#include <platform/decider.h>
#include <generic-backend/exception.h>
-#include <sw-backend/store.h>
#ifdef TZ_BACKEND_ENABLED
-#include <tz-backend/store.h>
#include <tz-backend/tz-context.h>
#include <tee_client_api.h>
// TODO tz-backend could support the master key, but it would require
// hardcoding a known key ID and querying TA whether the key is
// reachable
- if (params[0].encrypted)
+ if (params[0].encrypted) {
return CryptoBackend::OpenSSL;
+ }
// tz-backend allows only for data binary export
- if (params[0].policy.extractable && !params[0].data.isBinaryData())
+ if (params[0].policy.extractable && !params[0].data.isBinaryData()) {
return CryptoBackend::OpenSSL;
+ }
// Use TrustZone only with symmetric keys or unencrypted binary
// data until asymmetric cryptography is implemented
- if (!params[0].data.isSKey() && !params[0].data.isBinaryData())
+ if (!params[0].data.isSKey() && !params[0].data.isBinaryData()) {
return CryptoBackend::OpenSSL;
+ }
} else if (params.size() == 2) {
- LogDebug("2 keys - asymmetric encryption not yet supported, selecting OpenSSL");
- return CryptoBackend::OpenSSL;
+ // extractable private key can only be handled by OpenSSL
+ if (params[0].policy.extractable) {
+ return CryptoBackend::OpenSSL;
+ }
+
+ // ECDSA algorithm is unsupported by GP API 1.0
+ if (params[0].data.isEllipticCurve() || params[1].data.isEllipticCurve()) {
+ return CryptoBackend::OpenSSL;
+ }
}
try {
} // namespace
Decider::Decider()
- : m_swStore(new SW::Store(CryptoBackend::OpenSSL))
+ : m_swStore(CryptoBackend::OpenSSL)
#ifdef TZ_BACKEND_ENABLED
- , m_tzStore(new TZ::Store(CryptoBackend::TrustZone))
+ , m_tzStore(CryptoBackend::TrustZone)
#endif
{
}
-GStore &Decider::getStore(const Token &token) const
+GStore &Decider::getStore(const Token &token)
{
return getStore(token.backendId);
};
-GStore &Decider::getStore(CryptoBackend cryptoBackend) const
+GStore &Decider::getStore(CryptoBackend cryptoBackend)
{
GStore *gStore = NULL;
if (cryptoBackend == CryptoBackend::OpenSSL)
- gStore = m_swStore.get();
+ gStore = &m_swStore;
#ifdef TZ_BACKEND_ENABLED
if (cryptoBackend == CryptoBackend::TrustZone)
- gStore = m_tzStore.get();
+ gStore = &m_tzStore;
#endif
if (gStore)
return *gStore;
"Backend not available. BackendId: ", (int)cryptoBackend);
}
-GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) const
+GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted)
{
DataParams params{
DataParam(data, policy, encrypted)
return getStore(chooseCryptoBackend(params));
}
-GStore &Decider::getStore(const DataParams& params) const
+GStore &Decider::getStore(const DataParams& params)
{
return getStore(chooseCryptoBackend(params));
}