From ae8aeca3723fc26e07d666dfb63277d4eba7ea52 Mon Sep 17 00:00:00 2001 From: Lukasz Kostyra Date: Tue, 5 Feb 2019 12:13:56 +0100 Subject: decider: Allow multiple policies for more complex logic When generating asymmetric keys, ckm-logic selected less restrictive policy out of two provided and selected key store this way. Now, both policies are supplied to Decider, which will allow for more complex backend selection logic. Change-Id: Id2b845326cae7bbf5d90bb575645c8af36c20d0f --- src/manager/common/data-type.cpp | 36 +---------------- src/manager/common/data-type.h | 3 +- src/manager/crypto/platform/decider.cpp | 63 ++++++++++++++++++----------- src/manager/crypto/platform/decider.h | 21 +++++++++- src/manager/crypto/tz-backend/internals.cpp | 4 +- src/manager/service/ckm-logic.cpp | 23 +++++++++-- tests/test_data-type.cpp | 44 +------------------- 7 files changed, 82 insertions(+), 112 deletions(-) diff --git a/src/manager/common/data-type.cpp b/src/manager/common/data-type.cpp index 9049d1be..0bcf74f5 100644 --- a/src/manager/common/data-type.cpp +++ b/src/manager/common/data-type.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -76,40 +76,6 @@ DataType::DataType(KeyType key) } } -DataType::DataType(AlgoType algorithmType) -{ - switch (algorithmType) { - case AlgoType::AES_CTR: - case AlgoType::AES_CBC: - case AlgoType::AES_GCM: - case AlgoType::AES_CFB: - case AlgoType::AES_GEN: - m_dataType = DataType::KEY_AES; - break; - - case AlgoType::RSA_SV: - case AlgoType::RSA_OAEP: - case AlgoType::RSA_GEN: - m_dataType = DataType::KEY_RSA_PUBLIC; - break; - - case AlgoType::DSA_SV: - case AlgoType::DSA_GEN: - m_dataType = DataType::KEY_DSA_PUBLIC; - break; - - case AlgoType::ECDSA_SV: - case AlgoType::ECDSA_GEN: - m_dataType = DataType::KEY_ECDSA_PUBLIC; - break; - - default: - ThrowErr(Exc::InputParam, - "Invalid conversion from AlgoType=", static_cast(algorithmType), - " to DBDataType"); - } -} - DataType::DataType(int data) : m_dataType(static_cast(data)) { diff --git a/src/manager/common/data-type.h b/src/manager/common/data-type.h index ba3c4fd0..30829e15 100644 --- a/src/manager/common/data-type.h +++ b/src/manager/common/data-type.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -70,7 +70,6 @@ public: DataType(Type data); explicit DataType(int data); explicit DataType(KeyType key); - explicit DataType(AlgoType algorithmType); DataType(const DataType &) = default; DataType &operator=(const DataType &) = default; diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp index a7e6b32f..e14e9b6a 100644 --- a/src/manager/crypto/platform/decider.cpp +++ b/src/manager/crypto/platform/decider.cpp 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -56,34 +56,41 @@ std::string ValueToString(const T& value) return str.str(); } -CryptoBackend chooseCryptoBackend(DataType data, - const Policy &policy, - bool encrypted) +CryptoBackend chooseCryptoBackend(const DataParams& params) { #ifdef TZ_BACKEND_ENABLED + if (params.size() != 1 && params.size() != 2) { + ThrowErr(Exc::Crypto::InternalError, "Invalid number of key parameters provided to decider"); + } + // user directly point proper backend - we will not discuss with it - if (policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE) + if (params[0].policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE) return CryptoBackend::OpenSSL; // user directly point proper backend - we will not discuss with it - if (policy.backend == CKM::PolicyBackend::FORCE_HARDWARE) + if (params[0].policy.backend == CKM::PolicyBackend::FORCE_HARDWARE) return CryptoBackend::TrustZone; - // For now only software backend supports device encyption key - // TODO tz-backend could support the master key, but it would require - // hardcoding a known key ID and querying TA whether the key is - // reachable - if (encrypted) - return CryptoBackend::OpenSSL; - - // tz-backend allows only for data binary export - if (policy.extractable && !data.isBinaryData()) - return CryptoBackend::OpenSSL; - - // Use TrustZone only with symmetric keys or unencrypted binary - // data until asymmetric cryptography is implemented - if (!data.isSKey() && !data.isBinaryData()) + if (params.size() == 1) { + // For now only software backend supports device encyption key + // TODO tz-backend could support the master key, but it would require + // hardcoding a known key ID and querying TA whether the key is + // reachable + if (params[0].encrypted) + return CryptoBackend::OpenSSL; + + // tz-backend allows only for data binary export + if (params[0].policy.extractable && !params[0].data.isBinaryData()) + return CryptoBackend::OpenSSL; + + // Use TrustZone only with symmetric keys or unencrypted binary + // data until 
asymmetric cryptography is implemented + if (!params[0].data.isSKey() && !params[0].data.isBinaryData()) + return CryptoBackend::OpenSSL; + } else if (params.size() == 2) { + LogDebug("2 keys - asymmetric encryption not yet supported, selecting OpenSSL"); return CryptoBackend::OpenSSL; + } try { LogDebug("Trying to open TA session..."); @@ -95,10 +102,9 @@ CryptoBackend chooseCryptoBackend(DataType data, LogDebug("...succeeded. Selecting TZ backend."); return CryptoBackend::TrustZone; + #else // TZ_BACKEND_ENABLED - (void) data; - (void) policy; - (void) encrypted; + (void) params; return CryptoBackend::OpenSSL; #endif // TZ_BACKEND_ENABLED } @@ -137,7 +143,16 @@ GStore &Decider::getStore(CryptoBackend cryptoBackend) const GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) const { - return getStore(chooseCryptoBackend(data, policy, encrypted)); + DataParams params{ + DataParam(data, policy, encrypted) + }; + + return getStore(chooseCryptoBackend(params)); +} + +GStore &Decider::getStore(const DataParams& params) const +{ + return getStore(chooseCryptoBackend(params)); } } // namespace Crypto diff --git a/src/manager/crypto/platform/decider.h b/src/manager/crypto/platform/decider.h index ef0522c0..14d10718 100644 --- a/src/manager/crypto/platform/decider.h +++ b/src/manager/crypto/platform/decider.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,6 +21,7 @@ #pragma once #include +#include #include 
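Review bot: The FORCE_SOFTWARE and FORCE_HARDWARE checks in chooseCryptoBackend consult only `params[0].policy.backend`, so with two entries the second key's backend policy never affects where the pair is stored; the decider leaves that invariant to createKeyPairHelper instead of enforcing it at the point where the key store is actually chosen. I would reject inconsistent input right after the size check, `if (params.size() == 2 && params[0].policy.backend != params[1].policy.backend) ThrowErr(Exc::Crypto::InternalError, "Key pair policies request different backends");`, so that a key the caller meant to keep in hardware cannot end up in software because of an ordering mistake elsewhere. Separately, the FORCE_HARDWARE early return still precedes the new `params.size() == 2` branch, so a key pair with FORCE_HARDWARE is routed to TrustZone even though that branch states asymmetric generation is not supported there yet; presumably the TZ backend rejects it, but a one-line comment on the early return saying this is deliberate would save the next reader the question.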
@@ -32,11 +33,28 @@ namespace CKM { namespace Crypto { +struct DataParam { + DataParam() = delete; + DataParam(const DataType &d, const Policy &pol, bool enc = false) + : data(d) + , policy(pol) + , encrypted(enc) + { + } + + DataType data; + Policy policy; + bool encrypted; +}; + +using DataParams = std::vector; + class Decider { public: Decider(); GStore &getStore(const Token &token) const; GStore &getStore(DataType data, const Policy &policy, bool encrypted = false) const; + GStore &getStore(const DataParams& params) const; virtual ~Decider() {} @@ -49,4 +67,3 @@ protected: } // Crypto } // CKM - diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp index 317a775c..71038e0a 100644 --- a/src/manager/crypto/tz-backend/internals.cpp +++ b/src/manager/crypto/tz-backend/internals.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 - 2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2017 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -86,7 +86,7 @@ Data generateSKey(const CryptoAlgorithm &alg, int keyBits = unpack(alg, ParamName::GEN_KEY_LEN); Data keyData; - keyData.type = DataType(keyType); + keyData.type = DataType(KeyType::KEY_AES); if (!pwd.empty()) { if (iv.empty()) { diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index c54b9a4f..aedf0646 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp 
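Review bot: DataParam and the DataParams alias carry no documentation of the contract chooseCryptoBackend imposes on the vector — only one or two entries are accepted, and for a pair the private key comes first — while that ordering is currently explained only by a comment next to ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP in ckm-logic.cpp, far from the type it constrains. I would put it on the struct: `// Key description handed to the Decider. A DataParams vector holds either one` / `// entry (single key or binary data) or two (key pair: private key first,` / `// public key second); chooseCryptoBackend rejects any other size.` On the same hunk, `DataParam() = delete;` is redundant once a user-declared constructor exists, since no implicit default constructor is generated anyway; it can go unless it is meant as documentation.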
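Review bot: In generateSKey the removed `DataType(keyType)` conversion also validated the algorithm — the deleted constructor threw Exc::InputParam for any non-AES AlgoType — and `DataType(KeyType::KEY_AES)` replaces it with a constant, so unless `keyType` is checked elsewhere in the function (its start lies outside the hunk) a non-AES ALGO_TYPE that reaches this path is now stored labelled as an AES key instead of being rejected. If the caller guarantees AES here, say so at the assignment, `// generateSKey only produces AES keys; ALGO_TYPE is validated by the caller`; otherwise keep an explicit check on keyType before the assignment. If `keyType` has no remaining use after this change it should be dropped together with its unpack to avoid an unused-variable warning.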
@@ -55,6 +55,16 @@ bool isNameValid(const CKM::Name &name) return true; } +// keypair data type, having private key data type and public key data type +// private is assumed to be .first, public .second +using DataTypePair = std::pair; + +const std::map ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP = { + { CKM::AlgoType::RSA_GEN, { CKM::DataType(CKM::KeyType::KEY_RSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_RSA_PUBLIC) } }, + { CKM::AlgoType::DSA_GEN, { CKM::DataType(CKM::KeyType::KEY_DSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_DSA_PUBLIC) } }, + { CKM::AlgoType::ECDSA_GEN, { CKM::DataType(CKM::KeyType::KEY_ECDSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_ECDSA_PUBLIC) } }, +}; + } // anonymous namespace namespace CKM { @@ -1391,10 +1401,10 @@ int CKMLogic::createKeyPairHelper( if (!keyGenParams.getParam(ParamName::ALGO_TYPE, keyType)) ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE not found."); - DataType dt(keyType); - - if (!dt.isKey()) + const auto dtIt = ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.find(keyType); + if (dtIt == ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.end()) ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value."); + const DataTypePair& dt = dtIt->second; if (policyPrivate.backend != policyPublic.backend) ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend."); @@ -1417,7 +1427,12 @@ int CKMLogic::createKeyPairHelper( bool exportable = policyPrivate.extractable || policyPublic.extractable; Policy lessRestricted(Password(), exportable, policyPrivate.backend); - TokenPair keys = m_decider.getStore(dt, lessRestricted).generateAKey(keyGenParams, + Crypto::DataParams params{ + Crypto::DataParam(dt.first, policyPrivate), + Crypto::DataParam(dt.second, policyPublic), + }; + + TokenPair keys = m_decider.getStore(params).generateAKey(keyGenParams, policyPrivate.password, policyPublic.password); diff --git a/tests/test_data-type.cpp b/tests/test_data-type.cpp index 3598273b..c1475418 100644 --- a/tests/test_data-type.cpp 
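Review bot: In the `@@ -1417,7 +1427,12 @@` hunk of createKeyPairHelper, `bool exportable` and `Policy lessRestricted(...)` remain as context lines although their only visible consumer, the removed getStore(dt, lessRestricted) call, is gone; unless they are used later in the function (which continues past the hunk) they are dead code and should be deleted, since a reader will otherwise assume the merged policy still influences the backend choice. The new ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP in the first hunk replaces the mapping that DataType(AlgoType) provided, but the tests that covered that mapping are deleted in tests/test_data-type.cpp without a replacement; the map sits in an anonymous namespace so it cannot be tested directly, though createKeyPairHelper's rejection of a non-GEN algorithm type can be. The `DataTypePair` comment reads awkwardly; `// Data types of a key pair: .first is the private key, .second the public key.` says the same thing in one line.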
+++ b/tests/test_data-type.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -37,48 +37,6 @@ BOOST_AUTO_TEST_CASE(CONSTRUCTOR) CKM::Exc::InputParam); BOOST_REQUIRE_THROW(DataType(static_cast(999)), CKM::Exc::InputParam); - - std::vector types; - - types.emplace_back(AlgoType::AES_CTR); - types.emplace_back(AlgoType::AES_CBC); - types.emplace_back(AlgoType::AES_GCM); - types.emplace_back(AlgoType::AES_CFB); - types.emplace_back(AlgoType::AES_GEN); - - for (auto &type : types) - BOOST_REQUIRE(type == DataType(DataType::KEY_AES)); - - types.clear(); - - types.emplace_back(AlgoType::RSA_SV); - types.emplace_back(AlgoType::RSA_OAEP); - types.emplace_back(AlgoType::RSA_GEN); - - for (auto &type : types) - BOOST_REQUIRE(type == DataType(DataType::KEY_RSA_PUBLIC)); - - types.clear(); - - types.emplace_back(AlgoType::DSA_SV); - types.emplace_back(AlgoType::DSA_GEN); - - for (auto &type : types) - BOOST_REQUIRE(type == DataType(DataType::KEY_DSA_PUBLIC)); - - types.clear(); - - types.emplace_back(AlgoType::ECDSA_SV); - types.emplace_back(AlgoType::ECDSA_GEN); - - for (auto &type : types) - BOOST_REQUIRE(type == DataType(DataType::KEY_ECDSA_PUBLIC)); - - types.clear(); - - BOOST_REQUIRE_THROW( - DataType(static_cast(-1)), - CKM::Exc::InputParam); } BOOST_AUTO_TEST_CASE(KEY_TYPE_CASTING) -- cgit v1.2.3