From c55576f7662f4467a449ad7510b6971f69a864f4 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Wed, 8 Feb 2023 10:27:14 +0100 Subject: [PATCH] Remove unnecessary helpers from CkmLogic Change-Id: I32df8f2f0f17b22e2d72ac99708e79f7b8ebde81 --- src/manager/service/ckm-logic.cpp | 417 ++++++++++++++++---------------------- src/manager/service/ckm-logic.h | 36 ---- 2 files changed, 179 insertions(+), 274 deletions(-) diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index d39ca76..99418ef 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -373,52 +373,21 @@ RawBuffer CKMLogic::removeUserData(uid_t user) return SerializeMessage(retCode); } -int CKMLogic::changeUserPasswordHelper(uid_t user, - const Password &oldPassword, - const Password &newPassword) -{ - // do not allow to change system database password - if (m_accessControl.isSystemService(user)) - return CKM_API_ERROR_INPUT_PARAM; - - loadDKEKFile(user, oldPassword); - saveDKEKFile(user, newPassword); - - return CKM_API_SUCCESS; -} - RawBuffer CKMLogic::changeUserPassword( uid_t user, const Password &oldPassword, const Password &newPassword) { return SerializeMessage(tryRet([&] { - return changeUserPasswordHelper(user, oldPassword, newPassword); - })); -} - -int CKMLogic::resetUserPasswordHelper( - uid_t user, - const Password &newPassword) -{ - // do not allow to reset system database password - if (m_accessControl.isSystemService(user)) - return CKM_API_ERROR_INPUT_PARAM; - - int retCode = CKM_API_SUCCESS; - - if (0 == m_userDataMap.count(user)) { - // Check if key exists. If exists we must return error - FileSystem fs(user); - auto wrappedDKEKMain = fs.getDKEK(); + // do not allow to change system database password + if (m_accessControl.isSystemService(user)) + return CKM_API_ERROR_INPUT_PARAM; - if (!wrappedDKEKMain.empty()) - retCode = CKM_API_ERROR_BAD_REQUEST; - } else { + loadDKEKFile(user, oldPassword); saveDKEKFile(user, newPassword); - } - return retCode; + return CKM_API_SUCCESS; + })); } RawBuffer CKMLogic::resetUserPassword( @@ -426,7 +395,24 @@ RawBuffer CKMLogic::resetUserPassword( const Password &newPassword) { return SerializeMessage(tryRet([&] { - return resetUserPasswordHelper(user, newPassword); + // do not allow to reset system database password + if (m_accessControl.isSystemService(user)) + return CKM_API_ERROR_INPUT_PARAM; + + int retCode = CKM_API_SUCCESS; + + if (0 == m_userDataMap.count(user)) { + // Check if key exists. If exists we must return error + FileSystem fs(user); + auto wrappedDKEKMain = fs.getDKEK(); + + if (!wrappedDKEKMain.empty()) + retCode = CKM_API_ERROR_BAD_REQUEST; + } else { + saveDKEKFile(user, newPassword); + } + + return retCode; })); } @@ -464,10 +450,21 @@ int CKMLogic::verifyAndSaveDataHelper( // check if data is correct Crypto::Data binaryData; int retCode = toBinaryData(data, binaryData); + if (retCode != CKM_API_SUCCESS) + return retCode; - return retCode != CKM_API_SUCCESS - ? retCode - : saveDataHelper(cred, name, owner, binaryData, policy); + auto [dbOp, digest, ret] = beginSaveAndGetHash(cred, name, owner); + if (ret != CKM_API_SUCCESS) + return ret; + + Crypto::GStore &store = m_decider.getStore(binaryData.type, policy); + + // do not encrypt data with password during cc_mode on + Token token = store.import(binaryData, + m_accessControl.isCCMode() ? "" : policy.password, + Crypto::EncryptionParams(), digest); + dbOp.finalize(std::move(token), policy); + return CKM_API_SUCCESS; }); } @@ -511,52 +508,72 @@ RawBuffer CKMLogic::savePKCS12( const PolicySerializable &certPolicy) { return SerializeMessage(msgId, tryRet([&] { - return saveDataHelper(cred, name, owner, pkcs, keyPolicy, certPolicy); - })); -} + auto [dbOp, retCode] = beginSave(cred, name, owner); + if (retCode != CKM_API_SUCCESS) + return retCode; -int CKMLogic::removeDataHelper( - const Credentials &cred, - const Name &name, - const ClientId &owner) -{ - auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner); - if (retCode != CKM_API_SUCCESS) - return retCode; + // extract and encrypt the data + DB::RowVector encryptedRows; - retCode = m_accessControl.canDelete(cred, permission); - if (retCode != CKM_API_SUCCESS) { - LogWarning("access control check result: " << retCode); - return retCode; - } + auto import = [&](const Crypto::Data &data, const Policy& policy){ + retCode = verifyBinaryData(data); + if (retCode != CKM_API_SUCCESS) + return retCode; - // get all matching rows - DB::RowVector rows; - dbOp.database().getRows(name, owner, DataType::DB_FIRST, DataType::DB_LAST, rows); - if (rows.empty()) { - LogDebug("No row for given name and owner"); - return CKM_API_ERROR_DB_ALIAS_UNKNOWN; - } + auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid, data.type); + if (digest.empty()) + return CKM_API_ERROR_HASH_ERROR; - retCode = dbOp.loadAppKey(); - if (retCode != CKM_API_SUCCESS) - return retCode; + Crypto::GStore &store = m_decider.getStore(data.type, policy); + + // do not encrypt data with password during cc_mode on + Token token = store.import(data, + m_accessControl.isCCMode() ? "" : policy.password, + Crypto::EncryptionParams(), digest); - // destroy it in store - for (auto &r : rows) { - try { - dbOp.handler().crypto.decryptRow(Password(), r); - m_decider.getStore(r).destroy(r); - } catch (const Exc::AuthenticationFailed &) { - LogDebug("Authentication failed when removing data. Ignored."); + encryptedRows.push_back(dbOp.encryptOne(std::move(token), policy)); + return CKM_API_SUCCESS; + }; + + // private key is mandatory + auto key = pkcs.getKey(); + if (!key) { + LogError("Failed to get private key from pkcs"); + return CKM_API_ERROR_INVALID_FORMAT; } - } - // delete row in db - dbOp.database().deleteRow(name, owner); - dbOp.transaction().commit(); + Crypto::Data keyData(DataType(key->getType()), key->getDER()); + retCode = import(keyData, keyPolicy); + if (retCode != CKM_API_SUCCESS) + return retCode; - return CKM_API_SUCCESS; + // certificate is mandatory + auto cert = pkcs.getCertificate(); + if (!cert) { + LogError("Failed to get certificate from pkcs"); + return CKM_API_ERROR_INVALID_FORMAT; + } + + Crypto::Data certData(DataType::CERTIFICATE, cert->getDER()); + retCode = import(certData, certPolicy); + if (retCode != CKM_API_SUCCESS) + return retCode; + + // CA cert chain + unsigned int cert_index = 0; + for (const auto &ca : pkcs.getCaCertificateShPtrVector()) { + Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++), ca->getDER()); + retCode = import(caCertData, certPolicy); + if (retCode != CKM_API_SUCCESS) + return retCode; + } + + // save the data + dbOp.database().saveRows(name, owner, encryptedRows); + dbOp.transaction().commit(); + + return CKM_API_SUCCESS; + })); } RawBuffer CKMLogic::removeData( @@ -566,7 +583,43 @@ RawBuffer CKMLogic::removeData( const ClientId &owner) { return SerializeMessage(msgId, tryRet([&] { - return removeDataHelper(cred, name, owner); + auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner); + if (retCode != CKM_API_SUCCESS) + return retCode; + + retCode = m_accessControl.canDelete(cred, permission); + if (retCode != CKM_API_SUCCESS) { + LogWarning("access control check result: " << retCode); + return retCode; + } + + // get all matching rows + DB::RowVector rows; + dbOp.database().getRows(name, owner, DataType::DB_FIRST, DataType::DB_LAST, rows); + if (rows.empty()) { + LogDebug("No row for given name and owner"); + return CKM_API_ERROR_DB_ALIAS_UNKNOWN; + } + + retCode = dbOp.loadAppKey(); + if (retCode != CKM_API_SUCCESS) + return retCode; + + // destroy it in store + for (auto &r : rows) { + try { + dbOp.handler().crypto.decryptRow(Password(), r); + m_decider.getStore(r).destroy(r); + } catch (const Exc::AuthenticationFailed &) { + LogDebug("Authentication failed when removing data. Ignored."); + } + } + + // delete row in db + dbOp.database().deleteRow(name, owner); + dbOp.transaction().commit(); + + return CKM_API_SUCCESS; })); } @@ -790,63 +843,6 @@ RawBuffer CKMLogic::getDataProtectionStatus( return SerializeMessage(msgId, retCode, objDataType, status); } -int CKMLogic::getPKCS12Helper( - const Credentials &cred, - const Name &name, - const ClientId &owner, - const Password &keyPassword, - const Password &certPassword, - KeyShPtr &privKey, - CertificateShPtr &cert, - CertificateShPtrVector &caChain) -{ - int retCode; - - // read private key (mandatory) - Crypto::GObjUPtr keyObj; - retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, owner, - keyPassword, keyObj); - - if (retCode != CKM_API_SUCCESS) { - if (retCode != CKM_API_ERROR_NOT_EXPORTABLE) - return retCode; - } else { - privKey = CKM::Key::create(keyObj->getBinary()); - } - - // read certificate (mandatory) - Crypto::GObjUPtr certObj; - retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, owner, - certPassword, certObj); - - if (retCode != CKM_API_SUCCESS) { - if (retCode != CKM_API_ERROR_NOT_EXPORTABLE) - return retCode; - } else { - cert = CKM::Certificate::create(certObj->getBinary(), DataFormat::FORM_DER); - } - - // read CA cert chain (optional) - Crypto::GObjUPtrVector caChainObjs; - retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, owner, - certPassword, caChainObjs); - - if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) { - if (retCode != CKM_API_ERROR_NOT_EXPORTABLE) - return retCode; - } else { - for (auto &caCertObj : caChainObjs) - caChain.push_back(CKM::Certificate::create(caCertObj->getBinary(), - DataFormat::FORM_DER)); - } - - // if anything found, return it - if (privKey || cert || caChain.size() > 0) - retCode = CKM_API_SUCCESS; - - return retCode; -} - RawBuffer CKMLogic::getPKCS12( const Credentials &cred, int msgId, @@ -861,14 +857,55 @@ RawBuffer CKMLogic::getPKCS12( KeyShPtr privKey; CertificateShPtr cert; CertificateShPtrVector caChain; - int retCode = getPKCS12Helper(cred, name, owner, keyPassword, - certPassword, privKey, cert, caChain); + + // read private key (mandatory) + Crypto::GObjUPtr keyObj; + int retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, owner, + keyPassword, keyObj); + + if (retCode != CKM_API_SUCCESS) { + if (retCode != CKM_API_ERROR_NOT_EXPORTABLE) + return retCode; + } else { + privKey = CKM::Key::create(keyObj->getBinary()); + } + + // read certificate (mandatory) + Crypto::GObjUPtr certObj; + retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, owner, + certPassword, certObj); + + if (retCode != CKM_API_SUCCESS) { + if (retCode != CKM_API_ERROR_NOT_EXPORTABLE) + return retCode; + } else { + cert = CKM::Certificate::create(certObj->getBinary(), DataFormat::FORM_DER); + } + + // read CA cert chain (optional) + Crypto::GObjUPtrVector caChainObjs; + retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, owner, + certPassword, caChainObjs); + + if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) { + if (retCode != CKM_API_ERROR_NOT_EXPORTABLE) + return retCode; + } else { + for (auto &caCertObj : caChainObjs) + caChain.push_back(CKM::Certificate::create(caCertObj->getBinary(), + DataFormat::FORM_DER)); + } + + // if anything found, return it + if (privKey || cert || caChain.size() > 0) + retCode = CKM_API_SUCCESS; // prepare response - if (retCode == CKM_API_SUCCESS) - output = PKCS12Serializable(std::move(privKey), std::move(cert), std::move(caChain)); + if (retCode != CKM_API_SUCCESS) + return retCode; - return retCode; + output = PKCS12Serializable(std::move(privKey), std::move(cert), std::move(caChain)); + return CKM_API_SUCCESS; }); return SerializeMessage(msgId, retCode, output); @@ -1001,102 +1038,6 @@ int CKMLogic::importInitialData( } } -int CKMLogic::saveDataHelper( - const Credentials &cred, - const Name &name, - const ClientId &owner, - const Crypto::Data &data, - const PolicySerializable &policy) -{ - auto [dbOp, digest, ret] = beginSaveAndGetHash(cred, name, owner); - if (ret != CKM_API_SUCCESS) - return ret; - - Crypto::GStore &store = m_decider.getStore(data.type, policy); - - // do not encrypt data with password during cc_mode on - Token token = store.import(data, - m_accessControl.isCCMode() ? "" : policy.password, - Crypto::EncryptionParams(), digest); - dbOp.finalize(std::move(token), policy); - return CKM_API_SUCCESS; -} - -int CKMLogic::saveDataHelper( - const Credentials &cred, - const Name &name, - const ClientId &owner, - const PKCS12Serializable &pkcs, - const PolicySerializable &keyPolicy, - const PolicySerializable &certPolicy) -{ - auto [dbOp, retCode] = beginSave(cred, name, owner); - if (retCode != CKM_API_SUCCESS) - return retCode; - - // extract and encrypt the data - DB::RowVector encryptedRows; - - auto import = [&](const Crypto::Data &data, const Policy& policy){ - retCode = verifyBinaryData(data); - if (retCode != CKM_API_SUCCESS) - return retCode; - - auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid, data.type); - if (digest.empty()) - return CKM_API_ERROR_HASH_ERROR; - - Crypto::GStore &store = m_decider.getStore(data.type, policy); - - // do not encrypt data with password during cc_mode on - Token token = store.import(data, - m_accessControl.isCCMode() ? "" : policy.password, - Crypto::EncryptionParams(), digest); - - encryptedRows.push_back(dbOp.encryptOne(std::move(token), policy)); - return CKM_API_SUCCESS; - }; - - // private key is mandatory - auto key = pkcs.getKey(); - if (!key) { - LogError("Failed to get private key from pkcs"); - return CKM_API_ERROR_INVALID_FORMAT; - } - - Crypto::Data keyData(DataType(key->getType()), key->getDER()); - retCode = import(keyData, keyPolicy); - if (retCode != CKM_API_SUCCESS) - return retCode; - - // certificate is mandatory - auto cert = pkcs.getCertificate(); - if (!cert) { - LogError("Failed to get certificate from pkcs"); - return CKM_API_ERROR_INVALID_FORMAT; - } - - Crypto::Data certData(DataType::CERTIFICATE, cert->getDER()); - retCode = import(certData, certPolicy); - if (retCode != CKM_API_SUCCESS) - return retCode; - - // CA cert chain - unsigned int cert_index = 0; - for (const auto &ca : pkcs.getCaCertificateShPtrVector()) { - Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++), ca->getDER()); - retCode = import(caCertData, certPolicy); - if (retCode != CKM_API_SUCCESS) - return retCode; - } - - // save the data - dbOp.database().saveRows(name, owner, encryptedRows); - dbOp.transaction().commit(); - - return CKM_API_SUCCESS; -} - int CKMLogic::DBOperation::loadAppKey(bool keyRequired) { if (!m_handler.crypto.haveKey(m_owner)) { diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h index b4cc491..4e77ad6 100644 --- a/src/manager/service/ckm-logic.h +++ b/src/manager/service/ckm-logic.h @@ -236,36 +236,6 @@ private: uid_t user, const Password &password); - int saveDataHelper( - const Credentials &cred, - const Name &name, - const ClientId &owner, - const Crypto::Data &data, - const PolicySerializable &policy); - - int saveDataHelper( - const Credentials &cred, - const Name &name, - const ClientId &owner, - const PKCS12Serializable &pkcs, - const PolicySerializable &keyPolicy, - const PolicySerializable &certPolicy); - - int getPKCS12Helper( - const Credentials &cred, - const Name &name, - const ClientId &owner, - const Password &keyPassword, - const Password &certPassword, - KeyShPtr &privKey, - CertificateShPtr &cert, - CertificateShPtrVector &caChain); - - int removeDataHelper( - const Credentials &cred, - const Name &name, - const ClientId &owner); - int checkDataPermissionsHelper( const Credentials &accessorCred, const DB::Row &row, @@ -332,12 +302,6 @@ private: const DataType dataType, OwnerNameVector &ownerNameVector); - int changeUserPasswordHelper(uid_t user, - const Password &oldPassword, - const Password &newPassword); - - int resetUserPasswordHelper(uid_t user, const Password &newPassword); - void migrateSecureStorageData(bool isAdminUser); class DBOperation { -- 2.7.4