From e5e420157aaca68897300554b533ecdf6b852066 Mon Sep 17 00:00:00 2001 From: Sungbae Yoo Date: Mon, 7 Nov 2016 18:14:02 +0900 Subject: [PATCH] Add key-manager to manage device key and password Signed-off-by: Sungbae Yoo Change-Id: I75c5a6c9722c183db36fde2936b71351dad331cf --- server/CMakeLists.txt | 3 +- server/external-encryption.cpp | 3 +- server/internal-encryption.cpp | 3 +- server/key-manager/key-generator.cpp | 3 +- server/key-manager/key-generator.h | 5 +- server/key-manager/key-manager.cpp | 104 ++++++++++++++++++ server/key-manager/key-manager.h | 51 +++++++++ .../{keystore.cpp => key-store.cpp} | 41 ++++++- .../key-manager/{keystore.h => key-store.h} | 21 ++-- 9 files changed, 214 insertions(+), 20 deletions(-) create mode 100644 server/key-manager/key-manager.cpp create mode 100644 server/key-manager/key-manager.h rename server/key-manager/{keystore.cpp => key-store.cpp} (62%) rename server/key-manager/{keystore.h => key-store.h} (79%) diff --git a/server/CMakeLists.txt b/server/CMakeLists.txt index 1560574..6a6f5c3 100644 --- a/server/CMakeLists.txt +++ b/server/CMakeLists.txt @@ -21,7 +21,8 @@ SET(SERVER_SRCS main.cpp engine/ext4-engine.cpp engine/dmcrypt-engine.cpp engine/ecryptfs-engine.cpp - key-manager/keystore.cpp + key-manager/key-store.cpp + key-manager/key-manager.cpp key-manager/key-generator.cpp ) diff --git a/server/external-encryption.cpp b/server/external-encryption.cpp index e538119..a9e3800 100644 --- a/server/external-encryption.cpp +++ b/server/external-encryption.cpp @@ -17,8 +17,7 @@ #include #include "engine/ecryptfs-engine.h" -#include "key-manager/keystore.h" -#include "key-manager/key-generator.h" +#include "key-manager/key-manager.h" #include "rmi/external-encryption.h" diff --git a/server/internal-encryption.cpp b/server/internal-encryption.cpp index a4956e3..6978dfc 100644 --- a/server/internal-encryption.cpp +++ b/server/internal-encryption.cpp 
@@ -17,8 +17,7 @@ #include #include "engine/dmcrypt-engine.h" -#include "key-manager/keystore.h" -#include "key-manager/key-generator.h" +#include "key-manager/key-manager.h" #include "rmi/internal-encryption.h" diff --git a/server/key-manager/key-generator.cpp b/server/key-manager/key-generator.cpp index ccb5934..aad4128 100644 --- a/server/key-manager/key-generator.cpp +++ b/server/key-manager/key-generator.cpp @@ -22,7 +22,8 @@ namespace ode { -KeyGenerator::KeyGenerator() +KeyGenerator::KeyGenerator(int size) : + keySize(size) { } diff --git a/server/key-manager/key-generator.h b/server/key-manager/key-generator.h index 5a1a4b6..b5b0d1a 100644 --- a/server/key-manager/key-generator.h +++ b/server/key-manager/key-generator.h @@ -23,7 +23,7 @@ namespace ode { class KeyGenerator final { public: - KeyGenerator(); + KeyGenerator(int size); KeyGenerator(const KeyGenerator&) = delete; KeyGenerator(KeyGenerator&&) = delete; ~KeyGenerator(); @@ -37,6 +37,9 @@ public: const data AES(const data& in1, const data& in2); const data HMAC(const data& original, const data& key); const data RNG(); + +private: + int keySize; }; } // namespace ode diff --git a/server/key-manager/key-manager.cpp b/server/key-manager/key-manager.cpp new file mode 100644 index 0000000..6333c4a --- /dev/null +++ b/server/key-manager/key-manager.cpp 
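Review bot: The new constructor `KeyGenerator(int size)` takes a signed `int` and is not `explicit`, while its only caller in this patch passes `store.getKeySize()`, which returns `size_t`. The value is therefore narrowed silently, and a negative key size becomes representable. Declare it `explicit KeyGenerator(size_t size);` and make the member `size_t keySize;` in key-generator.h, with the matching signature in key-generator.cpp. None of the hunks show `keySize` being read by `PBKDF`, `AES`, `HMAC` or `RNG`, so confirm those functions size their output from it rather than from a separate constant.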
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#include "key-manager.h"
+
+namespace ode {
+
+KeyManager::KeyManager(const std::string& storeName) :
+ store(storeName), keyGen(store.getKeySize())
+{
+}
+
+KeyManager::~KeyManager()
+{
+}
+
+bool KeyManager::isInitialized()
+{
+ return store.isInitialized();
+}
+
+void KeyManager::initPassword(const KeyManager::data& password)
+{
+ data salt, edk, emk;
+ data mk, dek;
+
+ salt = keyGen.RNG();
+ mk = keyGen.PBKDF(password, salt);
+ dek = keyGen.RNG();
+
+ edk = keyGen.AES(dek, mk);
+ emk = keyGen.HMAC(mk, edk);
+
+ store.setSalt(salt);
+ store.setEDK(edk);
+ store.setEMK(emk);
+}
+
+void KeyManager::changePassword(const KeyManager::data& old_password,
+ const KeyManager::data& new_password)
+{
+ data salt, edk, emk;
+ data mk, dek;
+
+ salt = store.getSalt();
+ edk = store.getEDK();
+
+ mk = keyGen.PBKDF(old_password, salt);
+ dek = keyGen.AES(edk, mk);
+
+ salt = keyGen.RNG();
+ mk = keyGen.PBKDF(new_password, salt);
+ edk = keyGen.AES(dek, mk);
+ emk = keyGen.HMAC(mk, edk);
+
+ store.setSalt(salt);
+ store.setEDK(edk);
+ store.setEMK(emk);
+}
+
+bool KeyManager::verifyPassword(const KeyManager::data& password)
+{
+ data salt, edk, emk;
+ data mk;
+
+ salt = store.getSalt();
+ edk = store.getEDK();
+ emk = store.getEMK();
+
+ mk = keyGen.PBKDF(password, salt);
+
+ if (emk == keyGen.HMAC(mk, edk)) {
+ return true;
+ } else {
+ return false;
+ }
+}
+
+KeyManager::data KeyManager::getDEK(const KeyManager::data& password)
+{
+ data salt, edk;
+ data mk;
+
+ salt = store.getSalt();
+ edk = store.getEDK();
+
+ mk = keyGen.PBKDF(password, salt);
+
+ return keyGen.AES(edk, mk);
+}
+
+} // namespace ode
diff --git a/server/key-manager/key-manager.h b/server/key-manager/key-manager.h
new file mode 100644
index 0000000..299de31
--- /dev/null
+++ b/server/key-manager/key-manager.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#ifndef __KEY_MANAGER_H__
+#define __KEY_MANAGER_H__
+
+#include "key-store.h"
+#include "key-generator.h"
+
+namespace ode {
+
+class KeyManager final {
+public:
+ KeyManager(const std::string& storeName);
+ KeyManager(const KeyManager&) = delete;
+ KeyManager(KeyManager&&) = delete;
+ ~KeyManager();
+
+ KeyManager& operator=(const KeyManager&) = delete;
+ KeyManager& operator=(KeyManager&&) = delete;
+
+ typedef std::vector data;
+
+ bool isInitialized();
+
+ void initPassword(const data& password);
+ void changePassword(const data& old_password, const data& new_password);
+ bool verifyPassword(const data& password);
+ data getDEK(const data& password);
+
+private:
+ KeyStore store;
+ KeyGenerator keyGen;
+};
+
+} // namespace ode
+
+#endif // __KEY_MANAGER_H__
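Review bot: In key-manager.cpp, `changePassword` unwraps the DEK with a key derived from `old_password` without ever checking that password. Unless `KeyGenerator::AES` itself fails on a wrong key (its body is not in this patch), a wrong old password yields a garbage `dek` that is re-wrapped and written over the stored salt, EDK and EMK, so the real data key is lost. Gate the function before anything is derived or stored, e.g. `if (!verifyPassword(old_password))` followed by this module's usual error path (the error type is not visible here). `getDEK` has the same gap and would hand a meaningless key to its caller. Two smaller points in the same file: `verifyPassword` compares the HMAC tag with the vector `operator==`, which is not a constant-time comparison, and `mk`/`dek` sit in ordinary vectors that are never wiped before they go out of scope.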
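Review bot: In key-manager.h, the constructor initializer `keyGen(store.getKeySize())` from key-manager.cpp is only valid because `store` is declared before `keyGen`, since members are initialized in declaration order. Swapping the two declarations would call `getKeySize()` on an unconstructed `KeyStore`. Put a comment on the members, for example `// store must stay declared before keyGen: keyGen is built from store.getKeySize()`. The single-argument constructor should also be `explicit KeyManager(const std::string& storeName);`. The header names `std::string` and `std::vector` without including `<string>` and `<vector>` itself, apparently relying on key-store.h to pull them in.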
diff --git a/server/key-manager/keystore.cpp b/server/key-manager/key-store.cpp similarity index 62% rename from server/key-manager/keystore.cpp rename to server/key-manager/key-store.cpp index 20de6de..98b9d52 100644 --- a/server/key-manager/keystore.cpp +++ b/server/key-manager/key-store.cpp @@ -16,12 +16,15 @@ #include #include -#include "keystore.h" +#include "key-store.h" + +#define FOOTER_FILE_PATH "/opt/etc/.ode_footer" +#define KEY_SIZE (256 / 8) namespace ode { KeyStore::KeyStore(const std::string& name) : - file(name) + file(FOOTER_FILE_PATH) { } @@ -29,7 +32,19 @@ KeyStore::~KeyStore() { } -KeyStore::data KeyStore::getEncryptedDeviceKey() +size_t KeyStore::getKeySize() const +{ + return KEY_SIZE; +} + +bool KeyStore::isInitialized() +{ + //TODO + + return false; +} + +KeyStore::data KeyStore::getEDK() { data ret; @@ -38,7 +53,7 @@ KeyStore::data KeyStore::getEncryptedDeviceKey() return ret; } -KeyStore::data KeyStore::getEncryptedMasterKey() +KeyStore::data KeyStore::getEMK() { data ret; @@ -47,12 +62,26 @@ KeyStore::data KeyStore::getEncryptedMasterKey() return ret; } -void KeyStore::setEncryptedDeviceKey(const KeyStore::data& key) +KeyStore::data KeyStore::getSalt() +{ + data ret; + + //TODO + + return ret; +} + +void KeyStore::setEDK(const KeyStore::data& key) +{ + //TODO +} + +void KeyStore::setEMK(const KeyStore::data& key) { //TODO } -void KeyStore::setEncryptedMasterKey(const KeyStore::data& key) +void KeyStore::setSalt(const KeyStore::data& key) { //TODO } diff --git a/server/key-manager/keystore.h b/server/key-manager/key-store.h similarity index 79% rename from server/key-manager/keystore.h rename to server/key-manager/key-store.h index d6d0e5e..125accd 100644 --- a/server/key-manager/keystore.h +++ b/server/key-manager/key-store.h @@ -14,8 +14,8 @@ * limitations under the License */ -#ifndef __KEY_STORAGE_H__ -#define __KEY_STORAGE_H__ +#ifndef __KEY_STORE_H__ +#define __KEY_STORE_H__ #include #include 
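Review bot: The `KeyStore` constructor in key-store.cpp now initializes `file(FOOTER_FILE_PATH)` and ignores its `name` argument, so every `KeyManager(storeName)` ends up on the same `/opt/etc/.ode_footer` whichever store it asked for. Both external-encryption.cpp and internal-encryption.cpp switch to key-manager.h in this commit; if each creates its own manager, their salt, EDK and EMK would overwrite one another once the setters are implemented. Either derive the path from `name`, or drop the parameter from `KeyStore` and `KeyManager` so the sharing is explicit. The file is meant to hold wrapped key material, so the code that eventually writes it should create it with owner-only permissions; nothing in this patch sets a mode.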
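Review bot: `KeyStore::isInitialized()` is a stub that always returns `false`, and in the last hunk of key-store.cpp `getSalt()` returns an empty buffer while `setEDK`, `setEMK` and `setSalt` are empty `//TODO` bodies. As a result `KeyManager::initPassword` completes without persisting anything, and `verifyPassword` and `getDEK` derive keys from an empty salt and what appears to be an empty EDK. Until the footer I/O exists, make these stubs report "not implemented" through the project's error mechanism rather than succeeding silently, so a caller cannot mistake a discarded key for a stored one. The `setSalt` parameter should also be named `salt` rather than `key`.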
@@ -34,18 +34,25 @@ public: KeyStore& operator=(const KeyStore&) = delete; KeyStore& operator=(KeyStore&&) = delete; + size_t getKeySize() const; + + bool isInitialized(); + typedef std::vector data; - data getEncryptedDeviceKey(); - data getEncryptedMasterKey(); + data getEDK(); + data getEMK(); + data getSalt(); - void setEncryptedDeviceKey(const data& key); - void setEncryptedMasterKey(const data& key); + void setEDK(const data& key); + void setEMK(const data& key); + void setSalt(const data& key); private: runtime::File file; + int index; }; } // namespace ode -#endif // __KEY_STORAGE_H__ +#endif // __KEY_STORE_H__ -- 2.34.1
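Review bot: The new private member `int index;` in key-store.h is not initialized anywhere in this patch: the `KeyStore` constructor's initializer list in key-store.cpp sets only `file`, and no hunk reads or writes `index`. Give it a default at the declaration, `int index = 0;` (or whatever sentinel the footer layout calls for), or leave it out until the code that uses it lands. `isInitialized()` and the three getters look like read-only queries and could be declared `const` alongside `getKeySize() const`, though that depends on whether reads through `runtime::File` are const, which is not visible here. The class body starts above this hunk.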