2 * Copyright (c) 2014-2021 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
20 * @brief Sample service implementation.
27 #include <message-buffer.h>
28 #include <protocols.h>
29 #include <ckm/ckm-type.h>
30 #include <connection-info.h>
31 #include <db-crypto.h>
32 #include <key-provider.h>
33 #include <crypto-logic.h>
34 #include <file-lock.h>
35 #include <access-control.h>
36 #include <certificate-impl.h>
37 #include <sys/types.h>
38 #include <generic-backend/gobj.h>
39 #include <generic-backend/encryption-params.h>
40 #include <platform/decider.h>
45 KeyProvider keyProvider;
52 static const uid_t SYSTEM_DB_UID;
53 static const uid_t ADMIN_USER_DB_UID;
56 CKMLogic(const CKMLogic &) = delete;
57 CKMLogic(CKMLogic &&) = delete;
58 CKMLogic &operator=(const CKMLogic &) = delete;
59 CKMLogic &operator=(CKMLogic &&) = delete;
62 RawBuffer unlockUserKey(uid_t user, const Password &password);
63 RawBuffer lockUserKey(uid_t user);
65 RawBuffer removeUserData(uid_t user);
67 RawBuffer changeUserPassword(
69 const Password &oldPassword,
70 const Password &newPassword);
72 RawBuffer resetUserPassword(
74 const Password &newPassword);
76 RawBuffer removeApplicationData(
77 const ClientId &owner);
80 const Credentials &cred,
83 const ClientId &owner,
84 const Crypto::Data &data,
85 const PolicySerializable &policy);
88 const Credentials &cred,
91 const ClientId &owner,
92 const PKCS12Serializable &pkcs,
93 const PolicySerializable &keyPolicy,
94 const PolicySerializable &certPolicy);
97 const Credentials &cred,
100 const ClientId &owner);
103 const Credentials &cred,
107 const ClientId &owner,
108 const Password &password);
110 RawBuffer getDataProtectionStatus(
111 const Credentials &cred,
115 const ClientId &owner);
118 const Credentials &cred,
121 const ClientId &owner,
122 const Password &keyPassword,
123 const Password &certPassword);
125 RawBuffer getDataList(
126 const Credentials &cred,
130 RawBuffer createKeyPair(
131 const Credentials &cred,
133 const CryptoAlgorithmSerializable &keyGenParams,
134 const Name &namePrivate,
135 const ClientId &ownerPrivate,
136 const Name &namePublic,
137 const ClientId &ownerPublic,
138 const PolicySerializable &policyPrivate,
139 const PolicySerializable &policyPublic);
141 RawBuffer createKeyAES(
142 const Credentials &cred,
146 const ClientId &owner,
147 const PolicySerializable &policy);
149 RawBuffer getCertificateChain(
150 const Credentials &cred,
152 const RawBuffer &certificate,
153 const RawBufferVector &untrustedCertificates,
154 const RawBufferVector &trustedCertificates,
155 bool useTrustedSystemCertificates);
157 RawBuffer getCertificateChain(
158 const Credentials &cred,
160 const RawBuffer &certificate,
161 const OwnerNameVector &untrustedCertificates,
162 const OwnerNameVector &trustedCertificates,
163 bool useTrustedSystemCertificates);
165 RawBuffer createSignature(
166 const Credentials &cred,
168 const Name &privateKeyName,
169 const ClientId &owner,
170 const Password &password, // password for private_key
171 const RawBuffer &message,
172 const CryptoAlgorithm &cryptoAlgorithm);
174 RawBuffer verifySignature(
175 const Credentials &cred,
177 const Name &publicKeyOrCertName,
178 const ClientId &owner,
179 const Password &password, // password for public_key (optional)
180 const RawBuffer &message,
181 const RawBuffer &signature,
182 const CryptoAlgorithm &cryptoAlgorithm);
184 RawBuffer updateCCMode();
186 RawBuffer setPermission(
187 const Credentials &cred,
190 const ClientId &owner,
191 const ClientId &accessor,
192 const PermissionMask permissionMask);
195 const Credentials &cred,
197 const CryptoAlgorithm ¶ms,
198 const Name &secretName,
199 const ClientId &secretOwner,
200 const Password &secretPassword,
201 const Name &newKeyName,
202 const ClientId &newKeyOwner,
203 const Policy &newKeyPolicy);
205 int setPermissionHelper(
206 const Credentials &cred,
208 const ClientId &owner,
209 const ClientId &accessor,
210 const PermissionMask permissionMask);
212 int verifyAndSaveDataHelper(
213 const Credentials &cred,
215 const ClientId &owner,
216 const Crypto::Data &data,
217 const PolicySerializable &policy);
219 int getKeyForService(
220 const Credentials &cred,
222 const ClientId &owner,
223 const Password &pass,
224 Crypto::GObjShPtr &key);
226 int importInitialData(
228 const Crypto::Data &data,
229 const Crypto::EncryptionParams &encData,
230 const Policy &policy);
232 int unlockSystemDB();
234 RawBuffer importWrappedKey(
235 const Credentials &cred,
237 const CryptoAlgorithm ¶ms,
238 const Name &wrappingKeyName,
239 const ClientId &wrappingKeyOwner,
240 const Password &wrappingKeyPassword,
241 const Name &encryptedKeyName,
242 const ClientId &encryptedKeyOwner,
243 const RawBuffer &encryptedKey,
244 const CKM::DataType encryptedKeyType,
245 const PolicySerializable &encryptedKeyPolicy);
// Selects the private or the system database depending on the requesting uid and the owner id.
// Output: the database handler for the effective owner.
250 UserData &selectDatabase(const Credentials &cred,
251 const ClientId &owner);
253 int unlockDatabase(uid_t user,
254 const Password &password);
258 const Password &password);
262 const Password &password);
264 int checkDataPermissionsHelper(
265 const Credentials &accessorCred,
268 const PermissionMask& permission);
273 const Password &password,
274 const RawBuffer &hash);
276 Crypto::GObjUPtr rowToObject(
279 const Password &password,
280 const RawBuffer &hash);
284 const Credentials &cred,
287 const ClientId &owner,
288 const Password &password,
289 Crypto::GObjUPtr &obj);
294 const Credentials &cred,
297 const ClientId &owner,
298 const Password &password,
300 DataType &objDataType);
302 Crypto::GObjUPtr decryptedRowToObj(const DB::Row& row, const Password &password);
306 const Credentials &cred,
309 const ClientId &owner,
310 const Password &password,
311 Crypto::GObjUPtr &obj,
312 DataType &objDataType);
316 const Credentials &cred,
319 const ClientId &owner,
320 const Password &password,
321 Crypto::GObjUPtrVector &objs);
323 int readCertificateHelper(
324 const Credentials &cred,
325 const OwnerNameVector &ownerNameVector,
326 CertificateImplVector &certVector);
328 int getCertificateChainHelper(
329 const CertificateImpl &cert,
330 const RawBufferVector &untrustedCertificates,
331 const RawBufferVector &trustedCertificates,
332 bool useTrustedSystemCertificates,
333 RawBufferVector &chainRawVector);
335 int getCertificateChainHelper(
336 const Credentials &cred,
337 const CertificateImpl &cert,
338 const OwnerNameVector &untrusted,
339 const OwnerNameVector &trusted,
340 bool useTrustedSystemCertificates,
341 RawBufferVector &chainRawVector);
343 int getDataListHelper(
344 const Credentials &cred,
345 const DataType dataType,
346 OwnerNameVector &ownerNameVector);
348 void migrateSecureStorageData(bool isAdminUser);
352 DBOperation(UserData& handler, const Name &name, const ClientId &owner) :
354 m_transaction(&handler.database),
// Wraps `token` in a DB::Row for this operation's (m_name, m_owner) pair, storing
// only the policy's `extractable` flag (narrowed to int), and returns the row
// encrypted by the handler's crypto object. Does not write to the database.
DB::Row encryptOne(Token&& token, const Policy& policy) {
DB::Row row(std::move(token), m_name, m_owner, static_cast<int>(policy.extractable));
return m_handler.crypto.encryptRow(row);
// Encrypts `token` under `policy`, persists the resulting row in the handler's
// database and then commits m_transaction. Commit is the last step, so an
// exception from encryptOne or saveRow leaves the transaction uncommitted
// (presumably rolled back by the Transaction destructor — confirm in DB::Crypto).
void finalize(Token&& token, const Policy& policy) {
auto row = encryptOne(std::move(token), policy);
m_handler.database.saveRow(row);
m_transaction.commit();
// Non-owning access to the database of the UserData this operation works on.
DB::Crypto& database() {
return m_handler.database;
}
// Non-owning access to the transaction opened by this operation.
DB::Crypto::Transaction& transaction() {
return m_transaction;
}
// Non-owning access to the UserData handler this operation was created for.
UserData& handler() {
return m_handler;
}
// Access-control lookup: reads the permission row stored for (m_name, m_owner)
// as granted to the requesting client (cred.client) and converts it to a
// PermissionMask. Each call goes to the database; nothing is cached here.
PermissionMask permission(const Credentials &cred) {
return toPermissionMask(
m_handler.database.getPermissionRow(m_name, m_owner, cred.client));
377 int loadAppKey(bool keyRequired = true);
// Transaction opened on the handler's database in the constructor
// (m_transaction(&handler.database)); committed explicitly in finalize().
DB::Crypto::Transaction m_transaction;
// Reference member — presumably bound to the constructor's `owner` argument
// (the initializer is not visible here; confirm). The DBOperation must not
// outlive the ClientId it refers to, including when it is handed back inside the
// std::tuple returned by begin()/beginSave(); a dangling reference here would
// feed a stale owner into permission() and encryptOne().
const ClientId& m_owner;
386 std::tuple<DBOperation, int> begin(
387 const Credentials &cred,
389 const ClientId &owner);
390 std::tuple<DBOperation, PermissionMask, int> beginAndGetPerm(
391 const Credentials &cred,
393 const ClientId &owner);
394 std::tuple<CKMLogic::DBOperation, int> beginSave(
395 const Credentials &cred,
397 const ClientId &owner);
398 std::tuple<CKMLogic::DBOperation, RawBuffer, int> beginSaveAndGetHash(
399 const Credentials &cred,
401 const ClientId &owner);
403 AccessControl m_accessControl;
404 Crypto::Decider m_decider;
407 std::map<uid_t, UserData> m_userDataMap;