<Permission accessor="web_app1"/>
<Permission accessor="web_app2"/>
</Key>
- <!-- key below is encrypted using AES-CBC algorithm.
- The key used is decrypted <EncryptionKey> provided above.
- IV is Base64 encoded.
- Encryption:
- * encrypt AES CBC: openssl aes-256-cbc -K `xxd -p -c 64 encryption_AES_key` -iv `xxd -p -c 64 encryption_AES_IV` -e -in data -out data.enc
- -->
- <Key name="test-encryption-prv" type="RSA_PRV">
- <EncryptedDER IV="X1RoaXNJc0lWRm9yQUVTXw==">
- BflJyNgOcGyJSqTegG+y7MJXI1crgsGY3PjFfMpbmMbwJkVexvxoEPdf2yE5Z7da
- 6Vp4Qo2WOCUv/hllNTfm/dH7kOJOjcs/vaV1eRIfzEx3hvgKOyP82Hhkm1POynsF
- 0GyMm/VwtJFwFHA5DaJzwLln2/AoD//vC731Qhucw0Zvi2hi74d6igPog9EugIj/
- tStvpgiNE6/Hb2ZRMDswgZ8o+tKCn+QHktR/YoZ19HfX7nDVRkMQxsiA8P4zO9Do
- +iuiu/mGPVavlZA3df47TLG0kz+sz72jzPeEbfmvQo3gHWSuJ87TUwIcIoXDvaxY
- xE8/On5OTqJy8HZ+jGvEThKI/96LQsFqKlEeGGenvzVJ+BVAF9x65uOkRll9yE6v
- FIQcqbgipuBkdC6XLLaWTMgs5iiWvMn/lpNYrfZr52/TKqr09mNdei6yGvy+YuG8
- vu/xN7/3An/zE4FOIJadgI5eADj+Dz7exml3tKTuuDpR9fhxiXd7HmZhCCf11C3r
- 54S6X9bZb7335L/5UfLxs4jMMfGhYD+1UF1Qb5zVW9IVMZ+owGeC6QQPUiX6HAxy
- Rx7kLzd78uSbLNqeuiUeGiprxnuwMY2BgSqLq4WNCDWxY4hGTdkC7yg6DgY+L9Lz
- wqVuJ6STmK9Hj9bL9YUe0KrzmVUfmsaq5PL+gfcv+S5lp2YlKw1cIVP9utw1ZuOo
- j25EozWU8J+tuEa3l60Mmmh/sKzH9SH7C9EscwTYWOYjYYPwfCM9UIlNE9lnbl9s
- bzkqJvaaXpB/HVY/b4wrldr1rK73+y9LOOzfNpV4L+R4spZXXjZ2HIW/iKQj/c14
+
+ <!--
+ Example of trust zone (hardware) encrypted key:
+ * Data below are encrypted with AES_GCM and encoded with base64.
+ * The Data in plain form have value (in acscii): "ThisIsATopSecretAESKeyUsedInTest"
+ * Encyption key = decodeBase64("THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE=")
+ * IV is base64 encoded.
+ * tag is base64 encoded.
+ //-->
+
+ <Key name="very-important-key" type="AES" backend="hardware">
+ <EncryptedDER IV="5NQJ2cY7xQHQYs9EOflmvFG3JP7kCA3CCp2duiVcx30=" tag="RcRtXSrBOZyNQGgyT1m/LQ==">
+ pawxDIglDfneINm8O7Nv6jxm21G9UEgDXK3yG6VK0fw=
</EncryptedDER>
</Key>
- <Cert name="test-encryption-certificate" exportable="true">
- <!-- Note IV differs between items -->
- <EncryptedDER IV="SVZkaWZmZXJzRnJJdGVtcw==">
- pPjY7wULPaBIwPKkgwKyKSZPa6NVJN3312q829KaXcNdQSoNJmsyyPDMqLr1W3Nw
- /5DSfstMCh/MiUq4Dc1VCaHbVkRFVZMvitg7nfjDVkI9HGLpSGWzz1dc6kxn/rPv
- l1Ox3sVog96Ebss+Givm4cKKYSQihCLTxcQcP6v4RGvTMhXIZmlz8n4Tr3MgyRB7
- XTWdoowosEUWrzPMSD39y18gRJVZ/ZKv68o5mntatSE8FS1L6dgb2TdKEFdydVd2
- /ob9GVwRkMxpBsQeUvPRYXnZS2f1L18IRPrKLKLKsDB+FysyXMAHMaxGWWil29/d
- osOwMt34i6Bv21132lGt08t2LebmDJViZRVjzz9edIChBzsoG/E/3hX6v32ruJGU
- 2kq5l0bOmpQFs9M0TTNNWnaZKvpFPA8b3ywaDRWeKAPHsNQpnrx0WygCmvbjUChf
- TP1E5BVm6YjWxptvFvEINcotCj2+0fvG3zIcq01O/MpSFWbGdu9MLZtFl1rTRt8e
- ER8+nOKZNi9JUOfsYJyrZmtwm56LXTPjgNYY+a8yp2EXFtHjO62QKYr8zAi98PxL
- oiELHLF2xwFufvBAssSOPwRmDSIhljPbUy4UKUxFCeMJzdxgK0DMZw4FtcyBXGgG
- ABP57OQ60HomoZZDwAQ/4B8unuOCp7uERsQH5Z4Ns+PiIM4Tk8j9Qg4YVN43FJtJ
- tCsfagBPuQM+Cm5law0Y01asMr0wq/VlILMKX0KXpwgnVmQClRfcYBLHQmDTyCos
- kYSWrSYDesvXJnB1j/hn1puCQHfyrmPH5fQTzanD5whyed7DeXBl+F5+f73uj9pC
- DrtqG+YEOeJNj0PCAMq9B4Qe6xi06P6D/sG17Phl9wH5DSzfxxlst1xeaPBko9Bo
- LM6Sh6echKIh0HddStmaBICXNeVKz958tD0piVYMVipZm5/+cpDxdGSuemUxWXJO
- XAuYydZkuLksYjLyXDO5vEaqcVMtu54tjfdFS7vO87a9IF+mI7HHHdnNaDRHaAFi
- 4rXdaGQr8zohq91NE3JYgSMbk1DlGfL1m9GN6IEUjqMQlAkGWal1Et9uwO98PpOk
- a+r+N4lsYPKJbX2ywUvDHg==
- </EncryptedDER>
- </Cert>
- <Data name="test-ascii-data-encryption">
- <!-- this below decrypts to ASCII: "My secret data" -->
- <EncryptedASCII IV="X19hbm90aGVyX0lWXzJfXw==">zuBDjp8ptFthrU69Ua5cfg==</EncryptedASCII>
- </Data>
- <Data name="test-binary-data-encryption">
- <!-- this below decrypts to small PNG image -->
- <EncryptedBinary IV="UE5HSVZQTkdJVlBOR0lWUA==">
- weK/LmGIPHeNA2YipqJa4K1+KPkE/Jl5EtfJjzP5x5ZGhf/OOTYe+fj4p2Wx47AC
- Nd/heOAi3MkFrwu5x+swFMIeQMCMzQpRbXeCvTEuTXWnmRMoyMbHlPd7Nnk9xooF
- oYfbKhVd5DOcHN3pwc+5DQkrRy/XaD1faj3YR3JEYSfOLq4F6hLlj4U7rYJyyFuf
- kSBOTAQOXs0q83cc2L7RaK7OzFJPKYJjDkVYIakpIHXUcvNrb2DrJ13se4pcX6Zk
- KARviziVu4x9r7hTRErU8SNEWrO6E63oDfyetWvtymT17MEhRsRKS39zhrVLHzGy
- iWx2Igh6eH6t4UNkMIHZvJW4j8hxdmbRwhQstXrVq7Uyne0B1Fl2w7Lpn48jYEq8
- gaNlTZDzd8Pjz2ByrRq3/jln/xWnFwEY9oV/H53j6ctoJ2KUMiVYKej8anan8Fju
- yO86HVEIYx++LblhqzuaqBhveVfB/feMYWpP8hi4AeWKcAGdM3L9QOYxbQ9OAOuC
- Totu55NULkrzb5b+Rr+exTFpdEyic7sSEpBRV0vi6t/Lz72ebBq1oY3kn0dzZ6Ps
- ia6ccITSdHW1MmW7cOkiA4XtyfvXtZtEJgmVnAnRrj4Qh0Oa9gxNOZrY/tlyyJod
- v8JLYeBi3HRSlm2TME5hCHpBShVCRpkjLMQQ/nTPHvRNqr/BlPoXZg2FbJwreEzW
- NZ2BaiKylRds5gnmmSnqnYUl4QtVSGsJPn8Hx0bNWwUeImjrXO9Nm01P8e5Iy+Ti
- udxXTwpxZGyK2pbTs6EVxFY+fRF3SB4xcpup5fB6NHVPjiSrWABN848OReny3iS0
- FXwimWaVzmA5Ppnfqx1HGopmhH++oZyKt8W/f8GbhOffON0Gg3bsewhysW5Rz+Rx
- IAGqzV5RR1lOb+UKPBI2OPXqYUWZ9ipicSw1LC39olImBZbDmmxLDEjX5r+rg77h
- ss0hG/6847KQybmemJ7zUVE2oxmic2fONpgjn3OLecOZpUY/5n/1cvN8utLBJ2nx
- asan7zBT+nW5RjAny8pOyyV1Ux2qga/CyV46LajHJiFPokAAl6JnDYRmahtA5BM0
- +jBvvnvSDGSM5qTh0EBLIN50WmN2TeEy/u2ZjuHFwJ41gtB6pARdJ1OT59+g5TcA
- Ffc8twDzdbPbmWq8CGXVQHCvfS+2N2ECjwgnfVL1UZF69d5t9b5ysK17pU+ITPyI
- Bxxde23I6U7sh2owrZgRAOVoA804flRg6g6rDJyVfu00oDkuui+Z/3RAsu6EiqiK
- XISmLg236iumsxXcdAtOYyXn0nPZolsZnxzY2/bI0Df7rNSQ7RF5SSqhkFg1+OYT
- gM4wMYYU0ts9jqr3ckJRWMRMdJxRsVVqSBo4fz8M5/dXMsOvGbLfnbwrqZSPCXrg
- g+MX3QQdemmOgiEAGE+hxFBQMyQ6nIrDP061F4TVVhu4kGkZGxs/2W+CcQJT0aF8
- DC0EwfEBVP8yq4ytCU7Js72KkA4YsK2udUsQF/90cuzPSgT8FPDEOzszKsLGuct4
- T7Fj2Du1bVeVq4gPfdLgOdVRrZLab6vS5GFbli8UO0oAbM/Srxfh2Ghn4zS7Ol3q
- MnwX36r3+KFNJYkBxCDMNEnj/QrSWpOlKo8LfAyGdvP/29CpmzPIGTUc1u8xZpJ0
- CmFOaxjaAFJH3BjW625QbcicOnN02p0Pv00andcDNEO4k3b3MgW6yjkDBKqQ61dz
- traH19g0fFa0pjXycMqy2uwq7PhLW0QqYt4Q7cfvWRMnAOwJqhHOGGyzEixB1U5c
- q4d8izdqb0JacE6px+WJ44a530L1nhy2O5jpaKVQmNYIKTBM+HYVuHNWTWmnauKP
- ag4q8G+9EI/SRp9wKoGy81W5GwonV3D6/4N9hnQfqqRKUrbrhWc9NcUciWKh4b1n
- Om499jdDw+7qXipi3ggPCFq0H3b9CPkKMFh4Y/YDy1SvXEDSlwJ4bXXakOpVzW9t
- gDxk/fvZ8AHrFAYzW1wiDFZ8H5ZnhgBMyfztLOYBbjr5YSGej++Sq0DYoOkrK4X3
- 7+2nMrrhqmlukI7ufoP+8nsJjHdQK8yoQYGmwEEw9QHLyupqPVIQrO/VDgSN+6mW
- YsulTKW9wPhk6dvsSMOscLUdDiOTeK0jGH7Qa6QQwk/u/agHSPWh7qLpEICjKBxx
- pOMbZ3mGqTXIj+7tG0yO1/y2UXE6JTIXiMEvMmdCEiRcz1RJ6xx/aBwC2//tfiys
- nNMswTCXePtv5P9Zn+ibIiOhpm0napHopQcqmevn/DSkxSuDfwevae3bgEcJ1gN9
- pkTnOm22CQzoGJY/b0wgNvxXdWhAAfeRhzpdh3V1C4dZEF8VXHDDt5gdjb0s1fNI
- 2LiSruLVdAWmRNX5mrkUFfBOzWwsN3D34pG2Vaj6GuH8mAoko68oy6fUdjCjZooY
- hn+u5bGm1T8Mf/YYloTWg4hlOWIEfOiLP7nCdCgRdsg+y0Gi5MY04fS29SlfffUp
- VUdLzQAij+a/wbBLJZMLzJiYeHv+pFY6m1SbMoUsDbAo4PTRaLHmMOFKa6s/hlka
- lfN408DHSNs63Gd6s3W+Owe5hMccfKyRvWdNRVrXBe39I101Sci7GwWAvHhhS9EP
- 2HxxNyiwF1OCovnRHcm1b8Fcd42gbAveRVuFdI96dbFIeP0Z4I2gj+nk/yzlsG32
- LYYzE9D4WR2zjrTyVnylsJN76lyvjvkYjMt7fPt7lFYz7QLdZX8riGxqeFmim6Sk
- UQ4RXxw/ObCw4omILxvgigW+eAhgng63Yb9mRDOrqk/cL5XECiahSs3VWTjV9sy2
- rNSPViWZW/LFOjuC3cT5rWEbc64cl0eKJTivEangOXxirRGW1ltTlzQo5kA933l/
- sRMr2tBSrX/+LqfPWNA8UZWSdMBcc0oDvDGrpTUtLcor5kshYN7PPdaR9TAf8ikY
- 631mOef0HkQFsBUCFp9sr6QJD0/cfLlK5iLlyt+qFo2IgX2boddFwMtpYCt1+Uy1
- H2u6FuItIfpRu9lZ7MZf24HGibGx5/fzTXjqGMObPOaoLxI4eh1GGhIfVqmT9ntv
- e2xHoNH+tLxOHPRNHEkKRtJoB1HH20+mT6JzEdPNPmsdTcN4R0xjw0ZHTha2iBkt
- ocGow+1nYgkoieq1QweEbbCbF71XtUpyMxMSd+BAPIJJReRGvt3mD9RZ54HqlczW
- MA0LYe1rUX0Mh2Ic0x1rXZuo33PXcsKsUpfb+EIPhBjpx2vCNMiFPcM+F0NVh/PP
- zgbdjlnHr6DXn3rut6Y9fTau6UY8BmeOjG4LcNzcvcHHr9/8jXyW9wWAYYVRUI3J
- 89/GR+YxW4WGuRBIV+wMkzBJmP7QDwAedSNBSAKa+08GKfJJRL2zIVgjffeBO+Un
- TMTT7Q/a3bm+yekGsM6bchWTpY2ywdYQr936D55THonqCGlvPKyVHQaEa4U2eFDb
- aIH84kP4olPCcC+TmWHBeBwMGvbW160hRCr3kSGY7hHcD0aXkdZPh1bYyWsIz/yS
- eyUYCR+4Abu9lT1rTwHiSeo4YjNHOwQcfzBN9BwFUs6G1R81oC3qCwTYuJS2Eo09
- +sii/oH/o/7VjvewMmUzDHVJ4iMa8yRXtfOObrM9MfsQ0p9GnP7UTG3VwleIenFZ
- 43DhvDl+kolw9phRuyCuCy7fSI8e7ejcQ3gSYWcIcgIIA5y/KdoCJDNdTjj3xDdo
- p+hzg0OTjK57Fw286IVdzO5e5zznX0SPqXnZYncHHl2OmGZ+DT8ftkvD4BUJ74aO
- fLsVwAZYJT1tSG2ymzu9yJR5p+hPTScpPi8HUDCnL4xL304Lmj3UfDauNJQcM/gT
- mAJ/bfEtRqldMtN1EuH1TexvSkwkPrTUkryq2TYcw7vS72tNi+g6aZ7NdrQ8l4KZ
- ZmrfwFnKNiVWus+zrffSDooEFZ3mj/vsFvV6fhw/Ni4QD1XAb0fJawUHvt0WHqZA
- YnszBOzdmd8coJI17XbcwcP7DEoKIhLbPl1n0KNjL6j4EEoClwxZC+hAhi8kKMB3
- aWj4zpeIExYST8NgtCz44SoBTv5U0iCR19mhdcTnafGyRK82dGiBNguk8//siUiC
- jt3Aa7chapoiQNwZGDCmSrZOxOoxMYlBuPRVQqeokPinsw5rkLh8+arz1XRDyuTK
- vQ+jttyIVA9OFI5+e/hN0ryn4GPbiCG5wV5SKweRUCcX9m8TK5u6A3rhMvlcls3T
- INn9/XjCX6HhVGgZ47LSmcZ5ojtWzOKpad0v8qjD3z2BWzUlbalgYsdWrsRPSeDA
- wiGpKbqb9u0S1e6hMmGyNa8UbzhYtJ/AQ0qh003YR7j+nlfJXffNkt2B4DkDdsG3
- Alfhalwn5YUdcgm/6E+gnIg7JR4gXZhBL1R5SV1mzUgzyDEq5w2LBOx+TU33a3qf
- ld0dJDJl0cG22n+GzQmm/6nPMnWX1ymK49h0tO9fLBLZsL8T1muo/PshhjhIv5VR
- 9ET5UN5I+9d0nHWAv2DjNwetyD3WGZDHnuq0mpti58xzkOr4jfYqy9qKwFk/coAu
- Briwv8OJ2U5XEOuU/9fEL+NdYWkHga++oObyxJUU5Qgfs6OWUXERyPwzgXHkbDqm
- q6+GP1AxBAP32zD0XyGUht1nl+L5qpnbOpISJjMMrl7wuKezWbFAE8VzQNbbp62O
- eI1GEX2c2resPXZ/tS5LtoZ2TrT8TKYRZ0k1qLuQhOTXXNYQhP8i4PGOAL6BMZsZ
- USAEHcAZnlByBS8i49IlvJMewPfHmm7ceLu8aYlm3yOAr1QBNRMkxoJBXjAAnCCx
- qCGIQtINrVIJNQDSogMPXa4JQzCRSsT0Hz8ejQeQ9xmaK4VjM64VRj11RWsHFexk
- p+GdAGVteipz1xEQHBvnUdOVm/5ULHK+8w+5LgEwN0jGXlsQ6KhUX5BLQMWob0jL
- 1np3Hml3MDxsPJPJjT4OKxNdWyyyP6PIDZj7DFqEa6+9Eg5Io7TSNk4e+LylfpPS
- orsF2xaUzCaKOXjyXwPrW57UH8HtjnaeWh03qqdZCozCDdQ0pNpPk2vJYStZR/rY
- BpQHZ6kZyLFdqLs+wMoPphF7q4bhjYk6MXwdHp5Q9q+MWPuM916g6vKaHUX+q6pL
- YM8s13NkuUX1hEHaOC8I2dEsgcVPk++kDAR7JL5tn5hfJ06K8u5IHwuLUMtLKPt5
- ZA3LfrnXxqlZD164blhAvb1qPlRTh79+Tj+3zfwaUPma3PmTY12fvJiOn1aD4aYm
- HgA0yrl2cApzB3C6M1S2QllsoJ/KrWVeSg16XuC+vjSnsRWgIj3PSvSwh9YVZT0h
- TQlD/PoxrMOlPtQnpHzryQ8YKrTBc4SAuO23wKGkfUBkaBDFrUeprO2p0K9Eeus9
- jLkIgwTBwmF9bWMi214VdAI3I2BrJkGnx8Rb11C6rEu/5ZeI7g2dACSO27OhckNQ
- ex490kQvqs1OJ6Fb/CyO8BsLBIyOhkEtglJsVibbcZrHnvoRYeRaWZj9TNdN6I3B
- Dj0SwxDK9XAwGgWb+E4iwFUUg6yGrbBhUDWv5K7/ncgXz8iESXFKRowuD/J7rriU
- V/s+yZ8URntBrZ35unuKu4xRieOEkn/JZg+HP0Grs5q3OQumEvZVjHqeJt40WaZ5
- RJ3NiiHGwWVa6Db/1q0cfETbTn5Qcy2k8ZE+OnRzAmI14nr6lt4eJRnMJ63k4nGc
- Xj0WpVm7vhVWAQ9gfiYCcbYrR31dUeOBxsRtF+Lvg3TNEx8/x4LeGfxC9c5Ho1Sc
- Z7fz+/ZycHFx+08W5Mb6PlKhI44uY8bed2Xz5gQhZ1hyXk6Y41uxabUryeCvrLrh
- PJX25FkOcLhZnWDcyCQ1Rt4JltnZcZzHq12Ipgovos3lPOarySOzSHjs1TjB6Bv1
- zfBrCAGiY3rrG/W5gXs5eb97dWn5P8CD2uuZCBbTo0GVHdSHV9+JFHQO/0udmnEV
- e9KRka43HU7AC+3aLeCq1KMoW/anl4DwPXdBCV6hj75TZ0EaA7Q51ETYFCLtyXzt
- eiU9PE+bEymV6nk927wg7v38GLmdLTJ0F/G4MV0T4UxAdUrsAW33MGXC9/8YyOAz
- zGh36fBdxTpM6hb1FHJl/tdboIAcTBJRobgmvhaDDVhsJiMJMwRhSFqcE7Q04c3c
- 6rLNGZQ3/u5/Atj5ApZ60ZMH0N5LYcTm98HOROGiFbrYSiSqUyeoIPvME5FwijLw
- eCxbwjP3WvUSw8XTeIoAf5QwzdI6GRX+6ontCvw6m3l1TohH/ACA+MK+qV1cTgMV
- HdjywH4SKs3KfwCcTF4gxkHdYlNYDW63Z0lhAtDBXMxUNM/u215Wo+zX0gaSUqeu
- by47hfhTHP5mW6ITRFvKcS/qUqo3iELljwSXhdw7PwM0whLnSEMGsYh27YVxEzBT
- n9vcM5tqGykKs1wwmpXpEa6Zliu9swprpQCL5TcOVFKVMjSmDH2OwmaDwcFeTM50
- mg7BpiA5xLyQFphs8BPbyzkxNlbSI20S67Gx6yScrjsDxcEcVqmcyVVPwn/SqzVL
- PyklAUbvRcRzkhvibBngIaFUfXXdCOrdQc8Ym/5kKeQ+QLiXxfIYmYKa2uyvMeTe
- xoag7cmuUnICIYBrmHnVDNxXtC9mNiooUaX2S1lH2ct4s/NwRJm2c5O/igKO/byg
- wQjiGqDZHyLlPSRxXbxG+tTf3qx8thYbJAO0r+AXYRj+sjJ+MtRozgY0nUeFEJb0
- ZeYQGlvtoXlGo876JWJ/e7JMatHxGGQ58vJApMTphe/PPh3WTJTE02Bs3Ylft2bp
- EK5ODopXJ0UmQTn6T1hUwBRu9RO5rICr34XnFav06WekBT5/QTqHEvZ4k4//hvGr
- d7PQS/EVLApiYWySLg56svmjn4RwfPSPHOwGagU311QOx7woYJD/vb4NBxXb99Qb
- 7z42exUoZgqX+uKwHCuTzH/OVxhqrSoMX2yj09V6ZDUVHU11GOtDzVv07OU+u2vi
- F0wPdrbedpmIr5BMCdCmqlIPYeBiaMVa/2+q3ud4o6/TeWmQpDZJCQ3xtxrNORQ7
- HTlY0MDp7G+sdPWJCN5OJ0Ac7uKW72ZC/5yHBJY7Lmrhi3V3vA+DH7A4GgPAphQM
- yWlBP7sQqVWcA1XlgTycRzkfffXEUoS6qef+IgU/3i/kXmeNnf2kSvmtbiO4GRhC
- Nhk2s71NUtYXNFJPav5/ZPXI3qOuySow5GYp3njGYmDhO45IzFCcQu40FqiOeyoV
- lRYTS/BrybkMCu2S3VmIY9/2e7gguYigmyZRvvqOUED9JRqOfC14n5+wtxzSj/nw
- xFFukVHQRNF6jcZLUNs0SoeFS/obPCE+QiDYBKVrTeT54LuwNLpTrgTnTkDE5VIm
- LpX9ERh0Yh8HAO7eLHIPAiU/G1Etlc43GcDLN7bbGPQbCvKRzWKSUrLwKmryvTPi
- eC36fh/yZEWtT2zEtddwbncRgXT20opzMJxB3qF5ZMQ1qLIsQbGYeUsRl9lxsT7A
- CE6vCP235+urdA9IaBRPN1VpWDpV7YDbF/ZIkRDJevSnSSrBTed4WcXcSe7JNGFb
- U3eFPi2vsekvb59CHqHPD8QvvqF3N/3Xp1uQZV+eBOCtRpMOZduBJ6QdZlGBaGrB
- +RKJEl9ziqGkiqiQzw8MR2kSrRVKIs5cISbl/dOEqfkbp2A1Siy4kWt+2Zk5V+Sw
- IPJDrjYIZKSzV6XhhN+fhMNOYJjByxEXXLvHRTydIUQpS5JPe3T1sMJCN8o41uKx
- 4g+oPomYfJzKSbdpP84fVC4WQCMj+CiMGz/dWV27LgKPF0X9wel5s5gke4UDYQKe
- FDf/4n3+neMgKohFUIcnqGnBTtThXqvK637m37WfQTIqNWkRH4pU/Acl/djkd+TD
- yYRBt5UqwGovABM08jYkuA==
- </EncryptedBinary>
- </Data>
</InitialValues>
<xsd:complexType name="EncryptedBase64Type">
<xsd:simpleContent>
<xsd:extension base="EncodingRawType">
- <xsd:attribute name="IV" type="IV_Base64_string" use="required"/>
+ <xsd:attribute name="IV" type="Base64_string" use="required"/>
+ <xsd:attribute name="tag" type="Base64_string" use="required"/>
</xsd:extension>
</xsd:simpleContent>
</xsd:complexType>
- <xsd:simpleType name="IV_Base64_string">
+ <xsd:simpleType name="Base64_string">
<xsd:restriction base="xsd:string"></xsd:restriction>
</xsd:simpleType>
--- /dev/null
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file encryption-params.h
+ * @author Bartłomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ */
+#pragma once
+
+#include <ckm/ckm-type.h>
+
+namespace CKM {
+namespace Crypto {
+
+struct EncryptionParams {
+ EncryptionParams() {}
+
+ EncryptionParams(RawBuffer iv, RawBuffer tag) :
+ iv(std::move(iv)),
+ tag(std::move(tag))
+ {}
+
+ RawBuffer iv;
+ RawBuffer tag;
+};
+
+} // namespace Crypto
+} // namespace CKM
+
#include <generic-backend/exception.h>
#include <generic-backend/gobj.h>
+#include <generic-backend/encryption-params.h>
#include <ckm/ckm-type.h>
#include <crypto-backend.h>
#include <token.h>
}
/*
- * IV parameter makes sense only on device with built in key.
- * IV parameter is used for decryption of Data.
- * If Data is not encrypted it's ok to pass empty IV.
+ * EncryptionParams parameter makes sense only on device with built-in key.
+ * EncryptionParams parameter is used for decryption of Data.
+ * If Data is not encrypted it's ok to pass empty EncryptionParams.
*/
- virtual Token import(const Data &, const Password &, const RawBuffer & /* iv */)
+ virtual Token import(const Data &, const Password &, const EncryptionParams &)
{
ThrowErr(Exc::Crypto::OperationNotSupported);
}
return Token(m_backendId, ret.type, pack(ret.buffer, pass));
}
-Token Store::import(const Data &data, const Password &pass, const RawBuffer &iv)
+Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e)
{
- if (!iv.empty())
+ if (!e.iv.empty())
ThrowErr(Exc::Crypto::OperationNotSupported,
"Encrypted import is not yet supported on software backend!");
virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &,
const Password &);
virtual Token generateSKey(const CryptoAlgorithm &, const Password &);
- virtual Token import(const Data &data, const Password &, const RawBuffer &);
+ virtual Token import(const Data &data, const Password &, const EncryptionParams &);
virtual void destroy(const Token &) {}
private:
}
RawBuffer importData(const Data &data,
- const RawBuffer &encIV,
+ const EncryptionParams &encData,
const Password &pwd,
const RawBuffer &pwdIV,
RawBuffer &tag)
uint32_t keySizeBits = data.data.size() * 8;
TrustZoneContext::Instance().importData(dataType,
data.data,
- encIV,
+ encData,
pwdBuf,
pwdIV,
keySizeBits,
RawBuffer &tag);
RawBuffer importData(const Data &key,
- const RawBuffer &encIV,
+ const EncryptionParams &encData,
const Password &pwd,
const RawBuffer &pwdIV,
RawBuffer &tag);
return Token(m_backendId, ret.type, pack(ret.data, pass, iv, tag));
}
-Token Store::import(const Data &data, const Password &pass, const RawBuffer &encIV)
+Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e)
{
if (!data.type.isBinaryData() && !data.type.isSKey())
ThrowErr(Exc::Crypto::DataTypeNotSupported, "Invalid data provided for import");
passIV = Internals::generateIV();
}
- RawBuffer dataId = Internals::importData(data, encIV, pass, passIV, tag);
+ RawBuffer dataId = Internals::importData(data, e, pass, passIV, tag);
return Token(m_backendId, data.type, pack(dataId, pass, passIV, tag));
}
virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &,
const Password &);
virtual Token generateSKey(const CryptoAlgorithm &, const Password &);
- virtual Token import(const Data &, const Password &, const RawBuffer &);
+ virtual Token import(const Data &, const Password &, const EncryptionParams &);
virtual void destroy(const Token &);
// TODO device key ID is needed here to support importEncrypted
#include <tz-backend/tz-memory.h>
#include <generic-backend/exception.h>
#include <generic-backend/crypto-params.h>
+#include <generic-backend/encryption-params.h>
#include <dpl/log/log.h>
#include <km_serialization.h>
void TrustZoneContext::importData(
const uint32_t dataType,
const RawBuffer &data,
- const RawBuffer &encIV,
+ const Crypto::EncryptionParams &encData,
const RawBuffer &pwd,
const RawBuffer &iv,
const uint32_t keySizeBits,
// uint32_t dataType contains information about type stored as binary data
// KM_BinaryData with binary data
// uint32_t binary/key size in bits
- // KM_BinaryData IV for data decryption with build in key
+ // KM_BinaryData IV for data decryption with built in key
+ // KM_BinaryData TAG for data decryption with built in key
// uint32_t boolean value - true if password is provided
// KM_PwdData with password (optional)
// Output:
inMemorySize += KM_SizeOfFlag();
KM_BinaryData ta_data_enc_iv;
- ta_data_enc_iv.data_size = static_cast<uint32_t>(encIV.size());
- ta_data_enc_iv.data = const_cast<unsigned char *>(encIV.data());
+ ta_data_enc_iv.data_size = static_cast<uint32_t>(encData.iv.size());
+ ta_data_enc_iv.data = const_cast<unsigned char *>(encData.iv.data());
inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_iv);
+ KM_BinaryData ta_data_enc_tag;
+ ta_data_enc_tag.data_size = static_cast<uint32_t>(encData.tag.size());
+ ta_data_enc_tag.data = const_cast<unsigned char *>(encData.tag.data());
+ inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_tag);
+
uint32_t pwd_flag = pwd.empty() ? 0 : 1;
inMemorySize += KM_SizeOfFlag();
ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
}
+ ret = KM_SerializeBinaryData(&inMemoryPtr, &inMemorySize, &ta_data_enc_tag);
+ if (ret) {
+ ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
+ }
+
ret = KM_SerializeFlag(&inMemoryPtr, &inMemorySize, pwd_flag);
if (ret) {
ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
#include <km_ta_defines.h>
#include <memory>
#include <tz-backend/obj.h>
+#include <generic-backend/encryption-params.h>
namespace CKM {
namespace Crypto {
RawBuffer &pwdTag);
void importData(uint32_t dataType,
const RawBuffer &data,
- const RawBuffer &encIV,
+ const Crypto::EncryptionParams &encData,
const RawBuffer &pwd,
const RawBuffer &pwdIV,
const uint32_t keySizeBits,
namespace {
const char *const XML_ATTR_IV = "IV";
+const char *const XML_ATTR_TAG = "tag";
}
namespace CKM {
void BufferHandler::Start(const XML::Parser::Attributes &attr)
{
- // get key type
if (attr.find(XML_ATTR_IV) != attr.end()) {
std::string IVstring = attr.at(XML_ATTR_IV);
Base64Decoder base64;
base64.reset();
base64.append(RawBuffer(IVstring.begin(), IVstring.end()));
base64.finalize();
- m_IV = base64.get();
+ m_encryptionParams.iv = base64.get();
+ }
+
+ if (attr.find(XML_ATTR_TAG) != attr.end()) {
+ std::string tag = attr.at(XML_ATTR_TAG);
+ Base64Decoder base64;
+ base64.reset();
+ base64.append(RawBuffer(tag.begin(), tag.end()));
+ base64.finalize();
+ m_encryptionParams.tag = base64.get();
}
}
#include <parser.h>
#include <EncodingType.h>
#include <ckm/ckm-type.h>
-#include <generic-backend/gobj.h>
+#include <generic-backend/encryption-params.h>
namespace CKM {
namespace InitialValues {
return m_data;
}
- const RawBuffer &getIV() const
+ const Crypto::EncryptionParams &getEncryptionParams() const
{
- return m_IV;
+ return m_encryptionParams;
}
private:
EncodingType m_encoding;
- RawBuffer m_IV;
+ Crypto::EncryptionParams m_encryptionParams;
RawBuffer m_data;
};
int ec = m_db_logic.importInitialData(m_name,
Crypto::Data(getDataType(), m_bufferHandler->getData()),
- m_bufferHandler->getIV(),
+ m_bufferHandler->getEncryptionParams(),
policy);
if (CKM_API_SUCCESS != ec) {
// do not encrypt data with password during cc_mode on
Token token = store.import(data,
m_accessControl.isCCMode() ? "" : policy.password,
- RawBuffer());
+ Crypto::EncryptionParams());
DB::Row row(std::move(token), name, owner,
static_cast<int>(policy.extractable));
crypto.encryptRow(row);
store.destroy(row);
// import it to store with new scheme: data -> pass(data)
- Token token = store.import(Crypto::Data(row.dataType, row.data), pass, RawBuffer());
+ Token token = store.import(Crypto::Data(row.dataType, row.data), pass, Crypto::EncryptionParams());
// get it from the store (it can be different than the data we imported into store)
obj = store.getObject(token, pass);
int CKMLogic::importInitialData(
const Name &name,
const Crypto::Data &data,
- const RawBuffer &iv,
+ const Crypto::EncryptionParams &encParams,
const Policy &policy)
{
try {
+ if (encParams.iv.empty() != encParams.tag.empty()) {
+ LogError("Both iv and tag must be empty or set");
+ return CKM_API_ERROR_INPUT_PARAM;
+ }
+
// Inital values are always imported with root credentials. Client id is not important.
Credentials rootCred(0, "");
if (retCode != CKM_API_SUCCESS)
return retCode;
- Crypto::GStore &store = m_decider.getStore(data.type, policy, !iv.empty());
+ Crypto::GStore &store =
+ m_decider.getStore(data.type, policy, !encParams.iv.empty());
Token token;
- if (iv.empty()) {
+ if (encParams.iv.empty()) {
// Data are not encrypted, let's try to verify them
Crypto::Data binaryData;
token = store.import(binaryData,
m_accessControl.isCCMode() ? "" : policy.password,
- iv);
+ encParams);
} else {
token = store.import(data,
m_accessControl.isCCMode() ? "" : policy.password,
- iv);
+ encParams);
}
DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
#include <certificate-impl.h>
#include <sys/types.h>
#include <generic-backend/gobj.h>
-
+#include <generic-backend/encryption-params.h>
#include <platform/decider.h>
namespace CKM {
int importInitialData(
const Name &name,
const Crypto::Data &data,
- const RawBuffer &iv,
+ const Crypto::EncryptionParams &encData,
const Policy &policy);
int unlockSystemDB();
Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10));
Crypto::Decider decider;
Crypto::GStore &store = decider.getStore(data.type, policy);
- Token token = store.import(data, policy.password, RawBuffer());
+ Token token = store.import(data, policy.password, Crypto::EncryptionParams());
Name name = "test_data";
ClientId owner = "test_owner";
Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10));
Crypto::Decider decider;
Crypto::GStore &store = decider.getStore(data.type, policy);
- Token token = store.import(data, policy.password, RawBuffer());
+ Token token = store.import(data, policy.password, Crypto::EncryptionParams());
Name name = "test_data";
ClientId owner = "test_owner";
*/
#include <generic-backend/gobj.h>
#include <generic-backend/gstore.h>
-//#include <generic-backend/algo-validation.h>
+#include <generic-backend/algo-validation.h>
+#include <generic-backend/encryption-params.h>
#include <boost/test/unit_test.hpp>
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_THROW(store.generateSKey(CryptoAlgorithm(), Password()),
Exc::Crypto::OperationNotSupported);
- BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password(), RawBuffer()),
+ BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password(), Crypto::EncryptionParams()),
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_THROW(store.destroy(Token()),
Exc::Crypto::OperationNotSupported);
* limitations under the License
*/
#include <tz-backend/store.h>
+#include <generic-backend/encryption-params.h>
#include <boost/test/unit_test.hpp>
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_THROW(store.generateAKey(CryptoAlgorithm(), Password(), Password()),
Exc::Crypto::OperationNotSupported);
- BOOST_REQUIRE_THROW(store.import(Data(), Password(), RawBuffer()),
+ BOOST_REQUIRE_THROW(store.import(Data(), Password(), Crypto::EncryptionParams()),
Exc::Crypto::OperationNotSupported);
BOOST_REQUIRE_NO_THROW(store.destroy(Token()));
}
projects / platform / core / security / key-manager.git / commitdiff