Tizen(Headless) Native API  6.0
Key Manager Client

It provides APIs accessing on the secure repository and additional secure cryptographic operations.

Required Header

#include <ckmc/ckmc-manager.h>

Overview

It provides APIs for storing, getting, and removing APIs for keys, certificates, and sensitive data on/from the Key Manager secure repository which is protected by a user’s passwords. Additionally, it provides secure cryptographic operations for non-exportable keys without revealing key values to clients.

Functions

int ckmc_save_key (const char *alias, const ckmc_key_s key, const ckmc_policy_s policy)
 Stores a key inside key manager based on the provided policy.
int ckmc_remove_key (const char *alias) TIZEN_DEPRECATED_API
 Removes a key from key manager.
int ckmc_get_key (const char *alias, const char *password, ckmc_key_s **ppkey)
 Gets a key from key manager.
int ckmc_get_key_alias_list (ckmc_alias_list_s **ppalias_list)
 Gets all the alias of keys that the client can access.
int ckmc_get_key_alias_info_list (ckmc_alias_info_list_s **ppalias_list)
 Gets the information about all the aliases of keys that the client can access.
int ckmc_save_cert (const char *alias, const ckmc_cert_s cert, const ckmc_policy_s policy)
 Stores a certificate inside key manager based on the provided policy.
int ckmc_remove_cert (const char *alias) TIZEN_DEPRECATED_API
 Removes a certificate from key manager.
int ckmc_get_cert (const char *alias, const char *password, ckmc_cert_s **ppcert)
 Gets a certificate from key manager.
int ckmc_get_cert_alias_list (ckmc_alias_list_s **ppalias_list)
 Gets all alias of certificates which the client can access.
int ckmc_get_cert_alias_info_list (ckmc_alias_info_list_s **ppalias_list)
 Gets the information about all the aliases of certificates that the client can access.
int ckmc_save_pkcs12 (const char *alias, const ckmc_pkcs12_s *pkcs, const ckmc_policy_s key_policy, const ckmc_policy_s cert_policy)
 Stores PKCS12's contents inside key manager based on the provided policies. All items from the PKCS12 will use the same alias.
int ckmc_get_pkcs12 (const char *alias, const char *key_password, const char *cert_password, ckmc_pkcs12_s **pkcs12)
 Gets a pkcs12 from key manager.
int ckmc_save_data (const char *alias, ckmc_raw_buffer_s data, const ckmc_policy_s policy)
 Stores a data inside key manager based on the provided policy.
int ckmc_remove_data (const char *alias) TIZEN_DEPRECATED_API
 Removes a data from key manager.
int ckmc_get_data (const char *alias, const char *password, ckmc_raw_buffer_s **ppdata)
 Gets a data from key manager.
int ckmc_get_data_alias_list (ckmc_alias_list_s **ppalias_list)
 Gets all alias of data which the client can access.
int ckmc_get_data_alias_info_list (ckmc_alias_info_list_s **ppalias_list)
 Gets the information about all the aliases of data that the client can access.
int ckmc_create_key_pair_rsa (const size_t size, const char *private_key_alias, const char *public_key_alias, const ckmc_policy_s policy_private_key, const ckmc_policy_s policy_public_key)
 Creates RSA private/public key pair and stores them inside key manager based on each policy.
int ckmc_create_key_pair_dsa (const size_t size, const char *private_key_alias, const char *public_key_alias, const ckmc_policy_s policy_private_key, const ckmc_policy_s policy_public_key)
 Creates DSA private/public key pair and stores them inside key manager based on each policy.
int ckmc_create_key_pair_ecdsa (const ckmc_ec_type_e type, const char *private_key_alias, const char *public_key_alias, const ckmc_policy_s policy_private_key, const ckmc_policy_s policy_public_key)
 Creates ECDSA private/public key pair and stores them inside key manager based on each policy.
int ckmc_create_key_aes (size_t size, const char *key_alias, ckmc_policy_s key_policy)
 Creates AES key and stores it inside key manager based on the policy.
int ckmc_create_signature (const char *private_key_alias, const char *password, const ckmc_raw_buffer_s message, const ckmc_hash_algo_e hash, const ckmc_rsa_padding_algo_e padding, ckmc_raw_buffer_s **ppsignature)
 Creates a signature on a given message using a private key and returns the signature.
int ckmc_verify_signature (const char *public_key_alias, const char *password, const ckmc_raw_buffer_s message, const ckmc_raw_buffer_s signature, const ckmc_hash_algo_e hash, const ckmc_rsa_padding_algo_e padding)
 Verifies a given signature on a given message using a public key and returns the signature status.
int ckmc_get_cert_chain (const ckmc_cert_s *cert, const ckmc_cert_list_s *untrustedcerts, ckmc_cert_list_s **ppcert_chain_list)
 Verifies a certificate chain and returns that chain.
int ckmc_get_cert_chain_with_alias (const ckmc_cert_s *cert, const ckmc_alias_list_s *untrustedcerts, ckmc_cert_list_s **ppcert_chain_list) TIZEN_DEPRECATED_API
 Verifies a certificate chain using an alias list of untrusted certificates and return that chain.
int ckmc_get_cert_chain_with_trustedcert (const ckmc_cert_s *cert, const ckmc_cert_list_s *untrustedcerts, const ckmc_cert_list_s *trustedcerts, const bool use_trustedsystemcerts, ckmc_cert_list_s **ppcert_chain_list)
 Verifies a certificate chain and returns that chain using user-entered, trusted, and untrusted CA certificates.
int ckmc_ocsp_check (const ckmc_cert_list_s *pcert_chain_list, ckmc_ocsp_status_e *ocsp_status)
 Performs OCSP that checks certificate is whether revoked or not.
int ckmc_allow_access (const char *alias, const char *accessor, ckmc_access_right_e granted) TIZEN_DEPRECATED_API
 Allows another application to access client's application data.
int ckmc_set_permission (const char *alias, const char *accessor, int permissions)
 Allows another application to access client's application data.
int ckmc_deny_access (const char *alias, const char *accessor) TIZEN_DEPRECATED_API
 Revokes another application's access to client's application data.
int ckmc_remove_alias (const char *alias)
 Removes an entry (no matter of type) from the key manager.
int ckmc_encrypt_data (ckmc_param_list_h params, const char *key_alias, const char *password, const ckmc_raw_buffer_s decrypted, ckmc_raw_buffer_s **ppencrypted)
 Encrypts data using selected key and algorithm.
int ckmc_decrypt_data (ckmc_param_list_h params, const char *key_alias, const char *password, const ckmc_raw_buffer_s encrypted, ckmc_raw_buffer_s **ppdecrypted)
 Decrypts data using selected key and algorithm.
int ckmc_import_wrapped_key (const ckmc_param_list_h params, const char *wrapping_key_alias, const char *wrapping_key_password, const char *alias, const ckmc_key_s *wrapped_key, const ckmc_policy_s policy)
 Unwraps one key with another and stores it inside key manager.
int ckmc_export_wrapped_key (const ckmc_param_list_h params, const char *wrapping_key_alias, const char *wrapping_key_password, const char *alias, const char *password, ckmc_key_s **ppwrapped_key)
 Wraps one key with another and returns it to the client.
int ckmc_key_derive (const ckmc_param_list_h params, const char *secret_alias, const char *secret_password, const char *new_key_alias, ckmc_policy_s new_key_policy)
 Derives a secret or key from another key/secret and stores it inside key manager.
int ckmc_cipher_initialize (ckmc_param_list_h params, const char *key_alias, const char *key_password, bool encrypt, ckmc_cipher_ctx_h *context)
 Sets up a symmetric encryption or decryption context with given key and parameters.
int ckmc_cipher_update (ckmc_cipher_ctx_h context, const ckmc_raw_buffer_s in, ckmc_raw_buffer_s **ppout)
 Performs symmetric encryption or decryption of the input and places the result in the output.
int ckmc_cipher_finalize (ckmc_cipher_ctx_h context, const ckmc_raw_buffer_s *in, ckmc_raw_buffer_s **ppout)
 Finalizes symmetric encryption or decryption and returns remaining output if any.
void ckmc_cipher_free (ckmc_cipher_ctx_h context)
 Destroys the encryption/decryption context and releases all its resources.
int ckmc_get_backend_info (ckmc_backend_id_e backend, ckmc_backend_info_h *ppinfo)
 Retrieves backend information.

Function Documentation

int ckmc_allow_access ( const char *  alias,
const char *  accessor,
ckmc_access_right_e  granted 
)

Allows another application to access client's application data.

Deprecated:
Deprecated since 2.4. [Use ckmc_set_permission() instead]
Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
Data identified by alias should exist.
Parameters:
[in]aliasData alias for which access will be granted
[in]accessorPackage id of the application that will gain access rights
[in]grantedRights granted for accessor application
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager or modify permissions
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_deny_access()
int ckmc_cipher_finalize ( ckmc_cipher_ctx_h  context,
const ckmc_raw_buffer_s in,
ckmc_raw_buffer_s **  ppout 
)

Finalizes symmetric encryption or decryption and returns remaining output if any.

Since :
6.0
Remarks:
After the call to this function the ckmc_cipher_update() can be called no more.
The newly created ppout must be destroyed using ckmc_buffer_free() when it's no longer needed.
When using CKMC_ALGO_AES_GCM decryption the GCM tag must be passed as in. In other cases in should be set to NULL.
When using CKMC_ALGO_AES_GCM encryption the GCM tag will be returned in ppout.
Parameters:
[in]contextEncryption/decryption context created with ckmc_cipher_initialize()
[in]inOptional additional decryption input required by some of the modes.
[out]ppoutEncryption/decryption output. Will be set to NULL if the output is empty.
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (context = NULL, ppout = NULL)
CKMC_ERROR_SERVER_ERRORUnknown error
See also:
ckmc_cipher_ctx_h
ckmc_cipher_initialize()
ckmc_cipher_update()
ckmc_cipher_free()

Destroys the encryption/decryption context and releases all its resources.

Since :
6.0
Parameters:
[in]contextEncryption/decryption context created with ckmc_cipher_initialize()
See also:
ckmc_cipher_ctx_h
ckmc_cipher_initialize()
ckmc_cipher_update()
ckmc_cipher_finalize()
int ckmc_cipher_initialize ( ckmc_param_list_h  params,
const char *  key_alias,
const char *  key_password,
bool  encrypt,
ckmc_cipher_ctx_h context 
)

Sets up a symmetric encryption or decryption context with given key and parameters.

Since :
6.0
Remarks:
The newly created context must be destroyed using ckmc_cipher_free() when it's no longer needed.
To perform the encryption/decryption, one or more calls to ckmc_cipher_update() must be folowed by one call to ckmc_cipher_finalize().
To pass CKMC_PARAM_ED_AAD in multiple chunks call the ckmc_cipher_initialize() multiple times with consecutive portions of the AAD in the params and the context returned from the first call. It must be done before the first call to ckmc_cipher_update().
Parameters:
[in]paramsAlgorithm parameter list handle. See ckmc_param_list_h and ckmc_algo_type_e for details. Supported algorithms:
[in]key_aliasAlias of the key to be used for encryption/decryption
[in]key_passwordOptional password of the key used for encryption/decryption
[in]encryptEncryption/decryption switch (true=encryption, false=decryption)
[out]contextEncryption/decryption context. Must point to NULL if it's the first call. Otherwise, it must point to the previously returned context.
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager or the key
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (missing or invalid mandatory algorithm parameter, key_alias = NULL, context = NULL)
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_UNKNOWNkey_alias does not exist
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_AUTHENTICATION_FAILEDKey decryption failed because key_password is incorrect
CKMC_ERROR_SERVER_ERRORUnknown error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_cipher_ctx_h
ckmc_cipher_update()
ckmc_cipher_finalize()
ckmc_cipher_free()
int ckmc_cipher_update ( ckmc_cipher_ctx_h  context,
const ckmc_raw_buffer_s  in,
ckmc_raw_buffer_s **  ppout 
)

Performs symmetric encryption or decryption of the input and places the result in the output.

Since :
6.0
Remarks:
The function may be called multiple times to encrypt succcessive blocks of data.
The newly created ppout must be destroyed using ckmc_buffer_free() when it's no longer needed.
Note that the backend may impose limit on the maximum size of processed data (ckmc_backend_get_max_chunk_size()).
Parameters:
[in]contextEncryption/decryption context created with ckmc_cipher_initialize()
[in]inEncryption/decryption input
[out]ppoutEncryption/decryption output. Will be set to NULL if the output is empty.
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (context = NULL, ppout = NULL)
CKMC_ERROR_SERVER_ERRORUnknown error
See also:
ckmc_cipher_ctx_h
ckmc_cipher_initialize()
ckmc_cipher_finalize()
ckmc_cipher_free()
int ckmc_create_key_aes ( size_t  size,
const char *  key_alias,
ckmc_policy_s  key_policy 
)

Creates AES key and stores it inside key manager based on the policy.

Since :
3.0
Remarks:
If password in the policy is provided, the key is additionally encrypted with the password in the policy.
Parameters:
[in]sizeThe size of key strength to be created. 128, 192 and 256 are supported
[in]key_aliasThe name of key to be stored
[in]key_policyThe policy about how to store the key securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager or to create the key
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_DB_ERRORFailed due to other DB transaction unexpectedly
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_create_key_pair_rsa()
ckmc_create_key_pair_dsa()
ckmc_create_key_pair_ecdsa()
ckmc_policy_s
int ckmc_create_key_pair_dsa ( const size_t  size,
const char *  private_key_alias,
const char *  public_key_alias,
const ckmc_policy_s  policy_private_key,
const ckmc_policy_s  policy_public_key 
)

Creates DSA private/public key pair and stores them inside key manager based on each policy.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
If password in the policy is provided, the key is additionally encrypted with the password in the policy.
Parameters:
[in]sizeThe size of key strength to be created. 1024, 2048, 3072 and 4096 are supported
[in]private_key_aliasThe name of private key to be stored
[in]public_key_aliasThe name of public key to be stored
[in]policy_private_keyThe policy about how to store a private key securely
[in]policy_public_keyThe policy about how to store a public key securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_DB_ERRORFailed due to other DB transaction unexpectedly
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_create_key_pair_rsa()
ckmc_create_key_pair_ecdsa()
ckmc_create_signature()
ckmc_verify_signature()
int ckmc_create_key_pair_ecdsa ( const ckmc_ec_type_e  type,
const char *  private_key_alias,
const char *  public_key_alias,
const ckmc_policy_s  policy_private_key,
const ckmc_policy_s  policy_public_key 
)

Creates ECDSA private/public key pair and stores them inside key manager based on each policy.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
If password in the policy is provided, the key is additionally encrypted with the password in the policy.
Parameters:
[in]typeThe type of elliptic curve of ECDSA
[in]private_key_aliasThe name of private key to be stored
[in]public_key_aliasThe name of public key to be stored
[in]policy_private_keyThe policy about how to store a private key securely
[in]policy_public_keyThe policy about how to store a public key securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_DB_ERRORFailed due to other DB transaction unexpectedly
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_create_key_pair_rsa()
ckmc_create_key_pair_dsa()
ckmc_create_signature()
ckmc_verify_signature()
ckmc_ec_type_e
int ckmc_create_key_pair_rsa ( const size_t  size,
const char *  private_key_alias,
const char *  public_key_alias,
const ckmc_policy_s  policy_private_key,
const ckmc_policy_s  policy_public_key 
)

Creates RSA private/public key pair and stores them inside key manager based on each policy.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
If password in the policy is provided, the key is additionally encrypted with the password in the policy.
Parameters:
[in]sizeThe size of key strength to be created. 1024, 2048, and 4096 are supported
[in]private_key_aliasThe name of private key to be stored
[in]public_key_aliasThe name of public key to be stored
[in]policy_private_keyThe policy about how to store a private key securely
[in]policy_public_keyThe policy about how to store a public key securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_DB_ERRORFailed due to other DB transaction unexpectedly
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_create_key_pair_dsa()
ckmc_create_key_pair_ecdsa()
ckmc_create_signature()
ckmc_verify_signature()
int ckmc_create_signature ( const char *  private_key_alias,
const char *  password,
const ckmc_raw_buffer_s  message,
const ckmc_hash_algo_e  hash,
const ckmc_rsa_padding_algo_e  padding,
ckmc_raw_buffer_s **  ppsignature 
)

Creates a signature on a given message using a private key and returns the signature.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
If password of policy is provided during storing a key, the same password should be provided.
You must destroy the newly created ppsignature by calling ckmc_buffer_free() if it is no longer needed.
Parameters:
[in]private_key_aliasThe name of private key
[in]passwordThe password used in decrypting a private key value
[in]messageThe message that is signed with a private key
[in]hashThe hash algorithm used in creating signature. CKMC_HASH_NONE is invalid for DSA & ECDSA
[in]paddingThe RSA padding algorithm used in creating signature. It is used only when the signature algorithm is RSA. If padding is CKMC_NONE_PADDING you must use CKMC_HASH_NONE and the message must be equal to key length
[out]ppsignatureThe pointer to a newly created signature. If an error occurs, *ppsignature will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDDecryption failed because password is incorrect
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_create_key_pair_rsa()
ckmc_create_key_pair_ecdsa()
ckmc_verify_signature()
ckmc_buffer_free()
ckmc_hash_algo_e
ckmc_rsa_padding_algo_e
int ckmc_decrypt_data ( ckmc_param_list_h  params,
const char *  key_alias,
const char *  password,
const ckmc_raw_buffer_s  encrypted,
ckmc_raw_buffer_s **  ppdecrypted 
)

Decrypts data using selected key and algorithm.

Since :
3.0
Remarks:
Key identified by key_alias should exist.
You must destroy ppdecrypted with ckmc_buffer_free().
Parameters:
[in]paramsAlgorithm parameter list handle. You should use the same parameters that were used for encryption. See ckmc_param_list_h and ckmc_algo_type_e for details. Supported algorithms:
[in]key_aliasAlias of the key to be used for encryption
[in]passwordThe password used in decrypting a key value. If password of the policy is provided in ckmc_save_key(), the same password should be provided
[in]encryptedData to be decrypted. CKMC_ALGO_AES_GCM mode requires GCM tag to be appended at the end. In case of AES algorithm the backend may impose limit on the maximum size of processed data (ckmc_backend_get_max_chunk_size()). For RSA the size must be smaller or equal to key size in bytes - 42.
[out]ppdecryptedDecrypted data
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager or the decrypting key
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (missing or invalid mandatory algorithm parameter, GCM tag authentication failed, key or data is wrong, in case of RSA key is wrong or data too long, encrypted = NULL, ppdecrypted = NULL)
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNKey with given alias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDKey decryption failed because password is incorrect
CKMC_ERROR_SERVER_ERRORToo big data size or unsupported GCM mode (32 and 64 bit tag lengths not supported on TEE backend) or internal error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_buffer_free()
ckmc_param_list_new()
ckmc_param_list_free()
ckmc_param_list_set_integer()
ckmc_param_list_set_buffer()
ckmc_generate_new_params()
ckmc_param_list_h
ckmc_param_name_e
ckmc_algo_type_e
int ckmc_deny_access ( const char *  alias,
const char *  accessor 
)

Revokes another application's access to client's application data.

Deprecated:
Deprecated since 2.4. [Use ckmc_set_permission() instead]
Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
Data identified by alias should exist.
Only access previously granted with ckmc_allow_access() can be revoked.
Parameters:
[in]aliasData alias for which access will be revoked
[in]accessorPackage id of the application that will lose access rights
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager or modify permissions
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid or the accessor doesn't have access to alias
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_allow_access()
ckmc_set_permission()
int ckmc_encrypt_data ( ckmc_param_list_h  params,
const char *  key_alias,
const char *  password,
const ckmc_raw_buffer_s  decrypted,
ckmc_raw_buffer_s **  ppencrypted 
)

Encrypts data using selected key and algorithm.

Since :
3.0
Remarks:
Key identified by key_alias should exist.
You must destroy ppencrypted with ckmc_buffer_free().
Parameters:
[in]paramsAlgorithm parameter list handle. See ckmc_param_list_h and ckmc_algo_type_e for details. Supported algorithms:
[in]key_aliasAlias of the key to be used for encryption
[in]passwordThe password used in decrypting a key value. If password of the policy is provided in ckmc_save_key(), the same password should be provided
[in]decryptedData to be encrypted. In case of AES algorithm the backend may impose limit on the maximum size of processed data (ckmc_backend_get_max_chunk_size()). For RSA the size must be smaller or equal to key size in bytes - 42. Example: for 1024 RSA key the maximum data size is 1024/8 - 42 = 86.
[out]ppencryptedEncrypted data. In CKMC_ALGO_AES_GCM mode it includes the GCM tag appended at the end.
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager or the encrypting key
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (missing or invalid mandatory algorithm parameter or RSA data too long, decrypted = NULL, ppencrypted = NULL)
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNKey with given alias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDKey decryption failed because password is incorrect
CKMC_ERROR_SERVER_ERRORToo big data size or unsupported GCM mode (32 and 64 bit tag lengths not supported on TEE backend) or internal error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_buffer_free()
ckmc_param_list_new()
ckmc_param_list_free()
ckmc_param_list_set_integer()
ckmc_param_list_set_buffer()
ckmc_generate_new_params()
ckmc_param_list_h
ckmc_param_name_e
ckmc_algo_type_e
int ckmc_export_wrapped_key ( const ckmc_param_list_h  params,
const char *  wrapping_key_alias,
const char *  wrapping_key_password,
const char *  alias,
const char *  password,
ckmc_key_s **  ppwrapped_key 
)

Wraps one key with another and returns it to the client.

Since :
6.0
Remarks:
The wrapping key must be either symmetric (CKMC_KEY_AES) or public RSA (CKMC_KEY_RSA_PUBLIC).
The ppwrapped_key should be released using ckmc_key_free().
The key denoted by alias can only be CKMC_KEY_AES.
Parameters:
[in]paramsAlgorithm parameter list handle. See ckmc_param_list_h and ckmc_algo_type_e for details. Supported algorithms:
[in]wrapping_key_aliasThe name of the wrapping key
[in]wrapping_key_passwordAn optional password of the wrapping key
[in]aliasThe name of the key to be wrapped and exported
[in]passwordAn optional password used to decrypt the key pointed by alias
[out]ppwrapped_keyThe wrapped key. In CKMC_ALGO_AES_GCM mode it includes the GCM tag appended at the end.
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager, the wrapping key or the key being wrapped
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (missing or invalid mandatory algorithm parameter, GCM tag authentication failed, wrapping_key_alias = NULL, alias = NULL, ppwrapped_key = NULL)
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_UNKNOWNwrapping_key_alias or alias does not exist
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_AUTHENTICATION_FAILEDWrapping key decryption failed because wrapping_key_password is incorrect
CKMC_ERROR_SERVER_ERRORUnknown error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_import_wrapped_key()
ckmc_key_s
ckmc_param_list_h

Retrieves backend information.

Since :
6.0
Remarks:
The newly created ppinfo must be destroyed using ckmc_backend_info_free() when it's no longer needed.
Parameters:
[in]backendBackend identifier
[out]ppinfoBackend information handle
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (backend is invalid, ppinfo = NULL)
CKMC_ERROR_SERVER_ERRORUnknown error
See also:
ckmc_backend_id_e
ckmc_backend_info_h
ckmc_alias_info_get_backend()
ckmc_backend_get_max_chunk_size()
ckmc_backend_info_free()
int ckmc_get_cert ( const char *  alias,
const char *  password,
ckmc_cert_s **  ppcert 
)

Gets a certificate from key manager.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only certificate stored by the client.
A DER encoded certificate will be returned as a return value.
You must destroy the newly created ppcert by calling ckmc_cert_free() if it is no longer needed.
Parameters:
[in]aliasThe name of a certificate to retrieve
[in]passwordThe password used in decrypting a certificate value. If password of policy is provided in ckmc_save_cert(), the same password should be provided
[out]ppcertThe pointer to a newly created ckmc_cert_s handle
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exists
CKMC_ERROR_AUTHENTICATION_FAILEDDecryption failed because password is incorrect
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_cert()
ckmc_remove_alias()
ckmc_get_cert_alias_list()

Gets the information about all the aliases of certificates that the client can access.

Since :
5.5
Remarks:
A client can access only data stored by the client and the entries from system database if it was explicitly permitted to.
You must destroy the newly created ppalias_list by calling ckmc_alias_info_list_all_free() if it is no longer needed.
Parameters:
[out]ppalias_listThe pointer to a newly created ckmc_alias_info_list_s handle containing information about all certificate aliases. If there is no available certificate alias, *ppalias_list will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager or to read the alias list
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_cert()
ckmc_remove_alias()
ckmc_get_cert()
int ckmc_get_cert_alias_list ( ckmc_alias_list_s **  ppalias_list)

Gets all alias of certificates which the client can access.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only data stored by the client.
You must destroy the newly created ppalias_list by calling ckmc_alias_list_all_free() if it is no longer needed.
Parameters:
[out]ppalias_listThe pointer to a newly created ckmc_alias_list_s handle containing all available alias of keys. If there is no available key alias, *ppalias_list will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_cert()
ckmc_remove_alias()
ckmc_get_cert()
int ckmc_get_cert_chain ( const ckmc_cert_s cert,
const ckmc_cert_list_s untrustedcerts,
ckmc_cert_list_s **  ppcert_chain_list 
)

Verifies a certificate chain and returns that chain.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
The trusted root certificate of the chain should exist in the system's certificate storage.
You must destroy the newly created ppcert_chain_list by calling ckmc_cert_list_all_free() if it is no longer needed.
Parameters:
[in]certThe certificate to be verified
[in]untrustedcertsThe untrusted CA certificates to be used in verifying a certificate chain
[out]ppcert_chain_listThe pointer to a newly created certificate chain's handle. If an error occurs, *ppcert_chain_list will be NULL
Returns:
0 on success and the signature is valid, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_VERIFICATION_FAILEDThe certificate chain is not valid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_INVALID_FORMATThe format of certificate is not valid
CKMC_ERROR_AUTHENTICATION_FAILEDDecryption failed because password is incorrect
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_cert_list_all_free()
int ckmc_get_cert_chain_with_alias ( const ckmc_cert_s cert,
const ckmc_alias_list_s untrustedcerts,
ckmc_cert_list_s **  ppcert_chain_list 
)

Verifies a certificate chain using an alias list of untrusted certificates and return that chain.

Deprecated:
Deprecated since 2.4. [Use ckmc_get_cert_chain() instead]
Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
The trusted root certificate of the chain should exist in the system's certificate storage.
You must destroy the newly created ppcert_chain_list by calling ckmc_cert_list_all_free() if it is no longer needed.
untrustedcerts shouldn't be protected with optional password.
Parameters:
[in]certThe certificate to be verified
[in]untrustedcertsThe alias list of untrusted CA certificates stored in key manager to be used in verifying a certificate chain
[out]ppcert_chain_listThe pointer to a newly created certificate chain's handle. If an error occurs, *ppcert_chain_list will be NULL
Returns:
0 on success and the signature is valid, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_VERIFICATION_FAILEDThe certificate chain is not valid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
CKMC_ERROR_INVALID_FORMATThe format of certificate is not valid
CKMC_ERROR_AUTHENTICATION_FAILEDSome certificates were encrypted with password and could not be used
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_get_cert_chain()
ckmc_cert_list_all_free()
int ckmc_get_cert_chain_with_trustedcert ( const ckmc_cert_s cert,
const ckmc_cert_list_s untrustedcerts,
const ckmc_cert_list_s trustedcerts,
const bool  use_trustedsystemcerts,
ckmc_cert_list_s **  ppcert_chain_list 
)

Verifies a certificate chain and returns that chain using user-entered, trusted, and untrusted CA certificates.

Since :
2.4
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
If the trusted root certificates are provided as a user input, these certificates do not need to exist in the system's certificate storage.
You must destroy the newly created ppcert_chain_list by calling ckmc_cert_list_all_free() if it is no longer needed.
Parameters:
[in]certThe certificate to be verified
[in]untrustedcertsThe untrusted CA certificates to be used in verifying a certificate chain
[in]trustedcertsThe trusted CA certificates to be used in verifying a certificate chain
[in]use_trustedsystemcertsThe flag indicating the use of the trusted root certificates in the system's certificate storage
[out]ppcert_chain_listThe pointer to a newly created certificate chain's handle. If an error occurs, *ppcert_chain_list will be NULL
Returns:
0 on success and the signature is valid, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_VERIFICATION_FAILEDThe certificate chain is not valid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_INVALID_FORMATThe format of certificate is not valid
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_cert_list_all_free()
int ckmc_get_data ( const char *  alias,
const char *  password,
ckmc_raw_buffer_s **  ppdata 
)

Gets a data from key manager.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only data stored by the client.
You must destroy the newly created ppdata by calling ckmc_buffer_free() if it is no longer needed.
Parameters:
[in]aliasThe name of a data to retrieve
[in]passwordThe password used in decrypting a data value. If password of policy is provided in ckmc_save_data(), the same password should be provided
[out]ppdataThe pointer to a newly created ckmc_raw_buffer_s handle
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDDecryption failed because password is incorrect
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_data()
ckmc_remove_alias()
ckmc_get_data_alias_list()

Gets the information about all the aliases of data that the client can access.

Since :
5.5
Remarks:
A client can access only data stored by the client and the entries from system database if it was explicitly permitted to.
You must destroy the newly created ppalias_list by calling ckmc_alias_info_list_all_free() if it is no longer needed.
Parameters:
[out]ppalias_listThe pointer to a newly created ckmc_alias_info_list_s handle containing information about all data aliases. If there is no available data alias, *ppalias_list will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager or to read the alias list
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_data()
ckmc_remove_alias()
ckmc_get_data()
int ckmc_get_data_alias_list ( ckmc_alias_list_s **  ppalias_list)

Gets all alias of data which the client can access.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only data stored by the client.
You must destroy the newly created ppalias_list by calling ckmc_alias_list_all_free() if it is no longer needed.
Parameters:
[out]ppalias_listThe pointer to a newly created ckmc_alias_list_s handle containing all available alias of keys. If there is no available key alias, *ppalias_list will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_data()
ckmc_remove_alias()
ckmc_get_data()
int ckmc_get_key ( const char *  alias,
const char *  password,
ckmc_key_s **  ppkey 
)

Gets a key from key manager.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only data stored by the client.
You must destroy the newly created ppkey by calling ckmc_key_free() if it is no longer needed.
Parameters:
[in]aliasThe name of a key to retrieve
[in]passwordThe password used in decrypting a key value. If password of policy is provided in ckmc_save_key(), the same password should be provided
[out]ppkeyThe pointer to a newly created ckmc_key_s handle
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDDecryption failed because password is incorrect
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_key()
ckmc_remove_alias()
ckmc_get_key_alias_list()

Gets the information about all the aliases of keys that the client can access.

Since :
5.5
Remarks:
A client can access only data stored by the client and the entries from system database if it was explicitly permitted to.
You must destroy the newly created ppalias_list by calling ckmc_alias_info_list_all_free() if it is no longer needed.
Parameters:
[out]ppalias_listThe pointer to a newly created ckmc_alias_info_list_s handle containing information about all key aliases. If there is no available key alias, *ppalias_list will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager or to read the alias list
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_key()
ckmc_remove_alias()
ckmc_get_key()
int ckmc_get_key_alias_list ( ckmc_alias_list_s **  ppalias_list)

Gets all the alias of keys that the client can access.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only data stored by the client.
You must destroy the newly created ppalias_list by calling ckmc_alias_list_all_free() if it is no longer needed.
Parameters:
[out]ppalias_listThe pointer to a newly created ckmc_alias_list_s handle containing all available alias of keys. If there is no available key alias, *ppalias_list will be NULL
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_key()
ckmc_remove_alias()
ckmc_get_key()
int ckmc_get_pkcs12 ( const char *  alias,
const char *  key_password,
const char *  cert_password,
ckmc_pkcs12_s **  pkcs12 
)

Gets a pkcs12 from key manager.

Since :
2.4
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
A client can access only data stored by the client.
You must destroy the newly created pkcs12 by calling ckmc_pkcs12_free() if it is no longer needed.
Parameters:
[in]aliasThe name of a data to retrieve
[in]key_passwordPassword that was used to encrypt privateKey (may be NULL)
[in]cert_passwordPassword used to encrypt certificates (may be NULL)
[out]pkcs12The pointer to a newly created ckmc_pkcs12_s handle
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDkey_password or cert_password does not match with password used to encrypt data
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_pkcs12()
ckmc_remove_alias()
int ckmc_import_wrapped_key ( const ckmc_param_list_h  params,
const char *  wrapping_key_alias,
const char *  wrapping_key_password,
const char *  alias,
const ckmc_key_s wrapped_key,
const ckmc_policy_s  policy 
)

Unwraps one key with another and stores it inside key manager.

Since :
6.0
Remarks:
The wrapping key must be either symmetric (CKMC_KEY_AES) or private RSA (CKMC_KEY_RSA_PRIVATE).
key_type in wrapped_key can only be CKMC_KEY_AES.
password in wrapped_key must be set to NULL. There's no need to additionally encrypt a wrapped key.
If password in policy is provided, the stored key is additionally encrypted with it.
If extractable in policy is set to false, the stored key may still be exported in a wrapped form.
Note that the backend may impose limit on the maximum size of wrapped_key (ckmc_backend_get_max_chunk_size()).
Parameters:
[in]paramsAlgorithm parameter list handle. See ckmc_param_list_h and ckmc_algo_type_e for details. Supported algorithms:
[in]wrapping_key_aliasThe name of the wrapping key.
[in]wrapping_key_passwordAn optional password of the wrapping key
[in]aliasThe name of a key to be stored
[in]wrapped_keyThe wrapped key to be unwrapped and stored. CKMC_ALGO_AES_GCM mode requires GCM tag to be appended at the end of the wrapped_key.
[in]policyThe policy about how to store a key securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager, the wrapping key or to create the unwrapped key
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (missing or invalid mandatory algorithm parameter, GCM tag authentication failed, wrapping_key_alias = NULL, alias = NULL, wrapped_key = NULL)
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_UNKNOWNwrapping_key_alias does not exist
CKMC_ERROR_DB_ALIAS_EXISTSalias already exists
CKMC_ERROR_INVALID_FORMATThe format of wrapped_key is not valid
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_AUTHENTICATION_FAILEDWrapping key decryption failed because wrapping_key_password is incorrect
CKMC_ERROR_SERVER_ERRORUnknown error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_export_wrapped_key()
ckmc_key_s
ckmc_param_list_h
ckmc_policy_s
int ckmc_key_derive ( const ckmc_param_list_h  params,
const char *  secret_alias,
const char *  secret_password,
const char *  new_key_alias,
ckmc_policy_s  new_key_policy 
)

Derives a secret or key from another key/secret and stores it inside key manager.

Since :
6.0
Remarks:
In case of CKMC_ALGO_KBKDF algorithm, the secret pointed to by secret_alias must be a binary data or a symmetric key (CKMC_KEY_AES). The derived key pointed to by new_key_alias will be a symmetric one. It will be stored as a CKMC_KEY_AES.
In case of CKMC_ALGO_ECDH algorithm, the key pointed to by secret_alias must be a private EC key (CKMC_KEY_ECDSA_PRIVATE). The derived secret pointed to by new_key_alias will be in binary data form.
Parameters:
[in]paramsAlgorithm parameter list handle. See ckmc_param_list_h and ckmc_algo_type_e for details. Supported algorithms:
[in]secret_aliasAlias of the secret/key to use as an input
[in]secret_passwordOptional password of the secret/key used as an input
[in]new_key_aliasThe name under which the derived key or secret will be stored
[in]new_key_policyPolicy used to store the derived key or secret
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDInsufficient permissions to access key manager, the secret or to create the new key/secret
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid (missing or invalid mandatory algorithm parameter, secret_alias = NULL, new_key_alias = NULL)
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_UNKNOWNsecret_alias does not exist
CKMC_ERROR_DB_ALIAS_EXISTSnew_key_alias already exists
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_AUTHENTICATION_FAILEDSecret decryption failed because secret_password is incorrect
CKMC_ERROR_SERVER_ERRORUnknown error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
Example
int key_derive(const ckmc_raw_buffer_s* peers_public)
{
    int ret;

    const char* const SECRET_ALIAS = "shared_secret";
    const char* const KEY_ALIAS = "derived_key";
    const char* const OURS_PRV_ALIAS = "ours_private";
    const char* const OURS_PUB_ALIAS = "ours_public";

    char label[] = "label";
    char context[] = "context";

    ckmc_param_list_h ecdh_params = nullptr;
    ckmc_param_list_h kbkdf_params = nullptr;
    ckmc_raw_buffer_s* label_buf = nullptr;
    ckmc_raw_buffer_s* context_buf = nullptr;

    ckmc_policy_s unexportable { nullptr, false };
    ckmc_policy_s exportable { nullptr, true };

    // generate EC key pair
    ret = ckmc_create_key_pair_ecdsa(CKMC_EC_PRIME256V1,
                                     OURS_PRV_ALIAS,
                                     OURS_PUB_ALIAS,
                                     unexportable,
                                     exportable);
    if (ret != CKMC_ERROR_NONE)
        return -1;

    // set ECDH params
    ret = ckmc_param_list_new(&ecdh_params);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_integer(ecdh_params, CKMC_PARAM_ALGO_TYPE, CKMC_ALGO_ECDH);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_buffer(ecdh_params, CKMC_PARAM_ECDH_PUBKEY, peers_public);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    // derive shared secret
    ret = ckmc_key_derive(ecdh_params, OURS_PRV_ALIAS, nullptr, SECRET_ALIAS, unexportable);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    // set KBKDF params
    ret = ckmc_param_list_new(&kbkdf_params);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_ALGO_TYPE, CKMC_ALGO_KBKDF);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_KDF_PRF, CKMC_KDF_PRF_HMAC_SHA256);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_KBKDF_MODE, CKMC_KBKDF_MODE_COUNTER);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_integer(kbkdf_params,
                                      CKMC_PARAM_KBKDF_COUNTER_LOCATION,
                                      CKMC_KBKDF_COUNTER_BEFORE_FIXED);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_buffer_new(reinterpret_cast<unsigned char*>(label), strlen(label), &label_buf);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_buffer(kbkdf_params, CKMC_PARAM_KBKDF_LABEL, label_buf);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_buffer_new(reinterpret_cast<unsigned char*>(context), strlen(context), &context_buf);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_buffer(kbkdf_params, CKMC_PARAM_KBKDF_CONTEXT, context_buf);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    ret = ckmc_param_list_set_integer(kbkdf_params, CKMC_PARAM_KDF_LEN, 32);
    if (ret != CKMC_ERROR_NONE)
        goto exit;

    // derive symmetric key
    ret = ckmc_key_derive(kbkdf_params, SECRET_ALIAS, nullptr, KEY_ALIAS, unexportable);

exit:
    ckmc_remove_alias(OURS_PRV_ALIAS);
    ckmc_remove_alias(OURS_PUB_ALIAS);
    ckmc_param_list_free(ecdh_params);
    ckmc_buffer_free(label_buf);
    ckmc_buffer_free(context_buf);
    ckmc_param_list_free(kbkdf_params);
    ckmc_remove_alias(SECRET_ALIAS);
    return ret;
}
See also:
ckmc_param_list_h
ckmc_policy_s
int ckmc_ocsp_check ( const ckmc_cert_list_s pcert_chain_list,
ckmc_ocsp_status_e ocsp_status 
)

Performs OCSP that checks certificate is whether revoked or not.

Since :
2.4
Privilege Level:
public
Privilege:
http://tizen.org/privilege/internet
Remarks:
http://tizen.org/privilege/internet (public level privilege) is required to use this function instead of http://tizen.org/privilege/keymanager (public level privilege) since 3.0.
Parameters:
[in]pcert_chain_listValid certificate chain to perform OCSP check
[out]ocsp_statusThe pointer to status result of OCSP check
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_NOT_SUPPORTEDDevice needed to run API is not supported
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
pcert_chain_list is created with ckmc_get_cert_chain() or ckmc_get_cert_chain_with_alias().
See also:
ckmc_get_cert_chain())
ckmc_cert_list_all_free()
int ckmc_remove_alias ( const char *  alias)

Removes an entry (no matter of type) from the key manager.

Since :
2.4
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
To remove item, client must have remove permission to the specified item.
The item owner can remove by default.
Parameters:
[in]aliasItem alias to be removed
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager or the item to remove
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_key()
ckmc_save_cert()
ckmc_save_data()
ckmc_save_pkcs12()
ckmc_create_key_pair_rsa()
ckmc_create_key_pair_dsa()
ckmc_create_key_pair_ecdsa()
int ckmc_remove_cert ( const char *  alias)

Removes a certificate from key manager.

Deprecated:
Deprecated since 2.4. [Use ckmc_remove_alias() instead]
Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
To remove certificate, client must have remove permission to the specified certificate.
The key owner can remove by default.
Parameters:
[in]aliasThe name of a certificate to be removed
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_cert()
ckmc_get_cert()
ckmc_get_cert_alias_list()
int ckmc_remove_data ( const char *  alias)

Removes a data from key manager.

Deprecated:
Deprecated since 2.4. [Use ckmc_remove_alias() instead]
Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
To remove data, client must have remove permission to the specified data object.
The data owner can remove by default.
Parameters:
[in]aliasThe name of a data to be removed
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_data()
ckmc_get_data()
ckmc_get_data_alias_list()
int ckmc_remove_key ( const char *  alias)

Removes a key from key manager.

Deprecated:
Deprecated since 2.4. [Use ckmc_remove_alias() instead]
Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
To remove key, client must have remove permission to the specified key.
The key owner can remove by default.
Parameters:
[in]aliasThe name of a key to be removed
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to a database error
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_save_key()
ckmc_get_key()
ckmc_get_key_alias_list()
int ckmc_save_cert ( const char *  alias,
const ckmc_cert_s  cert,
const ckmc_policy_s  policy 
)

Stores a certificate inside key manager based on the provided policy.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0
The certificate's binary value will be converted and saved as binary DER encoded certificates.
Parameters:
[in]aliasThe name of a certificate to be stored
[in]certThe certificate's binary value to be stored
[in]policyThe policy about how to store a certificate securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_INVALID_FORMATThe format of raw_cert is not valid
CKMC_ERROR_DB_ERRORFailed due to a database error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_remove_alias()
ckmc_get_cert()
ckmc_get_cert_alias_list()
ckmc_cert_s
ckmc_policy_s
int ckmc_save_data ( const char *  alias,
ckmc_raw_buffer_s  data,
const ckmc_policy_s  policy 
)

Stores a data inside key manager based on the provided policy.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
Parameters:
[in]aliasThe name of a data to be stored
[in]dataThe binary value to be stored
[in]policyThe policy about how to store a data securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_DB_ERRORFailed due to a database error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_remove_alias()
ckmc_get_data()
ckmc_get_data_alias_list()
ckmc_raw_buffer_s
ckmc_policy_s
int ckmc_save_key ( const char *  alias,
const ckmc_key_s  key,
const ckmc_policy_s  policy 
)

Stores a key inside key manager based on the provided policy.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
Currently API supports seven types of keys. These are RSA public/private key, DSA public/private key, ECDSA public/private key, and AES symmetric key.
key_type in key may be set to CKMC_KEY_NONE as an input. key_type is determined inside key manager during storing keys.
Some private key files are protected by a password. If raw_key in key read from those encrypted files is encrypted with a password, the password should be provided in the ckmc_key_s structure.
If password in policy is provided, the key is additionally encrypted with the password in the policy.
Parameters:
[in]aliasThe name of a key to be stored
[in]keyThe key's binary value to be stored
[in]policyThe policy about how to store a key securely
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_INVALID_FORMATThe format of raw_key is not valid
CKMC_ERROR_DB_ERRORFailed due to a database error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_remove_alias()
ckmc_get_key()
ckmc_get_key_alias_list()
ckmc_key_s
ckmc_policy_s
int ckmc_save_pkcs12 ( const char *  alias,
const ckmc_pkcs12_s pkcs,
const ckmc_policy_s  key_policy,
const ckmc_policy_s  cert_policy 
)

Stores PKCS12's contents inside key manager based on the provided policies. All items from the PKCS12 will use the same alias.

Since :
2.4
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
Parameters:
[in]aliasThe name of a data to be stored
[in]pkcsPointer to the pkcs12 structure to be saved
[in]key_policyThe policy about how to store pkcs's private key
[in]cert_policyThe policy about how to store pkcs's certificate
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ALIAS_EXISTSAlias already exists
CKMC_ERROR_DB_ERRORFailed due to a database error
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_remove_alias()
ckmc_get_pkcs12()
ckmc_get_data_alias_list()
ckmc_pkcs12_load()
ckmc_pkcs12_s
ckmc_policy_s
int ckmc_set_permission ( const char *  alias,
const char *  accessor,
int  permissions 
)

Allows another application to access client's application data.

Since :
2.4
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
Data identified by alias should exist.
Parameters:
[in]aliasData alias for which access will be granted
[in]accessorPackage id of the application that will gain access rights
[in]permissionsMask of permissions granted for accessor application (ckmc_permission_e) (previous permission mask will be replaced with the new mask value)
Returns:
0 on success, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager or modify permissions
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
int ckmc_verify_signature ( const char *  public_key_alias,
const char *  password,
const ckmc_raw_buffer_s  message,
const ckmc_raw_buffer_s  signature,
const ckmc_hash_algo_e  hash,
const ckmc_rsa_padding_algo_e  padding 
)

Verifies a given signature on a given message using a public key and returns the signature status.

Since :
2.3
Remarks:
http://tizen.org/privilege/keymanager (public level privilege) is no longer required to use this function since 3.0.
If password of policy is provided during storing a key, the same password should be provided.
Parameters:
[in]public_key_aliasThe name of public key
[in]passwordThe password used in decrypting a public key value
[in]messageThe input on which the signature is created
[in]signatureThe signature that is verified with public key
[in]hashThe hash algorithm used in verifying signature. CKMC_HASH_NONE is invalid for DSA & ECDSA
[in]paddingThe RSA padding algorithm used in verifying signature. It is used only when the signature algorithm is RSA. If padding is CKMC_NONE_PADDING you must use CKMC_HASH_NONE and the message must be equal to key length
Returns:
0 on success and the signature is valid, otherwise a negative error value
Return values:
CKMC_ERROR_NONESuccessful
CKMC_ERROR_PERMISSION_DENIEDFailed to access key manager
CKMC_ERROR_INVALID_PARAMETERInput parameter is invalid
CKMC_ERROR_VERIFICATION_FAILEDThe signature is invalid
CKMC_ERROR_DB_LOCKEDA user key is not loaded in memory (a user is not logged in)
CKMC_ERROR_DB_ERRORFailed due to the error with unknown reason
CKMC_ERROR_DB_ALIAS_UNKNOWNAlias does not exist
CKMC_ERROR_AUTHENTICATION_FAILEDDecryption failed because password is incorrect
Precondition:
User is already logged in and the user key is already loaded into memory in plain text form.
See also:
ckmc_create_key_pair_rsa()
ckmc_create_key_pair_ecdsa()
ckmc_create_signature()
ckmc_hash_algo_e
ckmc_rsa_padding_algo_e