src/include/ckm/ckm-manager.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184

/*
 *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License
 *
 *
 * @file        ckm-manager.h
 * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
 * @version     2.0
 * @brief       Main header file for client library.
 */
#pragma once

#include <string>
#include <memory>

#include <ckm/ckm-certificate.h>
#include <ckm/ckm-error.h>
#include <ckm/ckm-key.h>
#include <ckm/ckm-pkcs12.h>
#include <ckm/ckm-type.h>

// Central Key Manager namespace
namespace CKM {

class Manager;
typedef std::shared_ptr<Manager> ManagerShPtr;

class KEY_MANAGER_API Manager {
public:
	class Impl;

	Manager();
	Manager(const Manager &) = delete;
	Manager &operator=(const Manager &) = delete;

	virtual ~Manager();

	int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy);
	int saveCertificate(const Alias &alias, const CertificateShPtr &cert,
						const Policy &policy);
	int savePKCS12(
		const Alias &alias,
		const PKCS12ShPtr &pkcs,
		const Policy &keyPolicy,
		const Policy &certPolicy);

	/*
	 * Data must be extractable. If you set extractable bit to false function will
	 * return ERROR_INPUT_PARAM.
	 */
	int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy);

	int removeAlias(const Alias &alias);

	int getKey(const Alias &alias, const Password &password, KeyShPtr &key);
	int getCertificate(
		const Alias &alias,
		const Password &password,
		CertificateShPtr &certificate);
	int getData(const Alias &alias, const Password &password, RawBuffer &data);
	int getPKCS12(const Alias &alias, PKCS12ShPtr &pkcs);
	int getPKCS12(
		const Alias &alias,
		const Password &keyPass,
		const Password &certPass,
		PKCS12ShPtr &pkcs);

	// send request for list of all keys/certificates/data that application/user may use
	int getKeyAliasVector(AliasVector &aliasVector);
	int getKeyAliasPwdVector(AliasPwdVector &aliasPwdVector);
	int getKeyEncryptionStatus(const Alias &alias, bool &status);
	int getCertificateAliasVector(AliasVector &aliasVector);
	int getCertificateAliasPwdVector(AliasPwdVector &aliasPwdVector);
	int getCertificateEncryptionStatus(const Alias &alias, bool &status);
	int getDataAliasVector(AliasVector &aliasVector);
	int getDataAliasPwdVector(AliasPwdVector &aliasPwdVector);
	int getDataEncryptionStatus(const Alias &alias, bool &status);

	int createKeyPairRSA(
		const int size,              // size in bits [1024, 2048, 4096]
		const Alias &privateKeyAlias,
		const Alias &publicKeyAlias,
		const Policy &policyPrivateKey = Policy(),
		const Policy &policyPublicKey = Policy());

	int createKeyPairDSA(
		const int size,              // size in bits [1024, 2048, 3072, 4096]
		const Alias &privateKeyAlias,
		const Alias &publicKeyAlias,
		const Policy &policyPrivateKey = Policy(),
		const Policy &policyPublicKey = Policy());

	int createKeyPairECDSA(
		const ElipticCurve type,
		const Alias &privateKeyAlias,
		const Alias &publicKeyAlias,
		const Policy &policyPrivateKey = Policy(),
		const Policy &policyPublicKey = Policy());

	int createKeyAES(
		const int size,              // size in bits [128, 192, 256]
		const Alias &keyAlias,
		const Policy &policyKey = Policy());

	int getCertificateChain(
		const CertificateShPtr &certificate,
		const CertificateShPtrVector &untrustedCertificates,
		const CertificateShPtrVector &trustedCertificates,
		bool useTrustedSystemCertificates,
		CertificateShPtrVector &certificateChainVector);

	int getCertificateChain(
		const CertificateShPtr &certificate,
		const AliasVector &untrustedCertificates,
		const AliasVector &trustedCertificates,
		bool useTrustedSystemCertificates,
		CertificateShPtrVector &certificateChainVector);

	int createSignature(
		const Alias &privateKeyAlias,
		const Password &password,           // password for private_key
		const RawBuffer &message,
		const HashAlgorithm hash,
		const RSAPaddingAlgorithm padding,
		RawBuffer &signature);

	int verifySignature(
		const Alias &publicKeyOrCertAlias,
		const Password &password,           // password for public_key (optional)
		const RawBuffer &message,
		const RawBuffer &signature,
		const HashAlgorithm hash,
		const RSAPaddingAlgorithm padding);

	// This function will check all certificates in chain except Root CA.
	// This function will delegate task to service. You may use this even
	// if application does not have permission to use network.
	int ocspCheck(const CertificateShPtrVector &certificateChainVector,
				  int &ocspStatus);

	int setPermission(const Alias &alias, const ClientId &accessor,
					  PermissionMask permissionMask);

	// This function will encrypt data.
	// Since Tizen 5.0, on chosen images using TEE backend:
	// * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported)
	// * GCM modes with short tags (32 and 64 bits) are not supported
	// In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR
	int encrypt(const CryptoAlgorithm &algo,
				const Alias &keyAlias,
				const Password &password,
				const RawBuffer &plain,
				RawBuffer &encrypted);

	// This function will decrypt data.
	// Since Tizen 5.0, on chosen images using TEE backend:
	// * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported)
	// * GCM modes with short tags (32 and 64 bits) are not supported
	// In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR
	int decrypt(const CryptoAlgorithm &algo,
				const Alias &keyAlias,
				const Password &password,
				const RawBuffer &encrypted,
				RawBuffer &decrypted);

	static ManagerShPtr create();

private:
	std::unique_ptr<Impl> m_impl;
};

} // namespace CKM