CKMLogic::~CKMLogic(){}
-void CKMLogic::loadDKEKFile(uid_t user, const Password &password, bool apiReq) {
+void CKMLogic::loadDKEKFile(uid_t user, const Password &password) {
auto &handle = m_userDataMap[user];
FileSystem fs(user);
- auto wrappedDKEKMain = fs.getDKEK();
- auto wrappedDKEKBackup = fs.getDKEKBackup();
+ auto wrappedDKEK = fs.getDKEK();
- if (wrappedDKEKMain.empty()) {
- wrappedDKEKMain = KeyProvider::generateDomainKEK(std::to_string(user), password);
- fs.saveDKEK(wrappedDKEKMain);
+ if (wrappedDKEK.empty()) {
+ wrappedDKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
+ fs.saveDKEK(wrappedDKEK);
}
- chooseDKEKFile(handle, password, wrappedDKEKMain, wrappedDKEKBackup);
-
- if (!password.empty() || apiReq) {
- handle.isDKEKConfirmed = true;
-
- if (true == handle.isMainDKEK)
- fs.removeDKEKBackup();
- else
- fs.restoreDKEK();
- }
-}
-
-void CKMLogic::chooseDKEKFile(
- UserData &handle,
- const Password &password,
- const RawBuffer &first,
- const RawBuffer &second)
-{
- try {
- handle.keyProvider = KeyProvider(first, password);
- handle.isMainDKEK = true;
- } catch (const KeyProvider::Exception::Base &e) {
- // Second buffer is empty. Lets rethrow first error
- if (second.empty())
- throw;
- handle.keyProvider = KeyProvider(second, password);
- handle.isMainDKEK = false;
- }
+ handle.keyProvider = KeyProvider(wrappedDKEK, password);
}
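Review bot: loadDKEKFile now treats an empty `fs.getDKEK()` as "no key yet" and generates a fresh DKEK, but a device upgraded from the old layout can still hold a `key-backup-<uid>` file that the new code neither reads nor removes. If a password change was interrupted after the old createDKEKBackup() rename, the only surviving DKEK would sit in that backup, and the `wrappedDKEK.empty()` branch would presumably replace it with a key that cannot unwrap the existing database DEK. A leftover backup also remains unwrappable with the previous password, because the unlink in the user-removal path is dropped in a later hunk as well. Consider a one-time migration step before the `wrappedDKEK.empty()` check that restores or deletes the legacy file.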
void CKMLogic::saveDKEKFile(uid_t user, const Password &password) {
auto &handle = m_userDataMap[user];
FileSystem fs(user);
- if (handle.isMainDKEK)
- fs.createDKEKBackup();
-
fs.saveDKEK(handle.keyProvider.getWrappedDomainKEK(password));
-
- handle.isMainDKEK = true;
- handle.isDKEKConfirmed = false;
}
-RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password, bool apiRequest) {
+RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password) {
int retCode = CKM_API_SUCCESS;
try {
auto &handle = m_userDataMap[user];
FileSystem fs(user);
- loadDKEKFile(user, password, apiRequest);
+ loadDKEKFile(user, password);
auto wrappedDatabaseDEK = fs.getDBDEK();
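Review bot: `m_userDataMap[user]` creates the map entry before `loadDKEKFile(user, password)` has verified the password, and with the `else if` retry branch removed further down, nothing visible re-checks the password for a user who is already in the map. The enclosing condition lies outside the hunk, so this is hedged: if it tests only map membership, a call that throws PassWordError leaves a default UserData behind, and a later unlockUserKey with any password would skip the check and return CKM_API_SUCCESS. Assuming m_userDataMap is a standard map, erasing the entry in the PassWordError handler with `m_userDataMap.erase(user);` would close that gap. Inserting the entry only after the KeyProvider has been constructed would do the same.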
for(auto& appSmackLabel : removedApps) {
handle.database.deleteKey(appSmackLabel);
}
- } else if (apiRequest == true && m_userDataMap[user].isDKEKConfirmed == false) {
- // now we will try to choose the DKEK key and remove old one
- loadDKEKFile(user, password, apiRequest);
}
} catch (const KeyProvider::Exception::PassWordError &e) {
LogError("Incorrect Password " << e.GetMessage());
{
int retCode = CKM_API_SUCCESS;
try {
- loadDKEKFile(user, oldPassword, true);
+ loadDKEKFile(user, oldPassword);
saveDKEKFile(user, newPassword);
} catch (const KeyProvider::Exception::PassWordError &e) {
LogError("Incorrect Password " << e.GetMessage());
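Review bot: With the backup transaction gone, `saveDKEKFile(user, newPassword)` overwrites the only on-disk copy of the wrapped DKEK in place. saveFile() is not visible here; if it truncates and rewrites the target, a crash or a full disk during the write leaves a DKEK that neither password unwraps, and the user's database key is lost. Writing to a temporary file in the same directory, syncing it, and then calling `rename()` over the key file would keep the change atomic without bringing back the backup state machine. The enclosing function starts and ends outside this hunk.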
namespace CKM {
struct UserData {
- UserData()
- : isMainDKEK(false)
- , isDKEKConfirmed(false)
- {}
-
KeyProvider keyProvider;
DB::Crypto database;
CryptoLogic crypto;
- bool isMainDKEK;
- bool isDKEKConfirmed;
};
class CKMLogic {
CKMLogic& operator=(CKMLogic &&) = delete;
virtual ~CKMLogic();
- RawBuffer unlockUserKey(uid_t user, const Password &password, bool apiRequest = true);
-
+ RawBuffer unlockUserKey(uid_t user, const Password &password);
RawBuffer lockUserKey(uid_t user);
RawBuffer removeUserData(uid_t user);
void loadDKEKFile(
uid_t user,
- const Password &password,
- bool apiReq);
-
- void chooseDKEKFile(
- UserData &handle,
- const Password &password,
- const RawBuffer &first,
- const RawBuffer &second);
+ const Password &password);
void saveDKEKFile(
uid_t user,
buffer.Deserialize(command);
buffer.Deserialize(msgID);
- // This is a workaround solution for locktype=None in Tizen 2.2.1
- // When locktype is None, lockscreen app doesn't interfere with unlocking process.
- // Therefor lockscreen app cannot notify unlock events to key-manager when locktype is None.
- // So, to unlock user data when lock type is None, key-manager always try to unlock user data with null password.
- // Even if the result is fail, it will be ignored.
- Password nullPassword("");
- m_logic->unlockUserKey(cred.uid, nullPassword, false);
-
LogDebug("Process storage. Command: " << command);
switch(static_cast<LogicCommand>(command)) {
const std::string CKM_DATA_PATH = "/opt/data/ckm/";
const std::string CKM_KEY_PREFIX = "key-";
-const std::string CKM_KEY_BACKUP_PREFIX = "key-backup-";
const std::string CKM_DB_KEY_PREFIX = "db-key-";
const std::string CKM_DB_PREFIX = "db-";
const std::string CKM_REMOVED_APP_PREFIX = "removed-app-";
return ss.str();
}
-std::string FileSystem::getDKEKBackupPath() const {
- std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_KEY_BACKUP_PREFIX << m_uid;
- return ss.str();
-}
-
std::string FileSystem::getDBDEKPath() const {
std::stringstream ss;
ss << CKM_DATA_PATH << CKM_DB_KEY_PREFIX << m_uid;
return loadFile(getDKEKPath());
}
-RawBuffer FileSystem::getDKEKBackup() const
-{
- return loadFile(getDKEKBackupPath());
-}
-
RawBuffer FileSystem::getDBDEK() const
{
return loadFile(getDBDEKPath());
saveFile(getDKEKPath(), buffer);
}
-void FileSystem::moveFile(const std::string &from, const std::string &to) const {
- if (0 == ::rename(from.c_str(), to.c_str())) {
- return;
- }
- auto description = GetErrnoString(errno);
- LogError("Error during rename file DKEKBackup to DKEK: " << description);
- ThrowMsg(Exception::RenameFailed,
- "Error during rename file DKEKBackup to DKEK: " << description);
-}
-
-void FileSystem::restoreDKEK() const {
- moveFile(getDKEKBackupPath(), getDKEKPath());
-}
-
-void FileSystem::createDKEKBackup() const {
- moveFile(getDKEKPath(), getDKEKBackupPath());
-}
-
-void FileSystem::removeDKEKBackup() const {
- if (0 == unlink(getDKEKBackupPath().c_str())) {
- return;
- }
- // Backup is accessible only during "change password transaction"
- auto description = GetErrnoString(errno);
- LogDebug("Error in unlink file DKEKBackup: " << description);
-}
-
void FileSystem::saveDBDEK(const RawBuffer &buffer) const {
saveFile(getDBDEKPath(), buffer);
}
<< "Errno: " << errno << " " << GetErrnoString(err));
}
- if (unlink(getDKEKBackupPath().c_str())) {
- retCode = -1;
- err = errno;
- LogDebug("Unlink user backup DKEK failed (file probably does not exists): " << getDKEKBackupPath()
- << "Errno: " << errno << " " << GetErrnoString(err));
- }
-
if (unlink(getDBDEKPath().c_str())) {
retCode = -1;
err = errno;
// Domain Key Encryption Key
RawBuffer getDKEK() const;
- RawBuffer getDKEKBackup() const;
void saveDKEK(const RawBuffer &buffer) const;
- // Functions required in "password change transaction"
- void createDKEKBackup() const;
- void restoreDKEK() const; // delete DKEK and move DKEKBackup -> DKEK
- void removeDKEKBackup() const; // delete DKEKBackup
-
// Database Data Encryption Key
RawBuffer getDBDEK() const;
void saveDBDEK(const RawBuffer &buffer) const;
virtual ~FileSystem(){}
protected:
std::string getDKEKPath() const;
- std::string getDKEKBackupPath() const;
std::string getDBDEKPath() const;
RawBuffer loadFile(const std::string &path) const;
void saveFile(const std::string &path, const RawBuffer &buffer) const;
std::string getRemovedAppsPath() const;
- void moveFile(const std::string &from, const std::string &to) const;
uid_t m_uid;
};