--- /dev/null
+/*
+ * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <algorithm>
+#include <memory>
+
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
+
+#include "base64.h"
+
+namespace CKM {
+
+Base64Encoder::Base64Encoder() :
+ m_b64(0),
+ m_bmem(0),
+ m_finalized(false)
+{
+}
+
+void Base64Encoder::append(const RawBuffer &data)
+{
+ if (m_finalized) {
+ throw std::logic_error("Already finalized");
+ }
+
+ if (!m_b64)
+ reset();
+
+ BIO_write(m_b64, data.data(), data.size());
+}
+
+void Base64Encoder::finalize()
+{
+ if (m_finalized) {
+ throw std::logic_error("Already finalized.");
+ }
+
+ m_finalized = true;
+ (void)BIO_flush(m_b64);
+}
+
+RawBuffer Base64Encoder::get()
+{
+ if (!m_finalized) {
+ throw std::logic_error("Not finalized");
+ }
+
+ BUF_MEM *bptr = nullptr;
+ BIO_get_mem_ptr(m_b64, &bptr);
+
+ if (!bptr) {
+ throw std::logic_error("Bio internal error");
+ }
+
+ if (bptr->length > 0)
+ return RawBuffer(bptr->data, bptr->data + bptr->length);
+
+ return RawBuffer();
+}
+
+void Base64Encoder::reset()
+{
+ m_finalized = false;
+ BIO_free_all(m_b64);
+ m_b64 = BIO_new(BIO_f_base64());
+ m_bmem = BIO_new(BIO_s_mem());
+
+ if (!m_b64 || !m_bmem) {
+ throw std::logic_error("Error during allocation memory in BIO");
+ }
+
+ BIO_set_flags(m_b64, BIO_FLAGS_BASE64_NO_NL);
+ m_b64 = BIO_push(m_b64, m_bmem);
+}
+
+Base64Encoder::~Base64Encoder()
+{
+ BIO_free_all(m_b64);
+}
+
+Base64Decoder::Base64Decoder() :
+ m_finalized(false)
+{
+}
+
+void Base64Decoder::append(const RawBuffer &data)
+{
+ if (m_finalized) {
+ throw std::logic_error("Already finalized.");
+ }
+
+ std::copy(data.begin(), data.end(), std::back_inserter(m_input));
+}
+
+static bool whiteCharacter(char a)
+{
+ return a == '\n';
+}
+
+bool Base64Decoder::finalize()
+{
+ if (m_finalized) {
+ throw std::logic_error("Already finalized.");
+ }
+
+ m_finalized = true;
+
+ m_input.erase(std::remove_if(m_input.begin(),
+ m_input.end(),
+ whiteCharacter),
+ m_input.end());
+
+ for (size_t i = 0; i < m_input.size(); ++i) {
+ if (isalnum(m_input[i])
+ || m_input[i] == '+'
+ || m_input[i] == '/'
+ || m_input[i] == '=')
+ continue;
+
+ return false;
+ }
+
+ BIO *b64, *bmem;
+ size_t len = m_input.size();
+
+ RawBuffer buffer(len);
+
+ if (!buffer.data()) {
+ throw std::logic_error("Error in malloc.");
+ }
+
+ memset(buffer.data(), 0, buffer.size());
+ b64 = BIO_new(BIO_f_base64());
+
+ if (!b64) {
+ throw std::logic_error("Couldn't create BIO object.");
+ }
+
+ BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
+ RawBuffer tmp(m_input);
+ m_input.clear();
+
+ bmem = BIO_new_mem_buf(tmp.data(), len);
+
+ if (!bmem) {
+ BIO_free(b64);
+ throw std::logic_error("Internal error in BIO");
+ }
+
+ bmem = BIO_push(b64, bmem);
+
+ if (!bmem) {
+ BIO_free(b64);
+ throw std::logic_error("Internal error in BIO");
+ }
+
+ int readlen = BIO_read(bmem, buffer.data(), buffer.size());
+ m_output.clear();
+
+ bool status = true;
+
+ if (readlen > 0) {
+ buffer.resize(readlen);
+ m_output = std::move(buffer);
+ } else {
+ status = false;
+ }
+
+ BIO_free_all(bmem);
+ return status;
+}
+
+RawBuffer Base64Decoder::get() const
+{
+ if (!m_finalized) {
+ throw std::logic_error("Not finalized");
+ }
+
+ return m_output;
+}
+
+void Base64Decoder::reset()
+{
+ m_finalized = false;
+ m_input.clear();
+ m_output.clear();
+}
+
+} // namespace CKM
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file main.cpp
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ * @brief
+ */
+
+#include <cstdio>
+
+#include <unistd.h>
+#include <getopt.h>
+
+#include <cstdlib>
+
+#include <iostream>
+#include <memory>
+#include <fstream>
+#include <vector>
+#include <set>
+#include <string>
+#include <unordered_map>
+
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#include <libxml/tree.h>
+#include <libxml/parser.h>
+
+#include "base64.h"
+
+typedef std::vector<unsigned char> Buffer;
+typedef std::istreambuf_iterator<char> InputIterator;
+
+const size_t DEFAULT_TAG_LEN = 16;
+const size_t DEFAULT_IV_LEN = 16;
+
+const struct option OPTS[] = {
+ {"xml", required_argument, 0, 'x'},
+ {"key", required_argument, 0, 'k'},
+ {"name", required_argument, 0, 'n'},
+ {"data", required_argument, 0, 'd'},
+ {"type", required_argument, 0, 't'},
+ {"subtype", required_argument, 0, 's'},
+ {"password", required_argument, 0, 'p'},
+ {"exportable", no_argument, 0, 'e'},
+ {"accessors", required_argument, 0, 'a'},
+ {"backend", required_argument, 0, 'b'},
+ {"help", no_argument, 0, 'h'},
+ {0, 0, 0, 0 }
+};
+
+const std::string KEY = "Key";
+const std::string DATA = "Data";
+const std::string CERT = "Cert";
+const std::set<std::string> TYPES = { KEY, DATA, CERT };
+const std::set<std::string> SUBTYPES = { "RSA_PRV", "RSA_PUB",
+ "DSA_PRV", "DSA_PUB",
+ "ECDSA_PRV", "ECDSA_PUB",
+ "AES"
+};
+const std::set<std::string> BACKENDS = { "software", "hardware" };
+
+struct FormatTag {
+ const std::string plain;
+ const std::string encrypted;
+};
+
+const std::unordered_map<std::string, FormatTag> FORMAT = {
+ { KEY, {"DER", "EncryptedDER"}},
+ { DATA, {"Base64", "EncryptedBinary"}},
+ { CERT, {"DER", "EncryptedDER"}},
+};
+
+std::string base64(const Buffer& data)
+{
+ try {
+ CKM::Base64Encoder encoder;
+ encoder.append(data);
+ encoder.finalize();
+ auto result = encoder.get();
+ return std::string(result.begin(), result.end());
+ } catch (std::exception &e) {
+ std::cerr << "Error: " << e.what() << std::endl;
+ }
+ return std::string();
+}
+
+struct InitialValue {
+ InitialValue() {}
+
+ std::string name, type, subType, data, iv, tag, password, format, backend, exportable;
+ std::set<std::string> accessors;
+};
+
+void usage()
+{
+ std::cout << std::endl <<
+ "Usage: ckm_initial_values <options>" << std::endl <<
+ std::endl <<
+ "Mandatory options:" << std::endl <<
+ " -d|--data <dataFile> Path to file containing initial value to be added. Supported" << std::endl <<
+ " formats:" << std::endl <<
+ " - Key:" << std::endl <<
+ " - raw binary (symmetric keys)" << std::endl <<
+ " - DER (asymmetric keys)" << std::endl <<
+ " - Data: raw binary" << std::endl <<
+ " - Cert: DER" << std::endl <<
+ " -n|--name <name> Name, under which the initial value will be saved." << std::endl <<
+ " -t|--type <type> Initial value type. One of: Key, Data, Cert." << std::endl <<
+ " -s|--subtype <subtype> Initial value subtype. For 'Key' type allowed values are:" << std::endl <<
+ " RSA_PRV, RSA_PUB, DSA_PRV, DSA_PUB, ECDSA_PRV, ECDSA_PUB, AES." << std::endl <<
+ " For other types this option should not be used." << std::endl <<
+ std::endl <<
+ "Optional:" << std::endl <<
+ " -x|--xml <xmlFile> Path to XML file that should be modified. If not provided output" << std::endl <<
+ " will be printed to stdout." << std::endl <<
+ " -k|--key <keyFile> Path to file containing AES key in binary form used for initial" << std::endl <<
+ " value encryption." << std::endl <<
+ " -p|--password <password> Password used to encrypt the initial value." << std::endl <<
+ " -e|--exportable If present the stored value can be later extracted via" << std::endl <<
+ " key-manager API." << std::endl <<
+ " -a|--accessors <accessor1>[,<accessor2>[,...]]" << std::endl <<
+ " A list of key-manager clients allowed to access given initial" << std::endl <<
+ " value separated by commas." << std::endl <<
+ " -b|--backend <backend> A key-manager's backed to use when saving the initial values." << std::endl;
+}
+
+Buffer readFile(const std::string& file)
+{
+ if (file.empty())
+ return Buffer();
+
+ std::ifstream stream(file);
+ if (!stream.good()) {
+ std::cerr << "Invalid file " << file << std::endl;
+ ::exit(EXIT_FAILURE);
+ }
+
+ Buffer data(InputIterator(stream), { });
+ return data;
+}
+
+
+bool encrypt(const Buffer& data, const Buffer& key, Buffer& output, Buffer& iv, Buffer& tag)
+{
+ OPENSSL_init();
+
+ iv.resize(DEFAULT_IV_LEN);
+
+ std::ifstream stream("/dev/urandom");
+ if (!stream.good()) {
+ std::cerr << "Can't open /dev/urandom" << std::endl;
+ return false;
+ }
+ // FIXIT
+ stream.read(reinterpret_cast<char*>(iv.data()), DEFAULT_IV_LEN);
+
+ std::unique_ptr<EVP_CIPHER_CTX, void (*)(EVP_CIPHER_CTX *)> ctx(EVP_CIPHER_CTX_new(),
+ EVP_CIPHER_CTX_free);
+
+ if (!ctx) {
+ std::cerr << "EVP_CIPHER_CTX_new() failed" << std::endl;
+ return false;
+ }
+
+ if (1 != EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL, NULL, NULL)) {
+ std::cerr << "EVP_EncryptInit_ex() failed" << std::endl;
+ return false;
+ }
+
+ if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, iv.size(), NULL)) {
+ std::cerr << "EVP_CIPHER_CTX_ctrl() failed" << std::endl;
+ return false;
+ }
+
+ if (1 != EVP_EncryptInit_ex(ctx.get(), NULL, NULL, key.data(), iv.data())) {
+ std::cerr << "EVP_EncryptInit_ex() failed" << std::endl;
+ return false;
+ }
+
+ int outputLen = 0;
+ output.resize(data.size() + EVP_CIPHER_CTX_block_size(ctx.get()));
+ int written = 0;
+
+ if (1 != EVP_EncryptUpdate(ctx.get(), output.data(), &written, data.data(), data.size())) {
+ std::cerr << "EVP_EncryptUpdate() failed" << std::endl;
+ return false;
+ }
+ outputLen += written;
+
+ if (1 != EVP_EncryptFinal_ex(ctx.get(), &output.data()[written], &written)) {
+ std::cerr << "EVP_EncryptFinal_ex() failed" << std::endl;
+ return false;
+ }
+ outputLen += written;
+ output.resize(outputLen);
+
+ tag.resize(DEFAULT_TAG_LEN);
+ if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, DEFAULT_TAG_LEN, tag.data())) {
+ std::cerr << "EVP_CIPHER_CTX_ctrl() failed" << std::endl;
+ return false;
+ }
+
+ return true;
+}
+
+struct ScopedXmlLib {
+ ScopedXmlLib() : doc(NULL), commit(false) {
+ xmlInitParser();
+ LIBXML_TEST_VERSION;
+ xmlKeepBlanksDefault(0);
+ }
+
+ ~ScopedXmlLib() {
+ xmlFreeDoc(doc);
+ xmlCleanupParser();
+ }
+
+ xmlDocPtr doc;
+ bool commit;
+};
+
+xmlNodePtr addChild(xmlNodePtr parent, const std::string& name)
+{
+ auto childNode = xmlNewNode(NULL, BAD_CAST name.c_str());
+ if (childNode == NULL) {
+ std::cerr << "xmlNewNode() failed for " << name << std::endl;
+ return NULL;
+ }
+
+ if (xmlAddChild(parent, childNode) == NULL) {
+ std::cerr << "xmlAddChild() failed" << std::endl;
+ xmlFreeNode(childNode);
+ return NULL;
+ }
+
+ return childNode;
+}
+
+bool addProperty(xmlNodePtr element, const std::string& name, const std::string& value)
+{
+ if (value.empty())
+ return true;
+
+ if (xmlNewProp(element, BAD_CAST name.c_str(), BAD_CAST value.c_str()) == NULL) {
+ std::cerr << "xmlNewProp() failed for " << name << std::endl;
+ return false;
+ }
+ return true;
+}
+
+bool addInitialValue(const std::string& xmlFile, const InitialValue& val)
+{
+ ScopedXmlLib lib;
+
+ lib.doc = xmlReadFile(xmlFile.c_str(), NULL, XML_PARSE_NOWARNING);
+ if (lib.doc == NULL) {
+ lib.doc = xmlNewDoc(BAD_CAST "1.0");
+ if (lib.doc == NULL) {
+ std::cerr << "xmlNewDoc() failed" << std::endl;
+ return false;
+ }
+ }
+
+ // root node
+ auto rootNode = xmlDocGetRootElement(lib.doc);
+ if (rootNode == NULL) {
+ rootNode = xmlNewNode(NULL, BAD_CAST "InitialValues");
+ if (rootNode == NULL) {
+ std::cerr << "xmlNewNode() failed" << std::endl;
+ return false;
+ }
+
+ xmlDocSetRootElement(lib.doc, rootNode);
+
+ if (!addProperty(rootNode, "version", "2"))
+ return false;
+ }
+
+ // value node
+ auto valNode = addChild(rootNode, val.type);
+ if (valNode == NULL)
+ return false;
+
+ if (!addProperty(valNode, "name", val.name))
+ return false;
+
+ if (!addProperty(valNode, "type", val.subType))
+ return false;
+
+ if (!addProperty(valNode, "password", val.password))
+ return false;
+
+ if (!addProperty(valNode, "exportable", val.exportable))
+ return false;
+
+ if (!addProperty(valNode, "backend", val.backend))
+ return false;
+
+ // data node
+ auto dataNode = xmlNewTextChild(valNode,
+ NULL,
+ BAD_CAST val.format.c_str(),
+ BAD_CAST val.data.c_str());
+ if (dataNode == NULL)
+ return false;
+
+ if (!addProperty(dataNode, "IV", val.iv))
+ return false;
+
+ if (!addProperty(dataNode, "tag", val.tag))
+ return false;
+
+ // accessor nodes
+ for (auto& accessor : val.accessors) {
+ auto accNode = addChild(valNode, "Permission");
+ if (accNode == NULL)
+ return false;
+
+ if (!addProperty(accNode, "accessor", accessor))
+ return false;
+ }
+
+ if (0 >= xmlSaveFormatFile(xmlFile.empty() ? "-" : xmlFile.c_str(), lib.doc, 1)) {
+ std::cerr << "xmlSaveFile() failed" << std::endl;
+ return false;
+ }
+ return true;
+}
+
+int main(int argc, char* argv[])
+{
+ std::string xmlFile, keyFile, dataFile;
+ Buffer key, data, iv, tag;
+ InitialValue val;
+
+ int idx = 0;
+ int c;
+ while ((c = ::getopt_long(argc, argv, "x:k:n:d:t:s:p:ea:b:h", OPTS, &idx)) != -1) {
+ switch (c) {
+ case 'x':
+ xmlFile = optarg;
+ break;
+ case 'k':
+ keyFile = optarg;
+ break;
+ case 'n':
+ val.name = optarg;
+ break;
+ case 'd':
+ dataFile = optarg;
+ break;
+ case 't':
+ val.type = optarg;
+ break;
+ case 's':
+ val.subType = optarg;
+ break;
+ case 'p':
+ val.password = optarg;
+ break;
+ case 'e':
+ val.exportable = "true";
+ break;
+ case 'a':
+ {
+ std::string tmp = optarg;
+ size_t pos = 0;
+ size_t found = 0;
+ while ((found = tmp.find(',', pos)) != std::string::npos) {
+ if (found != pos)
+ val.accessors.insert(tmp.substr(pos, found - pos));
+ pos = found + 1;
+ }
+ if (pos < tmp.size())
+ val.accessors.insert(tmp.substr(pos));
+ break;
+ }
+ case 'b':
+ val.backend = optarg;
+ break;
+ case 'h':
+ usage();
+ return EXIT_SUCCESS;
+ case '?':
+ case ':':
+ default:
+ usage();
+ return EXIT_FAILURE;
+ }
+ }
+
+ if (val.name.empty() || dataFile.empty() || val.type.empty()) {
+ usage();
+ return EXIT_FAILURE;
+ }
+
+ if (TYPES.find(val.type) == TYPES.end()) {
+ usage();
+ return EXIT_FAILURE;
+ }
+
+ if (val.type == KEY && (val.subType.empty() || SUBTYPES.find(val.subType) == SUBTYPES.end())) {
+ usage();
+ return EXIT_FAILURE;
+ }
+
+ if (!val.backend.empty() && BACKENDS.find(val.backend) == BACKENDS.end()) {
+ usage();
+ return EXIT_FAILURE;
+ }
+
+ data = readFile(dataFile);
+ if (data.empty()) {
+ std::cerr << "Empty data file " << dataFile << std::endl;
+ return EXIT_FAILURE;
+ }
+
+ key = readFile(keyFile);
+
+ val.format = FORMAT.at(val.type).plain;
+ if (!keyFile.empty()) {
+ if (key.size() != 32) {
+ std::cerr << "Invalid key size " << std::endl;
+ return EXIT_FAILURE;
+ }
+
+ Buffer output;
+ if (!encrypt(data, key, output, iv, tag))
+ return EXIT_FAILURE;
+
+ val.data = base64(output);
+ if (val.data.empty())
+ return EXIT_FAILURE;
+
+ val.iv = base64(iv);
+ if (val.iv.empty())
+ return EXIT_FAILURE;
+
+ val.tag = base64(tag);
+ if (val.tag.empty())
+ return EXIT_FAILURE;
+
+ val.format = FORMAT.at(val.type).encrypted;
+ } else {
+ val.data = base64(data);
+ }
+
+ if (!addInitialValue(xmlFile, val))
+ return EXIT_FAILURE;
+
+ return EXIT_SUCCESS;
+}
projects / platform / core / security / key-manager.git / commitdiff