2 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
20 * @brief Sample service implementation.
22 #include <dpl/serialization.h>
23 #include <dpl/log/log.h>
24 #include <ckm/ckm-error.h>
25 #include <ckm/ckm-type.h>
26 #include <key-provider.h>
27 #include <file-system.h>
28 #include <CryptoService.h>
29 #include <ckm-logic.h>
33 const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
34 } // anonymous namespace
40 int retCode = FileSystem::init();
41 // TODO what can I do when init went wrong? exit(-1) ??
43 LogError("Fatal error in FileSystem::init()");
46 if (CKM_API_SUCCESS != m_certStore.setSystemCertificateDir(CERT_SYSTEM_DIR)) {
47 LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
50 cc_mode_status = CCModeState::CC_MODE_OFF;
53 CKMLogic::~CKMLogic(){}
55 RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password) {
56 // TODO try catch for all errors that should be supported by error code
57 int retCode = CKM_API_SUCCESS;
60 if (0 == m_userDataMap.count(user) || !(m_userDataMap[user].keyProvider.isInitialized())) {
61 auto &handle = m_userDataMap[user];
63 auto wrappedDomainKEK = fs.getDKEK();
65 if (wrappedDomainKEK.empty()) {
66 wrappedDomainKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
67 fs.saveDKEK(wrappedDomainKEK);
70 handle.keyProvider = KeyProvider(wrappedDomainKEK, password);
72 auto wrappedDatabaseDEK = fs.getDBDEK();
74 if (wrappedDatabaseDEK.empty()) {
75 wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
76 fs.saveDBDEK(wrappedDatabaseDEK);
79 RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
80 handle.database = DBCrypto(fs.getDBPath(), key);
81 handle.crypto = CryptoLogic();
83 // remove data of removed apps during locked state
84 AppLabelVector removedApps = fs.clearRemovedsApps();
85 for(auto& appSmackLabel : removedApps) {
86 handle.database.deleteKey(appSmackLabel);
91 } catch (const KeyProvider::Exception::PassWordError &e) {
92 LogError("Incorrect Password " << e.GetMessage());
93 retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
94 } catch (const KeyProvider::Exception::Base &e) {
95 LogError("Error in KeyProvider " << e.GetMessage());
96 retCode = CKM_API_ERROR_SERVER_ERROR;
97 } catch (const CryptoLogic::Exception::Base &e) {
98 LogError("CryptoLogic error: " << e.GetMessage());
99 retCode = CKM_API_ERROR_SERVER_ERROR;
100 } catch (const CKM::Exception &e) {
101 LogError("CKM::Exception: " << e.GetMessage());
102 retCode = CKM_API_ERROR_SERVER_ERROR;
105 if(retCode != CKM_API_SUCCESS) {
106 // When not successful, UserData in m_userDataMap should be erased.
107 // Because other operations make decision based on the existence of UserData in m_userDataMap.
108 m_userDataMap.erase(user);
111 MessageBuffer response;
112 Serialization::Serialize(response, retCode);
113 return response.Pop();
116 RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) {
118 int retCode = CKM_API_SUCCESS;
119 int fipsModeStatus = 0;
122 if((mode_status != CCModeState:: CC_MODE_OFF) && (mode_status != CCModeState:: CC_MODE_ON)) {
123 retCode = CKM_API_ERROR_INPUT_PARAM;
126 cc_mode_status = mode_status;
127 fipsModeStatus = FIPS_mode();
129 if(cc_mode_status == CCModeState:: CC_MODE_ON) {
130 if(fipsModeStatus == 0) { // If FIPS mode off
131 rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
133 LogError("Error in FIPS_mode_set function");
137 if(fipsModeStatus == 1) { // If FIPS mode on
138 rc = FIPS_mode_set(0); // Change FIPS_mode from on to off
140 LogError("Error in FIPS_mode_set function");
145 MessageBuffer response;
146 Serialization::Serialize(response, retCode);
147 return response.Pop();
150 RawBuffer CKMLogic::lockUserKey(uid_t user) {
151 int retCode = CKM_API_SUCCESS;
152 // TODO try catch for all errors that should be supported by error code
153 m_userDataMap.erase(user);
155 MessageBuffer response;
156 Serialization::Serialize(response, retCode);
157 return response.Pop();
160 RawBuffer CKMLogic::removeUserData(uid_t user) {
161 int retCode = CKM_API_SUCCESS;
162 // TODO try catch for all errors that should be supported by error code
163 m_userDataMap.erase(user);
168 MessageBuffer response;
169 Serialization::Serialize(response, retCode);
170 return response.Pop();
173 RawBuffer CKMLogic::changeUserPassword(
175 const Password &oldPassword,
176 const Password &newPassword)
178 int retCode = CKM_API_SUCCESS;
181 auto wrappedDomainKEK = fs.getDKEK();
182 if (wrappedDomainKEK.empty()) {
183 retCode = CKM_API_ERROR_BAD_REQUEST;
185 wrappedDomainKEK = KeyProvider::reencrypt(wrappedDomainKEK, oldPassword, newPassword);
186 fs.saveDKEK(wrappedDomainKEK);
188 } catch (const KeyProvider::Exception::PassWordError &e) {
189 LogError("Incorrect Password " << e.GetMessage());
190 retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
191 } catch (const KeyProvider::Exception::Base &e) {
192 LogError("Error in KeyProvider " << e.GetMessage());
193 retCode = CKM_API_ERROR_SERVER_ERROR;
194 } catch (const CKM::Exception &e) {
195 LogError("CKM::Exception: " << e.GetMessage());
196 retCode = CKM_API_ERROR_SERVER_ERROR;
199 MessageBuffer response;
200 Serialization::Serialize(response, retCode);
201 return response.Pop();
204 RawBuffer CKMLogic::resetUserPassword(
206 const Password &newPassword)
208 int retCode = CKM_API_SUCCESS;
210 if (0 == m_userDataMap.count(user)) {
211 retCode = CKM_API_ERROR_BAD_REQUEST;
213 auto &handler = m_userDataMap[user];
215 fs.saveDKEK(handler.keyProvider.getWrappedDomainKEK(newPassword));
218 MessageBuffer response;
219 Serialization::Serialize(response, retCode);
220 return response.Pop();
223 RawBuffer CKMLogic::removeApplicationData(const std::string &smackLabel) {
224 int retCode = CKM_API_SUCCESS;
228 if (smackLabel.empty()) {
229 retCode = CKM_API_ERROR_INPUT_PARAM;
231 UidVector uids = FileSystem::getUIDsFromDBFile();
232 for (auto userId : uids) {
233 if (0 == m_userDataMap.count(userId)) {
234 FileSystem fs(userId);
235 fs.addRemovedApp(smackLabel);
237 auto &handle = m_userDataMap[userId];
238 handle.database.deleteKey(smackLabel);
243 } catch (const DBCrypto::Exception::InternalError &e) {
244 LogError("DBCrypto couldn't remove data: " << e.GetMessage());
245 retCode = CKM_API_ERROR_DB_ERROR;
246 } catch (const DBCrypto::Exception::TransactionError &e) {
247 LogError("DBCrypto transaction failed with message " << e.GetMessage());
248 retCode = CKM_API_ERROR_DB_ERROR;
251 MessageBuffer response;
252 Serialization::Serialize(response, retCode);
253 return response.Pop();
256 int CKMLogic::saveDataHelper(
260 const RawBuffer &key,
261 const PolicySerializable &policy)
263 if (0 == m_userDataMap.count(cred.uid))
264 return CKM_API_ERROR_DB_LOCKED;
266 DBRow row = { alias, cred.smackLabel,
267 policy.extractable, dataType, DBCMAlgType::NONE,
268 0, RawBuffer(), static_cast<int>(key.size()), key, RawBuffer() };
270 auto &handler = m_userDataMap[cred.uid];
271 DBCrypto::Transaction transaction(&handler.database);
272 if (!handler.crypto.haveKey(cred.smackLabel)) {
274 auto key_optional = handler.database.getKey(cred.smackLabel);
276 LogDebug("No Key in database found. Generating new one for label: "
278 key = handler.keyProvider.generateDEK(cred.smackLabel);
279 handler.database.saveKey(cred.smackLabel, key);
281 LogDebug("Key from DB");
285 key = handler.keyProvider.getPureDEK(key);
286 handler.crypto.pushKey(cred.smackLabel, key);
289 // Do not encrypt data with password during cc_mode on
290 if(cc_mode_status == CCModeState::CC_MODE_ON) {
291 handler.crypto.encryptRow("", row);
293 handler.crypto.encryptRow(policy.password, row);
296 handler.database.saveDBRow(row);
297 transaction.commit();
298 return CKM_API_SUCCESS;
301 RawBuffer CKMLogic::saveData(
306 const RawBuffer &key,
307 const PolicySerializable &policy)
309 int retCode = CKM_API_SUCCESS;
311 retCode = saveDataHelper(cred, dataType, alias, key, policy);
312 LogDebug("SaveDataHelper returned: " << retCode);
313 } catch (const KeyProvider::Exception::Base &e) {
314 LogError("KeyProvider failed with message: " << e.GetMessage());
315 retCode = CKM_API_ERROR_SERVER_ERROR;
316 } catch (const CryptoLogic::Exception::Base &e) {
317 LogError("CryptoLogic failed with message: " << e.GetMessage());
318 retCode = CKM_API_ERROR_SERVER_ERROR;
319 } catch (const DBCrypto::Exception::InternalError &e) {
320 LogError("DBCrypto failed with message: " << e.GetMessage());
321 retCode = CKM_API_ERROR_DB_ERROR;
322 } catch (const DBCrypto::Exception::AliasExists &e) {
323 LogError("DBCrypto couldn't save duplicate alias");
324 retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
325 } catch (const DBCrypto::Exception::TransactionError &e) {
326 LogError("DBCrypto transaction failed with message " << e.GetMessage());
327 retCode = CKM_API_ERROR_DB_ERROR;
330 MessageBuffer response;
331 Serialization::Serialize(response, static_cast<int>(LogicCommand::SAVE));
332 Serialization::Serialize(response, commandId);
333 Serialization::Serialize(response, retCode);
334 Serialization::Serialize(response, static_cast<int>(dataType));
336 return response.Pop();
339 RawBuffer CKMLogic::removeData(
345 int retCode = CKM_API_SUCCESS;
347 if (0 < m_userDataMap.count(cred.uid)) {
349 auto erased = m_userDataMap[cred.uid].database.deleteDBRow(alias, cred.smackLabel);
350 // check if the data existed or not
352 LogError("No row for given alias and label");
353 retCode = CKM_API_ERROR_DB_ALIAS_UNKNOWN;
355 } Catch (DBCrypto::Exception::PermissionDenied) {
356 LogError("Error: not enough permissions!");
357 retCode = CKM_API_ERROR_ACCESS_DENIED;
358 } Catch (CKM::Exception) {
359 LogError("Error in deleting row!");
360 retCode = CKM_API_ERROR_DB_ERROR;
363 retCode = CKM_API_ERROR_DB_LOCKED;
366 MessageBuffer response;
367 Serialization::Serialize(response, static_cast<int>(LogicCommand::REMOVE));
368 Serialization::Serialize(response, commandId);
369 Serialization::Serialize(response, retCode);
370 Serialization::Serialize(response, static_cast<int>(dataType));
372 return response.Pop();
375 int CKMLogic::getDataHelper(
379 const Password &password,
382 if (0 == m_userDataMap.count(cred.uid))
383 return CKM_API_ERROR_DB_LOCKED;
385 auto &handler = m_userDataMap[cred.uid];
387 DBCrypto::DBRowOptional row_optional;
388 if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
389 row_optional = handler.database.getDBRow(alias, cred.smackLabel, dataType);
390 } else if ((static_cast<int>(dataType) >= static_cast<int>(DBDataType::DB_KEY_FIRST))
391 && (static_cast<int>(dataType) <= static_cast<int>(DBDataType::DB_KEY_LAST)))
393 row_optional = handler.database.getKeyDBRow(alias, cred.smackLabel);
395 LogError("Unknown type of requested data" << (int)dataType);
396 return CKM_API_ERROR_BAD_REQUEST;
399 LogError("No row for given alias, label and type");
400 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
405 if (!handler.crypto.haveKey(row.smackLabel)) {
407 auto key_optional = handler.database.getKey(row.smackLabel);
409 LogError("No key for given label in database");
410 return CKM_API_ERROR_DB_ERROR;
413 key = handler.keyProvider.getPureDEK(key);
414 handler.crypto.pushKey(cred.smackLabel, key);
416 handler.crypto.decryptRow(password, row);
418 return CKM_API_SUCCESS;
421 RawBuffer CKMLogic::getData(
426 const Password &password)
428 int retCode = CKM_API_SUCCESS;
432 retCode = getDataHelper(cred, dataType, alias, password, row);
433 } catch (const KeyProvider::Exception::Base &e) {
434 LogError("KeyProvider failed with error: " << e.GetMessage());
435 retCode = CKM_API_ERROR_SERVER_ERROR;
436 } catch (const CryptoLogic::Exception::Base &e) {
437 LogError("CryptoLogic failed with message: " << e.GetMessage());
438 retCode = CKM_API_ERROR_SERVER_ERROR;
439 } catch (const DBCrypto::Exception::PermissionDenied &e) {
440 LogError("DBCrypto failed with message: " << e.GetMessage());
441 retCode = CKM_API_ERROR_ACCESS_DENIED;
442 } catch (const DBCrypto::Exception::Base &e) {
443 LogError("DBCrypto failed with message: " << e.GetMessage());
444 retCode = CKM_API_ERROR_DB_ERROR;
447 if (CKM_API_SUCCESS != retCode) {
449 row.dataType = dataType;
452 if ((CKM_API_SUCCESS == retCode) && (row.exportable == 0)) {
454 retCode = CKM_API_ERROR_NOT_EXPORTABLE;
457 // Prevent extracting private keys during cc-mode on
458 if((cc_mode_status == CCModeState::CC_MODE_ON) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || row.dataType == DBDataType::KEY_ECDSA_PRIVATE || row.dataType == DBDataType::KEY_DSA_PRIVATE)) {
460 retCode = CKM_API_ERROR_BAD_REQUEST;
463 MessageBuffer response;
464 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET));
465 Serialization::Serialize(response, commandId);
466 Serialization::Serialize(response, retCode);
467 Serialization::Serialize(response, static_cast<int>(row.dataType));
468 Serialization::Serialize(response, row.data);
469 return response.Pop();
472 RawBuffer CKMLogic::getDataList(
477 int retCode = CKM_API_SUCCESS;
478 AliasVector aliasVector;
480 if (0 < m_userDataMap.count(cred.uid)) {
481 auto &handler = m_userDataMap[cred.uid];
483 if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
484 handler.database.getAliases(cred.smackLabel, dataType, aliasVector);
486 handler.database.getKeyAliases(cred.smackLabel, aliasVector);
488 } Catch (CKM::Exception) {
489 LogError("Failed to get aliases");
490 retCode = CKM_API_ERROR_DB_ERROR;
493 retCode = CKM_API_ERROR_DB_LOCKED;
496 MessageBuffer response;
497 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET_LIST));
498 Serialization::Serialize(response, commandId);
499 Serialization::Serialize(response, retCode);
500 Serialization::Serialize(response, static_cast<int>(dataType));
501 Serialization::Serialize(response, aliasVector);
502 return response.Pop();
506 int CKMLogic::createKeyPairHelper(
508 const KeyType key_type,
509 const int additional_param,
510 const Alias &aliasPrivate,
511 const Alias &aliasPublic,
512 const PolicySerializable &policyPrivate,
513 const PolicySerializable &policyPublic)
515 if (0 >= m_userDataMap.count(cred.uid))
516 return CKM_API_ERROR_DB_LOCKED;
518 auto &handler = m_userDataMap[cred.uid];
523 case KeyType::KEY_RSA_PUBLIC:
524 case KeyType::KEY_RSA_PRIVATE:
525 retCode = CryptoService::createKeyPairRSA(additional_param, prv, pub);
528 case KeyType::KEY_DSA_PUBLIC:
529 case KeyType::KEY_DSA_PRIVATE:
530 retCode = CryptoService::createKeyPairDSA(additional_param, prv, pub);
533 case KeyType::KEY_ECDSA_PUBLIC:
534 case KeyType::KEY_ECDSA_PRIVATE:
535 retCode = CryptoService::createKeyPairECDSA(static_cast<ElipticCurve>(additional_param), prv, pub);
539 return CKM_API_ERROR_INPUT_PARAM;
542 if (CKM_CRYPTO_CREATEKEY_SUCCESS != retCode)
544 LogDebug("CryptoService error with code: " << retCode);
545 return CKM_API_ERROR_SERVER_ERROR; // TODO error code
548 DBCrypto::Transaction transaction(&handler.database);
549 retCode = saveDataHelper(cred,
550 toDBDataType(prv.getType()),
555 if (CKM_API_SUCCESS != retCode)
558 retCode = saveDataHelper(cred,
559 toDBDataType(pub.getType()),
564 if (CKM_API_SUCCESS != retCode)
567 transaction.commit();
572 RawBuffer CKMLogic::createKeyPair(
574 LogicCommand protocol_cmd,
576 const int additional_param,
577 const Alias &aliasPrivate,
578 const Alias &aliasPublic,
579 const PolicySerializable &policyPrivate,
580 const PolicySerializable &policyPublic)
582 int retCode = CKM_API_SUCCESS;
584 KeyType key_type = KeyType::KEY_NONE;
587 case LogicCommand::CREATE_KEY_PAIR_RSA:
588 key_type = KeyType::KEY_RSA_PUBLIC;
590 case LogicCommand::CREATE_KEY_PAIR_DSA:
591 key_type = KeyType::KEY_DSA_PUBLIC;
593 case LogicCommand::CREATE_KEY_PAIR_ECDSA:
594 key_type = KeyType::KEY_ECDSA_PUBLIC;
601 retCode = createKeyPairHelper(
610 } catch (DBCrypto::Exception::AliasExists &e) {
611 LogDebug("DBCrypto error: alias exists: " << e.GetMessage());
612 retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
613 } catch (DBCrypto::Exception::TransactionError &e) {
614 LogDebug("DBCrypto error: transaction error: " << e.GetMessage());
615 retCode = CKM_API_ERROR_DB_ERROR;
616 } catch (CKM::CryptoLogic::Exception::Base &e) {
617 LogDebug("CryptoLogic error: " << e.GetMessage());
618 retCode = CKM_API_ERROR_SERVER_ERROR;
619 } catch (DBCrypto::Exception::InternalError &e) {
620 LogDebug("DBCrypto internal error: " << e.GetMessage());
621 retCode = CKM_API_ERROR_DB_ERROR;
624 MessageBuffer response;
625 Serialization::Serialize(response, static_cast<int>(protocol_cmd));
626 Serialization::Serialize(response, commandId);
627 Serialization::Serialize(response, retCode);
629 return response.Pop();
632 RawBuffer CKMLogic::getCertificateChain(
635 const RawBuffer &certificate,
636 const RawBufferVector &untrustedRawCertVector)
640 CertificateImpl cert(certificate, DataFormat::FORM_DER);
641 CertificateImplVector untrustedCertVector;
642 CertificateImplVector chainVector;
643 RawBufferVector chainRawVector;
645 for (auto &e: untrustedRawCertVector)
646 untrustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
648 LogDebug("Cert is empty: " << cert.empty());
650 int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
652 if (retCode == CKM_API_SUCCESS) {
653 for (auto &e : chainVector)
654 chainRawVector.push_back(e.getDER());
657 MessageBuffer response;
658 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET_CHAIN_CERT));
659 Serialization::Serialize(response, commandId);
660 Serialization::Serialize(response, retCode);
661 Serialization::Serialize(response, chainRawVector);
662 return response.Pop();
665 RawBuffer CKMLogic::getCertificateChain(
668 const RawBuffer &certificate,
669 const AliasVector &aliasVector)
671 int retCode = CKM_API_SUCCESS;
672 RawBufferVector chainRawVector;
674 CertificateImpl cert(certificate, DataFormat::FORM_DER);
675 CertificateImplVector untrustedCertVector;
676 CertificateImplVector chainVector;
680 retCode = CKM_API_ERROR_SERVER_ERROR;
684 for (auto &i: aliasVector) {
685 retCode = getDataHelper(cred, DBDataType::CERTIFICATE, i, Password(), row);
687 if (retCode != CKM_API_SUCCESS)
690 untrustedCertVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
693 retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
695 if (retCode != CKM_API_SUCCESS)
698 for (auto &i: chainVector)
699 chainRawVector.push_back(i.getDER());
701 } catch (const CryptoLogic::Exception::Base &e) {
702 LogError("DBCyptorModule failed with message: " << e.GetMessage());
703 retCode = CKM_API_ERROR_SERVER_ERROR;
704 } catch (const DBCrypto::Exception::PermissionDenied &e) {
705 LogError("DBCrypto failed with message: " << e.GetMessage());
706 retCode = CKM_API_ERROR_ACCESS_DENIED;
707 } catch (const DBCrypto::Exception::Base &e) {
708 LogError("DBCrypto failed with message: " << e.GetMessage());
709 retCode = CKM_API_ERROR_DB_ERROR;
711 LogError("Unknown error.");
715 MessageBuffer response;
716 Serialization::Serialize(response, static_cast<int>(LogicCommand::GET_CHAIN_ALIAS));
717 Serialization::Serialize(response, commandId);
718 Serialization::Serialize(response, retCode);
719 Serialization::Serialize(response, chainRawVector);
720 return response.Pop();
723 RawBuffer CKMLogic::createSignature(
726 const Alias &privateKeyAlias,
727 const Password &password, // password for private_key
728 const RawBuffer &message,
729 const HashAlgorithm hash,
730 const RSAPaddingAlgorithm padding)
736 int retCode = CKM_API_SUCCESS;
740 retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, privateKeyAlias, password, row);
741 if (CKM_API_SUCCESS != retCode) {
742 LogError("getDataHelper return error");
746 KeyImpl keyParsed(row.data, Password());
747 if (keyParsed.empty())
748 retCode = CKM_API_ERROR_SERVER_ERROR;
750 retCode = cs.createSignature(keyParsed, message, hash, padding, signature);
752 } catch (const KeyProvider::Exception::Base &e) {
753 LogError("KeyProvider failed with message: " << e.GetMessage());
754 retCode = CKM_API_ERROR_SERVER_ERROR;
755 } catch (const CryptoLogic::Exception::Base &e) {
756 LogError("CryptoLogic failed with message: " << e.GetMessage());
757 retCode = CKM_API_ERROR_SERVER_ERROR;
758 } catch (const DBCrypto::Exception::PermissionDenied &e) {
759 LogError("DBCrypto failed with message: " << e.GetMessage());
760 retCode = CKM_API_ERROR_ACCESS_DENIED;
761 } catch (const DBCrypto::Exception::Base &e) {
762 LogError("DBCrypto failed with message: " << e.GetMessage());
763 retCode = CKM_API_ERROR_DB_ERROR;
764 } catch (const CKM::Exception &e) {
765 LogError("Unknown CKM::Exception: " << e.GetMessage());
766 retCode = CKM_API_ERROR_SERVER_ERROR;
769 MessageBuffer response;
770 Serialization::Serialize(response, static_cast<int>(LogicCommand::CREATE_SIGNATURE));
771 Serialization::Serialize(response, commandId);
772 Serialization::Serialize(response, retCode);
773 Serialization::Serialize(response, signature);
774 return response.Pop();
777 RawBuffer CKMLogic::verifySignature(
780 const Alias &publicKeyOrCertAlias,
781 const Password &password, // password for public_key (optional)
782 const RawBuffer &message,
783 const RawBuffer &signature,
784 const HashAlgorithm hash,
785 const RSAPaddingAlgorithm padding)
787 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
795 retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, publicKeyOrCertAlias, password, row);
797 if (retCode == CKM_API_SUCCESS) {
798 key = KeyImpl(row.data);
799 } else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
800 retCode = getDataHelper(cred, DBDataType::CERTIFICATE, publicKeyOrCertAlias, password, row);
801 if (retCode != CKM_API_SUCCESS)
803 CertificateImpl cert(row.data, DataFormat::FORM_DER);
804 key = cert.getKeyImpl();
810 retCode = CKM_API_ERROR_SERVER_ERROR;
814 retCode = cs.verifySignature(key, message, signature, hash, padding);
816 } catch (const CryptoService::Exception::Crypto_internal &e) {
817 LogError("KeyProvider failed with message: " << e.GetMessage());
818 retCode = CKM_API_ERROR_SERVER_ERROR;
819 } catch (const CryptoService::Exception::opensslError &e) {
820 LogError("KeyProvider failed with message: " << e.GetMessage());
821 retCode = CKM_API_ERROR_SERVER_ERROR;
822 } catch (const KeyProvider::Exception::Base &e) {
823 LogError("KeyProvider failed with error: " << e.GetMessage());
824 retCode = CKM_API_ERROR_SERVER_ERROR;
825 } catch (const CryptoLogic::Exception::Base &e) {
826 LogError("CryptoLogic failed with message: " << e.GetMessage());
827 retCode = CKM_API_ERROR_SERVER_ERROR;
828 } catch (const DBCrypto::Exception::PermissionDenied &e) {
829 LogError("DBCrypto failed with message: " << e.GetMessage());
830 retCode = CKM_API_ERROR_ACCESS_DENIED;
831 } catch (const DBCrypto::Exception::Base &e) {
832 LogError("DBCrypto failed with message: " << e.GetMessage());
833 retCode = CKM_API_ERROR_DB_ERROR;
834 } catch (const CKM::Exception &e) {
835 LogError("Unknown CKM::Exception: " << e.GetMessage());
836 retCode = CKM_API_ERROR_SERVER_ERROR;
839 MessageBuffer response;
840 Serialization::Serialize(response, static_cast<int>(LogicCommand::VERIFY_SIGNATURE));
841 Serialization::Serialize(response, commandId);
842 Serialization::Serialize(response, retCode);
844 return response.Pop();
847 RawBuffer CKMLogic::allowAccess(
851 const Alias &item_alias,
852 const std::string &accessor_label,
853 const AccessRight req_rights)
855 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
857 if (0 < m_userDataMap.count(cred.uid))
860 retCode = m_userDataMap[cred.uid].database.setAccessRights(cred.smackLabel, item_alias, accessor_label, req_rights);
861 } Catch (DBCrypto::Exception::InvalidArgs) {
862 LogError("Error: invalid args!");
863 retCode = CKM_API_ERROR_INPUT_PARAM;
864 } Catch (DBCrypto::Exception::PermissionDenied) {
865 LogError("Error: not enough permissions!");
866 retCode = CKM_API_ERROR_ACCESS_DENIED;
867 } Catch (CKM::Exception) {
868 LogError("Error in set row!");
869 retCode = CKM_API_ERROR_DB_ERROR;
872 retCode = CKM_API_ERROR_DB_LOCKED;
875 MessageBuffer response;
876 Serialization::Serialize(response, command);
877 Serialization::Serialize(response, msgID);
878 Serialization::Serialize(response, retCode);
880 return response.Pop();
883 RawBuffer CKMLogic::denyAccess(
887 const Alias &item_alias,
888 const std::string &accessor_label)
890 int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
892 if (0 < m_userDataMap.count(cred.uid))
895 retCode = m_userDataMap[cred.uid].database.clearAccessRights(cred.smackLabel, item_alias, accessor_label);
896 } Catch (DBCrypto::Exception::PermissionDenied) {
897 LogError("Error: not enough permissions!");
898 retCode = CKM_API_ERROR_ACCESS_DENIED;
899 } Catch (DBCrypto::Exception::InvalidArgs) {
900 LogError("Error: permission not found!");
901 retCode = CKM_API_ERROR_INPUT_PARAM;
902 } Catch (CKM::Exception) {
903 LogError("Error in deleting row!");
904 retCode = CKM_API_ERROR_DB_ERROR;
907 retCode = CKM_API_ERROR_DB_LOCKED;
910 MessageBuffer response;
911 Serialization::Serialize(response, command);
912 Serialization::Serialize(response, msgID);
913 Serialization::Serialize(response, retCode);
915 return response.Pop();