From 41bb23c97dc5512bd8eb92da8b75328d88612c69 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Wed, 18 Jan 2023 08:19:30 +0100
Subject: [PATCH] E2EE: Adaptation layer API
Change-Id: Id16918721d65af96795104c1ccea229b5aa1a65a
---
.../e2ee-adaptation-layer.cpp | 50 ++++++
src/e2ee-adaptation-layer/e2ee-adaptation-layer.h | 170 +++++++++++++++++++++
2 files changed, 220 insertions(+)
create mode 100644 src/e2ee-adaptation-layer/e2ee-adaptation-layer.cpp
create mode 100644 src/e2ee-adaptation-layer/e2ee-adaptation-layer.h
diff --git a/src/e2ee-adaptation-layer/e2ee-adaptation-layer.cpp b/src/e2ee-adaptation-layer/e2ee-adaptation-layer.cpp
new file mode 100644
index 0000000..cf78576
--- /dev/null
+++ b/src/e2ee-adaptation-layer/e2ee-adaptation-layer.cpp
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2023 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "e2ee-adaptation-layer.h"
+
+int ckmew_key_agreement(const char * /*private_key_alias*/,
+ const unsigned char * /*raw_public_key*/,
+ size_t /*raw_public_key_len*/,
+ const char * /*new_key_alias*/)
+{
+ // TODO
+ return CKMC_ERROR_NONE;
+}
+
+int ckmew_key_derive_pbkdf2(const char * /*password*/,
+ const unsigned char * /*salt*/,
+ size_t /*salt_len*/,
+ size_t /*new_key_len*/,
+ const char * /*new_key_alias*/)
+{
+ // TODO
+ return CKMC_ERROR_NONE;
+}
+
+int ckmew_get_ocf_cert_chain(char ** /*cert_chain*/, size_t * /*cert_chain_len*/)
+{
+ // TODO
+ return DCM_ERROR_NONE;
+}
+
+int ckmew_sign_with_ocf(const char * /*public_key_alias*/,
+ ckmc_raw_buffer_s** /*message_buf*/,
+ ckmc_raw_buffer_s** /*signature_buf*/)
+{
+ // TODO
+ return DCM_ERROR_NONE;
+}
diff --git a/src/e2ee-adaptation-layer/e2ee-adaptation-layer.h b/src/e2ee-adaptation-layer/e2ee-adaptation-layer.h
new file mode 100644
index 0000000..f020951
--- /dev/null
+++ b/src/e2ee-adaptation-layer/e2ee-adaptation-layer.h
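Review bot: All four stubs report success (`CKMC_ERROR_NONE` / `DCM_ERROR_NONE`) without doing any work. A caller of `ckmew_key_agreement` or `ckmew_key_derive_pbkdf2` will therefore believe a key now exists under `new_key_alias`, and a caller of `ckmew_get_ocf_cert_chain` or `ckmew_sign_with_ocf` will read, and later free, output pointers that were never written. Until the bodies are implemented the stubs should fail closed, e.g. `return CKMC_ERROR_NOT_SUPPORTED;` in the two key functions and `return DCM_ERROR_NOT_SUPPORTED;` in the two OCF functions; both codes already appear in the header added by this patch. The last stub also names its parameters `message_buf` / `signature_buf` while the header declares `message` / `signature`; using one spelling keeps the Doxygen `@param` names valid for both.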
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2023 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#pragma once
+
+#include
+#include
+
+/**
+ * @brief Derives a common symmetric key using ECDH and KBKDF.
+ *
+ * @since_tizen 7.5
+ *
+ * @remarks The derived key will be a symmetric one. It will be stored as a #CKMC_KEY_AES.
+ * @remarks The function first generates a shared secret using ECDH and temporarily stores it in
+ * key-manager. Then it derives a symmetric key from it, stores it in key-manager too and
+ * removes the shared secret.
+ * @remarks Shared secret length and KBKDF algorithm parameters are fixed in the code.
+ * @remarks To simplify the API, it is assumed that the private key alias does not use a custom
+ * password.
+ *
+ * @param[in] private_key_alias Alias of the private key to be used in ECDH
+ * @param[in] raw_public_key Peer's public key in DER format to be used in ECDH
+ * @param[in] raw_public_key_len Length of the @a raw_public_key
+ * @param[in] new_key_alias The name under which the new key will be known in key-manager
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid (@a private_key_alias = NULL,
+ * @a raw_public_key = NULL, @a new_key_alias = NULL)
+ * @retval #CKMC_ERROR_DB_LOCKED A user is not logged in to key-manager
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN @a private_key_alias does not exist
+ * @retval #CKMC_ERROR_DB_ALIAS_EXISTS @a new_key_alias already exists
+ * @retval #CKMC_ERROR_INVALID_FORMAT The format of @a raw_public_key is not valid
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ * @retval #CKMC_ERROR_AUTHENTICATION_FAILED Secret decryption failed because @a private_key_alias
+ * needed a password and none was given
+ * @retval #CKMC_ERROR_SERVER_ERROR Unknown error
+ *
+ * @pre User is already logged in to key-manager.
+ *
+ * @see ckmc_key_derive()
+ */
+int ckmew_key_agreement(const char *private_key_alias,
+ const unsigned char *raw_public_key,
+ size_t raw_public_key_len,
+ const char *new_key_alias);
+
+/**
+ * @brief Derives a symmetric key from a password using PBKFD2 and stores it in key-manager
+ *
+ * @since_tizen 7.5
+ *
+ * @remarks The password is temporarily stored in key-manager. It is deleted after key derivation
+ * is performed.
+ * @remarks The key-manager's policy for storing the derived key is fixed in the code.
+ * @remarks The number of PBKDF2 iteration is fixed in the code.
+ *
+ * @param[in] password The password to derive the key from
+ * @param[in] salt The salt used for PBKDF2
+ * @param[in] salt_len Length of the @a salt
+ * @param[in] new_key_len The desired length of the derived key
+ * @param[in] new_key_alias The name under which the new key will be known in key-manager
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid (@a password = NULL or
+ * @a salt = NULL)
+ * @retval #CKMC_ERROR_NOT_SUPPORTED Unsupported key length
+ * @retval #CKMC_ERROR_DB_LOCKED A user is not logged in to key-manager
+ * @retval #CKMC_ERROR_DB_ALIAS_EXISTS @a new_key_alias already exists
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ * @retval #CKMC_ERROR_SERVER_ERROR Unknown error
+ *
+ * @pre User is already logged in to key-manager.
+ *
+ * @see ckmc_key_derive()
+ */
+int ckmew_key_derive_pbkdf2(const char *password,
+ const unsigned char *salt,
+ size_t salt_len,
+ size_t new_key_len,
+ const char *new_key_alias);
+
+/**
+ * @platform
+ *
+ * @since_tizen 7.5
+ *
+ * @brief Constructs OCF certificate chain and returns it
+ *
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/devicecertificate
+ *
+ * @remarks The @a cert_chain should be freed using free().
+ *
+ * @param[out] cert_chain Certificate chain in binary, will be allocated by the library
+ * @param[out] cert_chain_len The total length of certificate chain
+ *
+ * @return #DCM_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #DCM_ERROR_NONE Successful
+ * @retval #DCM_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #DCM_ERROR_OUT_OF_MEMORY Out of memory during processing
+ * @retval #DCM_ERROR_PERMISSION_DENIED Failed to access device certificate manager
+ * @retval #DCM_ERROR_NOT_SUPPORTED Feature needed to run API is not supported
+ * @retval #DCM_ERROR_SOCKET Socket error between client and server
+ * @retval #DCM_ERROR_NO_DATA No certificate chain available
+ * @retval #DCM_ERROR_UNKNOWN Unknown error
+ */
+int ckmew_get_ocf_cert_chain(char **cert_chain, size_t *cert_chain_len);
+
+/**
+ * @platform
+ *
+ * @since_tizen 7.5
+ *
+ * @brief Signs given public key with OCF using E2EE signing scheme.
+ *
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/devicecertificate
+ *
+ * @remarks The public key will be retrieved from key-manager.
+ * @remarks It is assumed that the public key is not encrypted with a custom password in
+ * key-manager and thus there's no need to pass additional argument.
+ *
+ * @param[in] public_key_alias Alias of the public key to be signed
+ * @param[out] message The E2EE message composed from public key and E2EE prefixes. It has to be
+ * freed using ckmc_buffer_free()
+ * @param[out] signature The OCF signature calculated for @a message. It has to be
+ * freed using ckmc_buffer_free()
+ *
+ * @return #DCM_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #DCM_ERROR_NONE Successful
+ * @retval #DCM_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #DCM_ERROR_OUT_OF_MEMORY Out of memory during processing
+ * @retval #DCM_ERROR_PERMISSION_DENIED Failed to access device certificate manager
+ * @retval #DCM_ERROR_NOT_SUPPORTED Feature needed to run API is not supported
+ * @retval #DCM_ERROR_SOCKET Socket error between client and server
+ * @retval #DCM_ERROR_NO_DATA If OCF or public key are not available
+ * @retval #DCM_ERROR_UNKNOWN Unknown error
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ * @retval #CKMC_ERROR_AUTHENTICATION_FAILED Decryption failed because password is incorrect
+ */
+int ckmew_sign_with_ocf(const char *public_key_alias,
+ ckmc_raw_buffer_s **message,
+ ckmc_raw_buffer_s **signature);
-- 
2.7.4
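Review bot: The contracts for `ckmew_key_agreement` and `ckmew_key_derive_pbkdf2` do not say what happens to the temporarily stored ECDH shared secret or password when derivation or the final store fails, for example with `CKMC_ERROR_DB_ALIAS_EXISTS` on `new_key_alias`. Both are secret material, so the header should promise removal on every return path, e.g. `@remarks The temporary entry is removed before the function returns, also when an error is reported.`, and the implementation should be held to that. The `@retval #CKMC_ERROR_INVALID_PARAMETER` line of `ckmew_key_derive_pbkdf2` also omits `new_key_alias = NULL`, which the key-agreement function lists. Separately, the prototypes are not wrapped in `extern "C"` while the implementation is a .cpp file, so a C caller would presumably fail to link; confirm whether C clients are intended.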