Token Store::import(const Data &data, const Password &pass, const RawBuffer &encIV)
{
- if (data.type.isBinaryData()) {
- RawBuffer iv;
- RawBuffer tag;
- if (!pass.empty()) {
- // IV is needed for data encryption with pwd
- iv = Internals::generateIV();
- }
- RawBuffer dataId = Internals::importData(data, pass, iv, tag);
- return Token(m_backendId, data.type, pack(dataId, pass, iv, tag));
- }
-
- if (!data.type.isKey())
- ThrowErr(Exc::Crypto::InputParam, "Invalid data provided for import");
+ if (!data.type.isBinaryData() && !data.type.isSKey())
+ ThrowErr(Exc::Crypto::DataTypeNotSupported, "Invalid data provided for import");
- if (!data.type.isSKey())
- ThrowErr(Exc::Crypto::DataTypeNotSupported, "Asymmetric keys are not supported");
-
- RawBuffer iv;
+ RawBuffer passIV;
RawBuffer tag;
+
if (!pass.empty()) {
- // IV is needed for key encryption
- iv = Internals::generateIV();
+ // IV is needed for data encryption with pwd
+ passIV = Internals::generateIV();
}
- RawBuffer keyId = Internals::importKey(data, encIV, pass, iv, tag);
- return Token(m_backendId, data.type, pack(keyId, pass, iv, tag));
+ RawBuffer dataId = Internals::importData(data, encIV, pass, passIV, tag);
+ return Token(m_backendId, data.type, pack(dataId, pass, passIV, tag));
}
void Store::destroy(const Token &token)
memcpy(pwdTag.data(), tagData->data, Params::DEFAULT_AES_GCM_TAG_LEN_BYTES);
}
-
-void TrustZoneContext::importKey(tz_algo_type algo,
- const RawBuffer &key,
- const RawBuffer &encIV,
- const RawBuffer &pwd,
- const RawBuffer &pwdIV,
- RawBuffer &keyId,
- RawBuffer &pwdTag)
-{
- (void)encIV;
- // command ID = CMD_IMPORT_KEY
- //
- // TEEC_Operation layout:
- // params:
- // [0].value.a - key type
- // [0].value.b - key size in bits
- // [1].memref - seralized key & password data
- // output:
- // [0].value.a - return code
- // [2].memref - serialized key reference ID
-
- KM_BufferSizeDesc bufSize;
-
- memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
- bufSize.input_size = static_cast<uint32_t>(key.size());
- if (!pwd.empty()) {
- bufSize.with_pwd_data = true;
- bufSize.pwd_size = static_cast<uint32_t>(pwd.size());
- bufSize.pwd_iv_size = static_cast<uint32_t>(pwdIV.size());
- }
- uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
- TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
-
- memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
- bufSize.out_size = KM_KEY_ID_SIZE;
- bufSize.tag_size = Params::DEFAULT_AES_GCM_TAG_LEN_BYTES;
- uint32_t keyMemorySize = KM_CalcBufferSize(bufSize);
- TrustZoneMemory keyMemory(m_Context, keyMemorySize, TEEC_MEM_OUTPUT);
-
- KM_SymmetricInput* input = nullptr;
- int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
- if (ret) {
- ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for key import: ", ret);
- }
-
- ret = KM_ParamsSerializeInputData(input, key.data(), key.size());
- if (ret) {
- ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key to import: ", ret);
- }
-
- if (!pwd.empty()) {
- ret = KM_ParamsSerializePwdData(input, pwd.data(), pwd.size(), pwdIV.data(), pwdIV.size(),
- nullptr, 0, Params::DERIVED_KEY_LENGTH_BITS,
- Params::DERIVED_KEY_ITERATIONS, bufSize.tag_size * 8);
- if (ret) {
- ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key data for import: ", ret);
- }
- }
-
- TEEC_Operation op;
- op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
- TEEC_MEMREF_WHOLE, TEEC_NONE);
- op.params[0].value.a = algo;
- op.params[0].value.b = key.size() * 8;
- op.params[1].memref.parent = inMemory.Get();
- op.params[1].memref.offset = 0;
- op.params[1].memref.size = inMemory.Get()->size;
- op.params[2].memref.parent = keyMemory.Get();
- op.params[2].memref.offset = 0;
- op.params[2].memref.size = keyMemory.Get()->size;
- Execute(CMD_IMPORT_KEY, &op);
-
- KM_SymmetricInput* output = nullptr;
- ret = KM_ParamsDeserializationInit(keyMemory.Get()->buffer, keyMemory.Get()->size, &output);
- if (ret) {
- ThrowErr(Exc::Crypto::InternalError, "Failed to initialize deserialization for imported key ID");
- }
-
- KM_OutData* outData = nullptr;
- ret = KM_ParamsDeserializeOutData(output, &outData);
- if (ret) {
- ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize imported key ID");
- }
-
- if (outData == nullptr || outData->data_size != KM_KEY_ID_SIZE) {
- ThrowErr(Exc::Crypto::InternalError, "Deserialized incorrect key ID");
- }
-
- keyId.resize(KM_KEY_ID_SIZE);
- memcpy(keyId.data(), outData->data, KM_KEY_ID_SIZE);
-
- if (!pwd.empty()) {
- KM_TagData* tagData = nullptr;
-
- ret = KM_ParamsDeserializeTagData(output, &tagData);
- if (ret) {
- ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize imported key's tag");
- }
-
- if (tagData == nullptr || tagData->data_size != bufSize.tag_size) {
- ThrowErr(Exc::Crypto::InternalError, "Deserialized incorrect key tag");
- }
-
- pwdTag.resize(bufSize.tag_size);
- memcpy(pwdTag.data(), tagData->data, bufSize.tag_size);
- }
-}
-
void TrustZoneContext::executeCrypt(tz_command cmd,
tz_algo_type algo,
const RawBuffer &key,
Execute(CMD_DESTROY_KEY, &op);
}
-void TrustZoneContext::importData(const RawBuffer &data,
+void TrustZoneContext::importData(
+ const uint32_t dataType,
+ const RawBuffer &data,
+ const RawBuffer &encIV,
const RawBuffer &pwd,
const RawBuffer &iv,
+ const uint32_t keySizeBits,
+ const uint32_t pwdTagSizeBits,
RawBuffer &dataId,
RawBuffer &pwdTag)
{
// command ID = CMD_IMPORT_DATA
// input:
// [1].memref - reference to serialized buffer:
+ // uint32_t dataType contains information about type stored as binary data
// KM_BinaryData with binary data
- // uint32_t boolean value - true if password is provided
+ // uint32_t binary/key size in bits
+ // KM_BinaryData IV for data decryption with build in key
+ // uint32_t boolean value - true if password is provided
// KM_PwdData with password (optional)
// Output:
// [0].value.a - return code
// [2].memref - reference to serialized buffer:
// KM_BinaryData with data id
// KM_BinaryData with tag id (optional, if password was provided)
- KM_BinaryData kmTaData;
+ uint32_t inMemorySize = 0;
+
+ // place for dataType
+ inMemorySize += KM_SizeOfFlag();
+
+ KM_BinaryData ta_data;
+ ta_data.data_size = static_cast<uint32_t>(data.size());
+ ta_data.data = const_cast<unsigned char *>(data.data());
+ inMemorySize += KM_SizeOfBinaryData(&ta_data);
+
+ uint32_t keySizeBits_flags = static_cast<uint32_t>(keySizeBits);
+ inMemorySize += KM_SizeOfFlag();
+
+ KM_BinaryData ta_data_enc_iv;
+ ta_data_enc_iv.data_size = static_cast<uint32_t>(encIV.size());
+ ta_data_enc_iv.data = const_cast<unsigned char *>(encIV.data());
+ inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_iv);
+
uint32_t pwd_flag = pwd.empty() ? 0 : 1;
- uint32_t pwdTagSizeBits = Params::DEFAULT_AES_GCM_TAG_LEN_BITS;
- kmTaData.data_size = static_cast<uint32_t>(data.size());
- kmTaData.data = const_cast<unsigned char *>(data.data());
- uint32_t inMemorySize = KM_SizeOfBinaryData(&kmTaData) + KM_SizeOfFlag();
+ inMemorySize += KM_SizeOfFlag();
+
KM_PwdData kmPwdData;
if (pwd_flag) {
memset(&kmPwdData, 0, sizeof(KM_PwdData));
TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
void *inMemoryPtr = inMemory.Get()->buffer;
- int ret = KM_SerializeBinaryData(&inMemoryPtr, &inMemorySize, &kmTaData);
+ int ret = KM_SerializeFlag(&inMemoryPtr, &inMemorySize, dataType);
+ if (ret){
+ ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
+ }
+
+ ret = KM_SerializeBinaryData(&inMemoryPtr, &inMemorySize, &ta_data);
+ if (ret) {
+ ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
+ }
+
+ ret = KM_SerializeFlag(&inMemoryPtr, &inMemorySize, keySizeBits_flags);
if (ret) {
ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
}
+
+ ret = KM_SerializeBinaryData(&inMemoryPtr, &inMemorySize, &ta_data_enc_iv);
+ if (ret) {
+ ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
+ }
+
ret = KM_SerializeFlag(&inMemoryPtr, &inMemorySize, pwd_flag);
if (ret) {
ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
}
+
if (pwd_flag) {
ret = KM_SerializePwdData(&inMemoryPtr, &inMemorySize, &kmPwdData);
if (ret) {
projects / platform / core / security / key-manager.git / commitdiff