const static int AES_CBC_KEY_SIZE = 32;
const static int AES_GCM_TAG_SIZE = 16;
-// Encryption scheme flags (enable/disable specific encryption type, multiple choice)
-const int ENCR_BASE64 = 1 << 0;
-const int ENCR_APPKEY = 1 << 1;
-const int ENCR_PASSWORD = 1 << 2;
-
-// Encryption order flags (single choice)
-const int ENCR_ORDER_OFFSET = 24;
-const int ENCR_ORDER_FILTER =
- (UINT_MAX >> ENCR_ORDER_OFFSET) << ENCR_ORDER_OFFSET; // 0xff000000
-const int ENCR_ORDER_CLEAR = ~ENCR_ORDER_FILTER; // 0x00ffffff
-/*
- * ENCR_ORDER_V1 - v1 encryption order. Token returned from store is encrypted with app key and
- * optionally by custom user password. In such form it is stored in db.
- */
-const int ENCR_ORDER_V1 = CryptoLogic::ENCRYPTION_V1 << ENCR_ORDER_OFFSET;
-/*
- * ENCR_ORDER_V2 - v2 encryption order. Stored data is optionally encrypted by store with
- * user password. Returned token is encrypted with app key and stored in db.
- */
-const int ENCR_ORDER_V2 = CryptoLogic::ENCRYPTION_V2 << ENCR_ORDER_OFFSET;
-
} // anonymous namespace
CryptoLogic::CryptoLogic() {}
crow.iv = generateRandIV();
key = m_keyMap[row.ownerLabel];
- crow.encryptionScheme = ENCR_APPKEY;
+ CLEAR_FLAG(crow.encryptionScheme);
+ SET_FLAG(ENCR_APPKEY, crow.encryptionScheme);
auto dataPair = Crypto::SW::Internals::encryptDataAesGcm(key, crow.data,
crow.iv, AES_GCM_TAG_SIZE);
crow.tag = dataPair.second;
encBase64(crow.data);
- crow.encryptionScheme |= ENCR_BASE64;
+ SET_FLAG(ENCR_BASE64, crow.encryptionScheme);
encBase64(crow.iv);
- crow.encryptionScheme &= ENCR_ORDER_CLEAR;
- crow.encryptionScheme |= ENCR_ORDER_V2;
+ SET_ENCRYPTION_VERSION(ENCRYPTION_V2, crow.encryptionScheme);
row = std::move(crow);
}
if (row.algorithmType != DBCMAlgType::AES_GCM_256)
ThrowErr(Exc::AuthenticationFailed, "Invalid algorithm type.");
- if ((row.encryptionScheme & ENCR_PASSWORD) && password.empty())
+ if (GET_FLAG(ENCR_PASSWORD, row.encryptionScheme) && password.empty())
ThrowErr(Exc::AuthenticationFailed,
"DB row is password protected, but given password is empty.");
- if (!(row.encryptionScheme & ENCR_PASSWORD) && !password.empty())
+ if (!GET_FLAG(ENCR_PASSWORD, row.encryptionScheme) && !password.empty())
ThrowErr(Exc::AuthenticationFailed,
"DB row is not password protected, but given password is not empty.");
- if ((row.encryptionScheme & ENCR_APPKEY) && !haveKey(row.ownerLabel))
+ if (GET_FLAG(ENCR_APPKEY, row.encryptionScheme) && !haveKey(row.ownerLabel))
ThrowErr(Exc::AuthenticationFailed,
"Missing application key for ",
row.ownerLabel,
decBase64(crow.iv);
- if (crow.encryptionScheme & ENCR_BASE64)
+ if (GET_FLAG(ENCR_BASE64, crow.encryptionScheme))
decBase64(crow.data);
try {
- if ((crow.encryptionScheme >> ENCR_ORDER_OFFSET) == ENCR_ORDER_V2) {
- if (crow.encryptionScheme & ENCR_APPKEY) {
+ if (GET_ENCRYPTION_VERSION(crow.encryptionScheme) == ENCRYPTION_V2) {
+ if (GET_FLAG(ENCR_APPKEY, crow.encryptionScheme)) {
key = m_keyMap[crow.ownerLabel];
crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv,
crow.tag);
}
} else {
- if (crow.encryptionScheme & ENCR_PASSWORD) {
+ if (GET_FLAG(ENCR_PASSWORD, crow.encryptionScheme)) {
key = passwordToKey(password, crow.iv, AES_CBC_KEY_SIZE);
crow.data = Crypto::SW::Internals::decryptDataAes(AlgoType::AES_CBC, key,
crow.data, crow.iv);
}
- if (crow.encryptionScheme & ENCR_APPKEY) {
+ if (GET_FLAG(ENCR_APPKEY, crow.encryptionScheme)) {
key = m_keyMap[crow.ownerLabel];
crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv,
crow.tag);
const RawBuffer &applicationKey);
void removeKey(const Label &smackLabel);
+ /*
+ * v1 encryption.
+ * Token returned from store is encrypted with app key and
+ * optionally by custom user password.
+ */
static const int ENCRYPTION_V1 = 0;
+
+ /*
+ * v2 encryption.
+ * Stored data is optionally encrypted by store with user password.
+ * Returned token is encrypted with app key and stored in db.
+ */
static const int ENCRYPTION_V2 = 1;
private:
static const int ENCR_APPKEY = 1 << 1;
static const int ENCR_PASSWORD = 1 << 2;
- // Encryption order flags (single choice)
- static const int ENCR_ORDER_CLEAR = 0x00ffffff;
- static const int ENCR_ORDER_FILTER = ~ENCR_ORDER_CLEAR;
- /*
- * ENCR_ORDER_V1 - v1 encryption order. Token returned from store is encrypted with app key and
- * optionally by custom user password. Is such form it is stored in db.
- */
- static const int ENCR_ORDER_V1 = ENCR_ORDER_CLEAR + 0;
- /*
- * ENCR_ORDER_V2 - v2 encryption order. Stored data is optionally encrypted by store with
- * user password. Returned token is encrypted with app key and stored in db.
- */
- static const int ENCR_ORDER_V2 = ENCR_ORDER_CLEAR + 1;
+ static const int ENCR_ORDER_OFFSET = 24;
+
+ static inline void CLEAR_FLAG(int &encryptionScheme) {
+ encryptionScheme = 0;
+ }
+
+ static inline void SET_FLAG(int fieldId, int &encryptionScheme) {
+ encryptionScheme |= fieldId;
+ }
+
+ static inline bool GET_FLAG(int fieldId, int encryptionScheme) {
+ return encryptionScheme & fieldId;
+ }
+
+ static inline void SET_ENCRYPTION_VERSION(int version, int &encryptionScheme) {
+ encryptionScheme |= (version << ENCR_ORDER_OFFSET);
+ }
+
+ static inline int GET_ENCRYPTION_VERSION(int encryptionScheme) {
+ return encryptionScheme >> ENCR_ORDER_OFFSET;
+ }
std::map<Label, RawBuffer> m_keyMap;
projects / platform / core / security / key-manager.git / commitdiff