Konai Secure Element is not supported anymore.
Change-Id: I606b11863fcfba0daa30ff12452f41b2d206aac9
SET(CMAKE_POSITION_INDEPENDENT_CODE "True")
SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")
-IF(DCM_BACKEND_TYPE STREQUAL "dummy")
- ADD_SUBDIRECTORY(src/dummy-backend)
-ELSEIF(DCM_BACKEND_TYPE STREQUAL "kse")
- ADD_SUBDIRECTORY(src/kse-backend)
-ELSE()
- ADD_SUBDIRECTORY(src/dummy-backend)
-ENDIF()
+ADD_SUBDIRECTORY(src/dummy-backend)
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Requires: device-certificate-manager
-Conflicts:device-certificate-manager-backend-kse
%description
Device Certificate Manager dummy (based on the OpenSSL) backend library
%build
%cmake . -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:Release} \
- -DDCM_BACKEND_API=%{dcm_backend_api} \
- -DDCM_BACKEND_TYPE=dummy
+ -DDCM_BACKEND_API=%{dcm_backend_api}
make %{?jobs:-j%jobs}
+++ /dev/null
-Name: device-certificate-manager-backend-kse
-Summary: Device Certificate Manager KONAISE backend library
-Version: 1.0
-Release: 1
-Group: Security/Development
-License: Apache-2.0
-Source0: %{name}-%{version}.tar.gz
-Source1001: device-certificate-manager-backend.manifest
-BuildRequires: cmake
-BuildRequires: pkgconfig(dlog)
-BuildRequires: pkgconfig(iotivity)
-BuildRequires: pkgconfig(device-certificate-manager-backend)
-BuildRequires: boost-devel
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
-Requires: device-certificate-manager
-Conflicts:device-certificate-manager-backend-dummy
-
-%description
-Device Certificate Manager KONAISE backend library
-
-%package tests
-Summary: Internal tool for testing the DCM KONAISE backend
-Group: Security/Testing
-Requires: device-certificate-manager-backend-kse
-
-%description tests
-Internal tool for testing the DCM KONAISE backend
-
-%prep
-%setup -q
-cp -a %{SOURCE1001} .
-
-%build
-%cmake . -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:Release} \
- -DDCM_BACKEND_API=%{dcm_backend_api} \
- -DDCM_BACKEND_TYPE=kse
-
-make %{?jobs:-j%jobs}
-
-%install
-%make_install
-
-%files
-%manifest device-certificate-manager-backend.manifest
-%license LICENSE
-%{_libdir}/lib%{dcm_backend_api}.so*
-
-%files tests
-%manifest device-certificate-manager-backend.manifest
-%license LICENSE
-%{_bindir}/dcm_konaise_tool
+++ /dev/null
-# Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# @file src/kse-backend/CMakeLists.txt
-# @author Pawel Kowalski <p.kowalski2@partner.samsung.com>
-#
-
-FIND_PACKAGE(PkgConfig REQUIRED)
-FIND_LIBRARY(MBEDTLS_LIB mbedtls)
-
-PKG_CHECK_MODULES(KSE_DEPS REQUIRED dlog device-certificate-manager-backend)
-INCLUDE_DIRECTORIES(SYSTEM ${KSE_DEPS_INCLUDE_DIRS})
-LINK_DIRECTORIES(${KSE_DEPS_LIBRARY_DIRS})
-
-INCLUDE_DIRECTORIES(../shared)
-
-ADD_LIBRARY(${DCM_BACKEND_API}
- SHARED
- dcm-backend-api-kse.cpp
- soresolver.cpp
- ksebackend.cpp
- ksebackendcontext.cpp
- ../shared/log.cpp)
-
-TARGET_LINK_LIBRARIES(${DCM_BACKEND_API}
- ${MBEDTLS_LIB}
- ${KSE_DEPS_LIBRARIES})
-
-SET_TARGET_PROPERTIES(${DCM_BACKEND_API}
- PROPERTIES
- VERSION 1.0
- DEFINE_SYMBOL DCM_BACKEND_API_SEE_EXPORT
- VISIBILITY_INLINES_HIDDEN TRUE
- C_VISIBILITY_PRESET hidden
- CXX_VISIBILITY_PRESET hidden)
-
-INSTALL(TARGETS ${DCM_BACKEND_API}
- LIBRARY DESTINATION
- ${CMAKE_INSTALL_LIBDIR})
-
-ADD_SUBDIRECTORY(tools)
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2017 Samsung Electronics All Rights Reserved.
- *
- * Author: Jaroslaw Pelczar <j.pelczar@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#include "cert_utils.h"
-#include <vector>
-#include <map>
-#include <algorithm>
-#include <cstring>
-#include <cstdlib>
-#include <mbedtls/pem.h>
-#include <stdexcept>
-#include <cassert>
-#include <set>
-#include <list>
-#include "log.h"
-
-int x509_crt_rewriter::parse(const unsigned char * buffer, size_t length)
-{
- return mbedtls_x509_crt_parse(fChain, buffer, length);
-}
-
-/*
- * Like memcmp, but case-insensitive and always returns -1 if different
- */
-static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
-{
- size_t i;
- unsigned char diff;
- const unsigned char *n1 = (const unsigned char *)s1, *n2 = (const unsigned char *)s2;
-
- for( i = 0; i < len; i++ )
- {
- diff = n1[i] ^ n2[i];
-
- if( diff == 0 )
- continue;
-
- if( diff == 32 &&
- ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
- ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
- {
- continue;
- }
-
- return( -1 );
- }
-
- return( 0 );
-}
-
-/*
- * Compare two X.509 strings, case-insensitive, and allowing for some encoding
- * variations (but not all).
- *
- * Return 0 if equal, -1 otherwise.
- */
-static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
-{
- if( a->tag == b->tag &&
- a->len == b->len &&
- memcmp( a->p, b->p, b->len ) == 0 )
- {
- return( 0 );
- }
-
- if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
- ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
- a->len == b->len &&
- x509_memcasecmp( a->p, b->p, b->len ) == 0 )
- {
- return( 0 );
- }
-
- return( -1 );
-}
-
-/*
- * Compare two X.509 Names (aka rdnSequence).
- *
- * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
- * we sometimes return unequal when the full algorithm would return equal,
- * but never the other way. (In particular, we don't do Unicode normalisation
- * or space folding.)
- *
- * Return 0 if equal, -1 otherwise.
- */
-static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
-{
- /* Avoid recursion, it might not be optimised by the compiler */
- while( a != NULL || b != NULL )
- {
- if( a == NULL || b == NULL )
- return( -1 );
-
- /* type */
- if( a->oid.tag != b->oid.tag ||
- a->oid.len != b->oid.len ||
- memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
- {
- return( -1 );
- }
-
- /* value */
- if( x509_string_cmp( &a->val, &b->val ) != 0 )
- return( -1 );
-
- /* structure of the list of sets */
- if( a->next_merged != b->next_merged )
- return( -1 );
-
- a = a->next;
- b = b->next;
- }
-
- /* a == NULL == b */
- return( 0 );
-}
-
-void x509_crt_rewriter::sort_chain()
-{
- // Only 1 certificate - don't bother
- if(!fChain->next) {
- fChainSize = fChain->raw.len;
- fNumCerts = 1;
- return;
- }
-
- std::vector<mbedtls_x509_crt *> list;
- std::multimap<mbedtls_x509_crt *, mbedtls_x509_crt *> subject_of;
- std::set<mbedtls_x509_crt *> visited;
-
- // Build list of all certificates
- for(auto * cert = fChain ; cert ; cert = cert->next) {
- list.push_back(cert);
- }
-
- // Create graph vertices to map issuer to subject
- for(size_t i = 0 ; i < list.size() ; ++i) {
- mbedtls_x509_crt * issuer = nullptr;
- // Find issuer - ignore ourselves as we always want root CA issuer to be nullptr
- for(size_t j = 0 ; j < list.size() ; ++j) {
- if(i != j && x509_name_cmp(&list[i]->issuer, &list[j]->subject) == 0) {
- issuer = list[j];
- break;
- }
- }
-
- // In case there are multiple subjects for one issuer, the chain
- // must be horribly broken
- subject_of.emplace(issuer, list[i]);
- }
-
- // BFS algorithm queue
- std::list<mbedtls_x509_crt *> queue;
- // Final output chain
- std::list<mbedtls_x509_crt *> final_chain;
-
- // Find root certificates - they will not have any issuer
- auto root_range = subject_of.equal_range(nullptr);
-
- // Perform BFS for each root
- for(auto it = root_range.first ; it != root_range.second ; ++it) {
- mbedtls_x509_crt * root_cert = it->second;
-
- if(visited.find(root_cert) == visited.end()) {
- visited.insert(root_cert);
- queue.push_back(root_cert);
-
- while(!queue.empty()) {
- auto s = queue.front();
- // Write out chain from root back to leaf
- final_chain.push_back(s);
- queue.pop_front();
-
- auto range = subject_of.equal_range(s);
- for(auto it = range.first ; it != range.second ; ++it) {
- mbedtls_x509_crt * cert = it->second;
- if(visited.find(cert) == visited.end()) {
- visited.insert(cert);
- queue.push_back(cert);
- }
- }
- }
- }
- }
-
- fChain = nullptr;
- fChainSize = 0;
- fNumCerts = list.size();
-
- // Rebuild certificate linked list
- for(auto it = final_chain.begin() ; it != final_chain.end() ; ++it) {
- auto cert(*it);
- cert->next = fChain;
- fChain = cert;
- fChainSize += cert->raw.len;
- }
-}
-
-#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
-#define PEM_END_CRT "-----END CERTIFICATE-----\n"
-
-std::string x509_crt_rewriter::emit_pem()
-{
- std::string buffer;
-
- if(fChainSize == 0)
- throw std::runtime_error("State failure");
-
- // Always rewrite the chain as PEM
-
- buffer.resize(fChainSize * 4 + fNumCerts * (sizeof(PEM_BEGIN_CRT) + sizeof(PEM_END_CRT)));
-
- unsigned char * out_buffer = (unsigned char *)buffer.c_str();
- size_t out_capacity = buffer.size();
- size_t total_size = 0;
- size_t this_len;
-
- for(auto cert = fChain ; cert ; cert = cert->next) {
- int error = mbedtls_pem_write_buffer(PEM_BEGIN_CRT,
- PEM_END_CRT,
- cert->raw.p,
- cert->raw.len,
- out_buffer + total_size,
- out_capacity - total_size,
- &this_len);
-
- if(error != 0) {
- throw std::runtime_error("Certificate write failure");
- }
-
- // Account for final 0 byte
- total_size += this_len - 1;
- }
-
- buffer.resize(total_size);
- buffer.push_back(0);
-
- return buffer;
-}
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2017 - 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Jaroslaw Pelczar <j.pelczar@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#ifndef CERT_UTILS_H_
-#define CERT_UTILS_H_
-
-#include <mbedtls/x509_crt.h>
-#include <string>
-
-struct x509_crt_rewriter {
-private:
- mbedtls_x509_crt * fChain;
- size_t fChainSize = 0;
- size_t fNumCerts = 0;
-
-public:
- x509_crt_rewriter() :
- fChain(new mbedtls_x509_crt())
- {
- mbedtls_x509_crt_init(fChain);
- }
-
- ~x509_crt_rewriter() {
- mbedtls_x509_crt_free(fChain);
- delete fChain;
- }
-
- int parse(const unsigned char * buffer, size_t length);
- void sort_chain();
- std::string emit_pem();
-};
-
-#endif /* CERT_UTILS_H_ */
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Pawel Kowalski <p.kowalski2@partner.samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#include "ksebackend.h"
-#include "ksebackendcontext.h"
-#include <device-certificate-manager-backend/dcm-backend-api.h>
-
-static std::shared_ptr<kse_backend> backend(new kse_backend());
-
-void dcm_backend_create_key_context(dcm_backend_context& ctx,
- const std::string& keyType) {
- ctx.backend = new kse_backend_context(backend, keyType);
-}
-
-void dcm_backend_free_key_context(dcm_backend_context& ctx) {
- delete static_cast<kse_backend_context*>(ctx.backend);
- ctx.backend= nullptr;
-}
-
-int dcm_backend_request_certificate_chain(dcm_backend_context& ctx,
- std::string& mutable_chain) {
- return ctx.backend ? static_cast<kse_backend_context*>(ctx.backend)
- ->request_certificate_chain(mutable_chain) : -1;
-}
-
-int dcm_backend_sign_crypto_data(dcm_backend_context& ctx,
- MessageDigestType digestType,
- const std::string& dataToSign,
- std::string& digestResult) {
- return ctx.backend ? static_cast<kse_backend_context*>(ctx.backend)
- ->sign_crypto_data(digestType, dataToSign, digestResult) : -1;
-}
-
-CryptoKeyType dcm_backend_key_type(dcm_backend_context& ctx) {
- return ctx.backend ? static_cast<kse_backend_context*>(ctx.backend)->key_type() : CryptoKeyType::CRYPTO_KEY_TYPE_INVALID;
-}
-
-unsigned int dcm_backend_key_length(dcm_backend_context& ctx) {
- return ctx.backend ? static_cast<kse_backend_context*>(ctx.backend)->key_length() : 0;
-}
+++ /dev/null
-#ifndef _KONAISE_H_
-#define _KONAISE_H_
-
-// real header file name is security_hal.h
-
-/**
- * This header file is included to define _EXPORT_.
- */
-#include <stdbool.h>
-#include <stdint.h>
-#include <tizen.h>
-
-#define _IN_
-#define _OUT_
-#define _INOUT_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Common
- */
-
-/* Enumerator */
-enum hal_result_e {
- HAL_SUCCESS,
-
- HAL_NOT_INITIALIZED,
- HAL_INVALID_ARGS,
-
- HAL_INVALID_SLOT_RANGE,
- HAL_INVALID_SLOT_TYPE, //ex. request to save key into cert slot
- HAL_EMPTY_SLOT,
-
- HAL_BAD_KEY,
- HAL_BAD_KEY_PAIR, //public and private keys do not match
- HAL_BAD_CERT,
- HAL_BAD_CERTKEY_PAIR, //certificate and key do not match
-
- HAL_NOT_ENOUGH_MEMORY,
- HAL_ALLOC_FAIL,
- HAL_KEY_IN_USE,
- HAL_CERT_IN_USE,
- HAL_DATA_IN_USE,
-
- HAL_NOT_SUPPORTED,
- HAL_NOT_IMPLEMENTED,
-
- HAL_BUSY,
- HAL_FAIL,
-};
-
-typedef enum {
- HAL_HASH_MD5,
- HAL_HASH_SHA1,
- HAL_HASH_SHA224,
- HAL_HASH_SHA256,
- HAL_HASH_SHA384,
- HAL_HASH_SHA512,
- HAL_HASH_UNKNOWN,
-} hal_hash_type;
-
-typedef enum {
- HAL_DH_1024,
- HAL_DH_2048,
-} hal_dh_key_type;
-
-typedef enum{
- HAL_RSA_1024,
- HAL_RSA_2048,
-} hal_rsa_key_type;
-
-typedef enum {
- HAL_AES_128,
- HAL_AES_192,
- HAL_AES_256,
-} hal_aes_key_type;
-
-typedef enum {
- HAL_HMAC_MD5,
- HAL_HMAC_SHA1,
- HAL_HMAC_SHA224,
- HAL_HMAC_SHA256,
- HAL_HMAC_SHA384,
- HAL_HMAC_SHA512,
- HAL_HMAC_UNKNOWN,
-} hal_hmac_type;
-
-typedef enum {
- HAL_ECDSA_BRAINPOOL_P256R1,
- HAL_ECDSA_BRAINPOOL_P384R1,
- HAL_ECDSA_BRAINPOOL_P512R1,
- HAL_ECDSA_SEC_P256R1,
- HAL_ECDSA_SEC_P384R1,
- HAL_ECDSA_SEC_P512R1,
-} hal_ecdsa_curve;
-
-typedef enum {
- HAL_AES_ECB_NOPAD,
- HAL_AES_ECB_ISO9797_M1,
- HAL_AES_ECB_ISO9797_M2,
- HAL_AES_ECB_PKCS5,
- HAL_AES_ECB_PKCS7,
- HAL_AES_CBC_NOPAD,
- HAL_AES_CBC_ISO9797_M1,
- HAL_AES_CBC_ISO9797_M2,
- HAL_AES_CBC_PKCS5,
- HAL_AES_CBC_PKCS7,
- HAL_AES_CTR,
-} hal_aes_algo;
-
-typedef enum {
- HAL_RSASSA_PKCS1_V1_5,
- HAL_RSASSA_PKCS1_PSS_MGF1,
-} hal_rsa_algo;
-
-typedef enum {
- /* AES */
- HAL_KEY_AES_128,// 128 bits aes algorithm
- HAL_KEY_AES_192, // 192 bits aes algorithm
- HAL_KEY_AES_256, // 256 bits aes algorithm
- /* RSA */
- HAL_KEY_RSA_1024, // 1024 bits rsa algorithm
- HAL_KEY_RSA_2048, // 2048 bits rsa algorithm
- HAL_KEY_RSA_3072, // 3072 bits rsa algorithm
- HAL_KEY_RSA_4096,
- /* ECC: it doesn't support whole algorithm that mbedTLS support. it's have to be added*/
- HAL_KEY_ECC_BRAINPOOL_P256R1, // ecc brainpool curve for p256r1
- HAL_KEY_ECC_BRAINPOOL_P384R1, // ecc brainpool curve for p384r1
- HAL_KEY_ECC_BRAINPOOL_P512R1, // ecc brainpool curve for p512r1
- HAL_KEY_ECC_SEC_P256R1, // nist curve for p256r1
- HAL_KEY_ECC_SEC_P384R1, // nist curve for p384r1
- HAL_KEY_ECC_SEC_P512R1, // nist curve for p512r1
- /* Hmac */
- HAL_KEY_HMAC_MD5, // hmac with md5
- HAL_KEY_HMAC_SHA1, // hmac with sha1
- HAL_KEY_HMAC_SHA224, // hmac with sha224
- HAL_KEY_HMAC_SHA256, // hmac with sha256
- HAL_KEY_HMAC_SHA384, // hmac with sha384
- HAL_KEY_HMAC_SHA512, // hmac with sha512
- /* DH */
- HAL_KEY_DH_1024,
- HAL_KEY_DH_2048,
- HAL_KEY_UNKNOWN,
-} hal_key_type;
-
-/* Structure */
-typedef struct _hal_init_param {
- uint32_t i2c_port;
- uint32_t i2c_speed;
- uint32_t gpio;
- uint8_t i2c_slave_address;
-} hal_init_param;
-
-typedef struct _hal_data {
- void *data;
- uint32_t data_len;
- void *priv;
-} hal_data;
-
-typedef struct _hal_rsa_mode {
- hal_rsa_algo rsa_a;
- hal_hash_type hash_t;
- hal_hash_type mgf;
- uint32_t salt_byte_len;
-} hal_rsa_mode;
-
-typedef struct _hal_aes_param {
- hal_aes_algo mode;
- unsigned char *iv;
- unsigned int iv_len;
-} hal_aes_param;
-
-typedef struct _hal_ecdsa_mode {
- hal_ecdsa_curve curve;
- hal_hash_type hash_t;
-} hal_ecdsa_mode;
-
-typedef struct _hal_dh_data {
- hal_dh_key_type mode;
- hal_data *G;
- hal_data *P;
- hal_data *pubkey;
-} hal_dh_data;
-
-typedef struct _hal_ecdh_data {
- hal_ecdsa_curve curve;
- hal_data *pubkey_x;
- hal_data *pubkey_y;
-} hal_ecdh_data;
-
-typedef struct _hal_ss_info {
- unsigned int size;
- struct _hal_ss_info *next;
-} hal_ss_info;
-
-
-// ======================================
-// Function
-// ======================================
-
-/**
- * Common
- */
-
-/*
- * Reference
- * Desc: Initialize HAL
- * Artik SEE API:
- * TizenRT SEE API:
- * ISP:
- * NOTE: Initialize secure channel
- */
-EXPORT_API int hal_init(_IN_ hal_init_param *params);
-
-/*
- * Reference
- * Desc: Deinitialize HAL
- * Artik SEE API:
- * TizenRT SEE API:
- * ISP:
- * NOTE: Deinitialize secure channel
- */
-EXPORT_API int hal_deinit(void);
-
-/*
- * Reference
- * Desc: free memory allocated within HAL
- * Artik SEE API:
- * TizenRT SEE API:
- * ISP:
- */
-EXPORT_API int hal_free_data(_IN_ hal_data *data);
-
-/*
- * Reference
- * Desc: get status of SE
- * Artik SEE API:
- * TizenRT SEE API:
- * ISP:
- * return value: busy, not initialized, ...
- * NOTE: BUSY/IDLE check should be conducted within each HAL APIs as well.
- */
-EXPORT_API int hal_get_status(void);
-
-/**
- * Key Manager
- */
-/*
- * Reference
- * Desc: If key type is asymmetric then private key can be stored.
- * Artik SEE API: int see_set_key(see_algorithm algo, const char *key_name, see_data key);
- * TizenRT SEE API:
- * ISP:
- */
-EXPORT_API int hal_set_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx, _IN_ hal_data *key, _IN_ hal_data *prikey);
-
-
-/*
- * Reference
- * Desc:
- * Artik SEE API: int see_get_pubkey(see_algorithm algo, const char *key_name, see_data *pub_key);
- * TizenRT SEE API:
- * ISP:
- * NOTE: Return key type in key->priv
- */
-EXPORT_API int hal_get_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx, _OUT_ hal_data *key);
-
-
-/*
- * Reference
- * Desc:
- * Artik SEE API: int see_remove_key(see_algorithm algo, const char *key_name);
- * TizenRT SEE API:
- * ISP:
- */
-EXPORT_API int hal_remove_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx);
-
-
-/*
- * Reference
- * Desc:
- * Artik SEE API: int see_generate_key(see_algorithm algo, const char *key_name, see_data *pub_key)
- * TizenRT SEE API:
- * ISP:
- */
-EXPORT_API int hal_generate_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx);
-
-
-/**
- * Authenticate
- */
-
-/*
- * Reference
- * Desc: Generate random
- * Artik SEE API: int see_generate_random(unsigned int size, see_data *random)
- * TizenRT SEE API: int see_generate_random(unsigned int *data, unsigned int len)
- * ISP: int isp_generate_random(unsigned int *random, unsigned int wlen);
- */
-EXPORT_API int hal_generate_random(_IN_ uint32_t len, _OUT_ hal_data *random);
-
-/*
- * Reference
- * Desc: Get HASH
- * Artik SEE API: int see_get_hash(see_algorithm algo, see_data data, see_data *hash);
- * TizenRT SEE API: int see_get_hash(struct sHASH_MSG *h_param, unsigned char *hash, unsigned int mode)
- * ISP: int isp_hash(unsigned char *hash, struct sHASH_MSG *hash_msg, unsigned int object_id);
- */
-EXPORT_API int hal_get_hash(_IN_ hal_hash_type mode, _IN_ hal_data *input, _OUT_ hal_data *hash);
-
-/*
- * Reference
- * Desc: Get HMAC
- * Artik SEE API: int see_get_hmac(see_algorithm algo, const char *key_name, see_data data, see_data *hmac);
- * TizenRT SEE API: int see_get_hmac(struct sHMAC_MSG *hmac_msg, unsigned char *output, unsigned int object_id, unsigned int key_index)
- * ISP: int isp_hmac_securekey(unsigned char *mac, struct sHMAC_MSG *hmac_msg, unsigned int object_id, unsigned int key_index)
- * w
- */
-EXPORT_API int hal_get_hmac(_IN_ hal_hmac_type mode, _IN_ hal_data *input, _IN_ uint32_t key_idx, _OUT_ hal_data *hmac);
-
-/*
- * Reference
- * Desc: get signature using RSA key
- * Artik SEE API: int see_get_rsa_signature(see_rsa_mode mode, const char *key_name, see_data hash, see_data *sign)
- * TizenRT SEE API: int see_get_rsa_signature(struct sRSA_SIGN *rsa_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index)
- * ISP: int isp_rsa_sign_md_securekey(struct sRSA_SIGN *rsa_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index)
- */
-EXPORT_API int hal_rsa_sign_md(_IN_ hal_rsa_mode mode, _IN_ hal_data *hash, _IN_ uint32_t key_idx, _OUT_ hal_data *sign);
-
-/*
- * Reference
- * Desc:
- * Artik SEE API: int see_verify_rsa_signature(see_rsa_mode mode, const char *key_name, see_data hash, see_data sign)
- * TizenRT SEE API: int see_verify_rsa_signature(struct sRSA_SIGN *rsa_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index)
- * ISP: int isp_rsa_verify_md_securekey(struct sRSA_SIGN *rsa_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index);
- */
-EXPORT_API int hal_rsa_verify_md(_IN_ hal_rsa_mode mode, _IN_ hal_data *hash, _IN_ hal_data *sign, _IN_ uint32_t key_idx);
-
-/*
- * Reference
- * Desc: Get signature
- * Artik SEE API: int see_get_ecdsa_signature(see_ecdsa_curve curve, const char *key_name, see_data hash, see_data *sign)
- * TizenRT SEE API: int see_get_ecdsa_signature(struct sECC_SIGN *ecc_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index)
- * ISP: int isp_ecdsa_sign_md_securekey(struct sECC_SIGN *ecc_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index)
- */
-EXPORT_API int hal_ecdsa_sign_md(_IN_ hal_data *hash, _IN_ uint32_t key_idx, _INOUT_ hal_ecdsa_mode *mode, _OUT_ hal_data *sign);
-
-/*
- * Reference
- * Artik SEE API:
- * TizenRT SEE API: int see_verify_ecdsa_signature(struct sECC_SIGN *ecc_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index)
- * ISP: int isp_ecdsa_verify_md_securekey(struct sECC_SIGN *ecc_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index)
- */
-EXPORT_API int hal_ecdsa_verify_md(_IN_ hal_ecdsa_mode mode, _IN_ hal_data *hash, _IN_ hal_data *sign, _IN_ uint32_t key_idx);
-
-
-/*
- * Reference
- * Desc: Generate key at slot of index
- * Artik SEE API: -
- * TizenRT SEE API: int see_generate_dhm_params(struct sDH_PARAM *d_param, unsigned int key_index)
- * ISP: int isp_dh_generate_keypair_userparam_securestorage(struct sDH_PARAM *i_dh_param, unsigned int dh_param_index);
- */
-/*
- * The function generates GX (G^X mod P) which is pubkey in dh_param with given G, P
- * X will be generate and will be protected inside slot in SE
- * X have to be removed by using hal_remove_key()
- */
-EXPORT_API int hal_dh_generate_param(_IN_ uint32_t dh_idx, _INOUT_ hal_dh_data *dh_param);
-
-/*
- * Reference
- * Desc: Get shared secret
- * Artik SEE API: -
- * TizenRT SEE API: int see_compute_dhm_param(struct sDH_PARAM *d_param, unsigned int key_index, unsigned char *output, unsigned int *olen)
- * ISP: int isp_dh_compute_shared_secret_securekey(unsigned char *shared_secret, unsigned int *shared_secret_byte_len, struct sDH_PARAM dh_publickey, unsigned int key_index);
- */
-EXPORT_API int hal_dh_compute_shared_secret(_IN_ hal_dh_data *dh_param, _IN_ uint32_t dh_idx, _OUT_ hal_data *shared_secret);
-
-/*
- * Reference
- * Desc: Get ECDH shared secret
- * Artik SEE API: -
- * TizenRT SEE API: int see_compute_ecdh_param(struct sECC_KEY *ecc_pub, unsigned int key_index, unsigned char *output, unsigned int *olen)
- * ISP: int isp_compute_ecdh_securekey(unsigned char *shared_secret, unsigned int *shared_secret_byte_len, struct sECC_KEY ecc_publickey, unsigned int key_index);
- * NOTE: pubkey denotes a public key from the target which tries to share a secret
- */
-EXPORT_API int hal_ecdh_compute_shared_secret(_IN_ hal_ecdh_data *ecdh_mode, _IN_ uint32_t key_idx, _OUT_ hal_data *shared_secret);
-
-/*
- * Reference
- * Desc: Set certificate in secure storage
- * Artik SEE API: -
- * TizenRT SEE API: int see_set_certificate(unsigned char *cert, unsigned int cert_len, unsigned int cert_index, unsigned int cert_type)
- * ISP: int isp_write_cert(unsigned char *data, unsigned int data_byte_len, unsigned int index)
- * NOTE: When cert_in consists of chains, cert_in->data represents the last certificate, and then, cert_in->priv denotes the next chain formatted hal_data.
- * (Root CA has to be the end of hal_data)
- */
-EXPORT_API int hal_set_certificate(_IN_ uint32_t cert_idx, _IN_ hal_data *cert_in);
-
-/*
- * Reference
- * Desc: Get certificate in secure storage
- * Artik SEE API: -
- * TizenRT SEE API: int see_get_certificate(unsigned char *cert, unsigned int *cert_len, unsigned int cert_index, unsigned int cert_type)
- * ISP: int isp_read_cert(unsigned char *data, unsigned int *data_byte_len, unsigned int index);
- * NOTE: When cert_out consists of chains, cert_out->data represents the last certificate, and then, cert_out->priv denotes the next chain formatted hal_data.
- * (Root CA has to be the end of hal_data)
- */
-EXPORT_API int hal_get_certificate(_IN_ uint32_t cert_idx, _OUT_ hal_data *cert_out);
-/*
- * Reference
- * Desc: Remove certificate in secure storage
- * Artik SEE API: -
- * TizenRT SEE API: -
- * ISP: -
- */
-EXPORT_API int hal_remove_certificate(_IN_ uint32_t cert_idx);
-
-EXPORT_API int hal_get_factorykey_data(_IN_ uint32_t key_idx, _IN_ hal_data *data); // old api
-/*
- * Reference
- * Desc: Get factory key
- * Artik SEE API: -
- * TizenRT SEE API: int see_get_publickey(unsigned char *key_der, unsigned int *key_len)
- * ISP: int isp_get_factorykey_data(unsigned char *data, unsigned int *data_byte_len, unsigned int data_id);
- */
-
-EXPORT_API int hal_get_factory_key(_IN_ uint32_t key_idx, _IN_ hal_data *key);
-/*
- * Reference
- * Desc: Get factory cert
- * Artik SEE API: -
- * TizenRT SEE API:
- * ISP: int isp_get_factorykey2_data(unsigned char *data, unsigned int *data_byte_len, unsigned int data_id);
- */
-EXPORT_API int hal_get_factory_cert(_IN_ uint32_t cert_idx, _IN_ hal_data *cert);
-
-/*
- * Reference
- * Desc: Get factory data
- * Artik SEE API: -
- * TizenRT SEE API:
- * ISP: int isp_get_factorykey2_data(unsigned char *data, unsigned int *data_byte_len, unsigned int data_id);
- */
-EXPORT_API int hal_get_factory_data(_IN_ uint32_t data_idx, _IN_ hal_data *data);
-
-
-/**
- * Crypto
- */
-
-/*
- * Reference
- * Desc: Encrypt data using AES
- * Artik SEE API: -
- * TizenRT SEE API: int see_aes_encrypt(unsigned int key_index, struct sAES_PARAM *aes_param)
- * ISP: int isp_aes_encrypt_securekey(struct sAES_PARAM *aes_param, unsigned int key_index)
- */
-EXPORT_API int hal_aes_encrypt(_IN_ hal_data *dec_data, _IN_ hal_aes_param *aes_param, _IN_ uint32_t key_idx, _OUT_ hal_data *enc_data);
-
-/*
- * Reference
- * Desc: Decrypt data using AES
- * Artik SEE API: -
- * TizenRT SEE API: int see_aes_decrypt(unsigned int key_index, struct sAES_PARAM *aes_param)
- * ISP: int isp_aes_decrypt_securekey(struct sAES_PARAM *aes_param, unsigned int key_index)
- */
-EXPORT_API int hal_aes_decrypt(_IN_ hal_data *enc_data, _IN_ hal_aes_param *aes_param, _IN_ uint32_t key_idx, _OUT_ hal_data *dec_data);
-
-/*
- * Reference
- * Desc: Encrypt data using RSA
- * Artik SEE API: -
- * TizenRT SEE API: int see_rsa_encryption(unsigned int key_index, unsigned int pad_type, unsigned char *output, unsigned int *outlen, unsigned char *input, unsigned int inlen)
- * ISP: int isp_rsa_encrypt_securekey(unsigned char *output, unsigned int *output_byte_len, unsigned char *input, unsigned int input_byte_len, unsigned int key_index)
- */
-EXPORT_API int hal_rsa_encrypt(_IN_ hal_data *dec_data, _IN_ hal_rsa_mode *mode, _IN_ uint32_t key_idx, _OUT_ hal_data *enc_data);
-
-/*
- * Reference
- * Desc: Decrypt data using RSA
- * Artik SEE API: -
- * TizenRT SEE API:
- * ISP:
- */
-EXPORT_API int hal_rsa_decrypt(_IN_ hal_data *enc_data, _IN_ hal_rsa_mode *mode, _IN_ uint32_t key_idx, _OUT_ hal_data *dec_data);
-
-
-/**
- * Secure Storage
- */
-
-/*
- * Reference
- * Desc: write data in secure storage of ss_idx
- * Artik SEE API: -
- * TizenRT SEE API: int see_read_secure_storage(unsigned char *data, unsigned int *data_len, unsigned index)
- * ISP: int isp_read_storage(unsigned char *data, unsigned int *data_byte_len, unsigned int index)
- */
-EXPORT_API int hal_write_storage(_IN_ uint32_t ss_idx, _IN_ hal_data *data);
-
-/*
- * Reference
- * Desc: Read data from secure storage of ss_idx
- * Artik SEE API: -
- * TizenRT SEE API: int see_read_secure_storage(unsigned char *data, unsigned int *data_len, unsigned index)
- * ISP: int isp_read_storage(unsigned char *data, unsigned int *data_byte_len, unsigned int index)
- */
-EXPORT_API int hal_read_storage(_IN_ uint32_t ss_idx, _OUT_ hal_data *data);
-
-/*
- * Reference
- * Desc: Delete data in secure storage of ss_idx
- * Artik SEE API: -
- * TizenRT SEE API: int see_read_secure_storage(unsigned char *data, unsigned int *data_len, unsigned index)
- * ISP: int isp_read_storage(unsigned char *data, unsigned int *data_byte_len, unsigned int index)
- */
-EXPORT_API int hal_delete_storage(_IN_ uint32_t ss_idx);
-
-// This method is dummy.
-
-EXPORT_API bool tizenkonaise(void);
-
-
-#ifdef __cplusplus
-}
-#endif
-#endif // _KONAISE_H_
-
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Dongsun Lee <ds73.lee@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#include "ksebackend.h"
-#include "ksebackendcontext.h"
-#include "log.h"
-#include <mutex>
-
-#include "konaise.h"
-
-#define KSE_LIB_NAME "libkonaise.so"
-
-kse_backend::kse_backend() :
- fKseInitOK(false),
- fSoResolver(std::string(KSE_LIB_NAME))
-{
- initialize_kse();
- LOGD("Constructed KSE backend");
-}
-
-kse_backend::~kse_backend() {
- LOGD("Destructed KSE backend");
-}
-
-void kse_backend::initialize_kse() {
- if(fKseInitOK)
- return;
-
- LOGD("Initializing KSE backend");
-
- std::unique_lock<std::mutex> locker(fKSEMutex);
-
- if(!fSoResolver.ensure_loaded()) {
- LOGE("KSE framework init failure: Fail to load KSE library");
- fKseInitOK = false;
- return;
- }
-}
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Dongsun Lee <ds73.lee@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-
-#ifndef KSE_BACKEND_KSEBACKEND_H_
-#define KSE_BACKEND_KSEBACKEND_H_
-
-#include "soresolver.h"
-#include <mutex>
-
-
-class kse_backend
-{
-public:
- kse_backend();
- ~kse_backend();
-
- inline so_resolver& get_so_resolver() {
- return fSoResolver;
- }
-
-private:
- void initialize_kse();
-
-private:
- bool fKseInitOK;
- std::mutex fKSEMutex;
- so_resolver fSoResolver;
-};
-
-#endif /* KSE_BACKEND_KSEBACKEND_H_ */
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2019-2020 Samsung Electronics All Rights Reserved.
- *
- * Author: Dongsun Lee <ds73.lee@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#include "ksebackendcontext.h"
-#include "log.h"
-#include "konaise.h"
-#include "cert_utils.h"
-
-#include <mbedtls/asn1write.h>
-#include <mbedtls/error.h>
-#include <mbedtls/pk.h>
-
-#include <boost/algorithm/hex.hpp>
-
-#define PRIVATE_KEY_INDEX 1
-#define SUBCA_CERT_INDEX 2
-#define LEAF_CERT_INDEX 3
-
-static int kse_get_certificate_key = 0;
-static int kse_get_ecdsa_signature_key = 1;
-
-kse_backend_context::kse_backend_context(std::shared_ptr<kse_backend> backend, const std::string& keyType) :
- fBackendPtr(backend)
-{
- LOGD("Created new KSE with key " << keyType);
-
- if(keyType.empty() || keyType == "ECDSA") {
- fKeyType = CRYPTO_KEY_TYPE_ECDSA;
- } else {
- throw std::invalid_argument("Unsupported key type");
- }
-
- LOGD("Created new KSE context at " << this);
-}
-
-kse_backend_context::~kse_backend_context()
-{
- LOGD("Deleting KSE context " << this);
-}
-
-int kse_backend_context::get_certificate(unsigned int index, std::string& outcert)
-{
- hal_data cert = {NULL, 0, NULL};
- const char *method_name = "hal_get_certificate";
-
- auto backend = fBackendPtr.lock();
- if(!backend) {
- LOGE("Unable to acquire backend pointer");
- return -EINVAL;
- }
-
- auto& resolver(backend->get_so_resolver());
- int error = 0;
- try {
- error = resolver.invoke<int, unsigned int, hal_data *>(&kse_get_certificate_key,
- method_name, index, &cert);
- } catch(...) {
- LOGE("KSE: Got exception when calling resolver.invoke");
- throw;
- }
-
- if(error != 0) {
- LOGE("Failed to get certificate. error=" << error);
- return -EINVAL;
- }
-
- LOGD("KSE: Got certificate with " << cert.data_len << " bytes and index " << index);
- try {
- outcert.assign((const char *)cert.data, cert.data_len);
- } catch(...) {
- LOGE("KSE: Got exception when assigning data");
- free(cert.data);
- throw;
- }
- free(cert.data);
-
- return 0;
-}
-
-int kse_backend_context::request_certificate_chain(std::string& mutable_chain)
-{
- LOGD("KSE : Request certificate chain");
-
- std::string leaf_cert;
- std::string subca_cert;
-
- int error = 0;
-
- if((error = get_certificate(LEAF_CERT_INDEX, leaf_cert)))
- return error;
- if((error = get_certificate(SUBCA_CERT_INDEX, subca_cert)))
- return error;
-
- x509_crt_rewriter cert_writer;
- if((error = cert_writer.parse(reinterpret_cast<const unsigned char *>(leaf_cert.c_str()),
- leaf_cert.length()+1))) {
- return error;
- }
- if((error = cert_writer.parse(reinterpret_cast<const unsigned char *>(subca_cert.c_str()),
- subca_cert.length()+1))) {
- return error;
- }
- cert_writer.sort_chain();
-
- mutable_chain.append(cert_writer.emit_pem());
-
- LOGD("Requested certificate in " << this);
-
- return 0;
-}
-
-hal_hash_type _get_hal_hash_type(MessageDigestType digestType) {
- switch(digestType) {
- case MD_MD5: return HAL_HASH_MD5;
- case MD_SHA1: return HAL_HASH_SHA1;
- case MD_SHA224: return HAL_HASH_SHA224;
- case MD_SHA256: return HAL_HASH_SHA256;
- case MD_SHA384: return HAL_HASH_SHA384;
- case MD_SHA512: return HAL_HASH_SHA512;
- case MD_NONE:
- case MD_MD2:
- case MD_MD4:
- case MD_RIPEMD160:
- default: return HAL_HASH_UNKNOWN;
- }
-}
-
-int kse_backend_context::sign_crypto_data(MessageDigestType digestType, const std::string& dataToSign,
- std::string& digestResult)
-{
- hal_data hashed_data = {NULL, 0, NULL};
- hal_data signed_data = {NULL, 0, NULL};
-
- hashed_data.data = (void *)dataToSign.c_str();
- hashed_data.data_len = dataToSign.size();
-
- LOGD("KSE: Sign " << hashed_data.data_len << " bytes");
-
- auto backend = fBackendPtr.lock();
-
- if(!backend) {
- LOGE("Unable to acquire backend pointer");
- return -EINVAL;
- }
-
- auto& resolver(backend->get_so_resolver());
-
- try {
- std::string hex;
- boost::algorithm::hex((const unsigned char *)hashed_data.data,
- (const unsigned char *)hashed_data.data + hashed_data.data_len,
- std::back_inserter(hex));
- LOGD("Hashed data is " << hex);
- } catch(...) {
- }
-
- const char *method_name = "hal_ecdsa_sign_md";
- hal_ecdsa_mode mode = {HAL_ECDSA_SEC_P256R1, _get_hal_hash_type(digestType)};
-
- int error = resolver.invoke<int, hal_data *, unsigned int, hal_ecdsa_mode *, hal_data *>(
- &kse_get_ecdsa_signature_key, method_name,
- &hashed_data, PRIVATE_KEY_INDEX, &mode, &signed_data);
-
- if(error != 0) {
- char buffer[256];
- mbedtls_strerror(error, buffer, sizeof(buffer));
- LOGE("Unable to generate ECDSA signature in " << this << " (" << error << ") : " << std::string(buffer));
-
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- LOGD("Signature length is " << signed_data.data_len);
-
- try {
- std::string hex;
- boost::algorithm::hex((const unsigned char *)signed_data.data,
- (const unsigned char *)signed_data.data + signed_data.data_len,
- std::back_inserter(hex));
- LOGD("Hex signature is " << hex);
- } catch(...) {
- }
- LOGD("KSE: Generated ECDSA signature");
-
- digestResult.assign((const char *)signed_data.data, signed_data.data_len);
-
- free(signed_data.data);
- return 0;
-}
-
-CryptoKeyType kse_backend_context::key_type()
-{
- return fKeyType;
-}
-
-unsigned int kse_backend_context::key_length()
-{
- return 256;
-}
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Dongsun Lee <ds73.lee@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#ifndef KSE_BACKEND_KSEBACKENDCONTEXT_H_
-#define KSE_BACKEND_KSEBACKENDCONTEXT_H_
-
-#include "ksebackend.h"
-#include <device-certificate-manager-backend/dcm-backend-api.h>
-
-class kse_backend_context
-{
-public:
- kse_backend_context(std::shared_ptr<kse_backend> backend, const std::string& keyType);
- ~kse_backend_context();
-
- int request_certificate_chain(std::string& mutable_chain);
-
- int sign_crypto_data(MessageDigestType digestType, const std::string& dataToSign,
- std::string& digestResult);
-
- CryptoKeyType key_type();
-
- unsigned int key_length();
-
-private:
- int get_certificate(unsigned int index, std::string& cert);
-
-private:
- CryptoKeyType fKeyType;
- std::weak_ptr<kse_backend> fBackendPtr;
-};
-
-#endif /* KSE_BACKEND_KSEBACKENDCONTEXT_H_ */
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2017 - 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Jaroslaw Pelczar <j.pelczar@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#include "soresolver.h"
-#include "log.h"
-#include <dlfcn.h>
-#include <memory>
-
-so_resolver::so_resolver(const std::string& libraryName) :
- fLibraryName(libraryName),
- fLibraryHandle(nullptr)
-{
-}
-
-so_resolver::~so_resolver()
-{
- if(fLibraryHandle.load(std::memory_order_relaxed)) {
- LOGD("Unloading library " << fLibraryName);
- dlclose(fLibraryHandle.exchange(nullptr, std::memory_order_relaxed));
- LOGD("Unloaded library " << fLibraryName);
- }
-}
-
-void * so_resolver::resolve_function(const int * key_ptr, const char * name) noexcept
-{
- std::unique_lock<std::mutex> locker(fCacheLock);
-
- if(key_ptr) {
- auto it = fCache.find(key_ptr);
-
- if(it != fCache.end())
- return it->second;
- }
-
- void * handle = fLibraryHandle.load(std::memory_order_relaxed);
-
- if(handle) {
- LOGD("Resolving symbol " << name << " from " << fLibraryName);
- void * sym = dlsym(handle, name);
- if(!sym) {
- LOGE("Unable to resolve symbol " << name << " from " << fLibraryName << ": Error is " << dlerror());
- } else {
- try {
- if(key_ptr) {
- fCache.emplace(key_ptr, sym);
- }
- } catch(...) {
- LOGE("Problem with updating symbol cache!!");
- sym = nullptr;
- }
- }
- return sym;
- }
-
- LOGE("Trying to resolve symbol " << name << " from not loaded library " << fLibraryName);
-
- return nullptr;
-}
-
-bool so_resolver::ensure_loaded() noexcept
-{
- std::unique_lock<std::mutex> locker(fCacheLock);
-
- void * handle = fLibraryHandle.load(std::memory_order_acquire);
-
- if(handle)
- return true;
-
- LOGD("Loading library " << fLibraryName);
-
- handle = dlopen(fLibraryName.c_str(), RTLD_LAZY | RTLD_LOCAL);
-
- if(!handle) {
- LOGE("Unable to load library " << fLibraryName << ": " << dlerror());
- return false;
- }
-
- LOGD("Library loaded " << fLibraryName);
-
- void * expectedValue = nullptr;
-
- if(!fLibraryHandle.compare_exchange_strong(expectedValue, handle, std::memory_order_release)) {
- // Someone else have opened the library
- dlclose(handle);
- }
-
- return true;
-}
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2017 - 2019 Samsung Electronics All Rights Reserved.
- *
- * Author: Jaroslaw Pelczar <j.pelczar@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#ifndef SORESOLVER_H_
-#define SORESOLVER_H_
-
-#include <boost/noncopyable.hpp>
-#include <string>
-#include <atomic>
-#include <stdexcept>
-#include <map>
-#include <mutex>
-
-class so_resolver : public boost::noncopyable {
-public:
- so_resolver(const std::string& libraryName);
- ~so_resolver();
-
- bool ensure_loaded() noexcept;
- void * resolve_function(const int * key_ptr, const char * name) noexcept;
-
- template<typename ReturnValue, typename... Args> ReturnValue invoke(const int * __key_ptr, const char * name, Args... args) {
- typedef ReturnValue (* function_t)(Args...);
- function_t func = (function_t)resolve_function(__key_ptr, name);
- if(!func) {
- throw std::runtime_error("Trying to call unresolved function");
- }
- return func(args...);
- }
-
-private:
- std::string fLibraryName;
- std::atomic<void *> fLibraryHandle;
- std::mutex fCacheLock;
- std::map<const int *, void *> fCache;
-};
-
-#endif /* SORESOLVER_H_ */
+++ /dev/null
-# Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# @file src/kse-backend/CMakeLists.txt
-# @author Pawel Kowalski <p.kowalski2@partner.samsung.com>
-#
-
-FIND_PACKAGE(PkgConfig REQUIRED)
-
-PKG_CHECK_MODULES(TOOL_DEPS REQUIRED dlog)
-INCLUDE_DIRECTORIES(SYSTEM ${TOOL_DEPS_INCLUDE_DIRS})
-LINK_DIRECTORIES(${TOOL_DEPS_LIBRARY_DIRS})
-
-INCLUDE_DIRECTORIES(../ ../../shared)
-
-SET(TARGET_TOOL "dcm_konaise_tool")
-ADD_EXECUTABLE(${TARGET_TOOL}
- konaise_tool.cpp
- ../soresolver.cpp
- ../../shared/log.cpp)
-
-TARGET_LINK_LIBRARIES(${TARGET_TOOL} ${TOOL_DEPS_LIBRARIES} dl)
-
-INSTALL(TARGETS ${TARGET_TOOL}
- RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
+++ /dev/null
-/******************************************************************
- *
- * Copyright 2019-2020 Samsung Electronics All Rights Reserved.
- *
- * Author: Dongsun Lee <ds73.lee@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- ******************************************************************/
-
-#include <iostream>
-#include <fstream>
-#include <vector>
-#include "soresolver.h"
-#include "konaise.h"
-
-#define KSE_LIB_NAME "libkonaise.so"
-
-static int kse_cert_get = 0x00;
-static int kse_cert_add = 0x01;
-static int kse_key_get = 0x10;
-static int kse_key_add = 0x11;
-static int kse_key_del = 0x12;
-static int kse_ec_sign = 0x21;
-static int kse_ec_verify= 0x22;
-
-
-class SEKonai {
-public:
- SEKonai(const std::string& libraryName) :
- fSoResolver(libraryName)
- {
- loaded = fSoResolver.ensure_loaded();
- }
-
- ~SEKonai(){
- }
-
- bool is_loaded() {
- return loaded;
- }
-
- void get_cert(int idx, const std::string& fileName){
- hal_data cert = {NULL, 0, NULL};
-
- const char *method_name = "hal_get_certificate";
- int error = fSoResolver.invoke<int, unsigned int, hal_data *>(&kse_cert_get,
- method_name, idx, &cert);
- if(error == 0) {
- write_file(fileName, cert);
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- }
-
- void get_key(hal_key_type key_type, int idx, const std::string& fileName) {
- hal_data data = {NULL, 0, NULL};
- const char *method_name = "hal_get_key";
- int error = fSoResolver.invoke<int, hal_key_type, unsigned int, hal_data *>(&kse_key_get,
- method_name, key_type, idx, &data);
- if(error == 0) {
- write_file(fileName, data);
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- }
-
- void add_cert(const std::string& fileName, int idx) {
- hal_data *data = read_file(fileName);
- const char *method_name = "hal_set_certificate";
- int error = fSoResolver.invoke<int, unsigned int, hal_data *>(&kse_cert_add,
- method_name, idx, data);
- if(error == 0) {
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- free_hal_data(data);
- }
-
- void add_key(const std::string& fileName, hal_key_type key_type, int idx,
- const std::string& privFileName) {
- hal_data *key = read_file(fileName);
- hal_data *priKey = {0};
- if(privFileName.size() != 0)
- priKey = read_file(privFileName);
- const char *method_name = "hal_set_key";
- int error = fSoResolver.invoke<int, hal_key_type, unsigned int, hal_data *, hal_data *>(
- &kse_key_add, method_name, key_type, idx, key, priKey);
- if(error == 0) {
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- free_hal_data(key);
- free_hal_data(priKey);
- }
-
- void del_cert(int idx) {
- const char *method_name = "hal_remove_certificate";
- int error = fSoResolver.invoke<int, unsigned int>(&kse_key_del, method_name, idx);
- if(error == 0) {
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- }
-
- void del_key(hal_key_type key_type, int idx) {
- const char *method_name = "hal_remove_key";
- int error = fSoResolver.invoke<int, hal_key_type, unsigned int>(&kse_key_del, method_name,
- key_type, idx);
- if(error == 0) {
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- }
-
- void ec_sec_p256r1_sign(std::string hash_file, int key_idx, std::string sig_file) {
- hal_data *hashed_data = read_file(hash_file);
- hal_data signed_data = {NULL, 0, NULL};
- const char *method_name = "hal_ecdsa_sign_md";
- hal_ecdsa_mode mode = {HAL_ECDSA_SEC_P256R1, HAL_HASH_SHA256};
- int error = fSoResolver.invoke<int, hal_data *,
- unsigned int, hal_ecdsa_mode *, hal_data *>(
- &kse_ec_sign, method_name,
- hashed_data, key_idx, &mode, &signed_data);
- if(error == 0) {
- write_file(sig_file, signed_data);
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- free_hal_data(hashed_data);
- free(signed_data.data);
- }
-
- void ec_sec_p256r1_verify(std::string hash_file, int key_idx, std::string sig_file) {
- // ec_sign hash_file key_index key_type sigfile(out)
- hal_data *hashed_data = read_file(hash_file);
- hal_data *signed_data = read_file(sig_file);
-
- const char *method_name = "hal_ecdsa_verify_md";
- hal_ecdsa_mode mode = {HAL_ECDSA_SEC_P256R1, HAL_HASH_SHA256};
-
- int error = fSoResolver.invoke<int, hal_ecdsa_mode, hal_data *, hal_data *,
- unsigned int>(
- &kse_ec_verify, method_name,
- mode, hashed_data, signed_data, key_idx);
- if(error == 0) {
- std::cout << "SUCCEEDED in " << method_name << "." << std::endl;
- } else {
- std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl;
- }
- free_hal_data(hashed_data);
- free_hal_data(signed_data);
- }
-
- hal_key_type get_key_type(const std::string& keyType) {
- if(keyType.compare("HAL_KEY_AES_128") == 0) return HAL_KEY_AES_128;
- if(keyType.compare("HAL_KEY_AES_192") == 0) return HAL_KEY_AES_192;
- if(keyType.compare("HAL_KEY_AES_256") == 0) return HAL_KEY_AES_256;
- if(keyType.compare("HAL_KEY_RSA_1024") == 0) return HAL_KEY_RSA_1024;
- if(keyType.compare("HAL_KEY_RSA_2048") == 0) return HAL_KEY_RSA_2048;
- if(keyType.compare("HAL_KEY_RSA_3072") == 0) return HAL_KEY_RSA_3072;
- if(keyType.compare("HAL_KEY_RSA_4096") == 0) return HAL_KEY_RSA_4096;
- if(keyType.compare("HAL_KEY_ECC_BRAINPOOL_P256R1") == 0) return HAL_KEY_ECC_BRAINPOOL_P256R1;
- if(keyType.compare("HAL_KEY_ECC_BRAINPOOL_P384R1") == 0) return HAL_KEY_ECC_BRAINPOOL_P384R1;
- if(keyType.compare("HAL_KEY_ECC_BRAINPOOL_P512R1") == 0) return HAL_KEY_ECC_BRAINPOOL_P512R1;
- if(keyType.compare("HAL_KEY_ECC_SEC_P256R1") == 0) return HAL_KEY_ECC_SEC_P256R1;
- if(keyType.compare("HAL_KEY_ECC_SEC_P384R1") == 0) return HAL_KEY_ECC_SEC_P384R1;
- if(keyType.compare("HAL_KEY_ECC_SEC_P512R1") == 0) return HAL_KEY_ECC_SEC_P512R1;
- if(keyType.compare("HAL_KEY_HMAC_MD5") == 0) return HAL_KEY_HMAC_MD5;
- if(keyType.compare("HAL_KEY_HMAC_SHA1") == 0) return HAL_KEY_HMAC_SHA1;
- if(keyType.compare("HAL_KEY_HMAC_SHA224") == 0) return HAL_KEY_HMAC_SHA224;
- if(keyType.compare("HAL_KEY_HMAC_SHA256") == 0) return HAL_KEY_HMAC_SHA256;
- if(keyType.compare("HAL_KEY_HMAC_SHA384") == 0) return HAL_KEY_HMAC_SHA384;
- if(keyType.compare("HAL_KEY_HMAC_SHA512") == 0) return HAL_KEY_HMAC_SHA512;
- if(keyType.compare("HAL_KEY_DH_1024") == 0) return HAL_KEY_DH_1024;
- if(keyType.compare("HAL_KEY_DH_2048") == 0) return HAL_KEY_DH_2048;
- return HAL_KEY_UNKNOWN;
- }
-
- std::string get_key_type_str(hal_key_type keyType) {
- switch(keyType) {
- case HAL_KEY_AES_128: return std::string("HAL_KEY_AES_128");
- case HAL_KEY_AES_192: return std::string("HAL_KEY_AES_192");
- case HAL_KEY_AES_256: return std::string("HAL_KEY_AES_256");
- case HAL_KEY_RSA_1024: return std::string("HAL_KEY_RSA_1024");
- case HAL_KEY_RSA_2048: return std::string("HAL_KEY_RSA_2048");
- case HAL_KEY_RSA_3072: return std::string("HAL_KEY_RSA_3072");
- case HAL_KEY_RSA_4096: return std::string("HAL_KEY_RSA_4096");
- case HAL_KEY_ECC_BRAINPOOL_P256R1: return std::string("HAL_KEY_ECC_BRAINPOOL_P256R1");
- case HAL_KEY_ECC_BRAINPOOL_P384R1: return std::string("HAL_KEY_ECC_BRAINPOOL_P384R1");
- case HAL_KEY_ECC_BRAINPOOL_P512R1: return std::string("HAL_KEY_ECC_BRAINPOOL_P512R1");
- case HAL_KEY_ECC_SEC_P256R1: return std::string("HAL_KEY_ECC_SEC_P256R1");
- case HAL_KEY_ECC_SEC_P384R1: return std::string("HAL_KEY_ECC_SEC_P384R1");
- case HAL_KEY_ECC_SEC_P512R1: return std::string("HAL_KEY_ECC_SEC_P512R1");
- case HAL_KEY_HMAC_MD5: return std::string("HAL_KEY_HMAC_MD5");
- case HAL_KEY_HMAC_SHA1: return std::string("HAL_KEY_HMAC_SHA1");
- case HAL_KEY_HMAC_SHA224: return std::string("HAL_KEY_HMAC_SHA224");
- case HAL_KEY_HMAC_SHA256: return std::string("HAL_KEY_HMAC_SHA256");
- case HAL_KEY_HMAC_SHA384: return std::string("HAL_KEY_HMAC_SHA384");
- case HAL_KEY_HMAC_SHA512: return std::string("HAL_KEY_HMAC_SHA512");
- case HAL_KEY_DH_1024: return std::string("HAL_KEY_DH_1024");
- case HAL_KEY_DH_2048: return std::string("HAL_KEY_DH_2048");
- default: return std::string("HAL_KEY_UNKNOWN");
- }
- }
-
-private:
- so_resolver fSoResolver;
- bool loaded;
-
- void free_hal_data(hal_data *data) {
- if(data == NULL)
- return;
- if(data->data != NULL)
- free(data->data);
- free(data);
- }
-
- void write_file(const std::string& fileName, hal_data in) {
- std::fstream outfile;
- outfile = std::fstream(fileName, std::ios::out | std::ios::binary);
- outfile.write((char*)in.data, in.data_len);
- outfile.close();
- }
-
- hal_data* read_file(const std::string& fileName) {
- if(fileName.size() == 0)
- return NULL;
- std::ifstream input(fileName, std::ios::binary);
- std::vector<unsigned char> buffer(std::istreambuf_iterator<char>(input), {});
- unsigned char* data = (unsigned char*) malloc(buffer.size());
- for(unsigned int i = 0; i < buffer.size(); i++)
- data[i] = buffer[i];
- hal_data *ret = (hal_data *) malloc(sizeof(hal_data));
- ret->data = data;
- ret->data_len = buffer.size();
- ret->priv = NULL;
- return ret;
- }
-};
-
-void print_usage(char *prog_name) {
- std::cout << prog_name << " command opt1 opt2 . . . " << std::endl;
- std::cout << " example: " << prog_name << " get_cert index outfile" << std::endl;
- std::cout << " example: " << prog_name << " add_cert infile index" << std::endl;
- std::cout << " example: " << prog_name << " del_cert index" << std::endl;
- std::cout << " example: " << prog_name << " get_key key_type index outfile" << std::endl;
- std::cout << " example: " << prog_name << " add_key infile key_type index in_privfile"<<std::endl;
- std::cout << " example: " << prog_name << " del_key key_type index" << std::endl;
- std::cout << " example: " << prog_name << " ec_sec_p256r1_sign hash_file key_idx sigfile(out)" << std::endl;
- std::cout << " example: " << prog_name << " ec_sec_p256r1_verify hash_file key_idx sigfile(in)" << std::endl;
-}
-
-int main(int argc, char ** argv)
-{
- try {
- if(argc < 2) {
- print_usage(argv[0]);
- return -1;
- }
-
- SEKonai se(KSE_LIB_NAME);
- if(!se.is_loaded()) {
- std::cout << "LIBRARY WAS NOT LOADED!!" << std::endl;
- return -1;
- }
- std::string cmd(argv[1]);
-
- if((cmd.compare("get_cert") == 0) && argc > 3) {
- se.get_cert(std::stoi(argv[2]), std::string(argv[3]));
- }else if((cmd.compare("add_cert") == 0) && argc > 3) {
- se.add_cert(std::string(argv[2]), std::stoi(argv[3]));
- }else if((cmd.compare("del_cert") == 0) && argc > 2) {
- se.del_cert(std::stoi(argv[2]));
- }else if((cmd.compare("get_key") == 0) && argc > 4) {
- se.get_key(se.get_key_type(std::string(argv[2])),
- std::stoi(argv[3]), std::string(argv[4]));
- }else if((cmd.compare("add_key") == 0) && argc >= 5) {
- char * priv_file = nullptr;
- if(argc > 5)
- priv_file = argv[5];
- se.add_key(std::string(argv[2]), se.get_key_type(std::string(argv[3])),
- std::stoi(argv[4]), priv_file ? std::string(priv_file) : std::string());
- }else if((cmd.compare("del_key") == 0) && argc > 3) {
- se.del_key(se.get_key_type(std::string(argv[2])), std::stoi(argv[3]));
- }else if((cmd.compare("ec_sec_p256r1_sign") == 0) && argc > 4) {
- se.ec_sec_p256r1_sign(std::string(argv[2]), std::stoi(argv[3]),
- std::string(argv[4]));
- }else if((cmd.compare("ec_sec_p256r1_verify") == 0) && argc > 4) {
- se.ec_sec_p256r1_verify(std::string(argv[2]), std::stoi(argv[3]),
- std::string(argv[4]));
- }else {
- print_usage(argv[0]);
- return -1;
- }
- } catch (...) {
- std::cout << "EXCEPTION OCCURRED!!" << std::endl;
- return -1;
- }
- return 0;
-}
projects / platform / core / security / device-certificate-manager-backend.git / commitdiff