2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file access-control.cpp
18 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
20 * @brief DB access control layer implementation.
22 #include <access-control.h>
23 #include <dpl/log/log.h>
24 #include <ckm/ckm-error.h>
25 #include <ckm/ckm-type.h>
26 #include <openssl/crypto.h>
30 void AccessControl::updateCCMode() {
31 int fipsModeStatus = 0;
35 if (newMode == m_ccMode)
40 fipsModeStatus = FIPS_mode();
43 if (fipsModeStatus == 0) { // If FIPS mode off
44 rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
46 LogError("Error in FIPS_mode_set function");
50 if (fipsModeStatus == 1) { // If FIPS mode on
51 rc = FIPS_mode_set(0); // Change FIPS_mode from on to off
53 LogError("Error in FIPS_mode_set function");
59 bool AccessControl::isCCMode() const
64 int AccessControl::canSave(
65 const Label & ownerLabel,
66 const Label & accessorLabel) const
68 if(ownerLabel != accessorLabel)
69 return CKM_API_ERROR_ACCESS_DENIED;
71 return CKM_API_SUCCESS;
74 int AccessControl::canModify(
75 const Label & ownerLabel,
76 const Label & accessorLabel) const
78 return canSave(ownerLabel, accessorLabel);
81 int AccessControl::canRead(
82 const PermissionForLabel & permissionLabel) const
84 if(permissionLabel & Permission::READ)
85 return CKM_API_SUCCESS;
87 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
90 int AccessControl::canExport(
92 const PermissionForLabel & permissionLabel) const
95 if(CKM_API_SUCCESS != (ec = canRead(permissionLabel)))
98 // check if can export
99 if(row.exportable == 0)
100 return CKM_API_ERROR_NOT_EXPORTABLE;
102 // prevent extracting private keys during cc-mode on
103 if (isCCMode() && row.dataType.isKeyPrivate())
104 return CKM_API_ERROR_BAD_REQUEST;
106 return CKM_API_SUCCESS;
109 int AccessControl::canDelete(
110 const PermissionForLabel & permissionLabel) const
112 if(permissionLabel & Permission::REMOVE)
113 return CKM_API_SUCCESS;
114 if(permissionLabel & Permission::READ)
115 return CKM_API_ERROR_ACCESS_DENIED;
117 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;