Ignore failing row decryption during data removal
[platform/core/security/key-manager.git] / src / manager / service / ckm-logic.cpp
index 4925735..217d0cd 100644 (file)
  * @version     1.0
  * @brief       Sample service implementation.
  */
-#include <vconf/vconf.h>
 #include <dpl/serialization.h>
 #include <dpl/log/log.h>
 #include <ckm/ckm-error.h>
 #include <ckm/ckm-type.h>
 #include <key-provider.h>
 #include <file-system.h>
-#include <CryptoService.h>
 #include <ckm-logic.h>
 #include <key-impl.h>
+#include <key-aes-impl.h>
+#include <certificate-config.h>
+#include <certificate-store.h>
+#include <dirent.h>
+#include <algorithm>
+#include <InitialValuesFile.h>
+#include <sw-backend/store.h>
+#include <generic-backend/exception.h>
 
 namespace {
-const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
+const char * const CERT_SYSTEM_DIR          = "/etc/ssl/certs";
+const char * const INIT_VALUES_DIR          = "/opt/data/ckm/initial_values/";
+const char * const INIT_VALUES_XSD          = "/usr/share/ckm/initial_values.xsd";
+const char * const INIT_VALUES_FILE_SUFFIX  = ".xml";
+const char * const SYSTEM_DB_PASSWD         = "cAtRugU7";
 
 bool isLabelValid(const CKM::Label &label) {
     // TODO: copy code from libprivilege control (for check smack label)
@@ -45,126 +55,164 @@ bool isNameValid(const CKM::Name &name) {
         return false;
     return true;
 }
-
 } // anonymous namespace
 
 namespace CKM {
 
+const uid_t CKMLogic::SYSTEM_DB_UID = 0;
+
 CKMLogic::CKMLogic()
 {
-    if (CKM_API_SUCCESS != m_certStore.setSystemCertificateDir(CERT_SYSTEM_DIR)) {
-        LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
-    }
+    CertificateConfig::addSystemCertificateDir(CERT_SYSTEM_DIR);
 
     m_accessControl.updateCCMode();
+
+    // make initial file list
+    std::vector<std::string> filesToParse;
+    DIR *dp = opendir(INIT_VALUES_DIR);
+    if(dp)
+    {
+        struct dirent *entry;
+        while ((entry = readdir(dp)))
+        {
+            std::string filename = std::string(entry->d_name);
+
+            // check if XML file
+            std::string lowercaseFilename = filename;
+            std::transform(lowercaseFilename.begin(), lowercaseFilename.end(), lowercaseFilename.begin(), ::tolower);
+            if(lowercaseFilename.find(INIT_VALUES_FILE_SUFFIX) == std::string::npos)
+                continue;
+
+            filesToParse.push_back(std::string(INIT_VALUES_DIR) + filename);
+        }
+        closedir(dp);
+    }
+
+    // parse
+    for(const auto & file : filesToParse)
+    {
+        InitialValues::InitialValuesFile xmlFile(file.c_str(), *this);
+        int rc = xmlFile.Validate(INIT_VALUES_XSD);
+        if(rc == XML::Parser::PARSE_SUCCESS)
+        {
+            rc = xmlFile.Parse();
+            if(rc != XML::Parser::PARSE_SUCCESS)
+                LogError("invalid initial values file: " << file << ", parsing code: " << rc);
+        }
+        else
+            LogError("invalid initial values file: " << file << ", validation code: " << rc);
+        unlink(file.c_str());
+    }
 }
 
 CKMLogic::~CKMLogic(){}
 
-void CKMLogic::loadDKEKFile(uid_t user, const Password &password, bool apiReq) {
+void CKMLogic::loadDKEKFile(uid_t user, const Password &password) {
     auto &handle = m_userDataMap[user];
 
     FileSystem fs(user);
 
-    auto wrappedDKEKMain = fs.getDKEK();
-    auto wrappedDKEKBackup = fs.getDKEKBackup();
+    auto wrappedDKEK = fs.getDKEK();
 
-    if (wrappedDKEKMain.empty() && wrappedDKEKBackup.empty()) {
-        wrappedDKEKMain = KeyProvider::generateDomainKEK(std::to_string(user), password);
-        fs.saveDKEK(wrappedDKEKMain);
+    if (wrappedDKEK.empty()) {
+        wrappedDKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
+        fs.saveDKEK(wrappedDKEK);
     }
 
-    chooseDKEKFile(handle, password, wrappedDKEKMain, wrappedDKEKBackup);
-
-    if (!password.empty() || apiReq) {
-        handle.isDKEKConfirmed = true;
-
-        if (true == handle.isMainDKEK)
-            fs.removeDKEKBackup();
-        else
-            fs.restoreDKEK();
-    }
-}
-
-void CKMLogic::chooseDKEKFile(
-    UserData &handle,
-    const Password &password,
-    const RawBuffer &first,
-    const RawBuffer &second)
-{
-    try {
-        handle.keyProvider = KeyProvider(first, password);
-        handle.isMainDKEK = true;
-    } catch (const KeyProvider::Exception::Base &e) {
-        if (second.empty())
-            throw;
-        handle.keyProvider = KeyProvider(second, password);
-        handle.isMainDKEK = false;
-    }
+    handle.keyProvider = KeyProvider(wrappedDKEK, password);
 }
 
 void CKMLogic::saveDKEKFile(uid_t user, const Password &password) {
     auto &handle = m_userDataMap[user];
 
     FileSystem fs(user);
-    if (handle.isMainDKEK)
-        fs.saveDKEKBackup(fs.getDKEK());
-
     fs.saveDKEK(handle.keyProvider.getWrappedDomainKEK(password));
-
-    handle.isMainDKEK = true;
-    handle.isDKEKConfirmed = false;
 }
 
-RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password, bool apiRequest) {
-    // TODO try catch for all errors that should be supported by error code
-    int retCode = CKM_API_SUCCESS;
+int CKMLogic::unlockDatabase(uid_t user, const Password & password)
+{
+    if (0<m_userDataMap.count(user) && m_userDataMap[user].keyProvider.isInitialized())
+        return CKM_API_SUCCESS;
 
-    try {
-        if (0 == m_userDataMap.count(user) || !(m_userDataMap[user].keyProvider.isInitialized())) {
-            auto &handle = m_userDataMap[user];
-            FileSystem fs(user);
+    int retCode = CKM_API_SUCCESS;
+    try
+    {
+        auto &handle = m_userDataMap[user];
 
-            loadDKEKFile(user, password, apiRequest);
+        FileSystem fs(user);
+        loadDKEKFile(user, password);
 
-            auto wrappedDatabaseDEK = fs.getDBDEK();
+        auto wrappedDatabaseDEK = fs.getDBDEK();
+        if (wrappedDatabaseDEK.empty()) {
+            wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
+            fs.saveDBDEK(wrappedDatabaseDEK);
+        }
 
-            if (wrappedDatabaseDEK.empty()) {
-                wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
-                fs.saveDBDEK(wrappedDatabaseDEK);
-            }
+        RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
 
-            RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
-            handle.database = DBCrypto(fs.getDBPath(), key);
-            handle.crypto = CryptoLogic();
+        handle.database = DB::Crypto(fs.getDBPath(), key);
+        handle.crypto = CryptoLogic();
 
+        if ( !m_accessControl.isSystemService(user) )
+        {
             // remove data of removed apps during locked state
             AppLabelVector removedApps = fs.clearRemovedsApps();
             for(auto& appSmackLabel : removedApps) {
+                handle.crypto.removeKey(appSmackLabel);
                 handle.database.deleteKey(appSmackLabel);
             }
-        } else if (apiRequest == true && m_userDataMap[user].isDKEKConfirmed == false) {
-            // now we will try to choose the DKEK key and remove old one
-            loadDKEKFile(user, password, apiRequest);
         }
-    } catch (const KeyProvider::Exception::PassWordError &e) {
-        LogError("Incorrect Password " << e.GetMessage());
-        retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
-    } catch (const KeyProvider::Exception::Base &e) {
-        LogError("Error in KeyProvider " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const CryptoLogic::Exception::Base &e) {
-        LogError("CryptoLogic error: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
     } catch (const CKM::Exception &e) {
         LogError("CKM::Exception: " << e.GetMessage());
         retCode = CKM_API_ERROR_SERVER_ERROR;
     }
 
-    if(retCode != CKM_API_SUCCESS) {
-        // When not successful, UserData in m_userDataMap should be erased.
-        // Because other operations make decision based on the existence of UserData in m_userDataMap.
+    if (CKM_API_SUCCESS != retCode)
         m_userDataMap.erase(user);
+
+    return retCode;
+}
+
+int CKMLogic::unlockSystemDB()
+{
+    return unlockDatabase(SYSTEM_DB_UID, SYSTEM_DB_PASSWD);
+}
+
+UserData & CKMLogic::selectDatabase(const Credentials &cred, const Label &incoming_label)
+{
+    // if user trying to access system service - check:
+    //    * if user database is unlocked [mandatory]
+    //    * if not - proceed with regular user database
+    //    * if explicit system database label given -> switch to system DB
+    if ( !m_accessControl.isSystemService(cred) )
+    {
+        if (0 == m_userDataMap.count(cred.clientUid))
+            ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked");
+
+        if (0 != incoming_label.compare(OWNER_ID_SYSTEM))
+            return m_userDataMap[cred.clientUid];
+    }
+
+    // system database selected, modify the label
+    if (CKM_API_SUCCESS != unlockSystemDB() )
+        ThrowErr(Exc::DatabaseLocked, "can not unlock system database");
+    return m_userDataMap[SYSTEM_DB_UID];
+}
+
+RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password)
+{
+    int retCode = CKM_API_SUCCESS;
+
+    if( !m_accessControl.isSystemService(user) )
+    {
+        retCode = unlockDatabase(user, password);
+    }
+    else
+    {
+        // do not allow lock/unlock operations for system users
+        retCode = CKM_API_ERROR_INPUT_PARAM;
     }
 
     return MessageBuffer::Serialize(retCode).Pop();
@@ -175,10 +223,18 @@ RawBuffer CKMLogic::updateCCMode() {
     return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
 }
 
-RawBuffer CKMLogic::lockUserKey(uid_t user) {
+RawBuffer CKMLogic::lockUserKey(uid_t user)
+{
     int retCode = CKM_API_SUCCESS;
-    // TODO try catch for all errors that should be supported by error code
-    m_userDataMap.erase(user);
+    if( !m_accessControl.isSystemService(user) )
+    {
+        m_userDataMap.erase(user);
+    }
+    else
+    {
+        // do not allow lock/unlock operations for system users
+        retCode = CKM_API_ERROR_INPUT_PARAM;
+    }
 
     return MessageBuffer::Serialize(retCode).Pop();
 
@@ -186,7 +242,10 @@ RawBuffer CKMLogic::lockUserKey(uid_t user) {
 
 RawBuffer CKMLogic::removeUserData(uid_t user) {
     int retCode = CKM_API_SUCCESS;
-    // TODO try catch for all errors that should be supported by error code
+
+    if (m_accessControl.isSystemService(user))
+        user = SYSTEM_DB_UID;
+
     m_userDataMap.erase(user);
 
     FileSystem fs(user);
@@ -195,21 +254,31 @@ RawBuffer CKMLogic::removeUserData(uid_t user) {
     return MessageBuffer::Serialize(retCode).Pop();
 }
 
+int CKMLogic::changeUserPasswordHelper(uid_t user,
+                                       const Password &oldPassword,
+                                       const Password &newPassword)
+{
+    // do not allow to change system database password
+    if( m_accessControl.isSystemService(user) )
+        return CKM_API_ERROR_INPUT_PARAM;
+
+    loadDKEKFile(user, oldPassword);
+    saveDKEKFile(user, newPassword);
+
+    return CKM_API_SUCCESS;
+}
+
 RawBuffer CKMLogic::changeUserPassword(
     uid_t user,
     const Password &oldPassword,
     const Password &newPassword)
 {
     int retCode = CKM_API_SUCCESS;
-    try {
-        loadDKEKFile(user, oldPassword, true);
-        saveDKEKFile(user, newPassword);
-    } catch (const KeyProvider::Exception::PassWordError &e) {
-        LogError("Incorrect Password " << e.GetMessage());
-        retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
-    } catch (const KeyProvider::Exception::Base &e) {
-        LogError("Error in KeyProvider " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
+    try
+    {
+        retCode = changeUserPasswordHelper(user, oldPassword, newPassword);
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
     } catch (const CKM::Exception &e) {
         LogError("CKM::Exception: " << e.GetMessage());
         retCode = CKM_API_ERROR_SERVER_ERROR;
@@ -218,18 +287,43 @@ RawBuffer CKMLogic::changeUserPassword(
     return MessageBuffer::Serialize(retCode).Pop();
 }
 
-RawBuffer CKMLogic::resetUserPassword(
+int CKMLogic::resetUserPasswordHelper(
     uid_t user,
     const Password &newPassword)
 {
+    // do not allow to reset system database password
+    if( m_accessControl.isSystemService(user) )
+        return CKM_API_ERROR_INPUT_PARAM;
+
     int retCode = CKM_API_SUCCESS;
-    // TODO try-catch
-    if (0 == m_userDataMap.count(user)) {
-        retCode = CKM_API_ERROR_BAD_REQUEST;
+    if (0 == m_userDataMap.count(user))
+    {
+        // Check if key exists. If exists we must return error
+        FileSystem fs(user);
+        auto wrappedDKEKMain = fs.getDKEK();
+        if (!wrappedDKEKMain.empty())
+            retCode = CKM_API_ERROR_BAD_REQUEST;
     } else {
         saveDKEKFile(user, newPassword);
     }
 
+    return retCode;
+}
+
+RawBuffer CKMLogic::resetUserPassword(
+    uid_t user,
+    const Password &newPassword)
+{
+    int retCode = CKM_API_SUCCESS;
+    try {
+        retCode = resetUserPasswordHelper(user, newPassword);
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
+    }
+
     return MessageBuffer::Serialize(retCode).Pop();
 }
 
@@ -248,17 +342,23 @@ RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel) {
                     fs.addRemovedApp(smackLabel);
                 } else {
                     auto &handle = m_userDataMap[userId];
+                    handle.crypto.removeKey(smackLabel);
                     handle.database.deleteKey(smackLabel);
                 }
             }
         }
 
-    } catch (const DBCrypto::Exception::InternalError &e) {
-        LogError("DBCrypto couldn't remove data: " << e.GetMessage());
+    } catch (const DB::Crypto::Exception::InternalError &e) {
+        LogError("DB::Crypto couldn't remove data: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
-    } catch (const DBCrypto::Exception::TransactionError &e) {
-        LogError("DBCrypto transaction failed with message " << e.GetMessage());
+    } catch (const DB::Crypto::Exception::TransactionError &e) {
+        LogError("DB::Crypto transaction failed with message " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     }
 
     return MessageBuffer::Serialize(retCode).Pop();
@@ -272,53 +372,55 @@ int CKMLogic::checkSaveConditions(
 {
     // verify name and label are correct
     if (!isNameValid(name) || !isLabelValid(ownerLabel)) {
-        LogWarning("Invalid parameter passed to key-manager");
+        LogDebug("Invalid parameter passed to key-manager");
         return CKM_API_ERROR_INPUT_PARAM;
     }
 
     // check if allowed to save using ownerLabel
-    int access_ec = m_accessControl.canSave(ownerLabel, cred.smackLabel);
-    if(access_ec != CKM_API_SUCCESS)
+    int access_ec = m_accessControl.canSave(cred, ownerLabel);
+    if( access_ec != CKM_API_SUCCESS)
     {
-        LogWarning("label " << cred.smackLabel << " can not save rows using label " << ownerLabel);
+        LogDebug("label " << cred.smackLabel << " can not save rows using label " << ownerLabel);
         return access_ec;
     }
 
     // check if not a duplicate
-    if( handler.database.isNameLabelPresent(name, cred.smackLabel) )
+    if( handler.database.isNameLabelPresent(name, ownerLabel))
         return CKM_API_ERROR_DB_ALIAS_EXISTS;
 
     // encryption section
-    if (!handler.crypto.haveKey(cred.smackLabel)) {
+    if (!handler.crypto.haveKey(ownerLabel))
+    {
         RawBuffer got_key;
-        auto key_optional = handler.database.getKey(cred.smackLabel);
+        auto key_optional = handler.database.getKey(ownerLabel);
         if(!key_optional) {
-            LogDebug("No Key in database found. Generating new one for label: "
-                    << cred.smackLabel);
-            got_key = handler.keyProvider.generateDEK(cred.smackLabel);
-            handler.database.saveKey(cred.smackLabel, got_key);
+            LogDebug("No Key in database found. Generating new one for label: " << ownerLabel);
+            got_key = handler.keyProvider.generateDEK(ownerLabel);
+            handler.database.saveKey(ownerLabel, got_key);
         } else {
             LogDebug("Key from DB");
             got_key = *key_optional;
         }
 
         got_key = handler.keyProvider.getPureDEK(got_key);
-        handler.crypto.pushKey(cred.smackLabel, got_key);
+        handler.crypto.pushKey(ownerLabel, got_key);
     }
 
     return CKM_API_SUCCESS;
 }
 
-DBRow CKMLogic::createEncryptedDBRow(
+DB::Row CKMLogic::createEncryptedRow(
     CryptoLogic &crypto,
     const Name &name,
     const Label &label,
-    DBDataType dataType,
+    DataType dataType,
     const RawBuffer &data,
     const Policy &policy) const
 {
-    DBRow row = { name, label, policy.extractable, dataType, DBCMAlgType::NONE,
-                  0, RawBuffer(), static_cast<int>(data.size()), data, RawBuffer() };
+    Crypto::GStore& store = m_decider.getStore(dataType, policy.extractable);
+    Token token = store.import(dataType, data);
+
+    DB::Row row(std::move(token), name, label, static_cast<int>(policy.extractable));
 
     // do not encrypt data with password during cc_mode on
     if(m_accessControl.isCCMode()) {
@@ -329,67 +431,115 @@ DBRow CKMLogic::createEncryptedDBRow(
     return row;
 }
 
-int CKMLogic::verifyBinaryData(DBDataType dataType, const RawBuffer &input_data) const
+int CKMLogic::verifyBinaryData(DataType dataType, RawBuffer &input_data) const
+{
+    RawBuffer dummy;
+    return toBinaryData(dataType, input_data, dummy);
+}
+
+int CKMLogic::toBinaryData(DataType dataType,
+                           const RawBuffer &input_data,
+                           RawBuffer &output_data) const
 {
     // verify the data integrity
     if (dataType.isKey())
     {
-        KeyShPtr output_key = CKM::Key::create(input_data);
+        KeyShPtr output_key;
+        if(dataType.isSKey())
+            output_key = CKM::Key::createAES(input_data);
+        else
+            output_key = CKM::Key::create(input_data);
         if(output_key.get() == NULL)
         {
-            LogError("provided binary data is not valid key data");
+            LogDebug("provided binary data is not valid key data");
             return CKM_API_ERROR_INPUT_PARAM;
         }
+        output_data = output_key->getDER();
     }
     else if (dataType.isCertificate() || dataType.isChainCert())
     {
         CertificateShPtr cert = CKM::Certificate::create(input_data, DataFormat::FORM_DER);
         if(cert.get() == NULL)
         {
-            LogError("provided binary data is not valid certificate data");
+            LogDebug("provided binary data is not valid certificate data");
             return CKM_API_ERROR_INPUT_PARAM;
         }
+        output_data = cert->getDER();
     }
+    else
+        output_data = input_data;
     // TODO: add here BINARY_DATA verification, i.e: max size etc.
     return CKM_API_SUCCESS;
 }
 
-RawBuffer CKMLogic::saveData(
+int CKMLogic::verifyAndSaveDataHelper(
     const Credentials &cred,
-    int commandId,
     const Name &name,
     const Label &label,
     const RawBuffer &data,
-    DBDataType dataType,
+    DataType dataType,
     const PolicySerializable &policy)
 {
-    int retCode;
-    if (0 == m_userDataMap.count(cred.uid))
-        retCode = CKM_API_ERROR_DB_LOCKED;
-    else
-    {
-        try {
-            // check if data is correct
-            retCode = verifyBinaryData(dataType, data);
-            if(retCode == CKM_API_SUCCESS)
-            {
-                retCode = saveDataHelper(cred, name, label, dataType, data, policy);
-            }
-        } catch (const KeyProvider::Exception::Base &e) {
-            LogError("KeyProvider failed with message: " << e.GetMessage());
-            retCode = CKM_API_ERROR_SERVER_ERROR;
-        } catch (const CryptoLogic::Exception::Base &e) {
-            LogError("CryptoLogic failed with message: " << e.GetMessage());
-            retCode = CKM_API_ERROR_SERVER_ERROR;
-        } catch (const DBCrypto::Exception::InternalError &e) {
-            LogError("DBCrypto failed with message: " << e.GetMessage());
-            retCode = CKM_API_ERROR_DB_ERROR;
-        } catch (const DBCrypto::Exception::TransactionError &e) {
-            LogError("DBCrypto transaction failed with message " << e.GetMessage());
-            retCode = CKM_API_ERROR_DB_ERROR;
+    int retCode = CKM_API_ERROR_UNKNOWN;
+
+    try {
+        // check if data is correct
+        RawBuffer binaryData;
+        retCode = toBinaryData(dataType, data, binaryData);
+        if(retCode == CKM_API_SUCCESS)
+        {
+            retCode = saveDataHelper(cred, name, label, dataType, binaryData, policy);
         }
+    } catch (const DB::Crypto::Exception::InternalError &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const DB::Crypto::Exception::TransactionError &e) {
+        LogError("DB::Crypto transaction failed with message " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     }
+    return retCode;
+}
 
+int CKMLogic::getKeyForService(
+        const Credentials &cred,
+        const Name &name,
+        const Label &label,
+        const Password &pass,
+        Crypto::GKeyShPtr &key)
+{
+    DB::Row row;
+    try {
+        // Key is for internal service use. It won't be exported to the client
+        int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, label, pass, row);
+        if (retCode == CKM_API_SUCCESS)
+            key = m_decider.getStore(row).getKey(row);
+        return retCode;
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
+        return CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        return e.error();
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        return CKM_API_ERROR_SERVER_ERROR;
+    }
+}
+
+RawBuffer CKMLogic::saveData(
+    const Credentials &cred,
+    int commandId,
+    const Name &name,
+    const Label &label,
+    const RawBuffer &data,
+    DataType dataType,
+    const PolicySerializable &policy)
+{
+    int retCode = verifyAndSaveDataHelper(cred, name, label, data, dataType, policy);
     auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::SAVE),
                                              commandId,
                                              retCode,
@@ -404,39 +554,39 @@ int CKMLogic::extractPKCS12Data(
     const PKCS12Serializable &pkcs,
     const PolicySerializable &keyPolicy,
     const PolicySerializable &certPolicy,
-    DBRowVector &output) const
+    DB::RowVector &output) const
 {
     // private key is mandatory
     if( !pkcs.getKey() )
         return CKM_API_ERROR_INVALID_FORMAT;
     Key* keyPtr = pkcs.getKey().get();
-    DBDataType keyType = DBDataType(keyPtr->getType());
+    DataType keyType = DataType(keyPtr->getType());
     RawBuffer keyData = keyPtr->getDER();
     int retCode = verifyBinaryData(keyType, keyData);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
-    output.push_back(createEncryptedDBRow(crypto, name, ownerLabel, keyType, keyData, keyPolicy));
+    output.push_back(createEncryptedRow(crypto, name, ownerLabel, keyType, keyData, keyPolicy));
 
     // certificate is mandatory
     if( !pkcs.getCertificate() )
         return CKM_API_ERROR_INVALID_FORMAT;
     RawBuffer certData = pkcs.getCertificate().get()->getDER();
-    retCode = verifyBinaryData(DBDataType::CERTIFICATE, certData);
+    retCode = verifyBinaryData(DataType::CERTIFICATE, certData);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
-    output.push_back(createEncryptedDBRow(crypto, name, ownerLabel, DBDataType::CERTIFICATE, certData, certPolicy));
+    output.push_back(createEncryptedRow(crypto, name, ownerLabel, DataType::CERTIFICATE, certData, certPolicy));
 
     // CA cert chain
     unsigned int cert_index = 0;
     for(const auto & ca : pkcs.getCaCertificateShPtrVector())
     {
-        DBDataType chainDataType = DBDataType::getChainDatatype(cert_index ++);
+        DataType chainDataType = DataType::getChainDatatype(cert_index ++);
         RawBuffer caCertData = ca->getDER();
         int retCode = verifyBinaryData(chainDataType, caCertData);
         if(retCode != CKM_API_SUCCESS)
             return retCode;
 
-        output.push_back(createEncryptedDBRow(crypto, name, ownerLabel, chainDataType, caCertData, certPolicy));
+        output.push_back(createEncryptedRow(crypto, name, ownerLabel, chainDataType, caCertData, certPolicy));
     }
 
     return CKM_API_SUCCESS;
@@ -451,26 +601,20 @@ RawBuffer CKMLogic::savePKCS12(
     const PolicySerializable &keyPolicy,
     const PolicySerializable &certPolicy)
 {
-    int retCode;
-    if (0 == m_userDataMap.count(cred.uid))
-        retCode = CKM_API_ERROR_DB_LOCKED;
-    else
-    {
-        try {
-            retCode = saveDataHelper(cred, name, label, pkcs, keyPolicy, certPolicy);
-        } catch (const KeyProvider::Exception::Base &e) {
-            LogError("KeyProvider failed with message: " << e.GetMessage());
-            retCode = CKM_API_ERROR_SERVER_ERROR;
-        } catch (const CryptoLogic::Exception::Base &e) {
-            LogError("CryptoLogic failed with message: " << e.GetMessage());
-            retCode = CKM_API_ERROR_SERVER_ERROR;
-        } catch (const DBCrypto::Exception::InternalError &e) {
-            LogError("DBCrypto failed with message: " << e.GetMessage());
-            retCode = CKM_API_ERROR_DB_ERROR;
-        } catch (const DBCrypto::Exception::TransactionError &e) {
-            LogError("DBCrypto transaction failed with message " << e.GetMessage());
-            retCode = CKM_API_ERROR_DB_ERROR;
-        }
+    int retCode = CKM_API_ERROR_UNKNOWN;
+    try {
+        retCode = saveDataHelper(cred, name, label, pkcs, keyPolicy, certPolicy);
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const DB::Crypto::Exception::InternalError &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const DB::Crypto::Exception::TransactionError &e) {
+        LogError("DB::Crypto transaction failed with message " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     }
 
     auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::SAVE_PKCS12),
@@ -483,38 +627,62 @@ RawBuffer CKMLogic::savePKCS12(
 int CKMLogic::removeDataHelper(
         const Credentials &cred,
         const Name &name,
-        const Label &ownerLabel)
+        const Label &label)
 {
-    if (0 == m_userDataMap.count(cred.uid))
-        return CKM_API_ERROR_DB_LOCKED;
+    auto &handler = selectDatabase(cred, label);
 
+    // use client label if not explicitly provided
+    const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
     if (!isNameValid(name) || !isLabelValid(ownerLabel)) {
-        LogError("Invalid label or name format");
+        LogDebug("Invalid label or name format");
         return CKM_API_ERROR_INPUT_PARAM;
     }
 
-    auto &database = m_userDataMap[cred.uid].database;
-    DBCrypto::Transaction transaction(&database);
+    DB::Crypto::Transaction transaction(&handler.database);
 
     // read and check permissions
     PermissionMaskOptional permissionRowOpt =
-            database.getPermissionRow(name, ownerLabel, cred.smackLabel);
-    int access_ec = m_accessControl.canDelete(PermissionForLabel(cred.smackLabel, permissionRowOpt));
-    if(access_ec != CKM_API_SUCCESS)
+            handler.database.getPermissionRow(name, ownerLabel, cred.smackLabel);
+    int retCode = m_accessControl.canDelete(cred,
+                        PermissionForLabel(cred.smackLabel, permissionRowOpt));
+    if(retCode != CKM_API_SUCCESS)
     {
-        LogWarning("access control check result: " << access_ec);
-        return access_ec;
+        LogWarning("access control check result: " << retCode);
+        return retCode;
     }
 
-    auto erased = database.deleteDBRow(name, ownerLabel);
-    // check if the data existed or not
-    if(erased)
-        transaction.commit();
-    else {
-        LogError("No row for given name and label");
+    // get all matching rows
+    DB::RowVector rows;
+    handler.database.getRows(name, ownerLabel, DataType::DB_FIRST, DataType::DB_LAST, rows);
+    if (rows.empty()) {
+        LogDebug("No row for given name and label");
         return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
     }
 
+    // load app key if needed
+    retCode = loadAppKey(handler, rows.front().ownerLabel);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
+
+    // destroy it in store
+    for(auto& r : rows) {
+        /*
+         * TODO: If row is encrypted with user password we won't be able to decrypt it (tz id).
+         * Encryption/decryption with user password and with app key should both be done inside the
+         * store (import, getKey and generateXKey).
+         */
+        try {
+            handler.crypto.decryptRow(Password(), r);
+        } catch (const Exc::AuthenticationFailed&) {
+            LogDebug("Authentication failed when removing data. Ignored.");
+        }
+        m_decider.getStore(r.dataType, r.exportable).destroy(r);
+    }
+
+    // delete row in db
+    handler.database.deleteRow(name, ownerLabel);
+    transaction.commit();
+
     return CKM_API_SUCCESS;
 }
 
@@ -524,13 +692,18 @@ RawBuffer CKMLogic::removeData(
     const Name &name,
     const Label &label)
 {
-    int retCode;
-    Try {
-        // use client label if not explicitly provided
-        const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+    int retCode = CKM_API_ERROR_UNKNOWN;
 
-        retCode = removeDataHelper(cred, name, ownerLabel);
-    } Catch (CKM::Exception) {
+    try
+    {
+        retCode = removeDataHelper(cred, name, label);
+    }
+    catch (const Exc::Exception &e)
+    {
+        retCode = e.error();
+    }
+    catch (const CKM::Exception &)
+    {
         LogError("Error in deleting row!");
         retCode = CKM_API_ERROR_DB_ERROR;
     }
@@ -543,27 +716,27 @@ RawBuffer CKMLogic::removeData(
 
 int CKMLogic::readSingleRow(const Name &name,
                             const Label &ownerLabel,
-                            DBDataType dataType,
-                            DBCrypto & database,
-                            DBRow &row)
+                            DataType dataType,
+                            DB::Crypto & database,
+                            DB::Row &row)
 {
-    DBCrypto::DBRowOptional row_optional;
+    DB::Crypto::RowOptional row_optional;
     if (dataType.isKey())
     {
         // read all key types
-        row_optional = database.getDBRow(name,
+        row_optional = database.getRow(name,
                                          ownerLabel,
-                                         DBDataType::DB_KEY_FIRST,
-                                         DBDataType::DB_KEY_LAST);
+                                         DataType::DB_KEY_FIRST,
+                                         DataType::DB_KEY_LAST);
     } else {
         // read anything else
-        row_optional = database.getDBRow(name,
+        row_optional = database.getRow(name,
                                          ownerLabel,
                                          dataType);
     }
 
     if(!row_optional) {
-        LogError("No row for given name, label and type");
+        LogDebug("No row for given name, label and type");
         return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
     } else {
         row = *row_optional;
@@ -575,71 +748,71 @@ int CKMLogic::readSingleRow(const Name &name,
 
 int CKMLogic::readMultiRow(const Name &name,
                            const Label &ownerLabel,
-                           DBDataType dataType,
-                           DBCrypto & database,
-                           DBRowVector &output)
+                           DataType dataType,
+                           DB::Crypto & database,
+                           DB::RowVector &output)
 {
     if (dataType.isKey())
     {
         // read all key types
-        database.getDBRows(name,
+        database.getRows(name,
                           ownerLabel,
-                          DBDataType::DB_KEY_FIRST,
-                          DBDataType::DB_KEY_LAST,
+                          DataType::DB_KEY_FIRST,
+                          DataType::DB_KEY_LAST,
                           output);
     }
     else if (dataType.isChainCert())
     {
         // read all key types
-        database.getDBRows(name,
-                          ownerLabel,
-                          DBDataType::DB_CHAIN_FIRST,
-                          DBDataType::DB_CHAIN_LAST,
-                          output);
+        database.getRows(name,
+                         ownerLabel,
+                         DataType::DB_CHAIN_FIRST,
+                         DataType::DB_CHAIN_LAST,
+                         output);
     }
     else
     {
         // read anything else
-        database.getDBRows(name,
-                          ownerLabel,
-                          dataType,
-                          output);
+        database.getRows(name,
+                         ownerLabel,
+                         dataType,
+                         output);
     }
 
     if(!output.size()) {
-        LogError("No row for given name, label and type");
+        LogDebug("No row for given name, label and type");
         return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
     }
 
     return CKM_API_SUCCESS;
 }
 
-int CKMLogic::checkDataPermissionsHelper(const Name &name,
+int CKMLogic::checkDataPermissionsHelper(const Credentials &cred,
+                                         const Name &name,
                                          const Label &ownerLabel,
                                          const Label &accessorLabel,
-                                         const DBRow &row,
+                                         const DB::Row &row,
                                          bool exportFlag,
-                                         DBCrypto & database)
+                                         DB::Crypto & database)
 {
     PermissionMaskOptional permissionRowOpt =
             database.getPermissionRow(name, ownerLabel, accessorLabel);
 
     if(exportFlag)
-        return m_accessControl.canExport(row, PermissionForLabel(accessorLabel, permissionRowOpt));
-    return m_accessControl.canRead(PermissionForLabel(accessorLabel, permissionRowOpt));
+        return m_accessControl.canExport(cred, row, PermissionForLabel(accessorLabel, permissionRowOpt));
+    return m_accessControl.canRead(cred, PermissionForLabel(accessorLabel, permissionRowOpt));
 }
 
 int CKMLogic::readDataHelper(
     bool exportFlag,
     const Credentials &cred,
-    DBDataType dataType,
+    DataType dataType,
     const Name &name,
     const Label &label,
     const Password &password,
-    DBRowVector &rows)
+    DB::RowVector &rows)
 {
-    if (0 == m_userDataMap.count(cred.uid))
-        return CKM_API_ERROR_DB_LOCKED;
+    auto &handler = selectDatabase(cred, label);
 
     // use client label if not explicitly provided
     const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
@@ -647,34 +820,26 @@ int CKMLogic::readDataHelper(
     if (!isNameValid(name) || !isLabelValid(ownerLabel))
         return CKM_API_ERROR_INPUT_PARAM;
 
-    auto &handler = m_userDataMap[cred.uid];
-
     // read rows
-    DBCrypto::Transaction transaction(&handler.database);
-    int ec = readMultiRow(name, ownerLabel, dataType, handler.database, rows);
-    if(CKM_API_SUCCESS != ec)
-        return ec;
+    DB::Crypto::Transaction transaction(&handler.database);
+    int retCode = readMultiRow(name, ownerLabel, dataType, handler.database, rows);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
 
     // all read rows belong to the same owner
-    DBRow & firstRow = rows.at(0);
+    DB::Row & firstRow = rows.at(0);
 
     // check access rights
-    ec = checkDataPermissionsHelper(name, ownerLabel, cred.smackLabel, firstRow, exportFlag, handler.database);
-    if(CKM_API_SUCCESS != ec)
-        return ec;
+    retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel, firstRow, exportFlag, handler.database);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
+
+    // load app key if needed
+    retCode = loadAppKey(handler, firstRow.ownerLabel);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
 
     // decrypt row
-    if (!handler.crypto.haveKey(firstRow.ownerLabel)) {
-        RawBuffer key;
-        auto key_optional = handler.database.getKey(firstRow.ownerLabel);
-        if(!key_optional) {
-            LogError("No key for given label in database");
-            return CKM_API_ERROR_DB_ERROR;
-        }
-        key = *key_optional;
-        key = handler.keyProvider.getPureDEK(key);
-        handler.crypto.pushKey(firstRow.ownerLabel, key);
-    }
     for(auto &row : rows)
         handler.crypto.decryptRow(password, row);
 
@@ -684,14 +849,13 @@ int CKMLogic::readDataHelper(
 int CKMLogic::readDataHelper(
     bool exportFlag,
     const Credentials &cred,
-    DBDataType dataType,
+    DataType dataType,
     const Name &name,
     const Label &label,
     const Password &password,
-    DBRow &row)
+    DB::Row &row)
 {
-    if (0 == m_userDataMap.count(cred.uid))
-        return CKM_API_ERROR_DB_LOCKED;
+    auto &handler = selectDatabase(cred, label);
 
     // use client label if not explicitly provided
     const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
@@ -699,32 +863,23 @@ int CKMLogic::readDataHelper(
     if (!isNameValid(name) || !isLabelValid(ownerLabel))
         return CKM_API_ERROR_INPUT_PARAM;
 
-    auto &handler = m_userDataMap[cred.uid];
-
     // read row
-    DBCrypto::Transaction transaction(&handler.database);
-    int ec = readSingleRow(name, ownerLabel, dataType, handler.database, row);
-    if(CKM_API_SUCCESS != ec)
-        return ec;
-
+    DB::Crypto::Transaction transaction(&handler.database);
+    int retCode = readSingleRow(name, ownerLabel, dataType, handler.database, row);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
 
     // check access rights
-    ec = checkDataPermissionsHelper(name, ownerLabel, cred.smackLabel, row, exportFlag, handler.database);
-    if(CKM_API_SUCCESS != ec)
-        return ec;
+    retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel, row, exportFlag, handler.database);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
+
+    // load app key if needed
+    retCode = loadAppKey(handler, row.ownerLabel);
+    if(CKM_API_SUCCESS != retCode)
+        return retCode;
 
     // decrypt row
-    if (!handler.crypto.haveKey(row.ownerLabel)) {
-        RawBuffer key;
-        auto key_optional = handler.database.getKey(row.ownerLabel);
-        if(!key_optional) {
-            LogError("No key for given label in database");
-            return CKM_API_ERROR_DB_ERROR;
-        }
-        key = *key_optional;
-        key = handler.keyProvider.getPureDEK(key);
-        handler.crypto.pushKey(row.ownerLabel, key);
-    }
     handler.crypto.decryptRow(password, row);
 
     return CKM_API_SUCCESS;
@@ -733,25 +888,24 @@ int CKMLogic::readDataHelper(
 RawBuffer CKMLogic::getData(
     const Credentials &cred,
     int commandId,
-    DBDataType dataType,
+    DataType dataType,
     const Name &name,
     const Label &label,
     const Password &password)
 {
     int retCode = CKM_API_SUCCESS;
-    DBRow row;
+    DB::Row row;
 
     try {
         retCode = readDataHelper(true, cred, dataType, name, label, password, row);
-    } catch (const KeyProvider::Exception::Base &e) {
-        LogError("KeyProvider failed with error: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const CryptoLogic::Exception::Base &e) {
-        LogError("CryptoLogic failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const DBCrypto::Exception::Base &e) {
-        LogError("DBCrypto failed with message: " << e.GetMessage());
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     }
 
     if (CKM_API_SUCCESS != retCode) {
@@ -771,6 +925,8 @@ int CKMLogic::getPKCS12Helper(
     const Credentials &cred,
     const Name &name,
     const Label &label,
+    const Password &keyPassword,
+    const Password &certPassword,
     KeyShPtr & privKey,
     CertificateShPtr & cert,
     CertificateShPtrVector & caChain)
@@ -778,22 +934,22 @@ int CKMLogic::getPKCS12Helper(
     int retCode;
 
     // read private key (mandatory)
-    DBRow privKeyRow;
-    retCode = readDataHelper(true, cred, DBDataType::DB_KEY_FIRST, name, label, CKM::Password(), privKeyRow);
+    DB::Row privKeyRow;
+    retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, label, keyPassword, privKeyRow);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
     privKey = CKM::Key::create(privKeyRow.data);
 
     // read certificate (mandatory)
-    DBRow certRow;
-    retCode = readDataHelper(true, cred, DBDataType::CERTIFICATE, name, label, CKM::Password(), certRow);
+    DB::Row certRow;
+    retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, label, certPassword, certRow);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
     cert = CKM::Certificate::create(certRow.data, DataFormat::FORM_DER);
 
     // read CA cert chain (optional)
-    DBRowVector rawCaChain;
-    retCode = readDataHelper(true, cred, DBDataType::DB_CHAIN_FIRST, name, label, CKM::Password(), rawCaChain);
+    DB::RowVector rawCaChain;
+    retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, label, certPassword, rawCaChain);
     if(retCode != CKM_API_SUCCESS &&
        retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
         return retCode;
@@ -811,30 +967,30 @@ RawBuffer CKMLogic::getPKCS12(
         const Credentials &cred,
         int commandId,
         const Name &name,
-        const Label &label)
+        const Label &label,
+        const Password &keyPassword,
+        const Password &certPassword)
 {
-    int retCode;
-    PKCS12Serializable output;
+    int retCode = CKM_API_ERROR_UNKNOWN;
 
+    PKCS12Serializable output;
     try {
         KeyShPtr privKey;
         CertificateShPtr cert;
         CertificateShPtrVector caChain;
-        retCode = getPKCS12Helper(cred, name, label, privKey, cert, caChain);
+        retCode = getPKCS12Helper(cred, name, label, keyPassword, certPassword, privKey, cert, caChain);
 
         // prepare response
         if(retCode == CKM_API_SUCCESS)
             output = PKCS12Serializable(privKey, cert, caChain);
-
-    } catch (const KeyProvider::Exception::Base &e) {
-        LogError("KeyProvider failed with error: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const CryptoLogic::Exception::Base &e) {
-        LogError("CryptoLogic failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const DBCrypto::Exception::Base &e) {
-        LogError("DBCrypto failed with message: " << e.GetMessage());
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     }
 
     auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_PKCS12),
@@ -844,39 +1000,84 @@ RawBuffer CKMLogic::getPKCS12(
     return response.Pop();
 }
 
-RawBuffer CKMLogic::getDataList(
-    const Credentials &cred,
-    int commandId,
-    DBDataType dataType)
+int CKMLogic::getDataListHelper(const Credentials &cred,
+                                const DataType dataType,
+                                LabelNameVector &labelNameVector)
 {
-    int retCode = CKM_API_SUCCESS;
-    LabelNameVector labelNameVector;
-
-    if (0 < m_userDataMap.count(cred.uid)) {
-        auto &database = m_userDataMap[cred.uid].database;
+    int retCode = CKM_API_ERROR_DB_LOCKED;
+    if (0 < m_userDataMap.count(cred.clientUid))
+    {
+        auto &database = m_userDataMap[cred.clientUid].database;
 
         Try {
+            LabelNameVector tmpVector;
             if (dataType.isKey()) {
                 // list all key types
                 database.listNames(cred.smackLabel,
-                                   labelNameVector,
-                                   DBDataType::DB_KEY_FIRST,
-                                   DBDataType::DB_KEY_LAST);
+                                   tmpVector,
+                                   DataType::DB_KEY_FIRST,
+                                   DataType::DB_KEY_LAST);
             } else {
                 // list anything else
                 database.listNames(cred.smackLabel,
-                                   labelNameVector,
+                                   tmpVector,
                                    dataType);
             }
+            labelNameVector.insert(labelNameVector.end(), tmpVector.begin(), tmpVector.end());
+            retCode = CKM_API_SUCCESS;
         }
         Catch (CKM::Exception) {
             LogError("Failed to get names");
             retCode = CKM_API_ERROR_DB_ERROR;
         }
-    } else {
-        retCode = CKM_API_ERROR_DB_LOCKED;
     }
+    return retCode;
+}
+
+RawBuffer CKMLogic::getDataList(
+    const Credentials &cred,
+    int commandId,
+    DataType dataType)
+{
+    LabelNameVector systemVector;
+    LabelNameVector userVector;
+    LabelNameVector labelNameVector;
 
+    int retCode = unlockSystemDB();
+    if (CKM_API_SUCCESS == retCode)
+    {
+        // system database
+        if (m_accessControl.isSystemService(cred))
+        {
+            // lookup system DB
+            retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
+                                                    OWNER_ID_SYSTEM),
+                                        dataType,
+                                        systemVector);
+        }
+        else
+        {
+            // user - lookup system, then client DB
+            retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
+                                                    cred.smackLabel),
+                                        dataType,
+                                        systemVector);
+
+            // private database
+            if(retCode == CKM_API_SUCCESS)
+            {
+                retCode = getDataListHelper(cred,
+                                            dataType,
+                                            userVector);
+            }
+        }
+    }
+
+    if(retCode == CKM_API_SUCCESS)
+    {
+        labelNameVector.insert(labelNameVector.end(), systemVector.begin(), systemVector.end());
+        labelNameVector.insert(labelNameVector.end(), userVector.begin(), userVector.end());
+    }
     auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_LIST),
                                              commandId,
                                              retCode,
@@ -889,24 +1090,26 @@ int CKMLogic::saveDataHelper(
     const Credentials &cred,
     const Name &name,
     const Label &label,
-    DBDataType dataType,
+    DataType dataType,
     const RawBuffer &data,
     const PolicySerializable &policy)
 {
-    auto &handler = m_userDataMap[cred.uid];
+    auto &handler = selectDatabase(cred, label);
 
     // use client label if not explicitly provided
     const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+    if( m_accessControl.isSystemService(cred) && ownerLabel.compare(OWNER_ID_SYSTEM)!=0)
+        return CKM_API_ERROR_INPUT_PARAM;
 
     // check if save is possible
-    DBCrypto::Transaction transaction(&handler.database);
+    DB::Crypto::Transaction transaction(&handler.database);
     int retCode = checkSaveConditions(cred, handler, name, ownerLabel);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
 
     // save the data
-    DBRow encryptedRow = createEncryptedDBRow(handler.crypto, name, ownerLabel, dataType, data, policy);
-    handler.database.saveDBRow(encryptedRow);
+    DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, ownerLabel, dataType, data, policy);
+    handler.database.saveRow(encryptedRow);
 
     transaction.commit();
     return CKM_API_SUCCESS;
@@ -920,35 +1123,57 @@ int CKMLogic::saveDataHelper(
     const PolicySerializable &keyPolicy,
     const PolicySerializable &certPolicy)
 {
-    auto &handler = m_userDataMap[cred.uid];
+    auto &handler = selectDatabase(cred, label);
 
     // use client label if not explicitly provided
     const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+    if( m_accessControl.isSystemService(cred) && ownerLabel.compare(OWNER_ID_SYSTEM)!=0)
+        return CKM_API_ERROR_INPUT_PARAM;
 
     // check if save is possible
-    DBCrypto::Transaction transaction(&handler.database);
+    DB::Crypto::Transaction transaction(&handler.database);
     int retCode = checkSaveConditions(cred, handler, name, ownerLabel);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
 
     // extract and encrypt the data
-    DBRowVector encryptedRows;
+    DB::RowVector encryptedRows;
     retCode = extractPKCS12Data(handler.crypto, name, ownerLabel, pkcs, keyPolicy, certPolicy, encryptedRows);
     if(retCode != CKM_API_SUCCESS)
         return retCode;
 
     // save the data
-    handler.database.saveDBRows(name, ownerLabel, encryptedRows);
+    handler.database.saveRows(name, ownerLabel, encryptedRows);
     transaction.commit();
 
     return CKM_API_SUCCESS;
 }
 
 
+int CKMLogic::createKeyAESHelper(
+    const Credentials &cred,
+    const int size,
+    const Name &name,
+    const Label &label,
+    const PolicySerializable &policy)
+{
+    CryptoAlgorithm keyGenAlgorithm;
+    keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
+    keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size);
+    Token key = m_decider.getStore(DataType::KEY_AES, policy.extractable).generateSKey(keyGenAlgorithm);
+
+    return saveDataHelper(cred,
+                          name,
+                          label,
+                          DataType::KEY_AES,
+                          key.data,
+                          policy);
+}
+
+
 int CKMLogic::createKeyPairHelper(
     const Credentials &cred,
-    const KeyType key_type,
-    const int additional_param,
+    const CryptoAlgorithmSerializable & keyGenParams,
     const Name &namePrivate,
     const Label &labelPrivate,
     const Name &namePublic,
@@ -956,46 +1181,29 @@ int CKMLogic::createKeyPairHelper(
     const PolicySerializable &policyPrivate,
     const PolicySerializable &policyPublic)
 {
-    if (0 == m_userDataMap.count(cred.uid))
-        return CKM_API_ERROR_DB_LOCKED;
+    auto &handlerPriv = selectDatabase(cred, labelPrivate);
+    auto &handlerPub = selectDatabase(cred, labelPublic);
 
-    KeyImpl prv, pub;
-    int retCode;
-    switch(key_type)
-    {
-        case KeyType::KEY_RSA_PUBLIC:
-        case KeyType::KEY_RSA_PRIVATE:
-            retCode = CryptoService::createKeyPairRSA(additional_param, prv, pub);
-            break;
-
-        case KeyType::KEY_DSA_PUBLIC:
-        case KeyType::KEY_DSA_PRIVATE:
-            retCode = CryptoService::createKeyPairDSA(additional_param, prv, pub);
-            break;
-
-        case KeyType::KEY_ECDSA_PUBLIC:
-        case KeyType::KEY_ECDSA_PRIVATE:
-            retCode = CryptoService::createKeyPairECDSA(static_cast<ElipticCurve>(additional_param), prv, pub);
-            break;
-
-        default:
-            return CKM_API_ERROR_INPUT_PARAM;
-    }
+    AlgoType keyType = AlgoType::RSA_GEN;
+    if(!keyGenParams.getParam(ParamName::ALGO_TYPE, keyType))
+        ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE not found.");
+    DataType dt(keyType);
+    if(!dt.isKey())
+        ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value.");
 
-    if (CKM_CRYPTO_CREATEKEY_SUCCESS != retCode)
-    {
-        LogDebug("CryptoService error with code: " << retCode);
-        return CKM_API_ERROR_SERVER_ERROR; // TODO error code
-    }
+    bool exportable = policyPrivate.extractable || policyPublic.extractable;
+    TokenPair keys = m_decider.getStore(dt, exportable).generateAKey(keyGenParams);
 
-    auto &database = m_userDataMap[cred.uid].database;
-    DBCrypto::Transaction transaction(&database);
+    DB::Crypto::Transaction transactionPriv(&handlerPriv.database);
+    // in case the same database is used for private and public - the second
+    // transaction will not be executed
+    DB::Crypto::Transaction transactionPub(&handlerPub.database);
 
-    retCode = saveDataHelper(cred,
+    int retCode = saveDataHelper(cred,
                              namePrivate,
                              labelPrivate,
-                             DBDataType(prv.getType()),
-                             prv.getDER(),
+                             keys.first.dataType,
+                             keys.first.data,
                              policyPrivate);
     if (CKM_API_SUCCESS != retCode)
         return retCode;
@@ -1003,22 +1211,21 @@ int CKMLogic::createKeyPairHelper(
     retCode = saveDataHelper(cred,
                              namePublic,
                              labelPublic,
-                             DBDataType(pub.getType()),
-                             pub.getDER(),
+                             keys.second.dataType,
+                             keys.second.data,
                              policyPublic);
     if (CKM_API_SUCCESS != retCode)
         return retCode;
 
-    transaction.commit();
-
-    return retCode;
+    transactionPub.commit();
+    transactionPriv.commit();
+    return CKM_API_SUCCESS;
 }
 
 RawBuffer CKMLogic::createKeyPair(
     const Credentials &cred,
-    LogicCommand protocol_cmd,
     int commandId,
-    const int additional_param,
+    const CryptoAlgorithmSerializable & keyGenParams,
     const Name &namePrivate,
     const Label &labelPrivate,
     const Name &namePublic,
@@ -1028,112 +1235,162 @@ RawBuffer CKMLogic::createKeyPair(
 {
     int retCode = CKM_API_SUCCESS;
 
-    KeyType key_type = KeyType::KEY_NONE;
-    switch(protocol_cmd)
-    {
-        case LogicCommand::CREATE_KEY_PAIR_RSA:
-            key_type = KeyType::KEY_RSA_PUBLIC;
-            break;
-        case LogicCommand::CREATE_KEY_PAIR_DSA:
-            key_type = KeyType::KEY_DSA_PUBLIC;
-            break;
-        case LogicCommand::CREATE_KEY_PAIR_ECDSA:
-            key_type = KeyType::KEY_ECDSA_PUBLIC;
-            break;
-        default:
-            break;
-    }
-
     try {
         retCode = createKeyPairHelper(
                         cred,
-                        key_type,
-                        additional_param,
+                        keyGenParams,
                         namePrivate,
                         labelPrivate,
                         namePublic,
                         labelPublic,
                         policyPrivate,
                         policyPublic);
-    } catch (DBCrypto::Exception::TransactionError &e) {
-        LogDebug("DBCrypto error: transaction error: " << e.GetMessage());
+    } catch(const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (DB::Crypto::Exception::TransactionError &e) {
+        LogDebug("DB::Crypto error: transaction error: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
-    } catch (CKM::CryptoLogic::Exception::Base &e) {
-        LogDebug("CryptoLogic error: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (DBCrypto::Exception::InternalError &e) {
-        LogDebug("DBCrypto internal error: " << e.GetMessage());
+    } catch (DB::Crypto::Exception::InternalError &e) {
+        LogDebug("DB::Crypto internal error: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     }
 
-    return MessageBuffer::Serialize(static_cast<int>(protocol_cmd), commandId, retCode).Pop();
+    return MessageBuffer::Serialize(static_cast<int>(LogicCommand::CREATE_KEY_PAIR),
+                                    commandId, retCode).Pop();
 }
 
-RawBuffer CKMLogic::getCertificateChain(
+RawBuffer CKMLogic::createKeyAES(
     const Credentials &cred,
     int commandId,
-    const RawBuffer &certificate,
-    const RawBufferVector &untrustedRawCertVector)
+    const int size,
+    const Name &name,
+    const Label &label,
+    const PolicySerializable &policy)
 {
-    (void)cred;
+    int retCode = CKM_API_SUCCESS;
 
-    CertificateImpl cert(certificate, DataFormat::FORM_DER);
-    CertificateImplVector untrustedCertVector;
-    CertificateImplVector chainVector;
-    RawBufferVector chainRawVector;
+    try {
+        retCode = createKeyAESHelper(cred, size, name, label, policy);
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (std::invalid_argument &e) {
+        LogDebug("invalid argument error: " << e.what());
+        retCode = CKM_API_ERROR_INPUT_PARAM;
+    } catch (DB::Crypto::Exception::TransactionError &e) {
+        LogDebug("DB::Crypto error: transaction error: " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (DB::Crypto::Exception::InternalError &e) {
+        LogDebug("DB::Crypto internal error: " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const CKM::Exception &e) {
+        LogError("CKM::Exception: " << e.GetMessage());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
+    }
 
-    for (auto &e: untrustedRawCertVector)
-        untrustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
+    return MessageBuffer::Serialize(static_cast<int>(LogicCommand::CREATE_KEY_AES),
+                                    commandId, retCode).Pop();
+}
 
-    LogDebug("Cert is empty: " << cert.empty());
+int CKMLogic::readCertificateHelper(
+        const Credentials &cred,
+        const LabelNameVector &labelNameVector,
+        CertificateImplVector &certVector)
+{
+    DB::Row row;
+    for (auto &i: labelNameVector) {
+        int ec = readDataHelper(false, cred, DataType::CERTIFICATE, i.second, i.first, Password(), row);
+        if (ec != CKM_API_SUCCESS)
+            return ec;
+        certVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
+
+        // try to read chain certificates (if present)
+        DB::RowVector rawCaChain;
+        ec = readDataHelper(false, cred, DataType::DB_CHAIN_FIRST, i.second, i.first, CKM::Password(), rawCaChain);
+        if(ec != CKM_API_SUCCESS && ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
+            return ec;
+        for(auto &rawCaCert : rawCaChain)
+            certVector.push_back(CertificateImpl(rawCaCert.data, DataFormat::FORM_DER));
+    }
+    return CKM_API_SUCCESS;
+}
+
+int CKMLogic::getCertificateChainHelper(
+        const CertificateImpl &cert,
+        const RawBufferVector &untrustedCertificates,
+        const RawBufferVector &trustedCertificates,
+        bool useTrustedSystemCertificates,
+        RawBufferVector &chainRawVector)
+{
+    CertificateImplVector untrustedCertVector;
+    CertificateImplVector trustedCertVector;
+    CertificateImplVector chainVector;
 
-    int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector, m_accessControl.isCCMode());
+    if (cert.empty())
+        return CKM_API_ERROR_INPUT_PARAM;
 
-    if (retCode == CKM_API_SUCCESS) {
-        for (auto &e : chainVector)
-            chainRawVector.push_back(e.getDER());
+    for (auto &e: untrustedCertificates) {
+        CertificateImpl c(e, DataFormat::FORM_DER);
+        if(c.empty())
+            return CKM_API_ERROR_INPUT_PARAM;
+        untrustedCertVector.push_back(std::move(c));
+    }
+    for (auto &e: trustedCertificates) {
+        CertificateImpl c(e, DataFormat::FORM_DER);
+        if(c.empty())
+            return CKM_API_ERROR_INPUT_PARAM;
+        trustedCertVector.push_back(std::move(c));
     }
 
-    auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
-                                             commandId,
-                                             retCode,
-                                             chainRawVector);
-    return response.Pop();
+    CertificateStore store;
+    int retCode = store.verifyCertificate(cert,
+                                          untrustedCertVector,
+                                          trustedCertVector,
+                                          useTrustedSystemCertificates,
+                                          m_accessControl.isCCMode(),
+                                          chainVector);
+    if (retCode != CKM_API_SUCCESS)
+        return retCode;
+
+    for (auto &e : chainVector)
+        chainRawVector.push_back(e.getDER());
+    return CKM_API_SUCCESS;
 }
 
 int CKMLogic::getCertificateChainHelper(
         const Credentials &cred,
-        const RawBuffer &certificate,
-        const LabelNameVector &labelNameVector,
-        RawBufferVector & chainRawVector)
+        const CertificateImpl &cert,
+        const LabelNameVector &untrusted,
+        const LabelNameVector &trusted,
+        bool useTrustedSystemCertificates,
+        RawBufferVector &chainRawVector)
 {
-    CertificateImpl cert(certificate, DataFormat::FORM_DER);
     CertificateImplVector untrustedCertVector;
+    CertificateImplVector trustedCertVector;
     CertificateImplVector chainVector;
-    DBRow row;
+    DB::Row row;
 
     if (cert.empty())
-        return CKM_API_ERROR_SERVER_ERROR;
-
-    for (auto &i: labelNameVector) {
-        int ec = readDataHelper(false, cred, DBDataType::CERTIFICATE, i.second, i.first, Password(), row);
-        if (ec != CKM_API_SUCCESS)
-            return ec;
-        untrustedCertVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
+        return CKM_API_ERROR_INPUT_PARAM;
 
-        // try to read chain certificates (if present)
-        DBRowVector rawCaChain;
-        ec = readDataHelper(false, cred, DBDataType::DB_CHAIN_FIRST, i.second, i.first, CKM::Password(), rawCaChain);
-        if(ec != CKM_API_SUCCESS &&
-           ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
-            return ec;
-        for(auto &rawCaCert : rawCaChain)
-            untrustedCertVector.push_back(CertificateImpl(rawCaCert.data, DataFormat::FORM_DER));
-    }
+    int retCode = readCertificateHelper(cred, untrusted, untrustedCertVector);
+    if (retCode != CKM_API_SUCCESS)
+        return retCode;
+    retCode = readCertificateHelper(cred, trusted, trustedCertVector);
+    if (retCode != CKM_API_SUCCESS)
+        return retCode;
 
-    int ec = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector, m_accessControl.isCCMode());
-    if (ec != CKM_API_SUCCESS)
-        return ec;
+    CertificateStore store;
+    retCode = store.verifyCertificate(cert,
+                                      untrustedCertVector,
+                                      trustedCertVector,
+                                      useTrustedSystemCertificates,
+                                      m_accessControl.isCCMode(),
+                                      chainVector);
+    if (retCode != CKM_API_SUCCESS)
+        return retCode;
 
     for (auto &i: chainVector)
         chainRawVector.push_back(i.getDER());
@@ -1142,22 +1399,67 @@ int CKMLogic::getCertificateChainHelper(
 }
 
 RawBuffer CKMLogic::getCertificateChain(
-    const Credentials &cred,
+    const Credentials & /*cred*/,
     int commandId,
     const RawBuffer &certificate,
-    const LabelNameVector &labelNameVector)
+    const RawBufferVector &untrustedCertificates,
+    const RawBufferVector &trustedCertificates,
+    bool useTrustedSystemCertificates)
 {
-    int retCode = CKM_API_SUCCESS;
+    CertificateImpl cert(certificate, DataFormat::FORM_DER);
     RawBufferVector chainRawVector;
+    int retCode = CKM_API_ERROR_UNKNOWN;
     try {
-
-        retCode = getCertificateChainHelper(cred, certificate, labelNameVector, chainRawVector);
-    } catch (const CryptoLogic::Exception::Base &e) {
-        LogError("CryptoLogic failed with message: " << e.GetMessage());
+        retCode = getCertificateChainHelper(cert,
+                                            untrustedCertificates,
+                                            trustedCertificates,
+                                            useTrustedSystemCertificates,
+                                            chainRawVector);
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
+        retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const std::exception& e) {
+        LogError("STD exception " << e.what());
         retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const DBCrypto::Exception::Base &e) {
-        LogError("DBCrypto failed with message: " << e.GetMessage());
+    } catch (...) {
+        LogError("Unknown error.");
+    }
+
+    auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
+                                             commandId,
+                                             retCode,
+                                             chainRawVector);
+    return response.Pop();
+}
+
+RawBuffer CKMLogic::getCertificateChain(
+    const Credentials &cred,
+    int commandId,
+    const RawBuffer &certificate,
+    const LabelNameVector &untrustedCertificates,
+    const LabelNameVector &trustedCertificates,
+    bool useTrustedSystemCertificates)
+{
+    int retCode = CKM_API_ERROR_UNKNOWN;
+    CertificateImpl cert(certificate, DataFormat::FORM_DER);
+    RawBufferVector chainRawVector;
+    try {
+        retCode = getCertificateChainHelper(cred,
+                                            cert,
+                                            untrustedCertificates,
+                                            trustedCertificates,
+                                            useTrustedSystemCertificates,
+                                            chainRawVector);
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const std::exception& e) {
+        LogError("STD exception " << e.what());
+        retCode = CKM_API_ERROR_SERVER_ERROR;
     } catch (...) {
         LogError("Unknown error.");
     }
@@ -1179,31 +1481,24 @@ RawBuffer CKMLogic::createSignature(
         const HashAlgorithm hash,
         const RSAPaddingAlgorithm padding)
 {
-    DBRow row;
-    CryptoService cs;
+    DB::Row row;
     RawBuffer signature;
+    CryptoAlgorithm cryptoAlg;
+    cryptoAlg.setParam(ParamName::SV_HASH_ALGO, hash);
+    cryptoAlg.setParam(ParamName::SV_RSA_PADDING, padding);
 
     int retCode = CKM_API_SUCCESS;
 
     try {
-        retCode = readDataHelper(false, cred, DBDataType::DB_KEY_FIRST, privateKeyName, ownerLabel, password, row);
-        if(retCode == CKM_API_SUCCESS)
-        {
-            KeyImpl keyParsed(row.data, Password());
-            if (keyParsed.empty())
-                retCode = CKM_API_ERROR_SERVER_ERROR;
-            else
-                retCode = cs.createSignature(keyParsed, message, hash, padding, signature);
+        retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName, ownerLabel, password, row);
+        if(retCode == CKM_API_SUCCESS) {
+            signature = m_decider.getStore(row).getKey(row)->sign(cryptoAlg, message);
         }
-    } catch (const KeyProvider::Exception::Base &e) {
-        LogError("KeyProvider failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const CryptoLogic::Exception::Base &e) {
-        LogError("CryptoLogic failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const DBCrypto::Exception::Base &e) {
-        LogError("DBCrypto failed with message: " << e.GetMessage());
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
     } catch (const CKM::Exception &e) {
         LogError("Unknown CKM::Exception: " << e.GetMessage());
         retCode = CKM_API_ERROR_SERVER_ERROR;
@@ -1230,48 +1525,27 @@ RawBuffer CKMLogic::verifySignature(
     int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
 
     try {
-        do {
-            CryptoService cs;
-            DBRow row;
-            KeyImpl key;
-
-            // try certificate first - looking for a public key.
-            // in case of PKCS, pub key from certificate will be found first
-            // rather than private key from the same PKCS.
-            retCode = readDataHelper(false, cred, DBDataType::CERTIFICATE, publicKeyOrCertName, ownerLabel, password, row);
-            if (retCode == CKM_API_SUCCESS) {
-                CertificateImpl cert(row.data, DataFormat::FORM_DER);
-                key = cert.getKeyImpl();
-            } else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
-                retCode = readDataHelper(false, cred, DBDataType::DB_KEY_FIRST, publicKeyOrCertName, ownerLabel, password, row);
-                if (retCode != CKM_API_SUCCESS)
-                    break;
-                key = KeyImpl(row.data);
-            } else {
-                break;
-            }
-
-            if (key.empty()) {
-                retCode = CKM_API_ERROR_SERVER_ERROR;
-                break;
-            }
+        DB::Row row;
+
+        CryptoAlgorithm params;
+        params.setParam(ParamName::SV_HASH_ALGO, hash);
+        params.setParam(ParamName::SV_RSA_PADDING, padding);
+
+        // try certificate first - looking for a public key.
+        // in case of PKCS, pub key from certificate will be found first
+        // rather than private key from the same PKCS.
+        retCode = readDataHelper(false, cred, DataType::CERTIFICATE, publicKeyOrCertName, ownerLabel, password, row);
+        if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
+            retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, publicKeyOrCertName, ownerLabel, password, row);
+        }
 
-            retCode = cs.verifySignature(key, message, signature, hash, padding);
-        } while(0);
-    } catch (const CryptoService::Exception::Crypto_internal &e) {
-        LogError("KeyProvider failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const CryptoService::Exception::opensslError &e) {
-        LogError("KeyProvider failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const KeyProvider::Exception::Base &e) {
-        LogError("KeyProvider failed with error: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const CryptoLogic::Exception::Base &e) {
-        LogError("CryptoLogic failed with message: " << e.GetMessage());
-        retCode = CKM_API_ERROR_SERVER_ERROR;
-    } catch (const DBCrypto::Exception::Base &e) {
-        LogError("DBCrypto failed with message: " << e.GetMessage());
+        if (retCode == CKM_API_SUCCESS) {
+            retCode = m_decider.getStore(row).getKey(row)->verify(params, message, signature);
+        }
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
+    } catch (const DB::Crypto::Exception::Base &e) {
+        LogError("DB::Crypto failed with message: " << e.GetMessage());
         retCode = CKM_API_ERROR_DB_ERROR;
     } catch (const CKM::Exception &e) {
         LogError("Unknown CKM::Exception: " << e.GetMessage());
@@ -1291,6 +1565,8 @@ int CKMLogic::setPermissionHelper(
         const Label &accessorLabel,             // who will get the access
         const PermissionMask permissionMask)
 {
+    auto &handler = selectDatabase(cred, label);
+
     // we don't know the client
     if (cred.smackLabel.empty() || !isLabelValid(cred.smackLabel))
         return CKM_API_ERROR_INPUT_PARAM;
@@ -1306,29 +1582,30 @@ int CKMLogic::setPermissionHelper(
     if (ownerLabel==accessorLabel)
         return CKM_API_ERROR_INPUT_PARAM;
 
-    // can the client modify permissions to owner's row?
-    int access_ec = m_accessControl.canModify(ownerLabel, cred.smackLabel);
-    if(access_ec != CKM_API_SUCCESS)
-        return access_ec;
+    // system database does not support write/remove permissions
+    if ((0 == ownerLabel.compare(OWNER_ID_SYSTEM)) &&
+        (permissionMask & Permission::REMOVE))
+        return CKM_API_ERROR_INPUT_PARAM;
 
-    if (0 == m_userDataMap.count(cred.uid))
-        return CKM_API_ERROR_DB_LOCKED;
+    // can the client modify permissions to owner's row?
+    int retCode = m_accessControl.canModify(cred, ownerLabel);
+    if(retCode != CKM_API_SUCCESS)
+        return retCode;
 
-    auto &database = m_userDataMap[cred.uid].database;
-    DBCrypto::Transaction transaction(&database);
+    DB::Crypto::Transaction transaction(&handler.database);
 
-    if( !database.isNameLabelPresent(name, ownerLabel) )
+    if( !handler.database.isNameLabelPresent(name, ownerLabel) )
         return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
 
     // removing non-existing permissions: fail
     if(permissionMask == Permission::NONE)
     {
-        if(!database.getPermissionRow(name, ownerLabel, accessorLabel))
+        if(!handler.database.getPermissionRow(name, ownerLabel, accessorLabel))
             return CKM_API_ERROR_INPUT_PARAM;
     }
 
     // set permissions to the row owned by ownerLabel for accessorLabel
-    database.setPermission(name, ownerLabel, accessorLabel, permissionMask);
+    handler.database.setPermission(name, ownerLabel, accessorLabel, permissionMask);
     transaction.commit();
 
     return CKM_API_SUCCESS;
@@ -1346,6 +1623,8 @@ RawBuffer CKMLogic::setPermission(
     int retCode;
     Try {
         retCode = setPermissionHelper(cred, name, label, accessorLabel, permissionMask);
+    } catch (const Exc::Exception &e) {
+        retCode = e.error();
     } Catch (CKM::Exception) {
         LogError("Error in set row!");
         retCode = CKM_API_ERROR_DB_ERROR;
@@ -1354,5 +1633,21 @@ RawBuffer CKMLogic::setPermission(
     return MessageBuffer::Serialize(command, msgID, retCode).Pop();
 }
 
+int CKMLogic::loadAppKey(UserData& handle, const Label& appLabel)
+{
+    if (!handle.crypto.haveKey(appLabel)) {
+        RawBuffer key;
+        auto key_optional = handle.database.getKey(appLabel);
+        if(!key_optional) {
+            LogError("No key for given label in database");
+            return CKM_API_ERROR_DB_ERROR;
+        }
+        key = *key_optional;
+        key = handle.keyProvider.getPureDEK(key);
+        handle.crypto.pushKey(appLabel, key);
+    }
+    return CKM_API_SUCCESS;
+}
+
 } // namespace CKM