authorBartlomiej Grzelewski <b.grzelewski@samsung.com>2018-09-18 15:49:00 +0200
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2018-10-03 11:01:40 +0000
commitf6e9b94fd69a801f9594b92e8fff59410a089736 (patch)
tree0a4e8887d7b2253c9010c9a53021d8b218e5c230
parenta42856cbf7fa08b9971cf689a535eef3da93fd90 (diff)
downloadkey-manager-f6e9b94fd69a801f9594b92e8fff59410a089736.tar.gz
key-manager-f6e9b94fd69a801f9594b92e8fff59410a089736.tar.bz2
key-manager-f6e9b94fd69a801f9594b92e8fff59410a089736.zip
Add parser support of new schema version
Version 1 of the initial-values XML is no longer supported. From now on the software backend will not support encrypted data. Allow the parser to accept XML version 2. Initial-values files will contain information about the type of backend that should be used to store data. Change-Id: Ib3a73b14148a2476ab288ca364fffe9289400ebd
-rw-r--r--src/manager/crypto/generic-backend/gstore.h24
-rw-r--r--src/manager/crypto/sw-backend/store.cpp27
-rw-r--r--src/manager/crypto/sw-backend/store.h4
-rw-r--r--src/manager/crypto/tz-backend/store.cpp7
-rw-r--r--src/manager/crypto/tz-backend/store.h7
-rw-r--r--src/manager/initial-values/InitialValueHandler.cpp30
-rw-r--r--src/manager/initial-values/InitialValueHandler.h20
-rw-r--r--src/manager/initial-values/InitialValuesFile.cpp16
-rw-r--r--src/manager/initial-values/InitialValuesFile.h3
-rw-r--r--src/manager/service/ckm-logic.cpp13
-rw-r--r--src/manager/service/ckm-logic.h4
-rw-r--r--tests/test_generic-backend.cpp4
-rw-r--r--tests/test_tz-backend.cpp4
13 files changed, 68 insertions, 95 deletions
diff --git a/src/manager/crypto/generic-backend/gstore.h b/src/manager/crypto/generic-backend/gstore.h
index d66d9eae..564e4dd2 100644
--- a/src/manager/crypto/generic-backend/gstore.h
+++ b/src/manager/crypto/generic-backend/gstore.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -39,26 +39,15 @@ struct Data {
RawBuffer data; // buffer will be better?
};
-// Too generic. The name does not say anything aobut content.
-struct DataEncryption {
- DataEncryption() {}
- DataEncryption(RawBuffer encKey, RawBuffer ivector)
- : encryptedKey(std::move(encKey))
- , iv(std::move(ivector))
- {
- }
- RawBuffer encryptedKey;
- RawBuffer iv;
-};
-
class GStore {
public:
virtual GObjUPtr getObject(const Token &, const Password &)
{
ThrowErr(Exc::Crypto::OperationNotSupported);
}
- virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &,
- const Password &)
+ virtual TokenPair generateAKey(const CryptoAlgorithm &,
+ const Password &,
+ const Password &)
{
ThrowErr(Exc::Crypto::OperationNotSupported);
}
@@ -70,8 +59,9 @@ public:
{
ThrowErr(Exc::Crypto::OperationNotSupported);
}
- virtual Token importEncrypted(const Data &, const Password &,
- const DataEncryption &)
+ virtual Token importEncrypted(const Data &,
+ const Password &,
+ const RawBuffer & /* iv */)
{
ThrowErr(Exc::Crypto::OperationNotSupported);
}
diff --git a/src/manager/crypto/sw-backend/store.cpp b/src/manager/crypto/sw-backend/store.cpp
index 63cd046c..69308735 100644
--- a/src/manager/crypto/sw-backend/store.cpp
+++ b/src/manager/crypto/sw-backend/store.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -224,31 +224,6 @@ Token Store::import(const Data &data, const Password &pass)
return Token(m_backendId, data.type, pack(data.data, pass));
}
-Token Store::importEncrypted(const Data &data, const Password &pass,
- const DataEncryption &enc)
-{
- if (!m_deviceKey)
- ThrowErr(Exc::Crypto::InternalError, "No device key present");
-
- // decrypt the AES key using device key
- CryptoAlgorithm algorithmRSAOAEP;
- algorithmRSAOAEP.setParam(ParamName::ALGO_TYPE, AlgoType::RSA_OAEP);
- Crypto::SW::SKey aesKey(m_deviceKey->decrypt(algorithmRSAOAEP,
- enc.encryptedKey), DataType::KEY_AES);
-
- // decrypt the buffer using AES key
- CryptoAlgorithm algorithmAESCBC;
- algorithmAESCBC.setParam(ParamName::ALGO_TYPE, AlgoType::AES_CBC);
- algorithmAESCBC.setParam(ParamName::ED_IV, enc.iv);
- RawBuffer rawData = aesKey.decrypt(algorithmAESCBC, data.data);
-
- if (!Internals::verifyBinaryData(data.type, rawData))
- ThrowErr(Exc::Crypto::InputParam,
- "Verification failed. Data could not be imported!");
-
- return Token(m_backendId, data.type, pack(rawData, pass));
-}
-
} // namespace SW
} // namespace Crypto
} // namespace CKM
diff --git a/src/manager/crypto/sw-backend/store.h b/src/manager/crypto/sw-backend/store.h
index 6132b92b..a12e5611 100644
--- a/src/manager/crypto/sw-backend/store.h
+++ b/src/manager/crypto/sw-backend/store.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,8 +36,6 @@ public:
const Password &);
virtual Token generateSKey(const CryptoAlgorithm &, const Password &);
virtual Token import(const Data &data, const Password &);
- virtual Token importEncrypted(const Data &, const Password &,
- const DataEncryption &);
virtual void destroy(const Token &) {}
private:
diff --git a/src/manager/crypto/tz-backend/store.cpp b/src/manager/crypto/tz-backend/store.cpp
index 92aaad55..3404acbb 100644
--- a/src/manager/crypto/tz-backend/store.cpp
+++ b/src/manager/crypto/tz-backend/store.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -172,8 +172,9 @@ Token Store::import(const Data &data, const Password &pass)
return Token(m_backendId, data.type, pack(keyId, pass, iv, tag));
}
-Token Store::importEncrypted(const Data &, const Password &,
- const DataEncryption &)
+Token Store::importEncrypted(const Data &,
+ const Password &,
+ const RawBuffer &)
{
ThrowErr(Exc::Crypto::OperationNotSupported,
"Encrypted import is not yet supported on TrustZone backend!");
diff --git a/src/manager/crypto/tz-backend/store.h b/src/manager/crypto/tz-backend/store.h
index 2eddfbec..706c341b 100644
--- a/src/manager/crypto/tz-backend/store.h
+++ b/src/manager/crypto/tz-backend/store.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,8 +36,9 @@ public:
const Password &);
virtual Token generateSKey(const CryptoAlgorithm &, const Password &);
virtual Token import(const Data &, const Password &);
- virtual Token importEncrypted(const Data &, const Password &,
- const DataEncryption &);
+ virtual Token importEncrypted(const Data &,
+ const Password &,
+ const RawBuffer &);
virtual void destroy(const Token &);
// TODO device key ID is needed here to support importEncrypted
diff --git a/src/manager/initial-values/InitialValueHandler.cpp b/src/manager/initial-values/InitialValueHandler.cpp
index cd92dd67..acb2e4b0 100644
--- a/src/manager/initial-values/InitialValueHandler.cpp
+++ b/src/manager/initial-values/InitialValueHandler.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,6 +32,9 @@ namespace {
const char *const XML_ATTR_NAME = "name";
const char *const XML_ATTR_PASSWORD = "password";
const char *const XML_ATTR_EXPORTABLE = "exportable";
+const char *const XML_ATTR_BACKEND = "backend";
+const char *const XML_ATTR_BACKEND_SW = "software";
+const char *const XML_ATTR_BACKEND_HW = "hardware";
}
namespace CKM {
@@ -54,6 +57,15 @@ void InitialValueHandler::Start(const XML::Parser::Attributes &attr)
std::istringstream is(flagVal);
is >> std::boolalpha >> m_exportable;
}
+
+ // get backend
+ if (attr.find(XML_ATTR_BACKEND) != attr.end()) {
+ std::string value = attr.at(XML_ATTR_BACKEND);
+ if (value == XML_ATTR_BACKEND_SW)
+ m_backend = PolicyBackend::FORCE_SOFTWARE;
+ else if (value == XML_ATTR_BACKEND_HW)
+ m_backend = PolicyBackend::FORCE_HARDWARE;
+ }
}
void InitialValueHandler::End()
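Review bot: An unrecognised `backend` attribute value is silently ignored in the block added to Start(). Anything other than `software` or `hardware` (a typo, or different letter case) leaves `m_backend` at the `PolicyBackend::DEFAULT` set in the constructor, so a provisioning file that meant to force hardware storage would quietly lose that requirement. At minimum, add a final branch such as `else LogError("Unknown backend value: " << value);`. Whether the element should also be rejected depends on the parser's error convention, which is not visible in this hunk. The `find` followed by `at` also looks the key up twice; keeping the iterator from `attr.find(XML_ATTR_BACKEND)` avoids that.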
@@ -64,19 +76,17 @@ void InitialValueHandler::End()
}
// save data
- Policy policy(m_password, m_exportable);
+ Policy policy(m_password, m_exportable, m_backend);
- Crypto::DataEncryption de;
+ RawBuffer iv;
- if (m_bufferHandler->isEncrypted()) {
- de.encryptedKey = m_encryptedKey;
- de.iv = m_bufferHandler->getIV();
- }
+ if (m_bufferHandler->isEncrypted())
+ iv = m_bufferHandler->getIV();
int ec = m_db_logic.importInitialData(m_name,
- Crypto::Data(getDataType(), m_bufferHandler->getData()),
- de,
- policy);
+ Crypto::Data(getDataType(), m_bufferHandler->getData()),
+ iv,
+ policy);
if (CKM_API_SUCCESS != ec) {
LogError("Saving type: " << getDataType() << " with params: name(" <<
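Review bot: An encrypted buffer that arrives with an empty IV becomes indistinguishable from a plaintext value after this change. `iv` stays empty here, and the importInitialData hunk in ckm-logic.cpp branches on `iv.empty()` alone, so the ciphertext would be sent down the `store.import` path as if it were plain data. A guard such as `if (m_bufferHandler->isEncrypted() && iv.empty()) { LogError("Encrypted value without IV"); return; }` would catch this before the import call. How End() should bail out is an assumption, since its earlier checks start outside this hunk. Passing an explicit encrypted flag alongside the IV would remove the ambiguity at the source.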
diff --git a/src/manager/initial-values/InitialValueHandler.h b/src/manager/initial-values/InitialValueHandler.h
index 5a73ee92..f8d8a25e 100644
--- a/src/manager/initial-values/InitialValueHandler.h
+++ b/src/manager/initial-values/InitialValueHandler.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -39,9 +39,13 @@ class InitialValueHandler : public NoCharactersHandler {
public:
typedef std::shared_ptr<InitialValueHandler> InitialValueHandlerPtr;
- explicit InitialValueHandler(CKMLogic &db_logic,
- const CKM::RawBuffer &encryptedKey)
- : m_exportable(false), m_db_logic(db_logic), m_encryptedKey(encryptedKey) {}
+ explicit InitialValueHandler(CKMLogic &db_logic, const CKM::RawBuffer &encryptedKey) :
+ m_exportable(false),
+ m_backend(PolicyBackend::DEFAULT),
+ m_db_logic(db_logic),
+ m_encryptedKey(encryptedKey)
+ {}
+
virtual ~InitialValueHandler() {}
BufferHandler::BufferHandlerPtr CreateBufferHandler(EncodingType type);
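Review bot: The `encryptedKey` constructor parameter and the `m_encryptedKey` reference member are kept here even though End() in InitialValueHandler.cpp no longer reads the key after this commit. InitialValuesFile.h likewise keeps `m_encryptedAESkey` and the `EncryptionKeyHandlerPtr` typedef, although the only callback that filled that buffer is removed in InitialValuesFile.cpp. If nothing outside these hunks still uses them, drop the parameter, the member and the typedef. A `const CKM::RawBuffer &` member bound to a caller-owned buffer is a lifetime hazard with no remaining purpose. If they must stay for a follow-up change, a comment such as `// unused since XML v2; kept until EncryptionKeyHandler is removed` would make that explicit.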
@@ -52,9 +56,11 @@ public:
protected:
virtual DataType getDataType() const = 0;
- Alias m_name;
- Password m_password;
- bool m_exportable;
+ Alias m_name;
+ Password m_password;
+ bool m_exportable;
+ PolicyBackend m_backend;
+
CKMLogic &m_db_logic;
const CKM::RawBuffer &m_encryptedKey;
diff --git a/src/manager/initial-values/InitialValuesFile.cpp b/src/manager/initial-values/InitialValuesFile.cpp
index 854567e5..8108af12 100644
--- a/src/manager/initial-values/InitialValuesFile.cpp
+++ b/src/manager/initial-values/InitialValuesFile.cpp
@@ -33,9 +33,8 @@
#include <dpl/log/log.h>
namespace {
-const int XML_CURRENT_VERSION = 1;
+const int XML_CURRENT_VERSION = 2;
const char *const XML_TAG_INITIAL_VALUES = "InitialValues";
-const char *const XML_TAG_ENCRYPTION_KEY = "EncryptionKey";
const char *const XML_TAG_KEY = "Key";
const char *const XML_TAG_DATA = "Data";
const char *const XML_TAG_CERT = "Cert";
@@ -56,8 +55,7 @@ namespace InitialValues {
InitialValuesFile::InitialValuesFile(const std::string &XML_filename,
CKMLogic &db_logic)
: m_parser(XML_filename), m_db_logic(db_logic),
- m_header(std::make_shared<HeaderHandler>(*this)),
- m_encryptionKeyHandler(std::make_shared<EncryptionKeyHandler>(*this))
+ m_header(std::make_shared<HeaderHandler>(*this))
{
m_parser.RegisterErrorCb(InitialValuesFile::Error);
m_parser.RegisterElementCb(XML_TAG_INITIAL_VALUES,
@@ -65,13 +63,6 @@ InitialValuesFile::InitialValuesFile(const std::string &XML_filename,
return m_header;
},
[this](const XML::Parser::ElementHandlerPtr &) {});
- m_parser.RegisterElementCb(XML_TAG_ENCRYPTION_KEY,
- [this]() -> XML::Parser::ElementHandlerPtr {
- return m_encryptionKeyHandler;
- },
- [this](const XML::Parser::ElementHandlerPtr &) {
- m_encryptedAESkey = m_encryptionKeyHandler->getEncryptedKey();
- });
}
void InitialValuesFile::registerElementListeners()
@@ -290,9 +281,10 @@ void InitialValuesFile::HeaderHandler::Start(const XML::Parser::Attributes
m_parent.registerElementListeners();
}
}
+
bool InitialValuesFile::HeaderHandler::isCorrectVersion() const
{
- return m_version == XML_CURRENT_VERSION;
+ return XML_CURRENT_VERSION == m_version;
}
}
diff --git a/src/manager/initial-values/InitialValuesFile.h b/src/manager/initial-values/InitialValuesFile.h
index a11747b3..51a478e3 100644
--- a/src/manager/initial-values/InitialValuesFile.h
+++ b/src/manager/initial-values/InitialValuesFile.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -97,7 +97,6 @@ private:
typedef std::shared_ptr<HeaderHandler> HeaderHandlerPtr;
typedef std::shared_ptr<EncryptionKeyHandler> EncryptionKeyHandlerPtr;
HeaderHandlerPtr m_header;
- EncryptionKeyHandlerPtr m_encryptionKeyHandler;
CKM::RawBuffer m_encryptedAESkey;
void registerElementListeners();
diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp
index f3c21541..e988b7f4 100644
--- a/src/manager/service/ckm-logic.cpp
+++ b/src/manager/service/ckm-logic.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -1159,7 +1159,7 @@ RawBuffer CKMLogic::getDataList(
int CKMLogic::importInitialData(
const Name &name,
const Crypto::Data &data,
- const Crypto::DataEncryption &enc,
+ const RawBuffer &iv,
const Policy &policy)
{
try {
@@ -1175,21 +1175,22 @@ int CKMLogic::importInitialData(
if (retCode != CKM_API_SUCCESS)
return retCode;
- Crypto::GStore &store = m_decider.getStore(data.type, policy, !enc.encryptedKey.empty());
+ Crypto::GStore &store = m_decider.getStore(data.type, policy, !iv.empty());
Token token;
- if (enc.encryptedKey.empty()) {
+ if (iv.empty()) {
Crypto::Data binaryData;
if (CKM_API_SUCCESS != (retCode = toBinaryData(data, binaryData)))
return retCode;
token = store.import(binaryData,
- m_accessControl.isCCMode() ? "" : policy.password);
+ m_accessControl.isCCMode() ? "" : policy.password);
} else {
token = store.importEncrypted(data,
- m_accessControl.isCCMode() ? "" : policy.password, enc);
+ m_accessControl.isCCMode() ? "" : policy.password,
+ iv);
}
DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
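Review bot: The `else` branch can now reach a store that has no `importEncrypted` override. The software backend's implementation is deleted in this commit, so when `m_decider.getStore` returns the software store the call falls through to the GStore default and throws `Exc::Crypto::OperationNotSupported`. Whether the decider can return it for a non-empty `iv`, for example when the XML sets `backend="software"` on an encrypted value, is not visible in this hunk, and neither is the catch that maps the exception to a return code. Please confirm that this combination is rejected with a clear error. A comment on the branch would also help, for example `// encrypted import is hardware-only; the SW store throws OperationNotSupported`.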
diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h
index 95048cb7..8115117e 100644
--- a/src/manager/service/ckm-logic.h
+++ b/src/manager/service/ckm-logic.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -209,7 +209,7 @@ public:
int importInitialData(
const Name &name,
const Crypto::Data &data,
- const Crypto::DataEncryption &enc,
+ const RawBuffer &iv,
const Policy &policy);
int unlockSystemDB();
diff --git a/tests/test_generic-backend.cpp b/tests/test_generic-backend.cpp
index c2e80a04..114d794a 100644
--- a/tests/test_generic-backend.cpp
+++ b/tests/test_generic-backend.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -75,7 +75,7 @@ BOOST_AUTO_TEST_CASE(gstore)
BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password()),
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_THROW(store.importEncrypted(Crypto::Data(), Password(),
- Crypto::DataEncryption()),
+ RawBuffer()),
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_THROW(store.destroy(Token()),
Exc::Crypto::OperationNotSupported);
diff --git a/tests/test_tz-backend.cpp b/tests/test_tz-backend.cpp
index 745d3f8a..853326cb 100644
--- a/tests/test_tz-backend.cpp
+++ b/tests/test_tz-backend.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017 - 2018 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,7 +32,7 @@ BOOST_AUTO_TEST_CASE(store)
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_THROW(store.import(Data(), Password()),
Exc::Crypto::OperationNotSupported);
- BOOST_REQUIRE_THROW(store.importEncrypted(Data(), Password(), DataEncryption()),
+ BOOST_REQUIRE_THROW(store.importEncrypted(Data(), Password(), RawBuffer()),
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_NO_THROW(store.destroy(Token()));
}