Change-Id: I62335aa31fa14bf2712a72605c97ad5e9fed8a09
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
namespace {
const CKM::InterfaceID SOCKET_ID_CONTROL = 0;
const CKM::InterfaceID SOCKET_ID_STORAGE = 1;
namespace {
const CKM::InterfaceID SOCKET_ID_CONTROL = 0;
const CKM::InterfaceID SOCKET_ID_STORAGE = 1;
+
+template <typename ...Args>
+CKM::RawBuffer disallowed(int command, int msgID, Args&&... args) {
+ LogError("Disallowed command: " << command);
+ return CKM::MessageBuffer::Serialize(command,
+ msgID,
+ CKM_API_ERROR_ACCESS_DENIED,
+ std::move(args)...).Pop();
+}
} // namespace anonymous
namespace CKM {
} // namespace anonymous
namespace CKM {
-// CKMService does not support security check
-// so 3rd parameter is not used
bool CKMService::ProcessOne(
const ConnectionID &conn,
ConnectionInfo &info,
bool CKMService::ProcessOne(
const ConnectionID &conn,
ConnectionInfo &info,
{
LogDebug ("process One");
RawBuffer response;
{
LogDebug ("process One");
RawBuffer response;
if (info.interfaceID == SOCKET_ID_CONTROL)
response = ProcessControl(info.buffer);
else
if (info.interfaceID == SOCKET_ID_CONTROL)
response = ProcessControl(info.buffer);
else
- response = ProcessStorage(info.credentials, info.buffer);
+ response = ProcessStorage(info.credentials, info.buffer, allowed);
m_serviceManager->Write(conn, response);
m_serviceManager->Write(conn, response);
-RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer)
+RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, bool allowed)
{
int command = 0;
int msgID = 0;
{
int command = 0;
int msgID = 0;
RawBuffer rawData;
PolicySerializable policy;
buffer.Deserialize(tmpDataType, name, label, rawData, policy);
RawBuffer rawData;
PolicySerializable policy;
buffer.Deserialize(tmpDataType, name, label, rawData, policy);
+
+ if (!allowed)
+ return disallowed(command, msgID, static_cast<int>(DataType(tmpDataType)));
+
return m_logic->saveData(
cred,
msgID,
return m_logic->saveData(
cred,
msgID,
PKCS12Serializable pkcs;
PolicySerializable keyPolicy, certPolicy;
buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy);
PKCS12Serializable pkcs;
PolicySerializable keyPolicy, certPolicy;
buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->savePKCS12(
cred,
msgID,
return m_logic->savePKCS12(
cred,
msgID,
case LogicCommand::REMOVE:
{
buffer.Deserialize(name, label);
case LogicCommand::REMOVE:
{
buffer.Deserialize(name, label);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->removeData(
cred,
msgID,
return m_logic->removeData(
cred,
msgID,
{
Password password;
buffer.Deserialize(tmpDataType, name, label, password);
{
Password password;
buffer.Deserialize(tmpDataType, name, label, password);
+
+ if (!allowed)
+ return disallowed(command,
+ msgID,
+ static_cast<int>(DataType(tmpDataType)),
+ RawBuffer());
+
return m_logic->getData(
cred,
msgID,
return m_logic->getData(
cred,
msgID,
label,
passKey,
passCert);
label,
passKey,
passCert);
+
+ if (!allowed)
+ return disallowed(command, msgID, PKCS12Serializable());
+
return m_logic->getPKCS12(
cred,
msgID,
return m_logic->getPKCS12(
cred,
msgID,
case LogicCommand::GET_LIST:
{
buffer.Deserialize(tmpDataType);
case LogicCommand::GET_LIST:
{
buffer.Deserialize(tmpDataType);
+
+ if (!allowed)
+ return disallowed(command,
+ msgID,
+ static_cast<int>(DataType(tmpDataType)),
+ LabelNameVector());
+
return m_logic->getDataList(
cred,
msgID,
return m_logic->getDataList(
cred,
msgID,
policyKey,
keyName,
keyLabel);
policyKey,
keyName,
keyLabel);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->createKeyAES(
cred,
msgID,
return m_logic->createKeyAES(
cred,
msgID,
privateKeyLabel,
publicKeyName,
publicKeyLabel);
privateKeyLabel,
publicKeyName,
publicKeyLabel);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->createKeyPair(
cred,
msgID,
return m_logic->createKeyPair(
cred,
msgID,
RawBufferVector trustedVector;
bool systemCerts = false;
buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
RawBufferVector trustedVector;
bool systemCerts = false;
buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
+
+ if (!allowed)
+ return disallowed(command, msgID, RawBufferVector());
+
return m_logic->getCertificateChain(
cred,
msgID,
return m_logic->getCertificateChain(
cred,
msgID,
LabelNameVector trustedVector;
bool systemCerts = false;
buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
LabelNameVector trustedVector;
bool systemCerts = false;
buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts);
+
+ if (!allowed)
+ return disallowed(command, msgID, LabelNameVector());
+
return m_logic->getCertificateChain(
cred,
msgID,
return m_logic->getCertificateChain(
cred,
msgID,
RawBuffer message;
int padding = 0, hash = 0;
buffer.Deserialize(name, label, password, message, hash, padding);
RawBuffer message;
int padding = 0, hash = 0;
buffer.Deserialize(name, label, password, message, hash, padding);
+
+ if (!allowed)
+ return disallowed(command, msgID, RawBuffer());
+
return m_logic->createSignature(
cred,
msgID,
return m_logic->createSignature(
cred,
msgID,
signature,
hash,
padding);
signature,
hash,
padding);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->verifySignature(
cred,
msgID,
return m_logic->verifySignature(
cred,
msgID,
{
PermissionMask permissionMask = 0;
buffer.Deserialize(name, label, accessorLabel, permissionMask);
{
PermissionMask permissionMask = 0;
buffer.Deserialize(name, label, accessorLabel, permissionMask);
+
+ if (!allowed)
+ return disallowed(command, msgID);
+
return m_logic->setPermission(
cred,
command,
return m_logic->setPermission(
cred,
command,
-void CKMService::CustomHandle(const ReadEvent &event) {
- LogDebug("Read event");
- auto &info = m_connectionInfoMap[event.connectionID.counter];
- info.buffer.Push(event.rawBuffer);
- while(ProcessOne(event.connectionID, info, true));
-}
-
-void CKMService::CustomHandle(const SecurityEvent & /*event*/) {
- LogError("This should not happend! SecurityEvent was called on CKMService!");
-}
-
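Review bot: In every ProcessStorage case the new `if (!allowed)` guard runs only after `buffer.Deserialize(...)` has already parsed the request payload (PKCS12Serializable, PolicySerializable, certificate vectors, ...), so an unprivileged client still drives the full deserializer on attacker-controlled bytes before it is refused; if MessageBuffer is length-framed so the message can be dropped without parsing, move the check ahead of Deserialize, otherwise document why parsing must come first, e.g. `// Deserialize even when !allowed so the stream stays in sync; the payload is never acted on`. Separately, `disallowed()` takes forwarding references but expands them with `std::move(args)...`; `std::forward<Args>(args)...` is the correct idiom and keeps the helper safe should a caller ever pass an lvalue. The control path in ProcessOne (`response = ProcessControl(info.buffer)`) is not gated by `allowed` at all; if that is intentional because the control socket is restricted at the socket level, a one-line comment there would stop the next reader from assuming a missed check. ProcessOne and ProcessStorage both begin and end outside the visible hunks.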
CKMService& operator=(const CKMService &) = delete;
CKMService& operator=(CKMService &&) = delete;
CKMService& operator=(const CKMService &) = delete;
CKMService& operator=(CKMService &&) = delete;
- // Custom add custom support for ReadEvent and SecurityEvent
- // because we want to bypass security check in CKMService
- virtual void Event(const ReadEvent &event) {
- CreateEvent([this, event]() { this->CustomHandle(event); });
- }
-
- virtual void Event(const SecurityEvent &event) {
- CreateEvent([this, event]() { this->CustomHandle(event); });
- }
-
virtual void Start(void);
virtual void Stop(void);
virtual void Start(void);
virtual void Stop(void);
ServiceDescriptionVector GetServiceDescription();
ServiceDescriptionVector GetServiceDescription();
-protected:
- // CustomHandle is used to bypass security check
- void CustomHandle(const ReadEvent &event);
- void CustomHandle(const SecurityEvent &event);
-
private:
virtual void SetCommManager(CommMgr *manager);
private:
virtual void SetCommManager(CommMgr *manager);
RawBuffer ProcessStorage(
Credentials &cred,
RawBuffer ProcessStorage(
Credentials &cred,
- MessageBuffer &buffer);
+ MessageBuffer &buffer,
+ bool allowed);
virtual void ProcessMessage(MsgKeyRequest msg);
virtual void ProcessMessage(MsgKeyRequest msg);
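Review bot: The new `bool allowed` parameter on ProcessStorage is undocumented in the declaration, and nothing in the header says where the value comes from or what a false value means, even though this flag is now the only thing standing between an unprivileged client and key-store operations. A comment on the parameter such as `// allowed: result of the caller's access check; false makes every storage command answer CKM_API_ERROR_ACCESS_DENIED without touching m_logic` would make the contract explicit. Removing the CustomHandle/Event overrides presumably means the generic service's security check now runs for CKMService and supplies `allowed`; stating that dependency in the class comment would keep it from being silently reintroduced. The class declaration starts outside the visible hunk.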
GenericSocketService::ServiceDescriptionVector OCSPService::GetServiceDescription()
{
return ServiceDescriptionVector {
GenericSocketService::ServiceDescriptionVector OCSPService::GetServiceDescription()
{
return ServiceDescriptionVector {
- {SERVICE_SOCKET_OCSP, "http://tizen.org/privilege/internet", SOCKET_ID_OCSP}
+ {SERVICE_SOCKET_OCSP, "http://tizen.org/privilege/keymanager", SOCKET_ID_OCSP}