X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=src%2Finclude%2Fckm%2Fckm-manager.h;h=defe6ce07eae1e2726f5b73cca98de384200fb87;hb=c36626103cad463618e75f57abca98919842fa71;hp=d995f5f98341a984aaeae49ee2e3593e8d8588f6;hpb=4d7b2340ebaab181fa20858d20f93cb18d6cf5d0;p=platform%2Fcore%2Fsecurity%2Fkey-manager.git diff --git a/src/include/ckm/ckm-manager.h b/src/include/ckm/ckm-manager.h index d995f5f..defe6ce 100644 --- a/src/include/ckm/ckm-manager.h +++ b/src/include/ckm/ckm-manager.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,7 @@ * * @file ckm-manager.h * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 + * @version 2.0 * @brief Main header file for client library. */ #pragma once @@ -27,6 +27,7 @@ #include #include #include +#include #include // Central Key Manager namespace 
@@ -35,94 +36,158 @@ namespace CKM { class Manager; typedef std::shared_ptr ManagerShPtr; -class Manager { +class KEY_MANAGER_API Manager { public: - virtual ~Manager(){} - - virtual int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy) = 0; - virtual int saveCertificate(const Alias &alias, const CertificateShPtr &cert, const Policy &policy) = 0; - - /* - * Data must be extractable. If you set extractable bit to false funciton will - * return ERROR_INPUT_PARAM. - */ - virtual int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy) = 0; - - virtual int removeKey(const Alias &alias) = 0; - virtual int removeCertificate(const Alias &alias) = 0; - virtual int removeData(const Alias &alias) = 0; - - virtual int getKey(const Alias &alias, const Password &password, KeyShPtr &key) = 0; - virtual int getCertificate( - const Alias &alias, - const Password &password, - CertificateShPtr &certificate) = 0; - virtual int getData(const Alias &alias, const Password &password, RawBuffer &data) = 0; - - // send request for list of all keys/certificates/data that application/user may use - virtual int getKeyAliasVector(AliasVector &aliasVector) = 0; - virtual int getCertificateAliasVector(AliasVector &aliasVector) = 0; - virtual int getDataAliasVector(AliasVector &aliasVector) = 0; - - virtual int createKeyPairRSA( - const int size, // size in bits [1024, 2048, 4096] - const Alias &privateKeyAlias, - const Alias &publicKeyAlias, - const Policy &policyPrivateKey = Policy(), - const Policy &policyPublicKey = Policy()) = 0; - - virtual int createKeyPairDSA( - const int size, // size in bits [1024, 2048, 3072, 4096] - const Alias &privateKeyAlias, - const Alias &publicKeyAlias, - const Policy &policyPrivateKey = Policy(), - const Policy &policyPublicKey = Policy()) = 0; - - virtual int createKeyPairECDSA( - const ElipticCurve type, - const Alias &privateKeyAlias, - const Alias &publicKeyAlias, - const Policy &policyPrivateKey = Policy(), - const 
Policy &policyPublicKey = Policy()) = 0; - - virtual int getCertificateChain( - const CertificateShPtr &certificate, - const CertificateShPtrVector &untrustedCertificates, - CertificateShPtrVector &certificateChainVector) = 0; - - virtual int getCertificateChain( - const CertificateShPtr &certificate, - const AliasVector &untrustedCertificates, - CertificateShPtrVector &certificateChainVector) = 0; - - virtual int createSignature( - const Alias &privateKeyAlias, - const Password &password, // password for private_key - const RawBuffer &message, - const HashAlgorithm hash, - const RSAPaddingAlgorithm padding, - RawBuffer &signature) = 0; - - virtual int verifySignature( - const Alias &publicKeyOrCertAlias, - const Password &password, // password for public_key (optional) - const RawBuffer &message, - const RawBuffer &signature, - const HashAlgorithm hash, - const RSAPaddingAlgorithm padding) = 0; - - // This function will check all certificates in chain except Root CA. - // This function will delegate task to service. You may use this even - // if application does not have permission to use network. 
- virtual int ocspCheck(const CertificateShPtrVector &certificateChainVector, int &ocspStatus) = 0; - - virtual int allowAccess(const Alias &alias, const Label &accessor, AccessRight granted) = 0; - virtual int denyAccess(const Alias &alias, const Label &accessor) = 0; - - - static ManagerShPtr create(); -// static ManagerShPtr getManager(int uid); // TODO + class Impl; + + Manager(); + Manager(const Manager &) = delete; + Manager &operator=(const Manager &) = delete; + + virtual ~Manager(); + + int saveKey(const Alias &alias, const KeyShPtr &key, const Policy &policy); + int saveCertificate(const Alias &alias, const CertificateShPtr &cert, + const Policy &policy); + int savePKCS12( + const Alias &alias, + const PKCS12ShPtr &pkcs, + const Policy &keyPolicy, + const Policy &certPolicy); + + int saveData(const Alias &alias, const RawBuffer &data, const Policy &policy); + + int removeAlias(const Alias &alias); + + int getKey(const Alias &alias, const Password &password, KeyShPtr &key); + int getCertificate( + const Alias &alias, + const Password &password, + CertificateShPtr &certificate); + int getData(const Alias &alias, const Password &password, RawBuffer &data); + int getPKCS12(const Alias &alias, PKCS12ShPtr &pkcs); + int getPKCS12( + const Alias &alias, + const Password &keyPass, + const Password &certPass, + PKCS12ShPtr &pkcs); + + // send request for list of all keys/certificates/data that application/user may use + int getKeyAliasVector(AliasVector &aliasVector); + int getKeyAliasPwdVector(AliasPwdVector &aliasPwdVector); + int getKeyEncryptionStatus(const Alias &alias, bool &status); + int getCertificateAliasVector(AliasVector &aliasVector); + int getCertificateAliasPwdVector(AliasPwdVector &aliasPwdVector); + int getCertificateEncryptionStatus(const Alias &alias, bool &status); + int getDataAliasVector(AliasVector &aliasVector); + int getDataAliasPwdVector(AliasPwdVector &aliasPwdVector); + int getDataEncryptionStatus(const Alias &alias, bool &status); + + 
int createKeyPairRSA( + const int size, // size in bits [1024, 2048, 4096] + const Alias &privateKeyAlias, + const Alias &publicKeyAlias, + const Policy &policyPrivateKey = Policy(), + const Policy &policyPublicKey = Policy()); + + int createKeyPairDSA( + const int size, // size in bits [1024, 2048, 3072, 4096] + const Alias &privateKeyAlias, + const Alias &publicKeyAlias, + const Policy &policyPrivateKey = Policy(), + const Policy &policyPublicKey = Policy()); + + int createKeyPairECDSA( + const ElipticCurve type, + const Alias &privateKeyAlias, + const Alias &publicKeyAlias, + const Policy &policyPrivateKey = Policy(), + const Policy &policyPublicKey = Policy()); + + int createKeyAES( + const int size, // size in bits [128, 192, 256] + const Alias &keyAlias, + const Policy &policyKey = Policy()); + + int getCertificateChain( + const CertificateShPtr &certificate, + const CertificateShPtrVector &untrustedCertificates, + const CertificateShPtrVector &trustedCertificates, + bool useTrustedSystemCertificates, + CertificateShPtrVector &certificateChainVector); + + int getCertificateChain( + const CertificateShPtr &certificate, + const AliasVector &untrustedCertificates, + const AliasVector &trustedCertificates, + bool useTrustedSystemCertificates, + CertificateShPtrVector &certificateChainVector); + + int createSignature( + const Alias &privateKeyAlias, + const Password &password, // password for private_key + const RawBuffer &message, + const HashAlgorithm hash, + const RSAPaddingAlgorithm padding, + RawBuffer &signature); + + int verifySignature( + const Alias &publicKeyOrCertAlias, + const Password &password, // password for public_key (optional) + const RawBuffer &message, + const RawBuffer &signature, + const HashAlgorithm hash, + const RSAPaddingAlgorithm padding); + + // This function will check all certificates in chain except Root CA. + // This function will delegate task to service. 
You may use this even + // if application does not have permission to use network. + int ocspCheck(const CertificateShPtrVector &certificateChainVector, + int &ocspStatus); + + int setPermission(const Alias &alias, const ClientId &accessor, + PermissionMask permissionMask); + + // This function will encrypt data. + // Since Tizen 5.0, on chosen images using TEE backend: + // * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported) + // * GCM modes with short tags (32 and 64 bits) are not supported + // In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR + int encrypt(const CryptoAlgorithm &algo, + const Alias &keyAlias, + const Password &password, + const RawBuffer &plain, + RawBuffer &encrypted); + + // This function will decrypt data. + // Since Tizen 5.0, on chosen images using TEE backend: + // * maximum size of data can be limited to TEE-specific value; minimum 500 kB is supported) + // * GCM modes with short tags (32 and 64 bits) are not supported + // In these cases, key-manager can return a CKM_API_ERROR_SERVER_ERROR + int decrypt(const CryptoAlgorithm &algo, + const Alias &keyAlias, + const Password &password, + const RawBuffer &encrypted, + RawBuffer &decrypted); + + int deriveKey(const CryptoAlgorithm &algo, + const Alias &secretAlias, + const Password &secretPassword, + const Alias &newKeyAlias, + const Policy &newKeyPolicy); + + static ManagerShPtr create(); + + int importWrappedKey(const CryptoAlgorithm ¶ms, + const Alias &wrappingKeyAlias, + const Password &wrappingKeyPassword, + const Alias &alias, + const RawBuffer &encryptedKey, + const KeyType keyType, + const Policy &policy); + +private: + std::unique_ptr m_impl; }; } // namespace CKM -
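Review bot: Both `getCertificateChain` overloads gain `trustedCertificates` and `useTrustedSystemCertificates` without a comment, so the header never states which trust anchors the returned chain is validated against, or what the call returns when the trusted list is empty and the flag is `false`. Callers need that contract on the declaration before they treat a returned chain as verified; once confirmed against the implementation, a line such as `// Chain is built to an anchor taken from trustedCertificates and, when useTrustedSystemCertificates is true, from the system store.` would cover it. The same gap applies to `importWrappedKey` and `deriveKey`, which unlike `encrypt`/`decrypt` do not say which `CryptoAlgorithm` parameters are accepted or which error is returned for unsupported ones. `setPermission` likewise does not say whether `permissionMask` replaces or adds to rights already granted to `accessor`. In the `encrypt` and `decrypt` comments, the `)` after `minimum 500 kB is supported` is unbalanced.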