return keyType;
}
-void destroyKey(const RawBuffer &key)
+void destroyKey(const RawBuffer &keyId)
{
- TrustZoneContext::Instance().executeDestroy(key);
+ TrustZoneContext::Instance().executeDestroy(keyId);
}
void importData(const Data &data,
hash);
}
-void importWrappedKey(const RawBuffer &wrappingKey,
+void importWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
const CryptoAlgorithm &alg,
const Data &encryptedKey,
decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad);
// TODO it is awful!
- TrustZoneContext::Instance().importWrappedKey(wrappingKey,
+ TrustZoneContext::Instance().importWrappedKey(wrappingKeyId,
wrappingKeyPwd,
getAlgType(algo),
iv,
encryptedKeyId);
}
-RawBuffer exportWrappedKey(const RawBuffer &wrappingKey,
+RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
const CryptoAlgorithm &alg,
const RawBuffer &keyToWrapId,
decompose(alg, algo, ctrLenOrTagSizeBits, iv, aad);
// TODO it is awful!
- return TrustZoneContext::Instance().exportWrappedKey(wrappingKey,
+ return TrustZoneContext::Instance().exportWrappedKey(wrappingKeyId,
wrappingKeyPwd,
getAlgType(algo),
iv,
TrustZoneContext::Instance().destroyData(dataId);
}
-BufferPair encryptDataAesGcm(const RawBuffer &key,
+BufferPair encryptDataAesGcm(const RawBuffer &keyId,
const Pwd &pwd,
const RawBuffer &iv,
int tagSize,
RawBuffer result;
RawBuffer tag;
- TrustZoneContext::Instance().executeEncryptAE(key, pwd, iv, tagSize,
+ TrustZoneContext::Instance().executeEncryptAE(keyId, pwd, iv, tagSize,
aad, data, result, tag);
return std::make_pair(result, tag);
}
-RawBuffer encryptDataAesGcmPacked(const RawBuffer &key,
+RawBuffer encryptDataAesGcmPacked(const RawBuffer &keyId,
const Pwd &pwd,
const RawBuffer &iv,
int tagSize,
const RawBuffer &data,
const RawBuffer &aad)
{
- auto pair = encryptDataAesGcm(key, pwd, iv, tagSize, data, aad);
+ auto pair = encryptDataAesGcm(keyId, pwd, iv, tagSize, data, aad);
std::copy(pair.second.begin(), pair.second.end(),
std::back_inserter(pair.first));
return pair.first;
}
-RawBuffer decryptDataAesGcm(const RawBuffer &key,
+RawBuffer decryptDataAesGcm(const RawBuffer &keyId,
const Pwd &pwd,
const RawBuffer &iv,
int tagSizeBits,
{
RawBuffer result;
- TrustZoneContext::Instance().executeDecryptAE(key, pwd, iv, tagSizeBits,
+ TrustZoneContext::Instance().executeDecryptAE(keyId, pwd, iv, tagSizeBits,
tag, aad, data, result);
return result;
}
-RawBuffer decryptDataAesGcmPacked(const RawBuffer &key,
+RawBuffer decryptDataAesGcmPacked(const RawBuffer &keyId,
const Pwd &pwd,
const RawBuffer &iv,
int tagSizeBits,
ThrowErr(Exc::Crypto::InputParam, "Wrong size of tag");
auto tagPos = data.data() + data.size() - tagSizeBytes;
- return decryptDataAesGcm(key,
+ return decryptDataAesGcm(keyId,
pwd,
iv,
tagSizeBits,
}
-RawBuffer symmetricEncrypt(const RawBuffer &key,
+RawBuffer symmetricEncrypt(const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &data)
RawBuffer result;
TrustZoneContext::Instance().executeCrypt(CMD_ENCRYPT,
getAlgType(algo),
- key,
+ keyId,
pwd,
unpack<RawBuffer>(alg, ParamName::ED_IV),
data,
alg.getParam(ParamName::ED_TAG_LEN, tagLenBits);
RawBuffer aad;
alg.getParam(ParamName::ED_AAD, aad);
- return encryptDataAesGcmPacked(key,
+ return encryptDataAesGcmPacked(keyId,
pwd,
unpack<RawBuffer>(alg, ParamName::ED_IV),
tagLenBits,
"Incorrect algorithm provided for symmetric crypto operation");
}
-RawBuffer symmetricDecrypt(const RawBuffer &key,
+RawBuffer symmetricDecrypt(const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &data)
RawBuffer result;
TrustZoneContext::Instance().executeCrypt(CMD_DECRYPT,
getAlgType(algo),
- key,
+ keyId,
pwd,
unpack<RawBuffer>(alg, ParamName::ED_IV),
data,
alg.getParam(ParamName::ED_TAG_LEN, tagSizeBits);
RawBuffer aad;
alg.getParam(ParamName::ED_AAD, aad);
- return decryptDataAesGcmPacked(key,
+ return decryptDataAesGcmPacked(keyId,
pwd,
unpack<RawBuffer>(alg, ParamName::ED_IV),
tagSizeBits,
"Incorrect algorithm provided for symmetric crypto operation");
}
-RawBuffer asymmetricEncrypt(const RawBuffer &key,
+RawBuffer asymmetricEncrypt(const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &data)
case AlgoType::RSA_OAEP: {
TrustZoneContext::Instance().executeCrypt(CMD_ENCRYPT,
getAlgType(algo),
- key,
+ keyId,
pwd,
result, // unused dummy
data,
"Incorrect algorithm provided for asymmetric crypto operation");
}
-RawBuffer asymmetricDecrypt(const RawBuffer &key,
+RawBuffer asymmetricDecrypt(const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &cipher)
case AlgoType::RSA_OAEP: {
TrustZoneContext::Instance().executeCrypt(CMD_DECRYPT,
getAlgType(algo),
- key,
+ keyId,
pwd,
result, // unused dummy
cipher,
"Incorrect algorithm provided for asymmetric crypto operation");
}
-uint32_t initCipher(const RawBuffer &key,
+uint32_t initCipher(const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
bool encrypt)
RawBuffer aad;
alg.getParam(ParamName::ED_AAD, aad);
return TrustZoneContext::Instance().initGcmCipher(encrypt ? CIPHER_ENCRYPT : CIPHER_DECRYPT,
- key,
+ keyId,
pwd,
unpack<RawBuffer>(alg, ParamName::ED_IV),
tagSizeBits,
return TrustZoneContext::Instance().finalizeGcmCipher(opId, data);
}
-RawBuffer sign(const RawBuffer &pkey,
+RawBuffer sign(const RawBuffer &pkeyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &message)
RawBuffer signature;
TrustZoneContext::Instance().executeSign(getAlgType(algo),
getHashType(hash),
- pkey,
+ pkeyId,
pwd,
message,
signature);
return signature;
}
-int verify(const RawBuffer &pkey,
+int verify(const RawBuffer &pkeyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &message,
return TrustZoneContext::Instance().executeVerify(getAlgType(algo),
getHashType(hash),
- pkey,
+ pkeyId,
pwd,
message,
signature);
}
-void deriveECDH(const RawBuffer &prvKey,
+void deriveECDH(const RawBuffer &prvKeyId,
const Pwd &prvKeyPwd,
const RawBuffer &pubKey,
const Password &secretPwd,
RawBuffer secretPwdBuf(secretPwd.begin(), secretPwd.end());
- TrustZoneContext::Instance().executeEcdh(prvKey,
+ TrustZoneContext::Instance().executeEcdh(prvKeyId,
prvKeyPwd,
xBuf,
yBuf,
secretHash);
}
-void deriveKBKDF(const RawBuffer &secret,
+void deriveKBKDF(const RawBuffer &secretId,
const CryptoAlgorithm &alg,
const Password &keyPwd,
const RawBuffer &keyPwdIV,
RawBuffer keyPwdBuf(keyPwd.begin(), keyPwd.end());
- TrustZoneContext::Instance().executeKbkdf(secret,
+ TrustZoneContext::Instance().executeKbkdf(secretId,
label,
context,
fixed,
RawBuffer &tag,
const RawBuffer &hash);
-void importWrappedKey(const RawBuffer &wrappingKey,
+void importWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
const CryptoAlgorithm &alg,
const Data &encryptedKey,
RawBuffer &encryptedKeyTag,
const RawBuffer &encryptedKeyId);
-RawBuffer exportWrappedKey(const RawBuffer &wrappingKey,
+RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
const CryptoAlgorithm &alg,
const RawBuffer &keyToWrapId,
void destroyData(const RawBuffer &dataId);
-void destroyKey(const RawBuffer &key);
+void destroyKey(const RawBuffer &keyId);
RawBuffer symmetricEncrypt(
- const RawBuffer &key,
+ const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &data);
RawBuffer symmetricDecrypt(
- const RawBuffer &key,
+ const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &cipher);
RawBuffer asymmetricEncrypt(
- const RawBuffer &key,
+ const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &data);
RawBuffer asymmetricDecrypt(
- const RawBuffer &key,
+ const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &cipher);
-BufferPair encryptDataAesGcm(const RawBuffer &key,
+BufferPair encryptDataAesGcm(const RawBuffer &keyId,
const Pwd &pwd,
const RawBuffer &iv,
int tagSize,
const RawBuffer &data,
const RawBuffer &aad = RawBuffer());
-RawBuffer decryptDataAesGcm(const RawBuffer &key,
+RawBuffer decryptDataAesGcm(const RawBuffer &keyId,
const Pwd &pwd,
const RawBuffer &iv,
const RawBuffer &tag,
const RawBuffer &data,
const RawBuffer &aad = RawBuffer());
-uint32_t initCipher(const RawBuffer &key,
+uint32_t initCipher(const RawBuffer &keyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
bool encrypt);
RawBuffer finalizeCipher(uint32_t opId,
const RawBuffer &data);
-RawBuffer sign(const RawBuffer &pkey,
+RawBuffer sign(const RawBuffer &pkeyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &message);
-int verify(const RawBuffer &pkey,
+int verify(const RawBuffer &pkeyId,
const Pwd &pwd,
const CryptoAlgorithm &alg,
const RawBuffer &message,
const RawBuffer &signature);
-void deriveECDH(const RawBuffer &prvKey,
+void deriveECDH(const RawBuffer &prvKeyId,
const Pwd &prvKeyPwd,
const RawBuffer &pubKey,
const Password &secretPwd,
RawBuffer &secretTag,
const RawBuffer &secretHash);
-void deriveKBKDF(const RawBuffer &secret,
+void deriveKBKDF(const RawBuffer &secretId,
const CryptoAlgorithm &alg,
const Password &keyPwd,
const RawBuffer &keyPwdIV,
iv = Internals::generateIV();
}
- Internals::deriveKBKDF(getBinary(), alg, pass, iv, tag, hash);
+ Internals::deriveKBKDF(getId(), alg, pass, iv, tag, hash);
return Token(backendId(), DataType(KeyType::KEY_AES), Store::pack(hash, pass, iv, tag));
}
passIV = Internals::generateIV();
}
- Internals::importWrappedKey(getBinary(),
+ Internals::importWrappedKey(getId(),
getPassword(),
params,
encryptedKey,
keyToWrapIV,
keyToWrapTag);
- return Internals::exportWrappedKey(getBinary(),
+ return Internals::exportWrappedKey(getId(),
getPassword(),
alg,
keyToWrapId,
RawBuffer SKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data)
{
- return Internals::symmetricEncrypt(getBinary(), getPassword(), alg, data);
+ return Internals::symmetricEncrypt(getId(), getPassword(), alg, data);
}
RawBuffer SKey::decrypt(const CryptoAlgorithm &alg, const RawBuffer &cipher)
{
- return Internals::symmetricDecrypt(getBinary(), getPassword(), alg, cipher);
+ return Internals::symmetricDecrypt(getId(), getPassword(), alg, cipher);
}
GCtxShPtr SKey::initContext(const CryptoAlgorithm &alg, bool onward)
{
- auto opId = Internals::initCipher(getBinary(), getPassword(), alg, onward);
+ auto opId = Internals::initCipher(getId(), getPassword(), alg, onward);
return std::make_shared<CipherCtx>(opId);
}
RawBuffer AKey::encrypt(const CryptoAlgorithm &alg, const RawBuffer &data)
{
- return Internals::asymmetricEncrypt(getBinary(), getPassword(), alg, data);
+ return Internals::asymmetricEncrypt(getId(), getPassword(), alg, data);
}
RawBuffer AKey::decrypt(const CryptoAlgorithm &alg, const RawBuffer &cipher)
{
- return Internals::asymmetricDecrypt(getBinary(), getPassword(), alg, cipher);
+ return Internals::asymmetricDecrypt(getId(), getPassword(), alg, cipher);
}
Token AKey::derive(const CryptoAlgorithm &alg, const Password &pass, const RawBuffer &hash)
iv = Internals::generateIV();
}
- Internals::deriveECDH(getBinary(), getPassword(), pubKey, pass, iv, tag, hash);
+ Internals::deriveECDH(getId(), getPassword(), pubKey, pass, iv, tag, hash);
return Token(backendId(), DataType::BINARY_DATA, Store::pack(hash, pass, iv, tag));
}
{
CryptoAlgorithm algWithType(alg);
algWithType.setParam(ParamName::ALGO_TYPE, key2algo(m_type));
- return Internals::sign(getBinary(), getPassword(), algWithType, message);
+ return Internals::sign(getId(), getPassword(), algWithType, message);
}
int AKey::verify(const CryptoAlgorithm &alg, const RawBuffer &message,
algWithType.setParam(ParamName::ALGO_TYPE, key2algo(m_type));
}
- return Internals::verify(getBinary(), getPassword(), algWithType, message, sign);
+ return Internals::verify(getId(), getPassword(), algWithType, message, sign);
}
Token Cert::unwrap(const CryptoAlgorithm &,
return m_tag;
}
-
private:
RawBuffer m_password;
RawBuffer m_iv;
class BData : public GObj {
public:
- explicit BData(CryptoBackend backendId, RawBuffer buffer) :
- GObj(backendId), m_raw(std::move(buffer)) {}
+ BData(CryptoBackend backendId,
+ int scheme,
+ RawBuffer id,
+ Pwd pwd,
+ RawBuffer buffer = RawBuffer()) :
+ GObj(backendId),
+ m_scheme(scheme),
+ m_password(std::move(pwd)),
+ m_id(std::move(id)),
+ m_raw(std::move(buffer)) {}
RawBuffer getBinary() const override
{
return m_raw;
}
+ virtual const RawBuffer& getId() const
+ {
+ return m_id;
+ }
+ virtual int getScheme() const
+ {
+ return m_scheme;
+ }
+ virtual const Pwd& getPassword() const
+ {
+ return m_password;
+ }
Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override;
protected:
+ int m_scheme;
+ Pwd m_password;
+ RawBuffer m_id;
RawBuffer m_raw;
};
class Key : public BData {
public:
- Key(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) :
- BData(backendId, std::move(buffer)),
- m_scheme(scheme),
- m_password(std::move(pwd)),
- m_type(dataType) {}
-
- virtual int getScheme() const
- {
- return m_scheme;
- }
-
- virtual Pwd getPassword() const
- {
- return m_password;
- }
+ Key(CryptoBackend backendId, int scheme, RawBuffer id, Pwd pwd) :
+ BData(backendId, scheme, std::move(id), std::move(pwd)) {}
Token unwrap(const CryptoAlgorithm ¶ms,
const Data &encryptedKey,
RawBuffer wrap(const CryptoAlgorithm ¶ms,
const Token &keyToWrap,
const Password &keyToWrapPass) override;
-
-protected:
- int m_scheme;
- Pwd m_password;
- DataType m_type;
};
class SKey : public Key {
public:
- SKey(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) :
- Key(backendId, scheme, std::move(buffer), std::move(pwd), dataType) {}
+ SKey(CryptoBackend backendId, int scheme, RawBuffer id, Pwd pwd) :
+ Key(backendId, scheme, std::move(id), std::move(pwd)) {}
RawBuffer encrypt(const CryptoAlgorithm &, const RawBuffer &) override;
RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override;
class AKey : public Key {
public:
- AKey(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) :
- Key(backendId, scheme, std::move(buffer), std::move(pwd), dataType) {}
+ AKey(CryptoBackend backendId,
+ int scheme,
+ RawBuffer id,
+ Pwd pwd,
+ DataType dataType,
+ RawBuffer raw = RawBuffer()) :
+ Key(backendId, scheme, std::move(id), std::move(pwd)), m_type(dataType)
+ {
+ m_raw = std::move(raw);
+ }
RawBuffer sign(const CryptoAlgorithm &alg, const RawBuffer &message) override;
int verify(const CryptoAlgorithm &alg, const RawBuffer &message,
RawBuffer decrypt(const CryptoAlgorithm &, const RawBuffer &) override;
Token derive(const CryptoAlgorithm &, const Password &, const RawBuffer &) override;
GCtxShPtr initContext(const CryptoAlgorithm &, bool) override;
+
+protected:
+ DataType m_type;
};
class Cert : public AKey {
public:
- Cert(CryptoBackend backendId, int scheme, RawBuffer buffer, Pwd pwd, DataType dataType) :
- AKey(backendId, scheme, std::move(buffer), std::move(pwd), dataType) {}
+ Cert(CryptoBackend backendId, int scheme, RawBuffer id, Pwd pwd, DataType dataType) :
+ AKey(backendId, scheme, std::move(id), std::move(pwd), dataType) {}
Token unwrap(const CryptoAlgorithm &,
const Data &,
RawBuffer tag;
unpack(token.data, pass, scheme, id, iv, tag);
- if (token.dataType.isKeyPrivate() || token.dataType.isKeyPublic())
+ if (token.dataType.isKeyPrivate())
return make<AKey>(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType);
if (token.dataType.isSymmetricKey())
- return make<SKey>(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType);
+ return make<SKey>(scheme, std::move(id), Pwd(pass, iv, tag));
if (token.dataType.isCertificate() || token.dataType.isChainCert())
return make<Cert>(scheme, std::move(id), Pwd(pass, iv, tag), token.dataType);
- if (token.dataType.isBinaryData()) {
- RawBuffer exported_data = Internals::getData(std::move(id), Pwd(pass, iv, tag));
- return make<BData>(std::move(exported_data));
- }
+ auto pwd = Pwd(pass, iv, tag);
+ RawBuffer raw = Internals::getData(id, pwd);
+
+ if (token.dataType.isKeyPublic())
+ return make<AKey>(scheme, std::move(id), std::move(pwd), token.dataType, std::move(raw));
+
+ if (token.dataType.isBinaryData())
+ return make<BData>(scheme, std::move(id), std::move(pwd), std::move(raw));
ThrowErr(Exc::Crypto::DataTypeNotSupported,
"This type of data is not supported by trustzone backend: ", token.dataType);
buffer.Deserialize(data);
}
- if (scheme & EncryptionScheme::PASSWORD && password.empty()) {
+ if ((scheme & EncryptionScheme::PASSWORD) && password.empty()) {
ThrowErr(Exc::Crypto::AuthenticationFailed,
"This token is protected with password and none passed");
} else if (!(scheme & EncryptionScheme::PASSWORD) && !password.empty()) {
LogDebug("Imported object ID is (hex): " << rawToHexString(hash));
}
-void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey,
+void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
tz_algo_type algo,
const RawBuffer &iv,
// command ID = CMD_IMPORT_WRAPPED_KEY
LogDebug("TrustZoneContext::importWrappedKey encryptedKey size = [" << encryptedKey.size() << "]");
- auto sIn = makeSerializer(wrappingKey,
+ auto sIn = makeSerializer(wrappingKeyId,
wrappingKeyPwd,
algo,
iv,
LogDebug("Imported object ID is (hex): " << rawToHexString(encryptedKeyId));
}
-RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey,
+RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
tz_algo_type algo,
const RawBuffer &iv,
// command ID = CMD_EXPORT_WRAPPED_KEY
LogDebug("TrustZoneContext::exportWrappedKey");
- auto sIn = makeSerializer(wrappingKey,
+ auto sIn = makeSerializer(wrappingKeyId,
wrappingKeyPwd,
algo,
iv,
LogDebug("Derived object ID is (hex): " << rawToHexString(secretHash));
}
-void TrustZoneContext::executeKbkdf(const RawBuffer& secret,
+void TrustZoneContext::executeKbkdf(const RawBuffer& secretId,
const RawBuffer& label,
const RawBuffer& context,
const RawBuffer& fixed,
// command ID = CMD_DERIVE
LogDebug("TrustZoneContext::executeKbkdf");
- auto sIn = makeSerializer(secret,
+ auto sIn = makeSerializer(secretId,
label,
context,
fixed,
RawBuffer &pwdTag,
const RawBuffer &hash);
- void importWrappedKey(const RawBuffer &wrappingKey,
+ void importWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
tz_algo_type algo,
const RawBuffer &iv,
RawBuffer &encryptedKeyTag,
const RawBuffer &encryptedKeyHash);
- RawBuffer exportWrappedKey(const RawBuffer &wrappingKey,
+ RawBuffer exportWrappedKey(const RawBuffer &wrappingKeyId,
const Pwd &wrappingKeyPwd,
tz_algo_type algo,
const RawBuffer &iv,
RawBuffer &secretTag,
const RawBuffer &secretHash);
- void executeKbkdf(const RawBuffer& secret,
+ void executeKbkdf(const RawBuffer& secretId,
const RawBuffer& label,
const RawBuffer& context,
const RawBuffer& fixed,
projects / platform / core / security / key-manager.git / commitdiff