Unify alias naming 21/184821/6
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Thu, 19 Jul 2018 14:31:27 +0000 (16:31 +0200)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Tue, 28 Aug 2018 13:18:39 +0000 (13:18 +0000)
Get rid of all references to smack labels except database scheme.
alias = owner_id + name
Simplify db permissions processing

Change-Id: I36c3dbb3ee605fb00e5e4e6bcbada6400a0cbcab

54 files changed:
src/CMakeLists.txt
src/include/ckm/ckm-control.h
src/include/ckm/ckm-manager-async.h
src/include/ckm/ckm-manager.h
src/include/ckm/ckm-type.h
src/include/ckmc/ckmc-control.h
src/manager/client-async/client-manager-async-impl.cpp
src/manager/client-async/client-manager-async-impl.h
src/manager/client-async/client-manager-async.cpp
src/manager/client-async/storage-receiver.cpp
src/manager/client-capi/ckmc-control.cpp
src/manager/client-capi/ckmc-type.cpp
src/manager/client/client-common.cpp
src/manager/client/client-common.h
src/manager/client/client-control.cpp
src/manager/client/client-manager-impl.cpp
src/manager/client/client-manager-impl.h
src/manager/client/client-manager.cpp
src/manager/common/protocols.cpp
src/manager/common/protocols.h
src/manager/initial-values/InitialValueHandler.cpp
src/manager/initial-values/PermissionHandler.cpp
src/manager/initial-values/PermissionHandler.h
src/manager/main/credentials.h
src/manager/main/service-messages.h
src/manager/main/socket-2-id.cpp
src/manager/main/socket-2-id.h
src/manager/main/socket-manager.cpp
src/manager/service/access-control.cpp
src/manager/service/access-control.h
src/manager/service/ckm-logic.cpp
src/manager/service/ckm-logic.h
src/manager/service/ckm-service.cpp
src/manager/service/crypto-logic.cpp
src/manager/service/crypto-logic.h
src/manager/service/crypto-request.h
src/manager/service/db-crypto.cpp
src/manager/service/db-crypto.h
src/manager/service/db-row.h
src/manager/service/encryption-service.cpp
src/manager/service/file-system.cpp
src/manager/service/file-system.h
src/manager/service/key-provider.cpp
src/manager/service/key-provider.h
src/manager/service/permission.cpp [new file with mode: 0644]
src/manager/service/permission.h
tests/DBFixture.cpp
tests/DBFixture.h
tests/encryption-scheme/scheme-test.cpp
tests/secure-storage-old-data/README
tests/test_crypto-logic.cpp
tests/test_db_crypto.cpp
tests/test_key-provider.cpp
tools/ckm_db_tool/CMakeLists.txt

index a4943c8..c24850a 100644 (file)
@@ -61,6 +61,7 @@ SET(KEY_MANAGER_SOURCES
     ${KEY_MANAGER_PATH}/service/ocsp-service.cpp
     ${KEY_MANAGER_PATH}/service/ss-migrate.cpp
     ${KEY_MANAGER_PATH}/service/ss-crypto.cpp
+    ${KEY_MANAGER_PATH}/service/permission.cpp
     ${KEY_MANAGER_PATH}/initial-values/parser.cpp
     ${KEY_MANAGER_PATH}/initial-values/BufferHandler.cpp
     ${KEY_MANAGER_PATH}/initial-values/CertHandler.cpp
index dd36f9d..51b8256 100644 (file)
@@ -57,15 +57,15 @@ public:
 
        // Required for tizen 2.3.
        // It will remove all application data owned by application identified
-       // by smackLabel. This function will remove application data from unlocked
+       // by owner. This function will remove application data from unlocked
        // database only. This function may be used during application uninstallation.
-       virtual int removeApplicationData(const std::string &smackLabel) = 0;
+       virtual int removeApplicationData(const ClientId &owner) = 0;
 
        virtual int updateCCMode() = 0;
 
        virtual int setPermission(uid_t user,
                                                          const Alias &alias,
-                                                         const Label &accessor,
+                                                         const ClientId &accessor,
                                                          PermissionMask permissionMask) = 0;
 
        virtual ~Control() {}
index f812aea..e8fabaa 100644 (file)
@@ -193,7 +193,7 @@ public:
        void setPermission(
                const ObserverPtr &observer,
                const Alias &alias,
-               const Label &accessor,
+               const ClientId &accessor,
                PermissionMask permissionMask);
 
        // This function will encrypt data.
index 8f67384..22ec9a5 100644 (file)
@@ -143,7 +143,7 @@ public:
        int ocspCheck(const CertificateShPtrVector &certificateChainVector,
                                  int &ocspStatus);
 
-       int setPermission(const Alias &alias, const Label &accessor,
+       int setPermission(const Alias &alias, const ClientId &accessor,
                                          PermissionMask permissionMask);
 
        // This function will encrypt data.
index 5a07a3d..5021f26 100644 (file)
@@ -38,8 +38,18 @@ namespace CKM {
 
 // used to pass password and raw key data
 typedef std::vector<RawBuffer> RawBufferVector;
+/*
+ * Alias = ClientId + ' ' + Name
+ * ClientId is optional
+ */
 typedef std::string Alias;
-typedef std::string Label;
+/*
+ * ClientId is an identifier of the API caller returned by security-manager(pkgid).
+ * It can be an application or a system component.
+ * Depending on the context the ClientId may indicate a data owner, data accessor
+ * or just a client in general.
+ */
+typedef std::string ClientId;
 typedef std::vector<Alias> AliasVector;
 
 enum class KeyType : int {
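Review bot: The new comment on `Alias` writes the separator as a literal `' '`, while the split and join code elsewhere in this change goes through `CKM::ALIAS_SEPARATOR`, whose value is not shown in this hunk. The comment should name the constant so the two cannot drift apart, for example `Alias = [ClientId + ALIAS_SEPARATOR +] Name; without a separator the owner is empty`. `Alias` and `ClientId` are both still plain `std::string` typedefs, so an owner, an accessor and a full alias passed in the wrong order (to `setPermission`, say) compile without complaint. Since the type cannot express those roles, the `ClientId` comment is a good place to spell out which one each API parameter carries.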
index 687deb1..459c480 100644 (file)
@@ -218,14 +218,15 @@ TIZEN_DEPRECATED_API;
  * @privilege %http://tizen.org/privilege/keymanager.admin
  *
  * @remarks Data identified by @a alias should exist
- * @remarks @a alias must contain owner label (<owner label><ckmc_owner_id_separator><name>)
- *
- * @param[in] user        User ID of a user whose data will be affected
- * @param[in] alias       Data alias for which access will be granted
- * @param[in] accessor    Package id of the application that will gain access rights
- * @param[in] permissions Mask of permissions granted for @a accessor application
- *                        (@a ckmc_permission_e)
- *                        (previous permission mask will be replaced with the new mask value)
+ * @remarks @a alias must contain owner id and name
+ *          (<owner id><ckmc_owner_id_separator><name>)
+ *
+ * @param[in] user      User ID of a user whose data will be affected
+ * @param[in] alias     Data alias for which access will be granted
+ * @param[in] accessor  Package id of the application that will gain access rights
+ * @param[in] mask      Mask of permissions granted for @a accessor application
+ *                      (@a ckmc_permission_e)
+ *                      (previous permission mask will be replaced with the new mask value)
  *
  * @return @c 0 on success, otherwise a negative error value
  *
index 3837771..74f14f9 100644 (file)
@@ -96,7 +96,7 @@ void ManagerAsync::Impl::saveBinaryData(const ManagerAsync::ObserverPtr
                AliasSupport helper(alias);
 
                sendToStorage(observer, static_cast<int>(LogicCommand::SAVE), m_counter,
-                                         static_cast<int>(dataType), helper.getName(), helper.getLabel(), rawData,
+                                         static_cast<int>(dataType), helper.getName(), helper.getOwner(), rawData,
                                          PolicySerializable(policy));
        }, [&observer](int error) {
                observer->ReceivedError(error);
@@ -112,7 +112,7 @@ void ManagerAsync::Impl::savePKCS12(const ManagerAsync::ObserverPtr &observer,
        try_catch_async([&]() {
                AliasSupport helper(alias);
                sendToStorage(observer, static_cast<int>(LogicCommand::SAVE_PKCS12),
-                                         m_counter, helper.getName(), helper.getLabel(), PKCS12Serializable(*pkcs.get()),
+                                         m_counter, helper.getName(), helper.getOwner(), PKCS12Serializable(*pkcs.get()),
                                          PolicySerializable(keyPolicy), PolicySerializable(certPolicy));
        }, [&observer](int error) {
                observer->ReceivedError(error);
@@ -132,7 +132,7 @@ void ManagerAsync::Impl::removeAlias(const ManagerAsync::ObserverPtr &observer,
        try_catch_async([&]() {
                AliasSupport helper(alias);
                sendToStorage(observer, static_cast<int>(LogicCommand::REMOVE), m_counter,
-                                         helper.getName(), helper.getLabel());
+                                         helper.getName(), helper.getOwner());
        }, [&observer](int error) {
                observer->ReceivedError(error);
        });
@@ -155,7 +155,7 @@ void ManagerAsync::Impl::getBinaryData(const ManagerAsync::ObserverPtr
                AliasSupport helper(alias);
 
                sendToStorage(observer, static_cast<int>(LogicCommand::GET), m_counter,
-                                         static_cast<int>(sendDataType), helper.getName(), helper.getLabel(), password);
+                                         static_cast<int>(sendDataType), helper.getName(), helper.getOwner(), password);
        }, [&observer](int error) {
                observer->ReceivedError(error);
        });
@@ -177,7 +177,7 @@ void ManagerAsync::Impl::getPKCS12(const ManagerAsync::ObserverPtr &observer,
                AliasSupport helper(alias);
 
                sendToStorage(observer, static_cast<int>(LogicCommand::GET_PKCS12), m_counter,
-                                         helper.getName(), helper.getLabel(), passwordKey, passwordCert);
+                                         helper.getName(), helper.getOwner(), passwordKey, passwordCert);
        }, [&observer](int error) {
                observer->ReceivedError(error);
        });
@@ -199,7 +199,7 @@ void ManagerAsync::Impl::createSignature(const ObserverPtr &observer,
        try_catch_async([&]() {
                AliasSupport helper(privateKeyAlias);
                sendToStorage(observer, static_cast<int>(LogicCommand::CREATE_SIGNATURE),
-                                         m_counter, helper.getName(), helper.getLabel(), password, message,
+                                         m_counter, helper.getName(), helper.getOwner(), password, message,
                                          CryptoAlgorithmSerializable(cAlg));
        }, [&observer](int error) {
                observer->ReceivedError(error);
@@ -224,7 +224,7 @@ void ManagerAsync::Impl::verifySignature(const ObserverPtr &observer,
                AliasSupport helper(publicKeyOrCertAlias);
 
                sendToStorage(observer, static_cast<int>(LogicCommand::VERIFY_SIGNATURE),
-                                         m_counter, helper.getName(), helper.getLabel(), password,
+                                         m_counter, helper.getName(), helper.getOwner(), password,
                                          message, signature, CryptoAlgorithmSerializable(cAlg));
        }, [&observer](int error) {
                observer->ReceivedError(error);
@@ -263,7 +263,7 @@ void ManagerAsync::Impl::ocspCheck(const ObserverPtr &observer,
 
 void ManagerAsync::Impl::setPermission(const ObserverPtr &observer,
                                                                           const Alias &alias,
-                                                                          const Label &accessor,
+                                                                          const ClientId &accessor,
                                                                           PermissionMask permissionMask)
 {
        observerCheck(observer);
@@ -277,7 +277,7 @@ void ManagerAsync::Impl::setPermission(const ObserverPtr &observer,
                AliasSupport helper(alias);
 
                sendToStorage(observer, static_cast<int>(LogicCommand::SET_PERMISSION),
-                                         m_counter, helper.getName(), helper.getLabel(), accessor, permissionMask);
+                                         m_counter, helper.getName(), helper.getOwner(), accessor, permissionMask);
        }, [&observer](int error) {
                observer->ReceivedError(error);
        });
@@ -346,8 +346,8 @@ void ManagerAsync::Impl::createKeyPair(const ManagerAsync::ObserverPtr
                sendToStorage(observer, static_cast<int>(LogicCommand::CREATE_KEY_PAIR),
                                          m_counter, CryptoAlgorithmSerializable(keyGenAlgorithm),
                                          PolicySerializable(policyPrivateKey), PolicySerializable(policyPublicKey),
-                                         prvHelper.getName(), prvHelper.getLabel(), pubHelper.getName(),
-                                         pubHelper.getLabel());
+                                         prvHelper.getName(), prvHelper.getOwner(), pubHelper.getName(),
+                                         pubHelper.getOwner());
        }, [&observer](int error) {
                observer->ReceivedError(error);
        });
@@ -370,7 +370,7 @@ void ManagerAsync::Impl::createKeyAES(const ManagerAsync::ObserverPtr &observer,
 
                sendToStorage(observer, static_cast<int>(LogicCommand::CREATE_KEY_AES),
                                          m_counter, static_cast<int>(size), PolicySerializable(policyKey),
-                                         aliasHelper.getName(), aliasHelper.getLabel());
+                                         aliasHelper.getName(), aliasHelper.getOwner());
        }, [&observer](int error) {
                observer->ReceivedError(error);
        });
@@ -403,7 +403,7 @@ void ManagerAsync::Impl::crypt(
 
                auto send = MessageBuffer::Serialize(static_cast<int>(encryption ?
                                                                                         EncryptionCommand::ENCRYPT : EncryptionCommand::DECRYPT), m_counter, cas,
-                                                                                        helper.getName(), helper.getLabel(), password, input);
+                                                                                        helper.getName(), helper.getOwner(), password, input);
 
                thread()->sendMessage(AsyncRequest(observer, SERVICE_SOCKET_ENCRYPTION,
                                                                                   send.Pop(), m_counter));
index 65f4970..96c1051 100644 (file)
@@ -80,7 +80,7 @@ public:
        void setPermission(
                const ObserverPtr &observer,
                const Alias &alias,
-               const Label &accessor,
+               const ClientId &accessor,
                PermissionMask permissionMask);
 
        // generic methods
index 471c848..6227b8d 100644 (file)
@@ -39,16 +39,16 @@ RawBufferVector toRawBufferVector(const CertificateShPtrVector &certificates)
        return rawBufferVector;
 }
 
-LabelNameVector toLabelNameVector(const AliasVector &aliases)
+OwnerNameVector toOwnerNameVector(const AliasVector &aliases)
 {
-       LabelNameVector labelNames;
+       OwnerNameVector ownerNameVector;
 
        for (auto &e : aliases) {
                AliasSupport helper(e);
-               labelNames.push_back(std::make_pair(helper.getLabel(), helper.getName()));
+               ownerNameVector.push_back(std::make_pair(helper.getOwner(), helper.getName()));
        }
 
-       return labelNames;
+       return ownerNameVector;
 }
 
 } // namespace anonymous
@@ -235,8 +235,8 @@ void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
                m_impl->getCertChain(observer,
                                                         LogicCommand::GET_CHAIN_ALIAS,
                                                         certificate,
-                                                        toLabelNameVector(untrustedCertificates),
-                                                        toLabelNameVector(trustedCertificates),
+                                                        toOwnerNameVector(untrustedCertificates),
+                                                        toOwnerNameVector(trustedCertificates),
                                                         useSystemTrustedCertificates);
        }, [&observer](int error) {
                observer->ReceivedError(error);
@@ -279,7 +279,7 @@ void ManagerAsync::ocspCheck(const ObserverPtr &observer,
 
 void ManagerAsync::setPermission(const ObserverPtr &observer,
                                                                 const Alias &alias,
-                                                                const Label &accessor,
+                                                                const ClientId &accessor,
                                                                 PermissionMask permissionMask)
 {
        m_impl->setPermission(observer, alias, accessor, permissionMask);
index ad25917..e282dfa 100644 (file)
@@ -153,8 +153,8 @@ void StorageReceiver::parseGetPKCS12Command()
 void StorageReceiver::parseGetListCommand()
 {
        int dataType = 0, retCode = 0;
-       LabelNameVector labelNameVector;
-       m_buffer.Deserialize(retCode, dataType, labelNameVector);
+       OwnerNameVector ownerNameVector;
+       m_buffer.Deserialize(retCode, dataType, ownerNameVector);
 
        // check error code
        if (retCode != CKM_API_SUCCESS) {
@@ -164,7 +164,7 @@ void StorageReceiver::parseGetListCommand()
 
        AliasVector aliasVector;
 
-       for (const auto &it : labelNameVector)
+       for (const auto &it : ownerNameVector)
                aliasVector.push_back(AliasSupport::merge(it.first, it.second));
 
        DataType type(dataType);
index ff3d603..2ee1438 100644 (file)
@@ -95,9 +95,9 @@ int ckmc_allow_access_by_adm(uid_t user, const char *owner, const char *alias,
        if (ec != CKMC_ERROR_NONE)
                return ec;
 
-       // if label given twice, service will return an error
+       // if owner given twice, service will return an error
        return ckmc_set_permission_by_adm(user,
-                                                                         CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(), accessor,
+                                                                         CKM::AliasSupport::merge(CKM::ClientId(owner), CKM::Name(alias)).c_str(), accessor,
                                                                          permissionMask);
 }
 
@@ -123,11 +123,11 @@ int ckmc_deny_access_by_adm(uid_t user, const char *owner, const char *alias,
        if (!owner || !alias)
                return CKMC_ERROR_INVALID_PARAMETER;
 
-       // if label given twice, service will return an error
+       // if owner given twice, service will return an error
        auto control = CKM::Control::create();
        return to_ckmc_error(control->setPermission(
                                                         user,
-                                                        CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(),
+                                                        CKM::AliasSupport::merge(CKM::ClientId(owner), CKM::Name(alias)).c_str(),
                                                         accessor,
                                                         CKM::Permission::NONE));
 }
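Review bot: `accessor` reaches `control->setPermission(...)`, which takes `const ClientId &`, without the NULL check that `owner` and `alias` get at the top of this hunk. If `accessor` is a `const char *` like the other two (its declaration is above the hunk), a NULL from the caller is converted to `std::string`, which is undefined behaviour in an admin-facing C entry point. The guard should read `if (!owner || !alias || !accessor)`. The first hunk of this file builds `CKM::ClientId(owner)` the same way in `ckmc_allow_access_by_adm`; whether its arguments are validated before that point is not visible there.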
index 926cbd4..a613d8d 100644 (file)
@@ -68,9 +68,9 @@ int _ckmc_load_cert_from_x509(X509 *xCert, ckmc_cert_s **cert)
 } // namespace anonymous
 
 
-const char *const ckmc_label_name_separator    = CKM::LABEL_NAME_SEPARATOR;
-const char *const ckmc_owner_id_separator      = CKM::LABEL_NAME_SEPARATOR;
-const char *const ckmc_owner_id_system         = CKM::OWNER_ID_SYSTEM;
+const char *const ckmc_label_name_separator    = CKM::ALIAS_SEPARATOR;
+const char *const ckmc_owner_id_separator      = CKM::ALIAS_SEPARATOR;
+const char *const ckmc_owner_id_system         = CKM::CLIENT_ID_SYSTEM;
 
 KEY_MANAGER_CAPI
 int ckmc_alias_new(const char *owner_id, const char *alias, char **full_alias)
index 312f334..bb9ad4d 100644 (file)
@@ -173,24 +173,24 @@ int SockRAII::get() const
 
 AliasSupport::AliasSupport(const Alias &alias)
 {
-       std::size_t separator_pos = alias.rfind(CKM::LABEL_NAME_SEPARATOR);
+       std::size_t separator_pos = alias.rfind(CKM::ALIAS_SEPARATOR);
 
        if (separator_pos == Alias::npos) {
-               m_label.clear();
+               m_owner.clear();
                m_name = alias;
        } else {
-               m_label = alias.substr(0, separator_pos);
-               m_name = alias.substr(separator_pos + strlen(CKM::LABEL_NAME_SEPARATOR));
+               m_owner = alias.substr(0, separator_pos);
+               m_name = alias.substr(separator_pos + strlen(CKM::ALIAS_SEPARATOR));
        }
 }
 
-Alias AliasSupport::merge(const Label &label, const Name &name)
+Alias AliasSupport::merge(const ClientId &owner, const Name &name)
 {
-       if (label.empty())
+       if (owner.empty())
                return name;
 
        std::stringstream output;
-       output << label << std::string(CKM::LABEL_NAME_SEPARATOR) << name;
+       output << owner << std::string(CKM::ALIAS_SEPARATOR) << name;
        return output.str();
 }
 
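Review bot: The `AliasSupport` constructor splits on the last `ALIAS_SEPARATOR` (`rfind`), but `merge()` joins owner and name without checking that either is free of the separator, so the two are not inverses. A name that contains the separator comes back from the constructor with part of it attached to the owner. Because the owner decides whose data a request addresses, that rule should be stated rather than implied, for example with a constructor comment `// owner = everything before the LAST separator; name must not contain ALIAS_SEPARATOR`, and callers of `merge()` could reject such names before serializing. Whether the service validates the pair again is not visible in this hunk.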
@@ -199,14 +199,14 @@ const Name &AliasSupport::getName() const
        return m_name;
 }
 
-const Label &AliasSupport::getLabel() const
+const ClientId &AliasSupport::getOwner() const
 {
-       return m_label;
+       return m_owner;
 }
 
-bool AliasSupport::isLabelEmpty() const
+bool AliasSupport::isOwnerEmpty() const
 {
-       return m_label.empty();
+       return m_owner.empty();
 }
 
 ServiceConnection::ServiceConnection(const char *service_interface)
index 442da37..cedb50e 100644 (file)
@@ -51,15 +51,15 @@ class AliasSupport {
 public:
        AliasSupport(const Alias &alias);
 
-       const Label &getLabel() const;
+       const ClientId &getOwner() const;
        const Name &getName() const;
-       bool isLabelEmpty() const;
+       bool isOwnerEmpty() const;
 
-       static Alias merge(const Label &label, const Name &alias);
+       static Alias merge(const ClientId &owner, const Name &alias);
 
 private:
        Name m_name;
-       Label m_label;
+       ClientId m_owner;
 };
 
 class SockRAII {
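Review bot: The second parameter of `merge` is still declared as `const Name &alias`, although it is the name part and the definition in client-common.cpp calls it `name`. In a change meant to unify this vocabulary the declaration should read `static Alias merge(const ClientId &owner, const Name &name);`. A one-line comment on the class saying that `getOwner()` is empty when the alias carries no owner part would also save readers a trip to the constructor. The class header is outside the hunk.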
index 9a90cad..e92c4d4 100644 (file)
@@ -161,16 +161,16 @@ public:
                EXCEPTION_GUARD_END
        }
 
-       virtual int removeApplicationData(const Label &smackLabel)
+       virtual int removeApplicationData(const ClientId &owner)
        {
                EXCEPTION_GUARD_START_CPPAPI
 
-               if (smackLabel.empty())
+               if (owner.empty())
                        return CKM_API_ERROR_INPUT_PARAM;
 
                MessageBuffer recv;
                auto send = MessageBuffer::Serialize(static_cast<int>
-                                                                                        (ControlCommand::REMOVE_APP_DATA), smackLabel);
+                                                                                        (ControlCommand::REMOVE_APP_DATA), owner);
 
                int retCode = m_controlConnection.processRequest(send.Pop(), recv);
 
@@ -206,7 +206,7 @@ public:
 
        virtual int setPermission(uid_t user,
                                                          const Alias &alias,
-                                                         const Label &accessor,
+                                                         const ClientId &accessor,
                                                          PermissionMask permissionMask)
        {
                EXCEPTION_GUARD_START_CPPAPI
@@ -217,7 +217,7 @@ public:
                                                                                         (ControlCommand::SET_PERMISSION),
                                                                                         static_cast<int>(user),
                                                                                         helper.getName(),
-                                                                                        helper.getLabel(),
+                                                                                        helper.getOwner(),
                                                                                         accessor,
                                                                                         permissionMask);
 
index fa4f5a9..7a81943 100644 (file)
@@ -118,7 +118,7 @@ int Manager::Impl::saveBinaryData(
                                                                                 my_counter,
                                                                                 static_cast<int>(dataType),
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 rawData,
                                                                                 PolicySerializable(policy));
 
@@ -194,7 +194,7 @@ int Manager::Impl::savePKCS12(
                                                                                 (LogicCommand::SAVE_PKCS12),
                                                                                 my_counter,
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 PKCS12Serializable(*pkcs.get()),
                                                                                 PolicySerializable(keyPolicy),
                                                                                 PolicySerializable(certPolicy));
@@ -236,7 +236,7 @@ int Manager::Impl::getPKCS12(const Alias &alias, const Password &keyPass,
        auto send = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_PKCS12),
                                                                                 my_counter,
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 keyPass,
                                                                                 certPass);
 
@@ -275,7 +275,7 @@ int Manager::Impl::removeAlias(const Alias &alias)
        auto send = MessageBuffer::Serialize(static_cast<int>(LogicCommand::REMOVE),
                                                                                 my_counter,
                                                                                 helper.getName(),
-                                                                                helper.getLabel());
+                                                                                helper.getOwner());
 
        int retCode = m_storageConnection.processRequest(send.Pop(), recv);
 
@@ -314,7 +314,7 @@ int Manager::Impl::getBinaryData(
                                                                                 my_counter,
                                                                                 static_cast<int>(sendDataType),
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 password);
 
        int retCode = m_storageConnection.processRequest(send.Pop(), recv);
@@ -439,14 +439,14 @@ int Manager::Impl::getBinaryDataAliasVector(DataType dataType,
        int command;
        int counter;
        int tmpDataType;
-       LabelNameVector labelNameVector;
-       recv.Deserialize(command, counter, retCode, tmpDataType, labelNameVector);
+       OwnerNameVector ownerNameVector;
+       recv.Deserialize(command, counter, retCode, tmpDataType, ownerNameVector);
 
        if ((command != static_cast<int>(LogicCommand::GET_LIST)) ||
                        (counter != my_counter))
                return CKM_API_ERROR_UNKNOWN;
 
-       for (const auto &it : labelNameVector)
+       for (const auto &it : ownerNameVector)
                aliasVector.push_back(AliasSupport::merge(it.first, it.second));
 
        return retCode;
@@ -523,7 +523,7 @@ int Manager::Impl::createKeyAES(
                                                                                 static_cast<int>(size),
                                                                                 PolicySerializable(policyKey),
                                                                                 aliasHelper.getName(),
-                                                                                aliasHelper.getLabel());
+                                                                                aliasHelper.getOwner());
 
        int retCode = m_storageConnection.processRequest(send.Pop(), recv);
 
@@ -592,9 +592,9 @@ int Manager::Impl::createKeyPair(
                                                                                 PolicySerializable(policyPrivateKey),
                                                                                 PolicySerializable(policyPublicKey),
                                                                                 privateHelper.getName(),
-                                                                                privateHelper.getLabel(),
+                                                                                privateHelper.getOwner(),
                                                                                 publicHelper.getName(),
-                                                                                publicHelper.getLabel());
+                                                                                publicHelper.getOwner());
 
        int retCode = m_storageConnection.processRequest(send.Pop(), recv);
 
@@ -656,20 +656,20 @@ int Manager::Impl::getCertificateChain(
        bool useTrustedSystemCertificates,
        CertificateShPtrVector &certificateChainVector)
 {
-       LabelNameVector untrustedVector;
-       LabelNameVector trustedVector;
+       OwnerNameVector untrustedVector;
+       OwnerNameVector trustedVector;
 
        if (!certificate || certificate->empty())
                return CKM_API_ERROR_INPUT_PARAM;
 
        for (auto &e : untrustedCertificates) {
                AliasSupport helper(e);
-               untrustedVector.push_back(std::make_pair(helper.getLabel(), helper.getName()));
+               untrustedVector.push_back(std::make_pair(helper.getOwner(), helper.getName()));
        }
 
        for (auto &e : trustedCertificates) {
                AliasSupport helper(e);
-               trustedVector.push_back(std::make_pair(helper.getLabel(), helper.getName()));
+               trustedVector.push_back(std::make_pair(helper.getOwner(), helper.getName()));
        }
 
        return getCertChain(
@@ -700,7 +700,7 @@ int Manager::Impl::createSignature(
                                                                                 (LogicCommand::CREATE_SIGNATURE),
                                                                                 my_counter,
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 password,
                                                                                 message,
                                                                                 CryptoAlgorithmSerializable(cAlgorithm));
@@ -740,7 +740,7 @@ int Manager::Impl::verifySignature(
                                                                                 (LogicCommand::VERIFY_SIGNATURE),
                                                                                 my_counter,
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 password,
                                                                                 message,
                                                                                 signature,
@@ -802,7 +802,7 @@ int Manager::Impl::ocspCheck(const CertificateShPtrVector &certChain,
 }
 
 int Manager::Impl::setPermission(const Alias &alias,
-                                                                const Label &accessor,
+                                                                const ClientId &accessor,
                                                                 PermissionMask permissionMask)
 {
        int my_counter = ++m_counter;
@@ -815,7 +815,7 @@ int Manager::Impl::setPermission(const Alias &alias,
                                                                                 (LogicCommand::SET_PERMISSION),
                                                                                 my_counter,
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 accessor,
                                                                                 permissionMask);
 
@@ -854,7 +854,7 @@ int Manager::Impl::crypt(EncryptionCommand command,
                                                                                 my_counter,
                                                                                 cas,
                                                                                 helper.getName(),
-                                                                                helper.getLabel(),
+                                                                                helper.getOwner(),
                                                                                 password,
                                                                                 input);
 
index ca8a617..caaf669 100644 (file)
@@ -115,7 +115,7 @@ public:
 
        int ocspCheck(const CertificateShPtrVector &certificateChain, int &ocspCheck);
 
-       int setPermission(const Alias &alias, const Label &accessor,
+       int setPermission(const Alias &alias, const ClientId &accessor,
                                          PermissionMask permissionMask);
 
        int encrypt(const CryptoAlgorithm &algo,
index c7f1319..073f829 100644 (file)
@@ -229,7 +229,7 @@ int Manager::ocspCheck(const CertificateShPtrVector &certificateChainVector,
 
 int Manager::setPermission(
        const Alias &alias,
-       const Label &accessor,
+       const ClientId &accessor,
        PermissionMask permissionMask)
 {
        return m_impl->setPermission(alias, accessor, permissionMask);
index 8cf6572..d846ca4 100644 (file)
@@ -38,9 +38,9 @@ char const *const SERVICE_SOCKET_OCSP =
        "/tmp/.central-key-manager-api-ocsp.sock";
 char const *const SERVICE_SOCKET_ENCRYPTION =
        "/tmp/.central-key-manager-api-encryption.sock";
-char const *const LABEL_NAME_SEPARATOR = " ";
-char const *const OWNER_ID_SYSTEM = "/System";
-char const *const OWNER_ID_ADMIN_USER = "/User";
+char const *const ALIAS_SEPARATOR = " ";
+char const *const CLIENT_ID_SYSTEM = "/System";
+char const *const CLIENT_ID_ADMIN_USER = "/User";
 
 PKCS12Serializable::PKCS12Serializable()
 {
index e8be62b..8f7ec0e 100644 (file)
@@ -73,13 +73,13 @@ enum class EncryptionCommand : int {
        DECRYPT
 };
 
-// (client side) Alias = (service side) Label::Name
-COMMON_API extern char const *const LABEL_NAME_SEPARATOR;
-COMMON_API extern char const *const OWNER_ID_SYSTEM;
-COMMON_API extern char const *const OWNER_ID_ADMIN_USER;
+// (client side) Alias = (service side) Owner::Name
+COMMON_API extern char const *const ALIAS_SEPARATOR;
+COMMON_API extern char const *const CLIENT_ID_SYSTEM;
+COMMON_API extern char const *const CLIENT_ID_ADMIN_USER;
 
 typedef std::string Name;
-typedef std::vector<std::pair<Label, Name>> LabelNameVector;
+typedef std::vector<std::pair<ClientId, Name>> OwnerNameVector;
 
 class IStream;
 
index c4bcd92..cd92dd6 100644 (file)
@@ -87,9 +87,9 @@ void InitialValueHandler::End()
        // save permissions
        for (const auto &permission : m_permissions) {
                ec = m_db_logic.setPermissionHelper(
-                                Credentials(CKMLogic::SYSTEM_DB_UID, OWNER_ID_SYSTEM),
+                                Credentials(CKMLogic::SYSTEM_DB_UID, CLIENT_ID_SYSTEM),
                                 m_name,
-                                OWNER_ID_SYSTEM,
+                                CLIENT_ID_SYSTEM,
                                 permission->getAccessor(),
                                 Permission::READ);
 
index 0a7f523..7efc3e9 100644 (file)
@@ -34,9 +34,9 @@ PermissionHandler::~PermissionHandler() {}
 
 void PermissionHandler::Start(const XML::Parser::Attributes &attr)
 {
-       // get accessor label
+       // get accessor id
        if (attr.find(XML_ATTR_ACCESSOR) != attr.end())
-               m_accessor = Label(attr.at(XML_ATTR_ACCESSOR));
+               m_accessor = ClientId(attr.at(XML_ATTR_ACCESSOR));
 }
 
 void PermissionHandler::End()
index d84ecb2..acef23c 100644 (file)
@@ -39,13 +39,13 @@ public:
        virtual void Start(const XML::Parser::Attributes &);
        virtual void End();
 
-       const Label &getAccessor() const
+       const ClientId &getAccessor() const
        {
                return m_accessor;
        }
 
 private:
-       Label m_accessor;
+       ClientId m_accessor;
 };
 
 }
index bae9c85..916e4eb 100644 (file)
@@ -28,10 +28,10 @@ namespace CKM {
 
 struct Credentials {
        Credentials() : clientUid(0) {}
-       Credentials(uid_t socketUid, const Label &socketLabel)
-               : clientUid(socketUid), smackLabel(socketLabel) {}
+       Credentials(uid_t socketUid, const ClientId &client)
+               : clientUid(socketUid), client(client) {}
        uid_t clientUid;
-       Label smackLabel;
+       ClientId client;
 };
 
 } // namespace CKM
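Review bot: The new constructor takes `const ClientId &client` and copies it into the member, so the `std::move(client)` in socket-manager.cpp (getCredentialsFromSocket) still ends in a copy. Assuming ClientId is a string-like type, taking it by value and moving avoids that: `Credentials(uid_t socketUid, ClientId client) : clientUid(socketUid), client(std::move(client)) {}`. The parameter also shadows the member of the same name, which is legal in the initializer list but easy to misread, so a distinct name such as `clientId` would be clearer.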
index 0815f6d..dbe7648 100644 (file)
@@ -44,12 +44,17 @@ struct MsgBase {
 // key request
 struct MsgKeyRequest : public MsgBase {
        MsgKeyRequest(int id, const Credentials &cred, const Name &name,
-                                 const Label &label, const Password &password) :
-               MsgBase(id), cred(cred), name(name), label(label), password(password) {}
+                                 const ClientId &explicitOwner, const Password &password) :
+               MsgBase(id),
+               cred(cred),
+               name(name),
+               explicitOwner(explicitOwner),
+               password(password)
+       {}
 
        Credentials cred;
        Name name;
-       Label label;
+       ClientId explicitOwner;
        Password password;
 };
 
index ea0b50a..8d4f712 100644 (file)
@@ -96,15 +96,15 @@ int Socket2Id::getCredentialsFromSocket(int sock, std::string &res)
        return assignToString(result, length, res);
 }
 
-void Socket2Id::mapToDomainLabel(std::string &label)
+void Socket2Id::mapToDomainClient(std::string &pkgId)
 {
        static const std::string subdomainSep = "::";
-       static const auto systemLabelLen = strlen(OWNER_ID_SYSTEM);
+       static const auto systemClientLen = strlen(CLIENT_ID_SYSTEM);
 
-       if (label.length() > systemLabelLen + subdomainSep.length() &&
-               label.compare(0, systemLabelLen, OWNER_ID_SYSTEM) == 0 &&
-               label.compare(systemLabelLen, subdomainSep.length(), subdomainSep) == 0) {
-               label = OWNER_ID_SYSTEM;
+       if (pkgId.length() > systemClientLen + subdomainSep.length() &&
+               pkgId.compare(0, systemClientLen, CLIENT_ID_SYSTEM) == 0 &&
+               pkgId.compare(systemClientLen, subdomainSep.length(), subdomainSep) == 0) {
+               pkgId = CLIENT_ID_SYSTEM;
        }
 }
 
@@ -138,7 +138,7 @@ int Socket2Id::translate(int sock, std::string &result)
                pkgId = "/" + smack;
        }
 
-       mapToDomainLabel(pkgId);
+       mapToDomainClient(pkgId);
 
        result = pkgId;
        m_stringMap.emplace(std::move(smack), std::move(pkgId));
index 3e970c2..754683d 100644 (file)
@@ -36,7 +36,7 @@ public:
 
 private:
        int getCredentialsFromSocket(int sock, std::string &res);
-       void mapToDomainLabel(std::string &label);
+       void mapToDomainClient(std::string &label);
 
        typedef std::map<std::string, std::string> StringMap;
        StringMap m_stringMap;
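Review bot: The declaration still names the parameter `label` (`void mapToDomainClient(std::string &label);`), while the definition in socket-2-id.cpp was renamed to `pkgId`. Since the commit sets out to drop label wording, the declaration should match: `void mapToDomainClient(std::string &pkgId);`. A one-line comment here would also help, for example `// collapses "/System::<subdomain>" ids to CLIENT_ID_SYSTEM`. That mapping feeds the client id later compared against the owner in the access checks, so it is worth making visible in the header.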
index ee5a0bf..db3f2a6 100644 (file)
@@ -51,9 +51,9 @@ const time_t SOCKET_TIMEOUT = 1000;
 int getCredentialsFromSocket(int sock, CKM::Credentials &cred)
 {
        static CKM::Socket2Id sock2id;
-       std::string ownerId;
+       CKM::ClientId client;
 
-       if (0 > sock2id.translate(sock, ownerId))
+       if (0 > sock2id.translate(sock, client))
                return -1;
 
        ucred peerCred;
@@ -64,7 +64,7 @@ int getCredentialsFromSocket(int sock, CKM::Credentials &cred)
                return -1;
        }
 
-       cred = CKM::Credentials(peerCred.uid, std::move(ownerId));
+       cred = CKM::Credentials(peerCred.uid, std::move(client));
        return 0;
 }
 
index 95cd3a3..0704147 100644 (file)
@@ -65,12 +65,12 @@ bool AccessControl::isSystemService(const CKM::Credentials &cred) const
 
 int AccessControl::canSave(
        const CKM::Credentials &accessorCred,
-       const Label &ownerLabel) const
+       const ClientId &owner) const
 {
        if (isSystemService(accessorCred))
                return CKM_API_SUCCESS;
 
-       if (ownerLabel != accessorCred.smackLabel)
+       if (owner != accessorCred.client)
                return CKM_API_ERROR_ACCESS_DENIED;
 
        return CKM_API_SUCCESS;
@@ -78,19 +78,19 @@ int AccessControl::canSave(
 
 int AccessControl::canModify(
        const CKM::Credentials &accessorCred,
-       const Label &ownerLabel) const
+       const ClientId &owner) const
 {
-       return canSave(accessorCred, ownerLabel);
+       return canSave(accessorCred, owner);
 }
 
 int AccessControl::canRead(
        const CKM::Credentials &accessorCred,
-       const PermissionForLabel &permissionLabel) const
+       const PermissionMask &existingPermission) const
 {
        if (isSystemService(accessorCred))
                return CKM_API_SUCCESS;
 
-       if (permissionLabel & Permission::READ)
+       if (existingPermission & Permission::READ)
                return CKM_API_SUCCESS;
 
        return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
@@ -99,11 +99,11 @@ int AccessControl::canRead(
 int AccessControl::canExport(
        const CKM::Credentials &accessorCred,
        const DB::Row &row,
-       const PermissionForLabel &permissionLabel) const
+       const PermissionMask &existingPermission) const
 {
        int ec;
 
-       if (CKM_API_SUCCESS != (ec = canRead(accessorCred, permissionLabel)))
+       if (CKM_API_SUCCESS != (ec = canRead(accessorCred, existingPermission)))
                return ec;
 
        // check if can export
@@ -119,15 +119,15 @@ int AccessControl::canExport(
 
 int AccessControl::canDelete(
        const CKM::Credentials &accessorCred,
-       const PermissionForLabel &permissionLabel) const
+       const PermissionMask &existingPermission) const
 {
        if (isSystemService(accessorCred))
                return CKM_API_SUCCESS;
 
-       if (permissionLabel & Permission::REMOVE)
+       if (existingPermission & Permission::REMOVE)
                return CKM_API_SUCCESS;
 
-       if (permissionLabel & Permission::READ)
+       if (existingPermission & Permission::READ)
                return CKM_API_ERROR_ACCESS_DENIED;
 
        return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
index f5c2fea..4488b92 100644 (file)
@@ -43,21 +43,21 @@ public:
         * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code
         */
        int canSave(const CKM::Credentials &accessorCred,
-                               const Label &ownerLabel) const;
+                               const ClientId &owner) const;
 
        /**
-        * check if given label can be modified by accessor
+        * check if given data can be modified by accessor
         * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code
         */
        int canModify(const CKM::Credentials &accessorCred,
-                                 const Label &ownerLabel) const;
+                                 const ClientId &owner) const;
 
        /**
         * check if given row can be read (for internal use)
         * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code
         */
        int canRead(const CKM::Credentials &accessorCred,
-                               const PermissionForLabel &permissionLabel) const;
+                               const PermissionMask &existingPermission) const;
 
        /**
         * check if given row can be exported (data provided to the client)
@@ -65,14 +65,14 @@ public:
         */
        int canExport(const CKM::Credentials &accessorCred,
                                  const DB::Row &row,
-                                 const PermissionForLabel &permissionLabel) const;
+                                 const PermissionMask &existingPermission) const;
 
        /**
-        * check if given accessor can delete ownerLabel's items.
+        * check if given accessor can delete owner's items.
         * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code
         */
        int canDelete(const CKM::Credentials &accessorCred,
-                                 const PermissionForLabel &permissionLabel) const;
+                                 const PermissionMask &existingPermission) const;
 
        void updateCCMode();
        bool isCCMode() const;
index 7d976a9..635f8b9 100644 (file)
@@ -39,10 +39,9 @@ namespace {
 const char *const CERT_SYSTEM_DIR          = CA_CERTS_DIR;
 const char *const SYSTEM_DB_PASSWD         = "cAtRugU7";
 
-bool isLabelValid(const CKM::Label &label)
+bool isClientValid(const CKM::ClientId &client)
 {
-       // TODO: copy code from libprivilege control (for check smack label)
-       if (label.find(CKM::LABEL_NAME_SEPARATOR) != CKM::Label::npos)
+       if (client.find(CKM::ALIAS_SEPARATOR) != CKM::ClientId::npos)
                return false;
 
        return true;
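Review bot: `isClientValid` rejects only ids that contain `ALIAS_SEPARATOR`, and with the TODO removed nothing records that the validation is still minimal. An empty id passes, and so does one containing control characters or newlines. The value is then used as the owner key in database lookups and streamed into `LogDebug` in checkSaveConditions. Either keep a marker such as `// TODO: restrict ClientId to the character set Socket2Id::translate can produce`, or add `if (client.empty()) return false;` if no caller relies on an empty owner reaching this check. The closing brace of the function is outside the hunk.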
@@ -50,7 +49,7 @@ bool isLabelValid(const CKM::Label &label)
 
 bool isNameValid(const CKM::Name &name)
 {
-       if (name.find(CKM::LABEL_NAME_SEPARATOR) != CKM::Name::npos)
+       if (name.find(CKM::ALIAS_SEPARATOR) != CKM::Name::npos)
                return false;
 
        return true;
@@ -102,7 +101,7 @@ void CKMLogic::migrateSecureStorageData(bool isAdminUser)
                                                                                         const Crypto::Data &data,
                                                                                         bool adminUserFlag) {
                LogInfo("Migrate data called with  name: " << name);
-               auto ownerId = adminUserFlag ? OWNER_ID_ADMIN_USER : OWNER_ID_SYSTEM;
+               auto ownerId = adminUserFlag ? CLIENT_ID_ADMIN_USER : CLIENT_ID_SYSTEM;
                auto uid = adminUserFlag ? ADMIN_USER_DB_UID : SYSTEM_DB_UID;
 
                int ret = verifyAndSaveDataHelper(Credentials(uid, ownerId), name, ownerId, data,
@@ -144,11 +143,11 @@ int CKMLogic::unlockDatabase(uid_t user, const Password &password)
 
                if (!m_accessControl.isSystemService(user)) {
                        // remove data of removed apps during locked state
-                       AppLabelVector removedApps = fs.clearRemovedsApps();
+                       ClientIdVector removedApps = fs.clearRemovedsApps();
 
-                       for (auto &appSmackLabel : removedApps) {
-                               handle.crypto.removeKey(appSmackLabel);
-                               handle.database.deleteKey(appSmackLabel);
+                       for (auto &app : removedApps) {
+                               handle.crypto.removeKey(app);
+                               handle.database.deleteKey(app);
                        }
                }
 
@@ -175,21 +174,21 @@ int CKMLogic::unlockSystemDB()
 }
 
 UserData &CKMLogic::selectDatabase(const Credentials &cred,
-                                                                  const Label &incoming_label)
+                                                                  const ClientId &explicitOwner)
 {
        // if user trying to access system service - check:
        //    * if user database is unlocked [mandatory]
        //    * if not - proceed with regular user database
-       //    * if explicit system database label given -> switch to system DB
+       //    * if explicit system database owner given -> switch to system DB
        if (!m_accessControl.isSystemService(cred)) {
                if (0 == m_userDataMap.count(cred.clientUid))
                        ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked");
 
-               if (0 != incoming_label.compare(OWNER_ID_SYSTEM))
+               if (0 != explicitOwner.compare(CLIENT_ID_SYSTEM))
                        return m_userDataMap[cred.clientUid];
        }
 
-       // system database selected, modify the label
+       // system database selected, modify the owner id
        if (CKM_API_SUCCESS != unlockSystemDB())
                ThrowErr(Exc::DatabaseLocked, "can not unlock system database");
 
@@ -316,12 +315,12 @@ RawBuffer CKMLogic::resetUserPassword(
        return MessageBuffer::Serialize(retCode).Pop();
 }
 
-RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel)
+RawBuffer CKMLogic::removeApplicationData(const ClientId &owner)
 {
        int retCode = CKM_API_SUCCESS;
 
        try {
-               if (smackLabel.empty()) {
+               if (owner.empty()) {
                        retCode = CKM_API_ERROR_INPUT_PARAM;
                } else {
                        UidVector uids = FileSystem::getUIDsFromDBFile();
@@ -329,11 +328,11 @@ RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel)
                        for (auto userId : uids) {
                                if (0 == m_userDataMap.count(userId)) {
                                        FileSystem fs(userId);
-                                       fs.addRemovedApp(smackLabel);
+                                       fs.addRemovedApp(owner);
                                } else {
                                        auto &handle = m_userDataMap[userId];
-                                       handle.crypto.removeKey(smackLabel);
-                                       handle.database.deleteKey(smackLabel);
+                                       handle.crypto.removeKey(owner);
+                                       handle.database.deleteKey(owner);
                                }
                        }
                }
@@ -348,47 +347,47 @@ RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel)
 }
 
 int CKMLogic::checkSaveConditions(
-       const Credentials &cred,
+       const Credentials &accessorCred,
        UserData &handler,
        const Name &name,
-       const Label &ownerLabel)
+       const ClientId &owner)
 {
-       // verify name and label are correct
-       if (!isNameValid(name) || !isLabelValid(ownerLabel)) {
+       // verify name and client are correct
+       if (!isNameValid(name) || !isClientValid(owner)) {
                LogDebug("Invalid parameter passed to key-manager");
                return CKM_API_ERROR_INPUT_PARAM;
        }
 
-       // check if allowed to save using ownerLabel
-       int access_ec = m_accessControl.canSave(cred, ownerLabel);
+       // check if accessor is allowed to save owner's items
+       int access_ec = m_accessControl.canSave(accessorCred, owner);
 
        if (access_ec != CKM_API_SUCCESS) {
-               LogDebug("label " << cred.smackLabel << " can not save rows using label " <<
-                                ownerLabel);
+               LogDebug("accessor " << accessorCred.client << " can not save rows owned by " <<
+                                owner);
                return access_ec;
        }
 
        // check if not a duplicate
-       if (handler.database.isNameLabelPresent(name, ownerLabel))
+       if (handler.database.isNameOwnerPresent(name, owner))
                return CKM_API_ERROR_DB_ALIAS_EXISTS;
 
        // encryption section
-       if (!handler.crypto.haveKey(ownerLabel)) {
+       if (!handler.crypto.haveKey(owner)) {
                RawBuffer got_key;
-               auto key_optional = handler.database.getKey(ownerLabel);
+               auto key_optional = handler.database.getKey(owner);
 
                if (!key_optional) {
-                       LogDebug("No Key in database found. Generating new one for label: " <<
-                                        ownerLabel);
-                       got_key = handler.keyProvider.generateDEK(ownerLabel);
-                       handler.database.saveKey(ownerLabel, got_key);
+                       LogDebug("No Key in database found. Generating new one for client: " <<
+                                        owner);
+                       got_key = handler.keyProvider.generateDEK(owner);
+                       handler.database.saveKey(owner, got_key);
                } else {
                        LogDebug("Key from DB");
                        got_key = *key_optional;
                }
 
                got_key = handler.keyProvider.getPureDEK(got_key);
-               handler.crypto.pushKey(ownerLabel, got_key);
+               handler.crypto.pushKey(owner, got_key);
        }
 
        return CKM_API_SUCCESS;
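Review bot: The denied-save branch reports the failure with `LogDebug("accessor " << accessorCred.client << ...)`, while removeDataHelper reports its failed access check with `LogWarning`. A rejected attempt to save under another owner is an access-control event that should be visible in non-debug builds, so `LogWarning("accessor " << accessorCred.client << " can not save rows owned by " << owner);` would match. `owner` is caller-supplied and only checked for the separator, so the log line can carry arbitrary characters; confirm that the logging backend escapes them. The function's closing brace lies outside the hunk.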
@@ -397,7 +396,7 @@ int CKMLogic::checkSaveConditions(
 DB::Row CKMLogic::createEncryptedRow(
        CryptoLogic &crypto,
        const Name &name,
-       const Label &label,
+       const ClientId &owner,
        const Crypto::Data &data,
        const Policy &policy) const
 {
@@ -406,7 +405,7 @@ DB::Row CKMLogic::createEncryptedRow(
        // do not encrypt data with password during cc_mode on
        Token token = store.import(data,
                                                           m_accessControl.isCCMode() ? "" : policy.password);
-       DB::Row row(std::move(token), name, label,
+       DB::Row row(std::move(token), name, owner,
                                static_cast<int>(policy.extractable));
        crypto.encryptRow(row);
        return row;
@@ -457,7 +456,7 @@ int CKMLogic::toBinaryData(const Crypto::Data &input,
 int CKMLogic::verifyAndSaveDataHelper(
        const Credentials &cred,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Crypto::Data &data,
        const PolicySerializable &policy)
 {
@@ -471,7 +470,7 @@ int CKMLogic::verifyAndSaveDataHelper(
                if (retCode != CKM_API_SUCCESS)
                        return retCode;
                else
-                       return saveDataHelper(cred, name, label, binaryData, policy);
+                       return saveDataHelper(cred, name, explicitOwner, binaryData, policy);
        } catch (const Exc::Exception &e) {
                return e.error();
        } catch (const CKM::Exception &e) {
@@ -483,14 +482,14 @@ int CKMLogic::verifyAndSaveDataHelper(
 int CKMLogic::getKeyForService(
        const Credentials &cred,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &pass,
        Crypto::GObjShPtr &key)
 {
        try {
                // Key is for internal service use. It won't be exported to the client
                Crypto::GObjUPtr obj;
-               int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, label,
+               int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
                                                                         pass, obj);
 
                if (retCode == CKM_API_SUCCESS)
@@ -509,11 +508,11 @@ RawBuffer CKMLogic::saveData(
        const Credentials &cred,
        int commandId,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Crypto::Data &data,
        const PolicySerializable &policy)
 {
-       int retCode = verifyAndSaveDataHelper(cred, name, label, data, policy);
+       int retCode = verifyAndSaveDataHelper(cred, name, explicitOwner, data, policy);
        auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::SAVE),
                                        commandId,
                                        retCode,
@@ -524,7 +523,7 @@ RawBuffer CKMLogic::saveData(
 int CKMLogic::extractPKCS12Data(
        CryptoLogic &crypto,
        const Name &name,
-       const Label &ownerLabel,
+       const ClientId &owner,
        const PKCS12Serializable &pkcs,
        const PolicySerializable &keyPolicy,
        const PolicySerializable &certPolicy,
@@ -544,7 +543,7 @@ int CKMLogic::extractPKCS12Data(
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
-       output.push_back(createEncryptedRow(crypto, name, ownerLabel, keyData,
+       output.push_back(createEncryptedRow(crypto, name, owner, keyData,
                                                                                keyPolicy));
 
        // certificate is mandatory
@@ -561,7 +560,7 @@ int CKMLogic::extractPKCS12Data(
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
-       output.push_back(createEncryptedRow(crypto, name, ownerLabel, certData,
+       output.push_back(createEncryptedRow(crypto, name, owner, certData,
                                                                                certPolicy));
 
        // CA cert chain
@@ -575,7 +574,7 @@ int CKMLogic::extractPKCS12Data(
                if (retCode != CKM_API_SUCCESS)
                        return retCode;
 
-               output.push_back(createEncryptedRow(crypto, name, ownerLabel, caCertData,
+               output.push_back(createEncryptedRow(crypto, name, owner, caCertData,
                                                                                        certPolicy));
        }
 
@@ -586,7 +585,7 @@ RawBuffer CKMLogic::savePKCS12(
        const Credentials &cred,
        int commandId,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const PKCS12Serializable &pkcs,
        const PolicySerializable &keyPolicy,
        const PolicySerializable &certPolicy)
@@ -594,7 +593,7 @@ RawBuffer CKMLogic::savePKCS12(
        int retCode = CKM_API_ERROR_UNKNOWN;
 
        try {
-               retCode = saveDataHelper(cred, name, label, pkcs, keyPolicy, certPolicy);
+               retCode = saveDataHelper(cred, name, explicitOwner, pkcs, keyPolicy, certPolicy);
        } catch (const Exc::Exception &e) {
                retCode = e.error();
        } catch (const CKM::Exception &e) {
@@ -613,15 +612,15 @@ RawBuffer CKMLogic::savePKCS12(
 int CKMLogic::removeDataHelper(
        const Credentials &cred,
        const Name &name,
-       const Label &label)
+       const ClientId &explicitOwner)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       if (!isNameValid(name) || !isLabelValid(ownerLabel)) {
-               LogDebug("Invalid label or name format");
+       if (!isNameValid(name) || !isClientValid(owner)) {
+               LogDebug("Invalid owner or name format");
                return CKM_API_ERROR_INPUT_PARAM;
        }
 
@@ -629,9 +628,9 @@ int CKMLogic::removeDataHelper(
 
        // read and check permissions
        PermissionMaskOptional permissionRowOpt =
-               handler.database.getPermissionRow(name, ownerLabel, cred.smackLabel);
+               handler.database.getPermissionRow(name, owner, cred.client);
        int retCode = m_accessControl.canDelete(cred,
-                                                                                       PermissionForLabel(cred.smackLabel, permissionRowOpt));
+                                                                                       toPermissionMask(permissionRowOpt));
 
        if (retCode != CKM_API_SUCCESS) {
                LogWarning("access control check result: " << retCode);
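Review bot: `toPermissionMask(permissionRowOpt)` replaces `PermissionForLabel(cred.smackLabel, permissionRowOpt)`, and its definition is outside this hunk, so the mapping of an absent permission row cannot be checked here. `canDelete` chooses between success, `CKM_API_ERROR_ACCESS_DENIED` and `CKM_API_ERROR_DB_ALIAS_UNKNOWN` purely from the REMOVE and READ bits, so a missing row must yield `Permission::NONE`. If the old wrapper used the accessor label for anything, such as treating the owner specially, that behaviour is no longer expressed at this call. A comment at the call, e.g. `// no permission row -> Permission::NONE, reported as unknown alias`, would pin this down, together with a test for the missing-row case. removeDataHelper begins and ends outside the hunk.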
@@ -640,16 +639,16 @@ int CKMLogic::removeDataHelper(
 
        // get all matching rows
        DB::RowVector rows;
-       handler.database.getRows(name, ownerLabel, DataType::DB_FIRST,
+       handler.database.getRows(name, owner, DataType::DB_FIRST,
                                                         DataType::DB_LAST, rows);
 
        if (rows.empty()) {
-               LogDebug("No row for given name and label");
+               LogDebug("No row for given name and owner");
                return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
        }
 
        // load app key if needed
-       retCode = loadAppKey(handler, rows.front().ownerLabel);
+       retCode = loadAppKey(handler, rows.front().owner);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
@@ -665,7 +664,7 @@ int CKMLogic::removeDataHelper(
        }
 
        // delete row in db
-       handler.database.deleteRow(name, ownerLabel);
+       handler.database.deleteRow(name, owner);
        transaction.commit();
 
        return CKM_API_SUCCESS;
@@ -675,12 +674,12 @@ RawBuffer CKMLogic::removeData(
        const Credentials &cred,
        int commandId,
        const Name &name,
-       const Label &label)
+       const ClientId &explicitOwner)
 {
        int retCode = CKM_API_ERROR_UNKNOWN;
 
        try {
-               retCode = removeDataHelper(cred, name, label);
+               retCode = removeDataHelper(cred, name, explicitOwner);
        } catch (const Exc::Exception &e) {
                retCode = e.error();
        } catch (const CKM::Exception &e) {
@@ -695,7 +694,7 @@ RawBuffer CKMLogic::removeData(
 }
 
 int CKMLogic::readSingleRow(const Name &name,
-                                                       const Label &ownerLabel,
+                                                       const ClientId &owner,
                                                        DataType dataType,
                                                        DB::Crypto &database,
                                                        DB::Row &row)
@@ -705,18 +704,18 @@ int CKMLogic::readSingleRow(const Name &name,
        if (dataType.isKey()) {
                // read all key types
                row_optional = database.getRow(name,
-                                                                          ownerLabel,
+                                                                          owner,
                                                                           DataType::DB_KEY_FIRST,
                                                                           DataType::DB_KEY_LAST);
        } else {
                // read anything else
                row_optional = database.getRow(name,
-                                                                          ownerLabel,
+                                                                          owner,
                                                                           dataType);
        }
 
        if (!row_optional) {
-               LogDebug("No row for given name, label and type");
+               LogDebug("No row for given name, owner and type");
                return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
        } else {
                row = *row_optional;
@@ -727,7 +726,7 @@ int CKMLogic::readSingleRow(const Name &name,
 
 
 int CKMLogic::readMultiRow(const Name &name,
-                                                  const Label &ownerLabel,
+                                                  const ClientId &owner,
                                                   DataType dataType,
                                                   DB::Crypto &database,
                                                   DB::RowVector &output)
@@ -735,49 +734,49 @@ int CKMLogic::readMultiRow(const Name &name,
        if (dataType.isKey())
                // read all key types
                database.getRows(name,
-                                                ownerLabel,
+                                                owner,
                                                 DataType::DB_KEY_FIRST,
                                                 DataType::DB_KEY_LAST,
                                                 output);
        else if (dataType.isChainCert())
                // read all key types
                database.getRows(name,
-                                                ownerLabel,
+                                                owner,
                                                 DataType::DB_CHAIN_FIRST,
                                                 DataType::DB_CHAIN_LAST,
                                                 output);
        else
                // read anything else
                database.getRows(name,
-                                                ownerLabel,
+                                                owner,
                                                 dataType,
                                                 output);
 
        if (!output.size()) {
-               LogDebug("No row for given name, label and type");
+               LogDebug("No row for given name, owner and type");
                return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
        }
 
        return CKM_API_SUCCESS;
 }
 
-int CKMLogic::checkDataPermissionsHelper(const Credentials &cred,
+int CKMLogic::checkDataPermissionsHelper(const Credentials &accessorCred,
                const Name &name,
-               const Label &ownerLabel,
-               const Label &accessorLabel,
+               const ClientId &owner,
                const DB::Row &row,
                bool exportFlag,
                DB::Crypto &database)
 {
        PermissionMaskOptional permissionRowOpt =
-               database.getPermissionRow(name, ownerLabel, accessorLabel);
+               database.getPermissionRow(name, owner, accessorCred.client);
 
        if (exportFlag)
-               return m_accessControl.canExport(cred, row, PermissionForLabel(accessorLabel,
-                                                                                permissionRowOpt));
+               return m_accessControl.canExport(accessorCred,
+                                                                                row,
+                                                                                toPermissionMask(permissionRowOpt));
 
-       return m_accessControl.canRead(cred, PermissionForLabel(accessorLabel,
-                                                                  permissionRowOpt));
+       return m_accessControl.canRead(accessorCred,
+                                                                  toPermissionMask(permissionRowOpt));
 }
 
 Crypto::GObjUPtr CKMLogic::rowToObject(
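Review bot: `checkDataPermissionsHelper` now hands `toPermissionMask(permissionRowOpt)` straight to `canExport`/`canRead`, and nothing in the hunk says what mask an absent permission row becomes. `toPermissionMask` is defined outside this hunk, so I cannot confirm it, but it should map an empty optional to no permissions. A comment above the call would pin that down: `// an absent permission row must yield an empty mask (deny by default)`. Since the accessor is no longer a parameter, the signature would also benefit from `// the accessor is always accessorCred.client`.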
@@ -827,22 +826,22 @@ int CKMLogic::readDataHelper(
        const Credentials &cred,
        DataType dataType,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &password,
        Crypto::GObjUPtrVector &objs)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       if (!isNameValid(name) || !isLabelValid(ownerLabel))
+       if (!isNameValid(name) || !isClientValid(owner))
                return CKM_API_ERROR_INPUT_PARAM;
 
        // read rows
        DB::Crypto::Transaction transaction(&handler.database);
        DB::RowVector rows;
-       int retCode = readMultiRow(name, ownerLabel, dataType, handler.database, rows);
+       int retCode = readMultiRow(name, owner, dataType, handler.database, rows);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
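Review bot: The owner fallback `explicitOwner.empty() ? cred.client : explicitOwner` is written out by hand here and again in the second `readDataHelper`, both `saveDataHelper` overloads, `createKeyAESHelper` and `createKeyPairHelper`, so the rule that decides whose data a request touches exists in many copies. This commit edits every one of them, so it could move the rule into one place, for example `static const ClientId &resolveOwner(const Credentials &cred, const ClientId &explicitOwner) { return explicitOwner.empty() ? cred.client : explicitOwner; }` (this assumes `cred.client` is a `ClientId`, which the hunk suggests but does not show). `selectDatabase` still receives the raw `explicitOwner` while the row lookup uses the resolved `owner`; if that is intentional, a one-line comment saying so would help. The function body continues outside the hunk.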
@@ -851,14 +850,14 @@ int CKMLogic::readDataHelper(
        DB::Row &firstRow = rows.at(0);
 
        // check access rights
-       retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel,
-                                                                                firstRow, exportFlag, handler.database);
+       retCode = checkDataPermissionsHelper(cred, name, owner, firstRow,
+                                                                                exportFlag, handler.database);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
 
        // load app key if needed
-       retCode = loadAppKey(handler, firstRow.ownerLabel);
+       retCode = loadAppKey(handler, firstRow.owner);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
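Review bot: The export/read check in this multi-row `readDataHelper` is made against `firstRow` only, while `rows` can hold several entries. If every row stored under one name and owner is guaranteed to carry the same exportable flag, a comment should say so, for example `// all rows of an alias share one policy, so checking the first is enough`. If that is not guaranteed, `checkDataPermissionsHelper` should run for each row before it is decrypted. The code that consumes the remaining rows is outside this hunk, so this is a question for the author rather than a confirmed defect.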
@@ -878,13 +877,13 @@ int CKMLogic::readDataHelper(
        const Credentials &cred,
        DataType dataType,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &password,
        Crypto::GObjUPtr &obj)
 {
        DataType objDataType;
-       return readDataHelper(exportFlag, cred, dataType, name, label, password, obj,
-                                                 objDataType);
+       return readDataHelper(exportFlag, cred, dataType, name, explicitOwner,
+                                                 password, obj, objDataType);
 }
 
 int CKMLogic::readDataHelper(
@@ -892,23 +891,23 @@ int CKMLogic::readDataHelper(
        const Credentials &cred,
        DataType dataType,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &password,
        Crypto::GObjUPtr &obj,
        DataType &objDataType)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       if (!isNameValid(name) || !isLabelValid(ownerLabel))
+       if (!isNameValid(name) || !isClientValid(owner))
                return CKM_API_ERROR_INPUT_PARAM;
 
        // read row
        DB::Crypto::Transaction transaction(&handler.database);
        DB::Row row;
-       int retCode = readSingleRow(name, ownerLabel, dataType, handler.database, row);
+       int retCode = readSingleRow(name, owner, dataType, handler.database, row);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
@@ -916,14 +915,14 @@ int CKMLogic::readDataHelper(
        objDataType = row.dataType;
 
        // check access rights
-       retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel,
-                                                                                row, exportFlag, handler.database);
+       retCode = checkDataPermissionsHelper(cred, name, owner, row, exportFlag,
+                                                                                handler.database);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
 
        // load app key if needed
-       retCode = loadAppKey(handler, row.ownerLabel);
+       retCode = loadAppKey(handler, row.owner);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
@@ -940,7 +939,7 @@ RawBuffer CKMLogic::getData(
        int commandId,
        DataType dataType,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &password)
 {
        int retCode = CKM_API_SUCCESS;
@@ -949,8 +948,8 @@ RawBuffer CKMLogic::getData(
 
        try {
                Crypto::GObjUPtr obj;
-               retCode = readDataHelper(true, cred, dataType, name, label, password, obj,
-                                                                objDataType);
+               retCode = readDataHelper(true, cred, dataType, name, explicitOwner,
+                                                                password, obj, objDataType);
 
                if (retCode == CKM_API_SUCCESS)
                        rowData = obj->getBinary();
@@ -975,7 +974,7 @@ RawBuffer CKMLogic::getData(
 int CKMLogic::getPKCS12Helper(
        const Credentials &cred,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &keyPassword,
        const Password &certPassword,
        KeyShPtr &privKey,
@@ -986,7 +985,7 @@ int CKMLogic::getPKCS12Helper(
 
        // read private key (mandatory)
        Crypto::GObjUPtr keyObj;
-       retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, label,
+       retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, explicitOwner,
                                                         keyPassword, keyObj);
 
        if (retCode != CKM_API_SUCCESS) {
@@ -998,7 +997,7 @@ int CKMLogic::getPKCS12Helper(
 
        // read certificate (mandatory)
        Crypto::GObjUPtr certObj;
-       retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, label,
+       retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, explicitOwner,
                                                         certPassword, certObj);
 
        if (retCode != CKM_API_SUCCESS) {
@@ -1010,7 +1009,7 @@ int CKMLogic::getPKCS12Helper(
 
        // read CA cert chain (optional)
        Crypto::GObjUPtrVector caChainObjs;
-       retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, label,
+       retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, explicitOwner,
                                                         certPassword, caChainObjs);
 
        if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
@@ -1033,7 +1032,7 @@ RawBuffer CKMLogic::getPKCS12(
        const Credentials &cred,
        int commandId,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Password &keyPassword,
        const Password &certPassword)
 {
@@ -1045,8 +1044,8 @@ RawBuffer CKMLogic::getPKCS12(
                KeyShPtr privKey;
                CertificateShPtr cert;
                CertificateShPtrVector caChain;
-               retCode = getPKCS12Helper(cred, name, label, keyPassword, certPassword, privKey,
-                                                                 cert, caChain);
+               retCode = getPKCS12Helper(cred, name, explicitOwner, keyPassword,
+                                                                 certPassword, privKey, cert, caChain);
 
                // prepare response
                if (retCode == CKM_API_SUCCESS)
@@ -1069,7 +1068,7 @@ RawBuffer CKMLogic::getPKCS12(
 
 int CKMLogic::getDataListHelper(const Credentials &cred,
                                                                const DataType dataType,
-                                                               LabelNameVector &labelNameVector)
+                                                               OwnerNameVector &ownerNameVector)
 {
        int retCode = CKM_API_ERROR_DB_LOCKED;
 
@@ -1077,22 +1076,22 @@ int CKMLogic::getDataListHelper(const Credentials &cred,
                auto &database = m_userDataMap[cred.clientUid].database;
 
                try {
-                       LabelNameVector tmpVector;
+                       OwnerNameVector tmpVector;
 
                        if (dataType.isKey()) {
                                // list all key types
-                               database.listNames(cred.smackLabel,
+                               database.listNames(cred.client,
                                                                   tmpVector,
                                                                   DataType::DB_KEY_FIRST,
                                                                   DataType::DB_KEY_LAST);
                        } else {
                                // list anything else
-                               database.listNames(cred.smackLabel,
+                               database.listNames(cred.client,
                                                                   tmpVector,
                                                                   dataType);
                        }
 
-                       labelNameVector.insert(labelNameVector.end(), tmpVector.begin(),
+                       ownerNameVector.insert(ownerNameVector.end(), tmpVector.begin(),
                                                                   tmpVector.end());
                        retCode = CKM_API_SUCCESS;
                } catch (const CKM::Exception &e) {
@@ -1111,9 +1110,9 @@ RawBuffer CKMLogic::getDataList(
        int commandId,
        DataType dataType)
 {
-       LabelNameVector systemVector;
-       LabelNameVector userVector;
-       LabelNameVector labelNameVector;
+       OwnerNameVector systemVector;
+       OwnerNameVector userVector;
+       OwnerNameVector ownerNameVector;
 
        int retCode = unlockSystemDB();
 
@@ -1122,13 +1121,13 @@ RawBuffer CKMLogic::getDataList(
                if (m_accessControl.isSystemService(cred)) {
                        // lookup system DB
                        retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
-                                                                                                       OWNER_ID_SYSTEM),
+                                                                                                       CLIENT_ID_SYSTEM),
                                                                                dataType,
                                                                                systemVector);
                } else {
                        // user - lookup system, then client DB
                        retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
-                                                                                                       cred.smackLabel),
+                                                                                                       cred.client),
                                                                                dataType,
                                                                                systemVector);
 
@@ -1142,9 +1141,9 @@ RawBuffer CKMLogic::getDataList(
        }
 
        if (retCode == CKM_API_SUCCESS) {
-               labelNameVector.insert(labelNameVector.end(), systemVector.begin(),
+               ownerNameVector.insert(ownerNameVector.end(), systemVector.begin(),
                                                           systemVector.end());
-               labelNameVector.insert(labelNameVector.end(), userVector.begin(),
+               ownerNameVector.insert(ownerNameVector.end(), userVector.begin(),
                                                           userVector.end());
        }
 
@@ -1153,7 +1152,7 @@ RawBuffer CKMLogic::getDataList(
                                        commandId,
                                        retCode,
                                        static_cast<int>(dataType),
-                                       labelNameVector);
+                                       ownerNameVector);
        return response.Pop();
 }
 
@@ -1164,14 +1163,14 @@ int CKMLogic::importInitialData(
        const Policy &policy)
 {
        try {
-               // Inital values are always imported with root credentials. Label is not important.
+               // Inital values are always imported with root credentials. Client id is not important.
                Credentials rootCred(0, "");
 
-               auto &handler = selectDatabase(rootCred, OWNER_ID_SYSTEM);
+               auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM);
 
                // check if save is possible
                DB::Crypto::Transaction transaction(&handler.database);
-               int retCode = checkSaveConditions(rootCred, handler, name, OWNER_ID_SYSTEM);
+               int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
 
                if (retCode != CKM_API_SUCCESS)
                        return retCode;
@@ -1193,7 +1192,7 @@ int CKMLogic::importInitialData(
                                                                                  m_accessControl.isCCMode() ? "" : policy.password, enc);
                }
 
-               DB::Row row(std::move(token), name, OWNER_ID_SYSTEM,
+               DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
                                        static_cast<int>(policy.extractable));
                handler.crypto.encryptRow(row);
 
@@ -1215,28 +1214,28 @@ int CKMLogic::importInitialData(
 int CKMLogic::saveDataHelper(
        const Credentials &cred,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const Crypto::Data &data,
        const PolicySerializable &policy)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
        if (m_accessControl.isSystemService(cred) &&
-                       ownerLabel.compare(OWNER_ID_SYSTEM) != 0)
+                       owner.compare(CLIENT_ID_SYSTEM) != 0)
                return CKM_API_ERROR_INPUT_PARAM;
 
        // check if save is possible
        DB::Crypto::Transaction transaction(&handler.database);
-       int retCode = checkSaveConditions(cred, handler, name, ownerLabel);
+       int retCode = checkSaveConditions(cred, handler, name, owner);
 
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
        // save the data
-       DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, ownerLabel,
+       DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, owner,
                                                   data, policy);
        handler.database.saveRow(encryptedRow);
 
@@ -1247,37 +1246,37 @@ int CKMLogic::saveDataHelper(
 int CKMLogic::saveDataHelper(
        const Credentials &cred,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const PKCS12Serializable &pkcs,
        const PolicySerializable &keyPolicy,
        const PolicySerializable &certPolicy)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
        if (m_accessControl.isSystemService(cred) &&
-                       ownerLabel.compare(OWNER_ID_SYSTEM) != 0)
+                       owner.compare(CLIENT_ID_SYSTEM) != 0)
                return CKM_API_ERROR_INPUT_PARAM;
 
        // check if save is possible
        DB::Crypto::Transaction transaction(&handler.database);
-       int retCode = checkSaveConditions(cred, handler, name, ownerLabel);
+       int retCode = checkSaveConditions(cred, handler, name, owner);
 
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
        // extract and encrypt the data
        DB::RowVector encryptedRows;
-       retCode = extractPKCS12Data(handler.crypto, name, ownerLabel, pkcs, keyPolicy,
+       retCode = extractPKCS12Data(handler.crypto, name, owner, pkcs, keyPolicy,
                                                                certPolicy, encryptedRows);
 
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
        // save the data
-       handler.database.saveRows(name, ownerLabel, encryptedRows);
+       handler.database.saveRows(name, owner, encryptedRows);
        transaction.commit();
 
        return CKM_API_SUCCESS;
@@ -1288,21 +1287,21 @@ int CKMLogic::createKeyAESHelper(
        const Credentials &cred,
        const int size,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const PolicySerializable &policy)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
        if (m_accessControl.isSystemService(cred) &&
-                       ownerLabel.compare(OWNER_ID_SYSTEM) != 0)
+                       owner.compare(CLIENT_ID_SYSTEM) != 0)
                return CKM_API_ERROR_INPUT_PARAM;
 
        // check if save is possible
        DB::Crypto::Transaction transaction(&handler.database);
-       int retCode = checkSaveConditions(cred, handler, name, ownerLabel);
+       int retCode = checkSaveConditions(cred, handler, name, owner);
 
        if (retCode != CKM_API_SUCCESS)
                return retCode;
@@ -1315,7 +1314,7 @@ int CKMLogic::createKeyAESHelper(
                                       policy).generateSKey(keyGenAlgorithm, policy.password);
 
        // save the data
-       DB::Row row(std::move(key), name, ownerLabel,
+       DB::Row row(std::move(key), name, owner,
                                static_cast<int>(policy.extractable));
        handler.crypto.encryptRow(row);
 
@@ -1329,14 +1328,14 @@ int CKMLogic::createKeyPairHelper(
        const Credentials &cred,
        const CryptoAlgorithmSerializable &keyGenParams,
        const Name &namePrivate,
-       const Label &labelPrivate,
+       const ClientId &explicitOwnerPrivate,
        const Name &namePublic,
-       const Label &labelPublic,
+       const ClientId &explicitOwnerPublic,
        const PolicySerializable &policyPrivate,
        const PolicySerializable &policyPublic)
 {
-       auto &handlerPriv = selectDatabase(cred, labelPrivate);
-       auto &handlerPub = selectDatabase(cred, labelPublic);
+       auto &handlerPriv = selectDatabase(cred, explicitOwnerPrivate);
+       auto &handlerPub = selectDatabase(cred, explicitOwnerPublic);
 
        AlgoType keyType = AlgoType::RSA_GEN;
 
@@ -1351,19 +1350,19 @@ int CKMLogic::createKeyPairHelper(
        if (policyPrivate.backend != policyPublic.backend)
                ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
 
-       // use client label if not explicitly provided
-       const Label &ownerLabelPrv = labelPrivate.empty() ? cred.smackLabel :
-                                                                labelPrivate;
+       // use client id if not explicitly provided
+       const ClientId &ownerPrv = explicitOwnerPrivate.empty() ? cred.client :
+                                                          explicitOwnerPrivate;
 
        if (m_accessControl.isSystemService(cred) &&
-                       ownerLabelPrv.compare(OWNER_ID_SYSTEM) != 0)
+                       ownerPrv.compare(CLIENT_ID_SYSTEM) != 0)
                return CKM_API_ERROR_INPUT_PARAM;
 
-       const Label &ownerLabelPub = labelPublic.empty() ? cred.smackLabel :
-                                                                labelPublic;
+       const ClientId &ownerPub = explicitOwnerPublic.empty() ? cred.client :
+                                                          explicitOwnerPublic;
 
        if (m_accessControl.isSystemService(cred) &&
-                       ownerLabelPub.compare(OWNER_ID_SYSTEM) != 0)
+                       ownerPub.compare(CLIENT_ID_SYSTEM) != 0)
                return CKM_API_ERROR_INPUT_PARAM;
 
        bool exportable = policyPrivate.extractable || policyPublic.extractable;
@@ -1379,23 +1378,23 @@ int CKMLogic::createKeyPairHelper(
        DB::Crypto::Transaction transactionPub(&handlerPub.database);
 
        int retCode;
-       retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerLabelPrv);
+       retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerPrv);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
 
-       retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerLabelPub);
+       retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerPub);
 
        if (CKM_API_SUCCESS != retCode)
                return retCode;
 
        // save the data
-       DB::Row rowPrv(std::move(keys.first), namePrivate, ownerLabelPrv,
+       DB::Row rowPrv(std::move(keys.first), namePrivate, ownerPrv,
                                   static_cast<int>(policyPrivate.extractable));
        handlerPriv.crypto.encryptRow(rowPrv);
        handlerPriv.database.saveRow(rowPrv);
 
-       DB::Row rowPub(std::move(keys.second), namePublic, ownerLabelPub,
+       DB::Row rowPub(std::move(keys.second), namePublic, ownerPub,
                                   static_cast<int>(policyPublic.extractable));
        handlerPub.crypto.encryptRow(rowPub);
        handlerPub.database.saveRow(rowPub);
@@ -1410,9 +1409,9 @@ RawBuffer CKMLogic::createKeyPair(
        int commandId,
        const CryptoAlgorithmSerializable &keyGenParams,
        const Name &namePrivate,
-       const Label &labelPrivate,
+       const ClientId &explicitOwnerPrivate,
        const Name &namePublic,
-       const Label &labelPublic,
+       const ClientId &explicitOwnerPublic,
        const PolicySerializable &policyPrivate,
        const PolicySerializable &policyPublic)
 {
@@ -1423,9 +1422,9 @@ RawBuffer CKMLogic::createKeyPair(
                                          cred,
                                          keyGenParams,
                                          namePrivate,
-                                         labelPrivate,
+                                         explicitOwnerPrivate,
                                          namePublic,
-                                         labelPublic,
+                                         explicitOwnerPublic,
                                          policyPrivate,
                                          policyPublic);
        } catch (const Exc::Exception &e) {
@@ -1444,13 +1443,13 @@ RawBuffer CKMLogic::createKeyAES(
        int commandId,
        const int size,
        const Name &name,
-       const Label &label,
+       const ClientId &explicitOwner,
        const PolicySerializable &policy)
 {
        int retCode = CKM_API_SUCCESS;
 
        try {
-               retCode = createKeyAESHelper(cred, size, name, label, policy);
+               retCode = createKeyAESHelper(cred, size, name, explicitOwner, policy);
        } catch (const Exc::Exception &e) {
                retCode = e.error();
        } catch (std::invalid_argument &e) {
@@ -1467,10 +1466,10 @@ RawBuffer CKMLogic::createKeyAES(
 
 int CKMLogic::readCertificateHelper(
        const Credentials &cred,
-       const LabelNameVector &labelNameVector,
+       const OwnerNameVector &ownerNameVector,
        CertificateImplVector &certVector)
 {
-       for (auto &i : labelNameVector) {
+       for (auto &i : ownerNameVector) {
                // certificates can't be protected with custom user password
                Crypto::GObjUPtr obj;
                int ec;
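Review bot: `for (auto &i : ownerNameVector)` iterates a `const OwnerNameVector &`, so `auto &` silently deduces a const reference, and the name `i` says nothing about what the element is. `for (const auto &ownerName : ownerNameVector)` states both. The uses of `i` in the loop body, which continues outside the hunk, would need the same rename.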
@@ -1559,8 +1558,8 @@ int CKMLogic::getCertificateChainHelper(
 int CKMLogic::getCertificateChainHelper(
        const Credentials &cred,
        const CertificateImpl &cert,
-       const LabelNameVector &untrusted,
-       const LabelNameVector &trusted,
+       const OwnerNameVector &untrusted,
+       const OwnerNameVector &trusted,
        bool useTrustedSystemCertificates,
        RawBufferVector &chainRawVector)
 {
@@ -1637,8 +1636,8 @@ RawBuffer CKMLogic::getCertificateChain(
        const Credentials &cred,
        int commandId,
        const RawBuffer &certificate,
-       const LabelNameVector &untrustedCertificates,
-       const LabelNameVector &trustedCertificates,
+       const OwnerNameVector &untrustedCertificates,
+       const OwnerNameVector &trustedCertificates,
        bool useTrustedSystemCertificates)
 {
        int retCode = CKM_API_ERROR_UNKNOWN;
@@ -1673,7 +1672,7 @@ RawBuffer CKMLogic::createSignature(
        const Credentials &cred,
        int commandId,
        const Name &privateKeyName,
-       const Label &ownerLabel,
+       const ClientId &explicitOwner,
        const Password &password,           // password for private_key
        const RawBuffer &message,
        const CryptoAlgorithm &cryptoAlg)
@@ -1685,7 +1684,7 @@ RawBuffer CKMLogic::createSignature(
        try {
                Crypto::GObjUPtr obj;
                retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName,
-                                                                ownerLabel, password, obj);
+                                                                explicitOwner, password, obj);
 
                if (retCode == CKM_API_SUCCESS)
                        signature = obj->sign(cryptoAlg, message);
@@ -1711,7 +1710,7 @@ RawBuffer CKMLogic::verifySignature(
        const Credentials &cred,
        int commandId,
        const Name &publicKeyOrCertName,
-       const Label &ownerLabel,
+       const ClientId &explicitOwner,
        const Password &password,           // password for public_key (optional)
        const RawBuffer &message,
        const RawBuffer &signature,
@@ -1725,11 +1724,11 @@ RawBuffer CKMLogic::verifySignature(
                // rather than private key from the same PKCS.
                Crypto::GObjUPtr obj;
                retCode = readDataHelper(false, cred, DataType::CERTIFICATE,
-                                                                publicKeyOrCertName, ownerLabel, password, obj);
+                                                                publicKeyOrCertName, explicitOwner, password, obj);
 
                if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN)
                        retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST,
-                                                                        publicKeyOrCertName, ownerLabel, password, obj);
+                                                                        publicKeyOrCertName, explicitOwner, password, obj);
 
                if (retCode == CKM_API_SUCCESS)
                        retCode = obj->verify(params, message, signature);
@@ -1750,46 +1749,46 @@ RawBuffer CKMLogic::verifySignature(
 int CKMLogic::setPermissionHelper(
        const Credentials &cred,                // who's the client
        const Name &name,
-       const Label &label,                     // who's the owner
-       const Label &accessorLabel,             // who will get the access
+       const ClientId &explicitOwner,                     // who's the owner
+       const ClientId &accessor,             // who will get the access
        const PermissionMask permissionMask)
 {
-       auto &handler = selectDatabase(cred, label);
+       auto &handler = selectDatabase(cred, explicitOwner);
 
        // we don't know the client
-       if (cred.smackLabel.empty() || !isLabelValid(cred.smackLabel))
+       if (cred.client.empty() || !isClientValid(cred.client))
                return CKM_API_ERROR_INPUT_PARAM;
 
-       // use client label if not explicitly provided
-       const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
+       // use client id if not explicitly provided
+       const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner;
 
-       // verify name and label are correct
-       if (!isNameValid(name) || !isLabelValid(ownerLabel) ||
-                       !isLabelValid(accessorLabel))
+       // verify name and owner are correct
+       if (!isNameValid(name) || !isClientValid(owner) ||
+                       !isClientValid(accessor))
                return CKM_API_ERROR_INPUT_PARAM;
 
        // currently we don't support modification of owner's permissions to his own rows
-       if (ownerLabel == accessorLabel)
+       if (owner == accessor)
                return CKM_API_ERROR_INPUT_PARAM;
 
        // system database does not support write/remove permissions
-       if ((0 == ownerLabel.compare(OWNER_ID_SYSTEM)) &&
+       if ((0 == owner.compare(CLIENT_ID_SYSTEM)) &&
                        (permissionMask & Permission::REMOVE))
                return CKM_API_ERROR_INPUT_PARAM;
 
        // can the client modify permissions to owner's row?
-       int retCode = m_accessControl.canModify(cred, ownerLabel);
+       int retCode = m_accessControl.canModify(cred, owner);
 
        if (retCode != CKM_API_SUCCESS)
                return retCode;
 
        DB::Crypto::Transaction transaction(&handler.database);
 
-       if (!handler.database.isNameLabelPresent(name, ownerLabel))
+       if (!handler.database.isNameOwnerPresent(name, owner))
                return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
 
-       // set permissions to the row owned by ownerLabel for accessorLabel
-       handler.database.setPermission(name, ownerLabel, accessorLabel, permissionMask);
+       // set permissions to the row owned by owner for accessor
+       handler.database.setPermission(name, owner, accessor, permissionMask);
        transaction.commit();
 
        return CKM_API_SUCCESS;
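Review bot: `selectDatabase(cred, explicitOwner)` at the top of setPermissionHelper runs before `cred.client`, `owner` and `accessor` have passed `isClientValid`, so the database is selected with an owner id that has not been validated yet. `handler` is not used until the `DB::Crypto::Transaction` line, so `auto &handler = selectDatabase(cred, explicitOwner);` could move down to just above it, after the `canModify` check. What selectDatabase does with a malformed id is not visible in this hunk, and moving the call may change which error a caller sees first, so confirm against its implementation. The function's closing brace lies outside the hunk.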
@@ -1800,14 +1799,14 @@ RawBuffer CKMLogic::setPermission(
        const int command,
        const int msgID,
        const Name &name,
-       const Label &label,
-       const Label &accessorLabel,
+       const ClientId &explicitOwner,
+       const ClientId &accessor,
        const PermissionMask permissionMask)
 {
        int retCode;
 
        try {
-               retCode = setPermissionHelper(cred, name, label, accessorLabel, permissionMask);
+               retCode = setPermissionHelper(cred, name, explicitOwner, accessor, permissionMask);
        } catch (const Exc::Exception &e) {
                retCode = e.error();
        } catch (const CKM::Exception &e) {
@@ -1818,20 +1817,20 @@ RawBuffer CKMLogic::setPermission(
        return MessageBuffer::Serialize(command, msgID, retCode).Pop();
 }
 
-int CKMLogic::loadAppKey(UserData &handle, const Label &appLabel)
+int CKMLogic::loadAppKey(UserData &handle, const ClientId &owner)
 {
-       if (!handle.crypto.haveKey(appLabel)) {
+       if (!handle.crypto.haveKey(owner)) {
                RawBuffer key;
-               auto key_optional = handle.database.getKey(appLabel);
+               auto key_optional = handle.database.getKey(owner);
 
                if (!key_optional) {
-                       LogError("No key for given label in database");
+                       LogError("No key for given owner in database");
                        return CKM_API_ERROR_DB_ERROR;
                }
 
                key = *key_optional;
                key = handle.keyProvider.getPureDEK(key);
-               handle.crypto.pushKey(appLabel, key);
+               handle.crypto.pushKey(owner, key);
        }
 
        return CKM_API_SUCCESS;
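Review bot: In loadAppKey the wrapped key is copied into the local `key`, overwritten with the result of `getPureDEK`, and then copied again by `pushKey`, so the unwrapped DEK sits in one more buffer than needed. The three lines could be reduced to `handle.crypto.pushKey(owner, handle.keyProvider.getPureDEK(*key_optional));`, dropping the `RawBuffer key;` declaration. Whether RawBuffer wipes its storage on destruction is not visible here, so the practical impact may be nil; the aim is to keep key material in as few places as possible. The function's closing brace is outside the hunk.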
index b1ab091..95048cb 100644 (file)
@@ -74,13 +74,13 @@ public:
                const Password &newPassword);
 
        RawBuffer removeApplicationData(
-               const Label &smackLabel);
+               const ClientId &owner);
 
        RawBuffer saveData(
                const Credentials &cred,
                int commandId,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Crypto::Data &data,
                const PolicySerializable &policy);
 
@@ -88,7 +88,7 @@ public:
                const Credentials &cred,
                int commandId,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const PKCS12Serializable &pkcs,
                const PolicySerializable &keyPolicy,
                const PolicySerializable &certPolicy);
@@ -97,21 +97,21 @@ public:
                const Credentials &cred,
                int commandId,
                const Name &name,
-               const Label &label);
+               const ClientId &explicitOwner);
 
        RawBuffer getData(
                const Credentials &cred,
                int commandId,
                DataType dataType,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &password);
 
        RawBuffer getPKCS12(
                const Credentials &cred,
                int commandId,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &keyPassword,
                const Password &certPassword);
 
@@ -125,9 +125,9 @@ public:
                int commandId,
                const CryptoAlgorithmSerializable &keyGenParams,
                const Name &namePrivate,
-               const Label &labelPrivate,
+               const ClientId &explicitOwnerPrivate,
                const Name &namePublic,
-               const Label &labelPublic,
+               const ClientId &explicitOwnerPublic,
                const PolicySerializable &policyPrivate,
                const PolicySerializable &policyPublic);
 
@@ -136,7 +136,7 @@ public:
                int commandId,
                const int size,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const PolicySerializable &policy);
 
        RawBuffer getCertificateChain(
@@ -151,15 +151,15 @@ public:
                const Credentials &cred,
                int commandId,
                const RawBuffer &certificate,
-               const LabelNameVector &untrustedCertificates,
-               const LabelNameVector &trustedCertificates,
+               const OwnerNameVector &untrustedCertificates,
+               const OwnerNameVector &trustedCertificates,
                bool useTrustedSystemCertificates);
 
        RawBuffer  createSignature(
                const Credentials &cred,
                int commandId,
                const Name &privateKeyName,
-               const Label &ownerLabel,
+               const ClientId &explicitOwner,
                const Password &password,           // password for private_key
                const RawBuffer &message,
                const CryptoAlgorithm &cryptoAlgorithm);
@@ -168,7 +168,7 @@ public:
                const Credentials &cred,
                int commandId,
                const Name &publicKeyOrCertName,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &password,           // password for public_key (optional)
                const RawBuffer &message,
                const RawBuffer &signature,
@@ -181,28 +181,28 @@ public:
                const int command,
                const int msgID,
                const Name &name,
-               const Label &label,
-               const Label &accessor_label,
+               const ClientId &explicitOwner,
+               const ClientId &accessor,
                const PermissionMask permissionMask);
 
        int setPermissionHelper(
                const Credentials &cred,
                const Name &name,
-               const Label &ownerLabel,
-               const Label &accessorLabel,
+               const ClientId &explicitOwner,
+               const ClientId &accessor,
                const PermissionMask permissionMask);
 
        int verifyAndSaveDataHelper(
                const Credentials &cred,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Crypto::Data &data,
                const PolicySerializable &policy);
 
        int getKeyForService(
                const Credentials &cred,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &pass,
                Crypto::GObjShPtr &key);
 
@@ -215,10 +215,10 @@ public:
        int unlockSystemDB();
 
 private:
-       // select private/system database depending on asking uid and owner label.
-       // output: database handler and effective label
-       UserData &selectDatabase(const Credentials &incoming_cred,
-                                                        const Label       &incoming_label);
+       // select private/system database depending on asking uid and owner id.
+       // output: database handler for effective owner
+       UserData &selectDatabase(const Credentials &cred,
+                                                        const ClientId &explicitOwner);
 
        int unlockDatabase(uid_t user,
                                           const Password &password);
@@ -241,19 +241,19 @@ private:
                const Credentials &cred,
                UserData &handler,
                const Name &name,
-               const Label &label);
+               const ClientId &owner);
 
        int saveDataHelper(
                const Credentials &cred,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Crypto::Data &data,
                const PolicySerializable &policy);
 
        int saveDataHelper(
                const Credentials &cred,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const PKCS12Serializable &pkcs,
                const PolicySerializable &keyPolicy,
                const PolicySerializable &certPolicy);
@@ -261,14 +261,14 @@ private:
        DB::Row createEncryptedRow(
                CryptoLogic &crypto,
                const Name &name,
-               const Label &label,
+               const ClientId &owner,
                const Crypto::Data &data,
                const Policy &policy) const;
 
        int getPKCS12Helper(
                const Credentials &cred,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &keyPassword,
                const Password &certPassword,
                KeyShPtr &privKey,
@@ -278,7 +278,7 @@ private:
        int extractPKCS12Data(
                CryptoLogic &crypto,
                const Name &name,
-               const Label &ownerLabel,
+               const ClientId &owner,
                const PKCS12Serializable &pkcs,
                const PolicySerializable &keyPolicy,
                const PolicySerializable &certPolicy,
@@ -287,26 +287,25 @@ private:
        int removeDataHelper(
                const Credentials &cred,
                const Name &name,
-               const Label &ownerLabel);
+               const ClientId &explicitOwner);
 
        int readSingleRow(
                const Name &name,
-               const Label &ownerLabel,
+               const ClientId &owner,
                DataType dataType,
                DB::Crypto &database,
                DB::Row &row);
 
        int readMultiRow(const Name &name,
-                                        const Label &ownerLabel,
+                                        const ClientId &owner,
                                         DataType dataType,
                                         DB::Crypto &database,
                                         DB::RowVector &output);
 
        int checkDataPermissionsHelper(
-               const Credentials &cred,
+               const Credentials &accessorCred,
                const Name &name,
-               const Label &ownerLabel,
-               const Label &accessorLabel,
+               const ClientId &owner,
                const DB::Row &row,
                bool exportFlag,
                DB::Crypto &database);
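Review bot: The declaration of checkDataPermissionsHelper drops the separate accessor argument and renames `cred` to `accessorCred`, but nothing at the declaration says which identity is now checked against the row. A one-line comment would help callers, for example `// checks accessorCred (presumably its client id) against the permissions of the row (name, owner)`. The definition is outside this hunk, so the exact field used should be confirmed there.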
@@ -321,7 +320,7 @@ private:
                const Credentials &cred,
                DataType dataType,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &password,
                Crypto::GObjUPtr &obj);
 
@@ -330,7 +329,7 @@ private:
                const Credentials &cred,
                DataType dataType,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &password,
                Crypto::GObjUPtr &obj,
                DataType &objDataType);
@@ -340,7 +339,7 @@ private:
                const Credentials &cred,
                DataType dataType,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const Password &password,
                Crypto::GObjUPtrVector &objs);
 
@@ -348,22 +347,22 @@ private:
                const Credentials &cred,
                const int size,
                const Name &name,
-               const Label &label,
+               const ClientId &explicitOwner,
                const PolicySerializable &policy);
 
        int createKeyPairHelper(
                const Credentials &cred,
                const CryptoAlgorithmSerializable &keyGenParams,
                const Name &namePrivate,
-               const Label &labelPrivate,
+               const ClientId &explicitOwnerPrivate,
                const Name &namePublic,
-               const Label &labelPublic,
+               const ClientId &explicitOwnerPublic,
                const PolicySerializable &policyPrivate,
                const PolicySerializable &policyPublic);
 
        int readCertificateHelper(
                const Credentials &cred,
-               const LabelNameVector &labelNameVector,
+               const OwnerNameVector &ownerNameVector,
                CertificateImplVector &certVector);
 
        int getCertificateChainHelper(
@@ -376,15 +375,15 @@ private:
        int getCertificateChainHelper(
                const Credentials &cred,
                const CertificateImpl &cert,
-               const LabelNameVector &untrusted,
-               const LabelNameVector &trusted,
+               const OwnerNameVector &untrusted,
+               const OwnerNameVector &trusted,
                bool useTrustedSystemCertificates,
                RawBufferVector &chainRawVector);
 
        int getDataListHelper(
                const Credentials &cred,
                const DataType dataType,
-               LabelNameVector &labelNameVector);
+               OwnerNameVector &ownerNameVector);
 
        int changeUserPasswordHelper(uid_t user,
                                                                 const Password &oldPassword,
@@ -392,7 +391,7 @@ private:
 
        int resetUserPasswordHelper(uid_t user, const Password &newPassword);
 
-       int loadAppKey(UserData &handle, const Label &appLabel);
+       int loadAppKey(UserData &handle, const ClientId &owner);
 
        void migrateSecureStorageData(bool isAdminUser);
 
index 2fd0e2e..127e0a8 100644 (file)
@@ -120,7 +120,7 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed)
        uid_t user = 0;
        ControlCommand cc;
        Password newPass, oldPass;
-       Label smackLabel;
+       ClientId explicitOwner;
 
        buffer.Deserialize(command);
 
@@ -167,9 +167,9 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed)
                break;
 
        case ControlCommand::REMOVE_APP_DATA:
-               buffer.Deserialize(smackLabel);
+               buffer.Deserialize(explicitOwner);
                logicFunc = [&]() {
-                       return m_logic->removeApplicationData(smackLabel);
+                       return m_logic->removeApplicationData(explicitOwner);
                };
                break;
 
@@ -181,21 +181,20 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed)
 
        case ControlCommand::SET_PERMISSION: {
                Name name;
-               Label label;
-               Label accessorLabel;
+               ClientId accessor;
                PermissionMask permissionMask = 0;
 
-               buffer.Deserialize(user, name, label, accessorLabel, permissionMask);
+               buffer.Deserialize(user, name, explicitOwner, accessor, permissionMask);
 
-               Credentials cred(user, label);
-               logicFunc = [&, name, label, accessorLabel, permissionMask, cred]() {
+               Credentials cred(user, explicitOwner);
+               logicFunc = [&, name, explicitOwner, accessor, permissionMask, cred]() {
                        return m_logic->setPermission(
                                           cred,
                                           command,
                                           0, // dummy
                                           name,
-                                          label,
-                                          accessorLabel,
+                                          explicitOwner,
+                                          accessor,
                                           permissionMask);
                };
                break;
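Review bot: In the SET_PERMISSION case, `Credentials cred(user, explicitOwner)` is built entirely from values deserialized out of the request, so the `canModify(cred, owner)` check in setPermissionHelper is evaluated against an identity the sender chose and presumably always matches the owner on this path. Authorization for this command therefore appears to rest on the `allowed` argument of ProcessControl, whose check is outside this hunk. A comment above the constructor would make that explicit, e.g. `// control path: cred is synthesized from the request; access is gated by 'allowed', not by canModify()`. It also seems to follow that an empty `explicitOwner` is rejected here by the `cred.client.empty()` test rather than falling back to a caller id.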
@@ -219,7 +218,7 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
        int msgID = 0;
        int tmpDataType = 0;
        Name name;
-       Label label, accessorLabel;
+       ClientId explicitOwner, accessor;
 
        buffer.Deserialize(command);
        buffer.Deserialize(msgID);
@@ -238,12 +237,12 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
        case LogicCommand::SAVE: {
                RawBuffer rawData;
                PolicySerializable policy;
-               buffer.Deserialize(tmpDataType, name, label, rawData, policy);
+               buffer.Deserialize(tmpDataType, name, explicitOwner, rawData, policy);
                return m_logic->saveData(
                                   cred,
                                   msgID,
                                   name,
-                                  label,
+                                  explicitOwner,
                                   Crypto::Data(DataType(tmpDataType), std::move(rawData)),
                                   policy);
        }
@@ -252,35 +251,35 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
                RawBuffer rawData;
                PKCS12Serializable pkcs;
                PolicySerializable keyPolicy, certPolicy;
-               buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy);
+               buffer.Deserialize(name, explicitOwner, pkcs, keyPolicy, certPolicy);
                return m_logic->savePKCS12(
                                   cred,
                                   msgID,
                                   name,
-                                  label,
+                                  explicitOwner,
                                   pkcs,
                                   keyPolicy,
                                   certPolicy);
        }
 
        case LogicCommand::REMOVE: {
-               buffer.Deserialize(name, label);
+               buffer.Deserialize(name, explicitOwner);
                return m_logic->removeData(
                                   cred,
                                   msgID,
                                   name,
-                                  label);
+                                  explicitOwner);
        }
 
        case LogicCommand::GET: {
                Password password;
-               buffer.Deserialize(tmpDataType, name, label, password);
+               buffer.Deserialize(tmpDataType, name, explicitOwner, password);
                return m_logic->getData(
                                   cred,
                                   msgID,
                                   DataType(tmpDataType),
                                   name,
-                                  label,
+                                  explicitOwner,
                                   password);
        }
 
@@ -289,14 +288,14 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
                Password passCert;
                buffer.Deserialize(
                        name,
-                       label,
+                       explicitOwner,
                        passKey,
                        passCert);
                return m_logic->getPKCS12(
                                   cred,
                                   msgID,
                                   name,
-                                  label,
+                                  explicitOwner,
                                   passKey,
                                   passCert);
        }
@@ -312,45 +311,45 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
        case LogicCommand::CREATE_KEY_AES: {
                int size = 0;
                Name keyName;
-               Label keyLabel;
+               ClientId keyExplicitOwner;
                PolicySerializable policyKey;
                buffer.Deserialize(
                        size,
                        policyKey,
                        keyName,
-                       keyLabel);
+                       keyExplicitOwner);
                return m_logic->createKeyAES(
                                   cred,
                                   msgID,
                                   size,
                                   keyName,
-                                  keyLabel,
+                                  keyExplicitOwner,
                                   policyKey);
        }
 
        case LogicCommand::CREATE_KEY_PAIR: {
                CryptoAlgorithmSerializable keyGenAlgorithm;
                Name privateKeyName;
-               Label privateKeyLabel;
+               ClientId explicitOwnerPrivate;
                Name publicKeyName;
-               Label publicKeyLabel;
+               ClientId explicitOwnerPublic;
                PolicySerializable policyPrivateKey;
                PolicySerializable policyPublicKey;
                buffer.Deserialize(keyGenAlgorithm,
                                                   policyPrivateKey,
                                                   policyPublicKey,
                                                   privateKeyName,
-                                                  privateKeyLabel,
+                                                  explicitOwnerPrivate,
                                                   publicKeyName,
-                                                  publicKeyLabel);
+                                                  explicitOwnerPublic);
                return m_logic->createKeyPair(
                                   cred,
                                   msgID,
                                   keyGenAlgorithm,
                                   privateKeyName,
-                                  privateKeyLabel,
+                                  explicitOwnerPrivate,
                                   publicKeyName,
-                                  publicKeyLabel,
+                                  explicitOwnerPublic,
                                   policyPrivateKey,
                                   policyPublicKey);
        }
@@ -372,8 +371,8 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
 
        case LogicCommand::GET_CHAIN_ALIAS: {
                RawBuffer certificate;
-               LabelNameVector untrustedVector;
-               LabelNameVector trustedVector;
+               OwnerNameVector untrustedVector;
+               OwnerNameVector trustedVector;
                bool systemCerts = false;
                buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
                return m_logic->getCertificateChain(
@@ -390,13 +389,13 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
                RawBuffer message;
 
                CryptoAlgorithmSerializable cAlgorithm;
-               buffer.Deserialize(name, label, password, message, cAlgorithm);
+               buffer.Deserialize(name, explicitOwner, password, message, cAlgorithm);
 
                return m_logic->createSignature(
                                   cred,
                                   msgID,
                                   name,
-                                  label,
+                                  explicitOwner,
                                   password,           // password for private_key
                                   message,
                                   cAlgorithm);
@@ -409,7 +408,7 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
                CryptoAlgorithmSerializable cAlg;
 
                buffer.Deserialize(name,
-                                                  label,
+                                                  explicitOwner,
                                                   password,
                                                   message,
                                                   signature,
@@ -419,7 +418,7 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
                                   cred,
                                   msgID,
                                   name,
-                                  label,
+                                  explicitOwner,
                                   password,           // password for public_key (optional)
                                   message,
                                   signature,
@@ -428,14 +427,14 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
 
        case LogicCommand::SET_PERMISSION: {
                PermissionMask permissionMask = 0;
-               buffer.Deserialize(name, label, accessorLabel, permissionMask);
+               buffer.Deserialize(name, explicitOwner, accessor, permissionMask);
                return m_logic->setPermission(
                                   cred,
                                   command,
                                   msgID,
                                   name,
-                                  label,
-                                  accessorLabel,
+                                  explicitOwner,
+                                  accessor,
                                   permissionMask);
        }
 
@@ -449,7 +448,7 @@ void CKMService::ProcessMessage(MsgKeyRequest msg)
        Crypto::GObjShPtr key;
        int ret = m_logic->getKeyForService(msg.cred,
                                                                                msg.name,
-                                                                               msg.label,
+                                                                               msg.explicitOwner,
                                                                                msg.password,
                                                                                key);
        MsgKeyResponse kResp(msg.id, key, ret);
index 3cbfedb..d15a37c 100644 (file)
@@ -67,30 +67,30 @@ CryptoLogic &CryptoLogic::operator=(CryptoLogic &&second)
        return *this;
 }
 
-bool CryptoLogic::haveKey(const Label &smackLabel)
+bool CryptoLogic::haveKey(const ClientId &client)
 {
-       return (m_keyMap.count(smackLabel) > 0);
+       return (m_keyMap.count(client) > 0);
 }
 
-void CryptoLogic::pushKey(const Label &smackLabel,
+void CryptoLogic::pushKey(const ClientId &client,
                                                  const RawBuffer &applicationKey)
 {
-       if (smackLabel.length() == 0)
-               ThrowErr(Exc::InternalError, "Empty smack label.");
+       if (client.empty())
+               ThrowErr(Exc::InternalError, "Empty client id.");
 
        if (applicationKey.size() == 0)
                ThrowErr(Exc::InternalError, "Empty application key.");
 
-       if (haveKey(smackLabel))
-               ThrowErr(Exc::InternalError, "Application key for ", smackLabel,
-                                "label already exists.");
+       if (haveKey(client))
+               ThrowErr(Exc::InternalError, "Application key for ", client,
+                                " already exists.");
 
-       m_keyMap[smackLabel] = applicationKey;
+       m_keyMap[client] = applicationKey;
 }
 
-void CryptoLogic::removeKey(const Label &smackLabel)
+void CryptoLogic::removeKey(const ClientId &client)
 {
-       m_keyMap.erase(smackLabel);
+       m_keyMap.erase(client);
 }
 
 RawBuffer CryptoLogic::passwordToKey(
@@ -134,14 +134,14 @@ void CryptoLogic::encryptRow(DB::Row &row)
        if (crow.dataSize <= 0)
                ThrowErr(Exc::InternalError, "Invalid dataSize.");
 
-       if (!haveKey(row.ownerLabel))
+       if (!haveKey(row.owner))
                ThrowErr(Exc::InternalError, "Missing application key for ",
-                                row.ownerLabel, " label.");
+                                row.owner, " client.");
 
        if (crow.iv.empty())
                crow.iv = generateRandIV();
 
-       key = m_keyMap[row.ownerLabel];
+       key = m_keyMap[row.owner];
        CLEAR_FLAGS(crow.encryptionScheme);
        SET_FLAG(ENCR_APPKEY, crow.encryptionScheme);
 
@@ -186,11 +186,11 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row)
                ThrowErr(Exc::AuthenticationFailed,
                                 "DB row is not password protected, but given password is not empty.");
 
-       if (GET_FLAG(ENCR_APPKEY, row.encryptionScheme) && !haveKey(row.ownerLabel))
+       if (GET_FLAG(ENCR_APPKEY, row.encryptionScheme) && !haveKey(row.owner))
                ThrowErr(Exc::AuthenticationFailed,
                                 "Missing application key for ",
-                                row.ownerLabel,
-                                " label.");
+                                row.owner,
+                                " client.");
 
        decBase64(crow.iv);
 
@@ -200,7 +200,7 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row)
        try {
                if (GET_ENCRYPTION_VERSION(crow.encryptionScheme) == ENCRYPTION_V2) {
                        if (GET_FLAG(ENCR_APPKEY, crow.encryptionScheme)) {
-                               key = m_keyMap[crow.ownerLabel];
+                               key = m_keyMap[crow.owner];
                                crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv,
                                                        crow.tag);
                        }
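Review bot: `key = m_keyMap[crow.owner];` goes through `std::map::operator[]`, which inserts an empty `RawBuffer` when the owner has no entry and then passes that empty key to `decryptDataAesGcm`; the same line is repeated in the next hunk. The only guard visible is `haveKey(row.owner)` in the earlier hunk, and whether `crow` always carries the same owner and scheme flags as `row` cannot be seen from here. A lookup that cannot insert makes the failure explicit: `auto it = m_keyMap.find(crow.owner);` followed by `if (it == m_keyMap.end()) ThrowErr(Exc::AuthenticationFailed, "Missing application key for ", crow.owner, " client.");`. decryptRow starts and ends outside this hunk.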
@@ -212,7 +212,7 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row)
                        }
 
                        if (GET_FLAG(ENCR_APPKEY, crow.encryptionScheme)) {
-                               key = m_keyMap[crow.ownerLabel];
+                               key = m_keyMap[crow.owner];
                                crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv,
                                                        crow.tag);
                        }
index fab4cf9..154b1b2 100644 (file)
@@ -43,10 +43,10 @@ public:
 
        static int getSchemeVersion(int encryptionScheme);
 
-       bool haveKey(const Label &smackLabel);
-       void pushKey(const Label &smackLabel,
+       bool haveKey(const ClientId &client);
+       void pushKey(const ClientId &client,
                                 const RawBuffer &applicationKey);
-       void removeKey(const Label &smackLabel);
+       void removeKey(const ClientId &client);
 
        /*
         * v1 encryption.
@@ -101,7 +101,7 @@ private:
                return encryptionScheme >> ENCR_ORDER_OFFSET;
        }
 
-       std::map<Label, RawBuffer> m_keyMap;
+       std::map<ClientId, RawBuffer> m_keyMap;
 
        RawBuffer generateRandIV() const;
        RawBuffer passwordToKey(const Password &password,
index 83ccab5..467c9c7 100644 (file)
@@ -34,7 +34,7 @@ struct CryptoRequest {
        int msgId;
        CryptoAlgorithmSerializable cas;
        Name name;
-       Label label;
+       ClientId explicitOwner;
        Password password;
        RawBuffer input;
 };
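Review bot: The renamed field `explicitOwner` has no comment saying where its value comes from, and at the struct that is not obvious. Later in this commit it is filled by `buffer.Deserialize(...)` in `EncryptionService::ProcessEncryption`, so it is the owner id exactly as the client sent it. I would add `// owner id as supplied in the client request; not yet checked against the caller's credentials` above the field. What an empty value means is not visible in this hunk and should be confirmed before documenting it.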
index 9395386..2bc2a92 100644 (file)
@@ -81,7 +81,7 @@ const char *DB_CMD_NAME_COUNT_ROWS =
 const char *DB_CMD_NAME_DELETE =
        "DELETE FROM NAMES WHERE name=?101 AND label=?102;";
 
-const char *DB_CMD_NAME_DELETE_BY_LABEL =
+const char *DB_CMD_NAME_DELETE_BY_OWNER =
        "DELETE FROM NAMES WHERE label=?102;";
 
 
@@ -107,7 +107,7 @@ const char *DB_CMD_OBJECT_UPDATE =
        "   WHERE idx IN (SELECT idx FROM NAMES WHERE name=?101 and label=?102)"
        "   AND dataType = ?002;";
 
-const char *DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL =
+const char *DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER =
        "SELECT * FROM [join_name_object_tables] "
        " WHERE (dataType BETWEEN ?001 AND ?002) "
        " AND name=?101 and label=?102;";
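Review bot: The constants are now named `..._BY_OWNER` and `..._AND_OWNER` (here and `DB_CMD_NAME_DELETE_BY_OWNER` in the previous hunk) while the SQL still filters on the `label` column, and nothing next to them explains the mismatch. The commit message says the database scheme deliberately keeps the old names, so a one-line comment near these statements would save the next reader a search: `// NAMES.label holds the owner's client id; the column name is kept for schema compatibility`.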
@@ -338,7 +338,7 @@ void Crypto::resetDB()
        transaction.commit();
 }
 
-bool Crypto::isNameLabelPresent(const Name &name, const Label &owner) const
+bool Crypto::isNameOwnerPresent(const Name &name, const ClientId &owner) const
 {
        try {
                NameTable nameTable(this->m_connection);
@@ -350,10 +350,10 @@ bool Crypto::isNameLabelPresent(const Name &name, const Label &owner) const
        }
 
        ThrowErr(Exc::DatabaseFailed,
-                        "Couldn't check if name and label pair is present");
+                        "Couldn't check if name and owner pair is present");
 }
 
-void Crypto::saveRows(const Name &name, const Label &owner,
+void Crypto::saveRows(const Name &name, const ClientId &owner,
                                          const RowVector &rows)
 {
        try {
@@ -389,11 +389,11 @@ void Crypto::saveRow(const Row &row)
                NameTable nameTable(this->m_connection);
                ObjectTable objectTable(this->m_connection);
                PermissionTable permissionTable(this->m_connection);
-               nameTable.addRow(row.name, row.ownerLabel);
+               nameTable.addRow(row.name, row.owner);
                objectTable.addRow(row);
                permissionTable.setPermission(row.name,
-                                                                         row.ownerLabel,
-                                                                         row.ownerLabel,
+                                                                         row.owner,
+                                                                         row.owner,
                                                                          static_cast<int>(DEFAULT_PERMISSIONS));
                return;
        } catch (const SqlConnection::Exception::SyntaxError &) {
@@ -423,14 +423,14 @@ void Crypto::updateRow(const Row &row)
 
 bool Crypto::deleteRow(
        const Name &name,
-       const Label &ownerLabel)
+       const ClientId &owner)
 {
        try {
                // transaction is present in the layer above
                NameTable nameTable(this->m_connection);
 
-               if (nameTable.isPresent(name, ownerLabel)) {
-                       nameTable.deleteRow(name, ownerLabel);
+               if (nameTable.isPresent(name, owner)) {
+                       nameTable.deleteRow(name, owner);
                        return true;
                }
 
@@ -442,7 +442,7 @@ bool Crypto::deleteRow(
        }
 
        ThrowErr(Exc::DatabaseFailed,
-                        "Couldn't delete Row for name ", name, " using ownerLabel ", ownerLabel);
+                        "Couldn't delete Row for name ", name, " using owner id ", owner);
 }
 
 Row Crypto::getRow(
@@ -450,7 +450,7 @@ Row Crypto::getRow(
 {
        Row row;
        row.name = selectCommand->GetColumnString(0);
-       row.ownerLabel = selectCommand->GetColumnString(1);
+       row.owner = selectCommand->GetColumnString(1);
        row.exportable = selectCommand->GetColumnInteger(2);
        row.dataType = DataType(selectCommand->GetColumnInteger(3));
        row.algorithmType =
@@ -466,12 +466,12 @@ Row Crypto::getRow(
 
 PermissionMaskOptional Crypto::getPermissionRow(
        const Name &name,
-       const Label &ownerLabel,
-       const Label &accessorLabel) const
+       const ClientId &owner,
+       const ClientId &accessor) const
 {
        try {
                PermissionTable permissionTable(this->m_connection);
-               return permissionTable.getPermissionRow(name, ownerLabel, accessorLabel);
+               return permissionTable.getPermissionRow(name, owner, accessor);
        } catch (const SqlConnection::Exception::InvalidColumn &) {
                LogError("Select statement invalid column error");
        } catch (const SqlConnection::Exception::SyntaxError &) {
@@ -485,27 +485,27 @@ PermissionMaskOptional Crypto::getPermissionRow(
 
 Crypto::RowOptional Crypto::getRow(
        const Name &name,
-       const Label &ownerLabel,
+       const ClientId &owner,
        DataType type)
 {
-       return getRow(name, ownerLabel, type, type);
+       return getRow(name, owner, type, type);
 }
 
 Crypto::RowOptional Crypto::getRow(
        const Name &name,
-       const Label &ownerLabel,
+       const ClientId &owner,
        DataType typeRangeStart,
        DataType typeRangeStop)
 {
        try {
                SqlConnection::DataCommandUniquePtr selectCommand =
-                       m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL);
+                       m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER);
                selectCommand->BindInteger(1, typeRangeStart);
                selectCommand->BindInteger(2, typeRangeStop);
 
                // name table reference
                selectCommand->BindString(101, name.c_str());
-               selectCommand->BindString(102, ownerLabel.c_str());
+               selectCommand->BindString(102, owner.c_str());
 
                if (selectCommand->Step()) {
                        // extract data
@@ -528,34 +528,34 @@ Crypto::RowOptional Crypto::getRow(
                         "Couldn't get row of type <",
                         static_cast<int>(typeRangeStart), ",",
                         static_cast<int>(typeRangeStop), ">",
-                        " name ", name, " with owner label ", ownerLabel);
+                        " name ", name, " with owner ", owner);
 }
 
 void Crypto::getRows(
        const Name &name,
-       const Label &ownerLabel,
+       const ClientId &owner,
        DataType type,
        RowVector &output)
 {
-       getRows(name, ownerLabel, type, type, output);
+       getRows(name, owner, type, type, output);
 }
 
 void Crypto::getRows(
        const Name &name,
-       const Label &ownerLabel,
+       const ClientId &owner,
        DataType typeRangeStart,
        DataType typeRangeStop,
        RowVector &output)
 {
        try {
                SqlConnection::DataCommandUniquePtr selectCommand =
-                       m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL);
+                       m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER);
                selectCommand->BindInteger(1, typeRangeStart);
                selectCommand->BindInteger(2, typeRangeStop);
 
                // name table reference
                selectCommand->BindString(101, name.c_str());
-               selectCommand->BindString(102, ownerLabel.c_str());
+               selectCommand->BindString(102, owner.c_str());
 
                while (selectCommand->Step()) {
                        // extract data
@@ -575,20 +575,20 @@ void Crypto::getRows(
                         "Couldn't get row of type <",
                         static_cast<int>(typeRangeStart), ",",
                         static_cast<int>(typeRangeStop), ">",
-                        " name ", name, " with owner label ", ownerLabel);
+                        " name ", name, " with owner label ", owner);
 }
 
 void Crypto::listNames(
-       const Label &smackLabel,
-       LabelNameVector &labelNameVector,
+       const ClientId &owner,
+       OwnerNameVector &ownerNameVector,
        DataType type)
 {
-       listNames(smackLabel, labelNameVector, type, type);
+       listNames(owner, ownerNameVector, type, type);
 }
 
 void Crypto::listNames(
-       const Label &smackLabel,
-       LabelNameVector &labelNameVector,
+       const ClientId &owner,
+       OwnerNameVector &ownerNameVector,
        DataType typeRangeStart,
        DataType typeRangeStop)
 {
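Review bot: The error text in the range overload of `getRows` still reads `" with owner label "` after the rename, while the matching message in `getRow` was changed to `" with owner "`. For consistent log output the line should be `" name ", name, " with owner ", owner);`. The body of `getRows` starts before this hunk.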
@@ -598,14 +598,14 @@ void Crypto::listNames(
                        m_connection->PrepareDataCommand(DB_CMD_NAME_SELECT_BY_TYPE_AND_PERMISSION);
                selectCommand->BindInteger(1, static_cast<int>(typeRangeStart));
                selectCommand->BindInteger(2, static_cast<int>(typeRangeStop));
-               selectCommand->BindString(104, smackLabel.c_str());
+               selectCommand->BindString(104, owner.c_str());
                selectCommand->BindInteger(4,
                                                                   static_cast<int>(Permission::READ | Permission::REMOVE));
 
                while (selectCommand->Step()) {
-                       Label ownerLabel = selectCommand->GetColumnString(0);
-                       Name name = selectCommand->GetColumnString(1);
-                       labelNameVector.push_back(std::make_pair(ownerLabel, name));
+                       ClientId itemOwner = selectCommand->GetColumnString(0);
+                       Name itemName = selectCommand->GetColumnString(1);
+                       ownerNameVector.push_back(std::make_pair(itemOwner, itemName));
                }
 
                return;
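Review bot: The `listNames` parameter renamed to `owner` is bound to placeholder 104, which `setPermission` and `getPermissionRow` in this file use for the accessor, and the error message in the next hunk calls it the client the names are "accessible to". Calling the requesting client `owner` in a permission query invites mixing up the two roles, all the more so since the loop reads a separate `itemOwner` column. I would name it `accessor` in both overloads and in the header declarations, e.g. `selectCommand->BindString(104, accessor.c_str());`. The signatures are in the previous hunk and the body continues past this one.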
@@ -621,17 +621,17 @@ void Crypto::listNames(
                         "Couldn't list names of type <",
                         static_cast<int>(typeRangeStart), ",",
                         static_cast<int>(typeRangeStop), ">",
-                        " accessible to client label ", smackLabel);
+                        " accessible to client ", owner);
 }
 
 void Crypto::saveKey(
-       const Label &label,
+       const ClientId &owner,
        const RawBuffer &key)
 {
        try {
                SqlConnection::DataCommandUniquePtr insertCommand =
                        m_connection->PrepareDataCommand(DB_CMD_KEY_INSERT);
-               insertCommand->BindString(1, label.c_str());
+               insertCommand->BindString(1, owner.c_str());
                insertCommand->BindBlob(2, key);
                insertCommand->Step();
                return;
@@ -641,15 +641,15 @@ void Crypto::saveKey(
                LogError("Couldn't execute insert statement");
        }
 
-       ThrowErr(Exc::DatabaseFailed, "Couldn't save key for label ", label);
+       ThrowErr(Exc::DatabaseFailed, "Couldn't save key for owner ", owner);
 }
 
-Crypto::RawBufferOptional Crypto::getKey(const Label &label)
+Crypto::RawBufferOptional Crypto::getKey(const ClientId &owner)
 {
        try {
                SqlConnection::DataCommandUniquePtr selectCommand =
                        m_connection->PrepareDataCommand(DB_CMD_KEY_SELECT);
-               selectCommand->BindString(1, label.c_str());
+               selectCommand->BindString(1, owner.c_str());
 
                if (selectCommand->Step())
                        return RawBufferOptional(selectCommand->GetColumnBlob(0));
@@ -663,21 +663,21 @@ Crypto::RawBufferOptional Crypto::getKey(const Label &label)
                LogError("Couldn't execute insert statement");
        }
 
-       ThrowErr(Exc::DatabaseFailed, "Couldn't get key for label ", label);
+       ThrowErr(Exc::DatabaseFailed, "Couldn't get key for owner ", owner);
 }
 
-void Crypto::deleteKey(const Label &label)
+void Crypto::deleteKey(const ClientId &owner)
 {
        try {
                Transaction transaction(this);
 
                SqlConnection::DataCommandUniquePtr deleteCommand =
                        m_connection->PrepareDataCommand(DB_CMD_KEY_DELETE);
-               deleteCommand->BindString(1, label.c_str());
+               deleteCommand->BindString(1, owner.c_str());
                deleteCommand->Step();
 
                NameTable nameTable(this->m_connection);
-               nameTable.deleteAllRows(label);
+               nameTable.deleteAllRows(owner);
 
                transaction.commit();
                return;
@@ -687,18 +687,18 @@ void Crypto::deleteKey(const Label &label)
                LogError("Couldn't execute insert statement");
        }
 
-       ThrowErr(Exc::DatabaseFailed, "Couldn't delete key for label ", label);
+       ThrowErr(Exc::DatabaseFailed, "Couldn't delete key for owner ", owner);
 }
 
 void Crypto::setPermission(
        const Name &name,
-       const Label &ownerLabel,
-       const Label &accessorLabel,
+       const ClientId &owner,
+       const ClientId &accessor,
        const PermissionMask permissionMask)
 {
        try {
                PermissionTable permissionTable(this->m_connection);
-               permissionTable.setPermission(name, ownerLabel, accessorLabel, permissionMask);
+               permissionTable.setPermission(name, owner, accessor, permissionMask);
                return;
        } catch (const SqlConnection::Exception::SyntaxError &) {
                LogError("Couldn't prepare set statement");
@@ -745,45 +745,45 @@ bool Crypto::SchemaInfo::getVersionInfo(int &version) const
 
 void Crypto::PermissionTable::setPermission(
        const Name &name,
-       const Label &ownerLabel,
-       const Label &accessorLabel,
+       const ClientId &owner,
+       const ClientId &accessor,
        const PermissionMask permissionMask)
 {
        if (permissionMask == Permission::NONE) {
                // clear permissions
                SqlConnection::DataCommandUniquePtr deletePermissionCommand =
                        m_connection->PrepareDataCommand(DB_CMD_PERMISSION_DELETE);
-               deletePermissionCommand->BindString(104, accessorLabel.c_str());
+               deletePermissionCommand->BindString(104, accessor.c_str());
                deletePermissionCommand->BindString(101, name.c_str());
-               deletePermissionCommand->BindString(102, ownerLabel.c_str());
+               deletePermissionCommand->BindString(102, owner.c_str());
                deletePermissionCommand->Step();
        } else {
                // add new permissions
                SqlConnection::DataCommandUniquePtr setPermissionCommand =
                        m_connection->PrepareDataCommand(DB_CMD_PERMISSION_SET);
-               setPermissionCommand->BindString(104, accessorLabel.c_str());
+               setPermissionCommand->BindString(104, accessor.c_str());
                setPermissionCommand->BindInteger(105, static_cast<int>(permissionMask));
                setPermissionCommand->BindString(101, name.c_str());
-               setPermissionCommand->BindString(102, ownerLabel.c_str());
+               setPermissionCommand->BindString(102, owner.c_str());
                setPermissionCommand->Step();
        }
 }
 
 PermissionMaskOptional Crypto::PermissionTable::getPermissionRow(
        const Name &name,
-       const Label &ownerLabel,
-       const Label &accessorLabel) const
+       const ClientId &owner,
+       const ClientId &accessor) const
 {
        SqlConnection::DataCommandUniquePtr selectCommand =
                m_connection->PrepareDataCommand(DB_CMD_PERMISSION_SELECT);
-       selectCommand->BindString(104, accessorLabel.c_str());
+       selectCommand->BindString(104, accessor.c_str());
 
        // name table reference
        selectCommand->BindString(101, name.c_str());
-       selectCommand->BindString(102, ownerLabel.c_str());
+       selectCommand->BindString(102, owner.c_str());
 
        if (selectCommand->Step()) {
-               // there is entry for the <name, ownerLabel> pair
+               // there is entry for the <name, owner> pair
                return PermissionMaskOptional(PermissionMask(selectCommand->GetColumnInteger(
                                                                                  0)));
        }
@@ -793,35 +793,35 @@ PermissionMaskOptional Crypto::PermissionTable::getPermissionRow(
 
 void Crypto::NameTable::addRow(
        const Name &name,
-       const Label &ownerLabel)
+       const ClientId &owner)
 {
        // insert NAMES item
        SqlConnection::DataCommandUniquePtr insertNameCommand =
                m_connection->PrepareDataCommand(DB_CMD_NAME_INSERT);
        insertNameCommand->BindString(101, name.c_str());
-       insertNameCommand->BindString(102, ownerLabel.c_str());
+       insertNameCommand->BindString(102, owner.c_str());
        insertNameCommand->Step();
 }
 
 void Crypto::NameTable::deleteRow(
        const Name &name,
-       const Label &ownerLabel)
+       const ClientId &ownerOwner)
 {
        SqlConnection::DataCommandUniquePtr deleteCommand =
                m_connection->PrepareDataCommand(DB_CMD_NAME_DELETE);
        deleteCommand->BindString(101, name.c_str());
-       deleteCommand->BindString(102, ownerLabel.c_str());
+       deleteCommand->BindString(102, ownerOwner.c_str());
 
        // Step() result code does not provide information whether
        // anything was removed.
        deleteCommand->Step();
 }
 
-void Crypto::NameTable::deleteAllRows(const Label &ownerLabel)
+void Crypto::NameTable::deleteAllRows(const ClientId &owner)
 {
        SqlConnection::DataCommandUniquePtr deleteData =
-               m_connection->PrepareDataCommand(DB_CMD_NAME_DELETE_BY_LABEL);
-       deleteData->BindString(102, ownerLabel.c_str());
+               m_connection->PrepareDataCommand(DB_CMD_NAME_DELETE_BY_OWNER);
+       deleteData->BindString(102, owner.c_str());
 
        // Step() result code does not provide information whether
        // anything was removed.
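Review bot: The parameter of `NameTable::deleteRow` is now called `ownerOwner`, which looks like a search-and-replace leftover from `ownerLabel`; the header declaration later in this commit uses `owner`. The definition should match: `const ClientId &owner)` and `deleteCommand->BindString(102, owner.c_str());`. `deleteAllRows` ends outside this hunk.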
@@ -829,16 +829,16 @@ void Crypto::NameTable::deleteAllRows(const Label &ownerLabel)
 }
 
 bool Crypto::NameTable::isPresent(const Name &name,
-                                                                 const Label &ownerLabel) const
+                                                                 const ClientId &owner) const
 {
        SqlConnection::DataCommandUniquePtr checkCmd =
                m_connection->PrepareDataCommand(DB_CMD_NAME_COUNT_ROWS);
        checkCmd->BindString(101, name.c_str());
-       checkCmd->BindString(102, ownerLabel.c_str());
+       checkCmd->BindString(102, owner.c_str());
 
        if (checkCmd->Step()) {
                int element_count = checkCmd->GetColumnInteger(0);
-               LogDebug("Item name: " << name  << " ownerLabel: " << ownerLabel <<
+               LogDebug("Item name: " << name  << " owner: " << owner <<
                                 " hit count: " << element_count);
 
                if (element_count > 0)
@@ -864,7 +864,7 @@ void Crypto::ObjectTable::addRow(const Row &row)
 
        // name table reference
        insertObjectCommand->BindString(101, row.name.c_str());
-       insertObjectCommand->BindString(102, row.ownerLabel.c_str());
+       insertObjectCommand->BindString(102, row.owner.c_str());
 
        insertObjectCommand->Step();
 }
@@ -883,7 +883,7 @@ void Crypto::ObjectTable::updateRow(const Row &row)
 
        // name table reference
        updateObjectCommand->BindString(101, row.name.c_str());
-       updateObjectCommand->BindString(102, row.ownerLabel.c_str());
+       updateObjectCommand->BindString(102, row.owner.c_str());
 
        updateObjectCommand->Step();
 }
index f4021c3..65ef3a3 100644 (file)
@@ -60,71 +60,71 @@ public:
 
        void saveRows(
                const Name &name,
-               const Label &owner,
+               const ClientId &owner,
                const RowVector &rows);
 
        void updateRow(
                const Row &row);
 
-       bool isNameLabelPresent(
+       bool isNameOwnerPresent(
                const Name &name,
-               const Label &owner) const;
+               const ClientId &owner) const;
 
        RowOptional getRow(
                const Name &name,
-               const Label &ownerLabel,
+               const ClientId &owner,
                DataType type);
 
        RowOptional getRow(
                const Name &name,
-               const Label &ownerLabel,
+               const ClientId &owner,
                DataType typeRangeStart,
                DataType typeRangeStop);
 
        void getRows(
                const Name &name,
-               const Label &ownerLabel,
+               const ClientId &owner,
                DataType type,
                RowVector &output);
 
        void getRows(
                const Name &name,
-               const Label &ownerLabel,
+               const ClientId &owner,
                DataType typeRangeStart,
                DataType typeRangeStop,
                RowVector &output);
 
        void listNames(
-               const Label &smackLabel,
-               LabelNameVector &labelNameVector,
+               const ClientId &owner,
+               OwnerNameVector &ownerNameVector,
                DataType type);
 
        void listNames(
-               const Label &smackLabel,
-               LabelNameVector &labelNameVector,
+               const ClientId &owner,
+               OwnerNameVector &ownerNameVector,
                DataType typeRangeStart,
                DataType typeRangeStop);
 
        bool deleteRow(
                const Name &name,
-               const Label &ownerLabel);
+               const ClientId &owner);
 
        // keys
-       void saveKey(const Label &label, const RawBuffer &key);
-       RawBufferOptional getKey(const Label &label);
-       void deleteKey(const Label &label);
+       void saveKey(const ClientId &owner, const RawBuffer &key);
+       RawBufferOptional getKey(const ClientId &owner);
+       void deleteKey(const ClientId &owner);
 
        // permissions
        void setPermission(
                const Name &name,
-               const Label &ownerLabel,
-               const Label &accessorLabel,
+               const ClientId &owner,
+               const ClientId &accessor,
                const PermissionMask permissionMask);
 
        PermissionMaskOptional getPermissionRow(
                const Name &name,
-               const Label &ownerLabel,
-               const Label &accessorLabel) const;
+               const ClientId &owner,
+               const ClientId &accessor) const;
 
        // transactions
        int beginTransaction();
@@ -247,18 +247,18 @@ public:
 
                void addRow(
                        const Name &name,
-                       const Label &ownerLabel);
+                       const ClientId &owner);
 
                void deleteRow(
                        const Name &name,
-                       const Label &ownerLabel);
+                       const ClientId &owner);
 
                void deleteAllRows(
-                       const Label &ownerLabel);
+                       const ClientId &owner);
 
                bool isPresent(
                        const Name &name,
-                       const Label &ownerLabel) const;
+                       const ClientId &owner) const;
 
        private:
                SqlConnection *m_connection;
@@ -284,14 +284,14 @@ public:
 
                void setPermission(
                        const Name &name,
-                       const Label &ownerLabel,
-                       const Label &accessorLabel,
+                       const ClientId &owner,
+                       const ClientId &accessor,
                        const PermissionMask permissionMask);
 
                PermissionMaskOptional getPermissionRow(
                        const Name &name,
-                       const Label &ownerLabel,
-                       const Label &accessorLabel) const;
+                       const ClientId &owner,
+                       const ClientId &accessor) const;
 
        private:
                SqlConnection *m_connection;
index 0f171ba..c709ed2 100644 (file)
@@ -37,17 +37,17 @@ struct Row : public Token {
                encryptionScheme(0),
                dataSize(0) {}
 
-       Row(Token token, const Name &pName, const Label &pLabel, int pExportable) :
+       Row(Token token, const Name &pName, const ClientId &pOwner, int pExportable) :
                Token(std::move(token)),
                name(pName),
-               ownerLabel(pLabel),
+               owner(pOwner),
                exportable(pExportable),
                algorithmType(DBCMAlgType::NONE),
                encryptionScheme(0),
                dataSize(data.size()) {}
 
        Name name;
-       Label ownerLabel;
+       ClientId owner;
        int exportable;
        DBCMAlgType algorithmType;  // Algorithm type used for row data encryption
        int encryptionScheme;       // for example: (ENCR_BASE64 | ENCR_PASSWORD)
index e403584..5289f83 100644 (file)
@@ -57,8 +57,8 @@ void EncryptionService::RespondToClient(const CryptoRequest &request,
 
 void EncryptionService::RequestKey(const CryptoRequest &request)
 {
-       MsgKeyRequest kReq(request.msgId, request.cred, request.name, request.label,
-                                          request.password);
+       MsgKeyRequest kReq(request.msgId, request.cred, request.name,
+                                          request.explicitOwner, request.password);
 
        if (!m_commMgr->SendMessage(kReq))
                throw std::runtime_error("No listener found");// TODO
@@ -127,7 +127,7 @@ void EncryptionService::ProcessEncryption(const ConnectionID &conn,
        int tmpCmd = 0;
        CryptoRequest req;
 
-       buffer.Deserialize(tmpCmd, req.msgId, req.cas, req.name, req.label,
+       buffer.Deserialize(tmpCmd, req.msgId, req.cas, req.name, req.explicitOwner,
                                           req.password, req.input);
        req.command = static_cast<EncryptionCommand>(tmpCmd);
 
index 2da7703..79f8081 100644 (file)
@@ -143,11 +143,11 @@ void FileSystem::saveDBDEK(const RawBuffer &buffer) const
        saveFile(getDBDEKPath(), buffer);
 }
 
-void FileSystem::addRemovedApp(const std::string &smackLabel) const
+void FileSystem::addRemovedApp(const ClientId &app) const
 {
        std::ofstream outfile;
        outfile.open(getRemovedAppsPath(), std::ios_base::app);
-       outfile << smackLabel << std::endl;
+       outfile << app << std::endl;
        outfile.close();
 
        if (outfile.fail()) {
@@ -157,10 +157,10 @@ void FileSystem::addRemovedApp(const std::string &smackLabel) const
        }
 }
 
-AppLabelVector FileSystem::clearRemovedsApps() const
+ClientIdVector FileSystem::clearRemovedsApps() const
 {
        // read the contents
-       AppLabelVector removedApps;
+       ClientIdVector removedApps;
        std::string line;
        std::ifstream removedAppsFile(getRemovedAppsPath());
 
index 2ed9e31..287fbf6 100644 (file)
@@ -27,7 +27,7 @@
 
 namespace CKM {
 
-typedef std::vector<std::string> AppLabelVector;
+typedef std::vector<ClientId> ClientIdVector;
 typedef std::vector<uid_t> UidVector;
 
 class FileSystem {
@@ -47,8 +47,8 @@ public:
        // Remove all ckm data related to user
        int removeUserData() const;
 
-       void addRemovedApp(const std::string &smackLabel) const;
-       AppLabelVector clearRemovedsApps() const;
+       void addRemovedApp(const ClientId &app) const;
+       ClientIdVector clearRemovedsApps() const;
 
        static int init();
        static UidVector getUIDsFromDBFile();
index 98dedd4..95c68af 100644 (file)
@@ -67,12 +67,12 @@ void WrappedKeyAndInfoContainer::setKeyInfoKeyLength(const unsigned int length)
        wrappedKeyAndInfo->keyInfo.keyLength = length;
 }
 
-void WrappedKeyAndInfoContainer::setKeyInfoLabel(const std::string label)
+void WrappedKeyAndInfoContainer::setKeyInfoClient(const std::string resized_client)
 {
        strncpy(
-               wrappedKeyAndInfo->keyInfo.label,
-               label.c_str(),
-               MAX_LABEL_SIZE-1);
+               wrappedKeyAndInfo->keyInfo.client,
+               resized_client.c_str(),
+               MAX_CLIENT_ID_SIZE-1);
 }
 
 void WrappedKeyAndInfoContainer::setKeyInfoSalt(const unsigned char *salt,
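Review bot: `strncpy` with a count of `MAX_CLIENT_ID_SIZE-1` writes no terminator when the source is at least that long, so `keyInfo.client` is only NUL-terminated if the struct was zeroed beforehand, which this hunk does not show. The field is later read with `strlen` in `getPureDEK` and passed as a C string to `concat_password_user`, so an unterminated value would be read past its end. Terminating explicitly removes the dependency, assuming the array holds `MAX_CLIENT_ID_SIZE` bytes: `wrappedKeyAndInfo->keyInfo.client[MAX_CLIENT_ID_SIZE-1] = '\0';`. The parameter could also be `const std::string &client`, since `resized_client` is the caller's local name and the by-value `const` copy serves no purpose.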
@@ -165,7 +165,7 @@ KeyProvider::KeyProvider(
        uint8_t PKEK1[MAX_KEY_SIZE];
 
        concat_user_pass = concat_password_user(
-                                                  wkmcDKEK.getWrappedKeyAndInfo().keyInfo.label,
+                                                  wkmcDKEK.getWrappedKeyAndInfo().keyInfo.client,
                                                   password.c_str());
 
        if (!PKCS5_PBKDF2_HMAC_SHA1(
@@ -249,7 +249,7 @@ RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password)
        uint8_t PKEK1[MAX_KEY_SIZE];
 
        concat_user_pass = concat_password_user(
-                                                  m_kmcDKEK->getKeyAndInfo().keyInfo.label,
+                                                  m_kmcDKEK->getKeyAndInfo().keyInfo.client,
                                                   password.c_str());
 
        if (!PKCS5_PBKDF2_HMAC_SHA1(
@@ -307,8 +307,8 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm)
        int keyLength;
 
        if (!PKCS5_PBKDF2_HMAC_SHA1(
-                               wkmcDEK.getWrappedKeyAndInfo().keyInfo.label,
-                               strlen(wkmcDEK.getWrappedKeyAndInfo().keyInfo.label),
+                               wkmcDEK.getWrappedKeyAndInfo().keyInfo.client,
+                               strlen(wkmcDEK.getWrappedKeyAndInfo().keyInfo.client),
                                m_kmcDKEK->getKeyAndInfo().key,
                                MAX_SALT_SIZE,
                                PBKDF2_ITERATIONS,
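Review bot: `strlen(wkmcDEK.getWrappedKeyAndInfo().keyInfo.client)` scans a fixed `MAX_CLIENT_ID_SIZE`-byte field with no bound. `wkmcDEK` appears to be built from `DEKInWrapForm`, outside this hunk; if that blob carries a client field with no NUL byte, the scan runs on into the `salt`/`iv` members that follow it in `KeyComponentsInfo_`, and the PBKDF2 password length is wrong. I would bound the length to the field: `strnlen(wkmcDEK.getWrappedKeyAndInfo().keyInfo.client, MAX_CLIENT_ID_SIZE)`. getPureDEK's body starts and continues outside the hunk.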
@@ -334,18 +334,18 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm)
                           (kmcDEK.getKeyAndInfo().key) + kmcDEK.getKeyAndInfo().keyInfo.keyLength);
 }
 
-RawBuffer KeyProvider::generateDEK(const std::string &smackLabel)
+RawBuffer KeyProvider::generateDEK(const ClientId &client)
 {
        if (!m_isInitialized)
                ThrowErr(Exc::InternalError, "Object not initialized!");
 
        WrappedKeyAndInfoContainer wkmcDEK = WrappedKeyAndInfoContainer();
-       std::string resized_smackLabel;
+       std::string resized_client;
 
-       if (smackLabel.length() < APP_LABEL_SIZE)
-               resized_smackLabel = smackLabel;
+       if (client.length() < MAX_CLIENT_ID_SIZE)
+               resized_client = client;
        else
-               resized_smackLabel = smackLabel.substr(0, APP_LABEL_SIZE - 1);
+               resized_client = client.substr(0, MAX_CLIENT_ID_SIZE - 1);
 
        uint8_t key[MAX_KEY_SIZE], PKEK2[MAX_KEY_SIZE];
 
@@ -354,8 +354,8 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel)
                ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR");
 
        if (!PKCS5_PBKDF2_HMAC_SHA1(
-                               resized_smackLabel.c_str(),
-                               strlen(resized_smackLabel.c_str()),
+                               resized_client.c_str(),
+                               strlen(resized_client.c_str()),
                                m_kmcDKEK->getKeyAndInfo().key,
                                MAX_SALT_SIZE,
                                PBKDF2_ITERATIONS,
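Review bot: The password given to PBKDF2 here is `resized_client`, which the preceding hunk silently cuts to `MAX_CLIENT_ID_SIZE - 1` bytes, so two client ids sharing their first 31 bytes produce the same derived value for a given domain KEK (presumably the key that wraps the DEK; the output argument is outside the hunk). Now that the id is no longer described as a smack label, it is worth stating whether longer ids can occur. I would either reject over-long ids with `ThrowErr` or document the limit at the truncation, e.g. `// client ids longer than MAX_CLIENT_ID_SIZE-1 bytes are truncated; ids sharing that prefix derive the same key`. generateDEK's body continues outside the hunk.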
@@ -375,7 +375,7 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel)
                ThrowErr(Exc::InternalError, "GenerateDEK Failed in KeyProvider::generateDEK");
 
        wkmcDEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength);
-       wkmcDEK.setKeyInfoLabel(resized_smackLabel);
+       wkmcDEK.setKeyInfoClient(resized_client);
 
        LogDebug("GenerateDEK Success");
        return toRawBuffer(wkmcDEK.getWrappedKeyAndInfo());
@@ -405,7 +405,7 @@ RawBuffer KeyProvider::reencrypt(
 
 
        concat_user_pass = concat_password_user(
-                                                  wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo.label,
+                                                  wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo.client,
                                                   oldPass.c_str());
 
        if (!PKCS5_PBKDF2_HMAC_SHA1(
@@ -435,7 +435,7 @@ RawBuffer KeyProvider::reencrypt(
        kmcDKEK.setKeyInfoKeyLength((unsigned int)keyLength);
 
        concat_user_pass = concat_password_user(
-                                                  kmcDKEK.getKeyAndInfo().keyInfo.label,
+                                                  kmcDKEK.getKeyAndInfo().keyInfo.client,
                                                   newPass.c_str());
 
        if (!PKCS5_PBKDF2_HMAC_SHA1(
@@ -513,7 +513,7 @@ RawBuffer KeyProvider::generateDomainKEK(
                                 "GenerateDomainKEK Failed in KeyProvider::generateDomainKEK");
 
        wkmcDKEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength);
-       wkmcDKEK.setKeyInfoLabel(user);
+       wkmcDKEK.setKeyInfoClient(user);
 
        LogDebug("generateDomainKEK Success");
        return toRawBuffer(wkmcDKEK.getWrappedKeyAndInfo());
@@ -621,8 +621,8 @@ char *KeyProvider::concat_password_user(const char *user, const char *password)
        std::string result(password);
        result += user;
 
-       if (strlen(user) > MAX_LABEL_SIZE - 1)
-               result.resize(strlen(password) + MAX_LABEL_SIZE - 1);
+       if (strlen(user) > MAX_CLIENT_ID_SIZE - 1)
+               result.resize(strlen(password) + MAX_CLIENT_ID_SIZE - 1);
 
        char *ret = new char[result.size() + 1];
        memcpy(ret, result.c_str(), result.size() + 1);
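Review bot: `result += user` appends the whole C string before the `strlen(user) > MAX_CLIENT_ID_SIZE - 1` check trims it, so a `user` pointer into a `keyInfo.client` field that lacks a terminator is read past the field, and the extra bytes pass through the temporary. Appending a bounded length gives the same result for well-formed input and removes both the over-read and the later `resize`: `result.append(user, strnlen(user, MAX_CLIENT_ID_SIZE - 1));`. The callers in the KeyProvider constructor, getWrappedDomainKEK and reencrypt hunks all pass `keyInfo.client` here. The function starts and ends outside this hunk.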
index 82b79e6..9994c90 100644 (file)
 #define MAX_SALT_SIZE         16
 #define MAX_KEY_SIZE          32
 #define MAX_WRAPPED_KEY_SIZE  32
-#define MAX_LABEL_SIZE        32
+#define MAX_CLIENT_ID_SIZE    32
 #define DOMAIN_NAME_SIZE      32
-#define APP_LABEL_SIZE        32
 
 namespace CKM {
 
 typedef struct KeyComponentsInfo_ {
        uint32_t keyLength;
-       char label[MAX_LABEL_SIZE];
+       char client[MAX_CLIENT_ID_SIZE];
        uint8_t salt[MAX_SALT_SIZE];
        uint8_t iv[MAX_IV_SIZE];
        uint8_t tag[MAX_IV_SIZE];
@@ -87,7 +86,7 @@ public:
        WrappedKeyAndInfoContainer(const unsigned char *);
        WrappedKeyAndInfo &getWrappedKeyAndInfo();
        void setKeyInfoKeyLength(const unsigned int);
-       void setKeyInfoLabel(const std::string);
+       void setKeyInfoClient(const std::string);
        void setKeyInfoSalt(const unsigned char *, const int);
        void setKeyInfo(const KeyComponentsInfo *);
        ~WrappedKeyAndInfoContainer();
@@ -141,10 +140,10 @@ public:
        // This key will be used to decrypt/encrypt data in ROW
        RawBuffer getPureDEK(const RawBuffer &DEKInWrapForm);
 
-       // Returns WRAPPED DEK. This will be written to datbase.
+       // Returns WRAPPED DEK. This will be written to database.
        // This key will be used to encrypt all application information.
-       // All application are identified by smackLabel.
-       RawBuffer generateDEK(const std::string &smackLabel);
+       // All application are identified by client id.
+       RawBuffer generateDEK(const ClientId &client);
 
        // used by change user password. On error -> exception
        static RawBuffer reencrypt(
diff --git a/src/manager/service/permission.cpp b/src/manager/service/permission.cpp
new file mode 100644 (file)
index 0000000..e6e930a
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+/*
+ * @file        permission.cpp
+ * @author      Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version     1.0
+ */
+
+#include <permission.h>
+
+namespace CKM {
+
+PermissionMask toPermissionMask(const PermissionMaskOptional& mask)
+{
+       return mask ? *mask : Permission::NONE;
+}
+
+} // namespace CKM
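Review bot: toPermissionMask carries no comment saying that an empty optional becomes `Permission::NONE`. After the conversion a caller can no longer tell "no mask present" from "mask present but empty", which matters for access decisions. A one-line comment on the definition, and on the declaration in permission.h, would make that contract explicit: `// Returns *mask, or Permission::NONE when mask holds no value.`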
index b0218ba..a4860c1 100644 (file)
@@ -17,7 +17,7 @@
  * @file        permission.h
  * @author      Maciej Karpiuk (m.karpiuk2@samsung.com)
  * @version     1.0
- * @brief       PermissionForLabel - helper to bind permissions with accessor label.
+ * @brief       toPermissionMask - PermissionMaskOptional conversion helper.
  */
 #pragma once
 
 
 namespace CKM {
 typedef boost::optional<PermissionMask> PermissionMaskOptional;
-struct PermissionForLabel {
-       Label accessorLabel;        // who is accessing the item
-       PermissionMask permissionMask;
 
-       PermissionForLabel(const Label &accessor, const PermissionMaskOptional mask)
-       {
-               accessorLabel = accessor;
+PermissionMask toPermissionMask(const PermissionMaskOptional& mask);
 
-               if (mask)
-                       permissionMask = *mask;
-               else
-                       permissionMask = Permission::NONE;
-       }
-
-       int operator&(const Permission &bit) const
-       {
-               return permissionMask & bit;
-       }
-};
 } // namespace CKM
index f08846b..a7e42fe 100644 (file)
@@ -89,15 +89,15 @@ void DBFixture::generate_name(unsigned int id, Name &output)
        output = ss.str();
 }
 
-void DBFixture::generate_label(unsigned int id, Label &output)
+void DBFixture::generate_owner(unsigned int id, ClientId &output)
 {
        std::stringstream ss;
-       ss << "label_no_" << id;
+       ss << "owner_no_" << id;
        output = ss.str();
 }
 
 void DBFixture::generate_perf_DB(unsigned int num_name,
-                                                                unsigned int num_elements)
+                                                                unsigned int names_per_owner)
 {
        // to speed up data creation - cache the row
        DB::Row rowPattern = create_default_row(DataType::BINARY_DATA);
@@ -107,32 +107,32 @@ void DBFixture::generate_perf_DB(unsigned int num_name,
 
        for (unsigned int i = 0; i < num_name; i++) {
                generate_name(i, rowPattern.name);
-               generate_label(i / num_elements, rowPattern.ownerLabel);
+               generate_owner(i / names_per_owner, rowPattern.owner);
 
                BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern));
        }
 }
 
 long DBFixture::add_full_access_rights(unsigned int num_name,
-                                                                          unsigned int num_name_per_label)
+                                                                          unsigned int num_name_per_owner)
 {
        long iterations = 0;
-       unsigned int num_labels = num_name / num_name_per_label;
+       unsigned int num_owners = num_name / num_name_per_owner;
        Name name;
-       Label owner_label, accessor_label;
+       ClientId owner, accessor;
 
        for (unsigned int a = 0; a < num_name; a++) {
                generate_name(a, name);
-               generate_label(a / num_name_per_label, owner_label);
+               generate_owner(a / num_name_per_owner, owner);
 
-               for (unsigned int l = 0; l < num_labels; l++) {
-                       // bypass the owner label
-                       if (l == (a / num_name_per_label))
+               for (unsigned int l = 0; l < num_owners; l++) {
+                       // bypass the owner
+                       if (l == (a / num_name_per_owner))
                                continue;
 
                        // add permission
-                       generate_label(l, accessor_label);
-                       add_permission(name, owner_label, accessor_label);
+                       generate_owner(l, accessor);
+                       add_permission(name, owner, accessor);
                        iterations++;
                }
        }
@@ -142,16 +142,16 @@ long DBFixture::add_full_access_rights(unsigned int num_name,
 
 DB::Row DBFixture::create_default_row(DataType type)
 {
-       return create_default_row(m_default_name, m_default_label, type);
+       return create_default_row(m_default_name, m_default_owner, type);
 }
 
 DB::Row DBFixture::create_default_row(const Name &name,
-                                                                         const Label &label,
+                                                                         const ClientId &owner,
                                                                          DataType type)
 {
        DB::Row row;
        row.name = name;
-       row.ownerLabel = label;
+       row.owner = owner;
        row.exportable = 1;
        row.algorithmType = DBCMAlgType::AES_GCM_256;
        row.dataType = type;
@@ -169,9 +169,9 @@ void DBFixture::compare_row(const DB::Row &lhs, const DB::Row &rhs)
                                                "namees didn't match! Got: " << rhs.name
                                                << " , expected : " << lhs.name);
 
-       BOOST_CHECK_MESSAGE(lhs.ownerLabel == rhs.ownerLabel,
-                                               "smackLabel didn't match! Got: " << rhs.ownerLabel
-                                               << " , expected : " << lhs.ownerLabel);
+       BOOST_CHECK_MESSAGE(lhs.owner == rhs.owner,
+                                               "owner didn't match! Got: " << rhs.owner
+                                               << " , expected : " << lhs.owner);
 
        BOOST_CHECK_MESSAGE(lhs.exportable == rhs.exportable,
                                                "exportable didn't match! Got: " << rhs.exportable
@@ -195,7 +195,7 @@ void DBFixture::check_DB_integrity(const DB::Row &rowPattern)
        BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern));
 
        DB::Crypto::RowOptional optional_row;
-       BOOST_REQUIRE_NO_THROW(optional_row = m_db.getRow("name", "label",
+       BOOST_REQUIRE_NO_THROW(optional_row = m_db.getRow("name", "owner",
                                                                                  DataType::BINARY_DATA));
        BOOST_REQUIRE_MESSAGE(optional_row, "Select didn't return any row");
 
@@ -205,11 +205,11 @@ void DBFixture::check_DB_integrity(const DB::Row &rowPattern)
        name_duplicate.dataSize = name_duplicate.data.size();
 
        unsigned int erased;
-       BOOST_REQUIRE_NO_THROW(erased = m_db.deleteRow("name", "label"));
+       BOOST_REQUIRE_NO_THROW(erased = m_db.deleteRow("name", "owner"));
        BOOST_REQUIRE_MESSAGE(erased > 0, "Inserted row didn't exist in db");
 
        DB::Crypto::RowOptional row_optional;
-       BOOST_REQUIRE_NO_THROW(row_optional = m_db.getRow("name", "label",
+       BOOST_REQUIRE_NO_THROW(row_optional = m_db.getRow("name", "owner",
                                                                                  DataType::BINARY_DATA));
        BOOST_REQUIRE_MESSAGE(!row_optional,
                                                  "Select should not return row after deletion");
@@ -217,12 +217,12 @@ void DBFixture::check_DB_integrity(const DB::Row &rowPattern)
 
 void DBFixture::insert_row()
 {
-       insert_row(m_default_name, m_default_label);
+       insert_row(m_default_name, m_default_owner);
 }
 
-void DBFixture::insert_row(const Name &name, const Label &owner_label)
+void DBFixture::insert_row(const Name &name, const ClientId &owner)
 {
-       DB::Row rowPattern = create_default_row(name, owner_label,
+       DB::Row rowPattern = create_default_row(name, owner,
                                                                                        DataType::BINARY_DATA);
        rowPattern.data = RawBuffer(100, 20);
        rowPattern.dataSize = rowPattern.data.size();
@@ -230,27 +230,27 @@ void DBFixture::insert_row(const Name &name, const Label &owner_label)
        BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern));
 }
 
-void DBFixture::delete_row(const Name &name, const Label &owner_label)
+void DBFixture::delete_row(const Name &name, const ClientId &owner)
 {
        bool exit_flag;
-       BOOST_REQUIRE_NO_THROW(exit_flag = m_db.deleteRow(name, owner_label));
+       BOOST_REQUIRE_NO_THROW(exit_flag = m_db.deleteRow(name, owner));
        BOOST_REQUIRE_MESSAGE(true == exit_flag, "remove name failed: no rows removed");
 }
 
-void DBFixture::add_permission(const Name &name, const Label &owner_label,
-                                                          const Label &accessor_label)
+void DBFixture::add_permission(const Name &name, const ClientId &owner,
+                                                          const ClientId &accessor)
 {
        BOOST_REQUIRE_NO_THROW(m_db.setPermission(name,
-                                                  owner_label,
-                                                  accessor_label,
+                                                  owner,
+                                                  accessor,
                                                   CKM::Permission::READ | CKM::Permission::REMOVE));
 }
 
 void DBFixture::read_row_expect_success(const Name &name,
-                                                                               const Label &owner_label)
+                                                                               const ClientId &owner)
 {
        DB::Crypto::RowOptional row;
-       BOOST_REQUIRE_NO_THROW(row = m_db.getRow(name, owner_label,
+       BOOST_REQUIRE_NO_THROW(row = m_db.getRow(name, owner,
                                                                 DataType::BINARY_DATA));
        BOOST_REQUIRE_MESSAGE(row, "row is empty");
        BOOST_REQUIRE_MESSAGE(row->name == name, "name is not valid");
index 62f19a2..5b40820 100644 (file)
@@ -33,15 +33,15 @@ public:
        DBFixture(const char *db_fname);
 
        constexpr static const char *m_default_name = "name";
-       constexpr static const char *m_default_label = "label";
+       constexpr static const char *m_default_owner = "owner";
 
        // ::::::::::::::::::::::::: helper methods :::::::::::::::::::::::::
        static void generate_name(unsigned int id, CKM::Name &output);
-       static void generate_label(unsigned int id, CKM::Label &output);
+       static void generate_owner(unsigned int id, CKM::ClientId &output);
        static CKM::DB::Row create_default_row(CKM::DataType type =
                        CKM::DataType::BINARY_DATA);
        static CKM::DB::Row create_default_row(const CKM::Name &name,
-                                                                                  const CKM::Label &label,
+                                                                                  const CKM::ClientId &owner,
                                                                                   CKM::DataType type = CKM::DataType::BINARY_DATA);
        static void compare_row(const CKM::DB::Row &lhs, const CKM::DB::Row &rhs);
 
@@ -50,17 +50,17 @@ public:
        void performance_stop(long num_operations_performed);
 
        // ::::::::::::::::::::::::: DB :::::::::::::::::::::::::
-       void generate_perf_DB(unsigned int num_name, unsigned int num_label);
+       void generate_perf_DB(unsigned int num_name, unsigned int names_per_owner);
        long add_full_access_rights(unsigned int num_name,
-                                                               unsigned int num_names_per_label);
+                                                               unsigned int num_names_per_owner);
        void check_DB_integrity(const CKM::DB::Row &rowPattern);
        void insert_row();
-       void insert_row(const CKM::Name &name, const CKM::Label &owner_label);
-       void delete_row(const CKM::Name &name, const CKM::Label &owner_label);
-       void add_permission(const CKM::Name &name, const CKM::Label &owner_label,
-                                               const CKM::Label &accessor_label);
+       void insert_row(const CKM::Name &name, const CKM::ClientId &owner);
+       void delete_row(const CKM::Name &name, const CKM::ClientId &owner);
+       void add_permission(const CKM::Name &name, const CKM::ClientId &owner,
+                                               const CKM::ClientId &accessor);
        void read_row_expect_success(const CKM::Name &name,
-                                                                const CKM::Label &owner_label);
+                                                                const CKM::ClientId &owner);
 
        CKM::DB::Crypto    m_db;
 
index d0096ac..73cca05 100644 (file)
@@ -53,7 +53,7 @@ const uid_t UID = 7654;
 const gid_t GID = 7654;
 const char *const DBPASS = "db-pass";
 const char *const LABEL = "my-label";
-const Label DB_LABEL = "/" + string(LABEL);
+const ClientId OWNER = "/" + string(LABEL);
 const int ENC_SCHEME_OFFSET = 24;
 const string TEST_DATA_STR = "test-data";
 RawBuffer TEST_DATA(TEST_DATA_STR.begin(), TEST_DATA_STR.end());
@@ -743,7 +743,7 @@ size_t SchemeTest::CountObjects()
                for (const auto &i : g.items) {
                        DB::RowVector rows;
                        // it is assumed that aliases are different
-                       m_db->getRows(i.alias, DB_LABEL, DataType::DB_FIRST, DataType::DB_LAST, rows);
+                       m_db->getRows(i.alias, OWNER, DataType::DB_FIRST, DataType::DB_LAST, rows);
                        ret += rows.size();
                }
        }
@@ -770,7 +770,7 @@ void SchemeTest::CheckSchemeVersion(const ItemFilter &filter, int version)
                                continue;
 
                        DB::RowVector rows;
-                       m_db->getRows(i.alias, DB_LABEL, filter.typeFrom, filter.typeTo, rows);
+                       m_db->getRows(i.alias, OWNER, filter.typeFrom, filter.typeTo, rows);
                        BOOST_REQUIRE_MESSAGE(rows.size() > 0, "No rows found for " << i.alias);
 
                        for (const auto &r : rows) {
index a6c9ca0..6029963 100644 (file)
@@ -27,8 +27,8 @@ All data is saved in both of
 
 <storage name> is only used for migratable data re-encryption.
 
-system db with owner label = "/System" and name = "<data name>"
-admin user(owner) db with owner label = "/User" and name = "<data name>"
+system db with owner = "/System" and name = "<data name>"
+admin user(owner) db with owner = "/User" and name = "<data name>"
 
 storage name extraction examples) Client with...
 Case1:: <smack label> = "client.service.label", <data name> = "data", <group id> = "secure-storage::client"
index 6bb84cd..5784365 100644 (file)
@@ -48,39 +48,39 @@ BOOST_AUTO_TEST_CASE(move_semantics)
 {
        CryptoLogic logic;
 
-       const std::string label = "test_label";
-       BOOST_REQUIRE_NO_THROW(logic.pushKey(label, createRandom(10)));
+       const ClientId client = "test_client";
+       BOOST_REQUIRE_NO_THROW(logic.pushKey(client, createRandom(10)));
 
        CryptoLogic moved(std::move(logic));
-       BOOST_REQUIRE(!logic.haveKey(label));
-       BOOST_REQUIRE(moved.haveKey(label));
+       BOOST_REQUIRE(!logic.haveKey(client));
+       BOOST_REQUIRE(moved.haveKey(client));
 
        CryptoLogic moveAssigned = std::move(moved);
-       BOOST_REQUIRE(!moved.haveKey(label));
-       BOOST_REQUIRE(moveAssigned.haveKey(label));
+       BOOST_REQUIRE(!moved.haveKey(client));
+       BOOST_REQUIRE(moveAssigned.haveKey(client));
 
        moveAssigned = std::move(moveAssigned);
-       BOOST_REQUIRE(moveAssigned.haveKey(label));
+       BOOST_REQUIRE(moveAssigned.haveKey(client));
 }
 
 BOOST_AUTO_TEST_CASE(push_key)
 {
        CryptoLogic logic;
 
-       const std::string label = "test_label";
+       const ClientId client = "test_client";
        BOOST_REQUIRE_THROW(logic.pushKey(std::string(), createRandom(10)),
                                                Exc::InternalError);
-       BOOST_REQUIRE_THROW(logic.pushKey(label, RawBuffer()),
+       BOOST_REQUIRE_THROW(logic.pushKey(client, RawBuffer()),
                                                Exc::InternalError);
 
-       BOOST_REQUIRE_NO_THROW(logic.pushKey(label, createRandom(10)));
-       BOOST_REQUIRE_THROW(logic.pushKey(label, createRandom(10)),
+       BOOST_REQUIRE_NO_THROW(logic.pushKey(client, createRandom(10)));
+       BOOST_REQUIRE_THROW(logic.pushKey(client, createRandom(10)),
                                                Exc::InternalError);
 
-       std::string increasingLabel = "a";
-       for (size_t i = 0; i < 20; ++i, increasingLabel.push_back('a')) {
-               BOOST_REQUIRE_NO_THROW(logic.pushKey(increasingLabel, createRandom(10)));
-               BOOST_REQUIRE_THROW(logic.pushKey(increasingLabel, createRandom(10)),
+       ClientId increasingOwner = "a";
+       for (size_t i = 0; i < 20; ++i, increasingOwner.push_back('a')) {
+               BOOST_REQUIRE_NO_THROW(logic.pushKey(increasingOwner, createRandom(10)));
+               BOOST_REQUIRE_THROW(logic.pushKey(increasingOwner, createRandom(10)),
                                                        Exc::InternalError);
        }
 }
@@ -94,15 +94,15 @@ BOOST_AUTO_TEST_CASE(row_encryption)
        Token token = store.import(data, policy.password);
 
        Name name = "test_data";
-       Label label = "test_owner";
-       DB::Row row(token, name, label, static_cast<int>(policy.extractable));
+       ClientId owner = "test_owner";
+       DB::Row row(token, name, owner, static_cast<int>(policy.extractable));
 
        CryptoLogic logic;
 
        BOOST_REQUIRE_THROW(logic.encryptRow(row), Exc::InternalError);
 
        auto key = createRandom(32);
-       BOOST_REQUIRE_NO_THROW(logic.pushKey(label, key));
+       BOOST_REQUIRE_NO_THROW(logic.pushKey(owner, key));
        BOOST_REQUIRE_NO_THROW(logic.encryptRow(row));
        BOOST_REQUIRE_NO_THROW(logic.decryptRow(policy.password, row));
 }
@@ -116,22 +116,22 @@ BOOST_AUTO_TEST_CASE(row_encryption_negatives)
        Token token = store.import(data, policy.password);
 
        Name name = "test_data";
-       Label label = "test_owner";
-       DB::Row row(token, name, label, static_cast<int>(policy.extractable));
+       ClientId owner = "test_owner";
+       DB::Row row(token, name, owner, static_cast<int>(policy.extractable));
 
        CryptoLogic logic;
 
        auto key = createRandom(32);
-       BOOST_REQUIRE_NO_THROW(logic.pushKey(label, key));
+       BOOST_REQUIRE_NO_THROW(logic.pushKey(owner, key));
        BOOST_REQUIRE_NO_THROW(logic.encryptRow(row));
 
        BOOST_REQUIRE_THROW(logic.decryptRow(createRandomPass(10), row),
                                                Exc::AuthenticationFailed);
 
-       BOOST_REQUIRE_NO_THROW(logic.removeKey(label));
+       BOOST_REQUIRE_NO_THROW(logic.removeKey(owner));
        BOOST_REQUIRE_THROW(logic.decryptRow(Password(), row),
                                                Exc::AuthenticationFailed);
-       BOOST_REQUIRE_NO_THROW(logic.pushKey(label, key));
+       BOOST_REQUIRE_NO_THROW(logic.pushKey(owner, key));
 
        row.algorithmType = DBCMAlgType::NONE;
        BOOST_REQUIRE_THROW(logic.decryptRow(Password(), row),
index e9f471b..7d6c698 100644 (file)
@@ -39,7 +39,7 @@ const int restricted_global = 0;
 const unsigned int c_test_retries = 1000;
 const unsigned int c_num_names = 500;
 const unsigned int c_num_names_add_test = 5000;
-const unsigned int c_names_per_label = 15;
+const unsigned int c_names_per_owner = 15;
 
 } // namespace anonymous
 
@@ -72,7 +72,7 @@ BOOST_AUTO_TEST_CASE(DBtestGlobal)
        BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern));
 
        DB::Row name_duplicate = rowPattern;
-       rowPattern.ownerLabel = rowPattern.ownerLabel + "1";
+       rowPattern.owner = rowPattern.owner + "1";
 }
 BOOST_AUTO_TEST_CASE(DBtestTransaction)
 {
@@ -87,7 +87,7 @@ BOOST_AUTO_TEST_CASE(DBtestTransaction)
 
        DB::Crypto::RowOptional row_optional;
        BOOST_REQUIRE_NO_THROW(row_optional = m_db.getRow(m_default_name,
-                                                                                 m_default_label,
+                                                                                 m_default_owner,
                                                                                  DataType::BINARY_DATA));
        BOOST_CHECK_MESSAGE(!row_optional, "Row still present after rollback");
 }
@@ -121,7 +121,7 @@ BOOST_AUTO_TEST_CASE(DBperfAddNames)
        performance_start("saveRow");
 
        {
-               generate_perf_DB(c_num_names_add_test, c_names_per_label);
+               generate_perf_DB(c_num_names_add_test, c_names_per_owner);
        }
 
        performance_stop(c_num_names_add_test);
@@ -130,40 +130,41 @@ BOOST_AUTO_TEST_CASE(DBperfAddNames)
 BOOST_AUTO_TEST_CASE(DBperfLookupAliasByOwner)
 {
        // prepare data
-       generate_perf_DB(c_num_names, c_names_per_label);
+       generate_perf_DB(c_num_names, c_names_per_owner);
 
-       unsigned int num_labels = c_num_names / c_names_per_label;
+       unsigned int num_owners = c_num_names / c_names_per_owner;
        Name name;
-       Label label;
+       ClientId owner;
 
        // actual test - successful lookup
        performance_start("getRow");
 
        for (unsigned int t = 0; t < c_test_retries; t++) {
-               int label_num = rand_r(&t) % num_labels;
-               generate_label(label_num, label);
+               int owner_num = rand_r(&t) % num_owners;
+               generate_owner(owner_num, owner);
 
-               unsigned int start_name = label_num * c_names_per_label;
+               unsigned int start_name = owner_num * c_names_per_owner;
 
                for (unsigned int name_num = start_name;
-                               name_num < (start_name + c_names_per_label); name_num++) {
+                               name_num < (start_name + c_names_per_owner); name_num++) {
                        generate_name(name_num, name);
-                       read_row_expect_success(name, label);
+                       read_row_expect_success(name, owner);
                }
        }
 
        performance_stop(c_test_retries * c_num_names);
 }
 
+// TODO this test makes no sense. Rewrite it.
 BOOST_AUTO_TEST_CASE(DBperfLookupAliasRandomOwnershipNoPermissions)
 {
        // prepare data
-       generate_perf_DB(c_num_names, c_names_per_label);
+       generate_perf_DB(c_num_names, c_names_per_owner);
 
        Name name;
-       Label owner_label;
-       Label smack_label;
-       unsigned int num_labels = c_num_names / c_names_per_label;
+       ClientId owner;
+       //ClientId smack_label;
+       //unsigned int num_owners = c_num_names / c_names_per_owner;
 
        // actual test - random lookup
        performance_start("getRow");
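Review bot: `rand_r(&t)` in DBperfLookupAliasByOwner uses the loop counter as its seed, and `rand_r` writes its next state back through that pointer, so `t` is overwritten with a pseudo-random value on every pass. The loop then most likely ends after the first iteration instead of running `c_test_retries` times, and the count passed to `performance_stop` no longer matches the work done. A separate seed keeps the counter intact: `unsigned int seed = t;` followed by `int owner_num = rand_r(&seed) % num_owners;`. The same pattern appears in the DBperfLookupAliasRandomOwnershipNoPermissions and DBperfGetAliasList hunks below.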
@@ -171,11 +172,11 @@ BOOST_AUTO_TEST_CASE(DBperfLookupAliasRandomOwnershipNoPermissions)
        for (unsigned int t = 0; t < c_test_retries; t++) {
                int name_idx = rand_r(&t) % c_num_names;
                generate_name(name_idx, name);
-               generate_label(name_idx / c_names_per_label, owner_label);
-               generate_label(rand_r(&t) % num_labels, smack_label);
+               generate_owner(name_idx / c_names_per_owner, owner);
+               //generate_owner(rand_r(&t) % num_owners, smack_label);
 
                // do not care of result
-               m_db.getRow(name, owner_label, DataType::BINARY_DATA);
+               m_db.getRow(name, owner, DataType::BINARY_DATA);
        }
 
        performance_stop(c_test_retries * c_num_names);
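Review bot: The commit leaves commented-out code in DBperfLookupAliasRandomOwnershipNoPermissions: `//generate_owner(rand_r(&t) % num_owners, smack_label);` in this hunk, and `//ClientId smack_label;` and `//unsigned int num_owners = ...` in the previous one. I would delete the dead lines, since version control keeps the history. The TODO would also be more useful if it said what is wrong, e.g. `// TODO: accessor is no longer passed to getRow(); decide what this test should measure`.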
@@ -184,41 +185,41 @@ BOOST_AUTO_TEST_CASE(DBperfLookupAliasRandomOwnershipNoPermissions)
 BOOST_AUTO_TEST_CASE(DBperfAddPermissions)
 {
        // prepare data
-       generate_perf_DB(c_num_names, c_names_per_label);
+       generate_perf_DB(c_num_names, c_names_per_owner);
 
        // actual test - add access rights
        performance_start("setPermission");
-       long iterations = add_full_access_rights(c_num_names, c_names_per_label);
+       long iterations = add_full_access_rights(c_num_names, c_names_per_owner);
        performance_stop(iterations);
 }
 
 BOOST_AUTO_TEST_CASE(DBperfAliasRemoval)
 {
        // prepare data
-       generate_perf_DB(c_num_names, c_names_per_label);
-       add_full_access_rights(c_num_names, c_names_per_label);
+       generate_perf_DB(c_num_names, c_names_per_owner);
+       add_full_access_rights(c_num_names, c_names_per_owner);
 
        // actual test - random lookup
        performance_start("deleteRow");
        Name name;
-       Label label;
+       ClientId owner;
 
        for (unsigned int t = 0; t < c_num_names; t++) {
                generate_name(t, name);
-               generate_label(t / c_names_per_label, label);
+               generate_owner(t / c_names_per_owner, owner);
 
-               BOOST_REQUIRE_NO_THROW(m_db.deleteRow(name, label));
+               BOOST_REQUIRE_NO_THROW(m_db.deleteRow(name, owner));
        }
 
        performance_stop(c_num_names);
 
        // verify everything has been removed
-       unsigned int num_labels = c_num_names / c_names_per_label;
+       unsigned int num_owners = c_num_names / c_names_per_owner;
 
-       for (unsigned int l = 0; l < num_labels; l++) {
-               generate_label(l, label);
-               LabelNameVector expect_no_data;
-               BOOST_REQUIRE_NO_THROW(m_db.listNames(label, expect_no_data,
+       for (unsigned int l = 0; l < num_owners; l++) {
+               generate_owner(l, owner);
+               OwnerNameVector expect_no_data;
+               BOOST_REQUIRE_NO_THROW(m_db.listNames(owner, expect_no_data,
                                                                                          DataType::BINARY_DATA));
                BOOST_REQUIRE(0 == expect_no_data.size());
        }
@@ -227,25 +228,25 @@ BOOST_AUTO_TEST_CASE(DBperfAliasRemoval)
 BOOST_AUTO_TEST_CASE(DBperfGetAliasList)
 {
        // prepare data
-       generate_perf_DB(c_num_names, c_names_per_label);
-       add_full_access_rights(c_num_names, c_names_per_label);
+       generate_perf_DB(c_num_names, c_names_per_owner);
+       add_full_access_rights(c_num_names, c_names_per_owner);
 
-       unsigned int num_labels = c_num_names / c_names_per_label;
-       Label label;
+       unsigned int num_owners = c_num_names / c_names_per_owner;
+       ClientId owner;
 
        // actual test - random lookup
        performance_start("listNames");
 
-       for (unsigned int t = 0; t < (c_test_retries / num_labels); t++) {
-               LabelNameVector ret_list;
-               generate_label(rand_r(&t) % num_labels, label);
+       for (unsigned int t = 0; t < (c_test_retries / num_owners); t++) {
+               OwnerNameVector ret_list;
+               generate_owner(rand_r(&t) % num_owners, owner);
 
-               BOOST_REQUIRE_NO_THROW(m_db.listNames(label, ret_list, DataType::BINARY_DATA));
+               BOOST_REQUIRE_NO_THROW(m_db.listNames(owner, ret_list, DataType::BINARY_DATA));
                BOOST_REQUIRE(c_num_names == ret_list.size());
                ret_list.clear();
        }
 
-       performance_stop(c_test_retries / num_labels);
+       performance_stop(c_test_retries / num_owners);
 }
 BOOST_AUTO_TEST_SUITE_END()
 
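Review bot: `rand_r(&t)` in the `generate_owner(...)` line of DBperfGetAliasList passes the loop counter as the seed, and rand_r() writes the next generator state back through that pointer, so `t` is overwritten on every pass. The loop then no longer runs `c_test_retries / num_owners` times, while `performance_stop(c_test_retries / num_owners)` still reports that count, which skews the per-iteration figure. Keep the seed in its own variable, `unsigned int seed = t;` followed by `generate_owner(rand_r(&seed) % num_owners, owner);`, or count the iterations actually executed and pass that to `performance_stop`.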
@@ -253,51 +254,52 @@ BOOST_AUTO_TEST_SUITE_END()
 BOOST_AUTO_TEST_SUITE(DBCRYPTO_MIGRATION_TEST)
 namespace {
 const unsigned migration_names = 16107;
-const unsigned migration_labels = 273;
-const unsigned migration_reference_label_idx = 0;
+const unsigned migration_owners = 273;
+const unsigned migration_reference_owner_idx = 0;
 const unsigned migration_accessed_element_idx = 7;
 
 void verifyDBisValid(DBFixture &fixture)
 {
        /**
-        * there are (migration_labels), each having (migration_names)/(migration_labels) entries.
-        * reference label (migration_reference_label_idx) exists such that it has access to
-        * all others' label element with index (migration_accessed_element_idx).
+        * There are (migration_owners), each having (migration_names)/(migration_owners)
+        * entries. Reference owner (migration_reference_owner_idx) exists such that
+        * it has access to all other owners' elements with index
+        * (migration_accessed_element_idx).
         *
         * Example:
-        * - migration_label_63 has access to all items owned by migration_label_63,
-        *   which gives (migration_names)/(migration_labels) entries.
+        * - migration_owner_63 has access to all items owned by migration_owner_63,
+        *   which gives (migration_names)/(migration_owners) entries.
         *
-        * - migration_label_0 (0 is the reference label) has access to all items
-        *   owned by migration_label_0 and all others' label element index 7,
-        *   which gives (migration_names)/(migration_labels)  + (migration_labels-1) entries.
+        * - migration_owner_0 (0 is the reference owner) has access to all items
+        *   owned by migration_owner_0 and all other owners' elements with index 7,
+        *   which gives (migration_names)/(migration_owners)  + (migration_owners-1) entries.
         *
         */
-       Label reference_label;
-       fixture.generate_label(migration_reference_label_idx, reference_label);
+       ClientId reference_owner;
+       fixture.generate_owner(migration_reference_owner_idx, reference_owner);
 
-       // check number of elements accessible to the reference label
-       LabelNameVector ret_list;
-       BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(reference_label, ret_list,
+       // check number of elements accessible to the reference owner
+       OwnerNameVector ret_list;
+       BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(reference_owner, ret_list,
                                                   DataType::BINARY_DATA));
-       BOOST_REQUIRE((migration_names / migration_labels)/*own items*/ +
-                                 (migration_labels - 1)/*other labels'*/ == ret_list.size());
+       BOOST_REQUIRE((migration_names / migration_owners)/*own items*/ +
+                                 (migration_owners - 1)/*other owners'*/ == ret_list.size());
        ret_list.clear();
 
-       // check number of elements accessible to the other labels
-       for (unsigned int l = 0; l < migration_labels; l++) {
-               // bypass the reference owner label
-               if (l == migration_reference_label_idx)
+       // check number of elements accessible to the other owners
+       for (unsigned int l = 0; l < migration_owners; l++) {
+               // bypass the reference owner
+               if (l == migration_reference_owner_idx)
                        continue;
 
-               Label current_label;
-               fixture.generate_label(l, current_label);
-               BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(current_label, ret_list,
+               ClientId current_owner;
+               fixture.generate_owner(l, current_owner);
+               BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(current_owner, ret_list,
                                                           DataType::BINARY_DATA));
-               BOOST_REQUIRE((migration_names / migration_labels) == ret_list.size());
+               BOOST_REQUIRE((migration_names / migration_owners) == ret_list.size());
 
                for (auto it : ret_list)
-                       BOOST_REQUIRE(it.first == current_label);
+                       BOOST_REQUIRE(it.first == current_owner);
 
                ret_list.clear();
        }
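Review bot: The reference-owner check at the top of `verifyDBisValid` compares only `ret_list.size()` with the expected total, so a migrated database that exposes the right number of entries but the wrong ones would still pass. The other owners do get a per-entry `it.first == current_owner` check. Since the commit description says permission processing is being reworked, I would also pin the composition of the list before `ret_list.clear()`: count the entries whose `first` differs from `reference_owner` in an unsigned counter and add `BOOST_REQUIRE(foreign_entries == migration_owners - 1);`. The function body continues past the end of this hunk, so a later part may already cover this. The loop index `l` is a leftover from "label" and could be renamed with the rest.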
@@ -339,27 +341,27 @@ BOOST_AUTO_TEST_CASE(DBMigrationDBCurrent)
        DBFixture currentDB;
 
        // prepare data using current DB mechanism
-       Label reference_label;
-       currentDB.generate_label(migration_reference_label_idx, reference_label);
+       ClientId reference_owner;
+       currentDB.generate_owner(migration_reference_owner_idx, reference_owner);
 
        {
-               currentDB.generate_perf_DB(migration_names, migration_names / migration_labels);
+               currentDB.generate_perf_DB(migration_names, migration_names / migration_owners);
 
-               // only the reference label has access to the other labels element <migration_accessed_element_idx>
-               for (unsigned int l = 0; l < migration_labels; l++) {
-                       // bypass the reference owner label
-                       if (l == migration_reference_label_idx)
+               // only the reference owner has access to the other owners' elements <migration_accessed_element_idx>
+               for (unsigned int l = 0; l < migration_owners; l++) {
+                       // bypass the reference owner
+                       if (l == migration_reference_owner_idx)
                                continue;
 
                        unsigned element_index = migration_accessed_element_idx + l * migration_names /
-                                                                        migration_labels;
+                                                                        migration_owners;
 
                        // add permission
                        Name accessed_name;
                        currentDB.generate_name(element_index, accessed_name);
-                       Label current_label;
-                       currentDB.generate_label(l, current_label);
-                       currentDB.add_permission(accessed_name, current_label, reference_label);
+                       ClientId current_owner;
+                       currentDB.generate_owner(l, current_owner);
+                       currentDB.add_permission(accessed_name, current_owner, reference_owner);
                }
        }
 
index 274080d..abca989 100644 (file)
@@ -33,8 +33,8 @@ const CKM::Password NEW_PASSWORD = "NEW12345TIZEN12345NEW";
 
 const std::string USERNAME_SHORT = "AB";
 const std::string USERNAME_LONG = "SOFTWARE_CENTER_SYSTEM_SW_LAB_SECURITY_PART";
-const std::string SMACK_LABEL_1 = "SAMPLE_SMACK_LABEL_1";
-const std::string SMACK_LABEL_2 = "SAMPLE_SMACK_LABEL_2";
+const std::string CLIENT_ID_1 = "SAMPLE_CLIENT_ID_1";
+const std::string CLIENT_ID_2 = "SAMPLE_CLIENT_ID_2";
 
 extern bool isLibInitialized;
 
@@ -106,7 +106,7 @@ BOOST_AUTO_TEST_CASE(KeyGenerateDEK)
        BOOST_REQUIRE_NO_THROW(keyProvider = CKM::KeyProvider(rb_test, PASSWORD));
        BOOST_REQUIRE_MESSAGE(keyProvider.isInitialized(),
                                                  "KeyProvider created, but uninitialized");
-       BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(SMACK_LABEL_1));
+       BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(CLIENT_ID_1));
 }
 
 BOOST_AUTO_TEST_CASE(KeyGetPureDEK)
@@ -122,7 +122,7 @@ BOOST_AUTO_TEST_CASE(KeyGetPureDEK)
        BOOST_REQUIRE_NO_THROW(keyProvider = CKM::KeyProvider(rb_test, PASSWORD));
        BOOST_REQUIRE_MESSAGE(keyProvider.isInitialized(),
                                                  "KeyProvider created, but uninitialized");
-       BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(SMACK_LABEL_1));
+       BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(CLIENT_ID_1));
        BOOST_REQUIRE_NO_THROW(rb_pureDEK1 = keyProvider.getPureDEK(rb_DEK1));
 }
 
@@ -159,7 +159,7 @@ BOOST_AUTO_TEST_CASE(KeyGetPureDEK_after_reencrypt)
        BOOST_REQUIRE_NO_THROW(rb_test =
                                                           CKM::KeyProvider::generateDomainKEK(USERNAME_LONG, PASSWORD));
        BOOST_REQUIRE_NO_THROW(keyProvider = CKM::KeyProvider(rb_test, PASSWORD));
-       BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(SMACK_LABEL_1));
+       BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(CLIENT_ID_1));
        BOOST_REQUIRE_NO_THROW(keyProvider.getPureDEK(rb_DEK1));
 }
 
@@ -169,7 +169,7 @@ BOOST_AUTO_TEST_CASE(wrapped_container)
 
        auto salt = createRandom(20);
        BOOST_REQUIRE_NO_THROW(wrappedContainer.setKeyInfoSalt(salt.data(), salt.size()));
-       BOOST_REQUIRE_NO_THROW(wrappedContainer.setKeyInfoLabel("key_info_label"));
+       BOOST_REQUIRE_NO_THROW(wrappedContainer.setKeyInfoClient("key_info_client"));
 
        CKM::WrappedKeyAndInfoContainer wrappedContainer2;
        BOOST_REQUIRE_NO_THROW(
@@ -183,9 +183,9 @@ BOOST_AUTO_TEST_CASE(wrapped_container)
                wrappedContainer2.getWrappedKeyAndInfo().keyInfo.salt,
                sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.salt)) == 0);
        BOOST_REQUIRE(memcmp(
-               wrappedContainer.getWrappedKeyAndInfo().keyInfo.label,
-               wrappedContainer2.getWrappedKeyAndInfo().keyInfo.label,
-               sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.label)) == 0);
+               wrappedContainer.getWrappedKeyAndInfo().keyInfo.client,
+               wrappedContainer2.getWrappedKeyAndInfo().keyInfo.client,
+               sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.client)) == 0);
 }
 
 BOOST_AUTO_TEST_CASE(container)
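Review bot: The `memcmp` over `keyInfo.client` only shows that the two containers hold the same bytes, and nothing in this hunk asserts that the field actually contains the value given to `setKeyInfoClient("key_info_client")`. A setter that stored nothing or truncated the id would therefore still pass as long as the copy is faithful. Assuming `client` is a fixed-size, NUL-terminated char array (the `sizeof` use suggests so), adding `BOOST_REQUIRE(strncmp(wrappedContainer.getWrappedKeyAndInfo().keyInfo.client, "key_info_client", sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.client)) == 0);` would pin the stored value. The test case starts above this hunk, so such a check may already exist in the lines between the two hunks.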
index 4a47a1d..be82e81 100644 (file)
@@ -77,6 +77,7 @@ SET(CKM_DB_TOOLS_SOURCES
     ${KEY_MANAGER_PATH}/service/key-provider.cpp
     ${KEY_MANAGER_PATH}/service/ss-migrate.cpp
     ${KEY_MANAGER_PATH}/service/ss-crypto.cpp
+    ${KEY_MANAGER_PATH}/service/permission.cpp
     ${KEY_MANAGER_PATH}/sqlcipher/sqlcipher.c
     )