protected:
GKey(){}
public:
- virtual RawBuffer getBinary() {
+ virtual RawBuffer getBinary() const {
ThrowErr(Exc::Crypto::OperationNotSupported);
}
, m_tzStore(new TZ::Store(CryptoBackend::TrustZone))
{}
-GStore& Decider::getStore(const Token &token) {
+GStore& Decider::getStore(const Token &token) const {
return getStore(token.backendId);
};
-GStore& Decider::getStore(CryptoBackend cryptoBackend) {
+GStore& Decider::getStore(CryptoBackend cryptoBackend) const {
GStore *gStore = NULL;
if (cryptoBackend == CryptoBackend::OpenSSL)
gStore = m_swStore.get();
"Backend not available. BackendId: ", (int)cryptoBackend);
}
-GStore& Decider::getStore(DataType data, bool exportable) {
+GStore& Decider::getStore(DataType data, bool exportable) const {
return getStore(chooseCryptoBackend(data, exportable));
}
class Decider {
public:
Decider();
- GStore& getStore(const Token &token);
- GStore& getStore(DataType data, bool exportable);
+ GStore& getStore(const Token &token) const;
+ GStore& getStore(DataType data, bool exportable) const;
CryptoBackend chooseCryptoBackend(DataType data, bool exportable) const;
virtual ~Decider(){}
protected:
- GStore& getStore(CryptoBackend id);
+ GStore& getStore(CryptoBackend id) const;
std::unique_ptr<GStore> m_swStore;
std::unique_ptr<GStore> m_tzStore;
#include <generic-backend/exception.h>
-// TODO move it to static const int
-#define AES_GCM_TAG_SIZE 16
-
namespace CKM {
namespace Crypto {
namespace SW {
#include <generic-backend/exception.h>
#include <sw-backend/internals.h>
+#include <sw-backend/crypto.h>
#define OPENSSL_SUCCESS 1 // DO NOTCHANGE THIS VALUE
#define OPENSSL_FAIL 0 // DO NOTCHANGE THIS VALUE
output.resize(size);
return output;
}
+
+template<typename T>
+T unpack(
+ const CKM::CryptoAlgorithm &alg,
+ CKM::ParamName paramName)
+{
+ T result;
+ if (!alg.getParam(paramName, result)) {
+ ThrowErr(CKM::Exc::Crypto::InputParam, "Wrong input param");
+ }
+ return result;
+}
+
} // anonymous namespace
namespace CKM {
return Token(backendId, DataType(KeyType::KEY_AES), CKM::RawBuffer(key, key+sizeBytes));
}
+RawBuffer encryptDataAesCbc(
+ const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv)
+{
+ Crypto::SW::Cipher::AesCbcEncryption enc(key, iv);
+ RawBuffer result = enc.Append(data);
+ RawBuffer tmp = enc.Finalize();
+ std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
+ return result;
+}
+
+std::pair<RawBuffer, RawBuffer> encryptDataAesGcm(
+ const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv,
+ int tagSize)
+{
+ RawBuffer tag(tagSize);
+ Crypto::SW::Cipher::AesGcmEncryption enc(key, iv);
+ RawBuffer result = enc.Append(data);
+ RawBuffer tmp = enc.Finalize();
+ std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
+ if (0 == enc.Control(EVP_CTRL_GCM_GET_TAG, tagSize, tag.data())) {
+ ThrowErr(Exc::Crypto::InternalError, "Error in AES control function. Get tag failed.");
+ }
+ return std::make_pair(result, tag);
+}
+
+RawBuffer encryptDataAesGcmPacked(
+ const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv,
+ int tagSize)
+{
+ auto pair = encryptDataAesGcm(key, data, iv, tagSize);
+ std::copy(pair.second.begin(), pair.second.end(), std::back_inserter(pair.first));
+ return pair.first;
+}
+
+RawBuffer decryptDataAesCbc(
+ const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv)
+{
+ Crypto::SW::Cipher::AesCbcDecryption dec(key, iv);
+ RawBuffer result = dec.Append(data);
+ RawBuffer tmp = dec.Finalize();
+ std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
+ return result;
+}
+
+RawBuffer decryptDataAesGcm(
+ const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv,
+ const RawBuffer &tag)
+{
+ Crypto::SW::Cipher::AesGcmDecryption dec(key, iv);
+ void *ptr = (void*)tag.data();
+ if (0 == dec.Control(EVP_CTRL_GCM_SET_TAG, tag.size(), ptr)) {
+ ThrowErr(Exc::Crypto::InternalError,
+ "Error in AES control function. Set tag failed.");
+ }
+ RawBuffer result = dec.Append(data);
+ RawBuffer tmp = dec.Finalize();
+ std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
+ return result;
+}
+
+RawBuffer decryptDataAesGcmPacked(
+ const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv,
+ int tagSize)
+{
+ if (tagSize > static_cast<int>(data.size()))
+ ThrowErr(Exc::Crypto::InputParam, "Wrong size of tag");
+
+ auto tagPos = data.data() + data.size() - tagSize;
+ return decryptDataAesGcm(
+ key,
+ RawBuffer(data.data(), tagPos),
+ iv,
+ RawBuffer(tagPos, data.data() + data.size()));
+}
+
+RawBuffer symmetricEncrypt(const RawBuffer &key,
+ const CryptoAlgorithm &alg,
+ const RawBuffer &data)
+{
+ AlgoType keyType = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+
+ switch(keyType)
+ {
+ case AlgoType::AES_CBC:
+ return encryptDataAesCbc(key, data, unpack<RawBuffer>(alg, ParamName::ED_IV));
+ case AlgoType::AES_GCM:
+ return encryptDataAesGcmPacked(key, data, unpack<RawBuffer>(alg, ParamName::ED_IV),
+ unpack<int>(alg, ParamName::ED_TAG_LEN));
+ default:
+ break;
+ }
+ ThrowErr(Exc::Crypto::OperationNotSupported,
+ "symmetric enc error: algorithm not recognized");
+}
+
+RawBuffer symmetricDecrypt(const RawBuffer &key,
+ const CryptoAlgorithm &alg,
+ const RawBuffer &data)
+{
+ AlgoType keyType = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+
+ switch(keyType)
+ {
+ case AlgoType::AES_CBC:
+ return decryptDataAesCbc(key, data, unpack<RawBuffer>(alg, ParamName::ED_IV));
+ case AlgoType::AES_GCM:
+ return decryptDataAesGcmPacked(key, data, unpack<RawBuffer>(alg, ParamName::ED_IV),
+ unpack<int>(alg, ParamName::ED_TAG_LEN));
+ default:
+ break;
+ }
+ ThrowErr(Exc::Crypto::InputParam, "symmetric dec error: algorithm not recognized");
+}
+
RawBuffer sign(EVP_PKEY *pkey,
const CryptoAlgorithm &alg,
const RawBuffer &message)
TokenPair createKeyPairECDSA(CryptoBackend backendId, ElipticCurve type1);
Token createKeyAES(CryptoBackend backendId, const int sizeBits);
+RawBuffer symmetricEncrypt(const RawBuffer &key,
+ const CryptoAlgorithm &alg,
+ const RawBuffer &data);
+RawBuffer symmetricDecrypt(const RawBuffer &key,
+ const CryptoAlgorithm &alg,
+ const RawBuffer &cipher);
+
+std::pair<RawBuffer, RawBuffer> encryptDataAesGcm(const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv,
+ int tagSize);
+
+RawBuffer decryptDataAesGcm(const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv,
+ const RawBuffer &tag);
+
+RawBuffer encryptDataAesCbc(const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv);
+
+RawBuffer decryptDataAesCbc(const RawBuffer &key,
+ const RawBuffer &data,
+ const RawBuffer &iv);
+
RawBuffer sign(EVP_PKEY *pkey,
const CryptoAlgorithm &alg,
const RawBuffer &message);
typedef std::unique_ptr<BIO, std::function<void(BIO*)>> BioUniquePtr;
+RawBuffer SKey::getBinary() const {
+ return m_key;
+}
+
+RawBuffer SKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data)
+{
+ return Internals::symmetricEncrypt(getBinary(), alg, data);
+}
+RawBuffer SKey::decrypt(const CryptoAlgorithm &alg, const RawBuffer &cipher)
+{
+ return Internals::symmetricDecrypt(getBinary(), alg, cipher);
+}
+
RawBuffer AKey::sign(
const CryptoAlgorithm &alg,
const RawBuffer &message)
return Internals::sign(getEvpShPtr().get(), alg, message);
}
+RawBuffer AKey::getBinary() const {
+ return m_key;
+}
+
int AKey::verify(const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &sign) {
return Internals::verify(getEvpShPtr().get(), alg, message, sign);
}
: m_key(std::move(buffer))
, m_type(keyType)
{}
+
+ virtual RawBuffer getBinary() const;
+ virtual RawBuffer encrypt(const CryptoAlgorithm &, const RawBuffer &);
+ virtual RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &);
protected:
RawBuffer m_key;
DataType m_type;
{}
virtual RawBuffer sign(const CryptoAlgorithm &alg, const RawBuffer &message);
virtual int verify(const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &sign);
+ virtual RawBuffer getBinary() const;
virtual ~AKey(){}
protected:
virtual EvpShPtr getEvpShPtr();
#include <digest.h>
#include <crypto-logic.h>
-#include <sw-backend/crypto.h>
+#include <generic-backend/exception.h>
+#include <sw-backend/internals.h>
-#define AES_CBC_KEY_SIZE 32
+namespace {
+
+const static int AES_CBC_KEY_SIZE = 32;
+const static int AES_GCM_TAG_SIZE = 16;
+
+} // anonymous namespace
namespace CKM {
-CryptoLogic::CryptoLogic(){}
+CryptoLogic::CryptoLogic() {}
CryptoLogic::CryptoLogic(CryptoLogic &&second) {
m_keyMap = std::move(second.m_keyMap);
}
void CryptoLogic::pushKey(const Label &smackLabel,
- const RawBuffer &applicationKey)
+ const RawBuffer &applicationKey)
{
if (smackLabel.length() == 0) {
ThrowErr(Exc::InternalError, "Empty smack label.");
ThrowErr(Exc::InternalError, "Application key for ", smackLabel,
"label already exists.");
}
+
m_keyMap[smackLabel] = applicationKey;
}
m_keyMap.erase(smackLabel);
}
-RawBuffer CryptoLogic::encryptDataAesCbc(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv) const
-{
- Crypto::SW::Cipher::AesCbcEncryption enc(key, iv);
- RawBuffer result = enc.Append(data);
- RawBuffer tmp = enc.Finalize();
- std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
- return result;
-}
-
-RawBuffer CryptoLogic::decryptDataAesCbc(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv) const
-{
- Crypto::SW::Cipher::AesCbcDecryption dec(key, iv);
- RawBuffer result = dec.Append(data);
- RawBuffer tmp = dec.Finalize();
- std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
- return result;
-}
-
-std::pair<RawBuffer,RawBuffer> CryptoLogic::encryptDataAesGcm(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv) const
-{
- RawBuffer tag(AES_GCM_TAG_SIZE);
- Crypto::SW::Cipher::AesGcmEncryption enc(key, iv);
- RawBuffer result = enc.Append(data);
- RawBuffer tmp = enc.Finalize();
- std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
- if (0 == enc.Control(EVP_CTRL_GCM_GET_TAG, AES_GCM_TAG_SIZE, tag.data())) {
- ThrowErr(Exc::InternalError, "Error in aes control function. Get tag failed.");
- }
- return std::make_pair(result, tag);
-}
-
-RawBuffer CryptoLogic::decryptDataAesGcm(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv,
- const RawBuffer &tag) const
-{
- Crypto::SW::Cipher::AesGcmDecryption dec(key, iv);
- if (tag.size() < AES_GCM_TAG_SIZE) {
- ThrowErr(Exc::AuthenticationFailed, "Error in decryptDataAesGcm. Tag is too short");
- }
- void *ptr = (void*)tag.data();
- if (0 == dec.Control(EVP_CTRL_GCM_SET_TAG, AES_GCM_TAG_SIZE, ptr)) {
- ThrowErr(Exc::AuthenticationFailed, "Error in aes control function. Set tag failed.");
- }
- RawBuffer result = dec.Append(data);
- RawBuffer tmp = dec.Finalize();
- std::copy(tmp.begin(), tmp.end(), std::back_inserter(result));
- return result;
-}
-
RawBuffer CryptoLogic::passwordToKey(
const Password &password,
const RawBuffer &salt,
{
ThrowErr(Exc::InternalError, "PCKS5_PKKDF_HMAC_SHA1 failed.");
}
+
return result;
}
key = m_keyMap[row.ownerLabel];
crow.encryptionScheme = ENCR_APPKEY;
- auto dataPair = encryptDataAesGcm(crow.data, key, crow.iv);
+ auto dataPair = Crypto::SW::Internals::encryptDataAesGcm(key, crow.data, crow.iv, AES_GCM_TAG_SIZE);
crow.data = dataPair.first;
+
crow.tag = dataPair.second;
if (!password.empty()) {
key = passwordToKey(password, crow.iv, AES_CBC_KEY_SIZE);
- crow.data = encryptDataAesCbc(crow.data, key, crow.iv);
+
+ crow.data = Crypto::SW::Internals::encryptDataAesCbc(key, crow.data, crow.iv);
crow.encryptionScheme |= ENCR_PASSWORD;
}
if (crow.encryptionScheme & ENCR_PASSWORD) {
key = passwordToKey(password, crow.iv, AES_CBC_KEY_SIZE);
- crow.data = decryptDataAesCbc(crow.data, key, crow.iv);
+ crow.data = Crypto::SW::Internals::decryptDataAesCbc(key, crow.data, crow.iv);
}
if (crow.encryptionScheme & ENCR_APPKEY) {
key = m_keyMap[crow.ownerLabel];
- crow.data = decryptDataAesGcm(crow.data, key, crow.iv, crow.tag);
+ crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv, crow.tag);
}
if (static_cast<int>(crow.data.size()) < crow.dataSize) {
void removeKey(const Label &smackLabel);
private:
- static const int ENCR_BASE64 = 1 << 0;
- static const int ENCR_APPKEY = 1 << 1;
- static const int ENCR_PASSWORD = 1 << 2;
+ static const int ENCR_BASE64 = 1 << 0;
+ static const int ENCR_APPKEY = 1 << 1;
+ static const int ENCR_PASSWORD = 1 << 2;
- std::map<Label, RawBuffer> m_keyMap;
+ std::map<Label, RawBuffer> m_keyMap;
RawBuffer generateRandIV() const;
RawBuffer passwordToKey(const Password &password,
const RawBuffer &salt,
size_t keySize) const;
- RawBuffer encryptDataAesCbc(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv) const;
-
- RawBuffer decryptDataAesCbc(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv) const;
-
- std::pair<RawBuffer, RawBuffer> encryptDataAesGcm(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv) const;
-
- RawBuffer decryptDataAesGcm(
- const RawBuffer &data,
- const RawBuffer &key,
- const RawBuffer &iv,
- const RawBuffer &tag) const;
-
void decBase64(RawBuffer &data);
void encBase64(RawBuffer &data);
bool equalDigests(RawBuffer &dig1, RawBuffer &dig2);
#define AES256_KEY_LEN_BITS 256
#define AES256_KEY_LEN_BYTSE (AES256_KEY_LEN_BITS / 8)
-#define AES_GCM_TAG_SIZE 32
+// Unused
+//#define AES_GCM_TAG_SIZE 32
#define PBKDF2_SALT_LEN 16
#define PBKDF2_ITERATIONS 4096
projects / platform / core / security / key-manager.git / commitdiff