keySize);
}
+RawBuffer encapsulateKey(const RawBuffer &publicKeyId,
+ const Pwd &publicKeyPwd,
+ const CryptoAlgorithm ¶ms,
+ const Password &sharedSecretPwd,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId)
+{
+ CKM::KemType kt = unpack<CKM::KemType>(params, ParamName::GEN_KEM_TYPE);
+ RawBuffer sharedSecretPwdBuf(sharedSecretPwd.begin(), sharedSecretPwd.end());
+
+ return TrustZoneContext::Instance().encapsulateKey(publicKeyId,
+ publicKeyPwd,
+ toTzKem(kt),
+ sharedSecretPwdBuf,
+ sharedSecretIV,
+ sharedSecretTag,
+ sharedSecretId);
+}
+
+void decapsulateKey(const RawBuffer &privateKeyId,
+ const Pwd &privateKeyPwd,
+ const CryptoAlgorithm ¶ms,
+ const Password &sharedSecretPwd,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId,
+ const RawBuffer &ciphertext)
+{
+ CKM::KemType kt = unpack<CKM::KemType>(params, ParamName::GEN_KEM_TYPE);
+ RawBuffer sharedSecretPwdBuf(sharedSecretPwd.begin(), sharedSecretPwd.end());
+
+ TrustZoneContext::Instance().decapsulateKey(privateKeyId,
+ privateKeyPwd,
+ toTzKem(kt),
+ sharedSecretPwdBuf,
+ sharedSecretIV,
+ sharedSecretTag,
+ sharedSecretId,
+ ciphertext);
+}
+
RawBuffer getData(const RawBuffer &dataId,
const Pwd &pwd,
const DataType &type)
const RawBuffer &encryptedKeyId,
size_t keySize);
+RawBuffer encapsulateKey(const RawBuffer &publicKeyId,
+ const Pwd &publicKeyPwd,
+ const CryptoAlgorithm ¶ms,
+ const Password &sharedSecretPwd,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId);
+
+void decapsulateKey(const RawBuffer &privateKeyId,
+ const Pwd &privateKeyPwd,
+ const CryptoAlgorithm ¶ms,
+ const Password &sharedSecretPwd,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId,
+ const RawBuffer &ciphertext);
+
RawBuffer getData(const RawBuffer &dataId,
const Pwd &pwd,
const DataType &type);
#include <tz-backend/ctx.h>
#include <tz-backend/store.h>
#include <tz-backend/internals.h>
+#include <dpl/log/log.h>
namespace CKM {
namespace Crypto {
return Token(backendId(), DataType(KeyType::KEY_AES), Store::pack(hash, pass, iv, tag));
}
+std::tuple<Token, RawBuffer> BData::encapsulateKey(const CryptoAlgorithm ¶ms,
+ const Token &,
+ const Password &,
+ const Password &sharedSecretPass,
+ const RawBuffer &sharedSecretHash)
+{
+ RawBuffer sharedSecretIV;
+ RawBuffer sharedSecretTag;
+
+ if (!sharedSecretPass.empty()) {
+ // IV is needed for data encryption with pwd
+ sharedSecretIV = Internals::generateIV();
+ }
+
+ RawBuffer ciphertext = Internals::encapsulateKey(getId(),
+ getPassword(),
+ params,
+ sharedSecretPass,
+ sharedSecretIV,
+ sharedSecretTag,
+ sharedSecretHash);
+
+ return std::make_tuple(Token(backendId(), DataType::KEY_AES, Store::pack(
+ sharedSecretHash, sharedSecretPass, sharedSecretIV, sharedSecretTag)),
+ ciphertext);
+}
+
+Token BData::decapsulateKey(const CryptoAlgorithm ¶ms,
+ const Token &,
+ const Password &,
+ const Password &sharedSecretPass,
+ const RawBuffer &ciphertext,
+ const RawBuffer &sharedSecretHash)
+{
+ RawBuffer sharedSecretIV;
+ RawBuffer sharedSecretTag;
+
+ if (!sharedSecretPass.empty()) {
+ // IV is needed for data encryption with pwd
+ sharedSecretIV = Internals::generateIV();
+ }
+
+ Internals::decapsulateKey(getId(),
+ getPassword(),
+ params,
+ sharedSecretPass,
+ sharedSecretIV,
+ sharedSecretTag,
+ sharedSecretHash,
+ ciphertext);
+
+ return Token(backendId(), DataType::KEY_AES, Store::pack(
+ sharedSecretHash, sharedSecretPass, sharedSecretIV, sharedSecretTag));
+}
+
Token Key::unwrap(const CryptoAlgorithm ¶ms,
const Data &encryptedKey,
const Password &pass,
ThrowErr(Exc::Crypto::OperationNotSupported);
}
+std::tuple<Token, RawBuffer> Cert::encapsulateKey(const CryptoAlgorithm &,
+ const Token &,
+ const Password &,
+ const Password &,
+ const RawBuffer &)
+{
+ ThrowErr(Exc::Crypto::OperationNotSupported);
+}
+
+Token Cert::decapsulateKey(const CryptoAlgorithm &,
+ const Token &,
+ const Password &,
+ const Password &,
+ const RawBuffer &,
+ const RawBuffer &)
+{
+ ThrowErr(Exc::Crypto::OperationNotSupported);
+}
+
+
} // namespace TZ
} // namespace Crypto
} // namespace CKM
}
Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override;
+ std::tuple<Token, RawBuffer> encapsulateKey(const CryptoAlgorithm ¶ms,
+ const Token &pubKey,
+ const Password &pubKeyPass,
+ const Password &sharedSecretPass,
+ const RawBuffer &) override;
+
+ Token decapsulateKey(const CryptoAlgorithm ¶ms,
+ const Token &privKey,
+ const Password &privKeyPass,
+ const Password &sharedSecretPass,
+ const RawBuffer &ciphertext,
+ const RawBuffer &) override;
+
protected:
int m_scheme;
Pwd m_password;
const Password &,
size_t,
const RawBuffer &) override;
+
+ std::tuple<Token, RawBuffer> encapsulateKey(const CryptoAlgorithm &,
+ const Token &,
+ const Password &,
+ const Password &,
+ const RawBuffer &) override;
+
+ Token decapsulateKey(const CryptoAlgorithm &,
+ const Token &,
+ const Password &,
+ const Password &,
+ const RawBuffer &,
+ const RawBuffer &) override;
};
} // namespace TZ
return userData;
}
+RawBuffer TrustZoneContext::encapsulateKey(const RawBuffer &publicKeyId,
+ const Pwd &publicKeyPwd,
+ tz_kem kemType,
+ const RawBuffer &sharedSecretPwdBuf,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId)
+{
+ // command ID = CMD_ENCAPSULATE_KEY
+ LogDebug("TrustZoneContext::encapsulateKey");
+
+ TZSerializer sIn = makeSerializer(publicKeyId,
+ publicKeyPwd,
+ EncPwd{sharedSecretPwdBuf, sharedSecretIV},
+ sharedSecretId);
+
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TZSerializer sOut;
+ uint32_t outMemorySize = 0;
+ switch (kemType)
+ {
+ case ML_KEM_768:
+ outMemorySize = 1088;
+ break;
+ case ML_KEM_1024:
+ outMemorySize = 1568;
+ break;
+ default:
+ break;
+ }
+ sOut.Push(new TZSerializableBinary(outMemorySize, false));
+ if (!sharedSecretPwdBuf.empty()) {
+ uint32_t tagSizeBytes = Params::DEFAULT_AES_GCM_TAG_LEN_BYTES;
+ sOut.Push(new TZSerializableBinary(tagSizeBytes));
+ }
+ TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+ op.params[0].value.a = static_cast<uint32_t>(kemType);
+
+ Execute(CMD_ENCAPSULATE_KEY, &op);
+
+ sOut.Deserialize(outMemory);
+ RawBuffer ciphertext;
+ sOut.Pull(ciphertext);
+
+ if (!sharedSecretPwdBuf.empty()) {
+ sOut.Pull(sharedSecretTag);
+ }
+
+ return ciphertext;
+}
+
+void TrustZoneContext::decapsulateKey(const RawBuffer &privateKeyId,
+ const Pwd &privateKeyPwd,
+ tz_kem kemType,
+ const RawBuffer &sharedSecretPwdBuf,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId,
+ const RawBuffer &ciphertext)
+{
+ // command ID = CMD_DECAPSULATE_KEY
+ LogDebug("TrustZoneContext::decapsulateKey");
+
+ TZSerializer sIn = makeSerializer(privateKeyId,
+ privateKeyPwd,
+ EncPwd{sharedSecretPwdBuf, sharedSecretIV},
+ sharedSecretId,
+ ciphertext);
+
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TZSerializer sOut;
+ if (!sharedSecretPwdBuf.empty()) {
+ uint32_t tagSizeBytes = Params::DEFAULT_AES_GCM_TAG_LEN_BYTES;
+ sOut.Push(new TZSerializableBinary(tagSizeBytes));
+ }
+ TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory);
+ if (!sharedSecretPwdBuf.empty())
+ op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+
+ op.params[0].value.a = static_cast<uint32_t>(kemType);
+
+ Execute(CMD_DECAPSULATE_KEY, &op);
+
+ if (!sharedSecretPwdBuf.empty()) {
+ sOut.Deserialize(outMemory);
+ sOut.Pull(sharedSecretTag);
+ }
+}
+
void TrustZoneContext::GetDataSize(const RawBuffer &dataId,
const Pwd &pwd,
const tz_data_type type,
sOut.Pull(data);
}
-
void TrustZoneContext::destroyData(const RawBuffer &dataId)
{
// command ID = CMD_DESTROY_DATA
const RawBuffer &encryptedKeyId,
size_t keySize);
+ RawBuffer encapsulateKey(const RawBuffer &publicKeyId,
+ const Pwd &publicKeyPwd,
+ tz_kem kemType,
+ const RawBuffer &sharedSecretPwdBuf,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId);
+
+ void decapsulateKey(const RawBuffer &privateKeyId,
+ const Pwd &privateKeyPwd,
+ tz_kem kemType,
+ const RawBuffer &sharedSecretPwdBuf,
+ const RawBuffer &sharedSecretIV,
+ RawBuffer &sharedSecretTag,
+ const RawBuffer &sharedSecretId,
+ const RawBuffer &ciphertext);
+
void executeCrypt(tz_command cmd,
tz_algo_type algo,
tz_hash_type hash,
retCode2 = readRowHelper(false, cred, DataType::KEY_KEM_PRIVATE, privateKeyAlias, privateKeyOwner,
privateKeyPassword, privateKeyRow, privateKeyType);
-
if (retCode2 != CKM_API_SUCCESS)
return retCode2;
projects / platform / core / security / key-manager.git / commitdiff