Support for encrypted initial-values 70/190270/3
authorBartlomiej Grzelewski <b.grzelewski@samsung.com>
Fri, 28 Sep 2018 11:46:21 +0000 (13:46 +0200)
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 4 Oct 2018 13:00:19 +0000 (15:00 +0200)
Add tag attribute in xml schema

Change-Id: Idc058e756ab6053103e1477292cacbacf57a9879

20 files changed:
doc/example.xml
doc/initial_values.xsd
src/manager/crypto/generic-backend/encryption-params.h [new file with mode: 0644]
src/manager/crypto/generic-backend/gstore.h
src/manager/crypto/sw-backend/store.cpp
src/manager/crypto/sw-backend/store.h
src/manager/crypto/tz-backend/internals.cpp
src/manager/crypto/tz-backend/internals.h
src/manager/crypto/tz-backend/store.cpp
src/manager/crypto/tz-backend/store.h
src/manager/crypto/tz-backend/tz-context.cpp
src/manager/crypto/tz-backend/tz-context.h
src/manager/initial-values/BufferHandler.cpp
src/manager/initial-values/BufferHandler.h
src/manager/initial-values/InitialValueHandler.cpp
src/manager/service/ckm-logic.cpp
src/manager/service/ckm-logic.h
tests/test_crypto-logic.cpp
tests/test_generic-backend.cpp
tests/test_tz-backend.cpp

index cccc214..3c6eb2a 100644 (file)
     <Permission accessor="web_app1"/>
     <Permission accessor="web_app2"/>
   </Key>
-  <!-- key below is encrypted using AES-CBC algorithm.
-     The key used is decrypted <EncryptionKey> provided above.
-     IV is Base64 encoded.
-     Encryption:
-       * encrypt AES CBC: openssl aes-256-cbc -K `xxd -p -c 64 encryption_AES_key` -iv `xxd -p -c 64 encryption_AES_IV` -e -in data -out data.enc
-  -->
-  <Key name="test-encryption-prv" type="RSA_PRV">
-    <EncryptedDER IV="X1RoaXNJc0lWRm9yQUVTXw==">
-      BflJyNgOcGyJSqTegG+y7MJXI1crgsGY3PjFfMpbmMbwJkVexvxoEPdf2yE5Z7da
-      6Vp4Qo2WOCUv/hllNTfm/dH7kOJOjcs/vaV1eRIfzEx3hvgKOyP82Hhkm1POynsF
-      0GyMm/VwtJFwFHA5DaJzwLln2/AoD//vC731Qhucw0Zvi2hi74d6igPog9EugIj/
-      tStvpgiNE6/Hb2ZRMDswgZ8o+tKCn+QHktR/YoZ19HfX7nDVRkMQxsiA8P4zO9Do
-      +iuiu/mGPVavlZA3df47TLG0kz+sz72jzPeEbfmvQo3gHWSuJ87TUwIcIoXDvaxY
-      xE8/On5OTqJy8HZ+jGvEThKI/96LQsFqKlEeGGenvzVJ+BVAF9x65uOkRll9yE6v
-      FIQcqbgipuBkdC6XLLaWTMgs5iiWvMn/lpNYrfZr52/TKqr09mNdei6yGvy+YuG8
-      vu/xN7/3An/zE4FOIJadgI5eADj+Dz7exml3tKTuuDpR9fhxiXd7HmZhCCf11C3r
-      54S6X9bZb7335L/5UfLxs4jMMfGhYD+1UF1Qb5zVW9IVMZ+owGeC6QQPUiX6HAxy
-      Rx7kLzd78uSbLNqeuiUeGiprxnuwMY2BgSqLq4WNCDWxY4hGTdkC7yg6DgY+L9Lz
-      wqVuJ6STmK9Hj9bL9YUe0KrzmVUfmsaq5PL+gfcv+S5lp2YlKw1cIVP9utw1ZuOo
-      j25EozWU8J+tuEa3l60Mmmh/sKzH9SH7C9EscwTYWOYjYYPwfCM9UIlNE9lnbl9s
-      bzkqJvaaXpB/HVY/b4wrldr1rK73+y9LOOzfNpV4L+R4spZXXjZ2HIW/iKQj/c14
+
+  <!--
+    Example of trust zone (hardware) encrypted key:
+    * Data below are encrypted with AES_GCM and encoded with base64.
+    * The Data in plain form have value (in acscii): "ThisIsATopSecretAESKeyUsedInTest"
+    * Encyption key = decodeBase64("THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE=")
+    * IV is base64 encoded.
+    * tag is base64 encoded.
+  //-->
+
+  <Key name="very-important-key" type="AES" backend="hardware">
+    <EncryptedDER IV="5NQJ2cY7xQHQYs9EOflmvFG3JP7kCA3CCp2duiVcx30=" tag="RcRtXSrBOZyNQGgyT1m/LQ==">
+      pawxDIglDfneINm8O7Nv6jxm21G9UEgDXK3yG6VK0fw=
     </EncryptedDER>
   </Key>
-  <Cert name="test-encryption-certificate" exportable="true">
-    <!-- Note IV differs between items -->
-    <EncryptedDER IV="SVZkaWZmZXJzRnJJdGVtcw==">
-      pPjY7wULPaBIwPKkgwKyKSZPa6NVJN3312q829KaXcNdQSoNJmsyyPDMqLr1W3Nw
-      /5DSfstMCh/MiUq4Dc1VCaHbVkRFVZMvitg7nfjDVkI9HGLpSGWzz1dc6kxn/rPv
-      l1Ox3sVog96Ebss+Givm4cKKYSQihCLTxcQcP6v4RGvTMhXIZmlz8n4Tr3MgyRB7
-      XTWdoowosEUWrzPMSD39y18gRJVZ/ZKv68o5mntatSE8FS1L6dgb2TdKEFdydVd2
-      /ob9GVwRkMxpBsQeUvPRYXnZS2f1L18IRPrKLKLKsDB+FysyXMAHMaxGWWil29/d
-      osOwMt34i6Bv21132lGt08t2LebmDJViZRVjzz9edIChBzsoG/E/3hX6v32ruJGU
-      2kq5l0bOmpQFs9M0TTNNWnaZKvpFPA8b3ywaDRWeKAPHsNQpnrx0WygCmvbjUChf
-      TP1E5BVm6YjWxptvFvEINcotCj2+0fvG3zIcq01O/MpSFWbGdu9MLZtFl1rTRt8e
-      ER8+nOKZNi9JUOfsYJyrZmtwm56LXTPjgNYY+a8yp2EXFtHjO62QKYr8zAi98PxL
-      oiELHLF2xwFufvBAssSOPwRmDSIhljPbUy4UKUxFCeMJzdxgK0DMZw4FtcyBXGgG
-      ABP57OQ60HomoZZDwAQ/4B8unuOCp7uERsQH5Z4Ns+PiIM4Tk8j9Qg4YVN43FJtJ
-      tCsfagBPuQM+Cm5law0Y01asMr0wq/VlILMKX0KXpwgnVmQClRfcYBLHQmDTyCos
-      kYSWrSYDesvXJnB1j/hn1puCQHfyrmPH5fQTzanD5whyed7DeXBl+F5+f73uj9pC
-      DrtqG+YEOeJNj0PCAMq9B4Qe6xi06P6D/sG17Phl9wH5DSzfxxlst1xeaPBko9Bo
-      LM6Sh6echKIh0HddStmaBICXNeVKz958tD0piVYMVipZm5/+cpDxdGSuemUxWXJO
-      XAuYydZkuLksYjLyXDO5vEaqcVMtu54tjfdFS7vO87a9IF+mI7HHHdnNaDRHaAFi
-      4rXdaGQr8zohq91NE3JYgSMbk1DlGfL1m9GN6IEUjqMQlAkGWal1Et9uwO98PpOk
-      a+r+N4lsYPKJbX2ywUvDHg==
-    </EncryptedDER>
-  </Cert>
-  <Data name="test-ascii-data-encryption">
-    <!-- this below decrypts to ASCII: "My secret data" -->
-    <EncryptedASCII IV="X19hbm90aGVyX0lWXzJfXw==">zuBDjp8ptFthrU69Ua5cfg==</EncryptedASCII>
-  </Data>
-  <Data name="test-binary-data-encryption">
-    <!-- this below decrypts to small PNG image -->
-    <EncryptedBinary IV="UE5HSVZQTkdJVlBOR0lWUA==">
-      weK/LmGIPHeNA2YipqJa4K1+KPkE/Jl5EtfJjzP5x5ZGhf/OOTYe+fj4p2Wx47AC
-      Nd/heOAi3MkFrwu5x+swFMIeQMCMzQpRbXeCvTEuTXWnmRMoyMbHlPd7Nnk9xooF
-      oYfbKhVd5DOcHN3pwc+5DQkrRy/XaD1faj3YR3JEYSfOLq4F6hLlj4U7rYJyyFuf
-      kSBOTAQOXs0q83cc2L7RaK7OzFJPKYJjDkVYIakpIHXUcvNrb2DrJ13se4pcX6Zk
-      KARviziVu4x9r7hTRErU8SNEWrO6E63oDfyetWvtymT17MEhRsRKS39zhrVLHzGy
-      iWx2Igh6eH6t4UNkMIHZvJW4j8hxdmbRwhQstXrVq7Uyne0B1Fl2w7Lpn48jYEq8
-      gaNlTZDzd8Pjz2ByrRq3/jln/xWnFwEY9oV/H53j6ctoJ2KUMiVYKej8anan8Fju
-      yO86HVEIYx++LblhqzuaqBhveVfB/feMYWpP8hi4AeWKcAGdM3L9QOYxbQ9OAOuC
-      Totu55NULkrzb5b+Rr+exTFpdEyic7sSEpBRV0vi6t/Lz72ebBq1oY3kn0dzZ6Ps
-      ia6ccITSdHW1MmW7cOkiA4XtyfvXtZtEJgmVnAnRrj4Qh0Oa9gxNOZrY/tlyyJod
-      v8JLYeBi3HRSlm2TME5hCHpBShVCRpkjLMQQ/nTPHvRNqr/BlPoXZg2FbJwreEzW
-      NZ2BaiKylRds5gnmmSnqnYUl4QtVSGsJPn8Hx0bNWwUeImjrXO9Nm01P8e5Iy+Ti
-      udxXTwpxZGyK2pbTs6EVxFY+fRF3SB4xcpup5fB6NHVPjiSrWABN848OReny3iS0
-      FXwimWaVzmA5Ppnfqx1HGopmhH++oZyKt8W/f8GbhOffON0Gg3bsewhysW5Rz+Rx
-      IAGqzV5RR1lOb+UKPBI2OPXqYUWZ9ipicSw1LC39olImBZbDmmxLDEjX5r+rg77h
-      ss0hG/6847KQybmemJ7zUVE2oxmic2fONpgjn3OLecOZpUY/5n/1cvN8utLBJ2nx
-      asan7zBT+nW5RjAny8pOyyV1Ux2qga/CyV46LajHJiFPokAAl6JnDYRmahtA5BM0
-      +jBvvnvSDGSM5qTh0EBLIN50WmN2TeEy/u2ZjuHFwJ41gtB6pARdJ1OT59+g5TcA
-      Ffc8twDzdbPbmWq8CGXVQHCvfS+2N2ECjwgnfVL1UZF69d5t9b5ysK17pU+ITPyI
-      Bxxde23I6U7sh2owrZgRAOVoA804flRg6g6rDJyVfu00oDkuui+Z/3RAsu6EiqiK
-      XISmLg236iumsxXcdAtOYyXn0nPZolsZnxzY2/bI0Df7rNSQ7RF5SSqhkFg1+OYT
-      gM4wMYYU0ts9jqr3ckJRWMRMdJxRsVVqSBo4fz8M5/dXMsOvGbLfnbwrqZSPCXrg
-      g+MX3QQdemmOgiEAGE+hxFBQMyQ6nIrDP061F4TVVhu4kGkZGxs/2W+CcQJT0aF8
-      DC0EwfEBVP8yq4ytCU7Js72KkA4YsK2udUsQF/90cuzPSgT8FPDEOzszKsLGuct4
-      T7Fj2Du1bVeVq4gPfdLgOdVRrZLab6vS5GFbli8UO0oAbM/Srxfh2Ghn4zS7Ol3q
-      MnwX36r3+KFNJYkBxCDMNEnj/QrSWpOlKo8LfAyGdvP/29CpmzPIGTUc1u8xZpJ0
-      CmFOaxjaAFJH3BjW625QbcicOnN02p0Pv00andcDNEO4k3b3MgW6yjkDBKqQ61dz
-      traH19g0fFa0pjXycMqy2uwq7PhLW0QqYt4Q7cfvWRMnAOwJqhHOGGyzEixB1U5c
-      q4d8izdqb0JacE6px+WJ44a530L1nhy2O5jpaKVQmNYIKTBM+HYVuHNWTWmnauKP
-      ag4q8G+9EI/SRp9wKoGy81W5GwonV3D6/4N9hnQfqqRKUrbrhWc9NcUciWKh4b1n
-      Om499jdDw+7qXipi3ggPCFq0H3b9CPkKMFh4Y/YDy1SvXEDSlwJ4bXXakOpVzW9t
-      gDxk/fvZ8AHrFAYzW1wiDFZ8H5ZnhgBMyfztLOYBbjr5YSGej++Sq0DYoOkrK4X3
-      7+2nMrrhqmlukI7ufoP+8nsJjHdQK8yoQYGmwEEw9QHLyupqPVIQrO/VDgSN+6mW
-      YsulTKW9wPhk6dvsSMOscLUdDiOTeK0jGH7Qa6QQwk/u/agHSPWh7qLpEICjKBxx
-      pOMbZ3mGqTXIj+7tG0yO1/y2UXE6JTIXiMEvMmdCEiRcz1RJ6xx/aBwC2//tfiys
-      nNMswTCXePtv5P9Zn+ibIiOhpm0napHopQcqmevn/DSkxSuDfwevae3bgEcJ1gN9
-      pkTnOm22CQzoGJY/b0wgNvxXdWhAAfeRhzpdh3V1C4dZEF8VXHDDt5gdjb0s1fNI
-      2LiSruLVdAWmRNX5mrkUFfBOzWwsN3D34pG2Vaj6GuH8mAoko68oy6fUdjCjZooY
-      hn+u5bGm1T8Mf/YYloTWg4hlOWIEfOiLP7nCdCgRdsg+y0Gi5MY04fS29SlfffUp
-      VUdLzQAij+a/wbBLJZMLzJiYeHv+pFY6m1SbMoUsDbAo4PTRaLHmMOFKa6s/hlka
-      lfN408DHSNs63Gd6s3W+Owe5hMccfKyRvWdNRVrXBe39I101Sci7GwWAvHhhS9EP
-      2HxxNyiwF1OCovnRHcm1b8Fcd42gbAveRVuFdI96dbFIeP0Z4I2gj+nk/yzlsG32
-      LYYzE9D4WR2zjrTyVnylsJN76lyvjvkYjMt7fPt7lFYz7QLdZX8riGxqeFmim6Sk
-      UQ4RXxw/ObCw4omILxvgigW+eAhgng63Yb9mRDOrqk/cL5XECiahSs3VWTjV9sy2
-      rNSPViWZW/LFOjuC3cT5rWEbc64cl0eKJTivEangOXxirRGW1ltTlzQo5kA933l/
-      sRMr2tBSrX/+LqfPWNA8UZWSdMBcc0oDvDGrpTUtLcor5kshYN7PPdaR9TAf8ikY
-      631mOef0HkQFsBUCFp9sr6QJD0/cfLlK5iLlyt+qFo2IgX2boddFwMtpYCt1+Uy1
-      H2u6FuItIfpRu9lZ7MZf24HGibGx5/fzTXjqGMObPOaoLxI4eh1GGhIfVqmT9ntv
-      e2xHoNH+tLxOHPRNHEkKRtJoB1HH20+mT6JzEdPNPmsdTcN4R0xjw0ZHTha2iBkt
-      ocGow+1nYgkoieq1QweEbbCbF71XtUpyMxMSd+BAPIJJReRGvt3mD9RZ54HqlczW
-      MA0LYe1rUX0Mh2Ic0x1rXZuo33PXcsKsUpfb+EIPhBjpx2vCNMiFPcM+F0NVh/PP
-      zgbdjlnHr6DXn3rut6Y9fTau6UY8BmeOjG4LcNzcvcHHr9/8jXyW9wWAYYVRUI3J
-      89/GR+YxW4WGuRBIV+wMkzBJmP7QDwAedSNBSAKa+08GKfJJRL2zIVgjffeBO+Un
-      TMTT7Q/a3bm+yekGsM6bchWTpY2ywdYQr936D55THonqCGlvPKyVHQaEa4U2eFDb
-      aIH84kP4olPCcC+TmWHBeBwMGvbW160hRCr3kSGY7hHcD0aXkdZPh1bYyWsIz/yS
-      eyUYCR+4Abu9lT1rTwHiSeo4YjNHOwQcfzBN9BwFUs6G1R81oC3qCwTYuJS2Eo09
-      +sii/oH/o/7VjvewMmUzDHVJ4iMa8yRXtfOObrM9MfsQ0p9GnP7UTG3VwleIenFZ
-      43DhvDl+kolw9phRuyCuCy7fSI8e7ejcQ3gSYWcIcgIIA5y/KdoCJDNdTjj3xDdo
-      p+hzg0OTjK57Fw286IVdzO5e5zznX0SPqXnZYncHHl2OmGZ+DT8ftkvD4BUJ74aO
-      fLsVwAZYJT1tSG2ymzu9yJR5p+hPTScpPi8HUDCnL4xL304Lmj3UfDauNJQcM/gT
-      mAJ/bfEtRqldMtN1EuH1TexvSkwkPrTUkryq2TYcw7vS72tNi+g6aZ7NdrQ8l4KZ
-      ZmrfwFnKNiVWus+zrffSDooEFZ3mj/vsFvV6fhw/Ni4QD1XAb0fJawUHvt0WHqZA
-      YnszBOzdmd8coJI17XbcwcP7DEoKIhLbPl1n0KNjL6j4EEoClwxZC+hAhi8kKMB3
-      aWj4zpeIExYST8NgtCz44SoBTv5U0iCR19mhdcTnafGyRK82dGiBNguk8//siUiC
-      jt3Aa7chapoiQNwZGDCmSrZOxOoxMYlBuPRVQqeokPinsw5rkLh8+arz1XRDyuTK
-      vQ+jttyIVA9OFI5+e/hN0ryn4GPbiCG5wV5SKweRUCcX9m8TK5u6A3rhMvlcls3T
-      INn9/XjCX6HhVGgZ47LSmcZ5ojtWzOKpad0v8qjD3z2BWzUlbalgYsdWrsRPSeDA
-      wiGpKbqb9u0S1e6hMmGyNa8UbzhYtJ/AQ0qh003YR7j+nlfJXffNkt2B4DkDdsG3
-      Alfhalwn5YUdcgm/6E+gnIg7JR4gXZhBL1R5SV1mzUgzyDEq5w2LBOx+TU33a3qf
-      ld0dJDJl0cG22n+GzQmm/6nPMnWX1ymK49h0tO9fLBLZsL8T1muo/PshhjhIv5VR
-      9ET5UN5I+9d0nHWAv2DjNwetyD3WGZDHnuq0mpti58xzkOr4jfYqy9qKwFk/coAu
-      Briwv8OJ2U5XEOuU/9fEL+NdYWkHga++oObyxJUU5Qgfs6OWUXERyPwzgXHkbDqm
-      q6+GP1AxBAP32zD0XyGUht1nl+L5qpnbOpISJjMMrl7wuKezWbFAE8VzQNbbp62O
-      eI1GEX2c2resPXZ/tS5LtoZ2TrT8TKYRZ0k1qLuQhOTXXNYQhP8i4PGOAL6BMZsZ
-      USAEHcAZnlByBS8i49IlvJMewPfHmm7ceLu8aYlm3yOAr1QBNRMkxoJBXjAAnCCx
-      qCGIQtINrVIJNQDSogMPXa4JQzCRSsT0Hz8ejQeQ9xmaK4VjM64VRj11RWsHFexk
-      p+GdAGVteipz1xEQHBvnUdOVm/5ULHK+8w+5LgEwN0jGXlsQ6KhUX5BLQMWob0jL
-      1np3Hml3MDxsPJPJjT4OKxNdWyyyP6PIDZj7DFqEa6+9Eg5Io7TSNk4e+LylfpPS
-      orsF2xaUzCaKOXjyXwPrW57UH8HtjnaeWh03qqdZCozCDdQ0pNpPk2vJYStZR/rY
-      BpQHZ6kZyLFdqLs+wMoPphF7q4bhjYk6MXwdHp5Q9q+MWPuM916g6vKaHUX+q6pL
-      YM8s13NkuUX1hEHaOC8I2dEsgcVPk++kDAR7JL5tn5hfJ06K8u5IHwuLUMtLKPt5
-      ZA3LfrnXxqlZD164blhAvb1qPlRTh79+Tj+3zfwaUPma3PmTY12fvJiOn1aD4aYm
-      HgA0yrl2cApzB3C6M1S2QllsoJ/KrWVeSg16XuC+vjSnsRWgIj3PSvSwh9YVZT0h
-      TQlD/PoxrMOlPtQnpHzryQ8YKrTBc4SAuO23wKGkfUBkaBDFrUeprO2p0K9Eeus9
-      jLkIgwTBwmF9bWMi214VdAI3I2BrJkGnx8Rb11C6rEu/5ZeI7g2dACSO27OhckNQ
-      ex490kQvqs1OJ6Fb/CyO8BsLBIyOhkEtglJsVibbcZrHnvoRYeRaWZj9TNdN6I3B
-      Dj0SwxDK9XAwGgWb+E4iwFUUg6yGrbBhUDWv5K7/ncgXz8iESXFKRowuD/J7rriU
-      V/s+yZ8URntBrZ35unuKu4xRieOEkn/JZg+HP0Grs5q3OQumEvZVjHqeJt40WaZ5
-      RJ3NiiHGwWVa6Db/1q0cfETbTn5Qcy2k8ZE+OnRzAmI14nr6lt4eJRnMJ63k4nGc
-      Xj0WpVm7vhVWAQ9gfiYCcbYrR31dUeOBxsRtF+Lvg3TNEx8/x4LeGfxC9c5Ho1Sc
-      Z7fz+/ZycHFx+08W5Mb6PlKhI44uY8bed2Xz5gQhZ1hyXk6Y41uxabUryeCvrLrh
-      PJX25FkOcLhZnWDcyCQ1Rt4JltnZcZzHq12Ipgovos3lPOarySOzSHjs1TjB6Bv1
-      zfBrCAGiY3rrG/W5gXs5eb97dWn5P8CD2uuZCBbTo0GVHdSHV9+JFHQO/0udmnEV
-      e9KRka43HU7AC+3aLeCq1KMoW/anl4DwPXdBCV6hj75TZ0EaA7Q51ETYFCLtyXzt
-      eiU9PE+bEymV6nk927wg7v38GLmdLTJ0F/G4MV0T4UxAdUrsAW33MGXC9/8YyOAz
-      zGh36fBdxTpM6hb1FHJl/tdboIAcTBJRobgmvhaDDVhsJiMJMwRhSFqcE7Q04c3c
-      6rLNGZQ3/u5/Atj5ApZ60ZMH0N5LYcTm98HOROGiFbrYSiSqUyeoIPvME5FwijLw
-      eCxbwjP3WvUSw8XTeIoAf5QwzdI6GRX+6ontCvw6m3l1TohH/ACA+MK+qV1cTgMV
-      HdjywH4SKs3KfwCcTF4gxkHdYlNYDW63Z0lhAtDBXMxUNM/u215Wo+zX0gaSUqeu
-      by47hfhTHP5mW6ITRFvKcS/qUqo3iELljwSXhdw7PwM0whLnSEMGsYh27YVxEzBT
-      n9vcM5tqGykKs1wwmpXpEa6Zliu9swprpQCL5TcOVFKVMjSmDH2OwmaDwcFeTM50
-      mg7BpiA5xLyQFphs8BPbyzkxNlbSI20S67Gx6yScrjsDxcEcVqmcyVVPwn/SqzVL
-      PyklAUbvRcRzkhvibBngIaFUfXXdCOrdQc8Ym/5kKeQ+QLiXxfIYmYKa2uyvMeTe
-      xoag7cmuUnICIYBrmHnVDNxXtC9mNiooUaX2S1lH2ct4s/NwRJm2c5O/igKO/byg
-      wQjiGqDZHyLlPSRxXbxG+tTf3qx8thYbJAO0r+AXYRj+sjJ+MtRozgY0nUeFEJb0
-      ZeYQGlvtoXlGo876JWJ/e7JMatHxGGQ58vJApMTphe/PPh3WTJTE02Bs3Ylft2bp
-      EK5ODopXJ0UmQTn6T1hUwBRu9RO5rICr34XnFav06WekBT5/QTqHEvZ4k4//hvGr
-      d7PQS/EVLApiYWySLg56svmjn4RwfPSPHOwGagU311QOx7woYJD/vb4NBxXb99Qb
-      7z42exUoZgqX+uKwHCuTzH/OVxhqrSoMX2yj09V6ZDUVHU11GOtDzVv07OU+u2vi
-      F0wPdrbedpmIr5BMCdCmqlIPYeBiaMVa/2+q3ud4o6/TeWmQpDZJCQ3xtxrNORQ7
-      HTlY0MDp7G+sdPWJCN5OJ0Ac7uKW72ZC/5yHBJY7Lmrhi3V3vA+DH7A4GgPAphQM
-      yWlBP7sQqVWcA1XlgTycRzkfffXEUoS6qef+IgU/3i/kXmeNnf2kSvmtbiO4GRhC
-      Nhk2s71NUtYXNFJPav5/ZPXI3qOuySow5GYp3njGYmDhO45IzFCcQu40FqiOeyoV
-      lRYTS/BrybkMCu2S3VmIY9/2e7gguYigmyZRvvqOUED9JRqOfC14n5+wtxzSj/nw
-      xFFukVHQRNF6jcZLUNs0SoeFS/obPCE+QiDYBKVrTeT54LuwNLpTrgTnTkDE5VIm
-      LpX9ERh0Yh8HAO7eLHIPAiU/G1Etlc43GcDLN7bbGPQbCvKRzWKSUrLwKmryvTPi
-      eC36fh/yZEWtT2zEtddwbncRgXT20opzMJxB3qF5ZMQ1qLIsQbGYeUsRl9lxsT7A
-      CE6vCP235+urdA9IaBRPN1VpWDpV7YDbF/ZIkRDJevSnSSrBTed4WcXcSe7JNGFb
-      U3eFPi2vsekvb59CHqHPD8QvvqF3N/3Xp1uQZV+eBOCtRpMOZduBJ6QdZlGBaGrB
-      +RKJEl9ziqGkiqiQzw8MR2kSrRVKIs5cISbl/dOEqfkbp2A1Siy4kWt+2Zk5V+Sw
-      IPJDrjYIZKSzV6XhhN+fhMNOYJjByxEXXLvHRTydIUQpS5JPe3T1sMJCN8o41uKx
-      4g+oPomYfJzKSbdpP84fVC4WQCMj+CiMGz/dWV27LgKPF0X9wel5s5gke4UDYQKe
-      FDf/4n3+neMgKohFUIcnqGnBTtThXqvK637m37WfQTIqNWkRH4pU/Acl/djkd+TD
-      yYRBt5UqwGovABM08jYkuA==
-    </EncryptedBinary>
-  </Data>
 </InitialValues>
index 54672d9..74b33a6 100644 (file)
        <xsd:complexType name="EncryptedBase64Type">
                <xsd:simpleContent>
                        <xsd:extension base="EncodingRawType">
-                               <xsd:attribute name="IV" type="IV_Base64_string" use="required"/>
+                               <xsd:attribute name="IV" type="Base64_string" use="required"/>
+                               <xsd:attribute name="tag" type="Base64_string" use="required"/>
                        </xsd:extension>
                </xsd:simpleContent>
        </xsd:complexType>
-       <xsd:simpleType name="IV_Base64_string">
+       <xsd:simpleType name="Base64_string">
                <xsd:restriction base="xsd:string"></xsd:restriction>
        </xsd:simpleType>
 
diff --git a/src/manager/crypto/generic-backend/encryption-params.h b/src/manager/crypto/generic-backend/encryption-params.h
new file mode 100644 (file)
index 0000000..5fa8e9c
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ *  Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License
+ */
+/*
+ * @file       encryption-params.h
+ * @author     BartÅ‚omiej Grzelewski (b.grzelewski@samsung.com)
+ * @version    1.0
+ */
+#pragma once
+
+#include <ckm/ckm-type.h>
+
+namespace CKM {
+namespace Crypto {
+
+struct EncryptionParams {
+       EncryptionParams() {}
+
+       EncryptionParams(RawBuffer iv, RawBuffer tag) :
+               iv(std::move(iv)),
+               tag(std::move(tag))
+       {}
+
+       RawBuffer iv;
+       RawBuffer tag;
+};
+
+} // namespace Crypto
+} // namespace CKM
+
index 2984fdc..638532d 100644 (file)
@@ -24,6 +24,7 @@
 
 #include <generic-backend/exception.h>
 #include <generic-backend/gobj.h>
+#include <generic-backend/encryption-params.h>
 #include <ckm/ckm-type.h>
 #include <crypto-backend.h>
 #include <token.h>
@@ -57,11 +58,11 @@ public:
        }
 
        /*
-        * IV parameter makes sense only on device with built in key.
-        * IV parameter is used for decryption of Data.
-        * If Data is not encrypted it's ok to pass empty IV.
+        * EncryptionParams parameter makes sense only on device with built-in key.
+        * EncryptionParams parameter is used for decryption of Data.
+        * If Data is not encrypted it's ok to pass empty EncryptionParams.
         */
-       virtual Token import(const Data &, const Password &, const RawBuffer & /* iv */)
+       virtual Token import(const Data &, const Password &, const EncryptionParams &)
        {
                ThrowErr(Exc::Crypto::OperationNotSupported);
        }
index b41b8fd..b4fd718 100644 (file)
@@ -219,9 +219,9 @@ Token Store::generateSKey(const CryptoAlgorithm &algorithm,
        return Token(m_backendId, ret.type, pack(ret.buffer, pass));
 }
 
-Token Store::import(const Data &data, const Password &pass, const RawBuffer &iv)
+Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e)
 {
-       if (!iv.empty())
+       if (!e.iv.empty())
                ThrowErr(Exc::Crypto::OperationNotSupported,
                        "Encrypted import is not yet supported on software backend!");
 
index 82798cd..3dc50b8 100644 (file)
@@ -35,7 +35,7 @@ public:
        virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &,
                                                                   const Password &);
        virtual Token generateSKey(const CryptoAlgorithm &, const Password &);
-       virtual Token import(const Data &data, const Password &, const RawBuffer &);
+       virtual Token import(const Data &data, const Password &, const EncryptionParams &);
        virtual void destroy(const Token &) {}
 
 private:
index 90cc9fb..317a775 100644 (file)
@@ -119,7 +119,7 @@ void destroyKey(const RawBuffer &key)
 }
 
 RawBuffer importData(const Data &data,
-                                        const RawBuffer &encIV,
+                                        const EncryptionParams &encData,
                                         const Password &pwd,
                                         const RawBuffer &pwdIV,
                                         RawBuffer &tag)
@@ -142,7 +142,7 @@ RawBuffer importData(const Data &data,
        uint32_t keySizeBits = data.data.size() * 8;
        TrustZoneContext::Instance().importData(dataType,
                                                                                data.data,
-                                                                               encIV,
+                                                                               encData,
                                                                                pwdBuf,
                                                                                pwdIV,
                                                                                keySizeBits,
index c27933b..1c76f8d 100644 (file)
@@ -49,7 +49,7 @@ Data generateSKey(const CryptoAlgorithm &alg,
                                RawBuffer &tag);
 
 RawBuffer importData(const Data &key,
-                                        const RawBuffer &encIV,
+                                        const EncryptionParams &encData,
                                         const Password &pwd,
                                         const RawBuffer &pwdIV,
                                         RawBuffer &tag);
index a3d65c7..166ae74 100644 (file)
@@ -142,7 +142,7 @@ Token Store::generateSKey(const CryptoAlgorithm &alg, const Password &pass)
        return Token(m_backendId, ret.type, pack(ret.data, pass, iv, tag));
 }
 
-Token Store::import(const Data &data, const Password &pass, const RawBuffer &encIV)
+Token Store::import(const Data &data, const Password &pass, const EncryptionParams &e)
 {
        if (!data.type.isBinaryData() && !data.type.isSKey())
                ThrowErr(Exc::Crypto::DataTypeNotSupported, "Invalid data provided for import");
@@ -155,7 +155,7 @@ Token Store::import(const Data &data, const Password &pass, const RawBuffer &enc
                passIV = Internals::generateIV();
        }
 
-       RawBuffer dataId = Internals::importData(data, encIV, pass, passIV, tag);
+       RawBuffer dataId = Internals::importData(data, e, pass, passIV, tag);
        return Token(m_backendId, data.type, pack(dataId, pass, passIV, tag));
 }
 
index 4d44b6b..664c756 100644 (file)
@@ -35,7 +35,7 @@ public:
        virtual TokenPair generateAKey(const CryptoAlgorithm &, const Password &,
                                                                   const Password &);
        virtual Token generateSKey(const CryptoAlgorithm &, const Password &);
-       virtual Token import(const Data &, const Password &, const RawBuffer &);
+       virtual Token import(const Data &, const Password &, const EncryptionParams &);
        virtual void destroy(const Token &);
 
        // TODO device key ID is needed here to support importEncrypted
index 859c5a2..83ac694 100644 (file)
@@ -23,6 +23,7 @@
 #include <tz-backend/tz-memory.h>
 #include <generic-backend/exception.h>
 #include <generic-backend/crypto-params.h>
+#include <generic-backend/encryption-params.h>
 #include <dpl/log/log.h>
 
 #include <km_serialization.h>
@@ -641,7 +642,7 @@ void TrustZoneContext::executeDestroy(const RawBuffer &keyId)
 void TrustZoneContext::importData(
                                const uint32_t dataType,
                                const RawBuffer &data,
-                               const RawBuffer &encIV,
+                               const Crypto::EncryptionParams &encData,
                                const RawBuffer &pwd,
                                const RawBuffer &iv,
                                const uint32_t keySizeBits,
@@ -655,7 +656,8 @@ void TrustZoneContext::importData(
        //        uint32_t dataType contains information about type stored as binary data
        //        KM_BinaryData with binary data
        //        uint32_t binary/key size in bits
-       //        KM_BinaryData IV for data decryption with build in key
+       //        KM_BinaryData IV for data decryption with built in key
+       //        KM_BinaryData TAG for data decryption with built in key
        //        uint32_t boolean value - true if password is provided
        //        KM_PwdData with password (optional)
        // Output:
@@ -677,10 +679,15 @@ void TrustZoneContext::importData(
        inMemorySize += KM_SizeOfFlag();
 
        KM_BinaryData ta_data_enc_iv;
-       ta_data_enc_iv.data_size = static_cast<uint32_t>(encIV.size());
-       ta_data_enc_iv.data = const_cast<unsigned char *>(encIV.data());
+       ta_data_enc_iv.data_size = static_cast<uint32_t>(encData.iv.size());
+       ta_data_enc_iv.data = const_cast<unsigned char *>(encData.iv.data());
        inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_iv);
 
+       KM_BinaryData ta_data_enc_tag;
+       ta_data_enc_tag.data_size = static_cast<uint32_t>(encData.tag.size());
+       ta_data_enc_tag.data = const_cast<unsigned char *>(encData.tag.data());
+       inMemorySize += KM_SizeOfBinaryData(&ta_data_enc_tag);
+
        uint32_t pwd_flag = pwd.empty() ? 0 : 1;
        inMemorySize += KM_SizeOfFlag();
 
@@ -723,6 +730,11 @@ void TrustZoneContext::importData(
                ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
        }
 
+       ret = KM_SerializeBinaryData(&inMemoryPtr, &inMemorySize, &ta_data_enc_tag);
+       if (ret) {
+               ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
+       }
+
        ret = KM_SerializeFlag(&inMemoryPtr, &inMemorySize, pwd_flag);
        if (ret) {
                ThrowErr(Exc::Crypto::InternalError, "Failed to serialize data, ret: ", ret);
index fdce3eb..123c21e 100644 (file)
@@ -26,6 +26,7 @@
 #include <km_ta_defines.h>
 #include <memory>
 #include <tz-backend/obj.h>
+#include <generic-backend/encryption-params.h>
 
 namespace CKM {
 namespace Crypto {
@@ -49,7 +50,7 @@ public:
                                                RawBuffer &pwdTag);
        void importData(uint32_t dataType,
                                        const RawBuffer &data,
-                                       const RawBuffer &encIV,
+                                       const Crypto::EncryptionParams &encData,
                                        const RawBuffer &pwd,
                                        const RawBuffer &pwdIV,
                                        const uint32_t keySizeBits,
index cca06b2..5917844 100644 (file)
@@ -29,6 +29,7 @@
 
 namespace {
 const char *const XML_ATTR_IV  = "IV";
+const char *const XML_ATTR_TAG = "tag";
 }
 
 namespace CKM {
@@ -39,14 +40,22 @@ BufferHandler::~BufferHandler() {}
 
 void BufferHandler::Start(const XML::Parser::Attributes &attr)
 {
-       // get key type
        if (attr.find(XML_ATTR_IV) != attr.end()) {
                std::string IVstring = attr.at(XML_ATTR_IV);
                Base64Decoder base64;
                base64.reset();
                base64.append(RawBuffer(IVstring.begin(), IVstring.end()));
                base64.finalize();
-               m_IV = base64.get();
+               m_encryptionParams.iv = base64.get();
+       }
+
+       if (attr.find(XML_ATTR_TAG) != attr.end()) {
+               std::string tag = attr.at(XML_ATTR_TAG);
+               Base64Decoder base64;
+               base64.reset();
+               base64.append(RawBuffer(tag.begin(), tag.end()));
+               base64.finalize();
+               m_encryptionParams.tag = base64.get();
        }
 }
 
index 08bca52..1b45839 100644 (file)
@@ -26,7 +26,7 @@
 #include <parser.h>
 #include <EncodingType.h>
 #include <ckm/ckm-type.h>
-#include <generic-backend/gobj.h>
+#include <generic-backend/encryption-params.h>
 
 namespace CKM {
 namespace InitialValues {
@@ -47,14 +47,14 @@ public:
                return m_data;
        }
 
-       const RawBuffer &getIV() const
+       const Crypto::EncryptionParams &getEncryptionParams() const
        {
-               return m_IV;
+               return m_encryptionParams;
        }
 
 private:
        EncodingType m_encoding;
-       RawBuffer m_IV;
+       Crypto::EncryptionParams m_encryptionParams;
        RawBuffer m_data;
 };
 
index 7853d39..6ca335a 100644 (file)
@@ -80,7 +80,7 @@ void InitialValueHandler::End()
 
        int ec = m_db_logic.importInitialData(m_name,
                                              Crypto::Data(getDataType(), m_bufferHandler->getData()),
-                                             m_bufferHandler->getIV(),
+                                             m_bufferHandler->getEncryptionParams(),
                                              policy);
 
        if (CKM_API_SUCCESS != ec) {
index 98248ec..6a10ad7 100644 (file)
@@ -405,7 +405,7 @@ DB::Row CKMLogic::createEncryptedRow(
        // do not encrypt data with password during cc_mode on
        Token token = store.import(data,
                                                           m_accessControl.isCCMode() ? "" : policy.password,
-                                                          RawBuffer());
+                                                          Crypto::EncryptionParams());
        DB::Row row(std::move(token), name, owner,
                                static_cast<int>(policy.extractable));
        crypto.encryptRow(row);
@@ -804,7 +804,7 @@ Crypto::GObjUPtr CKMLogic::rowToObject(
                store.destroy(row);
 
                // import it to store with new scheme: data -> pass(data)
-               Token token = store.import(Crypto::Data(row.dataType, row.data), pass, RawBuffer());
+               Token token = store.import(Crypto::Data(row.dataType, row.data), pass, Crypto::EncryptionParams());
 
                // get it from the store (it can be different than the data we imported into store)
                obj = store.getObject(token, pass);
@@ -1160,10 +1160,15 @@ RawBuffer CKMLogic::getDataList(
 int CKMLogic::importInitialData(
        const Name &name,
        const Crypto::Data &data,
-       const RawBuffer &iv,
+       const Crypto::EncryptionParams &encParams,
        const Policy &policy)
 {
        try {
+               if (encParams.iv.empty() != encParams.tag.empty()) {
+                       LogError("Both iv and tag must be empty or set");
+                       return CKM_API_ERROR_INPUT_PARAM;
+               }
+
                // Inital values are always imported with root credentials. Client id is not important.
                Credentials rootCred(0, "");
 
@@ -1176,11 +1181,12 @@ int CKMLogic::importInitialData(
                if (retCode != CKM_API_SUCCESS)
                        return retCode;
 
-               Crypto::GStore &store = m_decider.getStore(data.type, policy, !iv.empty());
+               Crypto::GStore &store =
+                               m_decider.getStore(data.type, policy, !encParams.iv.empty());
 
                Token token;
 
-               if (iv.empty()) {
+               if (encParams.iv.empty()) {
             // Data are not encrypted, let's try to verify them
                        Crypto::Data binaryData;
 
@@ -1189,11 +1195,11 @@ int CKMLogic::importInitialData(
 
                        token = store.import(binaryData,
                                                                 m_accessControl.isCCMode() ? "" : policy.password,
-                                                                iv);
+                                                                encParams);
                } else {
                        token = store.import(data,
                                                                 m_accessControl.isCCMode() ? "" : policy.password,
-                                                                iv);
+                                                                encParams);
                }
 
                DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
index 8115117..7f9b5f0 100644 (file)
@@ -36,7 +36,7 @@
 #include <certificate-impl.h>
 #include <sys/types.h>
 #include <generic-backend/gobj.h>
-
+#include <generic-backend/encryption-params.h>
 #include <platform/decider.h>
 
 namespace CKM {
@@ -209,7 +209,7 @@ public:
        int importInitialData(
                const Name &name,
                const Crypto::Data &data,
-               const RawBuffer &iv,
+               const Crypto::EncryptionParams &encData,
                const Policy &policy);
 
        int unlockSystemDB();
index f519e27..d13f6af 100644 (file)
@@ -91,7 +91,7 @@ BOOST_AUTO_TEST_CASE(row_encryption)
        Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10));
        Crypto::Decider decider;
        Crypto::GStore &store = decider.getStore(data.type, policy);
-       Token token = store.import(data, policy.password, RawBuffer());
+       Token token = store.import(data, policy.password, Crypto::EncryptionParams());
 
        Name name = "test_data";
        ClientId owner = "test_owner";
@@ -113,7 +113,7 @@ BOOST_AUTO_TEST_CASE(row_encryption_negatives)
        Crypto::Data data(DataType(DataType::Type::BINARY_DATA), createRandom(10));
        Crypto::Decider decider;
        Crypto::GStore &store = decider.getStore(data.type, policy);
-       Token token = store.import(data, policy.password, RawBuffer());
+       Token token = store.import(data, policy.password, Crypto::EncryptionParams());
 
        Name name = "test_data";
        ClientId owner = "test_owner";
index 0b39bf3..5814a26 100644 (file)
@@ -15,7 +15,8 @@
  */
 #include <generic-backend/gobj.h>
 #include <generic-backend/gstore.h>
-//#include <generic-backend/algo-validation.h>
+#include <generic-backend/algo-validation.h>
+#include <generic-backend/encryption-params.h>
 
 #include <boost/test/unit_test.hpp>
 
@@ -72,7 +73,7 @@ BOOST_AUTO_TEST_CASE(gstore)
                                                Exc::Crypto::OperationNotSupported);
        BOOST_REQUIRE_THROW(store.generateSKey(CryptoAlgorithm(), Password()),
                                                Exc::Crypto::OperationNotSupported);
-       BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password(), RawBuffer()),
+       BOOST_REQUIRE_THROW(store.import(Crypto::Data(), Password(), Crypto::EncryptionParams()),
                                                Exc::Crypto::OperationNotSupported);
        BOOST_REQUIRE_THROW(store.destroy(Token()),
                                                Exc::Crypto::OperationNotSupported);
index 880211b..93447de 100644 (file)
@@ -14,6 +14,7 @@
  *  limitations under the License
  */
 #include <tz-backend/store.h>
+#include <generic-backend/encryption-params.h>
 
 #include <boost/test/unit_test.hpp>
 
@@ -30,7 +31,7 @@ BOOST_AUTO_TEST_CASE(store)
                                                Exc::Crypto::OperationNotSupported);
        BOOST_REQUIRE_THROW(store.generateAKey(CryptoAlgorithm(), Password(), Password()),
                                                Exc::Crypto::OperationNotSupported);
-       BOOST_REQUIRE_THROW(store.import(Data(), Password(), RawBuffer()),
+       BOOST_REQUIRE_THROW(store.import(Data(), Password(), Crypto::EncryptionParams()),
                                                Exc::Crypto::OperationNotSupported);
        BOOST_REQUIRE_NO_THROW(store.destroy(Token()));
 }