return SerializeMessage(retCode);
}
-int CKMLogic::changeUserPasswordHelper(uid_t user,
- const Password &oldPassword,
- const Password &newPassword)
-{
- // do not allow to change system database password
- if (m_accessControl.isSystemService(user))
- return CKM_API_ERROR_INPUT_PARAM;
-
- loadDKEKFile(user, oldPassword);
- saveDKEKFile(user, newPassword);
-
- return CKM_API_SUCCESS;
-}
-
RawBuffer CKMLogic::changeUserPassword(
uid_t user,
const Password &oldPassword,
const Password &newPassword)
{
return SerializeMessage(tryRet([&] {
- return changeUserPasswordHelper(user, oldPassword, newPassword);
- }));
-}
-
-int CKMLogic::resetUserPasswordHelper(
- uid_t user,
- const Password &newPassword)
-{
- // do not allow to reset system database password
- if (m_accessControl.isSystemService(user))
- return CKM_API_ERROR_INPUT_PARAM;
-
- int retCode = CKM_API_SUCCESS;
-
- if (0 == m_userDataMap.count(user)) {
- // Check if key exists. If exists we must return error
- FileSystem fs(user);
- auto wrappedDKEKMain = fs.getDKEK();
+ // do not allow to change system database password
+ if (m_accessControl.isSystemService(user))
+ return CKM_API_ERROR_INPUT_PARAM;
- if (!wrappedDKEKMain.empty())
- retCode = CKM_API_ERROR_BAD_REQUEST;
- } else {
+ loadDKEKFile(user, oldPassword);
saveDKEKFile(user, newPassword);
- }
- return retCode;
+ return CKM_API_SUCCESS;
+ }));
}
RawBuffer CKMLogic::resetUserPassword(
const Password &newPassword)
{
return SerializeMessage(tryRet([&] {
- return resetUserPasswordHelper(user, newPassword);
+ // do not allow to reset system database password
+ if (m_accessControl.isSystemService(user))
+ return CKM_API_ERROR_INPUT_PARAM;
+
+ int retCode = CKM_API_SUCCESS;
+
+ if (0 == m_userDataMap.count(user)) {
+ // Check if key exists. If exists we must return error
+ FileSystem fs(user);
+ auto wrappedDKEKMain = fs.getDKEK();
+
+ if (!wrappedDKEKMain.empty())
+ retCode = CKM_API_ERROR_BAD_REQUEST;
+ } else {
+ saveDKEKFile(user, newPassword);
+ }
+
+ return retCode;
}));
}
// check if data is correct
Crypto::Data binaryData;
int retCode = toBinaryData(data, binaryData);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- return retCode != CKM_API_SUCCESS
- ? retCode
- : saveDataHelper(cred, name, owner, binaryData, policy);
+ auto [dbOp, digest, ret] = beginSaveAndGetHash(cred, name, owner);
+ if (ret != CKM_API_SUCCESS)
+ return ret;
+
+ Crypto::GStore &store = m_decider.getStore(binaryData.type, policy);
+
+ // do not encrypt data with password during cc_mode on
+ Token token = store.import(binaryData,
+ m_accessControl.isCCMode() ? "" : policy.password,
+ Crypto::EncryptionParams(), digest);
+ dbOp.finalize(std::move(token), policy);
+ return CKM_API_SUCCESS;
});
}
const PolicySerializable &certPolicy)
{
return SerializeMessage(msgId, tryRet([&] {
- return saveDataHelper(cred, name, owner, pkcs, keyPolicy, certPolicy);
- }));
-}
+ auto [dbOp, retCode] = beginSave(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
-int CKMLogic::removeDataHelper(
- const Credentials &cred,
- const Name &name,
- const ClientId &owner)
-{
- auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
+ // extract and encrypt the data
+ DB::RowVector encryptedRows;
- retCode = m_accessControl.canDelete(cred, permission);
- if (retCode != CKM_API_SUCCESS) {
- LogWarning("access control check result: " << retCode);
- return retCode;
- }
+ auto import = [&](const Crypto::Data &data, const Policy& policy){
+ retCode = verifyBinaryData(data);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- // get all matching rows
- DB::RowVector rows;
- dbOp.database().getRows(name, owner, DataType::DB_FIRST, DataType::DB_LAST, rows);
- if (rows.empty()) {
- LogDebug("No row for given name and owner");
- return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
- }
+ auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid, data.type);
+ if (digest.empty())
+ return CKM_API_ERROR_HASH_ERROR;
- retCode = dbOp.loadAppKey();
- if (retCode != CKM_API_SUCCESS)
- return retCode;
+ Crypto::GStore &store = m_decider.getStore(data.type, policy);
+
+ // do not encrypt data with password during cc_mode on
+ Token token = store.import(data,
+ m_accessControl.isCCMode() ? "" : policy.password,
+ Crypto::EncryptionParams(), digest);
- // destroy it in store
- for (auto &r : rows) {
- try {
- dbOp.handler().crypto.decryptRow(Password(), r);
- m_decider.getStore(r).destroy(r);
- } catch (const Exc::AuthenticationFailed &) {
- LogDebug("Authentication failed when removing data. Ignored.");
+ encryptedRows.push_back(dbOp.encryptOne(std::move(token), policy));
+ return CKM_API_SUCCESS;
+ };
+
+ // private key is mandatory
+ auto key = pkcs.getKey();
+ if (!key) {
+ LogError("Failed to get private key from pkcs");
+ return CKM_API_ERROR_INVALID_FORMAT;
}
- }
- // delete row in db
- dbOp.database().deleteRow(name, owner);
- dbOp.transaction().commit();
+ Crypto::Data keyData(DataType(key->getType()), key->getDER());
+ retCode = import(keyData, keyPolicy);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- return CKM_API_SUCCESS;
+ // certificate is mandatory
+ auto cert = pkcs.getCertificate();
+ if (!cert) {
+ LogError("Failed to get certificate from pkcs");
+ return CKM_API_ERROR_INVALID_FORMAT;
+ }
+
+ Crypto::Data certData(DataType::CERTIFICATE, cert->getDER());
+ retCode = import(certData, certPolicy);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ // CA cert chain
+ unsigned int cert_index = 0;
+ for (const auto &ca : pkcs.getCaCertificateShPtrVector()) {
+ Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++), ca->getDER());
+ retCode = import(caCertData, certPolicy);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+ }
+
+ // save the data
+ dbOp.database().saveRows(name, owner, encryptedRows);
+ dbOp.transaction().commit();
+
+ return CKM_API_SUCCESS;
+ }));
}
RawBuffer CKMLogic::removeData(
const ClientId &owner)
{
return SerializeMessage(msgId, tryRet([&] {
- return removeDataHelper(cred, name, owner);
+ auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ retCode = m_accessControl.canDelete(cred, permission);
+ if (retCode != CKM_API_SUCCESS) {
+ LogWarning("access control check result: " << retCode);
+ return retCode;
+ }
+
+ // get all matching rows
+ DB::RowVector rows;
+ dbOp.database().getRows(name, owner, DataType::DB_FIRST, DataType::DB_LAST, rows);
+ if (rows.empty()) {
+ LogDebug("No row for given name and owner");
+ return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
+ }
+
+ retCode = dbOp.loadAppKey();
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ // destroy it in store
+ for (auto &r : rows) {
+ try {
+ dbOp.handler().crypto.decryptRow(Password(), r);
+ m_decider.getStore(r).destroy(r);
+ } catch (const Exc::AuthenticationFailed &) {
+ LogDebug("Authentication failed when removing data. Ignored.");
+ }
+ }
+
+ // delete row in db
+ dbOp.database().deleteRow(name, owner);
+ dbOp.transaction().commit();
+
+ return CKM_API_SUCCESS;
}));
}
return SerializeMessage(msgId, retCode, objDataType, status);
}
-int CKMLogic::getPKCS12Helper(
- const Credentials &cred,
- const Name &name,
- const ClientId &owner,
- const Password &keyPassword,
- const Password &certPassword,
- KeyShPtr &privKey,
- CertificateShPtr &cert,
- CertificateShPtrVector &caChain)
-{
- int retCode;
-
- // read private key (mandatory)
- Crypto::GObjUPtr keyObj;
- retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, owner,
- keyPassword, keyObj);
-
- if (retCode != CKM_API_SUCCESS) {
- if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
- return retCode;
- } else {
- privKey = CKM::Key::create(keyObj->getBinary());
- }
-
- // read certificate (mandatory)
- Crypto::GObjUPtr certObj;
- retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, owner,
- certPassword, certObj);
-
- if (retCode != CKM_API_SUCCESS) {
- if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
- return retCode;
- } else {
- cert = CKM::Certificate::create(certObj->getBinary(), DataFormat::FORM_DER);
- }
-
- // read CA cert chain (optional)
- Crypto::GObjUPtrVector caChainObjs;
- retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, owner,
- certPassword, caChainObjs);
-
- if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
- if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
- return retCode;
- } else {
- for (auto &caCertObj : caChainObjs)
- caChain.push_back(CKM::Certificate::create(caCertObj->getBinary(),
- DataFormat::FORM_DER));
- }
-
- // if anything found, return it
- if (privKey || cert || caChain.size() > 0)
- retCode = CKM_API_SUCCESS;
-
- return retCode;
-}
-
RawBuffer CKMLogic::getPKCS12(
const Credentials &cred,
int msgId,
KeyShPtr privKey;
CertificateShPtr cert;
CertificateShPtrVector caChain;
- int retCode = getPKCS12Helper(cred, name, owner, keyPassword,
- certPassword, privKey, cert, caChain);
+
+ // read private key (mandatory)
+ Crypto::GObjUPtr keyObj;
+ int retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, owner,
+ keyPassword, keyObj);
+
+ if (retCode != CKM_API_SUCCESS) {
+ if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
+ return retCode;
+ } else {
+ privKey = CKM::Key::create(keyObj->getBinary());
+ }
+
+ // read certificate (mandatory)
+ Crypto::GObjUPtr certObj;
+ retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, owner,
+ certPassword, certObj);
+
+ if (retCode != CKM_API_SUCCESS) {
+ if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
+ return retCode;
+ } else {
+ cert = CKM::Certificate::create(certObj->getBinary(), DataFormat::FORM_DER);
+ }
+
+ // read CA cert chain (optional)
+ Crypto::GObjUPtrVector caChainObjs;
+ retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, owner,
+ certPassword, caChainObjs);
+
+ if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
+ if (retCode != CKM_API_ERROR_NOT_EXPORTABLE)
+ return retCode;
+ } else {
+ for (auto &caCertObj : caChainObjs)
+ caChain.push_back(CKM::Certificate::create(caCertObj->getBinary(),
+ DataFormat::FORM_DER));
+ }
+
+ // if anything found, return it
+ if (privKey || cert || caChain.size() > 0)
+ retCode = CKM_API_SUCCESS;
// prepare response
- if (retCode == CKM_API_SUCCESS)
- output = PKCS12Serializable(std::move(privKey), std::move(cert), std::move(caChain));
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- return retCode;
+ output = PKCS12Serializable(std::move(privKey), std::move(cert), std::move(caChain));
+ return CKM_API_SUCCESS;
});
return SerializeMessage(msgId, retCode, output);
}
}
-int CKMLogic::saveDataHelper(
- const Credentials &cred,
- const Name &name,
- const ClientId &owner,
- const Crypto::Data &data,
- const PolicySerializable &policy)
-{
- auto [dbOp, digest, ret] = beginSaveAndGetHash(cred, name, owner);
- if (ret != CKM_API_SUCCESS)
- return ret;
-
- Crypto::GStore &store = m_decider.getStore(data.type, policy);
-
- // do not encrypt data with password during cc_mode on
- Token token = store.import(data,
- m_accessControl.isCCMode() ? "" : policy.password,
- Crypto::EncryptionParams(), digest);
- dbOp.finalize(std::move(token), policy);
- return CKM_API_SUCCESS;
-}
-
-int CKMLogic::saveDataHelper(
- const Credentials &cred,
- const Name &name,
- const ClientId &owner,
- const PKCS12Serializable &pkcs,
- const PolicySerializable &keyPolicy,
- const PolicySerializable &certPolicy)
-{
- auto [dbOp, retCode] = beginSave(cred, name, owner);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- // extract and encrypt the data
- DB::RowVector encryptedRows;
-
- auto import = [&](const Crypto::Data &data, const Policy& policy){
- retCode = verifyBinaryData(data);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid, data.type);
- if (digest.empty())
- return CKM_API_ERROR_HASH_ERROR;
-
- Crypto::GStore &store = m_decider.getStore(data.type, policy);
-
- // do not encrypt data with password during cc_mode on
- Token token = store.import(data,
- m_accessControl.isCCMode() ? "" : policy.password,
- Crypto::EncryptionParams(), digest);
-
- encryptedRows.push_back(dbOp.encryptOne(std::move(token), policy));
- return CKM_API_SUCCESS;
- };
-
- // private key is mandatory
- auto key = pkcs.getKey();
- if (!key) {
- LogError("Failed to get private key from pkcs");
- return CKM_API_ERROR_INVALID_FORMAT;
- }
-
- Crypto::Data keyData(DataType(key->getType()), key->getDER());
- retCode = import(keyData, keyPolicy);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- // certificate is mandatory
- auto cert = pkcs.getCertificate();
- if (!cert) {
- LogError("Failed to get certificate from pkcs");
- return CKM_API_ERROR_INVALID_FORMAT;
- }
-
- Crypto::Data certData(DataType::CERTIFICATE, cert->getDER());
- retCode = import(certData, certPolicy);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- // CA cert chain
- unsigned int cert_index = 0;
- for (const auto &ca : pkcs.getCaCertificateShPtrVector()) {
- Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++), ca->getDER());
- retCode = import(caCertData, certPolicy);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
- }
-
- // save the data
- dbOp.database().saveRows(name, owner, encryptedRows);
- dbOp.transaction().commit();
-
- return CKM_API_SUCCESS;
-}
-
int CKMLogic::DBOperation::loadAppKey(bool keyRequired)
{
if (!m_handler.crypto.haveKey(m_owner)) {
projects / platform / core / security / key-manager.git / commitdiff