjAny8pOyyV1Ux2qga/CyV46LajHJiFPokAAl6JnDYRmahtA5BM0 - +jBvvnvSDGSM5qTh0EBLIN50WmN2TeEy/u2ZjuHFwJ41gtB6pARdJ1OT59+g5TcA - Ffc8twDzdbPbmWq8CGXVQHCvfS+2N2ECjwgnfVL1UZF69d5t9b5ysK17pU+ITPyI - Bxxde23I6U7sh2owrZgRAOVoA804flRg6g6rDJyVfu00oDkuui+Z/3RAsu6EiqiK - XISmLg236iumsxXcdAtOYyXn0nPZolsZnxzY2/bI0Df7rNSQ7RF5SSqhkFg1+OYT - gM4wMYYU0ts9jqr3ckJRWMRMdJxRsVVqSBo4fz8M5/dXMsOvGbLfnbwrqZSPCXrg - g+MX3QQdemmOgiEAGE+hxFBQMyQ6nIrDP061F4TVVhu4kGkZGxs/2W+CcQJT0aF8 - DC0EwfEBVP8yq4ytCU7Js72KkA4YsK2udUsQF/90cuzPSgT8FPDEOzszKsLGuct4 - T7Fj2Du1bVeVq4gPfdLgOdVRrZLab6vS5GFbli8UO0oAbM/Srxfh2Ghn4zS7Ol3q - MnwX36r3+KFNJYkBxCDMNEnj/QrSWpOlKo8LfAyGdvP/29CpmzPIGTUc1u8xZpJ0 - CmFOaxjaAFJH3BjW625QbcicOnN02p0Pv00andcDNEO4k3b3MgW6yjkDBKqQ61dz - traH19g0fFa0pjXycMqy2uwq7PhLW0QqYt4Q7cfvWRMnAOwJqhHOGGyzEixB1U5c - q4d8izdqb0JacE6px+WJ44a530L1nhy2O5jpaKVQmNYIKTBM+HYVuHNWTWmnauKP - ag4q8G+9EI/SRp9wKoGy81W5GwonV3D6/4N9hnQfqqRKUrbrhWc9NcUciWKh4b1n - Om499jdDw+7qXipi3ggPCFq0H3b9CPkKMFh4Y/YDy1SvXEDSlwJ4bXXakOpVzW9t - gDxk/fvZ8AHrFAYzW1wiDFZ8H5ZnhgBMyfztLOYBbjr5YSGej++Sq0DYoOkrK4X3 - 7+2nMrrhqmlukI7ufoP+8nsJjHdQK8yoQYGmwEEw9QHLyupqPVIQrO/VDgSN+6mW - YsulTKW9wPhk6dvsSMOscLUdDiOTeK0jGH7Qa6QQwk/u/agHSPWh7qLpEICjKBxx - pOMbZ3mGqTXIj+7tG0yO1/y2UXE6JTIXiMEvMmdCEiRcz1RJ6xx/aBwC2//tfiys - nNMswTCXePtv5P9Zn+ibIiOhpm0napHopQcqmevn/DSkxSuDfwevae3bgEcJ1gN9 - pkTnOm22CQzoGJY/b0wgNvxXdWhAAfeRhzpdh3V1C4dZEF8VXHDDt5gdjb0s1fNI - 2LiSruLVdAWmRNX5mrkUFfBOzWwsN3D34pG2Vaj6GuH8mAoko68oy6fUdjCjZooY - hn+u5bGm1T8Mf/YYloTWg4hlOWIEfOiLP7nCdCgRdsg+y0Gi5MY04fS29SlfffUp - VUdLzQAij+a/wbBLJZMLzJiYeHv+pFY6m1SbMoUsDbAo4PTRaLHmMOFKa6s/hlka - lfN408DHSNs63Gd6s3W+Owe5hMccfKyRvWdNRVrXBe39I101Sci7GwWAvHhhS9EP - 2HxxNyiwF1OCovnRHcm1b8Fcd42gbAveRVuFdI96dbFIeP0Z4I2gj+nk/yzlsG32 - LYYzE9D4WR2zjrTyVnylsJN76lyvjvkYjMt7fPt7lFYz7QLdZX8riGxqeFmim6Sk - UQ4RXxw/ObCw4omILxvgigW+eAhgng63Yb9mRDOrqk/cL5XECiahSs3VWTjV9sy2 - rNSPViWZW/LFOjuC3cT5rWEbc64cl0eKJTivEangOXxirRGW1ltTlzQo5kA933l/ - sRMr2tBSrX/+LqfPWNA8UZWSdMBcc0oDvDGrpTUtLcor5kshYN7PPdaR9TAf8ikY - 631mOef0HkQFsBUCFp9sr6QJD0/cfLlK5iLlyt+qFo2IgX2boddFwMtpYCt1+Uy1 - H2u6FuItIfpRu9lZ7MZf24HGibGx5/fzTXjqGMObPOaoLxI4eh1GGhIfVqmT9ntv - e2xHoNH+tLxOHPRNHEkKRtJoB1HH20+mT6JzEdPNPmsdTcN4R0xjw0ZHTha2iBkt - ocGow+1nYgkoieq1QweEbbCbF71XtUpyMxMSd+BAPIJJReRGvt3mD9RZ54HqlczW - MA0LYe1rUX0Mh2Ic0x1rXZuo33PXcsKsUpfb+EIPhBjpx2vCNMiFPcM+F0NVh/PP - zgbdjlnHr6DXn3rut6Y9fTau6UY8BmeOjG4LcNzcvcHHr9/8jXyW9wWAYYVRUI3J - 89/GR+YxW4WGuRBIV+wMkzBJmP7QDwAedSNBSAKa+08GKfJJRL2zIVgjffeBO+Un - TMTT7Q/a3bm+yekGsM6bchWTpY2ywdYQr936D55THonqCGlvPKyVHQaEa4U2eFDb - aIH84kP4olPCcC+TmWHBeBwMGvbW160hRCr3kSGY7hHcD0aXkdZPh1bYyWsIz/yS - eyUYCR+4Abu9lT1rTwHiSeo4YjNHOwQcfzBN9BwFUs6G1R81oC3qCwTYuJS2Eo09 - +sii/oH/o/7VjvewMmUzDHVJ4iMa8yRXtfOObrM9MfsQ0p9GnP7UTG3VwleIenFZ - 43DhvDl+kolw9phRuyCuCy7fSI8e7ejcQ3gSYWcIcgIIA5y/KdoCJDNdTjj3xDdo - p+hzg0OTjK57Fw286IVdzO5e5zznX0SPqXnZYncHHl2OmGZ+DT8ftkvD4BUJ74aO - fLsVwAZYJT1tSG2ymzu9yJR5p+hPTScpPi8HUDCnL4xL304Lmj3UfDauNJQcM/gT - mAJ/bfEtRqldMtN1EuH1TexvSkwkPrTUkryq2TYcw7vS72tNi+g6aZ7NdrQ8l4KZ - ZmrfwFnKNiVWus+zrffSDooEFZ3mj/vsFvV6fhw/Ni4QD1XAb0fJawUHvt0WHqZA - YnszBOzdmd8coJI17XbcwcP7DEoKIhLbPl1n0KNjL6j4EEoClwxZC+hAhi8kKMB3 - aWj4zpeIExYST8NgtCz44SoBTv5U0iCR19mhdcTnafGyRK82dGiBNguk8//siUiC - jt3Aa7chapoiQNwZGDCmSrZOxOoxMYlBuPRVQqeokPinsw5rkLh8+arz1XRDyuTK - vQ+jttyIVA9OFI5+e/hN0ryn4GPbiCG5wV5SKweRUCcX9m8TK5u6A3rhMvlcls3T - INn9/XjCX6HhVGgZ47LSmcZ5ojtWzOKpad0v8qjD3z2BWzUlbalgYsdWrsRPSeDA - wiGpKbqb9u0S1e6hMmGyNa8UbzhYtJ/AQ0qh003YR7j+nlfJXffNkt2B4DkDdsG3 - Alfhalwn5YUdcgm/6E+gnIg7JR4gXZhBL1R5SV1mzUgzyDEq5w2LBOx+TU33a3qf - ld0dJDJl0cG22n+GzQmm/6nPMnWX1ymK49h0tO9fLBLZsL8T1muo/PshhjhIv5VR - 9ET5UN5I+9d0nHWAv2DjNwetyD3WGZDHnuq0mpti58xzkOr4jfYqy9qKwFk/coAu - Briwv8OJ2U5XEOuU/9fEL+NdYWkHga++oObyxJUU5Qgfs6OWUXERyPwzgXHkbDqm - q6+GP1AxBAP32zD0XyGUht1nl+L5qpnbOpISJjMMrl7wuKezWbFAE8VzQNbbp62O - eI1GEX2c2resPXZ/tS5LtoZ2TrT8TKYRZ0k1qLuQhOTXXNYQhP8i4PGOAL6BMZsZ - USAEHcAZnlByBS8i49IlvJMewPfHmm7ceLu8aYlm3yOAr1QBNRMkxoJBXjAAnCCx - qCGIQtINrVIJNQDSogMPXa4JQzCRSsT0Hz8ejQeQ9xmaK4VjM64VRj11RWsHFexk - p+GdAGVteipz1xEQHBvnUdOVm/5ULHK+8w+5LgEwN0jGXlsQ6KhUX5BLQMWob0jL - 1np3Hml3MDxsPJPJjT4OKxNdWyyyP6PIDZj7DFqEa6+9Eg5Io7TSNk4e+LylfpPS - orsF2xaUzCaKOXjyXwPrW57UH8HtjnaeWh03qqdZCozCDdQ0pNpPk2vJYStZR/rY - BpQHZ6kZyLFdqLs+wMoPphF7q4bhjYk6MXwdHp5Q9q+MWPuM916g6vKaHUX+q6pL - YM8s13NkuUX1hEHaOC8I2dEsgcVPk++kDAR7JL5tn5hfJ06K8u5IHwuLUMtLKPt5 - ZA3LfrnXxqlZD164blhAvb1qPlRTh79+Tj+3zfwaUPma3PmTY12fvJiOn1aD4aYm - HgA0yrl2cApzB3C6M1S2QllsoJ/KrWVeSg16XuC+vjSnsRWgIj3PSvSwh9YVZT0h - TQlD/PoxrMOlPtQnpHzryQ8YKrTBc4SAuO23wKGkfUBkaBDFrUeprO2p0K9Eeus9 - jLkIgwTBwmF9bWMi214VdAI3I2BrJkGnx8Rb11C6rEu/5ZeI7g2dACSO27OhckNQ - ex490kQvqs1OJ6Fb/CyO8BsLBIyOhkEtglJsVibbcZrHnvoRYeRaWZj9TNdN6I3B - Dj0SwxDK9XAwGgWb+E4iwFUUg6yGrbBhUDWv5K7/ncgXz8iESXFKRowuD/J7rriU - V/s+yZ8URntBrZ35unuKu4xRieOEkn/JZg+HP0Grs5q3OQumEvZVjHqeJt40WaZ5 - RJ3NiiHGwWVa6Db/1q0cfETbTn5Qcy2k8ZE+OnRzAmI14nr6lt4eJRnMJ63k4nGc - Xj0WpVm7vhVWAQ9gfiYCcbYrR31dUeOBxsRtF+Lvg3TNEx8/x4LeGfxC9c5Ho1Sc - Z7fz+/ZycHFx+08W5Mb6PlKhI44uY8bed2Xz5gQhZ1hyXk6Y41uxabUryeCvrLrh - PJX25FkOcLhZnWDcyCQ1Rt4JltnZcZzHq12Ipgovos3lPOarySOzSHjs1TjB6Bv1 - zfBrCAGiY3rrG/W5gXs5eb97dWn5P8CD2uuZCBbTo0GVHdSHV9+JFHQO/0udmnEV - e9KRka43HU7AC+3aLeCq1KMoW/anl4DwPXdBCV6hj75TZ0EaA7Q51ETYFCLtyXzt - eiU9PE+bEymV6nk927wg7v38GLmdLTJ0F/G4MV0T4UxAdUrsAW33MGXC9/8YyOAz - zGh36fBdxTpM6hb1FHJl/tdboIAcTBJRobgmvhaDDVhsJiMJMwRhSFqcE7Q04c3c - 6rLNGZQ3/u5/Atj5ApZ60ZMH0N5LYcTm98HOROGiFbrYSiSqUyeoIPvME5FwijLw - eCxbwjP3WvUSw8XTeIoAf5QwzdI6GRX+6ontCvw6m3l1TohH/ACA+MK+qV1cTgMV - HdjywH4SKs3KfwCcTF4gxkHdYlNYDW63Z0lhAtDBXMxUNM/u215Wo+zX0gaSUqeu - by47hfhTHP5mW6ITRFvKcS/qUqo3iELljwSXhdw7PwM0whLnSEMGsYh27YVxEzBT - n9vcM5tqGykKs1wwmpXpEa6Zliu9swprpQCL5TcOVFKVMjSmDH2OwmaDwcFeTM50 - mg7BpiA5xLyQFphs8BPbyzkxNlbSI20S67Gx6yScrjsDxcEcVqmcyVVPwn/SqzVL - PyklAUbvRcRzkhvibBngIaFUfXXdCOrdQc8Ym/5kKeQ+QLiXxfIYmYKa2uyvMeTe - xoag7cmuUnICIYBrmHnVDNxXtC9mNiooUaX2S1lH2ct4s/NwRJm2c5O/igKO/byg - wQjiGqDZHyLlPSRxXbxG+tTf3qx8thYbJAO0r+AXYRj+sjJ+MtRozgY0nUeFEJb0 - ZeYQGlvtoXlGo876JWJ/e7JMatHxGGQ58vJApMTphe/PPh3WTJTE02Bs3Ylft2bp - EK5ODopXJ0UmQTn6T1hUwBRu9RO5rICr34XnFav06WekBT5/QTqHEvZ4k4//hvGr - d7PQS/EVLApiYWySLg56svmjn4RwfPSPHOwGagU311QOx7woYJD/vb4NBxXb99Qb - 7z42exUoZgqX+uKwHCuTzH/OVxhqrSoMX2yj09V6ZDUVHU11GOtDzVv07OU+u2vi - F0wPdrbedpmIr5BMCdCmqlIPYeBiaMVa/2+q3ud4o6/TeWmQpDZJCQ3xtxrNORQ7 - HTlY0MDp7G+sdPWJCN5OJ0Ac7uKW72ZC/5yHBJY7Lmrhi3V3vA+DH7A4GgPAphQM - yWlBP7sQqVWcA1XlgTycRzkfffXEUoS6qef+IgU/3i/kXmeNnf2kSvmtbiO4GRhC - Nhk2s71NUtYXNFJPav5/ZPXI3qOuySow5GYp3njGYmDhO45IzFCcQu40FqiOeyoV - lRYTS/BrybkMCu2S3VmIY9/2e7gguYigmyZRvvqOUED9JRqOfC14n5+wtxzSj/nw - xFFukVHQRNF6jcZLUNs0SoeFS/obPCE+QiDYBKVrTeT54LuwNLpTrgTnTkDE5VIm - LpX9ERh0Yh8HAO7eLHIPAiU/G1Etlc43GcDLN7bbGPQbCvKRzWKSUrLwKmryvTPi - eC36fh/yZEWtT2zEtddwbncRgXT20opzMJxB3qF5ZMQ1qLIsQbGYeUsRl9lxsT7A - CE6vCP235+urdA9IaBRPN1VpWDpV7YDbF/ZIkRDJevSnSSrBTed4WcXcSe7JNGFb - U3eFPi2vsekvb59CHqHPD8QvvqF3N/3Xp1uQZV+eBOCtRpMOZduBJ6QdZlGBaGrB - +RKJEl9ziqGkiqiQzw8MR2kSrRVKIs5cISbl/dOEqfkbp2A1Siy4kWt+2Zk5V+Sw - IPJDrjYIZKSzV6XhhN+fhMNOYJjByxEXXLvHRTydIUQpS5JPe3T1sMJCN8o41uKx - 4g+oPomYfJzKSbdpP84fVC4WQCMj+CiMGz/dWV27LgKPF0X9wel5s5gke4UDYQKe - FDf/4n3+neMgKohFUIcnqGnBTtThXqvK637m37WfQTIqNWkRH4pU/Acl/djkd+TD - yYRBt5UqwGovABM08jYkuA== - </EncryptedBinary> - </Data> </InitialValues> diff --git a/doc/initial_values.xsd b/doc/initial_values.xsd index 54672d9c..74b33a6a 100644 --- a/doc/initial_values.xsd +++ b/doc/initial_values.xsd @@ -148,11 +148,12 @@ <xsd:complexType name="EncryptedBase64Type"> <xsd:simpleContent> <xsd:extension base="EncodingRawType"> - <xsd:attribute name="IV" type="IV_Base64_string" use="required"/> + <xsd:attribute name="IV" type="Base64_string" use="required"/> + <xsd:attribute name="tag" type="Base64_string" use="required"/> </xsd:extension> </xsd:simpleContent> </xsd:complexType> - <xsd:simpleType name="IV_Base64_string"> + <xsd:simpleType name="Base64_string"> <xsd:restriction base="xsd:string"></xsd:restriction> </xsd:simpleType> diff --git a/src/manager/crypto/generic-backend/encryption-params.h b/src/manager/crypto/generic-backend/encryption-params.h new file mode 100644 index 00000000..5fa8e9c9 --- /dev/null +++ b/src/manager/crypto/generic-backend/encryption-params.h @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file encryption-params.h + * @author Bartłomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ +#pragma once + +#include <ckm/ckm-type.h> + +namespace CKM { +namespace Crypto { + +struct EncryptionParams { + EncryptionParams() {} + + EncryptionParams(RawBuffer iv, RawBuffer tag) : + iv(std::move(iv)), + tag(std::move(tag)) + {} + + RawBuffer iv; + RawBuffer tag; +}; + +} // namespace Crypto +} // namespace CKM + diff --git a/src/manager/crypto/generic-backend/gstore.h b/src/manager/crypto/generic-backend/gstore.h index 2984fdc1..638532d6 100644 --- a/src/manager/crypto/generic-backend/gstore.h +++ b/src/manager/crypto/generic-backend/gstore.h @@ -24,6 +24,7 @@ #include <generic-backend/exception.h> #include <generic-backend/gobj.h> +#include <generic-backend/encryption-params.h> #include <ckm/ckm-type.h> #include <crypto-backend.h> #include <token.h> @@ -57,11 +58,11 @@ public: } /* - * IV parameter makes sense only on device with built in key. - * IV parameter is used for decryption of Data. - * If Data is not encrypted it's ok to pass empty IV. + * EncryptionParams parameter makes sense only on device with built-in key. + * EncryptionParams parameter is used for decryption of Data. + * If Data is not encrypted it's ok to pass empty EncryptionParams. */ - virtual Token import(const Data &, const Password &, const RawBuffer & /* iv */) + virtual Token import(const Data &, const Password &, const EncryptionParams &) { ThrowErr(Exc::Crypto::OperationNotSupported); } diff --git a/src/manager/crypto/sw-backend/store.cpp b/src/manager/crypto/sw-backend/store.cpp index b41b8fdb..b4fd718a 100644 --- a/src/manager/crypto/sw-backend/store.cpp +++ b/src/manager/crypto/sw-backend/store.cpp @@ -219,9 +219,9 @@ Token Store::generateSKey(const CryptoAlgorithm &algorithm, return Token(m_backendId, ret.type, pack(ret.buffer, pass)); } -Token Store::import(const Data &data, const Password &pass, const RawBuffer &iv) +Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e) { - if (!iv.empty()) + if (!e.iv.empty()) ThrowErr(Exc::Crypto::OperationNotSupported, "Encrypted import is not yet supported on software backend!"); diff --git a/src/manager/crypto/sw-backend/store.h b/src/manager/crypto/sw-backend/store.h index 82798cd5..3dc50b81 100644 --- a/src/manager/crypto/sw-backend/store.h +++ b/src/manager/crypto/sw-backend/store.h @@ -35,7 +35,7 @@ public: virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &, const Password &); virtual Token generateSKey(const CryptoAlgorithm &, const Password &); - virtual Token import(const Data &data, const Password &, const RawBuffer &); + virtual Token import(const Data &data, const Password &, const EncryptionParams &); virtual void destroy(const Token &) {} private: diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp index 90cc9fb7..317a775c 100644 --- a/src/manager/crypto/tz-backend/internals.cpp +++ b/src/manager/crypto/tz-backend/internals.cpp @@ -119,7 +119,7 @@ void destroyKey(const RawBuffer &key) } RawBuffer importData(const Data &data, - const RawBuffer &encIV, + const EncryptionParams &encData, const Password &pwd, const RawBuffer &pwdIV, RawBuffer &tag) @@ -142,7 +142,7 @@ RawBuffer importData(const Data &data, uint32_t keySizeBits = data.data.size() * 8; TrustZoneContext::Instance().importData(dataType, data.data, - encIV, + encData, pwdBuf, pwdIV, keySizeBits, diff --git a/src/manager/crypto/tz-backend/internals.h b/src/manager/crypto/tz-backend/internals.h index c27933b0..1c76f8d3 100644 --- a/src/manager/crypto/tz-backend/internals.h +++ b/src/manager/crypto/tz-backend/internals.h @@ -49,7 +49,7 @@ Data generateSKey(const CryptoAlgorithm &alg, RawBuffer &tag); RawBuffer importData(const Data &key, - const RawBuffer &encIV, + const EncryptionParams &encData, const Password &pwd, const RawBuffer &pwdIV, RawBuffer &tag); diff --git a/src/manager/crypto/tz-backend/store.cpp b/src/manager/crypto/tz-backend/store.cpp index a3d65c75..166ae744 100644 --- a/src/manager/crypto/tz-backend/store.cpp +++ b/src/manager/crypto/tz-backend/store.cpp @@ -142,7 +142,7 @@ Token Store::generateSKey(const CryptoAlgorithm &alg, const Password &pass) return Token(m_backendId, ret.type, pack(ret.data, pass, iv, tag)); } -Token Store::import(const Data &data, const Password &pass, const RawBuffer &encIV) +Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e) { if (!data.type.isBinaryData() && !data.type.isSKey()) ThrowErr(Exc::Crypto::DataTypeNotSupported, "Invalid data provided for import"); @@ -155,7 +155,7 @@ Token Store::import(const Data &data, const Password &pass, const RawBuffer &enc passIV = Internals::generateIV(); } - RawBuffer dataId = Internals::importData(data, encIV, pass, passIV, tag); + RawBuffer dataId = Internals::importData(data, e, pass, passIV, tag); return Token(m_backendId, data.type, pack(dataId, pass, passIV, tag)); } diff --git a/src/manager/crypto/tz-backend/store.h b/src/manager/crypto/tz-backend/store.h index 4d44b6bc..664c7562 100644 --- a/src/manager/crypto/tz-backend/store.h +++ b/src/manager/crypto/tz-backend/store.h @@ -35,7 +35,7 @@ public: virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &, const Password &); virtual Token generateSKey(const CryptoAlgorithm &, const Password &); - virtual Token import(const Data &, const Password &, const RawBuffer &); + virtual Token import(const Data &, const Password &, const EncryptionParams &); virtual void destroy(const Token &); // TODO device key ID is needed here to support importEncrypted diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp index 859c5a2d..83ac6948 100644 --- a/src/manager/crypto/tz-backend/tz-context.cpp +++ b/src/manager/crypto/tz-backend/tz-context.cpp @@ -23,6 +23,7 @@ #include <tz-backend/tz-memory.h> #include <generic-backend/exception.h> #include <generic-backend/crypto-params.h> +#include <generic-backend/encryption-params.h> #include <dpl/log/log.h> #include <km_serialization.h> @@ -641,7 +642,7 @@ void TrustZoneContext::executeDestroy(const RawBuffer &keyId) void TrustZoneContext::importData( const uint32_t dataType, const RawBuffer &data, - const RawBuffer &encIV, + const Crypto::EncryptionParams &encData, const RawBuffer &pwd, const RawBuffer &iv, const uint32_t keySizeBits, @@ -655,7 +656,8 @@ void TrustZoneContext::importData( // uint32_t dataType contains information about type stored as binary data // KM_BinaryData with binary data // uint32_t binary/key size in bits - // KM_BinaryData IV for data decryption with build in key + // KM_BinaryData IV for data decryption with built in key + // KM_BinaryData TAG for data decryption with built in key // uint32_t boolean value - true if password is provided // KM_PwdData with password (optional) // Output: @@ -677,10 +679,15 @@ void TrustZoneContext::importData( inMemorySize += KM_SizeOfFlag(); KM_BinaryData ta_data_enc_iv; - ta_data_enc_iv.data_size = static_cast<uint32_t>(encIV.size()); - ta_data_enc_iv.data = const_cast<unsigned char *>(encIV.data()); + ta_data_enc_iv.data_size = static_cast<uint32_t>(encData.iv.size()); + ta_data_enc_iv.data = const_cast<unsigned char *>(encData.iv.data()); inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_iv); + KM_BinaryData ta_data_enc_tag; + ta_data_enc_tag.data_size = static_cast<uint32_t>(encData.tag.size()); + ta_data_enc_tag.data = const_cast<unsigned char *>(encData.tag.data()); + inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_tag); + uint32_t pwd_flag = pwd.empty() ? 0 : 1; inMemorySize += KM_SizeOfFlag(); @@ -723,6 +730,11 @@ void TrustZoneContext::importData( ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret); } + ret = KM_SerializeBinaryData(&inMemoryPtr, &inMemorySize, &ta_data_enc_tag); + if (ret) { + ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret); + } + ret = KM_SerializeFlag(&inMemoryPtr, &inMemorySize, pwd_flag); if (ret) { ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret); diff --git a/src/manager/crypto/tz-backend/tz-context.h b/src/manager/crypto/tz-backend/tz-context.h index fdce3ebd..123c21e1 100644 --- a/src/manager/crypto/tz-backend/tz-context.h +++ b/src/manager/crypto/tz-backend/tz-context.h @@ -26,6 +26,7 @@ #include <km_ta_defines.h> #include <memory> #include <tz-backend/obj.h> +#include <generic-backend/encryption-params.h> namespace CKM { namespace Crypto { @@ -49,7 +50,7 @@ public: RawBuffer &pwdTag); void importData(uint32_t dataType, const RawBuffer &data, - const RawBuffer &encIV, + const Crypto::EncryptionParams &encData, const RawBuffer &pwd, const RawBuffer &pwdIV, const uint32_t keySizeBits, diff --git a/src/manager/initial-values/BufferHandler.cpp b/src/manager/initial-values/BufferHandler.cpp index cca06b20..59178442 100644 --- a/src/manager/initial-values/BufferHandler.cpp +++ b/src/manager/initial-values/BufferHandler.cpp @@ -29,6 +29,7 @@ namespace { const char *const XML_ATTR_IV = "IV"; +const char *const XML_ATTR_TAG = "tag"; } namespace CKM { @@ -39,14 +40,22 @@ BufferHandler::~BufferHandler() {} void BufferHandler::Start(const XML::Parser::Attributes &attr) { - // get key type if (attr.find(XML_ATTR_IV) != attr.end()) { std::string IVstring = attr.at(XML_ATTR_IV); Base64Decoder base64; base64.reset(); base64.append(RawBuffer(IVstring.begin(), IVstring.end())); base64.finalize(); - m_IV = base64.get(); + m_encryptionParams.iv = base64.get(); + } + + if (attr.find(XML_ATTR_TAG) != attr.end()) { + std::string tag = attr.at(XML_ATTR_TAG); + Base64Decoder base64; + base64.reset(); + base64.append(RawBuffer(tag.begin(), tag.end())); + base64.finalize(); + m_encryptionParams.tag = base64.get(); } } diff --git a/src/manager/initial-values/BufferHandler.h b/src/manager/initial-values/BufferHandler.h index 08bca527..1b45839b 100644 --- a/src/manager/initial-values/BufferHandler.h +++ b/src/manager/initial-values/BufferHandler.h @@ -26,7 +26,7 @@ #include <parser.h> #include <EncodingType.h> #include <ckm/ckm-type.h> -#include <generic-backend/gobj.h> +#include <generic-backend/encryption-params.h> namespace CKM { namespace InitialValues { @@ -47,14 +47,14 @@ public: return m_data; } - const RawBuffer &getIV() const + const Crypto::EncryptionParams &getEncryptionParams() const { - return m_IV; + return m_encryptionParams; } private: EncodingType m_encoding; - RawBuffer m_IV; + Crypto::EncryptionParams m_encryptionParams; RawBuffer m_data; }; diff --git a/src/manager/initial-values/InitialValueHandler.cpp b/src/manager/initial-values/InitialValueHandler.cpp index 7853d391..6ca335a7 100644 --- a/src/manager/initial-values/InitialValueHandler.cpp +++ b/src/manager/initial-values/InitialValueHandler.cpp @@ -80,7 +80,7 @@ void InitialValueHandler::End() int ec = m_db_logic.importInitialData(m_name, Crypto::Data(getDataType(), m_bufferHandler->getData()), - m_bufferHandler->getIV(), + m_bufferHandler->getEncryptionParams(), policy); if (CKM_API_SUCCESS != ec) { diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index 98248ec6..6a10ad78 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -405,7 +405,7 @@ DB::Row CKMLogic::createEncryptedRow( // do not encrypt data with password during cc_mode on Token token = store.import(data, m_accessControl.isCCMode() ? "" : policy.password, - RawBuffer()); + Crypto::EncryptionParams()); DB::Row row(std::move(token), name, owner, static_cast<int>(policy.extractable)); crypto.encryptRow(row); @@ -804,7 +804,7 @@ Crypto::GObjUPtr CKMLogic::rowToObject( store.destroy(row); // import it to store with new scheme: data -> pass(data) - Token token = store.import(Crypto::Data(row.dataType, row.data), pass, RawBuffer()); + Token token = store.import(Crypto::Data(row.dataType, row.data), pass, Crypto::EncryptionParams()); // get it from the store (it can be different than the data we imported into store) obj = store.getObject(token, pass); @@ -1160,10 +1160,15 @@ RawBuffer CKMLogic::getDataList( int CKMLogic::importInitialData( const Name &name, const Crypto::Data &data, - const RawBuffer &iv, + const Crypto::EncryptionParams &encParams, const Policy &policy) { try { + if (encParams.iv.empty() != encParams.tag.empty()) { + LogError("Both iv and tag must be empty or set"); + return CKM_API_ERROR_INPUT_PARAM; + } + // Inital values are always imported with root credentials. Client id is not important. Credentials rootCred(0, ""); @@ -1176,11 +1181,12 @@ int CKMLogic::importInitialData( if (retCode != CKM_API_SUCCESS) return retCode; - Crypto::GStore &store = m_decider.getStore(data.type, policy, !iv.empty()); + Crypto::GStore &store = + m_decider.getStore(data.type, policy, !encParams.iv.empty()); Token token; - if (iv.empty()) { + if (encParams.iv.empty()) { // Data are not encrypted, let's try to verify them Crypto::Data binaryData; @@ -1189,11 +1195,11 @@ int CKMLogic::importInitialData( token = store.import(binaryData, m_accessControl.isCCMode() ? "" : policy.password, - iv); + encParams); } else { token = store.import(data, m_accessControl.isCCMode() ? "" : policy.password, - iv); + encParams); } DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM, diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h index 8115117e..7f9b5f02 100644 --- a/src/manager/service/ckm-logic.h +++ b/src/manager/service/ckm-logic.h @@ -36,7 +36,7 @@ #include <certificate-impl.h> #include <sys/types.h> #include <generic-backend/gobj.h> - +#include <generic-backend/encryption-params.h> #include <platform/decider.h> namespace CKM { @@ -209,7 +209,7 @@ public: int importInitialData( const Name &name, const Crypto::Data &data, - const RawBuffer &iv, + const Crypto::EncryptionParams &encData, const Policy &policy); int unlockSystemDB(); diff --git a/tests/test_crypto-logic.cpp b/tests/test_crypto-logic.cpp index f519e27b..d13f6af3 100644 --- a/tests/test_crypto-logic.cpp +++ b/tests/test_crypto-logic.cpp @@ -91,7 +91,7 @@ BOOST_AUTO_TEST_CASE(row_encryption) Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10)); Crypto::Decider decider; Crypto::GStore &store = decider.getStore(data.type, policy); - Token token = store.import(data, policy.password, RawBuffer()); + Token token = store.import(data, policy.password, Crypto::EncryptionParams()); Name name = "test_data"; ClientId owner = "test_owner"; @@ -113,7 +113,7 @@ BOOST_AUTO_TEST_CASE(row_encryption_negatives) Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10)); Crypto::Decider decider; Crypto::GStore &store = decider.getStore(data.type, policy); - Token token = store.import(data, policy.password, RawBuffer()); + Token token = store.import(data, policy.password, Crypto::EncryptionParams()); Name name = "test_data"; ClientId owner = "test_owner"; diff --git a/tests/test_generic-backend.cpp b/tests/test_generic-backend.cpp index 0b39bf37..5814a264 100644 --- a/tests/test_generic-backend.cpp +++ b/tests/test_generic-backend.cpp @@ -15,7 +15,8 @@ */ #include <generic-backend/gobj.h> #include <generic-backend/gstore.h> -//#include <generic-backend/algo-validation.h> +#include <generic-backend/algo-validation.h> +#include <generic-backend/encryption-params.h> #include <boost/test/unit_test.hpp> @@ -72,7 +73,7 @@ BOOST_AUTO_TEST_CASE(gstore) Exc::Crypto::OperationNotSupported); BOOST_REQUIRE_THROW(store.generateSKey(CryptoAlgorithm(), Password()), Exc::Crypto::OperationNotSupported); - BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password(), RawBuffer()), + BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password(), Crypto::EncryptionParams()), Exc::Crypto::OperationNotSupported); BOOST_REQUIRE_THROW(store.destroy(Token()), Exc::Crypto::OperationNotSupported); diff --git a/tests/test_tz-backend.cpp b/tests/test_tz-backend.cpp index 880211bc..93447dea 100644 --- a/tests/test_tz-backend.cpp +++ b/tests/test_tz-backend.cpp @@ -14,6 +14,7 @@ * limitations under the License */ #include <tz-backend/store.h> +#include <generic-backend/encryption-params.h> #include <boost/test/unit_test.hpp> @@ -30,7 +31,7 @@ BOOST_AUTO_TEST_CASE(store) Exc::Crypto::OperationNotSupported); BOOST_REQUIRE_THROW(store.generateAKey(CryptoAlgorithm(), Password(), Password()), Exc::Crypto::OperationNotSupported); - BOOST_REQUIRE_THROW(store.import(Data(), Password(), RawBuffer()), + BOOST_REQUIRE_THROW(store.import(Data(), Password(), Crypto::EncryptionParams()), Exc::Crypto::OperationNotSupported); BOOST_REQUIRE_NO_THROW(store.destroy(Token())); } |