src/manager/service/ckm-logic.cpp

   1 /*
   2  *  Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  *
  17  * @file        ckm-logic.cpp
  18  * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
  19  * @version     1.0
  20  * @brief       Sample service implementation.
  21  */
  22 #include <dpl/serialization.h>
  23 #include <dpl/log/log.h>
  24 #include <ckm/ckm-error.h>
  25 #include <ckm/ckm-type.h>
  26 #include <key-provider.h>
  27 #include <file-system.h>
  28 #include <ckm-logic.h>
  29 #include <key-impl.h>
  30 #include <key-aes-impl.h>
  31 #include <certificate-config.h>
  32 #include <certificate-store.h>
  33 #include <algorithm>
  34 #include <sw-backend/store.h>
  35 #include <generic-backend/exception.h>
  36 #include <ss-migrate.h>
  37
  38 namespace {
  39 const char *const CERT_SYSTEM_DIR          = CA_CERTS_DIR;
  40 const char *const DEFAULT_UNLOCK_STRING    = "cAtRugU7";
  41
  42 bool isClientValid(const CKM::ClientId &client)
  43 {
  44         if (client.find(CKM::ALIAS_SEPARATOR) != CKM::ClientId::npos)
  45                 return false;
  46
  47         return true;
  48 }
  49
  50 bool isNameValid(const CKM::Name &name)
  51 {
  52         if (name.find(CKM::ALIAS_SEPARATOR) != CKM::Name::npos)
  53                 return false;
  54
  55         return true;
  56 }
  57
  58 // keypair data type, having private key data type and public key data type
  59 // private is assumed to be .first, public .second
  60 using DataTypePair = std::pair<CKM::DataType, CKM::DataType>;
  61
  62 const std::map<CKM::AlgoType, DataTypePair> ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP = {
  63         { CKM::AlgoType::RSA_GEN,       { CKM::DataType(CKM::KeyType::KEY_RSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_RSA_PUBLIC) } },
  64         { CKM::AlgoType::DSA_GEN,       { CKM::DataType(CKM::KeyType::KEY_DSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_DSA_PUBLIC) } },
  65         { CKM::AlgoType::ECDSA_GEN,     { CKM::DataType(CKM::KeyType::KEY_ECDSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_ECDSA_PUBLIC) } },
  66 };
  67
  68 } // anonymous namespace
  69
  70 namespace CKM {
  71
  72 namespace {
  73
  74 template <int ERROR_ON_CKM_EXCEPTION = CKM_API_ERROR_SERVER_ERROR, class F>
  75 int tryRet(F &&f)
  76 {
  77         try {
  78                 static_assert(sizeof(int) == sizeof std::forward<F>(f)());
  79                 return std::forward<F>(f)();
  80         } catch (const Exc::Exception &e) {
  81                 return e.error();
  82         } catch (const CKM::Exception &e) {
  83                 LogError("CKM::Exception: " << e.GetMessage());
  84                 return ERROR_ON_CKM_EXCEPTION;
  85         }
  86 }
  87
  88 int toBinaryData(const Crypto::Data &input, Crypto::Data &output)
  89 {
  90         // verify the data integrity
  91         if (input.type.isKey()) {
  92                 KeyShPtr output_key;
  93
  94                 if (input.type.isSKey())
  95                         output_key = CKM::Key::createAES(input.data);
  96                 else
  97                         output_key = CKM::Key::create(input.data);
  98
  99                 if (output_key.get() == NULL) {
 100                         LogDebug("provided binary data is not valid key data");
 101                         return CKM_API_ERROR_INPUT_PARAM;
 102                 }
 103
 104                 output = std::move(Crypto::Data(input.type, output_key->getDER()));
 105         } else if (input.type.isCertificate() || input.type.isChainCert()) {
 106                 CertificateShPtr cert = CKM::Certificate::create(input.data,
 107                                                                 DataFormat::FORM_DER);
 108
 109                 if (cert.get() == NULL) {
 110                         LogDebug("provided binary data is not valid certificate data");
 111                         return CKM_API_ERROR_INPUT_PARAM;
 112                 }
 113
 114                 output = std::move(Crypto::Data(input.type, cert->getDER()));
 115         } else {
 116                 output = input;
 117         }
 118
 119         // TODO: add here BINARY_DATA verification, i.e: max size etc.
 120         return CKM_API_SUCCESS;
 121 }
 122
 123 int verifyBinaryData(Crypto::Data &input)
 124 {
 125         Crypto::Data dummy;
 126         return toBinaryData(input, dummy);
 127 }
 128
 129 int readSingleRow(const Name &name,
 130                 const ClientId &owner,
 131                 DataType dataType,
 132                 DB::Crypto &database,
 133                 DB::Row &row)
 134 {
 135         DB::Crypto::RowOptional row_optional;
 136
 137         if (dataType.isKey()) {
 138                 // read all key types
 139                 row_optional = database.getRow(name,
 140                                                                            owner,
 141                                                                            DataType::DB_KEY_FIRST,
 142                                                                            DataType::DB_KEY_LAST);
 143         } else {
 144                 // read anything else
 145                 row_optional = database.getRow(name,
 146                                                                            owner,
 147                                                                            dataType);
 148         }
 149
 150         if (!row_optional) {
 151                 LogDebug("No row for given name, owner and type");
 152                 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
 153         } else {
 154                 row = *row_optional;
 155         }
 156
 157         return CKM_API_SUCCESS;
 158 }
 159
 160 int readMultiRow(const Name &name,
 161                 const ClientId &owner,
 162                 DataType dataType,
 163                 DB::Crypto &database,
 164                 DB::RowVector &output)
 165 {
 166         if (dataType.isKey())
 167                 // read all key types
 168                 database.getRows(name,
 169                                                  owner,
 170                                                  DataType::DB_KEY_FIRST,
 171                                                  DataType::DB_KEY_LAST,
 172                                                  output);
 173         else if (dataType.isChainCert())
 174                 // read all key types
 175                 database.getRows(name,
 176                                                  owner,
 177                                                  DataType::DB_CHAIN_FIRST,
 178                                                  DataType::DB_CHAIN_LAST,
 179                                                  output);
 180         else
 181                 // read anything else
 182                 database.getRows(name,
 183                                                  owner,
 184                                                  dataType,
 185                                                  output);
 186
 187         if (!output.size()) {
 188                 LogDebug("No row for given name, owner and type");
 189                 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
 190         }
 191
 192         return CKM_API_SUCCESS;
 193 }
 194
 195 int loadAppKey(UserData &handle, const ClientId &owner)
 196 {
 197         if (!handle.crypto.haveKey(owner)) {
 198                 RawBuffer key;
 199                 auto key_optional = handle.database.getKey(owner);
 200
 201                 if (!key_optional) {
 202                         LogError("No key for given owner in database");
 203                         return CKM_API_ERROR_DB_ERROR;
 204                 }
 205
 206                 key = *key_optional;
 207                 key = handle.keyProvider.getPureDEK(key);
 208                 handle.crypto.pushKey(owner, key);
 209         }
 210
 211         return CKM_API_SUCCESS;
 212 }
 213
 214 } // namespace
 215
 216 const uid_t CKMLogic::SYSTEM_DB_UID = 0;
 217 const uid_t CKMLogic::ADMIN_USER_DB_UID = 5001;
 218
 219 CKMLogic::CKMLogic()
 220 {
 221         CertificateConfig::addSystemCertificateDir(CERT_SYSTEM_DIR);
 222
 223         m_accessControl.updateCCMode();
 224 }
 225
 226 CKMLogic::~CKMLogic() {}
 227
 228 void CKMLogic::loadDKEKFile(uid_t user, const Password &password)
 229 {
 230         auto &handle = m_userDataMap[user];
 231
 232         FileSystem fs(user);
 233
 234         auto wrappedDKEK = fs.getDKEK();
 235
 236         if (wrappedDKEK.empty()) {
 237                 wrappedDKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
 238                 fs.saveDKEK(wrappedDKEK);
 239         }
 240
 241         handle.keyProvider = KeyProvider(wrappedDKEK, password);
 242 }
 243
 244 void CKMLogic::saveDKEKFile(uid_t user, const Password &password)
 245 {
 246         auto &handle = m_userDataMap[user];
 247
 248         FileSystem fs(user);
 249         fs.saveDKEK(handle.keyProvider.getWrappedDomainKEK(password));
 250 }
 251
 252 void CKMLogic::migrateSecureStorageData(bool isAdminUser)
 253 {
 254         SsMigration::migrate(isAdminUser, [this](const std::string &name,
 255                                                                                          const Crypto::Data &data,
 256                                                                                          bool adminUserFlag) {
 257                 LogInfo("Migrate data called with  name: " << name);
 258                 auto ownerId = adminUserFlag ? CLIENT_ID_ADMIN_USER : CLIENT_ID_SYSTEM;
 259                 auto uid = adminUserFlag ? ADMIN_USER_DB_UID : SYSTEM_DB_UID;
 260
 261                 int ret = verifyAndSaveDataHelper(Credentials(uid, ownerId), name, ownerId, data,
 262                                                                                   PolicySerializable());
 263
 264                 if (ret == CKM_API_ERROR_DB_ALIAS_EXISTS)
 265                         LogWarning("Alias already exist for migrated name: " << name);
 266                 else if (ret != CKM_API_SUCCESS)
 267                         LogError("Failed to migrate secure-storage data. name: " << name <<
 268                                          " ret: " << ret);
 269         });
 270 }
 271
 272 int CKMLogic::unlockDatabase(uid_t user, const Password &password)
 273 {
 274         if (0 < m_userDataMap.count(user) &&
 275                         m_userDataMap[user].keyProvider.isInitialized())
 276                 return CKM_API_SUCCESS;
 277
 278         int retCode = tryRet([&] {
 279                 auto &handle = m_userDataMap[user];
 280
 281                 FileSystem fs(user);
 282                 loadDKEKFile(user, password);
 283
 284                 auto wrappedDatabaseDEK = fs.getDBDEK();
 285
 286                 if (wrappedDatabaseDEK.empty()) {
 287                         wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
 288                         fs.saveDBDEK(wrappedDatabaseDEK);
 289                 }
 290
 291                 RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
 292
 293                 handle.database = DB::Crypto(fs.getLegacyDBPath(), fs.getDBPath(), key);
 294                 handle.crypto = CryptoLogic();
 295
 296                 if (!m_accessControl.isSystemService(user)) {
 297                         // remove data of removed apps during locked state
 298                         ClientIdVector removedApps = fs.clearRemovedsApps();
 299
 300                         for (auto &app : removedApps) {
 301                                 handle.crypto.removeKey(app);
 302                                 handle.database.deleteKey(app);
 303                         }
 304                 }
 305
 306                 if (user == SYSTEM_DB_UID && SsMigration::hasData())
 307                         migrateSecureStorageData(false);
 308                 else if (user == ADMIN_USER_DB_UID && SsMigration::hasData())
 309                         migrateSecureStorageData(true);
 310
 311                 return CKM_API_SUCCESS;
 312         });
 313
 314         if (CKM_API_SUCCESS != retCode)
 315                 m_userDataMap.erase(user);
 316
 317         return retCode;
 318 }
 319
 320 int CKMLogic::unlockSystemDB()
 321 {
 322         return unlockDatabase(SYSTEM_DB_UID, DEFAULT_UNLOCK_STRING);
 323 }
 324
 325 UserData &CKMLogic::selectDatabase(const Credentials &cred,
 326                                                                    const ClientId &explicitOwner)
 327 {
 328         // if user trying to access system service - check:
 329         //    * if user database is unlocked [mandatory]
 330         //    * if not - proceed with regular user database
 331         //    * if explicit system database owner given -> switch to system DB
 332         if (!m_accessControl.isSystemService(cred)) {
 333                 if (0 == m_userDataMap.count(cred.clientUid))
 334                         ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked");
 335
 336                 if (0 != explicitOwner.compare(CLIENT_ID_SYSTEM))
 337                         return m_userDataMap[cred.clientUid];
 338         }
 339
 340         // system database selected, modify the owner id
 341         if (CKM_API_SUCCESS != unlockSystemDB())
 342                 ThrowErr(Exc::DatabaseLocked, "can not unlock system database");
 343
 344         return m_userDataMap[SYSTEM_DB_UID];
 345 }
 346
 347 RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password)
 348 {
 349         int retCode = CKM_API_SUCCESS;
 350
 351         if (!m_accessControl.isSystemService(user))
 352                 retCode = unlockDatabase(user, password);
 353         else // do not allow lock/unlock operations for system users
 354                 retCode = CKM_API_ERROR_INPUT_PARAM;
 355
 356         return SerializeMessage(retCode);
 357 }
 358
 359 RawBuffer CKMLogic::updateCCMode()
 360 {
 361         m_accessControl.updateCCMode();
 362         return SerializeMessage(CKM_API_SUCCESS);
 363 }
 364
 365 RawBuffer CKMLogic::lockUserKey(uid_t user)
 366 {
 367         int retCode = CKM_API_SUCCESS;
 368
 369         if (!m_accessControl.isSystemService(user))
 370                 m_userDataMap.erase(user);
 371         else // do not allow lock/unlock operations for system users
 372                 retCode = CKM_API_ERROR_INPUT_PARAM;
 373
 374         return SerializeMessage(retCode);
 375 }
 376
 377 RawBuffer CKMLogic::removeUserData(uid_t user)
 378 {
 379         if (m_accessControl.isSystemService(user))
 380                 user = SYSTEM_DB_UID;
 381
 382         m_userDataMap.erase(user);
 383
 384         const int retCode = FileSystem(user).removeUserData()
 385                 ? CKM_API_ERROR_FILE_SYSTEM
 386                 : CKM_API_SUCCESS;
 387
 388         return SerializeMessage(retCode);
 389 }
 390
 391 int CKMLogic::changeUserPasswordHelper(uid_t user,
 392                                                                            const Password &oldPassword,
 393                                                                            const Password &newPassword)
 394 {
 395         // do not allow to change system database password
 396         if (m_accessControl.isSystemService(user))
 397                 return CKM_API_ERROR_INPUT_PARAM;
 398
 399         loadDKEKFile(user, oldPassword);
 400         saveDKEKFile(user, newPassword);
 401
 402         return CKM_API_SUCCESS;
 403 }
 404
 405 RawBuffer CKMLogic::changeUserPassword(
 406         uid_t user,
 407         const Password &oldPassword,
 408         const Password &newPassword)
 409 {
 410         return SerializeMessage(tryRet([&] {
 411                 return changeUserPasswordHelper(user, oldPassword, newPassword);
 412         }));
 413 }
 414
 415 int CKMLogic::resetUserPasswordHelper(
 416         uid_t user,
 417         const Password &newPassword)
 418 {
 419         // do not allow to reset system database password
 420         if (m_accessControl.isSystemService(user))
 421                 return CKM_API_ERROR_INPUT_PARAM;
 422
 423         int retCode = CKM_API_SUCCESS;
 424
 425         if (0 == m_userDataMap.count(user)) {
 426                 // Check if key exists. If exists we must return error
 427                 FileSystem fs(user);
 428                 auto wrappedDKEKMain = fs.getDKEK();
 429
 430                 if (!wrappedDKEKMain.empty())
 431                         retCode = CKM_API_ERROR_BAD_REQUEST;
 432         } else {
 433                 saveDKEKFile(user, newPassword);
 434         }
 435
 436         return retCode;
 437 }
 438
 439 RawBuffer CKMLogic::resetUserPassword(
 440         uid_t user,
 441         const Password &newPassword)
 442 {
 443         return SerializeMessage(tryRet([&] {
 444                 return resetUserPasswordHelper(user, newPassword);
 445         }));
 446 }
 447
 448 RawBuffer CKMLogic::removeApplicationData(const ClientId &owner)
 449 {
 450         return SerializeMessage(tryRet([&] {
 451                 if (owner.empty())
 452                         return CKM_API_ERROR_INPUT_PARAM;
 453
 454                 UidVector uids = FileSystem::getUIDsFromDBFile();
 455
 456                 for (auto userId : uids) {
 457                         if (0 == m_userDataMap.count(userId)) {
 458                                 FileSystem fs(userId);
 459                                 fs.addRemovedApp(owner);
 460                         } else {
 461                                 auto &handle = m_userDataMap[userId];
 462                                 handle.crypto.removeKey(owner);
 463                                 handle.database.deleteKey(owner);
 464                         }
 465                 }
 466
 467                 return CKM_API_SUCCESS;
 468         }));
 469 }
 470
 471 int CKMLogic::checkSaveConditions(
 472         const Credentials &accessorCred,
 473         UserData &handler,
 474         const Name &name,
 475         const ClientId &owner)
 476 {
 477         // verify name and client are correct
 478         if (!isNameValid(name) || !isClientValid(owner)) {
 479                 LogDebug("Invalid parameter passed to key-manager");
 480                 return CKM_API_ERROR_INPUT_PARAM;
 481         }
 482
 483         // check if accessor is allowed to save owner's items
 484         int access_ec = m_accessControl.canSave(accessorCred, owner);
 485
 486         if (access_ec != CKM_API_SUCCESS) {
 487                 LogDebug("accessor " << accessorCred.client << " can not save rows owned by " <<
 488                                  owner);
 489                 return access_ec;
 490         }
 491
 492         // check if not a duplicate
 493         if (handler.database.isNameOwnerPresent(name, owner))
 494                 return CKM_API_ERROR_DB_ALIAS_EXISTS;
 495
 496         // encryption section
 497         if (!handler.crypto.haveKey(owner)) {
 498                 RawBuffer got_key;
 499                 auto key_optional = handler.database.getKey(owner);
 500
 501                 if (!key_optional) {
 502                         LogDebug("No Key in database found. Generating new one for client: " <<
 503                                          owner);
 504                         got_key = handler.keyProvider.generateDEK(owner);
 505                         handler.database.saveKey(owner, got_key);
 506                 } else {
 507                         LogDebug("Key from DB");
 508                         got_key = *key_optional;
 509                 }
 510
 511                 got_key = handler.keyProvider.getPureDEK(got_key);
 512                 handler.crypto.pushKey(owner, got_key);
 513         }
 514
 515         return CKM_API_SUCCESS;
 516 }
 517
 518 DB::Row CKMLogic::createEncryptedRow(
 519         CryptoLogic &crypto,
 520         const Name &name,
 521         const ClientId &owner,
 522         const Crypto::Data &data,
 523         const Policy &policy)
 524 {
 525         Crypto::GStore &store = m_decider.getStore(data.type, policy);
 526
 527         // do not encrypt data with password during cc_mode on
 528         Token token = store.import(data,
 529                                                            m_accessControl.isCCMode() ? "" : policy.password,
 530                                                            Crypto::EncryptionParams());
 531         DB::Row row(std::move(token), name, owner,
 532                                 static_cast<int>(policy.extractable));
 533         crypto.encryptRow(row);
 534         return row;
 535 }
 536
 537 int CKMLogic::verifyAndSaveDataHelper(
 538         const Credentials &cred,
 539         const Name &name,
 540         const ClientId &explicitOwner,
 541         const Crypto::Data &data,
 542         const PolicySerializable &policy)
 543 {
 544         return tryRet([&] {
 545                 // check if data is correct
 546                 Crypto::Data binaryData;
 547                 int retCode = toBinaryData(data, binaryData);
 548
 549                 return retCode != CKM_API_SUCCESS
 550                         ? retCode
 551                         : saveDataHelper(cred, name, explicitOwner, binaryData, policy);
 552         });
 553 }
 554
 555 int CKMLogic::getKeyForService(
 556         const Credentials &cred,
 557         const Name &name,
 558         const ClientId &explicitOwner,
 559         const Password &pass,
 560         Crypto::GObjShPtr &key)
 561 {
 562         return tryRet([&] {
 563                 // Key is for internal service use. It won't be exported to the client
 564                 Crypto::GObjUPtr obj;
 565                 int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
 566                                                                          pass, obj);
 567
 568                 if (retCode == CKM_API_SUCCESS)
 569                         key = std::move(obj);
 570
 571                 return retCode;
 572         });
 573 }
 574
 575 RawBuffer CKMLogic::saveData(
 576         const Credentials &cred,
 577         int msgId,
 578         const Name &name,
 579         const ClientId &explicitOwner,
 580         const Crypto::Data &data,
 581         const PolicySerializable &policy)
 582 {
 583         int retCode = verifyAndSaveDataHelper(cred, name, explicitOwner, data, policy);
 584         return SerializeMessage(msgId, retCode, data.type);
 585 }
 586
 587 int CKMLogic::extractPKCS12Data(
 588         CryptoLogic &crypto,
 589         const Name &name,
 590         const ClientId &owner,
 591         const PKCS12Serializable &pkcs,
 592         const PolicySerializable &keyPolicy,
 593         const PolicySerializable &certPolicy,
 594         DB::RowVector &output)
 595 {
 596         // private key is mandatory
 597         auto key = pkcs.getKey();
 598
 599         if (!key) {
 600                 LogError("Failed to get private key from pkcs");
 601                 return CKM_API_ERROR_INVALID_FORMAT;
 602         }
 603
 604         Crypto::Data keyData(DataType(key->getType()), key->getDER());
 605         int retCode = verifyBinaryData(keyData);
 606
 607         if (retCode != CKM_API_SUCCESS)
 608                 return retCode;
 609
 610         output.push_back(createEncryptedRow(crypto, name, owner, keyData,
 611                                                                                 keyPolicy));
 612
 613         // certificate is mandatory
 614         auto cert = pkcs.getCertificate();
 615
 616         if (!cert) {
 617                 LogError("Failed to get certificate from pkcs");
 618                 return CKM_API_ERROR_INVALID_FORMAT;
 619         }
 620
 621         Crypto::Data certData(DataType::CERTIFICATE, cert->getDER());
 622         retCode = verifyBinaryData(certData);
 623
 624         if (retCode != CKM_API_SUCCESS)
 625                 return retCode;
 626
 627         output.push_back(createEncryptedRow(crypto, name, owner, certData,
 628                                                                                 certPolicy));
 629
 630         // CA cert chain
 631         unsigned int cert_index = 0;
 632
 633         for (const auto &ca : pkcs.getCaCertificateShPtrVector()) {
 634                 Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++),
 635                                                                 ca->getDER());
 636                 int retCode = verifyBinaryData(caCertData);
 637
 638                 if (retCode != CKM_API_SUCCESS)
 639                         return retCode;
 640
 641                 output.push_back(createEncryptedRow(crypto, name, owner, caCertData,
 642                                                                                         certPolicy));
 643         }
 644
 645         return CKM_API_SUCCESS;
 646 }
 647
 648 RawBuffer CKMLogic::savePKCS12(
 649         const Credentials &cred,
 650         int msgId,
 651         const Name &name,
 652         const ClientId &explicitOwner,
 653         const PKCS12Serializable &pkcs,
 654         const PolicySerializable &keyPolicy,
 655         const PolicySerializable &certPolicy)
 656 {
 657         return SerializeMessage(msgId, tryRet([&] {
 658                 return saveDataHelper(cred, name, explicitOwner, pkcs, keyPolicy, certPolicy);
 659         }));
 660 }
 661
 662
 663 int CKMLogic::removeDataHelper(
 664         const Credentials &cred,
 665         const Name &name,
 666         const ClientId &explicitOwner)
 667 {
 668         auto &handler = selectDatabase(cred, explicitOwner);
 669
 670         // use client id if not explicitly provided
 671         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 672
 673         if (!isNameValid(name) || !isClientValid(owner)) {
 674                 LogDebug("Invalid owner or name format");
 675                 return CKM_API_ERROR_INPUT_PARAM;
 676         }
 677
 678         DB::Crypto::Transaction transaction(&handler.database);
 679
 680         // read and check permissions
 681         PermissionMaskOptional permissionRowOpt =
 682                 handler.database.getPermissionRow(name, owner, cred.client);
 683         int retCode = m_accessControl.canDelete(cred,
 684                                                                                         toPermissionMask(permissionRowOpt));
 685
 686         if (retCode != CKM_API_SUCCESS) {
 687                 LogWarning("access control check result: " << retCode);
 688                 return retCode;
 689         }
 690
 691         // get all matching rows
 692         DB::RowVector rows;
 693         handler.database.getRows(name, owner, DataType::DB_FIRST,
 694                                                          DataType::DB_LAST, rows);
 695
 696         if (rows.empty()) {
 697                 LogDebug("No row for given name and owner");
 698                 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
 699         }
 700
 701         // load app key if needed
 702         retCode = loadAppKey(handler, rows.front().owner);
 703
 704         if (CKM_API_SUCCESS != retCode)
 705                 return retCode;
 706
 707         // destroy it in store
 708         for (auto &r : rows) {
 709                 try {
 710                         handler.crypto.decryptRow(Password(), r);
 711                         m_decider.getStore(r).destroy(r);
 712                 } catch (const Exc::AuthenticationFailed &) {
 713                         LogDebug("Authentication failed when removing data. Ignored.");
 714                 }
 715         }
 716
 717         // delete row in db
 718         handler.database.deleteRow(name, owner);
 719         transaction.commit();
 720
 721         return CKM_API_SUCCESS;
 722 }
 723
 724 RawBuffer CKMLogic::removeData(
 725         const Credentials &cred,
 726         int msgId,
 727         const Name &name,
 728         const ClientId &explicitOwner)
 729 {
 730         return SerializeMessage(msgId, tryRet([&] {
 731                 return removeDataHelper(cred, name, explicitOwner);
 732         }));
 733 }
 734
 735
 736 int CKMLogic::checkDataPermissionsHelper(const Credentials &accessorCred,
 737                 const Name &name,
 738                 const ClientId &owner,
 739                 const DB::Row &row,
 740                 bool exportFlag,
 741                 DB::Crypto &database)
 742 {
 743         PermissionMaskOptional permissionRowOpt =
 744                 database.getPermissionRow(name, owner, accessorCred.client);
 745
 746         if (exportFlag)
 747                 return m_accessControl.canExport(accessorCred,
 748                                                                                  row,
 749                                                                                  toPermissionMask(permissionRowOpt));
 750
 751         return m_accessControl.canRead(accessorCred,
 752                                                                    toPermissionMask(permissionRowOpt));
 753 }
 754
 755 Crypto::GObjUPtr CKMLogic::rowToObject(
 756         UserData &handler,
 757         DB::Row row,
 758         const Password &password)
 759 {
 760         Crypto::GStore &store = m_decider.getStore(row);
 761
 762         Password pass = m_accessControl.isCCMode() ? "" : password;
 763
 764         // decrypt row
 765         Crypto::GObjUPtr obj;
 766
 767         if (CryptoLogic::getSchemeVersion(row.encryptionScheme) ==
 768                         CryptoLogic::ENCRYPTION_V2) {
 769                 handler.crypto.decryptRow(Password(), row);
 770
 771                 obj = store.getObject(row, pass);
 772         } else {
 773                 // decrypt entirely with old scheme: b64(pass(appkey(data))) -> data
 774                 handler.crypto.decryptRow(pass, row);
 775                 // destroy it in store
 776                 store.destroy(row);
 777
 778                 // import it to store with new scheme: data -> pass(data)
 779                 Token token = store.import(Crypto::Data(row.dataType, row.data), pass, Crypto::EncryptionParams());
 780
 781                 // get it from the store (it can be different than the data we imported into store)
 782                 obj = store.getObject(token, pass);
 783
 784                 // update row with new token
 785                 *static_cast<Token *>(&row) = std::move(token);
 786
 787                 // encrypt it with app key: pass(data) -> b64(appkey(pass(data))
 788                 handler.crypto.encryptRow(row);
 789
 790                 // update it in db
 791                 handler.database.updateRow(row);
 792         }
 793
 794         return obj;
 795 }
 796
 797 int CKMLogic::readDataHelper(
 798         bool exportFlag,
 799         const Credentials &cred,
 800         DataType dataType,
 801         const Name &name,
 802         const ClientId &explicitOwner,
 803         const Password &password,
 804         Crypto::GObjUPtrVector &objs)
 805 {
 806         auto &handler = selectDatabase(cred, explicitOwner);
 807
 808         // use client id if not explicitly provided
 809         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 810
 811         if (!isNameValid(name) || !isClientValid(owner))
 812                 return CKM_API_ERROR_INPUT_PARAM;
 813
 814         // read rows
 815         DB::Crypto::Transaction transaction(&handler.database);
 816         DB::RowVector rows;
 817         int retCode = readMultiRow(name, owner, dataType, handler.database, rows);
 818
 819         if (CKM_API_SUCCESS != retCode)
 820                 return retCode;
 821
 822         // all read rows belong to the same owner
 823         DB::Row &firstRow = rows.at(0);
 824
 825         // check access rights
 826         retCode = checkDataPermissionsHelper(cred, name, owner, firstRow,
 827                                                                                  exportFlag, handler.database);
 828
 829         if (CKM_API_SUCCESS != retCode)
 830                 return retCode;
 831
 832         // load app key if needed
 833         retCode = loadAppKey(handler, firstRow.owner);
 834
 835         if (CKM_API_SUCCESS != retCode)
 836                 return retCode;
 837
 838         // decrypt row
 839         for (auto &row : rows)
 840                 objs.push_back(rowToObject(handler, std::move(row), password));
 841
 842         // rowToObject may modify db
 843         transaction.commit();
 844
 845         return CKM_API_SUCCESS;
 846 }
 847
 848 int CKMLogic::readDataHelper(
 849         bool exportFlag,
 850         const Credentials &cred,
 851         DataType dataType,
 852         const Name &name,
 853         const ClientId &explicitOwner,
 854         const Password &password,
 855         Crypto::GObjUPtr &obj)
 856 {
 857         DataType objDataType;
 858         return readDataHelper(exportFlag, cred, dataType, name, explicitOwner,
 859                                                   password, obj, objDataType);
 860 }
 861
 862 int CKMLogic::readDataHelper(
 863         bool exportFlag,
 864         const Credentials &cred,
 865         DataType dataType,
 866         const Name &name,
 867         const ClientId &explicitOwner,
 868         const Password &password,
 869         Crypto::GObjUPtr &obj,
 870         DataType &objDataType)
 871 {
 872         auto &handler = selectDatabase(cred, explicitOwner);
 873
 874         // use client id if not explicitly provided
 875         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 876
 877         if (!isNameValid(name) || !isClientValid(owner))
 878                 return CKM_API_ERROR_INPUT_PARAM;
 879
 880         // read row
 881         DB::Crypto::Transaction transaction(&handler.database);
 882         DB::Row row;
 883         int retCode = readSingleRow(name, owner, dataType, handler.database, row);
 884
 885         if (CKM_API_SUCCESS != retCode)
 886                 return retCode;
 887
 888         objDataType = row.dataType;
 889
 890         // check access rights
 891         retCode = checkDataPermissionsHelper(cred, name, owner, row, exportFlag,
 892                                                                                  handler.database);
 893
 894         if (CKM_API_SUCCESS != retCode)
 895                 return retCode;
 896
 897         // load app key if needed
 898         retCode = loadAppKey(handler, row.owner);
 899
 900         if (CKM_API_SUCCESS != retCode)
 901                 return retCode;
 902
 903         obj = rowToObject(handler, std::move(row), password);
 904         // rowToObject may modify db
 905         transaction.commit();
 906
 907         return CKM_API_SUCCESS;
 908 }
 909
 910 RawBuffer CKMLogic::getData(
 911         const Credentials &cred,
 912         int msgId,
 913         DataType dataType,
 914         const Name &name,
 915         const ClientId &explicitOwner,
 916         const Password &password)
 917 {
 918         RawBuffer rowData;
 919         DataType objDataType;
 920
 921         int retCode = tryRet([&] {
 922                 Crypto::GObjUPtr obj;
 923                 int retCode = readDataHelper(true, cred, dataType, name, explicitOwner,
 924                                                                  password, obj, objDataType);
 925
 926                 if (retCode == CKM_API_SUCCESS)
 927                         rowData = obj->getBinary();
 928
 929                 return retCode;
 930         });
 931
 932         if (CKM_API_SUCCESS != retCode)
 933                 rowData.clear();
 934
 935         return SerializeMessage(msgId, retCode, objDataType, rowData);
 936 }
 937
 938 RawBuffer CKMLogic::getDataProtectionStatus(
 939                 const Credentials &cred,
 940                 int msgId,
 941                 DataType dataType,
 942                 const Name &name,
 943                 const ClientId &explicitOwner)
 944 {
 945         bool status = false;
 946         DataType objDataType;
 947         Password password;
 948
 949         int retCode = tryRet([&] {
 950                 Crypto::GObjUPtr obj;
 951                 return readDataHelper(false, cred, dataType, name, explicitOwner, password, obj, objDataType);
 952         });
 953
 954         if (retCode == CKM_API_ERROR_AUTHENTICATION_FAILED) {
 955                 status = true;
 956                 retCode = CKM_API_SUCCESS;
 957         }
 958
 959         return SerializeMessage(msgId, retCode, objDataType, status);
 960 }
 961
 962 int CKMLogic::getPKCS12Helper(
 963         const Credentials &cred,
 964         const Name &name,
 965         const ClientId &explicitOwner,
 966         const Password &keyPassword,
 967         const Password &certPassword,
 968         KeyShPtr &privKey,
 969         CertificateShPtr &cert,
 970         CertificateShPtrVector &caChain)
 971 {
 972         int retCode;
 973
 974         // read private key (mandatory)
 975         Crypto::GObjUPtr keyObj;
 976         retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
 977                                                          keyPassword, keyObj);
 978
 979         if (retCode != CKM_API_SUCCESS) {
 980                 if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
 981                         return retCode;
 982         } else {
 983                 privKey = CKM::Key::create(keyObj->getBinary());
 984         }
 985
 986         // read certificate (mandatory)
 987         Crypto::GObjUPtr certObj;
 988         retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, explicitOwner,
 989                                                          certPassword, certObj);
 990
 991         if (retCode != CKM_API_SUCCESS) {
 992                 if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
 993                         return retCode;
 994         } else {
 995                 cert = CKM::Certificate::create(certObj->getBinary(), DataFormat::FORM_DER);
 996         }
 997
 998         // read CA cert chain (optional)
 999         Crypto::GObjUPtrVector caChainObjs;
1000         retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, explicitOwner,
1001                                                          certPassword, caChainObjs);
1002
1003         if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
1004                 if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
1005                         return retCode;
1006         } else {
1007                 for (auto &caCertObj : caChainObjs)
1008                         caChain.push_back(CKM::Certificate::create(caCertObj->getBinary(),
1009                                                                                                            DataFormat::FORM_DER));
1010         }
1011
1012         // if anything found, return it
1013         if (privKey || cert || caChain.size() > 0)
1014                 retCode = CKM_API_SUCCESS;
1015
1016         return retCode;
1017 }
1018
1019 RawBuffer CKMLogic::getPKCS12(
1020         const Credentials &cred,
1021         int msgId,
1022         const Name &name,
1023         const ClientId &explicitOwner,
1024         const Password &keyPassword,
1025         const Password &certPassword)
1026 {
1027         PKCS12Serializable output;
1028
1029         int retCode = tryRet([&] {
1030                 KeyShPtr privKey;
1031                 CertificateShPtr cert;
1032                 CertificateShPtrVector caChain;
1033                 int retCode = getPKCS12Helper(cred, name, explicitOwner, keyPassword,
1034                                                                   certPassword, privKey, cert, caChain);
1035
1036                 // prepare response
1037                 if (retCode == CKM_API_SUCCESS)
1038                         output = PKCS12Serializable(std::move(privKey), std::move(cert), std::move(caChain));
1039
1040                 return retCode;
1041         });
1042
1043         return SerializeMessage(msgId, retCode, output);
1044 }
1045
1046 int CKMLogic::getDataListHelper(const Credentials &cred,
1047                                                                 const DataType dataType,
1048                                                                 OwnerNameVector &ownerNameVector)
1049 {
1050         int retCode = CKM_API_ERROR_DB_LOCKED;
1051
1052         if (0 < m_userDataMap.count(cred.clientUid)) {
1053                 auto &database = m_userDataMap[cred.clientUid].database;
1054
1055                 retCode = tryRet<CKM_API_ERROR_DB_ERROR>([&] {
1056                         OwnerNameVector tmpVector;
1057
1058                         if (dataType.isKey()) {
1059                                 // list all key types
1060                                 database.listNames(cred.client,
1061                                                                    tmpVector,
1062                                                                    DataType::DB_KEY_FIRST,
1063                                                                    DataType::DB_KEY_LAST);
1064                         } else {
1065                                 // list anything else
1066                                 database.listNames(cred.client,
1067                                                                    tmpVector,
1068                                                                    dataType);
1069                         }
1070
1071                         ownerNameVector.insert(ownerNameVector.end(), tmpVector.begin(),
1072                                                                    tmpVector.end());
1073                         return CKM_API_SUCCESS;
1074                 });
1075         }
1076
1077         return retCode;
1078 }
1079
1080 RawBuffer CKMLogic::getDataList(
1081         const Credentials &cred,
1082         int msgId,
1083         DataType dataType)
1084 {
1085         OwnerNameVector systemVector;
1086         OwnerNameVector userVector;
1087         OwnerNameVector ownerNameVector;
1088
1089         int retCode = unlockSystemDB();
1090
1091         if (CKM_API_SUCCESS == retCode) {
1092                 // system database
1093                 if (m_accessControl.isSystemService(cred)) {
1094                         // lookup system DB
1095                         retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
1096                                                                                                         CLIENT_ID_SYSTEM),
1097                                                                                 dataType,
1098                                                                                 systemVector);
1099                 } else {
1100                         // user - lookup system, then client DB
1101                         retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
1102                                                                                                         cred.client),
1103                                                                                 dataType,
1104                                                                                 systemVector);
1105
1106                         // private database
1107                         if (retCode == CKM_API_SUCCESS) {
1108                                 retCode = getDataListHelper(cred,
1109                                                                                         dataType,
1110                                                                                         userVector);
1111                         }
1112                 }
1113         }
1114
1115         if (retCode == CKM_API_SUCCESS) {
1116                 ownerNameVector.insert(ownerNameVector.end(), systemVector.begin(),
1117                                                            systemVector.end());
1118                 ownerNameVector.insert(ownerNameVector.end(), userVector.begin(),
1119                                                            userVector.end());
1120         }
1121
1122         return SerializeMessage(msgId, retCode, dataType, ownerNameVector);
1123 }
1124
1125 int CKMLogic::importInitialData(
1126         const Name &name,
1127         const Crypto::Data &data,
1128         const Crypto::EncryptionParams &encParams,
1129         const Policy &policy)
1130 {
1131         try {
1132                 return tryRet([&] {
1133                         if (encParams.iv.empty() != encParams.tag.empty()) {
1134                                 LogError("Both iv and tag must be empty or set");
1135                                 return CKM_API_ERROR_INPUT_PARAM;
1136                         }
1137
1138                         // Inital values are always imported with root credentials. Client id is not important.
1139                         Credentials rootCred(0, "");
1140
1141                         auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM);
1142
1143                         // check if save is possible
1144                         DB::Crypto::Transaction transaction(&handler.database);
1145                         int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
1146
1147                         if (retCode != CKM_API_SUCCESS)
1148                                 return retCode;
1149
1150                         Crypto::GStore &store =
1151                                         m_decider.getStore(data.type, policy, !encParams.iv.empty());
1152
1153                         Token token;
1154
1155                         if (encParams.iv.empty()) {
1156                                 // Data are not encrypted, let's try to verify them
1157                                 Crypto::Data binaryData;
1158
1159                                 if (CKM_API_SUCCESS != (retCode = toBinaryData(data, binaryData)))
1160                                         return retCode;
1161
1162                                 token = store.import(binaryData,
1163                                                                          m_accessControl.isCCMode() ? "" : policy.password,
1164                                                                          encParams);
1165                         } else {
1166                                 token = store.import(data,
1167                                                                          m_accessControl.isCCMode() ? "" : policy.password,
1168                                                                          encParams);
1169                         }
1170
1171                         DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
1172                                                 static_cast<int>(policy.extractable));
1173                         handler.crypto.encryptRow(row);
1174
1175                         handler.database.saveRow(row);
1176                         transaction.commit();
1177
1178                         return CKM_API_SUCCESS;
1179                 });
1180         } catch (const std::exception &e) {
1181                 LogError("Std::exception: " << e.what());
1182                 return CKM_API_ERROR_SERVER_ERROR;
1183         }
1184 }
1185
1186 int CKMLogic::saveDataHelper(
1187         const Credentials &cred,
1188         const Name &name,
1189         const ClientId &explicitOwner,
1190         const Crypto::Data &data,
1191         const PolicySerializable &policy)
1192 {
1193         auto &handler = selectDatabase(cred, explicitOwner);
1194
1195         // use client id if not explicitly provided
1196         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1197
1198         if (m_accessControl.isSystemService(cred) &&
1199                         owner.compare(CLIENT_ID_SYSTEM) != 0) {
1200                 LogError("System services can only use " << CLIENT_ID_SYSTEM << " as owner id") ;
1201                 return CKM_API_ERROR_INPUT_PARAM;
1202         }
1203
1204         // check if save is possible
1205         DB::Crypto::Transaction transaction(&handler.database);
1206         int retCode = checkSaveConditions(cred, handler, name, owner);
1207
1208         if (retCode != CKM_API_SUCCESS)
1209                 return retCode;
1210
1211         // save the data
1212         DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, owner,
1213                                                    data, policy);
1214         handler.database.saveRow(encryptedRow);
1215
1216         transaction.commit();
1217         return CKM_API_SUCCESS;
1218 }
1219
1220 int CKMLogic::saveDataHelper(
1221         const Credentials &cred,
1222         const Name &name,
1223         const ClientId &explicitOwner,
1224         const PKCS12Serializable &pkcs,
1225         const PolicySerializable &keyPolicy,
1226         const PolicySerializable &certPolicy)
1227 {
1228         auto &handler = selectDatabase(cred, explicitOwner);
1229
1230         // use client id if not explicitly provided
1231         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1232
1233         if (m_accessControl.isSystemService(cred) &&
1234                         owner.compare(CLIENT_ID_SYSTEM) != 0)
1235                 return CKM_API_ERROR_INPUT_PARAM;
1236
1237         // check if save is possible
1238         DB::Crypto::Transaction transaction(&handler.database);
1239         int retCode = checkSaveConditions(cred, handler, name, owner);
1240
1241         if (retCode != CKM_API_SUCCESS)
1242                 return retCode;
1243
1244         // extract and encrypt the data
1245         DB::RowVector encryptedRows;
1246         retCode = extractPKCS12Data(handler.crypto, name, owner, pkcs, keyPolicy,
1247                                                                 certPolicy, encryptedRows);
1248
1249         if (retCode != CKM_API_SUCCESS)
1250                 return retCode;
1251
1252         // save the data
1253         handler.database.saveRows(name, owner, encryptedRows);
1254         transaction.commit();
1255
1256         return CKM_API_SUCCESS;
1257 }
1258
1259
1260 int CKMLogic::createKeyAESHelper(
1261         const Credentials &cred,
1262         const int size,
1263         const Name &name,
1264         const ClientId &explicitOwner,
1265         const PolicySerializable &policy)
1266 {
1267         auto &handler = selectDatabase(cred, explicitOwner);
1268
1269         // use client id if not explicitly provided
1270         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1271
1272         if (m_accessControl.isSystemService(cred) &&
1273                         owner.compare(CLIENT_ID_SYSTEM) != 0)
1274                 return CKM_API_ERROR_INPUT_PARAM;
1275
1276         // check if save is possible
1277         DB::Crypto::Transaction transaction(&handler.database);
1278         int retCode = checkSaveConditions(cred, handler, name, owner);
1279
1280         if (retCode != CKM_API_SUCCESS)
1281                 return retCode;
1282
1283         // create key in store
1284         CryptoAlgorithm keyGenAlgorithm;
1285         keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
1286         keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size);
1287         Token key = m_decider.getStore(DataType::KEY_AES,
1288                                        policy).generateSKey(keyGenAlgorithm, policy.password);
1289
1290         // save the data
1291         DB::Row row(std::move(key), name, owner,
1292                                 static_cast<int>(policy.extractable));
1293         handler.crypto.encryptRow(row);
1294
1295         handler.database.saveRow(row);
1296
1297         transaction.commit();
1298         return CKM_API_SUCCESS;
1299 }
1300
1301 int CKMLogic::createKeyPairHelper(
1302         const Credentials &cred,
1303         const CryptoAlgorithmSerializable &keyGenParams,
1304         const Name &namePrivate,
1305         const ClientId &explicitOwnerPrivate,
1306         const Name &namePublic,
1307         const ClientId &explicitOwnerPublic,
1308         const PolicySerializable &policyPrivate,
1309         const PolicySerializable &policyPublic)
1310 {
1311         auto &handlerPriv = selectDatabase(cred, explicitOwnerPrivate);
1312         auto &handlerPub = selectDatabase(cred, explicitOwnerPublic);
1313
1314         AlgoType keyType = AlgoType::RSA_GEN;
1315
1316         if (!keyGenParams.getParam(ParamName::ALGO_TYPE, keyType))
1317                 ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE not found.");
1318
1319         const auto dtIt = ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.find(keyType);
1320         if (dtIt == ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.end())
1321                 ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value.");
1322         const DataTypePair& dt = dtIt->second;
1323
1324         if (policyPrivate.backend != policyPublic.backend)
1325                 ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
1326
1327         // use client id if not explicitly provided
1328         const ClientId &ownerPrv = explicitOwnerPrivate.empty() ? cred.client :
1329                                                            explicitOwnerPrivate;
1330
1331         if (m_accessControl.isSystemService(cred) &&
1332                         ownerPrv.compare(CLIENT_ID_SYSTEM) != 0)
1333                 return CKM_API_ERROR_INPUT_PARAM;
1334
1335         const ClientId &ownerPub = explicitOwnerPublic.empty() ? cred.client :
1336                                                            explicitOwnerPublic;
1337
1338         if (m_accessControl.isSystemService(cred) &&
1339                         ownerPub.compare(CLIENT_ID_SYSTEM) != 0)
1340                 return CKM_API_ERROR_INPUT_PARAM;
1341
1342         bool exportable = policyPrivate.extractable || policyPublic.extractable;
1343         Policy lessRestricted(Password(), exportable, policyPrivate.backend);
1344
1345         TokenPair keys = m_decider.getStore(policyPrivate, dt.first, dt.second).generateAKey(keyGenParams,
1346                                          policyPrivate.password,
1347                                          policyPublic.password);
1348
1349         DB::Crypto::Transaction transactionPriv(&handlerPriv.database);
1350         // in case the same database is used for private and public - the second
1351         // transaction will not be executed
1352         DB::Crypto::Transaction transactionPub(&handlerPub.database);
1353
1354         int retCode;
1355         retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerPrv);
1356
1357         if (CKM_API_SUCCESS != retCode)
1358                 return retCode;
1359
1360         retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerPub);
1361
1362         if (CKM_API_SUCCESS != retCode)
1363                 return retCode;
1364
1365         // save the data
1366         DB::Row rowPrv(std::move(keys.first), namePrivate, ownerPrv,
1367                                    static_cast<int>(policyPrivate.extractable));
1368         handlerPriv.crypto.encryptRow(rowPrv);
1369         handlerPriv.database.saveRow(rowPrv);
1370
1371         DB::Row rowPub(std::move(keys.second), namePublic, ownerPub,
1372                                    static_cast<int>(policyPublic.extractable));
1373         handlerPub.crypto.encryptRow(rowPub);
1374         handlerPub.database.saveRow(rowPub);
1375
1376         transactionPub.commit();
1377         transactionPriv.commit();
1378         return CKM_API_SUCCESS;
1379 }
1380
1381 RawBuffer CKMLogic::createKeyPair(
1382         const Credentials &cred,
1383         int msgId,
1384         const CryptoAlgorithmSerializable &keyGenParams,
1385         const Name &namePrivate,
1386         const ClientId &explicitOwnerPrivate,
1387         const Name &namePublic,
1388         const ClientId &explicitOwnerPublic,
1389         const PolicySerializable &policyPrivate,
1390         const PolicySerializable &policyPublic)
1391 {
1392         return SerializeMessage(msgId, tryRet([&] {
1393                 return createKeyPairHelper(cred, keyGenParams, namePrivate, explicitOwnerPrivate,
1394                                            namePublic, explicitOwnerPublic, policyPrivate, policyPublic);
1395         }));
1396 }
1397
1398 RawBuffer CKMLogic::createKeyAES(
1399         const Credentials &cred,
1400         int msgId,
1401         const int size,
1402         const Name &name,
1403         const ClientId &explicitOwner,
1404         const PolicySerializable &policy)
1405 {
1406         int retCode = CKM_API_SUCCESS;
1407
1408         try {
1409                 retCode = tryRet([&] {
1410                         return createKeyAESHelper(cred, size, name, explicitOwner, policy);
1411                 });
1412         } catch (std::invalid_argument &e) {
1413                 LogDebug("invalid argument error: " << e.what());
1414                 retCode = CKM_API_ERROR_INPUT_PARAM;
1415         }
1416
1417         return SerializeMessage(msgId, retCode);
1418 }
1419
1420 int CKMLogic::readCertificateHelper(
1421         const Credentials &cred,
1422         const OwnerNameVector &ownerNameVector,
1423         CertificateImplVector &certVector)
1424 {
1425         for (auto &i : ownerNameVector) {
1426                 // certificates can't be protected with custom user password
1427                 Crypto::GObjUPtr obj;
1428                 int ec;
1429                 ec = readDataHelper(true,
1430                                                         cred,
1431                                                         DataType::CERTIFICATE,
1432                                                         i.second,
1433                                                         i.first,
1434                                                         Password(),
1435                                                         obj);
1436
1437                 if (ec != CKM_API_SUCCESS)
1438                         return ec;
1439
1440                 certVector.emplace_back(obj->getBinary(), DataFormat::FORM_DER);
1441
1442                 // try to read chain certificates (if present)
1443                 Crypto::GObjUPtrVector caChainObjs;
1444                 ec = readDataHelper(true,
1445                                                         cred,
1446                                                         DataType::DB_CHAIN_FIRST,
1447                                                         i.second,
1448                                                         i.first,
1449                                                         CKM::Password(),
1450                                                         caChainObjs);
1451
1452                 if (ec != CKM_API_SUCCESS && ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
1453                         return ec;
1454
1455                 for (auto &caCertObj : caChainObjs)
1456                         certVector.emplace_back(caCertObj->getBinary(), DataFormat::FORM_DER);
1457         }
1458
1459         return CKM_API_SUCCESS;
1460 }
1461
1462 int CKMLogic::getCertificateChainHelper(
1463         const CertificateImpl &cert,
1464         const RawBufferVector &untrustedCertificates,
1465         const RawBufferVector &trustedCertificates,
1466         bool useTrustedSystemCertificates,
1467         RawBufferVector &chainRawVector)
1468 {
1469         CertificateImplVector untrustedCertVector;
1470         CertificateImplVector trustedCertVector;
1471         CertificateImplVector chainVector;
1472
1473         if (cert.empty())
1474                 return CKM_API_ERROR_INPUT_PARAM;
1475
1476         for (auto &e : untrustedCertificates) {
1477                 CertificateImpl c(e, DataFormat::FORM_DER);
1478
1479                 if (c.empty())
1480                         return CKM_API_ERROR_INPUT_PARAM;
1481
1482                 untrustedCertVector.push_back(std::move(c));
1483         }
1484
1485         for (auto &e : trustedCertificates) {
1486                 CertificateImpl c(e, DataFormat::FORM_DER);
1487
1488                 if (c.empty())
1489                         return CKM_API_ERROR_INPUT_PARAM;
1490
1491                 trustedCertVector.push_back(std::move(c));
1492         }
1493
1494         CertificateStore store;
1495         int retCode = store.verifyCertificate(cert,
1496                                                                                   untrustedCertVector,
1497                                                                                   trustedCertVector,
1498                                                                                   useTrustedSystemCertificates,
1499                                                                                   m_accessControl.isCCMode(),
1500                                                                                   chainVector);
1501
1502         if (retCode != CKM_API_SUCCESS)
1503                 return retCode;
1504
1505         for (auto &e : chainVector)
1506                 chainRawVector.push_back(e.getDER());
1507
1508         return CKM_API_SUCCESS;
1509 }
1510
1511 int CKMLogic::getCertificateChainHelper(
1512         const Credentials &cred,
1513         const CertificateImpl &cert,
1514         const OwnerNameVector &untrusted,
1515         const OwnerNameVector &trusted,
1516         bool useTrustedSystemCertificates,
1517         RawBufferVector &chainRawVector)
1518 {
1519         CertificateImplVector untrustedCertVector;
1520         CertificateImplVector trustedCertVector;
1521         CertificateImplVector chainVector;
1522
1523         if (cert.empty())
1524                 return CKM_API_ERROR_INPUT_PARAM;
1525
1526         int retCode = readCertificateHelper(cred, untrusted, untrustedCertVector);
1527
1528         if (retCode != CKM_API_SUCCESS)
1529                 return retCode;
1530
1531         retCode = readCertificateHelper(cred, trusted, trustedCertVector);
1532
1533         if (retCode != CKM_API_SUCCESS)
1534                 return retCode;
1535
1536         CertificateStore store;
1537         retCode = store.verifyCertificate(cert,
1538                                                                           untrustedCertVector,
1539                                                                           trustedCertVector,
1540                                                                           useTrustedSystemCertificates,
1541                                                                           m_accessControl.isCCMode(),
1542                                                                           chainVector);
1543
1544         if (retCode != CKM_API_SUCCESS)
1545                 return retCode;
1546
1547         for (auto &i : chainVector)
1548                 chainRawVector.push_back(i.getDER());
1549
1550         return CKM_API_SUCCESS;
1551 }
1552
1553 RawBuffer CKMLogic::getCertificateChain(
1554         const Credentials & /*cred*/,
1555         int msgId,
1556         const RawBuffer &certificate,
1557         const RawBufferVector &untrustedCertificates,
1558         const RawBufferVector &trustedCertificates,
1559         bool useTrustedSystemCertificates)
1560 {
1561         CertificateImpl cert(certificate, DataFormat::FORM_DER);
1562         RawBufferVector chainRawVector;
1563         int retCode = CKM_API_ERROR_UNKNOWN;
1564
1565         try {
1566                 retCode = getCertificateChainHelper(cert,
1567                                                                                         untrustedCertificates,
1568                                                                                         trustedCertificates,
1569                                                                                         useTrustedSystemCertificates,
1570                                                                                         chainRawVector);
1571         } catch (const Exc::Exception &e) {
1572                 retCode = e.error();
1573         } catch (const std::exception &e) {
1574                 LogError("STD exception " << e.what());
1575                 retCode = CKM_API_ERROR_SERVER_ERROR;
1576         } catch (...) {
1577                 LogError("Unknown error.");
1578         }
1579
1580         return SerializeMessage(msgId, retCode, chainRawVector);
1581 }
1582
1583 RawBuffer CKMLogic::getCertificateChain(
1584         const Credentials &cred,
1585         int msgId,
1586         const RawBuffer &certificate,
1587         const OwnerNameVector &untrustedCertificates,
1588         const OwnerNameVector &trustedCertificates,
1589         bool useTrustedSystemCertificates)
1590 {
1591         int retCode = CKM_API_ERROR_UNKNOWN;
1592         CertificateImpl cert(certificate, DataFormat::FORM_DER);
1593         RawBufferVector chainRawVector;
1594
1595         try {
1596                 retCode = getCertificateChainHelper(cred,
1597                                                                                         cert,
1598                                                                                         untrustedCertificates,
1599                                                                                         trustedCertificates,
1600                                                                                         useTrustedSystemCertificates,
1601                                                                                         chainRawVector);
1602         } catch (const Exc::Exception &e) {
1603                 retCode = e.error();
1604         } catch (const std::exception &e) {
1605                 LogError("STD exception " << e.what());
1606                 retCode = CKM_API_ERROR_SERVER_ERROR;
1607         } catch (...) {
1608                 LogError("Unknown error.");
1609         }
1610
1611         return SerializeMessage(msgId, retCode, chainRawVector);
1612 }
1613
1614 RawBuffer CKMLogic::createSignature(
1615         const Credentials &cred,
1616         int msgId,
1617         const Name &privateKeyName,
1618         const ClientId &explicitOwner,
1619         const Password &password,           // password for private_key
1620         const RawBuffer &message,
1621         const CryptoAlgorithm &cryptoAlg)
1622 {
1623         RawBuffer signature;
1624
1625         int retCode = CKM_API_SUCCESS;
1626
1627         try {
1628                 retCode = tryRet([&] {
1629                         Crypto::GObjUPtr obj;
1630                         int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName,
1631                                                      explicitOwner, password, obj);
1632
1633                         if (retCode == CKM_API_SUCCESS)
1634                                 signature = obj->sign(cryptoAlg, message);
1635
1636                         return retCode;
1637                 });
1638         } catch (const std::exception &e) {
1639                 LogError("STD exception " << e.what());
1640                 retCode = CKM_API_ERROR_SERVER_ERROR;
1641         }
1642
1643         return SerializeMessage(msgId, retCode, signature);
1644 }
1645
1646 RawBuffer CKMLogic::verifySignature(
1647         const Credentials &cred,
1648         int msgId,
1649         const Name &publicKeyOrCertName,
1650         const ClientId &explicitOwner,
1651         const Password &password,           // password for public_key (optional)
1652         const RawBuffer &message,
1653         const RawBuffer &signature,
1654         const CryptoAlgorithm &params)
1655 {
1656         return SerializeMessage(msgId, tryRet([&] {
1657                 // try certificate first - looking for a public key.
1658                 // in case of PKCS, pub key from certificate will be found first
1659                 // rather than private key from the same PKCS.
1660                 Crypto::GObjUPtr obj;
1661                 int retCode = readDataHelper(false, cred, DataType::CERTIFICATE,
1662                                              publicKeyOrCertName, explicitOwner, password, obj);
1663
1664                 if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN)
1665                         retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST,
1666                                                                          publicKeyOrCertName, explicitOwner, password, obj);
1667
1668                 if (retCode == CKM_API_SUCCESS)
1669                         retCode = obj->verify(params, message, signature);
1670
1671                 return retCode;
1672         }));
1673 }
1674
1675 int CKMLogic::setPermissionHelper(
1676         const Credentials &cred,                // who's the client
1677         const Name &name,
1678         const ClientId &explicitOwner,                     // who's the owner
1679         const ClientId &accessor,             // who will get the access
1680         const PermissionMask permissionMask)
1681 {
1682         auto &handler = selectDatabase(cred, explicitOwner);
1683
1684         // we don't know the client
1685         if (cred.client.empty() || !isClientValid(cred.client))
1686                 return CKM_API_ERROR_INPUT_PARAM;
1687
1688         // use client id if not explicitly provided
1689         const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1690
1691         // verify name and owner are correct
1692         if (!isNameValid(name) || !isClientValid(owner) ||
1693                         !isClientValid(accessor))
1694                 return CKM_API_ERROR_INPUT_PARAM;
1695
1696         // currently we don't support modification of owner's permissions to his own rows
1697         if (owner == accessor)
1698                 return CKM_API_ERROR_INPUT_PARAM;
1699
1700         // system database does not support write/remove permissions
1701         if ((0 == owner.compare(CLIENT_ID_SYSTEM)) &&
1702                         (permissionMask & Permission::REMOVE))
1703                 return CKM_API_ERROR_INPUT_PARAM;
1704
1705         // can the client modify permissions to owner's row?
1706         int retCode = m_accessControl.canModify(cred, owner);
1707
1708         if (retCode != CKM_API_SUCCESS)
1709                 return retCode;
1710
1711         DB::Crypto::Transaction transaction(&handler.database);
1712
1713         if (!handler.database.isNameOwnerPresent(name, owner))
1714                 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
1715
1716         // set permissions to the row owned by owner for accessor
1717         handler.database.setPermission(name, owner, accessor, permissionMask);
1718         transaction.commit();
1719
1720         return CKM_API_SUCCESS;
1721 }
1722
1723 RawBuffer CKMLogic::setPermission(
1724         const Credentials &cred,
1725         const int msgID,
1726         const Name &name,
1727         const ClientId &explicitOwner,
1728         const ClientId &accessor,
1729         const PermissionMask permissionMask)
1730 {
1731         return SerializeMessage(msgID, tryRet([&] {
1732                 return setPermissionHelper(cred, name, explicitOwner, accessor, permissionMask);
1733         }));
1734 }
1735
1736 } // namespace CKM
1737