2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file key-provider.h
18 * @author kyungwook tak (k.tak@samsung.com)
20 * @brief Provide Domain KEK and Application KEK for key-manager.
27 #include <ckm/ckm-type.h>
28 #include <dpl/exception.h>
37 #ifndef INVALID_ARGUMENTS
38 #define INVALID_ARGUMENTS -2
40 #ifndef VERIFY_DATA_ERROR
41 #define VERIFY_DATA_ERROR -3
43 #ifndef OPENSSL_ENGINE_ERROR
44 #define OPENSSL_ENGINE_ERROR -4
47 #define UNKNOWN_ERROR -5
50 #define AES256_KEY_LEN_BITS 256
51 #define AES256_KEY_LEN_BYTSE (AES256_KEY_LEN_BITS / 8)
52 #define AES_GCM_TAG_SIZE 32
54 #define PBKDF2_SALT_LEN 16
55 #define PBKDF2_ITERATIONS 4096
57 #define MAX_IV_SIZE 16
58 #define MAX_SALT_SIZE 16
59 #define MAX_KEY_SIZE 32
60 #define MAX_WRAPPED_KEY_SIZE 32
61 #define MAX_LABEL_SIZE 32
62 #define DOMAIN_NAME_SIZE 32
63 #define APP_LABEL_SIZE 32
67 typedef struct KeyComponentsInfo_ {
69 char label[MAX_LABEL_SIZE];
70 uint8_t salt[MAX_SALT_SIZE];
71 uint8_t iv[MAX_IV_SIZE];
72 uint8_t tag[MAX_IV_SIZE];
75 typedef struct KeyAndInfo_ {
76 KeyComponentsInfo keyInfo;
77 uint8_t key[MAX_KEY_SIZE];
80 typedef struct WrappedKeyAndInfo_ {
81 KeyComponentsInfo keyInfo;
82 uint8_t wrappedKey[MAX_WRAPPED_KEY_SIZE];
85 class WrappedKeyAndInfoContainer{
87 WrappedKeyAndInfoContainer();
89 WrappedKeyAndInfoContainer(const WrappedKeyAndInfoContainer &);
90 WrappedKeyAndInfoContainer &operator=(const WrappedKeyAndInfoContainer &);
92 WrappedKeyAndInfoContainer(const unsigned char*);
93 WrappedKeyAndInfo& getWrappedKeyAndInfo();
94 void setKeyInfoKeyLength(const unsigned int);
95 void setKeyInfoLabel(const std::string);
96 void setKeyInfoSalt(const unsigned char*, const int);
97 void setKeyInfo(const KeyComponentsInfo*);
98 ~WrappedKeyAndInfoContainer();
100 WrappedKeyAndInfo *wrappedKeyAndInfo;
103 class KeyAndInfoContainer{
107 DECLARE_EXCEPTION_TYPE(CKM::Exception, Base)
109 KeyAndInfoContainer();
111 KeyAndInfoContainer(const KeyAndInfoContainer &);
112 KeyAndInfoContainer &operator=(const KeyAndInfoContainer &);
114 KeyAndInfoContainer(const unsigned char*);
115 KeyAndInfo& getKeyAndInfo();
116 void setKeyInfoKeyLength(const unsigned int);
117 void setKeyInfo(const KeyComponentsInfo*);
118 ~KeyAndInfoContainer();
120 KeyAndInfo *keyAndInfo;
124 // This is internal api so all functions should throw exception on errors.
129 DECLARE_EXCEPTION_TYPE(CKM::Exception, Base)
130 DECLARE_EXCEPTION_TYPE(Base, InitFailed)
131 DECLARE_EXCEPTION_TYPE(Base, GenFailed)
132 DECLARE_EXCEPTION_TYPE(Base, WrapFailed)
133 DECLARE_EXCEPTION_TYPE(Base, UnwrapFailed)
134 DECLARE_EXCEPTION_TYPE(Base, PassWordError)
135 DECLARE_EXCEPTION_TYPE(Base, InputParamError)
136 DECLARE_EXCEPTION_TYPE(Base, OpensslEngineError)
139 // To store in std containers
141 KeyProvider(const RawBuffer &domainKEKInWrapForm, const Password &password);
143 KeyProvider(KeyProvider &&);
144 KeyProvider(const KeyProvider &) = delete;
145 KeyProvider& operator=(const KeyProvider &) = delete;
146 KeyProvider& operator=(KeyProvider &&);
148 bool isInitialized();
150 // Returns Key used to decrypt database.
151 RawBuffer getPureDomainKEK();
153 // Returns Key in form used to store key in file
154 // Requied by Control::resetPassword(const RawBuffer &newPassword);
155 // This api should be used only on Tizen 2.2.1
156 RawBuffer getWrappedDomainKEK(const Password &password);
158 // EncryptedKey key extracted from database. Used to encrypt application data.
159 // This key will be used to decrypt/encrypt data in ROW
160 RawBuffer getPureDEK(const RawBuffer &DEKInWrapForm);
162 // Returns WRAPPED DEK. This will be written to datbase.
163 // This key will be used to encrypt all application information.
164 // All application are identified by smackLabel.
165 RawBuffer generateDEK(const std::string &smackLabel);
167 // used by change user password. On error -> exception
168 static RawBuffer reencrypt(
169 const RawBuffer &domainKEKInWrapForm,
170 const Password &oldPass,
171 const Password &newPass);
173 // First run of application for some user. DomainKEK was not created yet. We must create one.
174 // This key will be used to encrypt user database.
175 static RawBuffer generateDomainKEK(const std::string &user, const Password &userPassword);
177 // This will be called by framework at the begin of the program
178 static int initializeLibrary();
179 // This will be called by framework at the end of the program
180 static int closeLibrary();
182 virtual ~KeyProvider();
185 // KeyAndInfoContainer class
186 std::shared_ptr<KeyAndInfoContainer> m_kmcDKEK;
187 bool m_isInitialized;
189 static int encryptAes256Gcm(
190 const unsigned char *plaintext,
192 const unsigned char *key,
193 const unsigned char *iv,
194 unsigned char *ciphertext,
197 static int decryptAes256Gcm(
198 const unsigned char *ciphertext,
201 const unsigned char *key,
202 const unsigned char *iv,
203 unsigned char *plaintext);
205 static char * concat_password_user(
207 const char *password);
209 static const char* getConvertedStr(const Password &password);