Add context cleanup command for TZ

[platform/core/security/key-manager.git] / src / manager / crypto / tz-backend / store.cpp

/*
 *  Copyright (c) 2015 - 2021 Samsung Electronics Co., Ltd All Rights Reserved
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License
 */
/*
 * @file       store.cpp
 * @author     Lukasz Kostyra (l.kostyra@samsung.com)
 * @version    1.0
 */

#include <generic-backend/exception.h>
#include <generic-backend/crypto-params.h>
#include <tz-backend/obj.h>
#include <tz-backend/store.h>
#include <tz-backend/internals.h>

#include <message-buffer.h>

namespace CKM {
namespace Crypto {
namespace TZ {

namespace {

// internal SW encryption scheme flags
enum EncryptionScheme {
        NONE = 0,
        PASSWORD = 1 << 0
};

RawBuffer unpackData(const RawBuffer &packed)
{
        MessageBuffer buffer;
        buffer.Push(RawBuffer(packed));

        int scheme;
        buffer.Deserialize(scheme);

        RawBuffer data;
        buffer.Deserialize(data);
        return data;
}

} // namespace

Store::Store(CryptoBackend backendId) :
        GStore(backendId)
{
}

GObjUPtr Store::getObject(const Token &token, const Password &pass)
{
        int scheme;
        RawBuffer id;
        RawBuffer iv;
        RawBuffer tag;
        unpack(token.data, pass, scheme, id, iv, tag);

        if (token.dataType.isKeyPrivate() || token.dataType.isKeyPublic())
                return make<AKey>(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType);

        if (token.dataType.isSymmetricKey())
                return make<SKey>(scheme, std::move(id), Pwd(pass, iv, tag));

        if (token.dataType.isCertificate() || token.dataType.isChainCert())
                return make<Cert>(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType);

        auto pwd = Pwd(pass, iv, tag);
        RawBuffer raw = Internals::getData(id, pwd, token.dataType);

        if (token.dataType.isBinaryData())
                return make<BData>(scheme, std::move(id), std::move(pwd), std::move(raw));

        ThrowErr(Exc::Crypto::DataTypeNotSupported,
                         "This type of data is not supported by trustzone backend: ", token.dataType);
}

TokenPair Store::generateAKey(const CryptoAlgorithm &alg, const Password &privPass,
                                                          const Password &pubPass, const RawBuffer &hashPriv, const RawBuffer &hashPub)
{
        RawBuffer pubIv, privIv;
        RawBuffer pubTag, privTag;
        if (!pubPass.empty()) {
                pubIv = Internals::generateIV();
        }
        if (!privPass.empty()) {
                privIv = Internals::generateIV();
        }

        AlgoType keyType;
        DataType pubType, privType;
        keyType = Internals::generateAKey(alg, pubPass, privPass, pubIv, privIv, pubTag, privTag, hashPriv, hashPub);
        if(keyType == AlgoType::RSA_GEN){
                pubType = DataType(KeyType::KEY_RSA_PUBLIC);
                privType = DataType(KeyType::KEY_RSA_PRIVATE);
        }
        else if(keyType == AlgoType::DSA_GEN){
                pubType= DataType(KeyType::KEY_DSA_PUBLIC);
                privType = DataType(KeyType::KEY_DSA_PRIVATE);
        }
        else if(keyType == AlgoType::ECDSA_GEN){
                pubType= DataType(KeyType::KEY_ECDSA_PUBLIC);
                privType = DataType(KeyType::KEY_ECDSA_PRIVATE);
        }

        return std::make_pair<Token, Token>(
                Token(m_backendId, privType, pack(hashPriv, privPass, privIv, privTag)),
                Token(m_backendId, pubType, pack(hashPub, pubPass, pubIv, pubTag))
        );
}

Token Store::generateSKey(const CryptoAlgorithm &alg,
                                                  const Password &pass,
                                                  const RawBuffer &hash)
{
        RawBuffer iv;
        RawBuffer tag;
        if (!pass.empty()) {
                // IV is needed for key encryption
                iv = Internals::generateIV();
        }

        Internals::generateSKey(alg, pass, iv, tag, hash);
        return Token(m_backendId, DataType(KeyType::KEY_AES), pack(hash, pass, iv, tag));
}

Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e,
                                                                   const RawBuffer &hash)
{
        if (!data.type.isBinaryData() && !data.type.isKey())
                ThrowErr(Exc::Crypto::DataTypeNotSupported, "Invalid data provided for import");

        RawBuffer passIV;
        RawBuffer tag;

        if (!pass.empty()) {
                // IV is needed for data encryption with pwd
                passIV = Internals::generateIV();
        }

        Internals::importData(data, e, pass, passIV, tag, hash);
        return Token(m_backendId, data.type, pack(hash, pass, passIV, tag));
}

void Store::destroy(const Token &token)
{
        RawBuffer id = unpackData(token.data);
        if (token.dataType.isBinaryData()) {
                // TODO this should be a generic "destroy persistent memory object" once
                // serialization in key-manager-ta is unified
                Internals::destroyData(id);
        }
        Internals::destroyKey(id);
}

RawBuffer Store::pack(const RawBuffer &keyId,
                                          const Password &pwd,
                                          const RawBuffer &iv,
                                          const RawBuffer &tag)
{
        // determine whether the key is password protected and store schema info
        // we don't need to additionally encrypt key ID
        int scheme = pwd.empty() ? EncryptionScheme::NONE : EncryptionScheme::PASSWORD;

        if (scheme == EncryptionScheme::PASSWORD) {
                return SerializeMessage(scheme, keyId, iv, tag);
        } else {
                return SerializeMessage(scheme, keyId);
        }
}

void Store::unpack(const RawBuffer &packed,
                                   const Password& password,
                                   int &scheme,
                                   RawBuffer &data,
                                   RawBuffer &iv,
                                   RawBuffer &tag)
{
        MessageBuffer buffer;
        buffer.Push(RawBuffer(packed));

        buffer.Deserialize(scheme);

        if (scheme == EncryptionScheme::PASSWORD) {
                buffer.Deserialize(data, iv, tag);
        } else {
                buffer.Deserialize(data);
        }

        if ((scheme & EncryptionScheme::PASSWORD) && password.empty()) {
                ThrowErr(Exc::Crypto::AuthenticationFailed,
                                 "This token is protected with password and none passed");
        } else if (!(scheme & EncryptionScheme::PASSWORD) && !password.empty()) {
                ThrowErr(Exc::Crypto::AuthenticationFailed,
                                 "This token is not protected with password but passed one");
        }
}

size_t Store::maxChunkSize() const
{
        return Internals::maxChunkSize();
}

} // namespace TZ
} // namespace Crypto
} // namespace CKM