2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file ckmc-manager.h
19 * @brief provides management functions(storing, retrieving, and removing) for keys, certificates and data of a user and additional crypto functions.
23 #ifndef __TIZEN_CORE_CKMC_MANAGER_H
24 #define __TIZEN_CORE_CKMC_MANAGER_H
27 #include <sys/types.h>
28 #include <ckmc/ckmc-type.h>
35 * @addtogroup CAPI_KEY_MANAGER_MODULE
41 * @brief Stores a key inside key manager based on the provided policy.
43 * @remarks Currently only four types of keys are supported for this API. These are RSA public/private key and ECDSA /private key.
44 * @remarks key_type in key may be set to #CKM_KEY_NONE as an input. key_type is determined inside key manager during storing keys.
45 * @remarks Some private key files are protected by a password. if raw_key in key read from those encrypted files is encrypted with a password, the password should be provided in the #ckm_key structure.
46 * @remarks if password in policy is provided, the key is additionally encrypted with the password in policy.
48 * @param[in] alias is the name of a key to be stored
49 * @param[in] key has a key's binary value to be stored.
50 * @param[in] policy is about how to store a key securely.
52 * @return 0 on success, otherwise a negative error value
53 * @retval #CKM_API_SUCCESS Successful
54 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
55 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
56 * @retval #CKM_API_ERROR_DB_ALIAS_EXISTS alias already exists.
57 * @retval #CKM_API_ERROR_INVALID_FORMAT the format of raw_key is not valid.
58 * @retval #CKM_API_ERROR_DB_ERROR failed due to other DB transaction unexpectedly.
60 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
62 * @see ckm_remove_key()
64 * @see ckm_get_key_alias_list()
68 int ckm_save_key(const char *alias, const ckm_key key, const ckm_policy policy);
71 * @brief Removes a key from key manager
73 * @remarks a client can remove only keys stored by the client.
75 * @param[in] alias is the name of a key to be removed
77 * @return 0 on success, otherwise a negative error value
78 * @retval #CKM_API_SUCCESS Successful
79 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
80 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
81 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
82 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
84 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
88 * @see ckm_get_key_alias_list()
90 int ckm_remove_key(const char *alias);
93 * @brief Get a key from key manager
95 * @remarks a client can access only data stored by the client and non-restricted data stored by other clients.
96 * @remarks A newly created ppkey should be destroyed by calling ckm_key_free() if it is no longer needed.
98 * @param[in] alias is the name of a key to retrieve
99 * @param[in] password is used in decrypting a key value. If password of policy is provided in ckm_save_key(), the same password should be provided.
100 * @param[out] ppkey is a pointer to a newly created ckm_key handle
102 * @return 0 on success, otherwise a negative error value
103 * @retval #CKM_API_SUCCESS Successful
104 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
105 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
106 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
107 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
109 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
111 * @see ckm_save_key()
112 * @see ckm_remove_key()
113 * @see ckm_get_key_alias_list()
115 int ckm_get_key(const char *alias, const char *password, ckm_key **ppkey);
118 * @brief Get a all alias of keys to which the client can access
120 * @remarks a client can access only data stored by the client and non-restricted data stored by other clients.
121 * @remarks A newly created ppalias_list should be destroyed by calling ckm_alias_list_all_free() if it is no longer needed.
123 * @param[out] ppalias_list is a pointer to a newly created ckm_alias_list handle containing all available alias of keys. If there is no available key alias, *ppalias_list will be null.
125 * @return 0 on success, otherwise a negative error value
126 * @retval #CKM_API_SUCCESS Successful
127 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
128 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
129 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
130 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
132 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
134 * @see ckm_save_key()
135 * @see ckm_remove_key()
138 int ckm_get_key_alias_list(ckm_alias_list** ppalias_list);
144 * @brief Stores a certificate inside key manager based on the provided policy.
146 * @param[in] alias is the name of a certificate to be stored
147 * @param[in] cert has a certificate's binary value to be stored.
148 * @param[in] policy is about how to store a certificate securely.
150 * @return 0 on success, otherwise a negative error value
151 * @retval #CKM_API_SUCCESS Successful
152 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
153 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
154 * @retval #CKM_API_ERROR_DB_ALIAS_EXISTS alias already exists.
155 * @retval #CKM_API_ERROR_INVALID_FORMAT the format of raw_cert is not valid.
156 * @retval #CKM_API_ERROR_DB_ERROR failed due to other DB transaction unexpectedly.
158 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
160 * @see ckm_remove_cert()
161 * @see ckm_get_cert()
162 * @see ckm_get_cert_alias_list()
166 int ckm_save_cert(const char *alias, const ckm_cert cert, const ckm_policy policy);
169 * @brief Removes a certificate from key manager
171 * @remarks a client can remove only certificates stored by the client.
173 * @param[in] alias is the name of a certificate to be removed
175 * @return 0 on success, otherwise a negative error value
176 * @retval #CKM_API_SUCCESS Successful
177 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
178 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
179 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
180 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
182 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
184 * @see ckm_save_cert()
185 * @see ckm_get_cert()
186 * @see ckm_get_cert_alias_list()
188 int ckm_remove_cert(const char *alias);
191 * @brief Get a certificate from key manager
193 * @remarks a client can access only certificate stored by the client and non-restricted certificate stored by other clients.
194 * @remarks A newly created ppcert should be destroyed by calling ckm_cert_free() if it is no longer needed.
196 * @param[in] alias is the name of a certificate to retrieve
197 * @param[in] password is used in decrypting a certificate value. If password of policy is provided in ckm_save_cert(), the same password should be provided.
198 * @param[out] ppcert is a pointer to a newly created ckm_cert handle
200 * @return 0 on success, otherwise a negative error value
201 * @retval #CKM_API_SUCCESS Successful
202 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
203 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
204 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
205 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
207 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
209 * @see ckm_save_cert()
210 * @see ckm_remove_cert()
211 * @see ckm_get_cert_alias_list()
213 int ckm_get_cert(const char *alias, const char *password, const ckm_cert **ppcert);
216 * @brief Get a all alias of certificates to which the client can access
218 * @remarks a client can access only data stored by the client and non-restricted data stored by other clients.
219 * @remarks A newly created ppalias_list should be destroyed by calling ckm_alias_list_all_free() if it is no longer needed.
221 * @param[out] ppalias_list is a pointer to a newly created ckm_alias_list handle containing all available alias of keys. If there is no available key alias, *ppalias_list will be null.
223 * @return 0 on success, otherwise a negative error value
224 * @retval #CKM_API_SUCCESS Successful
225 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
226 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
227 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
228 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
230 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
232 * @see ckm_save_cert()
233 * @see ckm_remove_cert()
234 * @see ckm_get_cert()
236 int ckm_get_cert_alias_list(ckm_alias_list** ppalias_list);
242 * @brief Stores a data inside key manager based on the provided policy.
244 * @param[in] alias is the name of a data to be stored
245 * @param[in] data has a binary value to be stored.
246 * @param[in] policy is about how to store a data securely.
248 * @return 0 on success, otherwise a negative error value
249 * @retval #CKM_API_SUCCESS Successful
250 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
251 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
252 * @retval #CKM_API_ERROR_DB_ALIAS_EXISTS alias already exists.
253 * @retval #CKM_API_ERROR_DB_ERROR failed due to other DB transaction unexpectedly.
255 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
257 * @see ckm_remove_data()
258 * @see ckm_get_data()
259 * @see ckm_get_data_alias_list()
260 * @see #ckm_raw_buffer
263 int ckm_save_data(const char *alias, ckm_raw_buffer data, const ckm_policy policy);
266 * @brief Removes a data from key manager
268 * @remarks a client can remove only data stored by the client.
270 * @param[in] alias is the name of a data to be removed
272 * @return 0 on success, otherwise a negative error value
273 * @retval #CKM_API_SUCCESS Successful
274 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
275 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
276 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
277 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
279 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
281 * @see ckm_save_data()
282 * @see ckm_get_data()
283 * @see ckm_get_data_alias_list()
285 int ckm_remove_data(const char *alias);
288 * @brief Get a data from key manager
290 * @remarks a client can access only data stored by the client and non-restricted data stored by other clients.
291 * @remarks A newly created ppdata should be destroyed by calling ckm_buffer_free() if it is no longer needed.
293 * @param[in] alias is the name of a data to retrieve
294 * @param[in] password is used in decrypting a data value. If password of policy is provided in ckm_save_data(), the same password should be provided.
295 * @param[out] ppdata is a pointer to a newly created ckm_raw_buffer handle
297 * @return 0 on success, otherwise a negative error value
298 * @retval #CKM_API_SUCCESS Successful
299 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
300 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
301 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
302 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
304 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
306 * @see ckm_save_data()
307 * @see ckm_remove_data()
308 * @see ckm_get_data_alias_list()
310 int ckm_get_data(const char *alias, const char *password, ckm_raw_buffer **ppdata);
313 * @brief Get a all alias of data to which the client can access
315 * @remarks a client can access only data stored by the client and non-restricted data stored by other clients.
316 * @remarks A newly created ppalias_list should be destroyed by calling ckm_alias_list_all_free() if it is no longer needed.
318 * @param[out] ppalias_list is a pointer to a newly created ckm_alias_list handle containing all available alias of keys. If there is no available key alias, *ppalias_list will be null.
320 * @return 0 on success, otherwise a negative error value
321 * @retval #CKM_API_SUCCESS Successful
322 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
323 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
324 * @retval #CKM_API_ERROR_DB_ERROR failed due to the error with unknown reason
325 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
327 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
329 * @see ckm_save_data()
330 * @see ckm_remove_data()
331 * @see ckm_get_data()
333 int ckm_get_data_alias_list(ckm_alias_list** ppalias_list);
339 * @brief Creates RSA private/public key pair and stores them inside key manager based on each policy.
341 * @remarks if password in policy is provided, the key is additionally encrypted with the password in policy.
343 * @param[in] size is the size of key strength to be created. 1024, 2048, and 4096 are supported.
344 * @param[in] private_key_alias is the name of private key to be stored.
345 * @param[in] public_key_alias is the name of public key to be stored.
346 * @param[in] policy_private_key is about how to store a private key securely.
347 * @param[in] policy_public_key is about how to store a public key securely.
349 * @return 0 on success, otherwise a negative error value
350 * @retval #CKM_API_SUCCESS Successful
351 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
352 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
353 * @retval #CKM_API_ERROR_DB_ALIAS_EXISTS alias already exists.
354 * @retval #CKM_API_ERROR_DB_ERROR failed due to other DB transaction unexpectedly.
356 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
358 * @see ckm_create_key_pair_ecdsa()
359 * @see ckm_create_signature()
360 * @see ckm_verify_signature()
362 int ckm_create_key_pair_rsa(const size_t size, const char *private_key_alias, const char *public_key_alias, const ckm_policy policy_private_key, const ckm_policy policy_public_key);
365 * @brief Creates ECDSA private/public key pair and stores them inside key manager based on each policy.
367 * @remarks if password in policy is provided, the key is additionally encrypted with the password in policy.
369 * @param[in] type is the type of eliptic curve of ECDSA.
370 * @param[in] private_key_alias is the name of private key to be stored.
371 * @param[in] public_key_alias is the name of public key to be stored.
372 * @param[in] policy_private_key is about how to store a private key securely.
373 * @param[in] policy_public_key is about how to store a public key securely.
375 * @return 0 on success, otherwise a negative error value
376 * @retval #CKM_API_SUCCESS Successful
377 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
378 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
379 * @retval #CKM_API_ERROR_DB_ALIAS_EXISTS alias already exists.
380 * @retval #CKM_API_ERROR_DB_ERROR failed due to other DB transaction unexpectedly.
382 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
384 * @see ckm_create_key_pair_rsa()
385 * @see ckm_create_signature()
386 * @see ckm_verify_signature()
389 int ckm_create_key_pair_ecdsa(const ckm_ec_type type, const char *private_key_alias, const char *public_key_alias, const ckm_policy policy_private_key, const ckm_policy policy_public_key);
392 * @brief Creates a signature on a given message using a private key and returns the signature
394 * @remarks If password of policy is provided during storing a key, the same password should be provided.
395 * @remarks A newly created ppsignature should be destroyed by calling ckm_buffer_free() if it is no longer needed.
398 * @param[in] private_key_alias is the name of private key.
399 * @param[in] password is used in decrypting a private key value.
400 * @param[in] message is signed with a private key .
401 * @param[in] hash is the hash algorithm used in creating signature.
402 * @param[in] padding is the RSA padding algorithm used in creating signature. It is used only when the signature algorithm is RSA.
403 * @param[out] ppsignature is a pointer to a newly created signature's. If an error occurs, *ppsignature will be null.
405 * @return 0 on success, otherwise a negative error value
406 * @retval #CKM_API_SUCCESS Successful
407 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
408 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
409 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
411 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
413 * @see ckm_create_key_pair_rsa()
414 * @see ckm_create_key_pair_ecdsa()
415 * @see ckm_verify_signature()
416 * @see ckm_buffer_free()
417 * @see #ckm_hash_algo
418 * @see #ckm_rsa_padding_algo
420 int ckm_create_signature(const char *private_key_alias, const char *password, const ckm_raw_buffer message, const ckm_hash_algo hash, const ckm_rsa_padding_algo padding, ckm_raw_buffer **ppsignature);
423 * @brief Verify a given signature on a given message using a public key and returns the signature status.
425 * @remarks If password of policy is provided during storing a key, the same password should be provided.
427 * @param[in] public_key_alias is the name of public key.
428 * @param[in] password is used in decrypting a public key value.
429 * @param[in] message is a input on which the signature is created.
430 * @param[in] signature is verified with public key.
431 * @param[in] hash is the hash algorithm used in verifying signature.
432 * @param[in] padding is the RSA padding algorithm used in verifying signature. It is used only when the signature algorithm is RSA.
434 * @return 0 on success and the signature is valid, otherwise a negative error value
435 * @retval #CKM_API_SUCCESS Successful
436 * @retval #CKM_API_ERROR_VERIFICATION_FAILED the signature is invalid
437 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
438 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
439 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
441 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
443 * @see ckm_create_key_pair_rsa()
444 * @see ckm_create_key_pair_ecdsa()
445 * @see ckm_verify_signature()
446 * @see #ckm_hash_algo
447 * @see #ckm_rsa_padding_algo
449 int ckm_verify_signature(const char *public_key_alias, const char *password, const ckm_raw_buffer message, const ckm_raw_buffer signature, const ckm_hash_algo hash, const ckm_rsa_padding_algo padding);
452 * @brief Verify a certificate chain and return that chain.
454 * @remarks The trusted root certificate of the chain should exist in the system's certificate storage.
455 * @remarks A newly created ppcert_chain_list should be destroyed by calling ckm_cert_list_all_free() if it is no longer needed.
457 * @param[in] cert is the certificate to be verified
458 * @param[in] untrustedcerts is the untrusted CA certificates to be used in verifying a certificate chain.
459 * @param[out] ppcert_chain_list is a pointer to a newly created certificate chain's handle. If an error occurs, *ppcert_chain_list will be null.
461 * @return 0 on success and the signature is valid, otherwise a negative error value
462 * @retval #CKM_API_SUCCESS Successful
463 * @retval #CKM_API_ERROR_VERIFICATION_FAILED the certificate chain is not valid
464 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
465 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
466 * @retval #CKM_API_ERROR_INVALID_FORMAT the format of certificate is not valid.
468 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
470 * @see ckm_get_cert_chain_with_alias())
471 * @see ckm_cert_list_all_free()
473 int ckm_get_cert_chain(const ckm_cert *cert, const ckm_cert_list *untrustedcerts, ckm_cert_list **ppcert_chain_list);
476 * @brief Verify a certificate chain using a alias list of untrusted certificates and return that chain.
478 * @remarks The trusted root certificate of the chain should exist in the system's certificate storage.
479 * @remarks A newly created ppcert_chain_list should be destroyed by calling ckm_cert_list_all_free() if it is no longer needed.
481 * @param[in] cert is the certificate to be verified
482 * @param[in] untrustedcerts is an alias list of untrusted CA certificates stored in key manager to be used in verifying a certificate chain.
483 * @param[out] ppcert_chain_list is a pointer to a newly created certificate chain's handle. If an error occurs, *ppcert_chain_list will be null.
485 * @return 0 on success and the signature is valid, otherwise a negative error value
486 * @retval #CKM_API_SUCCESS Successful
487 * @retval #CKM_API_ERROR_VERIFICATION_FAILED the certificate chain is not valid
488 * @retval #CKM_API_ERROR_INPUT_PARAM input parameter is invalid
489 * @retval #CKM_API_ERROR_DB_LOCKED a user key is not loaded in memory(a user is not logged in)
490 * @retval #CKM_API_ERROR_DB_ALIAS_UNKNOWN alias doesn't exists.
491 * @retval #CKM_API_ERROR_INVALID_FORMAT the format of certificate is not valid.
493 * @pre User must be already logged in and his user key is already loaded into memory in plain text form.
495 * @see ckm_get_cert_chain())
496 * @see ckm_cert_list_all_free()
498 int ckm_get_cert_chain_with_alias(const ckm_cert *cert, const ckm_alias_list *untrustedcerts, ckm_cert_list **ppcert_chain_list);
510 #endif /* __TIZEN_CORE_CKMC_MANAGER_H */