AES: add generation, save, get support.
[platform/core/security/key-manager.git] / src / manager / service / ckm-logic.h
index 59f02a0..c09b97e 100644 (file)
 #include <connection-info.h>
 #include <db-crypto.h>
 #include <key-provider.h>
-#include <DBCryptoModule.h>
-#include <certificate-store.h>
+#include <crypto-logic.h>
+#include <file-lock.h>
+#include <access-control.h>
+#include <certificate-impl.h>
+#include <sys/types.h>
+
+#include <platform/decider.h>
 
 namespace CKM {
 
 struct UserData {
     KeyProvider    keyProvider;
-    DBCrypto       database;
-    DBCryptoModule crypto;
+    DB::Crypto     database;
+    CryptoLogic    crypto;
 };
 
 class CKMLogic {
 public:
+    static const uid_t SYSTEM_DB_UID;
+    class Exception
+    {
+    public:
+        DECLARE_EXCEPTION_TYPE(CKM::Exception, Base)
+        DECLARE_EXCEPTION_TYPE(Base, DatabaseLocked)
+    };
+
     CKMLogic();
     CKMLogic(const CKMLogic &) = delete;
     CKMLogic(CKMLogic &&) = delete;
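Review bot: `#include <file-lock.h>` is added here, but the only use of `FileLock` visible in this header is the commented-out member `//FileLock m_lock;` at the end of the class in the second hunk. The header therefore appears to pull in a dependency it does not need. Either drop the include together with the dead member, or restore the member. The new `DatabaseLocked` exception also has no comment; assuming it relates to that lock, a line such as `// thrown when the database file lock cannot be acquired` would tell callers when to expect it, once confirmed against the implementation.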
@@ -50,136 +63,324 @@ public:
     CKMLogic& operator=(CKMLogic &&) = delete;
     virtual ~CKMLogic();
 
-    RawBuffer unlockUserKey(uid_t user, const std::string &password);
-
+    RawBuffer unlockUserKey(uid_t user, const Password &password);
     RawBuffer lockUserKey(uid_t user);
 
     RawBuffer removeUserData(uid_t user);
 
     RawBuffer changeUserPassword(
         uid_t user,
-        const std::string &oldPassword,
-        const std::string &newPassword);
+        const Password &oldPassword,
+        const Password &newPassword);
 
     RawBuffer resetUserPassword(
         uid_t user,
-        const std::string &newPassword);
+        const Password &newPassword);
+
+    RawBuffer removeApplicationData(
+        const Label &smackLabel);
 
     RawBuffer saveData(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
-        DBDataType dataType,
-        const Alias &alias,
-        const RawBuffer &key,
+        const Name &name,
+        const Label &label,
+        const RawBuffer &data,
+        DataType dataType,
         const PolicySerializable &policy);
 
+    RawBuffer savePKCS12(
+        const Credentials &cred,
+        int commandId,
+        const Name &name,
+        const Label &label,
+        const PKCS12Serializable &pkcs,
+        const PolicySerializable &keyPolicy,
+        const PolicySerializable &certPolicy);
+
     RawBuffer removeData(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
-        DBDataType dataType,
-        const Alias &alias);
+        const Name &name,
+        const Label &label);
 
     RawBuffer getData(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
-        DBDataType dataType,
-        const Alias &alias,
-        const std::string &password);
+        DataType dataType,
+        const Name &name,
+        const Label &label,
+        const Password &password);
+
+    RawBuffer getPKCS12(
+        const Credentials &cred,
+        int commandId,
+        const Name &name,
+        const Label &label,
+        const Password &keyPassword,
+        const Password &certPassword);
 
     RawBuffer getDataList(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
-        DBDataType dataType);
+        DataType dataType);
 
-    RawBuffer createKeyPairRSA(
-        Credentials &cred,
+    RawBuffer createKeyPair(
+        const Credentials &cred,
         int commandId,
-        int size,
-        const Alias &aliasPrivate,
-        const Alias &alaisPublic,
+        const CryptoAlgorithmSerializable & keyGenParams,
+        const Name &namePrivate,
+        const Label &labelPrivate,
+        const Name &namePublic,
+        const Label &labelPublic,
         const PolicySerializable &policyPrivate,
         const PolicySerializable &policyPublic);
 
-    RawBuffer createKeyPairECDSA(
-        Credentials &cred,
+    RawBuffer createKeyAES(
+        const Credentials &cred,
         int commandId,
-        int type,
-        const Alias &aliasPrivate,
-        const Alias &aliasPublic,
-        const PolicySerializable &policyPrivate,
-        const PolicySerializable &policyPublic);
+        const int size,
+        const Name &name,
+        const Label &label,
+        const PolicySerializable &policy);
 
     RawBuffer getCertificateChain(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
         const RawBuffer &certificate,
-        const RawBufferVector &untrustedCertificates);
+        const RawBufferVector &untrustedCertificates,
+        const RawBufferVector &trustedCertificates,
+        bool useTrustedSystemCertificates);
 
     RawBuffer getCertificateChain(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
         const RawBuffer &certificate,
-        const AliasVector &aliasVector);
+        const LabelNameVector &untrustedCertificates,
+        const LabelNameVector &trustedCertificates,
+        bool useTrustedSystemCertificates);
 
     RawBuffer  createSignature(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
-        const Alias &privateKeyAlias,
-        const std::string &password,           // password for private_key
+        const Name &privateKeyName,
+        const Label & ownerLabel,
+        const Password &password,           // password for private_key
         const RawBuffer &message,
         const HashAlgorithm hash,
         const RSAPaddingAlgorithm padding);
 
     RawBuffer verifySignature(
-        Credentials &cred,
+        const Credentials &cred,
         int commandId,
-        const Alias &publicKeyOrCertAlias,
-        const std::string &password,           // password for public_key (optional)
+        const Name &publicKeyOrCertName,
+        const Label &label,
+        const Password &password,           // password for public_key (optional)
         const RawBuffer &message,
         const RawBuffer &signature,
         const HashAlgorithm hash,
         const RSAPaddingAlgorithm padding);
 
+    RawBuffer updateCCMode();
+
+    RawBuffer setPermission(
+        const Credentials &cred,
+        const int command,
+        const int msgID,
+        const Name &name,
+        const Label &label,
+        const Label &accessor_label,
+        const PermissionMask permissionMask);
+
+    int setPermissionHelper(
+            const Credentials &cred,
+            const Name &name,
+            const Label &ownerLabel,
+            const Label &accessorLabel,
+            const PermissionMask permissionMask);
+
+    int verifyAndSaveDataHelper(
+        const Credentials &cred,
+        const Name &name,
+        const Label &label,
+        const RawBuffer &data,
+        DataType dataType,
+        const PolicySerializable &policy);
+
 private:
 
+    // select private/system database depending on asking uid and owner label.
+    // output: database handler and effective label
+    UserData & selectDatabase(const Credentials &incoming_cred,
+                              const Label       &incoming_label);
+
+    int unlockSystemDB();
+    int unlockDatabase(uid_t            user,
+                       const Password & password);
+
+    void loadDKEKFile(
+        uid_t user,
+        const Password &password);
+
+    void saveDKEKFile(
+        uid_t user,
+        const Password &password);
+
+    int verifyBinaryData(
+        DataType dataType,
+        RawBuffer &input_data) const;
+
+    int toBinaryData(
+        DataType dataType,
+        const RawBuffer &input_data,
+        RawBuffer &output_data) const;
+
+    int checkSaveConditions(
+        const Credentials &cred,
+        UserData &handler,
+        const Name &name,
+        const Label &label);
+
     int saveDataHelper(
-        Credentials &cred,
-        DBDataType dataType,
-        const Alias &alias,
-        const RawBuffer &key,
+        const Credentials &cred,
+        const Name &name,
+        const Label &label,
+        DataType dataType,
+        const RawBuffer &data,
         const PolicySerializable &policy);
 
-    int getDataHelper(
-        Credentials &cred,
-        DBDataType dataType,
-        const Alias &alias,
-        const std::string &password,
-        DBRow &row);
-
-    int createKeyPairRSAHelper(
-        Credentials &cred,
-        int size,
-        const Alias &aliasPrivate,
-        const Alias &aliasPublic,
-        const PolicySerializable &policyPrivate,
-        const PolicySerializable &policyPublic);
+    int saveDataHelper(
+        const Credentials &cred,
+        const Name &name,
+        const Label &label,
+        const PKCS12Serializable &pkcs,
+        const PolicySerializable &keyPolicy,
+        const PolicySerializable &certPolicy);
+
+    DB::Row createEncryptedRow(
+        CryptoLogic &crypto,
+        const Name &name,
+        const Label &label,
+        DataType dataType,
+        const RawBuffer &data,
+        const Policy &policy) const;
+
+    int getPKCS12Helper(
+        const Credentials &cred,
+        const Name &name,
+        const Label &label,
+        const Password &keyPassword,
+        const Password &certPassword,
+        KeyShPtr & privKey,
+        CertificateShPtr & cert,
+        CertificateShPtrVector & caChain);
+
+    int extractPKCS12Data(
+        CryptoLogic &crypto,
+        const Name &name,
+        const Label &ownerLabel,
+        const PKCS12Serializable &pkcs,
+        const PolicySerializable &keyPolicy,
+        const PolicySerializable &certPolicy,
+        DB::RowVector &output) const;
+
+    int removeDataHelper(
+        const Credentials &cred,
+        const Name &name,
+        const Label &ownerLabel);
+
+    int readSingleRow(
+        const Name &name,
+        const Label &ownerLabel,
+        DataType dataType,
+        DB::Crypto & database,
+        DB::Row &row);
 
-    int createKeyPairECDSAHelper(
-        Credentials &cred,
-        int type,
-        const Alias &aliasPrivate,
-        const Alias &aliasPublic,
+    int readMultiRow(const Name &name,
+        const Label &ownerLabel,
+        DataType dataType,
+        DB::Crypto & database,
+        DB::RowVector &output);
+
+    int checkDataPermissionsHelper(
+        const Credentials &cred,
+        const Name &name,
+        const Label &ownerLabel,
+        const Label &accessorLabel,
+        const DB::Row &row,
+        bool exportFlag,
+        DB::Crypto & database);
+
+    int readDataHelper(
+        bool exportFlag,
+        const Credentials &cred,
+        DataType dataType,
+        const Name &name,
+        const Label &label,
+        const Password &password,
+        DB::Row &row);
+
+    int readDataHelper(
+        bool exportFlag,
+        const Credentials &cred,
+        DataType dataType,
+        const Name &name,
+        const Label &label,
+        const Password &password,
+        DB::RowVector &rows);
+
+    int createKeyAESHelper(
+        const Credentials &cred,
+        const int size,
+        const Name &name,
+        const Label &label,
+        const PolicySerializable &policy);
+
+    int createKeyPairHelper(
+        const Credentials &cred,
+        const CryptoAlgorithmSerializable & keyGenParams,
+        const Name &namePrivate,
+        const Label &labelPrivate,
+        const Name &namePublic,
+        const Label &labelPublic,
         const PolicySerializable &policyPrivate,
         const PolicySerializable &policyPublic);
 
-    int getKeyHelper(
-        Credentials &cred,
-        const Alias &publicKeyOrCertAlias,
-        const std::string &password,           // password for public_key (optional)
-        const GenericKey &genericKey);
+    int readCertificateHelper(
+        const Credentials &cred,
+        const LabelNameVector &labelNameVector,
+        CertificateImplVector &certVector);
+
+    int getCertificateChainHelper(
+        const CertificateImpl &cert,
+        const RawBufferVector &untrustedCertificates,
+        const RawBufferVector &trustedCertificates,
+        bool useTrustedSystemCertificates,
+        RawBufferVector &chainRawVector);
+
+    int getCertificateChainHelper(
+        const Credentials &cred,
+        const CertificateImpl &cert,
+        const LabelNameVector &untrusted,
+        const LabelNameVector &trusted,
+        bool useTrustedSystemCertificates,
+        RawBufferVector &chainRawVector);
+
+    int getDataListHelper(
+        const Credentials &cred,
+        const DataType dataType,
+        LabelNameVector &labelNameVector);
+
+    int changeUserPasswordHelper(uid_t user,
+                                 const Password &oldPassword,
+                                 const Password &newPassword);
+
+    int resetUserPasswordHelper(uid_t user, const Password &newPassword);
 
     std::map<uid_t, UserData> m_userDataMap;
-    CertificateStore m_certStore;
+    AccessControl m_accessControl;
+    Crypto::Decider m_decider;
+    //FileLock m_lock;
 };
 
 } // namespace CKM
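Review bot: The comment above `selectDatabase` says it outputs a database handler and an effective label, but the declaration takes `incoming_label` as `const Label &` and returns only `UserData &`, so no effective label can reach the caller through this signature. This function decides whether a request lands in the private or the system database, so its contract should be exact; if the label is no longer rewritten, the comment could read `// Selects the private or system database for the asking uid and owner label; returns its handler.` Separately, `setPermissionHelper` and `verifyAndSaveDataHelper` are declared above `private:` while every other `*Helper` in the class is private. If that is intentional, a one-line comment naming the caller that needs them would document the wider surface; otherwise they could move below `private:`.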