/*
- * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <km_ta_defines.h>
#endif // TZ_BACKEND_ENABLED
-#include <sstream>
-#include <fstream>
-#include <iomanip>
-
namespace CKM {
namespace Crypto {
namespace {
-template <typename T>
-std::string ValueToString(const T& value)
-{
- std::stringstream str;
- // we need to re-cast because otherwise stringstream
- // will write our value incorrectly
- str << std::setfill('0') << std::setw(2 * sizeof(T)) << std::hex
- << static_cast<uint64_t>(value);
- return str.str();
-}
-
-CryptoBackend chooseCryptoBackend(const DataParams& params)
-{
#ifdef TZ_BACKEND_ENABLED
- if (params.size() != 1 && params.size() != 2) {
- ThrowErr(Exc::Crypto::InternalError, "Invalid number of key parameters provided to decider");
- }
-
- // user directly point proper backend - we will not discuss with it
- if (params[0].policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE)
- return CryptoBackend::OpenSSL;
-
- // user directly point proper backend - we will not discuss with it
- if (params[0].policy.backend == CKM::PolicyBackend::FORCE_HARDWARE)
- return CryptoBackend::TrustZone;
-
- if (params.size() == 1) {
- // For now only software backend supports device encyption key
- // TODO tz-backend could support the master key, but it would require
- // hardcoding a known key ID and querying TA whether the key is
- // reachable
- if (params[0].encrypted) {
- return CryptoBackend::OpenSSL;
- }
-
- // tz-backend allows only for data binary export
- if (params[0].policy.extractable && !params[0].data.isBinaryData()) {
- return CryptoBackend::OpenSSL;
- }
-
- // Use TrustZone only with symmetric keys or unencrypted binary
- // data until asymmetric cryptography is implemented
- if (!params[0].data.isSKey() && !params[0].data.isBinaryData()) {
- return CryptoBackend::OpenSSL;
- }
- } else if (params.size() == 2) {
- // extractable private key can only be handled by OpenSSL
- if (params[0].policy.extractable) {
- return CryptoBackend::OpenSSL;
- }
-
- // ECDSA algorithm is unsupported by GP API 1.0
- if (params[0].data.isEllipticCurve() || params[1].data.isEllipticCurve()) {
- return CryptoBackend::OpenSSL;
- }
- }
-
+CryptoBackend tryGetTzBackend()
+{
try {
LogDebug("Trying to open TA session...");
TZ::Internals::TrustZoneContext::Instance();
LogDebug("...succeeded. Selecting TZ backend.");
return CryptoBackend::TrustZone;
+}
+#endif
+template <class ForceOpenSSL>
+CryptoBackend chooseBackend(const Policy &policy, const ForceOpenSSL &forceOpenSSL)
+{
+#ifdef TZ_BACKEND_ENABLED
+ switch (policy.backend) {
+ case CKM::PolicyBackend::FORCE_SOFTWARE: return CryptoBackend::OpenSSL;
+ case CKM::PolicyBackend::FORCE_HARDWARE: return CryptoBackend::TrustZone;
+ case CKM::PolicyBackend::DEFAULT: break;
+ }
+ return forceOpenSSL() ? CryptoBackend::OpenSSL : tryGetTzBackend();
#else // TZ_BACKEND_ENABLED
- (void) params;
- return CryptoBackend::OpenSSL;
+ (void)policy;
+ (void)forceOpenSSL;
+ return CryptoBackend::OpenSSL;
#endif // TZ_BACKEND_ENABLED
}
GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted)
{
- DataParams params{
- DataParam(data, policy, encrypted)
- };
-
- return getStore(chooseCryptoBackend(params));
+ return getStore(chooseBackend(policy, [&]{
+ return !encrypted && !data.isBinaryData() && (
+ // tz-backend allows only for data binary export
+ policy.extractable ||
+ // Use TrustZone only with symmetric keys or unencrypted binary
+ // data until asymmetric cryptography is implemented
+ !data.isSKey()
+ );
+ }));
}
-GStore &Decider::getStore(const DataParams& params)
+GStore &Decider::getStore(const Policy &policyPrv, DataType prv, DataType pub)
{
- return getStore(chooseCryptoBackend(params));
+ return getStore(chooseBackend(policyPrv, [&]{
+ return
+ // extractable private key can only be handled by OpenSSL
+ policyPrv.extractable ||
+ // ECDSA algorithm is unsupported by GP API 1.0
+ prv.isEllipticCurve() || pub.isEllipticCurve();
+ }));
}
} // namespace Crypto
/*
- * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*/
#pragma once
-#include <vector>
-
#include <ckm/ckm-type.h>
#include <crypto-backend.h>
namespace CKM {
namespace Crypto {
-struct DataParam {
- DataParam() = delete;
- DataParam(const DataType &d, const Policy &pol, bool enc = false)
- : data(d)
- , policy(pol)
- , encrypted(enc)
- {
- }
-
- DataType data;
- Policy policy;
- bool encrypted;
-};
-
-using DataParams = std::vector<DataParam>;
-
class Decider final {
public:
Decider();
GStore &getStore(const Token &token);
GStore &getStore(DataType data, const Policy &policy, bool encrypted = false);
- GStore &getStore(const DataParams& params);
+ GStore &getStore(const Policy &policyPrv, DataType prv, DataType pub);
private:
GStore &getStore(CryptoBackend id);
/*
- * Copyright (c) 2014 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
bool exportable = policyPrivate.extractable || policyPublic.extractable;
Policy lessRestricted(Password(), exportable, policyPrivate.backend);
- Crypto::DataParams params{
- Crypto::DataParam(dt.first, policyPrivate),
- Crypto::DataParam(dt.second, policyPublic),
- };
-
- TokenPair keys = m_decider.getStore(params).generateAKey(keyGenParams,
+ TokenPair keys = m_decider.getStore(policyPrivate, dt.first, dt.second).generateAKey(keyGenParams,
policyPrivate.password,
policyPublic.password);
projects / platform / core / security / key-manager.git / commitdiff