--- /dev/null
+/*
+ * Copyright (c) 2024 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ */
+
+
+#ifndef __TIZEN_CORE_CKMC_EXTENDED_H__
+#define __TIZEN_CORE_CKMC_EXTENDED_H__
+
+
+#include <stddef.h>
+#include <stdint.h>
+#include <ckmc/ckmc-type.h>
+#include <ckmc/ckmc-error.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * @addtogroup CAPI_KEY_MANAGER_CLIENT_EXTENDED_MODULE
+ * @{
+ */
+
+
+/**
+ * @platform
+ * @brief Wraps concatenated key and data (key|data) with wrapping key and returns it to the client.
+ *
+ * @since_tizen 7.0
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/keymanager.extended
+ *
+ * @remarks The wrapping key must be public RSA (#CKMC_KEY_RSA_PUBLIC).
+ * @remarks The key denoted by @a alias can only be #CKMC_KEY_AES.
+ * @remarks The key and the wrapping key must be stored in the same backend.
+ * @remarks The data size must be smaller or equal to:
+ * wrapping key size in bytes - key size in bytes -
+ * 2* hash function output size in bytes - 2.
+ * Example: for 3072 RSA wrapping key, 256 AES key and hash SHA384 the maximum
+ * data size is: 3072/8 - 256/8 - 2*384/8 - 2 = 254 bytes.
+ * @remarks Considering the data size limit it's recommended to use RSA key longer than
+ * @c 1024 bits.
+ * @remarks The @a ppwrapped_key should be released using ckmc_key_free().
+ *
+ * @param[in] params Algorithm parameter list handle. See #ckmc_param_list_h and #ckmc_algo_type_e
+ * for details. Supported algorithms:
+ * - #CKMC_ALGO_RSA_OAEP
+ * @param[in] wrapping_key_alias The name of the wrapping key
+ * @param[in] wrapping_key_password An optional password of the wrapping key
+ * @param[in] alias The name of the key to be concatenated, wrapped and exported
+ * @param[in] password An optional password used to decrypt the key pointed by @a alias
+ * @param[in] data Data to be concatenated, wrapped and exported
+ * @param[out] ppwrapped_key The wrapped key.
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Insufficient permissions to access key manager, the
+ * wrapping key or the key being wrapped
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid (missing or invalid mandatory
+ * algorithm parameter or data too long,
+ * @a wrapping_key_alias = NULL,
+ * @a alias = NULL, @a data = NULL,
+ * @a ppwrapped_key = NULL)
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN @a wrapping_key_alias or @a alias does not exist
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_AUTHENTICATION_FAILED Wrapping key decryption failed because
+ * @a wrapping_key_password is incorrect
+ * @retval #CKMC_ERROR_SERVER_ERROR Unknown error
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_unwrap_concatenated_data()
+ * @see #ckmc_param_list_h
+ * @see #ckmc_raw_buffer_s
+ * @see #ckmc_key_s
+ */
+int ckmc_wrap_concatenated_data(const ckmc_param_list_h params,
+ const char *wrapping_key_alias,
+ const char *wrapping_key_password,
+ const char *alias,
+ const char *password,
+ const ckmc_raw_buffer_s *data,
+ ckmc_key_s **ppwrapped_key);
+
+
+/**
+ * @platform
+ * @brief Unwraps concatenated key and data (key|data) with wrapping key.
+ * Splits to key (stored inside key manager) and data (returned to the client).
+ *
+ * @since_tizen 7.0
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/keymanager.extended
+ *
+ * @remarks The wrapping key must be private RSA (#CKMC_KEY_RSA_PRIVATE).
+ * @remarks key_type in @a wrapped_key can only be #CKMC_KEY_AES.
+ * @remarks password in @a wrapped_key must be set to NULL. There's no need to additionally encrypt
+ * a wrapped key.
+ * @remarks The key denoted by @a alias can only be #CKMC_KEY_AES.
+ * @remarks If password in @a policy is provided, the stored key is additionally encrypted with it.
+ * @remarks If extractable in @a policy is set to false, the stored key may still be exported in a
+ * wrapped form.
+ * @remarks The @a ppdata should be released using ckmc_buffer_free().
+ *
+ * @param[in] params Algorithm parameter list handle. See #ckmc_param_list_h and #ckmc_algo_type_e
+ * for details. Supported algorithms:
+ * - #CKMC_ALGO_RSA_OAEP
+ * @param[in] wrapping_key_alias The name of the wrapping key
+ * @param[in] wrapping_key_password An optional password of the wrapping key
+ * @param[in] wrapped_key The wrapped key to be unwrapped, splitted and stored
+ * @param[in] alias The name of a key to be stored
+ * @param[in] size The size in bits of the key to be stored. @c 128, @c 192 and @c 256 are supported
+ * @param[in] policy The policy about how to store a key securely
+ * @param[out] ppdata The unwrapped data.
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Insufficient permissions to access key manager, the
+ * wrapping key or to create the unwrapped key
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid (missing or invalid mandatory
+ * algorithm parameter or invalid key size,
+ * @a wrapping_key_alias = NULL, @a wrapped_key = NULL,
+ * @a alias = NULL, @a ppdata = NULL)
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN @a wrapping_key_alias does not exist
+ * @retval #CKMC_ERROR_DB_ALIAS_EXISTS @a alias already exists
+ * @retval #CKMC_ERROR_INVALID_FORMAT The format of @a wrapped_key is not valid
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_AUTHENTICATION_FAILED Wrapping key decryption failed because
+ * @a wrapping_key_password is incorrect
+ * @retval #CKMC_ERROR_SERVER_ERROR Unknown error
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_wrap_concatenated_data()
+ * @see #ckmc_param_list_h
+ * @see #ckmc_key_s
+ * @see #ckmc_policy_s
+ * @see #ckmc_raw_buffer_s
+ */
+int ckmc_unwrap_concatenated_data(const ckmc_param_list_h params,
+ const char *wrapping_key_alias,
+ const char *wrapping_key_password,
+ const ckmc_key_s *wrapped_key,
+ const char *alias,
+ size_t size,
+ const ckmc_policy_s policy,
+ ckmc_raw_buffer_s **ppdata);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+
+/**
+ * @}
+ */
+
+
+#endif /* __TIZEN_CORE_CKMC_EXTENDED_H__ */
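Review bot: The comment on ckmc_unwrap_concatenated_data() says a key stored with extractable set to false "may still be exported in a wrapped form", but neither function comment says what access to @a alias a caller needs before ckmc_wrap_concatenated_data() will export it under an RSA public key of the caller's choosing. That is the security boundary of this API, so it should be spelled out in a `@remarks` line on the wrap function rather than left to the PERMISSION_DENIED row. The wrap comment's `#CKMC_ERROR_AUTHENTICATION_FAILED` row names only @a wrapping_key_password, although @a password is documented as decrypting the key at @a alias; if a wrong @a password returns the same code, extend the row to `... because @a wrapping_key_password or @a password is incorrect`. It would also help to document the state of @a ppwrapped_key and @a ppdata on failure, for example `@remarks On error @a ppdata is left unmodified.` if that is the intended contract.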
#include <ckm/ckm-manager.h>
#include <ckmc/ckmc-type.h>
#include <ckmc/ckmc-manager.h>
+#include <ckmc/ckmc-extended.h>
#include <ckmc/ckmc-error.h>
#include <ckmc-type-converter.h>
#include <client-common.h>
delete ctx;
}
+
+KEY_MANAGER_CAPI
+int ckmc_wrap_concatenated_data(const ckmc_param_list_h params,
+ const char *wrapping_key_alias,
+ const char *wrapping_key_password,
+ const char *alias,
+ const char *password,
+ const ckmc_raw_buffer_s *data,
+ ckmc_key_s **ppwrapped_key)
+{
+ (void) params;
+ (void) wrapping_key_alias;
+ (void) wrapping_key_password;
+ (void) alias;
+ (void) password;
+ (void) data;
+ (void) ppwrapped_key;
+
+ return CKMC_ERROR_NONE;
+}
+
+KEY_MANAGER_CAPI
+int ckmc_unwrap_concatenated_data(const ckmc_param_list_h params,
+ const char *wrapping_key_alias,
+ const char *wrapping_key_password,
+ const ckmc_key_s *wrapped_key,
+ const char *alias,
+ size_t size,
+ const ckmc_policy_s policy,
+ ckmc_raw_buffer_s **ppdata)
+{
+ (void) params;
+ (void) wrapping_key_alias;
+ (void) wrapping_key_password;
+ (void) wrapped_key;
+ (void) alias;
+ (void) size;
+ (void) policy;
+ (void) ppdata;
+
+ return CKMC_ERROR_NONE;
+}
\ No newline at end of file
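Review bot: Both stubs return `CKMC_ERROR_NONE` without writing their output pointers, so a caller following the header contract will read an unset `*ppwrapped_key` or `*ppdata` and later pass it to ckmc_key_free() or ckmc_buffer_free(); the unwrap stub also reports that a key was stored under @a alias when nothing was. Until the real implementation lands these should fail closed, e.g. `if (ppwrapped_key) *ppwrapped_key = nullptr;` followed by `return CKMC_ERROR_SERVER_ERROR;` (likewise for `ppdata`), or whichever code the project reserves for unimplemented calls. The hunk opens inside the preceding function (`delete ctx; }`), which starts outside the visible lines and is not reviewed here. The file also ends without a trailing newline.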