2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
20 * @brief Sample service implementation.
22 #include <dpl/serialization.h>
23 #include <dpl/log/log.h>
24 #include <ckm/ckm-error.h>
25 #include <ckm/ckm-type.h>
26 #include <key-provider.h>
27 #include <file-system.h>
28 #include <CryptoService.h>
29 #include <ckm-logic.h>
33 const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
34 } // anonymous namespace
40 int retCode = FileSystem::init();
41 // TODO what can I do when init went wrong? exit(-1) ??
43 LogError("Fatal error in FileSystem::init()");
46 if (CKM_API_SUCCESS != m_certStore.setSystemCertificateDir(CERT_SYSTEM_DIR)) {
47 LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
50 cc_mode_status = CCModeState::CC_MODE_OFF;
53 CKMLogic::~CKMLogic(){}
55 RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password) {
56 // TODO try catch for all errors that should be supported by error code
57 int retCode = CKM_API_SUCCESS;
60 if (0 == m_userDataMap.count(user) || !(m_userDataMap[user].keyProvider.isInitialized())) {
61 auto &handle = m_userDataMap[user];
63 auto wrappedDomainKEK = fs.getDKEK();
65 if (wrappedDomainKEK.empty()) {
66 wrappedDomainKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
67 fs.saveDKEK(wrappedDomainKEK);
70 handle.keyProvider = KeyProvider(wrappedDomainKEK, password);
72 auto wrappedDatabaseDEK = fs.getDBDEK();
74 if (wrappedDatabaseDEK.empty()) {
75 wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
76 fs.saveDBDEK(wrappedDatabaseDEK);
79 RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
80 handle.database = DBCrypto(fs.getDBPath(), key);
81 handle.crypto = CryptoLogic();
83 // remove data of removed apps during locked state
84 AppLabelVector removedApps = fs.clearRemovedsApps();
85 for(auto& appSmackLabel : removedApps) {
86 handle.database.deleteKey(appSmackLabel);
91 } catch (const KeyProvider::Exception::PassWordError &e) {
92 LogError("Incorrect Password " << e.GetMessage());
93 retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
94 } catch (const KeyProvider::Exception::Base &e) {
95 LogError("Error in KeyProvider " << e.GetMessage());
96 retCode = CKM_API_ERROR_SERVER_ERROR;
97 } catch (const CryptoLogic::Exception::Base &e) {
98 LogError("CryptoLogic error: " << e.GetMessage());
99 retCode = CKM_API_ERROR_SERVER_ERROR;
100 } catch (const CKM::Exception &e) {
101 LogError("CKM::Exception: " << e.GetMessage());
102 retCode = CKM_API_ERROR_SERVER_ERROR;
105 if(retCode != CKM_API_SUCCESS) {
106 // When not successful, UserData in m_userDataMap should be erased.
107 // Because other operations make decision based on the existence of UserData in m_userDataMap.
108 m_userDataMap.erase(user);
111 MessageBuffer response;
112 Serialization::Serialize(response, retCode);
113 return response.Pop();
116 RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) {
118 int retCode = CKM_API_SUCCESS;
120 if((mode_status != CCModeState:: CC_MODE_OFF) && (mode_status != CCModeState:: CC_MODE_ON)) {
121 retCode = CKM_API_ERROR_INPUT_PARAM;
124 cc_mode_status = mode_status;
126 MessageBuffer response;
127 Serialization::Serialize(response, retCode);
128 return response.Pop();
131 RawBuffer CKMLogic::lockUserKey(uid_t user) {
132 int retCode = CKM_API_SUCCESS;
133 // TODO try catch for all errors that should be supported by error code
134 m_userDataMap.erase(user);
136 MessageBuffer response;
137 Serialization::Serialize(response, retCode);
138 return response.Pop();
141 RawBuffer CKMLogic::removeUserData(uid_t user) {
142 int retCode = CKM_API_SUCCESS;
143 // TODO try catch for all errors that should be supported by error code
144 m_userDataMap.erase(user);
149 MessageBuffer response;
150 Serialization::Serialize(response, retCode);
151 return response.Pop();
154 RawBuffer CKMLogic::changeUserPassword(
156 const Password &oldPassword,
157 const Password &newPassword)
159 int retCode = CKM_API_SUCCESS;
162 auto wrappedDomainKEK = fs.getDKEK();
163 if (wrappedDomainKEK.empty()) {
164 retCode = CKM_API_ERROR_BAD_REQUEST;
166 wrappedDomainKEK = KeyProvider::reencrypt(wrappedDomainKEK, oldPassword, newPassword);
167 fs.saveDKEK(wrappedDomainKEK);
169 } catch (const KeyProvider::Exception::PassWordError &e) {
170 LogError("Incorrect Password " << e.GetMessage());
171 retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
172 } catch (const KeyProvider::Exception::Base &e) {
173 LogError("Error in KeyProvider " << e.GetMessage());
174 retCode = CKM_API_ERROR_SERVER_ERROR;
175 } catch (const CKM::Exception &e) {
176 LogError("CKM::Exception: " << e.GetMessage());
177 retCode = CKM_API_ERROR_SERVER_ERROR;
180 MessageBuffer response;
181 Serialization::Serialize(response, retCode);
182 return response.Pop();
185 RawBuffer CKMLogic::resetUserPassword(
187 const Password &newPassword)
189 int retCode = CKM_API_SUCCESS;
191 if (0 == m_userDataMap.count(user)) {
192 retCode = CKM_API_ERROR_BAD_REQUEST;
194 auto &handler = m_userDataMap[user];
196 fs.saveDKEK(handler.keyProvider.getWrappedDomainKEK(newPassword));
199 MessageBuffer response;
200 Serialization::Serialize(response, retCode);
201 return response.Pop();
204 RawBuffer CKMLogic::removeApplicationData(const std::string &smackLabel) {
205 int retCode = CKM_API_SUCCESS;
209 if (smackLabel.empty()) {
210 retCode = CKM_API_ERROR_INPUT_PARAM;
212 UidVector uids = FileSystem::getUIDsFromDBFile();
213 for (auto userId : uids) {
214 if (0 == m_userDataMap.count(userId)) {
215 FileSystem fs(userId);
216 fs.addRemovedApp(smackLabel);
218 auto &handle = m_userDataMap[userId];
219 handle.database.deleteKey(smackLabel);
224 } catch (const DBCrypto::Exception::InternalError &e) {
225 LogError("DBCrypto couldn't remove data: " << e.GetMessage());
226 retCode = CKM_API_ERROR_DB_ERROR;
227 } catch (const DBCrypto::Exception::TransactionError &e) {
228 LogError("DBCrypto transaction failed with message " << e.GetMessage());
229 retCode = CKM_API_ERROR_DB_ERROR;
232 MessageBuffer response;
233 Serialization::Serialize(response, retCode);
234 return response.Pop();
237 int CKMLogic::saveDataHelper(
241 const RawBuffer &key,
242 const PolicySerializable &policy)
244 if (0 == m_userDataMap.count(cred.uid))
245 return CKM_API_ERROR_DB_LOCKED;
247 DBRow row = { alias, cred.smackLabel,
248 policy.extractable, dataType, DBCMAlgType::NONE,
249 0, RawBuffer(), static_cast<int>(key.size()), key, RawBuffer() };
251 auto &handler = m_userDataMap[cred.uid];
252 DBCrypto::Transaction transaction(&handler.database);
253 if (!handler.crypto.haveKey(cred.smackLabel)) {
255 auto key_optional = handler.database.getKey(cred.smackLabel);
257 LogDebug("No Key in database found. Generating new one for label: "
259 key = handler.keyProvider.generateDEK(cred.smackLabel);
260 handler.database.saveKey(cred.smackLabel, key);
262 LogDebug("Key from DB");
266 key = handler.keyProvider.getPureDEK(key);
267 handler.crypto.pushKey(cred.smackLabel, key);
270 // Do not encrypt data with password during cc_mode on
271 if(cc_mode_status == CCModeState::CC_MODE_ON) {
272 handler.crypto.encryptRow("", row);
274 handler.crypto.encryptRow(policy.password, row);
277 handler.database.saveDBRow(row);
278 transaction.commit();
279 return CKM_API_SUCCESS;
282 RawBuffer CKMLogic::saveData(
287 const RawBuffer &key,
288 const PolicySerializable &policy)
290 int retCode = CKM_API_SUCCESS;
292 retCode = saveDataHelper(cred, dataType, alias, key, policy);
293 LogDebug("SaveDataHelper returned: " << retCode);
294 } catch (const KeyProvider::Exception::Base &e) {
295 LogError("KeyProvider failed with message: " << e.GetMessage());
296 retCode = CKM_API_ERROR_SERVER_ERROR;
297 } catch (const CryptoLogic::Exception::Base &e) {
298 LogError("CryptoLogic failed with message: " << e.GetMessage());
299 retCode = CKM_API_ERROR_SERVER_ERROR;
300 } catch (const DBCrypto::Exception::InternalError &e) {
301 LogError("DBCrypto failed with message: " << e.GetMessage());
302 retCode = CKM_API_ERROR_DB_ERROR;
303 } catch (const DBCrypto::Exception::AliasExists &e) {
304 LogError("DBCrypto couldn't save duplicate alias");
305 retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
306 } catch (const DBCrypto::Exception::TransactionError &e) {
307 LogError("DBCrypto transaction failed with message " << e.GetMessage());
308 retCode = CKM_API_ERROR_DB_ERROR;
311 MessageBuffer response;
312 Serialization::Serialize(response, static_cast<int>(LogicCommand::SAVE));
313 Serialization::Serialize(response, commandId);
314 Serialization::Serialize(response, retCode);
315 Serialization::Serialize(response, static_cast<int>(dataType));
317 return response.Pop();
320 RawBuffer CKMLogic::removeData(
326 int retCode = CKM_API_SUCCESS;
328 if (0 < m_userDataMap.count(cred.uid)) {
330 auto erased = m_userDataMap[cred.uid].database.deleteDBRow(alias, cred.smackLabel);
331 // check if the data existed or not
333 LogError("No row for given alias and label");
334 retCode = CKM_API_ERROR_DB_ALIAS_UNKNOWN;
336 } Catch (DBCrypto::Exception::PermissionDenied) {
337 LogError("Error: not enough permissions!");
338 retCode = CKM_API_ERROR_ACCESS_DENIED;
339 } Catch (CKM::Exception) {
340 LogError("Error in deleting row!");
341 retCode = CKM_API_ERROR_DB_ERROR;
344 retCode = CKM_API_ERROR_DB_LOCKED;
347 MessageBuffer response;
348 Serialization::Serialize(response, static_cast<int>(LogicCommand::REMOVE));
349 Serialization::Serialize(response, commandId);
350 Serialization::Serialize(response, retCode);
351 Serialization::Serialize(response, static_cast<int>(dataType));
353 return response.Pop();
356 int CKMLogic::getDataHelper(
360 const Password &password,
363 if (0 == m_userDataMap.count(cred.uid))
364 return CKM_API_ERROR_DB_LOCKED;
366 auto &handler = m_userDataMap[cred.uid];
368 DBCrypto::DBRowOptional row_optional;
369 if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
370 row_optional = handler.database.getDBRow(alias, cred.smackLabel, dataType);
371 } else if ((static_cast<int>(dataType) >= static_cast<int>(DBDataType::DB_KEY_FIRST))
372 && (static_cast<int>(dataType) <= static_cast<int>(DBDataType::DB_KEY_LAST)))
374 row_optional = handler.database.getKeyDBRow(alias, cred.smackLabel);
376 LogError("Unknown type of requested data" << (int)dataType);
377 return CKM_API_ERROR_BAD_REQUEST;
380 LogError("No row for given alias, label and type");
381 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
386 if (!handler.crypto.haveKey(row.smackLabel)) {
388 auto key_optional = handler.database.getKey(row.smackLabel);
390 LogError("No key for given label in database");
391 return CKM_API_ERROR_DB_ERROR;
394 key = handler.keyProvider.getPureDEK(key);
395 handler.crypto.pushKey(cred.smackLabel, key);
397 handler.crypto.decryptRow(password, row);
399 return CKM_API_SUCCESS;
402 RawBuffer CKMLogic::getData(
407 const Password &password)
409 int retCode = CKM_API_SUCCESS;
413 retCode = getDataHelper(cred, dataType, alias, password, row);
414 } catch (const KeyProvider::Exception::Base &e) {
415 LogError("KeyProvider failed with error: " << e.GetMessage());
416 retCode = CKM_API_ERROR_SERVER_ERROR;
417 } catch (const CryptoLogic::Exception::Base &e) {
418 LogError("CryptoLogic failed with message: " << e.GetMessage());
419 retCode = CKM_API_ERROR_SERVER_ERROR;
420 } catch (const DBCrypto::Exception::PermissionDenied &e) {
421 LogError("DBCrypto failed with message: " << e.GetMessage());
422 retCode = CKM_API_ERROR_ACCESS_DENIED;
423 } catch (const DBCrypto::Exception::Base &e) {
424 LogError("DBCrypto failed with message: " << e.GetMessage());
425 retCode = CKM_API_ERROR_DB_ERROR;
428 if (CKM_API_SUCCESS != retCode) {
430 row.dataType = dataType;
433 if ((CKM_API_SUCCESS == retCode) && (row.exportable == 0)) {
435 retCode = CKM_API_ERROR_NOT_EXPORTABLE;
438 // Prevent extracting private keys during cc-mode on
439 if((cc_mode_status == CCModeState::CC_MODE_ON) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || row.dataType == DBDataType::KEY_ECDSA_PRIVATE || row.dataType == DBDataType::KEY_DSA_PRIVATE)) {
441 retCode = CKM_API_ERROR_BAD_REQUEST;
444 MessageBuffer response;
445 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET));
446 Serialization::Serialize(response, commandId);
447 Serialization::Serialize(response, retCode);
448 Serialization::Serialize(response, static_cast<int>(row.dataType));
449 Serialization::Serialize(response, row.data);
450 return response.Pop();
453 RawBuffer CKMLogic::getDataList(
458 int retCode = CKM_API_SUCCESS;
459 AliasVector aliasVector;
461 if (0 < m_userDataMap.count(cred.uid)) {
462 auto &handler = m_userDataMap[cred.uid];
464 if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
465 handler.database.getAliases(cred.smackLabel, dataType, aliasVector);
467 handler.database.getKeyAliases(cred.smackLabel, aliasVector);
469 } Catch (CKM::Exception) {
470 LogError("Failed to get aliases");
471 retCode = CKM_API_ERROR_DB_ERROR;
474 retCode = CKM_API_ERROR_DB_LOCKED;
477 MessageBuffer response;
478 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET_LIST));
479 Serialization::Serialize(response, commandId);
480 Serialization::Serialize(response, retCode);
481 Serialization::Serialize(response, static_cast<int>(dataType));
482 Serialization::Serialize(response, aliasVector);
483 return response.Pop();
487 int CKMLogic::createKeyPairHelper(
489 const KeyType key_type,
490 const int additional_param,
491 const Alias &aliasPrivate,
492 const Alias &aliasPublic,
493 const PolicySerializable &policyPrivate,
494 const PolicySerializable &policyPublic)
496 if (0 >= m_userDataMap.count(cred.uid))
497 return CKM_API_ERROR_DB_LOCKED;
499 auto &handler = m_userDataMap[cred.uid];
504 case KeyType::KEY_RSA_PUBLIC:
505 case KeyType::KEY_RSA_PRIVATE:
506 retCode = CryptoService::createKeyPairRSA(additional_param, prv, pub);
509 case KeyType::KEY_DSA_PUBLIC:
510 case KeyType::KEY_DSA_PRIVATE:
511 retCode = CryptoService::createKeyPairDSA(additional_param, prv, pub);
514 case KeyType::KEY_ECDSA_PUBLIC:
515 case KeyType::KEY_ECDSA_PRIVATE:
516 retCode = CryptoService::createKeyPairECDSA(static_cast<ElipticCurve>(additional_param), prv, pub);
520 return CKM_API_ERROR_INPUT_PARAM;
523 if (CKM_CRYPTO_CREATEKEY_SUCCESS != retCode)
525 LogDebug("CryptoService error with code: " << retCode);
526 return CKM_API_ERROR_SERVER_ERROR; // TODO error code
529 DBCrypto::Transaction transaction(&handler.database);
530 retCode = saveDataHelper(cred,
531 toDBDataType(prv.getType()),
536 if (CKM_API_SUCCESS != retCode)
539 retCode = saveDataHelper(cred,
540 toDBDataType(pub.getType()),
545 if (CKM_API_SUCCESS != retCode)
548 transaction.commit();
553 RawBuffer CKMLogic::createKeyPair(
555 LogicCommand protocol_cmd,
557 const int additional_param,
558 const Alias &aliasPrivate,
559 const Alias &aliasPublic,
560 const PolicySerializable &policyPrivate,
561 const PolicySerializable &policyPublic)
563 int retCode = CKM_API_SUCCESS;
565 KeyType key_type = KeyType::KEY_NONE;
568 case LogicCommand::CREATE_KEY_PAIR_RSA:
569 key_type = KeyType::KEY_RSA_PUBLIC;
571 case LogicCommand::CREATE_KEY_PAIR_DSA:
572 key_type = KeyType::KEY_DSA_PUBLIC;
574 case LogicCommand::CREATE_KEY_PAIR_ECDSA:
575 key_type = KeyType::KEY_ECDSA_PUBLIC;
582 retCode = createKeyPairHelper(
591 } catch (DBCrypto::Exception::AliasExists &e) {
592 LogDebug("DBCrypto error: alias exists: " << e.GetMessage());
593 retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
594 } catch (DBCrypto::Exception::TransactionError &e) {
595 LogDebug("DBCrypto error: transaction error: " << e.GetMessage());
596 retCode = CKM_API_ERROR_DB_ERROR;
597 } catch (CKM::CryptoLogic::Exception::Base &e) {
598 LogDebug("CryptoLogic error: " << e.GetMessage());
599 retCode = CKM_API_ERROR_SERVER_ERROR;
600 } catch (DBCrypto::Exception::InternalError &e) {
601 LogDebug("DBCrypto internal error: " << e.GetMessage());
602 retCode = CKM_API_ERROR_DB_ERROR;
605 MessageBuffer response;
606 Serialization::Serialize(response, static_cast<int>(protocol_cmd));
607 Serialization::Serialize(response, commandId);
608 Serialization::Serialize(response, retCode);
610 return response.Pop();
613 RawBuffer CKMLogic::getCertificateChain(
616 const RawBuffer &certificate,
617 const RawBufferVector &untrustedRawCertVector)
621 CertificateImpl cert(certificate, DataFormat::FORM_DER);
622 CertificateImplVector untrustedCertVector;
623 CertificateImplVector chainVector;
624 RawBufferVector chainRawVector;
626 for (auto &e: untrustedRawCertVector)
627 untrustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
629 LogDebug("Cert is empty: " << cert.empty());
631 int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
633 if (retCode == CKM_API_SUCCESS) {
634 for (auto &e : chainVector)
635 chainRawVector.push_back(e.getDER());
638 MessageBuffer response;
639 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET_CHAIN_CERT));
640 Serialization::Serialize(response, commandId);
641 Serialization::Serialize(response, retCode);
642 Serialization::Serialize(response, chainRawVector);
643 return response.Pop();
646 RawBuffer CKMLogic::getCertificateChain(
649 const RawBuffer &certificate,
650 const AliasVector &aliasVector)
652 int retCode = CKM_API_SUCCESS;
653 RawBufferVector chainRawVector;
655 CertificateImpl cert(certificate, DataFormat::FORM_DER);
656 CertificateImplVector untrustedCertVector;
657 CertificateImplVector chainVector;
661 retCode = CKM_API_ERROR_SERVER_ERROR;
665 for (auto &i: aliasVector) {
666 retCode = getDataHelper(cred, DBDataType::CERTIFICATE, i, Password(), row);
668 if (retCode != CKM_API_SUCCESS)
671 untrustedCertVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
674 retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
676 if (retCode != CKM_API_SUCCESS)
679 for (auto &i: chainVector)
680 chainRawVector.push_back(i.getDER());
682 } catch (const CryptoLogic::Exception::Base &e) {
683 LogError("DBCyptorModule failed with message: " << e.GetMessage());
684 retCode = CKM_API_ERROR_SERVER_ERROR;
685 } catch (const DBCrypto::Exception::PermissionDenied &e) {
686 LogError("DBCrypto failed with message: " << e.GetMessage());
687 retCode = CKM_API_ERROR_ACCESS_DENIED;
688 } catch (const DBCrypto::Exception::Base &e) {
689 LogError("DBCrypto failed with message: " << e.GetMessage());
690 retCode = CKM_API_ERROR_DB_ERROR;
692 LogError("Unknown error.");
696 MessageBuffer response;
697 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET_CHAIN_ALIAS));
698 Serialization::Serialize(response, commandId);
699 Serialization::Serialize(response, retCode);
700 Serialization::Serialize(response, chainRawVector);
701 return response.Pop();
704 RawBuffer CKMLogic::createSignature(
707 const Alias &privateKeyAlias,
708 const Password &password, // password for private_key
709 const RawBuffer &message,
710 const HashAlgorithm hash,
711 const RSAPaddingAlgorithm padding)
717 int retCode = CKM_API_SUCCESS;
721 retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, privateKeyAlias, password, row);
722 if (CKM_API_SUCCESS != retCode) {
723 LogError("getDataHelper return error");
727 KeyImpl keyParsed(row.data, Password());
728 if (keyParsed.empty())
729 retCode = CKM_API_ERROR_SERVER_ERROR;
731 retCode = cs.createSignature(keyParsed, message, hash, padding, signature);
733 } catch (const KeyProvider::Exception::Base &e) {
734 LogError("KeyProvider failed with message: " << e.GetMessage());
735 retCode = CKM_API_ERROR_SERVER_ERROR;
736 } catch (const CryptoLogic::Exception::Base &e) {
737 LogError("CryptoLogic failed with message: " << e.GetMessage());
738 retCode = CKM_API_ERROR_SERVER_ERROR;
739 } catch (const DBCrypto::Exception::PermissionDenied &e) {
740 LogError("DBCrypto failed with message: " << e.GetMessage());
741 retCode = CKM_API_ERROR_ACCESS_DENIED;
742 } catch (const DBCrypto::Exception::Base &e) {
743 LogError("DBCrypto failed with message: " << e.GetMessage());
744 retCode = CKM_API_ERROR_DB_ERROR;
745 } catch (const CKM::Exception &e) {
746 LogError("Unknown CKM::Exception: " << e.GetMessage());
747 retCode = CKM_API_ERROR_SERVER_ERROR;
750 MessageBuffer response;
751 Serialization::Serialize(response, static_cast<int>(LogicCommand::CREATE_SIGNATURE));
752 Serialization::Serialize(response, commandId);
753 Serialization::Serialize(response, retCode);
754 Serialization::Serialize(response, signature);
755 return response.Pop();
758 RawBuffer CKMLogic::verifySignature(
761 const Alias &publicKeyOrCertAlias,
762 const Password &password, // password for public_key (optional)
763 const RawBuffer &message,
764 const RawBuffer &signature,
765 const HashAlgorithm hash,
766 const RSAPaddingAlgorithm padding)
768 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
776 retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, publicKeyOrCertAlias, password, row);
778 if (retCode == CKM_API_SUCCESS) {
779 key = KeyImpl(row.data);
780 } else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
781 retCode = getDataHelper(cred, DBDataType::CERTIFICATE, publicKeyOrCertAlias, password, row);
782 if (retCode != CKM_API_SUCCESS)
784 CertificateImpl cert(row.data, DataFormat::FORM_DER);
785 key = cert.getKeyImpl();
791 retCode = CKM_API_ERROR_SERVER_ERROR;
795 retCode = cs.verifySignature(key, message, signature, hash, padding);
797 } catch (const CryptoService::Exception::Crypto_internal &e) {
798 LogError("KeyProvider failed with message: " << e.GetMessage());
799 retCode = CKM_API_ERROR_SERVER_ERROR;
800 } catch (const CryptoService::Exception::opensslError &e) {
801 LogError("KeyProvider failed with message: " << e.GetMessage());
802 retCode = CKM_API_ERROR_SERVER_ERROR;
803 } catch (const KeyProvider::Exception::Base &e) {
804 LogError("KeyProvider failed with error: " << e.GetMessage());
805 retCode = CKM_API_ERROR_SERVER_ERROR;
806 } catch (const CryptoLogic::Exception::Base &e) {
807 LogError("CryptoLogic failed with message: " << e.GetMessage());
808 retCode = CKM_API_ERROR_SERVER_ERROR;
809 } catch (const DBCrypto::Exception::PermissionDenied &e) {
810 LogError("DBCrypto failed with message: " << e.GetMessage());
811 retCode = CKM_API_ERROR_ACCESS_DENIED;
812 } catch (const DBCrypto::Exception::Base &e) {
813 LogError("DBCrypto failed with message: " << e.GetMessage());
814 retCode = CKM_API_ERROR_DB_ERROR;
815 } catch (const CKM::Exception &e) {
816 LogError("Unknown CKM::Exception: " << e.GetMessage());
817 retCode = CKM_API_ERROR_SERVER_ERROR;
820 MessageBuffer response;
821 Serialization::Serialize(response, static_cast<int>(LogicCommand::VERIFY_SIGNATURE));
822 Serialization::Serialize(response, commandId);
823 Serialization::Serialize(response, retCode);
825 return response.Pop();
828 RawBuffer CKMLogic::allowAccess(
832 const Alias &item_alias,
833 const std::string &accessor_label,
834 const AccessRight req_rights)
836 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
838 if (0 < m_userDataMap.count(cred.uid))
841 retCode = m_userDataMap[cred.uid].database.setAccessRights(cred.smackLabel, item_alias, accessor_label, req_rights);
842 } Catch (DBCrypto::Exception::InvalidArgs) {
843 LogError("Error: invalid args!");
844 retCode = CKM_API_ERROR_INPUT_PARAM;
845 } Catch (DBCrypto::Exception::PermissionDenied) {
846 LogError("Error: not enough permissions!");
847 retCode = CKM_API_ERROR_ACCESS_DENIED;
848 } Catch (CKM::Exception) {
849 LogError("Error in set row!");
850 retCode = CKM_API_ERROR_DB_ERROR;
853 retCode = CKM_API_ERROR_DB_LOCKED;
856 MessageBuffer response;
857 Serialization::Serialize(response, command);
858 Serialization::Serialize(response, msgID);
859 Serialization::Serialize(response, retCode);
861 return response.Pop();
864 RawBuffer CKMLogic::denyAccess(
868 const Alias &item_alias,
869 const std::string &accessor_label)
871 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
873 if (0 < m_userDataMap.count(cred.uid))
876 retCode = m_userDataMap[cred.uid].database.clearAccessRights(cred.smackLabel, item_alias, accessor_label);
877 } Catch (DBCrypto::Exception::PermissionDenied) {
878 LogError("Error: not enough permissions!");
879 retCode = CKM_API_ERROR_ACCESS_DENIED;
880 } Catch (DBCrypto::Exception::InvalidArgs) {
881 LogError("Error: permission not found!");
882 retCode = CKM_API_ERROR_INPUT_PARAM;
883 } Catch (CKM::Exception) {
884 LogError("Error in deleting row!");
885 retCode = CKM_API_ERROR_DB_ERROR;
888 retCode = CKM_API_ERROR_DB_LOCKED;
891 MessageBuffer response;
892 Serialization::Serialize(response, command);
893 Serialization::Serialize(response, msgID);
894 Serialization::Serialize(response, retCode);
896 return response.Pop();