SUBJECT
};
+enum class PolicyBackend : int {
+ DEFAULT = 0,
+ FORCE_SOFTWARE = 1,
+ FORCE_HARDWARE = 2,
+};
+
struct Policy {
- Policy(const Password &pass = Password(), bool extract = true) :
- password(pass), extractable(extract) {}
+ Policy(const Password &pass = Password(), bool extract = true, PolicyBackend policyBackend = PolicyBackend::DEFAULT)
+ : password(pass)
+ , extractable(extract)
+ , backend(policyBackend)
+ {}
virtual ~Policy() {}
Password password; // byte array used to encrypt data inside CKM
bool extractable; // if true key may be extracted from storage
+ PolicyBackend backend;
};
enum class HashAlgorithm : int {
explicit PolicySerializable(IStream &stream)
{
+ int policyBackend;
Deserialization::Deserialize(stream, password);
Deserialization::Deserialize(stream, extractable);
+ Deserialization::Deserialize(stream, policyBackend);
+ backend = static_cast<PolicyBackend>(policyBackend);
}
void Serialize(IStream &stream) const
{
Serialization::Serialize(stream, password);
Serialization::Serialize(stream, extractable);
+ Serialization::Serialize(stream, static_cast<int>(backend));
}
};
return uuidStr;
}
-CryptoBackend chooseCryptoBackend(DataType data, bool exportable,
- bool encrypted)
+CryptoBackend chooseCryptoBackend(DataType data,
+ const Policy &policy,
+ bool encrypted)
{
+ // user directly point proper backend - we will not discuss with it
+ if (policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE)
+ return CryptoBackend::OpenSSL;
+
+ // user directly point proper backend - we will not discuss with it
+ if (policy.backend == CKM::PolicyBackend::FORCE_HARDWARE)
+ return CryptoBackend::TrustZone;
+
// For now only software backend supports device encyption key
// TODO tz-backend could support the master key, but it would require
// hardcoding a known key ID and querying TA whether the key is
return CryptoBackend::OpenSSL;
// Only software backend allows for key export
- if (exportable)
+ if (policy.extractable)
return CryptoBackend::OpenSSL;
// Use TrustZone only with symmetric keys until asymmetric
"Backend not available. BackendId: ", (int)cryptoBackend);
}
-GStore &Decider::getStore(DataType data, bool exportable, bool encrypted) const
+GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) const
{
- return getStore(chooseCryptoBackend(data, exportable, encrypted));
+ return getStore(chooseCryptoBackend(data, policy, encrypted));
}
} // namespace Crypto
public:
Decider();
GStore &getStore(const Token &token) const;
- GStore &getStore(DataType data, bool exportable, bool encrypted = false) const;
+ GStore &getStore(DataType data, const Policy &policy, bool encrypted = false) const;
virtual ~Decider() {}
const Crypto::Data &data,
const Policy &policy) const
{
- Crypto::GStore &store = m_decider.getStore(data.type, policy.extractable);
+ Crypto::GStore &store = m_decider.getStore(data.type, policy);
// do not encrypt data with password during cc_mode on
Token token = store.import(data,
if (retCode != CKM_API_SUCCESS)
return retCode;
- Crypto::GStore &store =
- m_decider.getStore(data.type, policy.extractable, !enc.encryptedKey.empty());
+ Crypto::GStore &store = m_decider.getStore(data.type, policy, !enc.encryptedKey.empty());
Token token;
keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size);
Token key = m_decider.getStore(DataType::KEY_AES,
- policy.extractable).generateSKey(keyGenAlgorithm, policy.password);
+ policy).generateSKey(keyGenAlgorithm, policy.password);
// save the data
DB::Row row(std::move(key), name, ownerLabel,
if (!dt.isKey())
ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value.");
+ if (policyPrivate.backend != policyPublic.backend)
+ ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
+
// use client label if not explicitly provided
const Label &ownerLabelPrv = labelPrivate.empty() ? cred.smackLabel :
labelPrivate;
return CKM_API_ERROR_INPUT_PARAM;
bool exportable = policyPrivate.extractable || policyPublic.extractable;
- TokenPair keys = m_decider.getStore(dt, exportable).generateAKey(keyGenParams,
+ Policy lessRestricted(Password(), exportable, policyPrivate.backend);
+
+ TokenPair keys = m_decider.getStore(dt, lessRestricted).generateAKey(keyGenParams,
policyPrivate.password,
policyPublic.password);
Policy policy(Password(), true);
Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10));
Crypto::Decider decider;
- Crypto::GStore &store = decider.getStore(data.type, true);
+ Crypto::GStore &store = decider.getStore(data.type, policy);
Token token = store.import(data, policy.password);
Name name = "test_data";
Policy policy(Password(), true);
Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10));
Crypto::Decider decider;
- Crypto::GStore &store = decider.getStore(data.type, true);
+ Crypto::GStore &store = decider.getStore(data.type, policy);
Token token = store.import(data, policy.password);
Name name = "test_data";