/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* @file ckm-manager.h
* @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
+ * @version 2.0
* @brief Main header file for client library.
*/
#pragma once
#include <ckm/ckm-certificate.h>
#include <ckm/ckm-error.h>
#include <ckm/ckm-key.h>
+#include <ckm/ckm-pkcs12.h>
#include <ckm/ckm-type.h>
// Central Key Manager namespace
class Manager;
typedef std::shared_ptr<Manager> ManagerShPtr;
-class Manager {
+class KEY_MANAGER_API Manager {
public:
- virtual ~Manager(){}
-
- virtual int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy) = 0;
- virtual int saveCertificate(const Alias &alias, const CertificateShPtr &cert, const Policy &policy) = 0;
-
- /*
- * Data must be extractable. If you set extractable bit to false funciton will
- * return ERROR_INPUT_PARAM.
- */
- virtual int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy) = 0;
-
- virtual int removeKey(const Alias &alias) = 0;
- virtual int removeCertificate(const Alias &alias) = 0;
- virtual int removeData(const Alias &alias) = 0;
-
- virtual int getKey(const Alias &alias, const Password &password, KeyShPtr &key) = 0;
- virtual int getCertificate(
- const Alias &alias,
- const Password &password,
- CertificateShPtr &certificate) = 0;
- virtual int getData(const Alias &alias, const Password &password, RawBuffer &data) = 0;
-
- // send request for list of all keys/certificates/data that application/user may use
- virtual int getKeyAliasVector(AliasVector &aliasVector) = 0;
- virtual int getCertificateAliasVector(AliasVector &aliasVector) = 0;
- virtual int getDataAliasVector(AliasVector &aliasVector) = 0;
-
- virtual int createKeyPairRSA(
- const int size, // size in bits [1024, 2048, 4096]
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy()) = 0;
-
- virtual int createKeyPairDSA(
- const int size, // size in bits [1024, 2048, 3072, 4096]
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy()) = 0;
-
- virtual int createKeyPairECDSA(
- const ElipticCurve type,
- const Alias &privateKeyAlias,
- const Alias &publicKeyAlias,
- const Policy &policyPrivateKey = Policy(),
- const Policy &policyPublicKey = Policy()) = 0;
-
- virtual int getCertificateChain(
- const CertificateShPtr &certificate,
- const CertificateShPtrVector &untrustedCertificates,
- CertificateShPtrVector &certificateChainVector) = 0;
-
- virtual int getCertificateChain(
- const CertificateShPtr &certificate,
- const AliasVector &untrustedCertificates,
- CertificateShPtrVector &certificateChainVector) = 0;
-
- virtual int createSignature(
- const Alias &privateKeyAlias,
- const Password &password, // password for private_key
- const RawBuffer &message,
- const HashAlgorithm hash,
- const RSAPaddingAlgorithm padding,
- RawBuffer &signature) = 0;
-
- virtual int verifySignature(
- const Alias &publicKeyOrCertAlias,
- const Password &password, // password for public_key (optional)
- const RawBuffer &message,
- const RawBuffer &signature,
- const HashAlgorithm hash,
- const RSAPaddingAlgorithm padding) = 0;
-
- // This function will check all certificates in chain except Root CA.
- // This function will delegate task to service. You may use this even
- // if application does not have permission to use network.
- virtual int ocspCheck(const CertificateShPtrVector &certificateChainVector, int &ocspStatus) = 0;
-
- virtual int allowAccess(const Alias &alias, const Label &accessor, AccessRight granted) = 0;
- virtual int denyAccess(const Alias &alias, const Label &accessor) = 0;
-
-
- static ManagerShPtr create();
-// static ManagerShPtr getManager(int uid); // TODO
+ class Impl;
+
+ Manager();
+ Manager(const Manager &) = delete;
+ Manager &operator=(const Manager &) = delete;
+
+ virtual ~Manager();
+
+ int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy);
+ int saveCertificate(const Alias &alias, const CertificateShPtr &cert,
+ const Policy &policy);
+ int savePKCS12(
+ const Alias &alias,
+ const PKCS12ShPtr &pkcs,
+ const Policy &keyPolicy,
+ const Policy &certPolicy);
+
+ int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy);
+
+ int removeAlias(const Alias &alias);
+
+ int getKey(const Alias &alias, const Password &password, KeyShPtr &key);
+ int getCertificate(
+ const Alias &alias,
+ const Password &password,
+ CertificateShPtr &certificate);
+ int getData(const Alias &alias, const Password &password, RawBuffer &data);
+ int getPKCS12(const Alias &alias, PKCS12ShPtr &pkcs);
+ int getPKCS12(
+ const Alias &alias,
+ const Password &keyPass,
+ const Password &certPass,
+ PKCS12ShPtr &pkcs);
+
+ // send request for list of all keys/certificates/data that application/user may use
+ int getKeyAliasVector(AliasVector &aliasVector);
+ int getKeyAliasPwdVector(AliasPwdVector &aliasPwdVector);
+ int getKeyEncryptionStatus(const Alias &alias, bool &status);
+ int getCertificateAliasVector(AliasVector &aliasVector);
+ int getCertificateAliasPwdVector(AliasPwdVector &aliasPwdVector);
+ int getCertificateEncryptionStatus(const Alias &alias, bool &status);
+ int getDataAliasVector(AliasVector &aliasVector);
+ int getDataAliasPwdVector(AliasPwdVector &aliasPwdVector);
+ int getDataEncryptionStatus(const Alias &alias, bool &status);
+
+ int createKeyPairRSA(
+ const int size, // size in bits [1024, 2048, 4096]
+ const Alias &privateKeyAlias,
+ const Alias &publicKeyAlias,
+ const Policy &policyPrivateKey = Policy(),
+ const Policy &policyPublicKey = Policy());
+
+ int createKeyPairDSA(
+ const int size, // size in bits [1024, 2048, 3072, 4096]
+ const Alias &privateKeyAlias,
+ const Alias &publicKeyAlias,
+ const Policy &policyPrivateKey = Policy(),
+ const Policy &policyPublicKey = Policy());
+
+ int createKeyPairECDSA(
+ const ElipticCurve type,
+ const Alias &privateKeyAlias,
+ const Alias &publicKeyAlias,
+ const Policy &policyPrivateKey = Policy(),
+ const Policy &policyPublicKey = Policy());
+
+ int createKeyAES(
+ const int size, // size in bits [128, 192, 256]
+ const Alias &keyAlias,
+ const Policy &policyKey = Policy());
+
+ int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const CertificateShPtrVector &untrustedCertificates,
+ const CertificateShPtrVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
+ int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const AliasVector &untrustedCertificates,
+ const AliasVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
+ int createSignature(
+ const Alias &privateKeyAlias,
+ const Password &password, // password for private_key
+ const RawBuffer &message,
+ const HashAlgorithm hash,
+ const RSAPaddingAlgorithm padding,
+ RawBuffer &signature);
+
+ int verifySignature(
+ const Alias &publicKeyOrCertAlias,
+ const Password &password, // password for public_key (optional)
+ const RawBuffer &message,
+ const RawBuffer &signature,
+ const HashAlgorithm hash,
+ const RSAPaddingAlgorithm padding);
+
+ // This function will check all certificates in chain except Root CA.
+ // This function will delegate task to service. You may use this even
+ // if application does not have permission to use network.
+ int ocspCheck(const CertificateShPtrVector &certificateChainVector,
+ int &ocspStatus);
+
+ int setPermission(const Alias &alias, const ClientId &accessor,
+ PermissionMask permissionMask);
+
+ // This function will encrypt data.
+ // Since Tizen 5.0, on chosen images using TEE backend:
+ // * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported)
+ // * GCM modes with short tags (32 and 64 bits) are not supported
+ // In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR
+ int encrypt(const CryptoAlgorithm &algo,
+ const Alias &keyAlias,
+ const Password &password,
+ const RawBuffer &plain,
+ RawBuffer &encrypted);
+
+ // This function will decrypt data.
+ // Since Tizen 5.0, on chosen images using TEE backend:
+ // * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported)
+ // * GCM modes with short tags (32 and 64 bits) are not supported
+ // In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR
+ int decrypt(const CryptoAlgorithm &algo,
+ const Alias &keyAlias,
+ const Password &password,
+ const RawBuffer &encrypted,
+ RawBuffer &decrypted);
+
+ int deriveKey(const CryptoAlgorithm &algo,
+ const Alias &secretAlias,
+ const Password &secretPassword,
+ const Alias &newKeyAlias,
+ const Policy &newKeyPolicy);
+
+ static ManagerShPtr create();
+
+ int importWrappedKey(const CryptoAlgorithm ¶ms,
+ const Alias &wrappingKeyAlias,
+ const Password &wrappingKeyPassword,
+ const Alias &alias,
+ const RawBuffer &encryptedKey,
+ const KeyType keyType,
+ const Policy &policy);
+
+private:
+ std::unique_ptr<Impl> m_impl;
};
} // namespace CKM
-
projects / platform / core / security / key-manager.git / blobdiff