src/manager/service/ckm-logic.h

   1 /*
   2  *  Copyright (c) 2014-2021 Samsung Electronics Co., Ltd. All rights reserved
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  *
  17  * @file        ckm-logic.h
  18  * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
  19  * @version     1.0
  20  * @brief       Sample service implementation.
  21  */
  22 #pragma once
  23
  24 #include <string>
  25 #include <vector>
  26
  27 #include <message-buffer.h>
  28 #include <protocols.h>
  29 #include <ckm/ckm-type.h>
  30 #include <connection-info.h>
  31 #include <db-crypto.h>
  32 #include <key-provider.h>
  33 #include <crypto-logic.h>
  34 #include <file-lock.h>
  35 #include <access-control.h>
  36 #include <certificate-impl.h>
  37 #include <sys/types.h>
  38 #include <generic-backend/gobj.h>
  39 #include <generic-backend/encryption-params.h>
  40 #include <platform/decider.h>
  41
  42 namespace CKM {
  43
  44 struct UserData {
  45         KeyProvider    keyProvider;
  46         DB::Crypto     database;
  47         CryptoLogic    crypto;
  48 };
  49
  50 class CKMLogic {
  51 public:
  52         static const uid_t SYSTEM_DB_UID;
  53         static const uid_t ADMIN_USER_DB_UID;
  54
  55         CKMLogic();
  56         CKMLogic(const CKMLogic &) = delete;
  57         CKMLogic(CKMLogic &&) = delete;
  58         CKMLogic &operator=(const CKMLogic &) = delete;
  59         CKMLogic &operator=(CKMLogic &&) = delete;
  60         virtual ~CKMLogic();
  61
  62         RawBuffer unlockUserKey(uid_t user, const Password &password);
  63         RawBuffer lockUserKey(uid_t user);
  64
  65         RawBuffer removeUserData(uid_t user);
  66
  67         RawBuffer changeUserPassword(
  68                 uid_t user,
  69                 const Password &oldPassword,
  70                 const Password &newPassword);
  71
  72         RawBuffer resetUserPassword(
  73                 uid_t user,
  74                 const Password &newPassword);
  75
  76         RawBuffer removeApplicationData(
  77                 const ClientId &owner);
  78
  79         RawBuffer saveData(
  80                 const Credentials &cred,
  81                 int msgId,
  82                 const Name &name,
  83                 const ClientId &owner,
  84                 const Crypto::Data &data,
  85                 const PolicySerializable &policy);
  86
  87         RawBuffer savePKCS12(
  88                 const Credentials &cred,
  89                 int msgId,
  90                 const Name &name,
  91                 const ClientId &owner,
  92                 const PKCS12Serializable &pkcs,
  93                 const PolicySerializable &keyPolicy,
  94                 const PolicySerializable &certPolicy);
  95
  96         RawBuffer removeData(
  97                 const Credentials &cred,
  98                 int msgId,
  99                 const Name &name,
 100                 const ClientId &owner);
 101
 102         RawBuffer getData(
 103                 const Credentials &cred,
 104                 int msgId,
 105                 DataType dataType,
 106                 const Name &name,
 107                 const ClientId &owner,
 108                 const Password &password);
 109
 110         RawBuffer getDataProtectionStatus(
 111                 const Credentials &cred,
 112                 int msgId,
 113                 DataType dataType,
 114                 const Name &name,
 115                 const ClientId &owner);
 116
 117         RawBuffer getPKCS12(
 118                 const Credentials &cred,
 119                 int msgId,
 120                 const Name &name,
 121                 const ClientId &owner,
 122                 const Password &keyPassword,
 123                 const Password &certPassword);
 124
 125         RawBuffer getDataList(
 126                 const Credentials &cred,
 127                 int msgId,
 128                 DataType dataType);
 129
 130         RawBuffer createKeyPair(
 131                 const Credentials &cred,
 132                 int msgId,
 133                 const CryptoAlgorithmSerializable &keyGenParams,
 134                 const Name &namePrivate,
 135                 const ClientId &ownerPrivate,
 136                 const Name &namePublic,
 137                 const ClientId &ownerPublic,
 138                 const PolicySerializable &policyPrivate,
 139                 const PolicySerializable &policyPublic);
 140
 141         RawBuffer createKeyAES(
 142                 const Credentials &cred,
 143                 int msgId,
 144                 const int size,
 145                 const Name &name,
 146                 const ClientId &owner,
 147                 const PolicySerializable &policy);
 148
 149         RawBuffer getCertificateChain(
 150                 const Credentials &cred,
 151                 int msgId,
 152                 const RawBuffer &certificate,
 153                 const RawBufferVector &untrustedCertificates,
 154                 const RawBufferVector &trustedCertificates,
 155                 bool useTrustedSystemCertificates);
 156
 157         RawBuffer getCertificateChain(
 158                 const Credentials &cred,
 159                 int msgId,
 160                 const RawBuffer &certificate,
 161                 const OwnerNameVector &untrustedCertificates,
 162                 const OwnerNameVector &trustedCertificates,
 163                 bool useTrustedSystemCertificates);
 164
 165         RawBuffer createSignature(
 166                 const Credentials &cred,
 167                 int msgId,
 168                 const Name &privateKeyName,
 169                 const ClientId &owner,
 170                 const Password &password,           // password for private_key
 171                 const RawBuffer &message,
 172                 const CryptoAlgorithm &cryptoAlgorithm);
 173
 174         RawBuffer verifySignature(
 175                 const Credentials &cred,
 176                 int msgId,
 177                 const Name &publicKeyOrCertName,
 178                 const ClientId &owner,
 179                 const Password &password,           // password for public_key (optional)
 180                 const RawBuffer &message,
 181                 const RawBuffer &signature,
 182                 const CryptoAlgorithm &cryptoAlgorithm);
 183
 184         RawBuffer updateCCMode();
 185
 186         RawBuffer setPermission(
 187                 const Credentials &cred,
 188                 const int msgID,
 189                 const Name &name,
 190                 const ClientId &owner,
 191                 const ClientId &accessor,
 192                 const PermissionMask permissionMask);
 193
 194         RawBuffer deriveKey(
 195                 const Credentials &cred,
 196                 const int msgID,
 197                 const CryptoAlgorithm &params,
 198                 const Name &secretName,
 199                 const ClientId &secretOwner,
 200                 const Password &secretPassword,
 201                 const Name &newKeyName,
 202                 const ClientId &newKeyOwner,
 203                 const Policy &newKeyPolicy);
 204
 205         int setPermissionHelper(
 206                 const Credentials &cred,
 207                 const Name &name,
 208                 const ClientId &owner,
 209                 const ClientId &accessor,
 210                 const PermissionMask permissionMask);
 211
 212         int verifyAndSaveDataHelper(
 213                 const Credentials &cred,
 214                 const Name &name,
 215                 const ClientId &owner,
 216                 const Crypto::Data &data,
 217                 const PolicySerializable &policy);
 218
 219         int getKeyForService(
 220                 const Credentials &cred,
 221                 const Name &name,
 222                 const ClientId &owner,
 223                 const Password &pass,
 224                 Crypto::GObjShPtr &key);
 225
 226         int importInitialData(
 227                 const Name &name,
 228                 const Crypto::Data &data,
 229                 const Crypto::EncryptionParams &encData,
 230                 const Policy &policy);
 231
 232         int unlockSystemDB();
 233
 234         RawBuffer importWrappedKey(
 235                 const Credentials &cred,
 236                 const int msgId,
 237                 const CryptoAlgorithm &params,
 238                 const Name &wrappingKeyName,
 239                 const ClientId &wrappingKeyOwner,
 240                 const Password &wrappingKeyPassword,
 241                 const Name &encryptedKeyName,
 242                 const ClientId &encryptedKeyOwner,
 243                 const RawBuffer &encryptedKey,
 244                 const CKM::DataType encryptedKeyType,
 245                 const PolicySerializable &encryptedKeyPolicy);
 246
 247 private:
 248         // select private/system database depending on asking uid and owner id.
 249         // output: database handler for effective owner
 250         UserData &selectDatabase(const Credentials &cred,
 251                                                          const ClientId &owner);
 252
 253         int unlockDatabase(uid_t user,
 254                                            const Password &password);
 255
 256         void loadDKEKFile(
 257                 uid_t user,
 258                 const Password &password);
 259
 260         void saveDKEKFile(
 261                 uid_t user,
 262                 const Password &password);
 263
 264         int checkDataPermissionsHelper(
 265                 const Credentials &accessorCred,
 266                 const DB::Row &row,
 267                 bool exportFlag,
 268                 const PermissionMask& permission);
 269
 270         void decryptRow(
 271                 UserData &handler,
 272                 DB::Row &row,
 273                 const Password &password,
 274                 const RawBuffer &hash);
 275
 276         Crypto::GObjUPtr rowToObject(
 277                 UserData &handler,
 278                 DB::Row row,
 279                 const Password &password,
 280                 const RawBuffer &hash);
 281 protected:
 282         int readDataHelper(
 283                 bool exportFlag,
 284                 const Credentials &cred,
 285                 DataType dataType,
 286                 const Name &name,
 287                 const ClientId &owner,
 288                 const Password &password,
 289                 Crypto::GObjUPtr &obj);
 290
 291 private:
 292         int readRowHelper(
 293                 bool exportFlag,
 294                 const Credentials &cred,
 295                 DataType dataType,
 296                 const Name &name,
 297                 const ClientId &owner,
 298                 const Password &password,
 299                 DB::Row &row,
 300                 DataType &objDataType);
 301
 302         Crypto::GObjUPtr decryptedRowToObj(const DB::Row& row, const Password &password);
 303
 304         int readDataHelper(
 305                 bool exportFlag,
 306                 const Credentials &cred,
 307                 DataType dataType,
 308                 const Name &name,
 309                 const ClientId &owner,
 310                 const Password &password,
 311                 Crypto::GObjUPtr &obj,
 312                 DataType &objDataType);
 313
 314         int readDataHelper(
 315                 bool exportFlag,
 316                 const Credentials &cred,
 317                 DataType dataType,
 318                 const Name &name,
 319                 const ClientId &owner,
 320                 const Password &password,
 321                 Crypto::GObjUPtrVector &objs);
 322
 323         int readCertificateHelper(
 324                 const Credentials &cred,
 325                 const OwnerNameVector &ownerNameVector,
 326                 CertificateImplVector &certVector);
 327
 328         int getCertificateChainHelper(
 329                 const CertificateImpl &cert,
 330                 const RawBufferVector &untrustedCertificates,
 331                 const RawBufferVector &trustedCertificates,
 332                 bool useTrustedSystemCertificates,
 333                 RawBufferVector &chainRawVector);
 334
 335         int getCertificateChainHelper(
 336                 const Credentials &cred,
 337                 const CertificateImpl &cert,
 338                 const OwnerNameVector &untrusted,
 339                 const OwnerNameVector &trusted,
 340                 bool useTrustedSystemCertificates,
 341                 RawBufferVector &chainRawVector);
 342
 343         int getDataListHelper(
 344                 const Credentials &cred,
 345                 const DataType dataType,
 346                 OwnerNameVector &ownerNameVector);
 347
 348         void migrateSecureStorageData(bool isAdminUser);
 349
 350         class DBOperation {
 351         public:
 352                 DBOperation(UserData& handler, const Name &name, const ClientId &owner) :
 353                         m_handler(handler),
 354                         m_transaction(&handler.database),
 355                         m_name(name),
 356                         m_owner(owner) {
 357                 }
 358
 359                 DB::Row encryptOne(Token&& token, const Policy& policy) {
 360                         DB::Row row(std::move(token), m_name, m_owner, static_cast<int>(policy.extractable));
 361                         return m_handler.crypto.encryptRow(row);
 362                 }
 363
 364                 void finalize(Token&& token, const Policy& policy) {
 365                         auto row = encryptOne(std::move(token), policy);
 366                         m_handler.database.saveRow(row);
 367                         m_transaction.commit();
 368                 }
 369
 370                 DB::Crypto& database() { return m_handler.database; }
 371                 DB::Crypto::Transaction& transaction() { return m_transaction; }
 372                 UserData& handler() { return m_handler; }
 373                 PermissionMask permission(const Credentials &cred) {
 374                         return toPermissionMask(
 375                                 m_handler.database.getPermissionRow(m_name, m_owner, cred.client));
 376                 }
 377                 int loadAppKey(bool keyRequired = true);
 378
 379         private:
 380                 UserData& m_handler;
 381                 DB::Crypto::Transaction m_transaction;
 382                 const Name& m_name;
 383                 const ClientId& m_owner;
 384         };
 385
 386         std::tuple<DBOperation, int> begin(
 387                 const Credentials &cred,
 388                 const Name &name,
 389                 const ClientId &owner);
 390         std::tuple<DBOperation, PermissionMask, int> beginAndGetPerm(
 391                 const Credentials &cred,
 392                 const Name &name,
 393                 const ClientId &owner);
 394         std::tuple<CKMLogic::DBOperation, int> beginSave(
 395                 const Credentials &cred,
 396                 const Name &name,
 397                 const ClientId &owner);
 398         std::tuple<CKMLogic::DBOperation, RawBuffer, int> beginSaveAndGetHash(
 399                 const Credentials &cred,
 400                 const Name &name,
 401                 const ClientId &owner);
 402
 403         AccessControl m_accessControl;
 404         Crypto::Decider m_decider;
 405
 406 protected:
 407         std::map<uid_t, UserData> m_userDataMap;
 408 };
 409
 410 } // namespace CKM
 411