From b80aa5c4a61b8648a97ba722adf138be7d9090e8 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
Date: Mon, 24 Jul 2023 12:59:40 +0200
Subject: [PATCH] Allow only symmetric key wraping/unwrapping

Change-Id: I36549b09d891d0d3e34667c71aa0294389441f76
---
 src/include/ckmc/ckmc-manager.h   |  3 ++-
 src/manager/service/ckm-logic.cpp | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h
index 35d021c..b911cb2 100644
--- a/src/include/ckmc/ckmc-manager.h
+++ b/src/include/ckmc/ckmc-manager.h
@@ -1106,7 +1106,7 @@ int ckmc_decrypt_data(ckmc_param_list_h params,
  *
  * @remarks The wrapping key must be either symmetric (#CKMC_KEY_AES) or private RSA
  *          (#CKMC_KEY_RSA_PRIVATE).
- * @remarks key_type in @a wrapped_key must not be set to #CKMC_KEY_NONE.
+ * @remarks key_type in @a wrapped_key can only be #CKMC_KEY_AES.
  * @remarks password in @a wrapped_key must be set to NULL. There's no need to additionally encrypt
  *          a wrapped key.
  * @remarks If password in @a policy is provided, the stored key is additionally encrypted with it.
@@ -1169,6 +1169,7 @@ int ckmc_import_wrapped_key(const ckmc_param_list_h params,
  * @remarks The wrapping key must be either symmetric (#CKMC_KEY_AES) or public RSA
  *          (#CKMC_KEY_RSA_PUBLIC).
  * @remarks The @a ppwrapped_key should be released using ckmc_key_free().
+ * @remarks The key denoted by @a wrapping_key_alias can only be #CKMC_KEY_AES.
  *
  * @param[in] params Algorithm parameter list handle. See #ckmc_param_list_h and #ckmc_algo_type_e
  *                   for details. Supported algorithms:
diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp
index ea59099..ae9a7ed 100644
--- a/src/manager/service/ckm-logic.cpp
+++ b/src/manager/service/ckm-logic.cpp
@@ -1585,6 +1585,11 @@ RawBuffer CKMLogic::importWrappedKey(
 	return SerializeMessage(msgId, tryRet([&] {
 		Crypto::GObjUPtr wrappingKey;
 
+		if (!keyType.isSymmetricKey()) {
+			LogError("Only symmetric key can be imported");
+			return CKM_API_ERROR_INPUT_PARAM;
+		}
+
 		auto [dbOp, digest, retCode] = beginSaveAndGetHash(cred, keyName, keyOwner);
 		if (retCode != CKM_API_SUCCESS)
 			return retCode;
@@ -1638,6 +1643,11 @@ RawBuffer CKMLogic::exportWrappedKey(
 		if (retCode2 != CKM_API_SUCCESS)
 			return retCode2;
 
+		if (!wrappedKeyType.isSymmetricKey()) {
+			LogError("Only symmetric key can be exported");
+			return CKM_API_ERROR_INPUT_PARAM;
+		}
+
 		wrappedKey = wrappingKey->wrap(params, wrappedKeyRow, keyPassword);
 
 		return retCode2;
-- 
2.7.4