2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the License);
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an AS IS BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 #ifndef __TIZEN_CORE_KEY_MANAGER_DOC_H__
17 #define __TIZEN_CORE_KEY_MANAGER_DOC_H__
19 * @ingroup CAPI_SECURITY_FRAMEWORK
20 * @defgroup CAPI_KEY_MANAGER_MODULE Key Manager
21 * @brief The key manager provides a secure repository protected by a user’s passwords for keys, certificates, and sensitive data of users and/or their APPs. Additionally, the key manager provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
23 * @section CAPI_KEY_MANAGER_MODULE_OVERVIEW Overview
25 * <tr><th>API</th><th>Description</th></tr>
27 * <td> @ref CAPI_KEY_MANAGER_CLIENT_MODULE</td>
28 * <td> Provides APIs accessing on the secure repository and additional secure cryptographic operations.</td>
31 * <td> @ref CAPI_KEY_MANAGER_TYPES_MODULE</td>
32 * <td> Defines a data types used in this APIs and provides utility methods handling them.</td>
36 * It provides a secure repository for keys, certificates, and sensitive data of users and/or their APPs which are protected by a user’s passwords.
37 * Additionally, it provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
39 * @image html capi_key_manager_overview_diagram.png
41 * The key manager provides 2 types of API.
42 * - secure repository APIs : These APIs provides storing, retrieving, and removing functions for keys, certificates, and data.
43 * - secure crypto APIs : These APIs provides additional cryptographic operations(create asymmetric key pair, sign/verify signature, verify certificate)
46 * A client can specify a simple access rules when storing a data in Key Manager.
47 * - Restricted/Non-Restricted:
48 * Data stored in Key Manager can be access on only by its owner if the data is tagged as restricted.
49 * For data tagged as non-restricted, all clients can access on the data.
50 * - Exportable/Non-Exportable:
51 * Only for data tagged as exportable, Key Manager returns the raw value of the data.
52 * If data is tagged as non-exportable, Key Manager doesn’t return its raw value. For that case, Key Manager provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
54 * All data in Key Manager is protected by a user’s password.
55 * Besides, a client can encrypt its data using its own password additionally.
56 * If a client provides a password when storing a data, the data will be encrypted with the password. This password should be provided when get the data from Key Manager.
58 * User Login/Logout and Data Protection
59 * - When a user logs in, logs out or changes his/her password, Key Manager should know about it.
60 * Privileged APPs such as ockScreen APP or Setting APP can notify to key manager using these control APIs.
61 * - When a user logs in, the key manager decrypts the user's DKEK(with which a user's data file is encrypted) with a user password.
62 * So during the login period, any client can access its data which is protected by a user's password.
63 * "user key" in API means DKEK.
64 * - When a user logs out, the key manager removes the user's DKEK from memory.
65 * Therefore, any clients cannot access to any data.
66 * - When a user change his/her password, the key manager re-encrypted the user's DKEK with a new password.
70 #endif /* __TIZEN_CORE_KEY_MANAGER_DOC_H__ */