2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
20 * @brief Sample service implementation.
22 #include <vconf/vconf.h>
23 #include <dpl/serialization.h>
24 #include <dpl/log/log.h>
25 #include <ckm/ckm-error.h>
26 #include <ckm/ckm-type.h>
27 #include <key-provider.h>
28 #include <file-system.h>
29 #include <CryptoService.h>
30 #include <ckm-logic.h>
33 #ifndef VCONFKEY_SECURITY_MDPP_STATE
34 #define VCONFKEY_SECURITY_MDPP_STATE = "file/security_mdpp/security_mdpp_state";
38 const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
40 const char* const MDPP_MODE_ENFORCING = "Enforcing";
41 const char* const MDPP_MODE_ENABLED = "Enabled";
43 } // anonymous namespace
47 CKMLogic::CKMLogic() : m_ccMode(false)
49 int retCode = FileSystem::init();
50 // TODO what can I do when init went wrong? exit(-1) ??
52 LogError("Fatal error in FileSystem::init()");
55 if (CKM_API_SUCCESS != m_certStore.setSystemCertificateDir(CERT_SYSTEM_DIR)) {
56 LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
59 updateCCMode_internal();
62 CKMLogic::~CKMLogic(){}
64 RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password) {
65 // TODO try catch for all errors that should be supported by error code
66 int retCode = CKM_API_SUCCESS;
69 if (0 == m_userDataMap.count(user) || !(m_userDataMap[user].keyProvider.isInitialized())) {
70 auto &handle = m_userDataMap[user];
72 auto wrappedDomainKEK = fs.getDKEK();
74 if (wrappedDomainKEK.empty()) {
75 wrappedDomainKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
76 fs.saveDKEK(wrappedDomainKEK);
79 handle.keyProvider = KeyProvider(wrappedDomainKEK, password);
81 auto wrappedDatabaseDEK = fs.getDBDEK();
83 if (wrappedDatabaseDEK.empty()) {
84 wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
85 fs.saveDBDEK(wrappedDatabaseDEK);
88 RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
89 handle.database = DBCrypto(fs.getDBPath(), key);
90 handle.crypto = CryptoLogic();
92 // remove data of removed apps during locked state
93 AppLabelVector removedApps = fs.clearRemovedsApps();
94 for(auto& appSmackLabel : removedApps) {
95 handle.database.deleteKey(appSmackLabel);
100 } catch (const KeyProvider::Exception::PassWordError &e) {
101 LogError("Incorrect Password " << e.GetMessage());
102 retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
103 } catch (const KeyProvider::Exception::Base &e) {
104 LogError("Error in KeyProvider " << e.GetMessage());
105 retCode = CKM_API_ERROR_SERVER_ERROR;
106 } catch (const CryptoLogic::Exception::Base &e) {
107 LogError("CryptoLogic error: " << e.GetMessage());
108 retCode = CKM_API_ERROR_SERVER_ERROR;
109 } catch (const CKM::Exception &e) {
110 LogError("CKM::Exception: " << e.GetMessage());
111 retCode = CKM_API_ERROR_SERVER_ERROR;
114 if(retCode != CKM_API_SUCCESS) {
115 // When not successful, UserData in m_userDataMap should be erased.
116 // Because other operations make decision based on the existence of UserData in m_userDataMap.
117 m_userDataMap.erase(user);
120 return MessageBuffer::Serialize(retCode).Pop();
123 void CKMLogic::updateCCMode_internal() {
124 int fipsModeStatus = 0;
128 char *mdppState = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
129 newMode = ( mdppState && (!strcmp(mdppState, MDPP_MODE_ENABLED) ||
130 !strcmp(mdppState, MDPP_MODE_ENFORCING)) );
131 if (newMode == m_ccMode)
136 fipsModeStatus = FIPS_mode();
139 if(fipsModeStatus == 0) { // If FIPS mode off
140 rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
142 LogError("Error in FIPS_mode_set function");
146 if(fipsModeStatus == 1) { // If FIPS mode on
147 rc = FIPS_mode_set(0); // Change FIPS_mode from on to off
149 LogError("Error in FIPS_mode_set function");
155 RawBuffer CKMLogic::updateCCMode() {
156 updateCCMode_internal();
157 return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
160 RawBuffer CKMLogic::lockUserKey(uid_t user) {
161 int retCode = CKM_API_SUCCESS;
162 // TODO try catch for all errors that should be supported by error code
163 m_userDataMap.erase(user);
165 return MessageBuffer::Serialize(retCode).Pop();
169 RawBuffer CKMLogic::removeUserData(uid_t user) {
170 int retCode = CKM_API_SUCCESS;
171 // TODO try catch for all errors that should be supported by error code
172 m_userDataMap.erase(user);
177 return MessageBuffer::Serialize(retCode).Pop();
180 RawBuffer CKMLogic::changeUserPassword(
182 const Password &oldPassword,
183 const Password &newPassword)
185 int retCode = CKM_API_SUCCESS;
188 auto wrappedDomainKEK = fs.getDKEK();
189 if (wrappedDomainKEK.empty()) {
190 retCode = CKM_API_ERROR_BAD_REQUEST;
192 wrappedDomainKEK = KeyProvider::reencrypt(wrappedDomainKEK, oldPassword, newPassword);
193 fs.saveDKEK(wrappedDomainKEK);
195 } catch (const KeyProvider::Exception::PassWordError &e) {
196 LogError("Incorrect Password " << e.GetMessage());
197 retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
198 } catch (const KeyProvider::Exception::Base &e) {
199 LogError("Error in KeyProvider " << e.GetMessage());
200 retCode = CKM_API_ERROR_SERVER_ERROR;
201 } catch (const CKM::Exception &e) {
202 LogError("CKM::Exception: " << e.GetMessage());
203 retCode = CKM_API_ERROR_SERVER_ERROR;
206 return MessageBuffer::Serialize(retCode).Pop();
209 RawBuffer CKMLogic::resetUserPassword(
211 const Password &newPassword)
213 int retCode = CKM_API_SUCCESS;
215 if (0 == m_userDataMap.count(user)) {
216 retCode = CKM_API_ERROR_BAD_REQUEST;
218 auto &handler = m_userDataMap[user];
220 fs.saveDKEK(handler.keyProvider.getWrappedDomainKEK(newPassword));
223 return MessageBuffer::Serialize(retCode).Pop();
226 RawBuffer CKMLogic::removeApplicationData(const std::string &smackLabel) {
227 int retCode = CKM_API_SUCCESS;
231 if (smackLabel.empty()) {
232 retCode = CKM_API_ERROR_INPUT_PARAM;
234 UidVector uids = FileSystem::getUIDsFromDBFile();
235 for (auto userId : uids) {
236 if (0 == m_userDataMap.count(userId)) {
237 FileSystem fs(userId);
238 fs.addRemovedApp(smackLabel);
240 auto &handle = m_userDataMap[userId];
241 handle.database.deleteKey(smackLabel);
246 } catch (const DBCrypto::Exception::InternalError &e) {
247 LogError("DBCrypto couldn't remove data: " << e.GetMessage());
248 retCode = CKM_API_ERROR_DB_ERROR;
249 } catch (const DBCrypto::Exception::TransactionError &e) {
250 LogError("DBCrypto transaction failed with message " << e.GetMessage());
251 retCode = CKM_API_ERROR_DB_ERROR;
254 return MessageBuffer::Serialize(retCode).Pop();
257 int CKMLogic::saveDataHelper(
261 const RawBuffer &key,
262 const PolicySerializable &policy)
264 if (0 == m_userDataMap.count(cred.uid))
265 return CKM_API_ERROR_DB_LOCKED;
267 // proceed to data save
268 DBRow row = { alias, cred.smackLabel,
269 policy.extractable, dataType, DBCMAlgType::NONE,
270 0, RawBuffer(), static_cast<int>(key.size()), key, RawBuffer() };
272 auto &handler = m_userDataMap[cred.uid];
273 DBCrypto::Transaction transaction(&handler.database);
274 if (!handler.crypto.haveKey(cred.smackLabel)) {
276 auto key_optional = handler.database.getKey(cred.smackLabel);
278 LogDebug("No Key in database found. Generating new one for label: "
280 key = handler.keyProvider.generateDEK(cred.smackLabel);
281 handler.database.saveKey(cred.smackLabel, key);
283 LogDebug("Key from DB");
287 key = handler.keyProvider.getPureDEK(key);
288 handler.crypto.pushKey(cred.smackLabel, key);
291 // Do not encrypt data with password during cc_mode on
293 handler.crypto.encryptRow("", row);
295 handler.crypto.encryptRow(policy.password, row);
298 handler.database.saveDBRow(row);
299 transaction.commit();
300 return CKM_API_SUCCESS;
303 void CKMLogic::verifyBinaryData(DBDataType dataType, const RawBuffer &input_data) const
305 // verify the data integrity
308 case DBDataType::KEY_RSA_PUBLIC:
309 case DBDataType::KEY_RSA_PRIVATE:
310 case DBDataType::KEY_ECDSA_PUBLIC:
311 case DBDataType::KEY_ECDSA_PRIVATE:
312 case DBDataType::KEY_DSA_PUBLIC:
313 case DBDataType::KEY_DSA_PRIVATE:
314 case DBDataType::KEY_AES:
316 KeyShPtr output_key = CKM::Key::create(input_data);
317 if(output_key.get() == NULL)
318 ThrowMsg(CKMLogic::Exception::InputDataInvalid, "provided binary data is not valid key data");
322 case DBDataType::CERTIFICATE:
324 CertificateShPtr cert = CKM::Certificate::create(input_data, DataFormat::FORM_DER);
325 if(cert.get() == NULL)
326 ThrowMsg(CKMLogic::Exception::InputDataInvalid, "provided binary data is not valid certificate data");
330 // TODO: add here BINARY_DATA verification, i.e: max size etc.
336 RawBuffer CKMLogic::saveData(
341 const RawBuffer &key,
342 const PolicySerializable &policy)
344 int retCode = CKM_API_SUCCESS;
346 verifyBinaryData(dataType, key);
348 retCode = saveDataHelper(cred, dataType, alias, key, policy);
349 LogDebug("SaveDataHelper returned: " << retCode);
350 } catch (const CKMLogic::Exception::InputDataInvalid &e) {
351 LogError("Provided data invalid: " << e.GetMessage());
352 retCode = CKM_API_ERROR_INPUT_PARAM;
353 } catch (const KeyProvider::Exception::Base &e) {
354 LogError("KeyProvider failed with message: " << e.GetMessage());
355 retCode = CKM_API_ERROR_SERVER_ERROR;
356 } catch (const CryptoLogic::Exception::Base &e) {
357 LogError("CryptoLogic failed with message: " << e.GetMessage());
358 retCode = CKM_API_ERROR_SERVER_ERROR;
359 } catch (const DBCrypto::Exception::InternalError &e) {
360 LogError("DBCrypto failed with message: " << e.GetMessage());
361 retCode = CKM_API_ERROR_DB_ERROR;
362 } catch (const DBCrypto::Exception::AliasExists &e) {
363 LogError("DBCrypto couldn't save duplicate alias");
364 retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
365 } catch (const DBCrypto::Exception::TransactionError &e) {
366 LogError("DBCrypto transaction failed with message " << e.GetMessage());
367 retCode = CKM_API_ERROR_DB_ERROR;
370 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::SAVE),
373 static_cast<int>(dataType));
374 return response.Pop();
377 RawBuffer CKMLogic::removeData(
383 int retCode = CKM_API_SUCCESS;
385 if (0 < m_userDataMap.count(cred.uid)) {
387 auto erased = m_userDataMap[cred.uid].database.deleteDBRow(alias, cred.smackLabel);
388 // check if the data existed or not
390 LogError("No row for given alias and label");
391 retCode = CKM_API_ERROR_DB_ALIAS_UNKNOWN;
393 } Catch (DBCrypto::Exception::PermissionDenied) {
394 LogError("Error: not enough permissions!");
395 retCode = CKM_API_ERROR_ACCESS_DENIED;
396 } Catch (CKM::Exception) {
397 LogError("Error in deleting row!");
398 retCode = CKM_API_ERROR_DB_ERROR;
401 retCode = CKM_API_ERROR_DB_LOCKED;
404 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::REMOVE),
407 static_cast<int>(dataType));
408 return response.Pop();
411 int CKMLogic::getDataHelper(
415 const Password &password,
418 if (0 == m_userDataMap.count(cred.uid))
419 return CKM_API_ERROR_DB_LOCKED;
421 auto &handler = m_userDataMap[cred.uid];
423 DBCrypto::DBRowOptional row_optional;
424 if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
425 row_optional = handler.database.getDBRow(alias, cred.smackLabel, dataType);
426 } else if ((static_cast<int>(dataType) >= static_cast<int>(DBDataType::DB_KEY_FIRST))
427 && (static_cast<int>(dataType) <= static_cast<int>(DBDataType::DB_KEY_LAST)))
429 row_optional = handler.database.getKeyDBRow(alias, cred.smackLabel);
431 LogError("Unknown type of requested data" << (int)dataType);
432 return CKM_API_ERROR_BAD_REQUEST;
435 LogError("No row for given alias, label and type");
436 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
441 if (!handler.crypto.haveKey(row.smackLabel)) {
443 auto key_optional = handler.database.getKey(row.smackLabel);
445 LogError("No key for given label in database");
446 return CKM_API_ERROR_DB_ERROR;
449 key = handler.keyProvider.getPureDEK(key);
450 handler.crypto.pushKey(cred.smackLabel, key);
452 handler.crypto.decryptRow(password, row);
454 return CKM_API_SUCCESS;
457 RawBuffer CKMLogic::getData(
462 const Password &password)
464 int retCode = CKM_API_SUCCESS;
468 retCode = getDataHelper(cred, dataType, alias, password, row);
469 } catch (const KeyProvider::Exception::Base &e) {
470 LogError("KeyProvider failed with error: " << e.GetMessage());
471 retCode = CKM_API_ERROR_SERVER_ERROR;
472 } catch (const CryptoLogic::Exception::Base &e) {
473 LogError("CryptoLogic failed with message: " << e.GetMessage());
474 retCode = CKM_API_ERROR_SERVER_ERROR;
475 } catch (const DBCrypto::Exception::PermissionDenied &e) {
476 LogError("DBCrypto failed with message: " << e.GetMessage());
477 retCode = CKM_API_ERROR_ACCESS_DENIED;
478 } catch (const DBCrypto::Exception::Base &e) {
479 LogError("DBCrypto failed with message: " << e.GetMessage());
480 retCode = CKM_API_ERROR_DB_ERROR;
483 if (CKM_API_SUCCESS != retCode) {
485 row.dataType = dataType;
488 if ((CKM_API_SUCCESS == retCode) && (row.exportable == 0)) {
490 retCode = CKM_API_ERROR_NOT_EXPORTABLE;
493 // Prevent extracting private keys during cc-mode on
494 if((m_ccMode) && (row.dataType == DBDataType::KEY_RSA_PRIVATE ||
495 row.dataType == DBDataType::KEY_ECDSA_PRIVATE ||
496 row.dataType == DBDataType::KEY_DSA_PRIVATE))
499 retCode = CKM_API_ERROR_BAD_REQUEST;
502 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET),
505 static_cast<int>(row.dataType),
507 return response.Pop();
510 RawBuffer CKMLogic::getDataList(
515 int retCode = CKM_API_SUCCESS;
516 AliasVector aliasVector;
518 if (0 < m_userDataMap.count(cred.uid)) {
519 auto &handler = m_userDataMap[cred.uid];
521 if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
522 handler.database.getAliases(cred.smackLabel, dataType, aliasVector);
524 handler.database.getKeyAliases(cred.smackLabel, aliasVector);
526 } Catch (CKM::Exception) {
527 LogError("Failed to get aliases");
528 retCode = CKM_API_ERROR_DB_ERROR;
531 retCode = CKM_API_ERROR_DB_LOCKED;
534 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_LIST),
537 static_cast<int>(dataType),
539 return response.Pop();
543 int CKMLogic::createKeyPairHelper(
545 const KeyType key_type,
546 const int additional_param,
547 const Alias &aliasPrivate,
548 const Alias &aliasPublic,
549 const PolicySerializable &policyPrivate,
550 const PolicySerializable &policyPublic)
552 if (0 >= m_userDataMap.count(cred.uid))
553 return CKM_API_ERROR_DB_LOCKED;
555 auto &handler = m_userDataMap[cred.uid];
560 case KeyType::KEY_RSA_PUBLIC:
561 case KeyType::KEY_RSA_PRIVATE:
562 retCode = CryptoService::createKeyPairRSA(additional_param, prv, pub);
565 case KeyType::KEY_DSA_PUBLIC:
566 case KeyType::KEY_DSA_PRIVATE:
567 retCode = CryptoService::createKeyPairDSA(additional_param, prv, pub);
570 case KeyType::KEY_ECDSA_PUBLIC:
571 case KeyType::KEY_ECDSA_PRIVATE:
572 retCode = CryptoService::createKeyPairECDSA(static_cast<ElipticCurve>(additional_param), prv, pub);
576 return CKM_API_ERROR_INPUT_PARAM;
579 if (CKM_CRYPTO_CREATEKEY_SUCCESS != retCode)
581 LogDebug("CryptoService error with code: " << retCode);
582 return CKM_API_ERROR_SERVER_ERROR; // TODO error code
585 DBCrypto::Transaction transaction(&handler.database);
586 retCode = saveDataHelper(cred,
587 toDBDataType(prv.getType()),
592 if (CKM_API_SUCCESS != retCode)
595 retCode = saveDataHelper(cred,
596 toDBDataType(pub.getType()),
601 if (CKM_API_SUCCESS != retCode)
604 transaction.commit();
609 RawBuffer CKMLogic::createKeyPair(
611 LogicCommand protocol_cmd,
613 const int additional_param,
614 const Alias &aliasPrivate,
615 const Alias &aliasPublic,
616 const PolicySerializable &policyPrivate,
617 const PolicySerializable &policyPublic)
619 int retCode = CKM_API_SUCCESS;
621 KeyType key_type = KeyType::KEY_NONE;
624 case LogicCommand::CREATE_KEY_PAIR_RSA:
625 key_type = KeyType::KEY_RSA_PUBLIC;
627 case LogicCommand::CREATE_KEY_PAIR_DSA:
628 key_type = KeyType::KEY_DSA_PUBLIC;
630 case LogicCommand::CREATE_KEY_PAIR_ECDSA:
631 key_type = KeyType::KEY_ECDSA_PUBLIC;
638 retCode = createKeyPairHelper(
647 } catch (DBCrypto::Exception::AliasExists &e) {
648 LogDebug("DBCrypto error: alias exists: " << e.GetMessage());
649 retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
650 } catch (DBCrypto::Exception::TransactionError &e) {
651 LogDebug("DBCrypto error: transaction error: " << e.GetMessage());
652 retCode = CKM_API_ERROR_DB_ERROR;
653 } catch (CKM::CryptoLogic::Exception::Base &e) {
654 LogDebug("CryptoLogic error: " << e.GetMessage());
655 retCode = CKM_API_ERROR_SERVER_ERROR;
656 } catch (DBCrypto::Exception::InternalError &e) {
657 LogDebug("DBCrypto internal error: " << e.GetMessage());
658 retCode = CKM_API_ERROR_DB_ERROR;
661 return MessageBuffer::Serialize(static_cast<int>(protocol_cmd), commandId, retCode).Pop();
664 RawBuffer CKMLogic::getCertificateChain(
667 const RawBuffer &certificate,
668 const RawBufferVector &untrustedRawCertVector)
672 CertificateImpl cert(certificate, DataFormat::FORM_DER);
673 CertificateImplVector untrustedCertVector;
674 CertificateImplVector chainVector;
675 RawBufferVector chainRawVector;
677 for (auto &e: untrustedRawCertVector)
678 untrustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
680 LogDebug("Cert is empty: " << cert.empty());
682 int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
684 if (retCode == CKM_API_SUCCESS) {
685 for (auto &e : chainVector)
686 chainRawVector.push_back(e.getDER());
689 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
693 return response.Pop();
696 RawBuffer CKMLogic::getCertificateChain(
699 const RawBuffer &certificate,
700 const AliasVector &aliasVector)
702 int retCode = CKM_API_SUCCESS;
703 RawBufferVector chainRawVector;
705 CertificateImpl cert(certificate, DataFormat::FORM_DER);
706 CertificateImplVector untrustedCertVector;
707 CertificateImplVector chainVector;
711 retCode = CKM_API_ERROR_SERVER_ERROR;
715 for (auto &i: aliasVector) {
716 retCode = getDataHelper(cred, DBDataType::CERTIFICATE, i, Password(), row);
718 if (retCode != CKM_API_SUCCESS)
721 untrustedCertVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
724 retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
726 if (retCode != CKM_API_SUCCESS)
729 for (auto &i: chainVector)
730 chainRawVector.push_back(i.getDER());
732 } catch (const CryptoLogic::Exception::Base &e) {
733 LogError("DBCyptorModule failed with message: " << e.GetMessage());
734 retCode = CKM_API_ERROR_SERVER_ERROR;
735 } catch (const DBCrypto::Exception::PermissionDenied &e) {
736 LogError("DBCrypto failed with message: " << e.GetMessage());
737 retCode = CKM_API_ERROR_ACCESS_DENIED;
738 } catch (const DBCrypto::Exception::Base &e) {
739 LogError("DBCrypto failed with message: " << e.GetMessage());
740 retCode = CKM_API_ERROR_DB_ERROR;
742 LogError("Unknown error.");
746 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_ALIAS),
750 return response.Pop();
753 RawBuffer CKMLogic::createSignature(
756 const Alias &privateKeyAlias,
757 const Password &password, // password for private_key
758 const RawBuffer &message,
759 const HashAlgorithm hash,
760 const RSAPaddingAlgorithm padding)
766 int retCode = CKM_API_SUCCESS;
770 retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, privateKeyAlias, password, row);
771 if (CKM_API_SUCCESS != retCode) {
772 LogError("getDataHelper return error");
776 KeyImpl keyParsed(row.data, Password());
777 if (keyParsed.empty())
778 retCode = CKM_API_ERROR_SERVER_ERROR;
780 retCode = cs.createSignature(keyParsed, message, hash, padding, signature);
782 } catch (const KeyProvider::Exception::Base &e) {
783 LogError("KeyProvider failed with message: " << e.GetMessage());
784 retCode = CKM_API_ERROR_SERVER_ERROR;
785 } catch (const CryptoLogic::Exception::Base &e) {
786 LogError("CryptoLogic failed with message: " << e.GetMessage());
787 retCode = CKM_API_ERROR_SERVER_ERROR;
788 } catch (const DBCrypto::Exception::PermissionDenied &e) {
789 LogError("DBCrypto failed with message: " << e.GetMessage());
790 retCode = CKM_API_ERROR_ACCESS_DENIED;
791 } catch (const DBCrypto::Exception::Base &e) {
792 LogError("DBCrypto failed with message: " << e.GetMessage());
793 retCode = CKM_API_ERROR_DB_ERROR;
794 } catch (const CKM::Exception &e) {
795 LogError("Unknown CKM::Exception: " << e.GetMessage());
796 retCode = CKM_API_ERROR_SERVER_ERROR;
799 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::CREATE_SIGNATURE),
803 return response.Pop();
806 RawBuffer CKMLogic::verifySignature(
809 const Alias &publicKeyOrCertAlias,
810 const Password &password, // password for public_key (optional)
811 const RawBuffer &message,
812 const RawBuffer &signature,
813 const HashAlgorithm hash,
814 const RSAPaddingAlgorithm padding)
816 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
824 retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, publicKeyOrCertAlias, password, row);
826 if (retCode == CKM_API_SUCCESS) {
827 key = KeyImpl(row.data);
828 } else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
829 retCode = getDataHelper(cred, DBDataType::CERTIFICATE, publicKeyOrCertAlias, password, row);
830 if (retCode != CKM_API_SUCCESS)
832 CertificateImpl cert(row.data, DataFormat::FORM_DER);
833 key = cert.getKeyImpl();
839 retCode = CKM_API_ERROR_SERVER_ERROR;
843 retCode = cs.verifySignature(key, message, signature, hash, padding);
845 } catch (const CryptoService::Exception::Crypto_internal &e) {
846 LogError("KeyProvider failed with message: " << e.GetMessage());
847 retCode = CKM_API_ERROR_SERVER_ERROR;
848 } catch (const CryptoService::Exception::opensslError &e) {
849 LogError("KeyProvider failed with message: " << e.GetMessage());
850 retCode = CKM_API_ERROR_SERVER_ERROR;
851 } catch (const KeyProvider::Exception::Base &e) {
852 LogError("KeyProvider failed with error: " << e.GetMessage());
853 retCode = CKM_API_ERROR_SERVER_ERROR;
854 } catch (const CryptoLogic::Exception::Base &e) {
855 LogError("CryptoLogic failed with message: " << e.GetMessage());
856 retCode = CKM_API_ERROR_SERVER_ERROR;
857 } catch (const DBCrypto::Exception::PermissionDenied &e) {
858 LogError("DBCrypto failed with message: " << e.GetMessage());
859 retCode = CKM_API_ERROR_ACCESS_DENIED;
860 } catch (const DBCrypto::Exception::Base &e) {
861 LogError("DBCrypto failed with message: " << e.GetMessage());
862 retCode = CKM_API_ERROR_DB_ERROR;
863 } catch (const CKM::Exception &e) {
864 LogError("Unknown CKM::Exception: " << e.GetMessage());
865 retCode = CKM_API_ERROR_SERVER_ERROR;
868 auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::VERIFY_SIGNATURE),
871 return response.Pop();
874 RawBuffer CKMLogic::allowAccess(
878 const Alias &item_alias,
879 const std::string &accessor_label,
880 const AccessRight req_rights)
882 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
884 if (0 < m_userDataMap.count(cred.uid))
887 retCode = m_userDataMap[cred.uid].database.setAccessRights(cred.smackLabel, item_alias, accessor_label, req_rights);
888 } Catch (DBCrypto::Exception::InvalidArgs) {
889 LogError("Error: invalid args!");
890 retCode = CKM_API_ERROR_INPUT_PARAM;
891 } Catch (DBCrypto::Exception::PermissionDenied) {
892 LogError("Error: not enough permissions!");
893 retCode = CKM_API_ERROR_ACCESS_DENIED;
894 } Catch (CKM::Exception) {
895 LogError("Error in set row!");
896 retCode = CKM_API_ERROR_DB_ERROR;
899 retCode = CKM_API_ERROR_DB_LOCKED;
902 return MessageBuffer::Serialize(command, msgID, retCode).Pop();
905 RawBuffer CKMLogic::denyAccess(
909 const Alias &item_alias,
910 const std::string &accessor_label)
912 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
914 if (0 < m_userDataMap.count(cred.uid))
917 retCode = m_userDataMap[cred.uid].database.clearAccessRights(cred.smackLabel, item_alias, accessor_label);
918 } Catch (DBCrypto::Exception::PermissionDenied) {
919 LogError("Error: not enough permissions!");
920 retCode = CKM_API_ERROR_ACCESS_DENIED;
921 } Catch (DBCrypto::Exception::InvalidArgs) {
922 LogError("Error: permission not found!");
923 retCode = CKM_API_ERROR_INPUT_PARAM;
924 } Catch (CKM::Exception) {
925 LogError("Error in deleting row!");
926 retCode = CKM_API_ERROR_DB_ERROR;
929 retCode = CKM_API_ERROR_DB_LOCKED;
932 return MessageBuffer::Serialize(command, msgID, retCode).Pop();