+ } catch (DB::Crypto::Exception::InternalError &e) {
+ LogDebug("DB::Crypto internal error: " << e.GetMessage());
+ retCode = CKM_API_ERROR_DB_ERROR;
+ } catch (const CKM::Exception &e) {
+ LogError("CKM::Exception: " << e.GetMessage());
+ retCode = CKM_API_ERROR_SERVER_ERROR;
+ }
+
+ return MessageBuffer::Serialize(static_cast<int>(LogicCommand::CREATE_KEY_AES),
+ commandId, retCode).Pop();
+}
+
+int CKMLogic::readCertificateHelper(
+ const Credentials &cred,
+ const LabelNameVector &labelNameVector,
+ CertificateImplVector &certVector)
+{
+ DB::Row row;
+ for (auto &i: labelNameVector) {
+ // certificates can't be protected with custom user password
+ Crypto::GObjUPtr obj;
+ int ec = readDataHelper(false, cred, DataType::CERTIFICATE, i.second, i.first, Password(), obj);
+ if (ec != CKM_API_SUCCESS)
+ return ec;
+
+ certVector.emplace_back(obj->getBinary(), DataFormat::FORM_DER);
+
+ // try to read chain certificates (if present)
+ Crypto::GObjUPtrVector caChainObjs;
+ ec = readDataHelper(false, cred, DataType::DB_CHAIN_FIRST, i.second, i.first, CKM::Password(), caChainObjs);
+ if(ec != CKM_API_SUCCESS && ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
+ return ec;
+ for(auto &caCertObj : caChainObjs)
+ certVector.emplace_back(caCertObj->getBinary(), DataFormat::FORM_DER);
+ }
+ return CKM_API_SUCCESS;
+}
+
+int CKMLogic::getCertificateChainHelper(
+ const CertificateImpl &cert,
+ const RawBufferVector &untrustedCertificates,
+ const RawBufferVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ RawBufferVector &chainRawVector)
+{
+ CertificateImplVector untrustedCertVector;
+ CertificateImplVector trustedCertVector;
+ CertificateImplVector chainVector;
+
+ if (cert.empty())
+ return CKM_API_ERROR_INPUT_PARAM;
+
+ for (auto &e: untrustedCertificates) {
+ CertificateImpl c(e, DataFormat::FORM_DER);
+ if(c.empty())
+ return CKM_API_ERROR_INPUT_PARAM;
+ untrustedCertVector.push_back(std::move(c));
+ }
+ for (auto &e: trustedCertificates) {
+ CertificateImpl c(e, DataFormat::FORM_DER);
+ if(c.empty())
+ return CKM_API_ERROR_INPUT_PARAM;
+ trustedCertVector.push_back(std::move(c));
+ }
+
+ CertificateStore store;
+ int retCode = store.verifyCertificate(cert,
+ untrustedCertVector,
+ trustedCertVector,
+ useTrustedSystemCertificates,
+ m_accessControl.isCCMode(),
+ chainVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ for (auto &e : chainVector)
+ chainRawVector.push_back(e.getDER());
+ return CKM_API_SUCCESS;
+}
+
+int CKMLogic::getCertificateChainHelper(
+ const Credentials &cred,
+ const CertificateImpl &cert,
+ const LabelNameVector &untrusted,
+ const LabelNameVector &trusted,
+ bool useTrustedSystemCertificates,
+ RawBufferVector &chainRawVector)
+{
+ CertificateImplVector untrustedCertVector;
+ CertificateImplVector trustedCertVector;
+ CertificateImplVector chainVector;
+ DB::Row row;
+
+ if (cert.empty())
+ return CKM_API_ERROR_INPUT_PARAM;
+
+ int retCode = readCertificateHelper(cred, untrusted, untrustedCertVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+ retCode = readCertificateHelper(cred, trusted, trustedCertVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ CertificateStore store;
+ retCode = store.verifyCertificate(cert,
+ untrustedCertVector,
+ trustedCertVector,
+ useTrustedSystemCertificates,
+ m_accessControl.isCCMode(),
+ chainVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ for (auto &i: chainVector)
+ chainRawVector.push_back(i.getDER());
+
+ return CKM_API_SUCCESS;
+}
+
+RawBuffer CKMLogic::getCertificateChain(
+ const Credentials & /*cred*/,
+ int commandId,
+ const RawBuffer &certificate,
+ const RawBufferVector &untrustedCertificates,
+ const RawBufferVector &trustedCertificates,
+ bool useTrustedSystemCertificates)
+{
+ CertificateImpl cert(certificate, DataFormat::FORM_DER);
+ RawBufferVector chainRawVector;
+ int retCode = CKM_API_ERROR_UNKNOWN;
+ try {
+ retCode = getCertificateChainHelper(cert,
+ untrustedCertificates,
+ trustedCertificates,
+ useTrustedSystemCertificates,
+ chainRawVector);
+ } catch (const Exc::Exception &e) {
+ retCode = e.error();
+ } catch (const DB::Crypto::Exception::Base &e) {
+ LogError("DB::Crypto failed with message: " << e.GetMessage());
+ retCode = CKM_API_ERROR_DB_ERROR;
+ } catch (const std::exception& e) {
+ LogError("STD exception " << e.what());
+ retCode = CKM_API_ERROR_SERVER_ERROR;
+ } catch (...) {
+ LogError("Unknown error.");
+ }
+
+ auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
+ commandId,
+ retCode,
+ chainRawVector);
+ return response.Pop();
+}
+
+RawBuffer CKMLogic::getCertificateChain(
+ const Credentials &cred,
+ int commandId,
+ const RawBuffer &certificate,
+ const LabelNameVector &untrustedCertificates,
+ const LabelNameVector &trustedCertificates,
+ bool useTrustedSystemCertificates)
+{
+ int retCode = CKM_API_ERROR_UNKNOWN;
+ CertificateImpl cert(certificate, DataFormat::FORM_DER);
+ RawBufferVector chainRawVector;
+ try {
+ retCode = getCertificateChainHelper(cred,
+ cert,
+ untrustedCertificates,
+ trustedCertificates,
+ useTrustedSystemCertificates,
+ chainRawVector);
+ } catch (const DB::Crypto::Exception::Base &e) {
+ LogError("DB::Crypto failed with message: " << e.GetMessage());
+ retCode = CKM_API_ERROR_DB_ERROR;
+ } catch (const Exc::Exception &e) {
+ retCode = e.error();
+ } catch (const std::exception& e) {
+ LogError("STD exception " << e.what());
+ retCode = CKM_API_ERROR_SERVER_ERROR;