From: Sungbae Yoo Date: Mon, 7 Nov 2016 09:14:02 +0000 (+0900) Subject: Add key-manager to manage device key and password X-Git-Tag: submit/tizen/20170213.020148~47 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e5e420157aaca68897300554b533ecdf6b852066;p=platform%2Fcore%2Fsecurity%2Fode.git Add key-manager to manage device key and password Signed-off-by: Sungbae Yoo Change-Id: I75c5a6c9722c183db36fde2936b71351dad331cf --- diff --git a/server/CMakeLists.txt b/server/CMakeLists.txt index 1560574..6a6f5c3 100644 --- a/server/CMakeLists.txt +++ b/server/CMakeLists.txt @@ -21,7 +21,8 @@ SET(SERVER_SRCS main.cpp engine/ext4-engine.cpp engine/dmcrypt-engine.cpp engine/ecryptfs-engine.cpp - key-manager/keystore.cpp + key-manager/key-store.cpp + key-manager/key-manager.cpp key-manager/key-generator.cpp ) diff --git a/server/external-encryption.cpp b/server/external-encryption.cpp index e538119..a9e3800 100644 --- a/server/external-encryption.cpp +++ b/server/external-encryption.cpp @@ -17,8 +17,7 @@ #include #include "engine/ecryptfs-engine.h" -#include "key-manager/keystore.h" -#include "key-manager/key-generator.h" +#include "key-manager/key-manager.h" #include "rmi/external-encryption.h" diff --git a/server/internal-encryption.cpp b/server/internal-encryption.cpp index a4956e3..6978dfc 100644 --- a/server/internal-encryption.cpp +++ b/server/internal-encryption.cpp @@ -17,8 +17,7 @@ #include #include "engine/dmcrypt-engine.h" -#include "key-manager/keystore.h" -#include "key-manager/key-generator.h" +#include "key-manager/key-manager.h" #include "rmi/internal-encryption.h" diff --git a/server/key-manager/key-generator.cpp b/server/key-manager/key-generator.cpp index ccb5934..aad4128 100644 --- a/server/key-manager/key-generator.cpp +++ b/server/key-manager/key-generator.cpp @@ -22,7 +22,8 @@ namespace ode { -KeyGenerator::KeyGenerator() +KeyGenerator::KeyGenerator(int size) : + keySize(size) { } 
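Review bot: The new `KeyGenerator(int size)` constructor stores `size` in `keySize` without any range check, and its only visible caller in this commit passes `store.getKeySize()`, which returns `size_t`, so the length is narrowed to a signed `int` on the way in. Taking `size_t` and rejecting a zero length up front would keep a bad size from reaching the derivation and random-number code, whose use of `keySize` is not shown here. In key-generator.h the matching declaration would become `explicit KeyGenerator(size_t size);` with the member declared as `size_t keySize;`.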
diff --git a/server/key-manager/key-generator.h b/server/key-manager/key-generator.h index 5a1a4b6..b5b0d1a 100644 --- a/server/key-manager/key-generator.h +++ b/server/key-manager/key-generator.h @@ -23,7 +23,7 @@ namespace ode { class KeyGenerator final { public: - KeyGenerator(); + KeyGenerator(int size); KeyGenerator(const KeyGenerator&) = delete; KeyGenerator(KeyGenerator&&) = delete; ~KeyGenerator(); @@ -37,6 +37,9 @@ public: const data AES(const data& in1, const data& in2); const data HMAC(const data& original, const data& key); const data RNG(); + +private: + int keySize; }; } // namespace ode diff --git a/server/key-manager/key-manager.cpp b/server/key-manager/key-manager.cpp new file mode 100644 index 0000000..6333c4a --- /dev/null +++ b/server/key-manager/key-manager.cpp 
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include "key-manager.h"
+
+namespace ode {
+
+KeyManager::KeyManager(const std::string& storeName) :
+ store(storeName), keyGen(store.getKeySize())
+{
+}
+
+KeyManager::~KeyManager()
+{
+}
+
+bool KeyManager::isInitialized()
+{
+ return store.isInitialized();
+}
+
+void KeyManager::initPassword(const KeyManager::data& password)
+{
+ data salt, edk, emk;
+ data mk, dek;
+
+ salt = keyGen.RNG();
+ mk = keyGen.PBKDF(password, salt);
+ dek = keyGen.RNG();
+
+ edk = keyGen.AES(dek, mk);
+ emk = keyGen.HMAC(mk, edk);
+
+ store.setSalt(salt);
+ store.setEDK(edk);
+ store.setEMK(emk);
+}
+
+void KeyManager::changePassword(const KeyManager::data& old_password,
+ const KeyManager::data& new_password)
+{
+ data salt, edk, emk;
+ data mk, dek;
+
+ salt = store.getSalt();
+ edk = store.getEDK();
+
+ mk = keyGen.PBKDF(old_password, salt);
+ dek = keyGen.AES(edk, mk);
+
+ salt = keyGen.RNG();
+ mk = keyGen.PBKDF(new_password, salt);
+ edk = keyGen.AES(dek, mk);
+ emk = keyGen.HMAC(mk, edk);
+
+ store.setSalt(salt);
+ store.setEDK(edk);
+ store.setEMK(emk);
+}
+
+bool KeyManager::verifyPassword(const KeyManager::data& password)
+{
+ data salt, edk, emk;
+ data mk;
+
+ salt = store.getSalt();
+ edk = store.getEDK();
+ emk = store.getEMK();
+
+ mk = keyGen.PBKDF(password, salt);
+
+ if (emk == keyGen.HMAC(mk, edk)) {
+ return true;
+ } else {
+ return false;
+ }
+}
+
+KeyManager::data KeyManager::getDEK(const KeyManager::data& password)
+{
+ data salt, edk;
+ data mk;
+
+ salt = store.getSalt();
+ edk = store.getEDK();
+
+ mk = keyGen.PBKDF(password, salt);
+
+ return keyGen.AES(edk, mk);
+}
+
+} // namespace ode
diff --git a/server/key-manager/key-manager.h b/server/key-manager/key-manager.h
new file mode 100644
index 0000000..299de31
--- /dev/null
+++ b/server/key-manager/key-manager.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __KEY_MANAGER_H__
+#define __KEY_MANAGER_H__
+
+#include "key-store.h"
+#include "key-generator.h"
+
+namespace ode {
+
+class KeyManager final {
+public:
+ KeyManager(const std::string& storeName);
+ KeyManager(const KeyManager&) = delete;
+ KeyManager(KeyManager&&) = delete;
+ ~KeyManager();
+
+ KeyManager& operator=(const KeyManager&) = delete;
+ KeyManager& operator=(KeyManager&&) = delete;
+
+ typedef std::vector data;
+
+ bool isInitialized();
+
+ void initPassword(const data& password);
+ void changePassword(const data& old_password, const data& new_password);
+ bool verifyPassword(const data& password);
+ data getDEK(const data& password);
+
+private:
+ KeyStore store;
+ KeyGenerator keyGen;
+};
+
+} // namespace ode
+
+#endif // __KEY_MANAGER_H__
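Review bot: `changePassword()` in key-manager.cpp never checks `old_password` before re-wrapping: it unwraps `edk` with whatever key `PBKDF(old_password, salt)` yields and stores the result under the new password, so a wrong old password silently replaces the stored EDK with a wrapping of garbage and the real DEK is lost (unless `AES()` is authenticated, which this page does not show). Compare the stored MAC first, e.g. `if (store.getEMK() != keyGen.HMAC(mk, edk)) throw std::runtime_error("wrong password");` right after the first `PBKDF` call, using whichever exception type the project prefers. `getDEK()` has the same gap and hands back an unverified key. Two smaller points: `verifyPassword()` compares MACs with `std::vector`'s `operator==`, which can stop at the first differing byte, so a constant-time comparison is the safer choice, and the `mk`/`dek` locals are destroyed without being wiped.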
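Review bot: The key-manager.h header documents none of the password API's contracts, and `getDEK()` in particular returns the raw data-encryption key by value with no statement of what happens on a wrong password or who wipes the copy. A comment above it such as `// Returns the unwrapped DEK; does not verify the password. Caller must wipe the buffer after use.` would make that explicit. The single-argument constructor would also be better declared `explicit KeyManager(const std::string& storeName);`.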
diff --git a/server/key-manager/key-store.cpp b/server/key-manager/key-store.cpp
new file mode 100644
index 0000000..98b9d52
--- /dev/null
+++ b/server/key-manager/key-store.cpp
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include
+#include
+
+#include "key-store.h"
+
+#define FOOTER_FILE_PATH "/opt/etc/.ode_footer"
+#define KEY_SIZE (256 / 8)
+
+namespace ode {
+
+KeyStore::KeyStore(const std::string& name) :
+ file(FOOTER_FILE_PATH)
+{
+}
+
+KeyStore::~KeyStore()
+{
+}
+
+size_t KeyStore::getKeySize() const
+{
+ return KEY_SIZE;
+}
+
+bool KeyStore::isInitialized()
+{
+ //TODO
+
+ return false;
+}
+
+KeyStore::data KeyStore::getEDK()
+{
+ data ret;
+
+ //TODO
+
+ return ret;
+}
+
+KeyStore::data KeyStore::getEMK()
+{
+ data ret;
+
+ //TODO
+
+ return ret;
+}
+
+KeyStore::data KeyStore::getSalt()
+{
+ data ret;
+
+ //TODO
+
+ return ret;
+}
+
+void KeyStore::setEDK(const KeyStore::data& key)
+{
+ //TODO
+}
+
+void KeyStore::setEMK(const KeyStore::data& key)
+{
+ //TODO
+}
+
+void KeyStore::setSalt(const KeyStore::data& key)
+{
+ //TODO
+}
+
+} // namespace ode
diff --git a/server/key-manager/key-store.h b/server/key-manager/key-store.h
new file mode 100644
index 0000000..125accd
--- /dev/null
+++ b/server/key-manager/key-store.h
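Review bot: The `KeyStore` constructor ignores its `name` argument and always opens `FOOTER_FILE_PATH`, where the keystore.cpp this commit deletes used `file(name)`; every `KeyManager`, whatever `storeName` it was given, would therefore share one salt/EDK/EMK record in `/opt/etc/.ode_footer`. Both external-encryption.cpp and internal-encryption.cpp now include key-manager.h, so if each creates its own manager (not visible here) changing one password would overwrite the other's wrapped key. Either derive the path from `name` or drop the parameter. While the accessors are still `//TODO` stubs, `getSalt()` and `getEDK()` return empty vectors and the setters discard their input, so `initPassword()` appears to succeed while persisting nothing; failing loudly until the store is implemented would be safer.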
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __KEY_STORE_H__
+#define __KEY_STORE_H__
+
+#include
+#include
+
+#include
+
+namespace ode {
+
+class KeyStore final {
+public:
+ KeyStore(const std::string& name);
+ KeyStore(const KeyStore&) = delete;
+ KeyStore(KeyStore&&) = delete;
+ ~KeyStore();
+
+ KeyStore& operator=(const KeyStore&) = delete;
+ KeyStore& operator=(KeyStore&&) = delete;
+
+ size_t getKeySize() const;
+
+ bool isInitialized();
+
+ typedef std::vector data;
+
+ data getEDK();
+ data getEMK();
+ data getSalt();
+
+ void setEDK(const data& key);
+ void setEMK(const data& key);
+ void setSalt(const data& key);
+
+private:
+ runtime::File file;
+ int index;
+};
+
+} // namespace ode
+
+#endif // __KEY_STORE_H__
diff --git a/server/key-manager/keystore.cpp b/server/key-manager/keystore.cpp
deleted file mode 100644
index 20de6de..0000000
--- a/server/key-manager/keystore.cpp
+++ /dev/null
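Review bot: The new private member `int index;` is never initialised: the constructor in key-store.cpp only initialises `file`, so any later read of `index` would be of an indeterminate value. Give it a default in the class, e.g. `int index = 0;` (the intended starting value is not visible in this commit), or leave the member out until the code that uses it lands. `getKeySize()` is already `const`; `isInitialized()` and the three getters look like candidates for `const` as well once they are implemented.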
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-#include
-#include
-
-#include "keystore.h"
-
-namespace ode {
-
-KeyStore::KeyStore(const std::string& name) :
- file(name)
-{
-}
-
-KeyStore::~KeyStore()
-{
-}
-
-KeyStore::data KeyStore::getEncryptedDeviceKey()
-{
- data ret;
-
- //TODO
-
- return ret;
-}
-
-KeyStore::data KeyStore::getEncryptedMasterKey()
-{
- data ret;
-
- //TODO
-
- return ret;
-}
-
-void KeyStore::setEncryptedDeviceKey(const KeyStore::data& key)
-{
- //TODO
-}
-
-void KeyStore::setEncryptedMasterKey(const KeyStore::data& key)
-{
- //TODO
-}
-
-} // namespace ode
diff --git a/server/key-manager/keystore.h b/server/key-manager/keystore.h
deleted file mode 100644
index d6d0e5e..0000000
--- a/server/key-manager/keystore.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-#ifndef __KEY_STORAGE_H__
-#define __KEY_STORAGE_H__
-
-#include
-#include
-
-#include
-
-namespace ode {
-
-class KeyStore final {
-public:
- KeyStore(const std::string& name);
- KeyStore(const KeyStore&) = delete;
- KeyStore(KeyStore&&) = delete;
- ~KeyStore();
-
- KeyStore& operator=(const KeyStore&) = delete;
- KeyStore& operator=(KeyStore&&) = delete;
-
- typedef std::vector data;
-
- data getEncryptedDeviceKey();
- data getEncryptedMasterKey();
-
- void setEncryptedDeviceKey(const data& key);
- void setEncryptedMasterKey(const data& key);
-
-private:
- runtime::File file;
-};
-
-} // namespace ode
-
-#endif // __KEY_STORAGE_H__