Krzysztof Jackiewicz [Fri, 3 Jul 2015 14:51:22 +0000 (16:51 +0200)]
Fix potential buffer overflow error CID: 40674
Change backported from security-server repository.
Change-Id: I7613de85e79bc5627336c70842c64bd35eb36468
Krzysztof Jackiewicz [Fri, 10 Jul 2015 10:31:40 +0000 (12:31 +0200)]
Extend asynchronous API socket timeout
[Problem] Encryption and decryption may take much longer than 10s. In such case it fails because of timeout.
[Solution] Extend timeout to 60s.
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION
Change-Id: I14c4084d7c44d310ab69649bd55e608f1b627204
Krzysztof Jackiewicz [Fri, 10 Jul 2015 09:05:42 +0000 (11:05 +0200)]
Call import & destroy on store
[Problem] Data is not imported to store during row creation and is not destroyed in
it during row removal.
[Solution] Import and destroy are called.
[Verification] Run ckm-tests --output=text
Change-Id: I364c98790fa4cffc408f05b641712aaec0d4955c
Bartlomiej Grzelewski [Tue, 4 Aug 2015 13:45:41 +0000 (15:45 +0200)]
Version 0.1.15
Change-Id: I52277c8cf9086d276379282971987d0fcead5ff0
Bartlomiej Grzelewski [Wed, 1 Jul 2015 14:02:45 +0000 (16:02 +0200)]
Update implementation of Stringify.
Change-Id: Id237fe33a435be9ab7b28ad223e00bca23a95fc9
Krzysztof Jackiewicz [Thu, 9 Jul 2015 13:18:01 +0000 (15:18 +0200)]
Remove unnecessary argument names in function typedef
[Problem] Unnecessary argument names in function typedef
[Solution] Names removed
[Verification] Successfull compilation
Change-Id: I32255580b6b9e9c386493adb94f50e2f77b48661
Krzysztof Jackiewicz [Thu, 9 Jul 2015 12:44:36 +0000 (14:44 +0200)]
Implement asynchronous encryption/decryption API
[Feature] Encryption/decryption API implementation
[Solution] Add asynchronous interface for encryption and decryption
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION
Change-Id: Ie18d80a47885895aabbedc51d8bdb8ff60172726
Krzysztof Jackiewicz [Tue, 7 Jul 2015 10:10:50 +0000 (12:10 +0200)]
Add RSA OAEP support
[Feature] Encryption service development
[Solution] Add support for RSA OAEP encryption/decryption
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION
Change-Id: Ieb78fcb65fbd6e2042c2b7effe1ef7b66429fcbd
Krzysztof Jackiewicz [Thu, 2 Jul 2015 13:34:47 +0000 (15:34 +0200)]
Add AAD support in AES GCM
[Feature] Encryption service development.
[Solution] Add AppendAAD method to EvpCipherWrapper. Use it to provide AAD in
AES GCM encryption/decryption.
[Verification] ckm-test --regexp=TED_1250_gcm_aad should pass.
Change-Id: If461a875490b3a6319eb5c78b914bd4df6591746
Krzysztof Jackiewicz [Thu, 2 Jul 2015 11:40:12 +0000 (13:40 +0200)]
Openssl: add thread support and fix initialization
[Problem] Openssl is used in multiple threads without proper thread support.
Openssl initialization is scattered across several threads/files.
[Solution] Lock and thread id callbacks registered. Openssl initialization
refactored and fixed.
[Verification] Run ckm-tests --output=text & ckm-tests-internal
Change-Id: Iff26af6a0afd67001155aac040949bfde9cc6d31
Dong Sun Lee [Tue, 28 Jul 2015 01:15:04 +0000 (18:15 -0700)]
Merge "Match schema file version to db version" into tizen
Kyungwook Tak [Fri, 17 Jul 2015 10:45:36 +0000 (19:45 +0900)]
Match schema file version to db version
Change-Id: I9379b1e4eb39125c0a421fc9655ce0f8c3641c4a
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
Krzysztof Jackiewicz [Thu, 2 Jul 2015 14:05:41 +0000 (16:05 +0200)]
Fix segfault in getCertificateChain
[Problem] When getCertificateChain is called with empty certificate a segfault
occurs in client.
[Solution] Add param check in client.
[Verification] Run ckm-tests --regexp=T13122_get_chain_empty_cert &&
ckm-tests --regexp=T13121_get_chain_no_cert
Change-Id: I4f29ab1ca95166de261ef9120897ac85ac80c722
Krzysztof Jackiewicz [Fri, 3 Jul 2015 14:36:40 +0000 (16:36 +0200)]
Fix parameter validation in ocsp
[Problem] It's possible to pass invalid certificate chains to ocsp that will
cause segfault.
[Solution] Add argument check
[Verification] Run ckm-tests --regexp=ocsp_check
Change-Id: I267054f81780149a0512532a016c3f7caf30e900
Bartlomiej Grzelewski [Wed, 1 Jul 2015 13:47:27 +0000 (15:47 +0200)]
Reduce number of error logs in ckm.
Change-Id: Ibdf054bfa39723910dafd2eea64173b8e34f13e0
Kyungwook Tak [Fri, 3 Jul 2015 04:53:06 +0000 (13:53 +0900)]
Fix table name to add backendId
Change-Id: I5204529f11267f8df1b896435125108bc972bb63
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
Zbigniew Jasinski [Fri, 26 Jun 2015 13:13:35 +0000 (15:13 +0200)]
Klocwork fixes.
variable is used, but is uninitialized.
Change-Id: Ie7d1d1004479a48745b342c6a1f0914dfc919c3f
Dongsun Lee [Thu, 2 Jul 2015 02:30:22 +0000 (11:30 +0900)]
remove sockets' smack label to conform to 3 domain policy
Change-Id: Ic5907ada63c08f468cdc497b365e66b44176991c
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
Krzysztof Jackiewicz [Tue, 30 Jun 2015 09:19:02 +0000 (11:19 +0200)]
Add support for AES CTR and AES CFB
[Feature] Implementation of encryption service
[Solution] CTR and CFB modes implemented
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION. Only rsa tests
and gcm aad test may fail.
Change-Id: I71f8c71a0fce536037da7653986c674c3a63499a
Krzysztof Jackiewicz [Mon, 29 Jun 2015 13:52:45 +0000 (15:52 +0200)]
Add support for different AES key sizes
[Problem] AES encryption/decryption supports only 256-bit key size.
[Solution] Add support for 128 and 192-bit key encryption/decryption.
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION. Only
TED_1250_gcm_aad may fail.
Change-Id: Ia949250b7f3597dee5360c3373c9164dc2e4d9e8
Krzysztof Jackiewicz [Fri, 26 Jun 2015 12:19:36 +0000 (14:19 +0200)]
Encryption service refactoring
[Problem] Unnecessary counter in communication manager. Request map name.
[Solution] Counter replaced by size(). Request map renamed.
[Verification] Successfull compilation. Run tests
Change-Id: I757d729de8f26a1bca8af65f1377d43afcc07d79
Krzysztof Jackiewicz [Fri, 19 Jun 2015 08:08:31 +0000 (10:08 +0200)]
Add algorithm param validation
[Problem] Algorithm param validation is quite complicated. We need a generic
mechanism for parameter constraints definition. Aes key generation algorithm is
missing. There's no validation of encryption params.
[Solution] Created generic parameter validation framework. Defined constraints
for all algorithms. Aes key algorithm added. Algorithm parameter validation
refactored.
[Verification] run ckm-tests --output=text
Change-Id: Ia1df8a3f4bcda835a736d5fe1e4fbc7157d1a26c
Krzysztof Jackiewicz [Mon, 29 Jun 2015 09:13:30 +0000 (11:13 +0200)]
Fix C compilation
[Problem] ckmc_param_list_s fails to compile when C compiler is used.
[Solution] Proper typedef added.
[Verification] Successfull compilation of security-tests (c-compilation.c).
Change-Id: I90cbd8a530707961d593f51e5bc0f2cc9b4b38d3
Dongsun Lee [Sat, 27 Jun 2015 07:12:53 +0000 (00:12 -0700)]
Merge "allow all clients to access storage socket and ocsp socket" into tizen
Dongsun Lee [Sat, 27 Jun 2015 07:12:42 +0000 (00:12 -0700)]
Merge "add a solution in case for no password set" into tizen
Dongsun Lee [Sat, 27 Jun 2015 06:29:24 +0000 (15:29 +0900)]
allow all clients to access storage socket and ocsp socket
Change-Id: I38dc270b4e58cc791a219fb2c46520650f2bba0b
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
Dongsun Lee [Sat, 27 Jun 2015 06:27:54 +0000 (15:27 +0900)]
add a solution in case for no password set
Change-Id: Ie7d65c5165a2d0e162b4e990240c84e12d6227ed
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
Krzysztof Jackiewicz [Thu, 18 Jun 2015 14:24:20 +0000 (16:24 +0200)]
Encryption service calls proper encryption/decryption methods
[Feature] Encryption srevice development
[Solution] After key is retrieved it is used to perform encryption/decryption
of data and return the result to the client.
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION.
TED_1250_gcm_aad may fail.
Change-Id: Iaff45ac05df0470eabf3164c6fb427c68c9ef1a5
Maciej J. Karpiuk [Thu, 25 Jun 2015 12:34:09 +0000 (14:34 +0200)]
encrypted initial values: schema enhancements plus SW device key schema.
Change-Id: Ib0f47fc5c95a785a9d2263a2d0b16da2c1ea7460
Krzysztof Jackiewicz [Wed, 17 Jun 2015 12:19:50 +0000 (14:19 +0200)]
Implement key retrieval in encryption service
[Feature] Encryption/decryption service implementation
[Solution] Encryption service sends a key request, CKM service retrieves the
key and returns it to Encryption service.
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION and observe
journalctl -f. TED_0010_encrypt_invalid_param_list should print:
"Attempt to retrieve key failed with error: -15" (5 times)
other failing tests should print:
"Encryption/decryption not yet supported"
Change-Id: I56dc8a08ba211e996295f962da12193027c1a78c
Krzysztof Jackiewicz [Wed, 17 Jun 2015 12:17:57 +0000 (14:17 +0200)]
Add MessageService
[Feature] Inter-service communication development
[Solution] Add MessageService and ThreadMessageService classes to
support/simplify transferring inter service messages between services/threads.
[Verification] Verify together with next commit
Change-Id: Id205e299ffc186a5e6eae6563d9804ce61fdec21
Krzysztof Jackiewicz [Wed, 17 Jun 2015 11:12:39 +0000 (13:12 +0200)]
Add support for inter-service communication in SocketManager
[Feature] Inter-service communication development.
[Solution] Add CommunicationManager basing on existing messages to
SocketManager. Set communication manager in services.
[Verification] Successfull compilation. Run ckm-tests --output.
Change-Id: Ic22b3496f7f40a424cec4794513cec9211a752d1
Krzysztof Jackiewicz [Wed, 17 Jun 2015 11:07:58 +0000 (13:07 +0200)]
Add inter-service messages
[Feature] Development of inter-service communication
[Solution] Create inter-service communication message class hierarchy including
key request and response messages.
[Verification] Successfull compilation
Change-Id: I41de882a089560201395fbcfe0143c067c1aee1f
Krzysztof Jackiewicz [Wed, 17 Jun 2015 10:55:53 +0000 (12:55 +0200)]
CommunicationManager returns the number of called listeners
[Problem] There's no way to find out if inter-service message reached some
listeners.
[Solution] SendMessage returns the number of called listeners.
[Verification] Run ckm-tests-internal -t MESSAGE_MANAGER_TEST
Change-Id: I0f9cba13991cb79e2901a6784a6b18e3b87c7150
Krzysztof Jackiewicz [Fri, 29 May 2015 14:59:57 +0000 (16:59 +0200)]
Add encryption service
[Feature] Encryption/decryption implementation
[Solution] Encryption service added
[Verification] Run test: ckm-tests --group=CKM_ENCRYPTION_DECRYPTION
Change-Id: I3ff79b06eabb6957ef2bbbe9a5bf7e5e2a995a21
Bartlomiej Grzelewski [Fri, 12 Jun 2015 13:32:28 +0000 (15:32 +0200)]
Use new exception types in KeyProvider class.
This commit also removed exception throw in object destructor.
Change-Id: I55f58bd5e63261632404557f60caa7f0af393714
Bartlomiej Grzelewski [Thu, 25 Jun 2015 15:48:19 +0000 (17:48 +0200)]
Replace shared ptr with unique ptr.
Change-Id: I7542c03078dc449dfb925824e8e89d11fcffcde9
Maciej J. Karpiuk [Thu, 11 Jun 2015 13:21:52 +0000 (15:21 +0200)]
Move encryption from crypto-logic class to "internal module".
Change-Id: I60186591a9d3c188d9642b202be1bcab047fee61
Bartlomiej Grzelewski [Tue, 9 Jun 2015 13:09:59 +0000 (15:09 +0200)]
Introduce new (much simpler) Exception type.
This commit changes the exception class hierarhy. Exceptions class won't
be hidden inside classes. From now exceptions will be defined globally
per project.
It does not mean that you cannot create hidden exception inside class.
Change-Id: If10bc10154684de91ea1f82332860ef53bdd2d3a
Bartlomiej Grzelewski [Thu, 11 Jun 2015 15:33:50 +0000 (17:33 +0200)]
Fix serious bug that causes crash on CKM exit.
Change-Id: Idef7ad9a4606b16f293a1052c313fa045a2f5da5
Krzysztof Jackiewicz [Mon, 8 Jun 2015 14:05:47 +0000 (16:05 +0200)]
Update parameter list API
[Problem] Param name range check is needed. Support for param overwriting is
needed. Getters in CAPI are needed. IV param has to be added manually.
[Solution] Add predefined range for possible ParamName values. Add ParamName
value check. Support param overwriting. Add CAPI param getters. IV param is not
generated in ckmc_generate_params.
[Verification] Run ckm-tests --group=CKM_ALGO_PARAMS and
ckm-tests-internal -t SERIALIZATION_TEST
All should pass.
Change-Id: I72a2c603d7a8f60bab5cb0c18fdc3866a28c7a82
Maciej J. Karpiuk [Wed, 3 Jun 2015 07:14:16 +0000 (09:14 +0200)]
AES: add generation, save, get support.
[Verification] a copule of AES tests added along other key types tests:
https://review.tizen.org/gerrit/#/c/38195/
Change-Id: If6508811f874d438551a9d528b17d5719adc8ed0
Krzysztof Jackiewicz [Tue, 7 Apr 2015 08:36:24 +0000 (10:36 +0200)]
AES key creation API
[Issue#] N/A
[Feature] API allowing creation of AES key in key-manager database
[Problem] N/A
[Cause] N/A
[Solution] N/A
[Verification] Successfull compilation. Run tests.
Change-Id: I3ec358ce4a58afb657afaf110ca81bacea7dcd10
Maciej J. Karpiuk [Fri, 29 May 2015 11:51:15 +0000 (13:51 +0200)]
Key generation uses CryptoAlgorithm object provided by the client.
Protocol changed: single command to generate all types of asymetric keys.
Change-Id: Iafe2b593c3945ff0e3fcc31241faea3a542aca65
Krzysztof Jackiewicz [Thu, 28 May 2015 07:11:22 +0000 (09:11 +0200)]
Implement encryption/decryption API
[Feature] Implementation of encryption/decryption service.
[Solution] API implemented
[Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION
(TED_0040_encrypt_no_output_buffer passes, all other tests fail with
CKMC_ERROR_SOCKET)
Change-Id: Ib0ce85f031e92660713ae4f320a4fd3981a43ffc
Krzysztof Jackiewicz [Wed, 27 May 2015 12:47:07 +0000 (14:47 +0200)]
Algorithm types and param names updated
[Problem] ED_CTR can be replaced with ED_IV. We need a way to distinguish
asymmetric algorithms for different purposes (encryption, signing/verification,
key generation)
[Solution] ED_CTR replaced with ED_IV. New algorithm types added.
[Verification] Compile and run tests: ckm-tests-internal -t SERIALIZATION_TEST
Change-Id: Id7f5f805f25aa674023f6fc8c3631c8b7abcea64
Krzysztof Jackiewicz [Wed, 1 Apr 2015 09:45:48 +0000 (11:45 +0200)]
Encryption/decryption API
[Issue#] N/A
[Feature] Encryption decryption support
[Problem] N/A
[Cause] N/A
[Solution] API for encryption decryption
[Verification] Succesfull compilation. Run tests
ckm-tests --group=ALGO_PARAMS (all pass)
ckm-tests --group=ENCRYPTION_DECRYPTION (all fail with CKMC_ERROR_UNKNOWN)
Change-Id: I6cbb1fb56ad1d82f8d673ed27d22eade82e4e1d0
Maciej J. Karpiuk [Wed, 27 May 2015 13:01:48 +0000 (15:01 +0200)]
crypto-service key generation contents moved into SW backend.
Change-Id: Icf746f14b7bcbd4bc1ac847dae4de0e4ad23a194
Krzysztof Jackiewicz [Thu, 28 May 2015 07:28:09 +0000 (09:28 +0200)]
Make CryptoAlgorithm copyable.
[Problem] CryptoAlgorithm have to be copied on client side. One copy has to
remain on client side for decryption and the other has to be serialized in
client.
[Solution] Unique_ptr replaced with shared_ptr so that CryptoAlgorithm copying
is possible.
[Verification] Run ckm-tests-internal -t SERIALIZATION_TEST
Change-Id: Ied81a1414cc9c6b40206116895f713b779a685ac
Maciej J. Karpiuk [Mon, 25 May 2015 09:07:45 +0000 (11:07 +0200)]
Initial values XSD moved into read only directory.
Change-Id: I200465912b82eae0b75228273e0af7cafe53ec7d
Bartlomiej Grzelewski [Tue, 19 May 2015 15:18:30 +0000 (17:18 +0200)]
Add classes for Trust Zone backend.
Change-Id: I84d0fc46e0026e83903ead87285fb6f9fb5754db
Maciej J. Karpiuk [Fri, 8 May 2015 12:00:24 +0000 (14:00 +0200)]
Add initial values support - values to feed the shared database on first startup.
Change-Id: Iec81d8aa168dd30072aae86827124744798ef33d
Bartlomiej Grzelewski [Tue, 19 May 2015 14:41:11 +0000 (16:41 +0200)]
SW Backend initialization refactoring.
Random initialization from CryptoService was moved to
CKM::Crypto::SW::Internals namespace.
Change-Id: I47ff24a9af908a9856158ec32a402e09d9b163b2
Maciej J. Karpiuk [Wed, 6 May 2015 13:20:41 +0000 (15:20 +0200)]
Add generic XML parser + tests.
Change-Id: I44494b0e3034cb0e6e258bc9b8da8cadb5e2be70
Bartlomiej Grzelewski [Wed, 13 May 2015 14:56:08 +0000 (16:56 +0200)]
Use new classes to sign and verify messages.
Remove old implementation of sign/verify methods.
Change-Id: I391d29ffc3ae8a2fe49b09259387efa2023abec2
Krzysztof Jackiewicz [Fri, 15 May 2015 17:40:29 +0000 (19:40 +0200)]
Simplify CryptoAlgorithm interface
[Issue#] N/A
[Feature/Bug] N/A
[Problem] N/A
[Cause] CryptoAlgorithm interface was too complicated
[Solution] Add high level interface
[Verification] Run: ckm-tests-internal --run_test=SERIALIZATION_TEST
Change-Id: I9f02d6ea6f3cc37d46585e1460f2a02bdc107f3c
Krzysztof Jackiewicz [Fri, 15 May 2015 09:59:27 +0000 (11:59 +0200)]
Add backend id to database scheme
[Issue#] N/A
[Feature/Bug] N/A
[Problem] N/A
[Cause] We have to keep backend id in database.
[Solution] Schema updated
[Verification] Run migration tests:
ckm-tests-internal --run_test=DBCRYPTO_MIGRATION_TEST
ckm-tests-internal --run_test=DBCRYPTO_TEST/DBtestBackend
Change-Id: Ib33d6c360d655f7c7a01164385e284ec8f759837
Krzysztof Jackiewicz [Tue, 19 May 2015 08:00:09 +0000 (10:00 +0200)]
Fix row comparison function in tests
[Issue#] N/A
[Feature/Bug] N/A
[Problem] N/A
[Cause] The function was comparing the row with itself
[Solution] The pattern row is compared with the row read from db
[Verification] Run ckm-tests-internal
Change-Id: I2d98c3478f5e28ebd08bb1306edb5b00df8ab76b
kyungwook tak [Fri, 15 May 2015 01:39:09 +0000 (10:39 +0900)]
Remove DEK on memory when app removed
Change-Id: I927b50e8738f1fa6b8189467fa25658c2c235763
Signed-off-by: kyungwook tak <k.tak@samsung.com>
Krzysztof Jackiewicz [Fri, 15 May 2015 13:51:22 +0000 (15:51 +0200)]
Fix for sqlcipher ALTER TABLE ADD COLUMN
[Issue#] N/A
[Feature/Bug] N/A
[Problem] N/A
[Cause] In ALTER TABLE ADD COLUMN function the table name was not properly
extracted.
[Solution] Fixed.
[Verification] Run migration tests:
ckm-tests-internal --run_test=DBCRYPTO_MIGRATION_TEST
Change-Id: Ie81a2ec01adc17328bc493ad0aa56bf70dcc1fe5
Bartlomiej Grzelewski [Mon, 11 May 2015 16:05:28 +0000 (18:05 +0200)]
Move Token from CKM::Crypto to CKM namespace.
Token is used in database and crypto module. It should not be hidden in
CKM::Crypto namespace.
Change-Id: I6d000c05deda8f0027ce3afbdeb3bd0a793f0f78
Maciej J. Karpiuk [Thu, 16 Apr 2015 06:55:58 +0000 (08:55 +0200)]
Add system database - managed by service (uid<5000) users, accessible by priviledged regular users.
Change-Id: I08b6c4718ff4219bebfd85ab942cfe22570ed0a5
Bartlomiej Grzelewski [Fri, 8 May 2015 13:58:51 +0000 (15:58 +0200)]
Add implementation for sign and verify operation.
Change-Id: I105f6c719f17483da2987224f0029fd0a7b44c45
Bartlomiej Grzelewski [Mon, 4 May 2015 12:31:27 +0000 (14:31 +0200)]
New class hierarchy (multiple backends support).
Current implemantion my use only one crypto library. The target is to
use at least two libraries at the same time (openssl and trustzone
library for arm devices).
Change-Id: I3563fb1c89f3603a927b8b19f6358b4fc3f5c7cf
Krzysztof Jackiewicz [Fri, 8 May 2015 08:38:10 +0000 (10:38 +0200)]
Add serialization of CryptoAlgorithm
[Issue#] N/A
[Feature/Bug] N/A
[Problem] N/A
[Cause] CryptoAlgorithm needs serialization/deserialization methods.
[Solution] Serialization added.
[Verification] Run ckm-tests-internal --run_test=SERIALIZATION_TEST
Change-Id: I8556f366311f4e4a5255a33303bd7f42dc0cfcdd
Krzysztof Jackiewicz [Thu, 7 May 2015 15:38:24 +0000 (17:38 +0200)]
Add classes for algorithm parameters
[Issue#] N/A
[Feature/Bug] N/A
[Problem] N/A
[Cause] We need a way to represent different algorithm parameters in a common
way.
[Solution] A set of classes and enums added.
[Verification] Run ckm-tests --group=ALGO_PARAM_TEST
Change-Id: I281a1b192d01bad5bdfded8dbb1d385e876b6657
Krzysztof Jackiewicz [Fri, 24 Apr 2015 13:40:16 +0000 (15:40 +0200)]
Initial values format fixed
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Wrong occurrence numbers used.
[Cause] N/A
[Solution] Occurrence numbers fixed. Removed whitespaces from ASCII example.
[Verification] xmllint -schema initial_values.xsd example.xml
Change-Id: I78a7cd216a2c412e271e3811a02ec812eadd53ac
Lukasz Wojciechowski [Wed, 22 Apr 2015 09:59:53 +0000 (11:59 +0200)]
Adjust manifest files to Tizen 3.0 Security model
Remove old Smack based security domain mode known from Tizen 2.X.
Request "_" domain for file labeling as suggested in Three Domains Model.
Do not assign "_" label manually, as that is the default label and files
will receive it anyway.
Change-Id: Ic1735a2f8dffc8f142007d4e3f8dcf981ef90300
Krzysztof Jackiewicz [Thu, 16 Apr 2015 12:38:03 +0000 (14:38 +0200)]
Version 0.1.14
Change-Id: I3bf2fa3b6a233fca6b46215d7b15a2ce8c3cc8e9
Maciej J. Karpiuk [Tue, 7 Apr 2015 11:23:57 +0000 (13:23 +0200)]
Reverting Tizen 2.x specific workarounds for password change/authtype==none.
Change-Id: Ib888b1df3afc54405cf6a3b48bad86e7fc0c92e4
Maciej J. Karpiuk [Wed, 15 Apr 2015 09:04:20 +0000 (11:04 +0200)]
bugfix: minor memory corruption. Internal tests work.
Change-Id: Ie6cc846ac066a6d86f0d2642a9906c08b4d35068
Maciej J. Karpiuk [Mon, 23 Mar 2015 15:13:07 +0000 (16:13 +0100)]
Key Manager tizen.org session and user management
integration.
Key-Manager integrates with PAM (via pam_key_manager_plugin.so lib
and appropriate configuration changes) and gumd via user removal hook.
PAM configuration needs to be changed to use the .so specified above.
For testing, do the following changes in /etc/pam.d/system-auth:
section password:
* remove pam_deny.so line
* change pam_unix.so from sufficient to required
* add "password optional pam_key_manager_plugin.so change_step=before" before the pam_unix.so entry
* add "password optional pam_key_manager_plugin.so change_step=after" after the pam_unix.so entry
section session:
* add "session optional pam_key_manager_plugin.so" as last item
Change-Id: I2fd29ab527aa3d89c810b9c6d5f74cbbec2e5957
Krzysztof Jackiewicz [Fri, 3 Apr 2015 12:30:14 +0000 (14:30 +0200)]
Initial values format adjusted
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Symmetric keys should not hold information about encryption
algorithm. Initial data will be stored as system user but has to be accessible
by ordinary users
[Cause] N/A
[Solution] Symmetric encryption params can be stored separately from key as
data. Encryption params removed from schema. Added permission tag allowing
other users to access system database. XML structure redesigned. Example
updated.
[Verification] Validate example with:
xmllint -schema initial_values.xsd example.xml
Change-Id: I36149b15d6f786e37cec370d632ab74e40efc162
Bartlomiej Grzelewski [Wed, 18 Mar 2015 14:53:57 +0000 (15:53 +0100)]
Simplify implementation of ServiceThread
Change-Id: I56ced6bb12e2a6140ab26ab82f9dd68cb2b92b76
Krzysztof Jackiewicz [Wed, 18 Mar 2015 16:10:30 +0000 (17:10 +0100)]
Add inter-service communication framework
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Services need to communicate with each other
[Cause] N/A
[Solution] Framework for inter-service communication added.
[Verification] Run ckm-tests-internal -t MESSAGE_MANAGER_TEST
Change-Id: I28714ba52efe25c47402adb6ac1bef52859ed898
Krzysztof Jackiewicz [Thu, 12 Mar 2015 16:34:53 +0000 (17:34 +0100)]
Add initial value format schema
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Initial value format needs to be defined
[Cause] N/A
[Solution] Schema and example added
[Verification] Validate example with: xmllint -schema initial_values.xsd example.xml
Change-Id: I5c8979c971e73b07e959e2fdf5d32ee3f9dabf91
Krzysztof Jackiewicz [Tue, 17 Feb 2015 13:42:34 +0000 (14:42 +0100)]
Optimize openssl initialization
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Each time Manager or PKCS12 object is created initCryptoLib is called
and mutex is locked inside it.
[Cause] N/A
[Solution] Once openssl is initialized the initalization function pointer is
switched to empty one, thus mutex is not used any more.
[Verification] Run tests. Alternatively check in gdb that client calls
initOpenSSL() only once
Change-Id: I733e4ca6c88a6a51d69ebb0606f560a9b4828e4c
yuseok.jeon [Wed, 25 Feb 2015 07:00:09 +0000 (16:00 +0900)]
Modify APIs and doxygen to meet ACR(TIZEN 2.4) requirement
Change-Id: I7a883273c6563df23f8e4668d88fbd73d61c2a08
Signed-off-by: yuseok.jeon <yuseok.jeon@samsung.com>
Bartlomiej Grzelewski [Thu, 12 Feb 2015 14:12:38 +0000 (15:12 +0100)]
Fix description in ckmc-manager.h
Change-Id: Iceb597c1c8cd10360add0c20a40a2269c53ab2cd
kyungwook tak [Mon, 23 Feb 2015 06:30:37 +0000 (15:30 +0900)]
Add symbolic-functions linker flag
Change-Id: I6b014e269f83a48ad516e2b64c1e0de89c546bf9
Signed-off-by: kyungwook tak <k.tak@samsung.com>
Krzysztof Jackiewicz [Tue, 10 Feb 2015 17:14:56 +0000 (18:14 +0100)]
Tool for measuring dlopen/dlsym performance
[Issue#] N/A
[Feature/Bug] N/A
[Problem] We need a tool that will show the influence of the number of symbols
and the size of a library on dlopen/dlsym performance
[Cause] N/A
[Solution] Tool added
[Verification] Run ckm_so_loader [library_path] [symbol_to_load]
Change-Id: I524bb20d4a23a5128e83ee42241161ce15fc2092
Krzysztof Jackiewicz [Tue, 10 Feb 2015 17:10:30 +0000 (18:10 +0100)]
Globals in LogSystem adjusted to use in lib constructor
[Issue#] N/A
[Feature/Bug] N/A
[Problem] dlopen() fails with client library
[Cause] The order of global variables construction in common library is unpredictable.
[Solution] Global variable made member. Strings replaced by const char* const.
[Verification] Use ckm_so_loader 2 100 /usr/lib/libkey-manager-client.so ckmc_save_key
Change-Id: I0add0c1fe3c66ac9d42a94b7e59bf21cadecdefc
Bartlomiej Grzelewski [Tue, 17 Feb 2015 16:30:00 +0000 (17:30 +0100)]
Fix serialization implementation to support 32 and 64 platform.
Change-Id: I3bf8c4bf1c1fa369ea9b0ba1aa20edfe9228f0d9
Maciej J. Karpiuk [Tue, 17 Feb 2015 11:54:18 +0000 (12:54 +0100)]
Removal of unused build artifact "key-provider".
Bartlomiej Grzelewski [Thu, 12 Feb 2015 13:09:35 +0000 (14:09 +0100)]
Change parameters of ckmc_get_pkcs12 function.
New version supports additional passwords that may be used
to secure private key and certificates.
Change-Id: I809e5fbbd090e4ee793745e68256915144bb1cd2
kyungwook tak [Thu, 12 Feb 2015 02:30:01 +0000 (11:30 +0900)]
Use _toCkmCertificateVector in pkcs12 client CAPIs
Change-Id: I21caca7f9c39dc5e372977e3a4891e1c71d99c22
Signed-off-by: kyungwook tak <k.tak@samsung.com>
kyungwook tak [Mon, 9 Feb 2015 06:36:07 +0000 (15:36 +0900)]
CKM FileSystem versioning with file name format update mechanism
* DKEK format releaseed on kiran
(key-<uid>-<autoincreased num>)
* DKEK format on version 0.1.13
(key-<uid>)
(key-backup-<uid>)
* DKEK format on tizen 2.4 which has container feature
(not merged from knox-tct branch yet,
so not included about it in this commit)
(key-<zone name>-<uid>)
(key-backup-<zone name>-<uid>
Change-Id: I5ce62528d54268cccb7f9705daf0793aec782513
Signed-off-by: kyungwook tak <k.tak@samsung.com>
Bartlomiej Grzelewski [Fri, 6 Feb 2015 16:55:59 +0000 (17:55 +0100)]
Add support for password in Manager::getPCKS12 function.
In function savePKCS12 user may specify passwords to protect
data. Function getPKCS12 wasn't support passwords so it was not
possible to extract PKCS12 secured with this functionality.
Change-Id: I542873b817a2bff1064b2b56254d14fb632d8bdf
kyungwook tak [Tue, 10 Feb 2015 01:17:12 +0000 (10:17 +0900)]
unlock with password when resetPassword called in case of first start of device
Change-Id: I536b7b5ff2448990bd0c5fdda87730b34e13c16f
Signed-off-by: kyungwook tak <k.tak@samsung.com>
Krzysztof Jackiewicz [Fri, 6 Feb 2015 14:24:47 +0000 (15:24 +0100)]
Fix for gcc4.8 (-ldl)
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Linker fails when gcc4.8 is used
[Cause] Undefined symbols from dynamic linker library because of missing -ldl
option
[Solution] Add -ldl option
[Verification] Successfull linkage
Change-Id: Ida7784fddd9caa92c1a23cb50c5025f257ae7020
Krzysztof Jackiewicz [Thu, 29 Jan 2015 17:12:01 +0000 (18:12 +0100)]
Common logging setup for client and service
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Client may use different logging method than service.
[Cause] Service reads environment flags from config file. Client doesn't
[Solution] Make the client read that file too and setup log system properly.
[Verification] Make changes to /etc/sysconfig/central-key-manager file and see
if both service and client uses the same logging setup (provider and log level)
File format is the following:
"
CKM_LOG_PROVIDER=<provider>
CKM_LOG_LEVEL=<level>
"
where:
<provider> is one of JOURNALD, DLOG, CONSOLE
<level> is <0..5>, 0 means not logs at all, 1 means errors only, 5 means all
Change-Id: I1662fe636f9987778345f8a02afa6fb77f7f1fe0
Krzysztof Jackiewicz [Thu, 5 Feb 2015 14:09:19 +0000 (15:09 +0100)]
Libraries reorganized to limit the number of exported symbols
[Issue#] N/A
[Feature/Bug] N/A
[Problem] Too much exported symbols
[Cause] Some of the code don't have to be exported or is used by a single binary.
[Solution] Unnecessary exports removed. Part of libkey-manager-common code
moved to client library or key-manager binary
[Verification] Compile key-manager and security-tests. Display the number of
exported symbols before and after with:
nm -g <library>.so | wc -l
Change-Id: Iccb053af2523368d353693247e505a794e783318
Bartlomiej Grzelewski [Wed, 4 Feb 2015 18:19:22 +0000 (19:19 +0100)]
Add support for AUTHENTICATION_FAILED code in getData function.
Function getPKCS12, getKey, getData will return proper code when
password does not mach.
Change-Id: I8b506f6c03f7acc5421278360cd839d059b914c2
kyungwook tak [Tue, 3 Feb 2015 03:46:56 +0000 (12:46 +0900)]
Symbol visibility changed from default to hidden.
Change-Id: I9b4b7e8af5ff62cd8c063a0ce45a899f166566d7
Signed-off-by: kyungwook tak <k.tak@samsung.com>
Bartlomiej Grzelewski [Mon, 2 Feb 2015 16:40:20 +0000 (17:40 +0100)]
Version 0.1.13
Change-Id: I1a7c7abb788ef647bd5e3137011484dc539d4771
Bartlomiej Grzelewski [Mon, 2 Feb 2015 11:30:25 +0000 (12:30 +0100)]
Add support for new error code in ckmc API
Change-Id: I111c8b64da39e3a19e5fac144e94a5516b389a32
Maciej J. Karpiuk [Mon, 2 Feb 2015 10:02:24 +0000 (11:02 +0100)]
Deprecated access control API fixed - proper mapping to permissions.
[Issue#] N/A
[Feature/Bug] bug: deprecated access control API not working.
[Problem] deprecated access control API incorrectly mapped given values into permissions.
[Solution] added translation mechanism between old access rights into permissions.
[Verification] compile, run updated test set.
Change-Id: If26c69160a79439774a8ffd800809c0a6f7f85e5
Maciej J. Karpiuk [Tue, 20 Jan 2015 13:29:09 +0000 (14:29 +0100)]
DB related classes moved into CKM::DB namespace.
Change-Id: Ifbf70ffe6865793394d46ea6443f27a0062fe02d
Krzysztof Jackiewicz [Wed, 28 Jan 2015 13:56:18 +0000 (14:56 +0100)]
Fix logs in internal tests
[Issue#] N/A
[Feature/Bug] N/A
[Problem] No logs from internal tests
[Cause] LogSystem tag was not set
[Solution] Internal tests refactored and cleaned up. Proper tag set.
[Verification] Run internal tests and see if logs are visible
Change-Id: Ibb8517bad710d06a62ba9ba7fbc7b9b8ed7b7c21
Krzysztof Jackiewicz [Wed, 28 Jan 2015 09:19:38 +0000 (10:19 +0100)]
Add file, line & function information to journald log
[Issue#] N/A
[Feature/Bug] N/A
[Problem] File, line & function not visible in default journalctl log
[Cause] Default log format does not display this information and other formats
are unreadable
[Solution] File, line & function information added to log message content
[Verification] Create /etc/sysconfig/central-key-manager with following content
"
CKM_LOG_LEVEL=3
CKM_LOG_PROVIDER=JOURNALD
"
Restart the service and see if journalctl logs contain file, line & function
info:
journalctl -f -u central-key-manager
Change-Id: I01389eda9f7db390f6ca00c8f44e1a5c097e59c8