[platform/core/test/security-tests.git] / src / e2ee-adaptation-layer / e2ee-adaptation-layer.h

/*
 * Copyright (c) 2023 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License
 */

#pragma once

#include <stddef.h>
#include <ckmc/ckmc-type.h>

/**
 * @brief Derives a common symmetric key using ECDH and KBKDF.
 *
 * @since_tizen 7.5
 *
 * @remarks The derived key will be a symmetric one. It will be stored as a #CKMC_KEY_AES.
 * @remarks The function first generates a shared secret using ECDH and temporarily stores it in
 *          key-manager. Then it derives a symmetric key from it, stores it in key-manager too and
 *          removes the shared secret.
 * @remarks Shared secret length and KBKDF algorithm parameters are fixed in the code.
 * @remarks To simplify the API, it is assumed that the private key alias does not use a custom
 *          password.
 *
 * @param[in] private_key_alias Alias of the private key to be used in ECDH
 * @param[in] raw_public_key Peer's public key in DER format to be used in ECDH
 * @param[in] raw_public_key_len Length of the @a raw_public_key
 * @param[in] new_key_alias The name under which the new key will be known in key-manager
 *
 * @return @c 0 on success, otherwise a negative error value
 *
 * @retval #CKMC_ERROR_NONE Successful
 * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid (@a private_key_alias = NULL,
 *                                       @a raw_public_key = NULL, @a new_key_alias = NULL)
 * @retval #CKMC_ERROR_DB_LOCKED A user is not logged in to key-manager
 * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN @a private_key_alias does not exist
 * @retval #CKMC_ERROR_DB_ALIAS_EXISTS @a new_key_alias already exists
 * @retval #CKMC_ERROR_INVALID_FORMAT The format of @a raw_public_key is not valid
 * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
 * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
 * @retval #CKMC_ERROR_AUTHENTICATION_FAILED Secret decryption failed because @a private_key_alias
 *                                           needed a password and none was given
 * @retval #CKMC_ERROR_SERVER_ERROR Unknown error
 *
 * @pre User is already logged in to key-manager.
 *
 * @see ckmc_key_derive()
 */
int ckmew_key_agreement(const char *private_key_alias,
                        const unsigned char *raw_public_key,
                        size_t raw_public_key_len,
                        const char *new_key_alias);

/**
 * @brief Derives a symmetric key from a password using PBKFD2 and stores it in key-manager
 *
 * @since_tizen 7.5
 *
 * @remarks The password is temporarily stored in key-manager. It is deleted after key derivation
 *          is performed.
 * @remarks The key-manager's policy for storing the derived key is fixed in the code.
 * @remarks The number of PBKDF2 iteration is fixed in the code.
 *
 * @param[in] password The password to derive the key from
 * @param[in] salt The salt used for PBKDF2
 * @param[in] salt_len Length of the @a salt
 * @param[in] new_key_len The desired length of the derived key
 * @param[in] new_key_alias The name under which the new key will be known in key-manager
 *
 * @return @c 0 on success, otherwise a negative error value
 *
 * @retval #CKMC_ERROR_NONE Successful
 * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid (@a password = NULL or
 *                                       @a salt = NULL)
 * @retval #CKMC_ERROR_NOT_SUPPORTED Unsupported key length
 * @retval #CKMC_ERROR_DB_LOCKED A user is not logged in to key-manager
 * @retval #CKMC_ERROR_DB_ALIAS_EXISTS @a new_key_alias already exists
 * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
 * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
 * @retval #CKMC_ERROR_SERVER_ERROR Unknown error
 *
 * @pre User is already logged in to key-manager.
 *
 * @see ckmc_key_derive()
 */
int ckmew_key_derive_pbkdf2(const char *password,
                            const unsigned char *salt,
                            size_t salt_len,
                            size_t new_key_len,
                            const char *new_key_alias);

/**
 * @platform
 *
 * @since_tizen 7.5
 *
 * @brief Constructs OCF certificate chain and returns it
 *
 * @privlevel platform
 * @privilege %http://tizen.org/privilege/devicecertificate
 *
 * @remarks The @a cert_chain should be freed using free().
 *
 * @param[out] cert_chain Certificate chain in binary, will be allocated by the library
 * @param[out] cert_chain_len The total length of certificate chain
 *
 * @return #DCM_ERROR_NONE on success, otherwise a negative error value
 *
 * @retval #DCM_ERROR_NONE Successful
 * @retval #DCM_ERROR_INVALID_PARAMETER Input parameter is invalid
 * @retval #DCM_ERROR_OUT_OF_MEMORY Out of memory during processing
 * @retval #DCM_ERROR_PERMISSION_DENIED Failed to access device certificate manager
 * @retval #DCM_ERROR_NOT_SUPPORTED Feature needed to run API is not supported
 * @retval #DCM_ERROR_SOCKET Socket error between client and server
 * @retval #DCM_ERROR_NO_DATA No certificate chain available
 * @retval #DCM_ERROR_UNKNOWN Unknown error
 */
int ckmew_get_ocf_cert_chain(char **cert_chain, size_t *cert_chain_len);

/**
 * @platform
 *
 * @since_tizen 7.5
 *
 * @brief Signs given public key with OCF using E2EE signing scheme.
 *
 * @privlevel platform
 * @privilege %http://tizen.org/privilege/devicecertificate
 *
 * @remarks The public key will be retrieved from key-manager.
 * @remarks It is assumed that the public key is not encrypted with a custom password in
 *          key-manager and thus there's no need to pass additional argument.
 *
 * @param[in] public_key_alias Alias of the public key to be signed
 * @param[out] message The E2EE message composed from public key and E2EE prefixes. It has to be
 *             freed using ckmc_buffer_free()
 * @param[out] signature The OCF signature calculated for @a message. It has to be
 *             freed using ckmc_buffer_free()
 *
 * @return #DCM_ERROR_NONE on success, otherwise a negative error value
 *
 * @retval #DCM_ERROR_NONE Successful
 * @retval #DCM_ERROR_INVALID_PARAMETER Input parameter is invalid
 * @retval #DCM_ERROR_OUT_OF_MEMORY Out of memory during processing
 * @retval #DCM_ERROR_PERMISSION_DENIED Failed to access device certificate manager
 * @retval #DCM_ERROR_NOT_SUPPORTED Feature needed to run API is not supported
 * @retval #DCM_ERROR_SOCKET Socket error between client and server
 * @retval #DCM_ERROR_NO_DATA If OCF or public key are not available
 * @retval #DCM_ERROR_UNKNOWN Unknown error
 * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
 * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
 * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
 * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
 * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
 * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
 * @retval #CKMC_ERROR_AUTHENTICATION_FAILED Decryption failed because password is incorrect
 */
int ckmew_sign_with_ocf(const char *public_key_alias,
                        ckmc_raw_buffer_s **message,
                        ckmc_raw_buffer_s **signature);