}
+RawBuffer wrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ const CryptoAlgorithm &alg,
+ const RawBuffer &keyToWrapId,
+ const Pwd &keyToWrapPwd,
+ const RawBuffer &userData)
+{
+ AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+ HashAlgorithm oaepHash = HashAlgorithm::SHA1;
+ alg.getParam(ParamName::ED_OAEP_HASH, oaepHash);
+
+ return TrustZoneContext::Instance().wrapConcatenatedData(wrappingKeyId,
+ wrappingKeyPwd,
+ getAlgType(algo),
+ getHashType(oaepHash),
+ keyToWrapId,
+ keyToWrapPwd,
+ userData);
+}
+
+RawBuffer unwrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ const CryptoAlgorithm &alg,
+ const Data &encryptedKey,
+ const Password &encryptedKeyPassword,
+ const RawBuffer &encryptedKeyIV,
+ RawBuffer &encryptedKeyTag,
+ const RawBuffer &encryptedKeyId,
+ size_t keySize)
+{
+ RawBuffer encryptedKeyPwdBuf(encryptedKeyPassword.begin(), encryptedKeyPassword.end());
+
+ AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+ HashAlgorithm oaepHash = HashAlgorithm::SHA1;
+ alg.getParam(ParamName::ED_OAEP_HASH, oaepHash);
+
+ return TrustZoneContext::Instance().unwrapConcatenatedData(wrappingKeyId,
+ wrappingKeyPwd,
+ getAlgType(algo),
+ getHashType(oaepHash),
+ toTzDataType(encryptedKey.type),
+ encryptedKey.data,
+ encryptedKeyPwdBuf,
+ encryptedKeyIV,
+ encryptedKeyTag,
+ encryptedKeyId,
+ keySize);
+}
+
RawBuffer getData(const RawBuffer &dataId,
const Pwd &pwd,
const DataType &type)
const Pwd &keyToWrapPwd,
const DataType &keyToWrapType);
+RawBuffer wrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ const CryptoAlgorithm &alg,
+ const RawBuffer &keyToWrapId,
+ const Pwd &keyToWrapPwd,
+ const RawBuffer &userData);
+
+RawBuffer unwrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ const CryptoAlgorithm &alg,
+ const Data &encryptedKey,
+ const Password &encryptedKeyPassword,
+ const RawBuffer &encryptedKeyIV,
+ RawBuffer &encryptedKeyTag,
+ const RawBuffer &encryptedKeyId,
+ size_t keySize);
+
RawBuffer getData(const RawBuffer &dataId,
const Pwd &pwd,
const DataType &type);
return Internals::verify(getId(), getPassword(), algWithType, message, sign);
}
+RawBuffer AKey::wrapConcatenated(const CryptoAlgorithm ¶ms,
+ const Token &keyToWrap,
+ const Password &keyToWrapPass,
+ const RawBuffer &userData)
+{
+ int keyToWrapScheme;
+ RawBuffer keyToWrapId;
+ RawBuffer keyToWrapIV;
+ RawBuffer keyToWrapTag;
+ Store::unpack(keyToWrap.data,
+ keyToWrapPass,
+ keyToWrapScheme,
+ keyToWrapId,
+ keyToWrapIV,
+ keyToWrapTag);
+
+ return Internals::wrapConcatenatedData(getId(),
+ getPassword(),
+ params,
+ keyToWrapId,
+ Pwd(keyToWrapPass, keyToWrapIV, keyToWrapTag),
+ userData);
+}
+
+std::tuple<Token, RawBuffer> AKey::unwrapConcatenated(const CryptoAlgorithm ¶ms,
+ const Data &encryptedKey,
+ const Password &pass,
+ size_t keySize,
+ const RawBuffer &hash)
+{
+
+ if (!encryptedKey.type.isSymmetricKey())
+ ThrowErr(Exc::Crypto::DataTypeNotSupported, "Invalid data provided for unwrap");
+
+ RawBuffer passIV;
+ RawBuffer tag;
+
+ if (!pass.empty()) {
+ // IV is needed for data encryption with pwd
+ passIV = Internals::generateIV();
+ }
+
+ RawBuffer data = Internals::unwrapConcatenatedData(getId(),
+ getPassword(),
+ params,
+ encryptedKey,
+ pass,
+ passIV,
+ tag,
+ hash,
+ keySize);
+
+ return std::make_tuple(Token(backendId(), encryptedKey.type, Store::pack(hash, pass, passIV, tag)), data);
+}
+
Token Cert::unwrap(const CryptoAlgorithm &,
const Data &,
const Password &,
ThrowErr(Exc::Crypto::OperationNotSupported);
}
+RawBuffer Cert::wrapConcatenated(const CryptoAlgorithm &,
+ const Token &,
+ const Password &,
+ const RawBuffer &)
+{
+ ThrowErr(Exc::Crypto::OperationNotSupported);
+}
+
+std::tuple<Token, RawBuffer> Cert::unwrapConcatenated(const CryptoAlgorithm &,
+ const Data &,
+ const Password &,
+ size_t,
+ const RawBuffer &)
+{
+ ThrowErr(Exc::Crypto::OperationNotSupported);
+}
+
} // namespace TZ
} // namespace Crypto
} // namespace CKM
RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override;
Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override;
GCtxShPtr initContext(const CryptoAlgorithm &, bool) override;
+
+ RawBuffer wrapConcatenated(const CryptoAlgorithm ¶ms,
+ const Token &keyToWrap,
+ const Password &keyToWrapPass,
+ const RawBuffer &userData) override;
+
+ std::tuple<Token, RawBuffer> unwrapConcatenated(const CryptoAlgorithm ¶ms,
+ const Data &encryptedKey,
+ const Password &pass,
+ size_t keySize,
+ const RawBuffer &hash) override;
};
class Cert : public AKey {
RawBuffer wrap(const CryptoAlgorithm ¶ms,
const Token &keyToWrap,
const Password &keyToWrapPass) override;
+
+ RawBuffer wrapConcatenated(const CryptoAlgorithm &,
+ const Token &,
+ const Password &,
+ const RawBuffer &) override;
+
+ std::tuple<Token, RawBuffer> unwrapConcatenated(const CryptoAlgorithm &,
+ const Data &,
+ const Password &,
+ size_t,
+ const RawBuffer &) override;
};
} // namespace TZ
return wrappedKey;
}
+RawBuffer TrustZoneContext::wrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ tz_algo_type algo,
+ tz_hash_type oaepHash,
+ const RawBuffer &keyToWrapId,
+ const Pwd &keyToWrapPwd,
+ const RawBuffer &userData)
+{
+ // command ID = CMD_WRAP_CONCATENATED_DATA
+ LogDebug("TrustZoneContext::wrapConcatenatedData");
+
+ if (algo != ALGO_RSA) {
+ ThrowErr(Exc::Crypto::InputParam, "Only RSA is supported in wrapConcatenatedData");
+ }
+
+ TZSerializer sIn = makeSerializer(wrappingKeyId,
+ wrappingKeyPwd,
+ algo,
+ oaepHash,
+ keyToWrapId,
+ keyToWrapPwd,
+ userData);
+
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ uint32_t outMemorySize = KM_RSA_BLOCK_SIZE;
+ TZSerializer sOut;
+ sOut.Push(new TZSerializableBinary(outMemorySize, false));
+ TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+ sOut.Serialize(outMemory);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+ Execute(CMD_WRAP_CONCATENATED_DATA, &op);
+ sOut.Deserialize(outMemory);
+
+ RawBuffer wrappedKey;
+ sOut.Pull(wrappedKey);
+
+ return wrappedKey;
+}
+
+RawBuffer TrustZoneContext::unwrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ tz_algo_type algo,
+ tz_hash_type oaepHash,
+ const tz_data_type encryptedKeyType,
+ const RawBuffer &encryptedKey,
+ const RawBuffer &encryptedKeyPwdBuf,
+ const RawBuffer &encryptedKeyIV,
+ RawBuffer &encryptedKeyTag,
+ const RawBuffer &encryptedKeyId,
+ size_t keySize)
+{
+ // command ID = CMD_UNWRAP_CONCATENATED_DATA
+ LogDebug("TrustZoneContext::unwrapConcatenatedData");
+
+ if (algo != ALGO_RSA) {
+ ThrowErr(Exc::Crypto::InputParam, "Only RSA is supported in wrapConcatenatedData");
+ }
+
+ TZSerializer sIn = makeSerializer(wrappingKeyId,
+ wrappingKeyPwd,
+ algo,
+ oaepHash,
+ encryptedKeyType,
+ encryptedKey,
+ EncPwd{encryptedKeyPwdBuf, encryptedKeyIV},
+ encryptedKeyId,
+ keySize);
+
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TZSerializer sOut;
+ uint32_t outMemorySize = KM_RSA_BLOCK_SIZE;
+ if (!encryptedKeyPwdBuf.empty()) {
+ outMemorySize += Params::DEFAULT_AES_GCM_TAG_LEN_BYTES;
+ }
+ sOut.Push(new TZSerializableBinary(outMemorySize, false));
+ TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+ sOut.Serialize(outMemory);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+ Execute(CMD_UNWRAP_CONCATENATED_DATA, &op);
+
+ sOut.Deserialize(outMemory);
+
+ RawBuffer userData;
+ sOut.Pull(userData);
+ if (!encryptedKeyPwdBuf.empty()) {
+ sOut.Pull(encryptedKeyTag);
+ }
+
+ return userData;
+}
+
void TrustZoneContext::GetDataSize(const RawBuffer &dataId,
const Pwd &pwd,
const tz_data_type type,
const Pwd &keyToWrapPwd,
tz_data_type keyToWrapType);
+ RawBuffer wrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ tz_algo_type algo,
+ tz_hash_type oaepHash,
+ const RawBuffer &keyToWrapId,
+ const Pwd &keyToWrapPwd,
+ const RawBuffer &userData);
+
+ RawBuffer unwrapConcatenatedData(const RawBuffer &wrappingKeyId,
+ const Pwd &wrappingKeyPwd,
+ tz_algo_type algo,
+ tz_hash_type oaepHash,
+ const tz_data_type encryptedKeyType,
+ const RawBuffer &encryptedKey,
+ const RawBuffer &encryptedKeyPwdBuf,
+ const RawBuffer &encryptedKeyIV,
+ RawBuffer &encryptedKeyTag,
+ const RawBuffer &encryptedKeyId,
+ size_t keySize);
+
void executeCrypt(tz_command cmd,
tz_algo_type algo,
tz_hash_type hash,
projects / platform / core / security / key-manager.git / commitdiff