AES: add generation, save, get support.
[platform/core/security/key-manager.git] / src / manager / service / ckm-logic.h
index fead9cd..c09b97e 100644 (file)
 #include <file-lock.h>
 #include <access-control.h>
 #include <certificate-impl.h>
+#include <sys/types.h>
+
+#include <platform/decider.h>
 
 namespace CKM {
 
 struct UserData {
-    UserData()
-      : isMainDKEK(false)
-      , isDKEKConfirmed(false)
-    {}
-
     KeyProvider    keyProvider;
-    DBCrypto       database;
+    DB::Crypto     database;
     CryptoLogic    crypto;
-    bool           isMainDKEK;
-    bool           isDKEKConfirmed;
 };
 
 class CKMLogic {
 public:
+    static const uid_t SYSTEM_DB_UID;
+    class Exception
+    {
+    public:
+        DECLARE_EXCEPTION_TYPE(CKM::Exception, Base)
+        DECLARE_EXCEPTION_TYPE(Base, DatabaseLocked)
+    };
+
     CKMLogic();
     CKMLogic(const CKMLogic &) = delete;
     CKMLogic(CKMLogic &&) = delete;
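Review bot: The new `CKMLogic::Exception::DatabaseLocked` type adds a throwing error path to a class whose other declarations in this header report failure through `RawBuffer` responses and `int` codes, and nothing here says which functions may throw it. A short comment on the nested class would help, for example `// DatabaseLocked: thrown when the selected database has not been unlocked; callers must translate it into an error response`, presuming that is what the name means. `SYSTEM_DB_UID` also needs a comment stating which uid it reserves for the system database and how it is kept distinct from ordinary user ids, since its value is defined outside this header. The CKMLogic class body continues outside this hunk.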
@@ -59,8 +63,7 @@ public:
     CKMLogic& operator=(CKMLogic &&) = delete;
     virtual ~CKMLogic();
 
-    RawBuffer unlockUserKey(uid_t user, const Password &password, bool apiRequest = true);
-
+    RawBuffer unlockUserKey(uid_t user, const Password &password);
     RawBuffer lockUserKey(uid_t user);
 
     RawBuffer removeUserData(uid_t user);
@@ -83,7 +86,7 @@ public:
         const Name &name,
         const Label &label,
         const RawBuffer &data,
-        DBDataType dataType,
+        DataType dataType,
         const PolicySerializable &policy);
 
     RawBuffer savePKCS12(
@@ -104,7 +107,7 @@ public:
     RawBuffer getData(
         const Credentials &cred,
         int commandId,
-        DBDataType dataType,
+        DataType dataType,
         const Name &name,
         const Label &label,
         const Password &password);
@@ -113,18 +116,19 @@ public:
         const Credentials &cred,
         int commandId,
         const Name &name,
-        const Label &label);
+        const Label &label,
+        const Password &keyPassword,
+        const Password &certPassword);
 
     RawBuffer getDataList(
         const Credentials &cred,
         int commandId,
-        DBDataType dataType);
+        DataType dataType);
 
     RawBuffer createKeyPair(
         const Credentials &cred,
-        LogicCommand protocol_cmd,
         int commandId,
-        const int additional_param,
+        const CryptoAlgorithmSerializable & keyGenParams,
         const Name &namePrivate,
         const Label &labelPrivate,
         const Name &namePublic,
@@ -132,6 +136,14 @@ public:
         const PolicySerializable &policyPrivate,
         const PolicySerializable &policyPublic);
 
+    RawBuffer createKeyAES(
+        const Credentials &cred,
+        int commandId,
+        const int size,
+        const Name &name,
+        const Label &label,
+        const PolicySerializable &policy);
+
     RawBuffer getCertificateChain(
         const Credentials &cred,
         int commandId,
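Review bot: `createKeyAES` takes `const int size` with no statement of unit or accepted values, so the header leaves open whether a caller passes bits or bytes and whether zero, negative or non-AES lengths are rejected. The request appears to originate from a client (it carries `Credentials` and a `commandId`), so I would document the contract at the declaration, for example `// size: AES key length in bits; only 128, 192 and 256 are accepted, any other value returns an error`, adjusted to what the implementation actually enforces. The validation itself would live in the .cpp file, which is not part of this hunk, so confirm it is done there before the value reaches key generation.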
@@ -180,26 +192,48 @@ public:
         const Label &accessor_label,
         const PermissionMask permissionMask);
 
+    int setPermissionHelper(
+            const Credentials &cred,
+            const Name &name,
+            const Label &ownerLabel,
+            const Label &accessorLabel,
+            const PermissionMask permissionMask);
+
+    int verifyAndSaveDataHelper(
+        const Credentials &cred,
+        const Name &name,
+        const Label &label,
+        const RawBuffer &data,
+        DataType dataType,
+        const PolicySerializable &policy);
+
 private:
 
+    // select private/system database depending on asking uid and owner label.
+    // output: database handler and effective label
+    UserData & selectDatabase(const Credentials &incoming_cred,
+                              const Label       &incoming_label);
+
+    int unlockSystemDB();
+    int unlockDatabase(uid_t            user,
+                       const Password & password);
+
     void loadDKEKFile(
         uid_t user,
-        const Password &password,
-        bool apiReq);
-
-    void chooseDKEKFile(
-        UserData &handle,
-        const Password &password,
-        const RawBuffer &first,
-        const RawBuffer &second);
+        const Password &password);
 
     void saveDKEKFile(
         uid_t user,
         const Password &password);
 
     int verifyBinaryData(
-        DBDataType dataType,
-        const RawBuffer &input_data) const;
+        DataType dataType,
+        RawBuffer &input_data) const;
+
+    int toBinaryData(
+        DataType dataType,
+        const RawBuffer &input_data,
+        RawBuffer &output_data) const;
 
     int checkSaveConditions(
         const Credentials &cred,
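Review bot: The comment on `selectDatabase` promises an output of "database handler and effective label", but the declaration takes `const Label &incoming_label` and returns only `UserData &`, so no effective label can come back through this signature. Because this function decides whether a request lands in the private or the system database, the comment should say exactly what is decided and returned, e.g. `// Returns the UserData of the system database or of the caller's uid, chosen from the caller's uid and the owner label; the label is not modified.` It should also state what happens when the chosen database is locked. In the same hunk `verifyBinaryData` loses `const` on `input_data`, which deserves a comment that a function named "verify" may now rewrite the buffer. The class body starts and ends outside this hunk.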
@@ -211,7 +245,7 @@ private:
         const Credentials &cred,
         const Name &name,
         const Label &label,
-        DBDataType dataType,
+        DataType dataType,
         const RawBuffer &data,
         const PolicySerializable &policy);
 
@@ -223,11 +257,11 @@ private:
         const PolicySerializable &keyPolicy,
         const PolicySerializable &certPolicy);
 
-    DBRow createEncryptedDBRow(
+    DB::Row createEncryptedRow(
         CryptoLogic &crypto,
         const Name &name,
         const Label &label,
-        DBDataType dataType,
+        DataType dataType,
         const RawBuffer &data,
         const Policy &policy) const;
 
@@ -235,6 +269,8 @@ private:
         const Credentials &cred,
         const Name &name,
         const Label &label,
+        const Password &keyPassword,
+        const Password &certPassword,
         KeyShPtr & privKey,
         CertificateShPtr & cert,
         CertificateShPtrVector & caChain);
@@ -246,7 +282,7 @@ private:
         const PKCS12Serializable &pkcs,
         const PolicySerializable &keyPolicy,
         const PolicySerializable &certPolicy,
-        DBRowVector &output) const;
+        DB::RowVector &output) const;
 
     int removeDataHelper(
         const Credentials &cred,
@@ -256,46 +292,53 @@ private:
     int readSingleRow(
         const Name &name,
         const Label &ownerLabel,
-        DBDataType dataType,
-        DBCrypto & database,
-        DBRow &row);
+        DataType dataType,
+        DB::Crypto & database,
+        DB::Row &row);
 
     int readMultiRow(const Name &name,
         const Label &ownerLabel,
-        DBDataType dataType,
-        DBCrypto & database,
-        DBRowVector &output);
+        DataType dataType,
+        DB::Crypto & database,
+        DB::RowVector &output);
 
     int checkDataPermissionsHelper(
+        const Credentials &cred,
         const Name &name,
         const Label &ownerLabel,
         const Label &accessorLabel,
-        const DBRow &row,
+        const DB::Row &row,
         bool exportFlag,
-        DBCrypto & database);
+        DB::Crypto & database);
 
     int readDataHelper(
         bool exportFlag,
         const Credentials &cred,
-        DBDataType dataType,
+        DataType dataType,
         const Name &name,
         const Label &label,
         const Password &password,
-        DBRow &row);
+        DB::Row &row);
 
     int readDataHelper(
         bool exportFlag,
         const Credentials &cred,
-        DBDataType dataType,
+        DataType dataType,
         const Name &name,
         const Label &label,
         const Password &password,
-        DBRowVector &rows);
+        DB::RowVector &rows);
+
+    int createKeyAESHelper(
+        const Credentials &cred,
+        const int size,
+        const Name &name,
+        const Label &label,
+        const PolicySerializable &policy);
 
     int createKeyPairHelper(
         const Credentials &cred,
-        const KeyType key_type,
-        const int additional_param,
+        const CryptoAlgorithmSerializable & keyGenParams,
         const Name &namePrivate,
         const Label &labelPrivate,
         const Name &namePublic,
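Review bot: `checkDataPermissionsHelper` now receives both `cred` and `accessorLabel`, and the declaration does not say which of the two identifies the accessor for the permission decision. If `Credentials` (defined outside this file) already carries the caller's label, two sources for the same identity invite a call site that passes a label which does not belong to `cred`. A comment such as `// accessorLabel must be the label taken from cred; cred is used only to choose the database` (or whatever the real rule is) would pin this down. `createKeyAESHelper` in the same hunk has the same undocumented `const int size` as the public `createKeyAES`.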
@@ -323,16 +366,20 @@ private:
         bool useTrustedSystemCertificates,
         RawBufferVector &chainRawVector);
 
-    int setPermissionHelper(
+    int getDataListHelper(
         const Credentials &cred,
-        const Name &name,
-        const Label &ownerLabel,
-        const Label &accessorLabel,
-        const PermissionMask permissionMask);
+        const DataType dataType,
+        LabelNameVector &labelNameVector);
+
+    int changeUserPasswordHelper(uid_t user,
+                                 const Password &oldPassword,
+                                 const Password &newPassword);
 
+    int resetUserPasswordHelper(uid_t user, const Password &newPassword);
 
     std::map<uid_t, UserData> m_userDataMap;
     AccessControl m_accessControl;
+    Crypto::Decider m_decider;
     //FileLock m_lock;
 };