From 488237a24e8ae3b1a82015dd7a7b88f4609d65ef Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Thu, 9 Jul 2015 15:18:01 +0200 Subject: [PATCH 01/16] Remove unnecessary argument names in function typedef [Problem] Unnecessary argument names in function typedef [Solution] Names removed [Verification] Successfull compilation Change-Id: I32255580b6b9e9c386493adb94f50e2f77b48661 --- src/manager/client-capi/ckmc-manager.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/manager/client-capi/ckmc-manager.cpp b/src/manager/client-capi/ckmc-manager.cpp index d971943..0fe3b94 100644 --- a/src/manager/client-capi/ckmc-manager.cpp +++ b/src/manager/client-capi/ckmc-manager.cpp @@ -117,11 +117,11 @@ ckmc_cert_list_s *_toNewCkmCertList(const CKM::CertificateShPtrVector &certVecto return start; } -typedef int (CKM::Manager::*cryptoFn)(const CKM::CryptoAlgorithm &algo, - const CKM::Alias &keyAlias, - const CKM::Password &password, - const CKM::RawBuffer& plain, - CKM::RawBuffer& encrypted); +typedef int (CKM::Manager::*cryptoFn)(const CKM::CryptoAlgorithm&, + const CKM::Alias&, + const CKM::Password&, + const CKM::RawBuffer&, + CKM::RawBuffer&); int _cryptoOperation(cryptoFn operation, const ckmc_param_list_s *params, -- 2.7.4 From f459c3382caf8fff147c5ca9623c09432a21f530 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Wed, 1 Jul 2015 16:02:45 +0200 Subject: [PATCH 02/16] Update implementation of Stringify. Change-Id: Id237fe33a435be9ab7b28ad223e00bca23a95fc9 --- src/manager/common/exception.h | 2 +- src/manager/common/stringify.h | 21 ++++++++++++--------- src/manager/service/file-lock.cpp | 2 +- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/src/manager/common/exception.h b/src/manager/common/exception.h index c174085..de4123a 100644 --- a/src/manager/common/exception.h +++ b/src/manager/common/exception.h 
@@ -78,7 +78,7 @@ class COMMON_API DefineException : public Exception { public: template DefineException(const char *path, const char *function, int line, const Args&... args) - : Exception(path, function, line, Stringify()(args...)) + : Exception(path, function, line, Stringify::Merge(args...)) { Before(m_path, m_function, m_line, DefineException::error(), m_message); } diff --git a/src/manager/common/stringify.h b/src/manager/common/stringify.h index d989f44..fbe2245 100644 --- a/src/manager/common/stringify.h +++ b/src/manager/common/stringify.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,35 +31,38 @@ class StringifyBasic; template <> class StringifyBasic { + StringifyBasic() = delete; public: - std::string operator()() { + static std::string Merge() { return std::string(); } template - std::string operator()(const Args&...){ + static std::string Merge(const Args&...){ return std::string(); } }; template <> class StringifyBasic { - void concatenate(std::ostringstream&) {} + StringifyBasic() = delete; + + static void Concatenate(std::ostringstream&) {} template - void concatenate(std::ostringstream& stream, const t& arg1, const Args&... args) { + static void Concatenate(std::ostringstream& stream, const t& arg1, const Args&... args) { stream << arg1; - concatenate(stream, args...); + Concatenate(stream, args...); } public: - std::string operator()() { + static std::string Merge() { return std::string(); } template - std::string operator()(const T& arg1, const Args&... args){ + static std::string Merge(const T& arg1, const Args&... args) { std::ostringstream stream; - concatenate(stream, arg1, args...); + Concatenate(stream, arg1, args...); return stream.str(); } }; 
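Review bot: The first `StringifyBasic` specialization in the `@@ -31,35 +31,38 @@` hunk discards every argument handed to `Merge` and returns an empty string, and nothing in the hunk says that this is the intended compile-time "off" switch; a reader of `Exception(path, function, line, Stringify::Merge(args...))` will not expect an empty message from it. A one-line comment on that specialization, e.g. `// Disabled variant: Merge() ignores all arguments and yields an empty string`, and on the other one, `// Enabled variant: streams every argument into a single std::string`, would make the contract explicit (the `Stringify` alias that selects between them is outside this patch, so which build uses which I cannot confirm). The deleted constructor sits in the private section before `public:`; `= delete` alone already prevents instantiation, so moving it next to the public `Merge` overloads would read more clearly.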
diff --git a/src/manager/service/file-lock.cpp b/src/manager/service/file-lock.cpp index 41ce574..3bc6e38 100644 --- a/src/manager/service/file-lock.cpp +++ b/src/manager/service/file-lock.cpp @@ -41,7 +41,7 @@ namespace { template std::runtime_error io_exception(const Args&... args) { - return std::runtime_error(Stringify()(args...)); + return std::runtime_error(Stringify::Merge(args...)); }; } // namespace anonymous -- 2.7.4 From 23c59abc4f7af57d20f871b5882d972d4e31f850 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Tue, 4 Aug 2015 15:45:41 +0200 Subject: [PATCH 03/16] Version 0.1.15 Change-Id: I52277c8cf9086d276379282971987d0fcead5ff0 --- packaging/key-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index f6d52d8..4466607 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -1,6 +1,6 @@ Name: key-manager Summary: Central Key Manager and utilities -Version: 0.1.14 +Version: 0.1.15 Release: 1 Group: System/Security License: Apache-2.0 -- 2.7.4 From 15d8fd29ebaaad00e242494c23b240bf1f72113e Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 10 Jul 2015 11:05:42 +0200 Subject: [PATCH 04/16] Call import & destroy on store [Problem] Data is not imported to store during row creation and is not destroyed in it during row removal. [Solution] Import and destroy are called. [Verification] Run ckm-tests --output=text Change-Id: I364c98790fa4cffc408f05b641712aaec0d4955c --- src/manager/crypto/platform/decider.cpp | 44 ++++++++--------- src/manager/crypto/platform/decider.h | 1 - src/manager/service/ckm-logic.cpp | 83 +++++++++++++++++++++------------ src/manager/service/ckm-logic.h | 2 + src/manager/service/db-row.h | 12 ++--- 5 files changed, 84 insertions(+), 58 deletions(-) diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp index bcff97e..6c63c49 100644 --- a/src/manager/crypto/platform/decider.cpp 
+++ b/src/manager/crypto/platform/decider.cpp @@ -31,6 +31,29 @@ namespace CKM { namespace Crypto { +namespace { +CryptoBackend chooseCryptoBackend(DataType dataType, bool exportable) { +// The list of items that MUST be support by OpenSSL + if (dataType.isCertificate()) + return CryptoBackend::OpenSSL; + + if (dataType.isBinaryData()) + return CryptoBackend::OpenSSL; + + if (exportable) + return CryptoBackend::OpenSSL; + +// This is the place where we can use trust zone backend +// Examples: +// +// if (dataType.isKeyPrivate()) +// return CryptoBackend::TrustZone; + +// This item does not met Trust Zone requirements. Let's use software backend + return CryptoBackend::OpenSSL; +} +} // namespace + Decider::Decider() : m_swStore(new SW::Store(CryptoBackend::OpenSSL)) , m_tzStore(new TZ::Store(CryptoBackend::TrustZone)) @@ -58,27 +81,6 @@ GStore& Decider::getStore(DataType data, bool exportable) const { return getStore(chooseCryptoBackend(data, exportable)); } -CryptoBackend Decider::chooseCryptoBackend(DataType dataType, bool exportable) const { -// The list of items that MUST be support by OpenSSL - if (dataType.isCertificate()) - return CryptoBackend::OpenSSL; - - if (dataType.isBinaryData()) - return CryptoBackend::OpenSSL; - - if (exportable) - return CryptoBackend::OpenSSL; - -// This is the place where we can use trust zone backend -// Examples: -// -// if (dataType.isKeyPrivate()) -// return CryptoBackend::TrustZone; - -// This item does not met Trust Zone requirements. Let's use software backend - return CryptoBackend::OpenSSL; -} - } // namespace Crypto } // namespace CKM diff --git a/src/manager/crypto/platform/decider.h b/src/manager/crypto/platform/decider.h index 351f4e2..6be147c 100644 --- a/src/manager/crypto/platform/decider.h +++ b/src/manager/crypto/platform/decider.h 
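Review bot: `chooseCryptoBackend` returns `CryptoBackend::OpenSSL` on every path, including the fall-through after the commented-out TrustZone example, so the TZ store built in `Decider::Decider()` is never selected by data type, and the moved comments do not say so outright. Now that the function is file-local and no longer reachable from tests, a comment at its head such as `// Currently every item is routed to the software (OpenSSL) backend; the TrustZone branch below is a placeholder.` would stop readers from assuming private keys are hardware-backed. The two existing comments also have typos worth fixing while they move: `MUST be support by OpenSSL` → `MUST be supported by OpenSSL`, and `does not met Trust Zone requirements` → `does not meet Trust Zone requirements`.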
@@ -37,7 +37,6 @@ public: Decider(); GStore& getStore(const Token &token) const; GStore& getStore(DataType data, bool exportable) const; - CryptoBackend chooseCryptoBackend(DataType data, bool exportable) const; virtual ~Decider(){} protected: diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index 3ce1e1c..c5915e8 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -417,8 +417,10 @@ DB::Row CKMLogic::createEncryptedRow( const RawBuffer &data, const Policy &policy) const { - DB::Row row(name, label, static_cast(policy.extractable), dataType, data, static_cast(data.size())); - row.backendId = m_decider.chooseCryptoBackend(dataType, policy.extractable); + Crypto::GStore& store = m_decider.getStore(dataType, policy.extractable); + Token token = store.import(dataType, data); + + DB::Row row(std::move(token), name, label, static_cast(policy.extractable)); // do not encrypt data with password during cc_mode on if(m_accessControl.isCCMode()) { 
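Review bot: `store.import(dataType, data)` now runs before the `DB::Row` is built and before the encryption and database insert that follow it, and nothing in the hunk destroys the returned token when one of those later steps fails, so an object placed in the store is orphaned on every error path; with the TZ backend that would be a persistent leak of key material, with the software backend at worst a lost buffer (the `import` implementations are not visible here). Either hold the token in a small RAII guard that calls `store.destroy(token)` unless it is released after the row is persisted, or state at the function head that the caller is responsible for destroying the token on failure. `createEncryptedRow` continues past the end of this hunk, so the failing steps themselves are outside this view.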
@@ -649,15 +651,34 @@ int CKMLogic::removeDataHelper( return retCode; } - auto erased = handler.database.deleteRow(name, ownerLabel); - // check if the data existed or not - if(erased) - transaction.commit(); - else { + // get all matching rows + DB::RowVector rows; + handler.database.getRows(name, ownerLabel, DataType::DB_FIRST, DataType::DB_LAST, rows); + if (rows.empty()) { LogDebug("No row for given name and label"); return CKM_API_ERROR_DB_ALIAS_UNKNOWN; } + // load app key if needed + retCode = loadAppKey(handler, rows.front().ownerLabel); + if(CKM_API_SUCCESS != retCode) + return retCode; + + // destroy it in store + for(auto& r : rows) { + /* + * TODO: If row is encrypted with user password we won't be able to decrypt it (tz id). + * Encryption/decryption with user password and with app key should both be done inside the + * store (import, getKey and generateXKey). + */ + handler.crypto.decryptRow(Password(), r); + m_decider.getStore(r.dataType, r.exportable).destroy(r); + } + + // delete row in db + handler.database.deleteRow(name, ownerLabel); + transaction.commit(); + return CKM_API_SUCCESS; } @@ -809,18 +830,12 @@ int CKMLogic::readDataHelper( if(CKM_API_SUCCESS != retCode) return retCode; + // load app key if needed + retCode = loadAppKey(handler, firstRow.ownerLabel); + if(CKM_API_SUCCESS != retCode) + return retCode; + // decrypt row - if (!handler.crypto.haveKey(firstRow.ownerLabel)) { - RawBuffer key; - auto key_optional = handler.database.getKey(firstRow.ownerLabel); - if(!key_optional) { - LogError("No key for given label in database"); - return CKM_API_ERROR_DB_ERROR; - } - key = *key_optional; - key = handler.keyProvider.getPureDEK(key); - handler.crypto.pushKey(firstRow.ownerLabel, key); - } for(auto &row : rows) handler.crypto.decryptRow(password, row); 
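Review bot: Store objects are destroyed before the rows are deleted from the database and the transaction is committed, so if `deleteRow` or `commit` fails — or `decryptRow(Password(), r)` throws, which the new TODO says is expected for rows protected by a user password — the database keeps rows whose backing store objects are already gone, and every later read of that alias fails permanently. Moving `handler.database.deleteRow(name, ownerLabel); transaction.commit();` ahead of the `destroy` loop turns that failure into an orphaned store object instead, which is the safer of the two inconsistencies. Decrypting each row only to destroy it also brings plaintext into process memory for no functional reason; if `GStore::destroy` only needs the backend id and handle (its definition is not in this patch), the `decryptRow` call can be dropped from the loop.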
@@ -855,18 +870,12 @@ int CKMLogic::readDataHelper( if(CKM_API_SUCCESS != retCode) return retCode; + // load app key if needed + retCode = loadAppKey(handler, row.ownerLabel); + if(CKM_API_SUCCESS != retCode) + return retCode; + // decrypt row - if (!handler.crypto.haveKey(row.ownerLabel)) { - RawBuffer key; - auto key_optional = handler.database.getKey(row.ownerLabel); - if(!key_optional) { - LogError("No key for given label in database"); - return CKM_API_ERROR_DB_ERROR; - } - key = *key_optional; - key = handler.keyProvider.getPureDEK(key); - handler.crypto.pushKey(row.ownerLabel, key); - } handler.crypto.decryptRow(password, row); return CKM_API_SUCCESS; @@ -1620,5 +1629,21 @@ RawBuffer CKMLogic::setPermission( return MessageBuffer::Serialize(command, msgID, retCode).Pop(); } +int CKMLogic::loadAppKey(UserData& handle, const Label& appLabel) +{ + if (!handle.crypto.haveKey(appLabel)) { + RawBuffer key; + auto key_optional = handle.database.getKey(appLabel); + if(!key_optional) { + LogError("No key for given label in database"); + return CKM_API_ERROR_DB_ERROR; + } + key = *key_optional; + key = handle.keyProvider.getPureDEK(key); + handle.crypto.pushKey(appLabel, key); + } + return CKM_API_SUCCESS; +} + } // namespace CKM diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h index b6dc1eb..c73fc74 100644 --- a/src/manager/service/ckm-logic.h +++ b/src/manager/service/ckm-logic.h @@ -378,6 +378,8 @@ private: int resetUserPasswordHelper(uid_t user, const Password &newPassword); + int loadAppKey(UserData& handle, const Label& appLabel); + std::map m_userDataMap; AccessControl m_accessControl; Crypto::Decider m_decider; diff --git a/src/manager/service/db-row.h b/src/manager/service/db-row.h index 333f5cc..04907af 100644 --- a/src/manager/service/db-row.h +++ b/src/manager/service/db-row.h 
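Review bot: `loadAppKey` leaves the unwrapped DEK in the local `RawBuffer key` after `pushKey` has taken its copy, and that buffer is released by an ordinary destructor at the end of the block; unless `RawBuffer` is backed by a zeroizing allocator (its definition is not visible here) the plaintext key lingers in freed heap memory. Reusing one variable for both the wrapped key and the pure DEK makes this easy to overlook; if `pushKey` accepts a temporary, `handle.crypto.pushKey(appLabel, handle.keyProvider.getPureDEK(*key_optional));` avoids a named plaintext copy that outlives the call. The function also lacks a header comment; something like `// Ensures the per-application DEK for appLabel is cached in handle.crypto, unwrapping it from the database on first use.` in ckm-logic.h would document the caching contract that both readDataHelper overloads now rely on.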
@@ -32,19 +32,17 @@ namespace DB { struct Row : public Token { Row() = default; - Row(const Name &pName, + Row(Token token, + const Name &pName, const Label &pLabel, - int pExportable, - DataType pDataType, - const RawBuffer &pData, - int pDataSize) : - Token(CryptoBackend::None, pDataType, pData) + int pExportable) : + Token(std::move(token)) , name(pName) , ownerLabel(pLabel) , exportable(pExportable) , algorithmType(DBCMAlgType::NONE) , encryptionScheme(0) - , dataSize(pDataSize) + , dataSize(data.size()) {} Name name; -- 2.7.4 From d53051801c957b57900be153091a7396688d048f Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 10 Jul 2015 12:31:40 +0200 Subject: [PATCH 05/16] Extend asynchronous API socket timeout [Problem] Encryption and decryption may take much longer than 10s. In such case it fails because of timeout. [Solution] Extend timeout to 60s. [Verification] Run ckm-tests --group=CKM_ENCRYPTION_DECRYPTION Change-Id: I14c4084d7c44d310ab69649bd55e608f1b627204 --- src/manager/client-async/descriptor-set.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manager/client-async/descriptor-set.h b/src/manager/client-async/descriptor-set.h index 7e166ba..7c70be1 100644 --- a/src/manager/client-async/descriptor-set.h +++ b/src/manager/client-async/descriptor-set.h @@ -80,7 +80,7 @@ public: * @throws Timeout exception in case of timeout * @throws InternalError in case of other error */ - void wait(int timeout_ms = 10000); + void wait(int timeout_ms = 60000); /* * Removes and closes all descriptors */ -- 2.7.4 From a13c57abd4d4c6e90ed1e66f74f582751eded47f Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 3 Jul 2015 16:51:22 +0200 Subject: [PATCH 06/16] Fix potential buffer overflow error CID: 40674 Change backported from security-server repository. Change-Id: I7613de85e79bc5627336c70842c64bd35eb36468 --- src/manager/main/socket-manager.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) 
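Review bot: `dataSize(data.size())` reads a member of the `Token` base inside the constructor's initializer list; that is well defined because the base subobject is constructed before any `Row` member, but it is subtle enough to deserve a comment, e.g. `// Token (base) is already constructed here, so data.size() is valid`. The old constructor took `int pDataSize`, so `dataSize` is presumably still an `int` and the `size()` result is narrowed silently; if that is the case a `static_cast<int>(data.size())` would at least make the narrowing visible, matching the explicit cast already used for `exportable`.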
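Review bot: The new 60 s default is a bare magic number in a header, and the comment above `wait` (only its `@throws` lines are visible in the hunk) says neither the unit nor why 60 s was chosen; a named constant such as `static const int DEFAULT_WAIT_MS = 60000; // large encrypt/decrypt requests were exceeding 10 s` used as the default would make both explicit. Raising the default also means an unresponsive daemon now blocks every caller six times longer; if the real issue is payload size, a per-request timeout supplied by the caller may be the better fix than a global default. The rest of `DescriptorSet` is outside this hunk.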
diff --git a/src/manager/main/socket-manager.cpp b/src/manager/main/socket-manager.cpp index 44a7d3c..c0bc93f 100644 --- a/src/manager/main/socket-manager.cpp +++ b/src/manager/main/socket-manager.cpp @@ -488,6 +488,14 @@ int SocketManager::CreateDomainSocketHelp( { int sockfd; + if(desc.serviceHandlerPath.size()*sizeof(decltype(desc.serviceHandlerPath)::value_type) >= + sizeof(static_cast(0)->sun_path)) + { + LogError("Service handler path too long: " << desc.serviceHandlerPath.size()); + ThrowMsg(Exception::InitFailed, + "Service handler path too long: " << desc.serviceHandlerPath.size()); + } + if (-1 == (sockfd = socket(AF_UNIX, SOCK_STREAM, 0))) { int err = errno; LogError("Error in socket: " << GetErrnoString(err)); -- 2.7.4 From 3a018155ff07445483178c7a1f668e69c9373705 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Mon, 17 Aug 2015 12:04:21 +0200 Subject: [PATCH 07/16] Cleaning environment from systemd flags. Change-Id: I3065468d9948ccec19679de0eaa3a7e8046abc38 --- src/manager/main/socket-manager.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/manager/main/socket-manager.cpp b/src/manager/main/socket-manager.cpp index c0bc93f..b94a38b 100644 --- a/src/manager/main/socket-manager.cpp +++ b/src/manager/main/socket-manager.cpp @@ -339,8 +339,7 @@ void SocketManager::ReadyForWrite(int sock) { void SocketManager::MainLoop() { // remove evironment values passed by systemd - // uncomment it after removing old security-server code - // sd_listen_fds(1); + sd_listen_fds(1); // Daemon is ready to work. sd_notify(0, "READY=1"); -- 2.7.4 From e936b1f16266d77678354e8d57b619065fda866a Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Mon, 17 Aug 2015 12:05:18 +0200 Subject: [PATCH 08/16] Remove deprecated logs from socket-manager.cpp file. Change-Id: I13ffdbc0c195adba3c2374f4a4a925a87d07a032 --- src/manager/main/socket-manager.cpp | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
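Review bot: `sizeof(static_cast<...>(0)->sun_path)` (the rendering here drops the cast's template argument) dereferences a null pointer inside an unevaluated `sizeof`, which is legal but obscure; C++11 permits `sizeof(sockaddr_un::sun_path)` directly, which reads as intended and needs no cast. The comparison itself is right: `>=` leaves room for the terminating NUL that the later copy into `sun_path` needs. That copy is outside the hunk, so I could not confirm whether it is a bounded `strncpy`/`memcpy` or a plain `strcpy`; with this guard either is safe, but a short comment at the guard, `// must fit sun_path including the terminating NUL`, ties the two sites together.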
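Review bot: The return value of `sd_listen_fds(1)` is discarded; it reports how many descriptors systemd handed over, and a non-zero count means this daemon was socket-activated with descriptors it then neither uses nor closes (whether the socket setup earlier in `SocketManager` consumes them is not visible in this patch). Capturing it and logging anything unexpected, `int passed = sd_listen_fds(1); if (passed > 0) LogError("Unexpected descriptors passed by systemd: " << passed);`, turns a silent misconfiguration into a diagnosable one. The comment typo `evironment` → `environment` could be fixed in the same edit.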
diff --git a/src/manager/main/socket-manager.cpp b/src/manager/main/socket-manager.cpp index b94a38b..f831d8e 100644 --- a/src/manager/main/socket-manager.cpp +++ b/src/manager/main/socket-manager.cpp @@ -334,7 +334,7 @@ void SocketManager::ReadyForWriteBuffer(int sock) { } void SocketManager::ReadyForWrite(int sock) { - ReadyForWriteBuffer(sock); + ReadyForWriteBuffer(sock); } void SocketManager::MainLoop() { @@ -383,8 +383,6 @@ void SocketManager::MainLoop() { ptrTimeout->tv_sec = currentTime < pqTimeout.time ? pqTimeout.time - currentTime : 0; ptrTimeout->tv_usec = 0; -// LogDebug("Set up timeout: " << (int)ptrTimeout->tv_sec -// << " seconds. Socket: " << pqTimeout.sock); } int ret = select(m_maxDesc+1, &readSet, &writeSet, NULL, ptrTimeout); @@ -664,7 +662,6 @@ void SocketManager::ProcessQueue() { } void SocketManager::CloseSocket(int sock) { -// LogInfo("Closing socket: " << sock); auto &desc = m_socketDescriptionVector[sock]; if (!(desc.isOpen)) { -- 2.7.4 From 09a7d6e27fa2f13a79a2a6a0e076e74b65a37f36 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Wed, 19 Aug 2015 12:34:04 +0200 Subject: [PATCH 09/16] Replace read/write with send/recv. New implementation does not require to mask SIGPIPE signal in client. Change-Id: Ic2a920b56ed9a6e3dc6627fa026857f31d5c1630 --- src/manager/client-async/service.cpp | 17 ++++++++++------- src/manager/client/client-common.cpp | 14 ++++++++------ 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/src/manager/client-async/service.cpp b/src/manager/client-async/service.cpp index 39a4379..9725432 100644 --- a/src/manager/client-async/service.cpp +++ b/src/manager/client-async/service.cpp @@ -18,6 +18,8 @@ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) * @version 1.0 */ +#include +#include #include 
@@ -125,16 +127,17 @@ void Service::sendData() while (!m_sendQueue.empty()) { AsyncRequest& req = m_sendQueue.front(); - ssize_t temp = TEMP_FAILURE_RETRY(write(m_socket->get(), - &req.buffer[req.written], - req.buffer.size() - req.written)); + ssize_t temp = TEMP_FAILURE_RETRY(::send(m_socket->get(), + &req.buffer[req.written], + req.buffer.size() - req.written, + MSG_NOSIGNAL)); if (-1 == temp) { int err = errno; // can't write? -> go to sleep if (EAGAIN == err || EWOULDBLOCK == err) return; - LogError("Error in write: " << GetErrnoString(err)); + LogError("Error in send: " << GetErrnoString(err)); serviceError(CKM_API_ERROR_SEND_FAILED); return; } @@ -159,16 +162,16 @@ void Service::receiveData() { char buffer[RECV_BUFFER_SIZE]; - ssize_t temp = TEMP_FAILURE_RETRY(read(m_socket->get(), buffer, RECV_BUFFER_SIZE)); + ssize_t temp = TEMP_FAILURE_RETRY(::recv(m_socket->get(), buffer, RECV_BUFFER_SIZE,0)); if (-1 == temp) { int err = errno; - LogError("Error in read: " << GetErrnoString(err)); + LogError("Error in recv: " << GetErrnoString(err)); serviceError(CKM_API_ERROR_RECV_FAILED); return; } if (0 == temp) { - LogError("Read return 0/Connection closed by server(?)"); + LogError("Recv return 0/Connection closed by server(?)"); serviceError(CKM_API_ERROR_RECV_FAILED); return; } diff --git a/src/manager/client/client-common.cpp b/src/manager/client/client-common.cpp index 1d61e67..10d5de1 100644 --- a/src/manager/client/client-common.cpp +++ b/src/manager/client/client-common.cpp @@ -241,9 +241,10 @@ int ServiceConnection::send(const CKM::RawBuffer &send_buf) break; } - ssize_t temp = TEMP_FAILURE_RETRY(write(m_socket.get(), - &send_buf[done], - send_buf.size() - done)); + ssize_t temp = TEMP_FAILURE_RETRY(::send(m_socket.get(), + &send_buf[done], + send_buf.size() - done, + MSG_NOSIGNAL)); if (-1 == temp) { LogError("Error in write: " << CKM::GetErrnoString(errno)); retCode = CKM_API_ERROR_SOCKET; 
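Review bot: The error log in `ServiceConnection::send` still reads `"Error in write: "` although the call is now `::send`, while the parallel change in `Service::sendData` did update its message; the same stale `"Error in read: "` remains in `ServiceConnection::receive` in the next hunk. These strings are what an operator greps for, so change them to `LogError("Error in send: " << CKM::GetErrnoString(errno));` and `"Error in recv: "` respectively. `MSG_NOSIGNAL` removes the need to mask SIGPIPE for this client path only; any `write()` on a socket that remains elsewhere (the daemon side is not touched by this patch) still needs the previous handling.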
@@ -278,9 +279,10 @@ int ServiceConnection::receive(CKM::MessageBuffer &recv_buf) break; } - ssize_t temp = TEMP_FAILURE_RETRY(read(m_socket.get(), - buffer, - sizeof(buffer))); + ssize_t temp = TEMP_FAILURE_RETRY(::recv(m_socket.get(), + buffer, + sizeof(buffer), + 0)); if(-1 == temp) { LogError("Error in read: " << CKM::GetErrnoString(errno)); ec = CKM_API_ERROR_SOCKET; -- 2.7.4 From 4b4f7b9e045fadc3c5348e7ef8be628a742907e2 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Wed, 12 Aug 2015 11:12:40 +0200 Subject: [PATCH 10/16] Add functions required during db debug. Add Crypto::getSchema() and Crypto::getContent() Change-Id: I46739eaef891edaa5d4f190a8adcadd2958dcc24 --- src/manager/dpl/db/include/dpl/db/sql_connection.h | 11 ++++ src/manager/dpl/db/src/sql_connection.cpp | 11 ++++ src/manager/service/db-crypto.cpp | 69 ++++++++++++++++++++++ src/manager/service/db-crypto.h | 4 ++ 4 files changed, 95 insertions(+) diff --git a/src/manager/dpl/db/include/dpl/db/sql_connection.h b/src/manager/dpl/db/include/dpl/db/sql_connection.h index b6aced5..4492dec 100644 --- a/src/manager/dpl/db/include/dpl/db/sql_connection.h +++ b/src/manager/dpl/db/include/dpl/db/sql_connection.h @@ -368,6 +368,17 @@ class SqlConnection * @throw Exception::InvalidColumn */ boost::optional GetColumnOptionalBlob(ColumnIndex column); + + /** + * Get number of column. + */ + ColumnIndex GetColumnCount(); + /** + * Get type of the column. + * + * @throw Exception::InvalidColumn + */ + int GetColumnType(ColumnIndex column); }; // Move on copy constructor. No copy semantics diff --git a/src/manager/dpl/db/src/sql_connection.cpp b/src/manager/dpl/db/src/sql_connection.cpp index 59d7877..110eca0 100644 --- a/src/manager/dpl/db/src/sql_connection.cpp +++ b/src/manager/dpl/db/src/sql_connection.cpp 
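Review bot: `GetColumnType` returns a bare `int` and its comment does not say that the value is the sqlcipher3/SQLite column type code, so every caller has to know the numeric mapping (the `switch` in `Crypto::getContent` later in this series hard-codes `1`..`5` for exactly that reason). Document it, e.g. `* Get the storage type of the column as the SQLite type code (SQLITE_INTEGER, SQLITE_FLOAT, SQLITE_TEXT, SQLITE_BLOB or SQLITE_NULL).`, or return a small enum declared next to `ColumnIndex`. The `GetColumnCount` comment should also read `Get the number of columns in the current result row.` rather than `Get number of column.`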
@@ -397,6 +397,17 @@ void SqlConnection::DataCommand::Reset() LogPedantic("SQL data command reset"); } +SqlConnection::ColumnIndex SqlConnection::DataCommand::GetColumnCount() { + return sqlcipher3_column_count(m_stmt); +} + +int SqlConnection::DataCommand::GetColumnType( + SqlConnection::ColumnIndex column) +{ + CheckColumnIndex(column); + return sqlcipher3_column_type(m_stmt, column); +} + void SqlConnection::DataCommand::CheckColumnIndex( SqlConnection::ColumnIndex column) { diff --git a/src/manager/service/db-crypto.cpp b/src/manager/service/db-crypto.cpp index 8a5b57b..ce9d750 100644 --- a/src/manager/service/db-crypto.cpp +++ b/src/manager/service/db-crypto.cpp @@ -21,6 +21,7 @@ */ #include +#include #include #include #include 
@@ -826,6 +827,74 @@ namespace DB { insertObjectCommand->Step(); } + + std::string Crypto::getSchema() { + SqlConnection::DataCommandUniquePtr schema = + m_connection->PrepareDataCommand("SELECT sql FROM " + "(SELECT * FROM sqlcipher_master UNION ALL " + "SELECT * FROM sqlcipher_temp_master) " + "WHERE type!='meta' " + "ORDER BY tbl_name, type DESC, name;"); + + std::stringstream ss; + while(schema->Step()) { + ss << schema->GetColumnString(0) << std::endl; + } + return ss.str(); + } + + std::string Crypto::getContent() { + SqlConnection::DataCommandUniquePtr tableSelect = + m_connection->PrepareDataCommand( + "SELECT name FROM sqlcipher_master " + "WHERE type IN ('table','view') AND name NOT LIKE 'sqlcipher_%' " + "UNION ALL " + "SELECT name FROM sqlcipher_temp_master " + "WHERE type IN ('table','view') " + "ORDER BY 1; "); + + std::vector tables; + while(tableSelect->Step()) { + tables.push_back(tableSelect->GetColumnString(0)); + } + + std::stringstream ss; + + for (auto &e : tables) { + ss << "Table " << e << std::endl; + std::string query = "select * from " + e + ";"; + SqlConnection::DataCommandUniquePtr result = + m_connection->PrepareDataCommand(query.c_str()); + while(result->Step()) { + int maxColumn = result->GetColumnCount(); + for (int i = 0; i < maxColumn; ++i) { + switch(result->GetColumnType(i)) { + case 1: // int64 + ss << result->GetColumnInteger(i) << " | "; + break; + case 2: // float + ss << result->GetColumnFloat(i) << " | "; + break; + case 3: // string + ss << result->GetColumnString(i) << " | "; + break; + case 4: // Blob + { + auto buffer = result->GetColumnBlob(i); + ss << "BLOB (Size: " << buffer.size() << ") | "; + break; + } + case 5: // NULL + ss << "NULL | "; + break; + } + } + ss << std::endl; + } + } + + return ss.str(); + } } // namespace DB } // namespace CKM diff --git a/src/manager/service/db-crypto.h b/src/manager/service/db-crypto.h index ec3281d..193570d 100644 --- a/src/manager/service/db-crypto.h 
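Review bot: `getContent` builds `"select * from " + e + ";"` by concatenating table names read back from `sqlcipher_master`; identifiers cannot be bound as parameters, so a name containing a quote or a space (possible only if the database file has been tampered with, which is precisely when a debug dump is reached for) breaks the statement or changes its meaning. Quoting the identifier and doubling any embedded `"` closes that gap, as in the excerpt below. The `switch` on `GetColumnType` uses bare `1`..`5` where `SQLITE_INTEGER`/`SQLITE_FLOAT`/`SQLITE_TEXT`/`SQLITE_BLOB`/`SQLITE_NULL` would document the mapping (if the sqlcipher header is not included in this file, a small enum in sql_connection.h would do), and a `default:` that prints the raw code would keep an unknown type from silently vanishing from the output. Both functions emit every text column of the key store in clear (BLOBs are only sized), so they should be clearly marked as debug-only and ideally compiled out of release builds.
```cpp
// … unchanged: table enumeration into `tables` …
for (auto &e : tables) {
    ss << "Table " << e << std::endl;
    // Identifiers cannot be bound as parameters: quote the name and double
    // any embedded quote so a hostile schema cannot break the statement.
    std::string quoted;
    for (char c : e) {
        if (c == '"')
            quoted += '"';
        quoted += c;
    }
    std::string query = "SELECT * FROM \"" + quoted + "\";";
    // … unchanged: PrepareDataCommand, Step loop and column switch …
```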
+++ b/src/manager/service/db-crypto.h @@ -115,6 +115,10 @@ namespace DB { const Name &name, const Label &ownerLabel); + std::string getSchema(); + + std::string getContent(); + // keys void saveKey(const Label& label, const RawBuffer &key); RawBufferOptional getKey(const Label& label); -- 2.7.4 From f643841998db96a62b55064616eda251e156267e Mon Sep 17 00:00:00 2001 From: Kyungwook Tak Date: Tue, 25 Aug 2015 14:55:13 +0900 Subject: [PATCH 11/16] Remove useless API : ckmc_remove_pkcs12 Change-Id: Ib56c522f649830eba35267e8b122d0268c5cdb66 Signed-off-by: Kyungwook Tak --- src/include/ckmc/ckmc-manager.h | 32 -------------------------------- src/manager/client-capi/ckmc-manager.cpp | 6 ------ 2 files changed, 38 deletions(-) diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h index 9d3cae0..f0dacff 100644 --- a/src/include/ckmc/ckmc-manager.h +++ b/src/include/ckmc/ckmc-manager.h 
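Review bot: The two new public members of `DB::Crypto` are declared without any comment, and nothing marks them as debug aids even though `getContent` returns every text column of the key database in clear. Add doc comments such as `// Debug only: returns the CREATE statements of all tables and views as one string.` above `getSchema` and `// Debug only: dumps every row of every table; text columns are printed in clear, BLOBs by size only. Not for use on production code paths.` above `getContent`. Consider also guarding both declarations (and their definitions in db-crypto.cpp) behind a build-time debug flag so the dump cannot be reached from a release daemon.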
@@ -373,38 +373,6 @@ int ckmc_save_pkcs12(const char *alias, const ckmc_policy_s cert_policy); /** - * @deprecated Deprecated since 2.4. [Use ckmc_remove_alias() instead] - * @brief Removes all PKCS12 contents from key manager. - * - * @since_tizen 2.4 - * @privlevel public - * @privilege %http://tizen.org/privilege/keymanager - * - * @remarks To remove PKCS12, client must have remove permission to the specified PKCS12 object. - * @remarks The key owner can remove by default. - * - * @param[in] alias The name of PKCS12 to be removed - * - * @return @c 0 on success, - * otherwise a negative error value - * - * @retval #CKMC_ERROR_NONE Successful - * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid - * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged - * in) - * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error - * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist - * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager - * - * @pre User is already logged in and the user key is already loaded into memory in plain text form. - * - * @see ckmc_remove_alias() - * @see ckmc_save_pkcs12() - * @see ckmc_get_pkcs12() - */ -int ckmc_remove_pkcs12(const char *alias); - -/** * @brief Gets a pkcs12 from key manager. * * @since_tizen 2.4 diff --git a/src/manager/client-capi/ckmc-manager.cpp b/src/manager/client-capi/ckmc-manager.cpp index 0fe3b94..15908e0 100644 --- a/src/manager/client-capi/ckmc-manager.cpp +++ b/src/manager/client-capi/ckmc-manager.cpp @@ -383,12 +383,6 @@ int ckmc_save_pkcs12(const char *alias, const ckmc_pkcs12_s *ppkcs, const ckmc_p } KEY_MANAGER_CAPI -int ckmc_remove_pkcs12(const char *alias) -{ - return ckmc_remove_alias(alias); -} - -KEY_MANAGER_CAPI int ckmc_get_pkcs12(const char *alias, const char *key_password, const char *cert_password, ckmc_pkcs12_s **pkcs12) { int ret; -- 2.7.4 From 7aae54a0382448c7e8f76cd4bf334a734e420aef Mon Sep 17 00:00:00 2001 
From: Kyungwook Tak Date: Tue, 25 Aug 2015 09:23:27 +0900 Subject: [PATCH 12/16] Remove temporary defined TIZEN_ERROR_KEY_MANAGER TIZEN_ERROR_KEY_MANAGER is in tizen_error.h in platform/core/api/common package Change-Id: I51b3907f8b73d74cd44a3439a49bfc7a55c8df56 Signed-off-by: Kyungwook Tak --- src/include/ckmc/ckmc-error.h | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/include/ckmc/ckmc-error.h b/src/include/ckmc/ckmc-error.h index 5719064..613e6f6 100644 --- a/src/include/ckmc/ckmc-error.h +++ b/src/include/ckmc/ckmc-error.h @@ -35,15 +35,6 @@ extern "C" { * @brief Enumeration for Key Manager Errors. * @since_tizen 2.3 */ - - -// MJK TODO: this should be moved into /usr/include/tizen_error.h -#ifndef TIZEN_ERROR_KEY_MANAGER -/** Tizen Key Manager Error */ -#define TIZEN_ERROR_KEY_MANAGER -0x01E10000 -#endif - - typedef enum{ CKMC_ERROR_NONE = TIZEN_ERROR_NONE, /**< Successful */ CKMC_ERROR_INVALID_PARAMETER = TIZEN_ERROR_INVALID_PARAMETER, /**< Invalid function parameter */ -- 2.7.4 From c86a9d3d4d853df934ae756d9d7cffdfcddb1a33 Mon Sep 17 00:00:00 2001 From: Kyungwook Tak Date: Tue, 25 Aug 2015 11:55:49 +0900 Subject: [PATCH 13/16] Fix ckmc headers grammar Change-Id: I525de480255f5b41d39b4d892239a23cd1e28268 Signed-off-by: Kyungwook Tak --- doc/key-manager-control_doc.h | 1 - src/include/ckmc/ckmc-control.h | 1 - src/include/ckmc/ckmc-error.h | 4 +- src/include/ckmc/ckmc-manager.h | 71 ++++++---- src/include/ckmc/ckmc-type.h | 305 +++++++++++++++++++++------------------- 5 files changed, 210 insertions(+), 172 deletions(-) diff --git a/doc/key-manager-control_doc.h b/doc/key-manager-control_doc.h index 8c42b39..70675d8 100644 --- a/doc/key-manager-control_doc.h +++ b/doc/key-manager-control_doc.h 
@@ -16,7 +16,6 @@ #ifndef __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__ #define __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__ /** - * @internal * @ingroup CAPI_KEY_MANAGER_MODULE * @defgroup CAPI_KEY_MANAGER_CONTROL_MODULE Key Manager Control * @brief These APIs control the key manager state (Unlocked/Locked) and reflects the user's password change. diff --git a/src/include/ckmc/ckmc-control.h b/src/include/ckmc/ckmc-control.h index 2e83eca..6666950 100644 --- a/src/include/ckmc/ckmc-control.h +++ b/src/include/ckmc/ckmc-control.h @@ -33,7 +33,6 @@ extern "C" { #endif /** - * @internal * @addtogroup CAPI_KEY_MANAGER_CONTROL_MODULE * @{ */ diff --git a/src/include/ckmc/ckmc-error.h b/src/include/ckmc/ckmc-error.h index 613e6f6..a77520f 100644 --- a/src/include/ckmc/ckmc-error.h +++ b/src/include/ckmc/ckmc-error.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,7 +35,7 @@ extern "C" { * @brief Enumeration for Key Manager Errors. * @since_tizen 2.3 */ -typedef enum{ +typedef enum { CKMC_ERROR_NONE = TIZEN_ERROR_NONE, /**< Successful */ CKMC_ERROR_INVALID_PARAMETER = TIZEN_ERROR_INVALID_PARAMETER, /**< Invalid function parameter */ CKMC_ERROR_OUT_OF_MEMORY = TIZEN_ERROR_OUT_OF_MEMORY, /**< Out of memory */ diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h index f0dacff..6c53b24 100644 --- a/src/include/ckmc/ckmc-manager.h +++ b/src/include/ckmc/ckmc-manager.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -336,7 +336,7 @@ int ckmc_get_cert_alias_list(ckmc_alias_list_s** ppalias_list); /** * @brief Stores PKCS12's contents inside key manager based on the provided policies. - * All items from the PKCS12 will use the same alias. + * All items from the PKCS12 will use the same alias. * * @since_tizen 2.4 * @privlevel public @@ -399,7 +399,8 @@ int ckmc_save_pkcs12(const char *alias, * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager * @retval #CKMC_ERROR_AUTHENTICATION_FAILED - * Decryption failed because password is incorrect. + * key_password or cert_password does not match with password + * used to encrypt data * * @pre User is already logged in and the user key is already loaded into memory in plain text form. * 
@@ -1129,32 +1130,34 @@ int ckmc_deny_access(const char *alias, const char *accessor); * @pre User is already logged in and the user key is already loaded into memory in plain text form. * * @see ckmc_save_key() - * @see ckmc_save_cert - * @see ckmc_save_data - * @see ckmc_save_pkcs12 - * @see ckmc_create_key_pair_rsa - * @see ckmc_create_key_pair_dsa - * @see ckmc_create_key_pair_ecdsa + * @see ckmc_save_cert() + * @see ckmc_save_data() + * @see ckmc_save_pkcs12() + * @see ckmc_create_key_pair_rsa() + * @see ckmc_create_key_pair_dsa() + * @see ckmc_create_key_pair_ecdsa() */ int ckmc_remove_alias(const char *alias); /** - * @brief Encrypts data using selected key and algorithm + * @brief Encrypts data using selected key and algorithm. * * @since_tizen 3.0 * @privlevel public * @privilege %http://tizen.org/privilege/keymanager * - * @remarks Key identified by @a key_alias should exist + * @remarks Key identified by @a key_alias should exist. * * @param[in] params Algorithm parameters * @param[in] key_alias Alias of the key to be used for encryption - * @param[in] password The password used in decrypting a key value. If password of policy - * is provided in ckmc_save_key(), the same password should be provided + * @param[in] password The password used in decrypting a key value \n + * If password of policy is provided in ckmc_save_key(), the same + * password should be provided * @param[in] decrypted Data to be encrypted * @param[out] ppencrypted Encrypted data (some algorithms may return additional information - * embedded in encrypted data. AES GCM is an example). The caller is - * responsible for freeing ppencrypted with ckmc_buffer_free(). + * embedded in encrypted data. AES GCM is an example) \n + * The caller is responsible for freeing ppencrypted with + * ckmc_buffer_free() * * @return @c 0 on success, otherwise a negative error value * 
@@ -1166,9 +1169,18 @@ int ckmc_remove_alias(const char *alias); * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Key with given alias does not exist * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager * @retval #CKMC_ERROR_AUTHENTICATION_FAILED - * Key decryption failed because password is incorrect. + * Key decryption failed because password is incorrect * * @pre User is already logged in and the user key is already loaded into memory in plain text form. + * + * @see ckmc_buffer_free() + * @see ckmc_param_list_new() + * @see ckmc_param_list_free() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_generate_params() + * @see #ckmc_param_list_s + * @see #ckmc_param_name_e */ int ckmc_encrypt_data(const ckmc_param_list_s *params, const char *key_alias, 
@@ -1177,22 +1189,24 @@ int ckmc_encrypt_data(const ckmc_param_list_s *params, ckmc_raw_buffer_s **ppencrypted); /** - * @brief Decrypts data using selected key and algorithm + * @brief Decrypts data using selected key and algorithm. * * @since_tizen 3.0 * @privlevel public * @privilege %http://tizen.org/privilege/keymanager * - * @remarks Key identified by @a key_alias should exist + * @remarks Key identified by @a key_alias should exist. * * @param[in] params Algorithm parameters * @param[in] key_alias Alias of the key to be used for encryption - * @param[in] password The password used in decrypting a key value. If password of policy - * is provided in ckmc_save_key(), the same password should be provided + * @param[in] password The password used in decrypting a key value \n + * If password of policy is provided in ckmc_save_key(), the same + * password should be provided * @param[in] encrypted Data to be decrypted (some algorithms may require additional - * information embedded in encrypted data. AES GCM is an example). - * @param[out] ppdecrypted Decrypted data. The caller is responsible for freeing ppdecrypted - * with ckmc_buffer_free(). + * information embedded in encrypted data. AES GCM is an example) + * @param[out] ppdecrypted Decrypted data \n + * The caller is responsible for freeing ppdecrypted with + * ckmc_buffer_free() * * @return @c 0 on success, otherwise a negative error value * 
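Review bot: The context line `@param[in] key_alias Alias of the key to be used for encryption` that this hunk rewords around still says "encryption" although the block documents ckmc_decrypt_data (`@brief Decrypts data using selected key and algorithm.`); it looks copy-pasted from ckmc_encrypt_data. Suggest `@param[in] key_alias Alias of the key to be used for decryption`. The rewrapped password and ppdecrypted descriptions are fine as written.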
@@ -1204,9 +1218,18 @@ int ckmc_encrypt_data(const ckmc_param_list_s *params, * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Key with given alias does not exist * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager * @retval #CKMC_ERROR_AUTHENTICATION_FAILED - * Key decryption failed because password is incorrect. + * Key decryption failed because password is incorrect * * @pre User is already logged in and the user key is already loaded into memory in plain text form. + * + * @see ckmc_buffer_free() + * @see ckmc_param_list_new() + * @see ckmc_param_list_free() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_generate_params() + * @see #ckmc_param_list_s + * @see #ckmc_param_name_e */ int ckmc_decrypt_data(const ckmc_param_list_s *params, const char *key_alias, diff --git a/src/include/ckmc/ckmc-type.h b/src/include/ckmc/ckmc-type.h index a450b86..e0a6e60 100644 --- a/src/include/ckmc/ckmc-type.h +++ b/src/include/ckmc/ckmc-type.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -39,17 +39,23 @@ extern "C" { */ /** - * alias can be provided as an alias alone, or together with label - in this - * case, separator " " (space bar) is used to separate label and alias. + * @brief Separator between alias and label. + * @since_tizen 2.3 + * @remarks Alias can be provided as an alias alone, or together with label - in this + * case, separator " " (space bar) is used to separate label and alias. + * * @see key-manager_doc.h */ KEY_MANAGER_CAPI extern char const * const ckmc_label_name_separator; /** - * shared database label - user may be given permission to access shared - * database items. In such case, the alias should contain shared database - * label. - * @see ckmc_label_name_separator + * @brief Shared owner label + * @since_tizen 3.0 + * @remarks Shared database label - user may be given permission to access shared + * database items. In such case, the alias should contain shared database + * label. + * + * @see #ckmc_label_name_separator * @see key-manager_doc.h */ KEY_MANAGER_CAPI extern char const * const ckmc_label_shared_owner; @@ -59,7 +65,7 @@ KEY_MANAGER_CAPI extern char const * const ckmc_label_shared_owner; * @since_tizen 2.3 */ typedef enum __ckmc_key_type { - CKMC_KEY_NONE = 0, /**< key type not specified */ + CKMC_KEY_NONE = 0, /**< Key type not specified */ CKMC_KEY_RSA_PUBLIC, /**< RSA public key */ CKMC_KEY_RSA_PRIVATE, /**< RSA private key */ CKMC_KEY_ECDSA_PUBLIC, /**< ECDSA public key */ @@ -120,8 +126,8 @@ typedef enum __ckmc_rsa_padding_algo { * @since_tizen 2.3 */ typedef enum __ckmc_access_right{ - CKMC_AR_READ = 0, /**< access right for read*/ - CKMC_AR_READ_REMOVE /**< access right for read and remove*/ + CKMC_AR_READ = 0, /**< Access right for read*/ + CKMC_AR_READ_REMOVE /**< Access right for read and remove*/ } ckmc_access_right_e; /** 
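Review bot: The two briefs rewritten in the first hunk are inconsistent with each other: `@brief Separator between alias and label.` ends with a period while `@brief Shared owner label` does not; suggest `@brief Shared owner label.`. The third hunk capitalises the ckmc_access_right_e descriptions but keeps the missing space before the comment close, `/**< Access right for read*/` and `/**< Access right for read and remove*/`, which every other enumerator comment in this file closes with ` */`; suggest `/**< Access right for read */` and `/**< Access right for read and remove */`.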
@@ -129,13 +135,13 @@ typedef enum __ckmc_access_right{ * @since_tizen 2.4 */ typedef enum __ckmc_permission{ - CKMC_PERMISSION_NONE = 0x00, /**< clear permissions */ - CKMC_PERMISSION_READ = 0x01, /**< read allowed */ - CKMC_PERMISSION_REMOVE = 0x02 /**< remove allowed */ + CKMC_PERMISSION_NONE = 0x00, /**< Clear permissions */ + CKMC_PERMISSION_READ = 0x01, /**< Eead allowed */ + CKMC_PERMISSION_REMOVE = 0x02 /**< Remove allowed */ } ckmc_permission_e; /** - * @brief the structure for binary buffer used in key manager CAPI. + * @brief The structure for binary buffer used in key manager CAPI. * @since_tizen 2.3 */ typedef struct __ckmc_raw_buff { @@ -180,7 +186,7 @@ typedef struct __ckmc_cert { * @since_tizen 2.3 */ typedef struct __ckmc_alias_list { - char *alias; /**< The name of key, certificate or data stored in key manager */ + char *alias; /**< The name of key, certificate or data stored in key manager */ struct __ckmc_alias_list *next; /**< The pointer pointing to the next ckmc_alias_list_s */ } ckmc_alias_list_s; @@ -189,7 +195,7 @@ typedef struct __ckmc_alias_list { * @since_tizen 2.3 */ typedef struct __ckmc_cert_list { - ckmc_cert_s *cert; /**< The pointer of ckmc_cert_s */ + ckmc_cert_s *cert; /**< The pointer of ckmc_cert_s */ struct __ckmc_cert_list *next; /**< The pointer pointing to the next ckmc_cert_list_s */ } ckmc_cert_list_s; 
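Review bot: The rewritten CKMC_PERMISSION_READ comment in the first hunk introduces a typo, `/**< Eead allowed */`; it should be `/**< Read allowed */`. The two later hunks on this line only realign struct-member comments and need nothing.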
@@ -199,13 +205,13 @@ typedef struct __ckmc_cert_list { */ typedef enum __ckmc_ocsp_status { CKMC_OCSP_STATUS_GOOD = 0, /**< OCSP status is good */ - CKMC_OCSP_STATUS_REVOKED, /**< certificate is revoked */ - CKMC_OCSP_STATUS_UNKNOWN, /**< unknown error */ - CKMC_OCSP_ERROR_UNSUPPORTED, /**< certificate does not provide OCSP extension */ - CKMC_OCSP_ERROR_INVALID_URL, /**< invalid URL in certificate OCSP extension */ - CKMC_OCSP_ERROR_INVALID_RESPONSE, /**< invalid response from OCSP server */ + CKMC_OCSP_STATUS_REVOKED, /**< The certificate is revoked */ + CKMC_OCSP_STATUS_UNKNOWN, /**< Unknown error */ + CKMC_OCSP_ERROR_UNSUPPORTED, /**< The certificate does not provide OCSP extension */ + CKMC_OCSP_ERROR_INVALID_URL, /**< The invalid URL in certificate OCSP extension */ + CKMC_OCSP_ERROR_INVALID_RESPONSE, /**< The invalid response from OCSP server */ CKMC_OCSP_ERROR_REMOTE, /**< OCSP remote server error */ - CKMC_OCSP_ERROR_NET, /**< network connection error */ + CKMC_OCSP_ERROR_NET, /**< Network connection error */ CKMC_OCSP_ERROR_INTERNAL /**< OpenSSL API error */ } ckmc_ocsp_status_e; 
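Review bot: Two of the rewritten ckmc_ocsp_status_e descriptions read oddly with the added article: `/**< The invalid URL in certificate OCSP extension */` and `/**< The invalid response from OCSP server */`. Suggest `/**< Invalid URL in certificate OCSP extension */` and `/**< Invalid response from OCSP server */`, which matches the style of the neighbouring `/**< Network connection error */` and `/**< Unknown error */`.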
@@ -214,33 +220,32 @@ typedef enum __ckmc_ocsp_status { * @since_tizen 2.4 */ typedef struct __ckmc_pkcs12 { - ckmc_key_s *priv_key; /**< private key, may be null */ - ckmc_cert_s *cert; /**< certificate, may be null */ - ckmc_cert_list_s *ca_chain; /**< chain certificates list, may be null */ + ckmc_key_s *priv_key; /**< The private key, may be null */ + ckmc_cert_s *cert; /**< The certificate, may be null */ + ckmc_cert_list_s *ca_chain; /**< The chain certificate list, may be null */ } ckmc_pkcs12_s; /** * @brief Enumeration for crypto algorithm parameters. * @since_tizen 3.0 + * + * @see #ckmc_algo_type_e */ typedef enum __ckmc_param_name { CKMC_PARAM_ALGO_TYPE = 1, - // encryption & decryption CKMC_PARAM_ED_IV = 101, /**< 16B buffer (up to 2^64-1 bytes long in case of AES GCM) */ CKMC_PARAM_ED_CTR_LEN, /**< integer - ctr length in bits*/ CKMC_PARAM_ED_AAD, /**< buffer */ CKMC_PARAM_ED_TAG_LEN, /**< integer - tag length in bits */ CKMC_PARAM_ED_LABEL, /**< buffer */ - // key generation CKMC_PARAM_GEN_KEY_LEN = 201, /**< integer - key length in bits */ CKMC_PARAM_GEN_EC, /**< integer - elliptic curve (ckmc_ec_type_e) */ - // sign & verify CKMC_PARAM_SV_HASH_ALGO = 301, /**< integer - hash algorithm (ckmc_hash_algo_e) */ - CKMC_PARAM_SV_RSA_PADDING, /**< integer - RSA padding (ckmc_rsa_padding_algo_e) */ -}ckmc_param_name_e; + CKMC_PARAM_SV_RSA_PADDING /**< integer - RSA padding (ckmc_rsa_padding_algo_e) */ +} ckmc_param_name_e; /** * @brief Structure for algorithm parameter list. @@ -251,6 +256,8 @@ typedef struct __ckmc_param_list ckmc_param_list_s; /** * @brief Enumeration for crypto algorithm types. * @since_tizen 3.0 + * + * @see #ckmc_param_name_e */ typedef enum __ckmc_algo_type { CKMC_ALGO_AES_CTR = 1, /**< AES-CTR algorithm 
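Review bot: After the first hunk CKMC_PARAM_ALGO_TYPE is the only ckmc_param_name_e enumerator without a `/**< … */` description, and the `// encryption & decryption`, `// key generation` and `// sign & verify` group comments the hunk removes were the only hint of which parameters belong to which operation. Since the same hunk adds `@see #ckmc_algo_type_e` to the enum, a description along the lines of `/**< integer - algorithm type (ckmc_algo_type_e) */` appears to be what is intended, but confirm against the implementation before adding it. The CKMC_PARAM_ED_TAG_LEN and CKMC_PARAM_ED_CTR_LEN descriptions give units ("in bits") but no accepted range; if the service restricts these values, documenting the restriction here would spare callers a failed call.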
@@ -319,25 +326,25 @@ typedef enum __ckmc_algo_type { } ckmc_algo_type_e; /** - * @internal * @brief Creates a new @a ckmc_key_s handle and returns it. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks You must destroy the newly created @a ckmc_key_s by calling ckmc_key_free() if it is no * longer needed. * * @param[in] raw_key The byte array of key \n - * @a raw_key may be encrypted with password. + * @a raw_key may be encrypted with password * @param[in] key_size The byte size of @a raw_key * @param[in] key_type The @a raw_key's type * @param[in] password The byte array used to decrypt @a raw_key inside key manager \n - * If @a raw_key is not encrypted, @a password can be null. + * If @a raw_key is not encrypted, @a password can be null * @param[out] ppkey The pointer to a newly created @a ckmc_key_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * @@ -360,10 +367,9 @@ int ckmc_key_new(unsigned char *raw_key, void ckmc_key_free(ckmc_key_s *key); /** - * @internal * @brief Creates a new @a ckmc_raw_buffer_s handle and returns it. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks You must destroy the newly created @a ckmc_raw_buffer_s by calling ckmc_buffer_free() if * it is no longer needed. 
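Review bot: With `@internal` dropped and `@since_tizen` raised to 2.4, ckmc_key_new is apparently becoming public API, yet its documentation still does not say whether the new ckmc_key_s copies `raw_key` and `password` or keeps pointing at the caller's memory until ckmc_key_free(); for key material that lifetime question is the one a caller most needs answered. Suggest a remark stating whichever the implementation does, e.g. `@remarks The contents of @a raw_key and @a password are copied into the new handle` (the implementation is not in this patch). The same gap exists for `data` in ckmc_buffer_new and `raw_cert` in ckmc_cert_new in the hunks on the next line.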
@@ -372,32 +378,32 @@ void ckmc_key_free(ckmc_key_s *key); * @param[in] size The byte size of buffer * @param[out] ppbuffer The pointer to a newly created @a ckmc_buffer_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * * @see ckmc_buffer_free() * @see #ckmc_raw_buffer_s */ -int ckmc_buffer_new(unsigned char *data, size_t size,ckmc_raw_buffer_s **ppbuffer); +int ckmc_buffer_new(unsigned char *data, size_t size, ckmc_raw_buffer_s **ppbuffer); /** * @brief Destroys the @a ckmc_raw_buffer_s handle and releases all its resources. * * @since_tizen 2.3 * - * @param[in] buffer The @a ckmc_raw_buffer_s handle to destroy + * @param[in] buffer The @a ckmc_raw_buffer_s structure to destroy * */ void ckmc_buffer_free(ckmc_raw_buffer_s *buffer); /** - * @internal * @brief Creates a new @a ckmc_cert_s handle and returns it. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks You must destroy the newly created @a ckmc_cert_s by calling ckmc_cert_free() if it is * no longer needed. @@ -407,9 +413,10 @@ void ckmc_buffer_free(ckmc_raw_buffer_s *buffer); * @param[in] data_format The encoding format of raw_cert * @param[out] ppcert The pointer to a newly created @a ckmc_cert_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * 
@@ -443,7 +450,7 @@ void ckmc_cert_free(ckmc_cert_s *cert); * no longer needed. * * @param[in] file_path The path of certificate file to be loaded \n - * The only DER or PEM encoded certificate file is supported. + * The only DER or PEM encoded certificate file is supported * @param[out] cert The pointer of newly created @a ckmc_cert_s handle * * @return #CKMC_ERROR_NONE on success, @@ -460,7 +467,6 @@ void ckmc_cert_free(ckmc_cert_s *cert); int ckmc_load_cert_from_file(const char *file_path, ckmc_cert_s **cert); /** - * @internal * @brief Creates a new @a ckmc_pkcs12_s handle and returns it. * * @since_tizen 2.4 @@ -475,11 +481,12 @@ int ckmc_load_cert_from_file(const char *file_path, ckmc_cert_s **cert); * @param[in] ca_cert_list @a ckmc_cert_list_s list of chain certificate handles (optional) * @param[out] pkcs12_bundle The pointer to a newly created @a ckmc_pkcs12_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid or private_key, cert and - * ca_cert_list all are null. + * ca_cert_list all are null * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * * @see ckmc_pkcs12_free() 
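Review bot: The rewritten file_path description for ckmc_load_cert_from_file, `The only DER or PEM encoded certificate file is supported`, is ungrammatical; suggest `Only DER or PEM encoded certificate files are supported`. The other two hunks on this line only drop `@internal` and normalise the return documentation.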
@@ -508,13 +515,13 @@ int ckmc_pkcs12_new(ckmc_key_s *private_key, * * @param[in] file_path The path of PKCS12 file to be loaded * @param[in] passphrase The passphrase used to decrypt the PCKS12 file \n - * If PKCS12 file is not encrypted, passphrase can be null. + * If PKCS12 file is not encrypted, passphrase can be null * @param[out] private_key The pointer of newly created @a ckmc_key_s handle for a private key * @param[out] cert The pointer of newly created @a ckmc_cert_s handle for a certificate \n - * It is null if the PKCS12 file does not contain a certificate. + * It is null if the PKCS12 file does not contain a certificate * @param[out] ca_cert_list The pointer of newly created @a ckmc_cert_list_s handle for CA * certificates \n - * It is null if the PKCS12 file does not contain CA certificates. + * It is null if the PKCS12 file does not contain CA certificates * * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value @@ -548,10 +555,10 @@ int ckmc_load_from_pkcs12_file(const char *file_path, * * @param[in] file_path The path of PKCS12 file to be loaded * @param[in] passphrase The passphrase used to decrypt the PCKS12 file \n - * If PKCS12 file is not encrypted, passphrase can be null. + * If PKCS12 file is not encrypted, passphrase can be null * @param[out] ca_cert_list The pointer of newly created @a ckmc_cert_list_s handle for CA * certificates \n - * It is null if the PKCS12 file does not contain CA certificates. + * It is null if the PKCS12 file does not contain CA certificates * * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value 
@@ -581,12 +588,11 @@ int ckmc_pkcs12_load(const char *file_path, void ckmc_pkcs12_free(ckmc_pkcs12_s *pkcs12); /** - * @internal * @brief Creates a new @a ckmc_alias_list_s handle and returns it. * The alias pointer in the returned @a ckmc_alias_list_s handle points to the provided * characters and next is null. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks You must destroy the newly created @a ckmc_alias_list_s * by calling ckmc_alias_list_free() or ckmc_alias_list_all_free() if it is no longer @@ -595,9 +601,10 @@ void ckmc_pkcs12_free(ckmc_pkcs12_s *pkcs12); * @param[in] alias The first item to be set in the newly created @a ckmc_alias_list_s * @param[out] ppalias_list The pointer to a newly created @a ckmc_alias_list_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * 
@@ -607,21 +614,21 @@ void ckmc_pkcs12_free(ckmc_pkcs12_s *pkcs12); int ckmc_alias_list_new(char *alias, ckmc_alias_list_s **ppalias_list); /** - * @internal * @brief Creates a new @a ckmc_alias_list_s handle, adds it to a previous @a ckmc_alias_list_s and * returns it. The alias pointer in the returned @a ckmc_alias_list_s handle points to the * provided characters and next is null. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @param[in] previous The last @a ckmc_alias_list_s handle to which a newly created * @a ckmc_alias_list_s is added * @param[in] alias The item to be set in the newly created @a ckmc_alias_list_s * @param[out] pplast The pointer to a newly created and added @a ckmc_alias_list_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * @@ -633,11 +640,10 @@ int ckmc_alias_list_add(ckmc_alias_list_s *previous, ckmc_alias_list_s **pplast); /** - * @internal * @brief Destroys the @a ckmc_alias_list_s handle and releases resources of @a ckmc_alias_list_s * from the provided first handle cascadingly. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks It does not destroy an alias itself in @a ckmc_alias_list_s. * @@ -652,7 +658,7 @@ void ckmc_alias_list_free(ckmc_alias_list_s *first); * @brief Destroys the @a ckmc_alias_list_s handle and releases all its resources from the provided * first handle cascadingly. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks It also destroys the alias in @a ckmc_alias_list_s. * 
@@ -663,12 +669,11 @@ void ckmc_alias_list_free(ckmc_alias_list_s *first); void ckmc_alias_list_all_free(ckmc_alias_list_s *first); /** - * @internal * @brief Creates a new @a ckmc_cert_list_s handle and returns it. * The cert pointer in the returned @a ckmc_cert_list_s handle points to the provided * @a ckmc_cert_s and next is null. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks You must destroy the newly created @a ckmc_cert_list_s by calling ckmc_cert_list_free() * or ckmc_cert_list_all_free() if it is no longer needed. @@ -676,9 +681,10 @@ void ckmc_alias_list_all_free(ckmc_alias_list_s *first); * @param[in] cert The first item to be set in the newly created @a ckmc_cert_list_s * @param[out] ppalias_list The pointer to a newly created @a ckmc_alias_list_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * 
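Review bot: The ckmc_cert_list_new hunk keeps `@param[out] ppalias_list The pointer to a newly created @a ckmc_alias_list_s handle`, but the declaration that opens the next hunk is `int ckmc_cert_list_new(ckmc_cert_s *cert, ckmc_cert_list_s **ppalias_list);`, so the documented type is wrong; suggest `@param[out] ppalias_list The pointer to a newly created @a ckmc_cert_list_s handle`. The same copy-paste survives in the ckmc_cert_list_add hunk on the next line, where `The cert pointer in the returned @a ckmc_alias_list_s handle` and `@param[out] pplast The pointer to a newly created and added @a ckmc_alias_list_s handle` should both say ckmc_cert_list_s. In the last hunk on that line ckmc_cert_list_all_free keeps `@since_tizen 2.3` while ckmc_alias_list_all_free was raised to 2.4 two lines earlier; this looks like an oversight, worth confirming.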
@@ -688,21 +694,21 @@ void ckmc_alias_list_all_free(ckmc_alias_list_s *first); int ckmc_cert_list_new(ckmc_cert_s *cert, ckmc_cert_list_s **ppalias_list); /** - * @internal * @brief Creates a new @a ckmc_cert_list_s handle, adds it to a previous @a ckmc_cert_list_s and * returns it. The cert pointer in the returned @a ckmc_alias_list_s handle points to the * provided @a ckmc_cert_s and next is null. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @param[in] previous The last @a ckmc_cert_list_s handle to which a newly created * @a ckmc_cert_list_s is added * @param[in] cert The item to be set in the newly created @a ckmc_cert_list_s * @param[out] pplast The pointer to a newly created and added @a ckmc_alias_list_s handle * - * @return @c 0 on success, + * @return #CKMC_ERROR_NONE on success, * otherwise a negative error value * + * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory * @@ -712,11 +718,10 @@ int ckmc_cert_list_new(ckmc_cert_s *cert, ckmc_cert_list_s **ppalias_list); int ckmc_cert_list_add(ckmc_cert_list_s *previous, ckmc_cert_s *cert, ckmc_cert_list_s **pplast); /** - * @internal * @brief Destroys the @a ckmc_cert_list_s handle and releases resources of @a ckmc_cert_list_s * from the provided first handle cascadingly. * - * @since_tizen 2.3 + * @since_tizen 2.4 * * @remarks It does not destroy @a ckmc_cert_s itself in @a ckmc_cert_list_s. * @@ -733,7 +738,7 @@ void ckmc_cert_list_free(ckmc_cert_list_s *first); * * @since_tizen 2.3 * - * @remarks It also destroys @a ckmc_cert_s in ckmc_cert_list_s. + * @remarks It also destroys @a ckmc_cert_s in @a ckmc_cert_list_s. * * @param[in] first The first @a ckmc_cert_list_s handle to destroy * 
@@ -746,20 +751,21 @@ void ckmc_cert_list_all_free(ckmc_cert_list_s *first); * * @since_tizen 3.0 * - * @remarks Caller is responsible for freeing it with ckmc_param_list_free + * @remarks Caller is responsible for freeing it with ckmc_param_list_free() * * @param[in] ppparam_list Double pointer to the list variable to which the newly created list will - * be assigned. + * be assigned * - * @return @c 0 on success, otherwise a negative error value + * @return #CKMC_ERROR_NONE on success, + * otherwise a negative error value * * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * - * @see ckmc_param_list_add_integer - * @see ckmc_param_list_add_buffer - * @see ckmc_param_list_free - * @see ckmc_generate_params + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_param_list_free() + * @see ckmc_generate_params() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ 
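Review bot: The ckmc_param_list_new documentation names the parameter `ppparam_list` and marks it `[in]`, but the declaration shown at the head of the next hunk is `int ckmc_param_list_new(ckmc_param_list_s **ppparams);`, so Doxygen will not pair the two, and the pointer is where the new list is written. Suggest `@param[out] ppparams Double pointer to the list variable to which the newly created list will be assigned`. The parenthesised `@see` targets and the `#CKMC_ERROR_NONE` return wording in the rest of the hunk look fine.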
@@ -770,24 +776,27 @@ int ckmc_param_list_new(ckmc_param_list_s **ppparams); * * @since_tizen 3.0 * - * @remarks Caller is responsible for ckmc_param_list_s creation. + * @remarks Caller is responsible for @a ckmc_param_list_s creation. * - * @param[in] params List of params created with ckcm_param_list_new. - * @param[in] name Name of parameter to add. Existing parameter will be overwritten. Passing - * invalid parameter name will result in an error. - * @param[in] value Value of the parameter in form of a integer. + * @param[in] params List of params created with ckmc_param_list_new() or + * ckmc_generate_params() + * @param[in] name Name of parameter to add \n + * Existing parameter will be overwritten \n + * Passing invalid parameter name will result in an error + * @param[in] value Value of the parameter in form of a integer * - * @return @c 0 on success, otherwise a negative error value + * @return #CKMC_ERROR_NONE on success, + * otherwise a negative error value * * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * - * @see ckmc_param_list_new - * @see ckmc_param_list_add_buffer - * @see ckmc_param_list_get_integer - * @see ckmc_param_list_get_buffer - * @see ckmc_param_list_free - * @see ckmc_generate_params + * @see ckmc_param_list_new() + * @see ckmc_param_list_add_buffer() + * @see ckmc_param_list_get_integer() + * @see ckmc_param_list_get_buffer() + * @see ckmc_param_list_free() + * @see ckmc_generate_params() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ 
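Review bot: The rewritten value description keeps an article error, `Value of the parameter in form of a integer`; suggest `Value of the parameter in form of an integer`. The ckmc_param_list_get_integer hunk two lines down carries the same wording on its `[out] value` line and needs the same fix.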
@@ -800,25 +809,28 @@ int ckmc_param_list_add_integer(ckmc_param_list_s *params, * * @since_tizen 3.0 * - * @remarks Caller is responsible for ckmc_param_list_s creation. + * @remarks Caller is responsible for @a ckmc_param_list_s creation. * - * @param[in] params List of params created with ckcm_param_list_new. - * @param[in] name Name of parameter to add. Existing parameter will be overwritten. Passing - * invalid parameter name will result in an error - * @param[in] buffer Value of the parameter in form of a buffer. Caller is responsible for - * creating and freeing the buffer. + * @param[in] params List of params created with ckmc_param_list_new() + * or ckmc_generate_params() + * @param[in] name Name of parameter to add \n + * Existing parameter will be overwritten \n + * Passing invalid parameter name will result in an error + * @param[in] buffer Value of the parameter in form of a buffer \n + * Caller is responsible for creating and freeing the buffer * - * @return @c 0 on success, otherwise a negative error value + * @return #CKMC_ERROR_NONE on success, + * otherwise a negative error value * * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * - * @see ckmc_param_list_new - * @see ckmc_param_list_add_integer - * @see ckmc_param_list_get_integer - * @see ckmc_param_list_get_buffer - * @see ckmc_param_list_free - * @see ckmc_generate_params + * @see ckmc_param_list_new() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_get_integer() + * @see ckmc_param_list_get_buffer() + * @see ckmc_param_list_free() + * @see ckmc_generate_params() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ 
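Review bot: `Value of the parameter in form of a buffer \n Caller is responsible for creating and freeing the buffer` leaves open whether ckmc_param_list_add_buffer copies the buffer contents into the list or stores the pointer; if it is the latter, the buffer must stay valid until the list is freed or the parameter is overwritten, and freeing it earlier leaves the list dangling, which is exactly what a caller needs to be told. Suggest stating it explicitly, e.g. `@remarks The buffer is not copied; it must remain valid until the list is freed` or `@remarks The buffer contents are copied into the list`, whichever matches the implementation (not in this patch). The ckmc_param_list_add_buffer declaration itself is outside the hunk.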
@@ -831,23 +843,25 @@ int ckmc_param_list_add_buffer(ckmc_param_list_s *params, * * @since_tizen 3.0 * - * @remarks Caller is responsible for ckmc_param_list_s creation. + * @remarks Caller is responsible for @a ckmc_param_list_s creation. * - * @param[in] params List of params created with ckcm_param_list_new. - * @param[in] name Name of parameter to get. - * @param[out] value Value of the parameter in form of a integer. + * @param[in] params List of params created with ckmc_param_list_new() + * or ckmc_generate_params() + * @param[in] name Name of parameter to get + * @param[out] value Value of the parameter in form of a integer * - * @return @c 0 on success, otherwise a negative error value + * @return #CKMC_ERROR_NONE on success, + * otherwise a negative error value * * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * - * @see ckmc_param_list_new - * @see ckmc_param_list_add_integer - * @see ckmc_param_list_add_buffer - * @see ckmc_param_list_get_buffer - * @see ckmc_param_list_free - * @see ckmc_generate_params + * @see ckmc_param_list_new() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_param_list_get_buffer() + * @see ckmc_param_list_free() + * @see ckmc_generate_params() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ 
@@ -861,24 +875,26 @@ int ckmc_param_list_get_integer(const ckmc_param_list_s *params, * * @since_tizen 3.0 * - * @remarks Caller is responsible for ckmc_param_list_s creation. + * @remarks Caller is responsible for @a ckmc_param_list_s creation. * - * @param[in] params List of params created with ckcm_param_list_new. - * @param[in] name Name of parameter to get. - * @param[out] buffer Value of the parameter in form of a buffer. Caller is responsible for - * creating and freeing the buffer. + * @param[in] params List of params created with ckmc_param_list_new() + * or ckmc_generate_params() + * @param[in] name Name of parameter to get + * @param[out] buffer Value of the parameter in form of a buffer \n + * Caller is responsible for creating and freeing the buffer * - * @return @c 0 on success, otherwise a negative error value + * @return #CKMC_ERROR_NONE on success, + * otherwise a negative error value * * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * - * @see ckmc_param_list_new - * @see ckmc_param_list_add_integer - * @see ckmc_param_list_add_buffer - * @see ckmc_param_list_get_integer - * @see ckmc_param_list_free - * @see ckmc_generate_params + * @see ckmc_param_list_new() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_param_list_get_integer() + * @see ckmc_param_list_free() + * @see ckmc_generate_params() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ 
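Review bot: For an `[out]` parameter, `Caller is responsible for creating and freeing the buffer` is ambiguous: it does not say whether the caller passes a pre-allocated ckmc_raw_buffer_s that ckmc_param_list_get_buffer fills, or the function allocates one that the caller later releases with ckmc_buffer_free(). The declaration continues outside the hunk, so the pointer depth that would settle this is not visible here; either way the sentence should name which side allocates and which side frees.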
@@ -891,14 +907,14 @@ int ckmc_param_list_get_buffer(const ckmc_param_list_s *params, * * @since_tizen 3.0 * - * @param[in] first First element of the list to be freed. + * @param[in] first First element of the list to be freed * - * @see ckmc_param_list_new - * @see ckmc_param_list_add_integer - * @see ckmc_param_list_add_buffer - * @see ckmc_param_list_get_integer - * @see ckmc_param_list_get_buffer - * @see ckmc_generate_params + * @see ckmc_param_list_new() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_param_list_get_integer() + * @see ckmc_param_list_get_buffer() + * @see ckmc_generate_params() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ 
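Review bot: The hunk keeps `@param[in] first First element of the list to be freed` while the declaration shown in the next hunk's header is `void ckmc_param_list_free(ckmc_param_list_s *params);`, so the documented name does not match the parameter and Doxygen will flag it. Suggest `@param[in] params The list to be freed`, or rename the parameter to `first` if that is the intended reading.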
@@ -910,28 +926,29 @@ void ckmc_param_list_free(ckmc_param_list_s *params); * * @since_tizen 3.0 * - * @remarks Caller is responsible for ckmc_param_list_s creation and destruction. + * @remarks Caller is responsible for @a ckmc_param_list_s creation and destruction. * @remarks Algorithm parameters are set to default values. Optional fields are left empty. * Initialization vectors are left empty (they have to be added manually). Existing params * will be overwritten with default values. Caller is responsible for freeing the list with - * ckmc_param_list_free. - * @remarks If the function returns error provided param list may contain some of default parameters + * ckmc_param_list_free(). + * @remarks If the function returns error, provided param list may contain some of default parameters. * * @param[in] type Type of the algorithm - * @param[out] params List of params to be filled. List should be empty. Otherwise an error will - * be returned. + * @param[out] params List of params to be filled \n + * List should be empty, otherwise an error will be returned * - * @return @c 0 on success, otherwise a negative error value + * @return #CKMC_ERROR_NONE on success, + * otherwise a negative error value * * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * - * @see ckmc_param_list_new - * @see ckmc_param_list_add_integer - * @see ckmc_param_list_add_buffer - * @see ckmc_param_list_get_integer - * @see ckmc_param_list_get_buffer - * @see ckmc_param_list_free + * @see ckmc_param_list_new() + * @see ckmc_param_list_add_integer() + * @see ckmc_param_list_add_buffer() + * @see ckmc_param_list_get_integer() + * @see ckmc_param_list_get_buffer() + * @see ckmc_param_list_free() * @see #ckmc_param_list_s * @see #ckmc_param_name_e */ -- 2.7.4 From aac9dc5483f5faea151a510dcc40c3e44097cabd Mon Sep 17 00:00:00 2001 
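Review bot: The ckmc_generate_params documentation now contradicts itself: the untouched remark says `Existing params will be overwritten with default values`, while the rewritten parameter line says `List should be empty, otherwise an error will be returned`. Only one can be true; keep whichever the implementation does and drop the other (the implementation is not in this patch). The new remark also needs articles: `@remarks If the function returns an error, the provided param list may contain some of the default parameters.`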
From: Kyungwook Tak Date: Tue, 25 Aug 2015 09:04:51 +0900 Subject: [PATCH 14/16] Check platform feature(network) before check ocsp Change-Id: I87c60238b0a1c67c853a5d60f635162bf9375e71 Signed-off-by: Kyungwook Tak --- packaging/key-manager.spec | 1 + src/CMakeLists.txt | 3 +- src/include/ckm/ckm-error.h | 3 ++ src/include/ckmc/ckmc-error.h | 1 + src/include/ckmc/ckmc-manager.h | 1 + src/manager/client-capi/ckmc-type-converter.cpp | 2 + src/manager/service/ocsp-logic.cpp | 72 +++++++++++++++++++++---- src/manager/service/ocsp-logic.h | 5 +- 8 files changed, 77 insertions(+), 11 deletions(-) diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 4466607..a547123 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -19,6 +19,7 @@ BuildRequires: pkgconfig(libsystemd-daemon) BuildRequires: pkgconfig(vconf) BuildRequires: pkgconfig(libsystemd-journal) BuildRequires: pkgconfig(libxml-2.0) +BuildRequires: pkgconfig(capi-system-info) BuildRequires: boost-devel Requires: libkey-manager-common = %{version}-%{release} %{?systemd_requires} diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f76673f..47061c9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,13 +1,14 @@ PKG_CHECK_MODULES(KEY_MANAGER_DEP + REQUIRED dlog openssl libsmack libcrypto libsystemd-daemon capi-base-common + capi-system-info vconf libxml-2.0 - REQUIRED ) FIND_PACKAGE(Threads REQUIRED) diff --git a/src/include/ckm/ckm-error.h b/src/include/ckm/ckm-error.h index 671ec25..372bd98 100644 --- a/src/include/ckm/ckm-error.h +++ b/src/include/ckm/ckm-error.h @@ -93,6 +93,9 @@ extern "C" { /*! \brief indicating that files are corrupted or access to files was denied */ #define CKM_API_ERROR_FILE_SYSTEM -20 +/*! \brief indicating that device needed to run API is not supported */ +#define CKM_API_ERROR_NOT_SUPPORTED -21 + #define CKM_API_OCSP_STATUS_GOOD (1<<0) #define CKM_API_OCSP_STATUS_UNSUPPORTED (1<<1) #define CKM_API_OCSP_STATUS_UNKNOWN (1<<2) 
diff --git a/src/include/ckmc/ckmc-error.h b/src/include/ckmc/ckmc-error.h index a77520f..abbea8d 100644 --- a/src/include/ckmc/ckmc-error.h +++ b/src/include/ckmc/ckmc-error.h @@ -40,6 +40,7 @@ typedef enum { CKMC_ERROR_INVALID_PARAMETER = TIZEN_ERROR_INVALID_PARAMETER, /**< Invalid function parameter */ CKMC_ERROR_OUT_OF_MEMORY = TIZEN_ERROR_OUT_OF_MEMORY, /**< Out of memory */ CKMC_ERROR_PERMISSION_DENIED = TIZEN_ERROR_PERMISSION_DENIED, /**< Permission denied */ + CKMC_ERROR_NOT_SUPPORTED = TIZEN_ERROR_NOT_SUPPORTED, /**< Device needed to run API is not supported*/ CKMC_ERROR_SOCKET = TIZEN_ERROR_KEY_MANAGER | 0x01, /**< Socket error between client and Central Key Manager */ CKMC_ERROR_BAD_REQUEST = TIZEN_ERROR_KEY_MANAGER | 0x02, /**< Invalid request from client */ diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h index 6c53b24..4428158 100644 --- a/src/include/ckmc/ckmc-manager.h +++ b/src/include/ckmc/ckmc-manager.h @@ -1003,6 +1003,7 @@ int ckmc_get_cert_chain_with_trustedcert_alias(const ckmc_cert_s *cert, * @retval #CKMC_ERROR_NONE Successful * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager + * @retval #CKMC_ERROR_NOT_SUPPORTED Device needed to run API is not supported * * @pre User is already logged in and the user key is already loaded into memory in plain text form. * @pre @a pcert_chain_list is created with ckmc_get_certificate_chain() or diff --git a/src/manager/client-capi/ckmc-type-converter.cpp b/src/manager/client-capi/ckmc-type-converter.cpp index 75a957a..b85c885 100644 --- a/src/manager/client-capi/ckmc-type-converter.cpp +++ b/src/manager/client-capi/ckmc-type-converter.cpp 
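Review bot: The new enumerator comment `/**< Device needed to run API is not supported*/` lacks the space before `*/` that the neighbouring CKMC_ERROR_* comments have; suggest `/**< Device needed to run API is not supported */`. The added `@retval #CKMC_ERROR_NOT_SUPPORTED` in the ckmc-manager.h hunk sits in a comment block whose function is outside the hunk (the header only names the preceding ckmc_get_cert_chain_with_trustedcert_alias), so it is presumed to belong to the OCSP check the commit message refers to.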
@@ -46,6 +46,7 @@ int to_ckm_error(int ckmc_error) { case CKMC_ERROR_FILE_ACCESS_DENIED: return CKM_API_ERROR_FILE_ACCESS_DENIED; case CKMC_ERROR_NOT_EXPORTABLE: return CKM_API_ERROR_NOT_EXPORTABLE; case CKMC_ERROR_FILE_SYSTEM: return CKM_API_ERROR_FILE_SYSTEM; + case CKMC_ERROR_NOT_SUPPORTED: return CKM_API_ERROR_NOT_SUPPORTED; case CKMC_ERROR_UNKNOWN: return CKM_API_ERROR_UNKNOWN; } return CKMC_ERROR_UNKNOWN; @@ -74,6 +75,7 @@ int to_ckmc_error(int ckm_error) { case CKM_API_ERROR_FILE_ACCESS_DENIED: return CKMC_ERROR_FILE_ACCESS_DENIED; case CKM_API_ERROR_NOT_EXPORTABLE: return CKMC_ERROR_NOT_EXPORTABLE; case CKM_API_ERROR_FILE_SYSTEM: return CKMC_ERROR_FILE_SYSTEM; + case CKM_API_ERROR_NOT_SUPPORTED: return CKMC_ERROR_NOT_SUPPORTED; case CKM_API_ERROR_UNKNOWN: return CKMC_ERROR_UNKNOWN; } return CKMC_ERROR_UNKNOWN; diff --git a/src/manager/service/ocsp-logic.cpp b/src/manager/service/ocsp-logic.cpp index af39e20..e5b2b11 100644 --- a/src/manager/service/ocsp-logic.cpp +++ b/src/manager/service/ocsp-logic.cpp @@ -16,9 +16,16 @@ * * @file ocsp-logic.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @author Kyungwook Tak (k.tak@samsung.com) * @version 1.0 * @brief OCSP logic implementation. */ + +#include +#include + +#include + #include #include 
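Review bot: The fall-through `return CKMC_ERROR_UNKNOWN;` at the end of `to_ckm_error` returns a CKMC_ value from a function whose job is to produce CKM_API_ codes, so an unmapped client error reaches the service side as whatever integer that enumerator happens to hold; this is pre-existing context, but the new `CKMC_ERROR_NOT_SUPPORTED` case is added directly above it. Unless the two enumerations are defined to share values (not visible here), that line should read `return CKM_API_ERROR_UNKNOWN;`, mirroring the `return CKMC_ERROR_UNKNOWN;` that is correct in `to_ckmc_error`. The include hunk for ocsp-logic.cpp on this line has its include targets stripped in this rendering and could not be checked.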
@@ -29,24 +36,71 @@ #include #include +namespace { + +const std::vector FEATURES = { + "tizen.org/feature/network.internet", + "tizen.org/feature/network.telephony", + "tizen.org/feature/network.tethering.bluetooth", + "tizen.org/feature/network.ethernet"}; + +} // namespace anonymous + namespace CKM { +OCSPLogic::OCSPLogic() : m_isNetAvailable(false) +{ + setNetAvailable(); +} + +void OCSPLogic::setNetAvailable() +{ + bool value; + int ret; + + for (const auto &feature : FEATURES) { + value = false; + + ret = system_info_get_platform_bool(feature.c_str(), &value); + if (ret != SYSTEM_INFO_ERROR_NONE) { + LogError("Error in system_info_get_platform_bool. ret : " << ret); + continue; + } + + if (value) { + m_isNetAvailable = true; + return; + } + } + + m_isNetAvailable = false; +} + RawBuffer OCSPLogic::ocspCheck(int commandId, const RawBufferVector &rawChain) { CertificateImplVector certChain; OCSPModule ocsp; int retCode = CKM_API_SUCCESS; int ocspStatus = CKM_API_OCSP_STATUS_INTERNAL_ERROR; - if(rawChain.size() < 2) { - LogError("Certificate chain should contain at least 2 certificates"); - retCode = CKM_API_ERROR_INPUT_PARAM; + if (!m_isNetAvailable) { + /* try again for in case of system-info error */ + setNetAvailable(); + } + + if (!m_isNetAvailable) { + retCode = CKM_API_ERROR_NOT_SUPPORTED; } else { - for (auto &e: rawChain) { - certChain.push_back(CertificateImpl(e, DataFormat::FORM_DER)); - if (certChain.rbegin()->empty()) { - LogDebug("Error in parsing certificates!"); - retCode = CKM_API_ERROR_INPUT_PARAM; - break; + if (rawChain.size() < 2) { + LogError("Certificate chain should contain at least 2 certificates"); + retCode = CKM_API_ERROR_INPUT_PARAM; + } else { + for (auto &e: rawChain) { + certChain.push_back(CertificateImpl(e, DataFormat::FORM_DER)); + if (certChain.rbegin()->empty()) { + LogDebug("Error in parsing certificates!"); + retCode = CKM_API_ERROR_INPUT_PARAM; + break; + } } } } 
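Review bot: `m_isNetAvailable`, as consulted at the top of `ocspCheck`, is derived from `system_info_get_platform_bool` feature flags, which describe what the platform was built with rather than whether any network is currently up, so a true value does not mean the OCSP responder is reachable and connectivity failures still have to surface through the `ocspStatus` path further down (the function continues outside the hunk). Re-probing on every call while the flag is false also means a device without those features pays four system-info lookups per request, which is acceptable but not obvious. Both points deserve a comment above the check, e.g. `// Platform capability only, not live connectivity; re-probed per call because a transient system-info error leaves the flag false.` Note also that `CKM_API_ERROR_NOT_SUPPORTED` is returned before the chain is validated, so malformed input on such a device is reported as NOT_SUPPORTED rather than INPUT_PARAM; if that is intended, say so in the same comment.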
diff --git a/src/manager/service/ocsp-logic.h b/src/manager/service/ocsp-logic.h index f0dcab4..386aec8 100644 --- a/src/manager/service/ocsp-logic.h +++ b/src/manager/service/ocsp-logic.h @@ -27,7 +27,7 @@ namespace CKM { class OCSPLogic { public: - OCSPLogic(){} + OCSPLogic(); OCSPLogic(const OCSPLogic &) = delete; OCSPLogic(OCSPLogic &&) = delete; OCSPLogic& operator=(const OCSPLogic &) = delete; @@ -35,6 +35,9 @@ public: RawBuffer ocspCheck(int commandId, const RawBufferVector &rawChain); virtual ~OCSPLogic(){} +private: + void setNetAvailable(); + bool m_isNetAvailable; }; -- 2.7.4 From ea59c2825e3b8bb2b42ea30f113a96e32dff16bb Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Mon, 17 Aug 2015 14:31:36 +0200 Subject: [PATCH 15/16] Replace smack label with pkgId. Change-Id: I2775a65349bf2103cf7de4702572b031244d9f28 --- packaging/key-manager.spec | 1 + src/CMakeLists.txt | 2 + src/include/ckmc/ckmc-type.h | 31 +++++ src/manager/client-capi/ckmc-type.cpp | 4 +- src/manager/common/protocols.cpp | 3 +- src/manager/common/protocols.h | 3 +- src/manager/initial-values/InitialValueHandler.cpp | 8 +- src/manager/main/socket-2-id.cpp | 128 +++++++++++++++++++++ src/manager/main/socket-2-id.h | 42 +++++++ src/manager/main/socket-manager.cpp | 28 ++--- src/manager/service/ckm-logic.cpp | 10 +- 11 files changed, 227 insertions(+), 33 deletions(-) create mode 100644 src/manager/main/socket-2-id.cpp create mode 100644 src/manager/main/socket-2-id.h diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index a547123..7329cf3 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -20,6 +20,7 @@ BuildRequires: pkgconfig(vconf) BuildRequires: pkgconfig(libsystemd-journal) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(capi-system-info) +BuildRequires: pkgconfig(security-manager) BuildRequires: boost-devel Requires: libkey-manager-common = %{version}-%{release} %{?systemd_requires} 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 47061c9..2fa3e94 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -9,6 +9,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_DEP capi-system-info vconf libxml-2.0 + security-manager ) FIND_PACKAGE(Threads REQUIRED) @@ -18,6 +19,7 @@ SET(KEY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src/manager) SET(KEY_MANAGER_SOURCES ${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp ${KEY_MANAGER_PATH}/main/socket-manager.cpp + ${KEY_MANAGER_PATH}/main/socket-2-id.cpp ${KEY_MANAGER_PATH}/main/key-manager-main.cpp ${KEY_MANAGER_PATH}/main/smack-check.cpp ${KEY_MANAGER_PATH}/main/thread-service.cpp diff --git a/src/include/ckmc/ckmc-type.h b/src/include/ckmc/ckmc-type.h index e0a6e60..4f2fce1 100644 --- a/src/include/ckmc/ckmc-type.h +++ b/src/include/ckmc/ckmc-type.h @@ -38,6 +38,16 @@ extern "C" { * @{ */ +/* + * Note: on tizen 3.0 owner id is equal to pkgId. + * Preinstalled system(uid < 5000) and user (uid >= 5000) applications + * does not have any pkgId. Thats why ckm uses special "virtual" + * pkgid for them. The virtual strings are defined under: + * ckmc_ownerid_system + * ckmc_ownerid_user + * + */ + /** * @brief Separator between alias and label. * @since_tizen 2.3 @@ -49,6 +59,9 @@ extern "C" { KEY_MANAGER_CAPI extern char const * const ckmc_label_name_separator; /** + * This is deprecated: Tizen 3.0 does not use smack labels directly. + * You should use pkgId instead. + * * @brief Shared owner label * @since_tizen 3.0 * @remarks Shared database label - user may be given permission to access shared 
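Review bot: The deprecation of `ckmc_label_shared_owner` in ckmc-type.h is stated only as a prose sentence inside the Doxygen block, so neither the generated API reference nor the compiler gives clients any signal; add a `@deprecated Use ckmc_owner_id_system instead.` tag to that block (and, if the project's warning settings allow it, `__attribute__((deprecated))` on the declaration). The new note block above it should also say where the "virtual" ids come from, i.e. that the service derives them from the peer's smack label rather than accepting them from the client, since that is what the owner-id scheme relies on. Minor wording in the same note: `Thats why` → `That's why`, `does not have any pkgId` → `do not have a pkgId`.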
@@ -61,6 +74,24 @@ KEY_MANAGER_CAPI extern char const * const ckmc_label_name_separator; KEY_MANAGER_CAPI extern char const * const ckmc_label_shared_owner; /** + * alias can be provided as an alias alone, or together with owner id - in this + * case, separator " " (space bar) is used to separate id and alias. + * @see key-manager_doc.h + */ +KEY_MANAGER_CAPI extern char const * const ckmc_owner_id_separator; + +/** + * ckmc_owner_id_system constains id connected with all SYSTEM applications that runs + * with uid less then 5000. + * + * Client should use ckmc_owner_id_system to access data owned by system application + * and stored in system database. + * + * Note: Client must have permission to access proper row. + */ +KEY_MANAGER_CAPI extern char const * const ckmc_owner_id_system; + +/** * @brief Enumeration for key types of key manager. * @since_tizen 2.3 */ diff --git a/src/manager/client-capi/ckmc-type.cpp b/src/manager/client-capi/ckmc-type.cpp index c7458ab..6f1ddd2 100644 --- a/src/manager/client-capi/ckmc-type.cpp +++ b/src/manager/client-capi/ckmc-type.cpp @@ -67,7 +67,9 @@ int _ckmc_load_cert_from_x509(X509 *xCert, ckmc_cert_s **cert) const char * const ckmc_label_name_separator = CKM::LABEL_NAME_SEPARATOR; -const char * const ckmc_label_shared_owner = CKM::LABEL_SYSTEM_DB; +const char * const ckmc_label_shared_owner = CKM::OWNER_ID_SYSTEM; +const char * const ckmc_owner_id_separator = CKM::LABEL_NAME_SEPARATOR; +const char * const ckmc_owner_id_system = CKM::OWNER_ID_SYSTEM; KEY_MANAGER_CAPI int ckmc_key_new(unsigned char *raw_key, size_t key_size, ckmc_key_type_e key_type, char *password, ckmc_key_s **ppkey) diff --git a/src/manager/common/protocols.cpp b/src/manager/common/protocols.cpp index 91a3497..6f6c6c2 100644 --- a/src/manager/common/protocols.cpp +++ b/src/manager/common/protocols.cpp 
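Review bot: The new documentation for `ckmc_owner_id_system` contains wording errors that will be published in the API reference: `constains` → `contains`, `applications that runs` → `applications that run`, `less then 5000` → `less than 5000`. The `ckmc_owner_id_separator` block also lacks the `@brief` and `@since_tizen` tags every neighbouring declaration carries; add `@brief Separator between owner id and alias.` and `@since_tizen 3.0`. In ckmc-type.cpp, `ckmc_label_shared_owner` and `ckmc_owner_id_system` now both alias `CKM::OWNER_ID_SYSTEM`, which is worth a one-line comment so nobody later changes one without the other.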
@@ -35,8 +35,7 @@ char const * const SERVICE_SOCKET_CKM_STORAGE = "/tmp/.central-key-manager-api-s char const * const SERVICE_SOCKET_OCSP = "/tmp/.central-key-manager-api-ocsp.sock"; char const * const SERVICE_SOCKET_ENCRYPTION = "/tmp/.central-key-manager-api-encryption.sock"; char const * const LABEL_NAME_SEPARATOR = " "; -char const * const LABEL_SYSTEM_DB = "/"; - +char const * const OWNER_ID_SYSTEM = "/System"; PKCS12Serializable::PKCS12Serializable() {} PKCS12Serializable::PKCS12Serializable(const PKCS12 &pkcs) diff --git a/src/manager/common/protocols.h b/src/manager/common/protocols.h index 4f0fd2c..63a92bd 100644 --- a/src/manager/common/protocols.h +++ b/src/manager/common/protocols.h @@ -75,7 +75,8 @@ enum class EncryptionCommand : int { // (client side) Alias = (service side) Label::Name COMMON_API extern char const * const LABEL_NAME_SEPARATOR; -COMMON_API extern char const * const LABEL_SYSTEM_DB; +COMMON_API extern char const * const OWNER_ID_SYSTEM; + typedef std::string Name; typedef std::vector > LabelNameVector; diff --git a/src/manager/initial-values/InitialValueHandler.cpp b/src/manager/initial-values/InitialValueHandler.cpp index b811aa7..43f9ef3 100644 --- a/src/manager/initial-values/InitialValueHandler.cpp +++ b/src/manager/initial-values/InitialValueHandler.cpp @@ -70,9 +70,9 @@ void InitialValueHandler::End() // save data Policy policy(m_password, m_exportable); int ec = m_db_logic.verifyAndSaveDataHelper( - Credentials(CKMLogic::SYSTEM_DB_UID, LABEL_SYSTEM_DB), + Credentials(CKMLogic::SYSTEM_DB_UID, OWNER_ID_SYSTEM), m_name, - LABEL_SYSTEM_DB, + OWNER_ID_SYSTEM, m_bufferHandler->getData(), getDataType(), PolicySerializable(policy)); 
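Review bot: `OWNER_ID_SYSTEM = "/System"` silently depends on the mapping in socket-2-id.cpp, where a non-application smack label is turned into `"/" + label`, so this constant identifies system services only while that prefix rule and the `System` label stay as they are. Add `// Owner id of system services: Socket2Id maps a non-app smack label L to "/" + L, so this must equal "/" followed by the system label.` next to the definition in protocols.cpp so the coupling is visible from both sides. The removed blank line before `PKCS12Serializable` is a style nit only.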
@@ -82,9 +82,9 @@ void InitialValueHandler::End() for(const auto & permission : m_permissions) { ec = m_db_logic.setPermissionHelper( - Credentials(CKMLogic::SYSTEM_DB_UID, LABEL_SYSTEM_DB), + Credentials(CKMLogic::SYSTEM_DB_UID, OWNER_ID_SYSTEM), m_name, - LABEL_SYSTEM_DB, + OWNER_ID_SYSTEM, permission->getAccessor(), Permission::READ); if(CKM_API_SUCCESS != ec) diff --git a/src/manager/main/socket-2-id.cpp b/src/manager/main/socket-2-id.cpp new file mode 100644 index 0000000..b522b5f --- /dev/null +++ b/src/manager/main/socket-2-id.cpp 
@@ -0,0 +1,128 @@ +/* + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file socket-2-id.cpp + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ +#include +#include +#include + +#include + +#include +#include +#include + +namespace CKM { +namespace { + +int getCredentialsFromSocket(int sock, std::string &res) { + std::vector result(1); + socklen_t length = 1; + + if ((0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) + && errno != ERANGE) + { + LogError("getsockopt failed"); + return -1; + } + + result.resize(length); + + if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) { + LogError("getsockopt failed"); + return -1; + } + + result.push_back('\0'); + res = result.data(); + return 0; +} + +int getPkgIdFromSmack(const std::string &smack, std::string &pkgId) { + // TODO + // Conversion from smack label to pkgId should be done + // by security-manager. Current version of security-manager + // does not support this feature yet. + + static const std::string SMACK_PREFIX_APPID = "User::App::"; + + if (smack.empty()) { + LogError("Smack is empty. 
Connection will be rejected"); + return -1; + } + + if (smack.compare(0, SMACK_PREFIX_APPID.size(), SMACK_PREFIX_APPID)) { + pkgId = "/" + smack; + LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId); + return 0; + } + + std::string appId = smack.substr(SMACK_PREFIX_APPID.size(), std::string::npos); + + char *pkg = nullptr; + + if (0 > security_manager_get_app_pkgid(&pkg, appId.c_str())) { + LogError("Error in security_manager_get_app_pkgid"); + return -1; + } + + if (!pkg) { + LogError("PkgId could not be NULL"); + return -1; + } + + pkgId = pkg; + free(pkg); + LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId); + return 0; +} + +} // namespace anonymous + + +int Socket2Id::translate(int sock, std::string &result) { + std::string smack; + + if (0 > getCredentialsFromSocket(sock, smack)) { + return -1; + } + + StringMap::iterator it = m_stringMap.find(smack); + + if (it != m_stringMap.end()) { + result = it->second; + return 0; + } + + std::string pkgId; + if (0 > getPkgIdFromSmack(smack, pkgId)) { + return -1; + } + + result = pkgId; + m_stringMap.emplace(std::move(smack), std::move(pkgId)); + return 0; +} + +void Socket2Id::resetCache() { + m_stringMap.clear(); +} + +} // namespace CKM + diff --git a/src/manager/main/socket-2-id.h b/src/manager/main/socket-2-id.h new file mode 100644 index 0000000..1e83662 --- /dev/null +++ b/src/manager/main/socket-2-id.h 
@@ -0,0 +1,42 @@ +/* + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file socket-2-id.h + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ +#pragma once + +#include +#include + +namespace CKM { + +class Socket2Id { +public: + Socket2Id() {} + + int translate(int sock, std::string &result); + void resetCache(); + + virtual ~Socket2Id() {} +private: + typedef std::map StringMap; + StringMap m_stringMap; +}; + +} // namespace CKM + diff --git a/src/manager/main/socket-manager.cpp b/src/manager/main/socket-manager.cpp index f831d8e..9d6a632 100644 --- a/src/manager/main/socket-manager.cpp +++ b/src/manager/main/socket-manager.cpp @@ -1,7 +1,5 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
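Review bot: The `Socket2Id` header documents neither what the string returned by `translate` is nor the lifetime and thread-safety of the cache, which is exactly what a caller deciding when to invoke `resetCache()` needs to know. Add a comment above the class stating that `translate` resolves the connected peer's smack label (read via SO_PEERSEC) to an owner id — the package id for `User::App::` labels, `"/" + label` otherwise — that results are kept in `m_stringMap` until `resetCache()` is called, and that no locking is provided. `virtual ~Socket2Id() {}` on a class with no other virtual members can simply be `~Socket2Id() = default;`.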
@@ -46,39 +44,29 @@ #include #include +#include namespace { const time_t SOCKET_TIMEOUT = 1000; int getCredentialsFromSocket(int sock, CKM::Credentials &cred) { - std::vector result(1); - socklen_t length = 1; - ucred peerCred; - - if ((0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) - && errno != ERANGE) - { - LogError("getsockopt failed"); - return -1; - } - - result.resize(length); + static CKM::Socket2Id sock2id; + std::string ownerId; - if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) { - LogError("getsockopt failed"); + if (0 > sock2id.translate(sock, ownerId)) { return -1; } - length = sizeof(ucred); + ucred peerCred; + socklen_t length = sizeof(ucred); if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peerCred, &length)) { LogError("getsockopt failed"); return -1; } - result.push_back('\0'); - cred = CKM::Credentials(peerCred.uid, result.data()); + cred = CKM::Credentials(peerCred.uid, std::move(ownerId)); return 0; } diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index c5915e8..b0cea2c 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -191,7 +191,7 @@ UserData & CKMLogic::selectDatabase(const Credentials &cred, const Label &incomi if (0 == m_userDataMap.count(cred.clientUid)) ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked"); - if (0 != incoming_label.compare(LABEL_SYSTEM_DB)) + if (0 != incoming_label.compare(OWNER_ID_SYSTEM)) return m_userDataMap[cred.clientUid]; } @@ -1047,7 +1047,7 @@ RawBuffer CKMLogic::getDataList( { // lookup system DB retCode = getDataListHelper(Credentials(SYSTEM_DB_UID, - LABEL_SYSTEM_DB), + OWNER_ID_SYSTEM), dataType, systemVector); } 
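Review bot: `static CKM::Socket2Id sock2id;` in `getCredentialsFromSocket` makes the smack-label→owner-id cache live for the whole daemon process, and no caller of `resetCache()` appears anywhere in this series, so a label that later maps to a different package id (app reinstalled under another package) keeps its stale owner id until restart. Either hook `resetCache()` to the event that changes package mappings or leave the cache out until that exists, and record the choice in a comment next to the static, e.g. `// Process-lifetime cache of peer label -> owner id; must be reset when package mappings change.` If this function can be entered from more than one thread, the `std::map` inside the static also needs a lock, which cannot be determined from this hunk.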
@@ -1094,7 +1094,7 @@ int CKMLogic::saveDataHelper( // use client label if not explicitly provided const Label &ownerLabel = label.empty() ? cred.smackLabel : label; - if( m_accessControl.isSystemService(cred) && ownerLabel.compare(LABEL_SYSTEM_DB)!=0) + if( m_accessControl.isSystemService(cred) && ownerLabel.compare(OWNER_ID_SYSTEM)!=0) return CKM_API_ERROR_INPUT_PARAM; // check if save is possible @@ -1123,7 +1123,7 @@ int CKMLogic::saveDataHelper( // use client label if not explicitly provided const Label &ownerLabel = label.empty() ? cred.smackLabel : label; - if( m_accessControl.isSystemService(cred) && ownerLabel.compare(LABEL_SYSTEM_DB)!=0) + if( m_accessControl.isSystemService(cred) && ownerLabel.compare(OWNER_ID_SYSTEM)!=0) return CKM_API_ERROR_INPUT_PARAM; // check if save is possible @@ -1579,7 +1579,7 @@ int CKMLogic::setPermissionHelper( return CKM_API_ERROR_INPUT_PARAM; // system database does not support write/remove permissions - if ((0 == ownerLabel.compare(LABEL_SYSTEM_DB)) && + if ((0 == ownerLabel.compare(OWNER_ID_SYSTEM)) && (permissionMask & Permission::REMOVE)) return CKM_API_ERROR_INPUT_PARAM; -- 2.7.4 From bbaf47ebb5d4e4f1f43872a4be80136fa3949fcb Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Mon, 24 Aug 2015 11:39:02 +0200 Subject: [PATCH 16/16] Add mockup for security-manager. Security-manager mockup should be used with unit-tests. CKM compilation with mockup: gbs lb -A i586 --define "build_type DEBUG" --define "mockup_sm ON" Note: It's not possible to compile RELEASE version of CKM with mockup. Change-Id: I793ec55010b3826dd9d4157ce4e33f555dee14c0 --- packaging/key-manager.spec | 3 +- src/CMakeLists.txt | 12 ++++- src/manager/main/socket-2-id-mockup.cpp | 86 +++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 src/manager/main/socket-2-id-mockup.cpp diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 7329cf3..d39cdbd 100644 
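Review bot: `cred.smackLabel` in both `saveDataHelper` overloads is now populated with the owner id produced by `Socket2Id` (a package id or `"/" + label`) rather than a raw smack label, but the field name and the local `ownerLabel` still read as if a smack label were being compared, which will mislead the next change to this access check. Until the field is renamed, add `// cred.smackLabel holds the owner id (pkgId or "/"+label) resolved by Socket2Id, not a raw smack label` above `const Label &ownerLabel = label.empty() ? cred.smackLabel : label;`. Both `saveDataHelper` bodies continue outside the hunk.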
--- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -120,7 +120,8 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions " -DSECURITY_MDFPP_STATE_ENABLE=1 \ %endif -DSYSTEMD_UNIT_DIR=%{_unitdir} \ - -DSYSTEMD_ENV_FILE="/etc/sysconfig/central-key-manager" + -DSYSTEMD_ENV_FILE="/etc/sysconfig/central-key-manager" \ + -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} make %{?jobs:-j%jobs} diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 2fa3e94..30d56ab 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -16,10 +16,19 @@ FIND_PACKAGE(Threads REQUIRED) SET(KEY_MANAGER_SRC_PATH ${PROJECT_SOURCE_DIR}/src) SET(KEY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src/manager) +IF (MOCKUP_SM MATCHES "ON") + IF (CMAKE_BUILD_TYPE MATCHES "RELEASE") + MESSAGE(FATAL_ERROR "You cannot compile release version with mockups!") + ENDIF (CMAKE_BUILD_TYPE MATCHES "RELEASE") + MESSAGE("USING MOCKUP INSTEAD SECURITY MANAGER") + SET(SECURITY_MANAGER_PATH ${KEY_MANAGER_PATH}/main/socket-2-id-mockup.cpp) +ELSE (MOCKUP_SM MATCHES "ON") + SET(SECURITY_MANAGER_PATH ${KEY_MANAGER_PATH}/main/socket-2-id.cpp) +ENDIF (MOCKUP_SM MATCHES "ON") + SET(KEY_MANAGER_SOURCES ${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp ${KEY_MANAGER_PATH}/main/socket-manager.cpp - ${KEY_MANAGER_PATH}/main/socket-2-id.cpp ${KEY_MANAGER_PATH}/main/key-manager-main.cpp ${KEY_MANAGER_PATH}/main/smack-check.cpp ${KEY_MANAGER_PATH}/main/thread-service.cpp @@ -58,6 +67,7 @@ SET(KEY_MANAGER_SOURCES ${KEY_MANAGER_PATH}/crypto/platform/decider.cpp ${KEY_MANAGER_PATH}/crypto/tz-backend/key.cpp ${KEY_MANAGER_PATH}/crypto/tz-backend/store.cpp + ${SECURITY_MANAGER_PATH} ) # -fPIE and -pie flag is added for ASLR diff --git a/src/manager/main/socket-2-id-mockup.cpp b/src/manager/main/socket-2-id-mockup.cpp new file mode 100644 index 0000000..d031a02 --- /dev/null +++ b/src/manager/main/socket-2-id-mockup.cpp 
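Review bot: The mock-up guard in CMakeLists.txt only rejects `CMAKE_BUILD_TYPE MATCHES "RELEASE"`, so any other or unset build type (`RelWithDebInfo`, `MinSizeRel`, an empty value, or `Release` in mixed case, since MATCHES is case-sensitive) still links the mock that maps every smack label straight to an owner id without consulting security-manager. Since the commit message says the mock-up is for unit tests only, invert it to an allow-list: `IF (NOT CMAKE_BUILD_TYPE MATCHES "DEBUG")` with `MESSAGE(FATAL_ERROR "Mockups are only allowed in DEBUG builds!")`. The spec change that derives `-DMOCKUP_SM` from `%{?mockup_sm}` is fine as written.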
@@ -0,0 +1,86 @@ +/* + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file socket-2-id-mockup.cpp + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ +#include +#include +#include + +#include + +#include +#include +#include + +namespace CKM { +namespace { + +int getCredentialsFromSocket(int sock, std::string &res) { + std::vector result(1); + socklen_t length = 1; + + if ((0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) + && errno != ERANGE) + { + LogError("getsockopt failed"); + return -1; + } + + result.resize(length); + + if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) { + LogError("getsockopt failed"); + return -1; + } + + result.push_back('\0'); + res = result.data(); + return 0; +} + +int getPkgIdFromSmack(const std::string &smack, std::string &pkgId) { + pkgId = smack; + return 0; +} + +} // namespace anonymous + + +int Socket2Id::translate(int sock, std::string &result) { + std::string smack; + std::string pkgId; + + if (0 > getCredentialsFromSocket(sock, smack)) { + return -1; + } + + if (0 > getPkgIdFromSmack(smack, pkgId)) { + return -1; + } + + result = pkgId; + return 0; +} + +void Socket2Id::resetCache() { + m_stringMap.clear(); +} + +} // namespace CKM + -- 2.7.4
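Review bot: The mock `getPkgIdFromSmack` returns the smack label unchanged, whereas the production version in socket-2-id.cpp prefixes non-application labels with `/`, so under the mock a peer labelled `System` resolves to `System`, which never equals `OWNER_ID_SYSTEM` (`/System`) and tests of the system-database paths would exercise the wrong branch. Keep the production prefix rule in the mock — `pkgId = "/" + smack;` for labels that do not start with `User::App::` — or document the divergence at the top of the file. `getCredentialsFromSocket` is copied verbatim from socket-2-id.cpp; moving it to a shared translation unit would stop the mock drifting from the code it stands in for, and `m_stringMap` is then only cleared, never filled, in this file.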