From 12b745376eba24d5da65e70bb0fcf681b2cb57a4 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Thu, 23 Mar 2023 09:21:05 +0100 Subject: [PATCH] Key wrapping implementation in TZ backend Change-Id: I3d33a0b41e8eb4b58706a32fb298b0476a0525cc --- src/manager/crypto/tz-backend/internals.cpp | 23 ++++++++++++++ src/manager/crypto/tz-backend/internals.h | 6 ++++ src/manager/crypto/tz-backend/obj.cpp | 29 +++++++++++++++++ src/manager/crypto/tz-backend/obj.h | 8 +++++ src/manager/crypto/tz-backend/tz-context.cpp | 47 ++++++++++++++++++++++++++++ src/manager/crypto/tz-backend/tz-context.h | 9 ++++++ 6 files changed, 122 insertions(+) diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp index cec70b8..d732c4c 100644 --- a/src/manager/crypto/tz-backend/internals.cpp +++ b/src/manager/crypto/tz-backend/internals.cpp @@ -396,6 +396,29 @@ void importWrappedKey(const RawBuffer &wrappingKey, encryptedKeyId); } +RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, + const Pwd &wrappingKeyPwd, + const CryptoAlgorithm &alg, + const RawBuffer &keyToWrapId, + const Pwd &keyToWrapPwd) +{ + AlgoType algo; + uint32_t ctrLenOrTagSizeBits = 0; + RawBuffer iv; + RawBuffer aad; + decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad); + + // TODO it is awful! + return TrustZoneContext::Instance().exportWrappedKey(wrappingKey, + wrappingKeyPwd, + getAlgType(algo), + iv, + ctrLenOrTagSizeBits, + aad, + keyToWrapId, + keyToWrapPwd); +} + RawBuffer getData(const RawBuffer &dataId, const Pwd &pwd) { diff --git a/src/manager/crypto/tz-backend/internals.h b/src/manager/crypto/tz-backend/internals.h index 77b8c36..5c1596c 100644 --- a/src/manager/crypto/tz-backend/internals.h +++ b/src/manager/crypto/tz-backend/internals.h @@ -71,6 +71,12 @@ void importWrappedKey(const RawBuffer &wrappingKey, RawBuffer &encryptedKeyTag, const RawBuffer &encryptedKeyId); +RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, + const Pwd &wrappingKeyPwd, + const CryptoAlgorithm &alg, + const RawBuffer &keyToWrapId, + const Pwd &keyToWrapPwd); + RawBuffer getData(const RawBuffer &dataId, const Pwd &pwd); diff --git a/src/manager/crypto/tz-backend/obj.cpp b/src/manager/crypto/tz-backend/obj.cpp index 717c012..94a4c58 100644 --- a/src/manager/crypto/tz-backend/obj.cpp +++ b/src/manager/crypto/tz-backend/obj.cpp @@ -97,6 +97,28 @@ Token Key::unwrap(const CryptoAlgorithm ¶ms, return Token(backendId(), encryptedKey.type, Store::pack(hash, pass, passIV, tag)); } +RawBuffer Key::wrap(const CryptoAlgorithm &alg, + const Token &keyToWrap, + const Password &keyToWrapPass) +{ + int keyToWrapScheme; + RawBuffer keyToWrapId; + RawBuffer keyToWrapIV; + RawBuffer keyToWrapTag; + Store::unpack(keyToWrap.data, + keyToWrapPass, + keyToWrapScheme, + keyToWrapId, + keyToWrapIV, + keyToWrapTag); + + return Internals::exportWrappedKey(getBinary(), + getPassword(), + alg, + keyToWrapId, + Pwd(keyToWrapPass, keyToWrapIV, keyToWrapTag)); +} + RawBuffer SKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data) { return Internals::symmetricEncrypt(getBinary(), getPassword(), alg, data); @@ -171,6 +193,13 @@ Token Cert::unwrap(const CryptoAlgorithm &, ThrowErr(Exc::Crypto::OperationNotSupported); } +RawBuffer Cert::wrap(const CryptoAlgorithm &, + const Token &, + const Password &) +{ + ThrowErr(Exc::Crypto::OperationNotSupported); +} + } // namespace TZ } // namespace Crypto } // namespace CKM diff --git a/src/manager/crypto/tz-backend/obj.h b/src/manager/crypto/tz-backend/obj.h index 96e4efc..13f63a0 100644 --- a/src/manager/crypto/tz-backend/obj.h +++ b/src/manager/crypto/tz-backend/obj.h @@ -96,6 +96,10 @@ public: const Password &pass, const RawBuffer &hash) override; + RawBuffer wrap(const CryptoAlgorithm ¶ms, + const Token &keyToWrap, + const Password &keyToWrapPass) override; + protected: int m_scheme; Pwd m_password; @@ -133,6 +137,10 @@ public: const Data &, const Password &, const RawBuffer &) override; + + RawBuffer wrap(const CryptoAlgorithm ¶ms, + const Token &keyToWrap, + const Password &keyToWrapPass) override; }; } // namespace TZ diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp index a998bc9..bf603c9 100644 --- a/src/manager/crypto/tz-backend/tz-context.cpp +++ b/src/manager/crypto/tz-backend/tz-context.cpp @@ -650,6 +650,53 @@ void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey, LogDebug("Imported object ID is (hex): " << rawToHexString(encryptedKeyId)); } +RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey, + const Pwd &wrappingKeyPwd, + tz_algo_type algo, + const RawBuffer &iv, + const uint32_t ctrLenOrTagSizeBits, + const RawBuffer &aad, + const RawBuffer &keyToWrapId, + const Pwd &keyToWrapPwd) +{ + // command ID = CMD_EXPORT_WRAPPED_KEY + LogDebug("TrustZoneContext::exportWrappedKey"); + + auto sIn = makeSerializer(wrappingKey, + wrappingKeyPwd, + algo, + iv, + ctrLenOrTagSizeBits, + aad, + keyToWrapId, + keyToWrapPwd); + + TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT); + sIn.Serialize(inMemory); + + uint32_t data_size = 0; + GetDataSize(keyToWrapId, data_size); + + LogDebug("GetData data_size = [" << data_size << "]"); + + // encrypted data may be longer + TZSerializer sOut; + sOut.Push(new TZSerializableBinary(data_size + KM_ENCRYPTION_OVERHEAD)); + TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT); + sOut.Serialize(outMemory); + + TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory); + + Execute(CMD_EXPORT_WRAPPED_KEY, &op); + + sOut.Deserialize(outMemory); + + RawBuffer wrappedKey; + sOut.Pull(wrappedKey); + + return wrappedKey; +} + void TrustZoneContext::GetDataSize(const RawBuffer &dataId, uint32_t &dataSize) { // command ID = CMD_GET_DATA_SIZE diff --git a/src/manager/crypto/tz-backend/tz-context.h b/src/manager/crypto/tz-backend/tz-context.h index 71ef9c9..e48e642 100644 --- a/src/manager/crypto/tz-backend/tz-context.h +++ b/src/manager/crypto/tz-backend/tz-context.h @@ -102,6 +102,15 @@ public: RawBuffer &encryptedKeyTag, const RawBuffer &encryptedKeyHash); + RawBuffer exportWrappedKey(const RawBuffer &wrappingKey, + const Pwd &wrappingKeyPwd, + tz_algo_type algo, + const RawBuffer &iv, + const uint32_t ctrLenOrTagSizeBits, + const RawBuffer &aad, + const RawBuffer &keyToWrapId, + const Pwd &keyToWrapPwd); + void executeCrypt(tz_command cmd, tz_algo_type algo, const RawBuffer &keyId, -- 2.7.4