From: Kyungwook Tak Date: Mon, 21 Sep 2015 07:05:48 +0000 (+0900) Subject: Revert "Old privileges restored" X-Git-Tag: accepted/tizen/mobile/20151014.093603~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F92%2F48392%2F1;p=platform%2Fcore%2Fsecurity%2Fkey-manager.git Revert "Old privileges restored" This reverts commit 42a14dd9afaec7949cf4dec5d7be261a43b1e0a3. Change-Id: Ibcea2dd233286e87cc7570f8cfa68e07b5a8e069 --- diff --git a/src/manager/service/ckm-service.cpp b/src/manager/service/ckm-service.cpp index 0bc83a1..132e6a8 100644 --- a/src/manager/service/ckm-service.cpp +++ b/src/manager/service/ckm-service.cpp @@ -31,15 +31,6 @@ namespace { const CKM::InterfaceID SOCKET_ID_CONTROL = 0; const CKM::InterfaceID SOCKET_ID_STORAGE = 1; - -template -CKM::RawBuffer disallowed(int command, int msgID, Args&&... args) { - LogError("Disallowed command: " << command); - return CKM::MessageBuffer::Serialize(command, - msgID, - CKM_API_ERROR_ACCESS_DENIED, - std::move(args)...).Pop(); -} } // namespace anonymous namespace CKM { @@ -74,10 +65,12 @@ void CKMService::SetCommManager(CommMgr *manager) Register(*manager); } +// CKMService does not support security check +// so 3rd parameter is not used bool CKMService::ProcessOne( const ConnectionID &conn, ConnectionInfo &info, - bool allowed) + bool /*allowed*/) { LogDebug ("process One"); RawBuffer response; @@ -89,7 +82,7 @@ bool CKMService::ProcessOne( if (info.interfaceID == SOCKET_ID_CONTROL) response = ProcessControl(info.buffer); else - response = ProcessStorage(info.credentials, info.buffer, allowed); + response = ProcessStorage(info.credentials, info.buffer); m_serviceManager->Write(conn, response); @@ -170,7 +163,7 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer) { } } -RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, bool allowed) +RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) { int command = 0; int msgID = 0; 
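Review bot: The new comment above `CKMService::ProcessOne` says the security check is not supported but does not say what protects the storage commands instead. With the third parameter reduced to `bool /*allowed*/`, every request on the storage socket is passed to `ProcessStorage` whatever the privilege result was. If access control is meant to rest on the `info.credentials` handed to `m_logic` (that code is not visible in this diff), the comment should say so, for example `// Privilege result is ignored on purpose: access is decided per request from info.credentials in the logic layer.` Without that, an auditor cannot tell a deliberate design from a missing check. The body of ProcessOne continues outside the hunk.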
@@ -198,10 +191,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b RawBuffer rawData; PolicySerializable policy; buffer.Deserialize(tmpDataType, name, label, rawData, policy); - - if (!allowed) - return disallowed(command, msgID, static_cast(DataType(tmpDataType))); - return m_logic->saveData( cred, msgID, @@ -217,10 +206,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b PKCS12Serializable pkcs; PolicySerializable keyPolicy, certPolicy; buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy); - - if (!allowed) - return disallowed(command, msgID); - return m_logic->savePKCS12( cred, msgID, @@ -233,10 +218,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b case LogicCommand::REMOVE: { buffer.Deserialize(name, label); - - if (!allowed) - return disallowed(command, msgID); - return m_logic->removeData( cred, msgID, @@ -247,13 +228,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b { Password password; buffer.Deserialize(tmpDataType, name, label, password); - - if (!allowed) - return disallowed(command, - msgID, - static_cast(DataType(tmpDataType)), - RawBuffer()); - return m_logic->getData( cred, msgID, @@ -270,10 +244,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b label, passKey, passCert); - - if (!allowed) - return disallowed(command, msgID, PKCS12Serializable()); - return m_logic->getPKCS12( cred, msgID, @@ -285,13 +255,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b case LogicCommand::GET_LIST: { buffer.Deserialize(tmpDataType); - - if (!allowed) - return disallowed(command, - msgID, - static_cast(DataType(tmpDataType)), - LabelNameVector()); - return m_logic->getDataList( cred, msgID, 
@@ -307,10 +270,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b policyKey, keyName, keyLabel); - - if (!allowed) - return disallowed(command, msgID); - return m_logic->createKeyAES( cred, msgID, @@ -335,10 +294,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b privateKeyLabel, publicKeyName, publicKeyLabel); - - if (!allowed) - return disallowed(command, msgID); - return m_logic->createKeyPair( cred, msgID, @@ -357,10 +312,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b RawBufferVector trustedVector; bool systemCerts = false; buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts); - - if (!allowed) - return disallowed(command, msgID, RawBufferVector()); - return m_logic->getCertificateChain( cred, msgID, @@ -376,10 +327,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b LabelNameVector trustedVector; bool systemCerts = false; buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts); - - if (!allowed) - return disallowed(command, msgID, LabelNameVector()); - return m_logic->getCertificateChain( cred, msgID, @@ -394,10 +341,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b RawBuffer message; int padding = 0, hash = 0; buffer.Deserialize(name, label, password, message, hash, padding); - - if (!allowed) - return disallowed(command, msgID, RawBuffer()); - return m_logic->createSignature( cred, msgID, @@ -423,10 +366,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b signature, hash, padding); - - if (!allowed) - return disallowed(command, msgID); - return m_logic->verifySignature( cred, msgID, 
@@ -442,10 +381,6 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, b { PermissionMask permissionMask = 0; buffer.Deserialize(name, label, accessorLabel, permissionMask); - - if (!allowed) - return disallowed(command, msgID); - return m_logic->setPermission( cred, command, @@ -477,5 +412,16 @@ void CKMService::ProcessMessage(MsgKeyRequest msg) } } +void CKMService::CustomHandle(const ReadEvent &event) { + LogDebug("Read event"); + auto &info = m_connectionInfoMap[event.connectionID.counter]; + info.buffer.Push(event.rawBuffer); + while(ProcessOne(event.connectionID, info, true)); +} + +void CKMService::CustomHandle(const SecurityEvent & /*event*/) { + LogError("This should not happend! SecurityEvent was called on CKMService!"); +} + } // namespace CKM diff --git a/src/manager/service/ckm-service.h b/src/manager/service/ckm-service.h index 5a96f23..5b6221e 100644 --- a/src/manager/service/ckm-service.h +++ b/src/manager/service/ckm-service.h @@ -39,6 +39,16 @@ public: CKMService& operator=(const CKMService &) = delete; CKMService& operator=(CKMService &&) = delete; + // Custom add custom support for ReadEvent and SecurityEvent + // because we want to bypass security check in CKMService + virtual void Event(const ReadEvent &event) { + CreateEvent([this, event]() { this->CustomHandle(event); }); + } + + virtual void Event(const SecurityEvent &event) { + CreateEvent([this, event]() { this->CustomHandle(event); }); + } + virtual void Start(void); virtual void Stop(void); @@ -46,6 +56,11 @@ public: ServiceDescriptionVector GetServiceDescription(); +protected: + // CustomHandle is used to bypass security check + void CustomHandle(const ReadEvent &event); + void CustomHandle(const SecurityEvent &event); + private: virtual void SetCommManager(CommMgr *manager); 
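Review bot: In `CustomHandle(const ReadEvent &)` the lookup `m_connectionInfoMap[event.connectionID.counter]` will create a default `ConnectionInfo` for an unregistered id if the map is a std::map-style container (its type is not visible here). That entry is then processed with `allowed` hard-coded to `true`. Because this handler replaces the path that ran the security check, it should refuse unknown connections: `auto it = m_connectionInfoMap.find(event.connectionID.counter);` followed by `if (it == m_connectionInfoMap.end()) return;`, then use `it->second`. The message in the `SecurityEvent` overload also has a typo ("happend").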
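Review bot: The two `Event` overloads added to `CKMService` are declared `virtual` without `override`, so if the base-class signatures ever differ they become unrelated overloads and the service's event handling changes without a compile error. Since they exist specifically to skip the base security check (the base class is not shown, so this assumes it declares matching virtuals), write them as `void Event(const ReadEvent &event) override {` and `void Event(const SecurityEvent &event) override {`. The comment above them is hard to read; `// Handle ReadEvent and SecurityEvent here so that CKMService skips the generic security check` says the same thing.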
@@ -65,8 +80,7 @@ private: RawBuffer ProcessStorage( Credentials &cred, - MessageBuffer &buffer, - bool allowed); + MessageBuffer &buffer); virtual void ProcessMessage(MsgKeyRequest msg); diff --git a/src/manager/service/ocsp-service.cpp b/src/manager/service/ocsp-service.cpp index 33111d5..e65114d 100644 --- a/src/manager/service/ocsp-service.cpp +++ b/src/manager/service/ocsp-service.cpp @@ -53,7 +53,7 @@ void OCSPService::Stop() { GenericSocketService::ServiceDescriptionVector OCSPService::GetServiceDescription() { return ServiceDescriptionVector { - {SERVICE_SOCKET_OCSP, "http://tizen.org/privilege/keymanager", SOCKET_ID_OCSP} + {SERVICE_SOCKET_OCSP, "http://tizen.org/privilege/internet", SOCKET_ID_OCSP} }; }
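Review bot: The descriptor in `OCSPService::GetServiceDescription` now names `http://tizen.org/privilege/internet` with no comment on why the OCSP socket is tied to that privilege. The storage service in this same commit stops using the privilege result altogether, which makes the intent harder to follow. A one-line comment above the entry, for instance `// privilege a client must hold to use the OCSP socket`, would make the intended gate explicit. The code that enforces this value is not part of the hunk, so it is worth confirming that the OCSP path still checks it.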