* @version 1.0
* @brief Sample service implementation.
*/
+#include <vconf/vconf.h>
#include <dpl/serialization.h>
#include <dpl/log/log.h>
#include <ckm/ckm-error.h>
#include <ckm-logic.h>
#include <key-impl.h>
+#ifndef VCONFKEY_SECURITY_MDPP_STATE
+#define VCONFKEY_SECURITY_MDPP_STATE = "file/security_mdpp/security_mdpp_state";
+#endif
+
namespace {
const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
+
+const char* const MDPP_MODE_ENFORCING = "Enforcing";
+const char* const MDPP_MODE_ENABLED = "Enabled";
+
} // anonymous namespace
namespace CKM {
-CKMLogic::CKMLogic()
+CKMLogic::CKMLogic() : m_ccMode(false)
{
int retCode = FileSystem::init();
// TODO what can I do when init went wrong? exit(-1) ??
LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
}
- cc_mode_status = CCModeState::CC_MODE_OFF;
+ updateCCMode_internal();
}
CKMLogic::~CKMLogic(){}
return MessageBuffer::Serialize(retCode).Pop();
}
-RawBuffer CKMLogic::setCCModeStatus(CCModeState mode_status) {
-
- int retCode = CKM_API_SUCCESS;
+void CKMLogic::updateCCMode_internal() {
int fipsModeStatus = 0;
int rc = 0;
+ bool newMode;
- if((mode_status != CCModeState:: CC_MODE_OFF) && (mode_status != CCModeState:: CC_MODE_ON)) {
- retCode = CKM_API_ERROR_INPUT_PARAM;
- }
+ char *mdppState = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
+ newMode = ( mdppState && (!strcmp(mdppState, MDPP_MODE_ENABLED) ||
+ !strcmp(mdppState, MDPP_MODE_ENFORCING)) );
+ if (newMode == m_ccMode)
+ return;
+
+ m_ccMode = newMode;
- cc_mode_status = mode_status;
fipsModeStatus = FIPS_mode();
- if(cc_mode_status == CCModeState:: CC_MODE_ON) {
+ if(m_ccMode) {
if(fipsModeStatus == 0) { // If FIPS mode off
rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
if(rc == 0) {
}
}
}
+}
- return MessageBuffer::Serialize(retCode).Pop();
+RawBuffer CKMLogic::updateCCMode() {
+ updateCCMode_internal();
+ return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
}
RawBuffer CKMLogic::lockUserKey(uid_t user) {
if (0 == m_userDataMap.count(cred.uid))
return CKM_API_ERROR_DB_LOCKED;
+ // proceed to data save
DBRow row = { alias, cred.smackLabel,
policy.extractable, dataType, DBCMAlgType::NONE,
0, RawBuffer(), static_cast<int>(key.size()), key, RawBuffer() };
}
// Do not encrypt data with password during cc_mode on
- if(cc_mode_status == CCModeState::CC_MODE_ON) {
+ if(m_ccMode) {
handler.crypto.encryptRow("", row);
} else {
handler.crypto.encryptRow(policy.password, row);
return CKM_API_SUCCESS;
}
+void CKMLogic::verifyBinaryData(DBDataType dataType, const RawBuffer &input_data) const
+{
+ // verify the data integrity
+ switch(dataType)
+ {
+ case DBDataType::KEY_RSA_PUBLIC:
+ case DBDataType::KEY_RSA_PRIVATE:
+ case DBDataType::KEY_ECDSA_PUBLIC:
+ case DBDataType::KEY_ECDSA_PRIVATE:
+ case DBDataType::KEY_DSA_PUBLIC:
+ case DBDataType::KEY_DSA_PRIVATE:
+ case DBDataType::KEY_AES:
+ {
+ KeyShPtr output_key = CKM::Key::create(input_data);
+ if(output_key.get() == NULL)
+ ThrowMsg(CKMLogic::Exception::InputDataInvalid, "provided binary data is not valid key data");
+ break;
+ }
+
+ case DBDataType::CERTIFICATE:
+ {
+ CertificateShPtr cert = CKM::Certificate::create(input_data, DataFormat::FORM_DER);
+ if(cert.get() == NULL)
+ ThrowMsg(CKMLogic::Exception::InputDataInvalid, "provided binary data is not valid certificate data");
+ break;
+ }
+
+ // TODO: add here BINARY_DATA verification, i.e: max size etc.
+
+ default: break;
+ }
+}
+
RawBuffer CKMLogic::saveData(
Credentials &cred,
int commandId,
{
int retCode = CKM_API_SUCCESS;
try {
+ verifyBinaryData(dataType, key);
+
retCode = saveDataHelper(cred, dataType, alias, key, policy);
LogDebug("SaveDataHelper returned: " << retCode);
+ } catch (const CKMLogic::Exception::InputDataInvalid &e) {
+ LogError("Provided data invalid: " << e.GetMessage());
+ retCode = CKM_API_ERROR_INPUT_PARAM;
} catch (const KeyProvider::Exception::Base &e) {
LogError("KeyProvider failed with message: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
}
// Prevent extracting private keys during cc-mode on
- if((cc_mode_status == CCModeState::CC_MODE_ON) && (row.dataType == DBDataType::KEY_RSA_PRIVATE || row.dataType == DBDataType::KEY_ECDSA_PRIVATE || row.dataType == DBDataType::KEY_DSA_PRIVATE)) {
+ if((m_ccMode) && (row.dataType == DBDataType::KEY_RSA_PRIVATE ||
+ row.dataType == DBDataType::KEY_ECDSA_PRIVATE ||
+ row.dataType == DBDataType::KEY_DSA_PRIVATE))
+ {
row.data.clear();
retCode = CKM_API_ERROR_BAD_REQUEST;
}
projects / platform / core / security / key-manager.git / blobdiff