namespace {
+template <int ERROR_ON_CKM_EXCEPTION = CKM_API_ERROR_SERVER_ERROR, class F>
+int tryRet(F &&f)
+{
+ try {
+ static_assert(sizeof(int) == sizeof std::forward<F>(f)());
+ return std::forward<F>(f)();
+ } catch (const Exc::Exception &e) {
+ return e.error();
+ } catch (const CKM::Exception &e) {
+ LogError("CKM::Exception: " << e.GetMessage());
+ return ERROR_ON_CKM_EXCEPTION;
+ }
+}
+
int toBinaryData(const Crypto::Data &input, Crypto::Data &output)
{
// verify the data integrity
m_userDataMap[user].keyProvider.isInitialized())
return CKM_API_SUCCESS;
- int retCode = CKM_API_SUCCESS;
-
- try {
+ int retCode = tryRet([&] {
auto &handle = m_userDataMap[user];
FileSystem fs(user);
migrateSecureStorageData(false);
else if (user == ADMIN_USER_DB_UID && SsMigration::hasData())
migrateSecureStorageData(true);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
+
+ return CKM_API_SUCCESS;
+ });
if (CKM_API_SUCCESS != retCode)
m_userDataMap.erase(user);
const Password &oldPassword,
const Password &newPassword)
{
- int retCode = CKM_API_SUCCESS;
-
- try {
- retCode = changeUserPasswordHelper(user, oldPassword, newPassword);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
-
- return SerializeMessage(retCode);
+ return SerializeMessage(tryRet([&] {
+ return changeUserPasswordHelper(user, oldPassword, newPassword);
+ }));
}
int CKMLogic::resetUserPasswordHelper(
uid_t user,
const Password &newPassword)
{
- int retCode = CKM_API_SUCCESS;
-
- try {
- retCode = resetUserPasswordHelper(user, newPassword);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
-
- return SerializeMessage(retCode);
+ return SerializeMessage(tryRet([&] {
+ return resetUserPasswordHelper(user, newPassword);
+ }));
}
RawBuffer CKMLogic::removeApplicationData(const ClientId &owner)
{
- int retCode = CKM_API_SUCCESS;
+ return SerializeMessage(tryRet([&] {
+ if (owner.empty())
+ return CKM_API_ERROR_INPUT_PARAM;
- try {
- if (owner.empty()) {
- retCode = CKM_API_ERROR_INPUT_PARAM;
- } else {
- UidVector uids = FileSystem::getUIDsFromDBFile();
-
- for (auto userId : uids) {
- if (0 == m_userDataMap.count(userId)) {
- FileSystem fs(userId);
- fs.addRemovedApp(owner);
- } else {
- auto &handle = m_userDataMap[userId];
- handle.crypto.removeKey(owner);
- handle.database.deleteKey(owner);
- }
+ UidVector uids = FileSystem::getUIDsFromDBFile();
+
+ for (auto userId : uids) {
+ if (0 == m_userDataMap.count(userId)) {
+ FileSystem fs(userId);
+ fs.addRemovedApp(owner);
+ } else {
+ auto &handle = m_userDataMap[userId];
+ handle.crypto.removeKey(owner);
+ handle.database.deleteKey(owner);
}
}
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
- return SerializeMessage(retCode);
+ return CKM_API_SUCCESS;
+ }));
}
int CKMLogic::checkSaveConditions(
const Crypto::Data &data,
const PolicySerializable &policy)
{
- int retCode = CKM_API_ERROR_UNKNOWN;
-
- try {
+ return tryRet([&] {
// check if data is correct
Crypto::Data binaryData;
- retCode = toBinaryData(data, binaryData);
+ int retCode = toBinaryData(data, binaryData);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
- else
- return saveDataHelper(cred, name, explicitOwner, binaryData, policy);
- } catch (const Exc::Exception &e) {
- return e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- return CKM_API_ERROR_SERVER_ERROR;
- }
+ return retCode != CKM_API_SUCCESS
+ ? retCode
+ : saveDataHelper(cred, name, explicitOwner, binaryData, policy);
+ });
}
int CKMLogic::getKeyForService(
const Password &pass,
Crypto::GObjShPtr &key)
{
- try {
+ return tryRet([&] {
// Key is for internal service use. It won't be exported to the client
Crypto::GObjUPtr obj;
int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
key = std::move(obj);
return retCode;
- } catch (const Exc::Exception &e) {
- return e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- return CKM_API_ERROR_SERVER_ERROR;
- }
+ });
}
RawBuffer CKMLogic::saveData(
const PolicySerializable &keyPolicy,
const PolicySerializable &certPolicy)
{
- int retCode = CKM_API_ERROR_UNKNOWN;
-
- try {
- retCode = saveDataHelper(cred, name, explicitOwner, pkcs, keyPolicy, certPolicy);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
-
- return SerializeMessage(msgId, retCode);
+ return SerializeMessage(msgId, tryRet([&] {
+ return saveDataHelper(cred, name, explicitOwner, pkcs, keyPolicy, certPolicy);
+ }));
}
const Name &name,
const ClientId &explicitOwner)
{
- int retCode = CKM_API_ERROR_UNKNOWN;
-
- try {
- retCode = removeDataHelper(cred, name, explicitOwner);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("Error: " << e.GetMessage());
- retCode = CKM_API_ERROR_DB_ERROR;
- }
-
- return SerializeMessage(msgId, retCode);
+ return SerializeMessage(msgId, tryRet([&] {
+ return removeDataHelper(cred, name, explicitOwner);
+ }));
}
const ClientId &explicitOwner,
const Password &password)
{
- int retCode = CKM_API_SUCCESS;
RawBuffer rowData;
DataType objDataType;
- try {
+ int retCode = tryRet([&] {
Crypto::GObjUPtr obj;
- retCode = readDataHelper(true, cred, dataType, name, explicitOwner,
+ int retCode = readDataHelper(true, cred, dataType, name, explicitOwner,
password, obj, objDataType);
if (retCode == CKM_API_SUCCESS)
rowData = obj->getBinary();
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
+
+ return retCode;
+ });
if (CKM_API_SUCCESS != retCode)
rowData.clear();
const Name &name,
const ClientId &explicitOwner)
{
- int retCode = CKM_API_SUCCESS;
bool status = false;
DataType objDataType;
Password password;
- try {
+ int retCode = tryRet([&] {
Crypto::GObjUPtr obj;
- retCode = readDataHelper(false, cred, dataType, name, explicitOwner,
- password, obj, objDataType);
-
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
+ return readDataHelper(false, cred, dataType, name, explicitOwner, password, obj, objDataType);
+ });
if (retCode == CKM_API_ERROR_AUTHENTICATION_FAILED) {
status = true;
const Password &keyPassword,
const Password &certPassword)
{
- int retCode = CKM_API_ERROR_UNKNOWN;
-
PKCS12Serializable output;
- try {
+ int retCode = tryRet([&] {
KeyShPtr privKey;
CertificateShPtr cert;
CertificateShPtrVector caChain;
- retCode = getPKCS12Helper(cred, name, explicitOwner, keyPassword,
+ int retCode = getPKCS12Helper(cred, name, explicitOwner, keyPassword,
certPassword, privKey, cert, caChain);
// prepare response
if (retCode == CKM_API_SUCCESS)
output = PKCS12Serializable(std::move(privKey), std::move(cert), std::move(caChain));
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
+
+ return retCode;
+ });
return SerializeMessage(msgId, retCode, output);
}
if (0 < m_userDataMap.count(cred.clientUid)) {
auto &database = m_userDataMap[cred.clientUid].database;
- try {
+ retCode = tryRet<CKM_API_ERROR_DB_ERROR>([&] {
OwnerNameVector tmpVector;
if (dataType.isKey()) {
ownerNameVector.insert(ownerNameVector.end(), tmpVector.begin(),
tmpVector.end());
- retCode = CKM_API_SUCCESS;
- } catch (const CKM::Exception &e) {
- LogError("Error: " << e.GetMessage());
- retCode = CKM_API_ERROR_DB_ERROR;
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- }
+ return CKM_API_SUCCESS;
+ });
}
return retCode;
const Policy &policy)
{
try {
- if (encParams.iv.empty() != encParams.tag.empty()) {
- LogError("Both iv and tag must be empty or set");
- return CKM_API_ERROR_INPUT_PARAM;
- }
+ return tryRet([&] {
+ if (encParams.iv.empty() != encParams.tag.empty()) {
+ LogError("Both iv and tag must be empty or set");
+ return CKM_API_ERROR_INPUT_PARAM;
+ }
- // Inital values are always imported with root credentials. Client id is not important.
- Credentials rootCred(0, "");
+ // Inital values are always imported with root credentials. Client id is not important.
+ Credentials rootCred(0, "");
- auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM);
+ auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM);
- // check if save is possible
- DB::Crypto::Transaction transaction(&handler.database);
- int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
+ // check if save is possible
+ DB::Crypto::Transaction transaction(&handler.database);
+ int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- Crypto::GStore &store =
- m_decider.getStore(data.type, policy, !encParams.iv.empty());
+ Crypto::GStore &store =
+ m_decider.getStore(data.type, policy, !encParams.iv.empty());
- Token token;
+ Token token;
- if (encParams.iv.empty()) {
- // Data are not encrypted, let's try to verify them
- Crypto::Data binaryData;
+ if (encParams.iv.empty()) {
+ // Data are not encrypted, let's try to verify them
+ Crypto::Data binaryData;
- if (CKM_API_SUCCESS != (retCode = toBinaryData(data, binaryData)))
- return retCode;
+ if (CKM_API_SUCCESS != (retCode = toBinaryData(data, binaryData)))
+ return retCode;
- token = store.import(binaryData,
- m_accessControl.isCCMode() ? "" : policy.password,
- encParams);
- } else {
- token = store.import(data,
- m_accessControl.isCCMode() ? "" : policy.password,
- encParams);
- }
+ token = store.import(binaryData,
+ m_accessControl.isCCMode() ? "" : policy.password,
+ encParams);
+ } else {
+ token = store.import(data,
+ m_accessControl.isCCMode() ? "" : policy.password,
+ encParams);
+ }
- DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
- static_cast<int>(policy.extractable));
- handler.crypto.encryptRow(row);
+ DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
+ static_cast<int>(policy.extractable));
+ handler.crypto.encryptRow(row);
- handler.database.saveRow(row);
- transaction.commit();
- } catch (const Exc::Exception &e) {
- return e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- return CKM_API_ERROR_SERVER_ERROR;
+ handler.database.saveRow(row);
+ transaction.commit();
+
+ return CKM_API_SUCCESS;
+ });
} catch (const std::exception &e) {
LogError("Std::exception: " << e.what());
return CKM_API_ERROR_SERVER_ERROR;
}
-
- return CKM_API_SUCCESS;
}
int CKMLogic::saveDataHelper(
const PolicySerializable &policyPrivate,
const PolicySerializable &policyPublic)
{
- int retCode = CKM_API_SUCCESS;
-
- try {
- retCode = createKeyPairHelper(
- cred,
- keyGenParams,
- namePrivate,
- explicitOwnerPrivate,
- namePublic,
- explicitOwnerPublic,
- policyPrivate,
- policyPublic);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
-
- return SerializeMessage(msgId, retCode);
+ return SerializeMessage(msgId, tryRet([&] {
+ return createKeyPairHelper(cred, keyGenParams, namePrivate, explicitOwnerPrivate,
+ namePublic, explicitOwnerPublic, policyPrivate, policyPublic);
+ }));
}
RawBuffer CKMLogic::createKeyAES(
int retCode = CKM_API_SUCCESS;
try {
- retCode = createKeyAESHelper(cred, size, name, explicitOwner, policy);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
+ retCode = tryRet([&] {
+ return createKeyAESHelper(cred, size, name, explicitOwner, policy);
+ });
} catch (std::invalid_argument &e) {
LogDebug("invalid argument error: " << e.what());
retCode = CKM_API_ERROR_INPUT_PARAM;
- } catch (const CKM::Exception &e) {
- LogError("CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
}
return SerializeMessage(msgId, retCode);
int retCode = CKM_API_SUCCESS;
try {
- Crypto::GObjUPtr obj;
- retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName,
- explicitOwner, password, obj);
+ retCode = tryRet([&] {
+ Crypto::GObjUPtr obj;
+ int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName,
+ explicitOwner, password, obj);
- if (retCode == CKM_API_SUCCESS)
- signature = obj->sign(cryptoAlg, message);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("Unknown CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
+ if (retCode == CKM_API_SUCCESS)
+ signature = obj->sign(cryptoAlg, message);
+
+ return retCode;
+ });
} catch (const std::exception &e) {
LogError("STD exception " << e.what());
retCode = CKM_API_ERROR_SERVER_ERROR;
const RawBuffer &signature,
const CryptoAlgorithm ¶ms)
{
- int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
-
- try {
+ return SerializeMessage(msgId, tryRet([&] {
// try certificate first - looking for a public key.
// in case of PKCS, pub key from certificate will be found first
// rather than private key from the same PKCS.
Crypto::GObjUPtr obj;
- retCode = readDataHelper(false, cred, DataType::CERTIFICATE,
- publicKeyOrCertName, explicitOwner, password, obj);
+ int retCode = readDataHelper(false, cred, DataType::CERTIFICATE,
+ publicKeyOrCertName, explicitOwner, password, obj);
if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN)
retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST,
if (retCode == CKM_API_SUCCESS)
retCode = obj->verify(params, message, signature);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("Unknown CKM::Exception: " << e.GetMessage());
- retCode = CKM_API_ERROR_SERVER_ERROR;
- }
- return SerializeMessage(msgId, retCode);
+ return retCode;
+ }));
}
int CKMLogic::setPermissionHelper(
const ClientId &accessor,
const PermissionMask permissionMask)
{
- int retCode;
-
- try {
- retCode = setPermissionHelper(cred, name, explicitOwner, accessor, permissionMask);
- } catch (const Exc::Exception &e) {
- retCode = e.error();
- } catch (const CKM::Exception &e) {
- LogError("Error: " << e.GetMessage());
- retCode = CKM_API_ERROR_DB_ERROR;
- }
-
- return SerializeMessage(msgID, retCode);
+ return SerializeMessage(msgID, tryRet([&] {
+ return setPermissionHelper(cred, name, explicitOwner, accessor, permissionMask);
+ }));
}
} // namespace CKM
projects / platform / core / security / key-manager.git / commitdiff