From 127f0a0e5983dbf2642e0badcb1a3aab3e450079 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Wed, 28 Jun 2023 10:21:21 +0200 Subject: [PATCH] Implement public key extraction in TZ backend Public keys are not secrets and there are scenarios like ECDH when they have to be extracted in raw form. Exportability logic still applies. * Separate the object id and the raw data in TZ backend objects. * Rename function arguments to make their meaning more adequate. * Use object id when making operations using given key or binary data. * Return raw data only to CKMLogic via getBinary() method. * Make getBinary() return an empty buffer for private and symmetric keys. * Move m_type to AKey where it's used. Change-Id: Idf6db51387d98f6560f0da18e2fc1d9bbc3abc4f --- src/manager/crypto/tz-backend/internals.cpp | 68 +++++++++++++------------- src/manager/crypto/tz-backend/internals.h | 28 +++++------ src/manager/crypto/tz-backend/obj.cpp | 22 ++++----- src/manager/crypto/tz-backend/obj.h | 73 +++++++++++++++++----------- src/manager/crypto/tz-backend/store.cpp | 18 ++++--- src/manager/crypto/tz-backend/tz-context.cpp | 12 ++--- src/manager/crypto/tz-backend/tz-context.h | 6 +-- 7 files changed, 123 insertions(+), 104 deletions(-) diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp index aca0124..2cbdf23 100644 --- a/src/manager/crypto/tz-backend/internals.cpp +++ b/src/manager/crypto/tz-backend/internals.cpp @@ -337,9 +337,9 @@ AlgoType generateAKey(const CryptoAlgorithm &alg, return keyType; } -void destroyKey(const RawBuffer &key) +void destroyKey(const RawBuffer &keyId) { - TrustZoneContext::Instance().executeDestroy(key); + TrustZoneContext::Instance().executeDestroy(keyId); } void importData(const Data &data, @@ -364,7 +364,7 @@ void importData(const Data &data, hash); } -void importWrappedKey(const RawBuffer &wrappingKey, +void importWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, const CryptoAlgorithm &alg, const Data &encryptedKey, @@ -382,7 +382,7 @@ void importWrappedKey(const RawBuffer &wrappingKey, decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad); // TODO it is awful! - TrustZoneContext::Instance().importWrappedKey(wrappingKey, + TrustZoneContext::Instance().importWrappedKey(wrappingKeyId, wrappingKeyPwd, getAlgType(algo), iv, @@ -396,7 +396,7 @@ void importWrappedKey(const RawBuffer &wrappingKey, encryptedKeyId); } -RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, +RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, const CryptoAlgorithm &alg, const RawBuffer &keyToWrapId, @@ -409,7 +409,7 @@ RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad); // TODO it is awful! - return TrustZoneContext::Instance().exportWrappedKey(wrappingKey, + return TrustZoneContext::Instance().exportWrappedKey(wrappingKeyId, wrappingKeyPwd, getAlgType(algo), iv, @@ -434,7 +434,7 @@ void destroyData(const RawBuffer &dataId) TrustZoneContext::Instance().destroyData(dataId); } -BufferPair encryptDataAesGcm(const RawBuffer &key, +BufferPair encryptDataAesGcm(const RawBuffer &keyId, const Pwd &pwd, const RawBuffer &iv, int tagSize, @@ -444,26 +444,26 @@ BufferPair encryptDataAesGcm(const RawBuffer &key, RawBuffer result; RawBuffer tag; - TrustZoneContext::Instance().executeEncryptAE(key, pwd, iv, tagSize, + TrustZoneContext::Instance().executeEncryptAE(keyId, pwd, iv, tagSize, aad, data, result, tag); return std::make_pair(result, tag); } -RawBuffer encryptDataAesGcmPacked(const RawBuffer &key, +RawBuffer encryptDataAesGcmPacked(const RawBuffer &keyId, const Pwd &pwd, const RawBuffer &iv, int tagSize, const RawBuffer &data, const RawBuffer &aad) { - auto pair = encryptDataAesGcm(key, pwd, iv, tagSize, data, aad); + auto pair = encryptDataAesGcm(keyId, pwd, iv, tagSize, data, aad); std::copy(pair.second.begin(), pair.second.end(), std::back_inserter(pair.first)); return pair.first; } -RawBuffer decryptDataAesGcm(const RawBuffer &key, +RawBuffer decryptDataAesGcm(const RawBuffer &keyId, const Pwd &pwd, const RawBuffer &iv, int tagSizeBits, @@ -473,13 +473,13 @@ RawBuffer decryptDataAesGcm(const RawBuffer &key, { RawBuffer result; - TrustZoneContext::Instance().executeDecryptAE(key, pwd, iv, tagSizeBits, + TrustZoneContext::Instance().executeDecryptAE(keyId, pwd, iv, tagSizeBits, tag, aad, data, result); return result; } -RawBuffer decryptDataAesGcmPacked(const RawBuffer &key, +RawBuffer decryptDataAesGcmPacked(const RawBuffer &keyId, const Pwd &pwd, const RawBuffer &iv, int tagSizeBits, @@ -491,7 +491,7 @@ RawBuffer decryptDataAesGcmPacked(const RawBuffer &key, ThrowErr(Exc::Crypto::InputParam, "Wrong size of tag"); auto tagPos = data.data() + data.size() - tagSizeBytes; - return decryptDataAesGcm(key, + return decryptDataAesGcm(keyId, pwd, iv, tagSizeBits, @@ -501,7 +501,7 @@ RawBuffer decryptDataAesGcmPacked(const RawBuffer &key, } -RawBuffer symmetricEncrypt(const RawBuffer &key, +RawBuffer symmetricEncrypt(const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &data) @@ -525,7 +525,7 @@ RawBuffer symmetricEncrypt(const RawBuffer &key, RawBuffer result; TrustZoneContext::Instance().executeCrypt(CMD_ENCRYPT, getAlgType(algo), - key, + keyId, pwd, unpack(alg, ParamName::ED_IV), data, @@ -537,7 +537,7 @@ RawBuffer symmetricEncrypt(const RawBuffer &key, alg.getParam(ParamName::ED_TAG_LEN, tagLenBits); RawBuffer aad; alg.getParam(ParamName::ED_AAD, aad); - return encryptDataAesGcmPacked(key, + return encryptDataAesGcmPacked(keyId, pwd, unpack(alg, ParamName::ED_IV), tagLenBits, @@ -552,7 +552,7 @@ RawBuffer symmetricEncrypt(const RawBuffer &key, "Incorrect algorithm provided for symmetric crypto operation"); } -RawBuffer symmetricDecrypt(const RawBuffer &key, +RawBuffer symmetricDecrypt(const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &data) @@ -576,7 +576,7 @@ RawBuffer symmetricDecrypt(const RawBuffer &key, RawBuffer result; TrustZoneContext::Instance().executeCrypt(CMD_DECRYPT, getAlgType(algo), - key, + keyId, pwd, unpack(alg, ParamName::ED_IV), data, @@ -588,7 +588,7 @@ RawBuffer symmetricDecrypt(const RawBuffer &key, alg.getParam(ParamName::ED_TAG_LEN, tagSizeBits); RawBuffer aad; alg.getParam(ParamName::ED_AAD, aad); - return decryptDataAesGcmPacked(key, + return decryptDataAesGcmPacked(keyId, pwd, unpack(alg, ParamName::ED_IV), tagSizeBits, @@ -603,7 +603,7 @@ RawBuffer symmetricDecrypt(const RawBuffer &key, "Incorrect algorithm provided for symmetric crypto operation"); } -RawBuffer asymmetricEncrypt(const RawBuffer &key, +RawBuffer asymmetricEncrypt(const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &data) @@ -616,7 +616,7 @@ RawBuffer asymmetricEncrypt(const RawBuffer &key, case AlgoType::RSA_OAEP: { TrustZoneContext::Instance().executeCrypt(CMD_ENCRYPT, getAlgType(algo), - key, + keyId, pwd, result, // unused dummy data, @@ -631,7 +631,7 @@ RawBuffer asymmetricEncrypt(const RawBuffer &key, "Incorrect algorithm provided for asymmetric crypto operation"); } -RawBuffer asymmetricDecrypt(const RawBuffer &key, +RawBuffer asymmetricDecrypt(const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &cipher) @@ -644,7 +644,7 @@ RawBuffer asymmetricDecrypt(const RawBuffer &key, case AlgoType::RSA_OAEP: { TrustZoneContext::Instance().executeCrypt(CMD_DECRYPT, getAlgType(algo), - key, + keyId, pwd, result, // unused dummy cipher, @@ -659,7 +659,7 @@ RawBuffer asymmetricDecrypt(const RawBuffer &key, "Incorrect algorithm provided for asymmetric crypto operation"); } -uint32_t initCipher(const RawBuffer &key, +uint32_t initCipher(const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, bool encrypt) @@ -674,7 +674,7 @@ uint32_t initCipher(const RawBuffer &key, RawBuffer aad; alg.getParam(ParamName::ED_AAD, aad); return TrustZoneContext::Instance().initGcmCipher(encrypt ? CIPHER_ENCRYPT : CIPHER_DECRYPT, - key, + keyId, pwd, unpack(alg, ParamName::ED_IV), tagSizeBits, @@ -710,7 +710,7 @@ RawBuffer finalizeCipher(uint32_t opId, return TrustZoneContext::Instance().finalizeGcmCipher(opId, data); } -RawBuffer sign(const RawBuffer &pkey, +RawBuffer sign(const RawBuffer &pkeyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &message) @@ -723,14 +723,14 @@ RawBuffer sign(const RawBuffer &pkey, RawBuffer signature; TrustZoneContext::Instance().executeSign(getAlgType(algo), getHashType(hash), - pkey, + pkeyId, pwd, message, signature); return signature; } -int verify(const RawBuffer &pkey, +int verify(const RawBuffer &pkeyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &message, @@ -743,13 +743,13 @@ int verify(const RawBuffer &pkey, return TrustZoneContext::Instance().executeVerify(getAlgType(algo), getHashType(hash), - pkey, + pkeyId, pwd, message, signature); } -void deriveECDH(const RawBuffer &prvKey, +void deriveECDH(const RawBuffer &prvKeyId, const Pwd &prvKeyPwd, const RawBuffer &pubKey, const Password &secretPwd, @@ -789,7 +789,7 @@ void deriveECDH(const RawBuffer &prvKey, RawBuffer secretPwdBuf(secretPwd.begin(), secretPwd.end()); - TrustZoneContext::Instance().executeEcdh(prvKey, + TrustZoneContext::Instance().executeEcdh(prvKeyId, prvKeyPwd, xBuf, yBuf, @@ -799,7 +799,7 @@ void deriveECDH(const RawBuffer &prvKey, secretHash); } -void deriveKBKDF(const RawBuffer &secret, +void deriveKBKDF(const RawBuffer &secretId, const CryptoAlgorithm &alg, const Password &keyPwd, const RawBuffer &keyPwdIV, @@ -821,7 +821,7 @@ void deriveKBKDF(const RawBuffer &secret, RawBuffer keyPwdBuf(keyPwd.begin(), keyPwd.end()); - TrustZoneContext::Instance().executeKbkdf(secret, + TrustZoneContext::Instance().executeKbkdf(secretId, label, context, fixed, diff --git a/src/manager/crypto/tz-backend/internals.h b/src/manager/crypto/tz-backend/internals.h index cb6b814..bb8e444 100644 --- a/src/manager/crypto/tz-backend/internals.h +++ b/src/manager/crypto/tz-backend/internals.h @@ -62,7 +62,7 @@ void importData(const Data &key, RawBuffer &tag, const RawBuffer &hash); -void importWrappedKey(const RawBuffer &wrappingKey, +void importWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, const CryptoAlgorithm &alg, const Data &encryptedKey, @@ -71,7 +71,7 @@ void importWrappedKey(const RawBuffer &wrappingKey, RawBuffer &encryptedKeyTag, const RawBuffer &encryptedKeyId); -RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, +RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, const CryptoAlgorithm &alg, const RawBuffer &keyToWrapId, @@ -82,47 +82,47 @@ RawBuffer getData(const RawBuffer &dataId, void destroyData(const RawBuffer &dataId); -void destroyKey(const RawBuffer &key); +void destroyKey(const RawBuffer &keyId); RawBuffer symmetricEncrypt( - const RawBuffer &key, + const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &data); RawBuffer symmetricDecrypt( - const RawBuffer &key, + const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &cipher); RawBuffer asymmetricEncrypt( - const RawBuffer &key, + const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &data); RawBuffer asymmetricDecrypt( - const RawBuffer &key, + const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &cipher); -BufferPair encryptDataAesGcm(const RawBuffer &key, +BufferPair encryptDataAesGcm(const RawBuffer &keyId, const Pwd &pwd, const RawBuffer &iv, int tagSize, const RawBuffer &data, const RawBuffer &aad = RawBuffer()); -RawBuffer decryptDataAesGcm(const RawBuffer &key, +RawBuffer decryptDataAesGcm(const RawBuffer &keyId, const Pwd &pwd, const RawBuffer &iv, const RawBuffer &tag, const RawBuffer &data, const RawBuffer &aad = RawBuffer()); -uint32_t initCipher(const RawBuffer &key, +uint32_t initCipher(const RawBuffer &keyId, const Pwd &pwd, const CryptoAlgorithm &alg, bool encrypt); @@ -136,18 +136,18 @@ RawBuffer updateCipher(uint32_t opId, RawBuffer finalizeCipher(uint32_t opId, const RawBuffer &data); -RawBuffer sign(const RawBuffer &pkey, +RawBuffer sign(const RawBuffer &pkeyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &message); -int verify(const RawBuffer &pkey, +int verify(const RawBuffer &pkeyId, const Pwd &pwd, const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &signature); -void deriveECDH(const RawBuffer &prvKey, +void deriveECDH(const RawBuffer &prvKeyId, const Pwd &prvKeyPwd, const RawBuffer &pubKey, const Password &secretPwd, @@ -155,7 +155,7 @@ void deriveECDH(const RawBuffer &prvKey, RawBuffer &secretTag, const RawBuffer &secretHash); -void deriveKBKDF(const RawBuffer &secret, +void deriveKBKDF(const RawBuffer &secretId, const CryptoAlgorithm &alg, const Password &keyPwd, const RawBuffer &keyPwdIV, diff --git a/src/manager/crypto/tz-backend/obj.cpp b/src/manager/crypto/tz-backend/obj.cpp index d743753..fa464f1 100644 --- a/src/manager/crypto/tz-backend/obj.cpp +++ b/src/manager/crypto/tz-backend/obj.cpp @@ -66,7 +66,7 @@ Token BData::derive(const CryptoAlgorithm &alg, const Password &pass, const RawB iv = Internals::generateIV(); } - Internals::deriveKBKDF(getBinary(), alg, pass, iv, tag, hash); + Internals::deriveKBKDF(getId(), alg, pass, iv, tag, hash); return Token(backendId(), DataType(KeyType::KEY_AES), Store::pack(hash, pass, iv, tag)); } @@ -88,7 +88,7 @@ Token Key::unwrap(const CryptoAlgorithm ¶ms, passIV = Internals::generateIV(); } - Internals::importWrappedKey(getBinary(), + Internals::importWrappedKey(getId(), getPassword(), params, encryptedKey, @@ -115,7 +115,7 @@ RawBuffer Key::wrap(const CryptoAlgorithm &alg, keyToWrapIV, keyToWrapTag); - return Internals::exportWrappedKey(getBinary(), + return Internals::exportWrappedKey(getId(), getPassword(), alg, keyToWrapId, @@ -124,29 +124,29 @@ RawBuffer Key::wrap(const CryptoAlgorithm &alg, RawBuffer SKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data) { - return Internals::symmetricEncrypt(getBinary(), getPassword(), alg, data); + return Internals::symmetricEncrypt(getId(), getPassword(), alg, data); } RawBuffer SKey::decrypt(const CryptoAlgorithm &alg, const RawBuffer &cipher) { - return Internals::symmetricDecrypt(getBinary(), getPassword(), alg, cipher); + return Internals::symmetricDecrypt(getId(), getPassword(), alg, cipher); } GCtxShPtr SKey::initContext(const CryptoAlgorithm &alg, bool onward) { - auto opId = Internals::initCipher(getBinary(), getPassword(), alg, onward); + auto opId = Internals::initCipher(getId(), getPassword(), alg, onward); return std::make_shared(opId); } RawBuffer AKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data) { - return Internals::asymmetricEncrypt(getBinary(), getPassword(), alg, data); + return Internals::asymmetricEncrypt(getId(), getPassword(), alg, data); } RawBuffer AKey::decrypt(const CryptoAlgorithm &alg, const RawBuffer &cipher) { - return Internals::asymmetricDecrypt(getBinary(), getPassword(), alg, cipher); + return Internals::asymmetricDecrypt(getId(), getPassword(), alg, cipher); } Token AKey::derive(const CryptoAlgorithm &alg, const Password &pass, const RawBuffer &hash) @@ -167,7 +167,7 @@ Token AKey::derive(const CryptoAlgorithm &alg, const Password &pass, const RawBu iv = Internals::generateIV(); } - Internals::deriveECDH(getBinary(), getPassword(), pubKey, pass, iv, tag, hash); + Internals::deriveECDH(getId(), getPassword(), pubKey, pass, iv, tag, hash); return Token(backendId(), DataType::BINARY_DATA, Store::pack(hash, pass, iv, tag)); } @@ -183,7 +183,7 @@ RawBuffer AKey::sign( { CryptoAlgorithm algWithType(alg); algWithType.setParam(ParamName::ALGO_TYPE, key2algo(m_type)); - return Internals::sign(getBinary(), getPassword(), algWithType, message); + return Internals::sign(getId(), getPassword(), algWithType, message); } int AKey::verify(const CryptoAlgorithm &alg, const RawBuffer &message, @@ -197,7 +197,7 @@ int AKey::verify(const CryptoAlgorithm &alg, const RawBuffer &message, algWithType.setParam(ParamName::ALGO_TYPE, key2algo(m_type)); } - return Internals::verify(getBinary(), getPassword(), algWithType, message, sign); + return Internals::verify(getId(), getPassword(), algWithType, message, sign); } Token Cert::unwrap(const CryptoAlgorithm &, diff --git a/src/manager/crypto/tz-backend/obj.h b/src/manager/crypto/tz-backend/obj.h index dd35a8e..2b0fff3 100644 --- a/src/manager/crypto/tz-backend/obj.h +++ b/src/manager/crypto/tz-backend/obj.h @@ -52,7 +52,6 @@ public: return m_tag; } - private: RawBuffer m_password; RawBuffer m_iv; @@ -61,36 +60,46 @@ private: class BData : public GObj { public: - explicit BData(CryptoBackend backendId, RawBuffer buffer) : - GObj(backendId), m_raw(std::move(buffer)) {} + BData(CryptoBackend backendId, + int scheme, + RawBuffer id, + Pwd pwd, + RawBuffer buffer = RawBuffer()) : + GObj(backendId), + m_scheme(scheme), + m_password(std::move(pwd)), + m_id(std::move(id)), + m_raw(std::move(buffer)) {} RawBuffer getBinary() const override { return m_raw; } + virtual const RawBuffer& getId() const + { + return m_id; + } + virtual int getScheme() const + { + return m_scheme; + } + virtual const Pwd& getPassword() const + { + return m_password; + } Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override; protected: + int m_scheme; + Pwd m_password; + RawBuffer m_id; RawBuffer m_raw; }; class Key : public BData { public: - Key(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) : - BData(backendId, std::move(buffer)), - m_scheme(scheme), - m_password(std::move(pwd)), - m_type(dataType) {} - - virtual int getScheme() const - { - return m_scheme; - } - - virtual Pwd getPassword() const - { - return m_password; - } + Key(CryptoBackend backendId, int scheme, RawBuffer id, Pwd pwd) : + BData(backendId, scheme, std::move(id), std::move(pwd)) {} Token unwrap(const CryptoAlgorithm ¶ms, const Data &encryptedKey, @@ -100,17 +109,12 @@ public: RawBuffer wrap(const CryptoAlgorithm ¶ms, const Token &keyToWrap, const Password &keyToWrapPass) override; - -protected: - int m_scheme; - Pwd m_password; - DataType m_type; }; class SKey : public Key { public: - SKey(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) : - Key(backendId, scheme, std::move(buffer), std::move(pwd), dataType) {} + SKey(CryptoBackend backendId, int scheme, RawBuffer id, Pwd pwd) : + Key(backendId, scheme, std::move(id), std::move(pwd)) {} RawBuffer encrypt(const CryptoAlgorithm &, const RawBuffer &) override; RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override; @@ -119,8 +123,16 @@ public: class AKey : public Key { public: - AKey(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) : - Key(backendId, scheme, std::move(buffer), std::move(pwd), dataType) {} + AKey(CryptoBackend backendId, + int scheme, + RawBuffer id, + Pwd pwd, + DataType dataType, + RawBuffer raw = RawBuffer()) : + Key(backendId, scheme, std::move(id), std::move(pwd)), m_type(dataType) + { + m_raw = std::move(raw); + } RawBuffer sign(const CryptoAlgorithm &alg, const RawBuffer &message) override; int verify(const CryptoAlgorithm &alg, const RawBuffer &message, @@ -129,12 +141,15 @@ public: RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override; Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override; GCtxShPtr initContext(const CryptoAlgorithm &, bool) override; + +protected: + DataType m_type; }; class Cert : public AKey { public: - Cert(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) : - AKey(backendId, scheme, std::move(buffer), std::move(pwd), dataType) {} + Cert(CryptoBackend backendId, int scheme, RawBuffer id, Pwd pwd, DataType dataType) : + AKey(backendId, scheme, std::move(id), std::move(pwd), dataType) {} Token unwrap(const CryptoAlgorithm &, const Data &, diff --git a/src/manager/crypto/tz-backend/store.cpp b/src/manager/crypto/tz-backend/store.cpp index 302fd2a..ff06b77 100644 --- a/src/manager/crypto/tz-backend/store.cpp +++ b/src/manager/crypto/tz-backend/store.cpp @@ -68,19 +68,23 @@ GObjUPtr Store::getObject(const Token &token, const Password &pass) RawBuffer tag; unpack(token.data, pass, scheme, id, iv, tag); - if (token.dataType.isKeyPrivate() || token.dataType.isKeyPublic()) + if (token.dataType.isKeyPrivate()) return make(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType); if (token.dataType.isSymmetricKey()) - return make(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType); + return make(scheme, std::move(id), Pwd(pass, iv, tag)); if (token.dataType.isCertificate() || token.dataType.isChainCert()) return make(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType); - if (token.dataType.isBinaryData()) { - RawBuffer exported_data = Internals::getData(std::move(id), Pwd(pass, iv, tag)); - return make(std::move(exported_data)); - } + auto pwd = Pwd(pass, iv, tag); + RawBuffer raw = Internals::getData(id, pwd); + + if (token.dataType.isKeyPublic()) + return make(scheme, std::move(id), std::move(pwd), token.dataType, std::move(raw)); + + if (token.dataType.isBinaryData()) + return make(scheme, std::move(id), std::move(pwd), std::move(raw)); ThrowErr(Exc::Crypto::DataTypeNotSupported, "This type of data is not supported by trustzone backend: ", token.dataType); @@ -198,7 +202,7 @@ void Store::unpack(const RawBuffer &packed, buffer.Deserialize(data); } - if (scheme & EncryptionScheme::PASSWORD && password.empty()) { + if ((scheme & EncryptionScheme::PASSWORD) && password.empty()) { ThrowErr(Exc::Crypto::AuthenticationFailed, "This token is protected with password and none passed"); } else if (!(scheme & EncryptionScheme::PASSWORD) && !password.empty()) { diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp index cc9a78c..f33897b 100644 --- a/src/manager/crypto/tz-backend/tz-context.cpp +++ b/src/manager/crypto/tz-backend/tz-context.cpp @@ -685,7 +685,7 @@ void TrustZoneContext::importData( LogDebug("Imported object ID is (hex): " << rawToHexString(hash)); } -void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey, +void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, tz_algo_type algo, const RawBuffer &iv, @@ -701,7 +701,7 @@ void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey, // command ID = CMD_IMPORT_WRAPPED_KEY LogDebug("TrustZoneContext::importWrappedKey encryptedKey size = [" << encryptedKey.size() << "]"); - auto sIn = makeSerializer(wrappingKey, + auto sIn = makeSerializer(wrappingKeyId, wrappingKeyPwd, algo, iv, @@ -736,7 +736,7 @@ void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey, LogDebug("Imported object ID is (hex): " << rawToHexString(encryptedKeyId)); } -RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey, +RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, tz_algo_type algo, const RawBuffer &iv, @@ -748,7 +748,7 @@ RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey, // command ID = CMD_EXPORT_WRAPPED_KEY LogDebug("TrustZoneContext::exportWrappedKey"); - auto sIn = makeSerializer(wrappingKey, + auto sIn = makeSerializer(wrappingKeyId, wrappingKeyPwd, algo, iv, @@ -886,7 +886,7 @@ void TrustZoneContext::executeEcdh(const RawBuffer &prvKeyId, LogDebug("Derived object ID is (hex): " << rawToHexString(secretHash)); } -void TrustZoneContext::executeKbkdf(const RawBuffer& secret, +void TrustZoneContext::executeKbkdf(const RawBuffer& secretId, const RawBuffer& label, const RawBuffer& context, const RawBuffer& fixed, @@ -904,7 +904,7 @@ void TrustZoneContext::executeKbkdf(const RawBuffer& secret, // command ID = CMD_DERIVE LogDebug("TrustZoneContext::executeKbkdf"); - auto sIn = makeSerializer(secret, + auto sIn = makeSerializer(secretId, label, context, fixed, diff --git a/src/manager/crypto/tz-backend/tz-context.h b/src/manager/crypto/tz-backend/tz-context.h index da27aa2..7233ef7 100644 --- a/src/manager/crypto/tz-backend/tz-context.h +++ b/src/manager/crypto/tz-backend/tz-context.h @@ -89,7 +89,7 @@ public: RawBuffer &pwdTag, const RawBuffer &hash); - void importWrappedKey(const RawBuffer &wrappingKey, + void importWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, tz_algo_type algo, const RawBuffer &iv, @@ -102,7 +102,7 @@ public: RawBuffer &encryptedKeyTag, const RawBuffer &encryptedKeyHash); - RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, + RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId, const Pwd &wrappingKeyPwd, tz_algo_type algo, const RawBuffer &iv, @@ -182,7 +182,7 @@ public: RawBuffer &secretTag, const RawBuffer &secretHash); - void executeKbkdf(const RawBuffer& secret, + void executeKbkdf(const RawBuffer& secretId, const RawBuffer& label, const RawBuffer& context, const RawBuffer& fixed, -- 2.7.4