* @version 1.0
* @brief Sample service implementation.
*/
+#include <vconf/vconf.h>
#include <dpl/serialization.h>
#include <dpl/log/log.h>
#include <ckm/ckm-error.h>
#include <ckm-logic.h>
#include <key-impl.h>
+#ifndef VCONFKEY_SECURITY_MDPP_STATE
+#define VCONFKEY_SECURITY_MDPP_STATE = "file/security_mdpp/security_mdpp_state";
+#endif
+
namespace {
const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
+
+const char* const MDPP_MODE_ENFORCING = "Enforcing";
+const char* const MDPP_MODE_ENABLED = "Enabled";
+
} // anonymous namespace
namespace CKM {
-CKMLogic::CKMLogic()
+CKMLogic::CKMLogic() : m_ccMode(false)
{
int retCode = FileSystem::init();
// TODO what can I do when init went wrong? exit(-1) ??
LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
}
- cc_mode_status = CCModeState::CC_MODE_OFF;
+ updateCCMode_internal();
}
CKMLogic::~CKMLogic(){}
return MessageBuffer::Serialize(retCode).Pop();
}
-RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) {
-
- int retCode = CKM_API_SUCCESS;
+void CKMLogic::updateCCMode_internal() {
int fipsModeStatus = 0;
int rc = 0;
+ bool newMode;
- if((mode_status != CCModeState:: CC_MODE_OFF) && (mode_status != CCModeState:: CC_MODE_ON)) {
- retCode = CKM_API_ERROR_INPUT_PARAM;
- }
+ char *mdppState = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
+ newMode = ( mdppState && (!strcmp(mdppState, MDPP_MODE_ENABLED) ||
+ !strcmp(mdppState, MDPP_MODE_ENFORCING)) );
+ if (newMode == m_ccMode)
+ return;
+
+ m_ccMode = newMode;
- cc_mode_status = mode_status;
fipsModeStatus = FIPS_mode();
- if(cc_mode_status == CCModeState:: CC_MODE_ON) {
+ if(m_ccMode) {
if(fipsModeStatus == 0) { // If FIPS mode off
rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
if(rc == 0) {
}
}
}
+}
- return MessageBuffer::Serialize(retCode).Pop();
+RawBuffer CKMLogic::updateCCMode() {
+ updateCCMode_internal();
+ return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
}
RawBuffer CKMLogic::lockUserKey(uid_t user) {
}
// Do not encrypt data with password during cc_mode on
- if(cc_mode_status == CCModeState::CC_MODE_ON) {
+ if(m_ccMode) {
handler.crypto.encryptRow("", row);
} else {
handler.crypto.encryptRow(policy.password, row);
Credentials &cred,
int commandId,
DBDataType dataType,
- const Alias &alias,
- const std::string &label)
+ const Alias &alias)
{
int retCode = CKM_API_SUCCESS;
if (0 < m_userDataMap.count(cred.uid)) {
Try {
- // use client label if not explicitly provided
- const std::string & label_to_use = label.empty()?cred.smackLabel:label;
-
- // verify alias and label are correct
- if (true == checkAliasAndLabelValid(alias, label_to_use))
- {
- auto erased = m_userDataMap[cred.uid].database.deleteDBRow(alias, label_to_use);
- // check if the data existed or not
- if(!erased) {
- LogError("No row for given alias and label");
- retCode = CKM_API_ERROR_DB_ALIAS_UNKNOWN;
- }
- }
- else
- {
- LogError("Invalid label or alias format");
- retCode = CKM_API_ERROR_INPUT_PARAM;
+ auto erased = m_userDataMap[cred.uid].database.deleteDBRow(alias, cred.smackLabel);
+ // check if the data existed or not
+ if(!erased) {
+ LogError("No row for given alias and label");
+ retCode = CKM_API_ERROR_DB_ALIAS_UNKNOWN;
}
} Catch (DBCrypto::Exception::PermissionDenied) {
LogError("Error: not enough permissions!");
return response.Pop();
}
-bool CKMLogic::checkAliasAndLabelValid(const Alias &alias, const std::string &label)
-{
- // verify the alias is valid
- if(alias.find(':') != std::string::npos)
- return false;
-
- // verify the label is valid
- if(label.find(LABEL_ALIAS_SEPARATOR) != std::string::npos)
- return false;
-
- return true;
-}
-
int CKMLogic::getDataHelper(
Credentials &cred,
DBDataType dataType,
const Alias &alias,
- const std::string &label,
const Password &password,
DBRow &row)
{
auto &handler = m_userDataMap[cred.uid];
- // use client label if not explicitly provided
- const std::string & label_to_use = label.empty()?cred.smackLabel:label;
-
- // verify alias and label are correct
- if (true != checkAliasAndLabelValid(alias, label_to_use))
- return CKM_API_ERROR_INPUT_PARAM;
-
DBCrypto::DBRowOptional row_optional;
- if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA)
- {
- row_optional = handler.database.getDBRow(alias, label_to_use, dataType);
- }
- else if ((static_cast<int>(dataType) >= static_cast<int>(DBDataType::DB_KEY_FIRST)) &&
- (static_cast<int>(dataType) <= static_cast<int>(DBDataType::DB_KEY_LAST)))
+ if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
+ row_optional = handler.database.getDBRow(alias, cred.smackLabel, dataType);
+ } else if ((static_cast<int>(dataType) >= static_cast<int>(DBDataType::DB_KEY_FIRST))
+ && (static_cast<int>(dataType) <= static_cast<int>(DBDataType::DB_KEY_LAST)))
{
- row_optional = handler.database.getKeyDBRow(alias, label_to_use);
- }
- else {
+ row_optional = handler.database.getKeyDBRow(alias, cred.smackLabel);
+ } else {
LogError("Unknown type of requested data" << (int)dataType);
return CKM_API_ERROR_BAD_REQUEST;
}
int commandId,
DBDataType dataType,
const Alias &alias,
- const std::string &label,
const Password &password)
{
int retCode = CKM_API_SUCCESS;
DBRow row;
try {
- retCode = getDataHelper(cred, dataType, alias, label, password, row);
+ retCode = getDataHelper(cred, dataType, alias, password, row);
} catch (const KeyProvider::Exception::Base &e) {
LogError("KeyProvider failed with error: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
}
// Prevent extracting private keys during cc-mode on
- if((cc_mode_status == CCModeState::CC_MODE_ON) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || row.dataType == DBDataType::KEY_ECDSA_PRIVATE || row.dataType == DBDataType::KEY_DSA_PRIVATE)) {
+ if((m_ccMode) && (row.dataType == DBDataType::KEY_RSA_PRIVATE ||
+ row.dataType == DBDataType::KEY_ECDSA_PRIVATE ||
+ row.dataType == DBDataType::KEY_DSA_PRIVATE))
+ {
row.data.clear();
retCode = CKM_API_ERROR_BAD_REQUEST;
}
DBDataType dataType)
{
int retCode = CKM_API_SUCCESS;
- LabelAliasVector labelAliasVector;
+ AliasVector aliasVector;
if (0 < m_userDataMap.count(cred.uid)) {
auto &handler = m_userDataMap[cred.uid];
Try {
if (dataType == DBDataType::CERTIFICATE || dataType == DBDataType::BINARY_DATA) {
- handler.database.getAliases(cred.smackLabel, dataType, labelAliasVector);
+ handler.database.getAliases(cred.smackLabel, dataType, aliasVector);
} else {
- handler.database.getKeyAliases(cred.smackLabel, labelAliasVector);
+ handler.database.getKeyAliases(cred.smackLabel, aliasVector);
}
} Catch (CKM::Exception) {
LogError("Failed to get aliases");
commandId,
retCode,
static_cast<int>(dataType),
- labelAliasVector);
+ aliasVector);
return response.Pop();
}
}
for (auto &i: aliasVector) {
- retCode = getDataHelper(cred, DBDataType::CERTIFICATE, i, std::string(), Password(), row);
+ retCode = getDataHelper(cred, DBDataType::CERTIFICATE, i, Password(), row);
if (retCode != CKM_API_SUCCESS)
goto senderror;
try {
do {
- retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, privateKeyAlias, std::string(), password, row);
+ retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, privateKeyAlias, password, row);
if (CKM_API_SUCCESS != retCode) {
LogError("getDataHelper return error");
break;
DBRow row;
KeyImpl key;
- retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, publicKeyOrCertAlias, std::string(), password, row);
+ retCode = getDataHelper(cred, DBDataType::DB_KEY_FIRST, publicKeyOrCertAlias, password, row);
if (retCode == CKM_API_SUCCESS) {
key = KeyImpl(row.data);
} else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
- retCode = getDataHelper(cred, DBDataType::CERTIFICATE, publicKeyOrCertAlias, std::string(), password, row);
+ retCode = getDataHelper(cred, DBDataType::CERTIFICATE, publicKeyOrCertAlias, password, row);
if (retCode != CKM_API_SUCCESS)
break;
CertificateImpl cert(row.data, DataFormat::FORM_DER);