Remove old implementation of sign/verify methods.
Change-Id: I391d29ffc3ae8a2fe49b09259387efa2023abec2
#pragma once
#include <stdint.h>
+#include <cassert>
#include <string>
#include <vector>
std::map<ParamName, BaseParamPtr> m_params;
};
+template <typename T>
+bool CryptoAlgorithm::getParam(ParamName name, T& value) const {
+ auto param = m_params.find(name);
+ if (param == m_params.end())
+ return false;
+ assert(param->second);
+
+ uint64_t valueTmp;
+ if (param->second->getInt(valueTmp)) {
+ value = static_cast<T>(valueTmp);
+ return true;
+ }
+ return false;
+}
+
+template <>
+bool CryptoAlgorithm::getParam(ParamName name, RawBuffer& value) const;
+
+template <typename T>
+bool CryptoAlgorithm::addParam(ParamName name, const T& value) {
+ return m_params.emplace(name, IntParam::create(static_cast<uint64_t>(value))).second;
+}
+
+template <>
+bool CryptoAlgorithm::addParam(ParamName name, const RawBuffer& value);
} // namespace CKM
}
template <>
-bool CryptoAlgorithm::getParam<uint64_t>(ParamName name, uint64_t& value) const
-{
- auto param = m_params.find(name);
- if (param == m_params.end())
- return false;
-
- assert(param->second);
- return param->second->getInt(value);
-}
-
-template <>
-bool CryptoAlgorithm::getParam<RawBuffer>(ParamName name, RawBuffer& value) const
+bool CryptoAlgorithm::getParam(ParamName name, RawBuffer& value) const
{
auto param = m_params.find(name);
if (param == m_params.end())
}
template <>
-bool CryptoAlgorithm::addParam<uint64_t>(ParamName name, const uint64_t& value)
-{
- return m_params.emplace(name, IntParam::create(value)).second;
-}
-
-template <>
-bool CryptoAlgorithm::addParam<int>(ParamName name, const int& value)
-{
- return m_params.emplace(name, IntParam::create(value)).second;
-}
-
-template <>
-bool CryptoAlgorithm::addParam<RawBuffer>(ParamName name, const RawBuffer& value)
+bool CryptoAlgorithm::addParam(ParamName name, const RawBuffer& value)
{
return m_params.emplace(name, BufferParam::create(value)).second;
}
DECLARE_EXCEPTION_TYPE(Base, KeyNotSupported)
DECLARE_EXCEPTION_TYPE(Base, OperationNotSupported)
DECLARE_EXCEPTION_TYPE(Base, WrongBackend)
+DECLARE_EXCEPTION_TYPE(Base, InputParam)
} // namespace Exception
} // namespace Crypto
Throw(Exception::OperationNotSupported);
}
- virtual bool verify(const CryptoAlgorithm &, const RawBuffer &, const RawBuffer &) {
+ virtual int verify(const CryptoAlgorithm &, const RawBuffer &, const RawBuffer &) {
Throw(Exception::OperationNotSupported);
}
CryptoBackend m_backendId;
};
-typedef std::shared_ptr<GStore> GStoreShPtr;
-
} // namespace Crypto
} // namespace CKM
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file decider.cpp
+ * @author Bartłomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ */
+#include <dpl/log/log.h>
+
+#include <crypto-backend.h>
+
#include <platform/decider.h>
#include <sw-backend/store.h>
namespace Crypto {
Decider::Decider()
- : m_store(new SW::Store(CryptoBackend::OpenSSL))
+ : m_swStore(new SW::Store(CryptoBackend::OpenSSL))
{}
-GStoreShPtr Decider::getStore(const Token &) {
+GStore& Decider::getStore(const Token &) {
// This the place where we should choose backend bases on token information.
- return m_store;
+ if (!m_swStore) {
+ LogError("No backend available.");
+ ThrowMsg(CKM::Crypto::Exception::Base, "No backend available.");
+ }
+ return *m_swStore;
};
+CryptoBackend Decider::chooseCryptoBackend(DataType, const Policy &) const {
+ return CryptoBackend::OpenSSL;
+}
+
} // namespace Crypto
} // namespace CKM
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file decider.h
+ * @author Bartłomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ */
#pragma once
#include <memory>
+#include <ckm/ckm-type.h>
+
+#include <crypto-backend.h>
+
#include <generic-backend/gstore.h>
#include <token.h>
class Decider {
public:
Decider();
- GStoreShPtr getStore(const Token &token);
+ GStore& getStore(const Token &token);
+ CryptoBackend chooseCryptoBackend(DataType data, const Policy &policy) const;
+
virtual ~Decider(){}
private:
- GStoreShPtr m_store;
+ std::unique_ptr<GStore> m_swStore;
};
} // Crypto
CryptoService::~CryptoService(){
}
-
-
int CryptoService::initialize() {
int hw_rand_ret = 0;
int u_rand_ret = 0;
return CKM_CRYPTO_INIT_SUCCESS;
}
-const EVP_MD *CryptoService::getMdAlgo(const HashAlgorithm hashAlgo) {
- const EVP_MD *md_algo=NULL;
- switch(hashAlgo) {
- case HashAlgorithm::NONE:
- md_algo = NULL;
- break;
- case HashAlgorithm::SHA1:
- md_algo = EVP_sha1();
- break;
- case HashAlgorithm::SHA256:
- md_algo = EVP_sha256();
- break;
- case HashAlgorithm::SHA384:
- md_algo = EVP_sha384();
- break;
- case HashAlgorithm::SHA512:
- md_algo = EVP_sha512();
- break;
- default:
- LogError("Error in hashAlgorithm value");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in hashAlgorithm value");
- }
- return md_algo;
-}
-
-int CryptoService::getRsaPadding(const RSAPaddingAlgorithm padAlgo) {
- int rsa_padding = -1;
- switch(padAlgo) {
- case RSAPaddingAlgorithm::NONE:
- rsa_padding = RSA_NO_PADDING;
- break;
- case RSAPaddingAlgorithm::PKCS1:
- rsa_padding = RSA_PKCS1_PADDING;
- break;
- case RSAPaddingAlgorithm::X931:
- rsa_padding = RSA_X931_PADDING;
- break;
- default:
- LogError("Error in RSAPaddingAlgorithm value");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in RSAPaddingAlgorithm value");
- }
- return rsa_padding;
-}
-
int CryptoService::createKeyPairRSA(const int size, // size in bits [1024, 2048, 4096]
KeyImpl &createdPrivateKey, // returned value
KeyImpl &createdPublicKey) // returned value
return CKM_CRYPTO_CREATEKEY_SUCCESS;
}
-int CryptoService::createSignature(const KeyImpl &privateKey,
- const RawBuffer &message,
- const HashAlgorithm hashAlgo,
- const RSAPaddingAlgorithm padAlgo,
- RawBuffer &signature)
-{
- int retCode = CKM_API_SUCCESS;
- int rsa_padding = NOT_DEFINED;
- const EVP_MD *md_algo = NULL;
-
- md_algo = getMdAlgo(hashAlgo);
-
-
- if((privateKey.getType() != KeyType::KEY_RSA_PRIVATE) &&
- (privateKey.getType() != KeyType::KEY_DSA_PRIVATE) &&
- (privateKey.getType() != KeyType::KEY_ECDSA_PRIVATE))
- {
- LogError("Error in private key type");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in private key type");
- }
-
- if(privateKey.getType()==KeyType::KEY_RSA_PRIVATE) {
- rsa_padding = getRsaPadding(padAlgo);
- }
-
- auto shrPKey = privateKey.getEvpShPtr();
- if (NULL == shrPKey.get()) {
- LogError("Error in EVP_PKEY_keygen function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_keygen function");
- }
-
- if(md_algo == NULL) {
- retCode = signMessage(shrPKey.get(), message, rsa_padding, signature);
- }else {
- retCode = digestSignMessage(shrPKey.get(),message, md_algo, rsa_padding, signature);
- }
-
- return retCode;
-}
-
-int CryptoService::signMessage(EVP_PKEY *privKey,
- const RawBuffer &message,
- const int rsa_padding,
- RawBuffer &signature)
-{
- int retCode = CKM_API_SUCCESS;
- EVP_PKEY_CTX *pctx = NULL;
-
- Try {
- if(!(pctx = EVP_PKEY_CTX_new(privKey, NULL))) {
- LogError("Error in EVP_PKEY_CTX_new function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_new function");
- }
-
- if(EVP_PKEY_sign_init(pctx) != EVP_SUCCESS) {
- LogError("Error in EVP_PKEY_sign_init function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_sign_init function");
- }
-
- /* Set padding algorithm */
- if(EVP_PKEY_type(privKey->type) == EVP_PKEY_RSA) {
- if(EVP_SUCCESS != EVP_PKEY_CTX_set_rsa_padding(pctx, rsa_padding)) {
- LogError("Error in EVP_PKEY_CTX_set_rsa_padding function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_set_rsa_padding function");
- }
- }
-
- /* Finalize the Sign operation */
- /* First call EVP_PKEY_sign with a NULL sig parameter to obtain the length of the
- * signature. Length is returned in slen */
- size_t slen;
- if(EVP_SUCCESS != EVP_PKEY_sign(pctx, NULL, &slen, message.data(), message.size())) {
- LogError("Error in EVP_PKEY_sign function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_sign function");
- }
-
- /* Allocate memory for the signature based on size in slen */
- unsigned char sig[slen];
-
- if(EVP_SUCCESS == EVP_PKEY_sign(pctx, sig, &slen, message.data(), message.size())) {
- // Set value to return RawData
- signature.assign(sig, sig+slen);
- retCode = CKM_API_SUCCESS;
- }else {
- LogError("Error in EVP_PKEY_sign function: check input parameter");
- retCode = CKM_API_ERROR_INPUT_PARAM;
- }
- } Catch(CryptoService::Exception::opensslError) {
- if(pctx != NULL) {
- EVP_PKEY_CTX_free(pctx);
- }
- ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
- }
-
- if(pctx != NULL) {
- EVP_PKEY_CTX_free(pctx);
- }
- return retCode;
-}
-
-int CryptoService::digestSignMessage(EVP_PKEY *privKey,
- const RawBuffer &message,
- const EVP_MD *md_algo,
- const int rsa_padding,
- RawBuffer &signature)
-{
- EVP_MD_CTX *mdctx = NULL;
- EVP_PKEY_CTX *pctx = NULL;
-
- Try {
- // Create the Message Digest Context
- if(!(mdctx = EVP_MD_CTX_create())) {
- LogError("Error in EVP_MD_CTX_create function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_MD_CTX_create function");
- }
-
- if(EVP_SUCCESS != EVP_DigestSignInit(mdctx, &pctx, md_algo, NULL, privKey)) {
- LogError("Error in EVP_DigestSignInit function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_DigestSignInit function");
- }
-
- /* Set padding algorithm */
- if(EVP_PKEY_type(privKey->type) == EVP_PKEY_RSA) {
- if(EVP_SUCCESS != EVP_PKEY_CTX_set_rsa_padding(pctx, rsa_padding)) {
- LogError("Error in EVP_PKEY_CTX_set_rsa_padding function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_set_rsa_padding function");
- }
- }
-
- /* Call update with the message */
- if(EVP_SUCCESS != EVP_DigestSignUpdate(mdctx, message.data(), message.size())) {
- LogError("Error in EVP_DigestSignUpdate function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_DigestSignUpdate function");
- }
-
- /* Finalize the DigestSign operation */
- /* First call EVP_DigestSignFinal with a NULL sig parameter to obtain the length of the
- * signature. Length is returned in slen */
- size_t slen;
- if(EVP_SUCCESS != EVP_DigestSignFinal(mdctx, NULL, &slen)) {
- LogError("Error in EVP_DigestSignFinal function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_DigestSignFinal function");
- }
- /* Allocate memory for the signature based on size in slen */
- unsigned char sig[slen];
-
- /* Obtain the signature */
- if(EVP_SUCCESS != EVP_DigestSignFinal(mdctx, sig, &slen)) {
- LogError("Error in EVP_DigestSignFinal function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_DigestSignFinal function");
- }
-
- // Set value to return RawData
- signature.assign(sig, sig+slen);
- } Catch(CryptoService::Exception::opensslError) {
- if(mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
-
- ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
- }
-
- if(mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
-
- return CKM_API_SUCCESS;
-}
-
-int CryptoService::verifySignature(const KeyImpl &publicKey,
- const RawBuffer &message,
- const RawBuffer &signature,
- const HashAlgorithm hashAlgo,
- const RSAPaddingAlgorithm padAlgo)
-{
- int rsa_padding = NOT_DEFINED;
- const EVP_MD *md_algo;
- int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
-
- md_algo = getMdAlgo(hashAlgo);
-
-
- if((publicKey.getType() != KeyType::KEY_RSA_PUBLIC) &&
- (publicKey.getType() != KeyType::KEY_DSA_PUBLIC) &&
- (publicKey.getType() != KeyType::KEY_ECDSA_PUBLIC))
- {
- LogError("Error in private key type");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in private key type");
- }
-
- if(publicKey.getType()==KeyType::KEY_RSA_PUBLIC) {
- rsa_padding = getRsaPadding(padAlgo);
- }
-
- auto shrPKey = publicKey.getEvpShPtr();
- if (NULL == shrPKey.get()) {
- LogError("Error in getEvpShPtr function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in getEvpShPtr function");
- }
-
- if(md_algo == NULL) {
- retCode = verifyMessage(shrPKey.get(), message, signature, rsa_padding);
- }else {
- retCode = digestVerifyMessage(shrPKey.get(),message, signature, md_algo, rsa_padding);
- }
-
- return retCode;
-}
-
-int CryptoService::verifyMessage(EVP_PKEY *pubKey,
- const RawBuffer &message,
- const RawBuffer &signature,
- const int rsa_padding)
-{
- int ret = CKM_API_ERROR_VERIFICATION_FAILED;
- EVP_PKEY_CTX *pctx = NULL;
-
- Try {
- if(!(pctx = EVP_PKEY_CTX_new(pubKey, NULL))) {
- LogError("Error in EVP_PKEY_CTX_new function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_new function");
- }
-
- if(EVP_PKEY_verify_init(pctx) != EVP_SUCCESS) {
- LogError("Error in EVP_PKEY_verify_init function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_verify_init function");
- }
-
- /* Set padding algorithm */
- if(EVP_PKEY_type(pubKey->type) == EVP_PKEY_RSA) {
- if(EVP_SUCCESS != EVP_PKEY_CTX_set_rsa_padding(pctx, rsa_padding)) {
- LogError("Error in EVP_PKEY_CTX_set_rsa_padding function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_set_rsa_padding function");
- }
- }
-
- if(EVP_SUCCESS == EVP_PKEY_verify(pctx, signature.data(), signature.size(), message.data(), message.size())) {
- ret = CKM_API_SUCCESS;
- }else {
- LogError("EVP_PKEY_verify Failed");
- ret = CKM_API_ERROR_VERIFICATION_FAILED;
- }
- } Catch(CryptoService::Exception::opensslError) {
- if(pctx != NULL) {
- EVP_PKEY_CTX_free(pctx);
- }
- ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
- }
-
- if(pctx != NULL) {
- EVP_PKEY_CTX_free(pctx);
- }
-
- return ret;
-}
-
-int CryptoService::digestVerifyMessage(EVP_PKEY *pubKey,
- const RawBuffer &message,
- const RawBuffer &signature,
- const EVP_MD *md_algo,
- const int rsa_padding)
-{
- int ret = CKM_API_ERROR_VERIFICATION_FAILED;
- EVP_MD_CTX *mdctx = NULL;
- EVP_PKEY_CTX *pctx = NULL;
-
- Try {
- /* Create the Message Digest Context */
- if(!(mdctx = EVP_MD_CTX_create())) {
- LogError("Error in EVP_MD_CTX_create function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_MD_CTX_create function");
- }
-
- if(EVP_SUCCESS != EVP_DigestVerifyInit(mdctx, &pctx, md_algo, NULL, pubKey)) {
- LogError("Error in EVP_DigestVerifyInit function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_DigestVerifyInit function");
- }
-
- if(EVP_PKEY_type(pubKey->type) == EVP_PKEY_RSA) {
- if(EVP_SUCCESS != EVP_PKEY_CTX_set_rsa_padding(pctx, rsa_padding)) {
- LogError("Error in EVP_PKEY_CTX_set_rsa_padding function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_set_rsa_padding function");
- }
- }
-
- if(EVP_SUCCESS != EVP_DigestVerifyUpdate(mdctx, message.data(), message.size()) ) {
- LogError("Error in EVP_DigestVerifyUpdate function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_DigestVerifyUpdate function");
- }
-
- if(EVP_SUCCESS == EVP_DigestVerifyFinal(mdctx, const_cast<unsigned char*>(signature.data()), signature.size()) ) {
- ret = CKM_API_SUCCESS;
- }else {
- LogError("EVP_PKEY_verify Failed");
- ret = CKM_API_ERROR_VERIFICATION_FAILED;
- }
- } Catch(CryptoService::Exception::opensslError) {
- if(mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
- ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
- }
-
- if(mdctx != NULL) {
- EVP_MD_CTX_destroy(mdctx);
- }
-
- return ret;
-}
-
} // namespace SW
} // namespace Crypto
} // namespace CKM
KeyImpl &createdPrivateKey, // returned value
KeyImpl &createdPublicKey); // returned value
- int createSignature(const KeyImpl &privateKey,
- const RawBuffer &message,
- const HashAlgorithm hashAlgo,
- const RSAPaddingAlgorithm padAlgo,
- RawBuffer &signature);
-
- int verifySignature(const KeyImpl &publicKey,
- const RawBuffer &message,
- const RawBuffer &signature,
- const HashAlgorithm hashAlgo,
- const RSAPaddingAlgorithm padAlgo);
-
private:
- const EVP_MD *getMdAlgo(const HashAlgorithm hashAlgo);
- int getRsaPadding(const RSAPaddingAlgorithm padAlgo);
-
- int signMessage(EVP_PKEY *privKey,
- const RawBuffer &message,
- const int rsa_padding,
- RawBuffer &signature);
- int digestSignMessage(EVP_PKEY *privKey,
- const RawBuffer &message,
- const EVP_MD *md_algo,
- const int rsa_padding,
- RawBuffer &signature);
-
- int verifyMessage(EVP_PKEY *pubKey,
- const RawBuffer &message,
- const RawBuffer &signature,
- const int rsa_padding);
- int digestVerifyMessage(EVP_PKEY *pubKey,
- const RawBuffer &message,
- const RawBuffer &signature,
- const EVP_MD *md_algo,
- const int rsa_padding);
};
} // namespace SW
int rsa_padding = NOT_DEFINED;
const EVP_MD *md_algo = NULL;
- (void) alg;
-// md_algo = getMdAlgo(hashAlgo);
+ HashAlgorithm hashTmp = HashAlgorithm::NONE;
+ alg.getParam(ParamName::SV_HASH_ALGO, hashTmp);
+ md_algo = getMdAlgo(hashTmp);
+
+ RSAPaddingAlgorithm rsaPad = RSAPaddingAlgorithm::NONE;
+ alg.getParam(ParamName::SV_RSA_PADDING, rsaPad);
+ rsa_padding = getRsaPadding(rsaPad);
+
//
// if((privateKey.getType() != KeyType::KEY_RSA_PRIVATE) &&
// (privateKey.getType() != KeyType::KEY_DSA_PRIVATE) &&
return sig;
}
- LogError("Error in EVP_PKEY_sign function");
- ThrowMsg(Crypto::Exception::InternalError, "Error in EVP_PKEY_sign function");
+ LogError("Error in EVP_PKEY_sign function. Input param error.");
+ ThrowMsg(Crypto::Exception::InputParam, "Error in EVP_PKEY_sign function. Input param error.");
}
RawBuffer digestSignMessage(EVP_PKEY *privKey,
int rsa_padding = NOT_DEFINED;
const EVP_MD *md_algo = NULL;
- (void)alg;
-// md_algo = getMdAlgo(hashAlgo);
+ HashAlgorithm hashTmp = HashAlgorithm::NONE;
+ alg.getParam(ParamName::SV_HASH_ALGO, hashTmp);
+ md_algo = getMdAlgo(hashTmp);
+
+ RSAPaddingAlgorithm rsaPad = RSAPaddingAlgorithm::NONE;
+ alg.getParam(ParamName::SV_RSA_PADDING, rsaPad);
+ rsa_padding = getRsaPadding(rsaPad);
+
//
// if((publicKey.getType() != KeyType::KEY_RSA_PUBLIC) &&
// (publicKey.getType() != KeyType::KEY_DSA_PUBLIC) &&
return Internals::sign(getEvpShPtr().get(), alg, message);
}
-bool AKey::verify(const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &sign) {
+int AKey::verify(const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &sign) {
return Internals::verify(getEvpShPtr().get(), alg, message, sign);
}
return m_evp;
}
+EvpShPtr Cert::getEvpShPtr() {
+ if (m_evp)
+ return m_evp;
+
+ int size = static_cast<int>(m_key.size());
+ const unsigned char *ptr = reinterpret_cast<const unsigned char *>(m_key.data());
+
+ X509 *x509 = d2i_X509(NULL, &ptr, size);
+
+ if (!x509) {
+ LogError("Failed to parse certificate.");
+ ThrowMsg(Exception::InternalError, "Failed to parse certificate.");
+ }
+
+ m_evp.reset(X509_get_pubkey(x509), EVP_PKEY_free);
+ X509_free(x509);
+ return m_evp;
+}
+
} // namespace SW
} // namespace Crypto
} // namespace CKM
class AKey : public GKey {
public:
- AKey(RawBuffer buffer, DataType dataType = DataType::KEY_AES)
+ AKey(RawBuffer buffer, DataType dataType)
: m_key(std::move(buffer))
, m_type(dataType)
{}
virtual RawBuffer sign(const CryptoAlgorithm &alg, const RawBuffer &message);
- virtual bool verify(const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &sign);
+ virtual int verify(const CryptoAlgorithm &alg, const RawBuffer &message, const RawBuffer &sign);
virtual ~AKey(){}
protected:
virtual EvpShPtr getEvpShPtr();
DataType m_type;
};
+class Cert : public AKey {
+public:
+ Cert(RawBuffer buffer, DataType dataType)
+ : AKey(std::move(buffer), dataType)
+ {}
+ virtual ~Cert(){}
+protected:
+ virtual EvpShPtr getEvpShPtr();
+};
+
} // namespace SW
} // namespace Crypto
} // namespace CKM
GKeyShPtr Store::getKey(const Token &token) {
if (token.backendId != m_backendId) {
- LogDebug("Decider choose wrong backend!");
+ LogError("Decider choose wrong backend!");
ThrowMsg(Exception::WrongBackend, "Decider choose wrong backend!");
}
return std::make_shared<SKey>(token.data, token.dataType);
}
+ if (token.dataType.isCertificate()) {
+ return std::make_shared<Cert>(token.data, token.dataType);
+ }
+
LogDebug(
"This type of data is not supported by openssl backend: " << (int)token.dataType);
ThrowMsg(Exception::KeyNotSupported,
#include <certificate-config.h>
#include <certificate-store.h>
+#include <generic-backend/exception.h>
#include <sw-backend/crypto-service.h>
namespace {
const Policy &policy) const
{
DB::Row row(name, label, static_cast<int>(policy.extractable), dataType, data, static_cast<int>(data.size()));
+ row.backendId = m_decider.chooseCryptoBackend(dataType, policy);
// do not encrypt data with password during cc_mode on
if(m_accessControl.isCCMode()) {
const RSAPaddingAlgorithm padding)
{
DB::Row row;
- Crypto::SW::CryptoService cs;
RawBuffer signature;
+ CryptoAlgorithm cryptoAlg;
+ cryptoAlg.addParam(ParamName::SV_HASH_ALGO, hash);
+ cryptoAlg.addParam(ParamName::SV_RSA_PADDING, padding);
int retCode = CKM_API_SUCCESS;
try {
retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName, ownerLabel, password, row);
- if(retCode == CKM_API_SUCCESS)
- {
- KeyImpl keyParsed(row.data, Password());
- if (keyParsed.empty())
- retCode = CKM_API_ERROR_SERVER_ERROR;
- else
- retCode = cs.createSignature(keyParsed, message, hash, padding, signature);
+ if(retCode == CKM_API_SUCCESS) {
+ signature = m_decider.getStore(row).getKey(row)->sign(cryptoAlg, message);
}
} catch (const KeyProvider::Exception::Base &e) {
LogError("KeyProvider failed with message: " << e.GetMessage());
} catch (const CKMLogic::Exception::DatabaseLocked &e) {
LogError("Error " << e.GetMessage());
retCode = CKM_API_ERROR_DB_LOCKED;
+ } catch (const CKM::Crypto::Exception::InputParam &e) {
+ LogError("CKM::Crypto failed with message: " << e.GetMessage());
+ retCode = CKM_API_ERROR_INPUT_PARAM;
+ } catch (const CKM::Crypto::Exception::Base &e) {
+ LogError("CKM::Crypto failed with message: " << e.GetMessage());
+ retCode = CKM_API_ERROR_SERVER_ERROR;
} catch (const CKM::Exception &e) {
LogError("Unknown CKM::Exception: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
try {
- do {
- Crypto::SW::CryptoService cs;
- DB::Row row;
- KeyImpl key;
-
- // try certificate first - looking for a public key.
- // in case of PKCS, pub key from certificate will be found first
- // rather than private key from the same PKCS.
- retCode = readDataHelper(false, cred, DataType::CERTIFICATE, publicKeyOrCertName, ownerLabel, password, row);
- if (retCode == CKM_API_SUCCESS) {
- CertificateImpl cert(row.data, DataFormat::FORM_DER);
- key = cert.getKeyImpl();
- } else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
- retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, publicKeyOrCertName, ownerLabel, password, row);
- if (retCode != CKM_API_SUCCESS)
- break;
- key = KeyImpl(row.data);
- } else {
- break;
- }
-
- if (key.empty()) {
- retCode = CKM_API_ERROR_SERVER_ERROR;
- break;
- }
+ DB::Row row;
+ KeyImpl key;
+
+ CryptoAlgorithm params;
+ params.addParam(ParamName::SV_HASH_ALGO, hash);
+ params.addParam(ParamName::SV_RSA_PADDING, padding);
+
+ // try certificate first - looking for a public key.
+ // in case of PKCS, pub key from certificate will be found first
+ // rather than private key from the same PKCS.
+ retCode = readDataHelper(false, cred, DataType::CERTIFICATE, publicKeyOrCertName, ownerLabel, password, row);
+ if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
+ retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, publicKeyOrCertName, ownerLabel, password, row);
+ }
- retCode = cs.verifySignature(key, message, signature, hash, padding);
- } while(0);
+ if (retCode == CKM_API_SUCCESS) {
+ retCode = m_decider.getStore(row).getKey(row)->verify(params, message, signature);
+ }
} catch (const Crypto::SW::CryptoService::Exception::Crypto_internal &e) {
LogError("KeyProvider failed with message: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
#include <certificate-impl.h>
#include <sys/types.h>
+#include <platform/decider.h>
+
namespace CKM {
struct UserData {
std::map<uid_t, UserData> m_userDataMap;
AccessControl m_accessControl;
+ Crypto::Decider m_decider;
//FileLock m_lock;
};
projects / platform / core / security / key-manager.git / commitdiff