2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the License);
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an AS IS BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 #ifndef __TIZEN_CORE_KEY_MANAGER_DOC_H__
19 #define __TIZEN_CORE_KEY_MANAGER_DOC_H__
23 * @ingroup CAPI_SECURITY_FRAMEWORK
24 * @defgroup CAPI_KEY_MANAGER_MODULE Key Manager
25 * @brief The key manager provides a secure repository protected by Tizen platform for keys, certificates, and sensitive data of users and/or their APPs.
26 * Additionally, the key manager provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
27 * Since Tizen 5.0 on chosen system images, module may use ARM TrustZone technology and may rely on particular TEE (Trusted Execution Environment) implementation.
28 * @section CAPI_KEY_MANAGER_MODULE_OVERVIEW Overview
30 * <tr><th>API</th><th>Description</th></tr>
32 * <td> @ref CAPI_KEY_MANAGER_CLIENT_MODULE</td>
33 * <td> Provides APIs for accessing the secure repository and additional secure cryptographic operations.</td>
36 * <td> @ref CAPI_KEY_MANAGER_TYPES_MODULE</td>
37 * <td> Defines data types used in these APIs and provides utility methods handling them.</td>
40 * It provides a secure repository for keys, certificates, and sensitive data of users and/or their APPs which are protected by Tizen platform.
41 * Additionally, it provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
43 * @image html capi_key_manager_overview_diagram.png
44 * The key manager provides 2 types of API.
45 * - secure repository APIs: These APIs provides storing, retrieving, and removing functions for keys, certificates, and data.
46 * - secure crypto APIs: These APIs provides additional cryptographic operations (create asymmetric key pair, sign/verify signature, verify certificate).
48 * A client can specify simple access rules when storing data in Key Manager.
49 * - Exportable/Non-Exportable:
50 * Only for data tagged as exportable, Key Manager returns the raw value of the data.
51 * If data is tagged as non-exportable, Key Manager does not return its raw value.
52 * In that case, Key Manager provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
54 * All data in Key Manager is protected by Tizen platform.
55 * Besides, a client can encrypt its data using its own password additionally.
56 * If a client provides a password when storing a data, the data will be encrypted with the password.
57 * This password should be provided when getting the data from Key Manager.
59 * - By default, only the owner of a data can access to the data.
60 * - If the owner grants the access to other applications, those applications can read or delete the data from key-manager DB.
61 * - When an application is deleted, the data and access control information granted by the application are also removed.
63 * - The format of alias is "package_id name".
64 * - If package_id is not provided by a client, the key-manager will add the package_id of the client to the name internally.
65 * - The client can specify only its own package id in the alias when storing a key, certificate, or data.
66 * - A client should specify the package id of the owner in the alias to retrieve a a key, certificate, or data shared by other applications.
67 * - Aliases are returned as the format of "package_id name" from the key-manager.
69 * Since Tizen 5.0 on chosen images, the realization of module functionality can be implemened using ARM TrustZone technology.
70 * Differences in standards governing TrustZone implementation and previous software-based implementation cause following differences in module operation:
71 * - When using TrustZone-based backend, GCM modes with 32 and 64 bit tag lengths are not supported.
72 * Global Platform TEE specification treats these configurations as unsafe and not supported.
73 * - When using TrustZone-based backend, passing big amounts of data (encryption/decryption) to the module has additional size restriction.
74 * Now it depends on the TEEC_CONFIG_SHAREDMEM_MAX_SIZE definition, specific for given TEE implementation, minus size of key-information needed to be passed to TEE.
75 * Minimum supported value for passing data to the module is at 500 kB.
79 #endif /* __TIZEN_CORE_KEY_MANAGER_DOC_H__ */