From b4e8e40dd875264f868d21fbee8cb9e6eb75c123 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Tue, 27 Aug 2019 10:23:55 +0200 Subject: [PATCH 01/16] Release 0.1.32 * Change serialization in TZ backend to match km-ta changes * Refactoring central-key-manager.service and central-key-manager-OOO.socket * Assume http if no protocol is given in proxy url Change-Id: I6ee197d13561231aed8f584463397b088456e1f1 --- packaging/key-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index dcb4e63..4e422d3 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -5,7 +5,7 @@ Name: key-manager Summary: Central Key Manager and utilities -Version: 0.1.31 +Version: 0.1.32 Release: 1 Group: Security/Secure Storage License: Apache-2.0 and BSD-3-Clause -- 2.7.4 From c0bd1d0122558e1d062269ff33040559990f1803 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Tue, 3 Sep 2019 11:33:13 +0200 Subject: [PATCH 02/16] Treat pwd data deserialization as an error The KM_PwdData structure keeps an authentication data needed to access an item on the TA side. As such it should only be transferred from key-manager to the TA. Expecting such structure in an output buffer of the TA command execution is a programmer error. It is now dealt with accordingly. Change-Id: I209957a05700052eefc694d82b881c8aae96abb5 --- src/manager/crypto/tz-backend/tz-serializer.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/manager/crypto/tz-backend/tz-serializer.cpp b/src/manager/crypto/tz-backend/tz-serializer.cpp index b268e22..d8fc107 100644 --- a/src/manager/crypto/tz-backend/tz-serializer.cpp +++ b/src/manager/crypto/tz-backend/tz-serializer.cpp @@ -23,6 +23,8 @@ #include +#include + #include namespace CKM { 
@@ -107,9 +109,11 @@ int TZSerializablePwdData::Serialize(void **buffer, uint32_t *size_guard) const return KM_SerializePwdData(buffer, size_guard, const_cast(&m_data)); } -int TZSerializablePwdData::Deserialize(void **buffer, uint32_t *size_guard) +int TZSerializablePwdData::Deserialize(void **, uint32_t *) { - return KM_DeserializePwdData(buffer, size_guard, &m_data); + // Key manager should not receive any password data from the TA + assert(false); + return -1; } // TZSerializableFlag -- 2.7.4 From 2462933c170b0eed0f76afa8805d8bf346c5dba2 Mon Sep 17 00:00:00 2001 From: Alicja Kluczek Date: Tue, 3 Sep 2019 12:10:13 +0200 Subject: [PATCH 03/16] Improve ckm deserialization errors detection Add a check to TZSerializableBinary::Deserialize making sure that deserialized buffer has adequate size. * In case of fixed-size data, buffer size should be equal to the size given in constructor. * In case of variable-size data, buffer size should be less or equal to the size given in constructor. Change-Id: Ie0f80169adb8b758cb7aa2370551bd30410dc8b0 --- src/manager/crypto/tz-backend/tz-context.cpp | 28 ++++++++----------------- src/manager/crypto/tz-backend/tz-serializer.cpp | 18 ++++++++++++++-- src/manager/crypto/tz-backend/tz-serializer.h | 4 +++- 3 files changed, 28 insertions(+), 22 deletions(-) diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp index 917716e..9dcd13f 100644 --- a/src/manager/crypto/tz-backend/tz-context.cpp +++ b/src/manager/crypto/tz-backend/tz-context.cpp 
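Review bot: In `TZSerializablePwdData::Deserialize`, `assert(false)` is compiled out when the build defines `NDEBUG`, so in a release build the only remaining signal is `return -1`. That return value protects anything only if every caller of `Deserialize` checks it, and the callers are outside this hunk. The next patch in this series reports serializer faults in the same file by throwing, so I would make this failure unconditional as well, e.g. `ThrowErr(Exc::Crypto::InternalError, "Password data must not be deserialized from TA output");`, and keep the assert only as a debug aid.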
@@ -176,14 +176,6 @@ void TrustZoneContext::generateSKeyPwd(tz_algo_type algo, sOut.Deserialize(outMemory); sOut.Pull(keyId); sOut.Pull(pwdTag); - - if (keyId.size() != KM_KEY_ID_SIZE) { - ThrowErr(Exc::Crypto::InternalError, "Deserialized incorrect key ID"); - } - - if (pwdTag.size() != Params::DEFAULT_AES_GCM_TAG_LEN_BYTES) { - ThrowErr(Exc::Crypto::InternalError, "Deserialized incorrect key tag"); - } } void TrustZoneContext::GenerateAKey(tz_command commandId, @@ -219,9 +211,13 @@ void TrustZoneContext::GenerateAKey(tz_command commandId, TZSerializer sOut; sOut.Push(new TZSerializableBinary(KM_KEY_ID_SIZE)); - sOut.Push(new TZSerializableBinary(pubTagSize)); + if (pubTagSize) { + sOut.Push(new TZSerializableBinary(pubTagSize)); + } sOut.Push(new TZSerializableBinary(KM_KEY_ID_SIZE)); - sOut.Push(new TZSerializableBinary(privTagSize)); + if (privTagSize) { + sOut.Push(new TZSerializableBinary(privTagSize)); + } TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT); @@ -240,18 +236,12 @@ void TrustZoneContext::GenerateAKey(tz_command commandId, sOut.Deserialize(outMemory); sOut.Pull(pubKeyId); - if (pubKeyId.size() != KM_KEY_ID_SIZE) { - ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize public key ID"); - } if (pubPwdExists) { sOut.Pull(pubKeyTag); } sOut.Pull(privKeyId); - if (privKeyId.size() != KM_KEY_ID_SIZE) { - ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize private key ID"); - } if (privPwdExists) { sOut.Pull(privKeyTag); @@ -358,7 +348,7 @@ void TrustZoneContext::executeCrypt(tz_command cmd, } TZSerializer sOut; - sOut.Push(new TZSerializableBinary(outMemorySize)); + sOut.Push(new TZSerializableBinary(outMemorySize, false)); TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT); TEEC_Operation op; 
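Review bot: Nothing at the `sOut.Pull(keyId)` / `sOut.Pull(pwdTag)` call sites in `generateSKeyPwd` shows any longer that the lengths are validated. With the explicit checks removed, the guarantee rests on the sizes passed to `sOut.Push(new TZSerializableBinary(...))` earlier in the function (outside this hunk) and on the default `is_size_fixed = true`. The same applies to the `pubKeyId` / `privKeyId` checks removed in the `-240,18 +236,12` hunk. A one-line comment at each Pull site would keep that dependency visible, e.g. `// length enforced by TZSerializableBinary::Deserialize (fixed-size slot)`. It is also worth confirming that `TZSerializer::Deserialize` runs the per-item `Deserialize` for every pushed slot, since that is not visible on this page.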
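Review bot: In `GenerateAKey` the tag slots are now pushed only when `pubTagSize` / `privTagSize` are non-zero, while the matching `sOut.Pull(pubKeyTag)` and `sOut.Pull(privKeyTag)` in the `-240,18 +236,12` hunk are still guarded by `pubPwdExists` / `privPwdExists`. How the sizes are derived from those flags is outside the hunks, so if the two conditions can ever disagree, the Pull sequence may no longer line up with the pushed layout. I would guard Push and Pull with the same expression, or state the invariant next to the Push, e.g. `// pubTagSize != 0 iff pubPwdExists`.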
@@ -413,7 +403,7 @@ void TrustZoneContext::executeEncryptAE(const RawBuffer &keyId, uint32_t tagSizeBytes = (tagSizeBits + 7) / 8; TZSerializer sOut; - sOut.Push(new TZSerializableBinary(outMemorySize)); + sOut.Push(new TZSerializableBinary(outMemorySize, false)); sOut.Push(new TZSerializableBinary(tagSizeBytes)); TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT); @@ -515,7 +505,7 @@ void TrustZoneContext::executeSign(tz_algo_type algo, sIn.Serialize(inMemory); TZSerializer sOut; - sOut.Push(new TZSerializableBinary(MAX_KEY_SIZE.at(algo))); + sOut.Push(new TZSerializableBinary(MAX_KEY_SIZE.at(algo), false)); TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT); TEEC_Operation op; diff --git a/src/manager/crypto/tz-backend/tz-serializer.cpp b/src/manager/crypto/tz-backend/tz-serializer.cpp index d8fc107..764c532 100644 --- a/src/manager/crypto/tz-backend/tz-serializer.cpp +++ b/src/manager/crypto/tz-backend/tz-serializer.cpp @@ -47,16 +47,20 @@ void TZSerializable::Pull(uint32_t &) const // TZSerializableBinary -TZSerializableBinary::TZSerializableBinary(uint32_t data_size) +TZSerializableBinary::TZSerializableBinary(uint32_t data_size, bool is_size_fixed) { m_data.data = nullptr; m_data.data_size = data_size; + m_isSizeFixed = is_size_fixed; + m_expectedSize = data_size; } TZSerializableBinary::TZSerializableBinary(const RawBuffer &data) { m_data.data = data.empty() ? nullptr : const_cast(data.data()); m_data.data_size = data.size(); + m_isSizeFixed = true; + m_expectedSize = data.size(); } uint32_t TZSerializableBinary::GetSize() const 
@@ -71,7 +75,17 @@ int TZSerializableBinary::Serialize(void **buffer, uint32_t *size_guard) const int TZSerializableBinary::Deserialize(void **buffer, uint32_t *size_guard) { - return KM_DeserializeBinaryData(buffer, size_guard, &m_data); + int ret = KM_DeserializeBinaryData(buffer, size_guard, &m_data); + if (m_isSizeFixed) { + if (m_data.data_size != m_expectedSize) { + ThrowErr(Exc::Crypto::InternalError, "Size of deserialized data differ from size given in constructor."); + } + } else { + if (m_data.data_size > m_expectedSize) { + ThrowErr(Exc::Crypto::InternalError, "Size of deserialized data is bigger than size given in constructor."); + } + } + return ret; } void TZSerializableBinary::Pull(RawBuffer &buffer) const diff --git a/src/manager/crypto/tz-backend/tz-serializer.h b/src/manager/crypto/tz-backend/tz-serializer.h index 6a5b572..a3fbbd9 100644 --- a/src/manager/crypto/tz-backend/tz-serializer.h +++ b/src/manager/crypto/tz-backend/tz-serializer.h @@ -55,7 +55,7 @@ public: class TZSerializableBinary : public TZSerializable { public: - explicit TZSerializableBinary(uint32_t data_size); + explicit TZSerializableBinary(uint32_t data_size, bool is_size_fixed = true); explicit TZSerializableBinary(const RawBuffer &data); uint32_t GetSize() const override; int Serialize(void **buffer, uint32_t *size_guard) const override; @@ -63,6 +63,8 @@ public: void Pull(RawBuffer &buffer) const override; private: KM_BinaryData m_data; + bool m_isSizeFixed; + uint32_t m_expectedSize; }; -- 2.7.4 From 382a6ea386f8ef2e5c131f7c65f7b041beb328c8 Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Tue, 24 Sep 2019 14:40:58 +0200 Subject: [PATCH 04/16] [ocsp] Fix static string length calculation Change-Id: I13d6c6f825a9340bfd54462d7d6c9cbd46008dd2 --- src/manager/service/ocsp.cpp | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp index 60cdb5b..c6cb2fd 100644 
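Review bot: `TZSerializableBinary::Deserialize` inspects `m_data.data_size` before looking at `ret`, so when `KM_DeserializeBinaryData` fails, the size comparison runs on whatever the call left in `m_data`. The caller may then see a size-mismatch exception instead of the real failure. I would return early on failure and validate only on success, e.g. `if (ret != 0) return ret;` right after the call (assuming 0 is the success code; confirm against the km serialization header). The two branches could then collapse into one condition, `if (m_isSizeFixed ? m_data.data_size != m_expectedSize : m_data.data_size > m_expectedSize)`.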
--- a/src/manager/service/ocsp.cpp +++ b/src/manager/service/ocsp.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 - 2019 Samsung Electronics Co. + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -45,10 +45,16 @@ namespace CKM { namespace { -const char *const HTTP_PREFIX = "http://"; -const size_t HTTP_PREFIX_LEN = sizeof(HTTP_PREFIX) / sizeof(HTTP_PREFIX[0]); -const char *const HTTPS_PREFIX = "https://"; -const size_t HTTPS_PREFIX_LEN = sizeof(HTTPS_PREFIX) / sizeof(HTTPS_PREFIX[0]); +template +constexpr size_t staticStringLen(const char (&)[S]) { + static_assert(S, "static string of zero size"); + return S-1; +} + +const char HTTP_PREFIX[] = "http://"; +const size_t HTTP_PREFIX_LEN = staticStringLen(HTTP_PREFIX); +const char HTTPS_PREFIX[] = "https://"; +const size_t HTTPS_PREFIX_LEN = staticStringLen(HTTPS_PREFIX); typedef std::unique_ptr> BioUniquePtr; -- 2.7.4 From 5b029d90a0aa25426d210f95deee09287a2bb0ca Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Tue, 24 Sep 2019 15:11:32 +0200 Subject: [PATCH 05/16] ckmc_alias_new: replace str* calls with memcpy Change-Id: I7b8d340f7ce2ce1f5867065cf65650733ef1c44a --- src/manager/client-capi/ckmc-type.cpp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/manager/client-capi/ckmc-type.cpp b/src/manager/client-capi/ckmc-type.cpp index 3b03f12..9409025 100644 --- a/src/manager/client-capi/ckmc-type.cpp +++ b/src/manager/client-capi/ckmc-type.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
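Review bot: The corrected prefix lengths are not covered by a test in this commit (the diffstat lists only ocsp.cpp). The code that consumes `HTTP_PREFIX_LEN` / `HTTPS_PREFIX_LEN` is outside this hunk, and the HTTP length changes from the size of a pointer to 7, so a regression test with a proxy URL that has no scheme and one that starts with `http://` would pin the fix. As a style point, the two lengths could be declared `constexpr size_t` to match `staticStringLen`. The `static_assert(S, ...)` cannot fire, since an array bound is never zero in standard C++, and could be dropped.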
@@ -86,15 +86,19 @@ int ckmc_alias_new(const char *owner_id, const char *alias, char **full_alias) if (owner_id == NULL || alias == NULL || full_alias == NULL) return CKMC_ERROR_INVALID_PARAMETER; - size_t len = strlen(owner_id) + strlen(alias) + strlen(ckmc_owner_id_separator); + const size_t owner_id_len = strlen(owner_id); + const size_t separator_len = strlen(ckmc_owner_id_separator); + const size_t alias_len = strlen(alias); + const size_t len = owner_id_len + separator_len + alias_len; char *_full_alias = static_cast(malloc(len + 1)); if (_full_alias == NULL) return CKMC_ERROR_OUT_OF_MEMORY; - strncpy(_full_alias, owner_id, len + 1); - strncat(_full_alias, ckmc_owner_id_separator, len - strlen(_full_alias)); - strncat(_full_alias, alias, len - strlen(_full_alias)); + memcpy(_full_alias, owner_id, owner_id_len); + memcpy(_full_alias + owner_id_len, ckmc_owner_id_separator, separator_len); + memcpy(_full_alias + owner_id_len + separator_len, alias, alias_len); + _full_alias[len] = '\0'; *full_alias = _full_alias; -- 2.7.4 From 883bbabf156932fd18cb7a2ad383cba454508703 Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Tue, 24 Sep 2019 16:36:36 +0200 Subject: [PATCH 06/16] Refactor RawBuffer hex dumps Change-Id: I2d52c63c908e3a69c8de5f20e275fecda0165a66 --- src/include/ckm/ckm-raw-buffer.h | 20 +++++++++++++++++++- src/manager/crypto/tz-backend/tz-context.cpp | 13 +------------ src/manager/dpl/db/src/sql_connection.cpp | 13 ++----------- tests/test_common.cpp | 14 ++------------ 4 files changed, 24 insertions(+), 36 deletions(-) diff --git a/src/include/ckm/ckm-raw-buffer.h b/src/include/ckm/ckm-raw-buffer.h index d9b41a7..c4c2a06 100644 --- a/src/include/ckm/ckm-raw-buffer.h +++ b/src/include/ckm/ckm-raw-buffer.h 
@@ -1,4 +1,4 @@ -/* Copyright (c) 2014 Samsung Electronics Co. +/* Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -113,6 +113,24 @@ struct SafeBuffer { // used to pass password and raw key data typedef SafeBuffer::Type RawBuffer; +template +T hexDump(const RawBuffer &raw) { + T dump; + dump.reserve(2 * raw.size()); + constexpr char digit[2][16] = {{ + '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', + 'a', 'b', 'c', 'd', 'e', 'f' + }, { + '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', + 'A', 'B', 'C', 'D', 'E', 'F' + }}; + for (auto &e : raw) { + dump.push_back(digit[Uppercase][e / 16]); + dump.push_back(digit[Uppercase][e % 16]); + } + return dump; +} + } // namespace CKM #endif //_SAFE_BUFFER_H_ diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp index 9dcd13f..df421f7 100644 --- a/src/manager/crypto/tz-backend/tz-context.cpp +++ b/src/manager/crypto/tz-backend/tz-context.cpp @@ -32,8 +32,6 @@ #include #include #include -#include -#include #include namespace CKM { @@ -56,16 +54,7 @@ const TEEC_UUID KEY_MANAGER_TA_UUID = KM_TA_UUID; //raw to hex string conversion to print persistent storage data ID static std::string rawToHexString(const RawBuffer &raw) { - std::string dump; - - for (auto &e : raw) { - char buf[3]; - snprintf(buf, sizeof(buf), "%02x", (e & 0xff)); - dump.push_back(buf[0]); - dump.push_back(buf[1]); - } - - return dump; + return hexDump(raw); } /* diff --git a/src/manager/dpl/db/src/sql_connection.cpp b/src/manager/dpl/db/src/sql_connection.cpp index 902c94d..15e3cc8 100644 --- a/src/manager/dpl/db/src/sql_connection.cpp +++ b/src/manager/dpl/db/src/sql_connection.cpp 
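Review bot: `hexDump` indexes `digit[Uppercase][e / 16]` and `digit[Uppercase][e % 16]` with the raw element, whereas the three `snprintf` loops it replaces masked the value with `e & 0xff`. The table lookup stays in bounds only if `RawBuffer`'s element type is unsigned and 8 bits wide. The element type is not visible on this page, so I would pin the assumption next to the loop, e.g. `static_assert(std::is_same<RawBuffer::value_type, unsigned char>::value, "hexDump expects unsigned bytes");`, or index through `const unsigned char b = e;`. A short comment that `T` must provide `reserve` and `push_back(char)` would also help, since the template parameter is otherwise unconstrained.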
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -678,16 +678,7 @@ const std::size_t SQLCIPHER_RAW_DATA_SIZE = 32; RawBuffer rawToHexString(const RawBuffer &raw) { - RawBuffer output; - - for (auto &e : raw) { - char result[3]; - snprintf(result, sizeof(result), "%02X", (e & 0xff)); - output.push_back(static_cast(result[0])); - output.push_back(static_cast(result[1])); - } - - return output; + return hexDump(raw); } RawBuffer createHexPass(const RawBuffer &rawPass) diff --git a/tests/test_common.cpp b/tests/test_common.cpp index d01b92a..ab51cea 100644 --- a/tests/test_common.cpp +++ b/tests/test_common.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd. All rights reserved * * Contact: Kyungwook Tak * @@ -21,7 +21,6 @@ * @brief */ #include -#include #include #include @@ -61,14 +60,5 @@ RawBuffer createRandom(std::size_t size) //raw to hex string conversion from SqlConnection std::string rawToHexString(const RawBuffer &raw) { - std::string dump; - - for (auto &e : raw) { - char buf[3]; - snprintf(buf, sizeof(buf), "%02x", (e & 0xff)); - dump.push_back(buf[0]); - dump.push_back(buf[1]); - } - - return dump; + return hexDump(raw); } -- 2.7.4 From e74a06d22d48ee4903ec933f4332b261d633514b Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Tue, 24 Sep 2019 14:58:06 +0200 Subject: [PATCH 07/16] Devirtualize DescriptorSet Change-Id: I985ab5279078ffde6686390a1d3284a3e93ff92d --- src/manager/client-async/descriptor-set.h | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) 
diff --git a/src/manager/client-async/descriptor-set.h b/src/manager/client-async/descriptor-set.h index 931d10d..de8e24b 100644 --- a/src/manager/client-async/descriptor-set.h +++ b/src/manager/client-async/descriptor-set.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -34,8 +34,8 @@ public: // int is for descriptor, short is for revents, typedef std::function Callback; - virtual void add(int fd, short events, Callback &&callback) = 0; - virtual void remove(int fd, bool close_fd = true) = 0; + void add(int fd, short events, Callback &&callback); + void remove(int fd, bool close_fd = true); protected: // I don't want anyone to manage object lifetime via interface. IDescriptorSet() {} @@ -45,10 +45,10 @@ protected: /** * @brief Wrapper for poll() */ -class DescriptorSet : public IDescriptorSet { +class DescriptorSet final : public IDescriptorSet { public: DescriptorSet(); - virtual ~DescriptorSet(); + ~DescriptorSet(); NONCOPYABLE(DescriptorSet); 
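Review bot: `IDescriptorSet::add` and `remove` are no longer virtual and, per the inline definitions in the `-106,4 +106,11` hunk, forward through an unchecked `static_cast` of `this`. The cast target is stripped in this rendering; presumably it is `DescriptorSet`. That is defined behaviour only while `DescriptorSet` is the sole class derived from `IDescriptorSet`, yet the interface constructor is still `protected`, so another subclass (a test double, for instance) would compile and then hit undefined behaviour on the first call. I would make the `IDescriptorSet` constructor `private` with `friend class DescriptorSet;`, and add a comment on the interface such as `// Non-virtual facade: DescriptorSet is the only permitted implementation`.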
@@ -61,19 +61,19 @@ public: * @param events events to watch for * @param callback callback to be called when an event on descriptor occurs */ - virtual void add(int fd, short events, Callback &&callback); + void add(int fd, short events, Callback &&callback); /* * Removes give descriptor from watched set and closes it. * * @param fd descriptor to be removed and closed */ - virtual void remove(int fd, bool close_fd = true); + void remove(int fd, bool close_fd = true); /* * Wait for descriptor events using poll(). * Synchronously calls provided descriptor callbacks. * - * @param timeout_ms timeout in ms. egative value means no timeout. + * @param timeout_ms timeout in ms. negative value means no timeout. * * @throws Timeout exception in case of timeout * @throws InternalError in case of other error @@ -87,7 +87,7 @@ public: DECLARE_EXCEPTION_TYPE(CKM::Exception, InternalError); DECLARE_EXCEPTION_TYPE(CKM::Exception, Timeout); -protected: +private: // returns false if there are no descriptors to wait for bool rebuildPollfd(); void notify(int descCount); @@ -106,4 +106,11 @@ protected: pollfd *m_fds; }; +inline void IDescriptorSet::add(int fd, short events, Callback &&callback) { + static_cast(this)->add(fd, events, std::move(callback)); +} +inline void IDescriptorSet::remove(int fd, bool close_fd) { + static_cast(this)->remove(fd, close_fd); +} + } /* namespace CKM */ -- 2.7.4 From 364d93eb12e268651f1de236f66b9824a22bdc4d Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Fri, 20 Sep 2019 15:48:03 +0200 Subject: [PATCH 08/16] Refactor Decider, route all encrypted storage to tz backend Change-Id: Iaf00f5a2a09792586f59fbc726c22fcccbb8ca7d --- src/manager/crypto/platform/decider.cpp | 105 ++++++++++------------------ src/manager/crypto/platform/decider.h | 22 +----- src/manager/crypto/tz-backend/internals.cpp | 2 +- src/manager/service/ckm-logic.cpp | 9 +-- 4 files changed, 40 insertions(+), 98 deletions(-) 
diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp index 9540509..25ec1a8 100644 --- a/src/manager/crypto/platform/decider.cpp +++ b/src/manager/crypto/platform/decider.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -34,72 +34,14 @@ #include #endif // TZ_BACKEND_ENABLED -#include -#include -#include - namespace CKM { namespace Crypto { namespace { -template -std::string ValueToString(const T& value) -{ - std::stringstream str; - // we need to re-cast because otherwise stringstream - // will write our value incorrectly - str << std::setfill('0') << std::setw(2 * sizeof(T)) << std::hex - << static_cast(value); - return str.str(); -} - -CryptoBackend chooseCryptoBackend(const DataParams& params) -{ #ifdef TZ_BACKEND_ENABLED - if (params.size() != 1 && params.size() != 2) { - ThrowErr(Exc::Crypto::InternalError, "Invalid number of key parameters provided to decider"); - } - - // user directly point proper backend - we will not discuss with it - if (params[0].policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE) - return CryptoBackend::OpenSSL; - - // user directly point proper backend - we will not discuss with it - if (params[0].policy.backend == CKM::PolicyBackend::FORCE_HARDWARE) - return CryptoBackend::TrustZone; - - if (params.size() == 1) { - // For now only software backend supports device encyption key - // TODO tz-backend could support the master key, but it would require - // hardcoding a known key ID and querying TA whether the key is - // reachable - if (params[0].encrypted) { - return CryptoBackend::OpenSSL; - } - - // tz-backend allows only for data binary export - if (params[0].policy.extractable && !params[0].data.isBinaryData()) { - return CryptoBackend::OpenSSL; - } - - // Use TrustZone only with symmetric keys or unencrypted binary - // data until asymmetric cryptography is implemented - if (!params[0].data.isSKey() && !params[0].data.isBinaryData()) { - return CryptoBackend::OpenSSL; - } - } else if (params.size() == 2) { - // extractable private key can only be handled by OpenSSL - if (params[0].policy.extractable) { - return CryptoBackend::OpenSSL; - } - - // ECDSA algorithm is unsupported by GP API 1.0 - if (params[0].data.isEllipticCurve() || 
params[1].data.isEllipticCurve()) { - return CryptoBackend::OpenSSL; - } - } - +CryptoBackend tryGetTzBackend() +{ try { LogDebug("Trying to open TA session..."); TZ::Internals::TrustZoneContext::Instance(); @@ -110,10 +52,23 @@ CryptoBackend chooseCryptoBackend(const DataParams& params) LogDebug("...succeeded. Selecting TZ backend."); return CryptoBackend::TrustZone; +} +#endif +template +CryptoBackend chooseBackend(const Policy &policy, const ForceOpenSSL &forceOpenSSL) +{ +#ifdef TZ_BACKEND_ENABLED + switch (policy.backend) { + case CKM::PolicyBackend::FORCE_SOFTWARE: return CryptoBackend::OpenSSL; + case CKM::PolicyBackend::FORCE_HARDWARE: return CryptoBackend::TrustZone; + case CKM::PolicyBackend::DEFAULT: break; + } + return forceOpenSSL() ? CryptoBackend::OpenSSL : tryGetTzBackend(); #else // TZ_BACKEND_ENABLED - (void) params; - return CryptoBackend::OpenSSL; + (void)policy; + (void)forceOpenSSL; + return CryptoBackend::OpenSSL; #endif // TZ_BACKEND_ENABLED } 
@@ -151,16 +106,26 @@ GStore &Decider::getStore(CryptoBackend cryptoBackend) GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) { - DataParams params{ - DataParam(data, policy, encrypted) - }; - - return getStore(chooseCryptoBackend(params)); + return getStore(chooseBackend(policy, [&]{ + return !encrypted && !data.isBinaryData() && ( + // tz-backend allows only for data binary export + policy.extractable || + // Use TrustZone only with symmetric keys or unencrypted binary + // data until asymmetric cryptography is implemented + !data.isSKey() + ); + })); } -GStore &Decider::getStore(const DataParams& params) +GStore &Decider::getStore(const Policy &policyPrv, DataType prv, DataType pub) { - return getStore(chooseCryptoBackend(params)); + return getStore(chooseBackend(policyPrv, [&]{ + return + // extractable private key can only be handled by OpenSSL + policyPrv.extractable || + // ECDSA algorithm is unsupported by GP API 1.0 + prv.isEllipticCurve() || pub.isEllipticCurve(); + })); } } // namespace Crypto diff --git a/src/manager/crypto/platform/decider.h b/src/manager/crypto/platform/decider.h index 59bc9ef..ddf62b0 100644 --- a/src/manager/crypto/platform/decider.h +++ b/src/manager/crypto/platform/decider.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,8 +20,6 @@ */ #pragma once -#include - #include #include 
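Review bot: In the single-item `Decider::getStore`, the `forceOpenSSL` predicate starts with `!encrypted`, so for encrypted input the `policy.extractable` and `!data.isSKey()` limits described by the inner comments are skipped. Such an item goes to the TZ backend whenever a TA session opens. That matches the commit title, but the comments inside the lambda now read as if they always apply. A leading comment such as `// Encrypted and binary data always try TZ; the limits below apply to plain, non-binary items only` would make the intent explicit. It is also worth confirming that the TZ import path rejects encrypted items of types it cannot hold, because this function no longer filters them.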
@@ -38,28 +36,12 @@ namespace CKM { namespace Crypto { -struct DataParam { - DataParam() = delete; - DataParam(const DataType &d, const Policy &pol, bool enc = false) - : data(d) - , policy(pol) - , encrypted(enc) - { - } - - DataType data; - Policy policy; - bool encrypted; -}; - -using DataParams = std::vector; - class Decider final { public: Decider(); GStore &getStore(const Token &token); GStore &getStore(DataType data, const Policy &policy, bool encrypted = false); - GStore &getStore(const DataParams& params); + GStore &getStore(const Policy &policyPrv, DataType prv, DataType pub); private: GStore &getStore(CryptoBackend id); diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp index ae67c8c..cc8efca 100644 --- a/src/manager/crypto/tz-backend/internals.cpp +++ b/src/manager/crypto/tz-backend/internals.cpp @@ -277,7 +277,7 @@ RawBuffer importData(const Data &data, dataType = TYPE_AKEY_PUBLIC; } else { ThrowErr(Exc::Crypto::DataTypeNotSupported, - "Data type could not be impoted by tz-backend"); + "Data type could not be imported by tz-backend"); } RawBuffer result; diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index 5616b7e..c557e8c 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -1427,12 +1427,7 @@ int CKMLogic::createKeyPairHelper( bool exportable = policyPrivate.extractable || policyPublic.extractable; Policy lessRestricted(Password(), exportable, policyPrivate.backend); - Crypto::DataParams params{ - Crypto::DataParam(dt.first, policyPrivate), - Crypto::DataParam(dt.second, policyPublic), - }; - - TokenPair keys = m_decider.getStore(params).generateAKey(keyGenParams, + TokenPair keys = m_decider.getStore(policyPrivate, dt.first, dt.second).generateAKey(keyGenParams, policyPrivate.password, policyPublic.password); -- 2.7.4 From 02ad30a3f6f3101019ae75c87c11da2f9c6ab16c Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Tue, 24 Sep 2019 16:45:41 +0200 Subject: [PATCH 09/16] Make some single arg constructors explicit Change-Id: Id5023fef37dd0b84a83a90fb0a3c52b0be31974c --- src/manager/client/client-common.h | 6 +++--- src/manager/initial-values/BufferHandler.h | 4 ++-- src/manager/service/db-crypto.h | 4 ++-- src/manager/service/encryption-logic.h | 4 ++-- src/manager/service/file-system.h | 4 ++-- src/manager/service/key-provider.h | 4 ++-- tests/DBFixture.h | 4 ++-- tests/test_comm-manager.cpp | 8 ++++---- tests/test_safe-buffer.cpp | 4 ++-- tests/test_xml-parser.cpp | 4 ++-- tools/ckm_db_tool/db-crypto-ext.h | 4 ++-- 11 files changed, 25 insertions(+), 25 deletions(-) diff --git a/src/manager/client/client-common.h b/src/manager/client/client-common.h index 032f2f9..d285b5d 100644 --- a/src/manager/client/client-common.h +++ b/src/manager/client/client-common.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -53,7 +53,7 @@ namespace CKM { class AliasSupport { public: - AliasSupport(const Alias &alias); + explicit AliasSupport(const Alias &alias); const ClientId &getOwner() const; const Name &getName() const; @@ -87,7 +87,7 @@ protected: class ServiceConnection { public: - ServiceConnection(const char *service_interface); + explicit ServiceConnection(const char *service_interface); // roundtrip: send and receive int processRequest(const CKM::RawBuffer &send_buf, diff --git a/src/manager/initial-values/BufferHandler.h b/src/manager/initial-values/BufferHandler.h index 1b45839..b85c492 100644 --- a/src/manager/initial-values/BufferHandler.h +++ b/src/manager/initial-values/BufferHandler.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,7 +35,7 @@ class BufferHandler : public XML::Parser::ElementHandler { public: typedef std::shared_ptr BufferHandlerPtr; - BufferHandler(EncodingType type); + explicit BufferHandler(EncodingType type); virtual ~BufferHandler(); virtual void Start(const XML::Parser::Attributes &); diff --git a/src/manager/service/db-crypto.h b/src/manager/service/db-crypto.h index ad0ef12..4642b74 100644 --- a/src/manager/service/db-crypto.h +++ b/src/manager/service/db-crypto.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -133,7 +133,7 @@ public: class Transaction { public: - Transaction(Crypto *db) : m_db(db), m_inTransaction(false) + explicit Transaction(Crypto *db) : m_db(db), m_inTransaction(false) { if (!m_db->m_inUserTransaction) { try { diff --git a/src/manager/service/encryption-logic.h b/src/manager/service/encryption-logic.h index b51439e..627ed85 100644 --- a/src/manager/service/encryption-logic.h +++ b/src/manager/service/encryption-logic.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,7 +32,7 @@ namespace CKM { class EncryptionLogic { public: - EncryptionLogic(IEncryptionService &service) : m_service(service) {} + explicit EncryptionLogic(IEncryptionService &service) : m_service(service) {} virtual ~EncryptionLogic() {} void Crypt(const CryptoRequest &request); diff --git a/src/manager/service/file-system.h b/src/manager/service/file-system.h index 287fbf6..8c77755 100644 --- a/src/manager/service/file-system.h +++ b/src/manager/service/file-system.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,7 +32,7 @@ typedef std::vector UidVector; class FileSystem { public: - FileSystem(uid_t uid); + explicit FileSystem(uid_t uid); std::string getDBPath() const; diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h index 668786e..713e952 100644 --- a/src/manager/service/key-provider.h +++ b/src/manager/service/key-provider.h 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -98,7 +98,7 @@ private: class KeyAndInfoContainer { public: KeyAndInfoContainer(); - KeyAndInfoContainer(const unsigned char *); + explicit KeyAndInfoContainer(const unsigned char *); KeyAndInfo &getKeyAndInfo(); void setKeyInfoKeyLength(const unsigned int); void setKeyInfo(const KeyComponentsInfo *); diff --git a/tests/DBFixture.h b/tests/DBFixture.h index be7e2e0..9efb330 100644 --- a/tests/DBFixture.h +++ b/tests/DBFixture.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd. All rights reserved * * Contact: Kyungwook Tak * @@ -30,7 +30,7 @@ class DBFixture { public: DBFixture(); - DBFixture(const char *db_fname); + explicit DBFixture(const char *db_fname); constexpr static const char *m_default_name = "name"; constexpr static const char *m_default_owner = "label"; diff --git a/tests/test_comm-manager.cpp b/tests/test_comm-manager.cpp index b06a3ac..6817632 100644 --- a/tests/test_comm-manager.cpp +++ b/tests/test_comm-manager.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -28,17 +28,17 @@ namespace { struct MessageA { - MessageA(int ai) : i(ai) {} + explicit MessageA(int ai) : i(ai) {} int i; }; struct MessageB { - MessageB(char ac) : c(ac) {} + explicit MessageB(char ac) : c(ac) {} char c; }; struct MessageC { - MessageC(const std::string &astr) : str(astr) {} + explicit MessageC(const std::string &astr) : str(astr) {} std::string str; }; diff --git a/tests/test_safe-buffer.cpp b/tests/test_safe-buffer.cpp index fa42c36..47ecbef 100644 --- a/tests/test_safe-buffer.cpp +++ b/tests/test_safe-buffer.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd. All rights reserved * * Contact: Kyungwook Tak * @@ -34,7 +34,7 @@ namespace { const size_t LEN = 100; struct Item { - Item(size_t a) : mA(a) {} + explicit Item(size_t a) : mA(a) {} ~Item() {} bool operator==(const size_t &other) const diff --git a/tests/test_xml-parser.cpp b/tests/test_xml-parser.cpp index 4b71217..5029306 100644 --- a/tests/test_xml-parser.cpp +++ b/tests/test_xml-parser.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -211,7 +211,7 @@ public: } }; - StructureTest(const char *filename) : m_parser(filename), m_sum(0), + explicit StructureTest(const char *filename) : m_parser(filename), m_sum(0), m_expectedSum(0) { m_parser.RegisterErrorCb(StructureTest::Error); diff --git a/tools/ckm_db_tool/db-crypto-ext.h b/tools/ckm_db_tool/db-crypto-ext.h index bb1eb35..bbf7476 100644 --- a/tools/ckm_db_tool/db-crypto-ext.h +++ b/tools/ckm_db_tool/db-crypto-ext.h 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,7 +30,7 @@ namespace CKM { namespace DB { struct CryptoExt : public Crypto { - CryptoExt(Crypto orig) : Crypto(std::move(orig)) {} + explicit CryptoExt(Crypto orig) : Crypto(std::move(orig)) {} SqlConnection::Output Execute(const std::string &cmd); RowVector getRows(); -- 2.7.4 From 5cc0740b310d5385da418d858447b695cf7bb557 Mon Sep 17 00:00:00 2001 From: Dongsun Lee Date: Thu, 31 Oct 2019 13:24:46 +0900 Subject: [PATCH 10/16] Add key-manager script for platform upgrade Change-Id: Icd62bd0f79ba7accab6acd5ee5e5527eac580fb8 Signed-off-by: Dongsun Lee --- CMakeLists.txt | 1 + packaging/key-manager.spec | 1 + upgrade/295.key-manager_upgrade.sh | 2 ++ upgrade/CMakeLists.txt | 2 ++ 4 files changed, 6 insertions(+) create mode 100644 upgrade/295.key-manager_upgrade.sh create mode 100644 upgrade/CMakeLists.txt diff --git a/CMakeLists.txt b/CMakeLists.txt index f448b51..e0d9bc5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -100,3 +100,4 @@ ADD_SUBDIRECTORY(build) ADD_SUBDIRECTORY(systemd) ADD_SUBDIRECTORY(tests) ADD_SUBDIRECTORY(tools) +ADD_SUBDIRECTORY(upgrade) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 4e422d3..3d4cc91 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -284,6 +284,7 @@ fi %dir %attr(770, %{user_name}, %{group_name}) %{rw_data_dir} %dir %attr(550, %{user_name}, %{group_name}) %{initial_values_dir_ro} %dir %attr(770, %{user_name}, %{group_name}) %{initial_values_dir_rw} +%attr(755,root,root) /usr/share/upgrade/scripts/295.key-manager_upgrade.sh %{ro_etc_dir}/gumd/userdel.d/10_key-manager.post %{bin_dir}/ckm_tool 
diff --git a/upgrade/295.key-manager_upgrade.sh b/upgrade/295.key-manager_upgrade.sh
new file mode 100644
index 0000000..df4b1d7
--- /dev/null
+++ b/upgrade/295.key-manager_upgrade.sh
@@ -0,0 +1,2 @@
+# start key-manager to support adding & removing of web app encryption key during upgrade
+systemctl start central-key-manager
diff --git a/upgrade/CMakeLists.txt b/upgrade/CMakeLists.txt
new file mode 100644
index 0000000..789f59e
--- /dev/null
+++ b/upgrade/CMakeLists.txt
@@ -0,0 +1,2 @@
+
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/295.key-manager_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
-- 2.7.4
From 15e895bf652b61c812e44ee9481adc1892eaba21 Mon Sep 17 00:00:00 2001
From: Konrad Lipinski
Date: Tue, 22 Oct 2019 18:52:52 +0200
Subject: [PATCH 11/16] Implement asymmetric key initial value import
Change-Id: I0f5e4ab9b156abc3ab97a59f32b4adef9779eb98
---
src/manager/crypto/tz-backend/internals.cpp | 34 ++++++++++++++---------------
tools/ckm_initial_values/main.cpp | 4 ++--
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp
index cc8efca..9962cf5 100644
--- a/src/manager/crypto/tz-backend/internals.cpp
+++ b/src/manager/crypto/tz-backend/internals.cpp
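Review bot: The new `295.key-manager_upgrade.sh` has no interpreter line, although the spec hunk of the same commit installs it with mode 755, so which shell runs it depends entirely on how the upgrade framework invokes the files under `/usr/share/upgrade/scripts`; adding `#!/bin/sh` as the first line makes that explicit. The script also reports a failed start only through its exit status, and whether the framework looks at that status is not visible on this page. If later upgrade steps depend on the service being up, `systemctl start central-key-manager || { echo "central-key-manager failed to start" >&2; exit 1; }` would leave a trace of the failure.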
@@ -84,6 +84,20 @@ void generateDSAParams(const int sizeBits, CKM::RawBuffer &prime, #endif } +tz_data_type toTzDataType(const CKM::DataType dataType) { + switch (int(dataType)) { + case CKM::DataType::Type::BINARY_DATA: return TYPE_GENERIC_SECRET; + case CKM::DataType::Type::KEY_AES: return TYPE_SKEY; + case CKM::DataType::Type::KEY_DSA_PRIVATE: return TYPE_AKEY_PRIVATE_DSA; + case CKM::DataType::Type::KEY_RSA_PRIVATE: return TYPE_AKEY_PRIVATE_RSA; + case CKM::DataType::Type::KEY_DSA_PUBLIC: return TYPE_AKEY_PUBLIC_DSA; + case CKM::DataType::Type::KEY_RSA_PUBLIC: return TYPE_AKEY_PUBLIC_RSA; + default: + ThrowErr(CKM::Exc::Crypto::DataTypeNotSupported, + "Data type could not be imported by tz-backend"); + } +} + } // namespace namespace CKM { @@ -265,21 +279,7 @@ RawBuffer importData(const Data &data, RawBuffer &tag) { - uint32_t dataType; - - if (data.type.isSKey()) { - dataType = TYPE_SKEY; - } else if (data.type.isBinaryData()) { - dataType = TYPE_GENERIC_SECRET; - } else if (data.type.isKeyPrivate()) { - dataType = TYPE_AKEY_PRIVATE; - } else if (data.type.isKeyPublic()) { - dataType = TYPE_AKEY_PUBLIC; - } else { - ThrowErr(Exc::Crypto::DataTypeNotSupported, - "Data type could not be imported by tz-backend"); - } - + const auto dataType = toTzDataType(data.type); RawBuffer result; RawBuffer pwdBuf(pwd.begin(), pwd.end()); @@ -493,7 +493,7 @@ RawBuffer asymmetricEncrypt(const RawBuffer &key, getAlgType(algo), key, pwd, - unpack(alg, ParamName::ED_IV), + result, // unused dummy data, result); return result; @@ -521,7 +521,7 @@ RawBuffer asymmetricDecrypt(const RawBuffer &key, getAlgType(algo), key, pwd, - unpack(alg, ParamName::ED_IV), + result, // unused dummy cipher, result); return result; diff --git a/tools/ckm_initial_values/main.cpp b/tools/ckm_initial_values/main.cpp index f717e5e..c5d9e7d 100644 --- a/tools/ckm_initial_values/main.cpp +++ b/tools/ckm_initial_values/main.cpp 
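Review bot: `toTzDataType` narrows what `importData` accepts without saying so. The removed code mapped every type for which `isKeyPrivate()` or `isKeyPublic()` held, while the new `switch` lists only the DSA and RSA key types, so any other key type now reaches the `default` branch and `DataTypeNotSupported`. If that is intended, a comment above the function such as `// Only the types the TA can import are listed; every other type is rejected on purpose.` would record it. The function also has no `return` after `ThrowErr`, which is fine only if `ThrowErr` always throws; its definition is outside this hunk.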
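Review bot: In `asymmetricEncrypt` the IV argument is now `result`, the same `RawBuffer` that is passed as the output argument two lines further down, and `asymmetricDecrypt` (hunk `@@ -521,7 +521,7 @@`) does the same. The `// unused dummy` comment holds only as long as the callee never reads that parameter; the callee is outside these hunks, and if it ever does read it, input and output alias one object. Passing a separate empty buffer keeps the call independent of that, for example `const RawBuffer noIv;` before the call and `noIv, // asymmetric ciphers take no IV` in the argument list. Both function bodies start outside their hunks.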
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2018-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -137,7 +137,7 @@ void usage() " -a|--accessors [,[,...]]" << std::endl << " A list of key-manager clients allowed to access given initial" << std::endl << " value separated by commas." << std::endl << - " -b|--backend A key-manager's backed to use when saving the initial values." << std::endl << + " -b|--backend A key-manager's backend to use when saving the initial values." << std::endl << " Allowed values: 'software' and 'hardware'." << std::endl; } -- 2.7.4 From b48ce806a3be66c66ab18da5496a868cf0cafe11 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Thu, 21 Nov 2019 09:56:55 +0100 Subject: [PATCH 12/16] Release 0.1.33 * Implement asymmetric key initial value import * Add key-manager script for platform upgrade * Make some single arg constructors explicit * Refactor Decider, route all encrypted storage to tz backend * Devirtualize DescriptorSet * Refactor RawBuffer hex dumps * ckmc_alias_new: replace str* calls with memcpy * [ocsp] Fix static string length calculation * Improve ckm deserialization errors detection * Treat pwd data deserialization as an error Change-Id: I60f2fe6d0a3d539e2a63743f9b3a61ae31287bd9 --- packaging/key-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 3d4cc91..883f60d 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -5,7 +5,7 @@ Name: key-manager Summary: Central Key Manager and utilities -Version: 0.1.32 +Version: 0.1.33 Release: 1 Group: Security/Secure Storage License: Apache-2.0 and BSD-3-Clause -- 2.7.4 From d852ca671c590f178ed0bc3dbd308dc4770069f1 Mon Sep 17 00:00:00 2001 
From: Dongsun Lee Date: Fri, 29 Nov 2019 11:42:59 +0900 Subject: [PATCH 13/16] Fix documentation error(This function points to itself in the @see tag) Change-Id: I464677cf7e23d41a133e3ea83a71754a17ca8541 Signed-off-by: Dongsun Lee --- src/include/ckmc/ckmc-manager.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h index 251052c..4d90b66 100644 --- a/src/include/ckmc/ckmc-manager.h +++ b/src/include/ckmc/ckmc-manager.h @@ -661,7 +661,7 @@ int ckmc_create_signature(const char *private_key_alias, const char *password, c * @pre User is already logged in and the user key is already loaded into memory in plain text form. * @see ckmc_create_key_pair_rsa() * @see ckmc_create_key_pair_ecdsa() - * @see ckmc_verify_signature() + * @see ckmc_create_signature() * @see #ckmc_hash_algo_e * @see #ckmc_rsa_padding_algo_e */ -- 2.7.4 From 85ccbe5c56a9cd16a764d94e5a456c1262a54d8b Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Fri, 10 Jan 2020 10:11:23 +0100 Subject: [PATCH 14/16] Fix build for gcc 9 Change-Id: I2d5eb654f7e7ab6fa9145d902542b5fe1984da64 --- packaging/key-manager.spec | 4 ++++ src/manager/common/openssl-error-handler.cpp | 3 ++- src/manager/common/pkcs12-impl.cpp | 4 +++- src/manager/crypto/sw-backend/obj.h | 3 ++- src/manager/dpl/core/src/binary_queue.cpp | 3 ++- src/manager/main/message-service.h | 5 +++-- src/manager/service/file-system.cpp | 6 +++--- src/manager/service/ocsp.cpp | 3 ++- 8 files changed, 21 insertions(+), 10 deletions(-) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 883f60d..2dabc94 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec 
@@ -149,6 +149,10 @@ Includes ckm_initial_values tool for initial values XML generation export FFLAGS="$FFLAGS -DTIZEN_DEBUG_ENABLE" %endif +# needed to surpress sqlcipher errors while its still embedded +export CFLAGS="$CFLAGS -Wno-cast-function-type -Wno-implicit-fallthrough" +export CXXFLAGS="$CXXFLAGS -Wno-cast-function-type -Wno-implicit-fallthrough" + export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions " %cmake . -DVERSION=%{version} \ diff --git a/src/manager/common/openssl-error-handler.cpp b/src/manager/common/openssl-error-handler.cpp index a43e094..c7c1263 100644 --- a/src/manager/common/openssl-error-handler.cpp +++ b/src/manager/common/openssl-error-handler.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2017-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ #include "openssl-error-handler.h" #include +#include #include #include #include diff --git a/src/manager/common/pkcs12-impl.cpp b/src/manager/common/pkcs12-impl.cpp index 100e9b5..17f60a1 100644 --- a/src/manager/common/pkcs12-impl.cpp +++ b/src/manager/common/pkcs12-impl.cpp @@ -1,4 +1,4 @@ -/* Copyright (c) 2014 - 2019 Samsung Electronics Co. +/* Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,6 +31,8 @@ #include #include +#include + namespace CKM { namespace { diff --git a/src/manager/crypto/sw-backend/obj.h b/src/manager/crypto/sw-backend/obj.h index 0a00734..aeed086 100644 --- a/src/manager/crypto/sw-backend/obj.h +++ b/src/manager/crypto/sw-backend/obj.h 
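Review bot: The two added `export` lines switch off `-Wcast-function-type` and `-Wimplicit-fallthrough` for every C and C++ source in the package, not only for the embedded sqlcipher that the comment names. In key-manager's own code an unintended `switch` fall-through or a mismatched function-pointer cast would then compile without a diagnostic. Scoping the flags to the sqlcipher sources in the CMake file that builds them keeps the warnings active everywhere else, for instance `SET_SOURCE_FILES_PROPERTIES(<sqlcipher sources> PROPERTIES COMPILE_FLAGS "-Wno-cast-function-type -Wno-implicit-fallthrough")`, where the placeholder stands for the file list, which is not on this page.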
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,6 +19,7 @@ * @version 1.0 */ #pragma once +#include #include #include diff --git a/src/manager/dpl/core/src/binary_queue.cpp b/src/manager/dpl/core/src/binary_queue.cpp index 36b174e..d30e18b 100644 --- a/src/manager/dpl/core/src/binary_queue.cpp +++ b/src/manager/dpl/core/src/binary_queue.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2011-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include diff --git a/src/manager/main/message-service.h b/src/manager/main/message-service.h index fc36cc6..19fe074 100644 --- a/src/manager/main/message-service.h +++ b/src/manager/main/message-service.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -98,7 +98,8 @@ template template void MessageService::Register(Mgr &mgr) { - mgr.Register([this](const Msg & msg) { + mgr.template Register([this](const Msg & msg) { + //intentional fall to Unknown option this->AddMessage(msg); }); } diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp index 079a4cd..5ab97b2 100644 --- a/src/manager/service/file-system.cpp +++ b/src/manager/service/file-system.cpp 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -215,11 +215,11 @@ UidVector FileSystem::getUIDsFromDBFile() try { uids.emplace_back(static_cast(std::stoi((filename.c_str()) + CKM_KEY_PREFIX.size()))); - } catch (const std::invalid_argument) { + } catch (const std::invalid_argument &) { LogDebug("Error in extracting uid from db file. " "Error=std::invalid_argument. " "This will be ignored.File=" << filename); - } catch (const std::out_of_range) { + } catch (const std::out_of_range &) { LogDebug("Error in extracting uid from db file. " "Error=std::out_of_range. " "This will be ignored. File=" << filename); diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp index c6cb2fd..0bf71a9 100644 --- a/src/manager/service/ocsp.cpp +++ b/src/manager/service/ocsp.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved + * Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include -- 2.7.4 From 77639c672c8533959348b2d0a351a5d54136d504 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Wed, 15 Jan 2020 09:33:24 +0100 Subject: [PATCH 15/16] Release 0.1.34 * Fix build for gcc 9 * Fix documentation error(This function points to itself in the @see tag) Change-Id: Ica82caa211fa8005183a1834f860aff6b42ad3c0 --- packaging/key-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 2dabc94..03668c4 100644 --- a/packaging/key-manager.spec 
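Review bot: The `std::stoi` call guarded by the two handlers in `FileSystem::getUIDsFromDBFile` (hunk `@@ -215,11 +215,11 @@`) accepts more than a plain uid, and catching by const reference does not change that. `std::stoi` skips leading whitespace, accepts a sign and stops at the first non-digit, so a file name whose suffix is negative or carries trailing characters still yields a value that is cast and appended to `uids`. Passing a `std::size_t pos` as the second argument and skipping the entry unless `pos` equals the suffix length and the value is non-negative would restrict the result to names that are exactly prefix plus number. The function body starts and ends outside the hunk.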
+++ b/packaging/key-manager.spec @@ -5,7 +5,7 @@ Name: key-manager Summary: Central Key Manager and utilities -Version: 0.1.33 +Version: 0.1.34 Release: 1 Group: Security/Secure Storage License: Apache-2.0 and BSD-3-Clause -- 2.7.4 From 1b490565354785bce2b0ba6ecd255fcc01a29310 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Thu, 30 Jan 2020 10:05:39 +0100 Subject: [PATCH 16/16] Fix build break with boost 1.71.0 Change-Id: I539f28540d327b4cd87a63f39b84a2a36a35e34a --- tests/colour_log_formatter.cpp | 14 ++++++++++++++ tests/colour_log_formatter.h | 1 + 2 files changed, 15 insertions(+) diff --git a/tests/colour_log_formatter.cpp b/tests/colour_log_formatter.cpp index b2d2b9b..fb51aaa 100644 --- a/tests/colour_log_formatter.cpp +++ b/tests/colour_log_formatter.cpp @@ -124,6 +124,20 @@ colour_log_formatter::log_build_info(std::ostream &output) //____________________________________________________________________________// void +colour_log_formatter::log_build_info(std::ostream &output, bool log_build_info) +{ + if (log_build_info) + output << "Platform: " << BOOST_PLATFORM << '\n' + << "Compiler: " << BOOST_COMPILER << '\n' + << "STL : " << BOOST_STDLIB << '\n'; + output << "Boost : " << BOOST_VERSION / 100000 << '.' + << BOOST_VERSION / 100 % 1000 << '.' + << BOOST_VERSION % 100 << std::endl; +} + +//____________________________________________________________________________// + +void colour_log_formatter::test_unit_start( std::ostream &output, test_unit const &tu) diff --git a/tests/colour_log_formatter.h b/tests/colour_log_formatter.h index 064cfe2..937ef9b 100644 --- a/tests/colour_log_formatter.h +++ b/tests/colour_log_formatter.h @@ -25,6 +25,7 @@ public: boost::unit_test::counter_t test_cases_amount); void log_finish(std::ostream &); void log_build_info(std::ostream &); + void log_build_info(std::ostream &output, bool log_build_info = true); void test_unit_start( std::ostream &, -- 2.7.4
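Review bot: In `tests/colour_log_formatter.h` the class now declares `log_build_info(std::ostream &)` and `log_build_info(std::ostream &output, bool log_build_info = true)` side by side, so a direct call with a single stream argument is ambiguous between the two overloads. Dropping the default, `void log_build_info(std::ostream &output, bool log_build_info);`, removes the ambiguity; whether a base-class declaration supplies its own default is not visible here. The parameter also shares its name with the member function, and something like `bool show_build_info` would read more clearly. In the `.cpp` hunk only the first `output <<` statement is governed by `if (log_build_info)`, so the Boost version line is always printed; braces around the conditional part would make that intent explicit.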