const ObserverPtr& observer,
const CertificateShPtr& certificate,
const AliasVector& untrustedCertificates);
+ void getCertificateChain(
+ const ObserverPtr& observer,
+ const CertificateShPtr& certificate,
+ const CertificateShPtrVector& untrustedCertificates,
+ const CertificateShPtrVector& trustedCertificates,
+ bool useSystemTrustedCertificates);
+ void getCertificateChain(
+ const ObserverPtr& observer,
+ const CertificateShPtr& certificate,
+ const AliasVector& untrustedCertificates,
+ const AliasVector& trustedCertificates,
+ bool useSystemTrustedCertificates);
void createSignature(
const ObserverPtr& observer,
const AliasVector &untrustedCertificates,
CertificateShPtrVector &certificateChainVector) = 0;
+ virtual int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const CertificateShPtrVector &untrustedCertificates,
+ const CertificateShPtrVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector) = 0;
+
+ virtual int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const AliasVector &untrustedCertificates,
+ const AliasVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector) = 0;
+
virtual int createSignature(
const Alias &privateKeyAlias,
const Password &password, // password for private_key
int ckmc_verify_signature(const char *public_key_alias, const char *password, const ckmc_raw_buffer_s message, const ckmc_raw_buffer_s signature, const ckmc_hash_algo_e hash, const ckmc_rsa_padding_algo_e padding);
/**
+ * @deprecated, see ckmc_get_certificate_chain()
* @brief Verifies a certificate chain and returns that chain.
*
* @since_tizen 2.3
int ckmc_get_cert_chain(const ckmc_cert_s *cert, const ckmc_cert_list_s *untrustedcerts, ckmc_cert_list_s **ppcert_chain_list);
/**
+ * @deprecated, see ckmc_get_certificate_chain_with_alias()
* @brief Verifies a certificate chain using an alias list of untrusted certificates and return that chain.
*
* @since_tizen 2.3
*/
int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert, const ckmc_alias_list_s *untrustedcerts, ckmc_cert_list_s **ppcert_chain_list);
+/**
+ * @brief Verifies a certificate chain and returns that chain using user entered trusted and untrusted CA certificates
+ *
+ * @since_tizen 3.0
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks If the trusted root certificates are provided as a user input, these certificates do not need to exist in the system's certificate storage.
+ * @remarks You must destroy the newly created @a ppcert_chain_list by calling ckmc_cert_list_all_free() if it is no longer needed.
+ * *
+ * @param[in] cert The certificate to be verified
+ * @param[in] untrustedcerts The untrusted CA certificates to be used in verifying a certificate chain
+ * @param[in] trustedcerts The trusted CA certificates to be used in verifying a certificate chain
+ * @param[in] use_trustedsystemcerts The flag indicating the use of the trusted root certificates in the system's certificate storage.
+ * @param[out] ppcert_chain_list The pointer to a newly created certificate chain's handle \n
+ * If an error occurs, @a *ppcert_chain_list will be null.
+ *
+ * @return @c 0 on success and the signature is valid,
+ * otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_VERIFICATION_FAILED The certificate chain is not valid
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to the error with unknown reason
+ * @retval #CKMC_ERROR_INVALID_FORMAT The format of certificate is not valid
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_get_cert_chain_with_alias())
+ * @see ckmc_cert_list_all_free()
+ */
+int ckmc_get_certificate_chain(const ckmc_cert_s *cert, const ckmc_cert_list_s *untrustedcerts, const ckmc_cert_list_s *trustedcerts, const bool use_trustedsystemcerts, ckmc_cert_list_s **ppcert_chain_list);
+
+/**
+ * @brief Verifies a certificate chain and returns that chain using alias lists of untrusted and trusted certificates
+ *
+ * @since_tizen 3.0
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks If the alias list of trusted root certificates is provided as a user input, these certificates do not need to exist in the system's certificate storage.
+ * @remarks You must destroy the newly created @a ppcert_chain_list by calling ckmc_cert_list_all_free() if it is no longer needed.
+ *
+ * @param[in] cert The certificate to be verified
+ * @param[in] untrustedcerts The alias list of untrusted CA certificates stored in key manager to be used in verifying a certificate chain
+ * @param[in] trustedcerts The alias list of trusted CA certificates stored in key manager to be used in verifying a certificate chain
+ * @param[in] use_trustedsystemcerts The flag indicating the use of the trusted root certificates in the system's certificate storage.
+ * @param[out] ppcert_chain_list The pointer to a newly created certificate chain's handle \n
+ * If an error occurs, @a *ppcert_chain_list will be null.
+ *
+ * @return @c 0 on success and the signature is valid,
+ * otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_VERIFICATION_FAILED The certificate chain is not valid
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to the error with unknown reason
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_INVALID_FORMAT The format of certificate is not valid
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_get_cert_chain())
+ * @see ckmc_cert_list_all_free()
+ */
+int ckmc_get_certificate_chain_with_alias(const ckmc_cert_s *cert, const ckmc_alias_list_s *untrustedcerts, const ckmc_alias_list_s *trustedcerts, const bool use_trustedsystemcerts, ckmc_cert_list_s **ppcert_chain_list);
/**
* @brief Perform OCSP which checks certificate is whether revoked or not
*/
int ckmc_ocsp_check(const ckmc_cert_list_s *pcert_chain_list, ckmc_ocsp_status_e *ocsp_status);
-
/**
* @deprecated, see ckmc_set_permission()
* @brief Allows another application to access client's application data
${COMMON_PATH}/common/smack-check.cpp
${COMMON_PATH}/common/certificate-impl.cpp
${COMMON_PATH}/common/certificate-store.cpp
+ ${COMMON_PATH}/common/certificate-config.cpp
${COMMON_PATH}/common/key-impl.cpp
${COMMON_PATH}/common/pkcs12-impl.cpp
${COMMON_PATH}/common/descriptor-set.cpp
const ManagerAsync::ObserverPtr& observer,
LogicCommand command,
const CertificateShPtr &certificate,
- const T &sendData)
+ const T &untrusted,
+ const T &trusted,
+ bool useSystemTrustedCertificates)
{
observerCheck(observer);
- if (!certificate || sendData.empty()) {
+ if (!certificate) {
observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
return;
}
static_cast<int>(command),
m_counter,
certificate->getDER(),
- sendData);
+ untrusted,
+ trusted,
+ useSystemTrustedCertificates);
}, [&observer](int error){ observer->ReceivedError(error); } );
}
namespace CKM {
+namespace {
+RawBufferVector toRawBufferVector(const CertificateShPtrVector& certificates)
+{
+ RawBufferVector rawBufferVector;
+ for (auto &e: certificates) {
+ rawBufferVector.push_back(e->getDER());
+ }
+ return rawBufferVector;
+}
+
+LabelNameVector toLabelNameVector(const AliasVector& aliases)
+{
+ LabelNameVector labelNames;
+ for (auto &e: aliases) {
+ AliasSupport helper(e);
+ labelNames.push_back(std::make_pair(helper.getLabel(), helper.getName()));
+ }
+ return labelNames;
+}
+const RawBufferVector EMPTY_CERT_VECTOR;
+const LabelNameVector EMPTY_ALIAS_VECTOR;
+
+} // namespace anonymous
+
ManagerAsync::ManagerAsync()
{
m_impl.reset(new Impl());
const CertificateShPtr& certificate,
const CertificateShPtrVector& untrustedCertificates)
{
- RawBufferVector rawBufferVector;
-
- for (auto &e: untrustedCertificates) {
- rawBufferVector.push_back(e->getDER());
- }
-
m_impl->getCertChain(observer,
LogicCommand::GET_CHAIN_CERT,
certificate,
- rawBufferVector);
+ toRawBufferVector(untrustedCertificates),
+ EMPTY_CERT_VECTOR,
+ true);
}
void ManagerAsync::getCertificateChain(const ObserverPtr& observer,
const CertificateShPtr& certificate,
const AliasVector& untrustedCertificates)
{
- LabelNameVector untrusted_certs;
- for (auto &e: untrustedCertificates) {
- AliasSupport helper(e);
- untrusted_certs.push_back(std::make_pair(helper.getLabel(), helper.getName()));
- }
+ m_impl->getCertChain(observer,
+ LogicCommand::GET_CHAIN_ALIAS,
+ certificate,
+ toLabelNameVector(untrustedCertificates),
+ EMPTY_ALIAS_VECTOR,
+ true);
+}
+void ManagerAsync::getCertificateChain(const ObserverPtr& observer,
+ const CertificateShPtr& certificate,
+ const CertificateShPtrVector& untrustedCertificates,
+ const CertificateShPtrVector& trustedCertificates,
+ bool useSystemTrustedCertificates)
+{
+ m_impl->getCertChain(observer,
+ LogicCommand::GET_CHAIN_CERT,
+ certificate,
+ toRawBufferVector(untrustedCertificates),
+ toRawBufferVector(trustedCertificates),
+ useSystemTrustedCertificates);
+}
+
+void ManagerAsync::getCertificateChain(const ObserverPtr& observer,
+ const CertificateShPtr& certificate,
+ const AliasVector& untrustedCertificates,
+ const AliasVector& trustedCertificates,
+ bool useSystemTrustedCertificates)
+{
m_impl->getCertChain(observer,
LogicCommand::GET_CHAIN_ALIAS,
certificate,
- untrusted_certs);
+ toLabelNameVector(untrustedCertificates),
+ toLabelNameVector(trustedCertificates),
+ useSystemTrustedCertificates);
}
void ManagerAsync::createSignature(const ObserverPtr& observer,
namespace
{
+const CKM::CertificateShPtrVector EMPTY_CERT_VECTOR;
+const CKM::AliasVector EMPTY_ALIAS_VECTOR;
+
CKM::Password _tostring(const char *str)
{
if(str == NULL)
return CKM::CertificateShPtr();
}
+CKM::CertificateShPtrVector _toCkmCertificateVector(const ckmc_cert_list_s *list)
+{
+ CKM::CertificateShPtrVector certs;
+ ckmc_cert_list_s *current = const_cast<ckmc_cert_list_s *>(list);
+ while (current != NULL)
+ {
+ if (current->cert != NULL)
+ certs.push_back(_toCkmCertificate(current->cert));
+ current = current->next;
+ }
+ return certs;
+}
+
+CKM::AliasVector _toCkmAliasVector(const ckmc_alias_list_s *list)
+{
+ CKM::AliasVector aliases;
+ ckmc_alias_list_s *current = const_cast<ckmc_alias_list_s *>(list);
+ while (current != NULL)
+ {
+ if (current->alias != NULL)
+ aliases.push_back(CKM::Alias(current->alias));
+ current = current->next;
+ }
+ return aliases;
+}
+
ckmc_cert_list_s *_toNewCkmCertList(const CKM::CertificateShPtrVector &certVector)
{
int ret;
CKM::CertificateShPtr ckmCert = _toCkmCertificate(cert);
- CKM::CertificateShPtrVector ckmUntrustedCerts;
- if(untrustedcerts != NULL) {
- ckmc_cert_list_s *current = NULL;
- ckmc_cert_list_s *next = const_cast<ckmc_cert_list_s *>(untrustedcerts);
- do {
- current = next;
- next = current->next;
-
- if(current->cert == NULL){
- continue;
- }
-
- CKM::CertificateShPtr tmpCkmCert = _toCkmCertificate(current->cert);
- ckmUntrustedCerts.push_back(tmpCkmCert);
- }while(next != NULL);
- }
+ CKM::CertificateShPtrVector ckmUntrustedCerts = _toCkmCertificateVector(untrustedcerts);
- ret = mgr->getCertificateChain(ckmCert, ckmUntrustedCerts, ckmCertChain);
+ ret = mgr->getCertificateChain(ckmCert, ckmUntrustedCerts, EMPTY_CERT_VECTOR, true, ckmCertChain);
if( ret != CKM_API_SUCCESS) {
return to_ckmc_error(ret);
}
return CKMC_ERROR_INVALID_FORMAT;
}
- CKM::AliasVector ckmUntrustedAliases;
- if(untrustedcerts != NULL) {
- ckmc_alias_list_s *current = NULL;
- ckmc_alias_list_s *next = const_cast<ckmc_alias_list_s *>(untrustedcerts);
- do {
- current = next;
- next = current->next;
+ CKM::AliasVector ckmUntrustedAliases = _toCkmAliasVector(untrustedcerts);
- if(current->alias == NULL){
- return CKMC_ERROR_INVALID_PARAMETER;
- }
- CKM::Alias ckmAlias(current->alias);
- ckmUntrustedAliases.push_back(ckmAlias);
- }while(next != NULL);
+ ret = mgr->getCertificateChain(ckmCert, ckmUntrustedAliases, EMPTY_ALIAS_VECTOR, true, ckmCertChain);
+ if( ret != CKM_API_SUCCESS) {
+ return to_ckmc_error(ret);
}
- if( (ret = mgr->getCertificateChain(ckmCert, ckmUntrustedAliases, ckmCertChain)) != CKM_API_SUCCESS) {
+ *cert_chain_list = _toNewCkmCertList(ckmCertChain);
+
+ return CKMC_ERROR_NONE;
+}
+
+KEY_MANAGER_CAPI
+int ckmc_get_certificate_chain(const ckmc_cert_s* cert,
+ const ckmc_cert_list_s* untrustedcerts,
+ const ckmc_cert_list_s* trustedcerts,
+ const bool sys_certs,
+ ckmc_cert_list_s** ppcert_chain_list)
+{
+ int ret;
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ CKM::CertificateShPtrVector ckm_cert_chain;
+
+ if(cert == NULL || cert->raw_cert == NULL || cert->cert_size <= 0 || ppcert_chain_list == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ CKM::CertificateShPtr ckm_cert = _toCkmCertificate(cert);
+ if(ckm_cert.get() == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ CKM::CertificateShPtrVector ckm_untrusted = _toCkmCertificateVector(untrustedcerts);
+ CKM::CertificateShPtrVector ckm_trusted = _toCkmCertificateVector(trustedcerts);
+
+ ret = mgr->getCertificateChain(ckm_cert, ckm_untrusted, ckm_trusted, sys_certs, ckm_cert_chain);
+ if( ret != CKM_API_SUCCESS) {
return to_ckmc_error(ret);
}
- *cert_chain_list = _toNewCkmCertList(ckmCertChain);
+ *ppcert_chain_list = _toNewCkmCertList(ckm_cert_chain);
+
+ return CKMC_ERROR_NONE;
+}
+
+KEY_MANAGER_CAPI
+int ckmc_get_certificate_chain_with_alias(const ckmc_cert_s* cert,
+ const ckmc_alias_list_s* untrustedcerts,
+ const ckmc_alias_list_s* trustedcerts,
+ const bool sys_certs,
+ ckmc_cert_list_s** ppcert_chain_list)
+{
+ int ret;
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ CKM::CertificateShPtrVector ckm_cert_chain;
+
+ if(cert == NULL || cert->raw_cert == NULL || cert->cert_size <= 0 || ppcert_chain_list == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ CKM::CertificateShPtr ckm_cert = _toCkmCertificate(cert);
+ if(ckm_cert.get() == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ CKM::AliasVector ckm_untrusted = _toCkmAliasVector(untrustedcerts);
+ CKM::AliasVector ckm_trusted = _toCkmAliasVector(trustedcerts);
+
+ ret = mgr->getCertificateChain(ckm_cert, ckm_untrusted, ckm_trusted, sys_certs, ckm_cert_chain);
+ if( ret != CKM_API_SUCCESS) {
+ return to_ckmc_error(ret);
+ }
+
+ *ppcert_chain_list = _toNewCkmCertList(ckm_cert_chain);
return CKMC_ERROR_NONE;
}
namespace CKM {
+namespace {
+template <class T>
+int getCertChain(
+ ServiceConnection & serviceConnection,
+ LogicCommand command,
+ int counter,
+ const CertificateShPtr &certificate,
+ const T &untrustedVector,
+ const T &trustedVector,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector)
+{
+ return try_catch([&] {
+
+ MessageBuffer recv;
+ auto send = MessageBuffer::Serialize(static_cast<int>(command),
+ counter,
+ certificate->getDER(),
+ untrustedVector,
+ trustedVector,
+ useTrustedSystemCertificates);
+
+ int retCode = serviceConnection.processRequest(send.Pop(), recv);
+ if (CKM_API_SUCCESS != retCode)
+ return retCode;
+
+ int retCommand;
+ int retCounter;
+ RawBufferVector rawBufferVector;
+ recv.Deserialize(retCommand, retCounter, retCode, rawBufferVector);
+
+ if ((counter != retCounter) || (static_cast<int>(command) != retCommand)) {
+ return CKM_API_ERROR_UNKNOWN;
+ }
+
+ if (retCode != CKM_API_SUCCESS) {
+ return retCode;
+ }
+
+ for (auto &e: rawBufferVector) {
+ CertificateShPtr cert(new CertificateImpl(e, DataFormat::FORM_DER));
+ if (cert->empty())
+ return CKM_API_ERROR_BAD_RESPONSE;
+ certificateChainVector.push_back(cert);
+ }
+
+ return retCode;
+ });
+}
+
+const CertificateShPtrVector EMPTY_CERT_VECTOR;
+const AliasVector EMPTY_ALIAS_VECTOR;
+
+} // namespace anonymous
+
ManagerImpl::ManagerImpl()
: m_counter(0), m_storageConnection(SERVICE_SOCKET_CKM_STORAGE), m_ocspConnection(SERVICE_SOCKET_OCSP)
{
});
}
-
-template <class T>
-int getCertChain(
- LogicCommand command,
- int counter,
+int ManagerImpl::getCertificateChain(
const CertificateShPtr &certificate,
- const T &sendData,
- CertificateShPtrVector &certificateChainVector,
- ServiceConnection & service_connection)
+ const CertificateShPtrVector &untrustedCertificates,
+ CertificateShPtrVector &certificateChainVector)
{
- return try_catch([&] {
-
- MessageBuffer recv;
- auto send = MessageBuffer::Serialize(static_cast<int>(command),
- counter,
- certificate->getDER(),
- sendData);
-
- int retCode = service_connection.processRequest(send.Pop(), recv);
- if (CKM_API_SUCCESS != retCode)
- return retCode;
-
- int retCommand;
- int retCounter;
- RawBufferVector rawBufferVector;
- recv.Deserialize(retCommand, retCounter, retCode, rawBufferVector);
-
- if ((counter != retCounter) || (static_cast<int>(command) != retCommand)) {
- return CKM_API_ERROR_UNKNOWN;
- }
-
- if (retCode != CKM_API_SUCCESS) {
- return retCode;
- }
-
- for (auto &e: rawBufferVector) {
- CertificateShPtr cert(new CertificateImpl(e, DataFormat::FORM_DER));
- if (cert->empty())
- return CKM_API_ERROR_BAD_RESPONSE;
- certificateChainVector.push_back(cert);
- }
-
- return retCode;
- });
+ return getCertificateChain(certificate,
+ untrustedCertificates,
+ EMPTY_CERT_VECTOR,
+ true,
+ certificateChainVector);
}
+int ManagerImpl::getCertificateChain(
+ const CertificateShPtr &certificate,
+ const AliasVector &untrustedCertificates,
+ CertificateShPtrVector &certificateChainVector)
+{
+ return getCertificateChain(certificate,
+ untrustedCertificates,
+ EMPTY_ALIAS_VECTOR,
+ true,
+ certificateChainVector);
+}
int ManagerImpl::getCertificateChain(
const CertificateShPtr &certificate,
const CertificateShPtrVector &untrustedCertificates,
+ const CertificateShPtrVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
CertificateShPtrVector &certificateChainVector)
{
- RawBufferVector rawBufferVector;
+ RawBufferVector untrustedVector;
+ RawBufferVector trustedVector;
for (auto &e: untrustedCertificates) {
- rawBufferVector.push_back(e->getDER());
+ untrustedVector.push_back(e->getDER());
+ }
+ for (auto &e: trustedCertificates) {
+ trustedVector.push_back(e->getDER());
}
return getCertChain(
- LogicCommand::GET_CHAIN_CERT,
- ++m_counter,
- certificate,
- rawBufferVector,
- certificateChainVector,
- m_storageConnection);
+ m_storageConnection,
+ LogicCommand::GET_CHAIN_CERT,
+ ++m_counter,
+ certificate,
+ untrustedVector,
+ trustedVector,
+ useTrustedSystemCertificates,
+ certificateChainVector);
}
int ManagerImpl::getCertificateChain(
const CertificateShPtr &certificate,
const AliasVector &untrustedCertificates,
+ const AliasVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
CertificateShPtrVector &certificateChainVector)
{
- LabelNameVector untrusted_certs;
+ LabelNameVector untrustedVector;
+ LabelNameVector trustedVector;
+
for (auto &e: untrustedCertificates) {
AliasSupport helper(e);
- untrusted_certs.push_back(std::make_pair(helper.getLabel(), helper.getName()));
+ untrustedVector.push_back(std::make_pair(helper.getLabel(), helper.getName()));
+ }
+ for (auto &e: trustedCertificates) {
+ AliasSupport helper(e);
+ trustedVector.push_back(std::make_pair(helper.getLabel(), helper.getName()));
}
return getCertChain(
- LogicCommand::GET_CHAIN_ALIAS,
- ++m_counter,
- certificate,
- untrusted_certs,
- certificateChainVector,
- m_storageConnection);
+ m_storageConnection,
+ LogicCommand::GET_CHAIN_ALIAS,
+ ++m_counter,
+ certificate,
+ untrustedVector,
+ trustedVector,
+ useTrustedSystemCertificates,
+ certificateChainVector);
}
int ManagerImpl::createSignature(
const AliasVector &untrustedCertificates,
CertificateShPtrVector &certificateChainVector);
+ int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const CertificateShPtrVector &untrustedCertificates,
+ const CertificateShPtrVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
+ int getCertificateChain(
+ const CertificateShPtr &certificate,
+ const AliasVector &untrustedCertificates,
+ const AliasVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
int createSignature(
const Alias &privateKeyAlias,
const Password &password, // password for private_key
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file certificate-config.cpp
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ */
+
+#include <certificate-config.h>
+
+namespace CKM {
+
+CertificateConfig::PathSet CertificateConfig::m_sysCertDirs;
+CertificateConfig::PathSet CertificateConfig::m_sysCertFiles;
+
+} /* namespace CKM */
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file certificate-config.h
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ */
+
+#include <set>
+#include <string>
+
+#pragma once
+
+namespace CKM {
+
+class CertificateConfig
+{
+public:
+ static void addSystemCertificateDir(const std::string& dir) { m_sysCertDirs.insert(dir); }
+ static void addSystemCertificateFile(const std::string& file) { m_sysCertFiles.insert(file); }
+
+ typedef std::set<std::string> PathSet;
+
+ static const PathSet& getSystemCertificateDirs() { return m_sysCertDirs; }
+ static const PathSet& getSystemCertificateFiles() { return m_sysCertFiles; }
+
+private:
+ CertificateConfig();
+
+ static PathSet m_sysCertDirs;
+ static PathSet m_sysCertFiles;
+};
+
+} /* namespace CKM */
*/
#include <openssl/x509.h>
+#include <stdexcept>
+
#include <dpl/log/log.h>
#include <certificate-store.h>
+#include <certificate-config.h>
#include <ckm/ckm-error.h>
#include <ckm/ckm-type.h>
namespace CKM {
-CertificateStore::CertificateStore()
- : m_store(X509_STORE_new())
-{}
-
-int CertificateStore::loadFile(const std::string &path) {
- if (!m_store) {
- LogError("CertificateStore is not initialized!");
- return CKM_API_ERROR_UNKNOWN;
- }
-
- auto lookup = X509_STORE_add_lookup(m_store, X509_LOOKUP_file());
-
- if (!lookup) {
- LogError("Error in X509_STORE_add_lookup");
- return CKM_API_ERROR_UNKNOWN;
- }
-
- if (!X509_LOOKUP_load_file(lookup, path.c_str(), X509_FILETYPE_PEM)) {
- LogError("Error in X509_LOOKUP_load_file");
- return CKM_API_ERROR_UNKNOWN;
- }
- return CKM_API_SUCCESS;
+namespace {
+typedef std::unique_ptr<X509_STORE_CTX, void(*)(X509_STORE_CTX*)> X509_STORE_CTX_PTR;
+typedef std::unique_ptr<STACK_OF(X509), void(*)(STACK_OF(X509)*)> X509_STACK_PTR;
}
-int CertificateStore::setSystemCertificateDir(const char *path) {
+CertificateStore::CertificateStore() : m_store(X509_STORE_new())
+{
if (!m_store) {
- LogError("CertificateStore is not initialized!");
- return CKM_API_ERROR_UNKNOWN;
- }
-
- auto lookup = X509_STORE_add_lookup(m_store, X509_LOOKUP_hash_dir());
-
- if (!lookup) {
- LogError("Error in X509_STORE_add_lookup");
- return CKM_API_ERROR_UNKNOWN;
+ LogError("Failed to create store");
+ throw std::runtime_error("Failed to create store");
}
+}
- if (!X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM)) {
- LogError("Error in X509_LOOKUP_add_dir");
- return CKM_API_ERROR_UNKNOWN;
- }
- return CKM_API_SUCCESS;
+CertificateStore::~CertificateStore()
+{
+ X509_STORE_free(m_store);
}
int CertificateStore::verifyCertificate(
const CertificateImpl &cert,
const CertificateImplVector &untrustedVector,
- CertificateImplVector &chainVector,
- bool stateCCMode)
+ const CertificateImplVector &trustedVector,
+ bool useTrustedSystemCertificates,
+ bool stateCCMode,
+ CertificateImplVector &chainVector)
{
- STACK_OF(X509) *untrusted = NULL;
-
- LogDebug("Verfication with " << chainVector.size() << " untrusted certificates");
-
- if (!untrustedVector.empty()) {
- untrusted = sk_X509_new_null();
- for (auto &e : untrustedVector) {
- sk_X509_push(untrusted, e.getX509());
- }
- }
+ int ret;
+ LogDebug("Certificate for verfication ptr: " << (void*)cert.getX509());
+ LogDebug("Verfication with " << untrustedVector.size() << " untrusted certificates" <<
+ trustedVector.size() << "trusted certificates" << " and system certificates set to: "
+ << useTrustedSystemCertificates);
- X509_STORE_CTX *csc = X509_STORE_CTX_new();
+ X509_STORE_CTX_PTR csc(X509_STORE_CTX_new(),X509_STORE_CTX_free);
if (!csc) {
LogError("failed to create csc");
return CKM_API_ERROR_UNKNOWN;
}
- LogDebug("Certificate for verfication ptr: " << (void*)cert.getX509());
+ if (useTrustedSystemCertificates) {
+ ret = addSystemCertificateDirs();
+ if (ret != CKM_API_SUCCESS)
+ return ret;
+
+ ret = addSystemCertificateFiles();
+ if (ret != CKM_API_SUCCESS)
+ return ret;
+ }
- if (0 == X509_STORE_CTX_init(csc, m_store, cert.getX509(), untrusted)) {
+ ret = addCustomTrustedCertificates(trustedVector);
+ if (ret != CKM_API_SUCCESS)
+ return ret;
+
+ // create stack of untrusted certificates
+ X509_STACK_PTR untrusted(sk_X509_new_null(), [](STACK_OF(X509)* stack) { sk_X509_free(stack); });
+ if (!untrustedVector.empty()) {
+ for (auto &e : untrustedVector) {
+ // we don't want to free certificates because we wont create copies
+ sk_X509_push(untrusted.get(), e.getX509());
+ }
+ }
+
+ if (0 == X509_STORE_CTX_init(csc.get(), m_store, cert.getX509(), untrusted.get())) {
LogError("failed to X509_STORE_CTX_init");
return CKM_API_ERROR_UNKNOWN;
}
X509_VERIFY_PARAM_set_flags(csc->param, X509_V_FLAG_X509_STRICT);
}
- int result = X509_verify_cert(csc); // 1 == ok; 0 == fail; -1 == error
+ int result = X509_verify_cert(csc.get()); // 1 == ok; 0 == fail; -1 == error
LogDebug("Openssl verification result: " << result);
if (result > 0) {
- STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc);
+ STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc.get());
for (int i = 0; i < sk_X509_num(chain); ++i) {
X509* icert = (X509*)sk_X509_value(chain, i);
chainVector.push_back(CertificateImpl(icert));
}
}
- X509_STORE_CTX_free(csc);
- if (untrusted) {
- // we don't want to free certificates because we did not create copies
- // sk_X509_pop_free(untrusted, X509_free);
- sk_X509_free(untrusted);
+ switch (result) {
+ case 0:
+ return CKM_API_ERROR_VERIFICATION_FAILED;
+ case 1:
+ return CKM_API_SUCCESS;
+ default:
+ return CKM_API_ERROR_UNKNOWN;
}
+}
- if (result == 1)
+int CertificateStore::addSystemCertificateDirs()
+{
+ const auto& dirs = CertificateConfig::getSystemCertificateDirs();
+ if (dirs.empty())
return CKM_API_SUCCESS;
- if (result == 0)
- return CKM_API_ERROR_VERIFICATION_FAILED;
- return CKM_API_ERROR_UNKNOWN;
+
+ // add system certificate directories
+ auto dir_lookup = X509_STORE_add_lookup(m_store, X509_LOOKUP_hash_dir());
+ if (!dir_lookup) {
+ LogError("Error in X509_STORE_add_lookup");
+ return CKM_API_ERROR_UNKNOWN;
+ }
+ for(const auto& i: dirs) {
+ if (!X509_LOOKUP_add_dir(dir_lookup, i.c_str(), X509_FILETYPE_PEM)) {
+ LogError("Error in X509_LOOKUP_add_dir");
+ return CKM_API_ERROR_UNKNOWN;
+ }
+ }
+ return CKM_API_SUCCESS;
}
-CertificateStore::~CertificateStore() {
- if (m_store)
- X509_STORE_free(m_store);
+int CertificateStore::addSystemCertificateFiles()
+{
+ const auto& files = CertificateConfig::getSystemCertificateFiles();
+ if (files.empty())
+ return CKM_API_SUCCESS;
+
+ // add system certificate files
+ auto file_lookup = X509_STORE_add_lookup(m_store, X509_LOOKUP_file());
+ if (!file_lookup) {
+ LogError("Error in X509_STORE_add_lookup");
+ return CKM_API_ERROR_UNKNOWN;
+ }
+
+ for(const auto& i:files) {
+ if (!X509_LOOKUP_load_file(file_lookup, i.c_str(), X509_FILETYPE_PEM)) {
+ LogError("Error in X509_LOOKUP_load_file");
+ return CKM_API_ERROR_UNKNOWN;
+ }
+ }
+ return CKM_API_SUCCESS;
+}
+
+int CertificateStore::addCustomTrustedCertificates(const CertificateImplVector &trustedVector)
+{
+ // add trusted certificates to store
+ for (const auto& i:trustedVector) {
+ if(1 != X509_STORE_add_cert(m_store, i.getX509())) {
+ LogError("failed to add certificate to the store");
+ return CKM_API_ERROR_UNKNOWN;
+ }
+ }
+ return CKM_API_SUCCESS;
}
} // namespace CKM
CertificateStore& operator=(const CertificateStore &) = delete;
virtual ~CertificateStore();
- int loadFile(const std::string &path);
-
- int setSystemCertificateDir(const char *path);
-
int verifyCertificate(
const CertificateImpl &cert,
const CertificateImplVector &untrustedVector,
- CertificateImplVector &chainVector,
- bool stateCCMode);
+ const CertificateImplVector &trustedVector,
+ bool useTrustedSystemCertificates,
+ bool stateCCMode,
+ CertificateImplVector &chainVector);
+
+private:
+ int addSystemCertificateDirs();
+ int addSystemCertificateFiles();
+ int addCustomTrustedCertificates(const CertificateImplVector &trustedVector);
-protected:
- X509_STORE *m_store;
+ X509_STORE* m_store;
};
} // namespace CKM
#include <CryptoService.h>
#include <ckm-logic.h>
#include <key-impl.h>
+#include <certificate-config.h>
+#include <certificate-store.h>
namespace {
const char * const CERT_SYSTEM_DIR = "/etc/ssl/certs";
CKMLogic::CKMLogic()
{
- if (CKM_API_SUCCESS != m_certStore.setSystemCertificateDir(CERT_SYSTEM_DIR)) {
- LogError("Fatal error in CertificateStore::setSystemCertificateDir. Chain creation will not work");
- }
+ CertificateConfig::addSystemCertificateDir(CERT_SYSTEM_DIR);
m_accessControl.updateCCMode();
}
return MessageBuffer::Serialize(static_cast<int>(protocol_cmd), commandId, retCode).Pop();
}
-RawBuffer CKMLogic::getCertificateChain(
- const Credentials &cred,
- int commandId,
- const RawBuffer &certificate,
- const RawBufferVector &untrustedRawCertVector)
+int CKMLogic::readCertificateHelper(
+ const Credentials &cred,
+ const LabelNameVector &labelNameVector,
+ CertificateImplVector &certVector)
{
- (void)cred;
+ DBRow row;
+ for (auto &i: labelNameVector) {
+ int ec = readDataHelper(false, cred, DBDataType::CERTIFICATE, i.second, i.first, Password(), row);
+ if (ec != CKM_API_SUCCESS)
+ return ec;
+ certVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
- CertificateImpl cert(certificate, DataFormat::FORM_DER);
+ // try to read chain certificates (if present)
+ DBRowVector rawCaChain;
+ ec = readDataHelper(false, cred, DBDataType::DB_CHAIN_FIRST, i.second, i.first, CKM::Password(), rawCaChain);
+ if(ec != CKM_API_SUCCESS && ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
+ return ec;
+ for(auto &rawCaCert : rawCaChain)
+ certVector.push_back(CertificateImpl(rawCaCert.data, DataFormat::FORM_DER));
+ }
+ return CKM_API_SUCCESS;
+}
+
+int CKMLogic::getCertificateChainHelper(
+ const CertificateImpl &cert,
+ const RawBufferVector &untrustedCertificates,
+ const RawBufferVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ RawBufferVector &chainRawVector)
+{
CertificateImplVector untrustedCertVector;
+ CertificateImplVector trustedCertVector;
CertificateImplVector chainVector;
- RawBufferVector chainRawVector;
-
- for (auto &e: untrustedRawCertVector)
- untrustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
-
- LogDebug("Cert is empty: " << cert.empty());
- int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector, m_accessControl.isCCMode());
+ if (cert.empty())
+ return CKM_API_ERROR_INPUT_PARAM;
- if (retCode == CKM_API_SUCCESS) {
- for (auto &e : chainVector)
- chainRawVector.push_back(e.getDER());
- }
+ for (auto &e: untrustedCertificates)
+ untrustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
+ for (auto &e: trustedCertificates)
+ trustedCertVector.push_back(CertificateImpl(e, DataFormat::FORM_DER));
+
+ CertificateStore store;
+ int retCode = store.verifyCertificate(cert,
+ untrustedCertVector,
+ trustedCertVector,
+ useTrustedSystemCertificates,
+ m_accessControl.isCCMode(),
+ chainVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
- commandId,
- retCode,
- chainRawVector);
- return response.Pop();
+ for (auto &e : chainVector)
+ chainRawVector.push_back(e.getDER());
+ return CKM_API_SUCCESS;
}
int CKMLogic::getCertificateChainHelper(
const Credentials &cred,
- const RawBuffer &certificate,
- const LabelNameVector &labelNameVector,
- RawBufferVector & chainRawVector)
+ const CertificateImpl &cert,
+ const LabelNameVector &untrusted,
+ const LabelNameVector &trusted,
+ bool useTrustedSystemCertificates,
+ RawBufferVector &chainRawVector)
{
- CertificateImpl cert(certificate, DataFormat::FORM_DER);
CertificateImplVector untrustedCertVector;
+ CertificateImplVector trustedCertVector;
CertificateImplVector chainVector;
DBRow row;
if (cert.empty())
- return CKM_API_ERROR_SERVER_ERROR;
-
- for (auto &i: labelNameVector) {
- int ec = readDataHelper(false, cred, DBDataType::CERTIFICATE, i.second, i.first, Password(), row);
- if (ec != CKM_API_SUCCESS)
- return ec;
- untrustedCertVector.push_back(CertificateImpl(row.data, DataFormat::FORM_DER));
+ return CKM_API_ERROR_INPUT_PARAM;
- // try to read chain certificates (if present)
- DBRowVector rawCaChain;
- ec = readDataHelper(false, cred, DBDataType::DB_CHAIN_FIRST, i.second, i.first, CKM::Password(), rawCaChain);
- if(ec != CKM_API_SUCCESS &&
- ec != CKM_API_ERROR_DB_ALIAS_UNKNOWN)
- return ec;
- for(auto &rawCaCert : rawCaChain)
- untrustedCertVector.push_back(CertificateImpl(rawCaCert.data, DataFormat::FORM_DER));
- }
+ int retCode = readCertificateHelper(cred, untrusted, untrustedCertVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+ retCode = readCertificateHelper(cred, trusted, trustedCertVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- int ec = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector, m_accessControl.isCCMode());
- if (ec != CKM_API_SUCCESS)
- return ec;
+ CertificateStore store;
+ retCode = store.verifyCertificate(cert,
+ untrustedCertVector,
+ trustedCertVector,
+ useTrustedSystemCertificates,
+ m_accessControl.isCCMode(),
+ chainVector);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
for (auto &i: chainVector)
chainRawVector.push_back(i.getDER());
}
RawBuffer CKMLogic::getCertificateChain(
+ const Credentials & /*cred*/,
+ int commandId,
+ const RawBuffer &certificate,
+ const RawBufferVector &untrustedCertificates,
+ const RawBufferVector &trustedCertificates,
+ bool useTrustedSystemCertificates)
+{
+ CertificateImpl cert(certificate, DataFormat::FORM_DER);
+ RawBufferVector chainRawVector;
+ int retCode = CKM_API_ERROR_UNKNOWN;
+ try {
+ retCode = getCertificateChainHelper(cert,
+ untrustedCertificates,
+ trustedCertificates,
+ useTrustedSystemCertificates,
+ chainRawVector);
+ } catch (const CryptoLogic::Exception::Base &e) {
+ LogError("CryptoLogic failed with message: " << e.GetMessage());
+ retCode = CKM_API_ERROR_SERVER_ERROR;
+ } catch (const DBCrypto::Exception::Base &e) {
+ LogError("DBCrypto failed with message: " << e.GetMessage());
+ retCode = CKM_API_ERROR_DB_ERROR;
+ } catch (const std::exception& e) {
+ LogError("STD exception " << e.what());
+ retCode = CKM_API_ERROR_SERVER_ERROR;
+ } catch (...) {
+ LogError("Unknown error.");
+ }
+
+ auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
+ commandId,
+ retCode,
+ chainRawVector);
+ return response.Pop();
+}
+
+RawBuffer CKMLogic::getCertificateChain(
const Credentials &cred,
int commandId,
const RawBuffer &certificate,
- const LabelNameVector &labelNameVector)
+ const LabelNameVector &untrustedCertificates,
+ const LabelNameVector &trustedCertificates,
+ bool useTrustedSystemCertificates)
{
- int retCode = CKM_API_SUCCESS;
+ int retCode = CKM_API_ERROR_UNKNOWN;
+ CertificateImpl cert(certificate, DataFormat::FORM_DER);
RawBufferVector chainRawVector;
try {
+ retCode = getCertificateChainHelper(cred,
+ cert,
+ untrustedCertificates,
+ trustedCertificates,
+ useTrustedSystemCertificates,
+ chainRawVector);
- retCode = getCertificateChainHelper(cred, certificate, labelNameVector, chainRawVector);
} catch (const CryptoLogic::Exception::Base &e) {
LogError("CryptoLogic failed with message: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
} catch (const DBCrypto::Exception::Base &e) {
LogError("DBCrypto failed with message: " << e.GetMessage());
retCode = CKM_API_ERROR_DB_ERROR;
+ } catch (const std::exception& e) {
+ LogError("STD exception " << e.what());
+ retCode = CKM_API_ERROR_SERVER_ERROR;
} catch (...) {
LogError("Unknown error.");
}
#include <db-crypto.h>
#include <key-provider.h>
#include <crypto-logic.h>
-#include <certificate-store.h>
#include <file-lock.h>
#include <access-control.h>
+#include <certificate-impl.h>
namespace CKM {
const Credentials &cred,
int commandId,
const RawBuffer &certificate,
- const RawBufferVector &untrustedCertificates);
+ const RawBufferVector &untrustedCertificates,
+ const RawBufferVector &trustedCertificates,
+ bool useTrustedSystemCertificates);
RawBuffer getCertificateChain(
const Credentials &cred,
int commandId,
const RawBuffer &certificate,
- const LabelNameVector &labelNameVector);
+ const LabelNameVector &untrustedCertificates,
+ const LabelNameVector &trustedCertificates,
+ bool useTrustedSystemCertificates);
RawBuffer createSignature(
const Credentials &cred,
const PolicySerializable &policyPrivate,
const PolicySerializable &policyPublic);
- int getCertificateChainHelper(
+ int readCertificateHelper(
const Credentials &cred,
- const RawBuffer &certificate,
const LabelNameVector &labelNameVector,
- RawBufferVector & chainRawVector);
+ CertificateImplVector &certVector);
+
+ int getCertificateChainHelper(
+ const CertificateImpl &cert,
+ const RawBufferVector &untrustedCertificates,
+ const RawBufferVector &trustedCertificates,
+ bool useTrustedSystemCertificates,
+ RawBufferVector &chainRawVector);
+
+ int getCertificateChainHelper(
+ const Credentials &cred,
+ const CertificateImpl &cert,
+ const LabelNameVector &untrusted,
+ const LabelNameVector &trusted,
+ bool useTrustedSystemCertificates,
+ RawBufferVector &chainRawVector);
int setPermissionHelper(
const Credentials &cred,
std::map<uid_t, UserData> m_userDataMap;
- CertificateStore m_certStore;
AccessControl m_accessControl;
//FileLock m_lock;
};
case LogicCommand::GET_CHAIN_CERT:
{
RawBuffer certificate;
- RawBufferVector rawBufferVector;
- buffer.Deserialize(certificate, rawBufferVector);
+ RawBufferVector untrustedVector;
+ RawBufferVector trustedVector;
+ bool systemCerts;
+ buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
return m_logic->getCertificateChain(
cred,
msgID,
certificate,
- rawBufferVector);
+ untrustedVector,
+ trustedVector,
+ systemCerts);
}
case LogicCommand::GET_CHAIN_ALIAS:
{
RawBuffer certificate;
- LabelNameVector untrusted_certs;
- buffer.Deserialize(certificate, untrusted_certs);
+ LabelNameVector untrustedVector;
+ LabelNameVector trustedVector;
+ bool systemCerts;
+ buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
return m_logic->getCertificateChain(
cred,
msgID,
certificate,
- untrusted_certs);
+ untrustedVector,
+ trustedVector,
+ systemCerts);
}
case LogicCommand::CREATE_SIGNATURE:
{
projects / platform / core / security / key-manager.git / commitdiff