/*
* Copyright (c) 2002-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of the License "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description:
* ** IMPORTANT ** PublishedPartner API's in this file are published to 3rd party developers via the
* Symbian website. Changes to these API's should be treated as PublishedAll API changes and the Security TA should be consulted.
*
*/
/**
@file
@publishedPartner
@released
*/
#ifndef __PBE_H__
#define __PBE_H__
#include <e32std.h>
#include <pbebase.h>
class CPBEncryptionData;
class CPBEncryptor;
class CPBDecryptor;
/**
* Password Based Encryption ciphers.
*
* Note that RC2 has an additional key parameter, the "effective key length".
*
* Used in the construction of CPBEncryptElement, CPBEncryptSet, CPBEncryptParms,
* and CPBEncryptionData objects and in the CPBEncryptParms::Cipher() function.
*/
enum TPBECipher
{
/** AES cipher in CBC mode with a supplied key size of 128 bits. */
ECipherAES_CBC_128,
/** AES cipher in CBC mode with a supplied key size of 192 bits. */
ECipherAES_CBC_192,
/** AES cipher in CBC mode with a supplied key size of 256 bits. */
ECipherAES_CBC_256,
/** DES cipher in CBC mode (with a supplied key size of 56 bits). */
ECipherDES_CBC,
/** Triple-DES cipher in CBC mode. */
ECipher3DES_CBC,
/**
* RC2 cipher in CBC mode with a supplied key length of 40 bits.
*
* It has an effective key length of 1024 bits (128 bytes), which is compatible
* with OpenSSL RC2 encryption.
*/
ECipherRC2_CBC_40,
/**
* RC2 cipher in CBC mode with a supplied key length of 128 bits.
*
* It has an effective key length of 1024 bits (128 bytes), which is compatible
* with OpenSSL RC2 encryption.
*/
ECipherRC2_CBC_128,
/**
* RC2 cipher in CBC mode with a supplied key length of 40 bits.
*
* It has an effective key length of 128 bits (16 bytes), which is compatible
* with the RC2 encryption used in PKCS#8 encryption keys generated by OpenSSL
*/
ECipherRC2_CBC_40_16,
/**
* RC2 cipher in CBC mode with a supplied key length of 128 bits.
*
* It has an effective key length of 128 bits (16 bytes), which is compatible
* with the RC2 encryption used in PKCS#8 encryption keys generated by OpenSSL
*/
ECipherRC2_CBC_128_16,
/**
* ARC4 cipher with a supplied key length of 128 bits.
* PKCS#12 PBE encryption algorithm
*/
ECipherARC4_128,
/**
* ARC4 cipher with a supplied key length of 40 bits.
* PKCS#12 PBE encryption algorithm
*/
ECipherARC4_40,
/**
* 2_KeyTriple-DES cipher in CBC mode.
* PKCS#12 PBE encryption algorithm
*/
ECipher2Key3DES_CBC,
/**
* RC2 Cipher in CBC mode with a supplied & effective key length of 40 bits.
* PKCS#12 PBE encryption algorithm
*/
ECipherRC2_CBC_40_5,
};
/**
* Allows the password based encryption and decryption of elements.
* Contains the encryption key and its associated encryption data.
* See the Cryptography api-guide documentation for more information
* and sample code.
*/
class CPBEncryptElement : public CPBEncryptionBase
{
public:
/**
* Creates a new CPBEncryptElement object for encryption of new data.
*
* If strong cryptography is present, a 128 bit AES cipher is used;
* otherwise, for weak cryptography, a 56 bit DES cipher is used.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @return The new CPBEncryptElement object
*/
IMPORT_C static CPBEncryptElement* NewL(const TPBPassword& aPassword);
/**
* Creates a new CPBEncryptElement object for encryption of new data.
*
* If strong cryptography is present, a 128 bit AES cipher is used;
* otherwise, for weak cryptography, a 56 bit DES cipher is used.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* A pointer to the returned object is put onto the cleanup stack.
*
* @param aPassword The user supplied password
* @return The new CPBEncryptElement object
*/
IMPORT_C static CPBEncryptElement* NewLC(const TPBPassword& aPassword);
/**
* Creates a new CPBEncryptElement object for encryption of new data.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @param aCipher The cipher to use
* @return The new CPBEncryptElement object
*/
IMPORT_C static CPBEncryptElement* NewL(const TPBPassword& aPassword,
TPBECipher aCipher);
/**
* Creates a new CPBEncryptElement object for encryption of new data.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* A pointer to the returned object is put onto the cleanup stack.
*
* @param aPassword The user supplied password
* @param aCipher The cipher to use
* @return The new CPBEncryptElement object
*/
IMPORT_C static CPBEncryptElement* NewLC(const TPBPassword& aPassword,
TPBECipher aCipher);
/**
* Creates a new CPBEncryptElement object for encryption of new data.
*
* The symmetric key is derived from the password using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @param aParms An encryption parameter object comprising the cipher,
* salt, IV, and iteration count value.
* @return The new CPBEncryptElement object
*/
IMPORT_C static CPBEncryptElement* NewL(const TPBPassword& aPassword,
const CPBEncryptParms& aParms);
/**
* Creates a new CPBEncryptElement object for encryption of new data.
*
* The symmetric key is derived from the password using TPKCS5KDF::DeriveKeyL().
*
* A pointer to the returned object is put onto the cleanup stack.
*
* @param aPassword The user supplied password
* @param aParms An encryption parameter object comprising the cipher,
* salt, IV, and iteration count value.
* @return The new CPBEncryptElement object
*/
IMPORT_C static CPBEncryptElement* NewLC(const TPBPassword& aPassword,
const CPBEncryptParms& aParms);
/**
* Creates a new CPBEncryptElement object for decryption of existing data.
*
* If the specified password is valid, the function regenerates the encryption key;
* otherwise, it leaves with KErrBadPassphrase.
*
* @param aData The encryption data object
* @param aPassword The user supplied password
* @return The new CPBEncryptElement object
* @leave KErrBadPassphrase If the specified password is incorrect
*/
IMPORT_C static CPBEncryptElement* NewL(const CPBEncryptionData& aData,
const TPBPassword& aPassword);
/**
* Creates a new CPBEncryptElement object for decryption of existing data.
*
* If the specified password is valid, the function regenerates the encryption key;
* otherwise, it leaves with KErrBadPassphrase.
*
* A pointer to the returned object is put onto the cleanup stack.
*
* @param aData The encryption data object
* @param aPassword The user supplied password
* @return The new CPBEncryptElement object
* @leave KErrBadPassphrase If the specified password is incorrect
*/
IMPORT_C static CPBEncryptElement* NewLC(const CPBEncryptionData& aData,
const TPBPassword& aPassword);
/**
* Gets the parameters allowing one to re-create the object with the
* same state at another point in the future.
*
* In order to decrypt any information previously encrypted with this object,
* you <B><I>must</I></B> store this encryption data along with it. Failure
* to do this will result in the permanent loss of the encrypted information.
*
* @return The data allowing one to re-create this object at a later time.
*/
const CPBEncryptionData& EncryptionData(void) const;
/**
* Constructs a CPBEncryptor object allowing the encryption of data.
*
* @return A pointer to a CPBEncryptor object.
* The caller assumes ownership of the returned object.
*/
CPBEncryptor* NewEncryptL(void) const;
/**
* Constructs a CPBEncryptor object allowing the encryption of data.
*
* @return A pointer to a CPBEncryptor object.
* The caller assumes ownership of the returned object.
* The returned pointer is left on the cleanup stack.
*/
CPBEncryptor* NewEncryptLC(void) const;
/**
* Constructs a CPBDecryptor object allowing the decryption of data.
*
* @return A pointer to a CPBDecryptor object.
* The caller assumes ownership of the returned object.
*/
CPBDecryptor* NewDecryptL(void) const;
/**
* Constructs a CPBDecryptor object allowing the decryption of data.
*
* @return A pointer to a CPBDecryptor object.
* The caller assumes ownership of the returned object.
* The returned pointer is left on the cleanup stack.
*/
CPBDecryptor* NewDecryptLC(void) const;
/**
* Gets the maximum output ciphertext length given a specified input plaintext length.
*
* @param aPlaintextLength The plaintext length
* @return The maximum ciphertext length given a plaintext length.
*/
TInt MaxCiphertextLength(TInt aPlaintextLength) const;
/**
* Gets the maximum output plaintext length given a specified input ciphertext length.
*
* @param aCiphertextLength The ciphertext length
* @return The maximum plaintext length given a ciphertext length.
*/
TInt MaxPlaintextLength(TInt aCiphertextLength) const;
/** Destructor */
virtual ~CPBEncryptElement(void);
protected:
/** @internalAll */
void ConstructL(const TDesC8& aPassword);
/** @internalAll */
void ConstructL(const TDesC8& aPassword, const TPBECipher aCipher);
/** @internalAll */
void ConstructL(const TDesC8& aPassword, const CPBEncryptParms& aParms);
/** @internalAll */
void ConstructL(const CPBEncryptionData& aData, const TPBPassword& aPassword);
/** @internalAll */
TBool AuthenticateL(const TPBPassword& aPassword);
/** @internalAll */
void MakeEncryptKeyL(TUint aKeySize, const TDesC8& aPassword);
/** @internalAll */
CPBEncryptElement(void);
protected:
/** The encryption data */
CPBEncryptionData* iData;
/** The derived encryption key */
HBufC8* iEncryptKey;
private:
CPBEncryptElement(const CPBEncryptElement&);
CPBEncryptElement& operator= (const CPBEncryptElement&);
};
/**
* Derived class to allow the efficient password based encryption and
* decryption of multiple elements.
*
* This is useful if one wants random access to an encrypted source consisting
* of multiple independent elements, for example, a database or a store.
*
* Since it is unreasonable to force the decryption of an entire set to allow
* access to just a tiny portion of it, and since it is too costly to derive separate
* keys for each element within the set, a single randomly generated <I>master</I>
* key is used. This master key is encrypted with the password provided by the
* user of the class. Known plaintext attacks against the ciphertext are prevented
* by using a randomly chosen Initialisation Vector (IV) for each element.
*
* Contains the master encryption key.
*
* See the Cryptography api-guide documentation for more information and sample code.
*
* @see CPBEncryptElement
*
* @since v8.0
*/
class CPBEncryptSet : public CPBEncryptElement
{
public:
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* If strong cryptography is present, a 128 bit AES cipher is used;
* otherwise, for weak cryptography, a 56 bit DES cipher is used.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The users password.
* @return A new CPBEncryptSet object
*/
IMPORT_C static CPBEncryptSet* NewL(const TPBPassword& aPassword);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* The returned pointer is put onto the cleanup stack.
*
* If strong cryptography is present, a 128 bit AES cipher is used;
* otherwise, for weak cryptography, a 56 bit DES cipher is used.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @return The new CPBEncryptSet object
*/
IMPORT_C static CPBEncryptSet* NewLC(const TPBPassword& aPassword);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @param aCipher The cipher to use
* @return The new CPBEncryptSet object
*/
IMPORT_C static CPBEncryptSet* NewL(const TPBPassword& aPassword,
TPBECipher aCipher);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* The returned pointer is put onto the cleanup stack.
*
* The symmetric key is derived from the password and a random salt using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @param aCipher The cipher to use
* @return The new CPBEncryptSet object
*/
IMPORT_C static CPBEncryptSet* NewLC(const TPBPassword& aPassword,
TPBECipher aCipher);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* The symmetric key is derived from the password using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @param aParms An encryption parameter object comprising the cipher,
* salt, IV, and iteration count value.
* @return The new CPBEncryptSet object
*/
IMPORT_C static CPBEncryptSet* NewL(const TPBPassword& aPassword,
const CPBEncryptParms& aParms);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* The returned pointer is put onto the cleanup stack.
*
* The symmetric key is derived from the password using TPKCS5KDF::DeriveKeyL().
*
* @param aPassword The user supplied password
* @param aParms An encryption parameter object comprising the cipher,
* salt, IV, and iteration count value.
* @return The new CPBEncryptSet object
*/
IMPORT_C static CPBEncryptSet* NewLC(const TPBPassword& aPassword,
const CPBEncryptParms& aParms);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* If the specified password is valid, the function regenerates the encryption key;
* otherwise, it leaves with KErrBadPassphrase.
*
* @param aData The encryption data object to copy
* @param aEncryptedMasterKey On return, the encrypted master key
* @param aPassword The user supplied password
* @return The new CPBEncryptSet object
* @leave KErrBadPassphrase If the specified password is incorrect
*/
IMPORT_C static CPBEncryptSet* NewL(const CPBEncryptionData& aData,
const TDesC8& aEncryptedMasterKey, const TPBPassword& aPassword);
/**
* Creates a new CPBEncryptSet object for encryption of new data
* (and generates an encrypted master key).
*
* The returned pointer is put onto the cleanup stack.
*
* If the specified password is valid, the function regenerates the encryption key;
* otherwise, it leaves with KErrBadPassphrase.
*
* @param aData The encryption data object to copy
* @param aEncryptedMasterKey On return, the encrypted master key
* @param aPassword The user supplied password
* @return The new CPBEncryptSet object
* @leave KErrBadPassphrase If the specified password is incorrect
*/
IMPORT_C static CPBEncryptSet* NewLC(const CPBEncryptionData& aData,
const TDesC8& aEncryptedMasterKey, const TPBPassword& aPassword);
/**
* Gets the encrypted form of the master key.
*
* This must be stored along with the object returned by CPBEncryptElement::EncryptionData()
* in order for the object to be reconstructed with the same state at
* some time in the future. Failure to do so will result in the permanent
* loss of any information encrypted with this object.
*
* @return The encrypted master key.
*/
IMPORT_C const TDesC8& EncryptedMasterKey(void) const;
/**
* Constructs a CPBEncryptor object based on the state of this object
* (i.e., the cipher and master key) allowing the encryption of data.
*
* @return A pointer to a CPBEncryptor object.
* The caller assumes ownership of the returned object.
*/
CPBEncryptor* NewEncryptL(void) const;
/**
* Constructs a CPBEncryptor object based on the state of this object
* (i.e., the cipher and master key) allowing the encryption of data.
*
* @return A pointer to a CPBEncryptor object.
* The caller assumes ownership of the returned object.
* The returned pointer is left on the cleanup stack.
*/
CPBEncryptor* NewEncryptLC(void) const;
/**
* Constructs a CPBDecryptor object based on the state of this object
* (i.e., the cipher and master key) allowing the decryption of data.
*
* @return A pointer to a CPBDecryptor object.
* The caller assumes ownership of the returned object.
*/
CPBDecryptor* NewDecryptL(void) const;
/**
* Constructs a CPBDecryptor object based on the state of this object
* (i.e., the cipher and master key) allowing the decryption of data.
*
* @return A pointer to a CPBDecryptor object.
* The caller assumes ownership of the returned object.
* The returned pointer is left on the cleanup stack.
*/
CPBDecryptor* NewDecryptLC(void) const;
/**
* Re-encrypts the master key with the specified new password.
*
* @param aNewPassword The new password
*/
IMPORT_C void ChangePasswordL(const TPBPassword& aNewPassword);
/**
* Gets the maximum output ciphertext length given a specified input plaintext length.
*
* @param aPlaintextLength The plaintext length
* @return The maximum ciphertext length given a plaintext length.
*/
TInt MaxCiphertextLength(TInt aPlaintextLength) const;
/**
* Gets the maximum output plaintext length given a specified input ciphertext length.
*
* @param aCiphertextLength The ciphertext length
* @return The maximum plaintext length given a ciphertext length.
*/
TInt MaxPlaintextLength(TInt aCiphertextLength) const;
/** Destructor */
virtual ~CPBEncryptSet(void);
protected:
/** @internalAll */
void ConstructL(const TDesC8& aPassword);
/** @internalAll */
void ConstructL(const TDesC8& aPassword, TPBECipher aCipher);
/** @internalAll */
void ConstructL(const TDesC8& aPassword, const CPBEncryptParms& aParms);
/** @internalAll */
void ConstructMasterKeyL(void);
/** @internalAll */
void ConstructL(const CPBEncryptionData& aData,
const TDesC8& aEncryptedMasterKey, const TPBPassword& aPassword);
/** @internalAll */
void DecryptMasterKeyL(TDes8& aMasterKey) const;
/** @internalAll */
void EncryptMasterKeyL(const TDesC8& aMasterKey);
protected:
/** @internalAll */
CPBEncryptSet(void);
/** The derived encrypted master key*/
HBufC8* iEncryptedMasterKey;
private:
CPBEncryptSet(const CPBEncryptSet&);
CPBEncryptSet& operator= (const CPBEncryptSet&);
};
/**
* Class representing both 8 and 16 bit descriptor passwords.
* Internally these are stored as 8 bit passwords.
*/
class TPBPassword
{
public:
/**
* Sets the password.
*
* Constructs a TPBPassword object with an 8 bit descriptor.
*
* Internally this is represented as an octet byte sequence
* (aka 8 bit TPtrC8 descriptor).
*
* @param aPassword A const reference to an 8 bit descriptor.
* representing the users initial password.
*/
IMPORT_C TPBPassword(const TDesC8& aPassword);
/**
* Sets the password.
*
* Constructs a TPBPassword object with a 16 bit descriptor.
*
* Internally this is represented as an octet byte sequence
* (aka 8 bit TPtrC8 descriptor).
*
* @param aPassword A const reference to a 16 bit descriptor
* representing the users initial password.
*/
IMPORT_C TPBPassword(const TDesC16& aPassword);
/**
* Gets the password.
*
* Gets a const reference to an 8 bit descriptor representing the users
* initial password (which could have been either 8 or 16 bit).
*
* @return A const reference to an 8 bit descriptor.
*/
IMPORT_C const TDesC8& Password(void) const;
private:
TPtrC8 iPassword;
};
#endif