Turn backends into Decider members

[platform/core/security/key-manager.git] / src / manager / crypto / platform / decider.cpp

diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp
index 2a93729..9540509 100644 (file)
--- a/src/manager/crypto/platform/decider.cpp
+++ b/src/manager/crypto/platform/decider.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -26,12 +26,13 @@
 #include <platform/decider.h>
 
 #include <generic-backend/exception.h>
-#include <sw-backend/store.h>
-#include <tz-backend/store.h>
+
+#ifdef TZ_BACKEND_ENABLED
 #include <tz-backend/tz-context.h>
 
 #include <tee_client_api.h>
 #include <km_ta_defines.h>
+#endif // TZ_BACKEND_ENABLED
 
 #include <sstream>
 #include <fstream>
@@ -53,33 +54,51 @@ std::string ValueToString(const T& value)
        return str.str();
 }
 
-CryptoBackend chooseCryptoBackend(DataType data,
-                                  const Policy &policy,
-                                  bool encrypted)
+CryptoBackend chooseCryptoBackend(const DataParams& params)
 {
+#ifdef TZ_BACKEND_ENABLED
+       if (params.size() != 1 && params.size() != 2) {
+               ThrowErr(Exc::Crypto::InternalError, "Invalid number of key parameters provided to decider");
+       }
+
        // user directly point proper backend - we will not discuss with it
-       if (policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE)
+       if (params[0].policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE)
                return CryptoBackend::OpenSSL;
 
        // user directly point proper backend - we will not discuss with it
-       if (policy.backend == CKM::PolicyBackend::FORCE_HARDWARE)
+       if (params[0].policy.backend == CKM::PolicyBackend::FORCE_HARDWARE)
                return CryptoBackend::TrustZone;
 
-       // For now only software backend supports device encyption key
-       // TODO tz-backend could support the master key, but it would require
-       //      hardcoding a known key ID and querying TA whether the key is
-       //      reachable
-       if (encrypted)
-               return CryptoBackend::OpenSSL;
-
-       // Only software backend allows for key export
-       if (policy.extractable)
-               return CryptoBackend::OpenSSL;
-
-       // Use TrustZone only with symmetric keys until asymmetric
-       // cryptography is implemented
-       if (!data.isSKey())
-               return CryptoBackend::OpenSSL;
+       if (params.size() == 1) {
+               // For now only software backend supports device encyption key
+               // TODO tz-backend could support the master key, but it would require
+               //      hardcoding a known key ID and querying TA whether the key is
+               //      reachable
+               if (params[0].encrypted) {
+                       return CryptoBackend::OpenSSL;
+               }
+
+               // tz-backend allows only for data binary export
+               if (params[0].policy.extractable && !params[0].data.isBinaryData()) {
+                       return CryptoBackend::OpenSSL;
+               }
+
+               // Use TrustZone only with symmetric keys or unencrypted binary
+               // data until asymmetric cryptography is implemented
+               if (!params[0].data.isSKey() && !params[0].data.isBinaryData()) {
+                       return CryptoBackend::OpenSSL;
+               }
+       } else if (params.size() == 2) {
+               // extractable private key can only be handled by OpenSSL
+               if (params[0].policy.extractable) {
+                       return CryptoBackend::OpenSSL;
+               }
+
+               // ECDSA algorithm is unsupported by GP API 1.0
+               if (params[0].data.isEllipticCurve() || params[1].data.isEllipticCurve()) {
+                       return CryptoBackend::OpenSSL;
+               }
+       }
 
        try {
                LogDebug("Trying to open TA session...");
@@ -91,31 +110,38 @@ CryptoBackend chooseCryptoBackend(DataType data,
 
        LogDebug("...succeeded. Selecting TZ backend.");
        return CryptoBackend::TrustZone;
+
+#else // TZ_BACKEND_ENABLED
+    (void) params;
+    return CryptoBackend::OpenSSL;
+#endif // TZ_BACKEND_ENABLED
 }
 
 } // namespace
 
 Decider::Decider()
-       : m_swStore(new SW::Store(CryptoBackend::OpenSSL))
-       , m_tzStore(new TZ::Store(CryptoBackend::TrustZone))
+       : m_swStore(CryptoBackend::OpenSSL)
+#ifdef TZ_BACKEND_ENABLED
+       , m_tzStore(CryptoBackend::TrustZone)
+#endif
 {
 }
 
-GStore &Decider::getStore(const Token &token) const
+GStore &Decider::getStore(const Token &token)
 {
        return getStore(token.backendId);
 };
 
-GStore &Decider::getStore(CryptoBackend cryptoBackend) const
+GStore &Decider::getStore(CryptoBackend cryptoBackend)
 {
        GStore *gStore = NULL;
 
        if (cryptoBackend == CryptoBackend::OpenSSL)
-               gStore = m_swStore.get();
-
+               gStore = &m_swStore;
+#ifdef TZ_BACKEND_ENABLED
        if (cryptoBackend == CryptoBackend::TrustZone)
-               gStore = m_tzStore.get();
-
+               gStore = &m_tzStore;
+#endif
        if (gStore)
                return *gStore;
 
@@ -123,9 +149,18 @@ GStore &Decider::getStore(CryptoBackend cryptoBackend) const
                         "Backend not available. BackendId: ", (int)cryptoBackend);
 }
 
-GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) const
+GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted)
+{
+       DataParams params{
+               DataParam(data, policy, encrypted)
+       };
+
+       return getStore(chooseCryptoBackend(params));
+}
+
+GStore &Decider::getStore(const DataParams& params)
 {
-       return getStore(chooseCryptoBackend(data, policy, encrypted));
+       return getStore(chooseCryptoBackend(params));
 }
 
 } // namespace Crypto