/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* limitations under the License
*
*
- * @file ckm-service.h
+ * @file ckm-service.cpp
* @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
* @version 1.0
- * @brief Sample service implementation.
+ * @brief CKM service implementation.
*/
-#include <service-thread.h>
-#include <generic-socket-manager.h>
-#include <connection-info.h>
-#include <message-buffer.h>
+
#include <protocols.h>
#include <dpl/serialization.h>
#include <ckm-service.h>
#include <ckm-logic.h>
-#include <client-key-impl.h>
namespace {
const CKM::InterfaceID SOCKET_ID_CONTROL = 0;
const CKM::InterfaceID SOCKET_ID_STORAGE = 1;
+
+template <typename ...Args>
+CKM::RawBuffer disallowed(int command, int msgID, Args&&... args) {
+ LogError("Disallowed command: " << command);
+ return CKM::MessageBuffer::Serialize(command,
+ msgID,
+ CKM_API_ERROR_ACCESS_DENIED,
+ std::move(args)...).Pop();
+}
} // namespace anonymous
namespace CKM {
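Review bot: `disallowed` takes its trailing arguments as forwarding references (`Args&&... args`) but passes them on with `std::move(args)...`, which would silently move from an lvalue if a caller ever passed one; `std::forward<Args>(args)...` keeps the value category the caller chose. Every call visible in this patch passes temporaries, so the problem is latent rather than live. A one-line comment above the helper saying that the extra arguments must mirror the fields of the command's normal reply would help, since that appears to be why `GET` passes an empty `RawBuffer()` and `GET_LIST` an empty `LabelNameVector()`.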
delete m_logic;
}
-GenericSocketService::ServiceDescriptionVector CKMService::GetServiceDescription()
-{
- return ServiceDescriptionVector {
- {SERVICE_SOCKET_CKM_CONTROL, "ckm::api-control", SOCKET_ID_CONTROL},
- {SERVICE_SOCKET_CKM_STORAGE, "ckm::api-storage", SOCKET_ID_STORAGE}
- };
+void CKMService::Start() {
+ Create();
}
-void CKMService::accept(const AcceptEvent &event) {
- LogDebug("Accept event");
- auto &info = m_connectionInfoMap[event.connectionID.counter];
- info.interfaceID = event.interfaceID;
+void CKMService::Stop() {
+ Join();
}
-void CKMService::write(const WriteEvent &event) {
- LogDebug("Write event (" << event.size << " bytes)");
+GenericSocketService::ServiceDescriptionVector CKMService::GetServiceDescription()
+{
+ return ServiceDescriptionVector {
+ {SERVICE_SOCKET_CKM_CONTROL, "http://tizen.org/privilege/keymanager.admin", SOCKET_ID_CONTROL},
+ {SERVICE_SOCKET_CKM_STORAGE, "http://tizen.org/privilege/keymanager", SOCKET_ID_STORAGE}
+ };
}
-void CKMService::process(const ReadEvent &event) {
- LogDebug("Read event");
- auto &info = m_connectionInfoMap[event.connectionID.counter];
- info.buffer.Push(event.rawBuffer);
- while(processOne(event.connectionID, info));
+void CKMService::SetCommManager(CommMgr *manager)
+{
+ ThreadService::SetCommManager(manager);
+ Register(*manager);
}
-bool CKMService::processOne(
+bool CKMService::ProcessOne(
const ConnectionID &conn,
- ConnectionInfo &info)
+ ConnectionInfo &info,
+ bool allowed)
{
LogDebug ("process One");
RawBuffer response;
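Review bot: The new `allowed` parameter of `ProcessOne` reaches only the storage path: further down in the same function the control branch still calls `ProcessControl(info.buffer)` without the privilege result. Unlock, password reset, `REMOVE_USER_DATA` and `SET_PERMISSION` would therefore run for a caller whose check failed, unless control connections are rejected before `ProcessOne` is reached (not visible here). Consider `response = ProcessControl(info.buffer, allowed);` with an access-denied return ahead of the `switch` in `ProcessControl`, in the same way the storage cases use `disallowed`. The body of `ProcessOne` continues outside this hunk.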
return false;
if (info.interfaceID == SOCKET_ID_CONTROL)
- response = processControl(info.buffer);
+ response = ProcessControl(info.buffer);
else
- response = processStorage(info.credentials, info.buffer);
+ response = ProcessStorage(info.credentials, info.buffer, allowed);
m_serviceManager->Write(conn, response);
return true;
} Catch (MessageBuffer::Exception::Base) {
LogError("Broken protocol. Closing socket.");
+ } Catch (Exception::BrokenProtocol) {
+ LogError("Broken protocol. Closing socket.");
+ } catch (const DataType::Exception::Base &e) {
+ LogError("Closing socket. DBDataType::Exception: " << e.DumpToString());
+ } catch (const std::string &e) {
+ LogError("String exception(" << e << "). Closing socket");
+ } catch (const std::exception &e) {
+ LogError("Std exception:: " << e.what());
} catch (...) {
LogError("Unknown exception. Closing socket.");
}
return false;
}
-RawBuffer CKMService::processControl(MessageBuffer &buffer) {
- int command;
- std::string user;
+RawBuffer CKMService::ProcessControl(MessageBuffer &buffer) {
+ int command = 0;
+ uid_t user = 0;
ControlCommand cc;
- std::string newPass, oldPass;
+ Password newPass, oldPass;
+ Label smackLabel;
+
+ buffer.Deserialize(command);
- Deserialization::Deserialize(buffer, command);
- Deserialization::Deserialize(buffer, user);
+ LogDebug("Process control. Command: " << command);
cc = static_cast<ControlCommand>(command);
switch(cc) {
case ControlCommand::UNLOCK_USER_KEY:
- Deserialization::Deserialize(buffer, newPass);
+ buffer.Deserialize(user, newPass);
return m_logic->unlockUserKey(user, newPass);
case ControlCommand::LOCK_USER_KEY:
+ buffer.Deserialize(user);
return m_logic->lockUserKey(user);
case ControlCommand::REMOVE_USER_DATA:
+ buffer.Deserialize(user);
return m_logic->removeUserData(user);
case ControlCommand::CHANGE_USER_PASSWORD:
- Deserialization::Deserialize(buffer, oldPass);
- Deserialization::Deserialize(buffer, newPass);
+ buffer.Deserialize(user, oldPass, newPass);
return m_logic->changeUserPassword(user, oldPass, newPass);
case ControlCommand::RESET_USER_PASSWORD:
- Deserialization::Deserialize(buffer, newPass);
+ buffer.Deserialize(user, newPass);
return m_logic->resetUserPassword(user, newPass);
+ case ControlCommand::REMOVE_APP_DATA:
+ buffer.Deserialize(smackLabel);
+ return m_logic->removeApplicationData(smackLabel);
+ case ControlCommand::UPDATE_CC_MODE:
+ return m_logic->updateCCMode();
+ case ControlCommand::SET_PERMISSION:
+ {
+ Name name;
+ Label label;
+ Label accessorLabel;
+ PermissionMask permissionMask = 0;
+
+ buffer.Deserialize(user, name, label, accessorLabel, permissionMask);
+
+ Credentials cred(user, label);
+ return m_logic->setPermission(
+ cred,
+ command,
+ 0, // dummy
+ name,
+ label,
+ accessorLabel,
+ permissionMask);
+ }
default:
- // TODO
- throw 1; // broken protocol
+ Throw(Exception::BrokenProtocol);
}
}
-RawBuffer CKMService::processStorage(Credentials &cred, MessageBuffer &buffer){
- int command;
- int commandId;
- int tmpDataType;
- Alias alias;
+RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, bool allowed)
+{
+ int command = 0;
+ int msgID = 0;
+ int tmpDataType = 0;
+ Name name;
+ Label label, accessorLabel;
std::string user;
- LogicCommand sc;
- Deserialization::Deserialize(buffer, command);
- Deserialization::Deserialize(buffer, commandId);
+ buffer.Deserialize(command);
+ buffer.Deserialize(msgID);
+
+ // This is a workaround solution for locktype=None in Tizen 2.2.1
+ // When locktype is None, lockscreen app doesn't interfere with unlocking process.
+ // Therefor lockscreen app cannot notify unlock events to key-manager when locktype is None.
+ // So, to unlock user data when lock type is None, key-manager always try to unlock user data with null password.
+ // Even if the result is fail, it will be ignored.
+ Password nullPassword("");
+ m_logic->unlockUserKey(cred.clientUid, nullPassword);
- sc = static_cast<LogicCommand>(command);
+ LogDebug("Process storage. Command: " << command);
- switch(sc) {
+ switch(static_cast<LogicCommand>(command)) {
case LogicCommand::SAVE:
{
RawBuffer rawData;
PolicySerializable policy;
- Deserialization::Deserialize(buffer, tmpDataType);
- Deserialization::Deserialize(buffer, alias);
- Deserialization::Deserialize(buffer, rawData);
- Deserialization::Deserialize(buffer, policy);
+ buffer.Deserialize(tmpDataType, name, label, rawData, policy);
+
+ if (!allowed)
+ return disallowed(command, msgID, static_cast<int>(DataType(tmpDataType)));
+
return m_logic->saveData(
cred,
- commandId,
- static_cast<DBDataType>(tmpDataType),
- alias,
+ msgID,
+ name,
+ label,
rawData,
+ DataType(tmpDataType),
policy);
}
+ case LogicCommand::SAVE_PKCS12:
+ {
+ RawBuffer rawData;
+ PKCS12Serializable pkcs;
+ PolicySerializable keyPolicy, certPolicy;
+ buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
+ return m_logic->savePKCS12(
+ cred,
+ msgID,
+ name,
+ label,
+ pkcs,
+ keyPolicy,
+ certPolicy);
+ }
case LogicCommand::REMOVE:
{
- Deserialization::Deserialize(buffer, tmpDataType);
- Deserialization::Deserialize(buffer, alias);
+ buffer.Deserialize(name, label);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->removeData(
cred,
- commandId,
- static_cast<DBDataType>(tmpDataType),
- alias);
+ msgID,
+ name,
+ label);
}
case LogicCommand::GET:
{
- std::string password;
- Deserialization::Deserialize(buffer, tmpDataType);
- Deserialization::Deserialize(buffer, alias);
- Deserialization::Deserialize(buffer, password);
+ Password password;
+ buffer.Deserialize(tmpDataType, name, label, password);
+
+ if (!allowed)
+ return disallowed(command,
+ msgID,
+ static_cast<int>(DataType(tmpDataType)),
+ RawBuffer());
+
return m_logic->getData(
cred,
- commandId,
- static_cast<DBDataType>(tmpDataType),
- alias,
+ msgID,
+ DataType(tmpDataType),
+ name,
+ label,
password);
}
+ case LogicCommand::GET_PKCS12:
+ {
+ Password passKey;
+ Password passCert;
+ buffer.Deserialize(name,
+ label,
+ passKey,
+ passCert);
+
+ if (!allowed)
+ return disallowed(command, msgID, PKCS12Serializable());
+
+ return m_logic->getPKCS12(
+ cred,
+ msgID,
+ name,
+ label,
+ passKey,
+ passCert);
+ }
+ case LogicCommand::GET_LIST:
+ {
+ buffer.Deserialize(tmpDataType);
+
+ if (!allowed)
+ return disallowed(command,
+ msgID,
+ static_cast<int>(DataType(tmpDataType)),
+ LabelNameVector());
+
+ return m_logic->getDataList(
+ cred,
+ msgID,
+ DataType(tmpDataType));
+ }
+ case LogicCommand::CREATE_KEY_AES:
+ {
+ int size = 0;
+ Name keyName;
+ Label keyLabel;
+ PolicySerializable policyKey;
+ buffer.Deserialize(size,
+ policyKey,
+ keyName,
+ keyLabel);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
+ return m_logic->createKeyAES(
+ cred,
+ msgID,
+ size,
+ keyName,
+ keyLabel,
+ policyKey);
+ }
+ case LogicCommand::CREATE_KEY_PAIR:
+ {
+ CryptoAlgorithmSerializable keyGenAlgorithm;
+ Name privateKeyName;
+ Label privateKeyLabel;
+ Name publicKeyName;
+ Label publicKeyLabel;
+ PolicySerializable policyPrivateKey;
+ PolicySerializable policyPublicKey;
+ buffer.Deserialize(keyGenAlgorithm,
+ policyPrivateKey,
+ policyPublicKey,
+ privateKeyName,
+ privateKeyLabel,
+ publicKeyName,
+ publicKeyLabel);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
+ return m_logic->createKeyPair(
+ cred,
+ msgID,
+ keyGenAlgorithm,
+ privateKeyName,
+ privateKeyLabel,
+ publicKeyName,
+ publicKeyLabel,
+ policyPrivateKey,
+ policyPublicKey);
+ }
+ case LogicCommand::GET_CHAIN_CERT:
+ {
+ RawBuffer certificate;
+ RawBufferVector untrustedVector;
+ RawBufferVector trustedVector;
+ bool systemCerts = false;
+ buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
+
+ if (!allowed)
+ return disallowed(command, msgID, RawBufferVector());
+
+ return m_logic->getCertificateChain(
+ cred,
+ msgID,
+ certificate,
+ untrustedVector,
+ trustedVector,
+ systemCerts);
+ }
+ case LogicCommand::GET_CHAIN_ALIAS:
+ {
+ RawBuffer certificate;
+ LabelNameVector untrustedVector;
+ LabelNameVector trustedVector;
+ bool systemCerts = false;
+ buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
+
+ if (!allowed)
+ return disallowed(command, msgID, LabelNameVector());
+
+ return m_logic->getCertificateChain(
+ cred,
+ msgID,
+ certificate,
+ untrustedVector,
+ trustedVector,
+ systemCerts);
+ }
+ case LogicCommand::CREATE_SIGNATURE:
+ {
+ Password password; // password for private_key
+ RawBuffer message;
+ int padding = 0, hash = 0;
+ buffer.Deserialize(name, label, password, message, hash, padding);
+
+ if (!allowed)
+ return disallowed(command, msgID, RawBuffer());
+
+ return m_logic->createSignature(
+ cred,
+ msgID,
+ name,
+ label,
+ password, // password for private_key
+ message,
+ static_cast<HashAlgorithm>(hash),
+ static_cast<RSAPaddingAlgorithm>(padding));
+ }
+ case LogicCommand::VERIFY_SIGNATURE:
+ {
+ Password password; // password for public_key (optional)
+ RawBuffer message;
+ RawBuffer signature;
+ //HashAlgorithm hash;
+ //RSAPaddingAlgorithm padding;
+ int padding = 0, hash = 0;
+ buffer.Deserialize(name,
+ label,
+ password,
+ message,
+ signature,
+ hash,
+ padding);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
+ return m_logic->verifySignature(
+ cred,
+ msgID,
+ name,
+ label,
+ password, // password for public_key (optional)
+ message,
+ signature,
+ static_cast<const HashAlgorithm>(hash),
+ static_cast<const RSAPaddingAlgorithm>(padding));
+ }
+ case LogicCommand::SET_PERMISSION:
+ {
+ PermissionMask permissionMask = 0;
+ buffer.Deserialize(name, label, accessorLabel, permissionMask);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
+ return m_logic->setPermission(
+ cred,
+ command,
+ msgID,
+ name,
+ label,
+ accessorLabel,
+ permissionMask);
+ }
default:
- // TODO
- throw 1; // broken protocol
+ Throw(Exception::BrokenProtocol);
}
}
-
-void CKMService::close(const CloseEvent &event) {
- LogDebug("Close event");
- m_connectionInfoMap.erase(event.connectionID.counter);
+void CKMService::ProcessMessage(MsgKeyRequest msg)
+{
+ Crypto::GKeyShPtr key;
+ int ret = m_logic->getKeyForService(msg.cred,
+ msg.name,
+ msg.label,
+ msg.password,
+ key);
+ MsgKeyResponse kResp(msg.id, key, ret);
+ try {
+ if (!m_commMgr->SendMessage(kResp))
+ LogError("No listener found"); // can't do much more
+ } catch (...) {
+ LogError("Uncaught exception in SendMessage. Check listeners.");
+ }
}
} // namespace CKM
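Review bot: The `m_logic->unlockUserKey(cred.clientUid, nullPassword);` call at the top of `ProcessStorage` runs for every storage request before `allowed` is consulted, so a client that fails the privilege check still triggers an empty-password unlock attempt for its uid. Gating it on the privilege result, `if (allowed) m_logic->unlockUserKey(cred.clientUid, nullPassword);`, keeps the locktype=None workaround for legitimate callers only. The same ordering shows in every `case`: the whole payload, including `Password` and `PKCS12Serializable` fields, is deserialized before `if (!allowed)`, so denied callers still exercise the parsers, although only `tmpDataType` appears to be needed to build the denial reply. In the signature cases `hash` and `padding` are cast straight from wire integers to `HashAlgorithm` and `RSAPaddingAlgorithm`, which is safe only if `m_logic` range-checks them (not visible here).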