Save RSA and ECDSA keys in TZ if only private key is unexportable.
Save DSA key pair in TZ if only both keys are unexportable.
Change-Id: I2cfd6a22386e265a1bb65b3d3e0dfe052f5b0aaa
}
/*
- * operation encrypted type extractable backend
- * ----------------------------------------------
- * import FALSE binary * TZ/SW
- * skey FALSE TZ/SW
- * skey TRUE SW
- * akey FALSE TZ/SW
- * akey TRUE SW
- * cert * SW
- * ----------------------------------------------
- * import TRUE binary * TZ
- * skey FALSE TZ
- * skey TRUE NONE
- * akey FALSE TZ
- * akey TRUE NONE
- * cert * NONE
- * ----------------------------------------------
- * generate N/A binary * TZ/SW
- * skey FALSE TZ/SW
- * skey TRUE SW
- * akey FALSE TZ/SW
- * akey TRUE SW
- * cert * NONE
+ * operation encrypted type extractable backend
+ * ----------------------------------------------------------
+ * import FALSE binary * TZ/SW
+ * skey FALSE TZ/SW
+ * skey TRUE SW
+ * akey FALSE TZ/SW
+ * akey TRUE SW
+ * cert * SW
+ * ----------------------------------------------------------
+ * import TRUE binary * TZ
+ * skey FALSE TZ
+ * skey TRUE NONE
+ * akey FALSE TZ
+ * akey TRUE NONE
+ * cert * NONE
+ * ----------------------------------------------------------
+ * generate N/A binary * TZ/SW
+ * skey FALSE TZ/SW
+ * skey TRUE SW
+ * akey(DSA) FALSE(PRV|PUB) TZ/SW
+ * akey(DSA) TRUE(PRV|PUB) SW
+ * akey(RSA,ECDSA) FALSE(PRV) TZ/SW
+ * akey(RSA,ECDSA) TRUE(PRV) SW
+ * cert * NONE
*/
std::deque<CryptoBackend> Decider::getCompatibleBackends(DataType data,
const Policy &policy,
ThrowErr(Exc::Crypto::InternalError, "Failed to connect to a compatible backend.");
}
+GStore &Decider::getStore(DataType data,
+ const Policy &policyPrivate,
+ const Policy &policyPublic,
+ bool import,
+ bool encrypted)
+{
+ Policy resultPolicy = policyPrivate;
+
+ if (data == DataType::Type::KEY_DSA_PUBLIC ||
+ data == DataType::Type::KEY_DSA_PRIVATE)
+ {
+ resultPolicy.extractable |= policyPublic.extractable;
+ }
+
+ return getStore(data, resultPolicy, import, encrypted);
+}
+
bool Decider::checkStore(CryptoBackend requestedBackend,
DataType data,
const Policy &policy,
const Policy &policy,
bool import = true,
bool encrypted = false);
+ GStore &getStore(DataType data,
+ const Policy &policyPrivate,
+ const Policy &policyPublic,
+ bool import = true,
+ bool encrypted = false);
bool checkStore(CryptoBackend id,
DataType data,
const Policy &policy,
#include <algorithm>
#include <sw-backend/store.h>
#include <generic-backend/exception.h>
+#include <generic-backend/algo-validation.h>
#include <ss-migrate.h>
+#include <unordered_map>
namespace {
const char *const CERT_SYSTEM_DIR = CA_CERTS_DIR;
if (policyPrv.backend != policyPub.backend)
ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
- bool exportable = policyPrv.extractable || policyPub.extractable;
- Policy lessRestricted(Password(), exportable, policyPrv.backend);
+ const std::unordered_map<AlgoType, DataType::Type> algoTypeToDataTypeConverter = {
+ { AlgoType::RSA_GEN, DataType::Type::KEY_RSA_PRIVATE },
+ { AlgoType::DSA_GEN, DataType::Type::KEY_DSA_PRIVATE },
+ { AlgoType::ECDSA_GEN, DataType::Type::KEY_ECDSA_PRIVATE }
+ };
+
+ const auto dataTypeIt = algoTypeToDataTypeConverter.find(
+ CKM::Crypto::unpack<AlgoType>(keyGenParams, ParamName::ALGO_TYPE));
+
+ if (dataTypeIt == algoTypeToDataTypeConverter.cend())
+ {
+ ThrowErr(Exc::InputParam, "Error, key pair must be RSA or DSA or ECDSA.");
+ }
- // For now any asymmetric key will do. If necessary we can extract it from keyGenParams.
- TokenPair keys = m_decider.getStore(DataType::DB_KEY_FIRST, policyPrv, false).generateAKey(
- keyGenParams,
- policyPrv.password,
- policyPub.password,
- digestPrv, digestPub);
+ TokenPair keys = m_decider.getStore(
+ dataTypeIt->second, policyPrv, policyPub, false).generateAKey(
+ keyGenParams,
+ policyPrv.password,
+ policyPub.password,
+ digestPrv, digestPub);
dbOpPrv.finalize(std::move(keys.first), policyPrv);
dbOpPub.finalize(std::move(keys.second), policyPub);