--- /dev/null
+/*
+ * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include <generic-backend/exception.h>
+#include <tz-backend/ctx.h>
+#include <tz-backend/internals.h>
+
+namespace CKM {
+namespace Crypto {
+
+void CipherCtx::customize(const CryptoAlgorithm& algo)
+{
+ RawBuffer aad;
+ if (!algo.getParam(ParamName::ED_AAD, aad))
+ ThrowErr(Exc::InputParam, "Missing AAD");
+
+ Internals::addAAD(m_opId, aad);
+}
+
+RawBuffer CipherCtx::update(const RawBuffer& input)
+{
+ return Internals::updateCipher(input);
+}
+
+RawBuffer CipherCtx::finalize(const RawBuffer& input)
+{
+ /*
+ * It is assumed that finalize for GCM encryption will return the GCM tag only.
+ * In case of GCM decryption the tag will be passed as finalizeCipher argument.
+ */
+ return Internals::finalizeCipher(input);
+}
+
+} // namespace Crypto
+} // namespace CKM
--- /dev/null
+/*
+ * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+#pragma once
+
+#include <generic-backend/gctx.h>
+#include <ckm/ckm-type.h>
+
+namespace CKM {
+namespace Crypto {
+
+class CipherCtx : public GCtx {
+public:
+ explicit CipherCtx(uint32_t opId) : m_opId(opId) {}
+
+ void customize(const CryptoAlgorithm& algo) override;
+ RawBuffer update(const RawBuffer& input) override;
+ RawBuffer finalize(const RawBuffer& input) override;
+
+private:
+ uint32_t m_opId;
+};
+
+} // namespace Crypto
+} // namespace CKM
"Incorrect algorithm provided for asymmetric crypto operation");
}
+uint32_t initCipher(const RawBuffer &key,
+ const Pwd &pwd,
+ const CryptoAlgorithm &alg,
+ bool encrypt)
+{
+ AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE);
+
+ switch (algo)
+ {
+ case AlgoType::AES_GCM: {
+ int tagSizeBits = Params::DEFAULT_AES_GCM_TAG_LEN_BITS;
+ alg.getParam(ParamName::ED_TAG_LEN, tagSizeBits);
+ RawBuffer aad;
+ alg.getParam(ParamName::ED_AAD, aad);
+ return TrustZoneContext::Instance().initGcmCipher(encrypt ? CIPHER_ENCRYPT : CIPHER_DECRYPT,
+ key,
+ pwd,
+ unpack<RawBuffer>(alg, ParamName::ED_IV),
+ tagSizeBits,
+ aad);
+ }
+ case AlgoType::AES_CBC:
+ case AlgoType::AES_CTR:
+ case AlgoType::AES_CFB:
+ // TODO optionally implement above modes as well
+ default:
+ break;
+ };
+
+ ThrowErr(Exc::Crypto::OperationNotSupported,
+ "Incorrect algorithm provided for symmetric crypto operation");
+}
+
+void addAAD(uint32_t opId,
+ const RawBuffer &aad)
+{
+ TrustZoneContext::Instance().addGcmAAD(opId, aad);
+}
+
+RawBuffer updateCipher(uint32_t opId,
+ const RawBuffer &data)
+{
+ return TrustZoneContext::Instance().updateGcmCipher(opId, data);
+}
+
+RawBuffer finalizeCipher(uint32_t opId,
+ const RawBuffer &data)
+{
+ return TrustZoneContext::Instance().finalizeGcmCipher(opId, data);
+}
+
RawBuffer sign(const RawBuffer &pkey,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &data,
const RawBuffer &aad = RawBuffer());
+uint32_t initCipher(const RawBuffer &key,
+ const Pwd &pwd,
+ const CryptoAlgorithm &alg,
+ bool encrypt);
+
+void addAAD(uint32_t opId,
+ const RawBuffer &aad);
+
+RawBuffer updateCipher(uint32_t opId,
+ const RawBuffer &data);
+
+RawBuffer finalizeCipher(uint32_t opId,
+ const RawBuffer &data);
+
RawBuffer sign(const RawBuffer &pkey,
const Pwd &pwd,
const CryptoAlgorithm &alg,
* @author Lukasz Kostyra (l.kostyra@samsung.com)
* @version 1.0
*/
+#include <memory>
+#include <utility>
#include <generic-backend/exception.h>
#include <generic-backend/algo-validation.h>
#include <tz-backend/obj.h>
+#include <tz-backend/ctx.h>
#include <tz-backend/store.h>
#include <tz-backend/internals.h>
return Internals::symmetricDecrypt(getBinary(), getPassword(), alg, cipher);
}
+GCtxShPtr SKey::initContext(const CryptoAlgorithm &alg, bool onward)
+{
+ auto opId = Internals::initCipher(getBinary(), getPassword(), alg, onward);
+
+ return std::make_shared<CipherCtx>(opId);
+}
+
RawBuffer AKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data)
{
return Internals::asymmetricEncrypt(getBinary(), getPassword(), alg, data);
return Token(backendId(), DataType::BINARY_DATA, Store::pack(hash, pass, iv, tag));
}
+GCtxShPtr AKey::initContext(const CryptoAlgorithm &, bool)
+{
+ ThrowErr(Exc::Crypto::OperationNotSupported);
+}
+
RawBuffer AKey::sign(
const CryptoAlgorithm &alg,
const RawBuffer &message)
#include <generic-backend/gobj.h>
#include <generic-backend/gstore.h>
+#include <generic-backend/gctx.h>
#include <data-type.h>
namespace CKM {
RawBuffer encrypt(const CryptoAlgorithm &, const RawBuffer &) override;
RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override;
+ GCtxShPtr initContext(const CryptoAlgorithm &, bool) override;
};
class AKey : public Key {
RawBuffer encrypt(const CryptoAlgorithm &, const RawBuffer &) override;
RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override;
Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override;
+ GCtxShPtr initContext(const CryptoAlgorithm &, bool) override;
};
class Cert : public AKey {
sOut.Pull(out);
}
+uint32_t TrustZoneContext::initGcmCipher(uint32_t encrypt,
+ const RawBuffer &keyId,
+ const Pwd &pwd,
+ const RawBuffer &iv,
+ int tagSizeBits,
+ const RawBuffer &aad)
+{
+ // command ID = CMD_CIPHER_INIT (from km_ta_defines.h)
+ if (keyId.size() != KM_KEY_ID_SIZE) {
+ ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer");
+ }
+
+ auto sIn = makeSerializer(pwd, iv, keyId, aad, tagSizeBits);
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory);
+ op.params[0].value.a = ALGO_AES_GCM;
+ op.params[0].value.b = encrypt;
+
+ Execute(CMD_CIPHER_INIT, &op);
+
+ return op.params[0].value.b;
+}
+
+void TrustZoneContext::addGcmAAD(uint32_t opId,
+ const RawBuffer &aad)
+{
+ // command ID = CMD_CIPHER_INIT_AAD (from km_ta_defines.h)
+ auto sIn = makeSerializer(aad);
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INPUT, inMemory);
+ op.params[0].value.a = opId;
+
+ Execute(CMD_CIPHER_INIT_AAD, &op);
+}
+
+RawBuffer TrustZoneContext::updateGcmCipher(uint32_t opId,
+ const RawBuffer &data)
+{
+ auto sIn = makeSerializer(data);
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TZSerializer sOut;
+ sOut.Push(new TZSerializableBinary(data.size()));
+ TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+ op.params[0].value.a = opId;
+
+ Execute(CMD_CIPHER_UPDATE, &op);
+
+ sOut.Deserialize(outMemory);
+
+ RawBuffer out;
+ sOut.Pull(out);
+ return out;
+}
+
+RawBuffer TrustZoneContext::finalizeGcmCipher(uint32_t opId,
+ const RawBuffer &data)
+{
+ auto sIn = makeSerializer(data);
+ TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
+ sIn.Serialize(inMemory);
+
+ TZSerializer sOut;
+ sOut.Push(new TZSerializableBinary(data.size()));
+ TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
+
+ TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
+ op.params[0].value.a = opId;
+
+ Execute(CMD_CIPHER_FINALIZE, &op);
+
+ sOut.Deserialize(outMemory);
+
+ RawBuffer out;
+ sOut.Pull(out);
+ return out;
+}
+
void TrustZoneContext::executeSign(tz_algo_type algo,
tz_hash_type hash,
const RawBuffer &keyId,
const RawBuffer &data,
RawBuffer &out);
+ uint32_t initGcmCipher(uint32_t encrypt,
+ const RawBuffer &keyId,
+ const Pwd &pwd,
+ const RawBuffer &iv,
+ int tagSizeBits,
+ const RawBuffer &aad);
+
+ void addGcmAAD(uint32_t opId,
+ const RawBuffer &aad);
+
+ RawBuffer updateGcmCipher(uint32_t opId,
+ const RawBuffer &data);
+
+ RawBuffer finalizeGcmCipher(uint32_t opId,
+ const RawBuffer &data);
+
void executeSign(tz_algo_type algo,
tz_hash_type hash,
const RawBuffer &keyId,
projects / platform / core / security / key-manager.git / commitdiff