2 * Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
20 * @brief Sample service implementation.
22 #include <dpl/serialization.h>
23 #include <dpl/log/log.h>
24 #include <ckm/ckm-error.h>
25 #include <ckm/ckm-type.h>
26 #include <key-provider.h>
27 #include <file-system.h>
28 #include <ckm-logic.h>
30 #include <key-aes-impl.h>
31 #include <certificate-config.h>
32 #include <certificate-store.h>
34 #include <sw-backend/store.h>
35 #include <generic-backend/exception.h>
36 #include <ss-migrate.h>
39 const char *const CERT_SYSTEM_DIR = CA_CERTS_DIR;
40 const char *const SYSTEM_DB_PASSWD = "cAtRugU7";
42 bool isClientValid(const CKM::ClientId &client)
44 if (client.find(CKM::ALIAS_SEPARATOR) != CKM::ClientId::npos)
50 bool isNameValid(const CKM::Name &name)
52 if (name.find(CKM::ALIAS_SEPARATOR) != CKM::Name::npos)
58 // keypair data type, having private key data type and public key data type
59 // private is assumed to be .first, public .second
60 using DataTypePair = std::pair<CKM::DataType, CKM::DataType>;
62 const std::map<CKM::AlgoType, DataTypePair> ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP = {
63 { CKM::AlgoType::RSA_GEN, { CKM::DataType(CKM::KeyType::KEY_RSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_RSA_PUBLIC) } },
64 { CKM::AlgoType::DSA_GEN, { CKM::DataType(CKM::KeyType::KEY_DSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_DSA_PUBLIC) } },
65 { CKM::AlgoType::ECDSA_GEN, { CKM::DataType(CKM::KeyType::KEY_ECDSA_PRIVATE), CKM::DataType(CKM::KeyType::KEY_ECDSA_PUBLIC) } },
68 } // anonymous namespace
72 const uid_t CKMLogic::SYSTEM_DB_UID = 0;
73 const uid_t CKMLogic::ADMIN_USER_DB_UID = 5001;
77 CertificateConfig::addSystemCertificateDir(CERT_SYSTEM_DIR);
79 m_accessControl.updateCCMode();
82 CKMLogic::~CKMLogic() {}
84 void CKMLogic::loadDKEKFile(uid_t user, const Password &password)
86 auto &handle = m_userDataMap[user];
90 auto wrappedDKEK = fs.getDKEK();
92 if (wrappedDKEK.empty()) {
93 wrappedDKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
94 fs.saveDKEK(wrappedDKEK);
97 handle.keyProvider = KeyProvider(wrappedDKEK, password);
100 void CKMLogic::saveDKEKFile(uid_t user, const Password &password)
102 auto &handle = m_userDataMap[user];
105 fs.saveDKEK(handle.keyProvider.getWrappedDomainKEK(password));
108 void CKMLogic::migrateSecureStorageData(bool isAdminUser)
110 SsMigration::migrate(isAdminUser, [this](const std::string &name,
111 const Crypto::Data &data,
112 bool adminUserFlag) {
113 LogInfo("Migrate data called with name: " << name);
114 auto ownerId = adminUserFlag ? CLIENT_ID_ADMIN_USER : CLIENT_ID_SYSTEM;
115 auto uid = adminUserFlag ? ADMIN_USER_DB_UID : SYSTEM_DB_UID;
117 int ret = verifyAndSaveDataHelper(Credentials(uid, ownerId), name, ownerId, data,
118 PolicySerializable());
120 if (ret == CKM_API_ERROR_DB_ALIAS_EXISTS)
121 LogWarning("Alias already exist for migrated name: " << name);
122 else if (ret != CKM_API_SUCCESS)
123 LogError("Failed to migrate secure-storage data. name: " << name <<
128 int CKMLogic::unlockDatabase(uid_t user, const Password &password)
130 if (0 < m_userDataMap.count(user) &&
131 m_userDataMap[user].keyProvider.isInitialized())
132 return CKM_API_SUCCESS;
134 int retCode = CKM_API_SUCCESS;
137 auto &handle = m_userDataMap[user];
140 loadDKEKFile(user, password);
142 auto wrappedDatabaseDEK = fs.getDBDEK();
144 if (wrappedDatabaseDEK.empty()) {
145 wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
146 fs.saveDBDEK(wrappedDatabaseDEK);
149 RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
151 handle.database = DB::Crypto(fs.getLegacyDBPath(), fs.getDBPath(), key);
152 handle.crypto = CryptoLogic();
154 if (!m_accessControl.isSystemService(user)) {
155 // remove data of removed apps during locked state
156 ClientIdVector removedApps = fs.clearRemovedsApps();
158 for (auto &app : removedApps) {
159 handle.crypto.removeKey(app);
160 handle.database.deleteKey(app);
164 if (user == SYSTEM_DB_UID && SsMigration::hasData())
165 migrateSecureStorageData(false);
166 else if (user == ADMIN_USER_DB_UID && SsMigration::hasData())
167 migrateSecureStorageData(true);
168 } catch (const Exc::Exception &e) {
170 } catch (const CKM::Exception &e) {
171 LogError("CKM::Exception: " << e.GetMessage());
172 retCode = CKM_API_ERROR_SERVER_ERROR;
175 if (CKM_API_SUCCESS != retCode)
176 m_userDataMap.erase(user);
181 int CKMLogic::unlockSystemDB()
183 return unlockDatabase(SYSTEM_DB_UID, SYSTEM_DB_PASSWD);
186 UserData &CKMLogic::selectDatabase(const Credentials &cred,
187 const ClientId &explicitOwner)
189 // if user trying to access system service - check:
190 // * if user database is unlocked [mandatory]
191 // * if not - proceed with regular user database
192 // * if explicit system database owner given -> switch to system DB
193 if (!m_accessControl.isSystemService(cred)) {
194 if (0 == m_userDataMap.count(cred.clientUid))
195 ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked");
197 if (0 != explicitOwner.compare(CLIENT_ID_SYSTEM))
198 return m_userDataMap[cred.clientUid];
201 // system database selected, modify the owner id
202 if (CKM_API_SUCCESS != unlockSystemDB())
203 ThrowErr(Exc::DatabaseLocked, "can not unlock system database");
205 return m_userDataMap[SYSTEM_DB_UID];
208 RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password)
210 int retCode = CKM_API_SUCCESS;
212 if (!m_accessControl.isSystemService(user))
213 retCode = unlockDatabase(user, password);
214 else // do not allow lock/unlock operations for system users
215 retCode = CKM_API_ERROR_INPUT_PARAM;
217 return MessageBuffer::Serialize(retCode).Pop();
220 RawBuffer CKMLogic::updateCCMode()
222 m_accessControl.updateCCMode();
223 return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
226 RawBuffer CKMLogic::lockUserKey(uid_t user)
228 int retCode = CKM_API_SUCCESS;
230 if (!m_accessControl.isSystemService(user))
231 m_userDataMap.erase(user);
232 else // do not allow lock/unlock operations for system users
233 retCode = CKM_API_ERROR_INPUT_PARAM;
235 return MessageBuffer::Serialize(retCode).Pop();
238 RawBuffer CKMLogic::removeUserData(uid_t user)
240 if (m_accessControl.isSystemService(user))
241 user = SYSTEM_DB_UID;
243 m_userDataMap.erase(user);
245 const int retCode = FileSystem(user).removeUserData()
246 ? CKM_API_ERROR_FILE_SYSTEM
249 return MessageBuffer::Serialize(retCode).Pop();
252 int CKMLogic::changeUserPasswordHelper(uid_t user,
253 const Password &oldPassword,
254 const Password &newPassword)
256 // do not allow to change system database password
257 if (m_accessControl.isSystemService(user))
258 return CKM_API_ERROR_INPUT_PARAM;
260 loadDKEKFile(user, oldPassword);
261 saveDKEKFile(user, newPassword);
263 return CKM_API_SUCCESS;
266 RawBuffer CKMLogic::changeUserPassword(
268 const Password &oldPassword,
269 const Password &newPassword)
271 int retCode = CKM_API_SUCCESS;
274 retCode = changeUserPasswordHelper(user, oldPassword, newPassword);
275 } catch (const Exc::Exception &e) {
277 } catch (const CKM::Exception &e) {
278 LogError("CKM::Exception: " << e.GetMessage());
279 retCode = CKM_API_ERROR_SERVER_ERROR;
282 return MessageBuffer::Serialize(retCode).Pop();
285 int CKMLogic::resetUserPasswordHelper(
287 const Password &newPassword)
289 // do not allow to reset system database password
290 if (m_accessControl.isSystemService(user))
291 return CKM_API_ERROR_INPUT_PARAM;
293 int retCode = CKM_API_SUCCESS;
295 if (0 == m_userDataMap.count(user)) {
296 // Check if key exists. If exists we must return error
298 auto wrappedDKEKMain = fs.getDKEK();
300 if (!wrappedDKEKMain.empty())
301 retCode = CKM_API_ERROR_BAD_REQUEST;
303 saveDKEKFile(user, newPassword);
309 RawBuffer CKMLogic::resetUserPassword(
311 const Password &newPassword)
313 int retCode = CKM_API_SUCCESS;
316 retCode = resetUserPasswordHelper(user, newPassword);
317 } catch (const Exc::Exception &e) {
319 } catch (const CKM::Exception &e) {
320 LogError("CKM::Exception: " << e.GetMessage());
321 retCode = CKM_API_ERROR_SERVER_ERROR;
324 return MessageBuffer::Serialize(retCode).Pop();
327 RawBuffer CKMLogic::removeApplicationData(const ClientId &owner)
329 int retCode = CKM_API_SUCCESS;
333 retCode = CKM_API_ERROR_INPUT_PARAM;
335 UidVector uids = FileSystem::getUIDsFromDBFile();
337 for (auto userId : uids) {
338 if (0 == m_userDataMap.count(userId)) {
339 FileSystem fs(userId);
340 fs.addRemovedApp(owner);
342 auto &handle = m_userDataMap[userId];
343 handle.crypto.removeKey(owner);
344 handle.database.deleteKey(owner);
348 } catch (const Exc::Exception &e) {
350 } catch (const CKM::Exception &e) {
351 LogError("CKM::Exception: " << e.GetMessage());
352 retCode = CKM_API_ERROR_SERVER_ERROR;
355 return MessageBuffer::Serialize(retCode).Pop();
358 int CKMLogic::checkSaveConditions(
359 const Credentials &accessorCred,
362 const ClientId &owner)
364 // verify name and client are correct
365 if (!isNameValid(name) || !isClientValid(owner)) {
366 LogDebug("Invalid parameter passed to key-manager");
367 return CKM_API_ERROR_INPUT_PARAM;
370 // check if accessor is allowed to save owner's items
371 int access_ec = m_accessControl.canSave(accessorCred, owner);
373 if (access_ec != CKM_API_SUCCESS) {
374 LogDebug("accessor " << accessorCred.client << " can not save rows owned by " <<
379 // check if not a duplicate
380 if (handler.database.isNameOwnerPresent(name, owner))
381 return CKM_API_ERROR_DB_ALIAS_EXISTS;
383 // encryption section
384 if (!handler.crypto.haveKey(owner)) {
386 auto key_optional = handler.database.getKey(owner);
389 LogDebug("No Key in database found. Generating new one for client: " <<
391 got_key = handler.keyProvider.generateDEK(owner);
392 handler.database.saveKey(owner, got_key);
394 LogDebug("Key from DB");
395 got_key = *key_optional;
398 got_key = handler.keyProvider.getPureDEK(got_key);
399 handler.crypto.pushKey(owner, got_key);
402 return CKM_API_SUCCESS;
405 DB::Row CKMLogic::createEncryptedRow(
408 const ClientId &owner,
409 const Crypto::Data &data,
410 const Policy &policy)
412 Crypto::GStore &store = m_decider.getStore(data.type, policy);
414 // do not encrypt data with password during cc_mode on
415 Token token = store.import(data,
416 m_accessControl.isCCMode() ? "" : policy.password,
417 Crypto::EncryptionParams());
418 DB::Row row(std::move(token), name, owner,
419 static_cast<int>(policy.extractable));
420 crypto.encryptRow(row);
424 int CKMLogic::verifyBinaryData(Crypto::Data &input) const
427 return toBinaryData(input, dummy);
430 int CKMLogic::toBinaryData(const Crypto::Data &input,
431 Crypto::Data &output) const
433 // verify the data integrity
434 if (input.type.isKey()) {
437 if (input.type.isSKey())
438 output_key = CKM::Key::createAES(input.data);
440 output_key = CKM::Key::create(input.data);
442 if (output_key.get() == NULL) {
443 LogDebug("provided binary data is not valid key data");
444 return CKM_API_ERROR_INPUT_PARAM;
447 output = std::move(Crypto::Data(input.type, output_key->getDER()));
448 } else if (input.type.isCertificate() || input.type.isChainCert()) {
449 CertificateShPtr cert = CKM::Certificate::create(input.data,
450 DataFormat::FORM_DER);
452 if (cert.get() == NULL) {
453 LogDebug("provided binary data is not valid certificate data");
454 return CKM_API_ERROR_INPUT_PARAM;
457 output = std::move(Crypto::Data(input.type, cert->getDER()));
462 // TODO: add here BINARY_DATA verification, i.e: max size etc.
463 return CKM_API_SUCCESS;
466 int CKMLogic::verifyAndSaveDataHelper(
467 const Credentials &cred,
469 const ClientId &explicitOwner,
470 const Crypto::Data &data,
471 const PolicySerializable &policy)
473 int retCode = CKM_API_ERROR_UNKNOWN;
476 // check if data is correct
477 Crypto::Data binaryData;
478 retCode = toBinaryData(data, binaryData);
480 if (retCode != CKM_API_SUCCESS)
483 return saveDataHelper(cred, name, explicitOwner, binaryData, policy);
484 } catch (const Exc::Exception &e) {
486 } catch (const CKM::Exception &e) {
487 LogError("CKM::Exception: " << e.GetMessage());
488 return CKM_API_ERROR_SERVER_ERROR;
492 int CKMLogic::getKeyForService(
493 const Credentials &cred,
495 const ClientId &explicitOwner,
496 const Password &pass,
497 Crypto::GObjShPtr &key)
500 // Key is for internal service use. It won't be exported to the client
501 Crypto::GObjUPtr obj;
502 int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
505 if (retCode == CKM_API_SUCCESS)
506 key = std::move(obj);
509 } catch (const Exc::Exception &e) {
511 } catch (const CKM::Exception &e) {
512 LogError("CKM::Exception: " << e.GetMessage());
513 return CKM_API_ERROR_SERVER_ERROR;
517 RawBuffer CKMLogic::saveData(
518 const Credentials &cred,
521 const ClientId &explicitOwner,
522 const Crypto::Data &data,
523 const PolicySerializable &policy)
525 int retCode = verifyAndSaveDataHelper(cred, name, explicitOwner, data, policy);
526 auto response = MessageBuffer::Serialize(msgId, retCode, data.type);
527 return response.Pop();
530 int CKMLogic::extractPKCS12Data(
533 const ClientId &owner,
534 const PKCS12Serializable &pkcs,
535 const PolicySerializable &keyPolicy,
536 const PolicySerializable &certPolicy,
537 DB::RowVector &output)
539 // private key is mandatory
540 auto key = pkcs.getKey();
543 LogError("Failed to get private key from pkcs");
544 return CKM_API_ERROR_INVALID_FORMAT;
547 Crypto::Data keyData(DataType(key->getType()), key->getDER());
548 int retCode = verifyBinaryData(keyData);
550 if (retCode != CKM_API_SUCCESS)
553 output.push_back(createEncryptedRow(crypto, name, owner, keyData,
556 // certificate is mandatory
557 auto cert = pkcs.getCertificate();
560 LogError("Failed to get certificate from pkcs");
561 return CKM_API_ERROR_INVALID_FORMAT;
564 Crypto::Data certData(DataType::CERTIFICATE, cert->getDER());
565 retCode = verifyBinaryData(certData);
567 if (retCode != CKM_API_SUCCESS)
570 output.push_back(createEncryptedRow(crypto, name, owner, certData,
574 unsigned int cert_index = 0;
576 for (const auto &ca : pkcs.getCaCertificateShPtrVector()) {
577 Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++),
579 int retCode = verifyBinaryData(caCertData);
581 if (retCode != CKM_API_SUCCESS)
584 output.push_back(createEncryptedRow(crypto, name, owner, caCertData,
588 return CKM_API_SUCCESS;
591 RawBuffer CKMLogic::savePKCS12(
592 const Credentials &cred,
595 const ClientId &explicitOwner,
596 const PKCS12Serializable &pkcs,
597 const PolicySerializable &keyPolicy,
598 const PolicySerializable &certPolicy)
600 int retCode = CKM_API_ERROR_UNKNOWN;
603 retCode = saveDataHelper(cred, name, explicitOwner, pkcs, keyPolicy, certPolicy);
604 } catch (const Exc::Exception &e) {
606 } catch (const CKM::Exception &e) {
607 LogError("CKM::Exception: " << e.GetMessage());
608 retCode = CKM_API_ERROR_SERVER_ERROR;
611 auto response = MessageBuffer::Serialize(msgId, retCode);
612 return response.Pop();
616 int CKMLogic::removeDataHelper(
617 const Credentials &cred,
619 const ClientId &explicitOwner)
621 auto &handler = selectDatabase(cred, explicitOwner);
623 // use client id if not explicitly provided
624 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
626 if (!isNameValid(name) || !isClientValid(owner)) {
627 LogDebug("Invalid owner or name format");
628 return CKM_API_ERROR_INPUT_PARAM;
631 DB::Crypto::Transaction transaction(&handler.database);
633 // read and check permissions
634 PermissionMaskOptional permissionRowOpt =
635 handler.database.getPermissionRow(name, owner, cred.client);
636 int retCode = m_accessControl.canDelete(cred,
637 toPermissionMask(permissionRowOpt));
639 if (retCode != CKM_API_SUCCESS) {
640 LogWarning("access control check result: " << retCode);
644 // get all matching rows
646 handler.database.getRows(name, owner, DataType::DB_FIRST,
647 DataType::DB_LAST, rows);
650 LogDebug("No row for given name and owner");
651 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
654 // load app key if needed
655 retCode = loadAppKey(handler, rows.front().owner);
657 if (CKM_API_SUCCESS != retCode)
660 // destroy it in store
661 for (auto &r : rows) {
663 handler.crypto.decryptRow(Password(), r);
664 m_decider.getStore(r).destroy(r);
665 } catch (const Exc::AuthenticationFailed &) {
666 LogDebug("Authentication failed when removing data. Ignored.");
671 handler.database.deleteRow(name, owner);
672 transaction.commit();
674 return CKM_API_SUCCESS;
677 RawBuffer CKMLogic::removeData(
678 const Credentials &cred,
681 const ClientId &explicitOwner)
683 int retCode = CKM_API_ERROR_UNKNOWN;
686 retCode = removeDataHelper(cred, name, explicitOwner);
687 } catch (const Exc::Exception &e) {
689 } catch (const CKM::Exception &e) {
690 LogError("Error: " << e.GetMessage());
691 retCode = CKM_API_ERROR_DB_ERROR;
694 auto response = MessageBuffer::Serialize(msgId, retCode);
695 return response.Pop();
698 int CKMLogic::readSingleRow(const Name &name,
699 const ClientId &owner,
701 DB::Crypto &database,
704 DB::Crypto::RowOptional row_optional;
706 if (dataType.isKey()) {
707 // read all key types
708 row_optional = database.getRow(name,
710 DataType::DB_KEY_FIRST,
711 DataType::DB_KEY_LAST);
713 // read anything else
714 row_optional = database.getRow(name,
720 LogDebug("No row for given name, owner and type");
721 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
726 return CKM_API_SUCCESS;
730 int CKMLogic::readMultiRow(const Name &name,
731 const ClientId &owner,
733 DB::Crypto &database,
734 DB::RowVector &output)
736 if (dataType.isKey())
737 // read all key types
738 database.getRows(name,
740 DataType::DB_KEY_FIRST,
741 DataType::DB_KEY_LAST,
743 else if (dataType.isChainCert())
744 // read all key types
745 database.getRows(name,
747 DataType::DB_CHAIN_FIRST,
748 DataType::DB_CHAIN_LAST,
751 // read anything else
752 database.getRows(name,
757 if (!output.size()) {
758 LogDebug("No row for given name, owner and type");
759 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
762 return CKM_API_SUCCESS;
765 int CKMLogic::checkDataPermissionsHelper(const Credentials &accessorCred,
767 const ClientId &owner,
770 DB::Crypto &database)
772 PermissionMaskOptional permissionRowOpt =
773 database.getPermissionRow(name, owner, accessorCred.client);
776 return m_accessControl.canExport(accessorCred,
778 toPermissionMask(permissionRowOpt));
780 return m_accessControl.canRead(accessorCred,
781 toPermissionMask(permissionRowOpt));
784 Crypto::GObjUPtr CKMLogic::rowToObject(
787 const Password &password)
789 Crypto::GStore &store = m_decider.getStore(row);
791 Password pass = m_accessControl.isCCMode() ? "" : password;
794 Crypto::GObjUPtr obj;
796 if (CryptoLogic::getSchemeVersion(row.encryptionScheme) ==
797 CryptoLogic::ENCRYPTION_V2) {
798 handler.crypto.decryptRow(Password(), row);
800 obj = store.getObject(row, pass);
802 // decrypt entirely with old scheme: b64(pass(appkey(data))) -> data
803 handler.crypto.decryptRow(pass, row);
804 // destroy it in store
807 // import it to store with new scheme: data -> pass(data)
808 Token token = store.import(Crypto::Data(row.dataType, row.data), pass, Crypto::EncryptionParams());
810 // get it from the store (it can be different than the data we imported into store)
811 obj = store.getObject(token, pass);
813 // update row with new token
814 *static_cast<Token *>(&row) = std::move(token);
816 // encrypt it with app key: pass(data) -> b64(appkey(pass(data))
817 handler.crypto.encryptRow(row);
820 handler.database.updateRow(row);
826 int CKMLogic::readDataHelper(
828 const Credentials &cred,
831 const ClientId &explicitOwner,
832 const Password &password,
833 Crypto::GObjUPtrVector &objs)
835 auto &handler = selectDatabase(cred, explicitOwner);
837 // use client id if not explicitly provided
838 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
840 if (!isNameValid(name) || !isClientValid(owner))
841 return CKM_API_ERROR_INPUT_PARAM;
844 DB::Crypto::Transaction transaction(&handler.database);
846 int retCode = readMultiRow(name, owner, dataType, handler.database, rows);
848 if (CKM_API_SUCCESS != retCode)
851 // all read rows belong to the same owner
852 DB::Row &firstRow = rows.at(0);
854 // check access rights
855 retCode = checkDataPermissionsHelper(cred, name, owner, firstRow,
856 exportFlag, handler.database);
858 if (CKM_API_SUCCESS != retCode)
861 // load app key if needed
862 retCode = loadAppKey(handler, firstRow.owner);
864 if (CKM_API_SUCCESS != retCode)
868 for (auto &row : rows)
869 objs.push_back(rowToObject(handler, std::move(row), password));
871 // rowToObject may modify db
872 transaction.commit();
874 return CKM_API_SUCCESS;
877 int CKMLogic::readDataHelper(
879 const Credentials &cred,
882 const ClientId &explicitOwner,
883 const Password &password,
884 Crypto::GObjUPtr &obj)
886 DataType objDataType;
887 return readDataHelper(exportFlag, cred, dataType, name, explicitOwner,
888 password, obj, objDataType);
891 int CKMLogic::readDataHelper(
893 const Credentials &cred,
896 const ClientId &explicitOwner,
897 const Password &password,
898 Crypto::GObjUPtr &obj,
899 DataType &objDataType)
901 auto &handler = selectDatabase(cred, explicitOwner);
903 // use client id if not explicitly provided
904 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
906 if (!isNameValid(name) || !isClientValid(owner))
907 return CKM_API_ERROR_INPUT_PARAM;
910 DB::Crypto::Transaction transaction(&handler.database);
912 int retCode = readSingleRow(name, owner, dataType, handler.database, row);
914 if (CKM_API_SUCCESS != retCode)
917 objDataType = row.dataType;
919 // check access rights
920 retCode = checkDataPermissionsHelper(cred, name, owner, row, exportFlag,
923 if (CKM_API_SUCCESS != retCode)
926 // load app key if needed
927 retCode = loadAppKey(handler, row.owner);
929 if (CKM_API_SUCCESS != retCode)
932 obj = rowToObject(handler, std::move(row), password);
933 // rowToObject may modify db
934 transaction.commit();
936 return CKM_API_SUCCESS;
939 RawBuffer CKMLogic::getData(
940 const Credentials &cred,
944 const ClientId &explicitOwner,
945 const Password &password)
947 int retCode = CKM_API_SUCCESS;
949 DataType objDataType;
952 Crypto::GObjUPtr obj;
953 retCode = readDataHelper(true, cred, dataType, name, explicitOwner,
954 password, obj, objDataType);
956 if (retCode == CKM_API_SUCCESS)
957 rowData = obj->getBinary();
958 } catch (const Exc::Exception &e) {
960 } catch (const CKM::Exception &e) {
961 LogError("CKM::Exception: " << e.GetMessage());
962 retCode = CKM_API_ERROR_SERVER_ERROR;
965 if (CKM_API_SUCCESS != retCode)
968 auto response = MessageBuffer::Serialize(msgId,
972 return response.Pop();
975 RawBuffer CKMLogic::getDataProtectionStatus(
976 const Credentials &cred,
980 const ClientId &explicitOwner)
982 int retCode = CKM_API_SUCCESS;
984 DataType objDataType;
988 Crypto::GObjUPtr obj;
989 retCode = readDataHelper(false, cred, dataType, name, explicitOwner,
990 password, obj, objDataType);
992 } catch (const Exc::Exception &e) {
994 } catch (const CKM::Exception &e) {
995 LogError("CKM::Exception: " << e.GetMessage());
996 retCode = CKM_API_ERROR_SERVER_ERROR;
999 if (retCode == CKM_API_ERROR_AUTHENTICATION_FAILED) {
1001 retCode = CKM_API_SUCCESS;
1004 auto response = MessageBuffer::Serialize(msgId,
1008 return response.Pop();
1011 int CKMLogic::getPKCS12Helper(
1012 const Credentials &cred,
1014 const ClientId &explicitOwner,
1015 const Password &keyPassword,
1016 const Password &certPassword,
1018 CertificateShPtr &cert,
1019 CertificateShPtrVector &caChain)
1023 // read private key (mandatory)
1024 Crypto::GObjUPtr keyObj;
1025 retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
1026 keyPassword, keyObj);
1028 if (retCode != CKM_API_SUCCESS) {
1029 if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
1032 privKey = CKM::Key::create(keyObj->getBinary());
1035 // read certificate (mandatory)
1036 Crypto::GObjUPtr certObj;
1037 retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, explicitOwner,
1038 certPassword, certObj);
1040 if (retCode != CKM_API_SUCCESS) {
1041 if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
1044 cert = CKM::Certificate::create(certObj->getBinary(), DataFormat::FORM_DER);
1047 // read CA cert chain (optional)
1048 Crypto::GObjUPtrVector caChainObjs;
1049 retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, explicitOwner,
1050 certPassword, caChainObjs);
1052 if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
1053 if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
1056 for (auto &caCertObj : caChainObjs)
1057 caChain.push_back(CKM::Certificate::create(caCertObj->getBinary(),
1058 DataFormat::FORM_DER));
1061 // if anything found, return it
1062 if (privKey || cert || caChain.size() > 0)
1063 retCode = CKM_API_SUCCESS;
1068 RawBuffer CKMLogic::getPKCS12(
1069 const Credentials &cred,
1072 const ClientId &explicitOwner,
1073 const Password &keyPassword,
1074 const Password &certPassword)
1076 int retCode = CKM_API_ERROR_UNKNOWN;
1078 PKCS12Serializable output;
1082 CertificateShPtr cert;
1083 CertificateShPtrVector caChain;
1084 retCode = getPKCS12Helper(cred, name, explicitOwner, keyPassword,
1085 certPassword, privKey, cert, caChain);
1088 if (retCode == CKM_API_SUCCESS)
1089 output = PKCS12Serializable(std::move(privKey), std::move(cert),
1090 std::move(caChain));
1091 } catch (const Exc::Exception &e) {
1092 retCode = e.error();
1093 } catch (const CKM::Exception &e) {
1094 LogError("CKM::Exception: " << e.GetMessage());
1095 retCode = CKM_API_ERROR_SERVER_ERROR;
1098 auto response = MessageBuffer::Serialize(msgId, retCode, output);
1099 return response.Pop();
1102 int CKMLogic::getDataListHelper(const Credentials &cred,
1103 const DataType dataType,
1104 OwnerNameVector &ownerNameVector)
1106 int retCode = CKM_API_ERROR_DB_LOCKED;
1108 if (0 < m_userDataMap.count(cred.clientUid)) {
1109 auto &database = m_userDataMap[cred.clientUid].database;
1112 OwnerNameVector tmpVector;
1114 if (dataType.isKey()) {
1115 // list all key types
1116 database.listNames(cred.client,
1118 DataType::DB_KEY_FIRST,
1119 DataType::DB_KEY_LAST);
1121 // list anything else
1122 database.listNames(cred.client,
1127 ownerNameVector.insert(ownerNameVector.end(), tmpVector.begin(),
1129 retCode = CKM_API_SUCCESS;
1130 } catch (const CKM::Exception &e) {
1131 LogError("Error: " << e.GetMessage());
1132 retCode = CKM_API_ERROR_DB_ERROR;
1133 } catch (const Exc::Exception &e) {
1134 retCode = e.error();
1141 RawBuffer CKMLogic::getDataList(
1142 const Credentials &cred,
1146 OwnerNameVector systemVector;
1147 OwnerNameVector userVector;
1148 OwnerNameVector ownerNameVector;
1150 int retCode = unlockSystemDB();
1152 if (CKM_API_SUCCESS == retCode) {
1154 if (m_accessControl.isSystemService(cred)) {
1156 retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
1161 // user - lookup system, then client DB
1162 retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
1168 if (retCode == CKM_API_SUCCESS) {
1169 retCode = getDataListHelper(cred,
1176 if (retCode == CKM_API_SUCCESS) {
1177 ownerNameVector.insert(ownerNameVector.end(), systemVector.begin(),
1178 systemVector.end());
1179 ownerNameVector.insert(ownerNameVector.end(), userVector.begin(),
1183 auto response = MessageBuffer::Serialize(msgId,
1187 return response.Pop();
1190 int CKMLogic::importInitialData(
1192 const Crypto::Data &data,
1193 const Crypto::EncryptionParams &encParams,
1194 const Policy &policy)
1197 if (encParams.iv.empty() != encParams.tag.empty()) {
1198 LogError("Both iv and tag must be empty or set");
1199 return CKM_API_ERROR_INPUT_PARAM;
1202 // Inital values are always imported with root credentials. Client id is not important.
1203 Credentials rootCred(0, "");
1205 auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM);
1207 // check if save is possible
1208 DB::Crypto::Transaction transaction(&handler.database);
1209 int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
1211 if (retCode != CKM_API_SUCCESS)
1214 Crypto::GStore &store =
1215 m_decider.getStore(data.type, policy, !encParams.iv.empty());
1219 if (encParams.iv.empty()) {
1220 // Data are not encrypted, let's try to verify them
1221 Crypto::Data binaryData;
1223 if (CKM_API_SUCCESS != (retCode = toBinaryData(data, binaryData)))
1226 token = store.import(binaryData,
1227 m_accessControl.isCCMode() ? "" : policy.password,
1230 token = store.import(data,
1231 m_accessControl.isCCMode() ? "" : policy.password,
1235 DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
1236 static_cast<int>(policy.extractable));
1237 handler.crypto.encryptRow(row);
1239 handler.database.saveRow(row);
1240 transaction.commit();
1241 } catch (const Exc::Exception &e) {
1243 } catch (const CKM::Exception &e) {
1244 LogError("CKM::Exception: " << e.GetMessage());
1245 return CKM_API_ERROR_SERVER_ERROR;
1246 } catch (const std::exception &e) {
1247 LogError("Std::exception: " << e.what());
1248 return CKM_API_ERROR_SERVER_ERROR;
1251 return CKM_API_SUCCESS;
1254 int CKMLogic::saveDataHelper(
1255 const Credentials &cred,
1257 const ClientId &explicitOwner,
1258 const Crypto::Data &data,
1259 const PolicySerializable &policy)
1261 auto &handler = selectDatabase(cred, explicitOwner);
1263 // use client id if not explicitly provided
1264 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1266 if (m_accessControl.isSystemService(cred) &&
1267 owner.compare(CLIENT_ID_SYSTEM) != 0) {
1268 LogError("System services can only use " << CLIENT_ID_SYSTEM << " as owner id") ;
1269 return CKM_API_ERROR_INPUT_PARAM;
1272 // check if save is possible
1273 DB::Crypto::Transaction transaction(&handler.database);
1274 int retCode = checkSaveConditions(cred, handler, name, owner);
1276 if (retCode != CKM_API_SUCCESS)
1280 DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, owner,
1282 handler.database.saveRow(encryptedRow);
1284 transaction.commit();
1285 return CKM_API_SUCCESS;
1288 int CKMLogic::saveDataHelper(
1289 const Credentials &cred,
1291 const ClientId &explicitOwner,
1292 const PKCS12Serializable &pkcs,
1293 const PolicySerializable &keyPolicy,
1294 const PolicySerializable &certPolicy)
1296 auto &handler = selectDatabase(cred, explicitOwner);
1298 // use client id if not explicitly provided
1299 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1301 if (m_accessControl.isSystemService(cred) &&
1302 owner.compare(CLIENT_ID_SYSTEM) != 0)
1303 return CKM_API_ERROR_INPUT_PARAM;
1305 // check if save is possible
1306 DB::Crypto::Transaction transaction(&handler.database);
1307 int retCode = checkSaveConditions(cred, handler, name, owner);
1309 if (retCode != CKM_API_SUCCESS)
1312 // extract and encrypt the data
1313 DB::RowVector encryptedRows;
1314 retCode = extractPKCS12Data(handler.crypto, name, owner, pkcs, keyPolicy,
1315 certPolicy, encryptedRows);
1317 if (retCode != CKM_API_SUCCESS)
1321 handler.database.saveRows(name, owner, encryptedRows);
1322 transaction.commit();
1324 return CKM_API_SUCCESS;
1328 int CKMLogic::createKeyAESHelper(
1329 const Credentials &cred,
1332 const ClientId &explicitOwner,
1333 const PolicySerializable &policy)
1335 auto &handler = selectDatabase(cred, explicitOwner);
1337 // use client id if not explicitly provided
1338 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1340 if (m_accessControl.isSystemService(cred) &&
1341 owner.compare(CLIENT_ID_SYSTEM) != 0)
1342 return CKM_API_ERROR_INPUT_PARAM;
1344 // check if save is possible
1345 DB::Crypto::Transaction transaction(&handler.database);
1346 int retCode = checkSaveConditions(cred, handler, name, owner);
1348 if (retCode != CKM_API_SUCCESS)
1351 // create key in store
1352 CryptoAlgorithm keyGenAlgorithm;
1353 keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
1354 keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size);
1355 Token key = m_decider.getStore(DataType::KEY_AES,
1356 policy).generateSKey(keyGenAlgorithm, policy.password);
1359 DB::Row row(std::move(key), name, owner,
1360 static_cast<int>(policy.extractable));
1361 handler.crypto.encryptRow(row);
1363 handler.database.saveRow(row);
1365 transaction.commit();
1366 return CKM_API_SUCCESS;
1369 int CKMLogic::createKeyPairHelper(
1370 const Credentials &cred,
1371 const CryptoAlgorithmSerializable &keyGenParams,
1372 const Name &namePrivate,
1373 const ClientId &explicitOwnerPrivate,
1374 const Name &namePublic,
1375 const ClientId &explicitOwnerPublic,
1376 const PolicySerializable &policyPrivate,
1377 const PolicySerializable &policyPublic)
1379 auto &handlerPriv = selectDatabase(cred, explicitOwnerPrivate);
1380 auto &handlerPub = selectDatabase(cred, explicitOwnerPublic);
1382 AlgoType keyType = AlgoType::RSA_GEN;
1384 if (!keyGenParams.getParam(ParamName::ALGO_TYPE, keyType))
1385 ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE not found.");
1387 const auto dtIt = ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.find(keyType);
1388 if (dtIt == ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.end())
1389 ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value.");
1390 const DataTypePair& dt = dtIt->second;
1392 if (policyPrivate.backend != policyPublic.backend)
1393 ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
1395 // use client id if not explicitly provided
1396 const ClientId &ownerPrv = explicitOwnerPrivate.empty() ? cred.client :
1397 explicitOwnerPrivate;
1399 if (m_accessControl.isSystemService(cred) &&
1400 ownerPrv.compare(CLIENT_ID_SYSTEM) != 0)
1401 return CKM_API_ERROR_INPUT_PARAM;
1403 const ClientId &ownerPub = explicitOwnerPublic.empty() ? cred.client :
1404 explicitOwnerPublic;
1406 if (m_accessControl.isSystemService(cred) &&
1407 ownerPub.compare(CLIENT_ID_SYSTEM) != 0)
1408 return CKM_API_ERROR_INPUT_PARAM;
1410 bool exportable = policyPrivate.extractable || policyPublic.extractable;
1411 Policy lessRestricted(Password(), exportable, policyPrivate.backend);
1413 TokenPair keys = m_decider.getStore(policyPrivate, dt.first, dt.second).generateAKey(keyGenParams,
1414 policyPrivate.password,
1415 policyPublic.password);
1417 DB::Crypto::Transaction transactionPriv(&handlerPriv.database);
1418 // in case the same database is used for private and public - the second
1419 // transaction will not be executed
1420 DB::Crypto::Transaction transactionPub(&handlerPub.database);
1423 retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerPrv);
1425 if (CKM_API_SUCCESS != retCode)
1428 retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerPub);
1430 if (CKM_API_SUCCESS != retCode)
1434 DB::Row rowPrv(std::move(keys.first), namePrivate, ownerPrv,
1435 static_cast<int>(policyPrivate.extractable));
1436 handlerPriv.crypto.encryptRow(rowPrv);
1437 handlerPriv.database.saveRow(rowPrv);
1439 DB::Row rowPub(std::move(keys.second), namePublic, ownerPub,
1440 static_cast<int>(policyPublic.extractable));
1441 handlerPub.crypto.encryptRow(rowPub);
1442 handlerPub.database.saveRow(rowPub);
1444 transactionPub.commit();
1445 transactionPriv.commit();
1446 return CKM_API_SUCCESS;
1449 RawBuffer CKMLogic::createKeyPair(
1450 const Credentials &cred,
1452 const CryptoAlgorithmSerializable &keyGenParams,
1453 const Name &namePrivate,
1454 const ClientId &explicitOwnerPrivate,
1455 const Name &namePublic,
1456 const ClientId &explicitOwnerPublic,
1457 const PolicySerializable &policyPrivate,
1458 const PolicySerializable &policyPublic)
1460 int retCode = CKM_API_SUCCESS;
1463 retCode = createKeyPairHelper(
1467 explicitOwnerPrivate,
1469 explicitOwnerPublic,
1472 } catch (const Exc::Exception &e) {
1473 retCode = e.error();
1474 } catch (const CKM::Exception &e) {
1475 LogError("CKM::Exception: " << e.GetMessage());
1476 retCode = CKM_API_ERROR_SERVER_ERROR;
1479 return MessageBuffer::Serialize(msgId, retCode).Pop();
1482 RawBuffer CKMLogic::createKeyAES(
1483 const Credentials &cred,
1487 const ClientId &explicitOwner,
1488 const PolicySerializable &policy)
1490 int retCode = CKM_API_SUCCESS;
1493 retCode = createKeyAESHelper(cred, size, name, explicitOwner, policy);
1494 } catch (const Exc::Exception &e) {
1495 retCode = e.error();
1496 } catch (std::invalid_argument &e) {
1497 LogDebug("invalid argument error: " << e.what());
1498 retCode = CKM_API_ERROR_INPUT_PARAM;
1499 } catch (const CKM::Exception &e) {
1500 LogError("CKM::Exception: " << e.GetMessage());
1501 retCode = CKM_API_ERROR_SERVER_ERROR;
1504 return MessageBuffer::Serialize(msgId, retCode).Pop();
1507 int CKMLogic::readCertificateHelper(
1508 const Credentials &cred,
1509 const OwnerNameVector &ownerNameVector,
1510 CertificateImplVector &certVector)
1512 for (auto &i : ownerNameVector) {
1513 // certificates can't be protected with custom user password
1514 Crypto::GObjUPtr obj;
1516 ec = readDataHelper(true,
1518 DataType::CERTIFICATE,
1524 if (ec != CKM_API_SUCCESS)
1527 certVector.emplace_back(obj->getBinary(), DataFormat::FORM_DER);
1529 // try to read chain certificates (if present)
1530 Crypto::GObjUPtrVector caChainObjs;
1531 ec = readDataHelper(true,
1533 DataType::DB_CHAIN_FIRST,
1539 if (ec != CKM_API_SUCCESS && ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
1542 for (auto &caCertObj : caChainObjs)
1543 certVector.emplace_back(caCertObj->getBinary(), DataFormat::FORM_DER);
1546 return CKM_API_SUCCESS;
1549 int CKMLogic::getCertificateChainHelper(
1550 const CertificateImpl &cert,
1551 const RawBufferVector &untrustedCertificates,
1552 const RawBufferVector &trustedCertificates,
1553 bool useTrustedSystemCertificates,
1554 RawBufferVector &chainRawVector)
1556 CertificateImplVector untrustedCertVector;
1557 CertificateImplVector trustedCertVector;
1558 CertificateImplVector chainVector;
1561 return CKM_API_ERROR_INPUT_PARAM;
1563 for (auto &e : untrustedCertificates) {
1564 CertificateImpl c(e, DataFormat::FORM_DER);
1567 return CKM_API_ERROR_INPUT_PARAM;
1569 untrustedCertVector.push_back(std::move(c));
1572 for (auto &e : trustedCertificates) {
1573 CertificateImpl c(e, DataFormat::FORM_DER);
1576 return CKM_API_ERROR_INPUT_PARAM;
1578 trustedCertVector.push_back(std::move(c));
1581 CertificateStore store;
1582 int retCode = store.verifyCertificate(cert,
1583 untrustedCertVector,
1585 useTrustedSystemCertificates,
1586 m_accessControl.isCCMode(),
1589 if (retCode != CKM_API_SUCCESS)
1592 for (auto &e : chainVector)
1593 chainRawVector.push_back(e.getDER());
1595 return CKM_API_SUCCESS;
1598 int CKMLogic::getCertificateChainHelper(
1599 const Credentials &cred,
1600 const CertificateImpl &cert,
1601 const OwnerNameVector &untrusted,
1602 const OwnerNameVector &trusted,
1603 bool useTrustedSystemCertificates,
1604 RawBufferVector &chainRawVector)
1606 CertificateImplVector untrustedCertVector;
1607 CertificateImplVector trustedCertVector;
1608 CertificateImplVector chainVector;
1611 return CKM_API_ERROR_INPUT_PARAM;
1613 int retCode = readCertificateHelper(cred, untrusted, untrustedCertVector);
1615 if (retCode != CKM_API_SUCCESS)
1618 retCode = readCertificateHelper(cred, trusted, trustedCertVector);
1620 if (retCode != CKM_API_SUCCESS)
1623 CertificateStore store;
1624 retCode = store.verifyCertificate(cert,
1625 untrustedCertVector,
1627 useTrustedSystemCertificates,
1628 m_accessControl.isCCMode(),
1631 if (retCode != CKM_API_SUCCESS)
1634 for (auto &i : chainVector)
1635 chainRawVector.push_back(i.getDER());
1637 return CKM_API_SUCCESS;
1640 RawBuffer CKMLogic::getCertificateChain(
1641 const Credentials & /*cred*/,
1643 const RawBuffer &certificate,
1644 const RawBufferVector &untrustedCertificates,
1645 const RawBufferVector &trustedCertificates,
1646 bool useTrustedSystemCertificates)
1648 CertificateImpl cert(certificate, DataFormat::FORM_DER);
1649 RawBufferVector chainRawVector;
1650 int retCode = CKM_API_ERROR_UNKNOWN;
1653 retCode = getCertificateChainHelper(cert,
1654 untrustedCertificates,
1655 trustedCertificates,
1656 useTrustedSystemCertificates,
1658 } catch (const Exc::Exception &e) {
1659 retCode = e.error();
1660 } catch (const std::exception &e) {
1661 LogError("STD exception " << e.what());
1662 retCode = CKM_API_ERROR_SERVER_ERROR;
1664 LogError("Unknown error.");
1667 auto response = MessageBuffer::Serialize(msgId, retCode, chainRawVector);
1668 return response.Pop();
1671 RawBuffer CKMLogic::getCertificateChain(
1672 const Credentials &cred,
1674 const RawBuffer &certificate,
1675 const OwnerNameVector &untrustedCertificates,
1676 const OwnerNameVector &trustedCertificates,
1677 bool useTrustedSystemCertificates)
1679 int retCode = CKM_API_ERROR_UNKNOWN;
1680 CertificateImpl cert(certificate, DataFormat::FORM_DER);
1681 RawBufferVector chainRawVector;
1684 retCode = getCertificateChainHelper(cred,
1686 untrustedCertificates,
1687 trustedCertificates,
1688 useTrustedSystemCertificates,
1690 } catch (const Exc::Exception &e) {
1691 retCode = e.error();
1692 } catch (const std::exception &e) {
1693 LogError("STD exception " << e.what());
1694 retCode = CKM_API_ERROR_SERVER_ERROR;
1696 LogError("Unknown error.");
1699 auto response = MessageBuffer::Serialize(msgId, retCode, chainRawVector);
1700 return response.Pop();
1703 RawBuffer CKMLogic::createSignature(
1704 const Credentials &cred,
1706 const Name &privateKeyName,
1707 const ClientId &explicitOwner,
1708 const Password &password, // password for private_key
1709 const RawBuffer &message,
1710 const CryptoAlgorithm &cryptoAlg)
1712 RawBuffer signature;
1714 int retCode = CKM_API_SUCCESS;
1717 Crypto::GObjUPtr obj;
1718 retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName,
1719 explicitOwner, password, obj);
1721 if (retCode == CKM_API_SUCCESS)
1722 signature = obj->sign(cryptoAlg, message);
1723 } catch (const Exc::Exception &e) {
1724 retCode = e.error();
1725 } catch (const CKM::Exception &e) {
1726 LogError("Unknown CKM::Exception: " << e.GetMessage());
1727 retCode = CKM_API_ERROR_SERVER_ERROR;
1728 } catch (const std::exception &e) {
1729 LogError("STD exception " << e.what());
1730 retCode = CKM_API_ERROR_SERVER_ERROR;
1733 auto response = MessageBuffer::Serialize(msgId, retCode, signature);
1734 return response.Pop();
1737 RawBuffer CKMLogic::verifySignature(
1738 const Credentials &cred,
1740 const Name &publicKeyOrCertName,
1741 const ClientId &explicitOwner,
1742 const Password &password, // password for public_key (optional)
1743 const RawBuffer &message,
1744 const RawBuffer &signature,
1745 const CryptoAlgorithm ¶ms)
1747 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
1750 // try certificate first - looking for a public key.
1751 // in case of PKCS, pub key from certificate will be found first
1752 // rather than private key from the same PKCS.
1753 Crypto::GObjUPtr obj;
1754 retCode = readDataHelper(false, cred, DataType::CERTIFICATE,
1755 publicKeyOrCertName, explicitOwner, password, obj);
1757 if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN)
1758 retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST,
1759 publicKeyOrCertName, explicitOwner, password, obj);
1761 if (retCode == CKM_API_SUCCESS)
1762 retCode = obj->verify(params, message, signature);
1763 } catch (const Exc::Exception &e) {
1764 retCode = e.error();
1765 } catch (const CKM::Exception &e) {
1766 LogError("Unknown CKM::Exception: " << e.GetMessage());
1767 retCode = CKM_API_ERROR_SERVER_ERROR;
1770 auto response = MessageBuffer::Serialize(msgId, retCode);
1771 return response.Pop();
1774 int CKMLogic::setPermissionHelper(
1775 const Credentials &cred, // who's the client
1777 const ClientId &explicitOwner, // who's the owner
1778 const ClientId &accessor, // who will get the access
1779 const PermissionMask permissionMask)
1781 auto &handler = selectDatabase(cred, explicitOwner);
1783 // we don't know the client
1784 if (cred.client.empty() || !isClientValid(cred.client))
1785 return CKM_API_ERROR_INPUT_PARAM;
1787 // use client id if not explicitly provided
1788 const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
1790 // verify name and owner are correct
1791 if (!isNameValid(name) || !isClientValid(owner) ||
1792 !isClientValid(accessor))
1793 return CKM_API_ERROR_INPUT_PARAM;
1795 // currently we don't support modification of owner's permissions to his own rows
1796 if (owner == accessor)
1797 return CKM_API_ERROR_INPUT_PARAM;
1799 // system database does not support write/remove permissions
1800 if ((0 == owner.compare(CLIENT_ID_SYSTEM)) &&
1801 (permissionMask & Permission::REMOVE))
1802 return CKM_API_ERROR_INPUT_PARAM;
1804 // can the client modify permissions to owner's row?
1805 int retCode = m_accessControl.canModify(cred, owner);
1807 if (retCode != CKM_API_SUCCESS)
1810 DB::Crypto::Transaction transaction(&handler.database);
1812 if (!handler.database.isNameOwnerPresent(name, owner))
1813 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
1815 // set permissions to the row owned by owner for accessor
1816 handler.database.setPermission(name, owner, accessor, permissionMask);
1817 transaction.commit();
1819 return CKM_API_SUCCESS;
1822 RawBuffer CKMLogic::setPermission(
1823 const Credentials &cred,
1826 const ClientId &explicitOwner,
1827 const ClientId &accessor,
1828 const PermissionMask permissionMask)
1833 retCode = setPermissionHelper(cred, name, explicitOwner, accessor, permissionMask);
1834 } catch (const Exc::Exception &e) {
1835 retCode = e.error();
1836 } catch (const CKM::Exception &e) {
1837 LogError("Error: " << e.GetMessage());
1838 retCode = CKM_API_ERROR_DB_ERROR;
1841 return MessageBuffer::Serialize(msgID, retCode).Pop();
1844 int CKMLogic::loadAppKey(UserData &handle, const ClientId &owner)
1846 if (!handle.crypto.haveKey(owner)) {
1848 auto key_optional = handle.database.getKey(owner);
1850 if (!key_optional) {
1851 LogError("No key for given owner in database");
1852 return CKM_API_ERROR_DB_ERROR;
1855 key = *key_optional;
1856 key = handle.keyProvider.getPureDEK(key);
1857 handle.crypto.pushKey(owner, key);
1860 return CKM_API_SUCCESS;