/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* @file ckm-manager.h
* @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
+ * @version 2.0
* @brief Main header file for client library.
*/
#pragma once
#include <string>
-#include <vector>
#include <memory>
#include <ckm/ckm-certificate.h>
#include <ckm/ckm-error.h>
#include <ckm/ckm-key.h>
+#include <ckm/ckm-pkcs12.h>
#include <ckm/ckm-type.h>
// Central Key Manager namespace
namespace CKM {
-/*
-class Pkcs12 {
-public:
- Pkcs12();
- Pkcs12(const RawBuffer &rawData, const RawBuffer &password = RawBuffer());
-
- Pkcs12(const Pkcs12 &pkcs);
- Pkcs12(Pkcs12 &&pkcs);
- Pkcs12& operator=(const Pkcs12 &pkcs);
- Pkcs12& operator=(Pkcs12 &&pkcs);
-
- Key getKey(const RawBuffer &password = RawBuffer());
- Certificate getCertificate(); // this is connected with Key
-
- // check the API in openssl and translate it 1 to 1.
-
- CertificateShPtrVector getCertificateShPtrVector();
-
- bool empty();
- virtual ~Pkcs12();
-private:
- class Pkcs12Impl;
- Pkcs12Impl *m_impl;
-};
-*/
-
class Manager;
typedef std::shared_ptr<Manager> ManagerShPtr;
-class Manager {
-public:
- virtual ~Manager(){}
-
- virtual int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy) = 0;
- virtual int saveCertificate(const Alias &alias, const CertificateShPtr &cert, const Policy &policy) = 0;
-
- /*
- * Data must be extractable. If you set extractable bit to false funciton will
- * return ERROR_INPUT_PARAM.
- */
- virtual int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy) = 0;
-
- virtual int removeKey(const Alias &alias) = 0;
- virtual int removeCertificate(const Alias &alias) = 0;
- virtual int removeData(const Alias &alias) = 0;
-
- virtual int getKey(const Alias &alias, const Password &password, KeyShPtr &key) = 0;
- virtual int getCertificate(
- const Alias &alias,
- const Password &password,
- CertificateShPtr &certificate) = 0;
- virtual int getData(const Alias &alias, const Password &password, RawBuffer &data) = 0;
-
- // send request for list of all keys/certificates/data that application/user may use
- virtual int getKeyAliasVector(AliasVector &aliasVector) = 0;
- virtual int getCertificateAliasVector(AliasVector &aliasVector) = 0;
- virtual int getDataAliasVector(AliasVector &aliasVector) = 0;
-
- virtual int createKeyPairRSA(
- const int size, // size in bits [1024, 2048, 4096]
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy()) = 0;
-
- virtual int createKeyPairECDSA(
- const ElipticCurve type,
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy()) = 0;
-
- virtual int getCertificateChain(
- const CertificateShPtr &certificate,
- const CertificateShPtrVector &untrustedCertificates,
- CertificateShPtrVector &certificateChainVector) = 0;
-
- virtual int getCertificateChain(
- const CertificateShPtr &certificate,
- const AliasVector &untrustedCertificates,
- CertificateShPtrVector &certificateChainVector) = 0;
-
- virtual int createSignature(
- const Alias &privateKeyAlias,
- const Password &password, // password for private_key
- const RawBuffer &message,
- const HashAlgorithm hash,
- const RSAPaddingAlgorithm padding,
- RawBuffer &signature) = 0;
-
- virtual int verifySignature(
- const Alias &publicKeyOrCertAlias,
- const Password &password, // password for public_key (optional)
- const RawBuffer &message,
- const RawBuffer &signature,
- const HashAlgorithm hash,
- const RSAPaddingAlgorithm padding) = 0;
-
- // This function will check all certificates in chain except Root CA.
- // This function will delegate task to service. You may use this even
- // if application does not have permission to use network.
- virtual int ocspCheck(const CertificateShPtrVector &certificateChainVector, int &ocspStatus) = 0;
-
- static ManagerShPtr create();
-// static ManagerShPtr getManager(int uid); // TODO
-};
-
-/*
-// Asynchronous interface to Central Key Manager. This implementation uses
-// internal thread for connection.
-class ManagerAsync {
+class KEY_MANAGER_API Manager {
public:
- class ManagerAsyncImpl;
-
- // Observer will observer custom operation.
- struct Observer {
- // Error callback - all errors
- // ERROR_API_NOT_SUPPORTED,
- // ERROR_API_CONNECTION_LOST,
- // ERROR_API_PARSING_ERROR,
- // ERROR_API_ALIAS_UNKNOWN
- virtual void ReceivedError(int error, const std::string &errormsg);
-
- // This will return data
- virtual void ReceivedKey(Key && key) {}
- virtual void ReceivedCertificate(Certificate && certificate) {}
- virtual void ReceivedKeyAliasVector(AliasVector && aliasVector) {}
- virtual void ReceivedCertificateAliasVector(AliasVector && aliasVector) {}
-
- // This callbacks will confirm successful operation
- virtual void ReceivedSaveKey() {}
- virtual void ReceivedSaveCertificate() {}
- virtual void ReceivedRemovedKey() {}
- virtual void ReceivedRemovedCertificate() {}
-
- // Added By Dongsun Lee
- virtual void ReceivedData(RawBuffer && data) {}
- virtual void ReceivedDataAliasVector(AliasVector && aliasVector) {}
-
- // This callbacks will confirm successful operation
- virtual void ReceivedSaveData() {}
- virtual void ReceivedRemovedData() {}
- virtual void ReceivedCreateKeyPairRSA() {}
- virtual void ReceivedCreateKeyPairECDSA() {}
- virtual void ReceivedCreateSignature(RawBuffer && signature) {}
-
- // TODO: describe status
- virtual void ReceivedVerifySignature() {}
- // TODO: describe status
- // Do we need some chain of the certificate?
- virtual void ReceivedVerifyCertificate() {}
-
- virtual void ReceivedGetCertiticateChain(CertificateShPtrVector &&certificateVector) {}
- virtual void ReceivedStrictCACheck();
- virtual void ReceivedOCSPCheck();
-
- virtual ~Observer() {}
- };
-
- ManagerAsync();
- ManagerAsync(const ManagerAsync &);
- ManagerAsync(ManagerAsync &&);
- ManagerAsync& operator=(const ManagerAsync &);
- ManagerAsync& operator=(ManagerAsync &&);
- virtual ~ManagerAsync();
-
- // observer will be destroyed after use
- void saveKey(Observer *observer, const Alias &alias, const Key &key, const Policy &policy);
- void saveCertificate(Observer *observer, const Alias &alias, const Certificate &cert, const Policy &policy);
-
- void removeKey(Observer *observer, const Alias &alias);
- void removeCertificate(Observer *observer, const Alias &alias);
-
- void requestKey(Observer *observer, const Alias &alias);
- void requestCertificate(Observer *observer, const Alias &alias);
-
- // This will extract list of all Keys and Certificates in Key Store
- void requestKeyAliasVector(Observer *observer); // send request for list of all keys that application/user may use
- void requestCertificateAliasVector(Observer *observer); // send request for list of all certs that application/user may use
-
- // Added By Dongsun Lee
- void saveData(Observer *observer, const Alias &alias, const RawBuffer &data, const Policy &policy);
- void removeData(Observer *observer, const Alias &alias);
- void requestData(Observer *observer, const Alias &alias);
- void requestDataAliasVector(Observer *observer); // send request for list of all data that application/user may use
- void createKeyPairRSA(Observer *observer, const Alias &privateKeyAlias, const Alias &publicKeyAlias, const int &size, const Policy &policy);
- void createKeyPairECDSA(Observer *observer, const Alias &privateKeyAlias, const Alias &publicKeyAlias, ECType type, const int &size, const Policy &policy);
- void createSignature(Observer *observer, const Alias &privateKeyAlias, const RawBuffer &password, const RawBuffer &message);
- void verifySignature(Observer *observer, const Alias &publicKeyOrCertAlias, const RawBuffer &password, const RawBuffer &message, const RawBuffer &signature);
-
- // Should we use also certificates stored by user in Certral Key Manager?
- // Sometimes we may want to verify certificate without OCSP (for example we are installing side-loaded app and network is not working).
- void verifyCertificate(Observer *observer, const Certificate &certificate, const CertificateShPtrVector &untrusted, const bool ocspCheck, const bool strictCaFlagCheck);
-
- void createKeyPairRSA(
- Observer *observer,
- const int size, // size in bits [1024, 2048, 4096]
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy());
-
- void createKeyPairECDSA(
- Observer *observer,
- const Key::ECType type,
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy());
-
- // this fuction will return chains of certificates and check it with openssl
- // status : OK, INCOMPLETE_CHAIN, VERIFICATION_FAILED
- void getCertiticateChain(
- const Certificate &certificate,
- const CertificateShPtrVector &untrustedCertificates);
-
- void getCertificateChain(
- const Certificate &certificate,
- const AliasVector &untrustedCertificates);
-
- void strictCACheck(const CertificateShPtrVector &certificateVector);
+ class Impl;
+
+ Manager();
+ Manager(const Manager &) = delete;
+ Manager &operator=(const Manager &) = delete;
+
+ virtual ~Manager();
+
+ int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy);
+ int saveCertificate(const Alias &alias, const CertificateShPtr &cert,
+ const Policy &policy);
+ int savePKCS12(
+ const Alias &alias,
+ const PKCS12ShPtr &pkcs,
+ const Policy &keyPolicy,
+ const Policy &certPolicy);
+
+ int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy);
+
+ int removeAlias(const Alias &alias);
+
+ int getKey(const Alias &alias, const Password &password, KeyShPtr &key);
+ int getCertificate(
+ const Alias &alias,
+ const Password &password,
+ CertificateShPtr &certificate);
+ int getData(const Alias &alias, const Password &password, RawBuffer &data);
+ int getPKCS12(const Alias &alias, PKCS12ShPtr &pkcs);
+ int getPKCS12(
+ const Alias &alias,
+ const Password &keyPass,
+ const Password &certPass,
+ PKCS12ShPtr &pkcs);
+
+ // send request for list of all keys/certificates/data that application/user may use
+ int getKeyAliasVector(AliasVector &aliasVector);
+ int getKeyAliasPwdVector(AliasPwdVector &aliasPwdVector);
+ int getKeyEncryptionStatus(const Alias &alias, bool &status);
+ int getCertificateAliasVector(AliasVector &aliasVector);
+ int getCertificateAliasPwdVector(AliasPwdVector &aliasPwdVector);
+ int getCertificateEncryptionStatus(const Alias &alias, bool &status);
+ int getDataAliasVector(AliasVector &aliasVector);
+ int getDataAliasPwdVector(AliasPwdVector &aliasPwdVector);
+ int getDataEncryptionStatus(const Alias &alias, bool &status);
+
+ int createKeyPairRSA(
+ const int size, // size in bits [1024, 2048, 4096]
+ const Alias &privateKeyAlias,
+ const Alias &publicKeyAlias,
+ const Policy &policyPrivateKey = Policy(),
+ const Policy &policyPublicKey = Policy());
+
+ int createKeyPairDSA(
+ const int size, // size in bits [1024, 2048, 3072, 4096]
+ const Alias &privateKeyAlias,
+ const Alias &publicKeyAlias,
+ const Policy &policyPrivateKey = Policy(),
+ const Policy &policyPublicKey = Policy());
+
+ int createKeyPairECDSA(
+ const ElipticCurve type,
+ const Alias &privateKeyAlias,
+ const Alias &publicKeyAlias,
+ const Policy &policyPrivateKey = Policy(),
+ const Policy &policyPublicKey = Policy());
+
+ int createKeyAES(
+ const int size, // size in bits [128, 192, 256]
+ const Alias &keyAlias,
+ const Policy &policyKey = Policy());
+
+ int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const CertificateShPtrVector &untrustedCertificates,
+ const CertificateShPtrVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
+ int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const AliasVector &untrustedCertificates,
+ const AliasVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
+ int createSignature(
+ const Alias &privateKeyAlias,
+ const Password &password, // password for private_key
+ const RawBuffer &message,
+ const HashAlgorithm hash,
+ const RSAPaddingAlgorithm padding,
+ RawBuffer &signature);
+
+ int verifySignature(
+ const Alias &publicKeyOrCertAlias,
+ const Password &password, // password for public_key (optional)
+ const RawBuffer &message,
+ const RawBuffer &signature,
+ const HashAlgorithm hash,
+ const RSAPaddingAlgorithm padding);
// This function will check all certificates in chain except Root CA.
- void ocspCheck(const CertificateShPtrVector &certificateChainVector);
+ // This function will delegate task to service. You may use this even
+ // if application does not have permission to use network.
+ int ocspCheck(const CertificateShPtrVector &certificateChainVector,
+ int &ocspStatus);
+
+ int setPermission(const Alias &alias, const ClientId &accessor,
+ PermissionMask permissionMask);
+
+ // This function will encrypt data.
+ // Since Tizen 5.0, on chosen images using TEE backend:
+ // * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported)
+ // * GCM modes with short tags (32 and 64 bits) are not supported
+ // In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR
+ int encrypt(const CryptoAlgorithm &algo,
+ const Alias &keyAlias,
+ const Password &password,
+ const RawBuffer &plain,
+ RawBuffer &encrypted);
+
+ // This function will decrypt data.
+ // Since Tizen 5.0, on chosen images using TEE backend:
+ // * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported)
+ // * GCM modes with short tags (32 and 64 bits) are not supported
+ // In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR
+ int decrypt(const CryptoAlgorithm &algo,
+ const Alias &keyAlias,
+ const Password &password,
+ const RawBuffer &encrypted,
+ RawBuffer &decrypted);
+
+ int deriveKey(const CryptoAlgorithm &algo,
+ const Alias &secretAlias,
+ const Password &secretPassword,
+ const Alias &newKeyAlias,
+ const Policy &newKeyPolicy);
+
+ static ManagerShPtr create();
+
+ int importWrappedKey(const CryptoAlgorithm ¶ms,
+ const Alias &wrappingKeyAlias,
+ const Password &wrappingKeyPassword,
+ const Alias &alias,
+ const RawBuffer &encryptedKey,
+ const KeyType keyType,
+ const Policy &policy);
private:
- ConnectionAsyncImpl *m_impl;
+ std::unique_ptr<Impl> m_impl;
};
-class ManagerAsyncThread : public ManagerAsync {
-public:
- ManagerAsyncThread();
- ManagerAsyncThread(int uid); // connect to database related to uid
- ManagerAsyncThread(const ConnectionAsyncThread &);
- ManagerAsyncThread(ConnectionAsyncThread &&);
- ManagerAsyncThread& operator=(const ConnectionAsyncThread &);
- ManagerAsyncThread& operator=(ConnectionAsyncThread &&);
- virtual ~ConnectionAsyncThread() {}
-};
-*/
-// Out of scope
-/*
-class ManagerAsyncNoThread : public ManagerAsync {
-public:
- ManagerAsyncNoThread();
- ManagerAsyncNoThread(const ConnectionAsyncNoThread &);
- ManagerAsyncNoThread(ConnectionAsyncNoThread &&);
- ManagerAsyncNoThread& operator=(const ConnectionAsyncNoThread &);
- ManagerAsyncNoThread& operator=(ConnectionAsyncNoThread &&);
- virtual ~ConnecitonAsyncNoThread() {}
-
- int getDesc(); // extract descriptor number
- int processDesc(); // send request and receive data from central key manager
-};
-*/
-
} // namespace CKM
-