From 12b745376eba24d5da65e70bb0fcf681b2cb57a4 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
Date: Thu, 23 Mar 2023 09:21:05 +0100
Subject: [PATCH] Key wrapping implementation in TZ backend

Change-Id: I3d33a0b41e8eb4b58706a32fb298b0476a0525cc
---
 src/manager/crypto/tz-backend/internals.cpp  | 23 ++++++++++++++
 src/manager/crypto/tz-backend/internals.h    |  6 ++++
 src/manager/crypto/tz-backend/obj.cpp        | 29 +++++++++++++++++
 src/manager/crypto/tz-backend/obj.h          |  8 +++++
 src/manager/crypto/tz-backend/tz-context.cpp | 47 ++++++++++++++++++++++++++++
 src/manager/crypto/tz-backend/tz-context.h   |  9 ++++++
 6 files changed, 122 insertions(+)

diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp
index cec70b8..d732c4c 100644
--- a/src/manager/crypto/tz-backend/internals.cpp
+++ b/src/manager/crypto/tz-backend/internals.cpp
@@ -396,6 +396,29 @@ void importWrappedKey(const RawBuffer &wrappingKey,
 												  encryptedKeyId);
 }
 
+RawBuffer exportWrappedKey(const RawBuffer &wrappingKey,
+						   const Pwd &wrappingKeyPwd,
+						   const CryptoAlgorithm &alg,
+						   const RawBuffer &keyToWrapId,
+						   const Pwd &keyToWrapPwd)
+{
+	AlgoType algo;
+	uint32_t ctrLenOrTagSizeBits = 0;
+	RawBuffer iv;
+	RawBuffer aad;
+	decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad);
+
+	// TODO it is awful!
+	return TrustZoneContext::Instance().exportWrappedKey(wrappingKey,
+														 wrappingKeyPwd,
+														 getAlgType(algo),
+														 iv,
+														 ctrLenOrTagSizeBits,
+														 aad,
+														 keyToWrapId,
+														 keyToWrapPwd);
+}
+
 RawBuffer getData(const RawBuffer &dataId,
 				  const Pwd &pwd)
 {
diff --git a/src/manager/crypto/tz-backend/internals.h b/src/manager/crypto/tz-backend/internals.h
index 77b8c36..5c1596c 100644
--- a/src/manager/crypto/tz-backend/internals.h
+++ b/src/manager/crypto/tz-backend/internals.h
@@ -71,6 +71,12 @@ void importWrappedKey(const RawBuffer &wrappingKey,
 					  RawBuffer &encryptedKeyTag,
 					  const RawBuffer &encryptedKeyId);
 
+RawBuffer exportWrappedKey(const RawBuffer &wrappingKey,
+						   const Pwd &wrappingKeyPwd,
+						   const CryptoAlgorithm &alg,
+						   const RawBuffer &keyToWrapId,
+						   const Pwd &keyToWrapPwd);
+
 RawBuffer getData(const RawBuffer &dataId,
 				  const Pwd &pwd);
 
diff --git a/src/manager/crypto/tz-backend/obj.cpp b/src/manager/crypto/tz-backend/obj.cpp
index 717c012..94a4c58 100644
--- a/src/manager/crypto/tz-backend/obj.cpp
+++ b/src/manager/crypto/tz-backend/obj.cpp
@@ -97,6 +97,28 @@ Token Key::unwrap(const CryptoAlgorithm &params,
 	return Token(backendId(), encryptedKey.type, Store::pack(hash, pass, passIV, tag));
 }
 
+RawBuffer Key::wrap(const CryptoAlgorithm &alg,
+					const Token &keyToWrap,
+					const Password &keyToWrapPass)
+{
+	int keyToWrapScheme;
+	RawBuffer keyToWrapId;
+	RawBuffer keyToWrapIV;
+	RawBuffer keyToWrapTag;
+	Store::unpack(keyToWrap.data,
+				  keyToWrapPass,
+				  keyToWrapScheme,
+				  keyToWrapId,
+				  keyToWrapIV,
+				  keyToWrapTag);
+
+	return Internals::exportWrappedKey(getBinary(),
+									   getPassword(),
+									   alg,
+									   keyToWrapId,
+									   Pwd(keyToWrapPass, keyToWrapIV, keyToWrapTag));
+}
+
 RawBuffer SKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data)
 {
     return Internals::symmetricEncrypt(getBinary(), getPassword(), alg, data);
@@ -171,6 +193,13 @@ Token Cert::unwrap(const CryptoAlgorithm &,
 	ThrowErr(Exc::Crypto::OperationNotSupported);
 }
 
+RawBuffer Cert::wrap(const CryptoAlgorithm &,
+					 const Token &,
+					 const Password &)
+{
+	ThrowErr(Exc::Crypto::OperationNotSupported);
+}
+
 } // namespace TZ
 } // namespace Crypto
 } // namespace CKM
diff --git a/src/manager/crypto/tz-backend/obj.h b/src/manager/crypto/tz-backend/obj.h
index 96e4efc..13f63a0 100644
--- a/src/manager/crypto/tz-backend/obj.h
+++ b/src/manager/crypto/tz-backend/obj.h
@@ -96,6 +96,10 @@ public:
 				 const Password &pass,
 				 const RawBuffer &hash) override;
 
+	RawBuffer wrap(const CryptoAlgorithm &params,
+				   const Token &keyToWrap,
+				   const Password &keyToWrapPass) override;
+
 protected:
 	int m_scheme;
 	Pwd m_password;
@@ -133,6 +137,10 @@ public:
 				 const Data &,
 				 const Password &,
 				 const RawBuffer &) override;
+
+	RawBuffer wrap(const CryptoAlgorithm &params,
+				   const Token &keyToWrap,
+				   const Password &keyToWrapPass) override;
 };
 
 } // namespace TZ
diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp
index a998bc9..bf603c9 100644
--- a/src/manager/crypto/tz-backend/tz-context.cpp
+++ b/src/manager/crypto/tz-backend/tz-context.cpp
@@ -650,6 +650,53 @@ void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey,
 	LogDebug("Imported object ID is (hex): " << rawToHexString(encryptedKeyId));
 }
 
+RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey,
+											 const Pwd &wrappingKeyPwd,
+											 tz_algo_type algo,
+											 const RawBuffer &iv,
+											 const uint32_t ctrLenOrTagSizeBits,
+											 const RawBuffer &aad,
+											 const RawBuffer &keyToWrapId,
+											 const Pwd &keyToWrapPwd)
+{
+	// command ID = CMD_EXPORT_WRAPPED_KEY
+	LogDebug("TrustZoneContext::exportWrappedKey");
+
+	auto sIn = makeSerializer(wrappingKey,
+							  wrappingKeyPwd,
+							  algo,
+							  iv,
+							  ctrLenOrTagSizeBits,
+							  aad,
+							  keyToWrapId,
+							  keyToWrapPwd);
+
+	TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+	sIn.Serialize(inMemory);
+
+	uint32_t data_size = 0;
+	GetDataSize(keyToWrapId, data_size);
+
+	LogDebug("GetData data_size = [" << data_size << "]");
+
+	// encrypted data may be longer
+	TZSerializer sOut;
+	sOut.Push(new TZSerializableBinary(data_size + KM_ENCRYPTION_OVERHEAD));
+	TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+	sOut.Serialize(outMemory);
+
+	TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+
+	Execute(CMD_EXPORT_WRAPPED_KEY, &op);
+
+	sOut.Deserialize(outMemory);
+
+	RawBuffer wrappedKey;
+	sOut.Pull(wrappedKey);
+
+	return wrappedKey;
+}
+
 void TrustZoneContext::GetDataSize(const RawBuffer &dataId, uint32_t &dataSize)
 {
 	// command ID = CMD_GET_DATA_SIZE
diff --git a/src/manager/crypto/tz-backend/tz-context.h b/src/manager/crypto/tz-backend/tz-context.h
index 71ef9c9..e48e642 100644
--- a/src/manager/crypto/tz-backend/tz-context.h
+++ b/src/manager/crypto/tz-backend/tz-context.h
@@ -102,6 +102,15 @@ public:
 						  RawBuffer &encryptedKeyTag,
 						  const RawBuffer &encryptedKeyHash);
 
+	RawBuffer exportWrappedKey(const RawBuffer &wrappingKey,
+							   const Pwd &wrappingKeyPwd,
+							   tz_algo_type algo,
+							   const RawBuffer &iv,
+							   const uint32_t ctrLenOrTagSizeBits,
+							   const RawBuffer &aad,
+							   const RawBuffer &keyToWrapId,
+							   const Pwd &keyToWrapPwd);
+
 	void executeCrypt(tz_command cmd,
 					tz_algo_type algo,
 					const RawBuffer &keyId,
-- 
2.7.4