From 429456a17331db0de65a9ab66ec2ebd528e321a9 Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Fri, 26 Jun 2020 11:22:49 +0200 Subject: [PATCH] Remove KSE backend Konai Secure Element is not supported anymore. Change-Id: I606b11863fcfba0daa30ff12452f41b2d206aac9 --- CMakeLists.txt | 8 +- .../device-certificate-manager-backend-dummy.spec | 4 +- .../device-certificate-manager-backend-kse.spec | 52 -- src/kse-backend/CMakeLists.txt | 52 -- src/kse-backend/cert_utils.cpp | 257 ---------- src/kse-backend/cert_utils.h | 50 -- src/kse-backend/dcm-backend-api-kse.cpp | 57 --- src/kse-backend/konaise.h | 532 --------------------- src/kse-backend/ksebackend.cpp | 55 --- src/kse-backend/ksebackend.h | 48 -- src/kse-backend/ksebackendcontext.cpp | 215 --------- src/kse-backend/ksebackendcontext.h | 50 -- src/kse-backend/soresolver.cpp | 105 ---- src/kse-backend/soresolver.h | 55 --- src/kse-backend/tools/CMakeLists.txt | 36 -- src/kse-backend/tools/konaise_tool.cpp | 318 ------------ 16 files changed, 2 insertions(+), 1892 deletions(-) delete mode 100644 packaging/device-certificate-manager-backend-kse.spec delete mode 100644 src/kse-backend/CMakeLists.txt delete mode 100644 src/kse-backend/cert_utils.cpp delete mode 100644 src/kse-backend/cert_utils.h delete mode 100644 src/kse-backend/dcm-backend-api-kse.cpp delete mode 100644 src/kse-backend/konaise.h delete mode 100644 src/kse-backend/ksebackend.cpp delete mode 100644 src/kse-backend/ksebackend.h delete mode 100644 src/kse-backend/ksebackendcontext.cpp delete mode 100644 src/kse-backend/ksebackendcontext.h delete mode 100644 src/kse-backend/soresolver.cpp delete mode 100644 src/kse-backend/soresolver.h delete mode 100644 src/kse-backend/tools/CMakeLists.txt delete mode 100644 src/kse-backend/tools/konaise_tool.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index 93e5048..71c0db0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -38,10 +38,4 @@ ADD_DEFINITIONS("-Wextra") SET(CMAKE_POSITION_INDEPENDENT_CODE "True") SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie") -IF(DCM_BACKEND_TYPE STREQUAL "dummy") - ADD_SUBDIRECTORY(src/dummy-backend) -ELSEIF(DCM_BACKEND_TYPE STREQUAL "kse") - ADD_SUBDIRECTORY(src/kse-backend) -ELSE() - ADD_SUBDIRECTORY(src/dummy-backend) -ENDIF() +ADD_SUBDIRECTORY(src/dummy-backend) diff --git a/packaging/device-certificate-manager-backend-dummy.spec b/packaging/device-certificate-manager-backend-dummy.spec index 920f2fb..e68d391 100644 --- a/packaging/device-certificate-manager-backend-dummy.spec +++ b/packaging/device-certificate-manager-backend-dummy.spec @@ -14,7 +14,6 @@ BuildRequires: openssl1.1 Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig Requires: device-certificate-manager -Conflicts:device-certificate-manager-backend-kse %description Device Certificate Manager dummy (based on the OpenSSL) backend library @@ -25,8 +24,7 @@ cp -a %{SOURCE1001} . %build %cmake . -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:Release} \ - -DDCM_BACKEND_API=%{dcm_backend_api} \ - -DDCM_BACKEND_TYPE=dummy + -DDCM_BACKEND_API=%{dcm_backend_api} make %{?jobs:-j%jobs} diff --git a/packaging/device-certificate-manager-backend-kse.spec b/packaging/device-certificate-manager-backend-kse.spec deleted file mode 100644 index fa64d2c..0000000 --- a/packaging/device-certificate-manager-backend-kse.spec +++ /dev/null @@ -1,52 +0,0 @@ -Name: device-certificate-manager-backend-kse -Summary: Device Certificate Manager KONAISE backend library -Version: 1.0 -Release: 1 -Group: Security/Development -License: Apache-2.0 -Source0: %{name}-%{version}.tar.gz -Source1001: device-certificate-manager-backend.manifest -BuildRequires: cmake -BuildRequires: pkgconfig(dlog) -BuildRequires: pkgconfig(iotivity) -BuildRequires: pkgconfig(device-certificate-manager-backend) -BuildRequires: boost-devel -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig -Requires: device-certificate-manager -Conflicts:device-certificate-manager-backend-dummy - -%description -Device Certificate Manager KONAISE backend library - -%package tests -Summary: Internal tool for testing the DCM KONAISE backend -Group: Security/Testing -Requires: device-certificate-manager-backend-kse - -%description tests -Internal tool for testing the DCM KONAISE backend - -%prep -%setup -q -cp -a %{SOURCE1001} . - -%build -%cmake . -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:Release} \ - -DDCM_BACKEND_API=%{dcm_backend_api} \ - -DDCM_BACKEND_TYPE=kse - -make %{?jobs:-j%jobs} - -%install -%make_install - -%files -%manifest device-certificate-manager-backend.manifest -%license LICENSE -%{_libdir}/lib%{dcm_backend_api}.so* - -%files tests -%manifest device-certificate-manager-backend.manifest -%license LICENSE -%{_bindir}/dcm_konaise_tool diff --git a/src/kse-backend/CMakeLists.txt b/src/kse-backend/CMakeLists.txt deleted file mode 100644 index 3d2a67a..0000000 --- a/src/kse-backend/CMakeLists.txt +++ /dev/null @@ -1,52 +0,0 @@ -# Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# @file src/kse-backend/CMakeLists.txt -# @author Pawel Kowalski -# - -FIND_PACKAGE(PkgConfig REQUIRED) -FIND_LIBRARY(MBEDTLS_LIB mbedtls) - -PKG_CHECK_MODULES(KSE_DEPS REQUIRED dlog device-certificate-manager-backend) -INCLUDE_DIRECTORIES(SYSTEM ${KSE_DEPS_INCLUDE_DIRS}) -LINK_DIRECTORIES(${KSE_DEPS_LIBRARY_DIRS}) - -INCLUDE_DIRECTORIES(../shared) - -ADD_LIBRARY(${DCM_BACKEND_API} - SHARED - dcm-backend-api-kse.cpp - soresolver.cpp - ksebackend.cpp - ksebackendcontext.cpp - ../shared/log.cpp) - -TARGET_LINK_LIBRARIES(${DCM_BACKEND_API} - ${MBEDTLS_LIB} - ${KSE_DEPS_LIBRARIES}) - -SET_TARGET_PROPERTIES(${DCM_BACKEND_API} - PROPERTIES - VERSION 1.0 - DEFINE_SYMBOL DCM_BACKEND_API_SEE_EXPORT - VISIBILITY_INLINES_HIDDEN TRUE - C_VISIBILITY_PRESET hidden - CXX_VISIBILITY_PRESET hidden) - -INSTALL(TARGETS ${DCM_BACKEND_API} - LIBRARY DESTINATION - ${CMAKE_INSTALL_LIBDIR}) - -ADD_SUBDIRECTORY(tools) diff --git a/src/kse-backend/cert_utils.cpp b/src/kse-backend/cert_utils.cpp deleted file mode 100644 index a238ecd..0000000 --- a/src/kse-backend/cert_utils.cpp +++ /dev/null @@ -1,257 +0,0 @@ -/****************************************************************** - * - * Copyright 2017 Samsung Electronics All Rights Reserved. - * - * Author: Jaroslaw Pelczar - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#include "cert_utils.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "log.h" - -int x509_crt_rewriter::parse(const unsigned char * buffer, size_t length) -{ - return mbedtls_x509_crt_parse(fChain, buffer, length); -} - -/* - * Like memcmp, but case-insensitive and always returns -1 if different - */ -static int x509_memcasecmp( const void *s1, const void *s2, size_t len ) -{ - size_t i; - unsigned char diff; - const unsigned char *n1 = (const unsigned char *)s1, *n2 = (const unsigned char *)s2; - - for( i = 0; i < len; i++ ) - { - diff = n1[i] ^ n2[i]; - - if( diff == 0 ) - continue; - - if( diff == 32 && - ( ( n1[i] >= 'a' && n1[i] <= 'z' ) || - ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) ) - { - continue; - } - - return( -1 ); - } - - return( 0 ); -} - -/* - * Compare two X.509 strings, case-insensitive, and allowing for some encoding - * variations (but not all). - * - * Return 0 if equal, -1 otherwise. - */ -static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b ) -{ - if( a->tag == b->tag && - a->len == b->len && - memcmp( a->p, b->p, b->len ) == 0 ) - { - return( 0 ); - } - - if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) && - ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) && - a->len == b->len && - x509_memcasecmp( a->p, b->p, b->len ) == 0 ) - { - return( 0 ); - } - - return( -1 ); -} - -/* - * Compare two X.509 Names (aka rdnSequence). - * - * See RFC 5280 section 7.1, though we don't implement the whole algorithm: - * we sometimes return unequal when the full algorithm would return equal, - * but never the other way. (In particular, we don't do Unicode normalisation - * or space folding.) - * - * Return 0 if equal, -1 otherwise. - */ -static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b ) -{ - /* Avoid recursion, it might not be optimised by the compiler */ - while( a != NULL || b != NULL ) - { - if( a == NULL || b == NULL ) - return( -1 ); - - /* type */ - if( a->oid.tag != b->oid.tag || - a->oid.len != b->oid.len || - memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 ) - { - return( -1 ); - } - - /* value */ - if( x509_string_cmp( &a->val, &b->val ) != 0 ) - return( -1 ); - - /* structure of the list of sets */ - if( a->next_merged != b->next_merged ) - return( -1 ); - - a = a->next; - b = b->next; - } - - /* a == NULL == b */ - return( 0 ); -} - -void x509_crt_rewriter::sort_chain() -{ - // Only 1 certificate - don't bother - if(!fChain->next) { - fChainSize = fChain->raw.len; - fNumCerts = 1; - return; - } - - std::vector list; - std::multimap subject_of; - std::set visited; - - // Build list of all certificates - for(auto * cert = fChain ; cert ; cert = cert->next) { - list.push_back(cert); - } - - // Create graph vertices to map issuer to subject - for(size_t i = 0 ; i < list.size() ; ++i) { - mbedtls_x509_crt * issuer = nullptr; - // Find issuer - ignore ourselves as we always want root CA issuer to be nullptr - for(size_t j = 0 ; j < list.size() ; ++j) { - if(i != j && x509_name_cmp(&list[i]->issuer, &list[j]->subject) == 0) { - issuer = list[j]; - break; - } - } - - // In case there are multiple subjects for one issuer, the chain - // must be horribly broken - subject_of.emplace(issuer, list[i]); - } - - // BFS algorithm queue - std::list queue; - // Final output chain - std::list final_chain; - - // Find root certificates - they will not have any issuer - auto root_range = subject_of.equal_range(nullptr); - - // Perform BFS for each root - for(auto it = root_range.first ; it != root_range.second ; ++it) { - mbedtls_x509_crt * root_cert = it->second; - - if(visited.find(root_cert) == visited.end()) { - visited.insert(root_cert); - queue.push_back(root_cert); - - while(!queue.empty()) { - auto s = queue.front(); - // Write out chain from root back to leaf - final_chain.push_back(s); - queue.pop_front(); - - auto range = subject_of.equal_range(s); - for(auto it = range.first ; it != range.second ; ++it) { - mbedtls_x509_crt * cert = it->second; - if(visited.find(cert) == visited.end()) { - visited.insert(cert); - queue.push_back(cert); - } - } - } - } - } - - fChain = nullptr; - fChainSize = 0; - fNumCerts = list.size(); - - // Rebuild certificate linked list - for(auto it = final_chain.begin() ; it != final_chain.end() ; ++it) { - auto cert(*it); - cert->next = fChain; - fChain = cert; - fChainSize += cert->raw.len; - } -} - -#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n" -#define PEM_END_CRT "-----END CERTIFICATE-----\n" - -std::string x509_crt_rewriter::emit_pem() -{ - std::string buffer; - - if(fChainSize == 0) - throw std::runtime_error("State failure"); - - // Always rewrite the chain as PEM - - buffer.resize(fChainSize * 4 + fNumCerts * (sizeof(PEM_BEGIN_CRT) + sizeof(PEM_END_CRT))); - - unsigned char * out_buffer = (unsigned char *)buffer.c_str(); - size_t out_capacity = buffer.size(); - size_t total_size = 0; - size_t this_len; - - for(auto cert = fChain ; cert ; cert = cert->next) { - int error = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, - PEM_END_CRT, - cert->raw.p, - cert->raw.len, - out_buffer + total_size, - out_capacity - total_size, - &this_len); - - if(error != 0) { - throw std::runtime_error("Certificate write failure"); - } - - // Account for final 0 byte - total_size += this_len - 1; - } - - buffer.resize(total_size); - buffer.push_back(0); - - return buffer; -} diff --git a/src/kse-backend/cert_utils.h b/src/kse-backend/cert_utils.h deleted file mode 100644 index 51d0c2b..0000000 --- a/src/kse-backend/cert_utils.h +++ /dev/null @@ -1,50 +0,0 @@ -/****************************************************************** - * - * Copyright 2017 - 2019 Samsung Electronics All Rights Reserved. - * - * Author: Jaroslaw Pelczar - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#ifndef CERT_UTILS_H_ -#define CERT_UTILS_H_ - -#include -#include - -struct x509_crt_rewriter { -private: - mbedtls_x509_crt * fChain; - size_t fChainSize = 0; - size_t fNumCerts = 0; - -public: - x509_crt_rewriter() : - fChain(new mbedtls_x509_crt()) - { - mbedtls_x509_crt_init(fChain); - } - - ~x509_crt_rewriter() { - mbedtls_x509_crt_free(fChain); - delete fChain; - } - - int parse(const unsigned char * buffer, size_t length); - void sort_chain(); - std::string emit_pem(); -}; - -#endif /* CERT_UTILS_H_ */ diff --git a/src/kse-backend/dcm-backend-api-kse.cpp b/src/kse-backend/dcm-backend-api-kse.cpp deleted file mode 100644 index 9f3c3ad..0000000 --- a/src/kse-backend/dcm-backend-api-kse.cpp +++ /dev/null @@ -1,57 +0,0 @@ -/****************************************************************** - * - * Copyright 2019 Samsung Electronics All Rights Reserved. - * - * Author: Pawel Kowalski - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#include "ksebackend.h" -#include "ksebackendcontext.h" -#include - -static std::shared_ptr backend(new kse_backend()); - -void dcm_backend_create_key_context(dcm_backend_context& ctx, - const std::string& keyType) { - ctx.backend = new kse_backend_context(backend, keyType); -} - -void dcm_backend_free_key_context(dcm_backend_context& ctx) { - delete static_cast(ctx.backend); - ctx.backend= nullptr; -} - -int dcm_backend_request_certificate_chain(dcm_backend_context& ctx, - std::string& mutable_chain) { - return ctx.backend ? static_cast(ctx.backend) - ->request_certificate_chain(mutable_chain) : -1; -} - -int dcm_backend_sign_crypto_data(dcm_backend_context& ctx, - MessageDigestType digestType, - const std::string& dataToSign, - std::string& digestResult) { - return ctx.backend ? static_cast(ctx.backend) - ->sign_crypto_data(digestType, dataToSign, digestResult) : -1; -} - -CryptoKeyType dcm_backend_key_type(dcm_backend_context& ctx) { - return ctx.backend ? static_cast(ctx.backend)->key_type() : CryptoKeyType::CRYPTO_KEY_TYPE_INVALID; -} - -unsigned int dcm_backend_key_length(dcm_backend_context& ctx) { - return ctx.backend ? static_cast(ctx.backend)->key_length() : 0; -} diff --git a/src/kse-backend/konaise.h b/src/kse-backend/konaise.h deleted file mode 100644 index b13d13c..0000000 --- a/src/kse-backend/konaise.h +++ /dev/null @@ -1,532 +0,0 @@ -#ifndef _KONAISE_H_ -#define _KONAISE_H_ - -// real header file name is security_hal.h - -/** - * This header file is included to define _EXPORT_. - */ -#include -#include -#include - -#define _IN_ -#define _OUT_ -#define _INOUT_ - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * Common - */ - -/* Enumerator */ -enum hal_result_e { - HAL_SUCCESS, - - HAL_NOT_INITIALIZED, - HAL_INVALID_ARGS, - - HAL_INVALID_SLOT_RANGE, - HAL_INVALID_SLOT_TYPE, //ex. request to save key into cert slot - HAL_EMPTY_SLOT, - - HAL_BAD_KEY, - HAL_BAD_KEY_PAIR, //public and private keys do not match - HAL_BAD_CERT, - HAL_BAD_CERTKEY_PAIR, //certificate and key do not match - - HAL_NOT_ENOUGH_MEMORY, - HAL_ALLOC_FAIL, - HAL_KEY_IN_USE, - HAL_CERT_IN_USE, - HAL_DATA_IN_USE, - - HAL_NOT_SUPPORTED, - HAL_NOT_IMPLEMENTED, - - HAL_BUSY, - HAL_FAIL, -}; - -typedef enum { - HAL_HASH_MD5, - HAL_HASH_SHA1, - HAL_HASH_SHA224, - HAL_HASH_SHA256, - HAL_HASH_SHA384, - HAL_HASH_SHA512, - HAL_HASH_UNKNOWN, -} hal_hash_type; - -typedef enum { - HAL_DH_1024, - HAL_DH_2048, -} hal_dh_key_type; - -typedef enum{ - HAL_RSA_1024, - HAL_RSA_2048, -} hal_rsa_key_type; - -typedef enum { - HAL_AES_128, - HAL_AES_192, - HAL_AES_256, -} hal_aes_key_type; - -typedef enum { - HAL_HMAC_MD5, - HAL_HMAC_SHA1, - HAL_HMAC_SHA224, - HAL_HMAC_SHA256, - HAL_HMAC_SHA384, - HAL_HMAC_SHA512, - HAL_HMAC_UNKNOWN, -} hal_hmac_type; - -typedef enum { - HAL_ECDSA_BRAINPOOL_P256R1, - HAL_ECDSA_BRAINPOOL_P384R1, - HAL_ECDSA_BRAINPOOL_P512R1, - HAL_ECDSA_SEC_P256R1, - HAL_ECDSA_SEC_P384R1, - HAL_ECDSA_SEC_P512R1, -} hal_ecdsa_curve; - -typedef enum { - HAL_AES_ECB_NOPAD, - HAL_AES_ECB_ISO9797_M1, - HAL_AES_ECB_ISO9797_M2, - HAL_AES_ECB_PKCS5, - HAL_AES_ECB_PKCS7, - HAL_AES_CBC_NOPAD, - HAL_AES_CBC_ISO9797_M1, - HAL_AES_CBC_ISO9797_M2, - HAL_AES_CBC_PKCS5, - HAL_AES_CBC_PKCS7, - HAL_AES_CTR, -} hal_aes_algo; - -typedef enum { - HAL_RSASSA_PKCS1_V1_5, - HAL_RSASSA_PKCS1_PSS_MGF1, -} hal_rsa_algo; - -typedef enum { - /* AES */ - HAL_KEY_AES_128,// 128 bits aes algorithm - HAL_KEY_AES_192, // 192 bits aes algorithm - HAL_KEY_AES_256, // 256 bits aes algorithm - /* RSA */ - HAL_KEY_RSA_1024, // 1024 bits rsa algorithm - HAL_KEY_RSA_2048, // 2048 bits rsa algorithm - HAL_KEY_RSA_3072, // 3072 bits rsa algorithm - HAL_KEY_RSA_4096, - /* ECC: it doesn't support whole algorithm that mbedTLS support. it's have to be added*/ - HAL_KEY_ECC_BRAINPOOL_P256R1, // ecc brainpool curve for p256r1 - HAL_KEY_ECC_BRAINPOOL_P384R1, // ecc brainpool curve for p384r1 - HAL_KEY_ECC_BRAINPOOL_P512R1, // ecc brainpool curve for p512r1 - HAL_KEY_ECC_SEC_P256R1, // nist curve for p256r1 - HAL_KEY_ECC_SEC_P384R1, // nist curve for p384r1 - HAL_KEY_ECC_SEC_P512R1, // nist curve for p512r1 - /* Hmac */ - HAL_KEY_HMAC_MD5, // hmac with md5 - HAL_KEY_HMAC_SHA1, // hmac with sha1 - HAL_KEY_HMAC_SHA224, // hmac with sha224 - HAL_KEY_HMAC_SHA256, // hmac with sha256 - HAL_KEY_HMAC_SHA384, // hmac with sha384 - HAL_KEY_HMAC_SHA512, // hmac with sha512 - /* DH */ - HAL_KEY_DH_1024, - HAL_KEY_DH_2048, - HAL_KEY_UNKNOWN, -} hal_key_type; - -/* Structure */ -typedef struct _hal_init_param { - uint32_t i2c_port; - uint32_t i2c_speed; - uint32_t gpio; - uint8_t i2c_slave_address; -} hal_init_param; - -typedef struct _hal_data { - void *data; - uint32_t data_len; - void *priv; -} hal_data; - -typedef struct _hal_rsa_mode { - hal_rsa_algo rsa_a; - hal_hash_type hash_t; - hal_hash_type mgf; - uint32_t salt_byte_len; -} hal_rsa_mode; - -typedef struct _hal_aes_param { - hal_aes_algo mode; - unsigned char *iv; - unsigned int iv_len; -} hal_aes_param; - -typedef struct _hal_ecdsa_mode { - hal_ecdsa_curve curve; - hal_hash_type hash_t; -} hal_ecdsa_mode; - -typedef struct _hal_dh_data { - hal_dh_key_type mode; - hal_data *G; - hal_data *P; - hal_data *pubkey; -} hal_dh_data; - -typedef struct _hal_ecdh_data { - hal_ecdsa_curve curve; - hal_data *pubkey_x; - hal_data *pubkey_y; -} hal_ecdh_data; - -typedef struct _hal_ss_info { - unsigned int size; - struct _hal_ss_info *next; -} hal_ss_info; - - -// ====================================== -// Function -// ====================================== - -/** - * Common - */ - -/* - * Reference - * Desc: Initialize HAL - * Artik SEE API: - * TizenRT SEE API: - * ISP: - * NOTE: Initialize secure channel - */ -EXPORT_API int hal_init(_IN_ hal_init_param *params); - -/* - * Reference - * Desc: Deinitialize HAL - * Artik SEE API: - * TizenRT SEE API: - * ISP: - * NOTE: Deinitialize secure channel - */ -EXPORT_API int hal_deinit(void); - -/* - * Reference - * Desc: free memory allocated within HAL - * Artik SEE API: - * TizenRT SEE API: - * ISP: - */ -EXPORT_API int hal_free_data(_IN_ hal_data *data); - -/* - * Reference - * Desc: get status of SE - * Artik SEE API: - * TizenRT SEE API: - * ISP: - * return value: busy, not initialized, ... - * NOTE: BUSY/IDLE check should be conducted within each HAL APIs as well. - */ -EXPORT_API int hal_get_status(void); - -/** - * Key Manager - */ -/* - * Reference - * Desc: If key type is asymmetric then private key can be stored. - * Artik SEE API: int see_set_key(see_algorithm algo, const char *key_name, see_data key); - * TizenRT SEE API: - * ISP: - */ -EXPORT_API int hal_set_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx, _IN_ hal_data *key, _IN_ hal_data *prikey); - - -/* - * Reference - * Desc: - * Artik SEE API: int see_get_pubkey(see_algorithm algo, const char *key_name, see_data *pub_key); - * TizenRT SEE API: - * ISP: - * NOTE: Return key type in key->priv - */ -EXPORT_API int hal_get_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx, _OUT_ hal_data *key); - - -/* - * Reference - * Desc: - * Artik SEE API: int see_remove_key(see_algorithm algo, const char *key_name); - * TizenRT SEE API: - * ISP: - */ -EXPORT_API int hal_remove_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx); - - -/* - * Reference - * Desc: - * Artik SEE API: int see_generate_key(see_algorithm algo, const char *key_name, see_data *pub_key) - * TizenRT SEE API: - * ISP: - */ -EXPORT_API int hal_generate_key(_IN_ hal_key_type mode, _IN_ uint32_t key_idx); - - -/** - * Authenticate - */ - -/* - * Reference - * Desc: Generate random - * Artik SEE API: int see_generate_random(unsigned int size, see_data *random) - * TizenRT SEE API: int see_generate_random(unsigned int *data, unsigned int len) - * ISP: int isp_generate_random(unsigned int *random, unsigned int wlen); - */ -EXPORT_API int hal_generate_random(_IN_ uint32_t len, _OUT_ hal_data *random); - -/* - * Reference - * Desc: Get HASH - * Artik SEE API: int see_get_hash(see_algorithm algo, see_data data, see_data *hash); - * TizenRT SEE API: int see_get_hash(struct sHASH_MSG *h_param, unsigned char *hash, unsigned int mode) - * ISP: int isp_hash(unsigned char *hash, struct sHASH_MSG *hash_msg, unsigned int object_id); - */ -EXPORT_API int hal_get_hash(_IN_ hal_hash_type mode, _IN_ hal_data *input, _OUT_ hal_data *hash); - -/* - * Reference - * Desc: Get HMAC - * Artik SEE API: int see_get_hmac(see_algorithm algo, const char *key_name, see_data data, see_data *hmac); - * TizenRT SEE API: int see_get_hmac(struct sHMAC_MSG *hmac_msg, unsigned char *output, unsigned int object_id, unsigned int key_index) - * ISP: int isp_hmac_securekey(unsigned char *mac, struct sHMAC_MSG *hmac_msg, unsigned int object_id, unsigned int key_index) - * w - */ -EXPORT_API int hal_get_hmac(_IN_ hal_hmac_type mode, _IN_ hal_data *input, _IN_ uint32_t key_idx, _OUT_ hal_data *hmac); - -/* - * Reference - * Desc: get signature using RSA key - * Artik SEE API: int see_get_rsa_signature(see_rsa_mode mode, const char *key_name, see_data hash, see_data *sign) - * TizenRT SEE API: int see_get_rsa_signature(struct sRSA_SIGN *rsa_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index) - * ISP: int isp_rsa_sign_md_securekey(struct sRSA_SIGN *rsa_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index) - */ -EXPORT_API int hal_rsa_sign_md(_IN_ hal_rsa_mode mode, _IN_ hal_data *hash, _IN_ uint32_t key_idx, _OUT_ hal_data *sign); - -/* - * Reference - * Desc: - * Artik SEE API: int see_verify_rsa_signature(see_rsa_mode mode, const char *key_name, see_data hash, see_data sign) - * TizenRT SEE API: int see_verify_rsa_signature(struct sRSA_SIGN *rsa_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index) - * ISP: int isp_rsa_verify_md_securekey(struct sRSA_SIGN *rsa_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index); - */ -EXPORT_API int hal_rsa_verify_md(_IN_ hal_rsa_mode mode, _IN_ hal_data *hash, _IN_ hal_data *sign, _IN_ uint32_t key_idx); - -/* - * Reference - * Desc: Get signature - * Artik SEE API: int see_get_ecdsa_signature(see_ecdsa_curve curve, const char *key_name, see_data hash, see_data *sign) - * TizenRT SEE API: int see_get_ecdsa_signature(struct sECC_SIGN *ecc_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index) - * ISP: int isp_ecdsa_sign_md_securekey(struct sECC_SIGN *ecc_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index) - */ -EXPORT_API int hal_ecdsa_sign_md(_IN_ hal_data *hash, _IN_ uint32_t key_idx, _INOUT_ hal_ecdsa_mode *mode, _OUT_ hal_data *sign); - -/* - * Reference - * Artik SEE API: - * TizenRT SEE API: int see_verify_ecdsa_signature(struct sECC_SIGN *ecc_sign, unsigned char *hash, unsigned int hash_len, unsigned int key_index) - * ISP: int isp_ecdsa_verify_md_securekey(struct sECC_SIGN *ecc_sign, unsigned char *msg_digest, unsigned int msg_digest_byte_len, unsigned int key_index) - */ -EXPORT_API int hal_ecdsa_verify_md(_IN_ hal_ecdsa_mode mode, _IN_ hal_data *hash, _IN_ hal_data *sign, _IN_ uint32_t key_idx); - - -/* - * Reference - * Desc: Generate key at slot of index - * Artik SEE API: - - * TizenRT SEE API: int see_generate_dhm_params(struct sDH_PARAM *d_param, unsigned int key_index) - * ISP: int isp_dh_generate_keypair_userparam_securestorage(struct sDH_PARAM *i_dh_param, unsigned int dh_param_index); - */ -/* - * The function generates GX (G^X mod P) which is pubkey in dh_param with given G, P - * X will be generate and will be protected inside slot in SE - * X have to be removed by using hal_remove_key() - */ -EXPORT_API int hal_dh_generate_param(_IN_ uint32_t dh_idx, _INOUT_ hal_dh_data *dh_param); - -/* - * Reference - * Desc: Get shared secret - * Artik SEE API: - - * TizenRT SEE API: int see_compute_dhm_param(struct sDH_PARAM *d_param, unsigned int key_index, unsigned char *output, unsigned int *olen) - * ISP: int isp_dh_compute_shared_secret_securekey(unsigned char *shared_secret, unsigned int *shared_secret_byte_len, struct sDH_PARAM dh_publickey, unsigned int key_index); - */ -EXPORT_API int hal_dh_compute_shared_secret(_IN_ hal_dh_data *dh_param, _IN_ uint32_t dh_idx, _OUT_ hal_data *shared_secret); - -/* - * Reference - * Desc: Get ECDH shared secret - * Artik SEE API: - - * TizenRT SEE API: int see_compute_ecdh_param(struct sECC_KEY *ecc_pub, unsigned int key_index, unsigned char *output, unsigned int *olen) - * ISP: int isp_compute_ecdh_securekey(unsigned char *shared_secret, unsigned int *shared_secret_byte_len, struct sECC_KEY ecc_publickey, unsigned int key_index); - * NOTE: pubkey denotes a public key from the target which tries to share a secret - */ -EXPORT_API int hal_ecdh_compute_shared_secret(_IN_ hal_ecdh_data *ecdh_mode, _IN_ uint32_t key_idx, _OUT_ hal_data *shared_secret); - -/* - * Reference - * Desc: Set certificate in secure storage - * Artik SEE API: - - * TizenRT SEE API: int see_set_certificate(unsigned char *cert, unsigned int cert_len, unsigned int cert_index, unsigned int cert_type) - * ISP: int isp_write_cert(unsigned char *data, unsigned int data_byte_len, unsigned int index) - * NOTE: When cert_in consists of chains, cert_in->data represents the last certificate, and then, cert_in->priv denotes the next chain formatted hal_data. - * (Root CA has to be the end of hal_data) - */ -EXPORT_API int hal_set_certificate(_IN_ uint32_t cert_idx, _IN_ hal_data *cert_in); - -/* - * Reference - * Desc: Get certificate in secure storage - * Artik SEE API: - - * TizenRT SEE API: int see_get_certificate(unsigned char *cert, unsigned int *cert_len, unsigned int cert_index, unsigned int cert_type) - * ISP: int isp_read_cert(unsigned char *data, unsigned int *data_byte_len, unsigned int index); - * NOTE: When cert_out consists of chains, cert_out->data represents the last certificate, and then, cert_out->priv denotes the next chain formatted hal_data. - * (Root CA has to be the end of hal_data) - */ -EXPORT_API int hal_get_certificate(_IN_ uint32_t cert_idx, _OUT_ hal_data *cert_out); -/* - * Reference - * Desc: Remove certificate in secure storage - * Artik SEE API: - - * TizenRT SEE API: - - * ISP: - - */ -EXPORT_API int hal_remove_certificate(_IN_ uint32_t cert_idx); - -EXPORT_API int hal_get_factorykey_data(_IN_ uint32_t key_idx, _IN_ hal_data *data); // old api -/* - * Reference - * Desc: Get factory key - * Artik SEE API: - - * TizenRT SEE API: int see_get_publickey(unsigned char *key_der, unsigned int *key_len) - * ISP: int isp_get_factorykey_data(unsigned char *data, unsigned int *data_byte_len, unsigned int data_id); - */ - -EXPORT_API int hal_get_factory_key(_IN_ uint32_t key_idx, _IN_ hal_data *key); -/* - * Reference - * Desc: Get factory cert - * Artik SEE API: - - * TizenRT SEE API: - * ISP: int isp_get_factorykey2_data(unsigned char *data, unsigned int *data_byte_len, unsigned int data_id); - */ -EXPORT_API int hal_get_factory_cert(_IN_ uint32_t cert_idx, _IN_ hal_data *cert); - -/* - * Reference - * Desc: Get factory data - * Artik SEE API: - - * TizenRT SEE API: - * ISP: int isp_get_factorykey2_data(unsigned char *data, unsigned int *data_byte_len, unsigned int data_id); - */ -EXPORT_API int hal_get_factory_data(_IN_ uint32_t data_idx, _IN_ hal_data *data); - - -/** - * Crypto - */ - -/* - * Reference - * Desc: Encrypt data using AES - * Artik SEE API: - - * TizenRT SEE API: int see_aes_encrypt(unsigned int key_index, struct sAES_PARAM *aes_param) - * ISP: int isp_aes_encrypt_securekey(struct sAES_PARAM *aes_param, unsigned int key_index) - */ -EXPORT_API int hal_aes_encrypt(_IN_ hal_data *dec_data, _IN_ hal_aes_param *aes_param, _IN_ uint32_t key_idx, _OUT_ hal_data *enc_data); - -/* - * Reference - * Desc: Decrypt data using AES - * Artik SEE API: - - * TizenRT SEE API: int see_aes_decrypt(unsigned int key_index, struct sAES_PARAM *aes_param) - * ISP: int isp_aes_decrypt_securekey(struct sAES_PARAM *aes_param, unsigned int key_index) - */ -EXPORT_API int hal_aes_decrypt(_IN_ hal_data *enc_data, _IN_ hal_aes_param *aes_param, _IN_ uint32_t key_idx, _OUT_ hal_data *dec_data); - -/* - * Reference - * Desc: Encrypt data using RSA - * Artik SEE API: - - * TizenRT SEE API: int see_rsa_encryption(unsigned int key_index, unsigned int pad_type, unsigned char *output, unsigned int *outlen, unsigned char *input, unsigned int inlen) - * ISP: int isp_rsa_encrypt_securekey(unsigned char *output, unsigned int *output_byte_len, unsigned char *input, unsigned int input_byte_len, unsigned int key_index) - */ -EXPORT_API int hal_rsa_encrypt(_IN_ hal_data *dec_data, _IN_ hal_rsa_mode *mode, _IN_ uint32_t key_idx, _OUT_ hal_data *enc_data); - -/* - * Reference - * Desc: Decrypt data using RSA - * Artik SEE API: - - * TizenRT SEE API: - * ISP: - */ -EXPORT_API int hal_rsa_decrypt(_IN_ hal_data *enc_data, _IN_ hal_rsa_mode *mode, _IN_ uint32_t key_idx, _OUT_ hal_data *dec_data); - - -/** - * Secure Storage - */ - -/* - * Reference - * Desc: write data in secure storage of ss_idx - * Artik SEE API: - - * TizenRT SEE API: int see_read_secure_storage(unsigned char *data, unsigned int *data_len, unsigned index) - * ISP: int isp_read_storage(unsigned char *data, unsigned int *data_byte_len, unsigned int index) - */ -EXPORT_API int hal_write_storage(_IN_ uint32_t ss_idx, _IN_ hal_data *data); - -/* - * Reference - * Desc: Read data from secure storage of ss_idx - * Artik SEE API: - - * TizenRT SEE API: int see_read_secure_storage(unsigned char *data, unsigned int *data_len, unsigned index) - * ISP: int isp_read_storage(unsigned char *data, unsigned int *data_byte_len, unsigned int index) - */ -EXPORT_API int hal_read_storage(_IN_ uint32_t ss_idx, _OUT_ hal_data *data); - -/* - * Reference - * Desc: Delete data in secure storage of ss_idx - * Artik SEE API: - - * TizenRT SEE API: int see_read_secure_storage(unsigned char *data, unsigned int *data_len, unsigned index) - * ISP: int isp_read_storage(unsigned char *data, unsigned int *data_byte_len, unsigned int index) - */ -EXPORT_API int hal_delete_storage(_IN_ uint32_t ss_idx); - -// This method is dummy. - -EXPORT_API bool tizenkonaise(void); - - -#ifdef __cplusplus -} -#endif -#endif // _KONAISE_H_ - diff --git a/src/kse-backend/ksebackend.cpp b/src/kse-backend/ksebackend.cpp deleted file mode 100644 index e7e47a9..0000000 --- a/src/kse-backend/ksebackend.cpp +++ /dev/null @@ -1,55 +0,0 @@ -/****************************************************************** - * - * Copyright 2019 Samsung Electronics All Rights Reserved. - * - * Author: Dongsun Lee - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#include "ksebackend.h" -#include "ksebackendcontext.h" -#include "log.h" -#include - -#include "konaise.h" - -#define KSE_LIB_NAME "libkonaise.so" - -kse_backend::kse_backend() : - fKseInitOK(false), - fSoResolver(std::string(KSE_LIB_NAME)) -{ - initialize_kse(); - LOGD("Constructed KSE backend"); -} - -kse_backend::~kse_backend() { - LOGD("Destructed KSE backend"); -} - -void kse_backend::initialize_kse() { - if(fKseInitOK) - return; - - LOGD("Initializing KSE backend"); - - std::unique_lock locker(fKSEMutex); - - if(!fSoResolver.ensure_loaded()) { - LOGE("KSE framework init failure: Fail to load KSE library"); - fKseInitOK = false; - return; - } -} diff --git a/src/kse-backend/ksebackend.h b/src/kse-backend/ksebackend.h deleted file mode 100644 index bb50c0f..0000000 --- a/src/kse-backend/ksebackend.h +++ /dev/null @@ -1,48 +0,0 @@ -/****************************************************************** - * - * Copyright 2019 Samsung Electronics All Rights Reserved. - * - * Author: Dongsun Lee - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - - -#ifndef KSE_BACKEND_KSEBACKEND_H_ -#define KSE_BACKEND_KSEBACKEND_H_ - -#include "soresolver.h" -#include - - -class kse_backend -{ -public: - kse_backend(); - ~kse_backend(); - - inline so_resolver& get_so_resolver() { - return fSoResolver; - } - -private: - void initialize_kse(); - -private: - bool fKseInitOK; - std::mutex fKSEMutex; - so_resolver fSoResolver; -}; - -#endif /* KSE_BACKEND_KSEBACKEND_H_ */ diff --git a/src/kse-backend/ksebackendcontext.cpp b/src/kse-backend/ksebackendcontext.cpp deleted file mode 100644 index 1e538d6..0000000 --- a/src/kse-backend/ksebackendcontext.cpp +++ /dev/null @@ -1,215 +0,0 @@ -/****************************************************************** - * - * Copyright 2019-2020 Samsung Electronics All Rights Reserved. - * - * Author: Dongsun Lee - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#include "ksebackendcontext.h" -#include "log.h" -#include "konaise.h" -#include "cert_utils.h" - -#include -#include -#include - -#include - -#define PRIVATE_KEY_INDEX 1 -#define SUBCA_CERT_INDEX 2 -#define LEAF_CERT_INDEX 3 - -static int kse_get_certificate_key = 0; -static int kse_get_ecdsa_signature_key = 1; - -kse_backend_context::kse_backend_context(std::shared_ptr backend, const std::string& keyType) : - fBackendPtr(backend) -{ - LOGD("Created new KSE with key " << keyType); - - if(keyType.empty() || keyType == "ECDSA") { - fKeyType = CRYPTO_KEY_TYPE_ECDSA; - } else { - throw std::invalid_argument("Unsupported key type"); - } - - LOGD("Created new KSE context at " << this); -} - -kse_backend_context::~kse_backend_context() -{ - LOGD("Deleting KSE context " << this); -} - -int kse_backend_context::get_certificate(unsigned int index, std::string& outcert) -{ - hal_data cert = {NULL, 0, NULL}; - const char *method_name = "hal_get_certificate"; - - auto backend = fBackendPtr.lock(); - if(!backend) { - LOGE("Unable to acquire backend pointer"); - return -EINVAL; - } - - auto& resolver(backend->get_so_resolver()); - int error = 0; - try { - error = resolver.invoke(&kse_get_certificate_key, - method_name, index, &cert); - } catch(...) { - LOGE("KSE: Got exception when calling resolver.invoke"); - throw; - } - - if(error != 0) { - LOGE("Failed to get certificate. error=" << error); - return -EINVAL; - } - - LOGD("KSE: Got certificate with " << cert.data_len << " bytes and index " << index); - try { - outcert.assign((const char *)cert.data, cert.data_len); - } catch(...) { - LOGE("KSE: Got exception when assigning data"); - free(cert.data); - throw; - } - free(cert.data); - - return 0; -} - -int kse_backend_context::request_certificate_chain(std::string& mutable_chain) -{ - LOGD("KSE : Request certificate chain"); - - std::string leaf_cert; - std::string subca_cert; - - int error = 0; - - if((error = get_certificate(LEAF_CERT_INDEX, leaf_cert))) - return error; - if((error = get_certificate(SUBCA_CERT_INDEX, subca_cert))) - return error; - - x509_crt_rewriter cert_writer; - if((error = cert_writer.parse(reinterpret_cast(leaf_cert.c_str()), - leaf_cert.length()+1))) { - return error; - } - if((error = cert_writer.parse(reinterpret_cast(subca_cert.c_str()), - subca_cert.length()+1))) { - return error; - } - cert_writer.sort_chain(); - - mutable_chain.append(cert_writer.emit_pem()); - - LOGD("Requested certificate in " << this); - - return 0; -} - -hal_hash_type _get_hal_hash_type(MessageDigestType digestType) { - switch(digestType) { - case MD_MD5: return HAL_HASH_MD5; - case MD_SHA1: return HAL_HASH_SHA1; - case MD_SHA224: return HAL_HASH_SHA224; - case MD_SHA256: return HAL_HASH_SHA256; - case MD_SHA384: return HAL_HASH_SHA384; - case MD_SHA512: return HAL_HASH_SHA512; - case MD_NONE: - case MD_MD2: - case MD_MD4: - case MD_RIPEMD160: - default: return HAL_HASH_UNKNOWN; - } -} - -int kse_backend_context::sign_crypto_data(MessageDigestType digestType, const std::string& dataToSign, - std::string& digestResult) -{ - hal_data hashed_data = {NULL, 0, NULL}; - hal_data signed_data = {NULL, 0, NULL}; - - hashed_data.data = (void *)dataToSign.c_str(); - hashed_data.data_len = dataToSign.size(); - - LOGD("KSE: Sign " << hashed_data.data_len << " bytes"); - - auto backend = fBackendPtr.lock(); - - if(!backend) { - LOGE("Unable to acquire backend pointer"); - return -EINVAL; - } - - auto& resolver(backend->get_so_resolver()); - - try { - std::string hex; - boost::algorithm::hex((const unsigned char *)hashed_data.data, - (const unsigned char *)hashed_data.data + hashed_data.data_len, - std::back_inserter(hex)); - LOGD("Hashed data is " << hex); - } catch(...) { - } - - const char *method_name = "hal_ecdsa_sign_md"; - hal_ecdsa_mode mode = {HAL_ECDSA_SEC_P256R1, _get_hal_hash_type(digestType)}; - - int error = resolver.invoke( - &kse_get_ecdsa_signature_key, method_name, - &hashed_data, PRIVATE_KEY_INDEX, &mode, &signed_data); - - if(error != 0) { - char buffer[256]; - mbedtls_strerror(error, buffer, sizeof(buffer)); - LOGE("Unable to generate ECDSA signature in " << this << " (" << error << ") : " << std::string(buffer)); - - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - - LOGD("Signature length is " << signed_data.data_len); - - try { - std::string hex; - boost::algorithm::hex((const unsigned char *)signed_data.data, - (const unsigned char *)signed_data.data + signed_data.data_len, - std::back_inserter(hex)); - LOGD("Hex signature is " << hex); - } catch(...) { - } - LOGD("KSE: Generated ECDSA signature"); - - digestResult.assign((const char *)signed_data.data, signed_data.data_len); - - free(signed_data.data); - return 0; -} - -CryptoKeyType kse_backend_context::key_type() -{ - return fKeyType; -} - -unsigned int kse_backend_context::key_length() -{ - return 256; -} diff --git a/src/kse-backend/ksebackendcontext.h b/src/kse-backend/ksebackendcontext.h deleted file mode 100644 index de00c31..0000000 --- a/src/kse-backend/ksebackendcontext.h +++ /dev/null @@ -1,50 +0,0 @@ -/****************************************************************** - * - * Copyright 2019 Samsung Electronics All Rights Reserved. - * - * Author: Dongsun Lee - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#ifndef KSE_BACKEND_KSEBACKENDCONTEXT_H_ -#define KSE_BACKEND_KSEBACKENDCONTEXT_H_ - -#include "ksebackend.h" -#include - -class kse_backend_context -{ -public: - kse_backend_context(std::shared_ptr backend, const std::string& keyType); - ~kse_backend_context(); - - int request_certificate_chain(std::string& mutable_chain); - - int sign_crypto_data(MessageDigestType digestType, const std::string& dataToSign, - std::string& digestResult); - - CryptoKeyType key_type(); - - unsigned int key_length(); - -private: - int get_certificate(unsigned int index, std::string& cert); - -private: - CryptoKeyType fKeyType; - std::weak_ptr fBackendPtr; -}; - -#endif /* KSE_BACKEND_KSEBACKENDCONTEXT_H_ */ diff --git a/src/kse-backend/soresolver.cpp b/src/kse-backend/soresolver.cpp deleted file mode 100644 index 8e60e3b..0000000 --- a/src/kse-backend/soresolver.cpp +++ /dev/null @@ -1,105 +0,0 @@ -/****************************************************************** - * - * Copyright 2017 - 2019 Samsung Electronics All Rights Reserved. - * - * Author: Jaroslaw Pelczar - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#include "soresolver.h" -#include "log.h" -#include -#include - -so_resolver::so_resolver(const std::string& libraryName) : - fLibraryName(libraryName), - fLibraryHandle(nullptr) -{ -} - -so_resolver::~so_resolver() -{ - if(fLibraryHandle.load(std::memory_order_relaxed)) { - LOGD("Unloading library " << fLibraryName); - dlclose(fLibraryHandle.exchange(nullptr, std::memory_order_relaxed)); - LOGD("Unloaded library " << fLibraryName); - } -} - -void * so_resolver::resolve_function(const int * key_ptr, const char * name) noexcept -{ - std::unique_lock locker(fCacheLock); - - if(key_ptr) { - auto it = fCache.find(key_ptr); - - if(it != fCache.end()) - return it->second; - } - - void * handle = fLibraryHandle.load(std::memory_order_relaxed); - - if(handle) { - LOGD("Resolving symbol " << name << " from " << fLibraryName); - void * sym = dlsym(handle, name); - if(!sym) { - LOGE("Unable to resolve symbol " << name << " from " << fLibraryName << ": Error is " << dlerror()); - } else { - try { - if(key_ptr) { - fCache.emplace(key_ptr, sym); - } - } catch(...) { - LOGE("Problem with updating symbol cache!!"); - sym = nullptr; - } - } - return sym; - } - - LOGE("Trying to resolve symbol " << name << " from not loaded library " << fLibraryName); - - return nullptr; -} - -bool so_resolver::ensure_loaded() noexcept -{ - std::unique_lock locker(fCacheLock); - - void * handle = fLibraryHandle.load(std::memory_order_acquire); - - if(handle) - return true; - - LOGD("Loading library " << fLibraryName); - - handle = dlopen(fLibraryName.c_str(), RTLD_LAZY | RTLD_LOCAL); - - if(!handle) { - LOGE("Unable to load library " << fLibraryName << ": " << dlerror()); - return false; - } - - LOGD("Library loaded " << fLibraryName); - - void * expectedValue = nullptr; - - if(!fLibraryHandle.compare_exchange_strong(expectedValue, handle, std::memory_order_release)) { - // Someone else have opened the library - dlclose(handle); - } - - return true; -} diff --git a/src/kse-backend/soresolver.h b/src/kse-backend/soresolver.h deleted file mode 100644 index f729404..0000000 --- a/src/kse-backend/soresolver.h +++ /dev/null @@ -1,55 +0,0 @@ -/****************************************************************** - * - * Copyright 2017 - 2019 Samsung Electronics All Rights Reserved. - * - * Author: Jaroslaw Pelczar - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#ifndef SORESOLVER_H_ -#define SORESOLVER_H_ - -#include -#include -#include -#include -#include -#include - -class so_resolver : public boost::noncopyable { -public: - so_resolver(const std::string& libraryName); - ~so_resolver(); - - bool ensure_loaded() noexcept; - void * resolve_function(const int * key_ptr, const char * name) noexcept; - - template ReturnValue invoke(const int * __key_ptr, const char * name, Args... args) { - typedef ReturnValue (* function_t)(Args...); - function_t func = (function_t)resolve_function(__key_ptr, name); - if(!func) { - throw std::runtime_error("Trying to call unresolved function"); - } - return func(args...); - } - -private: - std::string fLibraryName; - std::atomic fLibraryHandle; - std::mutex fCacheLock; - std::map fCache; -}; - -#endif /* SORESOLVER_H_ */ diff --git a/src/kse-backend/tools/CMakeLists.txt b/src/kse-backend/tools/CMakeLists.txt deleted file mode 100644 index d33ce32..0000000 --- a/src/kse-backend/tools/CMakeLists.txt +++ /dev/null @@ -1,36 +0,0 @@ -# Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# @file src/kse-backend/CMakeLists.txt -# @author Pawel Kowalski -# - -FIND_PACKAGE(PkgConfig REQUIRED) - -PKG_CHECK_MODULES(TOOL_DEPS REQUIRED dlog) -INCLUDE_DIRECTORIES(SYSTEM ${TOOL_DEPS_INCLUDE_DIRS}) -LINK_DIRECTORIES(${TOOL_DEPS_LIBRARY_DIRS}) - -INCLUDE_DIRECTORIES(../ ../../shared) - -SET(TARGET_TOOL "dcm_konaise_tool") -ADD_EXECUTABLE(${TARGET_TOOL} - konaise_tool.cpp - ../soresolver.cpp - ../../shared/log.cpp) - -TARGET_LINK_LIBRARIES(${TARGET_TOOL} ${TOOL_DEPS_LIBRARIES} dl) - -INSTALL(TARGETS ${TARGET_TOOL} - RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) diff --git a/src/kse-backend/tools/konaise_tool.cpp b/src/kse-backend/tools/konaise_tool.cpp deleted file mode 100644 index 6597969..0000000 --- a/src/kse-backend/tools/konaise_tool.cpp +++ /dev/null @@ -1,318 +0,0 @@ -/****************************************************************** - * - * Copyright 2019-2020 Samsung Electronics All Rights Reserved. - * - * Author: Dongsun Lee - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ******************************************************************/ - -#include -#include -#include -#include "soresolver.h" -#include "konaise.h" - -#define KSE_LIB_NAME "libkonaise.so" - -static int kse_cert_get = 0x00; -static int kse_cert_add = 0x01; -static int kse_key_get = 0x10; -static int kse_key_add = 0x11; -static int kse_key_del = 0x12; -static int kse_ec_sign = 0x21; -static int kse_ec_verify= 0x22; - - -class SEKonai { -public: - SEKonai(const std::string& libraryName) : - fSoResolver(libraryName) - { - loaded = fSoResolver.ensure_loaded(); - } - - ~SEKonai(){ - } - - bool is_loaded() { - return loaded; - } - - void get_cert(int idx, const std::string& fileName){ - hal_data cert = {NULL, 0, NULL}; - - const char *method_name = "hal_get_certificate"; - int error = fSoResolver.invoke(&kse_cert_get, - method_name, idx, &cert); - if(error == 0) { - write_file(fileName, cert); - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - } - - void get_key(hal_key_type key_type, int idx, const std::string& fileName) { - hal_data data = {NULL, 0, NULL}; - const char *method_name = "hal_get_key"; - int error = fSoResolver.invoke(&kse_key_get, - method_name, key_type, idx, &data); - if(error == 0) { - write_file(fileName, data); - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - } - - void add_cert(const std::string& fileName, int idx) { - hal_data *data = read_file(fileName); - const char *method_name = "hal_set_certificate"; - int error = fSoResolver.invoke(&kse_cert_add, - method_name, idx, data); - if(error == 0) { - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - free_hal_data(data); - } - - void add_key(const std::string& fileName, hal_key_type key_type, int idx, - const std::string& privFileName) { - hal_data *key = read_file(fileName); - hal_data *priKey = {0}; - if(privFileName.size() != 0) - priKey = read_file(privFileName); - const char *method_name = "hal_set_key"; - int error = fSoResolver.invoke( - &kse_key_add, method_name, key_type, idx, key, priKey); - if(error == 0) { - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - free_hal_data(key); - free_hal_data(priKey); - } - - void del_cert(int idx) { - const char *method_name = "hal_remove_certificate"; - int error = fSoResolver.invoke(&kse_key_del, method_name, idx); - if(error == 0) { - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - } - - void del_key(hal_key_type key_type, int idx) { - const char *method_name = "hal_remove_key"; - int error = fSoResolver.invoke(&kse_key_del, method_name, - key_type, idx); - if(error == 0) { - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - } - - void ec_sec_p256r1_sign(std::string hash_file, int key_idx, std::string sig_file) { - hal_data *hashed_data = read_file(hash_file); - hal_data signed_data = {NULL, 0, NULL}; - const char *method_name = "hal_ecdsa_sign_md"; - hal_ecdsa_mode mode = {HAL_ECDSA_SEC_P256R1, HAL_HASH_SHA256}; - int error = fSoResolver.invoke( - &kse_ec_sign, method_name, - hashed_data, key_idx, &mode, &signed_data); - if(error == 0) { - write_file(sig_file, signed_data); - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - free_hal_data(hashed_data); - free(signed_data.data); - } - - void ec_sec_p256r1_verify(std::string hash_file, int key_idx, std::string sig_file) { - // ec_sign hash_file key_index key_type sigfile(out) - hal_data *hashed_data = read_file(hash_file); - hal_data *signed_data = read_file(sig_file); - - const char *method_name = "hal_ecdsa_verify_md"; - hal_ecdsa_mode mode = {HAL_ECDSA_SEC_P256R1, HAL_HASH_SHA256}; - - int error = fSoResolver.invoke( - &kse_ec_verify, method_name, - mode, hashed_data, signed_data, key_idx); - if(error == 0) { - std::cout << "SUCCEEDED in " << method_name << "." << std::endl; - } else { - std::cout << "FAILED in " << method_name << ". ERROR=" << error << std::endl; - } - free_hal_data(hashed_data); - free_hal_data(signed_data); - } - - hal_key_type get_key_type(const std::string& keyType) { - if(keyType.compare("HAL_KEY_AES_128") == 0) return HAL_KEY_AES_128; - if(keyType.compare("HAL_KEY_AES_192") == 0) return HAL_KEY_AES_192; - if(keyType.compare("HAL_KEY_AES_256") == 0) return HAL_KEY_AES_256; - if(keyType.compare("HAL_KEY_RSA_1024") == 0) return HAL_KEY_RSA_1024; - if(keyType.compare("HAL_KEY_RSA_2048") == 0) return HAL_KEY_RSA_2048; - if(keyType.compare("HAL_KEY_RSA_3072") == 0) return HAL_KEY_RSA_3072; - if(keyType.compare("HAL_KEY_RSA_4096") == 0) return HAL_KEY_RSA_4096; - if(keyType.compare("HAL_KEY_ECC_BRAINPOOL_P256R1") == 0) return HAL_KEY_ECC_BRAINPOOL_P256R1; - if(keyType.compare("HAL_KEY_ECC_BRAINPOOL_P384R1") == 0) return HAL_KEY_ECC_BRAINPOOL_P384R1; - if(keyType.compare("HAL_KEY_ECC_BRAINPOOL_P512R1") == 0) return HAL_KEY_ECC_BRAINPOOL_P512R1; - if(keyType.compare("HAL_KEY_ECC_SEC_P256R1") == 0) return HAL_KEY_ECC_SEC_P256R1; - if(keyType.compare("HAL_KEY_ECC_SEC_P384R1") == 0) return HAL_KEY_ECC_SEC_P384R1; - if(keyType.compare("HAL_KEY_ECC_SEC_P512R1") == 0) return HAL_KEY_ECC_SEC_P512R1; - if(keyType.compare("HAL_KEY_HMAC_MD5") == 0) return HAL_KEY_HMAC_MD5; - if(keyType.compare("HAL_KEY_HMAC_SHA1") == 0) return HAL_KEY_HMAC_SHA1; - if(keyType.compare("HAL_KEY_HMAC_SHA224") == 0) return HAL_KEY_HMAC_SHA224; - if(keyType.compare("HAL_KEY_HMAC_SHA256") == 0) return HAL_KEY_HMAC_SHA256; - if(keyType.compare("HAL_KEY_HMAC_SHA384") == 0) return HAL_KEY_HMAC_SHA384; - if(keyType.compare("HAL_KEY_HMAC_SHA512") == 0) return HAL_KEY_HMAC_SHA512; - if(keyType.compare("HAL_KEY_DH_1024") == 0) return HAL_KEY_DH_1024; - if(keyType.compare("HAL_KEY_DH_2048") == 0) return HAL_KEY_DH_2048; - return HAL_KEY_UNKNOWN; - } - - std::string get_key_type_str(hal_key_type keyType) { - switch(keyType) { - case HAL_KEY_AES_128: return std::string("HAL_KEY_AES_128"); - case HAL_KEY_AES_192: return std::string("HAL_KEY_AES_192"); - case HAL_KEY_AES_256: return std::string("HAL_KEY_AES_256"); - case HAL_KEY_RSA_1024: return std::string("HAL_KEY_RSA_1024"); - case HAL_KEY_RSA_2048: return std::string("HAL_KEY_RSA_2048"); - case HAL_KEY_RSA_3072: return std::string("HAL_KEY_RSA_3072"); - case HAL_KEY_RSA_4096: return std::string("HAL_KEY_RSA_4096"); - case HAL_KEY_ECC_BRAINPOOL_P256R1: return std::string("HAL_KEY_ECC_BRAINPOOL_P256R1"); - case HAL_KEY_ECC_BRAINPOOL_P384R1: return std::string("HAL_KEY_ECC_BRAINPOOL_P384R1"); - case HAL_KEY_ECC_BRAINPOOL_P512R1: return std::string("HAL_KEY_ECC_BRAINPOOL_P512R1"); - case HAL_KEY_ECC_SEC_P256R1: return std::string("HAL_KEY_ECC_SEC_P256R1"); - case HAL_KEY_ECC_SEC_P384R1: return std::string("HAL_KEY_ECC_SEC_P384R1"); - case HAL_KEY_ECC_SEC_P512R1: return std::string("HAL_KEY_ECC_SEC_P512R1"); - case HAL_KEY_HMAC_MD5: return std::string("HAL_KEY_HMAC_MD5"); - case HAL_KEY_HMAC_SHA1: return std::string("HAL_KEY_HMAC_SHA1"); - case HAL_KEY_HMAC_SHA224: return std::string("HAL_KEY_HMAC_SHA224"); - case HAL_KEY_HMAC_SHA256: return std::string("HAL_KEY_HMAC_SHA256"); - case HAL_KEY_HMAC_SHA384: return std::string("HAL_KEY_HMAC_SHA384"); - case HAL_KEY_HMAC_SHA512: return std::string("HAL_KEY_HMAC_SHA512"); - case HAL_KEY_DH_1024: return std::string("HAL_KEY_DH_1024"); - case HAL_KEY_DH_2048: return std::string("HAL_KEY_DH_2048"); - default: return std::string("HAL_KEY_UNKNOWN"); - } - } - -private: - so_resolver fSoResolver; - bool loaded; - - void free_hal_data(hal_data *data) { - if(data == NULL) - return; - if(data->data != NULL) - free(data->data); - free(data); - } - - void write_file(const std::string& fileName, hal_data in) { - std::fstream outfile; - outfile = std::fstream(fileName, std::ios::out | std::ios::binary); - outfile.write((char*)in.data, in.data_len); - outfile.close(); - } - - hal_data* read_file(const std::string& fileName) { - if(fileName.size() == 0) - return NULL; - std::ifstream input(fileName, std::ios::binary); - std::vector buffer(std::istreambuf_iterator(input), {}); - unsigned char* data = (unsigned char*) malloc(buffer.size()); - for(unsigned int i = 0; i < buffer.size(); i++) - data[i] = buffer[i]; - hal_data *ret = (hal_data *) malloc(sizeof(hal_data)); - ret->data = data; - ret->data_len = buffer.size(); - ret->priv = NULL; - return ret; - } -}; - -void print_usage(char *prog_name) { - std::cout << prog_name << " command opt1 opt2 . . . " << std::endl; - std::cout << " example: " << prog_name << " get_cert index outfile" << std::endl; - std::cout << " example: " << prog_name << " add_cert infile index" << std::endl; - std::cout << " example: " << prog_name << " del_cert index" << std::endl; - std::cout << " example: " << prog_name << " get_key key_type index outfile" << std::endl; - std::cout << " example: " << prog_name << " add_key infile key_type index in_privfile"< 3) { - se.get_cert(std::stoi(argv[2]), std::string(argv[3])); - }else if((cmd.compare("add_cert") == 0) && argc > 3) { - se.add_cert(std::string(argv[2]), std::stoi(argv[3])); - }else if((cmd.compare("del_cert") == 0) && argc > 2) { - se.del_cert(std::stoi(argv[2])); - }else if((cmd.compare("get_key") == 0) && argc > 4) { - se.get_key(se.get_key_type(std::string(argv[2])), - std::stoi(argv[3]), std::string(argv[4])); - }else if((cmd.compare("add_key") == 0) && argc >= 5) { - char * priv_file = nullptr; - if(argc > 5) - priv_file = argv[5]; - se.add_key(std::string(argv[2]), se.get_key_type(std::string(argv[3])), - std::stoi(argv[4]), priv_file ? std::string(priv_file) : std::string()); - }else if((cmd.compare("del_key") == 0) && argc > 3) { - se.del_key(se.get_key_type(std::string(argv[2])), std::stoi(argv[3])); - }else if((cmd.compare("ec_sec_p256r1_sign") == 0) && argc > 4) { - se.ec_sec_p256r1_sign(std::string(argv[2]), std::stoi(argv[3]), - std::string(argv[4])); - }else if((cmd.compare("ec_sec_p256r1_verify") == 0) && argc > 4) { - se.ec_sec_p256r1_verify(std::string(argv[2]), std::stoi(argv[3]), - std::string(argv[4])); - }else { - print_usage(argv[0]); - return -1; - } - } catch (...) { - std::cout << "EXCEPTION OCCURRED!!" << std::endl; - return -1; - } - return 0; -} -- 2.7.4